Rule2023-12142
Call Authentication Trust Anchor
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Published
June 21, 2023
Effective
August 21, 2023
Issuing agencies
Federal Communications Commission
Abstract
In this document, the Federal Communications Commission (Commission) takes further steps to combat illegally spoofed robocalls by strengthening and expanding caller ID authentication and robocall mitigation obligations and creating new mechanisms to hold providers accountable for violations of the Commission's rules.
Full Text
<html>
<head>
<title>Federal Register, Volume 88 Issue 118 (Wednesday, June 21, 2023)</title>
</head>
<body><pre>
[Federal Register Volume 88, Number 118 (Wednesday, June 21, 2023)]
[Rules and Regulations]
[Pages 40096-40121]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2023-12142]
=======================================================================
-----------------------------------------------------------------------
FEDERAL COMMUNICATIONS COMMISSION
47 CFR Parts 0, 1, and 64
[WC Docket No. 17-97; FCC 23-18, FR ID 138840]
Call Authentication Trust Anchor
AGENCY: Federal Communications Commission.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: In this document, the Federal Communications Commission
(Commission) takes further steps to combat illegally spoofed robocalls
by strengthening and expanding caller ID authentication and robocall
mitigation obligations and creating new mechanisms to hold providers
accountable for violations of the Commission's rules.
DATES: Effective date: This rule is effective August 21, 2023, except
for the amendments codified at 47 CFR 64.6303(c) (amendatory
instruction 9) and 64.6305(d), (e), (f), and (g) (amendatory
instruction 12) which are delayed. The Commission will publish a
document in the Federal Register announcing the effective dates for the
delayed amendments to 47 CFR 64.6303(c) and 64.6305(d), (e), (f), (g).
FOR FURTHER INFORMATION CONTACT: Jonathan Lechter, Competition Policy
Division, Wireline Competition Bureau, at (202) 418-0984,
<a href="/cdn-cgi/l/email-protection#1b7174757a6f737a7535777e78736f7e695b7d7878357c746d"><span class="__cf_email__" data-cfemail="e78d888986938f8689c98b82848f938295a7818484c9808891">[email protected]</span></a>.
SUPPLEMENTARY INFORMATION: This is a summary of the Commission's Sixth
Report and Order in WC Docket No. 17-97 adopted on March 16, 2023 and
released on March 17, 2023. The document is available for download at
<a href="https://docs.fcc.gov/public/attachments/FCC-23-18A1.pdf">https://docs.fcc.gov/public/attachments/FCC-23-18A1.pdf</a>. To request
materials in accessible formats for people with disabilities (Braille,
large print, electronic files, audio format), send an email to
<a href="/cdn-cgi/l/email-protection#0d4b4e4e383d394d6b6e6e236a627b"><span class="__cf_email__" data-cfemail="a1e7e2e2949195e1c7c2c28fc6ced7">[email protected]</span></a> or call the Consumer & Governmental Affairs Bureau at
202-418-0530 (voice), 202-418-0432 (TTY).
Synopsis
I. Sixth Report and Order
1. In this document, the Commission continues to strengthen and
expand caller ID authentication requirements in the Secure Telephony
Identity Revisited/Signature-based Handling of Asserted information
using toKENs (STIR/SHAKEN) ecosystem by requiring non-gateway
intermediate providers that receive unauthenticated calls directly from
an originating provider to use STIR/SHAKEN to authenticate those calls.
The STIR/SHAKEN framework is a set of technical standards and protocols
that enable providers to authenticate and verify caller ID information
transmitted with Session Initiation Protocol (SIP) calls. The STIR/
SHAKEN framework consists of two components: (1) the technical process
of authenticating and verifying caller ID information; and (2) the
certificate governance process that maintains trust in the caller ID
authentication information transmitted along with a call.
2. Further, with this document, the Commission expands robocall
mitigation requirements for all providers, including those that have
not yet implemented STIR/SHAKEN because they lack the necessary
infrastructure or are subject to an implementation extension. The
Commission empowers the Enforcement Bureau with new tools and penalties
to hold providers accountable for failing to comply with its rules. The
Commission also defines the STIR/SHAKEN obligations of satellite
providers.
3. The STIR/SHAKEN caller ID authentication framework protects
consumers from illegally spoofed robocalls by enabling authenticated
caller ID information to securely travel with the call itself
throughout the entire call path. The Commission, consistent with
Congress's direction in the Telephone Robocall Abuse Criminal
Enforcement and Deterrence (TRACED) Act, adopted rules requiring voice
service providers to implement STIR/SHAKEN in the internet Protocol
(IP) portions of their voice networks by June 30, 2021, subject to
certain exceptions.
[[Page 40097]]
Because the TRACED Act defines ``voice service'' in a manner that
excludes intermediate providers, the Commission's authentication and
Robocall Mitigation Database rules use ``voice service provider'' in
this manner. The Commission's rules in 47 CFR 64.1200, many of which
the Commission adopted prior to adoption of the TRACED Act, use a
definition of ``voice service provider'' that includes intermediate
providers. For purposes of this document, the Commission uses the term
``voice service provider'' consistent with the TRACED Act definition
and where discussing caller ID authentication or the Robocall
Mitigation Database. In all other instances, the Commission uses
``provider'' and specifies the type of provider as appropriate. Unless
otherwise specified, the Commission means any provider, regardless of
its position in the call path.
A. Strengthening the Intermediate Provider Authentication Obligation
1. Requiring the First Intermediate Provider To Authenticate
Unauthenticated Calls
4. Under the Commission's caller ID authentication rules,
intermediate providers are required to authenticate any unauthenticated
caller ID information for the SIP calls they receive or, alternatively,
cooperate with the industry traceback consortium and timely and fully
respond to all traceback requests received from the Commission, law
enforcement, and the industry traceback consortium. In the Fourth Call
Blocking Order, 86 FR 17726 (Apr. 6, 2021), however, the Commission
required all providers in the path of a SIP call--including gateway
providers and other intermediate providers--to respond fully and in a
timely manner to traceback requests. The Commission later enhanced this
obligation for gateway providers to require response within 24 hours in
the Fifth Caller ID Authentication Report and Order, 87 FR 42916 (July
18, 2022). As a result of that action, intermediate providers may
decline to authenticate caller ID information given that compliance
with the traceback alternative has been made mandatory. In the Fifth
Caller ID Authentication Further Notice of Proposed Rulemaking (FNPRM),
87 FR 42670 (July 18, 2022), the Commission proposed closing this gap
in the STIR/SHAKEN caller ID authentication regime by requiring all
U.S. intermediate providers in the path of a SIP call carrying a U.S.
number in the caller ID field to authenticate unauthenticated caller ID
information, irrespective of their traceback obligations. Based on its
review of the record, the Commission adopts its proposal to establish a
mandatory caller ID authentication obligation for intermediate
providers, but does so on an incremental basis. Specifically, the
Commission amends its rules to require any non-gateway intermediate
provider that receives an unauthenticated SIP call directly from an
originating provider to authenticate the call. Stated differently, the
first intermediate provider in the path of an unauthenticated SIP call
will now be subject to a mandatory requirement to authenticate the
call.
5. The Commission has previously recognized that the STIR/SHAKEN
framework has beneficial network effects and becomes more effective as
more providers implement it. The record in this proceeding supports
expanding STIR/SHAKEN implementation by requiring non-gateway
intermediate providers to authenticate unauthenticated calls,
regardless of their traceback obligations. Although originating
providers are required to authenticate calls under the Commission's
rules--with limited exceptions--some originating providers are not
capable of implementing STIR/SHAKEN. In other cases, unscrupulous
providers may deliberately fail to comply with the Commission's rules.
The record shows that the failure of originating providers to sign
calls is one of the key weaknesses in the STIR/SHAKEN regime. By
requiring intermediate providers to authenticate unauthenticated SIP
calls they receive directly from an originating provider, the
Commission closes an important loophole in its caller ID authentication
scheme, and incorporates calls that would otherwise go unauthenticated
into the STIR/SHAKEN framework. Further, intermediate provider
authentication will facilitate analytics, blocking, and traceback
efforts by providing more information to downstream providers.
6. The Commission recognizes, however, that a mandatory
authentication obligation could subject intermediate providers to
significant costs. The Commission believes that the goals of the STIR/
SHAKEN framework and the public interest are best served by taking a
targeted approach to intermediate provider authentication that focuses
on the first intermediate provider in the call path. The Commission
therefore opts to take an incremental approach to imposing mandatory
authentication obligations on intermediate providers, requiring only
the first intermediate provider in the path of a SIP call to
authenticate unauthenticated caller ID information, rather than
requiring all intermediate providers in the path to do so at this time.
Intermediate providers should know whether they receive calls directly
from an originating provider pursuant to contracts that provide
information to the intermediate provider about the originating
provider's customers and expectations for handling their traffic.
Further, as explained below, the Commission requires non-gateway
intermediate providers to take ``reasonable steps'' to mitigate illegal
robocall traffic. That duty, along with other requirements of the
Commission's rules, may require an intermediate provider to perform the
due diligence necessary to understand the sources of the traffic it
receives. Accordingly, in the unlikely event that an intermediate
provider does not know through its contracts whether it receives calls
directly from an originating provider, it should obtain that
information to comply with this and other aspects of the Commission's
rules. The Commission finds that this approach, which focuses on the
beginning of the call path, will directly address the problem of calls
entering the call path without being authenticated by originating
providers, as described above. The Commission agrees with YouMail that
this targeted approach is likely to have the greatest impact on
stopping illegally spoofed robocalls. As YouMail argues, apart from the
originating provider, the ``best entity to identify and stop the
sources of robocalls is the first `downstream' provider (i.e., the next
provider in line that receives calls placed on the originating
provider's network).'' While the Commission may consider expanding a
call authentication requirement to all intermediate providers in the
future, this targeted approach will provide the Commission with an
opportunity to evaluate this first mandatory obligation for
intermediate providers, together with other pending expansions of the
caller ID authentication regime, and determine whether an
authentication requirement for more downstream intermediate providers
is warranted.
7. The Commission is not persuaded by the arguments submitted by
commenters favoring a mandatory authentication requirement for all
intermediate providers. For instance, some commenters argue that the
Commission's justifications for adopting a mandatory gateway provider
authentication requirement apply with equal force to all non-gateway
[[Page 40098]]
intermediate providers in the call path. The Commission disagrees. The
gateway provider caller ID authentication rules adopted by the
Commission in May 2022 apply to the first domestic intermediate
provider in the path of a foreign-originated call. The authentication
requirement the Commission adopts in this document similarly applies to
the first intermediate provider in the path of a U.S.-originated call.
Further, there are fewer gateway providers than other domestic
intermediate providers. Therefore, the overall industry cost of an
authentication obligation imposed on all domestic intermediate
providers is likely to be significantly higher than that of the gateway
provider obligation. The record in this proceeding simply does not
support requiring all intermediate providers to incur those costs at
this time if imposing an authentication obligation on the first
intermediate provider that receives an unauthenticated call directly
from an originating provider can close significant gaps in the
Commission's caller ID authentication regime. The Commission finds that
the incremental approach it adopts in this document will target a
critical gap in its call authentication regime while minimizing the
impact of the requirements on industry, including new entrants to the
market.
8. The Commission also declines to impose an authentication
obligation on all intermediate providers at this time to address
instances in which authentication information is ``stripped out'' by
the call transiting a non-IP network. The Commission has launched an
inquiry into solutions to enable caller ID authentication over non-IP
networks, the nexus between non-IP caller ID authentication and the IP
transition generally, and on specific steps the Commission can take to
encourage the industry's transition to IP. Widespread adoption of a
non-IP authentication solution or IP interconnection would result in
authenticated caller ID information being preserved and received by the
terminating provider. The Commission therefore declines to impose an
authentication obligation on all intermediate providers to address
circumstances where a call traverses a non-IP network, but may revisit
the subject after the Commission concludes its inquiry into whether
non-IP authentication or IP interconnection solutions are feasible and
can be timely implemented.
9. The Commission notes that the requirement it adopts here for the
first intermediate provider to authenticate a call will arise in
limited circumstances, such as where the originating provider failed to
comply with their own authentication obligation or where the call is
sent directly to an intermediate provider from the limited subset of
originating providers that lack an authentication obligation. If the
originating provider complies with its authentication obligation, the
first intermediate provider in the call chain need only meet its
preexisting obligation to pass-on that authentication information to
the next provider in the chain. Indeed, the first intermediate provider
in the call path may completely avoid the need to authenticate calls if
it implements contractual provisions with its upstream originating
providers stating that it will only accept authenticated traffic.
USTelecom requests that the Commission clarify that non-gateway
intermediate providers be deemed in compliance with their
authentication obligations if they enter into contractual provisions
with originating providers and such providers represent and warrant
that they do not originate any unsigned traffic and thereafter ``have
no reason to know, and do not know, that their upstream provider is
sending unsigned traffic it originated.'' The Commission declines to do
so, finding that such a clarification is unnecessary. If a non-gateway
intermediate provider were to claim that it has complied with the
authentication obligation that the Commission adopts pursuant to terms
of a contract with an originating provider, the Commission would
evaluate such a claim on a case-by-case basis.
2. Applicable STIR/SHAKEN Standards for Compliance
10. Voice service providers and gateway providers are obligated to
comply with, at a minimum, the version of the STIR/SHAKEN standards
ATIS-1000074, ATIS-1000080, and ATIS-1000084 and all of the documents
referenced therein in effect at the time of their respective compliance
deadlines, including any errata as of those dates or earlier. In the
Fifth Caller ID Authentication FNPRM, the Commission proposed that non-
gateway intermediate providers comply with, at a minimum, the versions
of these standards in effect at the time of their compliance deadline.
The Commission also sought comment on whether all providers should be
required to comply with the same versions of the standards as non-
gateway intermediate providers and whether it should establish a
mechanism for updating the standard that providers must comply with
going forward, including through delegation to the Wireline Competition
Bureau.
11. The Commission adopts its proposal that non-gateway
intermediate providers subject to the authentication obligation
described above must comply with, at a minimum, the versions of the
standards in effect at the time of their authentication compliance
deadline (which is addressed in the following section), along with any
errata. Like other providers, non-gateway intermediate providers will
have the flexibility to assign the level of attestation appropriate to
the call based on the applicable level of the standards and the
available call information. This approach is supported in the record.
12. The Commission does not at this time require gateway and voice
service providers to comply with versions of the standards that came
into effect after their respective compliance deadlines. The Commission
reiterates, however, that its requirement that providers must comply
with a specific version of a standard ``at a minimum,'' means that
while providers are required to comply with these standards, they are
permitted to comply with any version of the standard that has been
ratified by the Alliance for Telecommunications Industry Solutions
(ATIS) subsequent to the standard in effect at the time their
authentication implementation deadline. However, any later-adopted or
improved version of the standards that a provider chooses to
incorporate into its STIR/SHAKEN authentication framework must maintain
the baseline call authentication functionality exemplified by the
versions of ATIS-1000074, ATIS-1000080, and ATIS-1000084 in effect at
the time of its respective compliance date.
13. The Commission nevertheless concludes that there may be
significant benefits for all providers to comply with standards as they
are updated, particularly where updated versions contain critical new
features or functions. Requiring all providers to comply with a single,
updated standard would also facilitate enforcement of the Commission's
rules and ensure that any new features and functions contained in
revised standards spread throughout the STIR/SHAKEN ecosystem.
Therefore, the Commission adopts a process to incorporate future
standards into its rules where appropriate, similar to the process it
has adopted to require compliance with updated technical standards in
other contexts.
14. Specifically, the Commission delegates to the Wireline
Competition Bureau the authority to determine whether to seek comment
on requiring compliance with revised versions of the three ATIS
standards associated with the STIR/SHAKEN authentication
[[Page 40099]]
framework, and all documents referenced therein. The Commission also
delegates to the Wireline Competition Bureau the authority to require
providers subject to a STIR/SHAKEN authentication requirement to comply
with those revised standards, and the authority to set appropriate
compliance deadlines regarding such revised standards. Providers will
only be required to implement new standards if the benefits to the
STIR/SHAKEN ecosystem outweigh any compliance burdens. Additionally, a
process based on delegated authority may allow the adoption of revised
standards more quickly than would be the case through Commission-level
notice and comment procedures.
15. As with voice service and gateway providers, the Commission
also requires any non-gateway intermediate provider subject to the
authentication obligation described in this section to either upgrade
its network to allow for the initiation, maintenance, and termination
of SIP calls and fully implement the STIR/SHAKEN framework, or maintain
and be ready to provide the Commission on request with documented proof
that it is participating, either on its own or through a
representative, including third party representatives, as a member of a
working group, industry standards group, or consortium that is working
to develop a non-internet Protocol caller identification authentication
solution, or actively testing such a solution. The Commission finds
that expanding the requirements of Sec. 64.6303 to non-gateway
intermediate providers will ensure regulatory parity and promote the
development of non-IP authentication solutions, while offering
flexibility to providers that rely on non-IP infrastructure.
3. Compliance Deadlines
16. The Commission sets a December 31, 2023, deadline for the new
authentication obligations adopted in this section. By that date, the
first non-gateway intermediate provider in the call chain must
authenticate unauthenticated calls it receives. The Commission adopts a
deadline longer than the six-month deadline it suggested in the Fifth
Caller ID Authentication FNPRM because intermediate providers need time
to deploy the technical capability to comply with the Commission's
requirement to authenticate calls, and providers may wish to amend
their contracts with upstream originating providers to meet this new
requirement. While the record reflects disagreement as to an
appropriate intermediate authentication provider deadline, the
Commission concludes that a later deadline is not necessary.
Implementation of call authentication technology has likely become
faster and less costly for many providers than when the Commission
first adopted caller ID authentication requirements, particularly for
those that have already implemented STIR/SHAKEN in their other roles in
the call stream. Moreover, a non-gateway intermediate provider can
avoid the need to implement STIR/SHAKEN where it agrees to only accept
authenticated traffic from originating providers. The Commission has
previously found that six months is sufficient time for providers to
evaluate and renegotiate contracts to address new regulatory
requirements. Accordingly, the Commission finds that the approximate
nine-month period afforded by the December 31, 2023, deadline provides
sufficient time for intermediate providers to amend their contracts
with originating providers, if necessary, to comply with the
Commission's authentication requirement.
B. Mitigation and Robocall Mitigation Database Filing Obligations
17. The Commission next takes action to strengthen the robocall
mitigation requirements and Robocall Mitigation Database filing
obligations of all providers. As the Commission proposed in the Fifth
Caller ID Authentication FNPRM, it requires all providers--including
intermediate providers and voice service providers without the
facilities necessary to implement STIR/SHAKEN--to: (1) take
``reasonable steps'' to mitigate illegal robocall traffic; (2) submit a
certification to the Robocall Mitigation Database regarding their STIR/
SHAKEN implementation status along with other identifying information;
and (3) submit a robocall mitigation plan to the Robocall Mitigation
Database. Consistent with its proposal, the Commission also requires
downstream providers to block traffic received directly from all
intermediate providers that are not in the Robocall Mitigation
Database. These actions have significant support in the record. While
the Commission does not require providers to take specific steps to
meet their mitigation obligations, it does expand the subjects that
providers must describe in their filed mitigation plans and the
information that providers must submit to the Robocall Mitigation
Database.
1. Applying the ``Reasonable Steps'' Mitigation Standard to All
Providers
18. The Commission adopts its proposal in the Fifth Caller ID
Authentication FNPRM to expand to all providers the obligation to
mitigate illegal robocalls under the general ``reasonable steps''
standard. Specifically, the Commission now requires all non-gateway
intermediate providers, as well as voice service providers that have
fully implemented STIR/SHAKEN, to meet the same ``reasonable steps''
general mitigation standard that is currently applied to gateway
providers and voice service providers that have not fully implemented
STIR/SHAKEN under the Commission's rules. The general mitigation
standard the Commission adopts here for all providers is separate from
and in addition to the new robocall mitigation program description
obligations for all providers discussed below. The Commission also
concludes that voice service providers without the facilities necessary
to implement STIR/SHAKEN must mitigate illegal robocalls and meet this
same mitigation standard.
19. Requiring all providers to mitigate calls under the
``reasonable steps'' standard will ensure that every provider in the
call chain is subject to the same duty to mitigate illegal robocalls,
promoting regulatory symmetry and administrability. There is
significant support in the record for this approach. For providers with
a STIR/SHAKEN authentication obligation, these mitigation duties will
serve as an ``effective backstop'' to that authentication obligation
and, for those without such an obligation, they will act as a key
bulwark against illegal robocalls. As the Commission has noted, STIR/
SHAKEN is not a silver bullet and has a limited effect on illegal
robocalls where the number was obtained lawfully and not spoofed.
Requiring all providers to take reasonable steps to mitigate illegal
robocalls will help address these limitations in the STIR/SHAKEN
regime.
20. As proposed, the Commission retains a general standard that
requires providers to take ``reasonable steps'' to mitigate illegal
robocall traffic, rather than mandate that providers include specific
measures as part of their mitigation plans. The Commission notes,
however, that what constitutes a ``reasonable step'' may depend upon
the specific circumstances and the provider's role in the call path.
While some commenters argue that the Commission should require
providers to take specific measures under the ``reasonable steps''
standard, the Commission agrees that providers should retain ``the
necessary flexibility in determining which measures to use to mitigate
illegal calls on their networks.'' For this reason, the
[[Page 40100]]
Commission rejects ZipDX's request that it require providers to
describe specific practices in their robocall mitigation plans,
including specific know-your-upstream provider and analytics practices.
That said, the Commission agrees that promptly investigating and
mitigating illegal robocall traffic that is brought to the provider's
attention through measures such as internal monitoring and tracebacks
would constitute reasonable steps. Pursuant to this standard, a
provider's program is ``sufficient if it includes detailed practices
that can reasonably be expected to significantly reduce'' the carrying
or processing (for intermediate providers) or origination (for voice
service providers) of illegal robocalls. Each provider ``must comply
with the practices'' that its program requires, and its program is
insufficient if the provider ``knowingly or through negligence''
carries or processes calls (for intermediate providers) or originates
(for voice service providers) unlawful robocall campaigns.
21. The Commission declines to adopt Voice On The Net Coalition
(VON)'s proposal for a safe harbor from contract breach for providers
invoking contract termination provisions against providers originating
illegal robocall traffic. VON does not explain why such a safe harbor
is necessary or the legal authority for the Commission to adopt such a
provision, and the Commission finds it outside the scope of this
proceeding. Providers' programs must also commit to respond fully,
within the time period required by the Commission's rules, to all
traceback requests from the Commission, law enforcement, and the
industry traceback consortium, and to cooperate with such entities in
investigating and stopping illegal robocallers that use its service to
originate, carry, or process illegal robocalls. The Commission declines
to adopt Electronic Privacy Information Center and National Consumer
Law Center (EPIC/NCLC)'s proposal to replace the ``reasonable steps''
general mitigation standard with the ``affirmative, effective
measures'' standard found elsewhere in its rules. Under EPIC/NCLC's
proposal, a provider would fail to meet this standard if they allow the
origination of any illegal robocalls, even where the provider may have
taken ``reasonable steps'' to mitigate such calls. The Commission
disagrees with EPIC/NCLC's reading of its rules and conclude that these
standards work hand-in-hand to prevent illegal robocalls. A key purpose
of the ``reasonable steps'' standard is to ensure that providers enact
a robocall mitigation program and describe that program in the Robocall
Mitigation Database. If the program is not reasonable as described, or
if it is not followed, the provider may be held liable. Further, if the
steps described in a mitigation program are followed but are not
actually effective in stopping illegal robocalls, the originating
provider could be held liable for failing to put in place
``affirmative, effective'' measures to stop robocalls if they do not
take further action. Regardless of the mitigation standard the
Commission adopts, the Commission disagrees with EPIC/NCLC that
providers should be held strictly liable for allowing the origination
of any illegal robocalls regardless of whether they have taken
``reasonable steps'' to mitigate such calls, as explained in more
detail below.
22. The Commission also does not adopt VON's proposal of a ``gross
negligence'' standard to evaluate whether a mitigation program is
sufficient, rather than the Commission's existing standard, which
assesses whether a provider ``knowingly or through negligence''
originates, carries, or processes illegal robocalls. The Commission
disagrees that its existing standard ``essentially impose[s] strict
liability on providers,'' as VON asserts. On the contrary, if a
provider is taking sufficient ``reasonable steps'' to mitigate illegal
robocall traffic pursuant to a robocall mitigation program that
complies with the Commission's rules, the provider is likely not acting
negligently.
23. The Commission declines to adopt a heightened mitigation
obligation solely for Voice over internet Protocol (VoIP) providers.
The Commission acknowledges that there is evidence that VoIP providers
are disproportionally involved in the facilitation of illegal
robocalls. However, the Commission agrees with commenters opposing such
a heightened standard, because the threat of illegal robocalls is an
industry issue and impacts every type of provider. The Commission finds
that applying its obligations to providers regardless of the technology
used to transmit calls better aligns with the competitive neutrality of
the TRACED Act.
24. Deadlines. Consistent with the obligation placed on other
providers and the limited comments filed in the record, the Commission
requires providers newly covered by the general mitigation standard to
meet that standard within 60 days following Federal Register
publication of this document. No commenter argued that a greater length
of time is needed to comply, and the Commission finds no reason to
depart from the same compliance timeframe previously established for
other providers.
2. Expanded Robocall Mitigation Database Filing Obligations
25. The Commission next takes steps to strengthen its Robocall
Mitigation Database filing obligations to increase transparency and
ensure that all providers act to mitigate illegal robocalls. The
Commission previously required voice service providers with a STIR/
SHAKEN implementation obligation and those subject to an extension to
file certifications in the Robocall Mitigation Database regarding their
efforts to mitigate illegal robocalls on their networks--specifically,
whether their traffic is either signed with STIR/SHAKEN or subject to a
robocall mitigation program. By ``STIR/SHAKEN implementation
obligation,'' the Commission means the applicable requirement under its
rules that a provider implement STIR/SHAKEN in the IP portions of their
networks by a date certain, subject to certain exceptions. When
referencing those providers ``without'' a STIR/SHAKEN implementation
obligation, the Commission means those providers that are subject to an
implementation extension, such as a provider with an entirely non-IP
network or one that is unable to obtain the necessary Service Provider
Code (SPC) token to authenticate caller ID information, or that lack
control over the facilities necessary to implement STIR/SHAKEN. Those
voice service providers that certified that some or all of their
traffic is ``subject to a robocall mitigation program'' were required
to submit a robocall mitigation plan detailing the specific
``reasonable steps'' that they have taken ``to avoid originating
illegal robocall traffic.'' The Commission did not specifically require
voice service providers without the facilities necessary to implement
STIR/SHAKEN to file certifications in the database and had previously
concluded that they were not subject to the Commission's implementation
requirements.
26. The Commission adopts its proposal to expand the obligation to
file a robocall mitigation plan along with a certification in the
Robocall Mitigation Database to all providers regardless of whether
they are required to implement STIR/SHAKEN--including non-gateway
intermediate providers and providers without the facilities necessary
to implement STIR/SHAKEN--and expand the downstream blocking duty to
providers receiving traffic directly from non-gateway intermediate
providers not in the Robocall Mitigation Database. As
[[Page 40101]]
proposed, providers with a new Robocall Mitigation Database filing
obligation must submit the same basic information as providers that had
previously been required to file. The Commission also requires all
providers to file additional information in certain circumstances, as
explained below.
27. Universal Robocall Mitigation Database Filing Obligation. There
was overwhelming record support for broadening the Robocall Mitigation
Database certification and mitigation plan filing obligation to cover
all providers. Like the expanded mitigation obligation above, this
approach will ensure that every provider in the call chain is covered
by the same basic set of rules and will increase transparency and
accountability. The Commission also agrees with USTelecom that
requiring non-gateway intermediate providers to file a certification
and mitigation plan in the Robocall Mitigation Database will facilitate
the Commission's enforcement efforts for those providers, as it will
for voice service providers newly obligated to file a mitigation plan.
28. Consistent with its proposal and existing providers'
obligations, all providers' robocall mitigation plans must describe the
specific ``reasonable steps'' the provider has taken to avoid, as
applicable, the origination, carrying, or processing of illegal
robocall traffic as part of its robocall mitigation program. A provider
that plays more than one ``role'' in the call chain should explain the
mitigation steps it undertakes in each role, to the extent those
mitigation steps are different.
29. New Robocall Mitigation Program Description Obligations for All
Providers. Under the Commission's current rules, voice service
providers are required to describe the specific ``reasonable steps''
that they have taken ``to avoid originating illegal robocall traffic''
as part of their robocall mitigation programs. Gateway providers are
required to address this topic and provide a description of how they
have complied with the know-your-upstream provider requirement in Sec.
64.1200(n)(4) of the Commission's rules. The Commission now imposes
specific additional requirements for the contents of robocall
mitigation plans filed in the Robocall Mitigation Database.
Specifically, as part of their obligation to ``describe with
particularity'' their robocall mitigation techniques, (1) voice service
providers must describe how they are meeting their existing obligation
to take affirmative, effective measures to prevent new and renewing
customers from originating illegal calls; (2) non-gateway intermediate
providers and voice service providers must, like gateway providers,
describe any ``know-your-upstream provider'' procedures in place
designed to mitigate illegal robocalls; and (3) all providers must
describe any call analytics systems they use to identify and block
illegal traffic, including whether they use a third-party vendor or
vendors and the name of the vendor(s). To comply with the new
requirements to describe their ``new and renewing customer'' and
``know-your-upstream provider'' procedures, providers must describe any
contractual provisions with end-users or upstream providers designed to
mitigate illegal robocalls. The Commission does not expect providers to
necessarily submit contractual provisions, but to describe them in
general terms, including whether such provisions are typically included
in their contracts. The Commission concludes that the obligation to
describe these procedures is particularly important for voice service
providers without a STIR/SHAKEN implementation obligation. While the
Commission does not currently require intermediate providers other than
gateway providers to engage in ``know-your-upstream provider''
procedures, if they have put such procedures in place, they must be
documented in their robocall mitigation plan. While the Commission does
not specifically require providers to use call analytics, doing so may
be a ``reasonable step'' to mitigate illegal robocall traffic,
depending on the circumstances. For example, if a provider is a
reseller, it is likely to rely on any analytics software adopted by its
wholesale provider to monitor call traffic. In that case, the reseller
should describe this practice in its robocall mitigation plan.
30. In the Fifth Caller ID Authentication Report and Order, the
Commission required gateway providers to comply with a new requirement
to ``know'' their upstream provider and required gateway providers to
include in their Robocall Mitigation Database-filed mitigation plan a
description of how they have complied with this obligation. In the
Fifth Caller ID Authentication FNPRM, the Commission sought comment on
expanding these two requirements to non-gateway intermediate providers.
The Commission continues to study the record on whether to do so.
Similarly, the Commission continues to consider whether to adopt its
proposal to require all providers to respond to traceback requests
within 24 hours as gateway providers are currently required to do.
31. The Commission imposes these new requirements because it has
become increasingly clear that provider due diligence and the use of
call analytics are key ways to stop illegal robocalls. The public and
the Commission's understanding of the steps providers take to
scrutinize their relationships with other providers in the call path
and analyze their traffic will facilitate compliance with and
enforcement of the Commission's rules. Recent actions by the
Enforcement Bureau demonstrating that some providers are not including
meaningful descriptions in their mitigation plans warrants more
prescriptive obligations. There is also specific record support for
these new requirements.
32. Baseline Information Submitted with Robocall Mitigation
Database Certifications. Consistent with existing providers' filing
obligations and the Commission's proposal in the Fifth Caller ID
Authentication FNPRM, all providers newly obligated to submit a
certification to the Robocall Mitigation Database pursuant to the
requirements adopted herein must submit the following information: (1)
whether it has fully, partially, or not implemented the STIR/SHAKEN
authentication framework in the IP portions of its network; (2) the
provider's business name(s) and primary address; (3) other business
name(s) in use by the provider; (4) all business names previously used
by the provider; (5) whether the provider is a foreign provider; and,
(6) the name, title, department, business address, telephone number,
and email address of one person within the company responsible for
addressing robocall mitigation-related issues. The certification must
be signed by an officer of the company. Consistent with the
Commission's proposal and current rules, providers with a new filing
obligation must update any information submitted within 10 business
days of ``any change in the information'' submitted, ensuring that the
information is kept up to date. Certifications and robocall mitigation
plans must be submitted in English or with a certified English
translation.
33. Additional Information to be Submitted with Mitigation Plans.
In order to effectively implement its new and modified authentication
obligations, in addition to the baseline information currently required
of all filers, the Commission also requires providers to submit
additional information in their Robocall Mitigation Database
certifications. The Commission requires all providers: (1) to submit
additional information regarding their role(s) in the call chain; (2)
asserting they do not have an obligation to implement STIR/SHAKEN to
include more detail regarding the basis of that
[[Page 40102]]
assertion; (3) to certify that they have not been prohibited from
filing in the Robocall Mitigation Database; and (4) to state whether
they are subject to a Commission, law enforcement, or regulatory agency
action or investigation due to suspected unlawful robocalling or
spoofing and provide information concerning any such actions or
investigations.
34. First, to increase transparency for the industry and regulators
and better facilitate its evaluation of the mitigation plans detailed
in the Robocall Mitigation Database, the Commission requires providers
to submit additional information to indicate the role or roles they are
playing in the call chain. Specifically, providers must indicate
whether they are: (1) a voice service provider with a STIR/SHAKEN
implementation obligation serving end-users; (2) a voice service
provider with a STIR/SHAKEN obligation acting as a wholesale provider
originating calls; (3) a voice service provider without a STIR/SHAKEN
obligation; (4) a non-gateway intermediate provider with a STIR/SHAKEN
obligation; (5) a non-gateway intermediate provider without a STIR/
SHAKEN obligation; (6) a gateway provider with a STIR/SHAKEN
obligation; (7) a gateway provider without a STIR/SHAKEN obligation;
and/or (8) a foreign provider. This requirement expands upon the
existing rule that providers indicate in their Robocall Mitigation
Database filings whether they are a foreign provider, voice service
provider, and/or gateway provider. The Commission notes that certain
provider classes have different obligations under its rules and, as
explained above, the ``reasonable steps'' necessary to meet the
Commission's mitigation standard may differ based on the provider's
role in the call path. The Commission concludes, therefore, that the
collection of this information is necessary to allow the public and the
Commission to determine whether a specific provider's mitigation steps
are reasonable.
35. Second, the Commission expands its requirement that providers
with a current Robocall Mitigation Database filing obligation must
state in their mitigation plan whether a STIR/SHAKEN extension applies,
and apply that rule to all current and new Robocall Mitigation Database
filers. Specifically, a filer asserting it does not have an obligation
to implement STIR/SHAKEN because of an ongoing extension, or because it
lacks the facilities necessary to implement STIR/SHAKEN, must both
explicitly state the rule that exempts it from compliance (for example,
by explaining that it lacks the necessary facilities to implement STIR/
SHAKEN or it cannot obtain an SPC token) and explain in detail why that
exemption applies to the filer (for example, by explaining that it is a
pure reseller with some facilities, but that they are not sufficient to
implement STIR/SHAKEN, or the steps it has taken to diligently pursue
obtaining a token). The Commission concludes that this limited
expansion of its existing rule is necessary to permit the public and
Commission to evaluate why a provider believes it is not subject to all
or a subset of the Commission's rules and whether that explanation is
reasonable.
36. Third, the Commission requires new and existing filers to
certify that they have not been prohibited from filing in the Robocall
Mitigation Database pursuant to a law enforcement action, including the
new enforcement requirements adopted herein. Filers will be required to
certify that they have not been barred from filing in the Robocall
Mitigation Database by such an enforcement action. This includes, but
is not limited to, instances in which a provider has been removed from
the Robocall Mitigation Database and has been precluded from refiling
unless and until certain deficiencies have been cured and those in
which a provider's authorization to file has been revoked due to
continued violations of the Commission's robocall mitigation rules.
This information will enhance the effectiveness of the new enforcement
measures the Commission adopts herein to impose consequences on repeat
offenders of its robocall mitigation rules. The Commission disagrees
with Cloud Communications Alliance (CCA) that the same purpose can be
served by indicating whether a provider filed under a prior name. This
is not sufficient information to facilitate the Commission's rule
barring related entities of repeated bad actors from filing in the
Robocall Mitigation Database. The Commission also adopts its proposal
to require providers to submit information regarding their principals,
affiliates, subsidiaries, and parent companies in sufficient detail to
facilitate the Commission's ability to determine whether the provider
has been prohibited from filing in the Robocall Mitigation Database.
The Commission delegates to the Wireline Competition Bureau to
determine the form and format of such data.
37. Fourth, the Commission requires all providers to: (1) state
whether, at any time in the prior two years, the filing entity (and/or
any entity for which the filing entity shares common ownership,
management, directors, or control) has been the subject of a formal
Commission, law enforcement, or regulatory agency action or
investigation with accompanying findings of actual or suspected
wrongdoing due to the filing entity transmitting, encouraging,
assisting, or otherwise facilitating illegal robocalls or spoofing, or
a deficient Robocall Mitigation Database certification or mitigation
program description; and, if so (2) provide a description of any such
action or investigation, including all law enforcement or regulatory
agencies involved, the date that any action or investigation was
commenced, the current status of the action or investigation, a summary
of the findings of wrongdoing made in connection with the action or
investigation, and whether any final determinations have been issued.
The Commission limits this reporting requirement to formal actions and
investigations that have been commenced or issued pursuant to a written
notice or other instrument containing findings by the law enforcement
or regulatory agency that the filing entity has been or is suspected of
the illegal activities itemized above, including, but not limited to,
notices of apparent liability, forfeiture orders, state or federal
civil lawsuits or criminal indictments, and cease-and-desist notices.
Providers that must include confidential information to accurately and
fully comply with this reporting requirement, as explained below, may
seek confidential treatment of that information pursuant to Sec. 0.459
of the Commission's rules. This information will help the Commission
evaluate claims made by providers in their mitigation program
descriptions and identify potential violations of its rules. The
Commission does not adopt USTelecom's request that the reporting
requirement the Commission adopts be limited to public actions and
investigations. The Commission finds that limiting the reporting
requirement to formal actions and investigations that are public would
simply reduce the scope of the reporting requirement and is not
necessary to clarify it. The Commission agrees with commenters,
however, that providers should not be required to submit information
concerning mere inquiries from law enforcement or regulatory agencies
or investigations that do not include findings of actual or suspected
wrongdoing. Thus, for example, traceback requests, Enforcement Bureau
letters of inquiry or subpoenas, or investigative demand letters or
subpoenas issued by regulatory agencies or law enforcement would not
trigger this obligation because they are not
[[Page 40103]]
accompanied by findings of actual or suspected wrongdoing. The
Commission does not adopt INCOMPAS's proposal that it exempt formal
actions and investigations accompanied by findings of actual or
suspected wrongdoing that rely ``solely'' on tracebacks from the
disclosure requirement the Commission adopts in this document. As
stated above, the Commission excludes traceback requests from the
disclosure requirement when they are not accompanied by findings of
actual or suspected wrongdoing. When a formal action or investigation
based solely on traceback requests is accompanied by findings of actual
or suspected wrongdoing made by the Commission, law enforcement, or a
regulatory agency, disclosure of that information may be useful in
evaluating claims made by providers in their mitigation program
descriptions and identifying potential violations of the Commission's
rules. The Commission finds that inquiries or investigations that do
not contain findings of actual or suspected wrongdoing by the law
enforcement or regulatory agency would be of limited value to the
Commission in evaluating the certifications and robocall mitigation
plans submitted to the Robocall Mitigation Database.
38. Finally, the Commission requires filers to submit their
Operating Company Number (OCN) if they have one. An OCN is a
prerequisite to obtaining an SPC token, and the Commission concludes
that filing the OCN or indicating that they do not have one will allow
the Commission to more easily determine whether a provider is meeting
its requirement to diligently pursue obtaining a token in order to
authenticate their own calls and provides an additional way to
determine relationships among providers. The Commission does not
require filers to include additional identifying information discussed
in the Fourth Caller ID Authentication FNPRM, 86 FR 59084 (Oct. 26,
2021). There was no support for doing so, and the Commission finds the
incremental benefits of providing additional information beyond the OCN
are unclear.
39. Robocall Mitigation Database Filing Deadlines. Providers newly
subject to the Commission's Robocall Mitigation Database filing
obligations must submit a certification and mitigation plan to the
Robocall Mitigation Database by the later of: (1) 30 days following
publication in the Federal Register of notice of approval by the Office
of Management and Budget (OMB) of any associated Paperwork Reduction
Act (PRA) obligations; or (2) any deadline set by the Wireline
Competition Bureau through Public Notice. This approach provides
additional flexibility to the Wireline Competition Bureau to provide an
extended filing window where circumstances warrant. Existing filers
subject to new or modified requirements adopted in this document must
amend their filings with the newly required information by the same
deadline. If a provider is required to fully implement STIR/SHAKEN but
has not done so by the Robocall Mitigation Database filing deadline, it
must so indicate in its filing. It must then later update the filing
within 10 business days of completing STIR/SHAKEN implementation. The
Commission recognizes that some of this information may be considered
confidential. Providers may make confidential submissions consistent
with the Commission's existing confidentiality rules. Providers may
only redact filings to the extent appropriate under the Commission's
confidentiality rules.
40. Refusing Traffic From Unlisted Providers. As proposed, the
Commission extends the prohibition on accepting traffic from unlisted
(including de-listed) providers to non-gateway intermediate providers.
This proposal is well supported in the record and will close the final
gap in the Commission's Robocall Mitigation Database call blocking
regime. Under this rule, downstream providers will be prohibited from
accepting any traffic from a non-gateway intermediate provider not
listed in the Robocall Mitigation Database, either because the provider
did not file or their certification was removed as part of an
enforcement action. The Commission concludes that a non-gateway
intermediate provider Robocall Mitigation Database filing requirement
and an associated prohibition against accepting traffic from non-
gateway intermediate providers not in the Robocall Mitigation Database
will ensure regulatory symmetry. By extending this prohibition to non-
gateway intermediate providers, the Commission ensures that downstream
providers will no longer be required to determine the ``role'' of the
upstream provider on a call-by-call basis to determine whether the call
should be blocked. Consistent with the Commission's proposal, and the
parallel requirements adopted for accepting traffic from gateway
providers and voice service providers, compliance will be required no
sooner than 90 days following the deadline for non-gateway intermediate
providers to submit a certification to the Robocall Mitigation
Database.
41. As a result of non-gateway intermediate providers' affirmative
obligation to submit a certification in the Robocall Mitigation
Database, downstream providers may not rely upon any non-gateway
intermediate provider database registration imported from the
intermediate provider registry. Any imported Robocall Mitigation
Database entry is not sufficient to meet a non-gateway intermediate
provider's Robocall Mitigation Database filing obligation or to prevent
downstream providers from blocking traffic upon the effective date of
the obligation for downstream providers to block traffic from non-
gateway intermediate providers.
42. Bureau Guidance. Consistent with its prior delegations of
authority concerning the Robocall Mitigation Database submission
process, the Commission directs the Wireline Competition Bureau to make
the necessary changes to the Robocall Mitigation Database and to
provide appropriate Robocall Mitigation Database filing instructions
and training materials as necessary and consistent with this document.
The Commission delegates to the Wireline Competition Bureau the
authority to specify the form and format of any submissions as well as
necessary changes to the Robocall Mitigation Database submission
interface. The Commission also delegates to the Wireline Competition
Bureau the authority to make the necessary changes to the Robocall
Mitigation Database to indicate whether a non-gateway intermediate
provider has made an affirmative filing (as opposed to being imported
as an intermediate provider) and whether any provider's filing has been
de-listed as part of an enforcement action, and to announce its
determination as part of its guidance. The Commission also directs the
Wireline Competition Bureau to release a public notice upon Office of
Management and Budget (OMB) approval of any information collection
associated with the Commission's Robocall Mitigation Database filing
requirements, announcing OMB approval of its rules, effective dates,
and deadlines for filing and for providers to block traffic from non-
gateway intermediate providers that have not filed.
C. Enforcement
43. In order to further strengthen its efforts to hold illegal
robocallers accountable for their actions, the Commission adopts
several enforcement proposals described in the Fifth Caller
[[Page 40104]]
ID Authentication FNPRM. Specifically, the Commission: (1) adopts a
per-call forfeiture penalty for failure to block traffic in accordance
with its rules and sets maximum forfeitures for such violations; (2)
requires the removal of non-gateway intermediate providers from the
Robocall Mitigation Database for violations of its rules, consistent
with the standard applied to other filers; (3) establishes an expedited
process for provider removal for facially deficient certifications; and
(4) establishes rules that would impose consequences on repeat
offenders of its robocall mitigation rules. The adoption of more robust
enforcement tools is supported in the record.
1. Per Call Maximum Forfeitures
44. The Commission first adopts its proposal to establish a
forfeiture penalty on a per-call basis for violations of its robocall
blocking rules in 47 CFR 64.1200 through 64.1204 and 47 CFR 64.6300
through 64.6308. Commenters generally agreed that aggressive penalties
are appropriate. Mandatory blocking is an important tool for protecting
American consumers from illegal robocalls. As the Commission has found
in its previous robocalling orders and enforcement actions, illegal
robocalls cause significant consumer harm. Penalties for failure to
comply with mandatory blocking requirements must deter noncompliance
and be sufficient to ensure that entities subject to these requirements
are unwilling to risk suffering serious economic harm.
45. Consistent with its proposal, the Commission authorizes the
maximum forfeiture amount for each violation of the mandatory blocking
requirements of $23,727 per call. This is the maximum forfeiture amount
the Commission's rules permit it to impose on non-common carriers.
Although common carriers may be assessed a maximum forfeiture of
$237,268 for each violation, the Commission finds that it should not
impose a greater penalty on one class of providers than another for
purposes of the mandatory blocking requirements. The Commission also
sets a base forfeiture amount of $2,500 per call because it concludes
that the failure to block results in a similar consumer harm as the
robocall itself (e.g., the consumer receives the robocall itself). The
Commission finds that a $2,500 base forfeiture is reasonable in
comparison to the $4,500 base forfeiture for violations of the
Telephone Consumer Protection Act of 1991 (TCPA). While the failure to
block produces significant consumer harm, the harm is not as great and
does not carry the same degree of culpability as the initiator of an
illegal robocall campaign who may have committed a TCPA violation.
While the Commission sought comment on whether it should consider
specific additional mitigating or aggravating factors, it did not
receive sufficient comment to provide a basis for doing so. As with
other violations of its rules, however, existing upward and downward
adjustment criteria in Sec. 1.80 of the Commission's rules may apply.
Additionally, there may be pragmatic factors in its prosecutorial
discretion in calculating the total forfeiture amount--particularly
when there is a very large number of calls at issue--as the Commission
has done in its enforcement actions pursuant to the TCPA and those
actions taken against spoofing.
2. Provider Removal From the Robocall Mitigation Database
46. The Commission also adopts its proposal to provide for the
removal of non-gateway intermediate providers from the database for
violations of its rules. In the Second Caller ID Authentication Report
and Order, 85 FR 73360 (Nov. 17, 2020), the Commission set forth
consequences for voice service providers that file a deficient robocall
mitigation plan or that ``knowingly or negligently'' originate illegal
robocall campaigns, including removal from the Robocall Mitigation
Database. Gateway providers are now subject to the same rules for calls
that they carry or process. To promote regulatory symmetry, the
Commission concludes that non-gateway intermediate providers should
face similar consequences.
47. Specifically, the Commission finds that a non-gateway
intermediate provider with a deficient certification--such as when the
certification describes a program that is unreasonable, or if it
determines that a provider knowingly or negligently carries or
processes illegal robocalls--the Commission will take appropriate
enforcement action. This may include, among other actions, removing a
certification from the database after providing notice to the
intermediate provider and an opportunity to cure the filing, requiring
the intermediate provider to submit to more specific robocall
mitigation requirements, and/or proposing the imposition of a
forfeiture. The Commission declines, however, to adopt other reasons to
remove providers from the database. The Commission concludes that the
existing basis for removal is appropriately tailored to the underlying
purpose of the Robocall Mitigation Database--to facilitate detection
and elimination of illegal robocall traffic. As proposed, the
Commission explicitly expands its delegation of authority to the
Enforcement Bureau to de-list or exclude a provider from the Robocall
Mitigation Database to include the removal of non-gateway intermediate
providers.
48. Downstream providers must refuse traffic sent by a non-gateway
intermediate provider that is not listed in the Robocall Mitigation
Database, as described above and consistent with the existing
safeguards applicable to the Commission's existing rules for refusing
traffic for calls to 911, public safety answering points, and
government emergency numbers. The Commission agrees with VON that any
sanctions for failure to block calls from a provider removed from the
database should not occur without sufficient notice to the industry.
The Commission concludes, however, that the existing Enforcement Bureau
process, where providers are given two business days to block calls
following Commission notice of removal from the database, is
sufficient, as it appropriately balances the public's interest in
blocking unwanted robocalls against the need to allow providers
sufficient time to take the necessary steps to block traffic.
3. Expedited Removal Procedure for Facially Deficient Filings
49. The Commission agrees with commenters that there are certain
instances in which a provider should be removed from the Robocall
Mitigation Database on an expedited basis. Specifically, the Commission
finds that where the Enforcement Bureau determines that a provider's
filing is facially deficient, the Enforcement Bureau may remove a
provider from the Robocall Mitigation Database using an expedited two-
step procedure, which entails providing notice and an opportunity to
cure the deficiency. This streamlined process will allow the
Enforcement Bureau to move more quickly against providers whose filings
clearly fail to meet the Commission's requirements.
50. In the Second Caller ID Authentication Report and Order, the
Commission required that providers be given notice of any deficiencies
in their certification and an opportunity to cure prior to removal from
the Robocall Mitigation Database, but did not prescribe a specific
removal procedure. Pursuant to that requirement and the Commission's
prior delegation, the Wireline Competition Bureau and Enforcement
Bureau have implemented the following three-step removal procedure: (1)
the Wireline Competition Bureau contacts the provider, notifying
[[Page 40105]]
it that its filing is deficient, explaining the nature of the
deficiency, and providing 14 days for the provider to cure the
deficiency; (2) if the provider fails to rectify the deficiency, the
Enforcement Bureau releases an order concluding that a provider's
filing is deficient based on the available evidence and directing the
provider to explain, within 14 days, why the Enforcement Bureau should
not remove the Company's certification from the Robocall Mitigation
Database and giving the provider a further opportunity to cure the
deficiencies in its filing; and (3) if the provider fails to rectify
the deficiency or provide a sufficient explanation why its filing is
not deficient within that 14-day period, the Enforcement Bureau
releases an order removing the provider from the Robocall Mitigation
Database.
51. While this procedure is appropriate in cases where there may be
questions about the sufficiency of the steps described in a mitigation
plan, the Commission concludes that an expedited approach is warranted
where the certification is facially deficient. A certification is
``facially deficient'' where the provider fails to submit a robocall
mitigation plan within the meaning of the Commission's rules. That is,
it fails to submit any information regarding the ``specific reasonable
steps'' it is taking to mitigate illegal robocalls. While it is not
practical to provide an exhaustive list of reasons why a filing would
be considered ``facially deficient,'' examples include, without
limitation, instances where the provider only submits: (1) a request
for confidentiality with no underlying substantive filing; (2) only
non-responsive data or documents (e.g., a screenshot from the
Commission's website of a provider's FCC Registration Number data or
other document that does not describe robocall mitigation efforts); (3)
information that merely states how STIR/SHAKEN generally works, with no
specific information about the provider's own robocall mitigation
efforts; or (4) a certification that is not in English and lacks a
certified English translation. In these and similar cases, the
Commission need not reach the question of whether the steps the
provider is taking to mitigate robocalls are reasonable because the
provider has failed to submit even the most basic information required
to do so.
52. The Commission concludes that where a provider's filing is
facially deficient, it has ``willfully'' violated its Robocall
Mitigation Database filing obligation within the meaning of that term
in section 9(b) of the Administrative Procedure Act (APA), 5 U.S.C.
558(c), which applies to revocations of licenses. Although the
Commission does not reach a definitive conclusion here, the removal of
a provider's certification from the Robocall Mitigation Database--which
will lead to the mandatory blocking of the provider's traffic by
downstream providers--is arguably equivalent to the revocation of a
license. This finding is consistent with precedent concluding that a
party acts ``willfully'' within the meaning of section 558(c) where it
acts with ``careless disregard.'' As such, where a ``willful''
violation has occurred, the provider's Robocall Mitigation Database
certification may be removed without a separate notice prior to the
initiation of an ``agency proceeding'' to remove the certification.
While the Commission does not specifically conclude that a Robocall
Mitigation Database certification is a license within the meaning of
that section, the Commission's expedited procedure would be compliant
with section 558 if it reached such a conclusion. The Commission does
not adopt Professional Association for Customer Engagement (PACE)'s
proposal to provide a complete list of reasons for why a provider's
filing might be facially deficient, and the specific steps it must take
in response to avoid removal. It is not practical to provide an
exhaustive list of all potential examples of facially deficient filings
and methods to cure such deficiencies. Further, attempting to do so
would limit the Commission's flexibility to respond to changing tactics
by bad actors and could provide a roadmap for bad actors to avoid
expedited removal. Moreover, the Commission concludes that PACE's due
process concerns are addressed under the expedited removal process it
adopts: The Enforcement Bureau's notice to the provider in the first
step will explain the basis for its conclusion that the filing is
facially deficient, while the second step offers providers an
opportunity to cure that deficiency prior to removal. Therefore, the
Commission adopts the following two-step expedited procedure for
removing a facially deficient certification: (1) issuance of a notice
by the Enforcement Bureau to the provider explaining the basis for its
conclusion that the certification is facially deficient and providing
an opportunity for the provider to cure the deficiency or explain why
its certification is not deficient within 10 days; and (2) if the
deficiency is not cured or the provider fails to establish that there
is no deficiency within that 10-day period, the Enforcement Bureau will
issue an order removing the provider from the database. The Commission
notes that a number of providers have responded within 14 days to
Enforcement Bureau requests to correct their deficient filings and
concludes that employing a marginally shorter time period for this
expedited process will further the Commission's interest in swiftly
resolving these willful violations without materially affecting a
providers' ability to respond to the Enforcement Bureau's notice.
53. The Commission finds that this expedited two-step procedure is
also consistent with providers' Fifth Amendment due process rights
under the Supreme Court's three factor test. While providers have a
significant ``private interest'' under the first factor of the test
that would be affected by removal from the Robocall Mitigation
Database, the risk of an erroneous deprivation of such interest through
the procedures used and the probable value, if any, of additional or
substitute procedural safeguards under the second factor is exceedingly
low, given that (1) the filings in question are facially deficient, and
(2) providers would have a reasonable opportunity to cure the deficient
filings by submitting a valid robocall mitigation plan. Given the
extremely low risk of erroneous deprivation of a private interest in
these situations, the Commission finds that these first two factors do
not outweigh the third factor--the ``Government's interest''--which is
very weighty here: The Government has a strong interest in ensuring
that providers adopt valid robocall mitigation plans as soon as
possible to further its continuing efforts to reduce the number of
illegal robocalls and harm to consumers, and in blocking traffic of
providers that are unable or unwilling to implement or document
effective mitigation measures.
54. The Commission concludes that this expedited approach is
preferable to EPIC/NCLC's proposal to automatically remove certain
``high-risk'' VoIP providers from the Robocall Mitigation Database or
impose forfeitures through a bespoke, expedited process. As explained
above, the Commission does not believe that a separate set of rules for
VoIP providers is appropriate and the expedited procedure the
Commission adopts in this document complies with the APA and due
process. EPIC/NCLC do not explain how removal from the database prior
to any opportunity to respond is consistent with the APA or due
process.
[[Page 40106]]
4. Consequences for Continued Violations
55. In order to address continued violations of its robocall
mitigation rules, the Commission proposed in the Fifth Caller ID
Authentication FNPRM to subject repeat offenders to proceedings to
revoke their section 214 operating authority and to ban offending
companies and/or their individual company owners, directors, officers,
and principals from future significant association with entities
regulated by the Commission. The Commission further proposed to find
that providers that are not common carriers operating pursuant to
blanket section 214 authority hold other Commission authorizations
sufficient to subject them to the Commission's jurisdiction for
purposes of enforcing its rules pertaining to preventing illegal
robocalls. The Commission also proposed to find that providers not
classified as common carriers but that are registered in the Robocall
Mitigation Database hold a Commission certification such that they are
subject to the Commission's jurisdiction. The Commission adopts its
proposal to revoke the section 214 operating authority of entities that
engage in continued violations of its robocall mitigation rules. The
Commission also finds that non-common carriers holding Commission
authorizations and/or certifications are similarly subject to
revocation of their authorizations and/or certifications. The
Commission further finds that it will consider whether it is in the
public interest for individual company owners, directors, officers, and
principals of entities for which the Commission has revoked an
authority or a certification, or for other entities with which those
individuals are affiliated, to obtain future Commission authorizations,
licenses, or certifications at the time that they apply for them.
56. Revocation of Section 214 Authority and Other Commission
Authorizations. In the Fifth Caller ID Authentication FNPRM, the
Commission proposed to find that entities engaging in continued
violations of its robocall mitigation rules, be subject to revocation
of their section 214 operating authority, where applicable. The
Commission concludes that the ``robocall mitigation rules'' within the
scope of this requirement means the specific obligations to: (1)
implement a robocall mitigation program that includes specific
``reasonable steps'' to mitigate illegal robocalls and comply with the
steps outlined in the plan; (2) submit a plan describing the mitigation
program to the Robocall Mitigation database; and (3) not accept traffic
from providers not in the Robocall Mitigation database. This includes
obligations that the Commission previously adopted as well as those
that it adopts in this document.
57. The Commission concludes that this requirement also pertains to
continued violation of providers' authentication obligations. While in
certain instances the Commission has referred to provider mitigation
obligations as separate from authentication, the Commission has also
concluded that they work hand in hand to stop illegal robocalls.
Indeed, analytics providers often use authentication information to
determine whether to block or label a call. The Commission therefore
concludes that call authentication serves to mitigate illegal
robocalls, and failure to follow the Commission's authentication rules
falls within the scope of the enforcement authority it adopts in this
document.
58. The Commission did not receive comments regarding the scope of
the specific rules covered by the consequences proposed in the Fifth
Caller ID Authentication FNPRM. The Commission finds, however, that it
is reasonable to fully enforce the foregoing robocall mitigation rules
by holding accountable those who engage in continued violations of
those rules. The Commission will exercise its ability to revoke the
section 214 authorizations for providers engaging in continued
violations of those rules, consistent with its long-standing authority
to revoke the section 214 authority of any provider for serious
misconduct.
59. The Commission's authority to revoke section 214 authority in
order to protect the public interest is well established. The
Commission intends to apply that authority as necessary to address
entities engaging in continued violations of its rules. Specifically,
an entity engaging in continued violations of the Commission's robocall
mitigation rules as defined in this section will be required to explain
to the Enforcement Bureau why the Commission should not initiate
proceedings to revoke its domestic and/or international section 214
authorizations. Consistent with established Commission procedures, the
Commission may then adopt an order to institute a proceeding to revoke
domestic and/or international section 214 authority. Should the entity
fail to address concerns regarding its retention of section 214
authority, the Commission would then issue an Order on Revocation
consistent with its authority to revoke section 214 authority when
warranted to protect the public interest.
60. The Commission also adopts its proposals that providers not
classified as common carriers but that hold other types of Commission
authorizations, including a certification as a result of being
registered in the Robocall Mitigation Database, are subject to the
Commission's jurisdiction for the purpose of the consequences the
Commission adopts in this section. Interconnected VoIP providers are
subject to Title II of the Communications Act of 1934, as amended
(Communications Act or Act) through their requirement to file
applications to discontinue service under section 214 and Sec. 63.71
of the Commission's rules. As explained below, this approach does not
constitute an improper exercise of jurisdiction over domestic non-
common carriers or foreign providers. The Fifth Caller ID
Authentication FNPRM listed the providers that the Commission
contemplated would be subject to its enforcement authority. These
providers have domestic and international section 214 authorizations,
have applied for and received authorization for direct access to
numbering resources, are designated as eligible telecommunications
carriers under section 214(e) of the Communications Act in order to
receive federal universal service support, or are registered in the
Robocall Mitigation Database. Where the Commission grants a right or
privilege, it unquestionably has the right to revoke or deny that right
or privilege in appropriate circumstances. In addition, holders of
these and all Commission authorizations have a clear and demonstrable
duty to operate in the public interest. Continued violations of the
Commission's robocall mitigation rules are wholly inconsistent with the
public interest, and the Commission finds it necessary to exercise its
authority to institute a proceeding and, if warranted, revoke the
authorizations, licenses, and/or certifications of all repeat
offenders. Indeed, there is no opposition in the record to the
Commission instituting revocation proceedings when warranted, and the
Commission agrees with VON that when providers, including those without
section 214 authority, have clearly and repeatedly been responsible for
originating or transporting illegal robocalls and have had a sufficient
opportunity to be heard through the enforcement process, there may be
grounds for termination of Commission authorizations. The Commission's
established section 214 revocation
[[Page 40107]]
process described above satisfies due process requirements, and the
Commission intends to apply it to all entities that it finds to be
continually violating its robocall mitigation rules.
61. Future Review of Entities, Individual Company Owners,
Directors, Officers, and Principals Applying for Commission
Authorizations, Licenses, or Certifications. Once the Commission has
revoked the section 214 or other Commission authorization, license, or
certification of an entity that has engaged in continued violations of
its robocall mitigation rules, the Commission will consider the public
interest impact of granting other future Commission authorizations,
licenses, or certifications to the entity that was subject to the
revocation, as well as individual company owners, directors, officers,
and principals (either individuals or entities) of such entities. The
Commission expects that owners, directors, officers, and principals,
whether or not they have control of the entity, have influence,
management, or supervisory responsibilities for the entity subject to
the revocation. The Commission will consider the public interest impact
as part of its established review processes for Commission applications
at the time that they are filed. For example, a principal of a provider
that had its section 214 authority revoked or that was removed from the
Robocall Mitigation Database as a result of an enforcement action may
be subject to a denial of other Commission authorizations, licenses, or
certifications, including for international section 214 authority, or
for approval to acquire an entity that holds blanket domestic section
214 authority or international section 214 authority. This is
consistent with the Commission's current process in which it reviews
many public interest factors in determining whether to grant an
application, including whether an applicant for a license has the
requisite citizenship, character, financial, technical, and other
qualifications. To ensure that the Commission can accurately identify
individual company owners, directors, officers, and principals of an
entity for which it revoked authority, the Commission intends to rely
on information contained in providers' registrations filed in the
Robocall Mitigation Database. Where that information is insufficient
for this purpose, the Commission will require entities undergoing
revocation proceedings to identify their individual company owners,
directors, officers, and principals as part of the revocation process.
62. The Commission proposed in the Fifth Caller ID Authentication
FNPRM that principals and others associated with entities subject to
revocation would be banned from holding a 5% or greater ownership
interest in any entity that applies for or already holds any FCC
license or instrument of authorization for the provision of a regulated
service subject to Title II of the Act or of any entity otherwise
engaged in the provision of voice service for a period of time to be
determined. The record contains no information on how the Commission
would undertake the complex process of identifying the providers or
applicants that would be impacted by the 5% ownership trigger
threshold, or whether it would risk negatively impacting the operations
and customers of providers associated with the targeted principal, but
which were not involved in the robocall offenses. Should the Commission
see an increased volume of repeat offenses of the robocall mitigation
rules, it will consider whether to adopt rules permanently barring
principals and others associated with entities subject to revocation
from holding both existing and future Commission authorizations. Going
forward now, the Commission will generally consider whether it is in
the public interest for individual company owners, directors, officers,
and principals associated with an entity for which it has revoked a
Commission authorization to obtain new Commission authorizations or
licenses at the time that they, or an entity with which they are
affiliated, apply for them. This is consistent with the Commission's
stated intent in the Fifth Caller ID Authentication FNPRM to consider
the impact these principals and others may have on ``future''
significant association with entities regulated by the Commission.
63. The Commission concludes that these new enforcement tools,
acting in tandem with its new requirement for providers to submit their
related entities and principals in their robocall mitigation plans,
will ensure that bad actor providers and their principals will face
potentially serious consequences for their repeated violation of the
Commission's robocall mitigation rules. These potential consequences
reach beyond a forfeiture and appropriately subject these entities and
principals to specified consequences and a thorough public interest
review as required. The Commission makes clear that revoking a
Commission authorization or license does not transform entities that
have not been classified as common carriers into common carriers or
extend its general jurisdiction over foreign providers. Rather, this
consequence merely allows the Commission discretion to revoke a
Commission authorization or license that a provider, person, or entity
would otherwise be eligible for or to deny an application for a
Commission license or authorization by a principal of an entity subject
to revocation. For this reason, the Commission need not exempt foreign
providers from this rule, as some commenters argue.
5. Other Enforcement Matters
64. The Commission does not adopt EPIC/NCLC's proposal to base
enforcement actions, including removal from the Robocall Mitigation
Database, solely on the number of tracebacks a provider receives. In
enforcement actions, the Commission has considered a high volume of
tracebacks as a factor in determining whether a provider engaged in
egregious and intentional misconduct. While receiving a high number of
traceback requests may be evidence of malfeasance in certain instances,
this is not always the case. The Commission's rules independently
require providers to commit to respond to traceback requests--and to
actually respond to such requests--in a certain time period, and they
may be subject to forfeiture or removal for failure to do so. The
Commission also declines to adopt licensing or bonding requirements for
certain VoIP providers as EPIC/NCLC proposes.
65. The Commission declines to adopt EPIC/NCLC's strict liability
standard for forfeiture or removal from the Robocall Mitigation
Database for failure to block any illegal calls regardless of the
circumstances, or their suggestion of an ``interim'' standard of
assessing liability for transmitting illegal robocall traffic based on
whether a provider ``knew or should have known that [a] call was
illegal.'' The Commission concludes that expectations to stop all
illegal calls are not realistic and that a strict liability standard
could lead to significant market disruptions. Similarly, the Commission
declines to adopt NCTA or ACA Connect's proposed ``good faith'' or
CCA's proposed ``reasonableness'' standards.
D. STIR/SHAKEN Obligations of Satellite Providers
66. The Commission concludes that satellite providers that do not
use North American Numbering Plan (NANP) numbers to originate calls or
only use such numbers to forward calls to non-NANP numbers are not
``voice service providers'' under the TRACED Act and therefore do not
have a STIR/SHAKEN
[[Page 40108]]
implementation obligation. The Commission also provides an ongoing
extension from TRACED Act obligations to satellite providers that are
small voice service providers and use NANP numbers to originate calls
on the basis of a finding of undue hardship.
67. The Commission previously provided small voice services
providers, including satellite providers, an extension from STIR/SHAKEN
implementation until June 30, 2023. In the Fifth Caller ID
Authentication FNPRM, the Commission sought comment on whether the
TRACED Act requirements apply to some or all satellite providers and,
if so, whether the Commission should grant certain satellite providers
a STIR/SHAKEN extension. In addition to the questions raised in the
Fifth Caller ID Authentication FNPRM, the Wireline Competition Bureau
in August 2022 sought comment on the small provider extension generally
and its applicability to satellite providers.
68. Satellite Providers Originating Calls Using Non-NANP Numbers.
The Commission concludes that, where satellite providers originate
calls using non-NANP numbers, they are not acting as ``voice service
providers'' within the meaning of the TRACED Act. This conclusion is
consistent with the TRACED Act's definition of voice service which
requires that voice communications must use resources from the NANP.
The Commission also concludes that where satellite providers utilize
NANP resources for call forwarding to non-NANP numbers, such calls also
fall outside of the definition of voice service. This finding is
consistent with the underlying purpose of the STIR/SHAKEN regime. One
of the key aims of the TRACED Act, STIR/SHAKEN, and the Commission's
implementing rules, is to prevent call spoofing. Where a phone number
is not displayed to the end user, as is the case in the satellite call
forwarding scenario, call spoofing is not a concern.
69. Satellite Providers Originating Calls Using NANP Numbers. The
Commission next permits an indefinite extension of time for small voice
providers that are satellite providers originating calls using NANP
numbers. There are de minimis instances where satellite providers may
assign NANP resources to their subscribers for caller ID purposes.
While the Commission finds that, in these cases, satellite providers
are acting as voice service providers, the Commission believes it is
also appropriate to provide an indefinite extension for STIR/SHAKEN
implementation to these providers by applying the TRACED Act's ``undue
hardship'' standard.
70. The TRACED Act directed the Commission to assess burdens or
barriers to the implementation of STIR/SHAKEN, and granted the
Commission discretion to extend the implementation deadline for a
``reasonable period of time'' based upon a ``public finding of undue
hardship.'' In considering whether the hardship is ``undue'' under the
TRACED Act--as well as whether an extension is for a ``reasonable
period of time''--it is appropriate to balance the hardship of
compliance due to the ``the burdens and barriers to implementation''
faced by a voice service provider or class of voice service providers
with the benefit to the public of implementing STIR/SHAKEN
expeditiously.
71. The Commission concludes that an indefinite extension is
appropriate under this standard for small voice providers that are
satellite providers originating calls using NANP numbers. The number of
satellite subscribers using NANP resources is miniscule. There is
little evidence that satellite providers or their users are responsible
for illegal robocalls and satellite service costs make the high-volume
calling necessary for robocallers uneconomical. The balancing of the
benefits and burdens, therefore, counsels against requiring such
providers to implement STIR/SHAKEN.
72. The Commission notes that it must annually reevaluate TRACED
Act extensions granted, ensuring that the Commission will be able to
act quickly to prevent any unforeseen abuses. While the Commission
provides small voice service satellite providers an extension from
STIR/SHAKEN implementation, the Commission makes clear that they must,
like other voice service providers with an extension, submit a
certification to the Robocall Mitigation Database pursuant to its
existing rules and the new obligations the Commission adopts in this
document.
E. Differential Treatment of International Roaming Traffic
73. The Commission next declines to adopt rules in this document
concerning the differential treatment of international roaming traffic.
The Commission also declines to adopt rules concerning differential
treatment of non-conversational traffic in this document. The
Commission continues to consider the record on this issue. In the Fifth
Caller ID Authentication FNPRM, the Commission sought comment on
stakeholders' assertions that international cellular roaming traffic
involving NANP numbers (i.e., traffic originated abroad from U.S.
mobile subscribers carrying U.S. NANP numbers and terminated in the
U.S.) is unlikely to carry illegal robocalls and therefore should be
treated with a ``lighter'' regulatory touch. As part of that inquiry,
the Commission also asked whether any separate regulatory regime for
such traffic could be ``gamed'' by illegal robocallers by disguising
their traffic as cellular roaming traffic.
74. Given the limited record on this issue, particularly with
respect to whether and how providers could readily identify or
segregate such traffic for differential treatment, the Commission
directs the Wireline Competition Bureau to refer the issue to the North
American Numbering Council for further investigation.
F. Summary of Cost Benefit Analysis
75. The Commission finds that the benefits of the rules it adopts
in this document will greatly outweigh the costs imposed on providers.
As it explained in the First Caller ID Authentication Report and Order,
85 FR 22029 (Apr. 21, 2020), the Commission concluded that its STIR/
SHAKEN rules are likely to result in, at a minimum, $13.5 billion in
annual benefits. In the Fifth Caller ID Authentication FNPRM, the
Commission sought comment on its belief that its proposed rules and
actions would achieve a large share of the annual $13.5 billion benefit
and that the benefits will far exceed the costs imposed on providers.
After reviewing the record in this proceeding, the Commission confirms
this conclusion.
76. Limiting the ability of illegal robocallers to evade existing
rules will preserve and extend the benefits of STIR/SHAKEN. The new
enforcement tools the Commission adopts, as well as expanded call
authentication and robocall mitigation obligations, will increase the
effectiveness of its authentication regime, thereby allowing more
illegal robocalls to be readily identified and stopped. As the
Commission found previously, it again concludes that an overall
reduction in illegal robocalls from new rules will lower network costs
by eliminating both unwanted traffic congestion and the labor costs of
handling numerous customer complaints. This reduction in robocalls will
also help restore confidence in the U.S. telephone network and
facilitate reliable access to emergency and healthcare services.
77. In this document the Commission adopts a targeted obligation
applicable to the first intermediate provider in the call path. By
limiting the authentication obligation to the intermediate provider at
the beginning of the call chain, the
[[Page 40109]]
Commission maximizes the benefits of the requirement while minimizing
its costs. Indeed, intermediate providers can avoid any authentication
burden if they require their upstream providers to only send them
authenticated traffic.
78. The Commission acknowledges that the revised and expanded
mitigation and Robocall Mitigation Database filing obligations it
adopts in this document will impose limited short-term implementation
costs. Nevertheless, the Commission concludes that the benefits of
bringing all providers within the mitigation and Robocall Mitigation
Database regime will produce significant benefits to the Commission and
the public by increasing transparency and accountability, and by
facilitating the enforcement of the Commission's rules.
G. Legal Authority
79. Consistent with its proposals, the Commission adopts the
foregoing obligations pursuant to the legal authority it relied on in
prior caller ID authentication and call blocking orders.
80. Caller ID Authentication. The Commission concludes that the
same authority through which it imposed caller ID authentication
obligations on gateway providers--a subset of intermediate providers--
applies equally to its rules that impose caller ID authentication
obligations on non-gateway intermediate providers. Specifically, the
Commission finds authority to impose caller ID authentication
obligations on the first intermediate providers in the call chain under
section 251(e) of the Act and the Truth in Caller ID Act. In the Second
Caller ID Authentication Report and Order, the Commission found it had
the authority to impose caller ID authentication obligations on
intermediate providers under these provisions. It reasoned that calls
that transit the networks of intermediate providers with illegally
spoofed caller ID are exploiting numbering resources and so found
authority under section 251(e). The Commission found additional,
independent authority under the Truth in Caller ID Act on the basis
that such rules were necessary to prevent unlawful acts and to protect
voice service subscribers from scammers and bad actors, stressing that
intermediate providers play an integral role in the success of STIR/
SHAKEN across the voice network. The Commission relied on this
reasoning in adopting authentication obligations on gateway providers
and it therefore relies on this same legal authority to impose an
authentication obligation on the first intermediate providers in the
call chain.
81. Robocall Mitigation. The Commission adopts its robocall
mitigation provisions for non-gateway intermediate providers and voice
service providers, including those without the facilities necessary to
implement STIR/SHAKEN, pursuant to sections 201(b), 202(a), and 251(e)
of the Communications Act; the Truth in Caller ID Act; and the
Commission's ancillary authority, consistent with the authority the
Commission invoked to adopt analogous rules in the Fifth Caller ID
Authentication Report and Order and Second Caller ID Authentication
Report and Order. The Commission sought comment on whether it should
impose a mitigation duty on voice providers without the facilities
necessary to implement STIR/SHAKEN on the basis of an ongoing extension
from the TRACED Act. The Commission concludes that because such
providers were not granted an initial extension as a class under the
TRACED Act, the clearest basis of authority for imposing a mitigation
obligation is found in sections 201(b), 202(a), and 251(e) of the
Communications Act; the Truth in Caller ID Act; and the Commission's
ancillary authority. The Commission concludes that section 251(e) of
the Act and the Truth in Caller ID Act authorize it to prohibit
domestic intermediate providers and voice service providers from
accepting traffic from non-gateway intermediate providers that have not
filed in the Robocall Mitigation Database. In the Second Caller ID
Authentication Report and Order, the Commission concluded that section
251(e) gives it authority to prohibit intermediate providers and voice
service providers from accepting traffic from both domestic and foreign
voice service providers that do not appear in the Robocall Mitigation
Database, noting that its exclusive jurisdiction over numbering policy
provides authority to take action to prevent the fraudulent abuse of
NANP resources. The Commission observed that illegally spoofed calls
exploit numbering resources whenever they transit any portion of the
voice network--including the networks of intermediate providers and
that preventing such calls from entering an intermediate provider's or
terminating voice service provider's network is designed to protect
consumers from illegally spoofed calls. The Commission found that the
Truth in Caller ID Act provided additional authority for its actions to
protect voice service subscribers from illegally spoofed calls.
82. The Commission concluded that it had the authority to adopt
these requirements pursuant to sections 201(b), 202(a), and 251(e) of
the Act, as well as the Truth in Caller ID Act, and its ancillary
authority. Sections 201(b) and 202(a) provide the Commission with broad
authority to adopt rules governing just and reasonable practices of
common carriers. Accordingly, the Commission found that the new
blocking rules were clearly within the scope of its sections 201(b) and
202(a) authority and that it is essential that the rules apply to all
voice service providers, applying its ancillary authority in section
4(i). The Commission also found that section 251(e) and the Truth in
Caller ID Act provided the basis to prescribe rules to prevent the
unlawful spoofing of caller ID and abuse of NANP resources by all voice
service providers, a category that includes VoIP providers and, in the
context of its call blocking orders, intermediate providers. The
Commission concludes that the same authority provides a basis to adopt
the mitigation obligations it adopts in this document to the extent
that providers are acting as common carriers.
83. While the Commission concludes that its direct sources of
authority provide an ample basis to adopt its proposed rules on all
providers, its ancillary authority in section 4(i) provides an
independent basis to do so with respect to providers that have not been
classified as common carriers. The Commission may exercise ancillary
jurisdiction when two conditions are satisfied: (1) the Commission's
general jurisdictional grant under Title I of the Communications Act
covers the regulated subject; and (2) the regulations are reasonably
ancillary to the Commission's effective performance of its statutorily
mandated responsibilities. The Commission concludes that the
regulations adopted in this document satisfy the first prong because
providers that interconnect with the public switched telephone network
and exchange IP traffic clearly offer ``communication by wire and
radio.''
84. With regard to the second prong, requiring providers to comply
with its proposed rules is reasonably ancillary to the Commission's
effective performance of its statutory responsibilities under sections
201(b), 202(a), and 251(e) of the Communications Act and the Truth in
Caller ID Act as described above. With respect to sections 201(b) and
202(a), absent application of its proposed rules to providers that are
not classified as common carriers, originators of robocalls could
circumvent the Commission's proposed scheme by sending calls only via
providers that
[[Page 40110]]
have not yet been classified as common carriers.
85. Enforcement. The Commission adopts its additional enforcement
rules above pursuant to sections 501, 502, and 503 of the Act. These
provisions allow the Commission to take enforcement action against
common carriers as well as providers not classified as common carriers
following a citation. The Commission relies on this same authority to
revise Sec. 1.80 of its rules by adding new maximum and base
forfeiture amounts.
II. Final Regulatory Flexibility Analysis
86. As required by the Regulatory Flexibility Act of 1980 (RFA), as
amended, an Initial Regulatory Flexibility Analysis (IRFA) was
incorporated into the FNPRM adopted in May 2022 (Fifth Caller ID
Authentication FNPRM). The Commission sought written public comment on
the proposals in the Fifth Caller ID Authentication FNPRM, including
comment on the IRFA. The comments received are discussed below. This
Final Regulatory Flexibility Analysis (FRFA) conforms to the RFA.
A. Need for, and Objectives of, the Order
87. This document takes important steps in the fight against
illegal robocalls by strengthening caller ID authentication
obligations, expanding robocall mitigation rules, and granting an
indefinite extension for small voice service providers that are also
satellite providers originating calls using NANP numbers on the basis
of undue hardship. The decisions the Commission makes here protect
consumers from unwanted and illegal calls while balancing the
legitimate interests of callers placing lawful calls.
88. First, this document requires any non-gateway intermediate
provider that receives an unauthenticated SIP call directly from an
originating provider to authenticate the call. Second, it requires non-
gateway intermediate providers subject to the authentication obligation
to comply with, at a minimum, the version of the standards in effect on
December 31, 2023, along with any errata. Third, it requires all
providers--including intermediate providers and voice service providers
without the facilities necessary to implement STIR/SHAKEN--to: (1) take
``reasonable steps'' to mitigate illegal robocall traffic; (2) submit a
certification to the Robocall Mitigation Database regarding their STIR/
SHAKEN implementation status along with other identifying information;
and (3) submit a robocall mitigation plan to the Robocall Mitigation
Database. Fourth, it requires all providers to commit to fully respond
to traceback requests from the Commission, law enforcement, and the
industry traceback consortium, and to cooperate with such entities in
investigating and stopping illegal robocallers that use its services to
originate, carry, or process illegal robocalls. Fifth, it requires
downstream providers to block traffic received directly from non-
gateway intermediate providers that have not submitted a certification
in the Robocall Mitigation Database or have been removed through
enforcement actions. Finally, this document grants an ongoing STIR/
SHAKEN implementation extension on the basis of undue hardship for
satellite providers that are small service providers using NANP numbers
to originate calls.
B. Summary of Significant Issues Raised by Public Comments in Response
to the IRFA
89. There were no comments raised that specifically addressed the
proposed rules and policies presented in the Fifth Caller ID
Authentication FNPRM IRFA. Nonetheless, the Commission considered the
potential impact of the rules proposed in the IRFA on small entities
and took steps where appropriate and feasible to reduce the compliance
burden for small entities in order to reduce the economic impact of the
rules enacted herein on such entities.
C. Response to Comments by the Chief Counsel for Advocacy of the Small
Business Administration
90. Pursuant to the Small Business Jobs Act of 2010, which amended
the RFA, the Commission is required to respond to any comments filed by
the Chief Counsel for Advocacy of the Small Business Administration
(SBA), and to provide a detailed statement of any change made to the
proposed rules as a result of those comments. The Chief Counsel did not
file any comments in response to the proposed rules in this proceeding.
D. Description and Estimate of the Number of Small Entities to Which
Rules Will Apply
91. The RFA directs agencies to provide a description of, and where
feasible, an estimate of the number of small entities that may be
affected by the rules adopted herein. The RFA generally defines the
term ``small entity'' as having the same meaning as the terms ``small
business,'' ``small organization,'' and ``mall governmental
jurisdiction.'' In addition, the term ``small business'' has the same
meaning as the term ``small-business concern'' under the Small Business
Act. Pursuant to 5 U.S.C. 601(3), the statutory definition of a small
business applies unless an agency, after consultation with the Office
of Advocacy of the SBA and after opportunity for public comment,
establishes one or more definitions of such term which are appropriate
to the activities of the agency and publishes such definition(s) in the
Federal Register. A ``small-business concern'' is one which: (1) is
independently owned and operated; (2) is not dominant in its field of
operation; and (3) satisfies any additional criteria established by the
SBA.
92. Small Businesses, Small Organizations, Small Governmental
Jurisdictions. The Commission's actions, over time, may affect small
entities that are not easily categorized at present. The Commission
therefore describes, at the outset, three broad groups of small
entities that could be directly affected herein. First, while there are
industry specific size standards for small businesses that are used in
the regulatory flexibility analysis, according to data from the SBA
Office of Advocacy, in general a small business is an independent
business having fewer than 500 employees. These types of small
businesses represent 99.9% of all businesses in the United States,
which translates to 32.5 million businesses.
93. Next, the type of small entity described as a ``small
organization'' is generally ``any not-for-profit enterprise which is
independently owned and operated and is not dominant in its field.''
The Internal Revenue Service (IRS) uses a revenue benchmark of $50,000
or less to delineate its annual electronic filing requirements for
small exempt organizations. The IRS benchmark is similar to the
population of less than 50,000 benchmark in 5 U.S.C. 601(5) that is
used to define a small governmental jurisdiction. Therefore, the IRS
benchmark has been used to estimate the number small organizations in
this small entity description. Nationwide, for tax year 2020, there
were approximately 447,689 small exempt organizations in the U.S.
reporting revenues of $50,000 or less according to the registration and
tax data for exempt organizations available from the IRS. The IRS
Exempt Organization Business Master File (E.O. BMF) Extract provides
information on all registered tax-exempt/non-profit organizations. The
data utilized for purposes of this description was extracted from the
IRS E.O. BMF data for businesses for the tax year 2020 with revenue
less than or equal to $50,000,
[[Page 40111]]
for Region 1--Northeast Area (58,577), Region 2--Mid-Atlantic and Great
Lakes Areas (175,272), and Region 3--Gulf Coast and Pacific Coast Areas
(213,840) that includes the continental U.S., Alaska, and Hawaii. This
data does not include information for Puerto Rico.
94. Finally, the small entity described as a ``small governmental
jurisdiction'' is defined generally as ``governments of cities,
counties, towns, townships, villages, school districts, or special
districts, with a population of less than fifty thousand.'' U.S. Census
Bureau data from the 2017 Census of Governments indicate there were
90,075 local governmental jurisdictions consisting of general purpose
governments and special purpose governments in the United States. The
Census of Governments survey is conducted every five (5) years
compiling data for years ending with ``2'' and ``7''. Local
governmental jurisdictions are made up of general purpose governments
(county, municipal, and town or township) and special purpose
governments (special districts and independent school districts). Of
this number there were 36,931 general purpose governments (county,
municipal and town or township) with populations of less than 50,000
and 12,040 special purpose governments--independent school districts
with enrollment populations of less than 50,000. There were 2,105
county governments with populations less than 50,000. This category
does not include subcounty (municipal and township) governments. There
were 18,729 municipal and 16,097 town and township governments with
populations less than 50,000. There were 12,040 independent school
districts with enrollment populations less than 50,000. While the
special purpose governments category also includes local special
district governments, the 2017 Census of Governments data does not
provide data aggregated based on population size for the special
purpose governments category. Therefore, only data from independent
school districts is included in the special purpose governments
category. Accordingly, based on the 2017 U.S. Census of Governments
data, the Commission estimates that at least 48,971 entities fall into
the category of ``small governmental jurisdictions.'' This total is
derived from the sum of the number of general purpose governments
(county, municipal. and town or township) with populations of less than
50,000 (36,931) and the number of special purpose governments--
independent school districts with enrollment populations of less than
50,000 (12,040), from the 2017 Census of Governments--Organizations
tbls. 5, 6 & 10.
95. Wired Telecommunications Carriers. The U.S. Census Bureau
defines this industry as establishments primarily engaged in operating
and/or providing access to transmission facilities and infrastructure
that they own and/or lease for the transmission of voice, data, text,
sound, and video using wired communications networks. Transmission
facilities may be based on a single technology or a combination of
technologies. Establishments in this industry use the wired
telecommunications network facilities that they operate to provide a
variety of services, such as wired telephony services, including VoIP
services, wired (cable) audio and video programming distribution, and
wired broadband internet services. By exception, establishments
providing satellite television distribution services using facilities
and infrastructure that they operate are included in this industry.
Wired Telecommunications Carriers are also referred to as wireline
carriers or fixed local service providers. Fixed Local Service
Providers include the following types of providers: Incumbent Local
Exchange Carriers (ILECs), Competitive Access Providers (CAPs) and
Competitive Local Exchange Carriers (CLECs), Cable/Coax CLECs,
Interconnected VOIP Providers, Non-Interconnected VOIP Providers,
Shared-Tenant Service Providers, Audio Bridge Service Providers, and
Other Local Service Providers. Local Resellers fall into another U.S.
Census Bureau industry group and therefore data for these providers is
not included in this industry.
96. The SBA small business size standard for Wired
Telecommunications Carriers classifies firms having 1,500 or fewer
employees as small. U.S. Census Bureau data for 2017 show that there
were 3,054 firms that operated in this industry for the entire year. Of
this number, 2,964 firms operated with fewer than 250 employees. The
available U.S. Census Bureau data does not provide a more precise
estimate of the number of firms that meet the SBA size standard.
Additionally, based on Commission data in the 2021 Universal Service
Monitoring Report, as of December 31, 2020, there were 5,183 providers
that reported they were engaged in the provision of fixed local
services. Of these providers, the Commission estimates that 4,737
providers have 1,500 or fewer employees. Consequently, using the SBA's
small business size standard, most of these providers can be considered
small entities.
97. Local Exchange Carriers (LECs). Neither the Commission nor the
SBA has developed a size standard for small businesses specifically
applicable to local exchange services. Providers of these services
include both incumbent and competitive local exchange service
providers. Wired Telecommunications Carriers is the closest industry
with an SBA small business size standard. Wired Telecommunications
Carriers are also referred to as wireline carriers or fixed local
service providers. Fixed Local Exchange Service Providers include the
following types of providers: Incumbent Local Exchange Carriers
(ILECs), Competitive Access Providers (CAPs) and Competitive Local
Exchange Carriers (CLECs), Cable/Coax CLECs, Interconnected VOIP
Providers, Non-Interconnected VOIP Providers, Shared-Tenant Service
Providers, Audio Bridge Service Providers, Local Resellers, and Other
Local Service Providers. The SBA small business size standard for Wired
Telecommunications Carriers classifies firms having 1,500 or fewer
employees as small. U.S. Census Bureau data for 2017 show that there
were 3,054 firms that operated in this industry for the entire year. Of
this number, 2,964 firms operated with fewer than 250 employees. The
available U.S. Census Bureau data does not provide a more precise
estimate of the number of firms that meet the SBA size standard.
Additionally, based on Commission data in the 2021 Universal Service
Monitoring Report, as of December 31, 2020, there were 5,183 providers
that reported they were fixed local exchange service providers. Of
these providers, the Commission estimates that 4,737 providers have
1,500 or fewer employees. Consequently, using the SBA's small business
size standard, most of these providers can be considered small
entities.
98. Incumbent Local Exchange Carriers (Incumbent LECs). Neither the
Commission nor the SBA have developed a small business size standard
specifically for incumbent local exchange carriers. Wired
Telecommunications Carriers is the closest industry with an SBA small
business size standard. The SBA small business size standard for Wired
Telecommunications Carriers classifies firms having 1,500 or fewer
employees as small. U.S. Census Bureau data for 2017 show that there
were 3,054 firms in this industry that operated for the entire year. Of
this number, 2,964 firms operated with fewer than 250 employees. The
available U.S. Census
[[Page 40112]]
Bureau data does not provide a more precise estimate of the number of
firms that meet the SBA size standard. Additionally, based on
Commission data in the 2021 Universal Service Monitoring Report, as of
December 31, 2020, there were 1,227 providers that reported they were
incumbent local exchange service providers. Of these providers, the
Commission estimates that 929 providers have 1,500 or fewer employees.
Consequently, using the SBA's small business size standard, the
Commission estimates that the majority of incumbent local exchange
carriers can be considered small entities.
99. Competitive Local Exchange Carriers (LECs). Neither the
Commission nor the SBA has developed a size standard for small
businesses specifically applicable to local exchange services.
Providers of these services include several types of competitive local
exchange service providers. Competitive Local Exchange Service
Providers include the following types of providers: Competitive Access
Providers (CAPs) and Competitive Local Exchange Carriers (CLECs),
Cable/Coax CLECs, Interconnected VOIP Providers, Non-Interconnected
VOIP Providers, Shared-Tenant Service Providers, Audio Bridge Service
Providers, Local Resellers, and Other Local Service Providers. Wired
Telecommunications Carriers is the closest industry with a SBA small
business size standard. The SBA small business size standard for Wired
Telecommunications Carriers classifies firms having 1,500 or fewer
employees as small. U.S. Census Bureau data for 2017 show that there
were 3,054 firms that operated in this industry for the entire year. Of
this number, 2,964 firms operated with fewer than 250 employees. The
available U.S. Census Bureau data does not provide a more precise
estimate of the number of firms that meet the SBA size standard.
Additionally, based on Commission data in the 2021 Universal Service
Monitoring Report, as of December 31, 2020, there were 3,956 providers
that reported they were competitive local exchange service providers.
Of these providers, the Commission estimates that 3,808 providers have
1,500 or fewer employees. Consequently, using the SBA's small business
size standard, most of these providers can be considered small
entities.
100. Interexchange Carriers (IXCs). Neither the Commission nor the
SBA have developed a small business size standard specifically for
Interexchange Carriers. Wired Telecommunications Carriers is the
closest industry with a SBA small business size standard. The SBA small
business size standard for Wired Telecommunications Carriers classifies
firms having 1,500 or fewer employees as small. U.S. Census Bureau data
for 2017 show that there were 3,054 firms that operated in this
industry for the entire year. Of this number, 2,964 firms operated with
fewer than 250 employees. The available U.S. Census Bureau data does
not provide a more precise estimate of the number of firms that meet
the SBA size standard. Additionally, based on Commission data in the
2021 Universal Service Monitoring Report, as of December 31, 2020,
there were 151 providers that reported they were engaged in the
provision of interexchange services. Of these providers, the Commission
estimates that 131 providers have 1,500 or fewer employees.
Consequently, using the SBA's small business size standard, the
Commission estimates that the majority of providers in this industry
can be considered small entities.
101. Cable System Operators (Telecom Act Standard). The
Communications Act of 1934, as amended, contains a size standard for a
``small cable operator,'' which is a cable operator that, directly or
through an affiliate, serves in the aggregate fewer than one percent of
all subscribers in the United States and is not affiliated with any
entity or entities whose gross annual revenues in the aggregate exceed
$250,000,000. For purposes of the Telecom Act Standard, the Commission
determined that a cable system operator that serves fewer than 677,000
subscribers, either directly or through affiliates, will meet the
definition of a small cable operator based on the cable subscriber
count established in a 2001 Public Notice. Based on industry data, only
six cable system operators have more than 677, 000 subscribers.
Accordingly, the Commission estimates that the majority of cable system
operators are small under this size standard. The Commission notes
however, that it neither requests nor collects information on whether
cable system operators are affiliated with entities whose gross annual
revenues exceed $250 million. The Commission does receive such
information on a case-by-case basis if a cable operator appeals a local
franchise authority's finding that the operator does not qualify as a
small cable operator pursuant to Sec. 76.901(e) of the Commission's
rules. Therefore, the Commission is unable at this time to estimate
with greater precision the number of cable system operators that would
qualify as small cable operators under the definition in the
Communications Act.
102. Other Toll Carriers. Neither the Commission nor the SBA has
developed a definition for small businesses specifically applicable to
Other Toll Carriers. This category includes toll carriers that do not
fall within the categories of interexchange carriers, operator service
providers, prepaid calling card providers, satellite service carriers,
or toll resellers. Wired Telecommunications Carriers is the closest
industry with a SBA small business size standard. The SBA small
business size standard for Wired Telecommunications Carriers classifies
firms having 1,500 or fewer employees as small. U.S. Census Bureau data
for 2017 show that there were 3,054 firms in this industry that
operated for the entire year. Of this number, 2,964 firms operated with
fewer than 250 employees. The available U.S. Census Bureau data does
not provide a more precise estimate of the number of firms that meet
the SBA size standard. Additionally, based on Commission data in the
2021 Universal Service Monitoring Report, as of December 31, 2020,
there were 115 providers that reported they were engaged in the
provision of other toll services. Of these providers, the Commission
estimates that 113 providers have 1,500 or fewer employees.
Consequently, using the SBA's small business size standard, most of
these providers can be considered small entities.
103. Wireless Telecommunications Carriers (except Satellite). This
industry comprises establishments engaged in operating and maintaining
switching and transmission facilities to provide communications via the
airwaves. Establishments in this industry have spectrum licenses and
provide services using that spectrum, such as cellular services, paging
services, wireless internet access, and wireless video services. The
SBA size standard for this industry classifies a business as small if
it has 1,500 or fewer employees. U.S. Census Bureau data for 2017 show
that there were 2,893 firms in this industry that operated for the
entire year. Of that number, 2,837 firms employed fewer than 250
employees. The available U.S. Census Bureau data does not provide a
more precise estimate of the number of firms that meet the SBA size
standard. Additionally, based on Commission data in the 2021 Universal
Service Monitoring Report, as of December 31, 2020, there were 797
providers that reported they were engaged in the provision of wireless
services. Of these providers, the Commission estimates that 715
providers have 1,500 or fewer employees. Consequently, using the
[[Page 40113]]
SBA's small business size standard, most of these providers can be
considered small entities.
104. Satellite Telecommunications. This industry comprises firms
primarily engaged in providing telecommunications services to other
establishments in the telecommunications and broadcasting industries by
forwarding and receiving communications signals via a system of
satellites or reselling satellite telecommunications. Satellite
telecommunications service providers include satellite and earth
station operators. The SBA small business size standard for this
industry classifies a business with $35 million or less in annual
receipts as small. U.S. Census Bureau data for 2017 show that 275 firms
in this industry operated for the entire year. Of this number, 242
firms had revenue of less than $25 million. The available U.S. Census
Bureau data does not provide a more precise estimate of the number of
firms that meet the SBA size standard. The Commission also notes that
according to the U.S. Census Bureau glossary, the terms receipts and
revenues are used interchangeably. Additionally, based on Commission
data in the 2021 Universal Service Monitoring Report, as of December
31, 2020, there were 71 providers that reported they were engaged in
the provision of satellite telecommunications services. Of these
providers, the Commission estimates that approximately 48 providers
have 1,500 or fewer employees. Consequently, using the SBA's small
business size standard, a little more than of these providers can be
considered small entities.
105. Local Resellers. Neither the Commission nor the SBA have
developed a small business size standard specifically for Local
Resellers. Telecommunications Resellers is the closest industry with a
SBA small business size standard. The Telecommunications Resellers
industry comprises establishments engaged in purchasing access and
network capacity from owners and operators of telecommunications
networks and reselling wired and wireless telecommunications services
(except satellite) to businesses and households. Establishments in this
industry resell telecommunications; they do not operate transmission
facilities and infrastructure. Mobile virtual network operators (MVNOs)
are included in this industry. The SBA small business size standard for
Telecommunications Resellers classifies a business as small if it has
1,500 or fewer employees. U.S. Census Bureau data for 2017 show that
1,386 firms in this industry provided resale services for the entire
year. Of that number, 1,375 firms operated with fewer than 250
employees. The available U.S. Census Bureau data does not provide a
more precise estimate of the number of firms that meet the SBA size
standard. Additionally, based on Commission data in the 2021 Universal
Service Monitoring Report, as of December 31, 2020, there were 293
providers that reported they were engaged in the provision of local
resale services. Of these providers, the Commission estimates that 289
providers have 1,500 or fewer employees. Consequently, using the SBA's
small business size standard, most of these providers can be considered
small entities.
106. Toll Resellers. Neither the Commission nor the SBA have
developed a small business size standard specifically for Toll
Resellers. Telecommunications Resellers is the closest industry with an
SBA small business size standard. The Telecommunications Resellers
industry comprises establishments engaged in purchasing access and
network capacity from owners and operators of telecommunications
networks and reselling wired and wireless telecommunications services
(except satellite) to businesses and households. Establishments in this
industry resell telecommunications; they do not operate transmission
facilities and infrastructure. Mobile virtual network operators (MVNOs)
are included in this industry. The SBA small business size standard for
Telecommunications Resellers classifies a business as small if it has
1,500 or fewer employees. U.S. Census Bureau data for 2017 show that
1,386 firms in this industry provided resale services for the entire
year. Of that number, 1,375 firms operated with fewer than 250
employees. The available U.S. Census Bureau data does not provide a
more precise estimate of the number of firms that meet the SBA size
standard. Additionally, based on Commission data in the 2021 Universal
Service Monitoring Report, as of December 31, 2020, there were 518
providers that reported they were engaged in the provision of toll
services. Of these providers, the Commission estimates that 495
providers have 1,500 or fewer employees. Consequently, using the SBA's
small business size standard, most of these providers can be considered
small entities.
107. Prepaid Calling Card Providers. Neither the Commission nor the
SBA has developed a small business size standard specifically for
prepaid calling card providers. Telecommunications Resellers is the
closest industry with a SBA small business size standard. The
Telecommunications Resellers industry comprises establishments engaged
in purchasing access and network capacity from owners and operators of
telecommunications networks and reselling wired and wireless
telecommunications services (except satellite) to businesses and
households. Establishments in this industry resell telecommunications;
they do not operate transmission facilities and infrastructure. Mobile
virtual network operators (MVNOs) are included in this industry. The
SBA small business size standard for Telecommunications Resellers
classifies a business as small if it has 1,500 or fewer employees. U.S.
Census Bureau data for 2017 show that 1,386 firms in this industry
provided resale services for the entire year. Of that number, 1,375
firms operated with fewer than 250 employees. The available U.S. Census
Bureau data does not provide a more precise estimate of the number of
firms that meet the SBA size standard. Additionally, based on
Commission data in the 2021 Universal Service Monitoring Report, as of
December 31, 2020, there were 58 providers that reported they were
engaged in the provision of payphone services. Of these providers, the
Commission estimates that 57 providers have 1,500 or fewer employees.
Consequently, using the SBA's small business size standard, most of
these providers can be considered small entities.
108. All Other Telecommunications. This industry is comprised of
establishments primarily engaged in providing specialized
telecommunications services, such as satellite tracking, communications
telemetry, and radar station operation. This industry also includes
establishments primarily engaged in providing satellite terminal
stations and associated facilities connected with one or more
terrestrial systems and capable of transmitting telecommunications to,
and receiving telecommunications from, satellite systems. Providers of
internet services (e.g., dial-up internet Service Providers) or VoIP
services, via client-supplied telecommunications connections are also
included in this industry. The SBA small business size standard for
this industry classifies firms with annual receipts of $35 million or
less as small. U.S. Census Bureau data for 2017 show that there were
1,079 firms in this industry that operated for the entire year. Of
those firms, 1,039 had revenue of less than $25 million. The available
U.S. Census
[[Page 40114]]
Bureau data does not provide a more precise estimate of the number of
firms that meet the SBA size standard. The Commission also notes that
according to the U.S. Census Bureau glossary, the terms receipts and
revenues are used interchangeably. Based on this data, the Commission
estimates that the majority of ``All Other Telecommunications'' firms
can be considered small.
E. Description of Projected Reporting, Recordkeeping, and Other
Compliance Requirements for Small Entities
109. This document requires providers to meet certain obligations.
These changes affect small and large companies equally and apply
equally to all the classes of regulated entities identified above.
Specifically, this document adopts a limited intermediate provider
authentication requirement. It requires a non-gateway intermediate
provider that receives an unauthenticated SIP call directly from an
originating provider to authenticate the call. The requirement will
arise in limited circumstances--where the originating provider failed
to comply with their own authentication obligation, or where the call
is sent directly to an intermediate provider from the limited subset of
originating providers that lack an authentication obligation. Indeed,
if the first intermediate provider in the call path implements
contractual provisions with its upstream originating providers stating
that it will only accept authenticated traffic, it will completely
avoid the need to authenticate calls. Non-gateway intermediate
providers that are subject to the authentication obligation have the
flexibility to assign the level of attestation appropriate to the call
based on the current version of the standards and the call information
available. A non-gateway intermediate provider using non-IP network
technology in its network has the flexibility to either upgrade its
network to allow for the initiation, maintenance, and termination of
SIP calls and fully implement the STIR/SHAKEN framework, or provide the
Commission, upon request, with documented proof that it is
participating, either on its own or through a representative, as a
member of a working group, industry standards group, or consortium that
is working to develop a non-IP solution, or actively testing such a
solution. Under this rule, a non-gateway intermediate provider
satisfies its obligation if it participates through a third-party
representative, such as a trade association of which it is a member or
vendor.
110. This document also requires all providers to take ``reasonable
steps'' to mitigate illegal robocalls. The new classes of providers
subject to the ``reasonable steps'' standard are not required to
implement specific measures to meet that standard, but providers'
programs must include detailed practices that can reasonably be
expected to significantly reduce the carrying, processing, or
origination of illegal robocalls. In addition, all providers must
implement a robocall mitigation program and comply with the practices
that its program requires. The providers must also commit to respond
fully to all traceback requests from the Commission, law enforcement,
and the industry traceback consortium, and to cooperate with such
entities in investigating and stopping illegal robocalls.
111. All providers must submit a certification and robocall
mitigation plan to the Robocall Mitigation Database regardless of
whether they are required to implement STIR/SHAKEN, including providers
without the facilities necessary to implement STIR/SHAKEN. The robocall
mitigation plan must describe the specific ``reasonable steps'' that
the provider has taken to avoid, as applicable, the origination,
carrying, or processing of illegal robocall traffic. This document also
requires providers to ``describe with particularity'' certain
mitigation techniques in their robocall mitigation plans. Specifically,
(1) voice service providers must describe how they are complying with
their existing obligation to take affirmative effective measures to
prevent new and renewing customers from originating illegal calls; (2)
non-gateway intermediate providers and voice service providers must
describe any ``know-your-upstream provider'' procedures; and (3) all
providers must describe any call analytics systems used to identify and
block illegal traffic. To comply with the new requirements to describe
their ``new and renewing customer'' and ``know-your-upstream provider''
procedures, providers must describe any contractual provisions with
end-users or upstream providers designed to mitigate illegal robocalls.
112. All providers with new filing obligations must submit a
certification to the Robocall Mitigation Database that includes the
following baseline information:
(1) whether the provider has fully, partially, or not implemented
the STIR/SHAKEN authentication framework in the IP portions of its
network;
(2) the provider's business name(s) and primary address;
(3) other business name(s) in use by the provider;
(4) all business names previously used by the provider;
(5) whether the provider is a foreign service provider;
(6) the name, title, department, business address, telephone
number, and email address of one person within the company responsible
for addressing robocall mitigation-related issues.
113. Certifications and robocall mitigations plans must be
submitted in English or with certified English translation, and
providers with new filing obligations must update any submitted
information within 10 business days.
114. This document also adopts rules requiring providers to submit
additional information in their Robocall Mitigation certifications.
Specifically, (1) all providers must submit additional information
regarding their role(s) in the call chain; (2) all providers asserting
they do not have an obligation to implement STIR/SHAKEN must include
more detail regarding the basis of that assertion; (3) all providers
must certify that they have not been prohibited from filing in the
Robocall Mitigation Database pursuant to a law enforcement action; (4)
all providers must state whether they have been subject to a formal
Commission, law enforcement, or regulatory agency action or
investigation with accompanying findings of actual or suspected
wrongdoing due to unlawful robocalling or spoofing and provide
information concerning any such actions or investigations; and (5) all
filers must submit their OCN if they have one. Submissions may be made
confidentially, consistent with the Commission's existing
confidentiality rules.
115. This document requires downstream providers to block traffic
received from a non-gateway intermediate provider that is not listed in
the Robocall Mitigation Database, either because the provider did not
file or their certification was removed as part of an enforcement
action. After receiving notice from the Commission that a provider has
been removed from the Robocall Mitigation Database, downstream
providers must block all traffic from the identified provider within
two business days.
F. Steps Taken To Minimize the Significant Economic Impact on Small
Entities, and Significant Alternatives Considered
116. The RFA requires an agency to describe any significant
alternatives that it has considered in reaching its approach, which may
include the following four alternatives, among
[[Page 40115]]
others: (1) the establishment of differing compliance or reporting
requirements or timetables that take into account the resources
available to small entities; (2) the clarification, consolidation, or
simplification of compliance or reporting requirements under the rule
for small entities; (3) the use of performance, rather than design,
standards; and (4) an exemption from coverage of the rule, or any part
thereof, for small entities.
117. Generally, the decisions the Commission made in this document
apply to all providers, and do not impose unique burdens or benefits on
small providers. The Commission took several steps to minimize the
economic impact of the rules adopted in this document on small
entities.
118. This document imposes a limited intermediate provider
authentication obligation that requires the first non-gateway
intermediate provider in the call chain to authenticate unauthenticated
calls received directly from an originating provider. Limiting the
application of the authentication obligation to first non-gateway
intermediate providers helps reduce the burden on intermediate
providers, including small providers, and minimizes the potential costs
associated with a broader authentication requirement for all
intermediate providers that were identified in the record.
119. The Commission also allowed flexibility where appropriate to
ensure that providers, including small providers, can determine the
best approach for compliance based on the needs of their networks. For
example, non-gateway intermediate providers have the flexibility to
assign the level of attestation appropriate to the call based on the
applicable level of the standards and the available call information.
Additionally, the new classes of providers subject to the ``reasonable
steps'' standard have the flexibility to determine which measures to
use to mitigate illegal robocall traffic on their networks. In reaching
this approach, the Commission considered and declined to adopt a
``gross negligence'' standard for evaluating whether a mitigation
program is sufficient. The Commission also declined to adopt a
heightened mitigation obligation solely for VoIP providers in order to
ensure that the obligation applies to providers regardless of the
technology used to transmit calls. Likewise, the Commission allowed
non-gateway intermediate providers subject to its call authentication
requirements that rely on non-IP infrastructure the flexibility to
either upgrade their networks to implement STIR/SHAKEN or participate
as a member of a working group, industry standards group, or consortium
that is working to develop a non-IP caller ID authentication solution.
This flexibility will reduce compliance costs for non-gateway
intermediate providers, including small providers. The Commission also
declined to require providers to submit information concerning
inquiries from law enforcement or regulatory agencies or investigations
that do not include findings of actual or suspected wrongdoing. And the
Commission declined to require Robocall Mitigation Database filers to
include certain additional identifying information discussed in the
Fourth Caller ID Authentication FNPRM beyond their OCN.
120. This document also grants an indefinite STIR/SHAKEN
implementation extension to satellite providers that are small voice
service providers and use NANP numbers to originate calls.
G. Report to Congress
121. The Commission will send a copy of the Sixth Report and Order,
including this FRFA, in a report to be sent to Congress and the
Government Accountability Office pursuant to the Congressional Review
Act. In addition, the Commission will send a copy of the Sixth Report
and Order, including this FRFA, to the Chief Counsel for Advocacy of
the Small Business Administration. A copy of the Sixth Report and Order
(or summaries thereof) will also be published in the Federal Register.
III. Procedural Matters
122. Final Regulatory Flexibility Analysis. As required by the
Regulatory Flexibility Act of 1980 (RFA), an Initial Regulatory
Flexibility Analysis (IRFA) was incorporated into the Fifth Caller ID
Authentication FNPRM. The Commission sought written public comment on
the possible significant economic impact on small entities regarding
the proposals addressed in the Fifth Caller ID Authentication FNPRM,
including comments on the IRFA. Pursuant to the RFA, a Final Regulatory
Flexibility Analysis (FRFA) is set forth in Section II, above. The
Commission's Consumer and Governmental Affairs Bureau, Reference
Information Center, will send a copy of the Sixth Report and Order,
including the FRFA, to the Chief Counsel for Advocacy of the Small
Business Administration (SBA).
123. Paperwork Reduction Act. This document may contain new or
modified information collection requirements subject to the PRA, Public
Law 104-13. Specifically, the rules adopted in 47 CFR 64.6303(c) and
64.6305(d), (e), and (f) may require new or modified information
collections. All such new or modified information collection
requirements will be submitted to OMB for review under section 3507(d)
of the PRA. OMB, the general public, and other Federal agencies will be
invited to comment on the new or modified information collection
requirements contained in this proceeding. In addition, the Commission
notes that pursuant to the Small Business Paperwork Relief Act of 2002,
Public Law 107-198, it previously sought specific comment on how the
Commission might further reduce the information collection burden for
small business concerns with fewer than 25 employees. In this document,
the Commission describes several steps it has taken to minimize the
information collection burdens on small entities.
124. Congressional Review Act. The Commission has determined, and
the Administrator of the Office of Information and Regulatory Affairs,
OMB, concurs, that this rule is ``major'' under the Congressional
Review Act, 5 U.S.C. 804(2). The Commission will send a copy of the
Sixth Report and Order to Congress and the Government Accountability
Office pursuant to 5 U.S.C. 801(a)(1)(A).
IV. Ordering Clauses
125. Accordingly, pursuant to sections 4(i), 4(j), 201, 202, 214,
217, 227, 227b, 251(e), 303(r), 501, 502, and 503 of the Communications
Act of 1934, as amended, 47 U.S.C. 154(i), 154(j), 201, 202, 214, 217,
227, 227b, 251(e), 303(r), 501, 502, and 503, it is ordered that the
Sixth Report and Order is adopted.
126. It is further ordered that parts 0, 1, and 64 of the
Commission's rules are amended as set forth in the Final Rules.
127. It is further ordered that, pursuant to Sec. Sec. 1.4(b)(1)
and 1.103(a) of the Commission's rules, 47 CFR 1.4(b)(1), 1.103(a), the
Sixth Report and Order, including the rule revisions and redesignations
described in the Final Rules, shall be effective 60 days after
publication in the Federal Register, except that: (1) the additions of
47 CFR 64.6303(c) and 64.6305(f) and the revisions to redesignated 47
CFR 64.6305(d) and (e) as described in the Final Rules will not be
effective until OMB completes any review that the Wireline Competition
Bureau determines is required under the Paperwork Reduction Act; and
(2) the revisions to redesignated 47 CFR 64.6305(g) as described in the
Final
[[Page 40116]]
Rules will not be effective until an effective date is announced by the
Wireline Competition Bureau. The Commission directs the Wireline
Competition Bureau to announce effective dates for the additions of and
revisions to 47 CFR 64.6303(c) and 64.6305(d) through (g), as
redesignated by the Sixth Report and Order, by subsequent notification.
128. It is further ordered that the Office of the Managing
Director, Performance Evaluation and Records Management, shall send a
copy of the Sixth Report and Order in a report to be sent to Congress
and the Government Accountability Office pursuant to the Congressional
Review Act, see 5 U.S.C. 801(a)(1)(A).
129. It is further ordered that the Commission's Consumer and
Governmental Affairs Bureau, Reference Information Center, shall send a
copy of the Sixth Report and Order, including the Final Regulatory
Flexibility Analysis, to the Chief Counsel for Advocacy of the Small
Business Administration.
List of Subjects
47 CFR Part 0
Authority delegations (Government agencies), Communications,
Communications common carriers, Classified information, Freedom of
information, Government publications, Infants and children,
Organization and functions (Government agencies), Postal Service,
Privacy, Reporting and recordkeeping requirements, Sunshine Act,
Telecommunications.
47 CFR Part 1
Administrative practice and procedure, Civil rights, Claims,
Communications, Communications common carriers, Communications
equipment, Cuba, Drug abuse, Environmental impact statements, Equal
access to justice, Equal employment opportunity, Federal buildings and
facilities, Government employees, Historic preservation, Income taxes,
Indemnity payments, Individuals with disabilities, internet,
Investigations, Lawyers, Metric system, Penalties, Radio, Reporting and
recordkeeping requirements, Satellites, Security measures,
Telecommunications, Telephone, Television, Wages.
47 CFR Part 64
Carrier equipment, Communications common carriers, Reporting and
recordkeeping requirements, Telecommunications, Telephone.
Federal Communications Commission.
Marlene Dortch,
Secretary.
Final Rules
For the reasons discussed in the preamble, the Federal
Communications Commission amends 47 CFR parts 0, 1, and 64 as follows:
PART 0--COMMISSION ORGANIZATION
0
1. The authority citation for part 0 continues to read as follows:
Authority: 47 U.S.C. 151, 154(i), 154(j), 155, 225, and 409,
unless otherwise noted.
Subpart A--Organization
0
2. Amend Sec. 0.111 by revising paragraph (a)(28)(i) and (ii) and
adding paragraph (a)(29) to read as follows:
Sec. 0.111 Functions of the Bureau.
(a) * * *
(28) * * *
(i) Whose certification required by Sec. 64.6305 of this chapter
is deficient after giving that provider notice and an opportunity to
cure the deficiency; or
(ii) Who accepts calls directly from a provider not listed in the
Robocall Mitigation Database in violation of Sec. 64.6305(g) of this
chapter.
(29) Take enforcement action, including revoking an existing
section 214 authorization, license, or instrument for any entity that
has repeatedly violated Sec. 64.6301, Sec. 64.6302, or Sec. 64.6305
of this chapter. The Commission or the Enforcement Bureau under
delegated authority will provide prior notice of its intent to revoke
an existing license or instrument of authorization and follow
applicable revocation procedures, including providing the authorization
holder with a written opportunity to demonstrate why revocation is not
warranted.
* * * * *
PART 1--PRACTICE AND PROCEDURE
0
3. The authority citation for part 1 continues to read as follows:
Authority: 47 U.S.C. chs. 2, 5, 9, 13; 28 U.S.C. 2461 note,
unless otherwise noted.
Subpart A--General Rules of Practice and Procedure
0
4. Amend Sec. 1.80 by:
0
a. Redesignating paragraphs (b)(9) through (11) as paragraphs (b)(10)
through (12);
0
b. Adding new paragraph (b)(9);
0
c. Revising newly redesignated paragraph (b)(10);
0
d. In newly redesignated paragraph (b)(11):
0
i. Revising table 1;
0
ii. Revising the headings for tables 2 and 3;
0
iii. Revising the heading and footnote 1 for table 4; and
0
iv. Revising note 2 following table 4;
0
e. In newly redesignated paragraph (b)(12)(ii), revising the heading
for table 5; and
0
f. Revising note 3 following table 5 to newly redesignated paragraph
(b)(12)(ii).
The addition and revisions read as follows:
Sec. 1.80 Forfeiture proceedings.
* * * * *
(9) Forfeiture penalty for a failure to block. Any person
determined to have failed to block illegal robocalls pursuant to
Sec. Sec. 64.6305(g) and 64.1200(n) of this chapter shall be liable to
the United States for a forfeiture penalty of no more than $23,727 for
each violation, to be assessed on a per-call basis.
(10) Maximum forfeiture penalty for any case not previously
covered. In any case not covered in paragraphs (b)(1) through (9) of
this section, the amount of any forfeiture penalty determined under
this section shall not exceed $23,727 for each violation or each day of
a continuing violation, except that the amount assessed for any
continuing violation shall not exceed a total of $177,951 for any
single act or failure to act described in paragraph (a) of this
section.
(11) * * *
Table 1 to Paragraph (b)(11)--Base Amounts for Section 503 Forfeitures
------------------------------------------------------------------------
Violation
Forfeitures amount
------------------------------------------------------------------------
Misrepresentation/lack of candor............................ (\1\)
Failure to file required DODC required forms, and/or filing $15,000
materially inaccurate or incomplete DODC information.......
Construction and/or operation without an instrument of 10,000
authorization for the service..............................
Failure to comply with prescribed lighting and/or marking... 10,000
[[Page 40117]]
Violation of public file rules.............................. 10,000
Violation of political rules: Reasonable access, lowest unit 9,000
charge, equal opportunity, and discrimination..............
Unauthorized substantial transfer of control................ 8,000
Violation of children's television commercialization or 8,000
programming requirements...................................
Violations of rules relating to distress and safety 8,000
frequencies................................................
False distress communications............................... 8,000
EAS equipment not installed or operational.................. 8,000
Alien ownership violation................................... 8,000
Failure to permit inspection................................ 7,000
Transmission of indecent/obscene materials.................. 7,000
Interference................................................ 7,000
Importation or marketing of unauthorized equipment.......... 7,000
Exceeding of authorized antenna height...................... 5,000
Fraud by wire, radio or television.......................... 5,000
Unauthorized discontinuance of service...................... 5,000
Use of unauthorized equipment............................... 5,000
Exceeding power limits...................................... 4,000
Failure to Respond to Commission communications............. 4,000
Violation of sponsorship ID requirements.................... 4,000
Unauthorized emissions...................................... 4,000
Using unauthorized frequency................................ 4,000
Failure to engage in required frequency coordination........ 4,000
Construction or operation at unauthorized location.......... 4,000
Violation of requirements pertaining to broadcasting of 4,000
lotteries or contests......................................
Violation of transmitter control and metering requirements.. 3,000
Failure to file required forms or information............... 3,000
Per call violations of the robocall blocking rules.......... 2,500
Failure to make required measurements or conduct required 2,000
monitoring.................................................
Failure to provide station ID............................... 1,000
Unauthorized pro forma transfer of control.................. 1,000
Failure to maintain required records........................ 1,000
------------------------------------------------------------------------
Table 2 to Paragraph (b)(11)--Violations Unique to the Service
* * * * *
Table 3 to Paragraph (b)(11)--Adjustment Criteria for Section 503
Forfeitures
* * * * *
Table 4 to Paragraph (b)(11)--Non-Section 503 Forfeitures That Are
Affected by the Downward Adjustment Factors \1\
* * * * *
\1\ Unlike section 503 of the Act, which establishes maximum
forfeiture amounts, other sections of the Act, with two exceptions,
state prescribed amounts of forfeitures for violations of the
relevant section. These amounts are then subject to mitigation or
remission under section 504 of the Act. One exception is section 223
of the Act, which provides a maximum forfeiture per day. For
convenience, the Commission will treat this amount as if it were a
prescribed base amount, subject to downward adjustments. The other
exception is section 227(e) of the Act, which provides maximum
forfeitures per violation, and for continuing violations. The
Commission will apply the factors set forth in section 503(b)(2)(E)
of the Act and this table 4 to determine the amount of the penalty
to assess in any particular situation. The amounts in this table 4
are adjusted for inflation pursuant to the Debt Collection
Improvement Act of 1996 (DCIA), 28 U.S.C. 2461. These non-section
503 forfeitures may be adjusted downward using the ``Downward
Adjustment Criteria'' shown for section 503 forfeitures in table 3
to this paragraph (b)(11).
Note 2 to paragraph (b)(11): Guidelines for Assessing
Forfeitures. The Commission and its staff may use the guidelines in
tables 1 through 4 of this paragraph (b)(11) in particular cases.
The Commission and its staff retain the discretion to issue a higher
or lower forfeiture than provided in the guidelines, to issue no
forfeiture at all, or to apply alternative or additional sanctions
as permitted by the statute. The forfeiture ceilings per violation
or per day for a continuing violation stated in section 503 of the
Communications Act and the Commission's rules are described in
paragraph (b)(12) of this section. These statutory maxima became
effective September 13, 2013. Forfeitures issued under other
sections of the Act are dealt with separately in table 4 to this
paragraph (b)(11).
(12) * * *
(ii) * * *
Table 5 to Paragraph (b)(12)(ii)
* * * * *
Note 3 to paragraph (b)(12): Pursuant to Public Law 104-134, the
first inflation adjustment cannot exceed 10 percent of the statutory
maximum amount.
* * * * *
PART 64--MISCELLANEOUS RULES RELATING TO COMMON CARRIERS
0
5. The authority citation for part 64 continues to read as follows:
Authority: 47 U.S.C. 151, 152, 154, 201, 202, 217, 218, 220,
222, 225, 226, 227, 227b, 228, 251(a), 251(e), 254(k), 255, 262,
276, 403(b)(2)(B), (c), 616, 617, 620, 1401-1473, unless otherwise
noted; Pub. L. 115-141, Div. P, sec. 503, 132 Stat. 348, 1091.
Subpart HH--Caller ID Authentication
0
6. Amend Sec. 64.6300 by redesignating paragraphs (i) through (n) as
paragraphs (j) through (o) and adding new paragraph (i) to read as
follows:
Sec. 64.6300 Definitions.
* * * * *
(i) Non-gateway intermediate provider. The term ``non-gateway
intermediate provider'' means any entity that is an intermediate
provider as that term is defined by paragraph (g) of this section that
is not a gateway provider as that term is defined by paragraph (d) of
this section.
* * * * *
[[Page 40118]]
0
7. Amend Sec. 64.6302 by adding paragraph (d) to read as follows:
Sec. 64.6302 Caller ID authentication by intermediate providers.
* * * * *
(d) Notwithstanding paragraph (b) of this section, a non-gateway
intermediate provider must, not later than December 31, 2023,
authenticate caller identification information for all calls it
receives directly from an originating provider and for which the caller
identification information has not been authenticated and which it will
exchange with another provider as a SIP call, unless that non-gateway
intermediate provider is subject to an applicable extension in Sec.
64.6304.
Sec. 64.6303 [Amended]
0
8. Amend Sec. 63.6303 by adding reserved paragraph (c).
0
9. Delayed indefinitely, further amend Sec. 63.6303 by adding
paragraph (c) to read as follows:
Sec. 64.6303 Caller ID authentication in non-IP networks.
* * * * *
(c) Except as provided in Sec. 64.6304, not later than December
31, 2023, a non-gateway intermediate provider receiving a call directly
from an originating provider shall either:
(1) Upgrade its entire network to allow for the processing and
carrying of SIP calls and fully implement the STIR/SHAKEN framework as
required in Sec. 64.6302(d) throughout its network; or
(2) Maintain and be ready to provide the Commission on request with
documented proof that it is participating, either on its own or through
a representative, including third party representatives, as a member of
a working group, industry standards group, or consortium that is
working to develop a non-internet Protocol caller identification
authentication solution, or actively testing such a solution.
0
10. Amend Sec. 64.6304 by:
0
a. Removing the word ``and'' at the end of paragraph (a)(1)(i);
0
b. Revising paragraph (a)(1)(ii);
0
c. Adding paragraph (a)(1)(iii); and
0
d. Revising paragraphs (b) and (d).
The revisions and addition read as follows:
Sec. 64.6304 Extension of implementation deadline.
(a) * * *
(1) * * *
(ii) A small voice service provider notified by the Enforcement
Bureau pursuant to Sec. 0.111(a)(27) of this chapter that fails to
respond in a timely manner, fails to respond with the information
requested by the Enforcement Bureau, including credible evidence that
the robocall traffic identified in the notification is not illegal,
fails to demonstrate that it taken steps to effectively mitigate the
traffic, or if the Enforcement Bureau determines the provider violates
Sec. 64.1200(n)(2), will no longer be exempt from the requirements of
Sec. 64.6301 beginning 90 days following the date of the Enforcement
Bureau's determination, unless the extension would otherwise terminate
earlier pursuant to paragraph (a)(1) introductory text or (a)(1)(i), in
which case the earlier deadline applies; and
(iii) Small voice service providers that originate calls via
satellite using North American Numbering Plan numbers are deemed
subject to a continuing extension of Sec. 64.6301.
* * * * *
(b) Voice service providers, gateway providers, and non-gateway
intermediate providers that cannot obtain an SPC token. Voice service
providers that are incapable of obtaining an SPC token due to
Governance Authority policy are exempt from the requirements of Sec.
64.6301 until they are capable of obtaining an SPC token. Gateway
providers that are incapable of obtaining an SPC token due to
Governance Authority policy are exempt from the requirements of Sec.
64.6302(c) regarding call authentication. Non-gateway intermediate
providers that are incapable of obtaining an SPC token due to
Governance Authority policy are exempt from the requirements of Sec.
64.6302(d) regarding call authentication.
* * * * *
(d) Non-IP networks. Those portions of a voice service provider,
gateway provider, or non-gateway intermediate provider's network that
rely on technology that cannot initiate, maintain, carry, process, and
terminate SIP calls are deemed subject to a continuing extension. A
voice service provider subject to the foregoing extension shall comply
with the requirements of Sec. 64.6303(a) as to the portion of its
network subject to the extension, a gateway provider subject to the
foregoing extension shall comply with the requirements of Sec.
64.6303(b) as to the portion of its network subject to the extension,
and a non-gateway intermediate provider receiving calls directly from
an originating provider subject to the foregoing extension shall comply
with the requirements of Sec. 64.6303(c) as to the portion of its
network subject to the extension.
* * * * *
0
11. Amend Sec. 64.6305 by:
0
a. Revising paragraph (a)(1);
0
b. Redesignating paragraphs (c), (d), and (e) as paragraphs (d), (e),
and (g) and adding new paragraph (c);
0
c. Revising newly redesignated paragraphs (d)(3) introductory text,
(d)(5) introductory text, (e)(2) introductory text, (e)(3) introductory
text, and (e)(5);
0
d. Adding reserved paragraph (f);
0
e. Revising newly redesignated paragraphs (g)(1) through (3);
0
f. Redesignating paragraph (g)(4) as paragraph (g)(5) and adding new
reserved paragraph (g)(4); and
0
g. Revising newly redesignated paragraph (g)(5) introductory text.
The additions and revisions read as follows:
Sec. 64.6305 Robocall mitigation and certification.
(a) * * *
(1) Each voice service provider shall implement an appropriate
robocall mitigation program.
* * * * *
(c) Robocall mitigation program requirements for non-gateway
intermediate providers. (1) Each non-gateway intermediate provider
shall implement an appropriate robocall mitigation program.
(2) Any robocall mitigation program implemented pursuant to
paragraph (c)(1) of this section shall include reasonable steps to
avoid carrying or processing illegal robocall traffic and shall include
a commitment to respond fully and in a timely manner to all traceback
requests from the Commission, law enforcement, and the industry
traceback consortium, and to cooperate with such entities in
investigating and stopping any illegal robocallers that use its service
to carry or process calls.
(d) * * *
(3) All certifications made pursuant to paragraphs (d)(1) and (2)
of this section shall:
* * * * *
(5) A voice service provider shall update its filings within 10
business days of any change to the information it must provide pursuant
to paragraphs (d)(1) through (4) of this section.
* * * * *
(e) * * *
(2) A gateway provider shall include the following information in
its certification made pursuant to paragraph (e)(1) of this section, in
[[Page 40119]]
English or with a certified English translation:
* * * * *
(3) All certifications made pursuant to paragraphs (e)(1) and (2)
of this section shall:
* * * * *
(5) A gateway provider shall update its filings within 10 business
days to the information it must provide pursuant to paragraphs (e)(1)
through (4) of this section, subject to the conditions set forth in
paragraphs (d)(5)(i) and (ii) of this section.
* * * * *
(f) [Reserved]
(g) * * *
(1) Accepting traffic from domestic voice service providers.
Intermediate providers and voice service providers shall accept calls
directly from a domestic voice service provider only if that voice
service provider's filing appears in the Robocall Mitigation Database
in accordance with paragraph (d) of this section and that filing has
not been de-listed pursuant to an enforcement action.
(2) Accepting traffic from foreign providers. Beginning April 11,
2023, intermediate providers and voice service providers shall accept
calls directly from a foreign voice service provider or foreign
intermediate provider that uses North American Numbering Plan resources
that pertain to the United States in the caller ID field to send voice
traffic to residential or business subscribers in the United States,
only if that foreign provider's filing appears in the Robocall
Mitigation Database in accordance with paragraph (d) of this section
and that filing has not been de-listed pursuant to an enforcement
action.
(3) Accepting traffic from gateway providers. Beginning April 11,
2023, intermediate providers and voice service providers shall accept
calls directly from a gateway provider only if that gateway provider's
filing appears in the Robocall Mitigation Database in accordance with
paragraph (e) of this section, showing that the gateway provider has
affirmatively submitted the filing, and that filing has not been de-
listed pursuant to an enforcement action.
(4) [Reserved]
(5) Public safety safeguards. Notwithstanding paragraphs (g)(1)
through (4) of this section:
* * * * *
0
12. Delayed indefinitely, further amend Sec. 64.6305 by:
0
a. Revising paragraphs (d)(1) introductory text, (d)(1)(ii) and (iii),
(d)(2), and (d)(4)(iv) and (v) and adding paragraphs (d)(4)(vi) and
(vii);
0
b. Revising paragraphs (e)(1) introductory text and (e)(2)(i) through
(iii);
0
c. Adding paragraph (e)(2)(iv);
0
d. Revising paragraphs (e)(4)(iv) and (v) and adding paragraphs
(e)(4)(vi) and (vii); and
0
e. Adding paragraphs (f) and (g)(4).
The additions and revisions read as follows:
Sec. 64.6305 Robocall mitigation and certification.
* * * * *
(d) * * *
(1) A voice service provider shall certify that all of the calls
that it originates on its network are subject to a robocall mitigation
program consistent with paragraph (a) of this section, that any prior
certification has not been removed by Commission action and it has not
been prohibited from filing in the Robocall Mitigation Database by the
Commission, and to one of the following:
* * * * *
(ii) It has implemented the STIR/SHAKEN authentication framework on
a portion of its network and all calls it originates on that portion of
its network are compliant with Sec. 64.6301(a)(1) and (2); or
(iii) It has not implemented the STIR/SHAKEN authentication
framework on any portion of its network.
(2) A voice service provider shall include the following
information in its certification in English or with a certified English
translation:
(i) Identification of the type of extension or extensions the voice
service provider received under Sec. 64.6304, if the voice service
provider is not a foreign voice service provider, and the basis for the
extension or extensions, or an explanation of why it is unable to
implement STIR/SHAKEN due to a lack of control over the network
infrastructure necessary to implement STIR/SHAKEN;
(ii) The specific reasonable steps the voice service provider has
taken to avoid originating illegal robocall traffic as part of its
robocall mitigation program, including a description of how it complies
with its obligation to know its customers pursuant to Sec.
64.1200(n)(3), any procedures in place to know its upstream providers,
and the analytics system(s) it uses to identify and block illegal
traffic, including whether it uses any third-party analytics vendor(s)
and the name(s) of such vendor(s);
(iii) A statement of the voice service provider's commitment to
respond fully and in a timely manner to all traceback requests from the
Commission, law enforcement, and the industry traceback consortium, and
to cooperate with such entities in investigating and stopping any
illegal robocallers that use its service to originate calls; and
(iv) State whether, at any time in the prior two years, the filing
entity (and/or any entity for which the filing entity shares common
ownership, management, directors, or control) has been the subject of a
formal Commission, law enforcement, or regulatory agency action or
investigation with accompanying findings of actual or suspected
wrongdoing due to the filing entity transmitting, encouraging,
assisting, or otherwise facilitating illegal robocalls or spoofing, or
a deficient Robocall Mitigation Database certification or mitigation
program description; and, if so, provide a description of any such
action or investigation, including all law enforcement or regulatory
agencies involved, the date that any action or investigation was
commenced, the current status of the action or investigation, a summary
of the findings of wrongdoing made in connection with the action or
investigation, and whether any final determinations have been issued.
* * * * *
(4) * * *
(iv) Whether the voice service provider is a foreign voice service
provider;
(v) The name, title, department, business address, telephone
number, and email address of one person within the company responsible
for addressing robocall mitigation-related issues;
(vi) Whether the voice service provider is:
(A) A voice service provider with a STIR/SHAKEN implementation
obligation directly serving end users;
(B) A voice service provider with a STIR/SHAKEN implementation
obligation acting as a wholesale provider originating calls on behalf
of another provider or providers; or
(C) A voice service provider without a STIR/SHAKEN implementation
obligation; and
(vii) The voice service provider's OCN, if it has one.
* * * * *
(e) * * *
(1) A gateway provider shall certify that all of the calls that it
carries or processes on its network are subject to a robocall
mitigation program consistent with paragraph (b)(1) of this section,
that any prior certification has not been removed by Commission action
and it
[[Page 40120]]
has not been prohibited from filing in the Robocall Mitigation Database
by the Commission, and to one of the following:
* * * * *
(2) * * *
(i) Identification of the type of extension or extensions the
gateway provider received under Sec. 64.6304 and the basis for the
extension or extensions, or an explanation of why it is unable to
implement STIR/SHAKEN due to a lack of control over the network
infrastructure necessary to implement STIR/SHAKEN;
(ii) The specific reasonable steps the gateway provider has taken
to avoid carrying or processing illegal robocall traffic as part of its
robocall mitigation program, including a description of how it complies
with its obligation to know its upstream providers pursuant to Sec.
64.1200(n)(4), the analytics system(s) it uses to identify and block
illegal traffic, and whether it uses any third-party analytics
vendor(s) and the name(s) of such vendor(s);
(iii) A statement of the gateway provider's commitment to respond
fully and within 24 hours to all traceback requests from the
Commission, law enforcement, and the industry traceback consortium, and
to cooperate with such entities in investigating and stopping any
illegal robocallers that use its service to carry or process calls; and
(iv) State whether, at any time in the prior two years, the filing
entity (and/or any entity for which the filing entity shares common
ownership, management, directors, or control) has been the subject of a
formal Commission, law enforcement, or regulatory agency action or
investigation with accompanying findings of actual or suspected
wrongdoing due to the filing entity transmitting, encouraging,
assisting, or otherwise facilitating illegal robocalls or spoofing, or
a deficient Robocall Mitigation Database certification or mitigation
program description; and, if so, provide a description of any such
action or investigation, including all law enforcement or regulatory
agencies involved, the date that any action or investigation was
commenced, the current status of the action or investigation, a summary
of the findings of wrongdoing made in connection with the action or
investigation, and whether any final determinations have been issued.
* * * * *
(4) * * *
(iv) Whether the gateway provider or any affiliate is also foreign
voice service provider;
(v) The name, title, department, business address, telephone
number, and email address of one person within the company responsible
for addressing robocall mitigation-related issues;
(vi) Whether the gateway provider is:
(A) A gateway provider with a STIR/SHAKEN implementation
obligation; or
(B) A gateway provider without a STIR/SHAKEN implementation
obligation; and
(vii) The gateway provider's OCN, if it has one.
* * * * *
(f) Certification by non-gateway intermediate providers in the
Robocall Mitigation Database. (1) A non-gateway intermediate provider
shall certify that all of the calls that it carries or processes on its
network are subject to a robocall mitigation program consistent with
paragraph (c) of this section, that any prior certification has not
been removed by Commission action and it has not been prohibited from
filing in the Robocall Mitigation Database by the Commission, and to
one of the following:
(i) It has fully implemented the STIR/SHAKEN authentication
framework across its entire network and all calls it carries or
processes are compliant with Sec. 64.6302(b);
(ii) It has implemented the STIR/SHAKEN authentication framework on
a portion of its network and calls it carries or processes on that
portion of its network are compliant with Sec. 64.6302(b); or
(iii) It has not implemented the STIR/SHAKEN authentication
framework on any portion of its network for carrying or processing
calls.
(2) A non-gateway intermediate provider shall include the following
information in its certification made pursuant to paragraph (f)(1) of
this section in English or with a certified English translation:
(i) Identification of the type of extension or extensions the non-
gateway intermediate provider received under Sec. 64.6304, if the non-
gateway intermediate provider is not a foreign provider, and the basis
for the extension or extensions, or an explanation of why it is unable
to implement STIR/SHAKEN due to a lack of control over the network
infrastructure necessary to implement STIR/SHAKEN;
(ii) The specific reasonable steps the non-gateway intermediate
provider has taken to avoid carrying or processing illegal robocall
traffic as part of its robocall mitigation program, including a
description of any procedures in place to know its upstream providers
and the analytics system(s) it uses to identify and block illegal
traffic, including whether it uses any third-party analytics vendor(s)
and the name of such vendor(s);
(iii) A statement of the non-gateway intermediate provider's
commitment to respond fully and in a timely manner to all traceback
requests from the Commission, law enforcement, and the industry
traceback consortium, and to cooperate with such entities in
investigating and stopping any illegal robocallers that use its service
to carry or process calls; and
(iv) State whether, at any time in the prior two years, the filing
entity (and/or any entity for which the filing entity shares common
ownership, management, directors, or control) has been the subject of a
formal Commission, law enforcement, or regulatory agency action or
investigation with accompanying findings of actual or suspected
wrongdoing due to the filing entity transmitting, encouraging,
assisting, or otherwise facilitating illegal robocalls or spoofing, or
a deficient Robocall Mitigation Database certification or mitigation
program description; and, if so, provide a description of any such
action or investigation, including all law enforcement or regulatory
agencies involved, the date that any action or investigation was
commenced, the current status of the action or investigation, a summary
of the findings of wrongdoing made in connection with the action or
investigation, and whether any final determinations have been issued.
(3) All certifications made pursuant to paragraphs (f)(1) and (2)
of this section shall:
(i) Be filed in the appropriate portal on the Commission's website;
and
(ii) Be signed by an officer in conformity with 47 CFR 1.16.
(4) A non-gateway intermediate provider filing a certification
shall submit the following information in the appropriate portal on the
Commission's website:
(i) The non-gateway intermediate provider's business name(s) and
primary address;
(ii) Other business names in use by the non-gateway intermediate
provider;
(iii) All business names previously used by the non-gateway
intermediate provider;
(iv) Whether the non-gateway intermediate provider or any affiliate
is also foreign voice service provider;
(v) The name, title, department, business address, telephone
number, and email address of one person within the company responsible
for addressing robocall mitigation-related issues;
[[Page 40121]]
(vi) Whether the non-gateway intermediate provider is:
(A) A non-gateway intermediate provider with a STIR/SHAKEN
implementation obligation; or
(B) A non-gateway intermediate provider without a STIR/SHAKEN
implementation obligation; and
(vii) The non-gateway intermediate service provider's OCN, if it
has one.
(5) A non-gateway intermediate provider shall update its filings
within 10 business days of any change to the information it must
provide pursuant to this paragraph (f) subject to the conditions set
forth in paragraphs (d)(5)(i) and (ii) of this section.
(g) * * *
(4) Accepting traffic from non-gateway intermediate providers.
Intermediate providers and voice service providers shall accept calls
directly from a non-gateway intermediate provider only if that non-
gateway intermediate provider's filing appears in the Robocall
Mitigation Database in accordance with paragraph (f) of this section,
showing that the non-gateway intermediate provider affirmatively
submitted the filing, and that filing has not been de-listed pursuant
to an enforcement action.
* * * * *
[FR Doc. 2023-12142 Filed 6-20-23; 8:45 am]
BILLING CODE 6712-01-P
</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body>
</html>Indexed from Federal Register on June 21, 2023.
This is legal information, not legal advice. Laws vary by jurisdiction and change frequently. Always verify current law with official sources and consult a licensed attorney in your jurisdiction for advice on your specific situation.