Federal Communications Commission FCC 21-93 Before the FEDERAL COMMUNICATIONS COMMISSION WASHINGTON, D.C. 20554 In the Matter of Call Authentication Trust Anchor Appeals of the STIR/SHAKEN Governance Authority Token Revocation Decisions ) ) ) ) ) ) WC Docket No. 17-97 WC Docket No. 21-291 THIRD REPORT AND ORDER Adopted: August 5, 2021 Released: August 6, 2021 By the Commission: Acting Chairwoman Rosenworcel issuing a statement. TABLE OF CONTENTS I. INTRODUCTION 1 II. BACKGROUND 3 III. DISCUSSION 11 A. APPEALS PROCESS AND REQUIREMENTS 12 B. LEGAL AUTHORITY 29 IV. PROCEDURAL MATTERS 30 V. ORDERING CLAUSES 34 APPENDIX A – FINAL RULES APPENDIX B – FINAL REGULATORY FLEXIBILITY ANALYSIS I. INTRODUCTION 1. Caller ID authentication using the STIR/SHAKEN framework is a key component of our multi-pronged effort to combat the scourge of illegal robocalls. STIR/SHAKEN is a set of technological standards that helps to prevent illegal “spoofing,” a practice that involves falsifying caller ID information in order to trick unsuspecting Americans into thinking that calls are trustworthy because the caller ID information appears as if the call came from a neighbor or a familiar or reputable source. See FCC, Consumer Guides, Caller ID Spoofing, https://www.fcc.gov/consumers/guides/spoofing-and-caller-id (last updated Mar. 17, 2021). Spoofing has both legal and illegal uses. Implementing Section 503 of the RAY BAUM’S Act; Rules and Regulation Implementing the Truth in Caller ID Act of 2009, WC Docket Nos. 18-335 and 11-39, Second Report and Order, 34 FCC Rcd 7303, 7304-05, para. 4 (2019) (Second Truth in Caller ID Order). It is illegal when a caller transmits misleading or inaccurate caller ID information with the intent to defraud, cause harm, or wrongly obtain anything of value. 47 U.S.C. § 227(e)(1); 47 CFR § 64.1604. With voice service providers required by our rules to implement STIR/SHAKEN in the Internet Protocol (IP) portions of their networks by June 30, 2021, 47 CFR § 64.6301; see also Call Authentication Trust Anchor; Implementation of TRACED Act Section 6(A)—Knowledge of Customers by Entities with Access to Numbering Resources, WC Docket Nos. 17-97 20-67, Report and Order and Further Notice of Proposed Rulemaking, 35 FCC Rcd 3241, 3252, para. 25 (2020) (First Caller ID Authentication Report and Order and Further Notice); Pallone-Thune Telephone Robocall Abuse Criminal Enforcement and Deterrence Act, Pub. L. No. 116-105 (2019) (TRACED Act) § 4(b)(1)(A). Consistent with Congress’s direction, the Commission provided some types of voice service providers additional time to implement the technology in their networks based on undue hardship. 47 CFR § 64.6304(a)-(d); see also Call Authentication Trust Anchor, WC Docket No. 17-97, Second Report and Order, 36 FCC Rcd 1859, 1876-96, paras. 36-70 (2020) (Second Caller ID Authentication Report and Order); TRACED Act § 4(b)(5)(A). Americans are now in a position to answer their phones with greater confidence that the number displayed is correct. 2. To guard against bad actors and preserve trust within the distributed caller ID authentication system, the ability of a voice service provider to participate in STIR/SHAKEN can be revoked by the private Governance Authority that oversees the STIR/SHAKEN framework. STI-Governance Authority, STI-GA Policy Decisions Binder, Policy Decision 003: SPC Token Revocation Policy (July 26, 2021), https://sti-ga.atis.org/wp-content/uploads/sites/14/2021/07/210726-STIGA-Board-Policy-Decision-Binder-Revised-Final.pdf (STI-GA Policy Decisions Binder). This revocation process effectively allows the private Governance Authority to make decisions that render voice service providers noncompliant with our rules. See Call Authentication Trust Anchor, WC Docket No. 17-97, Second Further Notice of Proposed Rulemaking, 36 FCC Rcd 684, 689, para. 10 (2021) (Second Caller ID Authentication Further Notice). To provide appropriate oversight and ensure due process, today we establish a process for voice service providers to appeal such revocation decisions to the Commission. II. BACKGROUND 3. To address the issue of illegal caller ID spoofing, technologists from the Internet Engineering Task Force (IETF) and the Alliance for Telecommunications Industry Solutions (ATIS) developed standards to allow for the authentication and verification of caller ID information for calls carried over IP networks. Second Caller ID Authentication Report and Order, 36 FCC Rcd at 1862, para. 6. The result of their efforts is the STIR/SHAKEN caller ID authentication framework, Id. More specifically, a working group of the IETF called the Secure Telephony Identity Revisited (STIR) developed several protocols for authenticating caller ID information. Id. at 1862, para 7. And ATIS, in conjunction with the SIP Forum, produced the Signature-based Handling of Asserted information using toKENs (SHAKEN) specification, which standardizes how the protocols produced by STIR are implemented across the industry. Id. which allows for the caller ID information to securely travel with the call itself throughout the entire length of the call path. Id. at 1862, para 6. A key component of the STIR/SHAKEN framework is the transmission of a digital “certificate” along with the call. This certificate essentially states that the voice service provider authenticating the caller ID information is the voice service provider it claims to be, it is authorized to authenticate this information and, thus, the voice service provider’s claims about the caller ID information can be trusted. See First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3246, para. 9. To maintain trust and accountability in the voice service providers that vouch for the caller ID information, a neutral governance system issues the certificates. 4. The STIR/SHAKEN governance system is comprised of several different entities fulfilling specialized roles. Id. at 3246, para. 10. The Governance Authority, managed by a board consisting of representatives from across the voice service industry, defines the policies and procedures for which entities can issue or acquire certificates. Id. at 3246, para. 10; see STI-Governance Authority, Operating Procedures, Version 1.2, at 1, sec. I.2 (2019), https://www.atis.org/wp-content/uploads/sites/14/2020/04/STI-GA-Operating-Procedures-Version-1.2.pdf (STI-GA Operating Procedures). The Policy Administrator applies the rules the Governance Authority establishes, confirms that Certification Authorities are authorized to issue certificates, and confirms that voice service providers are authorized to request and receive certificates. First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3246, para. 10. The Governance Authority issued a request for proposals and subsequently selected iconectiv to fill this role. Press Release, ATIS, Mitigating Illegal Robocalling Advances with Secure Telephone Identity Governance Authority Board’s Selection of iconectiv as Policy Administrator (May 30, 2019), https://sites.atis.org/insights/mitigating-illegal-robocalling-advances-with-secure-telephone-identity-governance-authority-boards-selection-of-iconectiv-as-policy-administrator/. Certification Authorities, of which there are several, issue the certificates that voice service providers use to authenticate and verify calls. The Policy Administrator, iconectiv, vets and approves the organizations that serve as Certification Authorities. See Press Release, iconectiv, Certification Authority registration now open for U.S. Calling Number Verification Service (Dec. 12, 2019), https://authenticate.iconectiv.com/notices-authenticate. The Policy Administrator website shows that there are currently seven approved Certification Authorities. See iconectiv, Approved Certification Authorities, https://authenticate.iconectiv.com/approved-certification-authorities (last visited July 30, 2021). Finally, the voice service providers, when acting as call initiators, select an approved Certification Authority from which to request a certificate, and when acting as call recipients, check with Certification Authorities to ensure that the certificates they receive were issued by the correct Certification Authority. First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3246, para. 10. There are currently 336 authorized service providers. iconectiv, Authorized Service Providers, https://authenticate.iconectiv.com/authorized-service-providers-authenticate (last visited July 30, 2021). 5. To receive a digital certificate, a voice service provider must first apply to the Policy Administrator for a Service Provider Code (SPC) token. See STI-GA Policy Decisions Binder, Policy Decision 001: SPC Token Access Policy, version 1.2, at 6. To obtain a token, the Governance Authority policy requires that a voice service provider must (1) have a current FCC Form 499A on file with the Commission, (2) have been assigned an Operating Company Number (OCN), and (3) have certified with the FCC that they have implemented STIR/SHAKEN or comply with the Commission’s Robocall Mitigation Program requirements See 47 CFR § 64.6305. and are listed in the FCC Robocall Mitigation Database. See STI-GA Policy Decisions Binder, Policy Decision 001: SPC Token Access Policy version 1.2, at 6. Initially, to acquire a certificate, Governance Authority policy required an entity to have direct access to telephone numbers from the North American Number Plan Administrator (NANPA) and the National Pooling Administrator (NPA). Id., version 1.0, at 5. On May 10, 2021, the Governance Authority announced that version 1.1 of the policy, which permits entities without direct access to telephone numbers to request a certificate if they have filed a certification in the Robocall Mitigation Database, is “effective immediately”; the announcement also stated that the original policy requiring direct access to telephone numbers “will also remain in effect until June 30, 2021.” Press Release, STI-GA, STI-GA Announces Effective Date of Revised SPC Token Access Policy (May 10, 2021), https://sti-ga.atis.org/wp-content/uploads/sites/14/2021/05/051021-SPC-token-Access-Policy-advisory.pdf. The Robocall Mitigation Database is a publicly accessible online database. FCC, Robocall Mitigation Database, https://fccprod.servicenowservices.com/rmd?id=rmd_welcome (last visited July 30, 2021). On July 26, 2021, the Governance Authority announced further revisions to the token access policy to accommodate certain toll free use cases but did not modify these baseline requirements. Press Release, STI-GA, STI-GA Announces Policy Changes to Support Delegate Certificates and Toll-Free (July 26, 2021), https://www.atis.org/press-releases/sti-ga-announces-policy-changes-to-support-delegate-certificates-and-toll-free/. The token then permits the voice service provider to obtain the digital certificates it will use to authenticate calls from one of the approved Certification Authorities. See STI-GA Policy Decisions Binder, Policy Decision 001: SPC Token Access Policy, version 1.2, at 6. The token, therefore, is a prerequisite for a voice service provider to participate in the STIR/SHAKEN ecosystem endorsed by section 4 of the TRACED Act (and the Commission’s implementing rules), and management of token access is the mechanism by which the Policy Administrator and Governance Authority protect the system from abuse and misuse. See STI-GA Policy Decisions Binder, Policy Decision 003: SPC Token Revocation Policy at 71. 6. The Policy Administrator grants tokens to voice service providers that meet the three eligibility criteria conditioned on the execution of a signed agreement with each voice service provider, stating that the voice service provider will follow the ATIS SHAKEN specifications. Id. at 71-72; STI-Governance Authority, STI-Participant Agreement, Service Provider § 6, https://sti-ga.atis.org/wp-content/uploads/sites/14/2020/09/STI-Participant-Agreement-082520.pdf (last visited June 7, 2021) (STI-Participant Agreement). This agreement establishes that if the Policy Administrator deems the voice service provider to be in breach of the agreement, it has the authority to suspend or revoke a voice service provider’s token. STI-Participant Agreement § 8. The Policy Administrator may revoke a service provider’s service token on its own initiative in certain circumstances or when directed by the Governance Authority. See STI-GA Policy Decisions, Policy Decision 003: SPC Token Revocation Policy at 72. In the SPC Token Revocation Policy, the Governance Authority lists the reasons for which a token may be revoked: (1) in the situation of compromised credentials, i.e., a voice service provider’s private key has been lost, stolen, or compromised, or a certification authority has been compromised; (2) the voice service provider exits the STIR/SHAKEN ecosystem and closes its account with the Policy Administrator; (3) the voice service provider failed to adhere to the policy and technical requirements of the STIR/SHAKEN ecosystem, including the SPC Token Access Policy, funding requirements, or technical specifications regarding the use of STIR/SHAKEN; or (4) when directed by a court, the Commission, or another body with relevant legal authority due to a violation of Federal law related to caller ID authentication. See id. at 72. When a service provider’s credentials are compromised or it exits the ecosystem (the former two scenarios), the Policy Administrator may revoke a service provider’s token without prior direction from the Governance Authority because in either circumstance revocation is clearly appropriate. Id. However, when revocation is because a service provider failed to adhere to a policy or technical requirement, or is effected at the direction of a governmental body (the latter two scenarios), the Governance Authority conducts the revocation process according to the process outlined in the SPC Token Revocation Policy. Id. at 73. 7. Token Revocation Procedure. Before the Governance Authority revokes a token due to a voice service provider’s violation of a policy, technical, or legal requirement, the Governance Authority follows a multi-step process described by the SPC Token Revocation Policy, which allows the voice service provider to respond to the alleged infraction and appeal any adverse decision according to the Governance Authority’s operating procedures. See id. at 74-75. According to the SPC Token Revocation Policy, the revocation review process is triggered when a voice service provider, the Policy Administrator, a Certification Authority, or a regulatory authority (such as the Commission) reports a potential issue to the Governance Authority, generally via a complaint. See id. at 73-74. The SPC Token Revocation Policy provides an exception to the use of the complaint process for regulatory authorities, stating that such authorities “should submit their request for SPC token revocation to the STI-GA in writing but do[] not necessarily need to use the standardized [complaint] format. The regulatory authority may do so through contact with the STI-GA Director, STI-GA Board Chair, or Vice-Chair.” Id. at 73. Complaints must, at a minimum, contain the following: (1) the name of the complainant, including contact information; (2) the name of the party against which the claim is submitted; (3) the nature of the complaint and supporting information; and (4) acknowledgement that data may be passed to the appropriate regulatory authority. Id. at 73-74. The complaint cannot be anonymous and must provide adequate information sufficient to beginning the formal review process. Id. at 74. After a preliminary review of the complaint, the Governance Authority decides whether or not to move forward with the review process. Id. at 74. If the Governance Authority determines there is sufficient information to move forward, notice of the complaint will be sent to the Governance Authority Board. Id. After the Governance Authority Board receives notice of the complaint, additional notices are sent to the complainant and to all other parties in the investigation process notifying them of the confidentiality requirements of the revocation proceeding. Id. The confidentiality requirements ensure “news of STI-GA investigation of the complaint is not shared outside STI-GA circles.” Id. The Governance Authority also sends notice to the subject of the complaint—which has five business days to provide a preliminary response—and to the Policy Administrator who, after consulting with the Certification Authority if necessary, provides further information on facts related to the complaint and a proposed recommendation to the Governance Authority Board on whether to move forward with the complaint review. Id. The Governance Authority Board then decides to either reject the complaint review, agrees review is necessary and accepts the complaint for review, or, if required, assigns it to the Technical Committee for further review. Id. at 75. The Technical Committee, comprised of three to eight members, provides “information and guidance to the [Governance Authority] Board related to the technical issues, including changes to the [STIR/SHAKEN] specifications and other technical and technological developments impacting the implementation of SHAKEN by the industry.” STI-GA Operating Procedures at 5, sec. V.2. 8. If the Governance Authority Board decides to accept the complaint for review, it will reach out to the entity that is the subject of the complaint to provide another notification, this time stating that the complaint is being investigated and requesting a substantive written response. STI-GA Policy Decisions, Policy Decision 003: SPC Token Revocation Policy at 75. If the Governance Authority Board determines that additional review by the Technical Committee is also necessary, it will send the complaint to the Technical Committee, which will review the complaint and provide a recommendation to the Governance Authority Board. Id. The Governance Authority will then review the Technical Committee’s recommendation and request further investigation or discussion for the complaint, including submitting questions to all entities involved in the complaint review process. Id. After reviewing all the material, including the Technical Committee’s recommendation if necessary, the Governance Authority Board votes on whether to revoke the token, requiring a two-thirds vote of the Governance Authority Board to approve the revocation. See id. As part of the NANC’s 2018 report on the establishment of a Governance Authority and the deployment of STIR/SHAKEN, the NANC recommended the creation of a policy and decision-making body comprised of representatives from across the communications industry. Call Authentication Trust Anchor Working Grp., N. Am. Numbering Council, Report on Selection of Governance Authority and Timely Deployment of SHAKEN/STIR at 7 (2018), http://nanc-chair.org/docs/mtg_docs/May_18_Call_Authentication_Trust_Anchor_NANC_Final_Report.pdf. After Chairman Pai accepted the NANC’s recommendations, the various industry representatives outlined in the NANC’s report selected a twelve-member board to be operated under the auspices of ATIS. Press Release, ATIS, Secure Telephone Identity Governance Authority Launched in Major Industry Effort to Combat Unwanted Robocalling (Sept. 9, 2018), https://sites.atis.org/insights/secure-telephone-identity-governance-authority-launched-in-major-industry-effort-to-combat-unwanted-robocalling. If the Governance Authority Board votes to revoke the token, the decision is transmitted to the affected voice service provider, the complainant, and the Policy Administrator. STI-GA Policy Decisions, Policy Decision 003: SPC Token Revocation Policy at 75. The Policy Administrator then will execute the token revocation by deactivating the voice service provider’s account and notifying all Certification Authorities to stop assigning new certificates to the voice service provider. Id. 9. The aggrieved voice service provider may appeal an adverse decision by the Governance Authority Board through a formal appeal process outlined in the Governance Authority’s Operating Procedures. See STI-GA Operating Procedures at 8-9, sec. XI.2. See also STI-GA Policy Decisions Binder, Policy Decision 004: SPC Token Reinstatement Policy at 78. In addition to the Governance Authority Board reviewing the complaint and issuing a written response, the formal appeal process includes the potential for a hearing before an independent panel of three individuals. See STI-GA Operating Procedures at 8-9. For hearings conducted as a part of the formal complaint process, the three panelists must not have been directly involved in the matter and “will not be materially or directly affected by any decision made or to be made in the dispute.” Id. at 9. And out of the three panelists, at least two must be acceptable to the appealing party and at least two must be acceptable to the responding party. Id. Following a hearing, the appeal panel issues a written decision stating its findings of fact, conclusions, and the reasoning for its conclusions. See id. at 9. If a voice service provider loses the appeal, or chooses not to appeal, it may seek reinstatement to the STIR/SHAKEN ecosystem if the Governance Authority approves of its plan of action to remedy the issue or issues underlying the token revocation. See STI-GA Policy Decisions Binder, Policy Decision 004: SPC Token Reinstatement Policy at 78. The Commission is aware of the timing discrepancy between the appeal process as described in the Reinstatement Policy and the STI-GA Operating Procedures, and we encourage the STI-GA to further clarify the timing for each. See Id.; STI-GA Operating Procedures, part XI, section 2. 10. On January 14, 2021, the Commission released a Second Caller ID Authentication Further Notice of Proposed Rulemaking proposing and seeking comment on establishing an oversight role for the Commission to oversee token revocation decisions made by the Governance Authority. Second Caller ID Authentication Further Notice, 36 FCC Rcd at 689, para. 10. The Commission specifically proposed adopting an appeal process similar to our process for reviewing decisions by the Universal Service Administrative Company (USAC). Id. All commenters in the docket generally supported the proposal to establish such a role for the Commission. See Comments of the Alliance for Telecommunications Industry Solutions (ATIS), WC Docket No. 17-97, at 1 (rec. Mar. 19, 2021) (filed on behalf of the STI-GA Board) (STI-GA Board Comments); Comments of INCOMPAS, WC Docket No. 17-97, at 1 (rec. Mar. 19, 2021) (INCOMPAS Comments); Comments of Voice on the Net Coalition, WC Docket No. 17-97, at 1, (rec. Mar. 19, 2021) (VON Comments); Reply Comments of NCTA—The Internet & Television Association, WC Docket No. 17-97, at 1 (rec. Apr. 30, 2021) (NCTA Reply); Reply Comments of USTelecom—The Broadband Association, WC Docket No. 17-97, at 1 (rec. Mar. 30, 2021) (USTelecom Reply). The Governance Authority Board states that “[g]iven the impact token revocation decisions will have on providers’ abilities to comply with the Commission’s call authentication rules, it is appropriate that the Commission should have a role in reviewing these decisions.” STI-GA Board Comments at 3. INCOMPAS “supports an oversight role for the agency in the certificate revocation process” INCOMPAS Comments at 1. while VON “recognizes the benefits to all stakeholders” from such a role, VON Comments at 1. and USTelecom states “the Commission has a critical role in reviewing any [Governance Authority] revocation decisions.” USTelecom Reply at 1. III. DISCUSSION 11. After reviewing the record, we conclude that the Commission should have an oversight role and therefore establish a review process of the Governance Authority’s token revocation decisions. We do so to provide proper due process for voice service providers aggrieved by Governance Authority token revocation decisions and to “ensure that the STIR/SHAKEN ecosystem remains robust.” NCTA Reply at 2. We detail the specific appeals process we adopt below. As we explain, we largely adopt the proposals in the Second Caller ID Authentication Further Notice. We deviate from those proposals in several respects, however, such as by requiring parties seeking review of a Governance Authority decision to file their requests for review in a dedicated public docket in the Commission’s Electronic Comment Filing System (ECFS) and by directing the Wireline Competition Bureau (Bureau) to review all appeals in the first instance. As we explain below, we make these changes from our initial proposals because we find doing so will facilitate efficient review based on a full record. A. Appeals Process and Requirements 12. Exhaustion of Governance Authority Appeals Process Required. We will require parties seeking review by the Bureau to first exhaust the Governance Authority appeal process, including completing the Governance Authority’s formal appeal process. See supra para. 9; see also STI-GA Operating Procedures at 8-9, sec. XI.2. In the Second Caller ID Authentication Further Notice, the Commission proposed to require exhaustion of the Governance Authority’s process before accepting appeals, stating that such a requirement would “enable the dispute to fully develop before potentially reaching the Commission, thereby making it easier for the Commission to identify the relevant facts and issues.” Second Caller ID Authentication Further Notice, 36 FCC Rcd at 689, para. 11. All commenters addressing the issue support this proposal. VON Comments at 3; USTelecom Reply at 6. We agree with USTelecom that “[r]equiring exhaustion of the [Governance Authority] process will ensure that the [Governance Authority] can complete its process and render an independent decision before the FCC intervenes.” USTelecom Reply at 6. Doing so will ensure that only “serious challenges” will end up in front of the Commission, and will avoid wasting Commission resources by preventing us from “duplicating efforts and expending resources to develop the same facts [as the Governance Authority].” Id. As VON notes, requiring exhaustion of the Governance Authority’s process will “resolve a large majority of complaints without Commission action” ensuring the Commission does not waste time on issues that can be properly resolved by the Governance Authority. VON Comments at 3. 13. Parties Permitted to Seek Review. We establish that any voice service provider aggrieved by a Governance Authority decision to revoke that provider’s token may seek review by the Bureau after exhausting the appeals process established by the Governance Authority. We only allow appeals by the aggrieved party that suffered the token revocation, and not another party on its behalf, to ensure efficient use of limited Commission resources and provide finality and certainty for affected parties seeking an appeal. Third parties, including the Governance Authority, may participate to the extent that they may file oppositions and replies. This procedure mirrors the process in Universal Service appeals, where only the aggrieved party may appeal a USAC decision and other interested third parties may participate by filing oppositions and replies as appropriate, as well as supportive filings. See 47 CFR §§ 54.719, 54.720(d). We find that this approach—in addition to being consistent with the well-established process for USAC appeals—best balances competing arguments in the record. VON argues that voice service providers that rely on a delegated certification from a token holder should also be allowed to participate in the appeal as “intervenors” or have “interested party status.” VON Comments at 2 (“These entities should be provided an intervenor, or interested party status, as their participation in the process would provide the FCC with a more complete picture of the ramifications of its decision and enable it to offer explicit, temporary relief from enforcement as the affected service provider seeks another token holder, should that be necessary.”). VON states that some voice service providers “required to participate in the STIR/SHAKEN ecosystem may not obtain their own certificates and may instead rely on delegated certification from a token-holder.” Id. See Second Caller ID Authentication Report and Order, 36 FCC Rcd at 1882, para. 50 (“it is impossible for a service provider to participate in STIR/SHAKEN without access to the required certificate and [] some voice service providers are unable to obtain a certificate at this time[.]”). Therefore, it asserts, “revoking a token would not just result in potential injury to the token-holder, but also to any other service provider that relies on the token-holder’s continued authorization.” VON Comments at 2. We disagree that voice service providers that rely on delegated tokens should be accorded special status because allowing them to participate in the appeal as interested parties “is not likely to give them the relief they need if the token holder is abusing its token.” USTelecom Reply at 7. Furthermore, the impact to a voice service provider with a delegated token is irrelevant as to whether the token holder acted in violation of rules such that token revocation is appropriate. USTelecom, in contrast with VON, argues that “[o]nly the token holders should participate in the appeal process.” Id. To the extent USTelecom is arguing that third parties should not be able to participate in an appeal in any capacity, we disagree; we see no compelling reason to diverge with our standard procedures and not allow third parties, including voice service providers that rely on delegated tokens, to file oppositions and replies. 14. We note that any voice service provider that relies on a delegated token from another entity may seek a waiver of our STIR/SHAKEN rules for a limited time period if the token it relies upon is revoked. See Id. Generally, the Commission’s rules may be waived if good cause is shown. 47 CFR § 1.3. The Commission “may exercise its discretion to waive a rule “only if special circumstances warrant a deviation from the general rule” and “the particular facts make strict compliance inconsistent with the public interest.” Northeast Cellular Telephone Co. v. FCC, 897 F.2d 1164, 1166 (D.C. Cir. 1990) (Northeast Cellular). In addition, the Commission may “take into account considerations of hardship, equity, or more effective implementation of overall policy on an individual basis.” WAIT Radio v. FCC, 418 F.2d 1153, 1159 (D.C. Cir. 1969). Waiver of the Commission’s rules is appropriate only if both (i) special circumstances warrant a deviation from the general rule, and (ii) such deviation will better serve the public interest. NetworkIP, LLC v. FCC, 548 F.3d 116, 125-128 (D.C. Cir. 2008); Northeast Cellular, 897 F.2d at 1166. We agree with USTelecom that in typical cases, a 90-day waiver period, from the date the Governance Authority revokes a provider’s token in the first instance, See supra para 9. should give a voice service provider sufficient time to transfer its delegated token to a new partner and continue to participate in the STIR/SHAKEN framework. USTelecom Reply at 7. This time period balances the need for an affected voice service provider to have adequate time to receive another certificate with the public interest of broad STIR/SHAKEN participation. However, affected providers are free to request a different waiver period accompanied by an explanation of good cause for such a time period. We direct the Bureau to rule on all such waiver requests. Review of waivers of Commission rules is consistent with the Bureau’s authority and will ensure waiver requests are reviewed in a timely and efficient manner to maintain the efficacy of the STIR/SHAKEN ecosystem. 47 CFR § 0.91(b). 15. Filing Deadlines. We establish that aggrieved providers have 60 days to seek Bureau review after the Governance Authority upholds its adverse token revocation decision. Second Caller ID Authentication Further Notice, 36 FCC Rcd at 689, para. 12. Specifically, a voice service provider requesting Bureau review of a Governance Authority decision to revoke that voice service provider’s token shall file such a request electronically in ECFS within 60 days from the date the Governance Authority upholds its token revocation decision. Sixty days will provide sufficient time to an aggrieved voice service provider to receive notice and file a request for review and is equivalent to the time given parties in our Universal Service appeals process. 47 CFR § 54.720(a). The only commenter to address this issue, INCOMPAS, opposed our proposal and suggested we give aggrieved voice service providers 30 days to request review instead of 60 days in order to expedite the review process because “[r]evoking a voice service provider’s access to SPC tokens will have significant repercussions for the provider and its customers.” INCOMPAS Comments at 3. We disagree with INCOMPAS’s proposed shorter deadline. Because of the importance of the token to our STIR/SHAKEN rules we want to ensure providers have sufficient time to request review of any token revocation. Thirty days may not give affected voice service providers enough time to receive notice of the Governance Authority decision and then to prepare and file a request for review with the Bureau. We note that the 60-day deadline does not prevent providers from filing appeals sooner to expedite a review. We also note that 60 days is the same timeframe provided for in our Universal Service appeal process. See 47 CFR § 54.720(a). 16. We also establish that any commenters shall adhere to the time periods for filing oppositions and replies as set forth in section 1.45 of our rules. Second Caller ID Authentication Further Notice, 36 FCC Rcd at 689, para. 12; 47 CFR § 1.45. This follows the procedure in our USAC appeals process and was unopposed in the record. 17. We establish a 180-day “shot clock” for the Bureau’s review period, similar to the procedure used in our pole access complaint resolution proceedings. See 47 CFR § 1.1414(a); Accelerating Wireline Broadband Deployment by Removing Barriers to Infrastructure Investment, WC Docket No. 17-84, Report and Order, Declaratory Ruling, and Further Notice of Proposed Rulemaking, 32 FCC Rcd 11128, 11132, para. 9 (2017) (Pole Access Complaint Order). One hundred eighty days will typically be sufficient time for staff to complete reviews even if they present novel and potentially complex factual issues, and for staff to have time to present follow-up questions to the appealing party or the Governance Authority if necessary, while also ensuring parties can set expectations for when the review will be completed. As with pole access complaints, we expect the Bureau to meet the shot clock “except in extraordinary circumstances.” Pole Access Complaint Order, 32 FCC Rcd at 11132, para. 9. 18. The record support in favor of establishing a specific time limit for the Bureau’s review persuades us to deviate from our proposal not to impose such a limit. Second Caller ID Authentication Further Notice, 36 FCC Rcd at 690, para. 14. VON argues we should impose a time limit on Bureau review “since revocation of a token can substantially impact a provider’s business.” VON Comments at 4. INCOMPAS suggests the Commission adopt a 30-day time limit for the Bureau to complete its review, arguing that speedy resolution is necessary because it “will give impacted voice service providers and their customers the information and clarity they need to make plans beyond the Commission’s review.” INCOMPAS Comments at 4; see also letter from Christopher L. Shipley, Attorney & Policy Advisor, INCOMPAS, to Marlene Dortch, Secretary, FCC, WC Docket No.17-97, at 1 (filed July 28, 2021). And the Governance Authority Board states, “it is important that the Commission conclude its review and issue a decision as quickly as reasonably possible.” STI-GA Board Comments at 3; see also USTelecom Reply at 7 n.28 (“The Commission also should commit to an expedited review of STI-GA token revocation decisions.”). Nonetheless, while we agree with these commenters that prompt review is important, we disagree with INCOMPAS that the review period should be 30 days. INCOMPAS does not explain how the Bureau can adequately account for the potential novel and complex factual issues each appeal could raise in 30 days. Second Caller ID Authentication Further Notice, 36 FCC Rcd at 690, para. 14. Instead, we think a 180-day period is sufficient to ensure that the Bureau has time to render a carefully considered review for each appeal while also ensuring the review is completed in a timely and reasonable manner. And if an appeal were not to pose novel or complex issues, we think it could be completed well before 180 days. 19. We establish that the shot clock will start when the request for review is filed in ECFS. This procedure is identical to the one used in our pole access complaint proceedings and will ensure the Bureau and all parties are on notice of when the shot clock begins counting down in order to set expectations of when the review will be completed. See 47 CFR § 1.1414(a); Pole Access Complaint Order, 32 FCC Rcd at 11133, para. 11. We also establish that the Bureau will have discretion to pause the 180-day review period when actions outside the Bureau’s control delay the Bureau’s review. For example, the Bureau may pause the shot clock if parties need additional time to provide key information requested by the Bureau. The Bureau will resume the shot clock when the cause for pausing the shot clock has been resolved. We direct the Bureau to provide written notice of any pause in the shot clock, as well as when the shot clock is resumed. This procedure similarly draws from the one we use in pole access complaint review and will ensure the Bureau has adequate time to complete its review if faced with delays outside its control and that all parties are duly informed whenever the shot clock is paused or resumed. See 47 CFR § 1.1414(a); Pole Access Complaint Order, 32 FCC Rcd at 11133-34, para. 12. 20. Filing Requirements. We establish that requests for review shall be filed electronically in WC Docket No. 21-291, Appeals of the STIR/SHAKEN Governance Authority Token Revocation Decisions, in ECFS. Second Caller ID Authentication Further Notice, 36 FCC Rcd at 689, para. 13. The request for review shall be captioned “In the matter of Request for Review by (name of party seeking review) of Decision of the Governance Authority to Revoke an SPC Token.” The request for review shall contain (1) a statement setting forth the voice service provider’s asserted basis for appealing the Governance Authority’s decision to revoke the token; (2) a full statement of relevant, material facts with supporting affidavits and documentation, including any background information the voice service provider deems useful to the Bureau’s review; and (3) the question presented for review, with reference, where appropriate, to any underlying Commission rule or Governance Authority policy. Id. Moreover, we establish that requests for review need not include a statement of the relief sought. We assume that the relief sought will always be the reversal of the Governance Authority’s revocation decision. Id. at 690, para. 13. We establish that the party seeking review shall send a copy of the request for review to the Governance Authority via sti-ga@atis.org or another method specified in the Governance Authority’s Operating Procedures. Id. Filers may request confidential treatment for filings pursuant to section 0.459 of our rules. 47 CFR § 0.459. Due to the ongoing COVID-19 pandemic, until further notice filers should follow the Commission’s directions regarding submitting confidential information. See FCC Provides Further Instructions Regarding Submissions of Confidential Materials¸ Public Notice, DA 20-5361 (Mar 31, 2020). These proposals were all unopposed in the record. In the Second Further Notice we proposed that filers would submit requests for review to the Commission’s non-docketed inbox where they would not be viewable by the public. Second Caller ID Authentication Further Notice, 36 FCC Rcd at 689, para. 13. We deviate from this proposal and require filers to submit their requests to ECFS in order to allow public notice and opportunity to comment by third parties. 21. Governance Authority Record. We encourage the Governance Authority to submit to the Bureau the full record of a token revocation appeal within five days of receiving notice of a voice service provider’s request for Bureau review. Id. We ask the Governance Authority to file the record materials in WC Docket No. 21-291, Appeals of the STIR/SHAKEN Governance Authority Token Revocation Decisions, in ECFS. Governance Authority submission of such materials to the Bureau will “increase efficiency and fairness” of the Bureau’s review process. VON Comments at 4. The full record should include, as suggested by the Governance Authority Board, “the completed SPC token Complaint Submission Form, the notice of complaint that was sent to the [Governance Authority] Board, written responses from the provider at issue, the final written decision of the [Governance Authority] Board, any materials provided by the service provider as part of an appeal of the decision under the [Governance Authority] Operating Procedures, as well as the written decision by the [Governance Authority] Board regarding the appeal.” STI-GA Board Comments at 4. We agree with the Governance Authority Board that it does not need to submit drafts of the required documents or Board discussions to protect the confidentiality of its internal deliberations. Id. We also recognize the Governance Authority Board’s concern that the materials submitted by the Governance Authority Board merit confidential treatment and should be treated as such because they are likely to contain privileged or confidential “provider-specific” commercial information. Id. VON and USTelecom also commented in favor of confidential treatment of Governance Authority material submitted to the Commission. VON Comments at 4 n.14; USTelecom Reply at 7-9. see also 5 U.S.C. § 552(b)(4). Accordingly, the Governance Authority may request confidential treatment for its submissions pursuant to section 0.459 of our rules. As set forth in our rules, the Governance Authority Board would need to identify the specific information for which it is requesting confidential treatment. 47 CFR § 0.459(b)(1). The Governance Authority Board also would need to submit a version of the filing that can be made public with the confidential material redacted. 47 CFR § 0.459(a). We encourage the Governance Authority Board to work with the voice service provider seeking review to determine which information is confidential or to put procedures in place that will require voice service providers to identify confidential information when submitting information to the Governance Authority Board and to identify any categories of internal documents it considers confidential. 22. We do not expect the Governance Authority to submit a statement in opposition to the request for review. We will rely “on the entirety of the record developed” by the Governance Authority during its review process and will “only engage the [Governance Authority] in an appeal to the extent necessary to understand [Governance Authority’s] policies and procedures and the [Governance Authority’s] interpretations of them.” USTelecom Reply at 7-8. USTelecom argues that “[r]equiring the [Governance Authority] to file a statement in opposition to the FCC review request would needlessly make the [Governance Authority] a party to the proceeding rather than a neutral, independent arbiter in its own right.” Id. at 8. USTelecom also notes that in the USAC appeals process “USAC does not file a statement in opposition to the review request.” Id. We agree with USTelecom that the Governance Authority should remain a neutral party in the appeals process. However, we do not affirmatively prohibit the Governance Authority from participating beyond submission of the record should it find it appropriate to do so. 23. Wireline Competition Bureau Review. We establish that the Wireline Competition Bureau will review and issue decisions in the first instance in all appeals of decisions from the Governance Authority. In the Second Caller ID Authentication Further Notice the Commission proposed that the Bureau would review all appeals with one exception: the Commission would review appeals that presented “novel questions of fact, law, or policy.” Second Caller ID Authentication Further Notice, 36 FCC Rcd at 689, para. 10. That approach followed our USAC appeals procedure. See 47 CFR § 54.772(a). We deviate from our USAC appeals procedure because, after further consideration, we expect most, if not all, appeals to present fact-specific and technically complicated issues; the Bureau is best situated to review such appeals in the first instance in a speedy manner. Accordingly, we direct the Bureau to review all requests for review in the first instance, 47 CFR § 0.91. with applications for review to the Commission available after the Bureau issues a final decision. 47 CFR § 1.115. We direct the Bureau to ensure its decisions maintain the integrity and efficacy of the STIR/SHAKEN ecosystem to protect the public from unlawfully spoofed calls and unlawful robocalls. By directing the Bureau to review all appeals in the first instance we ensure voice service providers receive speedy resolution of their disputes by agency experts and those voice service providers whose tokens are determined to be rightfully revoked are promptly required to update their Robocall Mitigation Database certifications. See 47 CFR § 64.6305. We reiterate that, as with any decision adopted on delegated authority, an affected party may seek review by the full Commission of a decision issued by the Bureau, thus ensuring Commission oversight of all decision-making and availability to any interested party. 47 CFR § 1.115. No party addressed the appropriate scope of review by the Bureau in the record. 24. Standard of Review. We establish that the standard of review by the Bureau will be de novo. Second Caller ID Authentication Further Notice, 36 FCC Rcd at 690, para. 15. Specifically, we direct the Bureau to conduct de novo review of Governance Authority decisions to revoke a voice service provider’s token. We agree with the Governance Authority Board that de novo review “will allow the Commission to independently verify the [Governance Authority] Board’s decisions and better ensure that the SHAKEN ecosystem continues to operate in a fair and equitable manner.” STI-GA Board Comments at 3. Such an approach also avoids the concern expressed by VON that “anything more deferential than de novo review would inevitably result in [Governance Authority] decisions receiving precedential treatment, and would turn the STI-GA into a de facto policymaking body in place of the FCC.” VON Comments at 3. A de novo standard of review was unopposed in the record and commenters all agreed a de novo standard is appropriate. See USTelecom Reply at 8 (“the FCC can review the STI-GA’s written decision, . . . and it should do so under a de novo standard of review to ensure proper due process.”); INCOMPAS Comments at 4 (“INCOMPAS supports the Commission’s proposal to apply a de novo standard when reviewing a revocation.”); STI-GA Board Comments at 3 (“The STI-GA Board supports the Commission’s recommendation that it should perform a de novo review of these decisions.”); NCTA Reply at 2 (“NCTA . . . therefore supports the Commission’s proposal to conduct de novo review of token revocation decisions”). 25. Status During Pendency of Appeals. We adopt a new rule establishing that throughout the review period, starting from when the Governance Authority revokes a voice service provider’s token and including the duration of the Governance Authority’s formal appeals process, See STI-GA Operating Procedures at 8-9, sec. XI.2. until the Bureau issues a decision on the appeal, a voice service provider will not be judged to be in violation of the Commission’s STIR/SHAKEN rules as a result of the revocation. Second Caller ID Authentication Further Notice, 36 FCC Rcd at 690, para. 14. We agree with USTelecom that it would be unreasonable for the agency to judge a voice service provider as noncompliant during the pendency of an appeal before it evaluates a revocation decision. USTelecom Reply at 6, n.28. USTelecom and NCTA supported this proposal. NCTA Reply at 2; USTelecom Reply at 6, n.28. We find it necessary to satisfy due process for a party to have the opportunity to appeal the decision of the private Governance Authority and, if it appeals, to obtain a decision by the Bureau before being judged noncompliant. VON argues that we also not judge “delegated certificate customers” of a voice service provider that has its token revoked noncompliant during the pendency of an appeal. Letter from Glenn S. Richards, Counsel, VON, to Marlene H. Dortch, Secretary, FCC, WC Docket No. 17-97, at 1 (filed July 29, 2021). We disagree with VON. Establishing that a voice service provider that relies on a delegated token not be judged in violation of our rules during the pendency of an appeal would be redundant because such a provider may seek a waiver of our rules if the token it relies upon is revoked. See supra para. 14. 26. More specifically, we clarify that a provider subject to a revocation will not be in violation of our STIR/SHAKEN rules as a result of the revocation during (1) the time period in which it may file an appeal to the Governance Authority; See STI-GA Operating Procedures at 8-9, sec. XI.2. (2) the pendency of any appeal before the Governance Authority; (3) the time period in which it may file an appeal to the Bureau; and (4) if it files an appeal with the Bureau, until the Bureau releases a final decision regarding the appeal. Should the Bureau uphold or otherwise decide not to overturn the Governance Authority’s decision, an aggrieved voice service provider may file a petition for reconsideration or application for review within the time periods permitted by our rules, but such filing will not protect the provider from a finding of noncompliance while the petition or application is pending. The exclusion from liability applies specifically to rule 64.6301, which requires implementation of STIR/SHAKEN. In addition, because a voice service provider that has been aggrieved by an adverse Governance Authority service token revocation decision is not considered in violation of 64.6301 during the pendency of its appeal to the Bureau, it will not need to submit an amended filing to the Robocall Mitigation Database until its window to appeal to the Governance Authority or the Bureau lapses or, if it appeals, until the Bureau issues a final decision regarding its appeal. 47 CFR § 64.6305(b)(5). Specifically, while a voice service provider has the opportunity to appeal and while a filed appeal is pending, the voice service provider will not be judged in violation of the requirement to file an updated filing within 10 business days of any change to the information it must provide to the Commission pursuant to section 64.6305 of our rules. See 47 CFR § 64.6305(b)(2)-(4). After the Bureau issues its decision, the voice service provider must update its Robocall Mitigation Database filing within 10 business days, if necessary. If the Bureau upholds a token revocation decision, the affected provider will be in violation of the section 64.6301(a) requirement to participate in STIR/SHAKEN because, without a token, the provider will not be able to authenticate calls it originates consistent with the STIR/SHAKEN standards. See 47 CFR § 64.6301(a). A voice service provider that has its token revoked will not be eligible for the extension for voice service providers that cannot obtain a SPC token. See 47 CFR § 64.6304(b). The Commission established the extension for voice service providers for whom it is unfeasible to obtain a token in the first instance under the Governance Authority’s Token Access Policy, not for providers that are subject to token revocation. See Second Caller ID Authentication Report and Order, 36 FCC Rcd at 1881-82, para. 50. 27. In the Second Caller ID Authentication Further Notice, the Commission proposed that a voice service provider would not be judged in violation of the TRACED Act during the pendency of an appeal. Second Caller ID Authentication Further Notice, 36 FCC Rcd at 690, para. 14. We decline to adopt this proposal. The TRACED Act contains no STIR/SHAKEN implementation obligation for voice service providers; rather it directs the Commission to require voice service providers to implement STIR/SHAKEN. See TRACED Act § 4(b)(1)(A). There is therefore no need to establish that voice providers will not be judged in violation of the TRACED Act during the pendency of an appeal. 28. We conclude that after revocation by the Governance Authority, a voice service provider may not maintain possession and use of its token regardless of whether it files an appeal to the Bureau. In effect, this means that although a voice service provider will not be judged in violation of our rules it will not be able to continue to exchange STIR/SHAKEN-authenticated traffic during the pendency of an appeal. The only commenter to address the subject supports the approach we adopt, and we agree that we do not want to create an incentive for bad-actor voice service providers to appeal the Governance Authority decision for the sole purpose of delaying revocation of their tokens. USTelecom Reply at 6 (“The STI-GA process is designed to be expedient and thorough to ensure that the ecosystem and consumers are protected while also affording a provider a fair opportunity before its token is revoked. Given the depth of the STI-GA process already, the Commission should not create an opportunity for a bad actor provider to delay and cause further damage to the ecosystem of an inappropriately-held token.”). For the same reason, should the Bureau uphold or otherwise decide not to overturn the Governance Authority’s decision, a voice service provider will not regain the right to use its token by filing a petition for reconsideration or application for review. This proposal was unopposed in the record. Second Caller ID Authentication Further Notice, 36 FCC Rcd at 690, para. 14. B. Legal Authority 29. We conclude that section 4(b)(1) of the TRACED Act grants us authority to establish an oversight role for the Commission to review token revocation decisions made by the Governance Authority. Section 4(b)(1) directs the Commission to require the implementation of the STIR/SHAKEN framework. TRACED Act § 4(b)(1). Establishing an oversight role for the Commission is consistent with the TRACED Act’s caller ID authentication implementation mandate because it will make revocation decisions by the Governance Authority that have the effect of putting entities outside of our STIR/SHAKEN implementation rules reviewable by the Commission. See VON Comments at 3. We also conclude we have authority to establish an oversight role for the Commission under section 251(e) of the Communications Act of 1934, as amended. 47 U.S.C. § 251(e). Section 251(e) grants the Commission exclusive jurisdiction over North American Numbering Plan resources in the United States and, within that broad grant, provides us with authority to mandate caller ID authentication. Id.; see First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3260-61, para. 42. We find that section 251(e) grants us the corresponding authority to review decisions that have the impact of preventing a voice service provider from complying with our caller ID authentication rules. No party opposed our assertion of legal authority. IV. PROCEDURAL MATTERS 30. Final Regulatory Flexibility Analysis. As required by the Regulatory Flexibility Act of 1980 (RFA), See 5 U.S.C. § 603. an Initial Regulatory Flexibility Analysis (IRFA) was incorporated in the Second Caller ID Authentication Further Notice of Proposed Rulemaking. Second Caller ID Authentication Further Notice, 36 FCC Rcd at 696-704, Appx. B. The Commission sought written public comment on the possible significant economic impact on small entities regarding proposals addressed in the Second Caller ID Authentication Further Notice of Proposed Rulemaking, including comments on the IRFA. Id. at 692, para. 19. Pursuant to the RFA, a Final Regulatory Flexibility Analysis is set forth in Appendix B. The Commission’s Consumer and Governmental Affairs Bureau, Reference Information Center, will send a copy of this Third Report and Order, including the FRFA, to the Chief Counsel for Advocacy of the Small Business Administration (SBA). See 5 U.S.C. § 603(a). 31. Paperwork Reduction Act. This document contains new or modified information collection requirements subject to the Paperwork Reduction Act of 1995 (PRA), Public Law 104-13. These requirements have been reviewed and approved by the Office of Management and Budget (OMB) pursuant to 44 U.S.C. § 3507(d). The new information collection requirements were preapproved by the Office of Management and Budget under OMB Control No. 3060-1287 on June 3, 2021. In addition, we note that pursuant to the Small Business Paperwork Relief Act of 2002, Public Law 107-198, we previously sought comment on how the Commission might further reduce the information collection burden for small business concerns with fewer than 25 employees. See 44 U.S.C. § 3506(c)(4). This document also contains non-substantive modifications to the approved information collection. These modifications will be submitted to OMB for review and approval pursuant to OMB’s non-substantive change process. 32. Congressional Review Act. The Commission has determined, and the Administrator of the Office of Information and Regulatory Affairs, Office of Management and Budget, concurs, that this rule is “non-major” under the Congressional Review Act, 5 U.S.C. § 804(2). The Commission will send a copy of this Third Report and Order to Congress and the Government Accountability Office pursuant to 5 U.S.C. § 801(a)(1)(A). 33. Contact Person. For further information about the Third Report and Order, contact Alexander Hobbs, Attorney Advisor, Competition Policy Division, Wireline Competition Bureau, at (202) 418-7433 or Alexander.Hobbs@fcc.gov. V. ORDERING CLAUSES 34. Accordingly, IT IS ORDERED, pursuant to sections 4(i), 4(j), 201(b), 227b, 251(e), and 303(r) of the Communications Act of 1934, as amended, 47 U.S.C. §§ 154(i), 154(j), 201(b) 227b, 251(e), and 303(r), that this Third Report and Order IS ADOPTED. 35. IT IS FURTHER ORDERED that Parts 0 and 64 of the Commission’s rules ARE AMENDED as set forth in Appendix A, and that, pursuant to sections 1.4(b)(1) and 1.103(a) of the Commission’s rules, 47 CFR §§ 1.4(b)(1), 1.103(a), this Third Report and Order SHALL BE EFFECTIVE 30 days after publication of this Third Report and Order in the Federal Register, which will occur after the Commission receives OMB approval of the non-substantive changes contained herein. 36. IT IS FURTHER ORDERED that the Commission SHALL SEND a copy of this Third Report and Order to Congress and to the Government Accountability Office pursuant to the Congressional Review Act, see 5 U.S.C. § 801(a)(1)(A). 37. IT IS FURTHER ORDERED that the Commission’s Consumer and Governmental Affairs Bureau, Reference Information Center, SHALL SEND a copy of this Third Report and Order, including the Final Regulatory Flexibility Analysis (FRFA), to the Chief Counsel for Advocacy of the Small Business Administration. FEDERAL COMMUNICATIONS COMMISSION Marlene H. Dortch Secretary 2 APPENDIX A Final Rules The Federal Communications Commission amends part 0 of Title 47 of the Code of Federal Regulations as follows: PART 0 – COMMISSION ORGANIZATION * * * * * 1. Amend Subpart A by revising section 0.91 to add paragraph (r) to read as follows: * * * * * (r) Review and resolve appeals of decisions by the STIR/SHAKEN authentication framework Governance Authority (as those terms are defined in § 64.6300 of this chapter) in accordance with § 64.6308 of this chapter. The Federal Communications Commission amends part 64 of Title 47 of the Code of Federal Regulations as follows: PART 64 – MISCELLANEOUS RULES RELATING TO COMMON CARRIERS * * * * * 1. Amend section 64.6305 to add paragraphs (b)(5)(i) and (ii) to read as follows: § 64.6305 Robocall mitigation and certification. * * * * * (b) * * * (5) * * * (i) A voice service provider or intermediate provider that has been aggrieved by a Governance Authority decision to revoke that voice service provider’s or intermediate provider’s SPC token need not update its filing on the basis of that revocation until the sixty (60) day period to request Commission review, following completion of the Governance Authority’s formal review process, pursuant to §64.6308(b)(1) expires or, if the aggrieved voice service provider or intermediate provider files an appeal, until ten business days after the Wireline Competition Bureau releases a final decision pursuant to §64.6308(d)(1). (ii) If a voice service provider or intermediate provider elects not to file a formal appeal of the Governance Authority decision to revoke that voice service provider’s or intermediate provider’s SPC token, the provider need not update its filing on the basis of that revocation until the thirty (30) day period to file a formal appeal with the Governance Authority Board expires. * * * * * 2. Amend Subpart HH by adding section 64.6308 to read as follows: § 64.6308 Review of Governance Authority Decision to Revoke an SPC Token (a) Parties permitted to seek review of Governance Authority decision. (1) Any voice service provider or intermediate provider aggrieved by a Governance Authority decision to revoke that voice service provider’s or intermediate provider’s SPC token, must seek review from the Governance Authority and complete the appeals process established by the Governance Authority prior to seeking Commission review. (2) Any voice service provider or intermediate provider aggrieved by an action to revoke its SPC token taken by the Governance Authority, after exhausting the appeals process provided by the Governance Authority, may then seek review from the Commission, as set forth in this section. (b) Filing deadlines. (1) A voice service provider or intermediate provider requesting Commission review of a Governance Authority decision to revoke that voice service provider’s or intermediate provider’s SPC token by the Commission, shall file such a request electronically in the Electronic Comment Filing System (ECFS) in WC Docket No. 21-291, Appeals of the STIR/SHAKEN Governance Authority Token Revocation Decisions within sixty (60) days from the date the Governance Authority upholds it token revocation decision. (2) Parties shall adhere to the time periods for filing oppositions and replies set forth in § 1.45. (c) Filing requirements. (1) A request for review of a Governance Authority decision to revoke a voice service provider’s or intermediate provider’s SPC token by the Commission shall be filed in WC Docket No. 21-291, Appeals of the STIR/SHAKEN Governance Authority Token Revocation Decisions, in the Electronic Comment Filing System (ECFS). The request for review shall be captioned “In the matter of Request for Review by (name of party seeking review) of Decision of the Governance Authority to Revoke an SPC Token.” (2) A request for review shall contain: (i) A statement setting forth the voice service provider’s or intermediate provider’s asserted basis for appealing the Governance Authority’s decision to revoke the SPC token; (ii) A full statement of relevant, material facts with supporting affidavits and documentation, including any background information the voice service provider or intermediate provider deems useful to the Commission’s review; and (iii) The question presented for review, with reference, where appropriate, to any underlying Commission rule or Governance Authority policy. (3) A copy of a request for review that is submitted to the Commission shall be served on the Governance Authority by the voice service provider requesting Commission review via sti-ga@atis.org or in accordance with any alternative delivery mechanism the Governance Authority may establish in its operating procedures. (d) Review by the Wireline Competition Bureau. (1) Except in extraordinary circumstances, final action on a request for review of a Governance Authority decision to revoke a voice service provider’s or intermediate provider’s SPC token should be expected no later than 180 days from the date the request for review is filed in the Electronic Comment Filing System (ECFS) pursuant to § 64.6308(b)(1). The Wireline Competition Bureau shall have the discretion to pause the 180-day review period in situations where actions outside the Wireline Competition Bureau's control are responsible for delaying review of a request for review. (2) An affected party may seek review of a decision issued under delegated authority by the Wireline Competition Bureau pursuant to the rules set forth in § 1.115. (e) Standard of review. The Wireline Competition Bureau shall conduct de novo review of Governance Authority decisions to revoke a voice service provider’s or intermediate provider’s SPC token. (f) Status during pendency of a request for review and a Governance Authority decision. (1) A voice service provider or intermediate provider shall not be considered to be in violation of the Commission’s caller ID authentication rules under § 64.6301 after revocation of its SPC token by the Governance Authority until the thirty (30) day period to file a formal appeal with the Governance Authority Board expires, or during the pendency of any formal appeal to the Governance Authority Board. (2) A voice service provider or intermediate provider shall not be considered to be in violation of the Commission’s caller ID authentication rules under § 64.6301 after the Governance Authority Board upholds the Governance Authority’s SPC token revocation decision until the sixty (60) day period to file a request for review with the Commission expires. (3) When a voice service provider or intermediate provider has sought timely Commission review of a Governance Authority decision to revoke a voice service provider’s or intermediate provider’s SPC token under this section, the voice service provider shall not be considered to be in violation of the Commission’s caller ID authentication rules under § 64.6301 until and unless the Wireline Competition Bureau, pursuant to paragraph (d)(1) of this section, has upheld or otherwise decided not to overturn the Governance Authority’s decision. (4) In accordance with §§ 1.102(b) and 1.106(n), the effective date of any action pursuant to paragraph (d) shall not be stayed absent order by the Wireline Competition Bureau or the Commission. Federal Communications Commission FCC 21-93 APPENDIX B Final Regulatory Flexibility Analysis 1. As required by the Regulatory Flexibility Act of 1980, as amended, See 5 U.S.C. § 603. The RFA, see 5 U.S.C. § 601-612, has been amended by the Small Business Regulatory Enforcement Fairness Act of 1996 (SBREFA), Pub. L. No. 104-121, Title II, 110 Stat. 857 (1996). an Initial Regulatory Flexibility Analysis (IRFA) was incorporated into the Second Caller ID Authentication Further Notice of Proposed Rulemaking (Second Caller ID Authentication Further Notice). Call Authentication Trust Anchor, WC Docket No. 17-97, Second Further Notice of Proposed Rulemaking, 36 FCC Rcd 684, 696-704, Appx. B. (2020) (Second Caller ID Authentication Further Notice). The Commission sought written public comments on the proposals in the Second Caller ID Authentication Further Notice, including comments on the IRFA. No comments were filed addressing the IRFA. This present Final Regulatory Flexibility Analysis (FRFA) conforms to the RFA. See 5 U.S.C. § 604. A. Need for, and Objectives of, the Proposed Rules 2. This Third Report and Order continues the Commission’s efforts to combat illegal spoofed robocalls. Specifically, the Third Report and Order establishes an oversight role for the Commission of the STIR/SHAKEN governance system’s token revocation process. See supra, para. 11. Under the adopted procedure, any voice service provider or intermediate provider that has its Service Provider Code (SPC) token revoked may seek review of this decision by the Commission through established procedures. See supra, paras. 12-26. The procedures in the Third Report and Order will help promote effective caller ID authentication through STIR/SHAKEN. B. Legal Basis 3. The Third Report and Order finds authority for these proposed rules under the TRACED Act. See supra, para. 27. Section 4(b)(1) of the TRACED Act provided authority to require the implementation of the STIR/SHAKEN framework. We believe that to effectively direct the implementation of STIR/SHAKEN consistent with the TRACED Act, the Commission must have a role in decisions to revoke Service Provider Code tokens because the result of such a decision could place the service provider in noncompliance with our rules. The Third Report and Order also finds independent authority under section 251(e) of the Communications Act of 1934, as amended (the Act). 47 U.S.C. § 251(e); see supra, para. 27. C. Summary of Significant Issues Raised by Public Comments in Response to the IRFA 4. There were no comments filed that specifically addressed the proposed rules and policies presented in the IRFA. D. Response to Comments by the Chief Counsel for Advocacy of the SBA 5. Pursuant to the Small Business Jobs Act of 2010, which amended the RFA, the Commission is required to respond to any comments filed by the Chief Counsel for Advocacy of the Small Business Administration (SBA), and to provide a detailed statement of any change made to the proposed rules as a result of those comments. 5 U.S.C. § 604(a)(3). 6. The Chief Counsel did not file any comments in response to the proposed rules in this proceeding. E. Description and Estimate of the Number of Small Entities to Which the Proposed Rules Will Apply 7. The RFA directs agencies to provide a description of and, where feasible, an estimate of the number of small entities that may be affected by the proposed rules and by the rule revisions on which the Notice seeks comment, if adopted. See 5 U.S.C. § 603(b)(3). The RFA generally defines the term “small entity” as having the same meaning as the terms “small business,” “small organization,” and “small governmental jurisdiction.” See 5 U.S.C. § 601(6). In addition, the term “small business” has the same meaning as the term “small-business concern” under the Small Business Act. 5 U.S.C. § 601(3) (incorporating by reference the definition of “small-business concern” in the Small Business Act, 15 U.S.C. § 632). Pursuant to 5 U.S.C. § 601(3), the statutory definition of a small business applies “unless an agency, after consultation with the Office of Advocacy of the Small Business Administration and after opportunity for public comment, establishes one or more definitions of such term which are appropriate to the activities of the agency and publishes such definition(s) in the Federal Register.” A “small-business concern” is one which: (1) is independently owned and operated; (2) is not dominant in its field of operation; and (3) satisfies any additional criteria established by the SBA. See 15 U.S.C. § 632. 1. Wireline Carriers 8. Wired Telecommunications Carriers. The U.S. Census Bureau defines this industry as “establishments primarily engaged in operating and/or providing access to transmission facilities and infrastructure that they own and/or lease for the transmission of voice, data, text, sound, and video using wired communications networks. Transmission facilities may be based on a single technology or a combination of technologies. Establishments in this industry use the wired telecommunications network facilities that they operate to provide a variety of services, such as wired telephony services, including VoIP services, wired (cable) audio and video programming distribution, and wired broadband internet services. By exception, establishments providing satellite television distribution services using facilities and infrastructure that they operate are included in this industry.” See U.S. Census Bureau, 2017 NAICS Definition, “517311 Wired Telecommunications Carriers”, https://www.census.gov/cgi-bin/sssd/naics/naicsrch?code=517311&search=2017. The SBA has developed a small business size standard for Wired Telecommunications Carriers, which consists of all such companies having 1,500 or fewer employees. See 13 CFR § 120.201, NAICS Code 517311 (previously 517110). U.S. Census Bureau data for 2012 show that there were 3,117 firms that operated that year. See U.S. Census Bureau, 2012 Economic Census of the United States, Table No. EC1251SSSZ5, Information: Subject Series - Estab & Firm Size: Employment Size of Firms: 2012. NAICS Code 517110. https://factfinder.census.gov/bkmk/table/1.0/en/ECN/2012_US/51SSSZ5//naics~517110. Of this total, 3,083 operated with fewer than 1,000 employees. Id. The largest category provided by the census data is “1000 employees or more” and a more precise estimate for firms with fewer than 1,500 employees is not provided. Thus, under this size standard, the majority of firms in this industry can be considered small. 9. Local Exchange Carriers (LECs). Neither the Commission nor the SBA has developed a size standard for small businesses specifically applicable to local exchange services. The closest applicable NAICS Code category is Wired Telecommunications Carriers. See U.S. Census Bureau, 2017 NAICS Definition, NAICS Code 517311 “Wired Telecommunications Carriers,” , https://www.census.gov/cgi-bin/sssd/naics/naicsrch?code=517311&search=2017. Under the applicable SBA size standard, such a business is small if it has 1,500 or fewer employees. See 13 CFR § 120.201, NAICS Code 517311 (previously 517110). U.S. Census Bureau data for 2012 show that there were 3,117 firms that operated for the entire year. See U.S. Census Bureau, 2012 Economic Census of the United States, Table No. EC1251SSSZ5, Information: Subject Series - Estab & Firm Size: Employment Size of Firms: 2012 NAICS Code 517110. https://factfinder.census.gov/bkmk/table/1.0/en/ECN/2012_US/51SSSZ5//naics~517110. Of that total, 3,083 operated with fewer than 1,000 employees. Id. The largest category provided by the census data is “1000 employees or more” and a more precise estimate for firms with fewer than 1,500 employees is not provided. Thus under this category and the associated size standard, the Commission estimates that the majority of local exchange carriers are small entities. 10. Incumbent LECs. Neither the Commission nor the SBA has developed a small business size standard specifically for incumbent local exchange services. The closest applicable NAICS Code category is Wired Telecommunications Carriers. See, U.S. Census Bureau, 2017 NAICS Definition, NAICS Code 517311 “Wired Telecommunications Carriers,”, https://www.census.gov/cgi-bin/sssd/naics/naicsrch?code=517311&search=2017. Under the applicable SBA size standard, such a business is small if it has 1,500 or fewer employees. See 13 CFR § 121.201, NAICS Code 517311 (previously 517110). U.S. Census Bureau data for 2012 indicate that 3,117 firms operated the entire year. See U.S. Census Bureau, 2012 Economic Census of the United States, Table No. EC1251SSSZ5, Information: Subject Series - Estab & Firm Size: Employment Size of Firms: 2012 (517110 Wired Telecommunications Carriers). https://factfinder.census.gov/bkmk/table/1.0/en/ECN/2012_US/51SSSZ5//naics~517110. Of this total, 3,083 operated with fewer than 1,000 employees. Id. Consequently, the Commission estimates that most providers of incumbent local exchange service are small businesses that may be affected by our actions. According to Commission data, one thousand three hundred and seven (1,307) Incumbent Local Exchange Carriers reported that they were incumbent local exchange service providers. See Trends in Telephone Service, Federal Communications Commission, Wireline Competition Bureau, Industry Analysis and Technology Division at Table 5.3 (Sept. 2010) (Trends in Telephone Service). Of this total, an estimated 1,006 have 1,500 or fewer employees. Id. Thus, using the SBA’s size standard the majority of incumbent LECs can be considered small entities. 11. Competitive Local Exchange Carriers (Competitive LECs), Competitive Access Providers (CAPs), Shared-Tenant Service Providers, and Other Local Service Providers. Neither the Commission nor the SBA has developed a small business size standard specifically for these service providers. The appropriate NAICS Code category is Wired Telecommunications Carriers See U.S. Census Bureau, 2017 NAICS Definition, NAICS Code 517311 “Wired Telecommunications Carriers,”, https://www.census.gov/cgi-bin/sssd/naics/naicsrch?code=517311&search=2017. and under that size standard, such a business is small if it has 1,500 or fewer employees. See 13 CFR § 120.201, NAICS Code 517311 (previously 517110). U.S. Census Bureau data for 2012 indicate that 3,117 firms operated during that year. See U.S. Census Bureau, 2012 Economic Census of the United States, Table No. EC1251SSSZ5, Information: Subject Series - Estab & Firm Size: Employment Size of Firms: 2012, NAICS Code 517110. https://factfinder.census.gov/bkmk/table/1.0/en/ECN/2012_US/51SSSZ5//naics~517110. Of that number, 3,083 operated with fewer than 1,000 employees. Id. The largest category provided by the census data is “1000 employees or more” and a more precise estimate for firms with fewer than 1,500 employees is not provided. Based on these data, the Commission concludes that the majority of Competitive LECS, CAPs, Shared-Tenant Service Providers, and Other Local Service Providers, are small entities. According to Commission data, 1,442 carriers reported that they were engaged in the provision of either competitive local exchange services or competitive access provider services. See Federal Communications Commission, Wireline Competition Bureau, Industry Analysis and Technology Division, Trends in Telephone Service at Table 5.3 (Sept. 2010) (Trends in Telephone Service), https://apps.fcc.gov/edocs_public/attachmatch/DOC-301823A1.pdf. Of these 1,442 carriers, an estimated 1,256 have 1,500 or fewer employees. Id. In addition, 17 carriers have reported that they are Shared-Tenant Service Providers, and all 17 are estimated to have 1,500 or fewer employees. Id. Also, 72 carriers have reported that they are Other Local Service Providers. Id. Of this total, 70 have 1,500 or fewer employees. Id. Consequently, based on internally researched FCC data, the Commission estimates that most providers of competitive local exchange service, competitive access providers, Shared-Tenant Service Providers, and Other Local Service Providers are small entities. 12. We have included small incumbent LECs in this present RFA analysis. As noted above, a “small business” under the RFA is one that, inter alia, meets the pertinent small-business size standard (e.g., a telephone communications business having 1,500 or fewer employees) and “is not dominant in its field of operation.” 5 U.S.C. § 601(3). The SBA’s Office of Advocacy contends that, for RFA purposes, small incumbent LECs are not dominant in their field of operation because any such dominance is not “national” in scope. Letter from Jere W. Glover, Chief Counsel for Advocacy, SBA, to William E. Kennard, Chairman, FCC (filed May 27, 1999). The Small Business Act contains a definition of “small business concern,” which the RFA incorporates into its own definition of “small business.” 15 U.S.C. § 632(a); 5 U.S.C. § 601(3). SBA regulations interpret “small business concern” to include the concept of dominance on a national basis. 13 CFR § 121.102(b). We have therefore included small incumbent LECs in this RFA analysis, although we emphasize that this RFA action has no effect on Commission analyses and determinations in other, non-RFA contexts. 13. Interexchange Carriers (IXCs). Neither the Commission nor the SBA has developed a small business size standard specifically for Interexchange Carriers. The closest applicable NAICS Code category is Wired Telecommunications Carriers. See U.S. Census Bureau, 2017 NAICS Definition, NAICS Code 517311 “Wired Telecommunications Carriers,” https://www.census.gov/cgi-bin/sssd/naics/naicsrch?code=517311&search=2017. The applicable size standard under SBA rules is that such a business is small if it has 1,500 or fewer employees. See 13 CFR § 120.201, NAICS Code 517311 (previously 517110). U.S. Census Bureau data for 2012 indicate that 3,117 firms operated for the entire year. See U.S. Census Bureau, 2012 Economic Census of the United States, Table No. EC1251SSSZ5, Information: Subject Series - Estab & Firm Size: Employment Size of Firms: 2012 NAICS Code 517110. https://factfinder.census.gov/bkmk/table/1.0/en/ECN/2012_US/51SSSZ5//naics~517110. Of that number, 3,083 operated with fewer than 1,000 employees. Id. The largest category provided by the census data is “1000 employees or more” and a more precise estimate for firms with fewer than 1,500 employees is not provided. According to internally developed Commission data, 359 companies reported that their primary telecommunications service activity was the provision of interexchange services. See Trends in Telephone Service, Federal Communications Commission, Wireline Competition Bureau, Industry Analysis and Technology Division at Table 5.3 (Sept. 2010) (Trends in Telephone Service). https://apps.fcc.gov/edocs_public/attachmatch/DOC-301823A1.pdf. Of this total, an estimated 317 have 1,500 or fewer employees. Id. Consequently, the Commission estimates that the majority of interexchange service providers are small entities. 14. Cable System Operators (Telecom Act Standard). The Communications Act of 1934, as amended, also contains a size standard for small cable system operators, which is “a cable operator that, directly or through an affiliate, serves in the aggregate fewer than one percent of all subscribers in the United States and is not affiliated with any entity or entities whose gross annual revenues in the aggregate exceed $250,000,000.” 47 U.S.C. § 543(m)(2); see 47 CFR § 76.901(f) & n.1–3. As of 2018, there were approximately 50,504,624 cable video subscribers in the United States. S&P Global Market Intelligence, U.S. Cable Subscriber Highlights, Basic Subscribers(actual) 2018, U.S. Cable MSO Industry Total, https://platform.marketintelligence.spglobal.com/. Accordingly, an operator serving fewer than 505,046 subscribers shall be deemed a small operator if its annual revenues, when combined with the total annual revenues of all its affiliates, do not exceed $250 million in the aggregate. 47 CFR § 76.901(f) and n. ff. 1, 2, and 3. We note that the Commission neither requests nor collects information on whether cable system operators are affiliated with entities whose gross annual revenues exceed $250 million. The Commission does receive such information on a case-by-case basis if a cable operator appeals a local franchise authority’s finding that the operator does not qualify as a small cable operator pursuant to § 76.901(f) of the Commission’s rules. See 47 CFR § 76.909(b). Therefore we are unable at this time to estimate with greater precision the number of cable system operators that would qualify as small cable operators under the definition in the Communications Act. 2. Wireless Carriers 15. Wireless Telecommunications Carriers (except Satellite). This industry comprises establishments engaged in operating and maintaining switching and transmission facilities to provide communications via the airwaves. Establishments in this industry have spectrum licenses and provide services using that spectrum, such as cellular services, paging services, wireless internet access, and wireless video services. U.S. Census Bureau, 2017 NAICS Definitions, “517312 Wireless Telecommunications Carriers (Except Satellite)” h,ttps://www.census.gov/cgi-bin/sssd/naics/naicsrch?code=517312&search=2017%20NAICS%20Search. The appropriate size standard under SBA rules is that such a business is small if it has 1,500 or fewer employees. 13 CFR § 121.201, NAICS Code 517312 (previously 517210). For this industry, U.S. Census Bureau data for 2012 show that there were 967 firms that operated for the entire year. U.S. Census Bureau, 2012 Economic Census of the United States, Table EC1251SSSZ5, Information: Subject Series: Estab and Firm Size: Employment Size of Firms for the U.S.: 2012, NAICS Code 517210. https://factfinder.census.gov/bkmk/table/1.0/en/ECN/2012_US/51SSSZ5//naics~517210. Of this total, 955 firms employed fewer than 1,000 employees and 12 firms employed of 1000 employees or more. Id. Available census data does not provide a more precise estimate of the number of firms that have employment of 1,500 or fewer employees. The largest category provided is for firms with “1000 employees or more.” Thus under this category and the associated size standard, the Commission estimates that the majority of wireless telecommunications carriers (except satellite) are small entities. 16. The Commission’s own data—available in its Universal Licensing System—indicate that, as of August 31, 2018 there are 265 Cellular licensees that will be affected by our actions. See http://wireless.fcc.gov/uls.  For the purposes of this IRFA, consistent with Commission practice for wireless services, the Commission estimates the number of licensees based on the number of unique FCC Registration Numbers. The Commission does not know how many of these licensees are small, as the Commission does not collect that information for these types of entities. Similarly, according to internally developed Commission data, 413 carriers reported that they were engaged in the provision of wireless telephony, including cellular service, Personal Communications Service (PCS), and Specialized Mobile Radio (SMR) Telephony services. See Federal Communications Commission, Wireline Competition Bureau, Industry Analysis and Technology Division, Trends in Telephone Service at Table 5.3 (Sept. 2010) (Trends in Telephone Service), https://apps.fcc.gov/edocs_public/attachmatch/DOC-301823A1.pdf. Of this total, an estimated 261 have 1,500 or fewer employees, and 152 have more than 1,500 employees. See id. Thus, using available data, we estimate that the majority of wireless firms can be considered small. 17. Satellite Telecommunications. This category comprises firms “primarily engaged in providing telecommunications services to other establishments in the telecommunications and broadcasting industries by forwarding and receiving communications signals via a system of satellites or reselling satellite telecommunications.” U.S. Census Bureau, 2017 NAICS Definitions, “517410 Satellite Telecommunications”; https://www.census.gov/cgi-bin/sssd/naics/naicsrch?input=517410&search=2017+NAICS+Search&search=2017. Satellite telecommunications service providers include satellite and earth station operators. The category has a small business size standard of $35 million or less in average annual receipts, under SBA rules. 13 CFR § 121.201, NAICS code 517410. For this category, U.S. Census Bureau data for 2012 show that there were a total of 333 firms that operated for the entire year. U.S. Census Bureau, 2012 Economic Census of the United States, Table EC1251SSSZ4, Information: Subject Series - Estab and Firm Size: Receipts Size of Firms for the United States: 2012, NAICS Code 517410, https://factfinder.census.gov/bkmk/table/1.0/en/ECN/2012_US/51SSSZ4//naics~517410. Of this total, 299 firms had annual receipts of less than $25 million. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard of annual receipts of $35 million or less. Consequently, we estimate that the majority of satellite telecommunications providers are small entities. 3. Resellers 18. Local Resellers. The SBA has not developed a small business size standard specifically for Local Resellers. The SBA category of Telecommunications Resellers is the closest NAICs code category for local resellers. The Telecommunications Resellers industry comprises establishments engaged in purchasing access and network capacity from owners and operators of telecommunications networks and reselling wired and wireless telecommunications services (except satellite) to businesses and households. Establishments in this industry resell telecommunications; they do not operate transmission facilities and infrastructure. Mobile virtual network operators (MVNOs) are included in this industry. U.S. Census Bureau, 2017 NAICS Definition, “517911 Telecommunications Resellers”, https://www.census.gov/cgi-bin/sssd/naics/naicsrch?code=517911&search=2017%20NAICS%20Search. Under the SBA’s size standard, such a business is small if it has 1,500 or fewer employees. 13 CFR § 121.201, NAICS code 517911. U.S. Census Bureau data from 2012 show that 1,341 firms provided resale services during that year. See U.S. Census Bureau, 2012 Economic Census of the United States, Table No. EC1251SSSZ5, Information: Subject Series - Estab & Firm Size: Employment Size of Firms: 2012 NAICS Code 517911, https://factfinder.census.gov/bkmk/table/1.0/en/ECN/2012_US/51SSSZ5//naics~517911. Of that number, all operated with fewer than 1,000 employees. Id. Available census data does not provide a more precise estimate of the number of firms that have employment of 1,500 or fewer employees. The largest category provided is for firms with “1000 employees or more.” Thus, under this category and the associated small business size standard, the majority of these resellers can be considered small entities. According to Commission data, 213 carriers have reported that they are engaged in the provision of local resale services. See Trends in Telephone Service, Federal Communications Commission, Wireline Competition Bureau, Industry Analysis and Technology Division at Table 5.3 (Sept. 2010) (Trends in Telephone Service). Of these, an estimated 211 have 1,500 or fewer employees and two have more than 1,500 employees. See id. Consequently, the Commission estimates that the majority of local resellers are small entities. 19. Toll Resellers. The Commission has not developed a definition for Toll Resellers. The closest NAICS Code Category is Telecommunications Resellers. The Telecommunications Resellers industry comprises establishments engaged in purchasing access and network capacity from owners and operators of telecommunications networks and reselling wired and wireless telecommunications services (except satellite) to businesses and households. Establishments in this industry resell telecommunications; they do not operate transmission facilities and infrastructure. MVNOs are included in this industry. U.S. Census Bureau, 2017 NAICS Definition, 517911 Telecommunications Resellers, https://www.census.gov/cgi-bin/sssd/naics/naicsrch?code=517911&search=2017%20NAICS%20Search. The SBA has developed a small business size standard for the category of Telecommunications Resellers. 13 CFR § 121.201, NAICS code 517911. Under that size standard, such a business is small if it has 1,500 or fewer employees. Id. 2012 Census Bureau data show that 1,341 firms provided resale services during that year. See U.S. Census Bureau, 2012 Economic Census of the United States, Table No. EC1251SSSZ5, Information: Subject Series - Estab & Firm Size: Employment Size of Firms: 2012 NAICS Code 517911, https://factfinder.census.gov/bkmk/table/1.0/en/ECN/2012_US/51SSSZ5//naics~517911. Of that number, 1,341 operated with fewer than 1,000 employees. Id. Available census data does not provide a more precise estimate of the number of firms that have employment of 1,500 or fewer employees; the largest category provided is for firms with “1000 employees or more.” Thus, under this category and the associated small business size standard, the majority of these resellers can be considered small entities. According to Commission data, 881 carriers have reported that they are engaged in the provision of toll resale services. See Trends in Telephone Service, Federal Communications Commission, Wireline Competition Bureau, Industry Analysis and Technology Division at Table 5.3 (Sept. 2010) (Trends in Telephone Service). Of this total, an estimated 857 have 1,500 or fewer employees. See id. Consequently, the Commission estimates that the majority of toll resellers are small entities. 20. Prepaid Calling Card Providers. Neither the Commission nor the SBA has developed a small business definition specifically for prepaid calling card providers. The most appropriate NAICS code-based category for defining prepaid calling card providers is Telecommunications Resellers. U.S. Census Bureau, 2017 NAICS Definition, “517911 Telecommunications Resellers”, https://www.census.gov/cgi-bin/sssd/naics/naicsrch?code=517911&search=2017%20NAICS%20Search. This industry comprises establishments engaged in purchasing access and network capacity from owners and operators of telecommunications networks and reselling wired and wireless telecommunications services (except satellite) to businesses and households. Establishments in this industry resell telecommunications; they do not operate transmission facilities and infrastructure. Mobile virtual networks operators (MVNOs) are included in this industry. Id. Under the applicable SBA size standard, such a business is small if it has 1,500 or fewer employees. 13 CFR § 121.201, NAICS Code 517911. U.S. Census Bureau data for 2012 show that 1,341 firms provided resale services during that year. See U.S. Census Bureau, 2012 Economic Census of the United States, Table No. EC1251SSSZ5, Information: Subject Series - Estab & Firm Size: Employment Size of Firms: 2012 NAICS Code 517911, https://factfinder.census.gov/bkmk/table/1.0/en/ECN/2012_US/51SSSZ5//naics~517911. Of that number, 1,341 operated with fewer than 1,000 employees. Id. Available census data does not provide a more precise estimate of the number of firms that have employment of 1,500 or fewer employees. The largest category provided is for firms with “1000 employees or more.” Thus, under this category and the associated small business size standard, the majority of these prepaid calling card providers can be considered small entities. According to Commission data, 193 carriers have reported that they are engaged in the provision of prepaid calling cards. See Trends in Telephone Service, at tbl. 5.3. All 193 carriers have 1,500 or fewer employees. Id. Consequently, the Commission estimates that the majority of prepaid calling card providers are small entities that may be affected by these rules. 4. Other Entities 21. All Other Telecommunications. The “All Other Telecommunications” category is comprised of establishments primarily engaged in providing specialized telecommunications services, such as satellite tracking, communications telemetry, and radar station operation. See U.S. Census Bureau, 2017 NAICS Definitions, “517919 All Other Telecommunications”, https://www.census.gov/cgi-bin/sssd/naics/naicsrch?input=517919&search=2017+NAICS+Search&search=2017. This industry also includes establishments primarily engaged in providing satellite terminal stations and associated facilities connected with one or more terrestrial systems and capable of transmitting telecommunications to, and receiving telecommunications from, satellite systems. Id. Establishments providing Internet services or voice over Internet protocol (VoIP) services via client-supplied telecommunications connections are also included in this industry. Id. The SBA has developed a small business size standard for “All Other Telecommunications”, which consists of all such firms with annual receipts of $35 million or less. See 13 CFR § 121.201, NAICS Code 517919. For this category, U.S. Census Bureau data for 2012 show that there were 1,442 firms that operated for the entire year. U.S. Census Bureau, 2012 Economic Census of the United States, Table EC1251SSSZ4, Information: Subject Series - Estab and Firm Size: Receipts Size of Firms for the United States: 2012, NAICS Code 517919, https://factfinder.census.gov/bkmk/table/1.0/en/ECN/2012_US/51SSSZ4//naics~517919. Of those firms, a total of 1,400 had annual receipts less than $25 million and 15 firms had annual receipts of $25 million to $49, 999,999. Id. Thus, the Commission estimates that the majority of “All Other Telecommunications” firms potentially affected by our action can be considered small. F. Description of Projected Reporting, Recordkeeping, and Other Compliance Requirements for Small Entities 22. The Third Report and Order adopts new rules requiring voice service providers to update their filings to the robocall mitigation database if the Bureau upholds an adverse service token revocation decision made by the Governance Authority. See supra para. 25. Some voice service providers required to amend their filings in this way may be small voice service providers. G. Steps Taken to Minimize the Significant Economic Impact on Small Entities, and Significant Alternatives Considered 23. The RFA requires an agency to describe any significant alternatives that it has considered in reaching its proposed approach, which may include the following four alternatives (among others): (1) the establishment of differing compliance or reporting requirements or timetables that take into account the resources available to small entities; (2) the clarification, consolidation, or simplification of compliance and reporting requirements under the rules for such small entities; (3) the use of performance rather than design standards; and (4) an exemption from coverage of the rule, or any part thereof, for such small entities. 5 U.S.C. § 603(c)(1)-(4). 24. The Third Report and Order adopts rules establishing an oversight role for the Commission within the STIR/SHAKEN governance system’s token revocation process. See supra, para. 11. Under our newly adopted rules entities, including small entities, that have their SPC token revoked by the private STIR/SHAKEN Governance Authority may appeal that decision to the Commission. See id. H. Federal Rules that May Duplicate, Overlap, or Conflict with the Proposed Rules 25. None. I. Report to Congress 26. The Commission will send a copy of the Third Report and Order, including this FRFA, in a report to Congress pursuant to the Congressional Review Act. See 5 U.S.C. § 801(a)(1)(A). In addition, the Commission will send a copy of the Third Report and Order, including the FRFA, to the Chief Counsel for Advocacy of the SBA. A copy of the Third Report and Order and FRFA (or summaries thereof) will also be published in the Federal Register. See 5 U.S.C. § 604(b). 2 STATEMENT OF ACTING CHAIRWOMAN JESSICA ROSENWORCEL Re: Promoting Caller ID Authentication to Combat Illegal Robocalls, WC Docket No. 17-97, Appeals of the STIR/SHAKEN Governance Authority Token Revocation Decisions, WC Docket No. 21-291, Third Report and Order (August 5, 2021). It was a little over a month ago, on June 30, that the Federal Communications Commission required carriers across the country to put in place a call authentication system known as STIR/SHAKEN. Maybe you didn’t take note of it when it happened. But you will benefit from it if you have a phone. That’s because STIR/SHAKEN is a technology that helps protect against robocalls. And the more of it we put into our networks, the fewer junk calls we’ll all receive. The STIR/SHAKEN framework depends on carriers holding a digital token provided by the private Governance Authority. If a carrier abuses the system, the Governance Authority can revoke the token, meaning that the carrier cannot use STIR/SHAKEN and would fall out of compliance with our rules. Because due process matters, we clarify here the precise procedure to allow carriers with revoked tokens to appeal their decision to the FCC. This is the right thing to do. But make no mistake: if carriers fail to properly put in place the technology they are required to use to prevent robocalls, they will hear from us. I’d like to thank the Robocall Response Team and the staff who worked on this decision, including Pam Arluk, Michele Berlove, Matthew Collins, Lynne Engledow, Justin Faulb, Victoria Goldberg, Alexander Hobbs, Dan Kahn, Jonathan Lechter, Albert Lewis, Kris Monteith, and Gil Strobel of the Wireline Competition Bureau; Jerusha Burnett, Aaron Garza, Kurt Schroeder, Mark Stone, and Kristi Thornton of the Consumer and Governmental Affairs Bureau; Kim Cook and Jim Schlichting of the International Bureau; Ken Carlberg of the Public Safety and Homeland Security Bureau; Eugene Kiselev, Giulia McHenry, Chuck Needy, Eric Ralph, and Emily Talaga of the Office of Economics and Analytics; and Michele Ellison, Richard Mallen, Linda Oliver, William Richardson, and Derek Yeo of the Office of General Counsel.