Federal Communications Commission FCC 21-105 Before the FEDERAL COMMUNICATIONS COMMISSION WASHINGTON, D.C. 20554 In the Matter of Advanced Methods to Target and Eliminate Unlawful Robocalls Call Authentication Trust Anchor ) ) ) ) ) ) CG Docket No. 17-59 WC Docket No. 17-97 FIFTH FURTHER NOTICE OF PROPOSED RULEMAKING IN CG DOCKET NO. 17-59 & FOURTH FURTHER NOTICE OF PROPOSED RULEMAKING IN WC DOCKET NO. 17-97 Adopted: September 30, 2021 Released: October 1, 2021 Comment Date: (30 days after date of publication in the Federal Register) Reply Comment Date: (60 days after date of publication in the Federal Register) By the Commission: Acting Chairwoman Rosenworcel and Commissioner Starks issuing separate statements. TABLE OF CONTENTS I. INTRODUCTION 1 II. BACKGROUND 4 III. DISCUSSION 22 A. Need for Action 24 B. Scope of Requirements and Definitions 32 C. Authentication 38 D. Robocall Mitigation 51 1. 24-Hour Traceback Requirement 52 2. Mandatory Blocking 56 3. “Know Your Customer” Requirements for Gateway Providers 80 4. Contractual Provisions 87 5. General Mitigation Standard 91 E. Robocall Mitigation Database 94 F. Alternative Approaches 103 G. Expected Benefits and Costs 107 H. Legal Authority 112 IV. PROCEDURAL MATTERS 120 V. ORDERING CLAUSES 127 Appendix A Proposed Rules Appendix B Initial Regulatory Flexibility Analysis I. INTRODUCTION 1. In this Further Notice of Proposed Rulemaking (Further Notice), we propose to take decisive action to stem the tide of foreign-originated illegal robocalls. Eliminating illegal robocalls that originate abroad is one of the most vexing challenges we face in eliminating the scourge of robocalling because of the difficulties presented by foreign-based robocallers. The rules we propose today will help to address this problem by placing new obligations on the gateway providers that are the point of entry for foreign calls into the United States, requiring them to lend a hand in the fight against illegal robocalls originating abroad. 2. Specifically, we propose to require gateway providers to apply STIR/SHAKEN caller ID authentication to, and perform robocall mitigation on, foreign-originated calls with U.S. numbers. This proposal would subject foreign-originated calls, once they enter the United States, to requirements similar to those of domestic-originated calls, by placing additional obligations on gateway providers in light of the large number of illegal robocalls that originate abroad and the risk such calls present to Americans. We further propose and seek comment on a number of additional robocall mitigation requirements to ensure that gateway providers take steps to prevent illegal calls from entering the U.S. network. Doing so will continue our aggressive and multi-pronged approach to combatting illegal robocalls. 3. We also take this opportunity to make general improvements to our anti-robocalling rules by seeking comment on revisions to the information that filers must submit to the Robocall Mitigation Database and by clarifying the obligations of voice service providers and intermediate providers with respect to calls to and from Public Safety Answer Points (PSAPs) and other emergency services providers. II. BACKGROUND 4. Unwanted calls, which include illegal robocalls, are consistently the Commission’s top source of consumer complaints. The Commission received approximately 232,000 such complaints in 2018, 193,000 in 2019, 154,000 in 2020, and 131,000 in 2021 as of September 28th. FCC, Consumer Complaint Data Center, https://www.fcc.gov/consumer-help-center-data (last visited Sept. 28, 2021). Multiple factors can affect these numbers, including outreach efforts and media coverage on how to avoid unwanted calls. Complaint numbers declined significantly during the first four months of the COVID-19 pandemic, reducing the total number of complaints the Commission received in 2020. Consumer harm from unwanted and illegal calls ranges from simple irritation to fraud and financial loss. In fact, the Federal Trade Commission (FTC) reports that American consumers lost $436 million to fraud over the phone and $86 million to fraud by text message in 2020. FTC, Consumer Sentinel Network Data Book 2020 at 12 (2021), https://www.ftc.gov/system/files/documents/reports/consumer-sentinel-network-data-book-2020/csn_annual_data_book_2020.pdf. This reported fraud is only a fraction of the approximately $13.5 billion in estimated annual costs from illegal robocalls. Call Authentication Trust Anchor, Implementation of the TRACED Act Section 6(a) Knowledge of Customers by Entities with Access to Numbering Resources, WC Docket Nos. 17-97, 20-67, Report and Order and Further Notice of Proposed Rulemaking, 35 FCC Rcd 3241, 3263, paras. 47-48 (2020) (First Caller ID Authentication Report and Order and Further Notice of Proposed Rulemaking). Caller ID spoofing—the practice whereby a caller misrepresents, or “spoofs,” the information in the caller ID field—poses a particular problem because the identity of the calling party is falsified. 5. The Commission and Congress have long acknowledged that illegal robocalls that originate abroad are a significant part of the robocall problem. In a 2011 report to Congress, the Commission stated that “caller ID spoofing directed at the United States by people and entities operating outside the country can cause great harm.” Caller Identification Information in Successor or Replacement Technologies, Report, 26 FCC Rcd 8643, 8655, para. 25 (2011). Congress highlighted this problem in 2018, when it amended the Communications Act of 1934, as amended (the Act), to prohibit spoofing calls or texts originating outside the U.S. See Consolidated Appropriations Act, 2018, Pub. L. No. 115-141, Div. P, Title V, § 503, 132 Stat. 348, 1091-94 (2018) (codified as amended in 47 U.S.C. § 227(e)) (RAY BAUM’S Act). Similarly, in 2020, the North American Numbering Council (NANC), the Commission’s advisory committee of outside experts on telephone numbering matters, stated that “it is a long-standing problem that international gateway traffic is a significant source of fraudulent traffic.” North American Numbering Council Call Authentication Trust Anchor Working Group, Best Practices for the Implementation of Call Authentication Frameworks at 14 (2020), https://docs.fcc.gov/public/attachments/DOC-367133A1.pdf (2020 NANC Best Practices Report). While these calls pose a significant problem, our jurisdiction does not generally apply directly to foreign entities. 6. Types of Illegal Calls. Illegal calls can come in many forms. Perhaps the most well-known illegal calls are those that are simply fraudulent, where the caller poses as a business, or even a government entity, in order to obtain payment or personal information. Fraudulent calls may violate any of a number of state or federal statutes. See, e.g., Telemarketing Consumer Fraud and Abuse Prevention Act, 15 U.S.C. §§ 6101-6108; Credit Card Fraud Act of 1984, 18 U.S.C. § 1029; Communications Act Amendments, 1952, 18 U.S.C. §§ 1343, 1344. These calls can take a number of forms, but some common scams include callers posing as the Internal Revenue Service (IRS) or Social Security Administration (SSA), scams following natural disasters, or auto warranty scams. The IRS continues to warn consumers about phone scams, or “vishing” as part of its annual “Dirty Dozen” scams, stating that while overall it has seen a decline in reports of scammers claiming to be the IRS, consumers should remain cautious. Internal Revenue Service, IRS Urges Caution with Email, Social Media, and Phones as Part of “Dirty Dozen” Series (June 29, 2021), https://www.irs.gov/newsroom/irs-urges-caution-with-email-social-media-and-phones-as-part-of-dirty-dozen-series. The SSA also warns consumers to be wary of phone scams, providing tips to consumers on how to recognize these calls. Social Security Administration, What Should I Do if I Get a Call Claiming There’s a Problem with My Social Security Number or Account? (Dec. 9, 2020), https://faq.ssa.gov/en-us/Topic/article/KA-10018. See also Federal Communications Commission, After Storms, Watch Out for Scams (Sept. 18, 2020), https://www.fcc.gov/consumers/guides/after-storms-watch-out-scams; Federal Communications Commission, Watch Out for Auto Warranty Scams (Mar. 4, 2021), https://www.fcc.gov/consumers/guides/beware-auto-warranty-scams. Taken together, the FTC received over 700,000 reports of fraud by phone or text in 2020 alone. FTC, Consumer Sentinel Network Data Book 2020 at 12 (2021), https://www.ftc.gov/system/files/documents/reports/consumer-sentinel-network-data-book-2020/csn_annual_data_book_2020.pdf. 7. But calls need not be fraudulent to be illegal. Calls can violate the Telephone Consumer Protection Act (TCPA), which prohibits initiating “any telephone call to any residential telephone line using an artificial or prerecorded voice to deliver a message without the prior express consent of the called party,” with certain statutory exemptions. See 47 U.S.C. § 227(b)(1)(B). The TCPA exempts from this prohibition calls for emergency purposes. See id.; see also 47 CFR § 64.1200(f)(4) (defining “emergency purposes”). In addition, in all but one instance, artificial or prerecorded voice messages must state the identity of the business, individual, or other entity that is responsible for initiating the call clearly at the beginning of the message as well as the telephone number either during or at the end of the message. 47 CFR § 64.1200(b)(1). Finally, the TCPA authorizes the Commission to adopt regulatory exemptions to 47 U.S.C. § 227(b)(1)(B) for certain types of calls, including those not made for commercial purposes or that do not include an unsolicited advertisement. 47 U.S.C. § 227(b)(2)(B). Similarly, the TCPA prohibits, without the prior express consent of the called party, any call using an automatic telephone dialing system or an artificial or prerecorded voice to any telephone number “assigned to a . . . cellular telephone service, . . . or any service for which the called party is charged for the call” unless a statutory exemption applies. See 47 U.S.C. § 227(b)(1)(A)(iii). The TCPA grants the Commission authority to exempt certain calls from the requirements of 47 U.S.C. § 227(b)(1)(A)(iii). 8. Calls are also illegal in some instances where the caller ID information has been spoofed. The Truth in Caller ID Act of 2009 made it illegal to transmit false or misleading caller ID information in order to defraud, cause harm, or wrongfully obtain something of value. 47 U.S.C. § 227(e)(1). And as we explained, in 2018, Congress extended this prohibition to reach spoofing activities directed at consumers in the United States from foreign actors, and applied the prohibition to alternative voice and text message services. See RAY BAUM’S Act. 9. In enforcement actions, the Commission has found that robocalling campaigns, regardless of the content of the robocalls, may violate the Truth in Caller ID Act and its implementing rules. Specifically, the Commission has found that when an entity spoofs a large number of calls in a robocall campaign, it causes harm to: (1) the subscribers of the numbers that are spoofed; (2) the consumers who receive the spoofed calls; and (3) the terminating carriers forced to deliver the calls to consumers and handle “consumers’ ire,” thereby increasing their costs. See John C. Spiller et al., File No.: EB-TCD-18-0027781, Notice of Apparent Liability for Forfeiture, 35 FCC Rcd 5948, 5957-61, paras. 23-33 (2020) (Spiller NAL). The Commission has held that the element of “harm” is broad and “encompasses financial, physical, and emotional harm” and that “intent” can be found when the harms can be shown to be “substantially certain” to result from the spoofing. Rules and Regulations Implementing the Truth in Caller ID Act of 2009, WC Docket No. 11-39, Report and Order, 26 FCC Rcd 9114, 9122, para. 22 (2011); see also Affordable Enterprises of Arizona, LLC, Notice of Apparent Liability for Forfeiture, 33 FCC Rcd 9233, 9242-43, para. 26 n.70 (2018) (citing Restatement (Second) of Torts § 8A, comment b, p. 15 (“Intent is not . . . limited to consequences which are desired. If the actor knows that the consequences are certain, or substantially certain, to result from his act, and still goes ahead, he is treated by the law as if he had in fact desired to produce the result.”). Cf. Burr v. Adam Eidemiller, Inc., 386 Pa. 416 (1956) (intentional invasion can occur when the actor knows that it is substantially certain to result from his conduct); Garratt v. Dailey, 13 Wash. 2d. 197 (1955) (finding defendant committed an intentional tort when he moved a chair if he knew with “substantial certainty” that the plaintiff was about to sit down). When an entity knowingly uses a number that does not belong to it “to make a large number of calls . . . the intent to harm may be imputed” to the spoofing entity. Spiller NAL, 35 FCC Rcd at 5959, para. 25. Moreover, the Commission has found that repeated spoofing of unassigned numbers is “a strong indication” that the caller has the intent to defraud or cause harm. Best Insurance Contracts, Inc, and Philip Roesel et al., File No. EB-TCD-16-00023195, Forfeiture Order, 33 FCC Rcd 9204, 9215-16, n.85 (2018); see also Best Insurance Contracts Inc., and Philip Roesel, et al., File No. EB-TCD-16-00023195, Notice of Apparent Liability for Forfeiture, 32 FCC Rcd 6403, 6411, para. 23 (2017); Advanced Methods to Target and Eliminate Unlawful Robocalls, CG Docket No. 17-59, Report and Order and Further Notice of Proposed Rulemaking, 32 FCC Rcd 9706, 9713, para. 18 (2017) (First Call Blocking Order) (“Use of an unassigned number provides a strong indication that the calling party is spoofing the Caller ID to potentially defraud and harm a voice service subscriber. Such calls are therefore highly likely to be illegal.”). 10. STIR/SHAKEN Caller ID Authentication. While the Truth in Caller ID Act made spoofing illegal in certain instances, it did not by itself solve a fundamental technical problem: how to identify spoofing in the first instance and track down the call originator after discovering spoofing had occurred. To address this challenge, technologists from the Internet Engineering Task Force (IETF) and the Alliance for Telecommunications Industry Solutions (ATIS) developed standards to allow for the authentication and verification of caller ID information carried over Internet Protocol (IP) networks. See Call Authentication Trust Anchor, WC Docket No. 17-97, Second Report and Order, 36 FCC Rcd 1859, 1862, para. 6 (2020) (Second Caller ID Authentication Report and Order); 47 CFR § 64.6300(h) (defining SIP call as “calls initiated, maintained, and terminated using the Session Initiation Protocol signaling protocol”). The result of their efforts is the STIR/SHAKEN caller ID authentication framework, More specifically, a working group of the IETF called the Secure Telephony Identity Revisited (STIR) developed several protocols for authenticating caller ID information. See Second Caller ID Authentication Report and Order, 35 FCC Rcd at 1862-63, para. 7. And ATIS, in conjunction with the SIP Forum, produced the Signature-based Handling of Asserted information using toKENs (SHAKEN) specification, which standardizes how the protocols produced by STIR are implemented across the industry. Id. which allows for authenticated caller ID information to securely travel with the call itself throughout the entire length of the call path. Id. at 1862, para. 6. The Commission, consistent with Congress’s direction in the Pallone-Thune Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act, adopted rules requiring voice service providers to implement STIR/SHAKEN in the IP portions of their voice networks by June 30, 2021, 47 CFR § 64.6301; First Caller ID Authentication Report and Order and Further Notice of Proposed Rulemaking, 35 FCC Rcd at 3252, para. 24. In this Further Notice of Proposed Rulemaking, we use the terms “voice service provider” and “intermediate provider” consistent with the definitions in Part 64, Subpart HH of the Commission’s rules, unless otherwise specified. See 47 CFR § 64.6300. Thus, “voice service provider” as used in this Further Notice refers, unless otherwise specified, to a provider of “service that is interconnected with the public switched telephone network and that furnishes voice communications to an end user using resources from the North American Numbering Plan” and “intermediate provider” refers to “any entity that carries or processes traffic that traverses or will traverse the PSTN at any point insofar as that entity neither originates nor terminates that traffic.” Id. at § 64.6300(f), (l). The term “voice service provider” has a different meaning in the Commission’s Call Blocking Orders, and there includes intermediate providers. See, e.g., Advanced Methods to Target and Eliminate Unlawful Robocalls, CG Docket No. 17-59, Fourth Report and Order, 35 FCC Rcd 15221, 1552 n.2 (2020) (Fourth Call Blocking Order). Our use of the term “voice service provider” in this Further Notice does not expand on or narrow that phrase as used in those Orders and associated rules. subject to certain exceptions. 47 CFR §§ 64.6304, 64.6306; see also Second Caller ID Authentication Report and Order, 36 FCC Rcd at 1876-83, paras. 36-51, 1897-1907, paras. 74-94. 11. At a high level, the STIR/SHAKEN framework consists of two components: (1) the technical process of authenticating and verifying caller ID information; and (2) the certificate governance process that maintains trust in the caller ID authentication information transmitted along with a call. Second Caller ID Authentication Report and Order, 36 FCC Rcd at 1862-63, para. 7. Regarding the technical process, STIR/SHAKEN requires that the provider authenticating the call attach additional, encrypted information to the metadata that travels along with a call, which allows the terminating voice service provider to verify that the caller ID is legitimate. Id. at 1863, para. 8. The authenticating provider must include in this information its own identity as the provider that authenticated the call and an “attestation level” to signify what it knows about the calling party and its right to use the number in the caller ID. Id. at 1863-64, para. 10. The current STIR/SHAKEN standards allow for three attestation levels. The highest level of attestation—called “full” or “A-level”—asserts that the authenticating provider can confirm the identity of the subscriber making the call and that it is using its associated telephone number. The next-highest level of attestation—called “partial” or “B-level”—asserts that the authenticating provider can confirm the identity of the subscriber but not the telephone number. The lowest level of attestation—called “gateway” or “C-level”—asserts only that the provider is the point of entry to the IP network for a call that originated elsewhere and has no relationship to the call initiator. See id. The authenticating provider must also include a digital “certificate” which says, in essence, that the provider is the entity it claims to be and that it has the right to authenticate the caller ID information. Id. at 1864, para. 11. 12. To maintain trust and accountability in the providers that vouch for the caller ID information, a neutral governance system issues these certificates. Id. The STIR/SHAKEN governance system requires several roles in order to operate: (1) a Governance Authority, which defines the policies and procedures for which entities can issue or acquire certificates; This role is currently filled by the Secure Telephone Identity Governance Authority. Secure Telephone Identity Governance Authority, STI Governance Authority, https://www.atis.org/sti-ga/ (last visited Sept. 2, 2021). (2) a Policy Administrator, which applies the rules set by the Governance Authority, confirms that Certification Authorities are authorized to issue certificates, and confirms that voice service providers are authorized to request and receive certificates; After a request for proposals process, the Governance Authority selected iconectiv to fill this role. Press Release, ATIS, Mitigating Illegal Robocalling Advances with Secure Telephone Identity Governance Authority Board’s Selection of iconectiv as Policy Administrator (May 30, 2019), https://sites.atis.org/insights/mitigating-illegal-robocalling-advances-with-secure-telephone-identity-governance-authority-boards-selection-of-iconectiv-as-policy-administrator/. (3) Certification Authorities, which issue the certificates used to authenticate and verify calls; As the Policy Administrator, iconectiv vets and approves organizations interested in serving as a Certification Authority. See Press Release, STI Governance Authority, Certification Authority registration now open for U.S. Calling Number Verification Service (Dec. 6, 2019), https://www.atis.org/press-releases/certification-authority-registration-now-open-for-u-s-calling-number-verification-service/. The Policy Administrator website reflects that there are currently eight approved Certification Authorities. See Approved Certification Authorities, iconectiv, https://authenticate.iconectiv.com/approved-certification-authorities (last visited Sept. 2, 2021). and (4) the authenticating providers themselves, which select an approved Certification Authority from which to request a certificate. Second Caller ID Authentication Report and Order, 36 FCC Rcd at 1864-65, para. 11. Under the current Governance Authority rules, a provider must meet certain requirements to receive a certificate. See STI Governance Authority, STI-GA Policy Decisions Binder, Version, 2.0 at 6 (July 26, 2021), Policy Decision 001: SPC Token Access Policy, version 1.2 (May 18, 2021), https://sti-ga.atis.org/wp-content/uploads/sites/14/2021/07/210726-STIGA-Board-Policy-Decision-Binder-Revised-Final.pdf (STI-GA Token Access Policy). To obtain a token, the Governance Authority policy requires that a provider must “(1) [h]ave a current FCC Form 499A on file with the Commission . . .; (2) [h]ave been assigned an Operating Company Number (OCN) . . . ;[and] (3) [h]ave certified with the FCC that they have implemented STIR/SHAKEN or comply with the [Commission’s] Robocall Mitigation Program requirements and are listed in the FCC Robocall Mitigation Database, or have direct access to numbering resources.” Id. 13. The Commission requires voice service providers subject to an extension from the requirement to implement STIR/SHAKEN—including smaller voice service providers and voice service providers with non-IP technology—to adopt and implement robocall mitigation practices in lieu of caller ID authentication. 47 CFR §§ 64.6304, 64.6305; see also Second Caller ID Authentication Report and Order, 36 FCC Rcd at 1876-83, paras. 36-51, 1897-1907, paras. 74-94. The Commission specifically directed voice service providers that must implement robocall mitigation to “take reasonable steps to avoid originating illegal robocall traffic.” Second Caller ID Authentication Report and Order, 36 FCC Rcd at 1899, para. 76 (internal quotations omitted). The Commission adopted this standards-based approach to “allow . . . voice service providers to innovate and draw from the growing diversity and sophistication of anti-robocall tools and approaches available,” Id. (internal quotations omitted). and because it found that “there is no one-size-fits-all robocall mitigation solution that accounts for the variety and scope of voice service provider networks.” Id. at 1901, para. 80. The Commission established just one prescriptive requirement: a commitment to respond “in a timely manner to all traceback requests from the Commission, law enforcement, and the industry traceback consortium, and to cooperate with such entities in investigating and stopping any illegal robocalls that use its service to originate calls.” 47 CFR § 64.6305(b) (2)(iii). The Commission explained that if it determined that its standards-based approach was not sufficient, it would “not hesitate to revisit the obligations we impose through rulemaking at the Commission level.” See Second Caller ID Authentication Report and Order, 36 FCC Rcd at 1902, para. 81. 14. The Commission also required voice service providers to, by June 30, 2021, submit a certification to the Robocall Mitigation Database, stating whether they had implemented STIR/SHAKEN on all or part of their networks and, if they had not fully implemented STIR/SHAKEN, describe their robocall mitigation program and “the specific reasonable steps the voice service provider has taken to avoid originating illegal robocall traffic.” 47 CFR § 64.6305(b)(2)(ii). The Commission stated that a robocall mitigation program is sufficient if it “includes detailed practices that can reasonably be expected to significantly reduce the origination of illegal robocalls,” and stated that “the voice service provider must comply with the practices it describes.” See Second Caller ID Authentication Report and Order, 36 FCC Rcd at 1900, para. 78. As of September 28, 2021, 4,948 voice service providers have filed in the Robocall Mitigation Database: 1,302 attest to full STIR/SHAKEN implementation, 1,202 state that they have implemented a mix of STIR/SHAKEN and robocall mitigation, and 2,437 state that they rely solely on robocall mitigation. 15. The Commission prohibited intermediate providers and terminating voice service providers from accepting calls directly from a voice service provider not listed in the Robocall Mitigation Database, 47 CFR § 64.6305(c). The prohibition went into effect on September 28, 2021. See Wireline Competition Bureau Announces Opening of Robocall Mitigation Database and Provides Filing Instructions and Deadlines, WC Docket No. 17-97, Public Notice, 36 FCC Rcd 7394 (WCB 2021). finding that such a prohibition would “encourage all voice service providers to implement meaningful and effective robocall mitigation programs . . . during the period of extension from the STIR/SHAKEN mandate.” Second Caller ID Authentication Report and Order, 36 FCC Rcd at 1904, para. 87. The Commission extended this prohibition to traffic originated by foreign voice service providers that use “North American Numbering Plan resources that pertain to the United States to send voice traffic to residential or business subscribers in the United States.” 47 CFR § 64.6305(c). We note that CTIA and the Voice on the Net Coalition (VON) filed petitions for reconsideration of the prohibition as it relates to foreign-originated traffic. See Petition of CTIA for Partial Reconsideration, WC Docket No. 17-97 (filed Dec. 17, 2020); Petition for Reconsideration of VON, WC Docket No. 17-97 (filed Dec. 17, 2020). This prohibition became effective on September 28, 2021. 47 CFR § 64.6305(c). While the Commission made clear that it did “not require foreign voice service providers to file a certification,” it found that the rule “create[d] a strong incentive for . . . foreign voice service providers” to do so to avoid having their traffic blocked. See Second Caller ID Authentication Report and Order, 36 FCC Rcd at 1905 n.347, para. 90. The Commission concluded that the rule’s “indirect effect” on foreign providers is consistent with the Commission’s and courts’ past conclusions regarding the scope of Commission jurisdiction. See id. at 1910 n.370 (citing International Settlement Rate Benchmarks, IB Docket No. 96-261, Report and Order, 12 FCC Rcd 19806, 19819, para. 27 (1997); Cable and Wireless P.L.C. v. FCC, 166 F.3d 1224, 1230 (D.C. Cir. 1999) (finding that “the Commission does not exceed its authority simply because a regulatory action has extraterritorial consequences”). As of September 28, 2021, 609 foreign voice service providers have filed in the Robocall Mitigation Database, out of a total 4,948 voice service provider filings. 16. In addition to placing these obligations on voice service providers, the Commission required intermediate providers to implement STIR/SHAKEN in their IP networks. In the Second Caller ID Authentication Report and Order, the Commission placed two requirements on intermediate providers. First, regarding calls an intermediate provider receives with authenticated caller ID information, the Commission required intermediate providers to pass the authenticated caller ID information unaltered to the next provider in the call path. 47 CFR § 64.6302(a). The Commission created two exceptions from this rule under which an intermediate provider may remove the authenticated caller ID information: (1) where necessary for technical reasons to complete the call; and (2) where the intermediate provider reasonably believes the caller ID authentication information presents an imminent threat to its network security. Id. at (a)(1)-(2). Second, regarding calls an intermediate provider receives without authenticated caller ID information, the Commission gave intermediate providers two options. An intermediate provider could either authenticate caller ID information for these calls, 47 CFR § 64.6302(b). or, in the alternative, an intermediate provider must cooperatively participate with the industry traceback consortium and respond fully and in a timely manner to all traceback requests. 47 CFR § 64.6302(b)(1)-(2). The Commission concluded that it had authority to place these obligations on intermediate providers under section 251(e) of the Act and the Truth in Caller ID Act. See Second Caller ID Authentication Report and Order, 36 FCC Rcd at 1931-32, paras. 153-55; see also id. at 1932, para. 155 (“Mandating that intermediate providers authenticate unauthenticated calls or participate in traceback efforts will help to prevent and remediate the fraudulent exploitation of NANP resource and illegal spoofing of caller ID information.”). 17. In adopting these rules, the Commission defined “voice service,” consistent with section 4 of the TRACED Act, in part as “any service that is interconnected with the public switched telephone network and that furnishes voice communications to an end-user using resources from the North American Numbering Plan or any successor.” 47 CFR § 64.6300(l)(1); see also TRACED Act § 4(a)(2) (defining “voice service”). It defined an “intermediate provider” as “any entity that [carries] or processes traffic that traverses or will traverse the PSTN at any point insofar as that entity neither originates nor terminates that traffic.” 47 CFR § 64.6300(f). The Commission also established that its rules governing voice service providers and intermediate providers apply on a “call-by-call” basis; under this approach, “[a] single entity . . . may act as a voice service provider for some calls on its network and an intermediate provider for others.” Second Caller ID Authentication Report and Order, 36 FCC Rcd at 1930, para. 151. 18. Call Blocking. In parallel with its caller ID authentication work, the Commission has encouraged voice service providers, including intermediate providers, to block unwanted and illegal calls in certain situations, while also imposing requirements to reduce the risk that legitimate calls are blocked. See, e.g., First Call Blocking Order, 32 FCC Rcd at 9710-21, paras. 10-40 (establishing that certain calls may be blocked based on the number that the call purports to originate from); Advanced Methods to Target and Eliminate Unlawful Robocalls; Call Authentication Trust Anchor, CG Docket No. 17-59, WC Docket No. 17-97, Declaratory Ruling and Third Further Notice of Proposed Rulemaking, 34 FCC Rcd 4876, 4884-91, paras. 26-46 (2019) (Call Blocking Declaratory Ruling and Further Notice) (making clear that terminating voice service providers may block calls in certain instances); Advanced Methods to Target and Eliminate Unlawful Robocalls, CG Docket No. 17-59, Third Report and Order, Order on Reconsideration, and Fourth Further Notice of Proposed Rulemaking, 35 FCC Rcd 7614, 7625-31, 7633-37, paras. 51-60, 25-45 (2020) (Third Call Blocking Order and Further Notice) (establishing two safe harbors for blocking, as well as certain protections in case of erroneous blocking); Fourth Call Blocking Order, 35 FCC Rcd at 15234-47, paras. 39-78 (expanding the analytics-based safe harbor and establishing several transparency and redress requirements). Similarly, the Commission has adopted affirmative obligations for voice service providers, which include intermediate providers for purposes of our call blocking rules, See supra note 20. to help eliminate illegal calls from the network. Fourth Call Blocking Order, 35 FCC Rcd at 15227-33, paras. 14-36. 19. To date, the Commission has taken a mostly permissive approach to call blocking, encouraging terminating voice service providers and, occasionally, all voice service providers (including intermediate providers) to block in certain instances and protecting them from liability under the Commission’s rules if they block in error. See, e.g., 47 CFR § 64.1200(k); First Call Blocking Order, 32 FCC Rcd at 9710-21, paras. 10-40; Call Blocking Declaratory Ruling and Further Notice, 34 FCC Rcd at 4884-91, paras. 26-46; Third Call Blocking Order and Further Notice, 35 FCC Rcd at 7625-31, 7633-37, paras. 51-60, 25-45; Fourth Call Blocking Order, 35 FCC Rcd at 15234-47, paras. 39-78. The Commission, in the 2017 First Call Blocking Order, took a clear, bright-line approach by authorizing voice service providers, including intermediate providers, to block calls that purport to be from invalid, unallocated, or unused numbers without first obtaining customer consent. First Call Blocking Order, 32 FCC Rcd at 9710-21, paras. 10-40. The Commission reasoned that there is no legitimate reason for a caller to spoof these numbers, and therefore these calls are highly likely to be illegal. Id. at 9709, para. 9. As a result, no reasonable consumer would want to receive such calls. Id. at 9722, para. 44. The First Call Blocking Order also permitted blocking of calls using a do-not-originate list, which includes numbers that should never be used to originate calls. Id. at 9710, paras. 10-17. The Commission determined that these rules apply to foreign-originated calls that purport to originate from U.S. North American Numbering Plan (NANP) numbers on the grounds that many illegal calls originate from call centers abroad. Id. at 9721, para. 42. 20. Subsequent Commission action ensured that terminating voice service providers can respond to the evolving tactics of bad actors. First, in the Call Blocking Declaratory Ruling and Further Notice, adopted in 2019, the Commission made clear that terminating voice service providers may block calls based on reasonable analytics so long as consumers are given the opportunity to opt out of such blocking. Call Blocking Declaratory Ruling and Further Notice, 34 FCC Rcd at 4884-91, paras. 26-46. The Commission, in the 2020 Third Call Blocking Order and Further Notice, then adopted a safe harbor from violations of the Act and the Commission’s rules for terminating voice service providers that block based on reasonable analytics designed to identify unwanted calls, so long as the analytics take into account caller ID authentication information and consumers are given the opportunity to opt out. Third Call Blocking Order and Further Notice, 35 FCC Rcd at 7625-27, paras. 25-34. The Second Report and Order in CG Docket No. 17-59 concerns the Reassigned Numbers Database and is not directly relevant to our discussion here. See Advanced Methods to Target and Eliminate Unlawful Robocalls, CG Docket No. 17-59, Second Report and Order, 33 FCC Rcd 12024 (2018). The Commission also established a safe harbor for voice service providers (including intermediate providers) to block calls from a bad-actor upstream provider that fails to effectively mitigate illegal traffic after being notified of such traffic by the Commission. Third Call Blocking Order and Further Notice, 35 FCC Rcd at 7627-31, paras. 35-45. Finally, the Commission, in that Order, took steps to reduce the risk of erroneous blocking. Id. at 7633-36, paras. 51, 59. In the 2020 One Ring Scam Order, the Commission permitted voice service providers (including intermediate providers) to use reasonable analytics on a network-wide basis to block calls from numbers that are highly likely to be associated with one-ring scams and extended the existing safe harbor to include such blocking. See Protecting Consumers from One-Ring Scams, CG Docket No. 20-93, Report and Order, 35 FCC Rcd 14236, 14238-40, paras. 8-11 (2020). Providers may block such calls if they “appear to be one-ring scam calls, even if such identification proves to be erroneous in a particular instance.” Id. at 14240, para. 10. 21. Most recently, in the December 2020 Fourth Call Blocking Order, the Commission expanded the safe harbor for blocking based on reasonable analytics to include certain network-level blocking, without consumer opt out, designed to identify calls that are highly likely to be illegal. Fourth Call Blocking Order, 35 FCC Rcd at 15234-38, paras. 39-47. The safe harbor is available to terminating voice service providers that disclose to consumers that they are engaging in such blocking. Id. at 15235-36, para. 41. The Commission also adopted enhanced transparency and redress requirements for voice service providers that block calls. Id.at 15238-47, paras. 48-78. Beyond blocking, the Commission, in the Fourth Call Blocking Order, established three affirmative obligations that apply to voice service providers (including intermediate providers). Id. at 15227-34, paras. 14-38. First, voice service providers must respond to all traceback requests from the Commission, law enforcement, or the industry traceback consortium, fully and timely. Id. at 15227-29, paras. 15-21. Second, voice service providers must take steps to effectively mitigate illegal traffic when notified of such traffic by the Commission. Id. at 15229-32, paras. 22-31. The Commission noted that “blocking may be necessary for gateway providers to comply with these requirements.” Id. at 15231, para. 26. Finally, voice service providers must adopt affirmative, effective measures to prevent new and renewing customers from using the network to originate illegal calls. Id. at 15232-33, paras. 32-36. III. DISCUSSION 22. Now that voice service providers have implemented STIR/SHAKEN or a robocall mitigation program, a key component of our anti-robocall efforts is in effect. However, bad actors abroad continue to remain largely outside of our caller ID authentication scheme. At present, our rules only require the gateway providers that bring foreign calls into the United States to pass along preexisting authenticated caller ID information unaltered, participate in traceback, and take steps to effectively mitigate illegal traffic when notified of such traffic by the Commission. While these obligations are valuable, they are not enough for the task at hand: stopping illegal robocalls that originate abroad and the fraudulent actors producing those calls from preying on Americans. 23. To that end, we propose to place additional requirements on gateway providers to ensure that they are doing their part to combat the scourge of illegal robocalls. Specifically, we propose to require gateway providers to authenticate all SIP calls and employ robocall mitigation techniques on calls that they allow into the United States from abroad that display a U.S. number in the caller ID field, which implies to the call recipient that the call originated in the United States. In this Further Notice, where we refer to caller ID information or the number in the caller ID field, we rely on the definition of “caller identification information” in our rules. See 47 CFR § 64.1600(c) (defining “caller identification information” as “information provided by a caller identification service regarding the telephone number of, or other information regarding the origination of, a call made using a voice service or a text message sent using a text messaging service”). A. Need for Action 24. Current Rules Addressing Foreign-Originated Robocalls Are Insufficient. We tentatively conclude that our current rules addressing foreign-originated robocalls are not sufficient to resolve the problem of foreign-originated illegal robocalls: See Letter from Linda S. Vandeloop, AVP, AT&T, to Marlene H. Dortch, Secretary, FCC, WC Docket No. 17-97, CG Docket No. 17-59, at 1 (filed Sept. 23, 2021) (“AT&T supports efforts to identify additional steps to prevent internationally originated illegal robocalls from entering the United States.”). · Under our caller ID authentication rules, gateway providers—as intermediate providers—are required to pass along authenticated caller ID information unaltered. 47 CFR § 64.6302(a). Although intermediate providers are also required to apply STIR/SHAKEN to unauthenticated calls they receive, they are excused from that requirement if they elect to cooperatively participate with the industry traceback consortium and respond fully and in a timely manner to all traceback requests they receive from the Commission, law enforcement, and the industry traceback consortium regarding calls for which they act as an intermediate provider. 47 CFR § 64.6302(b). Since May 6, 2021, however, under our call blocking rules, intermediate providers (again, including gateway providers) are also subject to a separate requirement to respond fully and in a timely manner to all traceback requests from those same entities. 47 CFR § 64.1200(n)(1). This rule was adopted in the Fourth Call Blocking Order and took effect on May 6, 2021. See 86 Fed. Reg. 17726, 17727, 17734 (Apr. 6, 2021). By complying with that new rule, intermediate providers also meet the traceback requirement in our caller ID authentication rules (section 64.6302(b)) and, under that rule, are excused from complying with the requirement to apply STIR/SHAKEN to unauthenticated calls. In addition, intermediate providers are not subject to any requirement under the caller ID authentication rules to perform robocall mitigation. This means that even though gateway providers are where a call first enters the U.S. network, they are not subject to the same obligations that apply to domestic originating voice service providers. · Foreign entities are prohibited from spoofing caller ID with the intent to defraud, cause harm, or wrongfully obtain anything of value when placing calls to recipients in the United States. 47 U.S.C. § 227(e)(1). While this prohibition is valuable, the very nature of spoofing makes it difficult to identify spoofing in the first instance, and track down the call originator after discovering spoofing has occurred. · Foreign originating voice service providers that use NANP resources that pertain to the United States to send traffic to the United States may have their traffic blocked if they are not in our Robocall Mitigation Database, 47 CFR § 64.6305(c). which requires certification of STIR/SHAKEN implementation or the use of a robocall mitigation program. 47 CFR § 64.6305(b). But this requirement is limited by the fact that the prohibition applies only to traffic received “directly” from a foreign voice service provider not listed in the Robocall Mitigation Database; a foreign voice service provider is not currently required to file if it always routes traffic destined for U.S. consumers over intermediate provider networks before they reach the U.S. gateway, and a bad actor could easily exploit this loophole. See Letter from Joshua M. Bercu, Vice President, Policy & Advocacy, USTelecom—The Broadband Ass’n, to Marlene H. Dortch, Secretary, FCC, WC Docket No. 17-97, at 2-3 (filed Apr. 15, 2021) (USTelecom Ex Parte). · Our call blocking rules require voice service providers (including intermediate providers) to respond to traceback requests and take steps to effectively mitigate illegal traffic and require originating providers to take steps to prevent new and renewing customers from using the network to originate illegal calls. 47 CFR § 64.1200(n). However, because a foreign voice service provider upstream from the gateway provider is outside of the scope of our rules, these requirements may not always allow the call originator to be identified or the traffic to be stopped before it reaches United States consumers. 25. We tentatively conclude that it would benefit Americans to subject foreign-originated robocalls, once they reach a gateway provider in the United States, to the same types of measures applied to calls originated in the United States: caller ID authentication and robocall mitigation. We further tentatively conclude the unique challenges associated with foreign-originated robocalls demand that gateway providers be subject to additional caller ID authentication and robocall mitigation requirements, to ensure Americans are protected from calls originating abroad. Unlike other providers, gateway providers have visibility into the foreign network where the call originates and have the ability to identify instances when a call that purports to originate from a U.S. number in fact originated internationally, which can reduce the accuracy and effectiveness of blocking analytics. And unlike terminating voice service providers, gateway providers can stop illegal calls to customers of many terminating voice service providers. We seek comment on these tentative conclusions. Are our current rules addressing foreign-originated robocalls sufficient? Rather than adopt new rules, should we leverage our existing rules in new ways to stop such calls? Or should we adopt new rules that rely on methods other than caller ID authentication and robocall mitigation? If so, what type of rules should we adopt? 26. A Large Portion of Illegal Robocalls Originate Abroad. Available evidence indicates that a large portion of unlawful robocalls terminating within the United States originate outside the United States. Insider, The Annoyance Engine: Spam Robocalls became profitable by exploiting the phone system, but you can stop them, Walt Hickey (Mar. 3, 2021), https://www.businessinsider.com/why-so-many-spam-robocalls-how-to-stop-them-2021-3 (noting most robocall campaigns originate abroad and that the calls are routed through gateway providers that are “willing to place those calls to American phones [and] may not always know they’re laundering scam calls into the US telecom system”); The Economic Times, US files lawsuits against call centers, mostly from India, for making fake robocalls to Americans, (Jan. 29, 2020) https://economictimes.indiatimes.com/news/politics-and-nation/us-files-lawsuits-against-call-centres-mostly-from-india-for-making-fake-robocalls-to-americans/articleshow/73731293.cms?from=mdr (“According to federal prosecutors, Americans have experienced a deluge of robocalls over the past several years. Many of the robocalls originate from abroad.”). USTelecom states that fraudulent calls are “almost always are coming from overseas,” NBC News, Pandemic lockdowns have curbed robocalls. The telecom industry is trying to keep them from coming back, Nigel Chiwaya (June 7, 2021) (quoting Josh Bercu, Vice President, USTelecom) https://www.nbcnews.com/news/us-news/pandemic-lockdowns-have-curbed-robocalls-telecom-industry-trying-keep-them-n1269831. while ZipDX states that traceback data “have implicated foreign entities as a primary source of the worst kinds of robocalls.” See Letter from David Frankel, CEO, ZipDX, to Marlene H. Dortch, Secretary, FCC, WC Docket No. 17-97, at 1 (filed Apr. 16, 2021). While some fraudulent traffic carries caller ID information matching the origination country (e.g., a call from France carries French caller ID), “the portion of this traffic to the overall fraudulent call volume is relatively small,” and it appears that most foreign-originated fraudulent traffic carries a U.S. number in the caller ID field. 2020 NANC Best Practices Report at 14-15. We seek comment on this evidence, the relative proportion of domestic- and foreign-originated illegal robocalls, the prevalence of caller ID spoofing in foreign-originated robocalls, and trends in foreign-originated robocalling targeted at the United States over time. We also seek comment on the causes of any identified shift from domestic- to foreign-originated illegal robocall campaigns. Have the recent steps the Commission has taken in its call blocking and caller ID authentication orders and the June 30, 2021 STIR/SHAKEN implementation deadline pushed an increasing proportion of illegal robocall origination abroad? Are there other explanations for a shift to foreign-originated robocalls? 27. Role of Gateway Providers. While foreign-originated illegal robocalls are a major problem, these calls can only reach U.S. consumers and businesses after they pass through a gateway provider. The NANC has recognized that, to access the U.S. market, foreign originators must send traffic to a gateway provider that is unwilling or unable to block that traffic. See id. 28. The Commission’s Enforcement Bureau has repeatedly identified gateway providers as playing a key role in bringing illegal robocalls to the United States. In letters sent to multiple gateway providers in February 2020 to “assist the . . . Commission in stopping the flow of malicious robocalls originating from sources outside the United States,” the Enforcement Bureau noted that a gateway provider, “[a]s the point of entry for this traffic into the U.S. telephone network, is uniquely situated to . . . combat apparently illegal robocalls.” Letter from Rosemary C. Harold, Chief, Enforcement Bureau, FCC, to Brick Kane, President, Globex Telecom, at 1-2 (Feb. 4, 2020), https://docs.fcc.gov/public/attachments/DOC-362255A1.pdf. In spring 2020, in conjunction with a Division of the Federal Trade Commission, the Enforcement Bureau warned international “gateway providers facilitating COVD-19 related scam robocalls originating abroad that they must cut off these calls or face serious consequences.” FCC, Press Release, FCC, FTC Demand Gateway Providers Cut Off Robocallers Perpetrating Coronavirus-Related Scams from United States Telephone Network (Apr. 3, 2020), https://docs.fcc.gov/public/attachments/DOC-363522A1.pdf. In April 2020, the FTC and FCC wrote to three gateway providers and demanded that they stop facilitating scam COVID-19-related robocalls from India and Pakistan. See id. In May 2020, the FTC and FCC sent an additional three letters to three separate gateway providers regarding similar campaigns originating in the UK, Germany, and other destinations abroad. FCC, Press Release, FCC, FTC Demand Robocall-Enabling Service Providers Cut Off Covid-19-Related International Scammers (May 20, 2020), https://docs.fcc.gov/public/attachments/DOC-364482A1.pdf. Most recently, in spring 2021, the Enforcement Bureau sent cease-and-desist letters to ten providers, including some gateway providers, making clear that, should they not cease transmitting illegal robocall campaigns immediately, “other network operators [would] be authorized to block traffic from these companies.” Press Release, FCC, FCC Demands Two More Companies Immediately Stop Facilitating Illegal Robocall Campaigns (May 18, 2021), https://docs.fcc.gov/public/attachments/DOC-372543A1.pdf; see also Press Release, FCC, FCC Calls on Carriers to Ensure Free Consumer Tools Are Available to Block Robocalls and Issues New Robocall Cease-and-Desist Letters (Apr. 13, 2021), https://docs.fcc.gov/public/attachments/DOC-371553A1.pdf. 29. The Department of Justice (DOJ) has also brought enforcement actions against gateway providers that allow illegal robocall traffic into the country. In two recent DOJ cases, DOJ states that “the defendants engaged in wire fraud schemes by knowingly serving as ‘gateway carriers’ for fraudulent calls; that is, the defendants received fraudulent robocalls from foreign customers and relayed those calls into the United States telecommunications system.” US Department of Justice, Telephone Robocall Abuse Criminal Enforcement and Deterrence Act, 2020 Report to Congress at 3, https://www.justice.gov/opa/press-release/file/1331576/download. The schemes, according to the DOJ, would not have worked unless the defendants, were “willing to accept the fraudsters’ robocall traffic into the U.S. telephone system. . . . The [defendants] provide the crucial interface between foreign internet-based phone traffic and the U.S. telephone system.” See United States of America vs. Nicholas Palumbo, et. al., Civil Action No. 20-CV-473, Complaint, para. 8, p.4 (E.D.N.Y) (Jan. 28, 2020) (Palumbo Complaint). We seek comment on whether these cases are representative of the role that some gateway providers play in allowing illegal robocalls to reach U.S. subscribers. 30. We seek comment on the relationship between gateway providers and illegal robocalls entering the U.S. market. Is the problem driven by a few unscrupulous gateway providers that have entered into business arrangements to transit illegal foreign-originated robocall traffic? In a recent case, the DOJ noted that the defendant gateway providers “specifically market their services to foreign call centers and foreign VoIP providers looking to transmit high volumes of robocalls into the United States.” Id. at para. 26, p.11; see also E-mail of David Frankel, ZipDX, to Jonathan Lechter, Attorney Advisor, Competition and Policy Division, Wireline Competition Bureau, FCC, and Jerusha Bennett, Attorney Advisor, Consumer Policy Division, Consumer and Governmental Affairs Bureau, FCC (Sept. 13, 2021, 7:22 EDT) (filed in WC Docket No. 17-97 & CG Docket No. 17-59, Sept. 15, 2021) (ZipDX Sept. 13 Ex Parte) (“Historically intermediate providers (taking calls from domestic upstream) have been viewed as mere traffic pass-throughs. But in many cases, these providers are part of the call-laundering scheme -- they are accepting traffic (and payments) from upstreams that they know, or should know, are sending huge volumes of calls (in many cases from foreign sources).”). Or is the problem more widespread, for instance because gateway providers do not or cannot easily identify bad actors sending illegal robocalls to the United States through the gateway provider’s network? If the problem is widespread, why do gateway providers today decline to identify and act to restrict bad actors and unlawful robocalls? Do foreign originators send illegal robocall traffic to the gateway indirectly, through one or more foreign intermediate providers, in order to conceal the nature of the call before it reaches the U.S. gateway? Are there other mechanisms by which foreign originators of illegal robocalls send their traffic to the United States such that it would be brought onto the U.S. network by an unsuspecting gateway provider? 31. We also seek comment on how foreign robocallers and the voice service providers that serve them use U.S. numbers in the caller ID field for their illegal robocall campaigns. Do these entities primarily spoof U.S. numbers? See, e.g., United States of America v. Jon Kahen, et al., Civil Action No. 20-CV-474, Declaration of Sean Fagan, para. 48, p.28 (E.D.N.Y, Mar. 2, 2020) (noting that defendant gateway provider facilitated foreign-originated calls using spoofed numbers). Or do these bad actors also use U.S. numbers that the voice service provider or their customer has obtained the right to use, either directly from the Numbering Administrator or indirectly through another provider? See Affordable Enterprises of Arizona, LLC, File No. EB-TCD-17-00024974, Forfeiture Order, 35 FCC Rcd 12142, 12145, para. 8 (2020) (using number assigned to the company for other purposes to make illegal calls). We note that the Commission recently proposed rules to help prevent VoIP providers from obtaining numbers directly from the Numbering Administrator for use in illegal robocall campaigns, See Numbering Policies for Modern Communications et al., WC Docket No. 13-97 et al., Further Notice of Proposed Rulemaking, FCC 21-94, para. 13 (rel. Aug. 6, 2021) (Direct Access Further Notice). and there are existing reporting rules regarding number usage. See 47 CFR § 52.15(f); see also Numbering Policies for Modern Communications et al., WC Docket No. 13-97 et al., Report and Order, 30 FCC Rcd 6839, 6853-55, paras. 30-32 (2015). Are there other safeguards we should consider to prevent foreign providers from using U.S. NANP numbers in illegal robocall campaigns? B. Scope of Requirements and Definitions 32. In light of their unique role in bringing foreign-originated illegal robocalls onto U.S. networks, we propose to impose new obligations on gateway providers for foreign-originated calls that use U.S. numbers in the caller ID field. We believe that this approach will narrowly target those providers best able to stop those calls that have the greatest likelihood to be part of illegal robocall campaigns that harm Americans—foreign-originated calls carrying U.S. numbers in the caller ID field. 33. While the Commission has imposed requirements on intermediate providers, including gateway providers, it has never defined “gateway provider” as a distinct category of entities. We now propose to define a “gateway provider” as the first U.S.-based intermediate provider in the call path of a foreign-originated call that transmits the call directly to another intermediate provider or a terminating voice service provider in the United States. We do not include in this proposed definition a gateway provider that terminates calls in the U.S. To the extent a gateway provider terminates a call in the U.S., it is acting as a terminating voice service provider and is already subject to our existing caller ID authentication and/or robocall mitigation rules. See 47 CFR §§ 64.6301, 64.6305. In this proposed definition, by “U.S.-based,” we mean that the provider has facilities in the U.S. including a U.S. located point of presence. See Letter of Michael H. Pryor, Counsel, iBasis, to Marlene H. Dortch, Secretary, FCC, WC Docket No. 17-97, CG Docket No. 17-59, at 2 (filed Sept. 22, 2021) (iBasis Ex Parte) (suggesting this definition of “U.S.-based” as an option for further clarification). We seek comment on this proposed definition. Should we define “gateway provider” differently? Should we define “U.S.-based” differently? Should our definition include the first U.S.-based provider in the call path for a foreign-originated call that also terminates that call? Should we extend some or all of the requirements we propose today to such terminating voice service providers, or are existing requirements sufficient? Should we exclude from the definition those providers that serve as a gateway for only a de minimis amount of foreign originated traffic? Are such providers unlikely to be the source of illegal robocalls? If so, how should we define de minimis for this purpose? Is there another way to effectively limit our definition to apply only to those gateway providers that are especially likely to be the source of illegal calls on the U.S. network? Does our definition need to be modified to take into account the scenario where a call originates in the U.S., is routed internationally (over the same provider or a different provider’s facilities), and then is routed back to a U.S. end-user through a gateway provider? What about a scenario where a call enters the U.S. through a gateway provider, is routed outside of the U.S. and then back into the U.S. through the same or different gateway provider? See ZipDX Sept. 13 Ex Parte (noting these routing scenarios and requesting that the Commission seek comment on prohibiting U.S.-based providers from routing U.S. bound calls “to a foreign entity”). 34. We seek comment on whether U.S.-based providers that fall under our proposed definition of gateway provider also, in some instances, originate calls from abroad carrying U.S. NANP numbers that are brought into the U.S. by that same provider. In other words, are there instances where the provider that brings the call into the U.S. is also acting as an originating provider? For such calls, the U.S.-based provider would not fall under our proposed gateway provider definition where it is not acting as an intermediate provider. For example, a U.S.-based provider acts as a gateway provider for calls foreign providers send to it. The same U.S-based provider may also serve an end-user customer in another country that is originating traffic in that country and sending traffic over that U.S.-based provider’s network into the U.S. marketplace. In such an instance, the U.S.-based provider is not acting as an intermediate provider and thus would not fall within our proposed definition of gateway provider. However, if a U.S.-based provider has contracted with a foreign provider or customer to allow calls into the U.S. marketplace and the call is brought to the U.S.-based providers’ U.S. network by a foreign provider, the U.S.-based provider would be an “intermediate provider” and therefore fall within our proposed definition. Are certain arrangements that are not covered by our proposed definition likely to be part of an illegal robocall campaign? If so, should we broaden or otherwise modify our proposed definition to ensure that such calls fall within the scope of the protections we propose in this Further Notice? Alternatively, should we explicitly include these situations for the purposes of specific rules, such as our proposed mandatory blocking rules? 35. As we have elsewhere in our caller ID authentication rules, See Second Caller ID Authentication Report and Order, 36 FCC Rcd at 1930, para. 151 (“We further determine that as with our interpretation of ‘providers of voice service,’ we assess the definition of ‘intermediate provider' on a call-by-call basis for the purpose of our call authentication rules. A single entity therefore may act as a voice service provider for some calls on its network and an intermediate provider for others.”). we propose to classify providers as gateway providers on a call-by-call basis rather than on a class basis. Thus, a provider would be a “gateway provider”—and subject to rules applied to that class of provider—only for those calls for which it acts as a gateway provider; it would be an “intermediate provider” or “voice service provider”—and subject to rules applied to those classes of provider—for all other calls, e.g., for domestic-originated calls that it carries. We believe it is appropriate to apply that approach here not only for regulatory symmetry, but also because it would capture all instances in which an entity acts as a gateway provider. At the same time, this approach would not subject all traffic handled by an entity to enhanced obligations simply because a portion of that traffic originates abroad. We seek comment on this proposal. Should we instead diverge from our “call-by-call” approach for gateway providers? Do providers have the ability to treat foreign-originated calls differently on a call-by-call basis? If we were to establish that a provider is a gateway provider for all of its traffic, if any traffic it transits originates abroad, would such an approach place unreasonable obligations on a provider’s domestic traffic simply because some traffic is foreign-originated? 36. We further propose to limit the scope of our proposed requirements for gateway providers to those calls that are carrying a U.S. number in the caller ID field. By a “U.S. number,” we are referring to NANP resources that pertain to the United States. See Administration of the North American Numbering Plan, CC Docket No. 92-237, Report and Order, 11 FCC Rcd 2588, 2591-92, paras. 3-4 (1995) (“The [NANP] is the basic numbering scheme that permits interoperable communications in the United States, Canada, Bermuda and most of the Caribbean. . . . NANP erects a framework for assigning the telephone numbers upon which these services depend and for permitting international calls between its member countries to be completed without the need to dial international access codes and international country codes. . . .These numbers are a public resource”). Under this approach, we would exclude from the scope of our rule those calls that carry a U.S. number in the ANI field but display a foreign number in the caller ID field. See 47 CFR § 64.1600(b) (“The term ‘ANI’ (automatic number identification) refers to the delivery of the calling party’s billing number by a local exchange carrier to any interconnecting carrier for billing or routing purposes, and to the subsequent delivery of such number to end users.”). We believe that this approach is consistent with our goal to prevent illegal spoofing, which is dependent upon manipulating the caller ID field that is visible to the call recipient. We further propose to apply this requirement on a “call-by-call” basis. Under this approach, a gateway provider would be subject to these requirements for those calls it transits that carry a U.S. number in the caller ID field, but that same gateway provider would not be subject to these requirements for calls displaying numbers associated with another country. We seek comment on these proposals. We also seek comment on the feasibility and desirability of widening the scope of our proposed rules to cover calls carrying non-U.S. numbers in the caller ID field or a subset of non-U.S. numbers. If we include a subset of non-U.S. numbers, what numbers should we include? 37. Limiting our proposed rules to calls that use U.S. numbers in the caller ID field is similar to the approach in our current rule that requires intermediate providers and voice service providers to not accept calls directly from a foreign voice service provider that is carrying U.S. numbers if the foreign voice service provider is not listed in the Robocall Mitigation Database. 47 CFR § 64.6305(c). In that context, we limited application of our rule to foreign voice service providers that “use[] North American Numbering Plan resources that pertain to the United States.” Id. We seek comment on whether it is appropriate, in this context, to take a narrower or more expansive approach than we did in the context of foreign voice service providers whose traffic must be blocked if they are not listed in the Robocall Mitigation Database. C. Authentication 38. To combat foreign-originated robocalls, we propose to require gateway providers to authenticate caller ID information consistent with STIR/SHAKEN for SIP calls that are carrying a U.S. number in the caller ID field. 39. As the Commission has previously explained, application of caller ID authentication by intermediate—including gateway—providers “will provide significant benefits in facilitating analytics, blocking, and traceback by offering all parties in the call ecosystem more information.” Second Caller ID Authentication Report and Order, 36 FCC Rcd at 1928, para. 144. At the time the Commission reached this conclusion, in light of record concerns that an authentication requirement on all intermediate providers “was unduly burdensome in some cases,” the Commission established that intermediate providers could “register and participate with the industry traceback consortium as an alternative means of complying with our rules,” in lieu of authenticating unauthenticated calls. Id. 40. Since the Commission established those requirements in the Second Caller ID Authentication Report and Order, in the Fourth Call Blocking Order, the Commission subsequently required all voice service providers—which include gateway providers and other intermediate providers under our call blocking rules—to cooperate with traceback requests. See Fourth Call Blocking Order, 35 FCC Rcd at 15227-29, paras. 15-21. This rule has effectively mooted the choice given to intermediate providers in the earlier Second Caller ID Authentication Report and Order to authenticate calls or cooperate with traceback requests. See 47 CFR § 64.6302(b). We propose concluding that, given the key role gateway providers play in allowing foreign calls into the United States, gateway providers should be required to authenticate unauthenticated foreign-originated SIP calls that they receive and cooperate with traceback requests with respect to those same calls. Requiring gateway providers to authenticate caller ID information for all unauthenticated foreign-originated SIP calls will offer information to the downstream providers regarding where a foreign-originated robocall entered the call path, facilitating analytics and promoting traceback efforts. Second Caller ID Authentication Report and Order, 36 FCC Rcd at 1926, para. 141. We seek comment on this proposal. 41. Illegal robocalls cost Americans over $13.5 billion annually. See First Caller ID Authentication Report and Order and Further Notice of Proposed Rulemaking, 35 FCC Rcd at 3263, paras. 47-48. Given the prevalence of robocalls from abroad, we anticipate that the deterrence that arises from authenticating unauthenticated foreign-originated calls is likely to be highly beneficial and that those benefits outweigh any concerns about C-level attestations not carrying sufficient information to assist in the policing of illegal robocalling campaigns. See Second Caller ID Authentication Report and Order, 36 FCC Rcd at 1928, para. 144 (“We find that attestation of previously unauthenticated calls [even at lower levels of attestation by intermediate providers] will provide significant benefits in facilitating analytics, blocking and traceback by offering all parties in the call ecosystem more information.”). Even with a “C-level” (gateway) attestation, we anticipate that authenticating unauthenticated calls will facilitate faster traceback and improve call analytics. See id. (noting that some commenters believe that lower-level attestations will result in “billions of useless attestations”). We seek comment on this analysis and on the possible benefits of the requirement we propose. 42. We also seek comment on the proposal’s costs for gateway providers. While the Commission previously acknowledged claims that it was “unduly burdensome in some cases” to require all intermediate providers to authenticate unauthenticated calls, Id. we anticipate that our proposal will not be unusually costly for gateway providers compared to voice service providers already required to implement caller ID authentication. Further, as more and more providers implement STIR/SHAKEN, we anticipate that technology and solutions will be more widely available and less costly to implement. We seek comment on this analysis. Is there any reason to believe that authentication is more costly for gateway providers compared to other providers or that the benefit of lower-level attestations would be limited? 43. Requirements. We propose that, to comply with the requirement to authenticate calls, a gateway provider must authenticate caller ID information for all SIP calls it receives for which the caller ID information has not been authenticated and which it will exchange with another provider as a SIP call. This proposal follows the caller ID authentication rule governing intermediate provider authentication of unauthenticated calls they receive, where intermediate providers elect authentication instead of cooperation with tracebacks. 47 CFR § 64.6302(b). As noted, the call blocking rules have mooted this choice. See supra para. 40. We seek comment on whether and how to alter this proposal. Are there any scenarios in which transmitting a call with authenticated caller ID information is not possible, and if so, how should we address any such circumstances? Should we adopt a technical feasibility exception, as we have established for voice service providers with respect to the obligation to transmit an authenticated call with authenticated caller identification information to the next voice service provider or intermediate provider in the call path? 47 CFR § 64.6301(a)(2). Would establishing exceptions present the possibility for abuse? 44. We propose that, as with our requirement on voice service provider authentication, a gateway provider satisfies this requirement if it adheres to the three ATIS standards that are the foundation of STIR/SHAKEN—ATIS-1000074, ATIS-1000080, and ATIS-1000084—and all documents referenced therein. First Caller ID Authentication Report and Order, 36 FCC Rcd at 3258, para. 36. We also propose that compliance with the most current versions of these standards as of the date of release of any Report and Order following this Further Notice, including any errata as of that date or earlier, represents the minimum requirement to satisfy our rules. Id. at 3258-59, para. 36. We seek comment on this approach. Are there any reasons these standards are not appropriate for gateway providers? Are there any technical challenges that may emerge (e.g., will the addition of the authenticated Identity Header in the SIP message cause UDP fragmentation)? And if so, how can they be mitigated? Alternatively, are there other standards we should require gateway providers to adhere to? Should we require compliance with standards current as of an earlier date? If so, which date? 45. Because we propose permitting gateway providers to authenticate caller ID information in a manner consistent with industry standards, we do not propose limiting the attestation level they may assign to a given call. To the extent standards allow a gateway provider to assign “full” (A-level) or “partial” (B-level) attestation to a call, under this proposal they are free to do so; they would not be limited to assigning “gateway” (C-level) attestation. Stakeholders previously supported this approach regarding intermediate providers, Second Caller ID Authentication Report and Order, 36 FCC Rcd at 1926-27, paras. 142-43. and we seek comment on whether this continues to be the best approach to attestations by gateway providers, a subset of intermediate providers. Is there a reason we should limit gateway providers to assigning a certain attestation level or levels, and if so what level? Under what circumstances would gateway providers be able to assign, and anticipate assigning, an A- or B-level attestation? 46. Non-IP Network Technology. As we have explained, the STIR/SHAKEN framework is an IP-based solution. How should we address gateway providers that use non-IP network technology? How prevalent is non-IP network technology among gateway providers? Are gateway providers using non-IP network technology less likely or more likely to be the point of entry for foreign-originated illegal robocalls onto the U.S. network? Our rules require voice service providers with non-IP network technology to either upgrade their network to IP and implement STIR/SHAKEN, or work with a working group, standards group, or consortium to develop a non-IP caller ID authentication solution. 47 CFR § 64.6303. Should we adopt a similar requirement here? We do not currently apply a similar requirement to intermediate providers, including gateway providers. In our preliminary view, however, adopting such a requirement for gateway providers may be warranted to prevent evasion of any restrictions we establish by bad actors. We seek comment on this view. The Commission previously stated that it would “continue to evaluate whether an effective non-IP caller ID authentication framework emerges” and, “if and when [it] identif[ies] an effective framework, [it] expect[s] to . . . shift . . . from focusing on development to focusing on implementation.” Second Caller ID Authentication Report and Order, 36 FCC Rcd at 1874, para. 32. We seek comment on adopting this same approach with respect to gateway providers here. Should we instead mandate that gateway providers with non-IP network technology implement a non-IP caller ID authentication solution, such as Out-of-Band STIR? See id. at 1873-74, para. 31 (discussing Out-of-Band STIR non-IP authentication framework); see also Press Release, TransNexus, Shaken for TDM Standards Approved (July 15, 2021), https://transnexus.com/news/2021/shaken-for-tdm-standards-approved/?utm_source=salesforce&utm_medium=email&utm_campaign=shaken (announcing approval by the ATIS non-IP call authentication Task Force of two technical standards, Extending STIR/SHAKEN over TDM (ATIS-1000095) and SHAKEN: Out-of-Band PASSporT Transmission involving TDM Networks (ATIS-1000096)). Should gateway providers relying on non-IP technology continue to be fully exempt from any obligation to implement caller ID authentication, like other intermediate providers? 47. Token Access. Does the Governance Authority’s token access policy STI-GA Token Access Policy. serve as a barrier to participation in STIR/SHAKEN for all or a subset of gateway providers? That policy requires entities to have a current FCC Form 499-A on file with the Commission, have been assigned an Operating Company Number (OCN), and have either direct access to numbering resources or filed a certification in the Robocall Mitigation Database in order to obtain a token necessary to participate in STIR/SHAKEN. Id. We assume that gateway providers that are already acting as voice service providers and are subject to the duty to authenticate calls they originate or terminate may have already obtained a token in order to comply with their duties as a voice service provider. Is that assumption correct? How many gateway providers also serve as voice service providers? While providers so situated may already possess the necessary token, will other gateway providers have difficulty obtaining tokens under the current policy? Do some or all gateway providers have no obligation to file an FCC Form 499-A because they do not fall under one of the categories of entities required to submit the form? See 2021 Instruction to the Telecommunications Reporting Worksheet, FCC Form 499-A, p. 4-5 (listing the entities that must file), https://www.usac.org/wp-content/uploads/service-providers/documents/forms/2021/2021-FCC-Form-499A-Form-Instructions.pdf. If so, should we encourage the Governance Authority to waive for such providers the requirement to file an FCC Form 499-A to obtain a token? Are some or all gateway providers unable to obtain an OCN based on the National Exchange Carrier Association’s (NECA) policies? See NECA, Company Code Request Instructions, https://www.neca.org/business-solutions/company-codes/company-code-request-instructions. If certain gateway providers are not required to file a Form 499-A or cannot readily obtain an OCN, should we encourage or require the Governance Authority to modify its token access policy to ensure that gateway providers are able to obtain a token and comply with an authentication requirement? And do we need to make changes to our Robocall Mitigation Database to allow compliance with the Governance Authority’s filing requirement? 48. Compliance Deadline. We seek comment on when we should require gateway providers’ authentication obligation to become effective, mindful of the public interest of prompt implementation by gateway providers with the need for these providers to have sufficient time to implement our proposed obligation. We note that the STIR/SHAKEN caller ID authentication obligations in the TRACED Act became effective 18 months following its enactment, See TRACED Act, Public Law 116-105—Dec. 30. 2019; id. § 4(b) (requiring the Commission to require voice service providers to implement STIR/SHAKEN, subject to exceptions, “not later than 18 months after the date of the enactment of this Act”). and voice service providers were able to meet that deadline. Our rules adopted pursuant to the TRACED Act grant certain providers exemptions and extensions from this deadline. See 47 CFR § 64.6304 (granting extensions to various classes of providers, including “small” voice service providers); 47 § 64.6306 (establishing a process to obtain an exemption). Accordingly, would a March 1, 2023 deadline, falling approximately 18 months after we adopt this Further Notice, be a reasonable deadline for implementation of our authentication obligation? Would an earlier or later deadline for all gateway providers better balance the benefit of the rule against the burden? 49. Should we modify our proposed deadline for certain classes of gateway providers? For example, should we identify a subset of gateway providers that are most likely to be the conduit for illegal robocalls and subject them to an accelerated timeline? How should we identify such providers? Should we identify those gateway providers that have received at least a certain number of traceback requests or other indicia of involvement in illegal robocalling? If so, what would be an appropriate threshold? What deadline should we give such providers? Instead, should we expect faster implementation of STIR/SHAKEN by those gateway providers that are also voice service providers under our STIR/SHAKEN rules, are not subject to an extension or exemption, and therefore are already authenticating caller ID information for calls they originate? Will a provider so situated be in a better position to implement STIR/SHAKEN quickly? If so, why? 50. In the Second Caller ID Authentication Report and Order, the Commission granted several categories of voice service providers that faced undue hardship in implementing STIR/SHAKEN additional time for compliance, consistent with the directive of the TRACED Act: small voice service providers, providers unable to receive a token from the Governance Authority, and services subject to discontinuance. Second Caller ID Authentication Report and Order, 36 FCC Rcd at 1876-83, paras. 39-51. Should we grant any categories of gateway providers extensions or exceptions from our proposed authentication requirement on the basis of undue hardship or for another reason? Are the extensions the Commission previously granted for STIR/SHAKEN based on undue hardship relevant to the context of gateway providers? For instance, should we grant small gateway providers an extension from any deadline we establish, and, if so, which gateway providers should we define as “small?” See Call Authentication Trust Anchor, WC Docket No. 17-97, Third Further Notice of Proposed Rulemaking, 36 FCC Rcd 8827 (2020) (proposing to shorten the existing STIR/SHAKEN implementation extension for those small voice service providers most likely to originate illegal robocalls from June 30, 2023 to June 20, 2022). Or would doing so undermine the value of any requirements we adopt? If we grant an extension to some gateway providers, how much additional time would be appropriate in light of the public interest of prompt participation in the STIR/SHAKEN framework? If we grant an exemption, how would any exemption square with the importance of ubiquitous STIR/SHAKEN? Instead of a categorical approach, should we rely on individualized waiver requests pursuant to the Commission’s longstanding waiver standard? The Commission may exercise its discretion to waive a rule where the particular facts at issue make strict compliance inconsistent with the public interest. Northeast Cellular Tel. Co. v. FCC, 897 F.2d 1164, 1166 (D.C. Cir. 1990). In considering whether to grant a waiver, the Commission may take into account considerations of hardship, equity, or more effective implementation of overall policy on an individual basis. WAIT Radio v. FCC, 418 F.2d 1153, 1159 (D.C. Cir. 1969). D. Robocall Mitigation 51. While our caller ID authentication rules require voice service providers to implement STIR/SHAKEN or, if they are subject to an extension, to implement an appropriate robocall mitigation program, in this Notice we propose requiring gateway providers to apply both of these protections to calls they bring onto the U.S. network. We further propose and seek comment on additional requirements on gateway providers, at least some of which go beyond those that currently apply to voice service providers. First, we propose to require gateway providers to respond to all traceback requests from the Commission, law enforcement, and the industry traceback consortium within 24 hours. Second, we propose and seek comment on imposing mandatory blocking requirements on gateway providers. Third, we seek comment on establishing know-your-customer requirements for gateway providers. Fourth, we seek comment on requiring gateway providers to adopt certain contractual provisions with foreign providers from which they accept calls. Finally, in addition to adopting one or more of these robocall mitigation requirements, we propose to establish a general duty on gateway providers to mitigate illegal robocalls. 1. 24-Hour Traceback Requirement 52. We propose to require gateway providers to respond fully to all traceback requests from the Commission, civil or criminal law enforcement, and the industry traceback consortium within 24 hours of receiving such request. This requirement would be stricter than our general obligation, which requires that voice service providers (including intermediate providers) respond to traceback requests “in a timely manner.” 47 CFR § 64.1200(n)(1); Fourth Call Blocking Order, 35 FCC Rcd at 15227-29, paras. 15-21. As we have stated in the past, traceback is an essential part of identifying the source of illegal calls. See, e.g., Fourth Call Blocking Order, 35 FCC Rcd at 15227, para. 15. Information gained from traceback can both aid in enforcement after calls are placed and be used proactively to stop further calls from a particular source. We believe that time is of the essence in all tracebacks, but particularly for foreign-originated calls where the Commission or law enforcement may need to work with international regulators to obtain information from providers outside of U.S. jurisdiction. 53. We seek comment on this proposal. Is a mandatory 24-hour response time appropriate, or should we consider a different response time? Because gateway providers are already required to respond to traceback “timely,” we believe that this enhanced requirement presents a minimal burden on gateway providers. Id. at 15228, para. 17 n.52. We seek comment on this tentative conclusion. Are there any instances where a gateway provider may need more time to respond? If so, what would cause such a delay (e.g., what are the technical and/or operational challenges that would contribute to the delay)? How might we address any such problems to best enable gateway providers to meet such a requirement? Should we instead consider requiring response in a shorter time than 24 hours? Are there additional benefits or burdens to requiring a faster response time? Are there any other issues we should consider in adopting such a requirement, such as the impact on small gateway providers? 54. We seek comment on other means to improve traceback when calls originate internationally. Are there other, or additional, steps the Commission could take to improve this process and make bad actors easier to identify and stop? Should the Commission consider taking these steps in addition to, or instead of, requiring gateway providers to respond within 24 hours? What benefit would these approaches provide? Are there any particular burdens or concerns the Commission should consider when weighing these options? 55. Compliance Deadline. We propose to require gateway providers to comply with this requirement by 30 days after publication of the notice of an Order adopting this requirement in the Federal Register. Because gateway providers are already required to respond to traceback requests “fully and timely,” Id. we do not believe there is any reason to further delay implementation of this requirement. We seek comment on this proposal and analysis. Would a different compliance deadline be more appropriate and, if so, why? 2. Mandatory Blocking 56. To date, the Commission has generally taken a permissive approach to call blocking, allowing voice service providers the flexibility to block in certain instances, but not requiring blocking. See, e.g., First Call Blocking Order, 32 FCC Rcd at 9710-21, paras. 10-40; Call Blocking Declaratory Ruling and Further Notice, 34 FCC Rcd at 4884-91, paras. 26-46; Third Call Blocking Order and Further Notice, 35 FCC Rcd at 7625-31, 7633-37, paras. 51-60, 25-45; Fourth Call Blocking Order, 35 FCC Rcd at 15234-47, paras. 39-78. In adopting the effective mitigation requirement, the Commission did make clear that gateway providers may be required to block in order to comply. Fourth Call Blocking Order, 35 FCC Rcd at 15231, para. 26. The Commission’s rules also direct intermediate and voice service providers to only accept calls using NANP numbers sent directly from voice service providers with a filing in the Robocall Mitigation Database. 47 CFR § 64.6305(c). This requirement is distinct from our blocking requirements. Unfortunately, illegal calls continue to plague American consumers. When calls originate outside the United States, enforcement against, or even identification of, the caller is much more difficult. Gateway providers are positioned to reduce the flood of foreign-originated illegal calls before they reach American consumers. If a gateway provider stops a single calling campaign before it enters the U.S. network, no American consumers will receive those calls. Because gateway providers may, in many cases, not have direct relationships with American consumers, they may lack incentive to take aggressive action absent a mandate. To address these issues, we seek comment on several possible approaches to requiring gateway providers to block calls, particularly where those calls bear a U.S. number in the caller ID field. 57. Gateway Provider Blocking Based on Commission Notification of Illegal Calls. In the Fourth Call Blocking Order, the Commission adopted rules requiring voice service providers, including gateway providers, to “take steps to effectively mitigate” illegal traffic when notified of such traffic by the Commission. Fourth Call Blocking Order, 35 FCC Rcd at 15229-31, paras. 22-31. The Commission noted that gateway providers may need to block calls in order to comply with this requirement as, unlike originating voice service providers, they often do not have a direct relationship with the call originator. Id. at 15231, para. 26. We believe that modifying this rule to affirmatively require gateway providers to block calls upon receipt of notification from the Commission through its Enforcement Bureau would better protect American consumers from illegal calls and thus seek comment on whether to do so. We therefore propose to strengthen our existing effective mitigation requirement as to gateway providers. Specifically, we propose to require gateway providers, following a prompt investigation to determine whether the traffic identified in the Enforcement Bureau’s notice is illegal, to promptly block all traffic associated with the traffic pattern identified in that notice. We seek comment on this proposal. 58. We seek comment on whether allowing gateway providers to investigate prior to blocking strikes the correct balance. Currently, our rules do not specify how quickly a voice service provider must act, but do require that it investigate and report to the Commission “promptly.” The report must include any steps taken to effectively mitigate the identified traffic or an explanation as to why the provider has concluded that the identified calls were not illegal. 47 CFR § 64.1200(n)(2). Is this the correct approach given the heightened risk of foreign-originated illegal robocalls, or should we adopt a stricter standard for gateway providers? For example, should gateway providers block calls prior to investigation? If so, should we require that gateway providers implement blocking immediately upon receipt of notification? If not, what is an appropriate delay prior to implementing a block? If we require blocking prior to investigation, how can we ensure that gateway providers are granted due process? What are the risks associated with a too-long or too-short time, and how might we mitigate those risks? Are there any other issues we should consider in determining how quickly a gateway provider must block calls and whether to allow investigation prior to blocking? 59. We seek comment on the contours of the blocking obligation. Should we require the notified gateway provider to block all calls that meet criteria identified by the Enforcement Bureau in its notice that make it highly likely that the calls are part of the same call pattern as those calls that the Commission has determined to be illegal? The Fourth Call Blocking Order established specific details that the Enforcement Bureau must include in its notice. Fourth Call Blocking Order, 35 FCC Rcd at 15230, para. 23. Or should we allow gateway providers some discretion to determine the scope of the block based on the Enforcement Bureau’s notice? If we allow discretion, should we instead establish general guidelines in our rules, to ensure that a gateway provider can know that it is in full compliance with our rules? If so, what might these guidelines look like? If we adopt our proposal of permitting a gateway provider to investigate prior to blocking, should we require the gateway provider to indicate what criteria it is using, based on the Enforcement Bureau’s notice and its own investigation, in its response to the Commission? Alternatively, should we require that gateway providers, regardless of the specifics of the call pattern, block all calls that purport to originate from the same number(s) as the identified illegal traffic? Is there some other approach that we should consider? What are the risks of each approach? Specifically, what is the risk that lawful calls will be blocked, or that illegal calls will continue from the same source despite the gateway provider’s compliance? How can we reduce unnecessary burdens on gateway providers under each approach? Are there any other issues we should consider in determining how a gateway provider may comply with this requirement, such as the impact on small businesses? 60. Requiring Downstream Providers to Block Calls from Bad-Actor Gateway Providers. A complementary approach to requiring gateway providers to block calls is to require the voice service provider or intermediate provider downstream from the gateway provider to block where the Commission determines a particular gateway provider is a bad actor. In the Third Call Blocking Order and Further Notice, we used the phrase “bad actor” when discussing originating or terminating providers that fail to take appropriate steps to prevent their networks from being used to originate or transmit illegal calls. Third Call Blocking Order and Further Notice, 35 FCC Rcd at 7623 n.57. Here, we expand our use of that term to include gateway providers that fail to comply with the rules we propose above. Supra paras. 57-59. This approach provides a strong incentive for the gateway provider to avoid having its traffic blocked by ensuring that it complies with our rules. In the Third Call Blocking Order and Further Notice, the Commission encouraged, without requiring, such blocking by establishing a safe harbor for terminating voice service providers and intermediate providers that choose to block calls from bad-actor upstream providers once certain criteria are met. Third Call Blocking Order and Further Notice, 35 FCC Rcd at 7627-31, paras. 35-45. In conjunction with our mandatory blocking proposal above, we propose that, should a gateway provider fail to comply with those requirements, the Commission, through its Enforcement Bureau, may send a notice to all providers immediately downstream from the gateway provider in the call path. Upon receipt of such notice, all providers must promptly block all traffic from the identified gateway provider, with the exception of 911 and PSAP calls. We seek comment on this approach. 61. Currently, our rules allow a downstream provider to block and cease accepting all traffic from a bad-actor upstream provider which, upon receipt of Commission notice of illegal traffic, fails to either effectively mitigate that traffic or fails to take steps to prevent new and renewing customers from originating illegal calls. 47 CFR § 64.1200(k)(4); Third Call Blocking Order and Further Notice, 35 FCC Rcd at 7627-31, paras. 35-45. If a gateway provider fails to effectively mitigate illegal traffic, calls continue to reach American consumers, and enforcement only comes after the fact. For these reasons, we believe there is value in requiring the voice service provider or intermediate provider immediately downstream from a gateway provider to block all calls from that gateway provider in the event that the gateway provider fails to effectively mitigate, or block if required, illegal traffic once notified of such traffic by the Commission via the Enforcement Bureau. We seek comment on this view. 62. We seek comment on how much time gateway providers should have to begin effectively mitigating, or blocking, calls before directing downstream providers to block all calls from that gateway provider. Should we require that gateway providers take such steps “promptly,” consistent with our existing rules? If we instead adopt a stricter requirement for gateway provider action, should we immediately notify downstream providers to block, or allow additional time before taking that step? If we determine more time is appropriate, how long should we delay our notification to downstream providers? If we use the “promptly” standard, how should we determine what is “prompt” for these purposes? Should we notify gateway providers before directing downstream providers to block and thereby give the gateway provider an additional chance to mitigate the traffic? What are the costs and benefits of each approach? 63. We seek comment on how much time to permit downstream providers to begin blocking calls from the identified gateway provider. Should we require that the downstream provider begin blocking immediately? Are there any technical or practical barriers to immediate blocking? If so, how can we address them? If we do not require immediate blocking, how much time should we allow? What are the costs and benefits of each approach? Are there any other issues we should consider around timing? 64. We seek comment on how best to notify downstream providers when blocking is required. Where there are multiple providers immediately downstream from the gateway provider, should we directly notify them all? If so, how can we ensure that every relevant provider is notified? Alternatively, should we notify a single entity, such as the industry traceback consortium, and require that downstream providers work with that entity to obtain this information? If so, does this alter the timeline for compliance? Is there some other approach that would be more appropriate, such as a public notice or use of the Robocall Mitigation Database? We also seek comment on how we can determine whether a downstream provider is complying with this blocking requirement. Should we require the downstream provider to block all calls from the identified gateway provider, or just those that are part of the identified call pattern? 65. Finally, we recognize that blocking of all traffic from a particular gateway provider is likely to have a profound impact on that gateway provider’s ability to do business. We therefore seek comment on whether to adopt additional due process steps or requirements to ensure that these rules are not erroneously applied to gateway providers. Is allowing investigation prior to requiring blocking sufficient, or should we adopt additional protections? If we do not allow investigation prior to blocking, should we adopt additional due process protections prior to directing downstream providers to block? Additionally, should we adopt rules to direct downstream providers to cease blocking if the gateway provider later takes appropriate steps to effectively mitigate or block the identified traffic? If so, what should be included in these rules? When would it be appropriate to direct downstream providers to cease blocking? How much time should we allow for this to occur? Should we use the same means of notification? We seek comment on any other issues we should consider in adopting such a requirement, including the impact on small businesses. 66. Blocking Based on Reasonable Analytics. Our rules currently permit broad blocking based on reasonable analytics by terminating voice service providers only and, in most cases, require those providers to allow customers to opt out. Third Call Blocking Order and Further Notice, 35 FCC Rcd at 7624-27, paras. 25-34; see also Call Blocking Declaratory Ruling and Further Notice, 34 FCC Rcd at 4884-90, paras. 26-42. One-ring scam blocking also uses “reasonable analytics” and may be used by any voice service provider or intermediate provider in the call path without requiring any opt-out provisions. See 47 CFR § 64.1200(k)(2)(iv). However, the use of analytics for one-ring scam calls is more narrowly tailored, designed to identify only one particular type of illegal call. In contrast, the Commission’s other authorizations of blocking based on reasonable analytics have permitted terminating voice service providers broad discretion to block unwanted calls or calls that are highly likely to be illegal and are not limited to analytics designed to identify a specific, identified, type of call. The Fourth Call Blocking Order expanded the safe harbor for blocking based on reasonable analytics to include network-based blocking without any opt-out requirement where the provider’s analytics are designed to identify calls that are “highly likely to be illegal” so long as they meet other requirements. Fourth Call Blocking Order, 35 FCC Rcd at 15234-38, paras. 39-47. In all cases of broad authorizations of blocking based on reasonable analytics, the voice service provider must disclose to customers that it is engaging in this blocking. Id. at 15235-36, para. 4 (making clear that blocking must be disclosed to the customer); Third Call Blocking Order and Further Notice, 35 FCC Rcd at 7625, para. 25 (requiring that consumers be given the opportunity to opt out). Because these broad authorizations allow only terminating voice service providers to block calls, only customers of those voice service providers that block calls are protected. In our effort to increase protection for American consumers, we propose to require gateway providers to block calls that are highly likely to be illegal based on reasonable analytics, preventing these calls from entering the U.S. network. We further propose additional requirements around this blocking consistent with our existing authorization of blocking based on reasonable analytics designed to identify calls that are highly likely to be illegal for terminating voice service providers. Specifically, we propose to require gateway providers to: 1) incorporate caller ID authentication information where available; 2) manage the blocking with human oversight and network monitoring sufficient to ensure that it blocks only calls that are highly likely to be illegal, which must include a process that reasonably determines that the particular call pattern is highly likely to be illegal before initiating blocking of calls that are part of that pattern; 3) cease blocking calls that are part of the call pattern as soon as the gateway provider has actual knowledge that the blocked calls are likely lawful; and, 4) apply all analytics in a non-discriminatory, competitively neutral manner. We seek comment on these proposals. 67. We believe requiring gateway providers to use reasonable analytics to block will increase blocking of illegal calls entering the U.S. network, and will build on the success of current reasonable analytics blocking. We thus believe using the “highly likely to be illegal” standard for gateway provider blocking makes sense. We seek comment on this view. We also recognize that a standard with flexibility, such as this one, can result in over- or under-inclusive blocking and that, unlike terminating voice service provider blocking, consumers will have no recourse for erroneous gateway provider blocking. 68. How should we address this potential problem? We propose to require gateway providers to manage the blocking with human oversight and network monitoring sufficient to ensure that only calls that are highly likely to be illegal are blocked. This is consistent with our requirement for terminating voice service providers that block calls that are highly likely to be illegal without consumer opt out. Fourth Call Blocking Order, 35 FCC Rcd at 15236, paras. 42-43. Is this the correct approach? If not, should we require a different process? If so, what would this process look like? Are there steps we could take to otherwise reduce the risk that lawful calls will be blocked? Should we adopt additional requirements to ensure that a gateway provider can be certain that its blocking is within the scope of our rules, rather than under- or over-inclusive? Would a gateway provider that makes use of comparatively conservative blocking analytics be subject to liability for under-blocking? If so, how might we address this issue? Are there any other issues we should consider in taking this approach? 69. Consistent with our existing safe harbor for the blocking of calls based on reasonable analytics, we propose to require gateway providers to incorporate caller ID authentication information, where that information is available, and to ensure that all analytics are applied in a non-discriminatory, competitively neutral, manner. Is this the appropriate approach? Should we modify or remove either of these requirements in this context? If so, how might we change them? We also propose to require that gateway providers cease blocking calls that are part of the call pattern as soon as the gateway provider has actual knowledge that the blocked calls are likely lawful. We believe that this is the best approach to reduce the risk of lawful calls being blocked. We seek comment on this belief. Should we modify our approach in this context? For example, should we require gateway providers to obtain further confirmation that calls are lawful? Or, in contrast to that option, should we require a gateway provider to cease blocking whenever it receives information that particular calls may be lawful? If we take this approach, should we require gateway providers to investigate this information to determine whether it is accurate and, if it is inaccurate, resume blocking? 70. Should we provide further guidance as to what constitutes “reasonable analytics” in this context? Other than in the First Call Blocking Order, we have declined to establish specific standards, both out of a concern that such standards will create a road map for bad actors seeking to avoid blocking and to allow flexibility in response to evolving threats. Under the First Call Blocking Order, voice service providers, as well as intermediate providers, are permitted to block based on the number in the caller ID field. Specifically, blocking is permitted where the number is unused, unallocated, or invalid, or where the subscriber to the number has indicated that it does not use the number to originate calls and requests that all calls purporting to originate from that number be blocked. First Call Blocking Order, 32 FCC Rcd at 9710-21, paras. 10-40. However, we want to ensure that a gateway provider has notice as to whether or not it is in compliance with our rules. Are there standards we could adopt here that would provide certainty to gateway providers without allowing bad actors to easily circumvent blocking? Would this approach reduce the burden on small businesses by providing certainty? We further seek comment on whether we should consider bases for blocking other than reasonable analytics and how they would better serve consumers. Are there any other issues we should consider if we set specific standards? 71. Gateway Provider Do Not Originate. The Commission has authorized voice service providers (including intermediate providers) to block calls where: (1) the subscriber to the number indicated that that number should never be used to originate calls; (2) the number was unallocated; (3) the number was unused; or, (4) the number was invalid. Id. Voice service providers and intermediate providers need not obtain consumer consent for blocking these calls, as there is no valid reason for these numbers to originate calls. Id. at 9722, paras. 44-47. There are at least two do-not-originate list implementations in use by industry that take different approaches to the issue. Industry Traceback Group, Policies and Procedures Revised July 2021 at 17-18, Appx. B, https://ustelecom.org/wp-content/uploads/2021/01/ITG_Policies-and-Procedures_2021.pdf (ITG Policies) (laying out policies for the Industry); Somos, Help Protect the Integrity of Toll-Free, https://www.somos.com/realnumber-interest. We seek comment on requiring gateway providers to block calls purporting to originate from numbers on a do-not-originate list. 72. Should we require gateway providers to block calls from numbers on a do-not-originate list? If so, what numbers should be included on the list? The Industry Traceback Group, for example, maintains a “measured and tightly controlled process” for adding numbers to the do-not-originate list it operates based on the rules adopted in the First Call Blocking Order. ITG Policies at 17-18, Appx. B. Its policies allow for a do-not-originate request from federal and state government entities where the number is legitimately used for inbound calls only, is currently spoofed to perpetrate impersonation-focused fraud, is authorized for participating in the list by the party to which the telephone number is assigned, and is recognized by consumers as belonging to a legitimate entity. Id. Private entities that wish to have numbers added to the list must meet additional requirements. The additional policies for private entities include a thorough vetting process and a requirement that there be “active and significant fraudulent activity” involving spoofing. There also may be an administrative charge assessed. Id. Should we take a similar approach for adding numbers to a do-not-originate list? Alternatively, should we take a broader approach and allow any number that should never be originating calls outside the United States to be added by the person or entity to which the number is assigned? Should we include other categories of numbers, such as unused or unallocated numbers? Are there any specific standards or vetting processes we should adopt to ensure that numbers are not added in error? What benefits and risks would each specific approach create? Are there any other factors we should consider in determining what numbers may be added to the list? 73. We seek comment on how we might implement such a list. Who should maintain the list? For example, should it be the maintained by the Commission, the industry traceback consortium, or some other entity? What are the advantages and disadvantages of each approach? Should the list be public or private? If public, how can we ensure that bad actors cannot abuse the list? If private, how can we ensure the security of the list? How might we collect these numbers, and how can we ensure that the costs of collecting, vetting, and maintaining the list are recouped? Should the list be combined with an existing do-not-originate list, such as the Industry Traceback Group’s list, or should it be completely separate? Should we adopt a formal process for removing numbers from the list? Are there any approaches that would reduce these costs without eliminating the benefits? Are there any other particular issues we should consider in determining how to implement the list, including the impact on small businesses? 74. Alternative Blocking Programs. We seek comment on other potential mandatory blocking programs for gateway providers. Are there any other approaches to mandatory blocking we should consider? If so, what are the specifics of each approach, and what issues should we consider when adopting rules? What benefits would the blocking provide? What risks would the blocking pose, including the risk of blocking lawful calls? What burdens would the blocking pose for gateway providers? Should we consider the approach instead of, or in conjunction with, another type of blocking? 75. Protections for Lawful Calls. We believe that all blocking contains some risk of erroneous blocking, e.g., blocking calls that are not illegal. For example, a particular caller’s call patterns could look similar enough to the patterns of an illegal caller and a gateway provider, acting in good faith, could believe that the caller is placing illegal calls and thus block them. We seek comment on appropriate transparency and redress options that could accompany mandatory blocking requirements for gateway providers. What transparency and redress requirements should we adopt? Are the requirements we have already adopted sufficient, 47 CFR § 64.1200(k)(8)-(10). or are there reasons to adopt additional, or alternative, requirements? Should our transparency and redress requirements vary depending on what blocking approach we adopt? If so, how? Are there steps we should take to reduce issues related to language barriers? Are there any other issues we should consider? 76. We want to be particularly careful of the risk of blocking emergency calls, such as calls to 911, or calls from PSAPs and government emergency outbound numbers. We seek additional comment on protections for public safety calls more broadly elsewhere in this item. See infra paras. 100-01. We seek comment on how to address these concerns. What is the risk of such calls being blocked under each of our proposals? Should we require that gateway providers never block such calls, or is a different approach more appropriate? 77. Limitation of Liability for Compliance with Mandatory Blocking. Aside from the Commission’s prior statement that gateway providers may need to block calls in order to comply with the requirement to effectively mitigate illegal traffic, Fourth Call Blocking Order, 35 FCC Rcd at 15231, para. 27. our existing rules generally do not require blocking. Instead, they focus on permitting blocking and ensuring that voice service providers will not be subject to liability under the Act and the Commission’s rules when blocking in certain instances. See, 47 CFR § 64.1200(k)(3)-(4), (11); see also First Call Blocking Order, 32 FCC Rcd at 9710-21, paras. 10-40; Call Blocking Declaratory Ruling and Further Notice, 34 FCC Rcd at 4884-91, paras. 26-46; Third Call Blocking Order and Further Notice, 35 FCC Rcd at 7625-31, 25-45 7633-37, paras. 51-60; Fourth Call Blocking Order, 35 FCC Rcd at 15234-47, paras. 39-78. We seek comment on whether, if we adopt mandatory blocking requirements, we should take a similar approach here. Our previous safe harbors were designed to incent blocking by ensuring that providers do not face liability for good faith blocking. See, e.g., Third Call Blocking Order and Further Notice, 35 FCC Rcd at 7624-25, paras. 23-24. Here, blocking would be mandatory. Given this, is there a need for such a safe harbor? Could gateway providers be subject to liability under the Act or the Commission’s rules for steps taken to comply with any of the blocking options we discuss in this Further Notice? If so, what is the source of this liability? Should we provide a blanket safe harbor under the Act and the Commission’s rules, or should we limit that protection to actions taken to comply in good faith? If we have a good faith requirement, should we define good faith, and, if so, how? Should gateway providers be required to make a particular showing to demonstrate good faith sufficient to absolve them of liability for inadvertently blocking legal calls? For example, should we require an officer of a gateway provider to certify to the Commission, in the company’s Robocall Mitigation Database certification or elsewhere, that they have acted in good faith and complied with our redress requirements? Are there any other issues we should consider? 78. We seek comment on how to determine whether a gateway provider has met its obligation to block under each of these options. As the Commission has previously concluded, “we do not expect perfection in mitigation.” Fourth Call Blocking Order, 35 FCC Rcd at 15229, para. 20. To address this concern, should we establish a good faith standard under which a gateway provider making its best, good faith efforts to block is not liable in cases where illegal traffic is not blocked? What would this obligation look like? How might we determine that a gateway provider is acting in good faith rather than willful ignorance? Should we make clear that a gateway provider will not be liable for failing to block where the information is not readily available, or should we adopt a different standard? We seek comment on what information is “readily available” to gateway providers at the time of the call. Is certain information available to gateway providers, but too expensive or inconsistently available to be considered “readily available” for all or some providers? What information might not be readily available at the time of the call but is readily available after the fact, allowing or requiring gateway providers to mitigate or block the traffic from the same source at a later time? Are there specific criteria we should use to provide regulatory certainty? Are there other issues we should consider? 79. Compliance Deadline. We propose to require gateway providers to comply with any mandatory blocking requirement by 30 days after publication of the notice of any Order adopting blocking requirements in the Federal Register or the publication of notice of Office of Management and Budget (OMB) approval under the Paperwork Reduction Act (PRA), where appropriate. We seek comment on this proposal. Should we allow additional implementation time for any or all of the proposed blocking requirements? If so, how much of a delay is appropriate and, if so, why? 3. “Know Your Customer” Requirements for Gateway Providers 80. Our rules currently require a voice service provider to “[t]ake affirmative, effective measures to prevent new and renewing customers from using its network to originate illegal calls, including knowing its customers and exercising due diligence in ensuring that its services are not used to originate illegal traffic.” 47 CFR § 64.1200(n)(3). This rule generally applies to originating providers and, under our proposed definition, gateway providers do not have a direct relationship with the call originator and instead receive calls from a number of upstream originating or intermediate providers. As a result, gateway providers may not have a “customer” to “know” for the purpose of complying with a “know your customer” requirement. We believe, however, that extending “know your customer” obligations to gateway providers could benefit U.S. consumers. First, we propose and seek comment on requiring gateway providers to confirm that a foreign call originator is authorized to use a particular U.S. number that purports to originate the call. We then seek comment on whether, and how, to apply additional “know your customer” requirements to gateway providers to reduce the risk of illegal calls entering the U.S. network, including who the gateway provider’s “customer” should be for this purpose. 81. Use of U.S. NANP Numbers for Foreign-Originated Calls. While there are valid reasons for some U.S. numbers to originate calls internationally, spoofing allows a bad-actor foreign caller to appear to a consumer as a U.S.-based entity, making it more likely a U.S. consumer will answer the phone. We propose and seek comment on requiring gateway providers to confirm that a foreign originator is authorized to use the particular U.S. number that purports to originate the call. We further propose to make clear that this requirement applies only when an originator seeks to place a high volume of calls using a U.S. number, and does not apply to traffic consistent with private, individual use. 82. We seek comment on how a gateway provider can best comply with this requirement. Is it feasible for a gateway provider to obtain useful information? If so, can the gateway provider reliably gather this information prior to calls being placed? If so, how? If information is not available until after some calls have been placed, should we instead require the gateway provider to obtain this information within a set amount of time after receiving the first call purporting to originate from a particular U.S. number? How might a gateway provider get this information? How long is appropriate for gathering this information? Should our requirement be based on the number of calls placed, or the time since the first call was placed? We also seek comment on whether there is the possibility for gateway providers to have contractual relationships with call originators, distinct from their position on the call path, such that they will transmit all calls for a particular caller. If so, does this change the feasibility of obtaining useful information? Should any requirement we adopt apply to all gateway providers, or only to gateway providers with contractual relationships with callers, distinct from the relationship between a caller and originating voice service provider? 83. We seek comment on the scope and extent of this requirement. Should we adopt a carve out to ensure that gateway providers do not prevent origination of emergency calls, including calls to 911, calls from PSAPs, or calls from government emergency outbound numbers? If so, what might this look like? In addition, we specifically propose to impose this requirement only where the originator seeks to place a high volume of calls. We seek comment on this proposal. We are concerned about ensuring that individual callers, such as U.S. residents traveling abroad, are not prevented from placing calls using a number to which they are subscribed while in a foreign country. To address this, should the requirement only be triggered after the gateway provider sees a set number of calls purporting to originate from a particular U.S. number? If so, what is the appropriate threshold to constitute a “high volume” of calls? Are there other measures we could adopt that would ensure that traffic consistent with individual use does not trigger this requirement without allowing the rule to be circumvented by clever callers? Are there any other issues we should consider? 84. Upstream Provider as the “Customer.” Alternatively, should we impose a requirement similar to the rule adopted in the Fourth Call Blocking Order, Id. and require gateway providers to take steps to know the upstream providers from which they receive traffic and prevent those providers from originating illegal traffic onto the U.S. network? While at least a step removed from the call originator, the provider upstream from a particular gateway provider does have a direct relationship with that gateway provider. As a result, it is more likely for a gateway provider to have ready access to information about that upstream provider. We therefore seek comment on defining the provider immediately upstream from the gateway provider to be the gateway provider’s “customer.” If we adopt this definition, what should the gateway provider “know” to be able to reasonably claim it “knows” this “customer”? Should we limit our requirement to information readily available to the gateway provider, or should we require additional information that may be more difficult for a gateway provider to obtain? What information would provide the most benefit in stopping illegal calls? Is such information readily available to the gateway provider? If not, what costs or challenges might the gateway provider face in obtaining this information? Are there ways we could reduce or eliminate these costs or complications? What should a gateway provider be required to do with this information? For example, should we require gateway providers to cease accepting traffic from upstream providers that meet certain criteria? Should this requirement only apply to foreign-originated calls that use a U.S. number in the caller ID field? How does this approach compare to the approach of considering the call originator the “customer” discussed further below? Are there any other technical, legal, or policy considerations we should pay particular attention to if we define the customer as the upstream provider, including the impact on small businesses? 85. Call Originator as the “Customer.” Alternatively, should we consider the call originator the gateway provider’s “customer” for purposes of such a requirement? We believe that the originator, as the entity placing the calls, is probably the most relevant “customer” for the purpose of stopping illegal calls. Unfortunately, the gateway provider, in many cases, may have no direct relationship with the originator, making it significantly more difficult to obtain information. We seek comment on considering the call originator the “customer” for purposes of a know-your-customer requirement. What would be sufficient for a gateway provider to reasonably claim that it “knows” this “customer”? What are the barriers to gateway providers obtaining necessary information from originators and how could we address those barriers? How does this approach compare to the approach of considering the upstream provider the “customer,” discussed above? Are there any other technical, legal, or policy considerations we should pay particular attention to if we define the customer as the call originator? 86. Compliance Deadline. We propose to require gateway providers to comply with “know-your-customer” requirements by 30 days after publication of the notice of any Order adopting such a requirement in the Federal Register. We seek comment on this proposal. Is there any need to delay compliance? If so, why and how much time do gateway providers reasonably need to comply? 4. Contractual Provisions 87. The NANC and industry stakeholders have recommended that gateway providers require their customers to adopt contractual provisions that would help mitigate illegal robocalling. See 2020 NANC Best Practices Report at 4, 9, 11, 15-16, 21, 25; USTelecom, How to Identify and Mitigate Illegal Robocalls at 8 (Oct. 2019), https://www.ustelecom.org/wp-content/uploads/2019/11/USTelecom-Whitepaper-Combating-Illegal-Robocalls.pdf (USTelecom White Paper); Anti-Robocall Principles for Voice Service Providers at 2, https://www.attorneygeneral.gov/wp-content/uploads/2019/08/2019-08-22-State-AGs-Providers-AntiRobocall-Principles-With-Signatories.pdf (State AG Robocall Principles also signed by larger voice service providers); see also Wireline Competition Bureau Issues Caller ID Authentication Best Practices, WC Docket Nos. 17-97 and 20-324, Public Notice, 35 FCC Rcd 14726, 14732, para. 17 (2020) (WCB Caller ID Best Practices). We seek comment on whether, in light of increased risk of foreign-originated illegal robocall campaigns and the critical role gateway providers play in allowing such calls to reach the U.S. market, we should require gateway providers to adopt specific contractual provisions addressing robocall mitigation with foreign providers from which the gateway provider directly receives traffic carrying U.S. NANP numbers, and, in some cases, traffic from their foreign-end user customers (collectively for purposes of this subsection, foreign partners). Under our proposed definition of gateway provider above, a U.S.-based provider would fall outside of the definition of gateway provider if it is not also acting as an intermediate provider with respect to a particular call. See supra para. 33 (proposing definition of gateway provider). Consistent with that definition, we are also seeking comment on imposing mandatory contractual obligations on gateway providers where they have entered into contracts with foreign end-user customers to accept their traffic into the U.S, marketplace. To the extent we adopt a broader definition of gateway provider to include those instances where the U.S.-based provider originates calls outside of the U.S. and the U.S.-based provider is not acting as an intermediate provider, we also seek comment on whether we should apply mandatory contractual provisions in those cases. See supra para. 34 (seeking comment on broader definition). What are the benefits and costs of requiring such contractual amendments? See ZipDX Sept. 13 Ex Parte (“[V]irtually all of the problematic robocall traffic we have seen is exchanged via commercial agreements that are wholly under the control of partnering entities.”). 88. We seek comment on what specific contractual provisions, if any, we should require. Should we require gateway providers to ensure by contract that their foreign partners validate that the calling party is authorized to use the U.S. NANP telephone numbers, for calls with such numbers in the caller ID display? See WCB Caller ID Best Practices, 35 FCC Rcd at 14732, para. 17. Are we correct in anticipating that if a foreign partner cannot validate the number, there is a significant risk that the number is being spoofed and is therefore likely to be involved in an illegal robocalling campaign? Cf. Federal Trade Commission v. Alcazar Networks Inc., et al., Stipulated Final Order for Permanent Injunction and Monetary Judgement, Case 6:20-cv-02200-PGB-DCI, at 8 (M.D.F.L. Dec. 3, 2020) (requiring gateway provider to determine whether a customer that is engaged in telemarketing has the right to use the numbers it plans on using). How should we address circumstances in which the foreign partner cannot validate the number on its own? For instance, should we require the gateway provider to require foreign partners by contract to use a third-party telephone number validation service? See WCB Caller ID Best Practices, 35 FCC Rcd at 14731, para. 15. Should we require gateway providers to ensure that their foreign partners employ know-your-customer practices, and if so should we mandate requiring specific know-your-customer practices? Should we require gateway providers to contractually obligate foreign partners to submit a certification to the Robocall Mitigation Database? We seek comment on what similar contractual provisions providers already have in place, their effectiveness in stopping illegal robocall traffic, and how widespread they are. See ZipDX Sept. 13 Ex Parte. 89. We seek comment on implementation of any requirement to adopt specific contractual provisions. Should we expand, contract, or alter the scope of foreign partners with which we would require gateway providers to enter into specific contractual provisions? What steps, if any, should we require gateway providers to take to ensure that foreign partners are living up to their contractual commitments? Should we require gateway providers to impose specific consequences, such as a refusal to accept traffic, on foreign partners that fail to live up to any required contractual provisions? See, e.g., In re: VC Dreams USA LLC d/b/a Strategic IT Partner, Assurance of Discontinuance, at 10 https://ago.vermont.gov/wp-content/uploads/2021/04/Executed-AOD-SITP.pdf (Vt. Super. Ct.) (VC Dreams) (requiring the gateway providers to “agree to require its customer to” among other things, notify the gateway provider if it has been subject to traceback requests or deemed a “non-cooperative provider”); id. at 6 (requiring gateway provider to drop customer if customer does not agree to provide know-your-customer information). What consequences should we impose a gateway provider that fails to enter into or enforce any required contractual provisions? 90. Consistent with the other mitigation obligations proposed in this Further Notice, we propose to require gateway providers comply with any contractual provisions 30 days after the effective date of an Order adopting such requirements. We seek comment on this proposal. We also seek comment on whether such a period provides sufficient time to comply with such obligations with respect to existing contracts in order to negotiate contractual amendments with foreign partners. Should we modify the deadline for certain classes of providers based on their burden or the benefit that would result in those classes’ compliance with the rule? Should we consider any other issues in setting a compliance deadline? 5. General Mitigation Standard 91. In addition to the specific mitigation requirements for which we seek comment above, we also propose to require gateway providers to meet a general obligation to mitigate illegal robocalls. Robocallers have shown that they can adapt to specific safeguards targeting illegal traffic. A general obligation can serve as an effective backstop to ensure that robocallers cannot evade any granular requirements we adopt. In the Second Caller ID Authentication Report and Order, the Commission required those voice service providers subject to a robocall mitigation requirement to take “reasonable steps to avoid originating illegal robocall traffic,” and established that a robocall mitigation program is sufficient if it “includes detailed practices that can reasonably be expected to significantly reduce the origination of illegal robocalls” and the provider “compl[ies] with the practices it describes.” See Second Caller ID Authentication Report and Order, 36 FCC Rcd at 1899-1900, paras. 76, 78. The Commission stated that a program is “insufficient if a provider knowingly or through negligence serves as the originator for unlawful robocall campaigns.” See id. at 1900, para. 78. We believe imposing an analogous requirement on gateway providers would provide a valuable backstop and help reduce the likelihood that illegal robocalls might make their way to U.S. consumers. Under this approach, gateway providers would be required to take reasonable steps to avoid transiting illegal robocall traffic. What would be the benefits and drawbacks of doing so? What would constitute “reasonable steps” in this context, aside from any of the actions proposed in this Further Notice? Would the consistency of obligations between gateway providers and voice service providers facilitate innovation and development of novel, effective robocall mitigation techniques? Would it ease compliance? Is a standards-based approach sufficient to address the difficult task of mitigating foreign-originated illegal robocalls? Should we adopt a standards-based approach but establish a different standard for effective robocall mitigation for gateway providers? What should that standard be? Does a standards-based approach make compliance more difficult, particularly for small entities that may less easily be able to identify appropriate practices? 92. Instead of establishing a general mitigation standard based on the standard in the Second Caller ID Authentication Report and Order, should we instead adopt a general standard by building upon the obligation in the Fourth Call Blocking Order for voice service providers (including intermediate providers) to mitigate robocall traffic by adopting “affirmative, effective measures to prevent new and renewing customers from using their network to originate illegal calls”? Fourth Call Blocking Order, 35 FCC Rcd at 15232, para. 32. This duty differs in certain respects from the duty for voice service providers subject to a robocall mitigation requirement to take “reasonable steps to avoid originating illegal robocall traffic.” For example, there is no duty for gateway providers to take action with respect to existing customers. Should we establish a general mitigation obligation for gateway providers based on a modified version of this duty? What should those modifications be? Should we require gateway providers to take affirmative, effective measures to prevent current, new, and renewing customers from using their network to transit illegal calls? Are other modifications appropriate? Instead or in addition to making such modifications, should we provide additional guidance to gateway providers about what measures would be deemed “affirmative” and “effective”? What should that guidance be? 93. We seek comment on an appropriate deadline for any general mitigation standard we adopt. We believe that any compliance deadline we adopt should, at a minimum, be consistent with the time and effort necessary to implement the standard, balanced against the public benefit that will result in rapid implementation of the standard. We therefore urge commenters proposing a standard to propose a specific deadline consistent with these principles. E. Robocall Mitigation Database 94. We propose to require gateway providers to submit a certification to the Robocall Mitigation Database describing their robocall mitigation practices and stating that they are adhering to those practices. We also take this opportunity to address other issues related to the Robocall Mitigation Database that are not specifically related to gateway providers. First, we seek comment on revisions to the information that filers must submit to the Robocall Mitigation Database. Second, we clarify the obligations of voice service providers and intermediate providers with respect to calls to and from PSAPs and other emergency services providers. 95. Gateway Providers. While we declined to impose a filing requirement on intermediate providers that had no robocall mitigation obligations in the Second Caller ID Authentication Report and Order, Second Caller ID Authentication Report and Order, 36 FCC Rcd at 1905, para. 89. we believe that requiring gateway providers to do so now in conjunction with any new robocall mitigation obligations we adopt is appropriate and situates gateway providers consistently with voice service providers under our STIR/SHAKEN rules. We seek comment on our proposal to require gateway providers to submit a certification. We anticipate that requiring certification will encourage compliance and facilitate enforcement efforts and industry cooperation to address problems. We also anticipate that a registration requirement would not be more costly for gateway providers than voice service providers. We seek comment on this analysis. Are there additional benefits of requiring registration? Do gateway providers face additional costs compared to voice service providers that we should consider? Rather than require gateway providers to file in the Robocall Mitigation Database, should we instead impose some other filing obligation? What would that obligation be? 96. We propose requiring gateway providers to submit the same information that voice service providers must submit under Commission rules. Specifically, we propose requiring gateway providers to certify to the status of STIR/SHAKEN implementation and robocall mitigation on their networks; submit contact information for a person responsible for addressing robocall mitigation-related issues; and describe in detail their robocall mitigation practices. 47 CFR § 64.6305. In the alternative, we seek comment on whether to alter or remove any of these obligations as applied to gateway providers, and whether gateway providers should submit any additional information beyond the information required from originating and terminating voice service providers. If we adopt specific robocall mitigation requirements, should we relieve gateway providers of the obligation to describe their robocall mitigation practices? Would this belt-and-suspenders approach to certification only add compliance costs with limited benefit? If we did not require gateway providers to describe their robocall mitigation practices, should they be required to submit any alternative information? If so, what should that be? We seek comment on any modifications we should make to the filing process for those gateway providers that are also voice service providers. See ZipDX Sept. 13 Ex Parte (seeking clarification on how providers with more than one “role” should be identified in the Robocall Mitigation Database). 97. Similar to our recently proposed rules for VoIP direct access applicants, should we require gateway providers to “inform the Commission” through an update to the Robocall Mitigation Database filing, if the gateway provider is “subject . . . to a Commission, law enforcement, or regulatory agency action, investigation, or inquiry due to its robocall mitigation plan being deemed insufficient or problematic, or due to suspected unlawful robocalling or spoofing . . . ”? Direct Access Further Notice at para. 15. We propose that information in any gateway provider certification would also be subject to the existing duty to update that certification within 10 business days, ensuring that the information is kept up to date. See 47 CFR § 64.6305(b)(5) (“A voice service provider shall update its filings within 10 business days of any change to the information it must provide pursuant to paragraphs (b)(2) through (4) of this section.”). Is another time period appropriate for some or all of the information we require? Should we establish a materiality threshold for circumstances in which an update is necessary, and if so what threshold should we set? 98. We propose to extend the prohibition on accepting traffic from unlisted providers to gateway providers. 47 CFR § 64.6305(c). Under this proposal, intermediate providers and terminating voice service providers would be prohibited from accepting traffic from a gateway provider not listed in the Robocall Mitigation Database. We believe that a gateway provider Robocall Mitigation Database filing requirement and an associated prohibition against accepting traffic from gateway providers not in the Robocall Mitigation Database will ensure regulatory symmetry between voice service providers and gateway providers and underscore the key role gateway providers play in stemming illegal robocalls. We seek comment on that conclusion and this proposal. Taking into consideration the time between the effective date of the prohibition on voice service providers (September 28, 2021) from accepting traffic from other unlisted voice service providers and the comment due date of this Further Notice, is there any preliminary evidence that the prohibition has been beneficial in the ways the Commission envisioned? We also propose that this prohibition should go into effect 90 days following the effective date of the requirement for gateway providers to submit a certification to the Robocall Mitigation Database. Ninety days between the effective date of the filing obligation and the beginning of the requirement to reject traffic from non-filers is the same time period as that adopted in the Second Caller ID Authentication Report and Order for voice service providers. Second Caller ID Authentication Report and Order, 36 FCC Rcd at 1904, para. 86 (“Effective 90 days after the deadline for robocall mitigation program certifications set forth in the Bureau Public Notice establishing the robocall mitigation database and portal, intermediate providers and terminating voice service providers are subject to this prohibition.”). We seek comment on providers’ experience with that 90-day timeframe and whether it would be appropriate in this instance. Should we set a shorter time period to ensure Americans benefit from this scheme sooner? Or do voice service providers and intermediate providers need additional time, beyond 90 days, to come into compliance with any blocking obligation and, if so, why? How, if at all, should we tailor the information that gateway providers must submit to the Robocall Mitigation Database to ensure that a downstream provider has sufficient information to know whether to block calls depending on the call-by-call “role” of the upstream provider? See ZipDX Sept. 13 Ex Parte. For example, if an upstream provider is acting as a gateway provider for a call and has submitted a certification as a voice service provider to the Robocall Mitigation Database, but has not submitted its certification as a gateway provider, what information does that downstream provider need to know to block the call under our proposed rule if and when it becomes effective? 99. In line with our proposals above to require gateway providers to implement mitigation requirements by 30 days after publication of the notice of an Order adopting this requirement in the Federal Register, we propose to require gateway providers to submit a certification to the Robocall Mitigation Database by that same date and to thereafter amend such certification of compliance to attest to STIR/SHAKEN compliance by the deadline established in this proceeding, subject to publication in the Federal Register of notice of approval by OMB of any associated PRA obligations. We seek comment on this approach and any alternatives. For example, should we instead require gateway providers submit an interim certification by an earlier date so that the Commission and the general public know the status of gateway providers’ STIR/SHAKEN implementation? Would the benefits of requiring an additional interim filing outweigh the burdens? What other considerations should we take into account in setting any filing deadlines? 100. Identifying Information for All Filers. We take this opportunity to seek comment on whether we should require Robocall Mitigation Database filers—including voice service providers and, if required, gateway providers—to submit additional identifying indicia, such as a Carrier Identification Code, Operating Company Number, and/or Access Customer Name Abbreviation. We anticipate that requiring some additional identifying information may ease compliance by facilitating searches within the Robocall Mitigation Database and cross-checking information within the Robocall Mitigation Database against other sources. Do commenters agree? If so, what additional information should we require? What are the benefits and costs of such a requirement? We recognize that as of the date we adopt this Further Notice, a large number of voice service providers have already filed in the Robocall Mitigation Database, and requiring any additional information would require these providers to revise their filings. As we have explained, to date, approximately 4,948 voice service providers have submitted information into the Robocall Mitigation Database.  Additionally, we realize that the September 28 blocking deadline has passed and that the identifying information we seek comment on may not be as useful as it would have been prior to this deadline. Based on these facts, does the benefit of requiring additional information nonetheless outweigh the burden of asking such a high number of voice service providers to refile? If not, should we consider applying this requirement on a prospective-only basis? Would this approach still have benefit even if only some filers submitted this information? Are there any categories of filer, such as foreign voice service providers that use NANP resources that pertain to the United States, that are unlikely to have this identifying information? If so, how should any new requirements address these filers? Alternatively, should we consider making the submission of this additional information voluntary to avoid a refiling requirement and account for filers that do not possess the information? Or would submission on a voluntary basis provide little benefit? If we require submission of additional information by some or all filers, what deadline for filing should we set? 101. Public Safety Calls. We take this opportunity to clarify that even if a voice service provider (or, if we adopt our proposal in today’s Further Notice, a gateway provider) is not listed in the Robocall Mitigation Database, other voice service providers and intermediate providers in the call path must make all reasonable efforts to avoid blocking calls from PSAPs and government outbound emergency numbers. Additionally, consistent with the Commission’s previous statement that its call-blocking rules “do not authorize the blocking of calls to 911 under any circumstances,” First Call Blocking Order, 32 FCC Rcd at 9721, para. 41; see also Third Call Blocking Order and Further Notice, 35 FCC Rcd at 7633-34, paras. 52-53 (“Calls to PSAPs via 911 . . . should never be blocked unless the voice service provider knows without a doubt that the calls are unlawful.”); TRACED Act § 10(b) (codified at 47 U.S.C. § 227(j)(1)(C)). calls to 911 must not be blocked, even if originated by a voice service provider not in the Robocall Mitigation Database or otherwise subject to blocking. And as regards outbound emergency calls, we reiterate the Commission’s position that all voice service providers and intermediate providers “must make all reasonable efforts to ensure that calls from PSAPs and government outbound emergency numbers are not blocked.” Third Call Blocking Order and Further Notice, 35 FCC Rcd at 7633-34, paras. 52-53; see also TRACED Act § 10 (b) (codified at 47 U.S.C. § 227(j)(1)(C)); First Call Blocking Order, 32 FCC Rcd at 9721, para. 41 (clarifying that the Commission’s call-blocking rules “do not authorize the blocking of calls to 911 under any circumstances” and that “these rules do not permit the blocking of emergency calls except as otherwise expressly permitted by the Commission’s rules”); Third Call Blocking Order and Further Notice, 35 FCC Rcd at 7631, para. 45 (“We agree that critical calls are of the highest importance, and below we require all voice service providers to make all reasonable efforts to prevent emergency calls from being blocked.”). We adopt this clarification to ensure completion of emergency calls and to clarify that the scope of the exception for emergency calls is identical between our call blocking rules See 47 CFR § 64.1200(k). and our rules prohibiting acceptance of traffic from voice service providers not listed in the Robocall Mitigation Database. See 47 CFR § 64.6305(c). 102. We seek comment on whether we should modify our rules to reflect this clarification. We also seek comment on whether we should expand upon our clarification. Does our clarification contain any ambiguities that we should address, and if so how should we address them? For example, should we make clear what “reasonable efforts” we expect voice service providers and intermediate providers to take to ensure completion of outbound emergency calls? If so, what specific steps should we require? Would prohibiting providers from blocking calls on a “whitelist” of public safety numbers be effective, or would it instead provide a roadmap for bad actors to exploit? We note that the Commission has previously declined to adopt such a list, finding that it “would likely to do more harm than good.” See Third Call Blocking Order and Further Notice, 35 FCC Rcd at 7635-36, para. 58. We seek comment on whether circumstances have changed since the Commission’s prior decision that would make this option more viable. Are there fewer concerns for such a list in the context of gateway providers? Are there other ways bad actors could exploit this emergency exception to originate illegal robocalls, either directed at PSAPs (because calls to 911 may not be blocked) or directed to the general public by posing as emergency callers (because providers must make all reasonable efforts to ensure that calls from PSAPs and government outbound emergency numbers are not blocked)? If so, what steps can we take to minimize that threat while ensuring the vital goal of emergency call completion? How should we account for emergency calls if we require gateway providers to file in the Robocall Mitigation Database? Are emergency calls to U.S. PSAPs likely to originate abroad? We also propose that any calls to and from PSAPs and government outbound emergency numbers that may be otherwise subject to mandatory call blocking duties adopted pursuant to this Further Notice should be subject to the same emergency call exception and clarification that we adopt today, as well as any further clarifications that we adopt pursuant to the questions above, and we seek comment on this proposal. F. Alternative Approaches 103. We seek comment on alternative approaches to stop illegal foreign-originated robocalls. This Further Notice proposes imposing obligations on gateway providers because they are in the unique position of acting as the conduit for all foreign-originated calls. We anticipate that rules focused on gateway providers would be the most efficient and effective way to prevent illegal robocalls from reaching U.S. consumers and businesses from abroad. At the same time, we want to explore all available options and thus seek comment on whether we should instead pursue alternative approaches to enhancing our rules to target foreign-originated robocalls. 104. We first seek comment on strengthening our prohibition on U.S.-based providers accepting traffic carrying U.S. NANP numbers that is received “directly from” foreign voice service providers that are not in the Robocall Mitigation Database. 47 CFR § 64.6305(c). By its terms, this rule does not require U.S.-based providers to reject foreign-originated traffic carrying U.S. NANP numbers that is received by a U.S. provider directly from a foreign intermediate provider—at present, the prohibition only applies to traffic received directly from the originating foreign provider. Some have argued that this loophole allows a significant portion of foreign-originated robocall traffic carrying U.S. NANP numbers to reach the U.S. outside of the prohibition. See, e.g., USTelecom Ex Parte at 3 (“[I]f intermediate providers can take traffic from any other intermediate provider regardless of their database status, international gateways could continue to take traffic from foreign intermediate providers that aggregate the traffic on the way to the United States. This would be a breakdown of the chain of trust that is implicit in the framework established in the Second Report & Order.”). We seek comment on whether this is the case and, if so, whether we should expand the prohibition and require U.S.-based providers to reject traffic carrying U.S. NANP numbers directly from any foreign provider not in the Robocall Mitigation Database. What are the benefits and burdens of this approach? Should we require U.S.-based providers to ensure that foreign intermediate providers comply with specific robocall mitigation practices, such as know-your-customer practices, and describe in their certifications the specific robocall mitigation practices they have implemented? Are most foreign intermediate providers also originating and exchanging traffic with U.S. NANP numbers directly with U.S. providers, indicating that most foreign providers are already covered under the current prohibition? 609 foreign voice service providers have already filed in the Robocall Mitigation Database. We seek comment on what percentage of foreign providers currently subject to the prohibition this represents, compared to the percentage of foreign providers that would be subject to our proposed expanded prohibition. If we expand the prohibition to encompass foreign intermediate providers, what compliance deadline should we set? 105. Conversely, should we limit or eliminate the foreign provider prohibition rather than expand it? Some argue that the compliance burden of the current rule on foreign voice service providers is significant, that many providers did not register by the deadline, and therefore there is a significant risk that domestic providers will unnecessarily block foreign-originated calls. See generally, Petition of CTIA for Partial Reconsideration, WC Docket No. 17-97 (filed Dec. 17, 2020); Petition for Reconsideration of VON, WC Docket No. 17-97 (filed Dec. 17, 2020); see also Letter of Glenn S. Richards, Counsel, VON, to Marlene H. Dortch, Secretary, FCC, WC Docket No. 17-97, at 1-2 (filed Aug. 6, 2021); Letter of Sarah Leggin, Director, Regulatory Affairs, CTIA, to Marlene H. Dortch, Secretary, FCC, WC Docket No. 17-97, at 5 (filed July 29, 2021) (“[F]oreign service providers that interconnect with U.S. providers would likely fail to register in a timeline manner with the Robocall Mitigation Database.”). We seek comment on the validity of these assertions and whether a rule expansion would compound those burdens and risks. Others argue that, at a minimum, foreign voice service providers needed additional time to submit a certification to the Robocall Mitigation Database. See, e.g., Letter of Linda S. Vandeloop, AVP, AT&T, to Marlene H. Dortch, Secretary, FCC, WC Docket No. 17-97, at 1-2 (filed Aug. 3, 2021) (arguing that a six month extension “will give U.S. service providers working in good faith additional time to educate smaller Foreign Service Providers on the registration process.”). If the burdens of the current rule are large and the benefits small, should we consider eliminating the current rule, particularly if we adopt effective measures for gateway providers to stop illegal robocall traffic from entering the U.S. market? 106. In light of the unique difficulties foreign service providers may face in timely registering with the Commission’s new Robocall Mitigation Database, the fact that the foreign provider prohibition can be evaded by transmitting traffic via one or more foreign intermediate providers, and in order to avoid the potential disruption associated with such delays while permitting the Commission to explore these potentially more effective measures, we conclude that the public interest will be served by not enforcing the foreign provider prohibition during the pendency of this proceeding. Cf. FCC Announces Brief Delay in Enforcement of the Red Light Rule, Public Notice, 19 FCC Rcd 19452 (2004) (delaying enforcement of recently adopted red light rule in “[t]he public interest” to allow companies to become comfortable with the online filing system); US West, Inc. and Continental Cablevision, CSR 4788-X, Memorandum Opinion and Order, 11 FCC Rcd 13260, 13269, para. 20 (1996 Cable Services Bureau) (“Several years after granting temporary relief in Golden West Associates, the Commission clarified that in that case the Commission did not waive §613(a), but delayed enforcement temporarily to accommodate the exigencies of the marketplace.”) (internal citations omitted). See also Letter of Christopher Shipley, Attorney and Policy Advisor, INCOMPAS, Michael H. Pryor, Counsel for CCA, Glen Richards, Counsel for VON, WC Docket No. 17-97, CG Docket No. 17-59 at 1 (supporting not enforcing the foreign provider prohibition during the pendency of this proceeding). But see E-mail of David Frankel, ZipDX, to Jonathan Lechter, Attorney Advisor, Competition Policy Division, Wireline Competition Bureau, FCC, and Jerusha Bennett, Attorney Advisor, Consumer Policy Division, Consumer and Governmental Affairs Bureau, FCC, (Sept. 15, 2021, 9:56 EDT) (filed in WC Docket No. 17-97 & CG Docket No. 17-59, Sept. 15, 2021) (ZipDX September 15 Ex Parte) (opposing the Commission’s approach). While ZipDX suggests a “narrower deferment” that would allow enforcement if a foreign provider is responsible for a “significant or on-going illegal robocalling activity,” see ZipDX September 15 Ex Parte, we decline taking such an approach because it would involve engaging in a line-drawing exercise for which we do not have sufficient guidance and data and ZipDX does not suggest a specific, administrable approach. We anticipate that we will make a final decision regarding whether to eliminate, retain, or enhance the foreign provider prohibition as part of our larger consideration of how best to address illegal robocalls originating abroad in the order issued pursuant to this Further Notice. Therefore, until that time, domestic voice service providers and intermediate providers may accept traffic carrying U.S. NANP numbers sent directly from foreign voice service providers not listed in the Robocall Mitigation Database. 47 CFR § 64.6305(c). G. Expected Benefits and Costs 107. As noted above, a large portion of illegal robocalls originate abroad, and that share may be growing. We therefore anticipate that the benefits of our proposals will far outweigh the costs imposed on gateway providers. 108. As to expected benefits, the Commission found in the First Caller ID Authentication Report and Order and Further Notice of Proposed Rulemaking that widespread deployment of STIR/SHAKEN will increase the effectiveness of the framework for both voice service providers and their subscribers, producing a potential benefit of at least $13.5 billion annually due to the reduction in nuisance calls and fraud. First Caller ID Authentication Report and Order and Further Notice of Proposed Rulemaking, 35 FCC Rcd at 3263, paras. 47-48.   In addition, the Commission identified many non-quantifiable benefits, such as restoring confidence in incoming calls and reliable access to emergency and healthcare communications. Id. at 3263-64, paras. 49-50. 109. We anticipate that the impact of our proposals, including the deterrence that arises from authenticating unauthenticated foreign-originated calls, will account for a large share of that $13.5 billion benefit because of the significant share of illegal calls originating outside our country.  While each of the proposed requirements on their own may not fully accomplish that goal, viewed collectively, we expect that they will achieve a large share of the $13.5 billion minimum benefit. We seek comment on this analysis and on the possible benefits of the requirements we propose. 110. We believe that the costs imposed on gateway providers by our proposed changes, at least some of which are likely minimal, will be far exceeded by the expected benefits. For example, many intermediate providers that would be classified as gateway providers under our proposed definition are already voice service providers and have already implemented or are required to soon implement STIR/SHAKEN authentication on their networks. See supra para. 100. But see iBasis Ex Parte at 3 (setting forth concerns regarding characterization of potential costs as minimal). Moreover, as the Commission stated in the First Caller ID Authentication Report and Order and Further Notice of Proposed Rulemaking, an overall reduction in illegal robocalls will greatly lower providers’ network costs by eliminating both the unwanted traffic congestion and the labor costs of handling numerous customer complaints. First Caller ID Authentication Report and Order and Further Notice of Proposed Rulemaking, 35 FCC Rcd at 3264-65, paras. 52-53.   We therefore believe that the proposals in this Further Notice would impose only minimal short-term costs on gateway providers while lowering long-term network costs for gateway providers and other domestic service providers.  We seek comment on this analysis and whether it remains valid in light of industry experience in implementing STIR/SHAKEN and the Commission’s various blocking regimes? Is it equally applicable to gateway providers? We also seek detailed comment on the potential costs associated with each proposal.  Will these costs vary according to the size of the provider?  Does the benefit of each proposal outweigh its cost? How do the proposed compliance deadlines for each requirement and possible alternative deadlines affect the benefits and costs? 111. Digital Equity and Inclusion. The Commission, as part of its continuing effort to advance digital equity for all, Section 1 of the Communications Act of 1934, as amended, provides that the FCC “regulat[es] interstate and foreign commerce in communication by wire and radio so as to make [such service] available, so far as possible, to all the people of the United States, without discrimination on the basis of race, color, religion, national origin, or sex.” 47 U.S.C. § 151. including people of color, persons with disabilities, persons who live in rural or Tribal areas, and others who are or have been historically underserved, marginalized, or adversely affected by persistent poverty or inequality, invites comment on any equity-related considerations The term “equity” is used here consistent with Executive Order 13985 as the consistent and systematic fair, just, and impartial treatment of all individuals, including individuals who belong to underserved communities that have been denied such treatment, such as Black, Latino, and Indigenous and Native American persons, Asian Americans and Pacific Islanders and other persons of color; members of religious minorities; lesbian, gay, bisexual, transgender, and queer (LGBTQ+) persons; persons with disabilities; persons who live in rural areas; and persons otherwise adversely affected by persistent poverty or inequality. See Exec. Order No. 13985, 86 Fed. Reg. 7009, Executive Order on Advancing Racial Equity and Support for Underserved Communities Through the Federal Government (January 20, 2021). and benefits (if any) that may be associated with the proposals and issues discussed herein. Specifically, we seek comment on how our proposals may promote or inhibit advances in diversity, equity, inclusion, and accessibility, as well the scope of the Commission’s relevant legal authority. H. Legal Authority 112. We propose to adopt the foregoing obligations pursuant to the legal authority we relied upon in prior caller ID authentication and call blocking orders. 113. Caller ID Authentication. We propose to find authority to impose caller ID authentication obligations on gateway providers under section 251(e) of the Act and the Truth in Caller ID Act. See 47 U.S.C. §§ 227(e), 251(e). In the Second Caller ID Authentication Report and Order, the Commission found it had the authority to impose caller ID authentication obligations on intermediate providers under these provisions. See Second Caller ID Authentication Report and Order, 36 FCC Rcd at 1931-32, paras. 153-55. It reasoned that “[c]alls that transit the networks of intermediate providers with illegally spoofed caller ID are exploiting numbering resources” and so found authority under section 251(e). Id. at 1931, para. 153. And it found additional, independent authority under the Truth in Caller ID Act on the basis that such rules were necessary to “prevent . . . unlawful acts and to protect voice service subscribers from scammers and bad actors,” and it stressed that intermediate providers “play an integral role in the success of STIR/SHAKEN across the voice network.” Id. at 1931, para. 154. While that Order did not specifically discuss gateway providers, we propose to conclude that we can impose an authentication obligation on gateway providers on the same basis. Indeed, we propose to define gateway providers as a subset of intermediate providers; thus, we tentatively conclude that the Second Caller ID Authentication Report and Order already accounted for the actions we propose today. We seek comment on this proposal. Should we revisit the Commission’s earlier conclusion that it has authority to place these obligations on intermediate—including gateway—providers? Are there other sources of authority, including the TRACED Act, that we could invoke to impose our caller ID authentication rules on gateway providers? 114. Robocall Mitigation and Call Blocking. We propose to adopt our robocall mitigation and call blocking provisions on gateway providers pursuant to sections 201(b), 202(a), 251(e), the Truth in Caller ID Act, the TRACED Act, and, where appropriate, our ancillary authority, consistent with the authority we invoked to adopt analogous rules in the Second Caller ID Authentication Report and Order and our Call Blocking Orders. We seek comment on this proposal. 115. In the Second Caller ID Authentication Report and Order, the Commission concluded “section 251(e) gives us authority to prohibit intermediate providers and voice service providers from accepting traffic from both domestic and foreign voice service providers that do not appear in [the Robocall Mitigation Database],” noting that its “exclusive jurisdiction over numbering policy provides authority to take action to prevent the fraudulent abuse of NANP resources.” Id. at 1910, para. 99. The Commission observed that “[i]llegally spoofed calls exploit numbering resources whenever they transit any portion of the voice network—including the networks of intermediate providers” and that “preventing such calls from entering an intermediate provider’s or terminating voice service provider’s network is designed to protect consumers from illegally spoofed calls.” Id. The Commission also found that the Truth in Caller ID Act provided additional authority for our actions to protect voice service subscribers from illegally spoofed calls. Id. at 1910, para. 100. We propose to conclude that section 251(e) and the Truth in Caller ID Act authorize us to prohibit intermediate providers and voice service providers from accepting traffic from gateway providers that do not appear in the Robocall Mitigation Database. The Commission also relied on the TRACED Act in adopting mitigation duties for voice service providers Id. at 1909-10, para. 97 (citing TRACED Act § 4(b)(5)(C) for the proposition that “[t]he TRACED Act expressly directs us to…require any voice service provider subject to [an extension] to implement a robocall mitigation program.”). and we propose to conclude that it authorizes us to require voice service providers to submit additional information to the Robocall Mitigation Database. 116. In the Fourth Call Blocking Order, the Commission required voice service providers “to take affirmative, effective measures to prevent new and renewing customers from originating illegal calls,” which includes a duty to “know” their customers. Fourth Call Blocking Order, 35 FCC Rcd at 15232-33, paras. 32-36. Additionally, the Commission required voice service providers, including intermediate providers, to “take steps to effectively mitigate illegal traffic when notified by the Commission,” which may require blocking when applied to gateway providers. Id. at 15229-32, paras 22-31. The Commission also adopted traceback obligations. Id. at 15227-29, paras. 15-21 (describing traceback obligations). The Commission concluded that it had the authority to adopt these requirements pursuant to sections 201(b), 202(a), and 251(e) of the Act, as well as the Truth in Caller ID Act and its ancillary authority. Id. at 15233-34, paras. 37-38. Sections 201(b) and 202(a) provide the Commission with “broad authority to adopt rules governing just and reasonable practices of common carriers.” Id. 15233-34, para. 37. Accordingly, the Commission found that the new blocking rules were “clearly within the scope of our section 201(b) and 202(a) authority” and “that it is essential that the rules apply to all voice service providers,” applying its ancillary authority in section 4(i). Id. at 15234, para. 37; see also 47 U.S.C. § 154(i). The Commission also found that section 251(e) and the Truth in Caller ID Act provided the basis “to prescribe rules to prevent the unlawful spoofing of caller ID and abuse of NANP resources by all voice service providers,” a category that includes VoIP providers and, in the context of our call blocking orders gateway providers. Fourth Call Blocking Order, 35 FCC Rcd at 15234, para. 37; id. at 15222 n.2 (defining voice service provider to include intermediate provider). We believe that these same statutory provisions authorizing our current mitigation and blocking rules support the mandatory mitigation and blocking obligations we propose to impose on gateway providers here. Are there additional sources of authority that we should consider? 117. We propose to find additional authority in section 7 of the TRACED Act. The Commission initiated a rulemaking to “help protect a subscriber from receiving unwanted calls or text messages from a caller using an unauthenticated number” TRACED Act § 7. in the Third Call Blocking Order and Further Notice, Third Call Blocking Order and Further Notice, 35 FCC Rcd at 7642-43, paras. 88-90. but declined to take further action in the Fourth Call Blocking Order. Fourth Call Blocking Order, 35 FCC Rcd at 15249-50, para. 84. We believe that several of the proposals we make today would have the effect of protecting consumers from unwanted calls from unauthenticated numbers. In particular, we believe that our mandatory blocking and “know-your-customer” proposals would further these goals. We seek comment on this belief. Is this an appropriate use of the authority granted in TRACED Act section 7? What should we consider, including the considerations listed in section 7(b) of the TRACED Act, TRACED Act § 7(b). in determining whether any rules we adopt are consistent with our authority under that section? 118. While we propose to conclude that our direct sources of authority provide an ample basis to adopt our proposed rules on all gateway providers, we believe that our ancillary authority in section 4(i) 47 U.S.C. § 154(i). provides an independent basis to do so with respect to gateway providers that have not been classified as common carriers, and we seek comment on this view. We anticipate that the proposed regulations are “reasonably ancillary to the Commission’s effective performance of its . . . responsibilities.” United States v. Southwestern Cable Co., 392 U.S. 157, 178 (1968); see also, e.g., Rural Call Completion, WC Docket No. 13-39, Report and Order and Further Notice of Proposed Rulemaking, 28 FCC Rcd 16154, 16562, para. 35 (2013) (“Ancillary authority may be employed, at the Commission’s discretion, when the Act covers the regulated subject and the assertion of jurisdiction is reasonably ancillary to the effective performance of the Commission’s various responsibilities.”) (internal citations omitted). Specifically, gateway providers interconnected with the public switched telephone network and exchanging IP traffic clearly constitutes “communication by wire and radio.” 47 U.S.C. § 152(a). We believe that requiring gateway providers to comply with our proposed rules is reasonably ancillary to the Commission’s effective performance of its statutory responsibilities under section 152(a), as well as reasonably ancillary to our exercise of authority under sections 201(b), 202(a), 251(e), and the Truth in Caller ID Act as described above. With respect to sections 201(b) and 202(a), absent application of our proposed rules to gateway providers that are not classified as common carriers, originators of international robocalls could circumvent our proposed scheme by sending calls only to such gateway providers to reach the U.S. market. We seek comment on this analysis. 119. Indirect Effect on Foreign Service Providers. We propose to conclude that, to the extent any of the rules we seek to adopt today have an effect on foreign service providers, that effect is only indirect and therefore consistent with the Commission’s authority. In the Second Caller ID Authentication Report and Order, the Commission acknowledged an indirect effect on foreign providers but concluded that it was permissible under past Commission precedent confirmed by the courts. Second Caller ID Authentication Report and Order, 36 FCC Rcd at 1910 n.370 (“An indirect effect on foreign voice providers, however does not militate against the validity of rules that only operate directly on voice service providers within the United States”)(citing International Settlement Rate Benchmarks, IB Docket No. 96-261, Report and Order, 12 FCC Rcd 19806, 19819, para. 27 (1997) (internal citations omitted)); see also Cable & Wireless P.L.C. v. FCC, 166 F.3d 1224, 1230 (D.C. Cir. 1999) (finding that “the Commission does not exceed its authority simply because a regulatory action has extraterritorial consequences”); 47 CFR §§ 1.767(g)(5), 63.14 (prohibiting carriers from agreeing to access special concessions from a foreign carrier with respect to any U.S. international route where the foreign carrier possesses sufficient market power to adversely affect competition in the U.S. market); Petition of AT&T for Settlements Stop Payment Order on the U.S.-Tonga Route, IB Docket No. 09-10, Memorandum Opinion and Order, 29 FCC Rcd 4186, 4196, para. 24 (2014) (Tonga) (concluding that “Commission review and interpretation of contracts entered into by U.S. carriers for delivery of traffic to foreign destinations may, as here, be necessary and relevant to the Commission’s policy goals of protecting U.S. ratepayers from the effects of anticompetitive actions . . . Thus, the existence of extraterritorial consequences stemming from the Bureau’s review of this case does not render the Bureau’s actions impermissible.”). This includes the authority, pursuant to section 201, for the Commission to require U.S. providers to modify their contracts with a foreign provider with respect to “foreign communication” to ensure that the charges and practices are “just and reasonable.” See 47 U.S.C. § 201(a)-(b); Tonga, 24 FCC Rcd at 8014-15, para. 24 (“The Act also gives the Commission authority to prescribe just and reasonable charges when it finds that a charge or practice associated with a U.S. carrier providing foreign communications is unlawful.”). We seek comment on whether any of our proposed rules exceed the scope of our jurisdiction over foreign communications that enter the United States. We also seek comment on whether any of our proposed rules would be contrary to any of our international treaty obligations, other international laws and rules, or create a risk of foreign retaliation. Cf. Comments of BT Americas, WC Docket No. 17-97, at 4-5 (filed Jan. 29, 2021) (arguing that the foreign provider prohibition could implicate foreign tax, privacy and data protection issues and result in retaliation from foreign regulators). IV. PROCEDURAL MATTERS 120. Initial Regulatory Flexibility Analysis. As required by the Regulatory Flexibility Act, the Commission has prepared an Initial Regulatory Flexibility Analysis (IRFA) of the possible significant economic impact on small entities of the policies and rules addressed in this Further Notice. The IRFA is set forth in Appendix B. Written public comments are requested on the IRFA. Comments must be filed by the deadlines for comments on the Further Notice indicated on the first page of this document and must have a separate and distinct heading designating them as responses to the IRFA. The Commission’s Consumer and Governmental Affairs Bureau, Reference Information Center, will send a copy of this Further Notice, including the IRFA, to the Chief Counsel for Advocacy of the SBA. See 5 U.S.C. § 603(a). 121. Paperwork Reduction Act. The Further Notice contains proposed new information collection requirements. The Commission, as part of its continuing effort to reduce paperwork burdens, invites the general public and OMB to comment on the information collection requirements contained in this document, as required by the Paperwork Reduction Act of 1995, Public Law 104-13. In addition, pursuant to the Small Business Paperwork Relief Act of 2002, Public Law 107-198, see 44 U.S.C 3506(c)(4), we seek specific comment on how we might further reduce the information collection burden for small business concerns with fewer than 25 employees. 122. Ex Parte Presentations—Permit-But-Disclose. The proceeding this Further Notice initiates shall be treated as a “permit-but-disclose” proceeding in accordance with the Commission’s ex parte rules. 47 CFR §§ 1.1200 et seq. Persons making ex parte presentations must file a copy of any written presentation or a memorandum summarizing any oral presentation within two business days after the presentation (unless a different deadline applicable to the Sunshine period applies). Persons making oral ex parte presentations are reminded that memoranda summarizing the presentation must (1) list all persons attending or otherwise participating in the meeting at which the ex parte presentation was made, and (2) summarize all data presented and arguments made during the presentation. If the presentation consisted in whole or in part of the presentation of data or arguments already reflected in the presenter’s written comments, memoranda or other filings in the proceeding, the presenter may provide citations to such data or arguments in his or her prior comments, memoranda, or other filings (specifying the relevant page and/or paragraph numbers where such data or arguments can be found) in lieu of summarizing them in the memorandum. Documents shown or given to Commission staff during ex parte meetings are deemed to be written ex parte presentations and must be filed consistent with section 1.1206(b) of the Commission’s rules. In proceedings governed by section 1.49(f) of the Commission’s rules or for which the Commission has made available a method of electronic filing, written ex parte presentations and memoranda summarizing oral ex parte presentations, and all attachments thereto, must be filed through the electronic comment filing system available for that proceeding, and must be filed in their native format (e.g., .doc, .xml, .ppt, searchable .pdf). Participants in this proceeding should familiarize themselves with the Commission’s ex parte rules. 47 CFR § 1.49(f). 123. Comment Filing Procedures. Pursuant to sections 1.415 and 1.419 of the Commission’s rules, 47 CFR §§ 1.415, 1.419, interested parties may file comments and reply comments on or before the dates indicated on the first page of this document. Comments may be filed using the Commission’s Electronic Comment Filing System (ECFS). See Electronic Filing of Documents in Rulemaking Proceedings, 63 FR 24121 (1998). • Electronic Filers: Comments may be filed electronically using the Internet by accessing ECFS: https://www.fcc.gov/ecfs/. • Currently, the Commission does not accept any hand-delivered or messenger-delivered filings as a temporary measure taken to help protect the health and safety of individuals, and to mitigate the transmission of COVID-19. In the event that the Commission announces the lifting of COVID-19 restrictions, a filing window will be opened at the Commission’s office located at 9050 Junction Drive, Annapolis, Maryland 20701. Amendment of the Commission’s Rules of Practice and Procedure, Order, 35 FCC Rcd 5450 (OMD 2020). 124. Pursuant to section 1.49 of the Commission’s rules, 47 CFR § 1.49, parties to this proceeding must file any documents in this proceeding using the Commission’s Electronic Comment Filing System (ECFS): www.fcc.gov/ecfs. 125. People with Disabilities. To request materials in accessible formats for people with disabilities (braille, large print, electronic files, audio format), send an e-mail to fcc504@fcc.gov or call the Consumer & Governmental Affairs Bureau at 202-418-0530 (voice), 202-418-0432 (TTY). 126. Additional Information. For further information about the Further Notice, contact either Jonathan Lechter, Attorney Advisor, Competition Policy Division, Wireline Competition Bureau, at Jonathan.lechter@fcc.gov, (202) 418-0984 or Jerusha Burnett, Attorney Advisor, Consumer Policy Division, Consumer and Governmental Affairs Bureau, at jerusha.burnett@fcc.gov, 202-418-0526. V. ORDERING CLAUSES 127. Accordingly, IT IS ORDERED, pursuant to sections 4(i), 4(j), 201, 202, 217, 227, 227b, 251(e), 303(r), and 403 of the Communications Act of 1934, as amended, 47 U.S.C. §§ 154(i), 154(j), 201, 202, 217, 227, 227b, 251(e), 303(r), 403, that this Further Notice of Proposed Rulemaking IS ADOPTED. 128. IT IS FURTHER ORDERED that the Commission’s Consumer and Governmental Affairs Bureau, Reference information Center, SHALL SEND a copy of this Further Notice of Proposed Rulemaking, including the Initial Regulatory Flexibility Analysis (IRFA), to the Chief Counsel for Advocacy of the Small Business Administration. FEDERAL COMMUNICATIONS COMMISSION Marlene H. Dortch Secretary 2 APPENDIX A Proposed Rules The Federal Communications Commission amends part 64 of Title 47 of the Code of Federal Regulations as follows: PART 64 – MISCELLANEOUS RULES RELATING TO COMMON CARRIERS Subpart L – Restrictions on Telemarketing, Telephone Solicitation, and Facsimile Advertising 1. Amend § 64.1200 by revising paragraph (n)(1); revising and redesignating paragraphs (n)(2) as n(3) and (n)(3) as (n)(2); and adding new paragraphs (f)(19), (o), and (p) to read as follows: (f)(19) The term gateway provider means the first U.S.-based intermediate provider in the call path of a foreign-originated call that transmits the call directly to another intermediate provider or a terminating voice service provider in the United States. (n)(1) Respond fully and in a timely manner to all traceback requests from the Commission, civil law enforcement, criminal law enforcement, and the industry traceback consortium. Where the voice service provider is a gateway provider, it must respond within 24 hours of receipt of such a request; (n)(2) Take affirmative, effective measures to prevent new and renewing customers from using its network to originate illegal calls, including knowing its customers and exercising due diligence in ensuring that its services are not used to originate illegal traffic; and, (n)(3) Take steps to effectively mitigate illegal traffic when it receives actual written notice of such traffic from the Commission through its Enforcement Bureau. (i) In providing notice, the Enforcement Bureau shall identify with as much particularity as possible the suspected traffic; provide the basis for the Enforcement Bureau’s reasonable belief that the identified traffic is unlawful; cite the statutory or regulatory provisions the suspected traffic appears to violate; and direct the voice service provider receiving the notice that it must comply with this section; (ii) Each notified provider must promptly investigate the identified traffic. Each notified provider must then promptly report the results of its investigation to the Enforcement Bureau, including any steps the provider has taken to effectively mitigate the identified traffic or an explanation as to why the provider has reasonably concluded that the identified calls were not illegal and what steps it took to reach that conclusion. Should the notified provider find that the traffic comes from an upstream provider with direct access to the U.S. Public Switched Telephone Network, that provider must promptly inform the Enforcement Bureau of the source of the traffic and, if possible, take steps to mitigate this traffic; (iii) If the notified provider is a gateway provider, that provider must, after conducting the investigation described in paragraph (ii), promptly block all traffic associated with the traffic pattern identified in the Enforcement Bureau’s notice; and (iv) Should a gateway provider fail to comply with the requirements of paragraph (iii), the Commission, through its Enforcement Bureau, may send a notice to all providers immediately downstream from the gateway provider in the call path. Upon receipt of such notice, all providers must promptly block all traffic from the identified gateway provider. (o) A gateway provider must block calls that it reasonably determines, based on reasonable analytics that include consideration of caller ID authentication information where available, that calls are part of a call pattern that is highly likely to be illegal. (i) The gateway provider must manage this blocking with human oversight and network monitoring sufficient to ensure that it blocks only calls that are highly likely to be illegal, which must include a process that reasonably determines that the particular call pattern is highly likely to be illegal before initiating blocking of calls that are part of that pattern. (ii) The gateway provider ceases blocking calls that are part of the call pattern as soon as the gateway provider has actual knowledge that the blocked calls are likely lawful; (iii) All analytics are applied in a non-discriminatory, competitively neutral manner. (p) A gateway provider must confirm that the originator of a high volume of foreign-originated calls that use a U.S. North American Numbering Plan number in the caller ID field is authorized to use that number to originate calls. 2. Amend section 64.6300 by adding paragraph (d) and redesignating paragraphs (d) through (1) as (e) through (m), respectively, to read as follows: (d) Gateway Provider. The term “gateway provider” means the first U.S.-based intermediate provider in the call path of a foreign-originated call that transmits the call directly to another intermediate provider or a terminating voice service provider in the United States. 3. Amend section 64.6302 by adding paragraph (c) to read as follows: (c) Notwithstanding paragraph (b) of this section, a gateway provider must, not later than March 1, 2023, authenticate caller identification information for all calls it receives that use North American Numbering Plan resources that pertain to the United States and for which the caller identification information has not been authenticated and which it will exchange with another provider as a SIP call. 4. Amend section 64.6305 by redesignating paragraphs (b) and (c) as (c) and (e), respectively, revising paragraph (a) and redesignated paragraph (c), and adding new paragraphs (b) and (d) to read as follows: (a) Robocall mitigation program requirements for voice service providers.  (1) Any voice service provider subject to an extension granted under §64.6304 that has not fully implemented the STIR/SHAKEN authentication framework on its entire network shall implement an appropriate robocall mitigation program as to those portions of its network on which it has not implemented the STIR/SHAKEN authentication framework. (2) Any robocall mitigation program implemented pursuant to paragraph (a)(1) of this section shall include reasonable steps to avoid originating illegal robocall traffic and shall include a commitment to respond fully and in a timely manner to all traceback requests from the Commission, law enforcement, and the industry traceback consortium, and to cooperate with such entities in investigating and stopping any illegal robocallers that use its service to originate calls. (b) Robocall mitigation program requirements for gateway providers. (1) Each gateway provider shall implement an appropriate robocall mitigation program with respect to calls that use North American Numbering Plan resources that pertain to the United States. (2) Any robocall mitigation program implemented pursuant to paragraph (b)(1) of this section shall include reasonable steps to avoid carrying or processing illegal robocall traffic and shall include a commitment to respond fully and within 24 hours to all traceback requests from the Commission, law enforcement, and the industry traceback consortium, and to cooperate with such entities in investigating and stopping any illegal robocallers that use its service to carry or process calls. (c) Certification by voice service providers in the Robocall Mitigation Database. (1) Not later than June 30, 2021, a voice service provider, regardless of whether it is subject to an extension granted under §64.6304, shall certify to one of the following: (i) It has fully implemented the STIR/SHAKEN authentication framework across its entire network and all calls it originates are compliant with §64.6301(a)(1) and (2); (ii) It has implemented the STIR/SHAKEN authentication framework on a portion of its network and calls it originates on that portion of its network are compliant with §64.6301(a)(1) and (2), and the remainder of the calls that originate on its network are subject to a robocall mitigation program consistent with paragraph (a) of this section; or (iii) It has not implemented the STIR/SHAKEN authentication framework on any portion of its network, and all of the calls that originate on its network are subject to a robocall mitigation program consistent with paragraph (a) of this section. (2) A voice service provider that certifies that some or all of the calls that originate on its network are subject to a robocall mitigation program consistent with paragraph (a) of this section shall include the following information in its certification: (i) Identification of the type of extension or extensions the voice service provider received under §64.6304, if the voice service provider is not a foreign voice service provider; (ii) The specific reasonable steps the voice service provider has taken to avoid originating illegal robocall traffic as part of its robocall mitigation program; and (iii) A statement of the voice service provider's commitment to respond fully and in a timely manner to all traceback requests from the Commission, law enforcement, and the industry traceback consortium, and to cooperate with such entities in investigating and stopping any illegal robocallers that use its service to originate calls. (3) All certifications made pursuant to paragraphs (c)(1) and (2) of this section shall: (i) Be filed in the appropriate portal on the Commission's website; and (ii) Be signed by an officer in conformity with 47 CFR 1.16. (4) A voice service provider filing a certification shall submit the following information in the appropriate portal on the Commission's website. (i) The voice service provider’s business name(s) and primary address; (ii) Other business names in use by the voice service provider; (iii) All business names previously used by the voice service provider; (iv) Whether the voice service provider is a foreign voice service provider; and (v) The name, title, department, business address, telephone number, and email address of one person within the company responsible for addressing robocall mitigation-related issues. (5) A voice service provider shall update its filings within 10 business days of any change to the information it must provide pursuant to paragraphs (c)(2) through (4) of this section. (i) A voice service provider or intermediate provider that has been aggrieved by a Governance Authority decision to revoke that voice service provider’s or intermediate provider’s SPC token need not update its filing on the basis of that revocation until the sixty (60) day period to request Commission review, following completion of the Governance Authority’s formal review process, pursuant to §64.6308(b)(1) expires or, if the aggrieved voice service provider or intermediate provider files an appeal, until ten business days after the Wireline Competition Bureau releases a final decision pursuant to §64.6308(d)(1). (ii) If a voice service provider or intermediate provider elects not to file a formal appeal of the Governance Authority decision to revoke that voice service provider’s or intermediate provider’s SPC token, the provider need not update its filing on the basis of that revocation until the thirty (30) day period to file a formal appeal with the Governance Authority Board expires. (d) Certification by gateway providers in the Robocall Mitigation Database. (1) Not later than March 1, 2023, a gateway provider shall certify that it has fully implemented the STIR/SHAKEN authentication framework across its entire network and all calls it carries or processes are compliant with §64.6302(a) and (c); (2) A gateway provider shall include the following information in its certification: (i) The specific reasonable steps the gateway provider has taken to avoid carrying or processing illegal robocall traffic as part of its robocall mitigation program; and (ii) A statement of the gateway provider’s commitment to respond fully and within 24 hours to all traceback requests from the Commission, law enforcement, and the industry traceback consortium, and to cooperate with such entities in investigating and stopping any illegal robocallers that use its service to carry or process calls. (3) All certifications made pursuant to paragraph (d)(1) of this section shall: (i) Be filed in the appropriate portal on the Commission's website; and (ii) Be signed by an officer in conformity with 47 CFR 1.16. (4) A gateway provider filing a certification shall submit the following information in the appropriate portal on the Commission's website. (i) The gateway provider’s business name(s) and primary address; (ii) Other business names in use by the gateway provider; (iii) All business names previously used by the gateway provider; (iv) Whether the gateway provider or any affiliate is also a foreign voice service provider; and (v) The name, title, department, business address, telephone number, and email address of one person within the company responsible for addressing robocall mitigation-related issues. (5) A gateway provider shall update its filings within 10 business days of any change to the information it must provide pursuant to paragraphs (d)(2) through (4) of this section, subject to the conditions set forth in paragraphs (c)(5)(i)-(ii) of this section. (e) Intermediate provider and voice service provider obligations. (1) Beginning September 28, 2021, intermediate providers and voice service providers shall accept calls directly from a voice service provider, including a foreign voice service provider that uses North American Numbering Plan resources that pertain to the United States to send voice traffic to residential or business subscribers in the United States, only if that voice service provider's filing appears in the Robocall Mitigation Database in accordance with paragraph (c) of this section. (2) Additional intermediate provider and voice service provider obligations. Beginning ninety days after the deadline for filing certifications pursuant to paragraph (d) of this section, intermediate providers and voice service providers shall accept calls directly from a gateway provider only if that gateway provider’s filing appears in the Robocall Mitigation Database in accordance with paragraph (d) of this section. Federal Communications Commission FCC 21-105 APPENDIX B Initial Regulatory Flexibility Analysis 1. As required by the Regulatory Flexibility Act of 1980, as amended (RFA), See 5 U.S.C. § 603. The RFA, see 5 U.S.C. § 601-612, has been amended by the Small Business Regulatory Enforcement Fairness Act of 1996 (SBREFA), Pub. L. No. 104-121, Title II, 110 Stat. 857 (1996). the Commission has prepared this Initial Regulatory Flexibility Analysis (IRFA) of the possible significant economic impact on small entities by the policies and rules proposed in this Further Notice of Proposed Rulemaking (Further Notice). The Commission requests written public comments on this IRFA. Comments must be identified as responses to the IRFA and must be filed by the deadlines for comments provided on the first page of the Further Notice. The Commission will send a copy of the Further Notice, including this IRFA, to the Chief Counsel for Advocacy of the Small Business Administration (SBA). See 5 U.S.C. § 603(a). In addition, the Further Notice and IRFA (or summaries thereof) will be published in the Federal Register. See 5 U.S.C. § 603(a). A. Need for, and Objectives of, the Proposed Rules 2. In order to continue the Commission’s work combating illegal calls, this Further Notice proposes to impose several obligations on gateway providers. Specifically, the Further Notice proposes to require gateway providers to authenticate and employ robocall mitigation techniques on all SIP calls that they allow into the United States from abroad that display a U.S. number in the caller ID field. Further Notice at paras. 38-50. The Further Notice also proposes that gateway providers should engage in robocall mitigation by (1) responding to all traceback requests from the Commission, law enforcement, and the industry traceback consortium within 24 hours; Id. at paras. 52-55. (2) complying with mandatory call blocking requirements; Id. at paras. 56-59, 66-79. (3) complying with enhanced know-your-customer obligations; Id. at paras. 80-86. (4) complying with a general duty to mitigate illegal robocalls; Id. at paras. 91-93. and (5) filing a certification in the Robocall Mitigation Database. Id. at paras. 94-99. The Commission also proposes one blocking requirement for intermediate and terminating providers immediately downstream from the gateway provider, which would require those providers to block all traffic from a gateway provider that fails to block or effectively mitigate illegal traffic when notified of such traffic by the Commission. Id. at paras. 60-65. B. Legal Basis 3. The Further Notice proposes to find authority largely under those provisions through which it has previously adopted rules to stem the tide of robocalls in its Call Blocking and Call Authentication Orders. Specifically, the Further Notice proposes to find authority under sections 201(a) and (b), 202(a), 251(e), the Truth in Caller ID Act, the TRACED Act and, where appropriate, ancillary authority. Id.at paras. 112-19. The Further Notice also proposes to conclude that, to the extent any of the rules we seek to adopt today have an effect on foreign service providers, that effect is only indirect and therefore consistent with the Commission’s authority. The Further Notice solicits comment on these proposals. C. Description and Estimate of the Number of Small Entities to Which the Proposed Rules Will Apply 4. The RFA directs agencies to provide a description of and, where feasible, an estimate of the number of small entities that may be affected by the proposed rules and by the rule revisions on which the Notice seeks comment, if adopted. See 5 U.S.C. § 603(b)(3). The RFA generally defines the term “small entity” as having the same meaning as the terms “small business,” “small organization,” and “small governmental jurisdiction.” See 5 U.S.C. § 601(6). In addition, the term “small business” has the same meaning as the term “small-business concern” under the Small Business Act. 5 U.S.C. § 601(3) (incorporating by reference the definition of “small-business concern” in the Small Business Act, 15 U.S.C. § 632). Pursuant to 5 U.S.C. § 601(3), the statutory definition of a small business applies “unless an agency, after consultation with the Office of Advocacy of the Small Business Administration and after opportunity for public comment, establishes one or more definitions of such term which are appropriate to the activities of the agency and publishes such definition(s) in the Federal Register.” A “small-business concern” is one which: (1) is independently owned and operated; (2) is not dominant in its field of operation; and (3) satisfies any additional criteria established by the SBA. See 15 U.S.C. § 632. 1. Wireline Carriers 5. Wired Telecommunications Carriers. The U.S. Census Bureau defines this industry as “establishments primarily engaged in operating and/or providing access to transmission facilities and infrastructure that they own and/or lease for the transmission of voice, data, text, sound, and video using wired communications networks. Transmission facilities may be based on a single technology or a combination of technologies. Establishments in this industry use the wired telecommunications network facilities that they operate to provide a variety of services, such as wired telephony services, including VoIP services, wired (cable) audio and video programming distribution, and wired broadband internet services. By exception, establishments providing satellite television distribution services using facilities and infrastructure that they operate are included in this industry.” See US Census Bureau, 2017 NAICS Definition, “517311 Wired Telecommunications Carriers”, https://www.census.gov/cgi-bin/sssd/naics/naicsrch?code=517311&search=2017. The SBA has developed a small business size standard for Wired Telecommunications Carriers, which consists of all such companies having 1,500 or fewer employees. See 13 CFR § 120.201, NAICS Code 517311 (previously 517110). U.S. Census Bureau data for 2012 show that there were 3,117 firms that operated that year. See US Census Bureau, 2012 Economic Census of the United States, Table No. EC1251SSSZ5, Information: Subject Series - Estab & Firm Size: Employment Size of Firms: 2012. NAICS Code 517110. https://factfinder.census.gov/bkmk/table/1.0/en/ECN/2012_US/51SSSZ5//naics~517110. Of this total, 3,083 operated with fewer than 1,000 employees. Id. The largest category provided by the census data is “1000 employees or more” and a more precise estimate for firms with fewer than 1,500 employees is not provided. Thus, under this size standard, the majority of firms in this industry can be considered small. 6. Local Exchange Carriers (LECs). Neither the Commission nor the SBA has developed a size standard for small businesses specifically applicable to local exchange services. The closest applicable NAICS Code category is Wired Telecommunications Carriers. See US Census Bureau, 2017 NAICS Definition, NAICS Code 517311 “Wired Telecommunications Carriers,” https://www.census.gov/cgi-bin/sssd/naics/naicsrch?code=517311&search=2017. Under the applicable SBA size standard, such a business is small if it has 1,500 or fewer employees. See 13 CFR § 120.201, NAICS Code 517311 (previously 517110). U.S. Census Bureau data for 2012 show that there were 3,117 firms that operated for the entire year. See US Census Bureau, 2012 Economic Census of the United States, Table No. EC1251SSSZ5, Information: Subject Series - Estab & Firm Size: Employment Size of Firms: 2012 NAICS Code 517110. https://factfinder.census.gov/bkmk/table/1.0/en/ECN/2012_US/51SSSZ5//naics~517110. Of that total, 3,083 operated with fewer than 1,000 employees. Id. The largest category provided by the census data is “1000 employees or more” and a more precise estimate for firms with fewer than 1,500 employees is not provided. Thus under this category and the associated size standard, the Commission estimates that the majority of local exchange carriers are small entities. 7. Incumbent LECs. Neither the Commission nor the SBA has developed a small business size standard specifically for incumbent local exchange services. The closest applicable NAICS Code category is Wired Telecommunications Carriers. See, US Census Bureau, 2017 NAICS Definition, NAICS Code 517311 “Wired Telecommunications Carriers,”, https://www.census.gov/cgi-bin/sssd/naics/naicsrch?code=517311&search=2017. Under the applicable SBA size standard, such a business is small if it has 1,500 or fewer employees. See 13 CFR § 121.201, NAICS Code 517311 (previously 517110). U.S. Census Bureau data for 2012 indicate that 3,117 firms operated the entire year. See US Census Bureau, 2012 Economic Census of the United States, Table No. EC1251SSSZ5, Information: Subject Series - Estab & Firm Size: Employment Size of Firms: 2012 (517110 Wired Telecommunications Carriers). https://factfinder.census.gov/bkmk/table/1.0/en/ECN/2012_US/51SSSZ5//naics~517110. Of this total, 3,083 operated with fewer than 1,000 employees. Id. Consequently, the Commission estimates that most providers of incumbent local exchange service are small businesses that may be affected by our actions. According to Commission data, one thousand three hundred and seven (1,307) Incumbent Local Exchange Carriers reported that they were incumbent local exchange service providers. See Trends in Telephone Service, Federal Communications Commission, Wireline Competition Bureau, Industry Analysis and Technology Division at Table 5.3 (Sept. 2010) (Trends in Telephone Service). Of this total, an estimated 1,006 have 1,500 or fewer employees. Id. Thus, using the SBA’s size standard the majority of incumbent LECs can be considered small entities. 8. Competitive Local Exchange Carriers (Competitive LECs), Competitive Access Providers (CAPs), Shared-Tenant Service Providers, and Other Local Service Providers. Neither the Commission nor the SBA has developed a small business size standard specifically for these service providers. The appropriate NAICS Code category is Wired Telecommunications Carriers See US Census Bureau, 2017 NAICS Definition, NAICS Code 517311 “Wired Telecommunications Carriers,”, https://www.census.gov/cgi-bin/sssd/naics/naicsrch?code=517311&search=2017. and under that size standard, such a business is small if it has 1,500 or fewer employees. See 13 CFR § 120.201, NAICS Code 517311 (previously 517110). U.S. Census Bureau data for 2012 indicate that 3,117 firms operated during that year. See US Census Bureau, 2012 Economic Census of the United States, Table No. EC1251SSSZ5, Information: Subject Series - Estab & Firm Size: Employment Size of Firms: 2012, NAICS Code 517110. https://factfinder.census.gov/bkmk/table/1.0/en/ECN/2012_US/51SSSZ5//naics~517110. Of that number, 3,083 operated with fewer than 1,000 employees. Id. The largest category provided by the census data is “1000 employees or more” and a more precise estimate for firms with fewer than 1,500 employees is not provided. Based on these data, the Commission concludes that the majority of Competitive LECS, CAPs, Shared-Tenant Service Providers, and Other Local Service Providers, are small entities. According to Commission data, 1,442 carriers reported that they were engaged in the provision of either competitive local exchange services or competitive access provider services. See Federal Communications Commission, Wireline Competition Bureau, Industry Analysis and Technology Division, Trends in Telephone Service at Table 5.3 (Sept. 2010) (Trends in Telephone Service), https://apps.fcc.gov/edocs_public/attachmatch/DOC-301823A1.pdf. Of these 1,442 carriers, an estimated 1,256 have 1,500 or fewer employees. Id. In addition, 17 carriers have reported that they are Shared-Tenant Service Providers, and all 17 are estimated to have 1,500 or fewer employees. Id. Also, 72 carriers have reported that they are Other Local Service Providers. Id. Of this total, 70 have 1,500 or fewer employees. Id. Consequently, based on internally researched FCC data, the Commission estimates that most providers of competitive local exchange service, competitive access providers, Shared-Tenant Service Providers, and Other Local Service Providers are small entities. 9. We have included small incumbent LECs in this present RFA analysis. As noted above, a “small business” under the RFA is one that, inter alia, meets the pertinent small-business size standard (e.g., a telephone communications business having 1,500 or fewer employees) and “is not dominant in its field of operation.” 5 U.S.C. § 601(3). The SBA’s Office of Advocacy contends that, for RFA purposes, small incumbent LECs are not dominant in their field of operation because any such dominance is not “national” in scope. Letter from Jere W. Glover, Chief Counsel for Advocacy, SBA, to William E. Kennard, Chairman, FCC (filed May 27, 1999). The Small Business Act contains a definition of “small business concern,” which the RFA incorporates into its own definition of “small business.” 15 U.S.C. § 632(a); 5 U.S.C. § 601(3). SBA regulations interpret “small business concern” to include the concept of dominance on a national basis. 13 CFR § 121.102(b). We have therefore included small incumbent LECs in this RFA analysis, although we emphasize that this RFA action has no effect on Commission analyses and determinations in other, non-RFA contexts. 10. Interexchange Carriers (IXCs). Neither the Commission nor the SBA has developed a small business size standard specifically for Interexchange Carriers. The closest applicable NAICS Code category is Wired Telecommunications Carriers. See US Census Bureau, 2017 NAICS Definition, NAICS Code 517311 “Wired Telecommunications Carriers,” https://www.census.gov/cgi-bin/sssd/naics/naicsrch?code=517311&search=2017. The applicable size standard under SBA rules is that such a business is small if it has 1,500 or fewer employees. See 13 CFR § 120.201, NAICS Code 517311 (previously 517110). U.S. Census Bureau data for 2012 indicate that 3,117 firms operated for the entire year. See US Census Bureau, 2012 Economic Census of the United States, Table No. EC1251SSSZ5, Information: Subject Series - Estab & Firm Size: Employment Size of Firms: 2012 NAICS Code 517110. https://factfinder.census.gov/bkmk/table/1.0/en/ECN/2012_US/51SSSZ5//naics~517110. Of that number, 3,083 operated with fewer than 1,000 employees. Id. The largest category provided by the census data is “1000 employees or more” and a more precise estimate for firms with fewer than 1,500 employees is not provided. According to internally developed Commission data, 359 companies reported that their primary telecommunications service activity was the provision of interexchange services. See Trends in Telephone Service, Federal Communications Commission, Wireline Competition Bureau, Industry Analysis and Technology Division at Table 5.3 (Sept. 2010) (Trends in Telephone Service). https://apps.fcc.gov/edocs_public/attachmatch/DOC-301823A1.pdf. Of this total, an estimated 317 have 1,500 or fewer employees. Id. Consequently, the Commission estimates that the majority of interexchange service providers are small entities. 11. Cable System Operators (Telecom Act Standard). The Communications Act of 1934, as amended (the Act), also contains a size standard for small cable system operators, which is “a cable operator that, directly or through an affiliate, serves in the aggregate fewer than one percent of all subscribers in the United States and is not affiliated with any entity or entities whose gross annual revenues in the aggregate exceed $250,000,000.” 47 U.S.C. § 543(m)(2); see 47 CFR § 76.901(e) & nn.1-3. As of 2018, there were approximately 50,504,624 cable video subscribers in the United States. S&P Global Market Intelligence, US Cable Subscriber Highlights, Basic Subscribers(actual) 2018, US Cable MSO Industry Total, https://platform.marketintelligence.spglobal.com/. Accordingly, an operator serving fewer than 505,046 subscribers shall be deemed a small operator if its annual revenues, when combined with the total annual revenues of all its affiliates, do not exceed $250 million in the aggregate. 47 CFR § 76.901(e) and nn. 1- 3. We note that the Commission neither requests nor collects information on whether cable system operators are affiliated with entities whose gross annual revenues exceed $250 million. The Commission does receive such information on a case-by-case basis if a cable operator appeals a local franchise authority’s finding that the operator does not qualify as a small cable operator pursuant to § 76.901(f) of the Commission’s rules. See 47 CFR § 76.990(b). Therefore we are unable at this time to estimate with greater precision the number of cable system operators that would qualify as small cable operators under the definition in the Act. 12. Other Toll Carriers. Neither the Commission nor the SBA has developed a size standard for small businesses specifically applicable to other toll carriers. This category includes toll carriers that do not fall within the categories of interexchange carriers, operator service providers, prepaid calling card providers, satellite service carriers, or toll resellers. The closest applicable size standard under SBA rules is for Wired Telecommunications Carriers. The U.S. Census Bureau defines this industry as “establishments primarily engaged in operating and/or providing access to transmission facilities and infrastructure that they own and/or lease for the transmission of voice, data, text, sound, and video using wired communications networks. Transmission facilities may be based on a single technology or a combination of technologies. Establishments in this industry use the wired telecommunications network facilities that they operate to provide a variety of services, such as wired telephony services, including VoIP services, wired (cable) audio and video programming distribution, and wired broadband internet services. By exception, establishments providing satellite television distribution services using facilities and infrastructure that they operate are included in this industry.” U.S. Census Bureau, 2017 NAICS Definitions, “517311 Wired Telecommunications Carriers”; http://www.census.gov/cgi-bin/sssd/naics/naicsrch. Under that size standard, such a business is small if it has 1,500 or fewer employees. 13 CFR § 121.201, NAICS code 517311. Census data for 2012 show that there were 3,117 firms that operated that year. Of this total, 3,083 operated with fewer than 1,000 employees. 2012 U.S. Economic Census, NAICs Code 517311, at https://data.census.gov/cedsci/table?q=Estab%20%26%20Firm%20Size%3A%20Employment%20Size%20of%20Establishments%20for%20the%20U.S&g=&table=EC1251SSSZ5&tid=ECNSIZE2012.EC1251SSSZ5&hidePreview=false&lastDisplayedRow=11&vintage=2012&mode=&n=517311. Thus, under this category and the associated small business size standard, the majority of other toll carriers can be considered small. 2. Wireless Carriers 13. Wireless Telecommunications Carriers (except Satellite). This industry comprises establishments engaged in operating and maintaining switching and transmission facilities to provide communications via the airwaves. Establishments in this industry have spectrum licenses and provide services using that spectrum, such as cellular services, paging services, wireless internet access, and wireless video services. US Census Bureau, 2017 NAICS Definitions, “517312 Wireless Telecommunications Carriers (Except Satellite)” h,ttps://www.census.gov/cgi-bin/sssd/naics/naicsrch?code=517312&search=2017%20NAICS%20Search. The appropriate size standard under SBA rules is that such a business is small if it has 1,500 or fewer employees. 13 CFR § 121.201, NAICS Code 517312 (previously 517210). For this industry, U.S. Census Bureau data for 2012 show that there were 967 firms that operated for the entire year. US Census Bureau, 2012 Economic Census of the United States, Table EC1251SSSZ5, Information: Subject Series: Estab and Firm Size: Employment Size of Firms for the US: 2012, NAICS Code 517210. https://factfinder.census.gov/bkmk/table/1.0/en/ECN/2012_US/51SSSZ5//naics~517210. Of this total, 955 firms employed fewer than 1,000 employees and 12 firms employed of 1000 employees or more. Id. Available census data does not provide a more precise estimate of the number of firms that have employment of 1,500 or fewer employees. The largest category provided is for firms with “1000 employees or more.” Thus under this category and the associated size standard, the Commission estimates that the majority of wireless telecommunications carriers (except satellite) are small entities. 14. The Commission’s own data—available in its Universal Licensing System—indicate that, as of August 31, 2018 there are 265 Cellular licensees that will be affected by our actions. See http://wireless.fcc.gov/uls.  For the purposes of this IRFA, consistent with Commission practice for wireless services, the Commission estimates the number of licensees based on the number of unique FCC Registration Numbers. The Commission does not know how many of these licensees are small, as the Commission does not collect that information for these types of entities. Similarly, according to internally developed Commission data, 413 carriers reported that they were engaged in the provision of wireless telephony, including cellular service, Personal Communications Service (PCS), and Specialized Mobile Radio (SMR) Telephony services. See Federal Communications Commission, Wireline Competition Bureau, Industry Analysis and Technology Division, Trends in Telephone Service at Table 5.3 (Sept. 2010) (Trends in Telephone Service), https://apps.fcc.gov/edocs_public/attachmatch/DOC-301823A1.pdf. Of this total, an estimated 261 have 1,500 or fewer employees, and 152 have more than 1,500 employees. See id. Thus, using available data, we estimate that the majority of wireless firms can be considered small. 15. Satellite Telecommunications. This category comprises firms “primarily engaged in providing telecommunications services to other establishments in the telecommunications and broadcasting industries by forwarding and receiving communications signals via a system of satellites or reselling satellite telecommunications.” US Census Bureau, 2017 NAICS Definitions, “517410 Satellite Telecommunications”; https://www.census.gov/cgi-bin/sssd/naics/naicsrch?input=517410&search=2017+NAICS+Search&search=2017. Satellite telecommunications service providers include satellite and earth station operators. The category has a small business size standard of $35 million or less in average annual receipts, under SBA rules. 13 CFR § 121.201, NAICS code 517410. For this category, U.S. Census Bureau data for 2012 show that there were a total of 333 firms that operated for the entire year. US Census Bureau, 2012 Economic Census of the United States, Table EC1251SSSZ4, Information: Subject Series - Estab and Firm Size: Receipts Size of Firms for the United States: 2012, NAICS Code 517410, https://factfinder.census.gov/bkmk/table/1.0/en/ECN/2012_US/51SSSZ4//naics~517410. Of this total, 299 firms had annual receipts of less than $25 million. Id. The available US Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard of annual receipts of $35 million or less. Consequently, we estimate that the majority of satellite telecommunications providers are small entities. 3. Resellers 16. Local Resellers. The SBA has not developed a small business size standard specifically for Local Resellers. The SBA category of Telecommunications Resellers is the closest NAICs code category for local resellers. The Telecommunications Resellers industry comprises establishments engaged in purchasing access and network capacity from owners and operators of telecommunications networks and reselling wired and wireless telecommunications services (except satellite) to businesses and households. Establishments in this industry resell telecommunications; they do not operate transmission facilities and infrastructure. Mobile virtual network operators (MVNOs) are included in this industry. US Census Bureau, 2017 NAICS Definition, “517911 Telecommunications Resellers”, https://www.census.gov/cgi-bin/sssd/naics/naicsrch?code=517911&search=2017%20NAICS%20Search. Under the SBA’s size standard, such a business is small if it has 1,500 or fewer employees. 13 CFR § 121.201, NAICS code 517911. U.S. Census Bureau data from 2012 show that 1,341 firms provided resale services during that year. See US Census Bureau, 2012 Economic Census of the United States, Table No. EC1251SSSZ5, Information: Subject Series - Estab & Firm Size: Employment Size of Firms: 2012 NAICS Code 517911, https://factfinder.census.gov/bkmk/table/1.0/en/ECN/2012_US/51SSSZ5//naics~517911. Of that number, all operated with fewer than 1,000 employees. Id. Available census data does not provide a more precise estimate of the number of firms that have employment of 1,500 or fewer employees. The largest category provided is for firms with “1000 employees or more.” Thus, under this category and the associated small business size standard, the majority of these resellers can be considered small entities. According to Commission data, 213 carriers have reported that they are engaged in the provision of local resale services. See Trends in Telephone Service, Federal Communications Commission, Wireline Competition Bureau, Industry Analysis and Technology Division at Table 5.3 (Sept. 2010) (Trends in Telephone Service). Of these, an estimated 211 have 1,500 or fewer employees and two have more than 1,500 employees. See id. Consequently, the Commission estimates that the majority of local resellers are small entities. 17. Toll Resellers. The Commission has not developed a definition for Toll Resellers. The closest NAICS Code Category is Telecommunications Resellers. The Telecommunications Resellers industry comprises establishments engaged in purchasing access and network capacity from owners and operators of telecommunications networks and reselling wired and wireless telecommunications services (except satellite) to businesses and households. Establishments in this industry resell telecommunications; they do not operate transmission facilities and infrastructure. MVNOs are included in this industry. US Census Bureau, 2017 NAICS Definition, 517911 Telecommunications Resellers, https://www.census.gov/cgi-bin/sssd/naics/naicsrch?code=517911&search=2017%20NAICS%20Search. The SBA has developed a small business size standard for the category of Telecommunications Resellers. 13 CFR § 121.201, NAICS code 517911. Under that size standard, such a business is small if it has 1,500 or fewer employees. Id. 2012 Census Bureau data show that 1,341 firms provided resale services during that year. See US Census Bureau, 2012 Economic Census of the United States, Table No. EC1251SSSZ5, Information: Subject Series - Estab & Firm Size: Employment Size of Firms: 2012 NAICS Code 517911, https://factfinder.census.gov/bkmk/table/1.0/en/ECN/2012_US/51SSSZ5//naics~517911. Of that number, 1,341 operated with fewer than 1,000 employees. Id. Available census data does not provide a more precise estimate of the number of firms that have employment of 1,500 or fewer employees; the largest category provided is for firms with “1000 employees or more.” Thus, under this category and the associated small business size standard, the majority of these resellers can be considered small entities. According to Commission data, 881 carriers have reported that they are engaged in the provision of toll resale services. See Trends in Telephone Service, Federal Communications Commission, Wireline Competition Bureau, Industry Analysis and Technology Division at Table 5.3 (Sept. 2010) (Trends in Telephone Service). Of this total, an estimated 857 have 1,500 or fewer employees. See id. Consequently, the Commission estimates that the majority of toll resellers are small entities. 18. Prepaid Calling Card Providers. Neither the Commission nor the SBA has developed a small business definition specifically for prepaid calling card providers. The most appropriate NAICS code-based category for defining prepaid calling card providers is Telecommunications Resellers. US Census Bureau, 2017 NAICS Definition, “517911 Telecommunications Resellers”, https://www.census.gov/cgi-bin/sssd/naics/naicsrch?code=517911&search=2017%20NAICS%20Search. This industry comprises establishments engaged in purchasing access and network capacity from owners and operators of telecommunications networks and reselling wired and wireless telecommunications services (except satellite) to businesses and households. Establishments in this industry resell telecommunications; they do not operate transmission facilities and infrastructure. Mobile virtual networks operators (MVNOs) are included in this industry. Id. Under the applicable SBA size standard, such a business is small if it has 1,500 or fewer employees. 13 CFR § 121.201, NAICS Code 517911. U.S. Census Bureau data for 2012 show that 1,341 firms provided resale services during that year. See US Census Bureau, 2012 Economic Census of the United States, Table No. EC1251SSSZ5, Information: Subject Series - Estab & Firm Size: Employment Size of Firms: 2012 NAICS Code 517911, https://factfinder.census.gov/bkmk/table/1.0/en/ECN/2012_US/51SSSZ5//naics~517911. Of that number, 1,341 operated with fewer than 1,000 employees. Id. Available census data does not provide a more precise estimate of the number of firms that have employment of 1,500 or fewer employees. The largest category provided is for firms with “1000 employees or more.” Thus, under this category and the associated small business size standard, the majority of these prepaid calling card providers can be considered small entities. According to Commission data, 193 carriers have reported that they are engaged in the provision of prepaid calling cards. See Trends in Telephone Service, at tbl. 5.3. All 193 carriers have 1,500 or fewer employees. Id. Consequently, the Commission estimates that the majority of prepaid calling card providers are small entities that may be affected by these rules.. 4. Other Entities 19. All Other Telecommunications. The “All Other Telecommunications” category is comprised of establishments primarily engaged in providing specialized telecommunications services, such as satellite tracking, communications telemetry, and radar station operation. See US Census Bureau, 2017 NAICS Definitions, “517919 All Other Telecommunications”, https://www.census.gov/cgi-bin/sssd/naics/naicsrch?input=517919&search=2017+NAICS+Search&search=2017. This industry also includes establishments primarily engaged in providing satellite terminal stations and associated facilities connected with one or more terrestrial systems and capable of transmitting telecommunications to, and receiving telecommunications from, satellite systems. Id. Establishments providing Internet services or voice over Internet protocol (VoIP) services via client-supplied telecommunications connections are also included in this industry. Id. The SBA has developed a small business size standard for “All Other Telecommunications”, which consists of all such firms with annual receipts of $35 million or less. See 13 CFR § 121.201, NAICS Code 517919. For this category, U.S. Census Bureau data for 2012 show that there were 1,442 firms that operated for the entire year. US Census Bureau, 2012 Economic Census of the United States, Table EC1251SSSZ4, Information: Subject Series - Estab and Firm Size: Receipts Size of Firms for the United States: 2012, NAICS Code 517919, https://factfinder.census.gov/bkmk/table/1.0/en/ECN/2012_US/51SSSZ4//naics~517919. Of those firms, a total of 1,400 had annual receipts less than $25 million and 15 firms had annual receipts of $25 million to $49,999,999. Id. Thus, the Commission estimates that the majority of “All Other Telecommunications” firms potentially affected by our action can be considered small. D. Description of Projected Reporting, Recordkeeping, and Other Compliance Requirements for Small Entities 20. The Further Notice proposes to impose several obligations on gateway providers, many of whom may be small entities. Specifically, we propose to require gateway providers to authenticate and employ robocall mitigation techniques on all SIP calls 47 CFR § 64.6300(h) (defining SIP call as “calls initiated, maintained, and terminated using the Session Initiation Protocol signaling protocol”). that they allow into the United States from abroad that display a U.S. number in the caller ID field. Further Notice at paras. 38-50. The Further Notice also proposes that gateway providers should engage in robocall mitigation by (1) responding to all traceback requests from the Commission, law enforcement, and the industry traceback consortium within 24 hours; Id. at paras. 52-55. (2) complying with mandatory call blocking requirements; Id. at paras. 56-59, 66-79. (3) complying with enhanced know-your-customer obligations; Id. at paras. 80-86. (4) complying with a general duty to mitigate illegal robocalls; Id. at paras. 91-93. and (5) filing a certification in the Robocall Mitigation Database. Id. at paras. 94-99. The Further Notice also proposes one blocking requirement for intermediate and terminating providers immediately downstream from the gateway provider, which would require those providers to block all traffic from a gateway provider that fails to block or effectively mitigate illegal traffic when notified of such traffic by the Commission. Id. at paras. 60-65. This proposal may also cover small entities. E. Steps Taken to Minimize the Significant Economic Impact on Small Entities, and Significant Alternatives Considered 21. The RFA requires an agency to describe any significant alternatives that it has considered in reaching its proposed approach, which may include the following four alternatives (among others): (1) the establishment of differing compliance or reporting requirements or timetables that take into account the resources available to small entities; (2) the clarification, consolidation, or simplification of compliance and reporting requirements under the rules for such small entities; (3) the use of performance rather than design standards; and (4) an exemption from coverage of the rule, or any part thereof, for such small entities. 5 U.S.C. § 603(c)(1)-(4). 22. The Further Notice seeks comment on the particular impacts that the proposed rules may have on small entities. The Further Notice seeks comment on whether the costs of the proposed gateway provider authentication requirement may vary by provider, including those providers that have not yet implemented STIR/SHAKEN, such as small voice service providers. Further Notice at para. 42, 50. The Further Notice also seeks comment on the burdens on “small gateway providers” of a 24-hour traceback requirement. Id. at para. 53. It also seeks comment on the impact on small businesses whose traffic may be blocked under our proposed blocking rules and know your customer obligations. Id. at paras. 59, 65, 70, 84. The Further Notice also seeks comment on whether a general mitigation approach may make compliance more difficult for small entities. Id. at para. 91. F. Federal Rules that May Duplicate, Overlap, or Conflict with the Proposed Rules 23. None. 2 STATEMENT OF ACTING CHAIRWOMAN JESSICA ROSENWORCEL Re: Advanced Methods to Target and Eliminate Unlawful Robocalls, CG Docket No. 17-59; Call Authentication Trust Anchor, WC Docket No. 17-97, Further Notice of Proposed Rulemaking (September 30, 2021). Robocalls are singularly annoying. But there is no one single solution to get them off the line. So we are firing on all fronts. We’re enforcing the law. We’re sending cease-and desist letters to companies running illegal robocall campaigns to tell them they have 48 hours to knock it off or we will tell all other carriers to reject their traffic. We adopted the largest FCC fine in history for spoofing. We adopted the largest FCC fine in history under the Telephone Consumer Protection Act. In short, we’re bringing new heat to our enforcement and are not going to stop until we get these calls off the line. We’re giving consumers new tools. We’ve empowered consumers with new blocking tools and have given carriers the regulatory green light to block illegal calls before they reach our homes and business. We’re using new technologies. We’re requiring carriers to put STIR/SHAKEN technology in their networks. With this caller authentication system in place, carriers can know that callers really are who they say they are and stop spoofing at the source. We’re also making carriers use a new Robocall Mitigation Database. Every carrier in the United States is required to register and tell us what they are doing to stop robocalls. But we’re not just looking at their plans, if carriers fail to register, we’re telling all other carriers to block their calls. We’re shutting down loopholes. With reports finding that more and more robocalls are coming to us from outside of this country, we need a way to cut them off before they reach our shores. After all, we don’t want international calling to become a loophole for our policies. So today we are proposing that gateway providers in the United States—the companies that bring in calls from overseas—take action to stop this stuff from coming in from abroad. That means they need to use STIR/SHAKEN technology, register in our Robocall Mitigation Database, and comply with traceback requests to figure out where these junk calls are originating from overseas. This will help us tackle the growing number of international robocalls. Because we can’t have these scam artists multiplying abroad and hiding from our regulatory reach. We’re going to stop these nuisance calls before they reach our homes and businesses in the United States. And if the tools we have here are not up to task—we will need to go to Congress and ask for more. Thank you to the Robocall Response Team for their efforts on this and specifically thank you to Pam Arluk, Michele Berlove, Matt Collins, Dan Kahn, Jonathan Lechter, and Kris Monteith of the Wireline Competition Bureau; Robert Aldrich, Jerusha Burnett, Aaron Garza, Karen Schroeder, Mark Stone, Kristi Thornton, and Patrick Webre of the Consumer and Governmental Affairs Bureau; Patrick DeGraba, Chuck Needy, and Emily Talaga of the Office of Economics and Analytics; Lisa Gelb, David Strickland, Kristi Thompson, and Lisa Zaina of the Enforcement Bureau; Kimberly Cook, Wayne Leighton, and Jim Schlichting of the International Bureau; Ken Carlberg and David Furth of the Public Safety and Homeland Security Bureau; Belford Lawson and Sanford Williams of the Office of Communications Business Opportunities; and Michele Ellison, Rick Mallen, Linda Oliver, Bill Richardson, and Derek Yeo of the Office of General Counsel. STATEMENT OF COMMISSIONER GEOFFREY STARKS Re: Advanced Methods to Target and Eliminate Unlawful Robocalls, CG Docket No. 17-59; Call Authentication Trust Anchor, WC Docket No. 17-97, Further Notice of Proposed Rulemaking (September 30, 2021). I am proud of the work we have done—and continue to do—to combat illegal and unwanted robocalls, a major source of harm and potential fraud to the American public. But there is still more to do. As I have long said, illegal robocalls will continue so long as those initiating and facilitating them can get away with and profit from it. Last year’s estimated 46 billion robocalls and last month’s estimated 4.1 billion calls are proof positive of that. We must therefore continue to be vigilant in our efforts to identify the sources of these calls and stop them in their tracks. Foreign-originated illegal robocalls that use U.S.-based numbers are a particularly challenging problem, in large part because such calls cannot always be traced to their foreign sources. By proposing to require U.S.-based gateway providers, the point of entry for foreign calls into the United States, to be the first line of defense, we improve our chances of tracing these calls back to their original sources so we can hold them accountable. That ability, coupled with other proposals in this Further Notice to improve on our anti-robocalling rules, should get us closer to our goal of stopping illegal robocalls for good. My thanks to the Consumer and Governmental Affairs and Wireline Competition Bureaus for their hard work on this proceeding.