At the FCC Commissioners’ meeting on March 16, the FCC imposed new STIR/SHAKEN and robocall mitigation requirements on all providers, including intermediate providers and regardless of their STIR/SHAKEN implementation status. All providers are now required to take “reasonable steps” to mitigate illegal robocall traffic and must submit a certification and mitigation plan to the Commission’s Robocall Mitigation Database. The deadline to comply with the new “reasonable steps” mitigation standard is 60 days following Federal Register publication of these new rules. The certification and mitigation plan must be filed by the later of: (1) 30 days following publication in the Federal Register of notice of approval by the Office of Management and Budget (“OMB”); or (2) any deadline set by the Wireline Competition Bureau through Public Notice. Any updates to this filing must be filed with the Robocall Mitigation Database within 10 business days of any change to the information previously submitted.
Within 90 days after the deadline to file certifications and mitigation plans with the Robocall Mitigation Database, downstream providers will be required to block traffic from any intermediate provider or originating provider that has not yet filed a certification with the Robocall Mitigation Database. Importantly, the FCC set a maximum fine of $23,727 per call for violations of this mandatory blocking requirement.
By December 31, 2023, the new rules also require the first intermediate provider in the path of an unauthenticated Session Initiation Protocol (“SIP”) call to authenticate the call using STIR/SHAKEN when the intermediate provider receives the unauthenticated SIP call directly from the originating provider. However, this new requirement does not apply to the non-IP portion of an intermediate provider’s network so long as the intermediate provider is working to implement a non-IP call authentication solution. It also does not apply to intermediate providers that are unable to obtain a Service Provider Code (“SPC”) token due to established Secure Telephone Identity Governance Authority policies.
With respect to traffic on the IP portion of an intermediate provider’s network, it is no longer sufficient for an intermediate provider to only respond to traceback requests. Instead, if an intermediate provider does not know whether it receives SIP calls directly from an originating provider, the FCC’s rules now require the intermediate provider to vet the providers immediately upstream from it and perform sufficient due diligence to know the source of the traffic it receives.
The FCC also initiated a new rulemaking proceeding seeking comments from the industry as to whether the FCC should revise its rules to explicitly authorize third-party caller ID authentication. In that proceeding, the FCC will also consider whether it should eliminate the STIR/SHAKEN extension for providers unable to obtain an SPC token.
For more information about these new requirements, please contact the attorneys at Fletcher, Heald & Hildreth.