Federal Communications Commission DA 21-549 DA 21-549 Released: May 10, 2021 CALLER ID AUTHENTICATION GOVERNANCE FRAMEWORK REVISED TO ENABLE EARLIER PARTICIPATION BY PROVIDERS WITHOUT DIRECT ACCESS TO TELEPHONE NUMBERS WC Docket Nos. 13-97, 17-97 By this Public Notice, the Wireline Competition Bureau (Bureau) announces that, on May 10, 2021, the Secure Telephone Identity Governance Authority (Governance Authority) issued an update to its Service Provider Code (SPC) Token Access Policy. Press Release, STI-GA, STI-GA Announces Effective Date of Revised SPC token Access Policy (May 10, 2021), https://sti-ga.atis.org/wp-content/uploads/sites/14/2021/05/051021-SPC-token-Access-Policy-advisory.pdf (May 2021 Governance Authority Press Release). Under the revised policy, entities without direct access to telephone numbers may immediately pursue the certificate necessary to participate in STIR/SHAKEN caller ID authentication, as long as they have filed in the Federal Communications Commission’s Robocall Mitigation Database. In September 2020, the Commission adopted rules requiring voice service providers to file certifications in the Robocall Mitigation Database, no later than June 30, 2021, attesting that their traffic is either “signed with STIR/SHAKEN or . . . subject to a robocall mitigation program.” Call Authentication Trust Anchor, WC Docket No. 17-97, Second Report and Order, FCC 20-136, at 44, para. 82 (2020) (Second Caller ID Authentication Report and Order). The Governance Authority, managed by a board consisting of representatives from across the voice service industry, defines the policies and procedures for which entities can acquire a digital certificate necessary to participate in STIR/SHAKEN. See Call Authentication Trust Anchor, Implementation of TRACED Act Section 6(a)—Knowledge of Customers by Entities with Access to Numbering Resources, WC Docket Nos. 17-97 and 20-67, Report and Order and Further Notice of Proposed Rulemaking, 35 FCC Rcd 3241, 3246, para. 9 (2020) (First Caller ID Authentication Report and Order and Further Notice). One such policy is the SPC Token Access Policy, which establishes three requirements an entity must meet to receive a certificate. The SPC Token Access Policy originally required an entity seeking a certificate, among other things, to “[h]ave direct access to telephone numbers from the North American Numbering Plan Administrator . . . and National Pooling Administrator.” See STIR/SHAKEN Caller ID Authentication Governance Framework Revised to Expand Participation, WC Docket No. 17-97, Public Notice, DA 20-1374, 35 FCC Rcd 13034, 13034 (WCB 2020). On November 18, 2020, the Governance Authority issued an update that removed and replaced the requirement that an entity have direct access to telephone numbers to receive a certificate. In place of that requirement, the revised policy requires that an entity must be listed in the Robocall Mitigation Database. Press Release, ATIS, New Secure Telephone Identity Governance Authority Policies Advance Industry Illegal Robocall Mitigation Goals (Nov. 18, 2020), https://www.atis.org/press-releases/new-secure-telephone-identity-governance-authority-policies-advance-industry-illegal-robocall-mitigation-goals/. Although the Governance Authority announced this revision in November, it stated that the new policy would only be effective upon the Commission’s Robocall Mitigation Database filing deadline and that, until then, “the current SPC token access policy remains in effect.” Id. On April 20, 2021, the Bureau established a June 30, 2021, filing deadline for the Robocall Mitigation Database. Wireline Competition Bureau Announces Opening of Robocall Mitigation Database and Provides Filing Instructions and Deadlines, WC Docket No. 17-97, Public Notice, DA 21-454, at 1 (WCB Apr. 20, 2021). On May 10, 2021, the Governance Authority announced that it had changed the effective date of this revision, to be effective immediately. May 2021 Governance Authority Press Release. Thus, effective immediately, an entity that lacks a certificate does not need direct access to telephone numbers to pursue a certificate, and instead must be listed in the Commission’s Robocall Mitigation Database. The Commission has recognized that the SPC Token Access Policy could prevent certain categories of voice service providers from participating in STIR/SHAKEN. Second Caller ID Authentication Report and Order at 24, para. 49; First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3259, para. 39 n.145. In recognition of this challenge, the Commission granted an extension of the STIR/SHAKEN implementation deadline to voice service providers that cannot obtain a certificate due to the SPC Token Access Policy “until it is feasible for a provider to participate in STIR/SHAKEN due either to the possibility of compliance with the Governance Authority policy or a change in the Governance Authority policy.” Second Caller ID Authentication Report and Order at 24, para. 50. The Commission further “recognize[d] that a voice service provider may not be able to immediately come into compliance with its caller ID authentication obligations after it becomes eligible to receive a certificate,” and found that it “will not consider a voice service provider that diligently pursues a certificate once it is able to receive one in violation of our rules.” Id. As a result of the Governance Authority’s policy change, voice service providers that previously were unable to obtain a certificate due to a lack of direct access to numbers must now “diligently pursue” a certificate by registering in the Robocall Mitigation Database and then seeking a certificate from a Secure Telephone Identity Certification Authority. For further information, please contact Matthew Collins, Assistant Chief, Competition Policy Division, Wireline Competition Bureau, at (202) 418-7141 or by email at matthew.collins@fcc.gov. 2