STIR/SHAKEN and robocall mitigation - countdown to the deadline
This, the latest in our series of blog posts on the topic of STIR/SHAKEN and robocalling, switches gears and looks at the regulations rather than the technology. This is because the regulatory deadlines are coming thick and fast. Read on to find out more.
NOTE: This is not legal advice. You should engage your own regulatory consultant or legal counsel to understand what the regulations mean for your business.
Headline: it’s all about deadlines!
There are some crucial dates in the calendar coming up very soon for any service provider putting traffic into the US PSTN, some better known than others. This blog sets out what is happening, what it means for you, and how Metaswitch can help. It’s all in the context of the FCC’s continued war on illegal robocallers, spammers, fraudsters and scammers, and places the onus very firmly on all voice service providers to take action to prevent origination of illegal calls from their networks.
The key dates are as follows:
- 6 May 2021 – “affirmative obligations” on all voice service providers concerning robocalling
- 30 June 2021 – implementation of STIR/SHAKEN and/or robocall mitigation, and filing in the FCC’s database
- 28 September 2021 – obligation not to accept traffic from any service provider not in the database
- 1 January 2022 – implementation of specific SIP and ISUP response codes when blocking calls.
What does this mean for you?
You should consult your regulatory experts, but in a nutshell
- there are specific new requirements on your business processes, policies and practices, in particular for “robocall mitigation”
- you may need to change the way you deal with your customers, especially business customers
- you have to follow particular new rules on what calls you may block
- on the other hand, you can take advantage of new safe harbor provisions to expand the set of calls you may block
- you have to create and maintain filings with the FCC
- you may need software updates to your switching infrastructure.
Let’s look at this in more detail.
Key date 1: 6 May 2021 – affirmative obligations on all voice service providers
On 6 April, the FCC published a notice in the Federal Register bringing into effect some provisions of the Fourth Robocall Report and Order, as follows.
- You need to respond to traceback requests from the FCC, from law enforcement, and from the USTelecom Industry Traceback Group, so the authorities have the information needed to crack down on illegal robocalling.
- You need strengthened “know your customer” practices, to implement effective measures to prevent new customers and those renewing service from using your network to originate illegal calls, and to carry out proper due diligence to ensure your network is not being used in that way.
- You must ensure you do not block 911 calls, and do make all reasonable efforts to ensure you are not blocking calls from PSAPs and government emergency numbers.
- You must stop blocking calls if a caller makes a credible claim of erroneous blocking and you determine that the calls should not have been blocked.
- You must have a single point of contact for blocking and call authentication issues and disputes, and publicize it on your website.
- You must resolve disputes in a reasonable time, including providing a status update within 24 hours, and not make any charge for investigating and resolving disputes raised in good faith.
As well as this, the safe harbor for call blocking is expanded, giving you more leeway to block calls based on neutral, non-discriminatory reasonable analytics, provided that you
- reasonably determine that a call pattern is highly likely to be illegal
- use caller ID authentication information where available
- exercise proper human oversight
- stop blocking calls as soon as you know they are likely to be lawful
- tell your customers you are doing blocking
- do not charge your customers for doing this.
Key date 2: 30 June 2021 – STIR/SHAKEN and robocall mitigation implementation and filing deadline
This is the one that has had all the attention, stemming from the TRACED Act signed into law at the end of 2019, the Second Call Authentication Report and Order from October 2020, and the Public Notice from the Wireline Competition Bureau on 20 April 2021 providing details of the database and how to file.
First, it reaffirms the 30 June 2021 deadline for implementation of STIR/SHAKEN, but provides extensions
- for two years for providers of up to 100,000 subscriber lines
- indefinitely for any provider that cannot participate (e.g. because of not having their own numbering resources)
- for one year for any service under notice of discontinuation, provided it is indeed discontinued within that time.
The extensions come at a price, though – namely that you implement a robocall mitigation program. The FCC is deliberately not prescriptive about this, demanding only that it includes “detailed practices that are reasonably expected to significantly reduce the origination of illegal calls” on your network. In lots of ways, this simply builds on the affirmative obligations above, and lots of what you do for that will also help with this. Beyond that, there is some guidance in the form of the Best Practice document published in December 2020, which lists three things:
- analysis and monitoring of network traffic
- investigating suspicious calls and calling patterns
- confirming the identity of commercial customers.
These are not a mandate, not even a safe harbor, but it’s likely that processes along those lines will be considered sufficient. And that’s important, as the FCC has the power to impose further processes on you if it judges you are not going far enough.
The final key obligation is to do with filing an entry in the new Robocall Mitigation Database, details of which were published on 20 April. By 30 June 2021, every service provider needs to file, with an explanation of what you are doing – STIR/SHAKEN, robocall mitigation or both, including the details of the robocall mitigation program, and a statement of your commitment to cooperate with traceback requests to track down the bad actors.
So, if you haven’t started thinking about what you are going to do, and how, and preparing your filing, then now is the time to start.
Key date 3: 28 September 2021
This is the date when the FCC can start wielding a very big stick to ensure compliance. Ninety days after the June deadline for filing in the robocall mitigation database, if you don’t have a filing then other providers are obliged to not accept traffic from you. This is an existential threat to your business.
Key date 4: 1 January 2022
Somewhat further out, as part of what the FCC calls “enhanced redress and transparency” is the deadline for implementing particular return codes in signaling for blocked calls, so that the caller can tell that the call has been blocked and where technically possible has the means to contact whoever blocked it in the case that blocking was erroneous. The requirement is to use SIP 607 or 608 and ISUP cause code 21, and to do appropriate interworking between them. At this stage, the right action is to look at your network and consider what upgrades you may need, and to contact your equipment vendors.
Want to know more?
Get in touch with your regulatory experts, and your vendors.
For chapter and verse from the regulations themselves, check out the official documents:
- Fourth Robocall Report and Order (Dec 2020) – https://docs.fcc.gov/public/attachments/FCC-20-187A1.pdf
- Second Call Authentication Report and Order (Oct 2020) – https://docs.fcc.gov/public/attachments/FCC-20-136A1.pdf
- Best Practices for call authentication and robocall mitigation (Dec 2020) – https://docs.fcc.gov/public/attachments/DA-20-1526A1.pdf
- Federal Register entry bringing into effect “affirmative obligations” (Apr 2020) – https://www.federalregister.gov/documents/2021/04/06/2021-04414/advanced-methods-to-target-and-eliminate-unlawful-robocalls
- Public Notice establishing robocall mitigation database (Apr 2020) – https://docs.fcc.gov/public/attachments/DA-21-454A1.pdf
- FCC Robocall Mitigation Database portal – https://fccprod.servicenowservices.com/rmd?id=rmd_welcome
- Instructions for accessing the database – https://www.fcc.gov/files/rmd-instructions
Director, Product Management at Metaswitch.