Rule 2022-13436
Advanced Methods To Target and Eliminate Unlawful Robocalls; Call Authentication Trust Anchor
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Published
July 18, 2022
Effective
September 16, 2022
Issuing agencies
Federal Communications Commission
Abstract
In this document, the Federal Communications Commission (Commission or FCC) takes further steps to stem the tide of foreign-originated illegal robocalls by placing new obligations on the gateway providers that are the entry point for foreign calls into the United States by requiring them to play a more active role in the fight.
Full Text
<html>
<head>
<title>Federal Register, Volume 87 Issue 136 (Monday, July 18, 2022)</title>
</head>
<body><pre>
[Federal Register Volume 87, Number 136 (Monday, July 18, 2022)]
[Rules and Regulations]
[Pages 42916-42948]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2022-13436]
Vol. 87, No. 136
Monday, July 18, 2022
Part III
Federal Communications Commission
-----------------------------------------------------------------------
47 CFR Parts 0 and 64
Advanced Methods to Target and Eliminate Unlawful Robocalls; Call
Authentication Trust Anchor; Final Rule
-----------------------------------------------------------------------
FEDERAL COMMUNICATIONS COMMISSION
47 CFR Parts 0 and 64
[CG Docket No. 17-59, WC Docket No. 17-97; FCC 22-37, FR ID 91946]
Advanced Methods To Target and Eliminate Unlawful Robocalls; Call
Authentication Trust Anchor
AGENCY: Federal Communications Commission.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: In this document, the Federal Communications Commission
(Commission or FCC) takes further steps to stem the tide of foreign-
originated illegal robocalls by placing new obligations on the gateway
providers that are the entry point for foreign calls into the United
States by requiring them to play a more active role in the fight.
DATES:
Effective date: This rule is effective September 16, 2022.
Compliance date: Compliance with the amendments to 47 CFR
64.1200(n)(1) and (o), 64.6303(b), and 64.6305(b), (c)(2), (d), and
(e)(2) and (3), are delayed indefinitely. The Federal Communications
Commission will publish a document in the Federal Register announcing
the compliance dates.
ADDRESSES: Federal Communications Commission, 45 L Street NE,
Washington, DC 20554.
FOR FURTHER INFORMATION CONTACT: Jonathan Lechter, Competition Policy
Division, Wireline Competition Bureau, at (202) 418-0984,
jonathan.lechter@fcc.gov; or Jerusha Burnett, Attorney Advisor,
Consumer Policy Division, Consumer and Governmental Affairs Bureau, at
(202) 418-0526, jerusha.burnett@fcc.gov.
SUPPLEMENTARY INFORMATION: This is a summary of the Commission's Sixth
Report and Order in CG Docket No. 17-59 and Fifth Report and Order in
WC Docket No. 17-97 Order on Reconsideration and Order in WC Docket No.
17-97 adopted on May 19, 2022 and released on May 20, 2022 (Gateway
Provider Report and Order). The document is available for download at
<a href="https://docs.fcc.gov/public/attachments/FCC-22-37A1.pdf">https://docs.fcc.gov/public/attachments/FCC-22-37A1.pdf</a>. Compliance
with the amendments to 47 CFR 64.1200(n)(1) and (o), 64.6303(b), and
64.6305(b), (c)(2), and (d), which contain information collection
requirements that have not been approved by the Office of Management
and Budget (OMB), and the amendments to 47 CFR 64.6305(e)(2) and (3),
are delayed indefinitely. The Federal Communications Commission will
publish a document in the Federal Register announcing the compliance
dates.
To request materials in accessible formats for people with
disabilities (Braille, large print, electronic files, audio format),
send an email to FCC504@fcc.gov or call the Consumer & Governmental
Affairs Bureau at 202-418-0530 (voice), 202-418-0432 (TTY).
Synopsis
I. Sixth Report and Order and Fifth Report and Order
1. In this document, the Commission takes steps to protect
consumers from foreign-originated illegal robocalls. Gateway providers'
networks are the key entry point for foreign-originated robocalls, and
the authentication and mitigation requirements the Commission adopts
will ensure that American consumers are protected. The Commission
defines the term ``gateway provider,'' requires such providers to
authenticate all unauthenticated Session Initiation Protocol (SIP)
calls in the Internet Protocol (IP) portions of their networks, and
adopts mitigation requirements specific to such providers, including
requirements related to the Robocall Mitigation Database. As explained
below, the Commission finds that the benefits of these new
requirements, particularly to American consumers deluged by illegal
calls originating in other countries, will far outweigh the short-term
implementation costs imposed on gateway providers.
A. Need for Action
2. Current Rules Addressing Foreign-Originated Robocalls Are
Insufficient to Stop the Deluge of Illegal Robocalls Originating
Abroad. As proposed, the Commission concludes that consumers will
benefit from caller ID authentication and illegal robocall mitigation
requirements applied to gateway providers to address the problem of
foreign-originated illegal robocalls (86 FR 59084, (Oct. 26, 2021)).
3. Commenters overwhelmingly support additional action to stop the
flood of foreign-originated illegal calls. For example, Comcast agrees
with the Commission that the current rules ``are not sufficient to
resolve the problem of foreign-originated illegal robocalls'' and that
the robocall landscape ``warrants consideration of further regulatory
efforts targeting gateway providers.'' The State attorneys general also
support steps to stop the ``continued deluge of illegal foreign-based
robocalls that use spoofed, U.S.-based phone numbers.''
4. Foreign robocallers use U.S. North American Numbering Plan
(NANP) numbers in myriad ways to reach U.S. end users. In some cases,
the foreign robocallers utilize spoofed U.S. numbers, while in other
cases they have obtained U.S. NANP numbers from providers who have
themselves obtained numbers on the secondary market or directly from
the North American Numbering Plan Administrator (NANPA).
5. Commenting parties agree that foreign-originated calls are a
significant portion, if not the majority, of illegal robocalls. The
latest data from the Industry Traceback Group support the conclusion
that many providers facilitating illegal robocalls are gateway
providers and the upstream foreign originating and intermediate
providers from whom they receive foreign-originating calls. Of the 347
providers identified in the Industry Traceback Group's 2021 report as
responsible for transmitting illegal robocalls, 111 were gateway
providers that brought the traffic into the U.S. network, and 115 were
foreign providers originating illegal robocalls. According to the
Industry Traceback Group, 10% of all providers that are not responsive
to traceback requests constitute 48% of all non-responsive traceback
requests. Of that 10%, over two-thirds are foreign providers. Recent
action after the release of the Gateway Provider Further Notice of
Proposed Rulemaking (Gateway Provider FNPRM), 86 FR 59084, (Oct. 26,
2021), by the Commission's Enforcement Bureau underscores the need for
action against foreign-originated robocalls, including cease-and-desist
letters the Enforcement Bureau sent to three companies for transmitting
illegal robocalls, ``many of which originate overseas.''
6. Role of Gateway Providers. The Commission concludes that gateway
providers serve as a critical choke-point for reducing the number of
illegal robocalls received by American consumers, a conclusion
confirmed by the record. Gateway providers can stop illegal calls to
customers before they reach terminating providers, or, as the Industry
Traceback Group data demonstrates, readily allow such calls into the
U.S. market. State attorneys general argue that ``in most cases''
robocalling fraud results from ``foreign actors gaining access to the
U.S. phone network through international gateway providers.'' State
actions against gateway providers following the Gateway Provider FNPRM
reinforce this conclusion.
B. Scope of Requirements and Definition
7. Definition of Gateway Provider. The Commission defines a
``gateway provider'' as a U.S.-based intermediate provider that
receives a call directly from a foreign originating provider or foreign
intermediate provider at its U.S.-based facilities before transmitting
the call downstream to another U.S.-based provider, a slightly modified
version of the definition the Commission proposed in the Gateway
Provider FNPRM. By ``U.S.-based,'' the Commission means that the
provider has facilities located in the U.S., including a point of
presence capable of processing the call. By ``receives a call
directly'' from a provider, the Commission means the foreign provider
directly upstream of the gateway provider in the call path sent the
call to the gateway provider, with no providers in-between. Commenters
support the Commission's proposed definition, with some suggesting
minor modifications addressed below.
8. In the Gateway Provider FNPRM, the Commission initially proposed
to define a gateway provider as ``the first U.S.-based intermediate
provider in the call path of a foreign-originated call that transmits
the call directly to another intermediate provider or a terminating
voice service provider in the United States.'' The Commission adds
``receives a call directly from a foreign originating provider or
foreign intermediate provider'' and drops ``foreign-originated call''
from its adopted definition for several reasons. First, as commenters
note, a gateway provider may not know the identity or location of the
entity that originated the call, but it will know the identity of the
immediate upstream provider that sent the call to the gateway provider,
including whether that provider has registered as a foreign provider in
the Robocall Mitigation Database. (As explained below, the Commission
clarifies foreign intermediate providers' traffic will be blocked
unless they register in the Robocall Mitigation Database.) The
Commission's adopted definition ensures that a provider will be
considered a gateway provider for any call it receives directly from a
foreign provider that the provider does not itself terminate. Second,
the Commission's definition ensures that calls sent on a circuitous
path out of and then back into the U.S. will be brought within the
regime. In that scenario, the U.S.-based provider acts as a gateway
provider at the point in the call path when the foreign provider
immediately upstream of the gateway provider sends the call to the
gateway provider, even for calls originated within the United States.
The Commission agrees with commenters that ``U.S.-based facilities''
for the purpose of the Commission's definition means that the provider
has facilities in the U.S., including, at a minimum, a U.S.-located
point of presence.
9. The Commission clarifies that foreign affiliates of a U.S.-based
provider or other U.S.-licensed entities that receive traffic in
another country and transmit that traffic to another provider to bring
across the boundary of the U.S. network are not gateway providers. As
proposed, the Commission does not include in the definition providers
that also terminate the call because they are then acting as
terminating providers and are subject to the existing rules applicable
to such providers. In their capacity as terminating providers, these
providers have existing obligations to prevent their own end users from
receiving illegal robocalls. (A terminating provider is a voice service
provider for purposes of section 4 of the TRACED Act and the
Commission's caller ID authentication rules. A voice service provider
is required to, among other things, verify caller ID information
pursuant to STIR/SHAKEN for traffic it terminates, 47 CFR
64.6301(a)(3), and submit a certification to the Robocall Mitigation
Database.)
10. Because the TRACED Act defines ``voice service'' in a manner
that excludes intermediate providers, the authentication and Robocall
Mitigation Database rules use ``voice service provider'' in this
manner. The Commission's call blocking rules, many of which the
Commission adopted prior to adoption of the TRACED Act, use a
definition of ``voice service provider'' that includes intermediate
providers. In that context, use of the TRACED Act definition of ``voice
service'' would create inconsistency with the existing rules. To avoid
confusion, for purposes of this item, the Commission uses the term
``voice service provider'' consistent with the TRACED Act definition
and where discussing caller ID authentication or the Robocall
Mitigation Database. In all other instances, the Commission uses
``provider'' and specifies the type of provider as appropriate. Unless
otherwise specified, the Commission means any provider, regardless of
its position in the call path.
11. Call-by-Call Basis. Consistent with the proposal in the Gateway
Provider FNPRM, the Commission adopts the gateway provider
classification on a call-by-call basis. That is, a provider is a
gateway provider and subject to the rules for gateway providers the
Commission adopts in this document only for those calls for which it
acts as a gateway provider unless otherwise noted.
12. As the Commission noted in the Gateway Provider FNPRM, the
Commission took this approach when classifying intermediate and voice
service providers with respect to the Commission's caller ID
authentication rules. The Commission adopts the call-by-call
classification to ensure that gateway providers, due to their key role
in the call path, are subject to the requirements. There is record
support for this approach. Concluding that the burdens are overstated,
the Commission rejects concerns of commenters that assert that the
call-by-call classification would not be administratively feasible, and
would potentially impose two different sets of regulations on the same
set of providers, causing confusion. As the Commission notes, and a
number of commenters agree, a gateway provider will know the identity
of the immediate upstream provider from which it receives a call. (As
explained below, the Commission clarifies foreign intermediate
providers' traffic will be blocked unless they register in the Robocall
Mitigation Database.) The gateway provider will also know whether that
provider has registered as a foreign provider in the Robocall
Mitigation Database. The Commission's approach ensures that a gateway
provider is subject to the consumer protection requirements it adopts
whenever it receives a call directly from a foreign provider.
13. Moreover, a call-by-call approach will have a limited practical
burden for several reasons. As an initial matter, several of the
obligations the Commission adopts do not require a gateway provider or
providers downstream from the gateway provider to determine, in real
time, whether or not the relevant provider is acting as a gateway
provider for a particular call. First, the 24-hour traceback
requirement and know-your-upstream provider requirements do not involve
any real-time action on the part of a gateway provider when it receives
the call. Second, the obligation to block traffic upon notification by
the Commission applies only to those entities identified by the
Commission, so that providers need not identify relevant traffic in
real-time in the first instance. Third, if a provider acts as a gateway
provider for any calls, it must submit a robocall mitigation plan to
the Robocall Mitigation Database describing how it mitigates calls in
its role as a gateway provider generally. Fourth, where a downstream
provider needs to block
traffic from an upstream provider that has not filed in the Robocall
Mitigation Database, it is required to do so if it has reason to
believe it is a gateway or voice service provider for any calls.
Additionally, while gateway providers must undertake call blocking on a
call-by-call basis at the time of the call for numbers on a Do Not
Originate (DNO) list, all domestic providers in the call path are
already permitted to engage in such blocking and can therefore elect to
apply such blocking to all calls, rather than simply the calls for
which they act as a gateway provider. Similarly, while gateway
providers must take ``reasonable steps'' to mitigate calls received as
a gateway provider on a call-by-call basis, the burden of identifying
the relevant calls is likely low; gateway providers should know those
calls they receive from foreign providers and send downstream to
another domestic provider and can apply the appropriate mitigation
procedures to those calls. Indeed, several stated that they already do
so. At a minimum, to the extent a provider receives a call directly
from a provider listed as ``foreign'' in the Robocall Mitigation
Database, it is acting as a gateway provider for that call.
14. The Commission notes that many providers already operate under
multiple sets of obligations--for example, as intermediate providers
and voice service providers under the Commission's caller ID
authentication rules--and no party has indicated why a call-by-call
approach for gateway providers would be more burdensome. Moreover, no
commenter proposed an alternative approach for imposing unique
obligations on gateway providers. (Many commenters assert that the
Commission should not impose unique obligations on gateway providers.
The Commission addresses that argument in Section I.E.4 infra.) The
Commission thus concludes that the burden on gateway providers to
identify the appropriate regulatory regime applicable to a particular
call will be limited.
15. U.S. NANP Numbers. Consistent with its proposal, the Commission
limits the scope of the requirements for gateway providers to those
calls that are carrying a U.S. number in the caller ID field. By a
``U.S. number,'' the Commission means NANP resources that pertain to
the United States. The Commission excludes from the scope of its rules
those calls that carry a U.S. number in the ANI field but display a
foreign number in the caller ID field. Commenters uniformly support
this approach, which is consistent with the scope of the prohibition on
receiving calls carrying U.S. NANP numbers from foreign voice service
providers not listed in the Robocall Mitigation Database. Foreign-
originated robocalls are successful to the extent that end users
believe they are calls from U.S. customers or businesses, and the
Commission therefore concludes it is appropriate to focus its efforts
on such calls. (For this reason, the Commission concludes that
including ``in the caller ID field'' within its definition and
elsewhere in its newly adopted rules will not encourage a deluge of
illegal robocalls using non-US numbers as ZipDX argues.)
16. No Traffic Carve-Outs. Finally, the Commission declines to
exclude certain types of traffic from the consumer protections it
adopts. The Commission therefore rejects iBasis's contention that the
Commission should exempt from the rules cellular roaming calls sent
from U.S. customers abroad. The Commission also declines, at this time,
to draw a distinction between ``conversational'' and ``non-
conversational traffic'' and to require it to be segregated at the
gateway and subject to different levels of regulatory scrutiny. (The
Commission notes that it seeks comment on some of these ideas in the
accompanying FNPRM published elsewhere in this issue of the
Federal Register.) The record does not reflect sufficient evidence to
justify the utility of these carve-outs, or explain how they could be
implemented in an administrable way and in a manner that avoids
robocallers gaming whatever call-length definitions the Commission
adopts. For example, the Commission is concerned that, if it sets a
threshold for conversational traffic at a particular call length,
robocallers would find a way to avoid crossing it while continuing to
send robocalls. The Commission finds, at this time, that analytics
providers, who can and do take call-length patterns into account in
determining whether a call is likely to be an illegal robocall, are in
the best position to make these sorts of determinations. These entities
have the incentive and ability to react quickly to robocallers'
shifting tactics and can do so without disclosing to bad actors the
specific thresholds on which they rely.
C. Robocall Mitigation Database
17. The Commission adopts its proposal to require gateway providers
to submit a certification and mitigation plan to the Robocall
Mitigation Database. As explained below, the Commission requires
gateway providers to take ``reasonable steps'' to mitigate robocall
traffic regardless of whether they have fully implemented STIR/SHAKEN.
Gateway providers' robocall mitigation plans must describe their
robocall mitigation practices and state that they are adhering to those
practices, regardless of whether they have fully implemented STIR/
SHAKEN. The Commission also adopts a modified version of its proposal
for downstream domestic providers receiving traffic from gateway
providers to block traffic from such a provider if the gateway provider
has not submitted a certification in the Robocall Mitigation Database
or if the gateway provider has been de-listed from the Robocall
Mitigation Database pursuant to enforcement action. The vast majority
of commenters supported these proposals.
18. Gateway Provider Robocall Mitigation Database Filing
Obligations. The Commission concludes that requiring gateway providers
to submit a certification to the Robocall Mitigation Database
describing their robocall mitigation practices and stating that they
are adhering to those practices, in conjunction with the new robocall
mitigation obligations the Commission adopts elsewhere in this document,
is an appropriate extension of similar obligations that currently apply
to other providers. The Commission further concludes that requiring
gateway provider certification will encourage compliance and facilitate
enforcement efforts and industry cooperation. The record reflects
significant support for this action. For example, iBasis, a gateway
provider, ``believes that it is appropriate to require such a
submission'' along with a mitigation plan. While INCOMPAS and T-Mobile
argue that gateway providers that have implemented STIR/SHAKEN should
not have to submit a mitigation plan, the Commission disagrees because
of the importance of gateway providers in the call path and its
conclusion that STIR/SHAKEN, on its own, will not eliminate illegal
robocalls, particularly traffic originating from outside the United
States.
19. These rules the Commission adopts require gateway providers to
submit the same information to the Robocall Mitigation Database that
voice service providers must submit under existing Commission rules,
except for the limited areas described below. Specifically, gateway
providers must certify to the status of STIR/SHAKEN implementation and
robocall mitigation on their networks; submit contact information for a
person responsible for addressing robocall mitigation-related issues;
and describe in detail their robocall mitigation practices. Gateway
providers may make confidential submissions consistent with the
Commission's existing confidentiality rules. (As USTelecom notes,
providers may only redact filings to the extent appropriate under the
Commission's confidentiality rules.) Gateway providers must also
certify that they will comply with traceback requests within 24 hours,
unlike the current ``reasonable period of time'' applicable for voice
service providers, or that they have received a waiver of that rule.
20. Consistent with voice service providers' current obligations,
the Commission does not require gateway providers to describe their
mitigation program in a particular manner, with the exception of
clearly explaining how they are complying with the know-your-upstream-
provider obligation adopted in this document. The Commission concludes
that it and the public will benefit from understanding how each
provider chooses to comply with the know-your-upstream provider duty,
both because compliance is critical to stopping the illegal carrying or
processing of robocalls and because providers may choose to comply with
this duty in different ways. (In several legal settlements with gateway
providers, the gateway providers were required to comply with extremely
detailed, and public, know-your-customer obligations.) As USTelecom
argues, ``providers' robocall mitigation programs should reflect at
least a basic level of vetting of the providers from whom they directly
accept traffic--beyond ensuring that they are registered in the
[Robocall Mitigation Database].''
21. The Commission also clarifies that, consistent with existing
Commission filing requirements in other contexts, all mitigation plans
must be submitted in English or with a certified English translation.
To remove any ambiguity, the Commission also codifies that requirement
with respect to its STIR/SHAKEN rules. Plans that were not submitted in
English or with a certified English translation must be updated no
later than 10 business days following the effective date of this
document, consistent with the Commission's existing requirement for
updating information in the Robocall Mitigation Database.
22. The Commission delegates to the Wireline Competition Bureau the
authority to specify the form and format of any submissions, and it
directs the Wireline Competition Bureau to comply with any requirements
under the Paperwork Reduction Act attendant upon such action. This
includes whether gateway providers that are also voice service
providers may either submit a separate certification and plan as a
gateway provider or amend their current certification and any plan. A
gateway provider that is also a voice service provider should explain
the mitigation steps it undertakes as a gateway provider and the
mitigation steps it undertakes as a voice service provider, to the
extent those mitigation steps are different for each role. And as with
voice service providers, and consistent with the Commission's proposal,
the Commission requires gateway providers to update their
certifications within ten business days of ``any change in the
information'' submitted, ensuring that the information is kept up to
date.
23. The Commission also notes that it may take the same enforcement
actions against a gateway provider whose certification is deficient or
who fails to meet the standards of its certifications as is the case
for voice service providers. This includes, but is not limited to,
delisting the gateway provider from the Robocall Mitigation Database.
In the Second Caller ID Authentication Report and Order, 85 FR 73360
(Nov. 17, 2020), the Commission set forth consequences for providers
that file a deficient robocall mitigation plan or that ``knowingly or
negligently'' originate illegal robocall campaigns, including removal
from the Robocall Mitigation Database. To promote regulatory symmetry
and close any loopholes in the Commission's regime, gateway providers
will be subject to similar consequences. Specifically, if the
Commission finds that a certification is deficient, such as if the
certification describes an ineffective program, or it determines that a
provider knowingly or negligently carries or processes illegal
robocalls, it will take appropriate enforcement action. These actions
may include, among others, removing a certification from the database
after providing notice to the gateway provider and an opportunity to
cure the filing, requiring the gateway provider to submit to more
specific robocall mitigation requirements, and/or the imposition of a
forfeiture. Should the Commission remove a gateway provider from the
Robocall Mitigation Database, downstream providers must block that
gateway provider's traffic as described below.
24. Gateway providers must submit a certification to the Robocall
Mitigation Database by 30 days following publication in the Federal
Register of notice of approval by OMB of any associated Paperwork
Reduction Act (PRA) obligations. (In the Gateway Provider FNPRM, the
Commission proposed a filing deadline of 30 days after the publication
of this document, but that did not account for OMB approval of PRA
obligations.) The Commission concludes that the deadline will give
providers sufficient time to prepare their submission following
notification of OMB approval. If a gateway provider has not fully
implemented STIR/SHAKEN by the filing deadline, it must so indicate in
its filing. (Below, the Commission requires gateway providers to
authenticate unauthenticated SIP traffic pursuant to STIR/SHAKEN by
June 30, 2023.) It must then later update the filing within 10 business
days of STIR/SHAKEN implementation. (Given the importance of tracking
gateway providers' mitigation efforts, the Commission concludes that
the benefit of an earlier filing deadline outweighs the burden for some
providers to subsequently update their filing with their STIR/SHAKEN
compliance status.)
25. The Commission does not at this time adopt a requirement for
gateway providers to inform the Commission through an update to the
Robocall Mitigation Database filing if the gateway provider is subject
to a Commission, law enforcement, or regulatory agency action,
investigation, or inquiry due to its robocall mitigation plan being
deemed insufficient or problematic, or due to suspected unlawful
robocalling or spoofing. Similarly, the Commission does not at this
time require all or a subset of Robocall Mitigation Database filers to
include additional identifying information. While the Commission
concludes that taking these steps may have merit, it finds the record
is insufficient to support taking action at this time. Instead, the
Commission seeks comment in the accompanying FNPRM on imposing these
obligations on all domestic providers in the call path.
26. The Commission also does not at this time extend this
certification obligation to domestic intermediate providers other than
gateway providers or require voice service providers that have already
implemented STIR/SHAKEN to meet the ``reasonable steps'' standard and
submit a robocall mitigation plan. However, the Commission seeks
comment on doing so in the accompanying FNPRM.
27. Gateway Provider Call Blocking. The Commission also extends the
prohibition on accepting traffic from unlisted voice service providers
to gateway providers as proposed. This proposal received significant
record support and will close a loophole in the Commission's regime.
Under this rule, downstream providers will be prohibited from accepting
any traffic from a gateway provider not listed in the Robocall
Mitigation Database, either because the provider did not file or their
certification was removed from the Robocall Mitigation Database as part
of an enforcement action. The Commission concludes that a gateway
provider Robocall Mitigation Database filing requirement and an
associated prohibition against accepting traffic from gateway providers
not in the Robocall Mitigation Database will ensure regulatory symmetry
between voice service providers and gateway providers and underscore
the key role gateway providers play in stemming foreign-originated
illegal robocalls. Consistent with the Commission's proposal, and the
parallel requirement adopted for voice service providers in the Second
Caller ID Authentication Report and Order, this prohibition will go
into effect 90 days following the deadline for gateway providers to
submit a certification to the Robocall Mitigation Database.
28. As a result of gateway providers' affirmative obligation to
submit a certification in the Robocall Mitigation Database, the
Commission concludes that downstream providers will no longer be able
to rely upon any gateway provider database registration imported from
the intermediate provider registry when making blocking determinations.
(Previously, all intermediate providers were imported into the Robocall
Mitigation Database from the rural call completion database's
Intermediate Provider Registry so that all intermediate providers would
be represented therein, giving voice service providers ``confidence
that any provider not listed in the Robocall Mitigation Database'' was
not in compliance with the Commission's rules.) In the Second Caller ID
Authentication Report and Order, the Commission imported intermediate
providers into the Robocall Mitigation Database from the intermediate
provider registry to ensure that downstream providers did not
inadvertently block traffic sent from the intermediate providers'
networks. At that time, no intermediate providers were subject to a
Robocall Mitigation Database filing or mitigation requirement. To the
extent a gateway provider was imported into the Robocall Mitigation
Database via the intermediate provider registry, that Robocall
Mitigation Database entry is not sufficient to meet the gateway
provider's Robocall Mitigation Database filing obligation or to prevent
downstream providers from blocking traffic upon the effective date of
the obligation for downstream providers to block traffic from gateway
providers. Therefore, gateway providers must submit a certification to
the Robocall Mitigation Database by 30 days following Federal Register
publication of OMB approval of the relevant information collection
requirements, and the downstream provider must begin blocking traffic
within 90 days of that certification deadline if the gateway provider
has not submitted a certification to the Robocall Mitigation Database.
The Commission delegates to the Wireline Competition Bureau to make the
necessary changes to the Robocall Mitigation Database to indicate
whether a gateway provider has made an affirmative filing (as opposed
to being imported as an intermediate provider) and whether any
provider's filing has been de-listed as part of an enforcement action.
The Bureau may, pursuant to an enforcement action, remove the record of
a provider's filing or clearly mark it in a way so that downstream
providers may not rely on it.
29. For the purpose of the downstream providers' call blocking
duty, the Commission does not require the downstream provider to
determine if a specific call was sent from a provider acting as a voice
service provider or gateway provider for that call. Nevertheless, the
Commission recognizes that it may not always be possible for the
downstream provider to know whether the upstream provider is (1) a
voice service provider or gateway provider whose traffic must be
blocked if the provider did not make an affirmative certification in
the Robocall Mitigation Database and has not been de-listed; or (2) an
intermediate provider that is not a gateway provider, whose traffic
should not be blocked. The Commission therefore only requires the
downstream provider to block calls if they have a reasonable basis to
believe that the upstream provider acts, for some calls, as a voice
service provider or gateway provider and that the provider did not
affirmatively file in the Robocall Mitigation Database or has been
de-listed. The Commission notes it is proposing in the FNPRM to expand
the obligation to submit an affirmative certification to the Robocall
Mitigation Database to all domestic intermediate providers. Adoption of
that proposal should eliminate any of these implementation concerns. In
that case, the downstream provider would simply check to see if the
upstream provider affirmatively filed in the Robocall Mitigation
Database and has not been de-listed and would block the call if
appropriate. Nevertheless, the Commission concludes it must act now
with respect to gateway providers to stem the tide of foreign-
originated calls.
30. Bureau Guidance. The Commission directs the Wireline
Competition Bureau to make the necessary changes to the Robocall
Mitigation Database portal and provide appropriate filing instructions
and training materials consistent with this document. The Commission
also directs the Wireline Competition Bureau to release a public notice
upon OMB approval of the information collection requirements for filing
a certification, setting the deadlines for filing a certification, and
for the downstream provider to block traffic from a gateway provider
that has not filed a certification in the database. Either in that same
or a separate public notice, the Wireline Competition Bureau shall also
state when gateway providers may begin filing certifications in the
Robocall Mitigation Database.
31. Commenters disagreed whether intermediate providers' imported
data should be deleted from the database. Consistent with the
Commission's direction to the Wireline Competition Bureau to make the
necessary changes to the portal to effectuate the rules, the Commission
directs the Bureau to determine how to manage the imported data of
gateway providers and to announce its determination as part of its
guidance described in the paragraph above.
32. Public Safety Calls. In the Gateway Provider FNPRM, the
Commission clarified that: (1) even if a provider is not listed in the
Robocall Mitigation Database, other voice service providers and
intermediate providers in the call path must make all reasonable
efforts to avoid blocking calls from public safety answering points
(PSAPs) and Government outbound emergency numbers; and (2) emergency
calls to 911 from originating providers not in the Robocall Mitigation
database must not be blocked ``under any circumstances.'' (These
clarifications reflect the Commission's existing requirements.) The
Commission now codifies these requirements and applies them as well to
the new blocking obligations it adopts in this document. Codifying
these clarifications with respect to providers not listed in the
Robocall Mitigation Database is consistent with the Commission's
action to similarly codify these safeguards in its other blocking rules
and will ensure completion of emergency calls is subject to the same
safeguards regardless of the rule under which the call would otherwise
be blocked. There was record support for this approach. The Commission
disagrees with ZipDX that its clarification in the Gateway Provider
FNPRM and its expansion to gateway providers would not be
administratively feasible. Providers have had to comply
[[Page 42921]]
with the Commission's public safety exception to blocking for other
purposes for several years, and ZipDX does not adequately explain why
applying this exception to traffic sent from providers not in the
Robocall Mitigation Database now would be different. Additionally, in
balancing any implementation concerns against the critical importance
of completing emergency calls, the Commission concludes that adopting
and expanding the public safety exception is in the public interest.
33. The Commission also sought comment in the Gateway Provider
FNPRM on whether it should expand these clarifications, including
whether it should further define what constitutes ``reasonable
efforts'' to prevent blocking of emergency calls. In light of the
limited comments in the record and the uncertain benefits to be gained,
the Commission does not take any further action at this time.
D. Authentication
34. To combat foreign-originated robocalls, and to further the
long-standing Commission goal and benefits of ubiquitous STIR/SHAKEN
authentication, the Commission requires gateway providers, consistent
with its proposal, to implement STIR/SHAKEN to authenticate SIP calls
that are carrying a U.S. number in the caller ID field. The Commission
concludes based on the record that authentication, as well as the
additional data sent to downstream providers along with the
authentication, will reduce the incentive and ability of foreign
providers to send illegal robocalls into the U.S. market, as well as
provide downstream intermediate and terminating providers and their
call analytics partners with additional data to protect their
customers, and therefore will provide a significant benefit.
Attestation information will facilitate analytics and promote traceback
and enforcement efforts. Speeding traceback efforts is also consistent
with the underlying goal of the Commission's 24-hour traceback
requirement. The Commission finds those benefits outweigh the
implementation costs. Additionally, certain commenters support
requiring gateway providers to authenticate calls.
35. As the Commission has previously explained, application of
caller ID authentication by intermediate--including gateway--providers
``will provide significant benefits in facilitating analytics,
blocking, and traceback by offering all parties in the call ecosystem
more information.'' At the time the Commission reached this conclusion,
given the concerns that an authentication requirement on all
intermediate providers ``was unduly burdensome in some cases,'' the
Commission determined that intermediate providers could, instead of
authenticating unauthenticated calls, ``register and participate with
the industry traceback consortium as an alternative means of complying
with our rules.'' Since that time, the Commission imposed on all
domestic providers the requirement to respond to all traceback requests
from the Commission, law enforcement, or the industry traceback
consortium, fully and in a timely manner. Because evidence shows that
foreign-originated robocalls are a significant and increasing problem
and that the benefits of a gateway authentication requirement outweigh
the burdens, the Commission thus adopts a gateway provider
authentication obligation to address this problem. The Commission
believes gateway provider authentication will address a significant
risk to American consumers and enhance their trust in this country's
telecommunications network.
36. Requirement. To comply with the requirement to authenticate
calls, consistent with the Commission's proposal, a gateway provider
must authenticate caller ID information for all SIP calls it receives
for which the caller ID information has not been authenticated and
which it will exchange with another provider as a SIP call. (As noted,
the call blocking rules have mooted this choice--all domestic providers
now must cooperate with traceback efforts.) A gateway provider can
satisfy its authentication requirement if it adheres to the three
Alliance for Telecommunications Industry Solutions (ATIS) standards
that are the foundation of STIR/SHAKEN--ATIS-1000074, ATIS-1000080, and
ATIS-1000084--and all documents referenced therein. Compliance with the
most current versions of these standards as of the compliance deadline,
including any errata to the standards as of that date or earlier,
represents the minimum requirement to satisfy the Commission's rules.
(No commenters addressed this proposal.) ATIS and the SIP Forum
conceptualized ATIS-1000074 as ``provid[ing] a baseline that can evolve
over time, incorporating more comprehensive functionality and a broader
scope in a backward compatible and forward looking manner.'' The
Commission intends for its rules to provide this same room for
innovation, while maintaining an effective caller ID authentication
ecosystem. Gateway providers may incorporate any improvements to these
standards or additional standards into their respective STIR/SHAKEN
authentication frameworks, so long as any changes or additions maintain
the baseline call authentication functionality exemplified by ATIS-
1000074, ATIS-1000080, and ATIS-1000084.
37. In addition, in line with the rule applicable to intermediate
providers generally and the Commission's proposal, gateway providers
have the flexibility in implementing call authentication to assign the
level of attestation appropriate to the call based on the call
information available to the gateway provider. Gateway providers are
not limited to assigning ``gateway'' (C-level) attestation, and one
commenter notes that there are significant benefits to be gained from
gateway providers appropriately applying higher attestation levels
consistent with the standard. Stakeholders support this approach.
38. Benefits Outweigh Burdens. The Commission concludes that the
benefits of a gateway provider authentication obligation outweigh the
burdens. Record evidence demonstrates that the benefits of gateway
provider authentication are significant and are likely to grow over
time as more providers are brought within the STIR/SHAKEN regime.
Illegal robocalls cost Americans billions of dollars each year. Even
minimal deterrence arising from authenticating unauthenticated foreign-
originated calls is likely to be highly beneficial. To the extent
``gateway providers already exchange traffic in SIP and therefore
likely are ready to implement STIR/SHAKEN,'' the requirement will have
a real, near-term benefit.
39. Those commenters asserting such a requirement will cost
significant time and resources to implement do not provide detailed
support for their claims. Indeed, to the extent a gateway provider also
serves as a voice service provider, it will have already implemented
STIR/SHAKEN in at least some portion of its network, likely lowering
its compliance costs to meet the requirement the Commission adopts.
Given the real and significant benefits to providers and American
consumers in the form of billions in savings and increased trust in the
voice network that will flow from the reduction in foreign-originated
illegal robocalls, the Commission concludes that requiring
authentication is in the public interest even if it credits those
arguing that there are substantial implementation costs.
40. While gateway providers are likely to authenticate most calls
with only C-level attestation at least initially, the
[[Page 42922]]
Commission disagrees with those commenters who argue that the benefits
of lower attestation levels, along with other information sent along
with the attestation, are not worth the asserted cost. While ``C-level
attestation is not as good as higher-level attestation . . . it is far
more valuable, particularly in the case of foreign-originated illegal
robocalls, than NO signature.'' Terminating providers and their end
users directly benefit from gateway provider authentication. As T-
Mobile notes, ``[r]eceiving any level of attestation can help carriers
trace where unwanted or illegal calls enter the country so they can
follow up and prevent additional traffic from the offending source. The
information passed along with the attestation can be valuable for
analytics engines, enabling calls to be appropriately labeled or sent
to voice mail'' before reaching end users. Indeed, the North American
Numbering Council (NANC) recently recognized the value of this
information. Even if not all analytics providers currently use this
information, more could readily do so in the future. And, while the
Commission agrees with commenters that gateway provider authentication
is not a ``silver bullet,'' it ``will have a significant impact on
curtailing illegal robocalls which is critical to restoring trust in
the voice network.'' It also will make the traceback process more
efficient and rapid, consistent with the underlying goal of the
Commission's newly adopted 24-hour traceback requirement. Even if
foreign-originated calls carrying U.S. numbers constitute a small
portion of gateway providers' overall traffic, such traffic represents
a disproportionate share of illegal robocall traffic received by such
providers, underscoring the importance of authentication. The
Commission agrees with USTelecom that the Commission's authentication
regime would be harmed if gateway providers improperly sign calls with
A-level attestations, but that is not a problem unique to gateway
provider authentication--all domestic providers authenticating calls
are obligated to provide the appropriate attestation level. Similarly,
the Commission disagrees with Verizon that because some gateway
providers still have some time division multiplex (TDM) facilities,
which fall ``out of the scope'' of the attestation mandate, the
Commission should not require gateway providers to authenticate SIP
calls. The Commission continuously has required voice service providers
to implement authentication on the IP portions of their networks, as it
does for gateway providers here, despite the presence of TDM facilities
on their networks subject to a continuing extension.
41. Expanding the scope of providers subject to the STIR/SHAKEN
regime will increase the overall benefits of the standard and its
future reach. As many parties and the NANC note, STIR/SHAKEN has
beneficial network effects, and the more steps the Commission takes to
increase its use, the greater the overall benefit for those providers
that have already implemented the standard and those providers'
customers. (For the same reasons, the Commission does not adopt
USTelecom's alternative proposal to only impose a gateway provider
authentication obligation on smaller, non-facilities-based providers.)
Indeed, the Commission's expansion of the STIR/SHAKEN regime may spur
other countries and regulators to also develop and adopt STIR/SHAKEN,
further increasing the standards' benefit. (While the i3forum opposes
an attestation obligation, it notes that cross-border adoption of STIR/
SHAKEN and voluntary agreements can lead to ``situations in which [the
gateway provider] has access to information that would enable it to
provide an A-level or B-level attestation.'') In the interim, gateway
provider authentication is the only way to ensure that all foreign-
originated calls with U.S. numbers in the caller ID field are
authenticated. The Commission acknowledges that at least some of the
benefits that will flow from gateway provider authentication are based
on its reasoned predictions arising from disputed record evidence.
Nevertheless, in adopting its rule, the Commission is persuaded by the
available evidence that the benefits will be significant, and the
sooner the Commission acts, the sooner the public will obtain these
benefits. For these reasons, the Commission disagrees with CTIA-The
Wireless Association that it would be ``premature'' for the Commission
to require gateway authentication while foreign regulators consider
mandating STIR/SHAKEN or that the Commission should wait for the
recommendations of outside third parties, or possible future rule
changes, before acting.
42. Compliance Deadline. The Commission requires that gateway
providers authenticate unauthenticated foreign-originated SIP calls
carrying U.S. NANP numbers by June 30, 2023, a longer period than the
Commission proposed in the Gateway Provider FNPRM. One commenter
supported a December 2023 deadline, while others supported either a
longer or shorter deadline. The Commission concludes that this deadline
appropriately balances the relevant burdens and benefits of
implementation; it will give gateway providers less time than the 18
months voice service providers had to implement STIR/SHAKEN, but more
time than the shorter deadline of the effective date of the order
proposed by the 51 State attorneys general. This deadline also
coincides with the extension for STIR/SHAKEN implementation for
facilities-based small voice service providers.
43. The Commission also believes that a June 30, 2023, deadline is
reasonable because the industry has much more experience with
implementation than when the Commission originally required voice
service providers to implement STIR/SHAKEN, there is evidence that
STIR/SHAKEN implementation costs have dropped since it first adopted
the requirement for voice service providers, and because the
authentication requirement applies only to the IP portions of the
gateway providers' networks. Finally, to facilitate uniformity,
simplify compliance, and consistent with comments in the record, the
Commission does not adopt an earlier deadline for those providers that
have, in their role as voice service providers, already implemented
STIR/SHAKEN, nor does it adopt a longer deadline for certain providers or
classes of provider, or a specific process for the grant of extensions
or exemptions from this requirement, with the exception of two
extensions regarding token access and non-IP networks described below.
(Parties are, of course, free to file a request for waiver. The
Commission may grant such requests where the particular facts at issue
make strict compliance with the rule at issue inconsistent with the
public interest. In considering whether to grant a waiver, the
Commission may take into account factors such as hardship, equity, or
more effective implementation of overall policy. This extension will be
similar to the one already in place for voice service providers.) As
noted above, once a gateway provider has fully implemented STIR/SHAKEN,
it must update its filing in the Robocall Mitigation Database.
44. Token Access. The Commission sought comment on whether the
Secure Telephone Identity Governance Authority's (STI-GA) token access
policy serves as a barrier for all or a subset of gateway providers
from obtaining a token and, if so, what if any actions it should take
to address that barrier, but it received limited response. (USTelecom
and iconnectiv assert that the policy should not be changed. iBasis
argues that the operating company
[[Page 42923]]
number (OCN) criteria should be eliminated.) The Commission concludes
that the current token access policy will likely not present a material
barrier to gateway providers meeting their authentication obligation,
and it anticipates that the STI-GA can address any concerns before
gateway providers are required to authenticate calls by June 30, 2023.
Nevertheless, to ensure that gateway providers are not unfairly
penalized, the Commission provides a STIR/SHAKEN extension to gateway
providers that are unable to obtain a token due to the STI-GA token
access policy. The extension will run until the gateway provider is
able to obtain a token as long as the gateway provider ``diligently
pursues'' doing so.
45. Non-IP Networks and Authentication. The Commission concludes
that gateway providers should have the same duty as voice service
providers to either upgrade their non-IP networks to IP and implement
STIR/SHAKEN or work with a working group, standards group, or
consortium to develop a non-IP caller ID authentication solution. Such
an obligation is appropriate in light of gateway providers' key role in
serving as the entry point for foreign-originated voice traffic into
the U.S. marketplace and the limited burden gateway providers would
experience in working with a standards group. No party commented on
this issue, and this approach is consistent with those commenters
arguing that all domestic providers in the call path should have
similar obligations. As with voice service providers, gateway providers
that choose to work with a working group are subject to an extension to
implement STIR/SHAKEN in the non-IP portions of their networks.
46. The Commission asked in the Gateway Provider FNPRM whether it
should require gateway providers to adopt a non-IP caller ID
authentication solution, an obligation that voice service providers
currently do not have. A number of commenters filed specific proposals
in the record for authentication on IP and non-IP networks for gateway
providers as well as voice service providers. The Commission does not
adopt these proposals, in part because many are outside of the scope of
the Gateway Provider FNPRM. However, the Commission seeks comment on
some of these alternatives in the accompanying FNPRM, as well as their
applicability to all domestic providers in the call path, and does not
foreclose the possibility of seeking comment on the remainder of these
proposals in a future proposal.
E. Robocall Mitigation
47. The Commission adopts several of its robocall mitigation
proposals from the Gateway Provider FNPRM. First, the Commission adopts
its proposal to require gateway providers to respond to traceback
requests within 24 hours, with one modification. Second, it requires
gateway providers and the providers immediately downstream from the
gateway provider to comply with blocking mandates in certain instances.
Third, it requires gateway providers to ``know'' the provider
immediately upstream from the gateway provider. Finally, the Commission
adopts a general mitigation standard.
1. 24-Hour Traceback Requirement
48. The Commission adopts its proposal to require gateway providers
to fully respond to traceback requests from the Commission, civil and
criminal law enforcement, and the industry traceback consortium within
24 hours of receipt of such a request. (To be clear, the 24-hour clock
does not start outside of the business hours of the local time for the
responding office. Requests received outside of business hours as
defined in the Commission's rules are deemed received at 8 a.m. on the
next business day. Similarly, if the 24-hour response period would end
on a non-business day, either a weekend or a Federal legal holiday, the
24-hour clock does not run for the weekend or holiday in question, and
restarts at 12:01 a.m. on the next business day following when the
request would otherwise be due. ``Business day'' for these purposes is
Monday through Friday, excluding Federal legal holidays, and ``business
hours'' are 8 a.m. to 5:30 p.m. on a business day, consistent with the
definition of office hours in the Commission's rules. By way of
example, a request received at 3 p.m. on a Friday will be due at 3 p.m.
on the following Monday, assuming that Monday is not a Federal legal
holiday. The Commission believes that this clarification resolves
concerns raised by some parties about the burden of a strict 24-hour
requirement.) This is an enhancement of the Commission's existing rule,
which requires all domestic providers, including gateway providers, to
respond to traceback requests ``fully and in a timely manner.'' The
Commission takes this step recognizing the critical role that gateway
providers play in stopping the deluge of illegal foreign-originated
robocalls, which continue to increase despite its previous efforts to
stem the tide.
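The clock rules in paragraph 48 can be computed mechanically, for
instance in a traceback ticketing system. The sketch below is an added
example, not part of the Commission's document. Assumptions: times are
naive datetimes in the responding office's local time, a request before
8 a.m. on a business day is deemed received at 8 a.m. that same day, the
12:01 a.m. restart is treated as midnight so the result matches the
Friday 3 p.m. example above, and SAMPLE_HOLIDAYS is a constructed subset
of the Federal holiday calendar.

```python
from datetime import date, datetime, time, timedelta

OPEN = time(8, 0)     # business hours begin at 8 a.m. (paragraph 48)
CLOSE = time(17, 30)  # business hours end at 5:30 p.m. (paragraph 48)

# Constructed sample: two 2023 Federal legal holidays. A production system
# would load the complete holiday calendar for every year it handles.
SAMPLE_HOLIDAYS = frozenset({date(2023, 7, 4), date(2023, 9, 4)})


def is_business_day(d, holidays=SAMPLE_HOLIDAYS):
    """Monday through Friday, excluding Federal legal holidays."""
    return d.weekday() not in (5, 6) and d not in holidays


def next_business_day(d, holidays=SAMPLE_HOLIDAYS):
    """First business day strictly after d."""
    d += timedelta(days=1)
    while not is_business_day(d, holidays):
        d += timedelta(days=1)
    return d


def deemed_received(received, holidays=SAMPLE_HOLIDAYS):
    """Moment the 24-hour clock starts (local time of the responding office)."""
    d, t = received.date(), received.time()
    if is_business_day(d, holidays):
        if OPEN <= t <= CLOSE:
            return received  # inside business hours: clock starts at once
        if t < OPEN:
            # Assumption: before opening on a business day counts as
            # 8 a.m. on that same day.
            return datetime.combine(d, OPEN)
    # After hours, weekend or holiday: 8 a.m. on the next business day.
    return datetime.combine(next_business_day(d, holidays), OPEN)


def response_due(received, holidays=SAMPLE_HOLIDAYS):
    """Deadline for a full traceback response under the 24-hour rule."""
    start = deemed_received(received, holidays)
    # Wall-clock arithmetic on naive datetimes: same local time, next day.
    due = start + timedelta(hours=24)
    # The clock does not run on weekends or holidays. Because the start is
    # always on a business day, pausing for whole non-business days is the
    # same as pushing the due time forward one day at a time.
    while not is_business_day(due.date(), holidays):
        due += timedelta(days=1)
    return due


def is_overdue(received, responded, holidays=SAMPLE_HOLIDAYS):
    """True if the response arrived after the computed deadline."""
    return responded > response_due(received, holidays)


if __name__ == "__main__":
    # Constructed sample requests (July 14, 2023 is a Friday).
    for label, ts in [
        ("Friday 3 p.m.", datetime(2023, 7, 14, 15, 0)),
        ("Friday 6 p.m.", datetime(2023, 7, 14, 18, 0)),
        ("Monday before July 4", datetime(2023, 7, 3, 10, 0)),
    ]:
        print(label, "-> due", response_due(ts).isoformat(sep=" "))
```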
49. The Commission finds that a mandatory 24-hour response
requirement best serves to protect consumers from foreign-originated
illegal robocalls, which are a prevalent source of illegal robocalls
aimed at U.S. consumers. As the Commission has repeatedly made clear,
traceback is an essential part of both identifying and stopping illegal
calls, and rapid traceback is key to its success. The process used by
the Industry Traceback Group, which is the currently designated
industry traceback consortium, is semi-automated, allowing the process
to continue very quickly when a provider responds to a traceback
request. While time is always of the essence in traceback, time is
particularly important in the case of foreign-originated calls. In such
cases, reaching the origination point of the call may require working
with foreign providers and foreign governments, which could
significantly increase the total time for the traceback process. As the
51 State AGs have argued, time is of the essence for traceback of
foreign-originated calls because law enforcement may need to work with
international regulators to obtain information from providers outside
of U.S. jurisdiction. As a result, any unnecessary delay increases the
risk that this essential information may become impossible to obtain.
50. The Commission therefore disagrees with commenters that do not
support its enhanced 24-hour requirement. First, the Commission
disagrees with commenters that argue that a stricter requirement is not
warranted here. The Commission acknowledges the work industry has done
on improving the traceback process, and recognizes that many, if not
most, providers that receive traceback requests already respond in
under 24 hours. However, the Commission finds that it is important to
act aggressively in the international calling context. The gateway
provider's response to a traceback request is often the first step in a
process where the entity conducting the traceback must work with
multiple foreign providers to trace a call back to the originating
foreign provider and caller. The longer this process takes, the higher
the risk that a foreign provider will no longer have the information
necessary to respond--if they are even willing to do so--or that other
factors will change, reducing the ability to fully trace the call.
Therefore, this process must both begin and be completed as soon as
possible. Many, if not most, providers that receive traceback requests
are already responding within 24 hours, and the Commission believes
this
[[Page 42924]]
enhanced obligation presents no additional burden. For providers that
do not already meet this standard, the additional burden is justified
by the need to quickly obtain this information. The record does not
support the contention that this requirement presents a significant
burden for providers. (Some commenters did raise specific concerns
about this requirement. However, as discussed further below, these
comments appear to either misunderstand the current expectations or to
misunderstand the scope of the requirement.) The Commission emphasizes
again, as it stated in the Fourth Call Blocking Order, 86 FR 17726
(April 6, 2021), that it generally expects all domestic providers to
respond to traceback within 24 hours in most instances. The rule the
Commission adopts simply makes that expectation a requirement in the
gateway context. (While the Commission requires response to all
traceback requests within 24 hours, it retains its right to exercise
discretion in enforcement or consider limited waivers where a provider
that normally responds within the 24-hour time frame has a truly
unexpected or unpredictable issue that leads to a delayed response in a
particular case or for a short period of time.)
51. The Commission also disagrees with commenters who argue that 24
hours is too short a time frame. (One commenter incorrectly indicated
that the ``current deadline'' is 36 hours, without indicating the
source of that figure.) The Commission notes that, in the Fourth Call
Blocking Order, it made clear that, in most cases, it expects responses
within 24 hours under its existing rule. Further, according to a report
by the Industry Traceback Group, the average time to complete a single
hop in the traceback process is less than one day, with many providers
responding in less than 30 minutes. (While the Industry Traceback Group
notes that overall response time is reduced by certain providers
responding more quickly, it also notes that ``[t]racebacks that end
with non-responsive providers tend to have slower response times, even
in completed hops before the non-responsive provider'' and that
providers closer to the origination point tend to respond more slowly.
Speeding up these responses can only benefit the traceback process.)
Many, if not most, providers that receive traceback requests already
respond in under 24 hours. The Commission therefore sees no reason to
believe that the rule it adopts would unduly burden any gateway
providers, nor would the burden of such a requirement outweigh the
significant benefits to law enforcement from such a requirement.
(Gateway providers for which this requirement poses a unique and
significant burden may apply for a waiver of this rule under the ``good
cause'' standard of Sec. 1.3 of the Commission's rules. Under that
standard, for example, waivers may be available in the event of sudden
unforeseen circumstances that prevent compliance for a limited period
or for a limited number of calls. The Commission notes that any
applicant for waiver ``faces a high hurdle even at the starting gate''
and would need to ``plead with particularity'' the ``special
circumstances'' that warrant a waiver and explain how granting a waiver
would serve the public interest.)
52. The Commission makes clear that it does not require the gateway
provider to identify the caller or originating provider within this
24-hour response period except in the case where the originating provider
is the provider from which the gateway provider received the call. Some
commenters appear concerned that this rule would require them to trace
a call back to the point of origination, or, at least, through several
hops. One commenter points to the ``need to obtain information from
several other carriers located in foreign countries,'' while another
mentions the need for ``detailed investigations.'' The Commission
requires the gateway provider to respond with information only about
the provider from which it directly received the call. (An appropriate
response would include the identity of the upstream provider, as well
as, for example, the country, a complete address, contact information
for the provider, and a link to that provider's Robocall Mitigation
Database filing.)
53. The Commission also encourages gateway providers to determine
whether their relationship with upstream providers should change to
better facilitate traceback. (For example, a gateway provider may
conduct such an investigation as part of compliance with the ``know
your upstream provider'' obligation discussed below, which does not
have a 24-hour requirement.) The Commission sees no reason that a
gateway provider should not be able to identify the immediate upstream
provider from its records and respond to the traceback request without
further investigation. In fact, one commenter indicated that it
currently automates response to traceback.
54. Compliance Deadline. The Commission requires gateway providers
to comply with this requirement no later than 30 days after publication
of notice of OMB approval under the PRA. This allows gateway providers
sufficient time to update their processes and come into compliance with
the rule.
2. Mandatory Blocking
55. The Commission adopts some, but not all, of the mandatory
blocking proposals it sought comment on in the Gateway Provider FNPRM.
First, the Commission requires gateway providers to block, rather than
simply effectively mitigate, illegal traffic when notified of such
traffic by the Commission, and it requires providers immediately
downstream from the gateway provider to block all traffic from an
identified gateway provider that has failed to meet its blocking
obligation upon Commission notification. Second, it requires gateway
providers to block calls based on any reasonable DNO list. Third, it
declines at this time to require gateway providers to block calls based
on reasonable analytics. Finally, the Commission addresses related
issues including requests for a safe harbor, as well as transparency
and redress.
56. The Commission finds that the mandatory blocking requirements it
adopts, along with the appropriate procedural safeguards described
herein, strike an appropriate balance between the benefit of blocking
calls likely to be illegal and the risk of blocking lawful calls. The
Commission acknowledges that this represents a shift, at least in part,
from the Commission's previous approach of permitting, rather than
mandating, blocking. The Commission agrees that ``[b]locking calls is a
serious and complicated action that must be precisely and judiciously
applied to avoid blocking lawful traffic.'' However, the Commission
disagrees with commenters that argue mandatory blocking requirements
are generally inappropriate. The Commission's existing permissive
blocking rules are still in effect; it encourages providers to make use
of permissive blocking, where available, to protect American consumers
from unwanted and illegal calls. The rules the Commission adopts
narrowly target the most obvious foreign-originated illegal calls,
including those calls that have already been determined to be illegal,
and enlist gateway providers into the fight to block these calls before
they enter the U.S. telephone network.
a. Blocking Following Commission Notification
57. The Commission adopts two of its proposals from the Gateway
Provider FNPRM. First, the Commission requires gateway providers to
block, rather than
effectively mitigate, illegal traffic when notified of such traffic by
the Commission. Second, it requires providers immediately downstream
from a gateway provider to block all traffic from the identified
provider when notified by the Commission that the gateway provider
failed to meet its obligation to block illegal traffic. To ensure that
gateway providers are afforded sufficient due process prior to
downstream providers blocking all traffic from them, the Commission
adopts a clear process that allows ample time for the notified gateway
provider to remedy the problem and demonstrate that it can be a good
actor in the calling ecosystem before the Commission directs downstream
providers to begin blocking. This process, laid out in greater detail
below, includes the following steps: (1) the Enforcement Bureau shall
provide the gateway provider with an initial Notification of Suspected
Illegal Traffic; (2) the gateway provider shall be granted time to
investigate and act upon that notice; (3) if the gateway provider fails
to respond or its response is deemed insufficient, the Enforcement
Bureau shall issue an Initial Determination Order, providing a final
opportunity for the gateway provider to respond; and (4) if the gateway
provider fails to respond or that response is deemed insufficient, the
Enforcement Bureau shall issue a Final Determination Order, directing
downstream providers to block all traffic from the identified provider.
58. Gateway Provider Blocking Following Commission Notification of
Suspected Illegal Traffic. The Commission first adopts its proposal to
require gateway providers to block, rather than simply effectively
mitigate, illegal traffic when notified of such traffic by the
Commission. In order to comply with this requirement, gateway providers
must block traffic that is substantially similar to the identified
traffic on an ongoing basis. As with the existing requirement for
providers to take steps to effectively mitigate illegal traffic when
notified, the Commission directs the Commission's Enforcement Bureau to
identify suspected illegal calls and provide written notice to gateway
providers that clearly indicates that the provider must comply with 47
CFR 64.1200(n)(5).
59. The Commission agrees with commenters that this blocking will
help protect American consumers by ensuring less illegal traffic
reaches their phones. An affirmative obligation for gateway providers
to block upon Commission notification ensures greater protection than
an ``effective mitigation'' requirement. This is particularly true
because gateway providers, by definition, are intermediate providers
and are thus a step removed from the caller, limiting their available
effective mitigation options.
60. The Commission therefore disagrees with commenters that urge it
to rely on the existing requirement to effectively mitigate this
traffic rather than to adopt this enhanced requirement. The Commission
also disagrees with providers that a separate set of obligations when
acting as a gateway provider complicates or increases the burden of
compliance because providers cannot easily determine if they are acting
as a gateway provider for a particular call. Here, per the process
described below, the Enforcement Bureau makes the initial determination
of whether the provider is acting as a gateway provider. (A provider
determines whether it is a ``gateway provider'' on a call-by-call
basis. A provider may be a gateway provider for some of the calls in
the identified traffic and a non-gateway originating provider,
non-gateway intermediate provider, or non-gateway terminating provider for
other calls in the identified traffic. If the provider is the gateway
provider for any of the calls in the traffic identified in the
Notification of Suspected Illegal Traffic, the provider must block all
traffic that is substantially similar to the identified traffic,
regardless of whether the provider is a gateway provider for any
particular call.) If the gateway provider is not directed to comply
with 47 CFR 64.1200(n)(5), but rather with 47 CFR 64.1200(n)(2), then
that provider will not be in violation of the Commission's rules for
effectively mitigating, rather than blocking, illegal traffic,
regardless of its position in the call path for a particular call.
61. Downstream Provider Blocking When Gateway Provider Fails to
Comply with Blocking Requirement. The Commission adopts its proposal
requiring providers immediately downstream from a gateway provider to
block all traffic from the identified provider when notified by the
Commission that the gateway provider failed to block. If the
Enforcement Bureau determines a gateway provider fails to satisfy 47
CFR 64.1200(n)(5), it shall publish and release an Initial
Determination Order as described below giving the provider a final
opportunity to respond to the Enforcement Bureau's initial
determination. If the Enforcement Bureau determines that the identified
gateway provider continues to violate its obligations, the Enforcement
Bureau shall release and publish a Final Determination Order in EB
Docket No. 22-174 to direct downstream providers to both block and
cease accepting all traffic they receive directly from the identified
gateway provider starting 30 days from the release date of the Final
Determination Order. (Ignorance of a Final Determination Order's
release is not sufficient reason for a downstream provider to fail to
block all traffic from the gateway provider unless such Order is not
posted in EB 22-174.)
62. The Commission agrees with several commenters that support this
requirement and disagrees with the lone commenter that objects to this
mandate. The Commission finds that this requirement is an appropriate
and proportional response where a gateway provider actively and
willfully refuses to be a good actor in the calling ecosystem. Blocking
all traffic from a particular provider is a dramatic step that will
likely also block some lawful traffic but is justified by the need to
protect consumers from foreign-originated illegal robocalls. Lawful
traffic can then be routed through other gateway providers that comply
with the Commission's rules.
63. Process for Issuing a Notification of Suspected Illegal
Traffic. The Enforcement Bureau shall make an initial determination
that the provider is a gateway provider for suspected illegal traffic
and notify the provider by issuing a written Notification of Suspected
Illegal Traffic. The Notification of Suspected Illegal Traffic shall:
(1) identify with as much particularity as possible the suspected
illegal traffic; (2) provide the basis for the Enforcement Bureau's
reasonable belief that the identified traffic is unlawful (the notice
should include any relevant nonconfidential evidence from credible
sources such as the industry traceback consortium or law enforcement
agencies); (3) cite the statutory or regulatory provisions the
suspected illegal traffic appears to violate; and (4) direct the
provider receiving the notice that it must comply with Sec.
64.1200(n)(5) of the Commission's rules.
64. The Enforcement Bureau's Notification of Suspected Illegal
Traffic shall specify a timeframe of no fewer than 14 days for an
identified gateway provider to complete its investigation and report
its results. Upon receiving such notice, the gateway provider must
promptly investigate the traffic identified in the notice and begin
blocking the identified traffic within the timeframe specified in the
Notification of Suspected Illegal Traffic unless its investigation
determines that the traffic is legal.
65. The Commission makes clear that the requirement to block on an
ongoing basis is not tied to the number in the caller ID field or any
other single criterion. Instead, the Commission requires the identified
provider to block on a continuing basis any traffic that is
substantially similar to the identified traffic and provide the
Enforcement Bureau with a plan as to how it expects to do so. The
Commission does not define ``substantially similar traffic'' in any
detail here because that will be a case-specific determination based on
the traffic at issue. The Commission declines to limit the scope of
``substantially similar traffic'' to only ``traffic sent by the
upstream entity that was responsible for sending the illegal robocall
traffic that triggered the Commission's notification.'' While gateway
providers may propose such a limitation in the blocking plan they
submit to the Enforcement Bureau, the Commission does not find that
such a limitation is appropriate in all instances. In particular, such
a limitation could make it easy for a bad actor to circumvent blocking
by simply routing their traffic through multiple upstream providers.
The Commission is also concerned that a detailed definition could allow
bad actors to circumvent this blocking by providing a roadmap as to how
to avoid detection. Additionally, the Commission notes that each
calling campaign will have unique qualities that are better addressed
on a case-by-case basis, where the analytics used can be tailored to
the particular campaign at issue. The Commission nevertheless
encourages gateway providers to consider common indicia of illegal
calls such as call duration; call completion ratios; large bursts of
calls in a short time frame; neighbor spoofing patterns; and sequential
dialing patterns. The Commission makes clear that these are not the
only criteria that the gateway provider may consider in developing its
plan, and that not all criteria may be relevant in all situations.
Gateway providers will have flexibility to determine the correct
approach for each particular case, but a gateway provider must provide
a detailed plan in its response to the Enforcement Bureau so that the
Bureau can assess the plan's sufficiency. If the Enforcement Bureau
determines that the plan is insufficient, it shall provide the gateway
provider an opportunity to remedy the deficiencies prior to taking
further action. The Commission will consider the identified provider to
be in compliance with its mandatory blocking rule if it blocks traffic
in accordance with its approved plan. However, the Commission makes
clear that the Enforcement Bureau may require the identified provider
to modify its approved plan if it determines that the identified
provider is not blocking substantially similar traffic. Additionally,
if the Enforcement Bureau finds, based on the evidence, that the
identified provider continues to allow suspected illegal traffic onto
the U.S. network, it may proceed to an Initial Determination Order or
Final Determination Order, as appropriate. Finally, the Commission
adopts a limited safe harbor from liability under the Communications
Act or its rules for gateway providers that inadvertently block lawful
traffic as part of the requirement to block substantially similar
traffic in accordance with the gateway provider's approved plan. While
the Commission agrees that a safe harbor for inadvertent over-blocking
is warranted, it declines to provide a safe harbor for under-blocking
within this rule. A gateway provider that is under-blocking and not
fully cooperating with the Enforcement Bureau to address the issue
should not be granted protection from liability under the very rule
with which it fails to comply.
66. Gateway Provider Investigation. Each notified provider must
investigate the identified traffic and report the results of its
investigation to the Enforcement Bureau in the timeframe specified in
the Notification of Suspected Illegal Traffic. If the provider's
investigation determines that it served as the gateway provider for the
identified traffic, it must block the identified traffic within the
timeframe specified in the Notification of Suspected Illegal Traffic
(unless its investigation determines that the traffic is not illegal)
and include in its report to the Enforcement Bureau: (1) a
certification that it is blocking the identified traffic and will
continue to do so; and (2) a description of its plan to identify and
block substantially similar traffic on an ongoing basis. If the
provider's investigation determines that the identified traffic is not
illegal, it shall provide an explanation as to why the provider
reasonably concluded that the identified traffic is not illegal and
what steps it took to reach that conclusion. Absent such a showing, or
if the Enforcement Bureau determines based on the evidence that the
traffic is illegal despite the provider's assertions, the identified
traffic will be deemed illegal. If a provider's investigation
determines it did not serve as a gateway provider for any of the
identified traffic, its report shall provide an explanation as to how
it reached that conclusion and, if it is a non-gateway intermediate or
terminating provider for the identified traffic, the provider must
identify the upstream provider(s) from which it received the identified
traffic and, if possible, take lawful steps to mitigate this traffic.
(Such steps could include, for example, enforcing contract terms, or
blocking the calls from bad actor providers consistent with the safe
harbor found in 47 CFR 64.1200(k)(4).) If the notified provider
determines that it is the originating provider for the identified
traffic, or the traffic otherwise comes from a source that does not
have direct access to the U.S. public switched telephone network, the
notified provider must comply with 47 CFR 64.1200(n)(2) by effectively
mitigating the identified traffic and report to the Enforcement Bureau
any steps the provider has taken to effectively mitigate the identified
traffic. If the gateway provider determines that the traffic is not
illegal, it must inform the Enforcement Bureau and explain its
conclusion within the specified timeframe.
67. Process for Issuing an Initial Determination Order. If the
gateway provider fails to respond to the notice within the specified
timeframe, the Enforcement Bureau determines that the response is
insufficient, the Enforcement Bureau determines that the gateway
provider is continuing to allow substantially similar traffic onto the
U.S. network, or the Enforcement Bureau determines based on the
evidence that the traffic is illegal despite the provider's assertions,
the Enforcement Bureau shall issue an Initial Determination Order to
the gateway provider stating its determination that the gateway
provider is not in compliance with 47 CFR 64.1200(n)(5). This Initial
Determination Order must include the Enforcement Bureau's reasoning for
its determination and give the gateway provider a minimum of 14 days to
provide a final response prior to the Enforcement Bureau's final
determination as to whether the gateway provider is in compliance with
47 CFR 64.1200(n)(5).
68. Process for Issuing a Final Determination Order. If the gateway
provider does not provide an adequate response to the Initial
Determination Order or continues to allow substantially similar traffic
onto the U.S. network, or the Enforcement Bureau determines based on
the evidence that the traffic is illegal despite the provider's
assertions, the Enforcement Bureau shall issue a Final Determination
Order. The Enforcement Bureau shall publish the Final Determination
Order in EB Docket No. 22-174 to direct downstream providers
to both block and cease accepting all traffic they receive directly
from the identified gateway provider starting 14 days from the release
date of the Final Determination Order. This Final Determination Order
may be adopted up to one year after the release date of the Initial
Determination Order and may be based on either an immediate failure to
comply with 47 CFR 64.1200(n)(5) or a determination that the gateway
provider has failed to meet its ongoing obligation to block
substantially similar traffic under that rule.
69. Each Final Determination Order shall state the grounds for the
Bureau's determination that the gateway provider has failed to comply
with its obligation to block illegal traffic and direct downstream
providers to initiate blocking 14 days from the release date of the
Final Determination Order. A provider that chooses to initiate blocking
sooner than 14 days from the release date may do so consistent with the
Commission's existing safe harbor in 47 CFR 64.1200(k)(4).
b. Do-Not-Originate
70. The Commission further requires gateway providers to block
calls based on a reasonable DNO list. A ``DNO list'' is a list of
numbers that should never be used to originate calls, and therefore any
calls that include a listed number in the caller ID field can be
blocked. The Commission declines to mandate the use of a specific list,
but allows gateway providers to use any DNO list so long as the list is
reasonable. The Commission declines to mandate the use of a specific
list, but gateway providers must use at least one DNO list, so long as
the list is reasonable. Such a list may include only invalid,
unallocated, and unused numbers, as well as numbers for which the
subscriber to the number has requested blocking.
71. Reasonable DNO lists may include only the listed categories of
numbers described in the preceding paragraph, but the Commission does
not require that such DNO lists include all possible covered numbers in
order to be reasonable. In particular, the Commission recognizes that
unused numbers may be difficult to identify, and that a reasonable list
may err on the side of caution. The Commission makes clear, however,
that a list so limited in scope that it leaves out obvious numbers that
could be included with little effort may be deemed unreasonable.
72. In the 2017 Call Blocking Order, 82 FR 44118 (Sept. 21, 2017),
the Commission specifically found that, where the subscriber to the
originating number requests blocking, calls purporting to be from that
number are ``highly likely to be illegal and to violate the
Commission's anti-spoofing rule, with the potential to cause harm,
defraud, or wrongfully obtain something of value.'' Spoofing of this
sort is particularly damaging as it can be used to foster consumer
trust and bolster imposter scams. Therefore, the Commission finds that
a reasonable list would need to include, at a minimum, any inbound-only
government numbers where the government entity has requested the number
be included. It must additionally include private inbound-only numbers
that have been used in imposter scams, when a request is made by the
private entity assigned such a number. (The current list maintained by
the Industry Traceback Group is reasonable. The Commission declines,
however, to deem that list ``presumptively reasonable'' as NCTA-The
Internet & Television Association suggests. While the Commission agrees
that the list, as it currently stands ``would advance the Commission's
goal of reducing harmful spoofing and imposter scams,'' it is concerned
that deeming it ``presumptively reasonable'' does not account for the
fact that the list is not under Commission control and could be
modified, or no longer updated, at any time without Commission input.)
In either scenario, the provider or the third party that manages the
DNO list may impose reasonable requirements on including the numbers,
such as requiring that the number is currently being spoofed at a
substantial volume. (Multiple parties requested this or a similar
clarification, to address concerns that some switches may have limits
on the total amount of numbers that can be blocked.) Gateway providers,
or those managing such a list on behalf of gateway providers, should
ensure that entities can reasonably request inclusion on the list.
73. The Commission agrees with commenters that support a DNO
mandate. The Commission further agrees with one commenter that urged
the Commission to look to existing DNO lists for this purpose. While
the Commission does not endorse a specific list, it encourages industry
to either make use of existing tools or develop new ones to serve this
purpose. Gateway providers may choose the list that works best for
their networks so long as that list is reasonable. Because the
Commission finds that a single, centralized list is not the correct
approach, it declines to develop a ``high availability application or
online tool'' as one commenter suggests. The Commission is concerned
that a centralized list could present security concerns and allow bad
actors to circumvent blocking by providing a clear list of numbers to
avoid spoofing. (In some instances, there is still value in a DNO list
even when bad actors know what numbers are included. For example,
consumer trust may increase when the caller cannot spoof a known number
associated with the caller the bad actor is attempting to impersonate.
A non-public list, at a minimum, slows bad actors in their efforts to
switch numbers and prevents some calls from reaching consumers.)
74. The Commission disagrees with the commenter that argued the
mandate is unnecessary because many providers already use a DNO list to
block calls. The Commission recognizes that providers have used DNO
lists to reduce the number of illegal calls that reach consumers, and
the Commission applauds these industry efforts. The Commission finds
that enlisting all gateway providers in this effort will further reduce
the risk of illegal calls reaching consumers. There is no legitimate
reason for the caller to use numbers that appear on a DNO list.
Therefore, these calls, if they reach even a single consumer, cause
harm. The Commission also declines to deem gateway providers in
compliance with this requirement if they have implemented a reasonable
DNO in some parts of their network but not at the gateway. The intent
of this rule is to stop foreign-originated illegal calls from entering
the U.S. network at all. If these calls are not stopped at the gateway,
there is a risk that they will not be blocked at all and will therefore
reach consumers.
c. No Analytics-Based Call Blocking Mandate
75. The Commission declines at this time to require gateway
providers to block calls that are highly likely to be illegal based on
reasonable analytics. The Commission agrees with commenters' concerns
regarding mandating such blocking. Additionally, the Commission finds
that many of the arguments against mandatory blocking generally, while
not persuasive in the context of other rules the Commission adopts, are
persuasive in this context. An analytics-based blocking mandate would
require the Commission to more strictly define ``reasonable analytics''
in order for gateway providers to be certain that they are in
compliance with a mandatory blocking rule. To do so may be
counterproductive and prevent providers from responding to evolving threats.
The Commission is also concerned that providing a strict
definition, while certainly valuable to lawful callers, could
potentially provide a road map bad actors could use to circumvent
blocking. These concerns, coupled with the need for truly robust
redress mechanisms for callers when the blocking is not initiated by
the consumer and therefore cannot be corrected by the consumer, support
the Commission's decision not to require such blocking at this time.
(Several commenters, while objecting to a blocking mandate, urged the
Commission to extend its safe harbor for blocking based on reasonable
analytics to all providers in the call path, either in conjunction with
a mandate or as an alternative. Because the Commission does not adopt
such a mandate, it declines to reach the question of whether a safe
harbor would be a necessary part of such a requirement. At this time,
the Commission also declines to consider further extending the safe
harbor absent such a mandate, as such an extension would be outside the
scope of this document).
d. No Blocking Safe Harbor
76. Except as described above, the Commission declines to adopt a
safe harbor for providers that block consistent with the rules the
Commission adopts. Several comments addressing safe harbors focused on
blocking based on reasonable analytics, and in some cases on extending
the Commission's existing safe harbor instead of mandating blocking.
The Commission does not adopt a reasonable analytics blocking mandate,
and extending the existing safe harbor is outside of the scope of this
document. Other comments did support a safe harbor more broadly,
without tying the request to reasonable analytics. However, the
Commission finds that the rules it adopts remove the need for such a
safe harbor. In the case of blocking based on Commission notification,
there is no need for a safe harbor where there is a clear Commission
directive to block particular traffic directed at an individual
provider. Nor is a safe harbor necessary for the downstream provider
blocking requirement because the immediate downstream provider is
required to block all traffic from the identified provider, regardless
of whether that provider is a gateway provider for the particular
traffic. There is no judgment call for a provider to make that could
require a safe harbor. The Commission declines CTIA's request to
establish a safe harbor for blocking based on a reasonable
DNO list. First, providers have been permitted to engage in this type
of blocking since 2017, and no commenter has pointed to any liability
issues regarding over-blocking in this context. A gateway provider that
is concerned about the possibility that they may not be able to keep a
list containing unallocated or unused numbers fully up to date is not
required to include those numbers on the list; while these numbers may
be included, they are not mandatory. Providers that are concerned about
possible under-blocking should take steps to ensure they are making use
of a reasonable DNO list, and the Commission sees no reason to provide
additional protection.
e. Protections for Lawful Calls
77. Consistent with the Commission's existing blocking rules,
gateway providers must never block emergency calls to 911 and must make
all reasonable efforts to ensure that calls from PSAPs and Government
emergency numbers are not blocked. The Commission declines to adopt
additional transparency and redress requirements at this time or extend
any other existing requirements that would not already apply to the
blocking mandates the Commission adopts. The new mandatory blocking
rules either require the Commission to direct blocking, in which case
the blocking provider is not in a position to provide redress, or
target categories of calls that have been permissible to block since
2017. Some commenters expressed concerns about transparency and
redress. The Commission recognizes some concerns regarding the
potential for lawful calls to be blocked are valid, such as when a
provider relies on analytics to make blocking decisions. These concerns
do not apply here, however, where blocking is either at the direction
of the Commission or based on a reasonable DNO list.
f. Compliance Deadline
78. The Commission requires gateway and downstream providers to
comply with the requirements to block upon Commission notification no
later than 60 days after publication of this document in the Federal
Register. Additionally, the Commission requires gateway providers to
comply with the DNO blocking requirement no later than 30 days after
publication of notice of OMB approval under PRA. The Commission finds
that requiring gateway providers to comply with these rules quickly
imposes a minimal burden. In the case of blocking upon Commission
notification, gateway providers need not make any changes to their
processes prior to receipt of such a notification, and the Commission
allows time for a gateway provider to comply following that
notification. The Commission acknowledges that gateway providers that
do not already block based on a DNO list may need to identify or
develop such a list in order to comply with that particular
requirement. However, the PRA approval process gives providers ample
time to do so, and providers may use one of the existing DNO lists to
meet this requirement with minimal burden.
3. ``Know Your Upstream Provider''
79. The Commission adopts a modified version of its proposal to
require gateway providers to ``know the customer.'' Recognizing the
difficulty posed by a requirement for gateway providers to know
information about the caller, who is likely not their customer and with
whom they have no relationship, the Commission instead requires gateway
providers to ``know'' the immediate upstream foreign provider from
which they receive traffic with U.S. numbers in the caller ID field.
Specifically, the Commission requires gateway providers to take
reasonable and effective steps to ensure that the immediate upstream
foreign provider is not using the gateway provider to carry or process
a high volume of illegal traffic onto the U.S. network.
80. The record supports deeming the immediate upstream foreign
provider as ``customer'' for these purposes, rather than the caller.
Though one commenter favored adopting its original proposal, the
Commission agrees with other commenters that it would be difficult, if
not impossible, for gateway providers to routinely confirm that a
particular caller is authorized to use a U.S. number. By definition, a
gateway provider is an intermediate provider and is thus at least one
step removed from the caller. By contrast, the gateway provider must
have a direct relationship with the upstream foreign provider from
which it accepts traffic, which allows the gateway provider to ``know''
that upstream provider. This approach best balances the benefit of
holding gateway providers responsible for calls they allow into the
U.S. network with the difficulty of determining information about a
caller that may be several hops away from the gateway.
81. The Commission agrees with the commenter that argues that the
Commission's existing, flexible approach to know-your-customer
requirements, rather than specific mandates, is appropriate in the
gateway context. The Commission does not mandate the steps gateway
providers must take in order to ``know'' the upstream foreign provider.
Instead, the Commission allows gateway providers
the flexibility to determine the exact measures to take, including
whether to adopt contractual provisions with their upstream providers
to meet this obligation, and the contours of any such provisions. (The
Commission notes that several commenters argued contract terms can be a
valuable way of meeting a know-your-customer obligation and mitigating
robocalls.) This approach is consistent with the Commission's existing
requirement for originating providers to implement effective measures
to prevent new and renewing customers from originating illegal calls,
and allows each gateway provider to determine the best approach for its
network and customers. (For the same reason, the Commission does not
require gateway providers to enter into contractual provisions with
their upstream provider to meet this know-your-upstream-provider
requirement or any other new requirements the Commission adopts.
However, gateway providers must explain the steps they have taken to
meet their know-your-upstream-provider obligation in their Robocall
Mitigation Database certification.) The Commission makes clear, however,
that gateway providers must take effective steps. If a gateway provider
repeatedly allows a high volume of illegal traffic onto the U.S.
network, the steps that provider has taken are not effective and must
be modified for that provider to be in compliance with the Commission's
rules.
82. The Commission recognizes concerns about the effectiveness of
such a requirement, since the foreign provider upstream of the gateway
may not be the source of the calls. The Commission agrees that the
ideal approach would be for any obligation to fall to the originating
provider, as in the Commission's existing rules. Unfortunately, in the
case of foreign-originated calls, the Commission faces substantial
difficulties in enforcing such an obligation on the foreign originating
provider. (Due to this jurisdictional issue, the Commission imposes
this obligation on the gateway provider as the first U.S.-based
provider in the call path.) The Commission recognizes that gateway
providers cannot prevent all instances of illegal calls from entering
the U.S. network. In particular, a gateway provider's previously
effective steps may become unexpectedly ineffective due to changes in
factors outside of the gateway provider's control, particularly when
the gateway provider is multiple hops from the call originator. (The
Commission further acknowledges that, no matter how effective a gateway
provider's methods are, some illegal calls may make up a portion of the
traffic that it originates onto the U.S. network, and makes clear that
the fact that some illegal calls evade detection does not necessarily
make a gateway provider's methods ineffective. The Commission therefore
agrees with parties that asked it to clarify that ``occasionally
serving as a gateway provider for illegal robocalls, particularly where
those illegal calls are an insignificant fraction of that provider's
traffic, does not inherently make the provider's practices
ineffective.'' The Commission declines, however, to adopt the specific
language proposed by the INCOMPAS et al. May 6 Ex Parte. The Commission
makes clear, however, that a ``high volume of illegal traffic'' is a
relative measure that is determined, in part, by what percentage of the
traffic for which the provider is a gateway provider is illegal.) The
Commission therefore reiterates that, as with its existing rule, it
does not expect perfection. The Commission does require gateway
providers to take reasonable steps, and it encourages gateway providers
to regularly evaluate and adjust their approach so that they remain
reasonable and effective. (Reasonable steps may include, but are not
limited to, investigation of the practices of the upstream provider,
modification of contracts to allow termination where issues arise, and/
or monitoring incoming traffic for issues on an ongoing, proactive,
basis.)
83. Because the Commission does not adopt the exact proposal in the
Gateway Provider FNPRM, it declines to address roaming or adopt a
carve-out for emergency calls. (The Commission further addresses roaming
traffic in the accompanying FNPRM.) The rule the Commission adopts does
not require gateway providers to block calls when they cannot confirm
that the caller is authorized to use a particular U.S. number in the
caller ID field, and therefore is unlikely to have a detrimental effect
on roaming or emergency traffic. The Commission also declines to adopt
alternative proposals in the record that fall outside the scope of this
document, including YouMail's proposal for post-contracting know-your-
customer, i3forum's ``know your traffic'' proposal, or ZipDX's proposal
to expand the requirement to cover all high-volume, non-conversational
traffic even when such traffic is not foreign originated.
84. Compliance Deadline. The Commission requires gateway providers
to comply with this rule no later than 180 days after publication of
this document in the Federal Register. The Commission agrees with the
commenter that argued that requiring compliance 30 days after
publication may be insufficient for such a requirement. Allowing 180
days after publication ensures that gateway providers have sufficient
time to develop effective systems and make any modifications to their
networks or practices to implement these measures.
4. General Mitigation Standard
85. In addition to the specific mitigation requirements that the
Commission adopts above, it also requires gateway providers to meet a
general obligation to mitigate illegal robocalls regardless of whether
they have fully implemented STIR/SHAKEN on the IP portions of their
network. The Commission takes this step now because of the unique and
key role that gateway providers play in the call path. Specifically,
the Commission now requires all gateway providers to take ``reasonable
steps to avoid carrying or processing illegal robocall traffic.'' The
Commission does not require that the gateway provider take specific
steps to meet this standard, in line with the existing requirement for
voice service providers. The majority of commenters support the
adoption of a general mitigation standard for gateway providers.
86. As with voice service providers subject to the ``reasonable
steps'' standard, gateway providers must also implement a robocall
mitigation program and, as explained above, file that plan along with a
certification in the Robocall Mitigation Database. The record reflects
significant support for adopting, at a minimum, a mitigation duty for
gateway providers in addition to requiring them to submit a
certification to the Robocall Mitigation Database. The Commission
therefore adopts, consistent with its proposal, a mitigation duty for
gateway providers that closely tracks the analogous rule for voice
service providers. Specifically, a gateway provider's plan is
``sufficient if it includes detailed practices that can reasonably be
expected to significantly reduce the [carrying or processing] of
illegal robocalls.'' Moreover, a gateway provider ``must comply with
the practices'' that its plan requires, and its program is insufficient
if the gateway provider ``knowingly or through negligence [carries or
processes calls] for unlawful robocall campaigns.''
87. The Commission requires gateway providers to mitigate traffic
under the ``reasonable steps'' standard even if they have implemented
STIR/SHAKEN for several reasons. First, the Commission notes the strong
support in the record
for requiring gateway provider mitigation, regardless of their STIR/
SHAKEN status, with certain commenters explicitly advocating for both
gateway provider authentication and mitigation. Commenters agree that
gateway providers are uniquely positioned to stop the entry of
robocalls into this country, increasing the importance of strong
mitigation.
88. Second, both the current record and the experience since the
Second Caller ID Authentication Report and Order have shown that while
STIR/SHAKEN is an effective tool to stop illegal robocalls, it is not a
``silver bullet,'' particularly in those cases where a robocaller is
using a properly assigned telephone number. Providers, especially
gateway providers serving as the entry point to the U.S. marketplace,
can and must do more to stop robocalls. This is particularly the case
while STIR/SHAKEN mandates by foreign governments and implementation by
foreign providers remain limited.
89. Finally, the Commission anticipates that a general mitigation
duty applicable to all gateway providers regardless of whether they
have implemented STIR/SHAKEN will ``provide a valuable backstop'' to
the other obligations the Commission adopts because call blocking, and
traceback based on notice ``cannot take the place of the proactive
dut[y] to mitigate harmful traffic.'' For all these reasons, the
Commission disagrees with INCOMPAS and T-Mobile that it should not
impose mitigation obligations on gateway providers that have
implemented STIR/SHAKEN and finds that requiring gateway providers that
have implemented STIR/SHAKEN to also meet the Commission's ``reasonable
steps'' mitigation standard ``would be an efficient use of their
resources.'' The Commission does not adopt an alternative mitigation
standard for gateway providers including a requirement proposed in the
Gateway Provider FNPRM based on the existing duty for providers to take
``affirmative, effective measures to prevent new and renewing customers
from using their network to originate illegal calls.'' The Commission
notes, however, that under the rules it adopts, gateway providers must
also comply with the ``know-your-upstream-provider'' standard, and steps
a gateway provider takes to meet one standard could meet the other, and
vice versa.
90. The Commission concludes that gateway providers' key role in
facilitating the transmission of foreign-originated robocalls to U.S.
consumers warrants imposing the ``reasonable steps'' mitigation duty on
these providers without delay. While several commenters argue in the
record for adopting more specific and broader duties on all domestic
providers, the Commission leaves open for consideration such an
expansion in the accompanying FNPRM. For example, it does not at this
time require gateway providers to take specific actions to meet the
``reasonable steps'' standard. Nor does it require voice service
providers or other intermediate providers to comply with the unique
requirements it adopts for gateway providers, including the obligation
to meet a general mitigation obligation even if they have fully
implemented STIR/SHAKEN. Given the scope of the Gateway Provider FNPRM
and the limited record evidence submitted regarding specific proposals,
the Commission does not take these additional steps at this time.
91. Compliance Deadline. The Commission requires gateway providers
to comply with the ``reasonable steps'' standard within 30 days of the
effective date of this document. The Commission concludes that this is
an appropriate period because the Commission does not mandate specific
steps that gateway providers must take to meet this requirement other
than submitting a certification to the Robocall Mitigation Database,
and many gateway providers are already mitigating illegal call traffic.
The compliance date for the requirement to submit a certification and
mitigation plan to the Robocall Mitigation Database is 30 days
following Federal Register notice of OMB approval of the relevant
information collection requirements, and the Commission expects
providers to refine their ``reasonable steps'' in light of additional
time and marketplace developments prior to submission into the Robocall
Mitigation Database.
F. Summary of Cost Benefit Analysis
92. The Commission finds that the benefits of the rules it adopts
will greatly outweigh the costs imposed on gateway providers. The
Commission sought comment on its belief that the proposed rules, viewed
collectively, would account for a large share of the annual $13.5
billion minimum benefit the Commission originally estimated in the
First Caller ID Authentication Report and Order, 85 FR 22029 (April 21,
2020), and FNPRM, 85 FR 22099 (April 21, 2022), because of the large
share of illegal calls originating outside of the United States. While
some commenters argue that the individual requirements may not provide
substantial benefit taken individually or that there is no benefit to
imposing obligations solely on gateway providers, others agree that the
requirements the Commission adopts will benefit consumers and the
calling ecosystem. The Commission finds that these requirements, taken
together, will achieve a large share of the annual $13.5 billion
minimum benefit. In addition, the Commission finds that there are many
additional, non-quantifiable benefits from these rules, including
restoring confidence in the U.S. telephone network and reliable access
to the emergency and healthcare communications that save lives, reduce
human suffering, and prevent the loss of property.
93. The Commission finds that the costs imposed on gateway
providers are, in many instances, minimal and in all cases do not
exceed the benefits. For example, a number of gateway providers are
already required to implement STIR/SHAKEN in some portions of their
networks because they do not solely act as gateway or intermediate
providers, but may also serve as originating or terminating providers
for some calls. In these cases, the additional burden to implement
STIR/SHAKEN where a provider is acting as a gateway provider may be
limited and has declined over time. Similarly, requiring gateway
providers to block, rather than effectively mitigate, illegal traffic
when notified by the Commission does not represent a burden increase,
and in some cases may even be a burden decrease by eliminating the need
to determine what mitigation is effective in a particular instance. As
explained, the Commission disagrees with the burden estimates proffered
by some commenters. However, even if the Commission does credit those
claims, the expected minimum benefit is, as explained, so large that it
will greatly outweigh the expected burden. (Contrary to USTelecom's
assertion, the Commission does not take the position that it ``can
adopt any individual regulation to fight illegal robocalls, no matter
the cost or benefit of that particular regulation, as long as the
aggregate cost of requirements is less than $13.5 billion.'' Rather,
the Commission concludes that the requirements it adopts here will
result in a ``large share'' of the $13.5 billion annual projected
benefits from eliminating illegal robocalls, and no party has asserted
that the purported costs of any or all of these regulations would cost
either in one year or over several years a ``large share'' of $13.5
billion.)
94. Moreover, although the rules the Commission adopts will impose
higher short-term costs on gateway providers
for implementation, it finds that they will lead to lower long-term
costs. Specifically, the Commission finds that an overall reduction in
illegal robocalls will greatly lower network costs for the gateway
providers and other domestic service providers by eliminating both the
unwanted traffic congestion and labor costs of handling numerous
customer complaints, and by enabling those providers to trace calls
back to the originator more quickly and efficiently.
G. Legal Authority
95. Consistent with its proposals, the Commission adopts the
foregoing obligations pursuant to the legal authority the Commission
relied on in prior caller ID authentication and call blocking orders.
The Commission notes that no commenter questioned its proposed legal
authority. (USTelecom suggests that because C-level attestations are
``untethered to the call authentication goal,'' the TRACED Act does not
provide authority to adopt a gateway provider authentication
requirement. But USTelecom's argument is inapposite because the
Commission does not rely on the TRACED Act for its authority to impose
this obligation, and USTelecom does not assert that the Commission
otherwise lacks authority to impose a gateway provider authentication
obligation.)
96. Caller ID Authentication. The Commission finds authority to
impose caller ID authentication obligations on gateway providers under
section 251(e) of the Communications Act of 1934 (the Act) and the
Truth in Caller ID Act. In the Second Caller ID Authentication Report
and Order, the Commission found it had the authority to impose caller
ID authentication obligations on intermediate providers under these
provisions. It reasoned that ``[c]alls that transit the networks of
intermediate providers with illegally spoofed caller ID are exploiting
numbering resources'' and so found authority under section 251(e). It
found ``additional, independent authority under the Truth in Caller ID
Act'' on the basis that such rules were necessary to ``prevent . . .
unlawful acts and to protect voice service subscribers from scammers
and bad actors,'' stressing that intermediate providers ``play an
integral role in the success of STIR/SHAKEN across the voice network.''
While the Second Caller ID Authentication Report and Order did not
specifically discuss gateway providers, the Commission uses the same
legal authority to impose an authentication obligation on gateway
providers because it defines gateway providers as a subset of
intermediate providers.
97. Robocall Mitigation and Call Blocking. The Commission adopts
its robocall mitigation and call blocking provisions for gateway
providers pursuant to sections 201(b), 202(a), 251(e), the Truth in
Caller ID Act, and its ancillary authority, consistent with the
authority it invoked to adopt analogous rules.
98. The Commission concludes that section 251(e) and the Truth in
Caller ID Act authorize it to prohibit intermediate providers and
voice service providers from accepting traffic from gateway providers
that do not appear in the Robocall Mitigation Database. In the Second
Caller ID Authentication Report and Order, the Commission concluded,
``section 251(e) gives us authority to prohibit intermediate providers
and voice service providers from accepting traffic from both domestic
and foreign voice service providers that do not appear in [the Robocall
Mitigation Database],'' noting that its ``exclusive jurisdiction over
numbering policy provides authority to take action to prevent the
fraudulent abuse of NANP resources.'' The Commission observed that
``[i]llegally spoofed calls exploit numbering resources whenever they
transit any portion of the voice network--including the networks of
intermediate providers'' and that ``preventing such calls from entering
an intermediate provider's or terminating voice service provider's
network is designed to protect consumers from illegally spoofed
calls.'' The Commission found that the Truth in Caller ID Act provided
additional authority for its actions to protect voice service
subscribers from illegally spoofed calls.
99. The Commission also concludes that sections 201(b), 202(a), and
251(e) of the Act, as well as the Truth in Caller ID Act and its
ancillary authority, support the mandatory mitigation and blocking
obligations the Commission imposes on gateway providers here. In the
Fourth Call Blocking Order, the Commission required providers ``to take
affirmative, effective measures to prevent new and renewing customers
from originating illegal calls,'' which includes a duty to ``know''
their customers. Additionally, the Commission required providers to
``take steps to effectively mitigate illegal traffic when notified by
the Commission,'' which may require blocking when applied to gateway
providers. The Commission also adopted traceback obligations.
100. The Commission concluded that it had the authority to adopt
these requirements pursuant to sections 201(b), 202(a), and 251(e) of
the Act, as well as the Truth in Caller ID Act and its ancillary
authority. Sections 201(b) and 202(a) provide the Commission with
``broad authority to adopt rules governing just and reasonable
practices of common carriers.'' Accordingly, the Commission found that
the new blocking rules were ``clearly within the scope of our section
201(b) and 202(a) authority'' and ``that it is essential that the rules
apply to all voice service providers,'' applying its ancillary
authority in section 4(i). The Commission also found that section
251(e) and the Truth in Caller ID Act provided the basis ``to prescribe
rules to prevent the unlawful spoofing of caller ID and abuse of NANP
resources by all voice service providers,'' a category that includes
Voice over Internet Protocol (VoIP) providers and, in the context of
the Commission's call blocking orders, gateway providers. The
Commission concludes that the same authority provides a basis to adopt
the mitigation and blocking obligations on gateway providers the
Commission adopts in this document to the extent that gateway providers
are acting as common carriers.
101. While the Commission concludes that its direct sources of
authority provide an ample basis to adopt its proposed rules on all
gateway providers, its ancillary authority in section 4(i) provides an
independent basis to do so with respect to gateway providers that have
not been classified as common carriers. The Commission concludes that
the regulations adopted in this document are ``reasonably ancillary to
the Commission's effective performance of its . . . responsibilities''
because gateway providers that interconnect with the public switched
telephone network and exchange IP traffic clearly offer ``communication
by wire and radio.''
102. Requiring gateway providers to comply with the Commission's
proposed rules is reasonably ancillary to the Commission's effective
performance of its statutory responsibilities under sections 201(b),
202(a), 251(e), and the Truth in Caller ID Act as described above. With
respect to sections 201(b) and 202(a), absent application of the
Commission's proposed rules to gateway providers that are not
classified as common carriers, originators of international robocalls
could circumvent its proposed scheme by sending calls only to such
gateway providers to reach the U.S. market.
103. Indirect Effect on Foreign Service Providers. The Commission
confirms its conclusion in the Gateway Provider FNPRM that, to the
extent any of the rules it adopts have an effect on foreign
service providers, that effect is only indirect and therefore
consistent with the Commission's authority, and the Commission finds
that it does not conflict with any of its international treaty
obligations. (The Commission expressly sought comment on ``whether any
of our proposed rules would be contrary to any of our international
treaty obligations.'' No commenter identified any international treaty
obligations that would be contravened by the Commission's new
requirement, nor is the Commission aware of any.) No commenter argues
otherwise. In the Second Caller ID Authentication Report and Order, the
Commission acknowledged an indirect effect on foreign providers but
concluded that it was permissible under Commission precedent affirmed
by the courts. This includes the authority, pursuant to section 201,
for the Commission to require that U.S. providers modify their
contracts with foreign providers with respect to ``foreign
communication'' to ensure that the charges and practices are ``just and
reasonable,'' as the Commission does here. The obligations the
Commission adopts only impose such an indirect effect.
104. Several parties argue that foreign providers may not be able
to file in the Robocall Mitigation Database because foreign legal
obligations may prevent them from satisfying the traceback obligations
imposed on all such filers. (The Commission notes that these
obligations arise out of the prohibition established in the Second
Caller ID Authentication Report and Order on receiving calls carrying
U.S. NANP numbers from foreign providers not listed in the Robocall
Mitigation Database.) To the extent that foreign providers face bona
fide domestic legal constraints that conflict with any of the
certifications or attestations required of Robocall Mitigation Database
filers, the Commission clarifies that they may still submit a
certification to the Robocall Mitigation Database. The Commission
recommends that foreign providers explain any such domestic legal
constraints as part of their certification. The Commission directs the
Wireline Competition Bureau to make any limited, necessary changes to
the Robocall Mitigation Database to ensure that foreign providers are
able to provide any necessary explanations.
II. Order on Reconsideration
105. In this document, the Commission expands the requirement that
voice service providers only accept calls carrying U.S. NANP numbers
from foreign-originating providers listed in the Robocall Mitigation
Database so that domestic providers may only accept calls carrying U.S.
NANP numbers sent directly from foreign-originating or intermediate
providers that are listed in the Robocall Mitigation Database,
including those that have not been de-listed through enforcement
action. (The Commission adopts this change in response to both CTIA's
and Voice on the Net Coalition's (VON) Petitions, as well as the
Gateway Provider FNPRM, which sought comment on whether to eliminate,
retain, or enhance the requirement that voice service providers only
accept calls carrying U.S. NANP numbers from foreign providers listed
in the Robocall Mitigation Database.) In doing so, the Commission
resolves the petitions of CTIA and VON seeking reconsideration of the
existing requirement, and ends the stay of enforcement of that
requirement in the Gateway Provider FNPRM. (The VON Petition also seeks
reconsideration of ``the requirement in Sec. 64.6305(b)(4) that voice
service providers filing certifications provide the name, telephone
number and email address of a central point of contact within the
company responsible for addressing robocall-mitigation-related
issues.'' The Commission does not address that issue at this time, but
may do so at a later date.)
A. Ending the Stay of Enforcement and Extending the Requirement To
Include Calls Received Directly From Intermediate Foreign Providers
106. In response to the Gateway Provider FNPRM and the Petitions
for Reconsideration filed by CTIA and VON, the Commission has
reconsidered the requirement that voice service providers only accept
calls carrying U.S. NANP numbers from foreign voice service providers
listed in the Robocall Mitigation Database and has concluded that
amendment of the initial requirement is necessary to ensure that it
more comprehensively protects American consumers from foreign-
originated illegal robocalls. The Commission now resumes enforcement of
the requirement and expands its scope so that domestic providers now may
only accept calls directly from a foreign provider that originates,
carries, or processes a call if that foreign provider is registered in
the Robocall Mitigation Database and has not been de-listed pursuant to
enforcement action. The Commission finds that such an extension of the
requirement to include calls received from foreign intermediate
providers as well as foreign-originating providers is consistent with
the record and will better equip domestic providers to protect American
consumers from foreign-originated illegal robocalls without causing
widespread disruptions of lawful traffic.
107. Several commenters support this approach, including CTIA. In
its comments, CTIA notes that industry stakeholders have made
significant strides in encouraging their foreign partners to implement
robocall mitigation programs so that they can register in the Robocall
Mitigation Database, with many reporting that ``all, or nearly all, of
their foreign partners that originate traffic have now registered,''
even absent enforcement of the requirement. Indeed, as of May 17, 2022,
875 foreign voice service providers have filed in the Robocall
Mitigation Database, out of a total 6,285 voice service provider
filings. To further enhance the effectiveness of the Robocall
Mitigation Database in protecting against foreign-originated robocalls,
CTIA argues that the Commission should clarify that foreign
intermediate providers must also implement robocall mitigation programs
and certify to such in the database in order for their traffic to be
accepted by domestic providers. CTIA notes that promoting robocall
mitigation by foreign intermediate providers in this fashion will
promote use of the techniques by all entities in the call path and will
help protect U.S. networks from illegal traffic.
108. The Commission agrees with CTIA's conclusions. Given the
number of different entities that are typically involved in
originating, carrying, processing, and terminating a call, a
requirement that applies only to calls received directly from the
foreign provider that originated them will capture only a small
fraction of the total number of calls that domestic providers accept
from foreign providers on a daily basis. To increase the effectiveness
of the requirement and to better protect American consumers from
foreign-originated illegal robocalls, it is necessary to expand the
scope of the requirement to include all calls received directly from a
foreign provider that originates, carries, or processes the call in
question. This approach obviates the concerns of commenters that a
gateway provider likely does not know which provider originated a
particular call or where it was originated; it only knows the upstream
foreign provider that handed off the call. Indeed, this is one of the
reasons the Commission defines ``gateway provider'' in this document as
the U.S.-based intermediate provider that receives a call directly from
a foreign originating or foreign intermediate provider at its U.S.-
based facilities before transmitting the call
[[Page 42933]]
downstream to another U.S.-based provider.
109. To ensure that foreign providers have sufficient time to take
steps in light of this expanded rule and to facilitate consistent
obligations, the Commission will begin enforcing the requirement that
providers accept only traffic received directly from foreign providers
that originate, carry, or process calls that have filed a certification
in the database on the deadline for gateway providers to block traffic
sent from foreign providers that originate, carry, or process calls
established in this document. That is, enforcement will begin 90 days
following the deadline for gateway providers to submit a certification
to the Robocall Mitigation Database. This same blocking deadline will
also apply to providers to block traffic from foreign intermediate
providers that were not subject to the prior blocking rule. The date of
this deadline is subject to OMB approval for any new information
collection requirements. The Commission concludes that this extended
period will provide sufficient time for all affected foreign providers
to submit a certification to the Robocall Mitigation Database in order
to remain on the Database. For similar reasons, the Commission adds
``in the caller ID field'' to the expanded rule to clarify the scope of
the requirement and make it consistent with the newly adopted blocking
obligation for providers receiving calls from gateway providers.
110. Contrary to the dire outcomes contemplated in CTIA and VON's
Petitions discussed below, the requirement that voice service providers
only accept calls carrying U.S. NANP numbers from foreign voice service
providers listed in the Robocall Mitigation Database has not resulted
in mass confusion or a widespread failure on the part of foreign voice
service providers to register in the Robocall Mitigation Database. In
reality, a significant number of foreign voice service providers have
been made aware of the requirement and have registered in the Robocall
Mitigation Database. Now that the Commission has taken the time to
ensure that the requirement can be implemented without causing
significant disruptions to legitimate, legal traffic, it is time to
ensure that the requirement adequately protects American consumers from
as many foreign-originated illegal robocalls as possible, and not
merely a tiny fraction of such calls. The Commission knows the
requirement can work on a practical level, and the Commission finds
that the expected benefits will far outweigh any minimal costs that may
be imposed on gateway providers. While the rules the Commission adopts
in this document provide some additional tools to domestic providers to
combat illegal robocalls originating outside the U.S., the Commission
must give domestic providers as many tools as it can to protect their
customers from as wide a swathe of foreign-originated illegal robocalls
as possible. (To quote T-Mobile, the tools the new gateway provider
rules represent ``may not be foolproof.'')
111. Several commenters have urged the Commission to reach out to
its counterparts in foreign governments and inform them of its latest
efforts to protect consumers from illegal robocalls while also
encouraging regulators abroad to promote foreign provider participation
in robocall mitigation and the Robocall Mitigation Database. The
Commission takes this opportunity to reiterate its commitment to
continue engaging actively with its international partners abroad to
inform them of its latest efforts to combat illegal robocalls and to
encourage robocall mitigation efforts on their part as well as
participation in the Robocall Mitigation Database among their domestic
providers. The Commission recognizes that it is only through active
dialogue and cooperation with its international counterparts that it
will be able to fully address the scourge of illegal robocalls here at
home.
112. Legal Authority. The Commission concludes that section 251(e)
gives it authority to require intermediate providers and voice service
providers to accept traffic only from foreign intermediate providers
using U.S. NANP numbering resources in the caller ID field that appear
in the Robocall Mitigation Database. As the Commission concluded in the
First Caller ID Authentication Report and Order and FNPRM and affirmed
in the Second Caller ID Authentication Report and Order, its exclusive
jurisdiction over numbering policy provides authority to take action to
prevent the fraudulent abuse of U.S. NANP resources. Illegally spoofed
calls exploit numbering resources whenever they transit any portion of
the voice network--including the networks of intermediate and
terminating providers. The Commission's action preventing such calls
from entering an intermediate provider's or terminating provider's
network is designed to protect consumers from illegally spoofed calls,
even while STIR/SHAKEN is not yet ubiquitous. No commenters have
challenged the Commission's authority to require voice service
providers to accept traffic only from foreign providers that do appear
in the Robocall Mitigation Database. (T-Mobile does not challenge the
Commission's authority to require intermediate providers and voice
service providers to only accept traffic directly from foreign
providers that appear in the Robocall Mitigation Database, but it
asserts that ``the FCC has no authority over foreign voice service
providers.'' The revised rule the Commission adopts does not constitute
the exercise of jurisdiction over foreign voice service providers. The
Commission acknowledges that this rule will have an indirect effect on
foreign voice service providers by incentivizing them to certify to be
listed in the database. An indirect effect on foreign voice service
providers, however, ``does not militate against the validity of rules
that only operate directly on voice service providers within the United
States.'' In addition, several commenters raise concerns about whether
registering in the Robocall Mitigation Database would have U.S. tax
implications for foreign providers, whether registration would subject
foreign providers to universal service contributions, and whether such
providers would be subject to the Commission's enforcement authority
regarding certifications or other matters, such as compliance with
traceback requests. In the absence of any showing of any significant
tax consequences for foreign providers, and in light of the
overwhelming pace at which they have already registered, the Commission
concludes that the benefits obtained by its new rules substantially
outweigh any such possible consequences. The Commission clarifies that
the act of registration in the Robocall Mitigation Database, by itself,
would not create a universal service contribution obligation for a
foreign provider. Finally, the Commission confirms that the Commission
has authority to enforce its rules by ensuring that the Robocall
Mitigation Database includes only accurate certifications.) One of the
only parties to even touch upon the subject in response to the First
Caller ID Authentication Report and Order and FNPRM, Verizon, agrees
that section 251(e) gives the Commission ample authority to ensure
foreign VoIP providers ``submit to the proposed registration and
certification regime by prohibiting regulated U.S. carriers from
accepting their traffic if they do not.''
113. The Commission additionally finds authority in the Truth in
Caller ID Act. It finds that the rule the Commission adopts is
necessary to enable voice service providers and intermediate providers
to help prevent illegal spoofed robocalls and to protect
[[Page 42934]]
voice service subscribers from scammers and bad actors that spoof
caller ID numbers, and that section 227(e) thus provides additional
independent authority for the revised rule the Commission adopts.
B. Petitions for Reconsideration
114. In expanding the scope of the requirement and concluding that
domestic providers may only accept calls directly from a foreign
provider that originates, carries, or processes a call if that foreign
provider is registered in the Robocall Mitigation Database, the
Commission plainly disagrees with the CTIA and VON Petitions for
Reconsideration requesting that the Commission eliminate or otherwise
curtail the requirement or asserting that the Commission violated the
Administrative Procedure Act's (APA) notice-and-comment requirement
when it adopted this rule in the Second Caller ID Authentication Report
and Order. The Commission resolves the Petitions as described below.
1. CTIA Petition
115. The Commission denies CTIA's Petition because the evidence in
the record demonstrates that the requirement is unlikely to have the
negative consequences CTIA fears, and the Commission has already
followed CTIA's recommendations to focus on other mitigation efforts
and to delay enforcement of the requirement while developing a more
substantial record. In its Petition, CTIA raises three primary
arguments against the requirement that domestic providers only accept
calls carrying U.S. NANP numbers from foreign voice service providers
listed in the Robocall Mitigation Database: (1) the requirement will
cause issues with international roaming that will harm American mobile
wireless consumers in the U.S. and abroad; (2) the Commission's other
efforts enable providers to protect consumers from illegal and unwanted
robocalls from overseas without the need for a requirement that
domestic providers only accept calls carrying U.S. NANP numbers from
foreign voice service providers listed in the Robocall Mitigation
Database; and (3) reconsideration is necessary because evidence of the
requirement's impact on American wireless consumers is now available.
The Commission addresses each of these arguments in turn.
a. International Roaming
116. CTIA asserts in its Petition that wireless roaming is a
``complex endeavor, which is more complicated internationally, as U.S.
mobile network operators have roaming agreements with hundreds of
overseas network operators to enable U.S. consumers to remain connected
no matter where they travel or move.'' When a mobile wireless consumer
abroad uses a U.S. phone number to call a consumer in the U.S., ``that
call may be routed from an originating foreign provider's network over
long distance routes that involve multiple foreign mobile network
operators often on the basis of least cost routing to reach a U.S.
intermediate or terminating provider for delivery to the intended
recipient.'' Because of this, there are a ``number of hand-offs for a
call on its way back to a U.S. consumer, and any one of hundreds of
foreign providers could be chosen as the final foreign provider in the
call path that interconnects with a U.S. intermediate or terminating
provider.'' CTIA asserts that, if that final foreign voice service
provider fails to implement a robocall mitigation program and certify
to such in the Robocall Mitigation Database, all of its traffic--
including legal, legitimate traffic--would be ``prohibited from
reaching the intended recipients. . . .'' Thus, CTIA claims that the
requirement that domestic providers only accept calls carrying U.S.
NANP numbers from foreign voice service providers listed in the
Robocall Mitigation Database would risk ``significant call completion
issues for wireless calls from hundreds of foreign providers' networks,
from any mobile wireless consumer using a U.S. phone number to make a
call from abroad.'' CTIA also claims that foreign voice service
providers that interconnect with U.S. providers will ``likely fail to
register'' with the Robocall Mitigation Database in a timely manner.
(And BT Americas Inc. asserts in its comments in support of the CTIA
Petition that ``the certification process may place foreign carriers in
the impossible situation of either having to violate their commitment
to the FCC or violate the laws of their home country.'' As the
Commission states earlier in this document, to the extent that foreign
providers face bona fide domestic legal constraints that conflict with
any of the certifications or attestations required of Robocall
Mitigation Database filers, they may still submit a certification to
the Robocall Mitigation Database and explain any such domestic legal
constraints as part of their certification.) Thus, CTIA argues that
reconsideration of the requirement is needed to prevent unintended
blocking of legitimate, legal traffic and to give foreign providers
sufficient time to develop robocall mitigation implementation plans and
to register with the Commission.
117. The Commission believes that CTIA's concerns are overstated,
and in any event the Commission does not find them sufficient to
outweigh the benefits of the requirement. In light of the prevalence of
foreign-originated illegal robocalls aimed at U.S. consumers, the
requirement is a critical tool in combatting such calls. And far from
resulting in a widespread failure to register with the Robocall
Mitigation Database among foreign service providers, the requirement--
along with the diligent and concerted efforts of U.S. providers--seems
to have actively encouraged foreign voice service providers to
institute robocall mitigation programs abroad and file certifications
to be listed in the database and thus have their traffic continue to be
accepted by domestic intermediate and terminating providers. As CTIA
itself notes in its comments, since the establishment of the
requirement in 2020, ``U.S. providers have worked diligently to educate
their foreign counterparts about call authentication, robocall
mitigation, and registration expectations,'' outreach that has included
individual providers engaging directly with their foreign counterparts,
as well as efforts to increase awareness of these changes through
existing industry bodies such as the GSM Association (GSMA), the
Communications Fraud Control Association, and the Messaging, Malware
and Mobile Anti-Abuse Working Group (M3AAWG). According to CTIA, this
work has produced results, with many foreign voice service providers
implementing robocall mitigation plans and registering in the Robocall
Mitigation Database even as the requirement has been held in abeyance.
Based on the education and outreach efforts of CTIA members, 99% of
AT&T's international traffic now comes from carriers registered in the
Robocall Mitigation Database. Similarly, T-Mobile reports receiving all
of its inbound international traffic from providers registered in the
Robocall Mitigation Database, and Verizon states that approximately 99%
of the traffic it receives from foreign voice service providers is from
those registered in the Robocall Mitigation Database, thus mooting T-
Mobile's arguments that the Second Caller ID Authentication Report and
Order contains little evidence ``showing the likelihood of widespread
compliance as a result of industry pressure'' and that the requirement
``will punish U.S. wireless subscribers when they are abroad, along
with those in the U.S. whom they may try to call.'' (This result also
runs counter to IDT
[[Page 42935]]
Telecom, Inc.'s (IDT) concerns that the requirement would be
anticompetitive for U.S. companies because it would ``incline toward a
handful of foreign wholesalers dominating the aggregation of USA
termination, leading to only a small number of US carriers connecting
with them.'') Beyond high levels of Robocall Mitigation Database
registration among foreign voice service providers, CTIA reports that
``domestic voice service providers have continued to modify their
interconnection contracts with foreign providers to focus on the need
to mitigate illegal robocall traffic.''
118. Given the extraordinarily high levels at which foreign voice
service providers have implemented robocall mitigation programs and
registered with the Robocall Mitigation Database even absent
enforcement of the requirement, the Commission finds CTIA's initial
concerns that foreign voice service providers would fail to register
with the database to no longer be an issue. (Nor has there been, as IDT
feared, a rash of reciprocal registration and filing requirements for
U.S. providers from foreign regulators. As for IDT's concern that the
requirement would lead to ``an unequal enforcement problem, as many
small operators may turn a blind eye to the requirement of their
customers' registration, yet will go undetected because of a low
profile,'' such a generalized risk could be said to apply equally to
every regulation the Commission adopts and is not a valid reason to
refrain from adopting a specific policy or regulation. Moreover, this
argument imparts a heightened degree of malicious intent to small
providers based purely upon the size of their operations. The
Commission does not believe that small providers are any more or less
likely to engage in illegal or malicious conduct than are large ones,
and the Commission thus rejects the assumptions underpinning this
argument.) Indeed, it appears that, much as CTIA intended, the
Commission's decision to hold the requirement in abeyance has permitted
domestic providers to interface with their foreign counterparts and
encourage them to develop robocall mitigation implementation plans and
register with the Robocall Mitigation Database. The Commission,
therefore, concludes that the requirement should not result in
significant call completion issues and that reconsideration based on
this concern is unwarranted.
b. Other Efforts To Curb Illegal Robocalls
119. CTIA's second argument is that the Commission's other actions
to prevent illegal and unwanted robocalls from outside the United
States--including enforcement actions against VoIP providers
facilitating illegal voice traffic, encouraging providers to protect
international gateways from robocalls, and adopting a safe harbor for
blocking traffic from bad actors--are more targeted and less disruptive
than the requirement that domestic providers only accept calls carrying
U.S. NANP numbers from foreign voice service providers listed in the
Robocall Mitigation Database. Thus, the Commission ``should continue to
focus on these and similar efforts while developing the record'' on the
requirement.
120. After having developed a more fulsome record on the
requirement in the wake of the Gateway Provider FNPRM, the Commission
finds that the requirement that domestic providers only accept calls
carrying U.S. NANP numbers from foreign voice service providers listed
in the Robocall Mitigation Database is not disruptive and that its
other actions to prevent illegal and unwanted robocalls from overseas
are insufficient on their own to properly address the problem of
foreign-originated illegal robocalls. As CTIA itself has noted since
filing its initial petition, industry outreach to foreign voice service
providers has met with great success, with numerous foreign voice
service providers implementing robocall mitigation plans and
registering in the Robocall Mitigation Database. With 99% of AT&T and
Verizon's and 100% of T-Mobile's inbound international traffic now
coming from carriers who are registered in the Robocall Mitigation
Database, the Commission finds it unlikely that enforcement of the
requirement that domestic providers only accept calls carrying U.S.
NANP numbers from foreign voice service providers listed in the
Robocall Mitigation Database will result in widespread call completion
issues. At the same time, the Commission believes that the requirement
is necessary to supplement its other actions, including enforcement
actions against VoIP providers facilitating illegal voice traffic,
encouraging providers to protect international gateways from robocalls,
and adopting a safe harbor for blocking traffic from bad actors. While
these steps are certainly important, merely encouraging providers to
protect international gateways from illegal foreign-originated
robocalls and adopting a safe harbor for those who block traffic from
bad actors is not sufficient. If the Commission is to adequately
address the significant problem of foreign-originated robocalls, just
as with U.S. originated robocalls, those receiving such calls (here,
gateway providers) must explicitly be required to accept only those
calls carrying U.S. NANP numbers from foreign voice service providers
that are listed in the Robocall Mitigation Database. To address the
endemic practice of illegal robocalling, the Commission must use every
tool at its disposal, especially those which have been shown not to
result in significant call completion issues. The Commission thus finds
CTIA's second argument unpersuasive.
c. Availability of Additional Evidence
121. CTIA's final argument is that reconsideration is appropriate
because the Commission did not, in the Second Caller ID Authentication
Report and Order, seek comment on the impacts of the requirement on
international wireless roaming. Without such record evidence, CTIA
contends, the Commission lacked ``sufficient support to prohibit
domestic intermediate and terminating providers from completing calls
from foreign voice service providers that have not certified in the
[Robocall Mitigation Database].'' Thus, CTIA claims that the Commission
should reconsider the requirement and further develop its record so
that it can craft a ``more reasonable approach to encourage
international provider certification'' without jeopardizing U.S.
consumers or the U.S. voice network.
122. As noted above, the Commission solicited a more robust record
in response to the Gateway Provider FNPRM regarding the requirement and
its possible effects. As that record shows, efforts to educate foreign
voice service providers and encourage implementation of robocall
mitigation programs and registration with the Robocall Mitigation
Database have met with great success. Foreign providers have been
granted time to develop robocall mitigation implementation plans and
register with the Robocall Mitigation Database, and they appear to have
used that time well. In light of this success, the Commission feels
confident that it may proceed with enforcement of the requirement that
domestic providers only accept calls carrying U.S. NANP numbers from
foreign voice service providers listed in the Robocall Mitigation
Database without causing significant disruption to the completion of
legal, legitimate traffic. The requirement, as crafted, is already
``reasonable,'' and addresses illegal robocalls originating from
outside the United States without jeopardizing U.S. consumers or the
U.S. voice network.
[[Page 42936]]
123. For the foregoing reasons, the Commission denies CTIA's
petition.
2. VON Petition
124. VON's Petition relies largely on a single argument in seeking
reconsideration of the requirement that domestic providers only accept
calls carrying U.S. NANP numbers from foreign providers listed in the
Robocall Mitigation Database--that the requirement violates the APA
because the Commission failed to solicit and consider public comment on
it. Thus, VON contends that the Commission should seek additional
comments on the proposal to ``allow for a more thoughtful vetting of an
otherwise very complicated issue.'' The Commission denies the VON
Petition on substantive grounds for the reasons stated below. The
Commission alternatively dismisses the Petition as mooted by the
Commission's decision to hold enforcement of the requirement in
abeyance until a final decision was reached regarding whether to
eliminate, retain, or enhance the requirement and the Commission's
request for comments on the scope of the requirement in the Gateway
Provider FNPRM.
a. The Requirement That Domestic Providers Only Accept Calls From
Foreign Voice Service Providers Listed in the Robocall Mitigation
Database Complies With APA Notice-and-Comment Requirements
125. In the First Caller ID Authentication Report and Order and
FNPRM, the Commission proposed that, when an intermediate provider
receives an unauthenticated call that it will exchange with another
intermediate or voice service provider as a SIP call, it must
authenticate such a call with a ``gateway'' or C-level attestation. In
seeking comment on that proposal, the Commission noted that multiple
commenters had supported imposing STIR/SHAKEN requirements on gateway
providers as a way to identify robocalls that originate abroad and to
identify which provider served as the entry point for these calls to
U.S. networks. The Commission then sought comment on whether this was
an effective way to combat illegal calls originating outside the U.S.
and whether there were ``other rules involving STIR/SHAKEN that we
should consider regarding intermediate providers to further combat
illegal calls originating abroad.'' The Commission also reiterated
Verizon's suggestion that the Commission impose an obligation to use
STIR/SHAKEN on any provider, regardless of its geographic location, if
it intends to allow its customers to use U.S. telephone numbers, as
well as USTelecom's proposal that the Commission consider obligating
gateway providers to pass international traffic only to downstream
providers that have implemented STIR/SHAKEN. The Commission sought
comment on both proposals and asked if there were any other actions it
could take to promote caller ID authentication implementation to combat
robocalls originating abroad.
126. In response to the First Caller ID Authentication Report and
Order and FNPRM, several commenters filed initial comments expressing
support for combating robocalls originating abroad by requiring foreign
voice service providers that appear in the Robocall Mitigation Database
to follow the same requirements as domestic voice service providers.
127. Courts have long held that the APA requires that the final
rule that an agency adopts be a ``logical outgrowth of the rule
proposed.'' While the Commission did not explicitly propose a rule in
the First Caller ID Authentication Report and Order and FNPRM requiring
domestic intermediate and terminating providers to accept calls only
from foreign voice service providers that use U.S. NANP numbers and are
listed in the Robocall Mitigation Database, it did seek comment on: (1)
whether to impose STIR/SHAKEN requirements on gateway providers as a
way to identify robocalls that originate abroad; (2) whether there were
other rules involving STIR/SHAKEN that the Commission should consider
regarding intermediate providers to further combat illegal calls
originating abroad; (3) Verizon's suggestion to impose on any provider,
regardless of its geographic location, an obligation to use STIR/
SHAKEN; (4) USTelecom's proposal that the Commission consider
obligating gateway providers to pass international traffic only to
downstream providers that have implemented STIR/SHAKEN; and (5) whether
there were any other actions the Commission could take to promote
caller ID authentication implementation to combat robocalls originating
abroad. The Commission concludes that the requirement that domestic
providers only accept calls carrying U.S. NANP numbers from foreign
voice service providers listed in the Robocall Mitigation Database is a
logical outgrowth of these repeated and specific requests for comment
on the types of obligations the Commission should impose on gateway
providers that accept traffic from foreign voice service providers.
Indeed, while it did not specifically mention the requirement in its
final adopted form, the Commission did seek comment on whether to
impose STIR/SHAKEN requirements on gateway providers, as well as other
actions that would promote caller ID authentication implementation and
combat foreign-originated robocalls.
128. That this requirement is a logical outgrowth of such requests
for comment is evident from the fact that numerous entities filed comments
in response to the First Caller ID Authentication Report and Order and
FNPRM voicing support for combating robocalls originating abroad by
requiring foreign voice service providers that appear in the Robocall
Mitigation Database to follow the same requirements as domestic voice
service providers. While the two are not exactly the same, this notion
of requiring foreign voice service providers who file with the Robocall
Mitigation Database to fulfill the same requirements as domestic
providers is quite similar to the requirement the Commission eventually
adopted, and the fact that it was mentioned by multiple commenters
indicates that the requirement was indeed a logically foreseeable
outgrowth of the language in the First Caller ID Authentication Report
and Order and FNPRM. Even were it not a logical outgrowth of the First
Caller ID Authentication Report and Order and FNPRM, the possibility of
a requirement that domestic providers only accept calls carrying U.S.
NANP numbers from foreign providers listed in the Robocall Mitigation
Database was raised in the initial comments and was open to
consideration and comment during the reply stage.
129. The Commission thus finds VON's claim that the adoption of the
requirement violated the APA to be baseless and, accordingly, denies
their Petition on substantive grounds.
b. VON's Petition Is Moot
130. Independently, and in the alternative, the Commission finds
that the Commission's decision to hold enforcement of the requirement
in abeyance until it reached a final decision regarding whether to
eliminate, retain, or enhance the requirement, together with the
Commission's request for comments on the scope of the requirement in
the Gateway Provider FNPRM, renders the VON Petition moot. Even
assuming arguendo that the initial adoption of the requirement in the
Second Caller ID Authentication Report and Order violated the notice
and comment requirements of the APA, the same cannot be said of the
Gateway Provider FNPRM, which specifically and extensively sought
comment on
[[Page 42937]]
whether ``to eliminate, retain, or enhance'' the requirement.
131. Much like CTIA in its own Petition, VON did not call for the
wholesale elimination of the requirement that domestic providers only
accept calls carrying U.S. NANP numbers from foreign voice service
providers listed in the Robocall Mitigation Database, but merely time
to solicit additional comment and allow for further consideration of
the requirement. Regardless of whether the First Caller ID
Authentication Report and Order and FNPRM provided notice and an
opportunity to comment on the requirement, the Gateway Provider FNPRM
undoubtedly provided both. The Commission in the Gateway Provider FNPRM
stated that, until a final decision was made regarding whether to
eliminate, retain, or enhance the requirement, it would not enforce the
requirement that domestic voice service providers and intermediate
providers accept only traffic carrying U.S. NANP numbers sent directly
from foreign voice service providers listed in the Robocall Mitigation
Database. (The Commission treats its holding enforcement of the
prohibition in abeyance the same as a stay.) As the Commission has
satisfied the terms of VON's Petition, the Commission dismisses it as
moot. (As with the CTIA Petition, the Commission notes that the
concerns raised in the VON Petition--namely, that the requirement would
limit the number of foreign carriers who can terminate calls in the
U.S., restrict the ability of U.S. carriers to terminate calls on
behalf of U.S. customers to foreign points, and lead to the disruption
of legitimate, non-harmful traffic--have proved to be largely unfounded
in the wake of adoption of the requirement, and as noted above, 99% of
AT&T and Verizon's and 100% of T-Mobile's inbound international traffic
currently comes from carriers who are registered in the Robocall
Mitigation Database. Thus, as with CTIA's concerns, the Commission
finds VON's concerns about the potential failure of foreign providers
to register in the database to be largely baseless in reality.)
132. Because the Commission finds that adoption of the requirement
that domestic voice service providers and domestic intermediate
providers only accept calls carrying U.S. NANP numbers from foreign
voice service providers listed in the Robocall Mitigation Database did
not violate the APA's notice-and-comment requirements and that VON's
Petition is mooted by the Commission's decision to hold enforcement of
the requirement in abeyance while the Commission sought comment on
whether to eliminate, retain, or enhance the requirement, the
Commission denies VON's Petition on substantive grounds and
independently, and in the alternative, dismisses it as moot.
III. Order
133. In this document, the Commission makes a ministerial change to
a codified rule required to correct an inadvertent typographical error
and spell out an undefined acronym. The Commission revises Sec.
64.6300(f) of its rules, which defines the term ``intermediate
provider,'' to change the word ``carriers'' to ``carries'' and to
change the reference to ``PSTN'' to ``public switched telephone
network.'' The Commission finds that there is good cause for adopting
this amendment here because the typographical error may confuse those
seeking to understand how the Commission defines the term
``intermediate provider'' for purposes of complying with its rules
governing caller ID authentication, and the use of undefined acronyms,
even if well known, is not preferable.
134. Section 553 of the Administrative Procedure Act permits the
Commission to amend the Commission's rules without undergoing notice
and comment where the Commission finds good cause that doing so is
``impracticable, unnecessary, or contrary to the public interest.'' The
Commission has previously determined that notice and comment is not
necessary for ``editorial changes or corrections of typographical
errors.'' Consistent with Commission precedent, in this instance the
Commission finds that notice and comment is unnecessary for adopting a
ministerial revision to Sec. 64.6300(f) to correct an inadvertent
typographical error and spell out an undefined acronym in the
definition of ``intermediate provider.''
IV. Final Regulatory Flexibility Analysis
135. As required by the Regulatory Flexibility Act of 1980 (RFA),
as amended, an Initial Regulatory Flexibility Analysis (IRFA) was
incorporated into the Further Notice of Proposed Rulemaking adopted in
September 2021 (Gateway Provider FNPRM). (The RFA, 5 U.S.C. 601-612,
has been amended by the Contract With America Advancement Act of 1996,
Public Law 104-121, 110 Stat. 847 (1996) (CWAAA). Title II of the CWAAA
is the Small Business Regulatory Enforcement Fairness Act of 1996
(SBREFA)). The Commission sought written public comment on the
proposals in the Gateway Provider FNPRM, including comment on the IRFA.
The comments received are discussed below. This Final Regulatory
Flexibility Analysis (FRFA) conforms to the RFA.
A. Need for, and Objectives of, the Order
136. First, this document takes important steps in the fight
against foreign-originated illegal robocalls by holding gateway
providers responsible for the calls they allow onto the U.S. network.
Finally, the Order on Reconsideration in this document strengthens the
prohibition on receiving calls carrying U.S. NANP numbers from foreign
providers not listed in the Robocall Mitigation Database. The decisions
the Commission makes here protect American consumers from unwanted and
illegal calls while balancing the legitimate interests of callers
placing lawful calls.
137. Gateway Provider Report and Order. This document takes
important steps to protect consumers from foreign-originated illegal
robocalls. These steps help stem the tide of foreign-originated illegal
robocalls, which are a significant portion, if not the majority, of
illegal robocalls. As the entry point onto the U.S. network for these
calls, gateway providers are best positioned to protect all American
consumers. Because there is no single solution to the illegal robocall
problem, this document addresses this issue from several angles, all
focused on reducing the number of foreign-originated illegal calls
American consumers receive and aiding in identifying bad actors.
138. First, this document requires gateway providers to submit a
certification and plan to the Robocall Mitigation Database describing
their robocall mitigation practices and stating that they are adhering
to those practices, regardless of whether they have fully implemented
STIR/SHAKEN, and requires downstream domestic providers receiving
traffic from gateway providers to block traffic from such a provider if
the gateway provider has not submitted a certification in the Robocall
Mitigation Database. Second, this document requires gateway providers
to implement STIR/SHAKEN to authenticate SIP calls that are carrying a
U.S. number in the caller ID field. Third, it requires gateway
providers to fully respond to traceback requests from the Commission,
civil and criminal law enforcement, and the industry traceback
consortium within 24 hours of receipt of such a request. Fourth, it
requires gateway providers to block illegal traffic when notified of
such traffic by the
Commission and the providers immediately downstream from the gateway to
block all traffic from the identified provider when notified by the
Commission that the gateway provider failed to meet its obligation to
block illegal traffic. This rule builds on the Commission's existing
effective mitigation requirement and bad-actor provider blocking safe
harbor, and prescribes specific steps that the Enforcement Bureau must
take before directing downstream providers to block. Fifth, it requires
gateway providers to block using a reasonable do-not-originate (DNO)
list. Sixth, it requires gateway providers to take reasonable and
effective steps to ensure that the immediate upstream provider is not
using the gateway provider to originate a high volume of illegal
traffic onto the U.S. network. Finally, it requires gateway providers
to meet a general obligation to mitigate illegal robocalls regardless
of whether they have fully implemented STIR/SHAKEN on the IP portions
of their network.
139. Order on Reconsideration. The Order on Reconsideration in this
document strengthens the existing prohibition on receiving calls
carrying U.S. NANP numbers from foreign providers not listed in the
Robocall Mitigation Database. To ensure that all foreign providers are
brought within the prohibition, the Order on Reconsideration in this
document modifies the rule such that the prohibition applies to calls
directly from a foreign provider that originates, carries, or processes
a call if that foreign provider is not listed in the Robocall
Mitigation Database.
B. Summary of Significant Issues Raised by Public Comments in Response
to the IRFA
140. There were no comments raised that specifically addressed the
proposed rules and policies presented in the Gateway Provider FNPRM
IRFA. Nonetheless, the Commission considered the potential impact of
the rules proposed in the IRFA on small entities and took steps where
appropriate and feasible to reduce the compliance burden for small
entities in order to reduce the economic impact of the rules enacted
herein on such entities.
C. Response to Comments by the Chief Counsel for Advocacy of the Small
Business Administration
141. Pursuant to the Small Business Jobs Act of 2010, which amended
the RFA, the Commission is required to respond to any comments filed by
the Chief Counsel for Advocacy of the Small Business Administration
(SBA), and to provide a detailed statement of any change made to the
proposed rules as a result of those comments. The Chief Counsel did not
file any comments in response to the proposed rules in this proceeding.
D. Description and Estimate of the Number of Small Entities to Which
the Rules Will Apply
142. The RFA directs agencies to provide a description of, and
where feasible, an estimate of the number of small entities that may be
affected by the rules adopted herein. The RFA generally defines the
term ``small entity'' as having the same meaning as the terms ``small
business,'' ``small organization,'' and ``small governmental
jurisdiction.'' In addition, the term ``small business'' has the same
meaning as the term ``small-business concern'' under the Small Business
Act. (Pursuant to 5 U.S.C. 601(3), the statutory definition of a small
business applies ``unless an agency, after consultation with the Office
of Advocacy of the Small Business Administration and after opportunity
for public comment, establishes one or more definitions of such term
which are appropriate to the activities of the agency and publishes
such definition(s) in the Federal Register.'') A ``small-business
concern'' is one which: (1) is independently owned and operated; (2) is
not dominant in its field of operation; and (3) satisfies any
additional criteria established by the SBA.
143. Small Businesses, Small Organizations, Small Governmental
Jurisdictions. The Commission's actions, over time, may affect small
entities that are not easily categorized at present. The Commission
therefore describes here, at the outset, three broad groups of small
entities that could be directly affected herein. First, while there are
industry specific size standards for small businesses that are used in
the regulatory flexibility analysis, according to data from the SBA's
Office of Advocacy, in general a small business is an independent
business having fewer than 500 employees. These types of small
businesses represent 99.9% of all businesses in the United States,
which translates to 32.5 million businesses.
144. Next, the type of small entity described as a ``small
organization'' is generally ``any not-for-profit enterprise which is
independently owned and operated and is not dominant in its field.''
The Internal Revenue Service (IRS) uses a revenue benchmark of $50,000
or less to delineate its annual electronic filing requirements for
small exempt organizations. (The IRS benchmark is similar to the
population of less than 50,000 benchmark in 5 U.S.C. 601(5) that is
used to define a small governmental jurisdiction. Therefore, the IRS
benchmark has been used to estimate the number of small organizations in
this small entity description. The Commission notes that the IRS data
does not provide information on whether a small exempt organization is
independently owned and operated or dominant in its field.) Nationwide,
for tax year 2020, there were approximately 447,689 small exempt
organizations in the U.S. reporting revenues of $50,000 or less
according to the registration and tax data for exempt organizations
available from the IRS. (The IRS Exempt Organization Business Master
File (E.O. BMF) Extract provides information on all registered tax-
exempt/non-profit organizations. The data utilized for purposes of this
description was extracted from the IRS E.O. BMF data for businesses for
the tax year 2020 with revenue less than or equal to $50,000, for
Region 1--Northeast Area (58,577), Region 2--Mid-Atlantic and Great
Lakes Areas (175,272), and Region 3--Gulf Coast and Pacific Coast Areas
(213,840) which includes the continental U.S., Alaska, and Hawaii. This
data does not include information for Puerto Rico.)
145. Finally, the small entity described as a ``small governmental
jurisdiction'' is defined generally as ``governments of cities,
counties, towns, townships, villages, school districts, or special
districts, with a population of less than fifty thousand.'' U.S. Census
Bureau data from the 2017 Census of Governments (the Census of
Governments survey is conducted every five (5) years compiling data for
years ending with ``2'' and ``7'') indicates that there were 90,075
local governmental jurisdictions consisting of general purpose
governments and special purpose governments in the United States.
(Local governmental jurisdictions are made up of general purpose
governments (county, municipal and town or township) and special
purpose governments (special districts and independent school
districts).) Of this number there were 36,931 general purpose
governments (county, municipal and town or township) with populations
of less than 50,000 and 12,040 special purpose governments--independent
school districts with enrollment populations of less than 50,000.
(There were 2,105 county governments with populations less than 50,000.
This category does not include subcounty (municipal and township)
governments. There were
18,729 municipal and 16,097 town and township governments with
populations less than 50,000. There were 12,040 independent school
districts with enrollment populations less than 50,000. While the
special purpose governments category also includes local special
district governments, the 2017 Census of Governments data does not
provide data aggregated based on population size for the special
purpose governments category. Therefore, only data from independent
school districts is included in the special purpose governments
category.) Accordingly, based on the 2017 U.S. Census of Governments
data, the Commission estimates that at least 48,971 entities fall into
the category of ``small governmental jurisdictions.'' (This total is
derived from the sum of the number of general purpose governments
(county, municipal and town or township) with populations of less than
50,000 (36,931) and the number of special purpose governments--
independent school districts with enrollment populations of less than
50,000 (12,040), from the 2017 Census of Governments--Organizations
tbls. 5, 6 & 10.)
1. Wireline Carriers
146. Wired Telecommunications Carriers. The U.S. Census Bureau
defines this industry as establishments primarily engaged in operating
and/or providing access to transmission facilities and infrastructure
that they own and/or lease for the transmission of voice, data, text,
sound, and video using wired communications networks. Transmission
facilities may be based on a single technology or a combination of
technologies. Establishments in this industry use the wired
telecommunications network facilities that they operate to provide a
variety of services, such as wired telephony services, including VoIP
services, wired (cable) audio and video programming distribution, and
wired broadband internet services. By exception, establishments
providing satellite television distribution services using facilities
and infrastructure that they operate are included in this industry.
Wired Telecommunications Carriers are also referred to as wireline
carriers or fixed local service providers. (Fixed Local Service
Providers include the following types of providers: Incumbent Local
Exchange Carriers (ILECs), Competitive Access Providers (CAPs) and
Competitive Local Exchange Carriers (CLECs), Cable/Coax CLECs,
Interconnected VOIP Providers, Non-Interconnected VOIP Providers,
Shared-Tenant Service Providers, Audio Bridge Service Providers, and
Other Local Service Providers. Local Resellers fall into another U.S.
Census Bureau industry group and therefore data for these providers is
not included in this industry.)
147. The SBA small business size standard for Wired
Telecommunications Carriers classifies firms having 1,500 or fewer
employees as small. U.S. Census Bureau data for 2017 show that there
were 3,054 firms that operated in this industry for the entire year. Of
this number, 2,964 firms operated with fewer than 250 employees. (The
available U.S. Census Bureau data does not provide a more precise
estimate of the number of firms that meet the SBA size standard.)
Additionally, based on Commission data in the 2021 Universal Service
Monitoring Report, as of December 31, 2020, there were 5,183 providers
that reported they were engaged in the provision of fixed local
services. Of these providers, the Commission estimates that 4,737
providers have 1,500 or fewer employees. Consequently, using the SBA's
small business size standard, most of these providers can be considered
small entities.
148. Local Exchange Carriers (LECs). Neither the Commission nor the
SBA has developed a size standard for small businesses specifically
applicable to local exchange services. Providers of these services
include both incumbent and competitive local exchange service
providers. Wired Telecommunications Carriers is the closest industry
with an SBA small business size standard. Wired Telecommunications
Carriers are also referred to as wireline carriers or fixed local
service providers. (Fixed Local Exchange Service Providers include the
following types of providers: Incumbent Local Exchange Carriers
(ILECs), Competitive Access Providers (CAPs) and Competitive Local
Exchange Carriers (CLECs), Cable/Coax CLECs, Interconnected VOIP
Providers, Non-Interconnected VOIP Providers, Shared-Tenant Service
Providers, Audio Bridge Service Providers, Local Resellers, and Other
Local Service Providers.) The SBA small business size standard for
Wired Telecommunications Carriers classifies firms having 1,500 or
fewer employees as small. U.S. Census Bureau data for 2017 show that
there were 3,054 firms that operated in this industry for the entire
year. Of this number, 2,964 firms operated with fewer than 250
employees. (The available U.S. Census Bureau data does not provide a
more precise estimate of the number of firms that meet the SBA size
standard.) Additionally, based on Commission data in the 2021 Universal
Service Monitoring Report, as of December 31, 2020, there were 5,183
providers that reported they were fixed local exchange service
providers. Of these providers, the Commission estimates that 4,737
providers have 1,500 or fewer employees. Consequently, using the SBA's
small business size standard, most of these providers can be considered
small entities.
149. Incumbent Local Exchange Carriers (Incumbent LECs). Neither
the Commission nor the SBA has developed a small business size
standard specifically for incumbent local exchange carriers. Wired
Telecommunications Carriers is the closest industry with an SBA small
business size standard. The SBA small business size standard for Wired
Telecommunications Carriers classifies firms having 1,500 or fewer
employees as small. U.S. Census Bureau data for 2017 show that there
were 3,054 firms in this industry that operated for the entire year. Of
this number, 2,964 firms operated with fewer than 250 employees. (The
available U.S. Census Bureau data does not provide a more precise
estimate of the number of firms that meet the SBA size standard.)
Additionally, based on Commission data in the 2021 Universal Service
Monitoring Report, as of December 31, 2020, there were 1,227 providers
that reported they were incumbent local exchange service providers. Of
these providers, the Commission estimates that 929 providers have 1,500
or fewer employees. Consequently, using the SBA's small business size
standard, the Commission estimates that the majority of incumbent local
exchange carriers can be considered small entities.
150. Competitive Local Exchange Carriers (LECs). Neither the
Commission nor the SBA has developed a size standard for small
businesses specifically applicable to local exchange services.
Providers of these services include several types of competitive local
exchange service providers. (Competitive Local Exchange Service
Providers include the following types of providers: Competitive Access
Providers (CAPs) and Competitive Local Exchange Carriers (CLECs),
Cable/Coax CLECs, Interconnected VOIP Providers, Non-Interconnected
VOIP Providers, Shared-Tenant Service Providers, Audio Bridge Service
Providers, Local Resellers, and Other Local Service Providers.) Wired
Telecommunications Carriers is the closest industry with an SBA small
business size standard. The SBA small business size standard for Wired
Telecommunications Carriers classifies firms having 1,500 or fewer
employees
as small. U.S. Census Bureau data for 2017 show that there were 3,054
firms that operated in this industry for the entire year. Of this
number, 2,964 firms operated with fewer than 250 employees. (The
available U.S. Census Bureau data does not provide a more precise
estimate of the number of firms that meet the SBA size standard.)
Additionally, based on Commission data in the 2021 Universal Service
Monitoring Report, as of December 31, 2020, there were 3,956 providers
that reported they were competitive local exchange service providers.
Of these providers, the Commission estimates that 3,808 providers have
1,500 or fewer employees. Consequently, using the SBA's small business
size standard, most of these providers can be considered small
entities.
151. Interexchange Carriers (IXCs). Neither the Commission nor the
SBA has developed a small business size standard specifically for
Interexchange Carriers. Wired Telecommunications Carriers is the
closest industry with an SBA small business size standard. The SBA
small business size standard for Wired Telecommunications Carriers
classifies firms having 1,500 or fewer employees as small. U.S. Census
Bureau data for 2017 show that there were 3,054 firms that operated in
this industry for the entire year. Of this number, 2,964 firms operated
with fewer than 250 employees. (The available U.S. Census Bureau data
does not provide a more precise estimate of the number of firms that
meet the SBA size standard.) Additionally, based on Commission data in
the 2021 Universal Service Monitoring Report, as of December 31, 2020,
there were 151 providers that reported they were engaged in the
provision of interexchange services. Of these providers, the Commission
estimates that 131 providers have 1,500 or fewer employees.
Consequently, using the SBA's small business size standard, the
Commission estimates that the majority of providers in this industry
can be considered small entities.
152. Cable System Operators (Telecom Act Standard). The
Communications Act of 1934, as amended, contains a size standard for
small cable system operators, which classifies ``a cable operator that,
directly or through an affiliate, serves in the aggregate fewer than
one percent of all subscribers in the United States and is not
affiliated with any entity or entities whose gross annual revenues in
the aggregate exceed $250,000,000,'' as small. As of December 2020,
there were approximately 45,308,192 basic cable video subscribers in
the top Cable multiple system operators (MSOs) in the United States.
Accordingly, an operator serving fewer than 453,082 subscribers shall
be deemed a small operator if its annual revenues, when combined with
the total annual revenues of all its affiliates, do not exceed $250
million in the aggregate. Based on available data, all but five of the
cable operators in the Top Cable MSOs have less than 453,082
subscribers and can be considered small entities under this size
standard. The Commission notes, however, that the Commission neither
requests nor collects information on whether cable system operators are
affiliated with entities whose gross annual revenues exceed $250
million. (The Commission does receive such information on a case-by-
case basis if a cable operator appeals a local franchise authority's
finding that the operator does not qualify as a small cable operator
pursuant to Sec. 76.901(e) of the Commission's rules.) Therefore, the
Commission is unable at this time to estimate with greater precision
the number of cable system operators that would qualify as small cable
operators under the definition in the Communications Act.
153. Other Toll Carriers. Neither the Commission nor the SBA has
developed a definition for small businesses specifically applicable to
Other Toll Carriers. This category includes toll carriers that do not
fall within the categories of interexchange carriers, operator service
providers, prepaid calling card providers, satellite service carriers,
or toll resellers. Wired Telecommunications Carriers is the closest
industry with an SBA small business size standard. The SBA small
business size standard for Wired Telecommunications Carriers classifies
firms having 1,500 or fewer employees as small. U.S. Census Bureau data
for 2017 show that there were 3,054 firms in this industry that
operated for the entire year. Of this number, 2,964 firms operated with
fewer than 250 employees. (The available U.S. Census Bureau data does
not provide a more precise estimate of the number of firms that meet
the SBA size standard.) Additionally, based on Commission data in the
2021 Universal Service Monitoring Report, as of December 31, 2020,
there were 115 providers that reported they were engaged in the
provision of other toll services. Of these providers, the Commission
estimates that 113 providers have 1,500 or fewer employees.
Consequently, using the SBA's small business size standard, most of
these providers can be considered small entities.
2. Wireless Carriers
154. Wireless Telecommunications Carriers (except Satellite). This
industry comprises establishments engaged in operating and maintaining
switching and transmission facilities to provide communications via the
airwaves. Establishments in this industry have spectrum licenses and
provide services using that spectrum, such as cellular services, paging
services, wireless internet access, and wireless video services. The
SBA size standard for this industry classifies a business as small if
it has 1,500 or fewer employees. U.S. Census Bureau data for 2017 show
that there were 2,893 firms in this industry that operated for the
entire year. Of that number, 2,837 firms employed fewer than 250
employees. (The available U.S. Census Bureau data does not provide a
more precise estimate of the number of firms that meet the SBA size
standard.) Additionally, based on Commission data in the 2021 Universal
Service Monitoring Report, as of December 31, 2020, there were 797
providers that reported they were engaged in the provision of wireless
services. Of these providers, the Commission estimates that 715
providers have 1,500 or fewer employees. Consequently, using the SBA's
small business size standard, most of these providers can be considered
small entities.
155. Satellite Telecommunications. This industry comprises firms
``primarily engaged in providing telecommunications services to other
establishments in the telecommunications and broadcasting industries by
forwarding and receiving communications signals via a system of
satellites or reselling satellite telecommunications.'' Satellite
telecommunications service providers include satellite and earth
station operators. The SBA small business size standard for this
industry classifies a business with $35 million or less in annual
receipts as small. U.S. Census Bureau data for 2017 show that 275 firms
in this industry operated for the entire year. Of this number, 242
firms had revenue of less than $25 million. (The available U.S. Census
Bureau data does not provide a more precise estimate of the number of
firms that meet the SBA size standard. The Commission also notes that
according to the U.S. Census Bureau glossary, the terms receipts and
revenues are used interchangeably.) Additionally, based on Commission
data in the 2021 Universal Service Monitoring Report, as of December
31, 2020, there were 71 providers that reported they were engaged in
the provision of satellite
telecommunications services. Of these providers, the Commission
estimates that approximately 48 providers have 1,500 or fewer
employees. Consequently, using the SBA's small business size standard,
a little more than of these providers can be considered small entities.
3. Resellers
156. Local Resellers. Neither the Commission nor the SBA has
developed a small business size standard specifically for Local
Resellers. Telecommunications Resellers is the closest industry with an
SBA small business size standard. The Telecommunications Resellers
industry comprises establishments engaged in purchasing access and
network capacity from owners and operators of telecommunications
networks and reselling wired and wireless telecommunications services
(except satellite) to businesses and households. Establishments in this
industry resell telecommunications; they do not operate transmission
facilities and infrastructure. Mobile virtual network operators (MVNOs)
are included in this industry. The SBA small business size standard for
Telecommunications Resellers classifies a business as small if it has
1,500 or fewer employees. U.S. Census Bureau data for 2017 show that
1,386 firms in this industry provided resale services for the entire
year. Of that number, 1,375 firms operated with fewer than 250
employees. (The available U.S. Census Bureau data does not provide a
more precise estimate of the number of firms that meet the SBA size
standard.) Additionally, based on Commission data in the 2021 Universal
Service Monitoring Report, as of December 31, 2020, there were 293
providers that reported they were engaged in the provision of local
resale services. Of these providers, the Commission estimates that 289
providers have 1,500 or fewer employees. Consequently, using the SBA's
small business size standard, most of these providers can be considered
small entities.
157. Toll Resellers. Neither the Commission nor the SBA has
developed a small business size standard specifically for Toll
Resellers. Telecommunications Resellers is the closest industry with an
SBA small business size standard. The Telecommunications Resellers
industry comprises establishments engaged in purchasing access and
network capacity from owners and operators of telecommunications
networks and reselling wired and wireless telecommunications services
(except satellite) to businesses and households. Establishments in this
industry resell telecommunications; they do not operate transmission
facilities and infrastructure. Mobile virtual network operators (MVNOs)
are included in this industry. The SBA small business size standard for
Telecommunications Resellers classifies a business as small if it has
1,500 or fewer employees. U.S. Census Bureau data for 2017 show that
1,386 firms in this industry provided resale services for the entire
year. Of that number, 1,375 firms operated with fewer than 250
employees. (The available U.S. Census Bureau data does not provide a
more precise estimate of the number of firms that meet the SBA size
standard.) Additionally, based on Commission data in the 2021 Universal
Service Monitoring Report, as of December 31, 2020, there were 518
providers that reported they were engaged in the provision of toll
services. Of these providers, the Commission estimates that 495
providers have 1,500 or fewer employees. Consequently, using the SBA's
small business size standard, most of these providers can be considered
small entities.
158. Prepaid Calling Card Providers. Neither the Commission nor the
SBA has developed a small business size standard specifically for
prepaid calling card providers. Telecommunications Resellers is the
closest industry with an SBA small business size standard. The
Telecommunications Resellers industry comprises establishments engaged
in purchasing access and network capacity from owners and operators of
telecommunications networks and reselling wired and wireless
telecommunications services (except satellite) to businesses and
households. Establishments in this industry resell telecommunications;
they do not operate transmission facilities and infrastructure. Mobile
virtual network operators (MVNOs) are included in this industry. The
SBA small business size standard for Telecommunications Resellers
classifies a business as small if it has 1,500 or fewer employees. U.S.
Census Bureau data for 2017 show that 1,386 firms in this industry
provided resale services for the entire year. Of that number, 1,375
firms operated with fewer than 250 employees. (The available U.S.
Census Bureau data does not provide a more precise estimate of the
number of firms that meet the SBA size standard.) Additionally, based
on Commission data in the 2021 Universal Service Monitoring Report, as
of December 31, 2020, there were 58 providers that reported they were
engaged in the provision of payphone services. Of these providers, the
Commission estimates that 57 providers have 1,500 or fewer employees.
Consequently, using the SBA's small business size standard, most of
these providers can be considered small entities.
4. Other Entities
159. All Other Telecommunications. This industry is comprised of
establishments primarily engaged in providing specialized
telecommunications services, such as satellite tracking, communications
telemetry, and radar station operation. This industry also includes
establishments primarily engaged in providing satellite terminal
stations and associated facilities connected with one or more
terrestrial systems and capable of transmitting telecommunications to,
and receiving telecommunications from, satellite systems. Providers of
internet services (e.g., dial-up internet service providers (ISPs)) or
voice over internet protocol (VoIP) services, via client-supplied
telecommunications connections are also included in this industry. The
SBA small business size standard for this industry classifies firms
with annual receipts of $35 million or less as small. U.S. Census
Bureau data for 2017 show that there were 1,079 firms in this industry
that operated for the entire year. Of those firms, 1,039 had revenue of
less than $25 million. (The available U.S. Census Bureau data does not
provide a more precise estimate of the number of firms that meet the
SBA size standard. The Commission also notes that according to the U.S.
Census Bureau glossary, the terms receipts and revenues are used
interchangeably.) Based on this data, the Commission estimates that the
majority of ``All Other Telecommunications'' firms can be considered
small.
E. Description of Projected Reporting, Recordkeeping, and Other
Compliance Requirements for Small Entities
160. The Gateway Provider Report and Order and Order on
Reconsideration require providers, primarily but not exclusively
gateway providers, to meet certain obligations. These changes affect
small and large companies equally and apply equally to all the classes
of regulated entities identified above.
161. Gateway Provider Report and Order. This document requires
gateway providers to submit a certification and plan to the Robocall
Mitigation Database describing their robocall mitigation practices and
stating that they are adhering to those practices, regardless of
whether they have fully implemented
STIR/SHAKEN. Additionally, downstream domestic providers receiving
traffic from gateway providers must block traffic from such a provider
if the gateway provider has not submitted a certification in the
Robocall Mitigation Database. Gateway providers are not required to
describe their mitigation program in a particular manner, but must
clearly explain how they are complying with the know-your-upstream-
provider obligation adopted in this document.
162. A gateway provider must certify whether it has fully,
partially, or not implemented STIR/SHAKEN, and include a statement in
its certification that it commits to responding fully to all traceback
requests from the Commission, law enforcement, and the industry
traceback consortium and cooperate with such entities in investigating
and stopping illegal robocalls. Submissions may be made confidentially
consistent with the Commission's existing confidentiality rules. All
information must be submitted in English or with a certified English
translation and updated within 10 business days. Gateway providers must
provide the same identifying information submitted by voice service
providers.
163. Gateway prov
[…truncated; see source link]
Indexed from Federal Register on July 18, 2022.