Federal Communications Commission DA 22-1303 DA 22-1303 Released: December 12, 2022 WIRELINE COMPETITION BUREAU ANNOUNCES DEADLINES FOR GATEWAY PROVIDER ROBOCALL MITIGATION REQUIREMENTS AND ADDITIONAL COMPLIANCE DATES AND FILING INSTRUCTIONS WC Docket No. 17-97 In this Public Notice, the Wireline Competition Bureau (Bureau) announces that gateway providers have until January 11, 2023 to submit certifications, including robocall mitigation plans, to the Robocall Mitigation Database (Database) pursuant to section 64.6305(d) of the Commission’s rules. 47 CFR § 64.6305(d). The Database is now open to accept gateway provider filings. Based on this deadline, intermediate providers and voice service providers will be prohibited from accepting traffic from gateway providers not listed in the Database beginning April 11, 2023. See id. § 64.6305(e)(3). The implementation of these requirements is a critical step in protecting consumers in the United States from foreign-originated illegal robocalls, which the Commission has observed are a significant portion, if not the majority, of all illegal robocalls. See Advanced Methods to Combat Unlawful Robocalls; Call Authentication Trust Anchor, GC Docket No. 17-59, WC Docket No. 17-97, Sixth Report and Order in GC Docket No. 17-59, Fifth Report and Order in WC Docket No. 17-97, Order on Reconsideration in WC Docket No. 17-97, Order, Seventh Further Notice of Proposed Rulemaking in GC Docket No. 17-59, and Fifth Further Notice of Proposed Rulemaking in WC Docket No. 17-97, FCC 22-37 at 11, para. 23 (May 20, 2022) (Gateway Provider Order). The Bureau also announces the compliance deadlines for certain other requirements adopted in the Gateway Provider Order and Database filing instructions for foreign voice service providers subject to bona fide foreign legal constraints that conflict with any of the certifications or attestations required of Database filers. See id. at 92, para. 248. I. ROBOCALL MITIGATION REQUIREMENTS FOR GATEWAY PROVIDERS AND ASSOCIATED DEADLINES Implementation of Robocall Mitigation Programs. In the Gateway Provider Order, the Commission promulgated rules requiring gateway providers, which serve as the entry point for foreign calls into the United States, The Commission defined “gateway provider” to mean “a U.S.-based intermediate provider that receives a call directly from a foreign originating provider or foreign intermediate provider at its U.S.-based facilities before transmitting the call downstream to another U.S.-based provider.” Id. at 12, para. 25. to play a more active role in the fight against illegal robocalls. See generally id. at 10-50, paras. 19-121. Among other provisions, The Commission also adopted rules requiring gateway providers to: (1) apply STIR/SHAKEN caller ID authentication to all unauthenticated foreign-originated Session Initiation Protocol (SIP) calls with U.S. North American Numbering Plan (NANP) numbers; (2) respond to traceback requests within 24 hours; (3) block calls where it is clear they are conduits for illegal traffic; and (4) implement “know your upstream provider” obligations. See id. at 22-43, paras. 51-101. Gateway providers are required to authenticate unauthenticated SIP traffic pursuant to STIR/SHAKEN by June 30, 2023. Id. at 28, para. 59. The 24-hour traceback requirement became effective for gateway providers on September 23, 2022, following Office of Management and Budget (OMB) approval of the associated information collection requirements pursuant to the Paperwork Reduction Act (PRA). See 87 Fed. Reg. 42916 (July 18, 2022) (Federal Register Summary); OMB Control Number 3060-1303. the Commission adopted rules requiring gateway providers to develop and implement robocall mitigation programs with respect to calls that are carrying a U.S. number in the caller ID field. See Gateway Provider Order at 15, 16, paras. 32, 34; 47 CFR § 64.6305(b). Such robocall mitigation programs must include: (1) reasonable steps to avoid carrying or processing illegal robocall traffic; 47 CFR § 64.6305(b)(2). The Commission adopted a general mitigation standard for gateway providers that requires them to take “reasonable steps to avoid carrying or processing illegal robocall traffic,” regardless of whether they have fully implemented STIR/SHAKEN on the IP portions of their network. Gateway Provider Order at 43, para. 102. (2) a commitment to respond fully and within 24 hours to all traceback requests from the Commission, law enforcement, and the industry traceback consortium; 47 CFR § 64.6305(b)(2). and (3) a commitment to cooperate with such entities in investigating and stopping any illegal robocallers that use the gateway provider’s service to carry or process calls. Id. The Bureau hereby announces that the deadline for gateway providers to implement robocall mitigation programs meeting these requirements is January 11, 2023. The Commission directed the Bureau to announce a compliance deadline for the gateway provider robocall mitigation program requirement in section 64.6305(b) of its rules after determining whether OMB review under the PRA is required. Gateway Provider Order at 92, para. 248; see also Federal Register Summary at 42916. The Bureau determined that the amendment to section 64.6305(b) does not contain information collection requirements and did not seek OMB approval. 87 Fed. Reg. 75943 (December 12, 2022) (Federal Register Notice). Certification Requirements. Gateway providers must file robocall mitigation plans meeting the requirements above Gateway providers are not required to describe their mitigation program in a particular manner but must clearly explain how they are complying with the know-your-upstream-provider obligation adopted in the Order. Gateway Provider Order at 17, para. 37; see id. at 41-43, paras. 96-101 (adopting “know your upstream provider” requirement for gateway providers); 47 CFR § 64.1200(n)(3). with the Commission as part of a certification submitted to the Database stating whether they have fully, partially, or not implemented STIR/SHAKEN on the IP portions of their networks. 47 CFR § 64.6305(d)(1), (2)(ii)-(iii). All gateway provider and voice service provider certification options require the filer to upload a robocall mitigation program description, except for voice service providers certifying to complete STIR/SHAKEN implementation. If the gateway provider is subject to a STIR/SHAKEN implementation extension pursuant to section 64.6304 of the Commission’s rules, the gateway provider must also include that information as part of its certification. Id. § 64.6305(d)(2)(i). When filing their certifications, gateway providers must submit the same identifying information required of all voice service providers filing in the Database. Gateway Provider Order at 20, para. 45. Such information must include: (1) the business name(s) and primary address of the gateway provider; (2) other business names in use by the gateway provider; (3) all business names previously used by the gateway provider; (4) whether the gateway provider or any affiliate is also a foreign voice service provider; and (5) the name, title, department, business address, telephone number, and email address of one person within the company responsible for addressing robocall mitigation-related issues. Id. at 17, para. 36. All certifications submitted to the Database must be in English or with a certified English translation, 47 CFR § 64.6305(d)(2). and must be signed by an officer in conformity with section 1.16. Id. § 64.6305(d)(3); id. § 1.16. To the extent a gateway provider filing was imported into the Database via the Intermediate Provider Registry, that Database entry is not sufficient to meet the gateway provider’s affirmative obligation to submit a certification to the Database. Gateway Provider Order at 20, para. 45. Such providers must submit an affirmative filing and certification consistent with the filing requirements and instructions provided in this Public Notice. Pursuant to the rules adopted in the Gateway Provider Order, all gateway providers required to submit a certification and mitigation plan to the Database must do so by January 11, 2023. The Commission required gateway providers to submit a certification to the Database by 30 days following publication in the Federal Register of notice of approval by OMB of any associated PRA obligations. Id. at 16, para. 34; see also id. at 21, para. 47. OMB approval for the information collection required by the amendment to section 64.6305(d) of the Commission’s rules was obtained on October 13, 2022. OMB Control Number 3060-1285. Notice of OMB approval was published in the Federal Register on December 12, 2022. Federal Register Notice at 75943. Gateway Providers That Are Also Voice Service Providers. A gateway provider that previously submitted a certification and, if applicable, a robocall mitigation plan to the Database as a voice service provider, must amend its current certification and any mitigation plan to comply with the requirements for gateway providers described above. See Gateway Provider Order at 18, para. 39 (“We delegate to the [Bureau] the authority to specify the form and format of any submissions . . . [including] whether gateway providers that are also voice service providers may either submit a separate certification and plan as a gateway provider or amend their current certification and any plan.”). Only a single Database filing can be associated with a given FCC Registration Number (FRN), and therefore a gateway provider that is also a voice service provider will not be permitted to submit a separate certification using the same FRN used to submit its voice service provider certification. See the Robocall Mitigation Database Filing Instructions for more information, available at https://www.fcc.gov/sites/default/files/rmd-instructions.pdf. Such providers will have the opportunity to indicate on the submission form that they are certifying as both a gateway provider and a voice service provider, and will be presented with two sets of certification options—one set containing the required certifications for gateway providers See 47 CFR § 64.6305(d)(1). and one set containing the required certifications for voice service providers. See id. § 64.6305(c)(1). The certification option the provider previously selected when it certified as a voice service provider will be pre-selected on the submission form, but may be modified. See the Robocall Mitigation Database filing instructions for more information, available at https://www.fcc.gov/sites/default/files/rmd-instructions.pdf. A gateway provider that is also a voice service provider need only submit a single mitigation plan, but should explain the mitigation steps it undertakes as a gateway provider and the mitigation steps it undertakes as a voice service provider, to the extent those mitigation steps are different for each role. Amended certifications and associated robocall mitigation plans must also be completed by January 11, 2023. See Gateway Provider Order at 20, para. 45; Federal Register Notice at 75944. Obligations on Downstream Intermediate Providers and Voice Service Providers. In the Gateway Provider Order, the Commission adopted a rule prohibiting “downstream providers . . . from accepting any traffic from a gateway provider not listed in the Robocall Mitigation Database, either because the provider did not file or their certification was removed from the Robocall Mitigation Database as part of an enforcement action.” Gateway Provider Order at 19-20, para. 44. The Commission stated that this rule would be effective “90 days following the deadline for gateway providers to submit a certification to the Robocall Mitigation Database.” Id. at 20, para. 44. With the filing deadline now established for January 11, 2023, this prohibition will go into effect on April 11, 2023. As of that day, intermediate providers and voice service providers will be prohibited from accepting calls directly from a gateway provider if that gateway provider’s filing does not appear in the Database and show that the gateway provider has affirmatively submitted the filing. 47 CFR § 64.6305(e)(3); see also Gateway Provider Order at 20, para. 44. As a result of gateway providers’ affirmative obligation to submit a certification in the Database, downstream providers will no longer be able to rely upon any gateway provider Database registration imported from the Intermediate Provider Registry when making blocking determinations. Gateway Provider Order at 20, para. 45. To assist providers in making blocking determinations, two new columns have been added to the Database: a “Gateway Provider” column and an “Imported” column. The “Gateway Provider” column will display “Yes” for a given filing if the filer indicated on the submission form that it is a gateway provider or a combined gateway and voice service provider, and “No” if the filer indicated it is neither. The “Imported” column will display “True” if a filing was imported from the Intermediate Provider Registry and “False” if it was not imported. Viewed together, these columns will enable providers to differentiate between affirmative gateway provider filings and imported gateway provider filings when making blocking determinations. See id. (“We delegate to the [Bureau] to make the necessary changes to the Robocall Mitigation Database to indicate whether a gateway provider has made an affirmative filing (as opposed to being imported as an intermediate provider) . . . .”). The Bureau will remove from the Database the filing and certification of any provider that is de-listed pursuant to an enforcement action and no record of the de-listed filing will remain in the Database. See id. (“The Bureau may, pursuant to an enforcement action, remove the record of a providers’ filing or clearly mark it in a way so that downstream providers may not rely on it.”). Certification Filing Instructions. Gateway providers must submit their certification, mitigation plan, identification information, and contact information via the Database portal on the Commission’s website at https://fccprod.servicenowservices.com/rmd?id=rmd_welcome. Updated instructions for submitting a certification and accompanying information can be found at https://www.fcc.gov/files/rmd-instructions. See id. at 21, para. 47 (“We direct the [Bureau] to make the necessary changes to the Robocall Mitigation Database portal and provide appropriate filing instructions and training materials consistent with this Order.”). Gateway providers must submit any necessary updates regarding changes to their certification, mitigation plan, identification information, or contact information to the Commission within 10 business days of the change. 47 CFR § 64.6305(d)(5); see also Gateway Provider Order at 18, para. 39. Intermediate provider entries will continue to be imported from the Intermediate Provider Registry to the Database on a rolling basis, and can now be identified by the “Imported” column, as described above. See Gateway Provider Order at 21, para. 48 (“[W]e direct the Bureau to determine how to manage the imported data of gateway providers and to announce its determination as part of its guidance described in the paragraph above.”). Database Location. The Database is publicly available on the Commission’s website at https://fccprod.servicenowservices.com/rmd?id=rmd_listings. A list of all providers with current filings in the database, published as a .csv file, may be downloaded at any time at https://fccprod.servicenowservices.com/rmd?id=rmd_welcome. This list excludes providers with filings that have been removed pursuant to an enforcement action or were voluntarily deleted. Confidential Submissions. Filers will be able to request that any materials or information submitted to the Commission in their certifications be withheld from public inspection. To do so, a gateway provider must first submit a confidentiality request in WC Docket No. 17-97 through the Commission’s Electronic Comment Filing System (ECFS). See 47 CFR § 0.459; Wireline Competition Bureau Adopts Protective Order for Robocall Mitigation Program Descriptions, WC Docket No. 17-97, Public Notice, Appx. A, 36 FCC Rcd 14562, 14566, para. 2 (WCB 2021) (defining confidential information filed as part of a robocall mitigation plan as information filed consistent with the protective order or sections 0.459 or 0.461 of the Commission’s rules). The gateway provider will then be able to submit redacted (i.e., public) and unredacted (i.e., non-public) copies of its robocall mitigation program description via the Commission’s portal. Comprehensive instructions for submitting confidential filings via the portal are available at https://www.fcc.gov/files/rmd-instructions. II. ADDITIONAL COMPLIANCE DEADLINES In the Gateway Provider Order, the Commission directed the Bureau to announce compliance deadlines for two additional requirements after obtaining OMB approval of the related information collection requirements. Gateway Provider Order at 92, para. 248; Federal Register Summary at 42916. First, the Commission required gateway providers to either upgrade their non-IP networks to IP and implement STIR/SHAKEN, or work with a working group, standards group, or consortium to develop a non-IP caller ID authentication solution. 47 CFR § 64.6303(b); see also Gateway Provider Order at 29, para. 62. As with voice service providers, gateway providers that choose to work with a working group are subject to an extension to implement STIR/SHAKEN in the non-IP portions of their networks. Gateway Provider Order at 29, para. 62; see also 47 CFR § 64.6304. The Commission adopted a compliance deadline of June 30, 2023 for this requirement, but ordered that compliance with the deadline be delayed if required to obtain OMB approval of any associated information collection. Gateway Provider Order at 92, para. 248. The Commission also directed the Bureau to announce compliance dates for sections 64.6305(b) and 64.6305(d) of its rules. Those compliance dates are announced above. Because OMB approval of the information collection has been obtained and notice of the approval has been published in the Federal Register, See Federal Register Notice at 75943. the Bureau hereby confirms that gateway providers must comply with the Commission’s rules regarding caller ID authentication in non-IP networks in section 64.6303(b) by June 30, 2023. Second, the Commission codified a requirement that all voice service providers submit information to the Database in English or with a certified English translation in an amendment to section 64.6305(c)(2) of the Commission’s rules. Gateway Provider Order at 18, para. 38; 47 CFR § 64.6305(c)(2). OMB has approved the information collection associated with that amendment and the Bureau hereby announces a compliance deadline of January 11, 2023. As the Commission explained in the Gateway Provider Order, however, the requirement to submit a certified translation for filings written in a language other than English is mandated by a separate provision of the Commission’s rules that has remained in effect during the pendency of OMB’s review of the information collection. Gateway Provider Order at 18, para. 38 & n.117; see also 47 CFR § 1.355 (“Every document, exhibit, or other paper written in a language other than English, which shall be filed in any proceeding, or in response to any order, shall be filed in the language in which it is written together with an English translation thereof duly verified under oath . . . .”). III. INSTRUCTIONS FOR FOREIGN VOICE SERVICE PROVIDERS FACING CONFLICTING LEGAL OBLIGATIONS In the Gateway Provider Order, the Commission noted arguments made by several commenters that foreign providers may not be able to file in the Database Foreign voice service providers that use NANP numbers that pertain to the United States to send voice traffic to residential and business subscribers in the United States must follow the same certification requirements as domestic voice service providers in order to be listed in the Database. Call Authentication Trust Anchor, WC Docket No. 17-37, Second Report and Order, 36 FCC Rcd 1859, 1905, para. 90 (2020). Because the Commission prohibits domestic intermediate providers and terminating voice service providers from accepting traffic from foreign voice service providers that use NANP numbers that pertain to the United States and are not listed in the Database, such foreign voice service providers have a strong incentive to file certifications. Id. because foreign legal obligations may prevent them from satisfying the traceback obligations imposed on all such filers, and directed the Bureau to make any limited changes to the Database that are necessary to ensure that foreign providers are able to provide any necessary explanations. Gateway Provider Order at 50, para. 121. To the extent that foreign providers face bona fide foreign legal constraints that conflict with any of the certifications or attestations required of Database filers, such foreign providers should explain any such legal constraints in their robocall mitigation program description. If such foreign provider is submitting a voice service provider certification only—that is, not as a gateway provider or as a combined gateway and voice service provider—and has fully implemented STIR/SHAKEN, the foreign provider should certify to partial STIR/SHAKEN implementation so that it may upload a robocall mitigation program description and explain any such foreign legal constraints. Voice service providers certifying to complete STIR/SHAKEN implementation are not currently required to upload a robocall mitigation program description. The foreign provider should note in its robocall mitigation program description that it has fully implemented STIR/SHAKEN but has certified to partial STIR/SHAKEN so that it may upload a program description explaining any foreign legal constraints regarding its certification. For further information, please contact Erik Beith, Wireline Competition Bureau, Competition Policy Division, at (202) 418-0756 or by email at Erik.Beith@fcc.gov. - FCC - 2