Federal Communications Commission Washington, D.C. 20554 June 21, 2021 DA 21-724 Small Entity Compliance Guide The Commission’s Rules Regarding Caller ID Authentication FCC 20-136 WC Docket No. 17-97 Released: October 1, 2020 FCC 20-42 WC Docket Nos. 17-97; 20-67 Released: March 31, 2020 This Guide is prepared in accordance with the requirements of Section 212 of the Small Business Regulatory Enforcement Fairness Act of 1996. It is intended to help small entities—small businesses, small organizations (non-profits), and small governmental jurisdictions—comply with the revised rules adopted in the above-referenced Federal Communications Commission (FCC or Commission) rulemaking dockets. This Guide is not intended to replace or supersede these rules, but to facilitate compliance with the rules. Although we have attempted to cover all parts of the rules that might be especially important to small entities, the coverage may not be exhaustive. This Guide cannot anticipate all situations in which the rules apply. Furthermore, the Commission retains the discretion to adopt case-by-case approaches, where appropriate, that may differ from this Guide. Any decision regarding a particular small entity will be based on the statute and any relevant rules. In any civil or administrative action against a small entity for a violation of rules, the content of the Small Entity Compliance Guide may be considered as evidence of the reasonableness or appropriateness of proposed fines, penalties or damages. Interested parties are free to file comments regarding this Guide and the appropriateness of its application to a particular situation. The FCC will then consider whether the recommendations or interpretations in the Guide are appropriate in that situation. The FCC may decide to revise this Guide without public notice to reflect changes in the FCC’s approach to implementing a rule, or it may clarify or update the text of the Guide. Direct your comments and recommendations, or calls for further assistance, to the FCC’s Consumer Center: 1-888-CALL-FCC (1-888-225-5322) TTY: 1-888-TELL-FCC (1-888-835-5322) Videophone: 1-844-4-FCC-ASL (1-844-432-2275) Fax: 1-866-418-0232 TABLE OF CONTENTS I. OBJECTIVES OF THE PROCEEDING 3 II. COMPLIANCE REQUIREMENTS 3 III. RECORDKEEPING AND REPORTING REQUIREMENTS 6 IV. IMPLEMENTATION DATE 7 V. INTERNET LINKS 7 I. OBJECTIVES OF THE PROCEEDING In the First Report and Order and Further Notice of Proposed Rulemaking in WC Docket Nos. 20-67 and 17-97 (First Caller ID Authentication Report and Order and Further Notice of Proposed Rulemaking) and the Second Report and Order in WC Docket No. 17-97 (Second Caller ID Authentication Report and Order) (collectively, Caller ID Authentication Orders), the Federal Communications Commission (Commission or FCC) adopted rules implementing the TRACED Act, including requiring voice service providers to adopt caller ID authentication technology using technical standards known as “STIR/SHAKEN.” STIR/SHAKEN standards enable phone companies to verify that the caller ID information transmitted with a call matches the caller’s phone number. Widespread deployment of STIR/SHAKEN will reduce illegal call spoofing’s effectiveness, allow law enforcement to identify bad actors more easily, and help phone companies identify calls with illegally spoofed caller ID information before those calls reach their subscribers. The FCC estimates that the benefits of eliminating the wasted time and nuisance caused by illegal scam robocalls will exceed $3 billion annually and STIR/SHAKEN is an important part of realizing those cost savings. Additionally, when paired with call analytics, STIR/SHAKEN will help protect American consumers from fraudulent robocall schemes that cost Americans approximately $10 billion annually. Improved caller ID authentication will also benefit public safety by reducing spoofed robocalls that disrupt healthcare and emergency communications systems. II. COMPLIANCE REQUIREMENTS The Commission’s March 2020 First Caller ID Authentication Report and Order and Further Notice of Proposed Rulemaking required all voice service providers to implement STIR/SHAKEN in the Internet Protocol (IP) portions of their networks by June 30, 2021, consistent with the recently-enacted TRACED Act. The September 2020 Second Caller ID Authentication Report and Order continued the FCC’s work to implement the TRACED Act and promote the deployment of caller ID authentication technology. Among other things, that order provided for certain exemptions and extensions from the June 30, 2021 deadline and extended the STIR/SHAKEN implementation mandate to intermediate providers (i.e., those providers that carry or process but do not originate or terminate voice traffic that traverses the PSTN). Definitions (47 CFR § 64.6300) · The Caller ID Authentication Orders adopted several new definitions applicable to the Caller ID authentication rule subpart (Subpart HH), including: o Foreign voice service provider is defined as “any entity providing voice service outside of the United States that has the ability to originate voice service that terminates in a point outside that foreign country or terminate voice service that originates from points outside that foreign country.” o Governance authority is defined as “the Secure Telephone Identity Governance Authority” or STI-GA, “the entity that establishes and governs the policies regarding the issuance, management, and revocation of Service Provider Code (SPC) tokens to intermediate providers and voice service providers.” o Intermediate provider is defined as “any entity that carries or processes traffic that traverses or will traverse the PSTN at any point insofar as that entity neither originates nor terminates that traffic.” o Robocall mitigation database is defined as “a database accessible via the Commission’s website that lists all entities that make filings pursuant to 47 CFR 64.6305(b).” o SIP call is defined as a “call initiated, maintained, and terminated using the Session Initiation Protocol signaling protocol.” o SPC token is defined as “the Service Provider Code token, an authority token validly issued to an intermediate provider or voice service provider that allows the provider to authenticate and verify caller ID information consistent with the STIR/SHAKEN authentication framework in the United States.” o STIR/SHAKEN authentication framework is defined as “the secure telephone identity revisited and signature-based handling of asserted information using tokens standards.” o Voice service is defined as “any service that is interconnected with the public switched telephone network and that furnishes voice communications to an end user using resources from the North American Numbering Plan or any successor to the North American Numbering Plan adopted by the Commission” and includes both “transmissions from a telephone facsimile machine, computer, or other device to a telephone facsimile machine;” and “without limitation, any service that enables real-time, two-way voice communications, including any service that requires Internet Protocol-compatible consumer premises equipment and permits out-bound calling, whether or not the service is one-way or two-way voice over Internet Protocol.” Voice Service Providers’ Implementation of STIR/SHAKEN on IP-based Networks (47 CFR § 64.6301) · Voice service providers must fully implement STIR/SHAKEN in the IP portions of their networks by June 30, 2021. o A voice service provider must meet the June 30, 2021 deadline UNLESS it is subject to the extensions in 64.6304 or the exemptions in 64.6306 described below. · To comply with this obligation, a voice service provider must: o Authenticate and verify caller ID information for all SIP calls that exclusively transit its network. o Authenticate caller ID information for all SIP calls it originates and exchanges with another voice service provider or intermediate provider. To the extent technically feasible, a voice service provider must also transmit that call with authenticated caller ID information to the next voice service provider or intermediate provider in the call path. o Verify caller ID information for all SIP calls it receives from another voice service provider or intermediate provider, which it will terminate and for which the caller ID information has been authenticated. Voice Service Providers’ Implementation of STIR/SHAKEN in non-IP-based Networks (47 CFR § 64.6303) · For the non-IP portions of their network, voice service providers must either (1) upgrade to IP and implement STIR/SHAKEN by June 30, 2021, OR (2) work to develop a non-IP caller ID authentication solution as described in 64.6303(b) (See Section III below) Caller ID Authentication by Intermediate Providers (47 CFR § 63.6302) · Intermediate providers must implement the STIR/SHAKEN framework in the IP portions of their networks by June 30, 2021 by doing the following: o First, an intermediate provider must pass unaltered to the subsequent intermediate provider or voice service provider in the call path any authenticated caller ID information it receives with a SIP call unless (1) necessary for technical reasons to complete the call; or (2) where the intermediate provider reasonably believes the caller ID authentication information presents an imminent threat to its network security. o Second, an intermediate provider must either: § Authenticate caller ID information for all calls it receives for which the caller ID information has not been authenticated and which it will exchange with another provider as a SIP call OR § (1) cooperatively participate with the industry traceback consortium; and (2) respond fully and in a timely manner to all traceback requests it receives from the Commission, law enforcement, and the industry traceback consortium regarding calls for which it acts as an intermediate provider. Extensions of STIR/SHAKEN Implementation Deadline (47 CFR § 64.6304) · Several categories of voice service providers are eligible for extensions of the June 30, 2021 STIR/SHAKEN implementation deadline, including: o Small voice service providers (those with 100,000 or fewer lines) have a two-year extension until June 30, 2023. o Voice service providers offering services scheduled for discontinuance as of June 30, 2021, have a one-year extension, until June 30, 2022, to either implement STIR/SHAKEN or discontinue the service. o Voice service providers currently incapable of obtaining from the STI-GA a “certificate” necessary to implement STIR/SHAKEN have an extension until they can obtain a certificate. If a provider cannot obtain a certificate until timely filing into the robocall mitigation database, it must “diligently pursue” a certificate after such filing to continue to benefit from this extension. § In November 2020, STI-GA changed its policy to obtain a certificate. Under its revised policy, a provider need not have direct access to telephone numbers but instead must be listed in the robocall mitigation database. The policy still requires providers to obtain an operating company number and have submitted FCC Form 499A. o Service providers that filed extension requests by the November 20, 2020 deadline and the Wireline Competition Bureau (Bureau) were able to receive individualized extensions if they demonstrated that they met the Commission’s undue hardship standard. On March 30, 2021, the Bureau denied all pending extension requests. Robocall Mitigation Program Requirements (47 CFR § 64.6305(a)) · Voice service providers subject to an extension, including voice service providers operating non-IP networks, must implement a robocall mitigation program regarding the non-STIR/SHAKEN-enabled portions of their networks (both IP and non-IP). In adopting a mitigation program, the provider must: o Take reasonable steps to avoid originating robocall traffic. o Commit to respond to a request from the Industry Traceback Group to investigate suspected robocalls. o Cooperate in investigating and stopping any illegal robocallers. (See Section III below regarding duty to describe mitigation program and cooperation efforts). Intermediate Provider and Voice Service Provider Obligations (47 CFR § 64.6305(c)) · By September 28, 2021, intermediate providers and voice service providers may only accept calls directly from a voice service provider, including a foreign voice service provider that uses North American Numbering Plan resources that pertain to the U.S. to send traffic to residential or business subscribers in the U.S., if that voice service provider has filed a certification in the robocall mitigation database as described in 64.6303(b). (See Section III below). Exemptions from STIR/SHAKEN (47 CFR § 64.6306) · The Commission’s rules allow a provider to receive an exemption from the obligation to implement STIR/SHAKEN by June 30, 2021, by meeting certain early implementation benchmarks. This exemption process is separate from the extensions described above. The Bureau granted an exemption to seven providers in December 2020. o Providers that received an exemption must file a second certification to demonstrate that they met their implementation goals and the required criteria. Providers unable to make this second certification lose their exemption and may be referred to the Enforcement Bureau. Prohibition on Line Item Charges (47 CFR § 63.6307) · Voice service providers are prohibited from adding any line item charges to the bills of consumer or small business customer subscribers for caller ID authentication technology, as required by the TRACED Act. III. RECORDKEEPING AND REPORTING REQUIREMENTS The Caller ID Authentication Orders contain the following new or modified information collection and reporting requirements. Voice Service Providers’ Implementation of STIR/SHAKEN in non-IP-based Networks, Alternative Requirements (47 CFR § 64.6303(b)) · For the non-IP portions of their network, voice service providers must either (1) upgrade to IP and implement STIR/SHAKEN by June 30, 2021, OR (2) work to develop a non-IP caller ID authentication solution. If a provider wishes to comply by meeting the second option, it must maintain and be ready to provide the Commission on request with documented proof that it is participating (on its own or through a representative, including a third party representative) as a member of a working group, industry standards group, or consortium that is working to develop or is actively testing a non-IP caller ID authentication solution. Robocall Certification Database and Portal (47 CFR § 64.6305(b)) · All voice service providers must file a certification in an FCC database by June 30, 2021. o The certification must state whether it has fully implemented STIR/SHAKEN across its entire network or that calls on its network are subject to a robocall mitigation program. The certification must be filed in an FCC portal and signed by a company officer. · Those voice service providers required to implement a mitigation program (see Section II above) must describe the program in the certification, stating: o The type of extension the provider received. o The specific steps the provider has taken to avoid originating illegal robocalls. o Its commitment to fully and timely investigating traceback requests and stopping illegal robocallers using its service. · Those voice service providers required to implement a mitigation program must, along with the certification, also file the following information into the FCC portal: o the voice service provider’s business name(s) and primary address; o other business names in use; o all business names previously used; o whether it is a foreign voice service provider; AND o the name, title department, business address, telephone number, and email address of one person with the company responsible for addressing robocall mitigation-related issues. · A provider must update any information it previously submitted in its certification or the portal within ten business days of any change. IV. IMPLEMENTATION DATE The rules in the First Caller ID Authentication Report and Order and Further Notice of Proposed Rulemaking became effective on May 21, 2020. The rules in the Second Caller ID Authentication Report and Order became effective December 17, 2020, except for rules that required approval by the Office of Management and Budget (OMB) under the Paperwork Reduction Act, 47 CFR §§ 64.6303(b) and 64.6305(b). Those rules were approved by OMB and became effective on May 13, 2021. V. INTERNET LINKS A copy of the First Caller ID Authentication Report and Order and Further Notice of Proposed Rulemaking is available at: https://docs.fcc.gov/public/attachments/FCC-20-42A1.pdf A copy of the Second Caller ID Authentication Report and Order is available at: https://docs.fcc.gov/public/attachments/FCC-20-136A1.pdf A copy of the Bureau order granting seven voice service providers’ exemption requests is available at: https://docs.fcc.gov/public/attachments/DA-20-1533A1.pdf A copy of the Federal Register Summary of the First Caller ID Authentication Report and Order and Further Notice of Proposed Rulemaking is available at: https://www.govinfo.gov/content/pkg/FR-2020-04-21/pdf/2020-07585.pdf A copy of the Federal Register Summary of the Second Caller ID Authentication Report and Order is available at: https://www.govinfo.gov/content/pkg/FR-2020-11-17/pdf/2020-24904.pdf A copy of the Federal Register Notice announcing OMB approval of rules in the Second Caller ID Authentication Report and Order is available at: https://www.govinfo.gov/content/pkg/FR-2021-06-04/pdf/2021-11682.pdf A copy of the Caller ID Authentication Rules (47 CFR § 64.6300 et seq.) is available at: https://www.ecfr.gov/cgi-bin/text-idx?SID=05b3c248d829d4ccfe957a6c5a461c85&mc=true&node=sp47.3.64.hh&rgn=div6. A copy of the TRACED Act is available at: https://www.congress.gov/116/plaws/publ105/PLAW-116publ105.pdf