The Federal Communications Commission (FCC) is seeking comment on new proposed robocall mitigation and enforcement rules that would include:
- Requirements for all domestic providers to adopt a non-IP caller ID authentication standard, respond to traceback requests within 24 hours, block traffic upon receiving FCC notification, and submit a Robocall Mitigation Database (RMD) certification and plan;
- Requirements for downstream providers to block traffic from "bad actor" providers under a new FCC notification process and block traffic received from a provider that is not listed in or has been removed from the RMD;
- Requirements for intermediate providers to fully implement STIR/SHAKEN in the IP portions of their networks and submit an RMD certification and plan;
- Requirements for updates to the content of providers' robocall mitigation plan and RMD certifications;
- Restrictions on using numbering resources for foreign-originated calls; and
- Adoption of new enforcement measures, including per-call forfeitures for failing to block illegal robocall traffic and the revocation of Section 214 operating authority for repeat offenders.
Comments and reply comments on the FCC's proposed rules will be due 30 and 60 days after the July 18 publication of the proposed rules in the Federal Register, respectively, so comments are now due August 17 with reply comments due September 16, 2022.
As explained in multiple advisories and posts, tracking the Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act's implementation, in March 2020 the FCC began adopting and implementing certain robocall enforcement rules and mechanisms. Most recently, the FCC extended new obligations on gateway providers to mitigate the scourge of foreign originated illegal calls still pouring into the United States. In the Further Notice of Proposed Rulemaking (FNPRM), the FCC proposes expanding some of these gateway provider rules to cover other providers in the call path and adding new requirements to protect consumers from illegal calls.
The FCC proposes requiring all domestic providers, regardless of whether they have implemented STIR/SHAKEN, to comply with certain mitigation requirements, including the following:
- 24-Hour Traceback Response: A requirement to respond to a traceback request within 24 hours, which is stricter than the current requirement to respond in a timely manner.
- Blocking Following FCC Notification: A requirement to block calls specifically identified by the FCC, rather than simply "effectively mitigate" illegal traffic identified by the FCC (as current rules require).
- RMD Certification: Regardless of a provider's STIR/SHAKEN implementation status, requiring all domestic providers to file an RMD certification and corresponding robocall mitigation plan that "includes detailed practices that can be reasonably expected to substantially reduce the origination [or carrying or processing] of illegal robocalls." Additionally, the FCC asks whether a provider's plan should be deemed insufficient if it "knowingly or through negligence" originates, carries, or processes illegal robocalls – a rule that, if adopted, could pose serious risks for a provider's failure to follow through on its mitigation plan.
- Addressing Non-IP Networks: The FCC also seeks comment on whether, for the non-IP portions of providers' networks, providers should be required to adopt a certain non-IP caller ID authentication solution and, if so, which one.
Currently, only originating and gateway providers are required to block traffic of identified providers upon receiving FCC notification. The FCC now proposes requiring all intermediate and terminating providers immediately downstream from another provider to comply with the following blocking requirements:
- Blocking of "Bad Actor" Providers: A requirement to block all traffic from an upstream provider that has been identified through the FCC's issuance of a Final Determination Order in EB Docket No. 22-174 for failing to respond or insufficiently resolve robocall mitigation issues previously identified by the FCC.
- Blocking of Providers Not Listed in RMD: A requirement to block all traffic from an upstream provider that has failed to submit an RMD certification or is delisted from the RMD.
The FCC also proposes applying additional mitigation solutions to intermediate providers, including the following:
- STIR/SHAKEN Implementation: A requirement to implement STIR/SHAKEN in all IP portions of their networks to authenticate any SIP call that is carrying a U.S. number in the caller ID field for which the caller ID information has not been authenticated. (This would replace the existing rule under which intermediate providers have the option to authenticate rather than cooperate with traceback efforts.)
- RMD Certification: A requirement to file an RMD certification addressing: (1) the status of STIR/SHAKEN implementation and robocall mitigation on their networks; (2) contact information for a representative responsible for addressing robocall mitigation; and (3) a robocall mitigation plan. The FCC also asks whether intermediate providers should be required to explain what steps they are taking to ensure the immediate upstream provider is not using their network to transmit illegal calls.
Updates to Robocall Mitigation Database
The FCC asks whether all classes of providers required to submit an RMD certification should have to provide additional information to further assist the FCC in identifying bad actor providers and customers. For example, the FCC asks whether providers should be required to add information regarding bad actors' principals, known affiliates, subsidiaries, and parent companies to help "identify bad actors previously removed from the [RMD] that continue to be affiliated with other entities filing in the [RMD]." Further, the agency asks if requiring providers to include their Carrier Identification Code, Operating Company Number, and/or Access Customer Name Abbreviation would further assist in identifying bad actors.
The FCC asks whether to strengthen the standard used to determine the sufficiency of robocall mitigation plans by judging whether they "can reasonably be expected to significantly reduce the origination of illegal robocalls." The FCC also asks whether plans should be required to identify the analytics providers and/or describe the analytics used by a certifying provider or disclose the contractual requirements providers rely on to keep their upstream carrier customers from transmitting illegal traffic.
Restrictions on Number Usage
The FCC additionally seeks comment on possible changes to its numbering rules to "prevent the misuse of numbering resources to originate illegal robocalls, particularly calls originating abroad." In particular, the FCC asks whether it should restrict the use of domestic numbering resources for foreign-originated calls and/or prohibit indirect access to U.S. NANP numbers. The FCC asks whether numbering restriction policies implemented by other countries would reduce illegal traffic.
Finally, the FCC proposes new robocall mitigation enforcement measures, including:
- Forfeitures for Failing to Block Calls: Imposing a maximum forfeiture of $22,021 on a per-call basis for a provider's failure to block calls after FCC notice.
- RMD Removal: Removing any provider from the RMD – and thus have its traffic blocked by all downstream carriers – for: (1) filing a deficient robocall mitigation plan or RMD certification; or (2) "knowingly or negligently" originating or transmitting illegal calls. The FCC also asks if there are any other reasons why a provider should be de-listed from the RMD.
- Section 214 Violation: Revoking the Section 214 operating authority of any provider that engages in continued violations of the FCC's robocall mitigation rules and banning any of the provider's principals (either individuals or entities) from serving either directly or indirectly as an officer or director in any entity that applies for or holds any FCC license or instrument of authorization.
DWT is following developments in this area closely. We are happy to answer any questions you may have.