Fcc 20-136

FCC-20-136A1.pdf

Secure Telephone Identity Governance Authority Token Revocation Review Process

FCC 20-136

OMB: 3060-1287

Document [pdf]
Download: pdf | pdf
Federal Communications Commission

FCC 20-136

Before the
Federal Communications Commission
Washington, D.C. 20554
In the Matter of
Call Authentication Trust Anchor

)
)
)
)

WC Docket No. 17-97

SECOND REPORT AND ORDER
Adopted: September 29, 2020

Released: October 1, 2020

By the Commission:
TABLE OF CONTENTS
I. INTRODUCTION ...................................................................................................................................1
II. BACKGROUND .....................................................................................................................................5
III. SECOND REPORT AND ORDER.......................................................................................................16
A. TRACED Act Definitions and Scope .............................................................................................17
B. Caller ID Authentication in Non-IP Networks ...............................................................................24
C. Extension of Implementation Deadline ..........................................................................................36
1. Assessment of Burdens and Barriers to Implementation and Extensions for Undue
Hardship ...................................................................................................................................39
2. Extension for Certain Non-Internet Protocol Networks...........................................................66
3. Reevaluating Granted Extensions.............................................................................................71
4. Robocall Mitigation Program ...................................................................................................74
5. Alternative Methodologies During an Extension .....................................................................95
6. Legal Authority ........................................................................................................................97
D. Voluntary STIR/SHAKEN Implementation Exemption ..............................................................101
1. Relationship of IP Networks and Non-IP Networks Provisions ............................................103
2. Threshold for IP Networks Exemption...................................................................................106
3. Threshold for Non-IP Networks Exemption ..........................................................................114
4. Compliance Certifications ......................................................................................................117
5. Voice Service Providers Eligible for Exemption ...................................................................125
E. Line Item Charges.........................................................................................................................126
F. Intermediate Providers ..................................................................................................................132
1. Authenticated Calls ................................................................................................................133
2. Unauthenticated Calls.............................................................................................................140
3. Limiting Intermediate Provider Requirements to IP Networks..............................................148
4. Definition of Intermediate Provider .......................................................................................151
5. Legal Authority ......................................................................................................................153
G. Other Issues...................................................................................................................................156
IV. PROCEDURAL MATTERS...............................................................................................................158
V. ORDERING CLAUSES......................................................................................................................162
APPENDIX A – FINAL RULES
APPENDIX B – FINAL REGULATORY FLEXIBILITY ANALYSIS
I.
INTRODUCTION
1.

Protecting Americans from the dangers of unwanted and illegal robocalls is our top

Federal Communications Commission

FCC 20-136

consumer protection priority.1 More than just an annoyance, these calls are a tool for scammers to take
advantage of unsuspecting Americans. Bad actors often “spoof” or falsify caller ID information and
deceive call recipients into believing they are trustworthy.2 Even in the midst of the COVID-19
pandemic, bad actors have continued their attempts to use illegal spoofing to target American consumers,
once again illustrating the pervasiveness of this problem.3
2.
As part of our multi-pronged approach to combat this vexing issue, 4 we have made it a
priority to stop the practice of illegal caller ID spoofing.5 For instance, we have issued hundreds of
millions of dollars in fines for violations of our Truth in Caller ID rules.6 We recently proposed a
forfeiture of $225 million—the largest in the Commission’s history—for a company that made
approximately one billion spoofed robocalls,7 and we proposed two forfeiture actions of almost $13
million and $10 million apiece against other entities for apparent spoofing violations.8 We have expanded
our Truth in Caller ID rules to reach foreign calls and text messages.9 Pursuant to the TRACED Act, we
have selected a consortium to conduct private-led traceback efforts of suspected illegal robocalls, which is
particularly useful in instances where the caller ID information transmitted with a call has been

See e.g., FCC Chairman Ajit Pai, Blocking and Tackling Robocalls (May 15, 2019), https://www.fcc.gov/newsevents/blog/2019/05/15/blocking-and-tackling-robocalls (“Combatting the scourge of unwanted robocalls has
topped my consumer protection agenda since I became FCC Chairman.”); FCC Consumer Guide, Stop Unwanted
Robocalls and Texts, https://www.fcc.gov/consumers/guides/stop-unwanted-robocalls-and-texts (last updated July 9,
2020) (“Unwanted calls—including illegal and spoofed robocalls—are the FCC's top consumer complaint and our
top consumer protection priority.”).
1

Spoofing has both legal and illegal uses. Legal uses include domestic violence shelters altering caller ID
information to protect their residents, and ride sharing and delivery services doing the same to protect the privacy of
drivers, passengers, and delivery people. Implementing Section 503 of the RAY BAUM’S Act; Rules and Regulation
Implementing the Truth in Caller ID Act of 2009, WC Docket Nos. 18-335 and 11-39, Second Report and Order, 34
FCC Rcd 7303, 7304-05, para. 4 (2019) (Second Truth in Caller ID Order). It is illegal when a caller transmits
misleading or inaccurate caller ID information with the intent to defraud, cause harm, or wrongly obtain anything of
value. 47 U.S.C. § 227(e)(1); 47 CFR § 64.1604.
2

Press Release, FCC, FCC, FTC Demand Robocall-Enabling Service Providers Cut Off COVID-19-Related
International Scammers (May 20, 2020), https://docs.fcc.gov/public/attachments/DOC-364482A1.pdf; see also
Brian X. Chen, A Guide to Pandemic Scams, and What Not to Fall For, N.Y. Times (May 13, 2020),
https://www.nytimes.com/2020/05/13/technology/personaltech/pandemic-scams.html.
3

In the first eight months of 2020, YouMail estimates that Americans have received over 30.1 billion robocalls.
YouMail, Historical Robocalls by Time, https://robocallindex.com/history/time (last visited Sept. 3, 2020).
4

See, e.g., Press Release, FCC, Chairman Pai Calls on Industry to Adopt Anti-Spoofing Protocols to Help
Consumers Combat Scam Robocalls (Nov. 5, 2018), https://docs.fcc.gov/public/attachments/DOC-354933A1.pdf.
The importance of halting the practice of illegal caller ID spoofing is also recognized by Congress and state
attorneys general. See Pallone-Thune Telephone Robocall Abuse Criminal Enforcement and Deterrence Act, Pub.
L. No. 116-105 (2019) (TRACED Act); Fifty-One State Attorneys General, Anti-Robocall Principles,
https://ncdoj.gov/download/141/files/17821/state-agsproviderrs-antirobocall-principles-with-signatories.
5

See FCC Consumer and Governmental Affairs Bureau, Report on Robocalls at 11 (2019),
https://docs.fcc.gov/public/attachments/DOC-356196A1.pdf.
6

John C. Spiller; Jakob A. Mears; Rising Eagle Capital Group LLC; JSquared Telecom LLC; Only Web Leads
LLC; Rising Phoenix Group; Rising Phoenix Holdings; RPG Leads; and Rising Eagle Capital Group – Cayman,
Notice of Apparent Liability for Forfeiture, 35 FCC Rcd 5948 (2020).
7

See Scott Rhodes a.k.a. Scott David Rhodes, Scott D. Rhodes, Scott Platek, Scott P. Platek, Notice of Apparent
Liability for Forfeiture, 35 FCC Rcd 882 (2020); Kenneth Moser dba Marketing Support Systems, Notice of
Apparent Liability for Forfeiture, 34 FCC Rcd 12753 (2019).
8

9

Second Truth in Caller ID Order, 34 FCC Rcd 7303 (2019).

2

Federal Communications Commission

FCC 20-136

maliciously spoofed.10 We have clarified and bolstered our call blocking rules to give voice service
providers new latitude to block calls, including spoofed calls.11
3.
One key part of our broad efforts to thwart illegal caller ID spoofing has been our work to
promote implementation of the STIR/SHAKEN caller ID authentication framework. The
STIR/SHAKEN framework allows voice service providers to verify that the caller ID information
transmitted with a particular call matches the caller’s number, while protecting consumer privacy and
promoting the ability to complete lawful calls. Widespread implementation of STIR/SHAKEN will
reduce the effectiveness of illegal spoofing, allow law enforcement to identify bad actors more easily, and
help voice service providers identify calls with illegally spoofed caller ID information before those calls
reach their subscribers. We have worked over the course of multiple years to promote caller ID
authentication,12 and in 2019 Congress amplified our efforts by passing the Pallone-Thune Telephone
Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act, which directs the Commission to
take numerous steps to promote and require STIR/SHAKEN implementation.13 In March of this year,
building on the foundation laid by our prior work and by Congress, we adopted rules requiring voice
service providers to implement the STIR/SHAKEN call authentication technology in the internet protocol
(IP) portions of their phone networks by June 30, 2021.14
4.
Today, we continue our work to promote the deployment of caller ID authentication
technology and to implement the TRACED Act. After consideration of the record, we adopt rules
implementing many of the proposals we made in the First Caller ID Authentication Report and Order and
Further Notice. Among other things, we adopt rules governing intermediate providers and caller ID
Implementing Section 13(d) of the Pallone-Thune Robocall Abuse Criminal Enforcement and Deterrence Act
(TRACED Act), EB Docket 20-22, Report and Order and Further Notice of Proposed Rulemaking, 35 FCC Rcd 3113
(2020); Enforcement Bureau Requests Letters of Intent for Traceback Consortium, EB Docket No. 20-22, Public
Notice, 35 FCC Rcd 3659 (2020); Implementing Section 13(d) of the Pallone-Thune Telephone Robocall Abuse
Criminal Enforcement and Deterrence Act (TRACED Act), EB Docket No. 20-22, Report and Order, 35 FCC Rcd
7886 (EB 2020) (selecting USTelecom’s Industry Traceback Group as the single consortium to conduct private-led
traceback efforts).
10

See Advanced Methods to Target and Eliminate Unlawful Robocalls; Call Authentication Trust Anchor, CG
Docket No. 17-59, WC Docket No. 17-97, Declaratory Ruling and Third Further Notice of Proposed Rulemaking,
34 FCC Rcd 4876 (2019) (2019 Robocall Declaratory Ruling and Further Notice); Advanced Methods to Target
and Eliminate Unlawful Robocalls, CG Docket No. 17-59, Third Report and Order, Order on Reconsideration, and
Fourth Further Notice of Proposed Rulemaking, 35 FCC Rcd 7614 (2020) (2020 Call Blocking Order).
11

See e.g., Call Authentication Trust Anchor, WC Docket No. 17-97, Notice of Inquiry, 32 FCC Rcd 5988 (2017)
(Call Authentication NOI) (launching a broad inquiry into caller ID authentication); Letter from Kris Anne
Monteith, Chief, Wireline Competition Bureau, FCC, to Travis Kavulla, Chair, NANC (Dec. 7, 2017) (directing the
Call Authentication Trust Anchor (CATA) Working Group of the North American Numbering Council (NANC) to
recommend the criteria for the selection of a Governance Authority and a reasonable deployment timeline); Press
Release, FCC, Chairman Pai: Caller ID Authentication Necessary for Consumers in 2019 (Feb. 13, 2019),
https://docs.fcc.gov/public/attachments/DOC-356187A1.pdf; 2019 Robocall Declaratory Ruling and Further
Notice, 34 FCC Rcd at 4898-99, para. 71 (proposing that if major voice service providers failed to voluntarily
implement STIR/SHAKEN by the end of 2019, the Commission would adopt rules requiring voice service providers
to implement); Letter from Kris Anne Monteith, Chief, Wireline Competition Bureau, FCC, to Jennifer K. McKee,
Chair, NANC (Feb. 27, 2020) (directing the CATA Working Group to recommend a set of best practices to ensure
voice service providers accurately identify the calling party).
12

Pallone-Thune Telephone Robocall Abuse Criminal Enforcement and Deterrence Act, Pub. L. No. 116-105
(2019) (TRACED Act).
13

Call Authentication Trust Anchor, Implementation of TRACED Act Section 6(a)—Knowledge of Customers by
Entities with Access to Numbering Resources, WC Docket Nos. 17-97 and 20-67, Report and Order and Further Notice
of Proposed Rulemaking, 35 FCC Rcd 3241 (Mar. 31, 2020) (First Caller ID Authentication Report and Order and
Further Notice).
14

3

Federal Communications Commission

FCC 20-136

authentication in non-IP networks, we implement the exceptions and extensions established by the
TRACED Act, and we prohibit line-item charges for caller ID authentication.
II.

BACKGROUND

5.
As the telecommunications industry has advanced and expanded into IP-based telephony,
costs have decreased as competition increased, benefitting consumers greatly. These benefits, however,
have eroded the chains of trust that previously bound voice service providers together. Partly due to the
rise of the Voice over Internet Protocol (VoIP) software, the telephony industry no longer consists only of
a limited number of carriers that all trusted each other to provide accurate caller ID information. Because
there are now a multitude of voice service providers and entities originating and transiting calls, bad
actors can more easily take advantage of these weakened chains of trust to target consumers with illegally
spoofed calls.15
6.
Recognizing this vulnerability, technologists from the Internet Engineering Task Force
(IETF) and the Alliance for Telecommunications Industry Solutions (ATIS) developed standards to allow
the authentication and verification of caller ID information for calls carried over IP networks using the
Session Initiation Protocol (SIP).16 Since voice service providers could no longer count on the multitude
of entities in each call path to accurately pass the caller ID information, the goal was to create a system
that allowed the identification information to safely and securely travel with the call itself. The result is
the STIR/SHAKEN call authentication framework.
7.
The framework is comprised of several different standards and protocols. The Secure
Telephony Identity Revisited (STIR) working group, formed by the IETF, has produced several protocols
for authenticating caller ID information.17 ATIS, together with the SIP Forum,18 produced the Signaturebased Handling of Asserted information using toKENs (SHAKEN) specification, which standardizes how
the protocols produced by STIR are implemented across the industry using digital “certificates.”19 At a
high-level, the STIR/SHAKEN framework consists of two components: (1) the technical process of
authenticating and verifying caller ID information; and (2) the certificate governance process that
15

See First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3243-44, para. 4.

See Robocall Strike Force, Robocall Strike Force Report at 3 (2016), https://transition.fcc.gov/cgb/RobocallStrike-Force-Final-Report.pdf. The Session Initiation Protocol (SIP) is “an application-layer control (signaling)
protocol for creating, modifying, and terminating sessions” such as Internet Protocol (IP) telephony calls. IETF,
SIP: Session Initiation Protocol, RFC 3261, at 1 (2002), https://tools.ietf.org/html/rfc3261.
16

See IETF, Secure Telephone Identity Revisited (stir): About, https://datatracker.ietf.org/wg/stir/about (last visited
Sept. 3, 2020) (describing IETF STIR standards and efforts); IETF, Secure Telephone Identity Revisited (stir):
Documents, https://datatracker.ietf.org/wg/stir/documents (last visited Sept. 3, 2020) (listing standards and current
work-in-progress).
17

The SIP Forum is “an industry association with members from . . . IP communications companies,” with a mission
“[t]o advance the adoption and interoperability of IP communications products and services based on SIP.” SIP
Forum, Home, https://www.sipforum.org (last visited Sept. 3, 2020).
18

See ATIS & SIP Forum, Joint ATIS/SIP Forum Standard—Signature-Based Handling of Asserted Information
Using toKENs (SHAKEN), ATIS-1000074 (2017),
https://access.atis.org/apps/group_public/download.php/46770/ATIS-1000074-E.zip (ATIS-1000074); ATIS & SIP
Forum, Errata on ATIS Standard on Signature-based Handling of Asserted information using toKENs (SHAKEN),
ATIS-1000074-E (2019), https://access.atis.org/apps/group_public/download.php/46536/ATIS-1000074-E.zip
(ATIS-1000074-E). In First Caller ID Authentication Report and Order and Further Notice, we adopted a definition
of “STIR/SHAKEN authentication framework” that closely tracked the language of the TRACED Act. We specified
that for the purposes of compliance with the definition and our rules, voice service providers must adhere to the most
current versions of the three main ATIS standards, including any errata, as of March 31, 2020. First Caller ID
Authentication Report and Order and Further Notice, 35 FCC Rcd at 3258-59, para. 36. In this Order, we cite to
errata when that is the most recent version of the relevant standard as of March 31, 2020.
19

4

Federal Communications Commission

FCC 20-136

maintains trust in the caller ID authentication information transmitted along with a call.
8.
Technology. The STIR/SHAKEN technical authentication and verification processes rely
on public key cryptography to securely transmit the information that the originating voice service
provider knows about the identity of the caller and its relationship to the phone number it is using
throughout the entire length of the call path, allowing the terminating voice service provider to verify the
information on the other end.20 The encrypted caller ID information is contained within a unique header
to the message used to initiate a SIP call (the SIP INVITE message), called an “Identity” header.21 While
there is no technical mechanism within the STIR/SHAKEN framework that ensures this Identity header
travels the entire length of the call path unaltered, the unbroken transmission of an unaltered Identity
header from the originating voice service provider, through each intermediate provider, to the terminating
voice service provider is critical to creating the end-to-end chain of trust that allows a terminating
provider to know it has received accurate caller ID information.22
9.
Because providers transmit the Identity header in a SIP INVITE and because SIP is IPbased, STIR/SHAKEN only operates in the IP portions of a provider’s network.23 If a call originates on a
non-IP network, that voice service provider cannot authenticate the caller ID information; if it terminates
on a non-IP network, that voice service provider cannot verify the caller ID authentication information.
And if a call is routed at any point over an interconnection point or intermediate provider network that
does not support the transmission of SIP calls, the Identity header will be lost.24 While standards bodies
are currently working on non-IP call authentication solutions,25 and some vendors are developing
potential non-IP solutions,26 there is yet to be an industry consensus on the path forward.27
10.
In the STIR/SHAKEN framework, the provider adding the Identity header to the SIP
INVITE can use three different levels of attestation to signify what it knows about the identity of the
calling party. The highest level of attestation is called full or A-level attestation. A provider assigns an
A-level attestation when it is the entry point of the call onto the IP network, it can confirm the identity of
the subscriber making the call, and the subscriber is using its associated telephone number.28 The method
or process a provider uses to determine the legitimacy of the caller’s use of a telephone number is specific
to each provider.29 As a result, a provider’s reputation is tied to the rigor of its evaluation process.30 The
middle level of attestation is called partial or B-level attestation. A provider uses a B-level attestation to
See First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3244-45, paras. 6-7. In
this Report and Order, we use the term “caller” to broadly refer to the person or entity originating a voice call. We
recognize that for the purpose of industry standards or other technical documents, this relationship may be described
using more exact language suited to the specific technical scenarios described.
20

21

See id. at 3244-45, para. 6.

22

See id.

23

See id.at 3245, para. 7.

24

See id.

See id.; Press Release, ATIS, ATIS Launches New Non-IP Call Authentication Task Force (May 13, 2020),
https://sites.atis.org/insights/atis-launches-new-non-ip-call-authentication-task-force/; IETF, STIR Out-of-Band
Architecture and Use Cases, Draft (2019), https://tools.ietf.org/html/draft-ietf-stir-oob-06 (draft standards for out-ofband STIR).
25

See TransNexus, Out-of-Band STIR/SHAKEN Call Authentication, https://transnexus.com/whitepapers/out-ofband-stir/ (last visited Sept. 3, 2020).
26

27

See, e.g., Comcast Comments, WC Docket Nos. 17-97 and 20-67, at 5 (rec. May 15, 2020) (Comcast Comments).

28

See ATIS-1000074-E § 5.2.3, at 9.

29

See id.

30

Id.

5

Federal Communications Commission

FCC 20-136

indicate that it is the entry point of the call onto the IP network and can confirm the identity of the
subscriber but not the telephone number.31 The lowest level of attestation is called gateway or C-level
attestation. A provider uses a C-level attestation when it is the point of entry to the IP network for a call
that originated elsewhere but has no relationship with the initiator of a call, such as when a provider is
acting as an international gateway.32 A downstream provider can make use of a C-level attestation to
trace a call back to an interconnecting service provider or the call’s entry point into the IP network.33 The
STIR/SHAKEN standards envision these various attestation levels as information that can facilitate
traceback and to enhance the spam identification solutions that terminating voice service providers enable
for their customers.34
11.
Governance. The STIR/SHAKEN framework relies on digital “certificates” to ensure
trust. The voice service provider adding the Identity header includes its assigned certificate which says, in
essence, that the voice service provider is the entity it claims to be and that it has the right to authenticate
the caller ID information.35 To maintain trust and accountability in the voice service providers that vouch
for the caller ID information, a neutral governance system issues the certificates.36 The STIR/SHAKEN
governance model requires several roles in order to operate: (1) a Governance Authority, which defines
the policies and procedures for which entities can issue or acquire certificates;37 (2) a Policy
Administrator, which applies the rules set by the Governance Authority, confirms that certification
authorities are authorized to issue certificates, and confirms that voice service providers are authorized to
request and receive certificates;38 (3) Certification Authorities, which issue the certificates used to
authenticate and verify calls;39 and (4) the voice service providers themselves, which, as call initiators,
select an approved certification authority from which to request a certificate, and which, as call recipients,
check with certification authorities to ensure that the certificates they receive were issued by the correct

31

See id.

32

See id. at 10.

33

See id.

34

See id. § 4, at 3-4.

35

First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3246, para. 9.

The STIR/SHAKEN credentials are based on an X.509 credential system. X.509 is a specific standard for a type
of public key infrastructure system that uses certificates to facilitate secure Internet communications. See generally
IETF, Internet x.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, RFC 5280
(2008), https://tools.ietf.org/html/rfc5280.
36

This role is currently filled by the Secure Telephone Identity Governance Authority. Secure Telephone Identity
Governance Authority, STI Governance Authority, https://www.atis.org/sti-ga/ (last visited Sept. 3, 2020).
37

After a request for proposals process, the Governance Authority selected iconectiv to fill this role. Press Release,
ATIS, Mitigating Illegal Robocalling Advances with Secure Telephone Identity Governance Authority Board’s
Selection of iconectiv as Policy Administrator (May 30, 2019), https://sites.atis.org/insights/mitigating-illegalrobocalling-advances-with-secure-telephone-identity-governance-authority-boards-selection-of-iconectiv-as-policyadministrator/.
38

As the Policy Administrator, iconectiv vets and approves organizations interested in serving as a Certification
Authority. See Press Release, STI Governance Authority, Certification Authority registration now open for U.S.
Calling Number Verification Service (Dec. 6, 2019), https://www.atis.org/sti-ga/news/docs/certification-authorityregistration-now-open-for-us-calling-number-verification-service.pdf. The Policy Administrator website reflects
that here are currently two approved Certification Authorities. See Approved Certification Authorities, iconectiv,
https://authenticate.iconectiv.com/approved-certification-authorities%C2%A0 (last visited Sept. 3, 2020).
39

6

Federal Communications Commission

FCC 20-136

certification authority.40 Voice service providers use the digital certificates to indicate that they are
trusted members of the ecosystem and their assertions to a calling party’s identity should be accepted.41
12.
Under the current Governance Authority rules, a voice service provider must meet certain
requirements to receive a certificate.42 Specifically, a voice service provider must have a current FCC
Form 499A on file with the Commission, have been assigned an Operating Company Number (OCN),
and have direct access to telephone numbers from the North American Numbering Plan Administrator
(NANPA) and the National Pooling Administrator.43 The Governance Authority reviews this policy “at
least on a quarterly basis,” or as needed.44
13.
Commission Action to Promote STIR/SHAKEN. In 2017, the Commission released a
Notice of Inquiry into STIR/SHAKEN, launching a broad examination of how to expedite its
development and implementation.45 The Commission directed its expert advisory committee on
numbering, the North American Numbering Council (NANC), to recommend “criteria by which a
[Governance Authority] should be selected” and “a reasonable timeline or set of milestones for adoption
and deployment” of STIR/SHAKEN.46 In its May 2018 report,47 the NANC made a number of
recommendations regarding establishing and organizing a governance system and promoting
STIR/SHAKEN implementation, which Chairman Pai then accepted.48 In November 2018, Chairman Pai
sent letters to 14 major voice service providers urging them to implement a robust caller ID authentication
framework by the end of 2019, asking providers for specific details on their progress and plans.49 In June
2019, the Commission adopted a Declaratory Ruling and Third Further Notice of Proposed Rulemaking
that proposed and sought comment on mandating implementation of STIR/SHAKEN in the event that
major voice service providers did not voluntarily implement the framework by the end of 2019.50
Commission staff closely tracked the implementation progress of major voice service providers.51 In
December 2019, Congress enacted the TRACED Act, which contains numerous provisions directed at
addressing robocalls, including through implementation of STIR/SHAKEN.52 Among other provisions
40

First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3246, para. 10.

41

See First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3246, para. 9.

See STI Governance Authority, STI-GA Policy Decisions Document (2020), https://sti-ga.atis.org/wpcontent/uploads/2020/04/200211-STIGA-Board-Policy.pdf (STI Governance Authority Policy Decisions
Document).
42

43

Id. at 1.

44

Id. at 1.

45

See Call Authentication NOI, 32 FCC Rcd 5988.

Letter from Kris Anne Monteith, Chief, Wireline Competition Bureau, FCC, to Travis Kavulla, Chair, NANC at
1-2 (Dec. 7, 2017).
46

Call Authentication Trust Anchor Working Grp., N. Am. Numbering Council, Report on Selection of Governance
Authority and Timely Deployment of SHAKEN/STIR (2018), http://nancchair.org/docs/mtg_docs/May_18_Call_Authentication_Trust_Anchor_NANC_Final_Report.pdf.
47

Press Release, FCC, Chairman Pai Welcomes Call Authentication Recommendations from the North American
Numbering Council (May 14, 2018), http://nancchair.org/docs/mtg_docs/May18_FCC_Chairman_Welcomes_CATA_Recommendations.pdf.
48

See Press Release, FCC, Chairman Pai Calls on Industry to Adopt Anti-Spoofing Protocols to Help Consumers
Combat Scam Robocalls (Nov. 5, 2018), https://docs.fcc.gov/public/attachments/DOC-354933A1.pdf.
49

50

See 2019 Robocall Declaratory Ruling and Further Notice, 34 FCC Rcd at 4898-99, para. 71.

51

See First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3249-51, paras. 17-21.

52

See TRACED Act § 4.

7

Federal Communications Commission

FCC 20-136

regarding caller ID authentication, the TRACED Act directed the Commission to require, no later than 18
months from enactment, all voice service providers to implement STIR/SHAKEN in the IP portions of
their networks and implement an effective caller ID authentication framework in the non-IP portions of
their networks.53
14.
In March of this year, we released the First Caller ID Authentication Report and Order
and Further Notice in which we adopted rules requiring voice service providers to implement the
STIR/SHAKEN caller ID authentication framework in the IP portions of their networks by June 30,
2021.54 We also proposed and sought comment on requirements to strengthen STIR/SHAKEN to
implement the TRACED Act. First, we proposed to extend the STIR/SHAKEN implementation mandate
to intermediate providers and require them to both pass authenticated caller ID information unaltered and to
authenticate unauthenticated calls they receive.55 Second, turning to TRACED Act implementation, we
proposed to grant an extension for compliance with the implementation mandate for certain categories of
voice service providers, specifically small voice service providers and voice service providers that
materially rely on non-IP networks.56 Third, we proposed to require voice service providers using non-IP
technology, which cannot support STIR/SHAKEN, to either (i) upgrade their networks to IP to enable
STIR/SHAKEN implementation or (ii) work to develop non-IP caller ID authentication technology.57
Fourth, we proposed to implement a process, as directed by the TRACED Act, pursuant to which voice
service providers may become exempt from the STIR/SHAKEN implementation mandate if we determine
that they have achieved certain implementation benchmarks.58 Fifth, we proposed to prohibit voice service
providers from imposing additional line item charges on consumer and small business subscribers for caller
ID authentication.59 Sixth, we sought comment on how to address consumer confusion or competition
issues related to call labeling.60 Finally, we sought comment, as directed by the TRACED Act, on whether
and how to modify our policies regarding access to numbering resources to help reduce illegal robocallers’
access.61
15.
Implementation Progress. As reported previously, major voice service providers fell into
one of three categories regarding their implementation progress by the end of 2019: (1) voice service
providers that upgraded their networks to support STIR/SHAKEN and began exchanging authenticated
traffic with other voice service providers; (2) voice service providers that upgraded their networks to
support STIR/SHAKEN but had not yet begun exchanging authenticated traffic with other voice service
providers; and (3) voice service providers that had achieved limited, if any, progress towards upgrading
their networks to support STIR/SHAKEN.62 Since the end of 2019, several major voice service providers
have announced further progress in STIR/SHAKEN implementation. In February 2020, T-Mobile

53

Id. § 4(b)(1).

54

First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3252, para. 24.

55

Id. at 3270-75, paras. 61-71.

56

Id. at 3276-78, 3279-80, paras. 75-84, 86-89.

57

Id. at 3283-84, paras. 96-101.

58

Id. at 3285-89, paras. 102-118.

59

Id. at 3289-90, paras. 119-120.

Id. at 3290-91, para. 121. We are continuing to monitor when and how terminating voice service providers label
calls based on STIR/SHAKEN information and will not act on this matter at this time.
60

Id. at 3292-96, paras. 123-130. We are continuing to review the record regarding access to numbering resources and
will not act on this matter at this time.
61

62

See id. at 3249-51, paras 17-21.

8

Federal Communications Commission

FCC 20-136

announced that it began exchanging authenticated traffic with Sprint,63 and in March 2020, Bandwidth
announced that it has begun exchanging authenticated traffic with T-Mobile.64 In addition to the 14 major
voice service providers discussed in detail in the First Caller ID Authentication Report and Order and
Further Notice, other voice service providers and intermediate providers have made progress toward
STIR/SHAKEN implementation as well.65 The Governance Authority reports that 34 voice service
providers have been approved to participate in the STIR/SHAKEN framework through the governance
system; 9 providers have completed the testing process and are finalizing their approval; and 52 providers
have begun registration and are in some stage of the testing process.66
III.

SECOND REPORT AND ORDER

16.
Today, we take the next steps to promote the widespread deployment of caller ID
authentication technology and implement the TRACED Act. In the Report and Order, we first address the
definitions and scope of several terms used in the TRACED Act. Next, we adopt rules on caller ID
authentication in non-IP networks. We assess the burdens and barriers to implementation faced by various
categories of voice service providers and adopt extensions to the STIR/SHAKEN mandate based on our
assessment. We also establish the required robocall mitigation program that voice service providers with an
extension must implement and elaborate on the annual reevaluation process for extensions required by the
TRACED Act. We then adopt rules implementing the exemption mechanism established by the TRACED
Act for voice service providers that meet certain criteria regarding early STIR/SHAKEN implementation.
We prohibit voice service providers from imposing additional line item charges for call authentication
technology. Finally, to avoid gaps in a call path that could lead to the loss of caller ID authentication
information, we expand our STIR/SHAKEN implementation mandate to encompass intermediate providers.
A.

TRACED Act Definitions and Scope

17.
In the First Caller ID Authentication Report and Order and Further Notice, we adopted
definitions of several terms used in the TRACED Act. Specifically, we adopted definitions of
“STIR/SHAKEN authentication framework” and “voice service” that closely align with the statutory
language enacted by Congress.67 To provide an opportunity for further refinement of the definitions we
adopted, we sought comment in the Further Notice on whether to alter or add to them.68 We also
proposed in the Further Notice to interpret “providers of voice service” on a call-by-call basis rather than
See Press Release, T-Mobile, Cross-Network STIR/SHAKEN Rollout Helps Stop Number-Spoofing, Keeping
Consumers Safer from Scammers (Feb. 4, 2020), https://www.t-mobile.com/news/tmobile-sprint-callerverified.
63

See Press Release, Bandwidth, Bandwidth Announces Successful STIR/SHAKEN Interop with T-Mobile (Mar.
25, 2020), https://investors.bandwidth.com/news-releases/news-release-details/bandwidth-announces-successfulstirshaken-interop-t-mobile.
64

See e.g., Press Release, T-Mobile, T-Mobile, Comcast and Inteliquent Deliver Industry First in War Against
Illegal Call Spoofing (Nov. 21, 2019), https://www.t-mobile.com/news/press/tmobile-comcast-inteliqent; Press
Release, Brightlink, Brightlink Takes on Robocalling with STIR/SHAKEN Solution (Feb. 26, 2020),
https://www.brightlink.com/brightlink-takes-on-robocalling-with-stir-shaken-solution/; Press Release, Twilio,
Twilio Begins Signing Enterprise Calls Using SHAKEN/STIR Protocols to Help Stop Illegal Robocalls for Business
Users (April 8, 2020), https://www.twilio.com/press/releases/twilio-begins-signing-calls-using-shakenstir-to-stopillegal-robocalls; Press Release, Quality Voice & Data, Quality Voice & Data Attains Authorized SHAKEN Service
Provider Status (May 26, 2020), https://qualityvoicedata.com/2020/05/26/quality-voice-data-attains-authorizedshaken-service-provider-status/.
65

ATIS, STI-GA NANC Update at 0:16:40 (July 28, 2020),https://www.fcc.gov/news-events/events/2020/07/northamerican-numbering-council-meeting-0; see also iconectiv, Authorized Service Providers,
https://authenticate.iconectiv.com/authorized-service-providers-authenticate (last visited Sept. 3, 2020) (listing
approved voice service providers).
66

67

First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3268-69, paras. 58-59.

68

See id.

9

Federal Communications Commission

FCC 20-136

a provider-by-provider basis in order to best effectuate Congressional direction.69 In other words, we
proposed evaluating whether a specific entity is a voice service provider (i.e., “provider of voice service”)
within the meaning of the TRACED Act on the basis of the entity’s role with respect to a particular call,
rather than based on the entity’s characteristics as a whole. Today, we reaffirm our definitions of
“STIR/SHAKEN authentication framework” and “voice service,” and adopt a rule codifying our proposed
interpretation of “providers of voice service.”
18.
Definition of “STIR/SHAKEN Authentication Framework.” The definition of
“STIR/SHAKEN authentication framework” that we adopted in the First Caller ID Authentication Report
and Order and Further Notice closely tracks the language Congress used in the TRACED Act.70 In the
Report and Order, we defined “STIR/SHAKEN authentication framework” as “the secure telephone
identity revisited and signature-based handling of asserted information using tokens standards.”71 We did
not receive any comments in the record seeking clarification, so we reaffirm the definition we adopted
previously.
19.
Definition of “Voice Service.” We next reaffirm the definition of “voice service” that we
adopted in the First Caller ID Authentication Report and Order and Further Notice.72 Specifically, we
defined “voice service” as a service “that is interconnected with the public switched telephone network
and that furnishes voice communications to an end user,” and which includes “without limitation, any
service that enables real-time, two-way voice communications, including any service that requires [IP]compatible customer premises equipment . . . and permits out-bound calling, whether or not the service is
one-way or two-way voice over [IP].”73 The definition we adopted is identical to the language Congress
included in the TRACED Act.74 We explained in the First Caller ID Authentication Report and Order and
Further Notice that, based on the definition of “voice service” we adopted, our STIR/SHAKEN rules
apply to “all types of voice service providers—wireline, wireless, and Voice over Internet Protocol
(VoIP) providers,” including both two-way and one-way interconnected VoIP providers.75 And we
clarified that voice service providers which lack control over the network infrastructure necessary to
implement STIR/SHAKEN are not subject to our implementation requirements.76 Commenters that

69

Id. at 3269-70, para. 60.

See TRACED Act § 4(a)(1) (defining “STIR/SHAKEN authentication framework” as “the secure telephone
identity revisited and signature-based handling of asserted information using tokens standards proposed by the
information and communications technology industry.”); First Caller ID Authentication Report and Order and
Further Notice, 35 FCC Rcd at 3268-69, para. 58.
70

71

Id. at 3258-59, para. 36. We also elaborated on the scope of the standards encapsulated within the definition. Id.

Id. at 3259, para. 37; 47 CFR § 64.6300(g) (establishing that “voice service” “(1) [m]eans any service that is
interconnected with the public switched telephone network and that furnishes voice communications to an end user
using resources from the North American Numbering Plan or any successor to the North American Numbering Plan
adopted by the Commission under section 251(e)(1) of the Communications Act of 1934, as amended; and (2)
[i]ncludes—(i) [t]ransmissions from a telephone facsimile machine, computer, or other device to a telephone facsimile
machine; and (ii) [w]ithout limitation, any service that enables real-time, two-way voice communications, including
any service that requires Internet Protocol-compatible customer premises equipment and permits out-bound calling,
whether or not the service is one-way or two-way voice over Internet Protocol.”).
72

First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3259, para. 37 (internal
quotation marks removed) (emphasis removed).
73

74

See TRACED Act § 4(a)(2).

First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3259-60, para. 39, n.145
(internal quotation marks removed).
75

76

Id. at 3260, para. 40.

10

Federal Communications Commission

FCC 20-136

address the issues nearly unanimously support our definition and interpretation of “voice service,”77
though several commenters seek further clarification.
20.
First, NCTA and CenturyLink advocate for us to interpret our rules to apply to “over-thetop (OTT) service that possess technical control over the origination of calls on their platforms.”78 No
commenter opposed these requests. We reiterate our belief that for STIR/SHAKEN to be successful,
every service provider capable of implementing the framework must participate.79 We therefore conclude
that to the extent a provider of OTT service provides “voice service,”80 and has control of the relevant
network infrastructure to implement STIR/SHAKEN,81 it is subject to our rules.
21.
NCTA further encourages us to revise the current definition of “interconnected VoIP”
found in section 9.3 of our rules in order to “harmonize” it with our caller ID authentication regulations.82
Section 9.3 generally limits “interconnected VoIP service” to two-way interconnected VoIP and only
includes one-way VoIP as “interconnected VoIP” in the context of the Commission’s 911 obligations.83
We understand the definition of “voice service” that Congress adopted in the TRACED Act to encompass
both two-way and one-way interconnected VoIP.84 Because we rely on the statutory term “voice service”
and because the meaning of that term is not limited by the definition of “interconnected VoIP” in section
9.3 of our rules, we see no reason to revisit of the definition of interconnected VoIP in section 9.3 in this
proceeding.
22.
Second, Microsoft argues that the definition of “voice service” should be read to exclude
inbound-only VoIP service.85 Microsoft argues that this service is outside the scope of the
STIR/SHAKEN standards,86 and that the reference to service that “permits out-bound calling” in the
See CenturyLink Reply, WC Docket Nos. 17-97 and 20-67, at 9 (rec. May 29, 2020) (CenturyLink Reply);
Microsoft Reply, WC Docket Nos. 17-97 and 20-67, at 2 (rec. May 29, 2020) (Microsoft Reply); NCTA – The
Internet & Television Association Comments, WC Docket Nos. 17-97 and 20-67, at 4-6 (rec. May 15, 2020) (NCTA
Comments). Noble Systems argues that the Commission should interpret our definition of “voice service” broadly to
encompass intermediate providers. See Noble Systems Corporation Comments, WC Docket Nos. 17-97 and 20-67, at
11-13 (rec. May 12, 2020) (Noble Systems Comments). We maintain our belief that the statutory language of the
TRACED Act forecloses this interpretation by specifying that “voice service” means a service that “furnishes voice
communications to an end user.” TRACED Act § 4(a)(2)(A).
77

NCTA Comments at 4-5; see also CenturyLink Reply at 9 (agreeing with NCTA’s approach and noting that
“[p]roviders that operate platforms such as Skype and Microsoft Teams have the technical control over their
platforms to implement STIR/SHAKEN, unlike MVNOs and other resellers that lack such control”); Microsoft
Reply at 3 (agreeing that “outbound calls placed using services or features that interconnect with the PSTN are
subject to STIR/SHAKEN requirements”).
78

79

First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3259-60, para. 39.

80

47 CFR § 64.6300(g).

See First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3260, para. 40 (“[W]e
clarify that the rules we adopt today do not apply to providers that lack control of the network infrastructure
necessary to implement STIR/SHAKEN.”).
81

82

NCTA Comments at 5-6 n.9; 47 CFR § 9.3; but see Microsoft Reply at 4.

83

See 47 CFR § 9.3.

See First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3259-60, para. 39 n.145;
see also Second Truth in Caller ID Order, 34 FCC Rcd at 7313-14, para. 25 (interpreting the substantially similar
definition of “voice service” that Congress provided in the RAY BAUM’s Act to “both include and be more expansive
than” the definition of “interconnected VoIP service” already within our rules and to include both two-way and oneway interconnected VoIP service.).
84

85

See Microsoft Reply at 3-4.

86

Id.

11

Federal Communications Commission

FCC 20-136

TRACED Act definition precludes application of our requirement to inbound-only VoIP service. We
disagree. We understand the TRACED Act—which defines “voice service” to mean “any service that is
interconnected with the public switched telephone network and that furnishes voice communications to an
end user” and includes, “without limitation, any service that enables real-time, two-way voice
communications, including any service that . . . permits out-bound calling”—to establish a broad concept
of voice service.87 We read the phrase “without limitation” as indicating that the subsequent phrase
“permits out-bound calling” is not a limitation on the initial, general definition of “voice service,” which
encompasses in-bound VoIP. Similarly, in the context of our Truth in Caller ID rules, we interpreted the
term “interconnected” as used in a substantially similar definition of “voice service” in the RAY BAUM’s
Act to include any service that allows voice communications either to or from the public switched
telephone network (PSTN), regardless of whether inbound and outbound communications are both
enabled within the same service.88 Because our STIR/SHAKEN rules impose obligations on both the
originating and terminating side of a call, we believe that this broad reading of “interconnected” is also
appropriate here. Further, reaching in-bound VoIP advances the purposes of the TRACED Act and
widespread caller ID authentication. Our rules, consistent with the ATIS standards, require a voice
service provider terminating a call with authenticated caller ID information to verify that information
according to the STIR/SHAKEN framework.89 We thus reject Microsoft’s argument that reaching inbound VoIP is unnecessary because the standards comprising STIR/SHAKEN do not assign actions to be
taken when terminating a call.90
23.
Definition of “Providers of Voice Service”—Call-by-Call Basis. Congress directed many
of the TRACED Act caller ID authentication requirements to “providers of voice service.” We proposed
in the First Caller ID Authentication Report and Order and Further Notice to interpret “providers of voice
service” on a call-by-call—rather than entity-by-entity—basis.91 Under this interpretation, a provider of
voice service is not subject to TRACED Act requirements for all services simply because some of its
services fall under the definition of “voice service.”92 Instead, only those services that meet the TRACED
Act definition of “voice service” are subject to TRACED Act obligations.93 We adopt our proposal. Both
commenters that addressed the issue support our proposal.94 We find that the call-by-call approach best
fits the TRACED Act’s structure because it gives meaning to Congress’s inclusion of a definition for
“voice service” and because it best comports with the TRACED Act’s allocation of duties on the basis of
call technology, e.g., differentiating duties between calls over IP and non-IP networks.
B.

Caller ID Authentication in Non-IP Networks

24.
The TRACED Act directs us, not later than June 30, 2021, to require voice service
providers to take “reasonable measures” to implement an effective caller ID authentication framework in

87

TRACED Act § 4(a)(2)(A), (B)(ii) (emphasis added).

88

See Second Truth in Caller ID Order, 34 FCC Rcd at 7314, para. 25.

First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3257, para. 33; see also 47
CFR § 64.6301(a)(3) (placing obligation on a terminating voice service provider when it receives a call with
authenticated caller ID information).
89

90

See Microsoft Reply at 3-4.

91

First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3269-70, para. 60.

92

See id.

93

See id.

NCTA Comments at 6-7 (“the Commission should define a ‘provider’ of voice service on a call by call basis”);
Noble Systems Comments at 16 (writing that “[a]dopting a call-by-call approach does have merit and seems to be
preferable”).
94

12

Federal Communications Commission

FCC 20-136

the non-IP portions of their networks.95 Given the large proportion of TDM-based networks still in use,
we expect a significant number of calls to be outside the STIR/SHAKEN authentication framework in the
near term. In light of this, it is critically important that we take strong action to address the issue of caller
ID authentication in non-IP networks. To that end, we interpret the TRACED Act’s requirement that a
voice service provider take “reasonable measures” to implement an effective caller ID authentication
framework in the non-IP portions of its network as being satisfied only if the voice service provider is
actively working to implement a caller ID authentication framework on those portions of its network. A
voice service provider satisfies this obligation by either (1) completely upgrading its non-IP networks to
IP and implementing the STIR/SHAKEN authentication framework on its entire network, or (2) working
to develop a non-IP authentication solution. We adopt rules accordingly, and find that this approach best
balances our goal of promoting the IP transition while simultaneously encouraging the development of a
non-IP authentication solution for the benefit of those networks that cannot be speedily or easily
transitioned.96 By adopting rules that are not overly burdensome, we leave voice service providers free to
prioritize transitioning to IP, and we strongly encourage voice service providers to take advantage of this
opportunity to do so.97
25.
In the First Caller ID Authentication Report and Order and Further Notice, we proposed
that a voice service provider satisfies the “reasonable measures” requirement under section 4(b)(1)(B) of
the TRACED Act if it is able to provide us, upon request, with documented proof that it is participating,
either on its own or through a representative, as a member of a working group, industry standards group,
or consortium that is working to develop a non-IP solution, or actively testing such a solution.98 We
explained that this proposal was consistent with our proposed approach to assessing whether a voice
service provider is making “reasonable efforts” to develop a caller ID authentication protocol in the
context of determining whether to limit or terminate an extension of compliance granted under section
4(b)(5)(B) for non-IP networks. We adopt a new rule reflecting this proposal and clarify its specific
requirements.
26.
Under our rule, a voice service provider satisfies its obligations if it participates through a
third-party representative, such as a trade association of which it is a member or vendor. While our
proposal did not include mention of trade associations or vendors, we agree with CCA that it would be
best to broaden the scope of this requirement by including such representatives within the bounds of our
requirement.99 Some industry groups have already established working groups dedicated to examining
potential non-IP call authentication technologies.100 Allowing for such representatives will reduce the
burden of this obligation on individual voice service providers and minimize the potential negative impact
of broad and inexpert participation identified in the record,101 while ensuring that all voice service
95

See TRACED Act § 4(b)(1)(B).

See NTCA Comments at 20 (stating that “the Commission is right to strongly encourage the voice service industry
to develop effective solutions implementable in non-IP networks”).
96

See ATIS Comments, WC Docket Nos. 17-97 and 20-67, at 4-5 (rec. May 15, 2020) (ATIS Comments) (arguing
that “[i]nstead of focusing on developing a TDM call authentication solution . . . the Commission should facilitate
the industry’s transition to IP”); Comcast Comments at 2; NTCA Comments at 19; Telnyx LLC Comments, WC
Docket Nos. 17-97 and 20-67, at 2-3 (rec. May 15, 2020) (Telnyx Comments); T-Mobile Comments, WC Docket
Nos. 17-97 and 20-67, at 2-4 (rec. May 15, 2020) (T-Mobile Comments); Twilio Comments, WC Docket Nos. 17-97
and 20-67, at 15 (rec. May 15, 2020) (Twilio Comments) (noting that the IP transition would allow
“STIR/SHAKEN identity tokens to be exchanged from one end of the network to another”).
97

98

First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3282, para. 96.

See Competitive Carriers Association Comments, WC Docket Nos. 17-97 and 20-67, at 7 (rec. May 15, 2020)
(CCA Comments).
99

100

See ATIS Comments at 4.

101

See CTIA Comments, WC Docket Nos. 17-97 and 20-67, at 17-18 (rec. May 15, 2020) (CTIA Comments).

13

Federal Communications Commission

FCC 20-136

providers remain invested in developing a solution for non-IP caller ID authentication. A wider range of
efforts will encourage a greater number of industry partnerships, increasing resource and information
sharing and speeding the development of a non-IP solution.
27.
We expect the benefits of this approach to be numerous, and the costs to voice service
providers comparatively small. While some commenters provided estimates of the cost of replacing their
non-IP networks,102 none provided estimates of the cost of working to develop a caller ID authentication
solution for non-IP networks. Given that our firm but flexible approach permits voice service providers
to satisfy this obligation by participating either on their own or through a representative, as members of a
working group or consortium that is working to develop or actively testing a non-IP solution, we expect
that any related compliance costs will be quite limited. By comparison, the benefits of voice service
providers either upgrading their non-IP networks to IP to support STIR/SHAKEN or working to develop
a caller ID authentication solution for non-IP networks will be considerable, not only in the less tangible
benefits they will have for consumers by reducing the waste and frustration resulting from illegal
robocalls, but in terms of actual monetary savings. Indeed, as we found in the First Caller ID
Authentication Report and Order and Further Notice, the monetary benefits of STIR/SHAKEN are likely
to be in the billions of dollars.103 The greater the number of voice service providers that implement an
effective caller ID authentication framework—either by upgrading their non-IP networks to IP and
implementing STIR/SHAKEN, or by developing and implementing an effective non-IP solution—the
more effective these frameworks will be in combatting illegal robocalls, and the more of the expected
benefits will be realized. Thus, the rules we adopt today will help achieve these savings while
simultaneously minimizing the cost of compliance.
28.
We disagree with ATIS’s contention that we should not adopt rules governing non-IP
caller ID authentication until the joint ATIS/SIP Forum IP-NNI Task Force concludes its work
investigating the viability of non-IP caller ID authentication frameworks.104 Given that this task force is
precisely the kind expressly contemplated, and indeed, mandated, by our order today, we see no reason to
delay these rules. Indeed, the Task Force’s existence is confirmation that we have construed the
“reasonable measures” standard in a manner that appropriately dovetails with current industry efforts to
develop a non-IP solution.105 Further, the rules we adopt today are required by Congressional direction to
mandate voice service providers to take “reasonable measures” to implement a non-Internet Protocol no
later than June 30, 2021; we have no discretion to wait until a given task force has concluded its work to
adopt rules.
29.
Although CTIA argues that requiring voice service providers to participate in industry
standards groups committed to developing or actively testing a non-IP solution “may not improve the
development” of such solutions, and would in fact “divert resources from STIR/SHAKEN deployment
and other robocalls mitigation efforts,” it offers no alternative interpretation of the “reasonable measures”

See, e.g., AT&T Reply, WC Docket Nos. 17-97 and 20-67, at 18 (rec. May 29, 2020) (AT&T Reply); Vantage
Point Solutions, Inc. Reply, WC Docket Nos. 17-97 and 20-67, at 11 (rec. May 29, 2020) (Vantage Point Solutions
Reply).
102

See First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3252, para. 25
(estimating that the benefits of eliminating the wasted time and nuisances caused by illegal scam robocalls will
exceed $3 billion annually, and expecting “STIR/SHAKEN paired with call analytics to serve as a tool to effectively
protect American consumers from fraudulent robocalls schemes that cost Americans approximately $10 billion
annually”).
103

See ATIS Comments at 4; see also Alaska Communications Reply, WC Docket Nos. 17-97 and 20-67, at 7 (rec.
May 29, 2020) (Alaska Communications Reply).
104

We note that in its comments, ATIS offers no alternative suggestions of what should qualify as “reasonable
measures” for purposes of satisfying the requirement under section 4(b)(1)(B) of the TRACED Act.
105

14

Federal Communications Commission

FCC 20-136

standard mandated by Congress in the TRACED Act.106 We must impose a meaningful mandate to fulfill
Congress’s direction to require “reasonable measures to implement” a non-IP caller ID authentication
solution.107 Requiring voice service providers that choose not to upgrade their non-IP networks to IP to
contribute to groups and organizations that are working to test or develop a non-IP solution strikes a
balance between promoting caller ID authentication solutions for TDM networks, as required by the
TRACED Act, and leaving resources free to invest in IP networks. By allowing participation through a
working group, consortium, or trade association, we allow voice service providers to efficiently pool their
expertise and resources with the goal of not replicating one another’s efforts and more efficiently
developing a non-IP solution. We therefore are not convinced by CTIA’s arguments that the requirement
we adopt will unduly stunt STIR/SHAKEN deployment or that voice service providers will have “few
resources left to dedicate to industry standards groups.”108
30.
We are likewise unconvinced by TransNexus’s conclusory claim that participating in a
working group would not constitute a “reasonable effort” to implement an effective caller ID
authentication framework on non-IP networks.109 Contributing to an industry-led body dedicated to
pooling expertise and resources in the hopes of developing and/or testing non-IP solutions is a reasonable
and efficient strategy for encouraging the creation and deployment of such solutions.
31.
Out-of-Band STIR. We decline to mandate out-of-band STIR for non-IP networks. Outof-band STIR is a proposed non-IP solution whereby caller ID authentication information is sent across
the Internet, out-of-band from the call path.110 Commenters have widely divergent views as to the
viability of out-of-band STIR as a method of effective caller ID authentication in non-IP networks. While
a handful advocate for the implementation of out-of-band STIR as the best method of ensuring effective
call authentication in non-IP networks,111 with Neustar even claiming that this solution should be widely
available in advance of the June 30, 2021 implementation deadline,112 many others contend that out-ofCTIA Comments at 17-18 (suggesting only that the Commission interpret the requirement “flexibly and consider
a range of efforts to be reasonable,” without offering any examples as to what form such efforts might take).
106

107

TRACED Act § 4(b)(1)(B).

108

CTIA Comments at 17.

See TransNexus Comments, WC Docket Nos. 17-97 and 20-67, at 8-9 (rec. May 15, 2020) (TransNexus
Comments).
109

See Cloud Communications Alliance Comments, WC Docket Nos. 17-97 and 20-67, at 6-7 (rec. May 15, 2020)
(Cloud Communications Alliance Comments); NTCA Comments at 18-21; TransNexus Comments at 5-10; Twilio
Comments at 16; WTA Comments at 6-7; Letter from Joe White, Chief Technology Officer, Brightlink, to Marlene
H. Dortch, Secretary, FCC, WC Docket Nos. 17-97, 20-67, at 2 (filed May 15, 2020) (Brightlink May 15, 2020 Ex
Parte); Inteliquent Reply, WC Docket Nos. 17-97 and 20-67, at 1-3 (rec. May 29, 2020) (Inteliquent Reply);
Neustar Reply, WC Docket Nos. 17-97 and 20-67, at 2, 4-7 (rec. May 29, 2020) (Neustar Reply); Wabash
Communications Reply, WC Docket Nos. 17-97 and 20-67, at 1-2 (rec. May 29, 2020) (Wabash Communications
Reply).
110

See Cloud Communications Alliance Comments at 6-7; NTCA Comments at 18-21; TransNexus Comments at 510; Twilio Comments at 16; WTA – Advocates for Rural Broadband Comments, WC Docket Nos. 17-97 and 2067, at 6-7 (rec. May 15, 2020) (WTA Comments); Brightlink May 15, 2020 Ex Parte at 2; Inteliquent Reply at 1-3;
Neustar Reply at 2, 4-7; Wabash Communications Reply at 1-2; Letter from Jim Dalton, CEO, TransNexus, to
Marlene H. Dortch, Secretary, FCC, WC Docket Nos. 17-97, 20-67, at 1-3 (filed July 23, 2020); see also Vantage
Point Solutions Reply at 14-15. While TransNexus refers specifically to “out-of-band SHAKEN,” which it
describes as a “specific use case” of out-of-band STIR, we consider all of the references in the record to out-of-band
solutions to refer to the same general concept where the Identity header is sent across the Internet outside of the call
path. See TransNexus Comments at 5.
111

See Neustar, Inc. Comments, WC Docket Nos. 17-97 and 20-67, at 8-9 (rec. May 15, 2020) (Neustar Comments);
see also Neustar Reply at 2, 4-7.
112

15

Federal Communications Commission

FCC 20-136

band STIR is not yet a viable solution.113 Comcast claims that out-of-band STIR is an untested, timeconsuming, and costly solution that would require the re-creation of multiple network functions in parallel
to IP networks.114 Given the undeniably sharp divide between commenters and the absence of sufficient
testing and implementation to demonstrate the viability of out-of-band STIR as an industrywide solution,
we find that it is not possible to conclude, based on the record before us, that out-of-band STIR is an
effective non-IP solution. We find that significant industry consensus is an important predicate to
deeming a non-IP solution “effective,” given that cross-network exchange of authenticated caller ID
information is a central component to caller ID authentication. Thus, we cannot at this time mandate
adoption of out-of-band STIR by voice service providers in the non-IP portions of their networks.115 At
the same time, we observe that opponents of this technology have offered no meaningful alternative
solutions. To those that would oppose this possible solution without mention of an alternative, we take
this opportunity to note that standards work requires both constructive input and compromise on the part
of all parties and stakeholders.
32.
Effective Non-IP Caller ID Authentication Framework. As we explain in the context of
the extension of the implementation deadline for certain non-IP networks, we will continue to evaluate
whether an effective non-IP caller ID authentication framework emerges from the ongoing work that we
require. Consistent with that section, we will consider a non-IP caller ID authentication framework to be
effective only if it is: (1) fully developed and finalized by industry standards; and (2) reasonably available
such that the underlying equipment and software necessary to implement such protocol is available on the
commercial market.116 If and when we identify an effective framework, we expect to revisit our
“reasonable measures” requirement and shift it from focusing on development to focusing on
implementation. We encourage voice service providers and others to put forward a framework they view
as effective for our consideration. We also will continue to monitor progress in developing a non-IP
authentication solution and may revisit our approach to the TRACED Act’s “reasonable measures”
requirement if we find that industry has failed to make sufficient progress in either transitioning to IP or
developing a consensus non-IP authentication solution. We stand ready to pursue additional steps to
See ATIS Comments at 4; AT&T Comments, WC Docket Nos. 17-97 and 20-67, at 12 (rec. May 15, 2020)
(AT&T Comments) (stating that “no STIR/SHAKEN-equivalent solution for TDM networks has been developed by
standards bodies,” and that out-of-band STIR “at this time remains a proposal rather than a fully developed
standard”); CCA Comments at 4; Comcast Comments at 2-3, 5-7; NTCA Comments at 12-13; Telnyx Comments at
2; USTelecom Comments, WC Docket Nos. 17-97 and 20-67, at iii (rec. May 15, 2020) (USTelecom Comments),
21-22; Verizon Comments, WC Docket Nos. 17-59, 17-97, and 20-67, at 2, 18 (rec. May 15, 2020) (Verizon
Comments); Voice on the Net Coalition Comments at 2-3, WC Docket Nos. 17-97 and 20-67,(rec. May 15, 2020)
(VON Comments); Letter from Beth Choroser, Vice President, Regulatory Affairs, Comcast Corporation, to
Marlene H. Dortch, Secretary, FCC, WC Docket Nos. 17-97, 20-67, at 1 (filed May 12, 2020) (Comcast May 12,
2020 Ex Parte); Alaska Communications Reply at 7-8; AT&T Reply at 19-20; CenturyLink Reply at 14-15;
Comcast Reply, WC Docket Nos. 17-97 and 20-67, at 1-3, 4-5 (rec. May 29, 2020) (Comcast Reply); USTelecom –
The Broadband Association Reply, WC Docket Nos. 17-97 and 20-67, at 5-7 (rec. May 29, 2020) (USTelecom
Reply); Verizon Reply, WC Docket Nos. 17-97 and 20-67, at 19-21 (rec. May 29, 2020) (Verizon Reply).
113

114

See Comcast May 12, 2020 Ex Parte at 1.

This finding is in accord with our preliminary view in the First Caller ID Authentication Report and Order and
Further Notice that out-of-band STIR is still in its infancy and is not sufficiently widespread or readily available to
be implemented. See First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3282-84,
para. 97. The TRACED Act itself implies that no viable non-IP solution existed at the time of enactment because it
directs us to grant an extension for voice service providers that “materially rel[y] on a non-[IP] network . . . until a
call authentication protocol has been developed for calls delivered over non-[IP] networks and is reasonably
available.” TRACED Act § 4(b)(5)(B).
115

An effective framework would exist when the fundamental aspects of the protocol are standardized and
implementable by industry and the equipment and software necessary for implementation is commercially available.
See infra paras. 65-69.
116

16

Federal Communications Commission

FCC 20-136

ensure more fulsome caller ID authentication in non-IP networks, including by revisiting our nonprescriptive development-based approach if needed.
33.
Legal Authority. We find authority for these rules under section 4(b)(1)(B) of the
TRACED Act. That section expressly directs us to obligate voice service providers to take “reasonable
measures” to implement an effective caller ID authentication framework in the non-IP portions of their
networks and is a clear source of authority for these non-IP obligations.117
34.
We also conclude that section 251(e) of the Communications Act of 1934, as amended
(the Act), provides additional independent authority to adopt these rules. Section 251(e) provides us
“exclusive jurisdiction over those portions of the North American Numbering Plan (NANP) that pertain
to the United States.”118 Pursuant to this provision, we retain “authority to set policy with respect to all
facets of numbering administration in the United States.”119 Our exclusive jurisdiction over numbering
policy enables us to act flexibly and expeditiously with regard to important numbering matters.120 When
bad actors unlawfully falsify or spoof the caller ID that appears on a subscriber’s phone, they are using
numbering resources to advance an illegal scheme. Mandating that voice service providers take
“reasonable measures” to deploy an effective caller ID authentication framework in the non-IP portions of
their networks will help to prevent the fraudulent exploitation of NANP resources by permitting those
providers and their subscribers to identify when caller ID information has been spoofed. Section 251(e)
thus grants us authority to mandate that voice service providers take “reasonable measures” to implement
an effective caller ID authentication framework in the non-IP portions of their networks in order to
prevent the fraudulent exploitation of numbering resources. Moreover, as the Commission has previously
found, section 251(e) extends to “the use of . . . unallocated and unused numbers”; it thus gives us
authority to mandate that voice service providers implement an effective caller ID authentication
framework to address the spoofing of unallocated and unused numbers.121
35.
Finally, we find authority under the Truth in Caller ID Act. Congress charged us with
prescribing regulations to implement that Act, which made unlawful the spoofing of caller ID information
“in connection with any voice service or text messaging service . . . with the intent to defraud, cause
harm, or wrongfully obtain anything of value.”122 Given the constantly evolving tactics by malicious
callers to use spoofed caller ID information to commit fraud, we find that the rules we adopt today are
necessary to enable voice service providers to help prevent these unlawful acts and to protect voice
service subscribers from scammers and bad actors. Thus, section 227(e) provides additional independent

117

See TRACED Act § 4(b)(1)(B).

47 U.S.C. § 251(e); see also Call Authentication NOI, 32 FCC Rcd at 6001, para. 48; Advanced Methods to
Target and Eliminate Unlawful Robocalls, CG Docket No. 17-59, Second Notice of Inquiry, 32 FCC Rcd 6007,
6009-10, para. 7 (2017) (“Section 251(e)(1) of the [Act], gives the Commission plenary authority over that portion
of the NANP that pertains to the United States and the Commission has authority to set policy on all facets of
numbering administration in the United States.”) (citing Implementation of the Local Competition Provisions of the
Telecommunications Act of 1996 et al., CC Docket No. 96-98 et al., Second Report and Order and Memorandum
Opinion and Order, 11 FCC Rcd 19392, 19512, para. 271 (1996) (Local Competition Second Report and Order)).
118

119

Local Competition Second Report and Order, 11 FCC Rcd at 19512, para. 271.

120

See id.

See In the Matter of Advanced Methods to Target and Eliminate Unlawful Robocalls, CG Docket No. 17-59,
Report and Order and Further Notice of Proposed Rulemaking, 32 FCC Rcd 9706, 9727, para. 62 (2017). The
Commission previously relied on this authority to make clear that voice service providers may block calls that spoof
invalid, unallocated, or unused numbers, none of which can actually be used to originate a call. See id.
121

122

47 U.S.C. § 227(e)(1); see also 47 CFR § 64.1604(a).

17

Federal Communications Commission

FCC 20-136

authority for these rules.123
C.

Extension of Implementation Deadline

36.
The TRACED Act includes two provisions for extension of the June 30, 2021
implementation date for caller ID authentication frameworks. First, the TRACED Act states that we
“may, upon a public finding of undue hardship, delay required compliance” with the June 30, 2021 date
for caller ID authentication framework implementation for a “reasonable period of time.”124 Second, we
“shall grant a delay of required compliance” with the June 30, 2021 implementation date “to the extent
that . . . a provider or class of providers of voice services, or type of voice calls, materially relies on a
non-[IP] network for the provision of such service or calls” “until a call authentication protocol has been
developed for calls developed over non-[IP] networks and is reasonably available.”125
37.
Under either extension provision, an extension may be provider-specific or apply to a
“class of providers of voice service, or type of voice calls.”126 We must annually reevaluate any granted
extension for compliance.127 When granting an extension of the implementation deadline under either
provision, we must require impacted voice service providers to “implement an appropriate robocall
mitigation program to prevent unlawful robocalls from originating on the network of the provider.”128
38.
Based on these directives and for the reasons discussed below, we grant the following
extensions from implementation of caller ID authentication: (1) a two-year extension to small, including
small rural, voice service providers; (2) an extension to voice service providers that cannot obtain a
certificate due to the Governance Authority’s token access policy until such provider is able to obtain a
certificate; (3) a one-year extension to services scheduled for section 214 discontinuance; and (4) as
required by the TRACED Act, an extension for the parts of a voice service provider’s network that rely
on technology that cannot initiate, maintain, and terminate SIP calls until a solution for such calls is
reasonably available.129 We further direct the Wireline Competition Bureau (Bureau) to reevaluate
extensions annually, and we require any voice service provider that receives an extension to implement
and certify that it has implemented a robocall mitigation program by June 30, 2021.
1.

Assessment of Burdens and Barriers to Implementation and Extensions for
Undue Hardship

39.
The TRACED Act grants us the discretion to extend a voice service provider’s obligation
to comply with the June 30, 2021 caller ID authentication implementation mandate upon a public finding
of undue hardship.130 It states that the extension may be “for a reasonable period of time . . . as necessary
. . . to address the identified burdens and barriers.”131 In connection with our determination of whether to
grant an extension, the TRACED Act specifically directs us, not later than December 30, 2020 “and as
See also 47 U.S.C. § 154(i) (authority to make rules not inconsistent with the Act “as may be necessary in the
execution of [the Commission’s] functions”).
123

124

TRACED Act § 4(b)(5)(A)(ii).

125

Id. § 4(b)(5)(B).

126

Id. §§ 4(b)(5)(A)(ii), 4(b)(5)(B).

127

Id. § 4(b)(5)(F).

128

Id. § 4(b)(5)(C).

If at any point after receiving an extension a voice service provider no longer meets the extension criteria set for
in this Second Report and Order, the extension will terminate. Upon termination of an extension, a voice service
provider will be required to comply with our STIR/SHAKEN implementation mandate immediately. See 47 CFR
§ 64.6301.
129

130

TRACED Act § 4(b)(5)(A)(ii).

131

Id. § 4(b)(5)(A)(ii).

18

Federal Communications Commission

FCC 20-136

appropriate thereafter,” to assess any burdens and barriers to implementation of caller ID authentication
technology by (1) voice service providers that use time-division multiplexing network technology (TDM),
a non-IP network technology; (2) small voice service providers; and (3) rural voice service providers.132
It further directs us to assess burdens and barriers created by the “inability to purchase or upgrade
equipment to support the call authentication frameworks . . . or lack of availability of such equipment.”133
The TRACED Act does not require us to grant undue hardship extensions to the categories of entities for
which we must evaluate burdens and barriers to implementation, nor does it limit us to granting undue
hardship extensions to entities within the categories for evaluation that it identifies. Based upon our
review of the record, including our evaluation of burdens and barriers to implementation by certain
categories of entities as directed by the TRACED Act, we grant extensions to: (1) small, including small
rural, voice service providers; (2) voice service providers that cannot obtain the certificate necessary for
STIR/SHAKEN; and (3) services subject to a discontinuance application. We decline to grant requested
extensions for non-IP services, for larger rural voice service providers, due to equipment unavailability,
for enterprise calls, for intra-network calls, or due to compatibility issues.
40.
Extension for Small Voice Service Providers. The TRACED Act specifically directs us to
evaluate whether to grant an extension based on undue hardship for small voice service providers. In the
First Caller ID Authentication Report and Order and Further Notice, we proposed granting a one-year
implementation extension due to undue hardship for small, including small rural, voice service
providers.134 After reviewing the record, we grant a two-year extension for small voice service providers,
which we define as those with 100,000 or fewer voice subscriber lines.
41.
The record reflects that a barrier to STIR/SHAKEN implementation for small voice
service providers is the substantial cost, despite resource constraints, to implement STIR/SHAKEN.135
For instance, according to CTIA, “many small providers face financial and resource constraints that other
providers do not” as “[s]mall providers are driving toward the mandate deadline, but with fewer
employees and smaller budgets, they may require more time to transition to STIR/SHAKEN.”136 Small
voice service providers must also balance limited resources and expenses with other required technology
transitions.137 Most recently, commenters explain that the COVID-19 pandemic has monopolized
substantial available resources, increasing the burden on small voice service providers.138
42.
Relatedly, the record demonstrates that equipment availability issues specifically impact
small voice service providers. Such providers rely on third-party vendor solutions, particularly software
solutions, to implement STIR/SHAKEN, and these solutions may be prohibitively expensive for some

132

Id. § 4(b)(5)(A)(i)(I)-(II).

133

Id. § 4(b)(5)(A)(i)(III).

134

See First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3276, para. 78.

See Atheral Comments, WC Docket Nos. 17-97 and 20-67, at 4 (rec. May 15, 2020) (Atheral Comments); CTIA
Comments at 18; USTelecom Comments at 18.
135

CTIA Comments at 18; see also Alaska Communications Reply at 6 (characterizing the cost of implementing
STIR/SHAKEN, even in the IP-capable portions of its network, as prohibitive).
136

ACA Connects Comments, WC Docket Nos. 17-97 and 20-67, at 5 (rec. May 15, 2020) (ACA Connects
Comments) (“ACA Connects’ members face a statutory deadline of December 20, 2020, to make prescriptive
changes to their cable video billing practices, which will require them to complete significant IT upgrades and
testing, extensive training of customer service representatives, and other time-consuming tasks. Then, over the next
few years, these same companies will be required to make substantial modifications to the C-Band
satellite earth stations they rely on for video backhaul, or may elect to transition off of these stations entirely, as part
of the Commission’s reconfiguration of the band to accommodate 5G operations.”).
137

138

See USTelecom Comments at 16.

19

Federal Communications Commission

FCC 20-136

small voice service providers.139 For instance, WISPA asserts that “[s]ome vendor’s minimum fees could
exceed a small provider’s entire voice revenues.”140 WTA agrees that the upfront expenses “could cause
a budget shortage for small providers that have a limited, set multi-year budget that is already dedicated to
new deployments, staff, etc.”141 Further, ACA Connects expresses concern over a lack of transparency
regarding the costs and relative advantages of available vendor solutions as its smaller voice service
provider members, with limited budgets, must carefully apportion funds for STIR/SHAKEN
deployment.142 Indeed, small voice service providers report they have “been quoted annual rates from
different vendors that range from the low five figures to the low six figures, not including any upfront
costs to install the solution,” with no explanation for the rate disparity.143 The record reflects that as
medium and large voice service providers start to widely deploy STIR/SHAKEN, new and improved
solutions will emerge, increasing competition among vendors and decreasing costs.144 In addition,
multiple commenters contend that small voice service providers are unable “to procure ready-to-install
solutions” from a variety of vendors “on the same timeframe as the nation’s largest voice service
providers.”145 According to NTCA, its members “are typically ‘at the mercy’ of vendors that respond to
the larger operator community muc[h] faster, likely based on the latter’s market share and buying
power.”146 As a result, timing and availability of these vendor solutions may be out of the control and
reach of small voice service providers.147 Further, commenters contend that these vendor solutions remain
at an early stage of development and “far from ‘ready to install’ solutions.”148
43.
We are convinced by this record that an extension is appropriate for small voice service
providers. The record largely supports our proposal for an implementation extension for small voice

See ACA Connects Comments at 4; Atheral Comments at 2; Cap Rock Telephone Cooperative Comments, WC
Docket Nos. 17-97 and 20-67, at 1 (rec. May 11, 2020) (Cap Rock Comments); CCA Comments at 3; Wireless
Internet Service Providers Association Comments, WC Docket Nos. 17-97 and 20-67, at 4 (rec. May 15, 2020)
(WISPA Comments); WTA Comments at 5-6.
139

140

WISPA Comments at 4.

141

WTA Comments at 6.

142

ACA Connects Comments at 4.

Id.; see also NTCA Comments at 16 (“Discussions with vendors and members have produced estimates of highfive-figures or low-six-figures per year (for ‘managed’ IP services), numbers not shocking to nationwide operators
but certainly so for small rural carriers that typically count their subscribers in the four-figure range.”); WTA
Comments at 5-6 (“WTA members have received quotes from vendors for first-year STIR/SHAKEN
implementation costs that average between $50,000 and $100,000 depending on the size of the network. . . .
Members also report that they will have to pay new reoccurring charges of about $40,000 annually for licensing.”).
143

144

ACA Connects Comments at 4; see also Atheral Comments at 4.

USTelecom Comments at 18; see also ACA Connects at 4; Atheral Comments at 3; CCA Comments at 3; NTCA
Comments at 16; WISPA Comments at 2.
145

146

NTCA Comments at 16.

147

WISPA Comments at 2; see also Atheral Comments at 3.

ACA Connects Comments at 3-4; see also Montana Telecommunications Association Comments, WC Docket
No. 20-67, at 4 (rec. May 15, 2020) (Montana Telecom Comments) (“It is not clear that vendor equipment will be
available to these small entities even by the end of 2020.”); NTCA Comments at 16; but see Transaction Network
Services Comments, WC Docket Nos. 17-97 and 20-67, at 5 (rec. May 15, 2020) (TNS Comments) (“TNS, for
example, has partnered with Metaswitch to offer a hosted solution that does not require extensive network upgrades
and can be implemented through an IP interconnection with the service provider. TNS is not alone in offering such
solutions, as alternatives are available from a number of other providers. These hosted solutions are available in the
market today and could be implemented by a small carrier before the June 30, 2021 deadline.”).
148

20

Federal Communications Commission

FCC 20-136

service providers,149 and we agree with these commenters that an extension is warranted to allow small
providers sufficient time to address challenges such as equipment cost and availability. For instance,
according to ACA Connects, NTCA, WISPA, and WTA, vendor costs may be prohibitively expensive for
small voice service providers and could result in budget shortages.150 Additional time will allow voice
service providers confronted with budget shortages to spread costs over a longer time horizon.151 Further,
small voice service providers claim vendor solutions are still in nascent stages of development,152 and an
extension will allow vendors that work with small voice service providers more time to develop solutions
and offer those solutions at a lower cost as the market matures.153
44.
Transaction Network Services and AT&T contend that we should not grant a blanket
extension for small voice service providers. 154 These commenters claim that such an extension would be
overinclusive because not all small voice service providers face identical hardships,155 and allege that
illegal robocalls may originate from these providers.156 We disagree. The overwhelming record support
persuades us that small voice service providers, as a class, face undue hardship, and supports the need for
a blanket implementation extension for such providers to give them the necessary time to implement

See ACA Connects Comments at 2-4, 6-7; CCA Comments at 5; Cooperative Telephone Company Comments,
WC Docket Nos. 17-97 and 20-67, at 3 (rec. May 15, 2020) (CTC Comments); CTIA Comments at 15, 18;
Smithville Comments, WC Docket Nos. 17-97 and 20-67, at 1 (rec. May 15, 2020) (Smithville Comments);
USTelecom Comments at 18; WTA Comments at 5; Alaska Communications Reply at 4.
149

150

ACA Connects Comments at 4; NTCA Comments at 16; WISPA Comments at 4; WTA Comments at 6.

See New York RLECs Comments, WC Docket Nos. 17-97 and 20-67, at 2 (rec. May 15, 2020) (New York
RLECs Comments) (arguing that an extension until June 2023 would give small providers “time to develop and
build these expenses into their budgets”).
151

ACA Connects Comments at 3-4; Atheral Comments at 3; Cap Rock Comments at 1; Montana Telecom
Comments at 4; NTCA Comments at 16; WISPA Comments at 2.
152

See New York RLECs Comments at 2 (“vendor prices may decrease over time as additional larger and mid-size
carriers purchase this equipment”). Some small voice service providers also describe the inability to exchange
traffic at non-IP interconnection points as a barrier to the exchange of calls with authenticated caller ID information
after implementation of STIR/SHAKEN. See CCA Comments at 4; Montana Telecom Comments at 2-3; WISPA
Comments at 5; WTA Comments at 2. In addition, to the extent that it uses TDM technology, a small voice service
provider must contend with the associated technical and resource constraints to implementation. See Atheral
Comments at 4; CTIA Comments at 18; USTelecom Comments at 18; Alaska Communications Reply at 5-6. We
address these issues separately.
153

154

AT&T Comments at 14-15; TNS Comments at 4, 6.

TNS Comments at 4 (“With respect to small providers, however, TNS opposes a blanket extension. A blanket
extension is overinclusive, excusing both providers that face true hardships and those that do not.”).
155

See AT&T Comments at 14-15 (“A blanket extension for small providers would not just be unsupported – it
would be illogical, given the role of some such IP-based providers either in originating and/or serving as the
domestic gateway for unauthorized calls. As a primary enabler of the sort of unauthorized calls that prompted the
need for the STIR/SHAKEN framework in the first place, it would be ironic to then permit these providers to delay
implementing safeguards against these very calls.”); TNS Comments at 6 (“[B]lanket extension risks potential harm
to the network by excluding some of the sources of unlawful robocalls today. . . . [M]any of these small networks
are a source of unlawful robocalls, potentially because of their older networks.”).
156

21

Federal Communications Commission

FCC 20-136

STIR/SHAKEN.157 Further, as ACA Connects contends, granting extensions on a case-by-case basis for
small voice service providers would “inundate the Commission with extension requests from a multitude
of small providers, many of them presenting evidence of the same or similar implementation burdens”
and “consume funds that would be better spent working towards implementation of STIR/SHAKEN.”158
We do not find that this extension will unduly undermine the effectiveness of STIR/SHAKEN. As small
voice service providers account for only a small percentage of voice subscribers, an extension covering
these providers will account for the unique burdens they face while ensuring that many subscribers
benefit from STIR/SHAKEN.159 Further, the prevalence of STIR/SHAKEN will encourage small voice
service providers that can afford to do so to implement the framework as soon as possible to provide the
protections it offers to their subscribers. And small voice service providers—like all providers subject to
an extension—are obligated to implement a robocall mitigation program to combat the origination of
illegal robocalls during the course of the extension.160
45.
We conclude that the extension we grant should run for two years, subject to possible
extension pursuant to the evaluation discussed below. Multiple commenters advocated for an extension
longer than one year.161 For instance, WISPA and Atheral contend that small voice service providers
require an extension of at least two years beyond the implementation deadline to “budget for and absorb
the cost of needed upgrades”162 and to “allow for the development of vendor solutions and reduction in
cost to more affordable levels as volume scales.”163 We expect this extension for small voice service
providers will drive down implementation costs by allowing these providers to benefit from a more
mature market for equipment and software solutions necessary to implement STIR/SHAKEN.164 Small
Atheral Comments at 4; CTIA Comments at 15, 18; Montana Telecom Comments at 4; NTCA Comments at 1718; Smithville Comments at 1; USTelecom Comments at 18; WISPA Comments at 4; WTA Comments at 5; ACA
Connects Reply, WC Docket Nos. 17-97 and 20-67, at 3-4 (rec. May 29, 2020) (ACA Connects Reply); Letter from
John Greene, CEO and General Manager, New Lisbon Telephone Company, to Marlene H. Dortch, Secretary, FCC,
WC Docket Nos. 17-97 and 20-67, at 2 (filed April 30, 2020) (New Lisbon Telephone Ex Parte); NTCA—The
Rural Broadband Association Reply, WC Docket Nos. 17-97 and 20-67, at 8 (rec. May 29, 2020) (NTCA Reply);
see also Arkansas Attorney General Comments, WC Docket Nos. 17-97 and 20-67, at 4 (rec. May 15, 2020)
(Arkansas AG Comments) (advocating for the Commission to grant extensions based on a “tiered approach” that has
“a criterion-based methodology to assess economic and technological barriers to implementation”). The TRACED
Act also identifies small voice service providers as a class for which the Commission should assess burdens and
barriers to implementation. TRACED Act § 4(b)(5)(A)(i)(II).
157

158

ACA Connects Reply at 5.

See Rural Call Completion, WC Docket No. 13-20, Report and Order and Further Notice of Proposed
Rulemaking, 28 FCC Rcd 16154, 16168-69, para. 27 (2013) (finding that exception for smaller providers would still
capture “as much as 95 percent of all callers”).
159

160

See TRACED Act § 4(b)(5)(C).

Montana Telecom Comments at 4 (“MTA members and similarly situated small operators should be granted at
least until June 2023 to adopt STIR/SHAKEN. It is not clear that vendor equipment will be available to these small
entities even by the end of 2020, and in any case these providers should be given more than a one-year delay beyond
that granted to the nation’s largest carriers.”); NTCA Comments at 17-18 (“At the very least, the Commission
should grant RLECs until June 2023, and such a deadline should be tied to the vendor community delivering
solutions in 2020.”); WISPA Comments at 4 (“Given the number of large carriers that still need to migrate to IP
networks, WISPA does not believe that a sufficient number will migrate in the short term to allow for the additional
resources and lower costs envisioned by the Commission to come to fruition by June 30, 2022 (the proposed
extended deadline).”).
161

161

WISPA Comments at 4.

162

Atheral Comments at 4.

163

WISPA Comments at 4.

164

See, e.g., ACA Connects Comments at 4; Atheral Comments at 4; NTCA Comments at 16.

22

Federal Communications Commission

FCC 20-136

voice service providers have also filed estimates of the cost of implementing STIR/SHAKEN on their
networks.165 The additional implementation time will allow these providers to spread the cost of
implementation across a longer time horizon. We find that an implementation deadline of two-years
allows for sufficient time—but no more than necessary—for small voice service providers to meet the
challenges of implementing STIR/SHAKEN on their networks. Our guiding principle in setting this
deadline is to achieve ubiquitous STIR/SHAKEN implementation to combat the scourge of illegal caller
ID spoofing as quickly as possible. This extension should also ease the additional burdens placed on
small voice service providers by the COVID-19 pandemic, which has consumed significant resources.166
46.
We decline at this time NTCA’s requests to tie an implementation extension until June
30, 2023 to “the vendor community delivering solutions in 2020,” and to grant additional implementation
time for small voice service providers “unable to obtain vendor solutions by the end of 2020.”167 In the
interest of promoting ubiquitous STIR/SHAKEN implementation, we decline at this time to grant a longer
extension for small voice service providers that may face continued implementation challenges in the
future. We find that a longer extension would discourage the swift development of effective vendor
solutions and slow the deployment of STIR/SHAKEN to the detriment of consumers. We also find that a
longer extension would unnecessarily rely on speculation about marketplace realities several years from
now. The Bureau may grant a further extension if it determines such an extension is appropriate in its
annual reevaluation.
47.
Finally, we establish that, as proposed in the First Caller ID Authentication Report and
Order and Further Notice,168 a provider is a “small provider[] of voice service”169 for purposes of this
extension if it has 100,000 or fewer voice subscriber lines (counting the total of all business and
residential fixed subscriber lines and mobile phones and aggregated over all of a provider’s affiliates). In
the First Rural Call Completion Order, the Commission determined that the 100,000-subscriber-line
threshold ensured that many subscribers would continue to benefit from our rules while also limiting the
burden on smaller voice service providers.170 Similarly, we find that, in the caller ID authentication
context, limiting the implementation extension for small voice service providers to those that have
100,000 or fewer voice subscriber lines balances the needs of these providers and the importance of
widespread and effective STIR/SHAKEN implementation. We received support in the record for this
definition of “small providers of voice service.”171
48.
We decline at this time USTelecom’s post-circulation request to exclude voice service
providers within the 100,000-subscriber-line threshold that “originate a disproportionate amount of traffic
relative to their subscriber base, namely voice service providers that serve enterprises and other heavy
See, e.g., Colo Telephone Company Reply, WC Docket Nos. 17-97 and 20-67, at 1 (rec. May 29, 2020) (Colo
Telephone Company Reply) (“To add the capabilities and equipment needed to support STIR/SHAKEN the upfront
cost would be roughly $75,000, with an additional yearly maintenance and service fee of $7,000, increasing the
yearly support cost to $23,000.”); Montana Telecom Comments at 3 n.6 (“Preliminary cost estimates for
implementing STIR/SHAKEN range from $36,000 to $81,000 a year.”); MT Networks / Madison Telephone
Comments, WC Docket Nos. 17-97 and 20-67, at 2 (rec. May 15, 2020) (MT Networks Comments); NTCA Reply at
9-10; Vantage Point Solutions Reply at 3, 4, 6, 10-12.
165

166

See USTelecom Comments at 16.

NTCA Comments at 17-18. NTCA contends that the two-year extension may be insufficient to resolve the issues
presented by the lack of IP interconnection if vendor solutions are not available to small voice service providers by
the end of 2020. Id. We separately address the issue of non-IP interconnection.
167

168

See First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3277, para. 79.

169

TRACED Act § 4(b)(5)(A)(i)(II).

Rural Call Completion, WC Docket No. 13-29, Report and Order and Further Notice of Proposed Rulemaking,
28 FCC Rcd 16154, 16168, para. 27 (2013).
170

171

See ACA Connects Reply at 5-6.

23

Federal Communications Commission

FCC 20-136

callers through their IP networks.”172 While we see value in the policy goals that underlie USTelecom’s
request, implementing its suggestion would require a difficult line-drawing exercise. USTelecom did not
offer any support for its proposed criteria to identify parties that originate a disproportionate amount of
traffic,173 nor are we able to identify criteria in the limited time available in which we have confidence.174
We are open to revisiting this issue should we determine that the extension creates an unreasonable risk of
unsigned calls from a specific subset of small voice service providers.
49.
Extension for Voice Service Providers That Cannot Obtain a Certificate. In the First
Caller ID Authentication Report and Order, we acknowledged the concerns raised by Cloud
Communications Alliance regarding whether all voice service providers are able to obtain the certificates
used for the intercarrier exchange of authenticated caller ID information under the Governance
Authority’s current policies.175 And in the Further Notice, we asked whether we should grant an
implementation extension for any other voice service providers or classes of voice service providers, or
types of calls.176 In response, commenters advocated for an extension for voice service providers that
cannot obtain a certificate because they are ineligible to file FCC Form 499A, obtain an Operating
Company Number, or obtain direct access to telephone numbers—each of which is a prerequisite to
obtaining a certificate under current Governance Authority policy.177
50.
Because it is impossible for a service provider to participate in STIR/SHAKEN without
access to the required certificate and because some voice service providers are unable to obtain a
certificate at this time, we determine that a limited extension is necessary. Multiple commenters contend
that the Governance Authority’s policy excludes voice service providers that lease numbers rather than
obtain them directly from NANPA.178 In particular, one-way VoIP voice service providers have no
Letter from Joshua M. Bercu, Vice President, Policy & Advocacy, USTelecom, to Marlene H. Dortch, Secretary,
FCC, WC Docket No. 17-97, at 5-6 (filed Sept. 18, 2020) (USTelecom Sept. 18 Ex Parte); see also Letter from
Joshua M. Bercu, Vice President, Policy & Advocacy, USTelecom, to Marlene H. Dortch, Secretary, FCC, WC
Docket No. 17-97, at 2 n.5 (filed Sept. 23, 2020) (USTelecom Sept. 23 Ex Parte).
172

See USTelecom Sept. 23 Ex Parte at 2 n.5 (suggesting we “except[] from the definition providers that (i) earn a
majority of their revenue from non-mass market services or (ii) originate more than 500 calls per day for any single
line”).
173

Letter from Brian Hurley, Vice President of Regulatory Affairs, ACA Connects, to Marlene H. Dortch, Secretary,
FCC, WC Docket No. 17-97, at 12 (filed Sept. 24, 2020) (“the timing of USTelecom’s submission does not provide
parties . . . a reasonable opportunity to vet carefully whether the proposed rule changes could also sweep in
legitimate voice providers “).
174

175

See First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3259, para. 39 n.145.

176

Id. 3277-78, para. 81.

See Cloud Communications Alliance Comments at 2-3; IPNS Comments, WC Docket Nos. 17-97 and 20-67, at
1-3 (rec. May 14, 2020) (IPNS Comments); Securus Technologies, LLC Comments, WC Docket Nos. 17-97 and 2067, at 3-6 (rec. May 15, 2020) (Securus Comments); VON Comments at 2; Inteliquent Reply at 3-4; Noble Systems
Reply, WC Docket Nos. 17-97 and 20-67, at 5 (rec. May 29, 2020) (Noble Systems Reply); Securus Technologies,
LLC Reply, WC Docket Nos. 17-97 and 20-67, at 4-5 (rec. May 29, 2020) (Securus Reply); see also Secure
Telephone Identity Governance Authority, STI-GA Policy Decisions Document at 1 (2020),
https://www.atis.org/sti-ga/resources/docs/200211%20STIGA%20Board%20Policy.pdf.
177

See Cloud Communications Alliance Comments at 2-3 (stating that the Governance Authority policy either
forces these voice service providers to “change their preferred business model and obtain an OCN and petition the
Commission for numbering authority” in order to participate in STIR/SHAKEN, or leaves providers unable to
comply with our STIR/SHAKEN rules); IPNS Comments at 2; Securus Comments at 5-6 (explaining that providers
that do not have an Operating Company Number are unable “to obtain certificates to sign their own originating IP
calls”); VON Comments at 2; Noble Systems Reply at 5; cf. Inteliquent Reply at 3-4 (excluding such voice service
providers “puts at issue hundreds of millions of calls each month” that, as a result, will receive ‘B’ or ‘C’ attestation
rather than ‘A’ attestation”).
178

24

Federal Communications Commission

FCC 20-136

means to obtain direct access to numbers, so they cannot obtain the certificate necessary to comply with
their duty to implement STIR/SHAKEN.179 Therefore, we grant an extension to voice service providers
that cannot obtain a certificate due to the token access policy. We grant this extension until it is feasible
for a provider to participate in STIR/SHAKEN due either to the possibility of compliance with the
Governance Authority policy or a change in the Governance Authority policy. We recognize that a voice
service provider may not be able to immediately come into compliance with its caller ID authentication
obligations after it becomes eligible to receive a certificate, and we will not consider a voice service
provider that diligently pursues a certificate once it is able to receive one in violation of our rules.180 We
expect the extension we establish will decrease costs by relieving such providers from the obligation to
upgrade their networks until they can meaningfully participate in STIR/SHAKEN. We recognize that
industry has made progress on resolving the gap between Governance Authority certificate access policies
and the scope of duties we have established pursuant to the TRACED Act, and we continue to urge
speedy resolution of these issues.181
51.
Extension for Services Scheduled for Section 214 Discontinuance. In the First Caller ID
Authentication Report and Order and Further Notice, we also sought comment on whether to consider
any additional categories of extensions.182 In response to AT&T’s request,183 we grant a one-year
extension based on undue hardship to cover services for which a provider has filed a pending section 214
discontinuance application on or before the June 30, 2021, STIR/SHAKEN implementation deadline.184
This extension will allow voice service providers time to either complete the discontinuance process and
“avoid incurring unnecessary expense and burden to implement STIR/SHAKEN” for services “that are
scheduled to sunset,” or to implement STIR/SHAKEN for any such services that are not discontinued.185
We agree with AT&T that voice service provider resources “are better spent upgrading networks that will
Only carriers and interconnected VoIP providers may obtain direct access to telephone numbers. Numbering
Policies for Modern Communications, IP-Enabled Services, Telephone Number Requirements for IP-Enabled
Services Providers, Telephone Number Portability, Developing a Unified Intercarrier Compensation Regime,
Connect America Fund, Numbering Resource Optimization, WC Docket Nos. 13-97, 04-36, 07-243, 10-90, CC
Docket Nos. 95-116, 01-92, 99-200, Report and Order, 30 FCC Rcd 6839 (2015).
179

See Letter from Michele A. Schuster, General Counsel, PACE, to Marlene H. Dortch, Secretary, FCC, WC
Docket No. 17-97, at 3-4 (filed Sept. 22, 2020). PACE also requests that we determine whether a voice service
provider subject to this extension may comply with our caller ID authentication requirements “by relying on a 3rd
party service provider.” Id. at 2-3. In the absence of a more complete record to guide our decision, we decline to
accept this request at this time.
180

We decline Noble Systems’ request for us to direct the Governance Authority to “revisit its policies that were
defined prior to passage of the TRACED Act” and “revisit the makeup of the [Governance Authority] membership
in light of the broad scope of “voice service” in the TRACED Act.” Noble Systems Reply at 6. In the First Caller
ID Authentication Report and Order and Further Notice, we declined to intervene in or impose new regulations on
the STIR/SHAKEN governance structure and maintain that position. See First Caller ID Authentication Report and
Order and Further Notice, 35 FCC Rcd at 3268, para. 56. We reiterate that because the Governance Authority is
made up of a variety of stakeholders representing many perspectives, we have no reason to believe it will not
operate on a neutral basis. Id.
181

182

First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3277-78, para. 81.

183

AT&T Comments at 18.

See AT&T Comments at 18 (“AT&T proposes that, for services for which a Section 214 discontinuance
application has been filed on or before the June 30, 2021 deadline, the provider should not be required to implement
STIR/SHAKEN for that service.”). Verizon and CenturyLink advocate for removing discontinuance obligations
that “require [voice service] providers to obtain permission prior to replacing TDM voice services with VoIP” to
“help make network transitions to IP more straightforward and efficient.” Verizon Comments at 19; CenturyLink
Reply at 16-17 (agreeing with Verizon’s proposal). We decline to grant this request as it is outside the scope of the
current proceeding.
184

185

AT&T Comments at 18.

25

Federal Communications Commission

FCC 20-136

have the potential to reap the full benefits of the IP transition and STIR/SHAKEN.”186 We expect that
this extension will decrease costs by obviating the need to upgrade components of a voice service
provider’s network that will be sunset. We underscore that a one-year extension means that voice service
providers have until June 30, 2022, to either discontinue the legacy service or implement STIR/SHAKEN
if the service has not actually been discontinued, unless the provider obtains a waiver of this requirement
for good cause shown. If we determine that a voice service provider filed a discontinuance application in
bad faith to receive this extension, we will terminate the extension and take appropriate action.
52.
Voice Service Providers That Use TDM—An Extension Would Be Superfluous. The
TRACED Act specifically directs us to evaluate whether to grant an extension to voice service providers
that use TDM network technology. The record reflects that a major barrier to implementation of a caller
ID authentication framework for voice service providers that use TDM technology is the lack of a
standardized caller ID authentication framework for non-IP networks.187 Because the STIR/SHAKEN
framework is an IP-only solution, these voice service providers must expend substantial resources
upgrading network software and hardware to be IP compatible in order to implement the only currently
available standardized caller ID authentication solution.188 According to commenters, voice service
providers that use TDM networks also face availability and cost issues regarding necessary equipment to
upgrade the software and hardware to convert their networks to IP.189 Further, small or rural voice service
providers that use TDM technology may have fewer resources and require additional time for
transitioning their networks to IP technology.190 Multiple commenters agree that “[e]ven if a [voice
service provider] has upgraded its own network to all-IP technology, if that [voice service provider]
exchanges substantial traffic through legacy TDM tandems, such tandems will similarly present obstacles
to STIR/SHAKEN deployment.”191
53.
Although we proposed in the First Caller ID Authentication Report and Order and
Further Notice to grant the same extension to voice service providers that use TDM technology under the
undue hardship standard that we grant to providers that materially rely on non-IP technology,192 we
conclude that a separate and identical extension is redundant and creates administrative duplication. We
want to avoid granting two separate extensions, with associated filing and review requirements, that serve
identical purposes. Because the TRACED Act includes a required extension for voice service providers
that “materially rel[y]” on non-IP technology,193 we decline to grant a separate extension to voice service
providers that use TDM technology under the undue hardship standard.194 Although AT&T contends that
186

Id.

See AT&T Comments at 12, 20 (“[N]o STIR/SHAKEN-equivalent solution for TDM networks has been
developed by standards bodies.”); CCA Comments at 4 (explaining that transitioning to IP “would be a necessary
next step to implementing a program such as SHAKEN/STIR”); USTelecom Comments at 17 (“[N]on-IP networks
do not have call authentication technology.”).
187

188

AT&T Comments at 11-12; CTC Comments at 2; USTelecom Comments at 17.

189

See AT&T Comments at 12; CTC Comments at 2-3; USTelecom Comments at 17.

190

CCA Comments at 4.

Id.; see also AT&T Comments at 12; Montana Telecom Comments at 2-3; WTA Comments at 2; Alaska
Communications Reply at 5; Telnyx LLC Reply, WC Docket Nos. 17-97 and 20-67, at 1-2 (rec. May 29, 2020)
(Telnyx Reply).
191

192

See First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3276, para. 77.

193

TRACED Act § 4 (b)(5)(B).

This extension (1) applies to those parts of a voice service provider’s network that materially rely on technology
that cannot initiate, maintain, and terminate SIP calls; (2) lasts “until a call authentication protocol has been
developed for calls delivered over non-[IP] networks and is reasonably available”; and (3) may be terminated if the
Commission determines that a voice service provider “is not making reasonable efforts to develop the call
authentication protocol” for non-IP networks. See infra paras. 65-69.
194

26

Federal Communications Commission

FCC 20-136

“an extension for TDM networks is independently warranted,” it does not explain its position.195 In fact,
AT&T concedes that “the extension outcomes are the same.”196 We find the non-IP extension sufficiently
addresses AT&T’s concern that there is not yet a STIR/SHAKEN-equivalent solution for TDM networks.
To the extent there is any lack of clarity, we confirm that TDM networks are included in the non-IP
extension established below, and subject to its terms.197
54.
Rural Voice Service Providers—A Separate Extension Is Unnecessary. The TRACED
Act specifically directs us to evaluate whether to grant an extension based on undue hardship to rural
voice service providers. The record reflects that the burdens and barriers to STIR/SHAKEN
implementation for rural voice service providers are often encompassed by those for small voice service
providers or voice service providers that use non-IP network technology because these voice service
providers also tend to be rural.198 To the extent rural voice service providers rely on non-IP technology,
which is incompatible with STIR/SHAKEN, they encounter the burdens already described for such
providers.199 Similarly, the rural voice service providers that describe specific burdens to
implementation—such as availability of vendor solutions that may be prohibitively expensive with few
reasonable alternatives—are small voice service providers.200 Although CTIA generally states that there
are potential financial and resource constraints for larger rural voice service providers, it does not identify
any specific implementation challenges faced by these providers.201 Indeed, at least one larger rural voice
service provider, TDS Communications, a Wisconsin-based voice service provider that serves nearly 900
rural, suburban, and metropolitan communities throughout the United States, has begun to invest in
STIR/SHAKEN deployment.202
55.
In the First Caller ID Authentication Report and Order and Further Notice, we sought
comment on our proposed view that it would be unnecessary to grant a separate implementation extension
for rural voice service providers as the challenges faced by these providers are already addressed by the
small voice service provider extension and the extension for voice service providers that materially rely
on a non-IP network.203 After review of the record, we adopt our proposal and decline to adopt a separate
extension for rural providers.204 The majority of commenters in the record did not differentiate rural voice
195

AT&T Comments at 20.

Id.; see also AT&T Comments at 11 (arguing that the non-IP extension should “be understood to include all
TDM-based voice services”).
196

See AT&T Comments at 11 (“To make [the] language [of the extension for non-IP networks] more concrete, it
should be understood to include . . . all TDM-based voice services . . .”).
197

See, e.g., NCTA – The Internet & Television Association Reply, WC Docket Nos. 17-97 and 20-67, at 6 (rec.
May 29, 2020) (NCTA Reply).
198

See CCA Comments at 4 (“[R]obocall implementation solutions for non-IP networks are still developing and not
readily available for deployment.”); WISPA Comments at 4.
199

See Atheral Comments at 4 (“At this time, Atheral is aware of only one provider that can provide a solution with
our VoIP switch, and beta code for testing was just released on May 14th, 2020 by our switch vendor.”);
INCOMPAS Comments, WC Docket Nos. 17-97 and 20-67, at 9-10 (rec. May 15, 2020) (INCOMPAS Comments)
(“While the market has started to offer third-party authentication solutions, questions remain about the capacity of
these vendors to bring along all voice service providers by next year’s compliance deadline”); Montana Telecom
Comments at 4; MT Networks Comments at 1; NTCA Comments at 16; WTA Comments at 5-6.
200

201

CTIA Comments at 18-19.

Letter from Sara Cole, Regulatory Counsel, TDS, to Marlene H. Dortch, Secretary, FCC, WC Docket No. 17-97
(filed Jan. 30, 2020) (TDS Ex Parte).
202

203

See First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3277-78, para. 80.

While we decline to grant an extension to this class of voice service providers, a voice service provider that
believes that it faces an undue hardship may submit a filing that details its specific circumstances.
204

27

Federal Communications Commission

FCC 20-136

service providers from those that are small and referred to them interchangeably.205 As noted above, the
rural voice service providers that called for an extension are themselves small voice service providers.206
NCTA contends that a dedicated extension for rural providers is “unnecessary” because “the vast majority
of rural providers will qualify for the small provider extension” or the extension for voice service
providers that rely on non-IP networks.207 We agree with NCTA that “there does not seem to be a strong
basis for granting any form of relief” to rural voice service providers that do not qualify as small voice
service providers.208 Further, TDS reports that it had completed work in 2019 to evaluate, select, and lab
test a vendor solution to allow it to integrate STIR/SHAKEN into the IP portions of its network.209
Because one large rural voice service provider has already invested in STIR/SHAKEN deployment to best
serve its customers,210 we expect that other similarly situated rural voice service providers have also
begun or would be capable of having begun the implementation process. We conclude that it would be
improper to reach a blanket finding of undue hardship for rural voice service providers because (1) the
record does not show that larger rural providers face undue hardship; and (2) our separate finding of
undue hardship for small voice service providers relieves small rural voice service providers of the
obligation to implement, such that they will no longer face undue hardship for the duration of the
extension. Further, an extension for rural voice service providers would not only be unnecessary, but also
harmful to the goal of widespread implementation.
56.
We also decline the request by CTIA and USTelecom for an extension for vaguelydefined “regional” voice service providers that do not fall within our 100,000 or fewer voice subscriber
line threshold.211 CTIA only generally describes potential financial and resource constraints for these
voice service providers,212 and neither commenter sufficiently defines this class of providers or explains
why we should grant an extension on the basis of undue hardship to providers with the resources that are
necessary for serving a large number of subscribers. We similarly decline the request by Madison
Telephone Networks for an extension until 2024 or 2025 for rural providers in high cost areas to “relieve
financial pressure.”213 We decline to grant this extension as Madison Telephone Networks does not
demonstrate why this is a unique class of providers requiring an extension of this length. Further, we
expect the majority of these voice service providers are also small or materially rely on non-IP technology
and therefore will be covered by either or both of those extensions.214
57.

Equipment Availability—A Separate Extension Is Unnecessary. In the First Caller ID

See, e.g., Atheral Comments at 1-2 (referring to rural and small voice service providers interchangeably);
Montana Telecom Comments at 3-4 (same); NTCA Comments at 15-18 (same); WISPA Comments at 1, 4-5 (same).
205

See Atheral Comments at 4; INCOMPAS Comments at 9-10; Montana Telecom Comments at 4; MT Networks
Comments at 1; NTCA Comments at 16; WTA Comments at 5-6. Rural providers also describe challenges
exchanging calls with authenticated caller ID information due to non-IP interconnection. See, e.g., NTCA
Comments at 16.
206

207

NCTA Reply at 6.

208

Id.

TDS Ex Parte at 1; see also Letter from Ken Paker and Andrew Petersen, TDS, to G. Patrick Webre, Bureau
Chief, Consumer and Governmental Affairs Bureau, FCC, CG Docket No. 17-59, WC Docket No. 17-97, at 1 (filed
Feb 28, 2020) (reporting further that TDS has lab-tested and selected a vendor solution to integrate call analytics
into its network).
209

210

Id. at 1.

211

CTIA Comments at 18; USTelecom Comments at 19.

212

CTIA Comments at 18-19.

213

MT Networks Comments at 2.

If a voice service provider in this category is not covered by an extension and requires additional time for
STIR/SHAKEN implementation, it may file an individual petition requesting an extension, as discussed below.
214

28

Federal Communications Commission

FCC 20-136

Authentication Report and Order and Further Notice, we sought comment on Congress’s direction to
consider whether to grant a separate extension on the basis of “the inability to purchase or upgrade
equipment to support the call authentication frameworks under this section, or lack of availability of such
equipment.”215 We conclude that our extension for small voice service providers adequately addresses
challenges with regard to obtaining necessary equipment and that a separate or additional extension is
unnecessary. As discussed above, the record reflects that equipment availability specifically impacts
small voice service providers.216 This is not a surprise, as it is likely that larger voice service providers
have the resources and negotiating leverage to obtain the equipment they need much more quickly than
small providers. Granting an extension solely for equipment unavailability may discourage larger voice
service providers from putting forward sufficient effort to obtain necessary equipment. Further, no
commenter has identified any specific equipment availability issue for large voice service providers—
commenters merely speak in general terms.217 Granting an ex ante extension on this basis would
introduce difficult line-drawing questions as to when equipment is “unavailable” for which the record
does not suggest a solution and that are not necessary to resolve in light of the extension for small voice
service providers.218
58.
Enterprise Calls—An Extension Would Be Counterproductive. In the First Caller ID
Authentication Report and Order and Further Notice, we sought comment on whether we should grant an
extension for undue hardship for enterprise calls.219 We described the concerns of some commenters that
the standards for attestation do not fully account for the situation where an enterprise subscriber places
outbound calls through a voice service provider other than the voice service provider that assigned the
telephone number.220 In such enterprise calling scenarios, commenters claimed, it would be difficult for
an outbound call to receive A-level attestation 221 because the outbound call “will not pass through the

See First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3277, para. 81;
TRACED Act § 4(b)(5)(A)(i)(III).
215

See, e.g., ACA Connects Comments at 4 (“The experience of these larger member companies does not inspire
confidence that the smaller providers that make up the majority of ACA Connects’ 700-plus members will be able to
implement the technology seamlessly in their networks anytime soon, especially so if they are competing with larger
providers for vendors’ attention to resolve any implementation challenges they encounter.”); Atheral Comments at 4
(contending that small carriers will need an extension “to budget for and absorb the costs of the needed upgrades”);
USTelecom Comments at 17; WTA Comments at 5; CTC Comments at 2-3.
216

See USTelecom Sept. 23 Ex Parte at 2 n.6 (acknowledging that the record only “implicitly” discusses equipment
availability issues for large voice service providers).
217

We note that under our rules any voice service provider—large or otherwise—that encounters a specific
equipment availability issue may request a waiver of the deadline. Cf. USTelecom Sept. 18 Ex Parte at 7 (asking us
not to foreclose “provider-specific extension[s] based on equipment availability issues that arise in the future”); 47
CFR § 1.3.
218

219

First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3278, para. 82.

Id. at 3255, para. 29; see also, e.g., Cloud Communications Alliance Comments, CG Docket No. 17-59, WC
Docket No. 17-97, at 5 (rec. July 24, 2019); INCOMPAS Comments at 6, 13; Telnyx Comments at 1-2;
RingCentral, Inc. Reply, CG Docket No. 17-59, WC Docket No. 17-97, at 2-3 (rec. Aug. 23, 2019).
220

See ATIS/SIP Forum Standard § 5.2.3, at 8-9. To provide A-level attestation, the voice service provider must be
able to confirm the identity of the subscriber making the call, and that the subscriber is using its associated telephone
number. See id.
221

29

Federal Communications Commission

FCC 20-136

authentication service of the [voice] service provider that controls th[e] numbering resource.”222 The
record developed in response to our Further Notice reflects challenges for voice service providers to attest
to enterprise calls with A-attestation in this and other circumstances, meaning that such calls would be
authenticated with B- or C-level attestation.223 Based on these challenges, some commenters argue that
we should grant an extension in compliance with the STIR/SHAKEN implementation mandate for
enterprise calls so that these calls will not receive caller ID authentication until industry standards groups
resolve the enterprise issue, rather than receiving a lower level of attestation in the interim.224 We agree
with the record opposition,225 and we decline to grant an implementation extension to enterprise calling
cases.
59.
First, we agree with those commenters that argue that an implementation extension may
discourage the swift development of technical solutions for enterprise calls.226 Although commenters
offer different perspectives on the timing of a solution that would allow enterprise calls to receive A-level
attestation,227 the record reflects that industry is “working hard to achieve authentication with A-level
attestation this year.”228 It is our goal to encourage this work, rather than remove the beneficial incentive
created by the STIR/SHAKEN mandate. We decline, however, to go so far as some commenters suggest
and “[r]equir[e] the prompt finalization of standards that will enable voice providers that originate

First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3255, para. 29 (quoting
IETF, STIR Certificate Delegation, Draft, at 3 (2019), https://tools.ietf.org/html/draft-ietf-stir-cert-delegation-01);
see also AT&T Comments at 17 (“A-level attestation will not be possible for many enterprise calls at this time,
creating the possibility of B- or C-level attestation becoming the norm. That outcome would undermine the
Commission’s efforts and harm the marketplace by enabling illegal robocallers to sign their own calls without
sufficient safeguards in place.”); Cloud Communications Alliance Comments at 3 (“[V]oice providers serving
enterprise customers may not be able to provide an ‘A’ level attestation if they did not assign the calling number
being used by their customer.”); Numeracle, Inc Comments, WC Docket Nos. 17-97 and 20-67, at 8 (rec. May 15,
2020) (Numeracle Comments); Professional Association for Customer Engagement Comments, WC Docket Nos.
17-97 and 20-67, at 5 (rec. May 12, 2020) (PACE Comments); Securus Comments at 3; First Orion Reply, WC
Docket Nos. 17-97 and 20-67, at 12 (rec. May 29, 2020) (First Orion Reply).
222

223

See, e.g., AT&T Comments at 16-20; USTelecom Comments at 19-20.

AT&T Comments at 17; CTIA Comments at 19; INCOMPAS Comments at 11; USTelecom Comments at 20;
Securus Reply at 3; Vonage Reply, WC Docket Nos. 17-97 and 20-67, at 5 (rec. May 29, 2020) (Vonage Reply).
224

NCTA Comments at 9; First Orion Reply at 12; Hiya Reply, WC Docket Nos. 17-97 and 20-67, at 5 (rec. May
29, 2020) (Hiya Reply); Numeracle, Inc Reply, WC Docket Nos. 17-97 and 20-67, at 2 (rec. May 29, 2020)
(Numeracle Reply).
225

See NCTA Comments at 8-9 (opposing an extension in order to incentivize industry to promptly develop a
solution for enterprise calling scenarios); First Orion Reply at 12 (“[G]iven the level of activity in the industry
around technical solutions and potential policy adjustments, we believe an extension is not only unnecessary but
may de-motivate the industry from having solutions available for June 2021.”).
226

See Neustar Comments at 11 (stating its belief that solutions developed within the ATIS IP-NNI Task Force “will
be widely available by June 30, 2021” and “will provide enterprises with the ability to achieve ‘A’ level attestations
for scenarios that would otherwise achieve ‘B’ level attestations”); but see AT&T Comments at 17 (“[A]dditional
time is necessary for the standards bodies to work through the numerous other scenarios applicable to enterprise
authentication and develop industry protocols and/or best practices.”); USTelecom Comments at 20 (“[A]dditional
time is necessary for the standards bodies to work through the numerous other scenarios applicable to enterprises
signing and to develop industry protocols and/or best practices for those scenarios.”); Vonage Reply at 2
(“Notwithstanding the optimism of certain commenters that a solution will be fully operational by the June 30, 2021,
the record demonstrates that additional time should be provided to work through this and other related complex
situations.”).
227

228

AT&T Comments at 17.

30

Federal Communications Commission

FCC 20-136

enterprise calls to provide an A-level attestation.”229 As industry stakeholders, standards bodies, and the
Governance Authority are actively working to finalize standards and solutions to complex enterprise
calling cases,230 we do not wish to intervene in the process.231 At the same time, we continue to
encourage—and expect—industry to promptly resolve the outstanding challenges for complex enterprise
use cases and business models, and we will closely monitor progress on this issue.
60.
We are also not persuaded by claims that authenticating enterprise calls with B- or Clevel attestation poses a major problem.232 These commenters contend that enterprise calls without an Alevel attestation may be blocked, mislabeled as potentially fraudulent, or lead to illegal robocallers
authenticating their own calls.233 However, they fail to explain how the alternative—an enterprise call
without authenticated caller ID information—is preferable to one that receives B- or C-level attestation.234
Notably, NCTA reports that “[i]n [its] members’ experiences, partial (‘B’) attestation can be achieved
more quickly than complete (‘A’) attestation for enterprise calls,” and accordingly, partial attestation is “a
reasonable implementation approach in this context.”235 Similarly, Hiya, an analytics company, commits
that it “currently has no plans—nor is it aware of any plans by other parties in the industry—to either
block calls or label them as potentially fraudulent solely due to lack of ‘full’ or ‘A’ level attestation.”236 It
Cloud Communications Alliance Comments at 3-4, 7; see also INCOMPAS Comments at 10 (“[T]he
Commission would be better served insisting that the STIR/SHAKEN governance authority incorporate protocols
for certificate delegation into the call authentication framework rather than simply addressing whether or not to
grant an extension for undue hardship for enterprise calls.”); Noble Systems Comments at 9-10 (arguing for
mandating a technical solution to the enterprise calling issue); PACE Comments at 6 (“Encouraging carriers to
actually adopt [ATIS’s standard] would address the ‘enterprise problem.’”); Numeracle Reply at 9 (“The
Commission should encourage the standards body to act swiftly on approving enterprise attestation standards.”);
Securus Reply at 3 (“Because Securus would like to implement the STIR/SHAKEN Framework, it of course would
prefer that the Commission require ‘prompt finalization of standards that will enable voice providers . . . to provide
an A level attestation through certificate delegation.’” (quoting Cloud Communications Alliance Comments at 3-4));
cf. Vonage Reply at 4 (“[T]he Commission should insist that standards bodies take prompt action to allow carriers to
achieve full attestation for calls using numbers leased from other sources.”).
229

See Cloud Communications Alliance Comments at 3-4; CTIA Comments at 19; INCOMPAS Comments at 1011; Noble Systems Comments at 9; Sorenson Comments, WC Docket Nos. 17-97 and 20-67, at 2 (rec. May 15,
2020) (Sorenson Comments); USTelecom Comments at 21; CTIA Reply, WC Docket Nos. 17-97 and 20-67, at 5
(rec. May 29, 2020) (CTIA Reply).
230

231

See CTIA Reply at 5 (arguing that mandating a particular solution is “premature”).

232

AT&T Comments at 17; USTelecom Comments at 20; Vonage Reply at 3.

AT&T Comments at 17 (stating that if B- or C-level attestation becomes the norm, it “would undermine the
Commission’s efforts and harm the marketplace by enabling illegal robocallers to sign their own calls without
sufficient safeguards in place”); USTelecom Comments at 20; CenturyLink Reply at 13; Somos Reply, WC Docket
Nos. 17-97 and 20-67, at 1 (rec. May 29, 2020); Vonage Reply at 3.
233

Cloud Communications Alliance addresses this question, but states only that “[i]t is difficult to answer this
question in the abstract without knowing the call validation treatment of B or C level attestations.” Cloud
Communications Alliance Comments at 4. It adds that if voice service providers or the industry “only value an ‘A’
level attestation when deciding call treatment, while wholly discounting a lower level of attestation, the ability to
sign with a B or C level attestation will be of little benefit, perhaps apart from providing information for trace back
purposes.” Id.
234

See NCTA Comments at 9; see also id. at 8 (“NCTA agrees with the Commission’s decision . . . to refrain from
adopting a blanket exemption for enterprise calls from the STIR/SHAKEN implementation mandate . . . .”);
Numeracle Comments at 5 (“Even though a B or C level attestation does not provide the certainty of an A
attestation, these options are part of the STIR/SHAKEN framework to, at a minimum, support traceback efforts to
the originating or gateway carrier.”).
235

236

Hiya Reply at 5.

31

Federal Communications Commission

FCC 20-136

also asserts “that voice service providers and analytics engines will not use attestation level as the sole
determinant for reputation scoring of a caller,” and instead, “attestation information is one of the many
data points that inform analytics-driven call labeling and call blocking.”237 Transaction Network Services
also explains that “STIR/SHAKEN attestations—‘good’ or ‘bad’—will not have the effects that some
commenters suggest” as it “endeavors to incorporate STIR/SHAKEN attestations as one factor in its
analysis” and “does not recommended making call-blocking decisions based on the failure of
STIR/SHAKEN authentication.”238 Indeed, we have previously stated that “a call-blocking program
might block calls based on a combination of factors.”239 Even assuming that calls with B- or C-level
attestation will be treated meaningfully worse than calls without authenticated caller ID information—a
conclusion that, again, is not substantiated by the record—concerns over the treatment of calls
authenticated consistent with current STIR/SHAKEN standards does not amount to an undue hardship in
the implementation of STIR/SHAKEN technology, which is the standard by which Congress directed us
to evaluate undue hardship extension requests.240 In light of these conclusions and our and Congress’s
goal of ubiquitous STIR/SHAKEN implementation in IP networks, we will not grant an extension for
enterprise calls.
61.
Intra-Network Calls—An Extension Would Be Counterproductive. In the First Caller ID
Authentication Report and Order and Further Notice, we established distinct authentication requirements
for inter-network calls and for intra-network calls. In the case of inter-network calls, an originating voice
service provider must “authenticate caller [ID] information for all SIP calls it originates and that [it] will
exchange with another voice service provider or intermediate provider.”241 Because establishing trust
between providers is not necessary for calls that transit a single network, we adopted a different
obligation for intra-network calls that solely transit the network of the originating voice service provider.
Specifically, in recognition of the fact that “certain components of the STIR/SHAKEN framework . . . are
not necessary for calls that a voice service provider originates and terminates on its own network,” we
concluded a voice service provider satisfies its intra-network authentication obligation so long as it
authenticates and verifies “in a manner consistent with the STIR/SHAKEN framework, such as by
including origination and attestation information in the SIP INVITE used to establish the call.” 242
62.
A number of commenters that exchange all traffic with other providers through non-IP
interconnection points—and thus have no obligation under our rules to implement STIR/SHAKEN with
respect to inter-network calls—seek an extension from the intra-network authentication requirement.
These voice service providers seek such relief because compliance requires network upgrades, and they
Id. Vonage contends that attestation may provide a “potentially” “dispositive data point,” but fails to support this
claim. Vonage Reply at 3.
237

Transaction Network Services Reply, WC Docket Nos. 17-97 and 20-67, at 6-7 (rec. May 29, 2020) (TNS
Reply).
238

2019 Robocall Declaratory Ruling and Further Notice, 34 FCC Rcd at 4888, para. 35 (2019). In the Third Call
Blocking Report and Order, we also explained that “[i]f the terminating voice service provider has identified that
calls with ‘A’ attestation previously originating from that number are nevertheless illegal or unwanted based on
reasonable analytics, [it] may block those calls despite the attestation level.” 2020 Call Blocking Order, 35 FCC
Rcd at 7626, para. 31.
239

TRACED Act § 4(b)(5)(A)(ii) (Commission may grant an extension for undue hardship as necessary to enable a
provider “to participate in the implementation in order to address the identified burdens and barriers”).
240

47 CFR § 64.6301(a)(2). This duty applies only “to the extent technically feasible.” Id. In the First Caller ID
Authentication Report and Order and Further Notice we specifically recognized this fact, explaining that
“transmission of STIR/SHAKEN authentication information over a non-IP interconnection point is not technically
feasible at this time.” First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3258,
para. 35 n.135.
241

242.Id.

at 3257-58, para. 34; 47 CFR § 64.6301(a)(1).

32

Federal Communications Commission

FCC 20-136

would prefer to delay investing in these necessary upgrades until they are able to participate in
STIR/SHAKEN both within their own network and with regard to calls exchanged with other voice
service providers, which require many of the same upgrades.243
63.
We decline to grant the requested extension because we do not find that it rises to the
level of undue hardship. Commenters favoring an extension contend that requiring them to invest in
compliance solely as to intra-network calls would require unreasonably burdensome network upgrades
that, in their view, produce limited benefits.244 But these commenters fail to explain why implementation
would be more burdensome for them than for other voice service providers. In fact, implementation
maybe less costly because our standard for intra-network IP calls is only that they are authenticated “in a
manner consistent with the STIR/SHAKEN framework” which does not require those upgrades necessary
to enable cross-provider authentication and verification. The TRACED Act requires an assessment of
burdens and barriers, not a cost-benefit analysis, and parties seeking an extension have failed to show that
they face atypical burdens and barriers on the basis of the intra-network authentication requirement. We
nonetheless note that the benefits of our intra-network requirement are greater than parties favoring an
extension contend. As we have explained, STIR/SHAKEN implementation provides benefits to
consumers even at the intra-network level.245 Specifically, implementing STIR/SHAKEN within a voice
service provider’s own network directly benefits consumers as it enables a voice service provider to
authenticate all calls among its customers.246 To that end, we agree with commenters that while voice
service providers work toward IP interconnection, “[t]here is no reason to deny consumers” the
“immediate benefits” of authenticated caller ID information for calls on their voice service provider’s
own network.247 Further, the record reflects that many providers that face challenges regarding IP
interconnection are small providers, to which we have granted a two-year extension in compliance with
the STIR/SHAKEN mandate.248 Providers so situated will therefore have additional time to negotiate IP
interconnection agreements before being subject to the intra-network mandates.249
See ACA Connects Comments at 11; CTIA Comments at 16-17; NCTA Comments at 10-11; WTA Comments at
2; New Lisbon Telephone Ex Parte at 1-2.
243

See Montana Telecom Comments at 3 (“Not only do the consumer benefits of call authentication technology
disappear when a call leaves an IP network, but the considerable investment that rural telecom companies like
MTA’s members have undertaken, also becomes meaningless as soon as a call originating on an IP network meets a
non-IP transmission circuit.”); NTCA Comments at 11 (contending that absent an extension, voice service providers
that do not exchange traffic at IP interconnection points would be forced to “expend tens of thousands of dollars per
year to implement a system that services no practical purpose as call authentication information they generate would
disappear at the network edge”); ACA Connects Reply at 7; Vantage Point Solutions Reply at 8-9.
244

First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3257, para. 33; see also
AT&T Comments at 15 (arguing that “there are benefits from implementing STIR/SHAKEN in a [voice service]
provider’s own network, even in the absence of IP traffic exchange”); Verizon Reply at 17-18 (citing the
Commission and AT&T).
245

246

AT&T Comments at 15; Verizon Reply at 17-18.

247

Id.; see also AT&T Comments at 15 (“The Commission should not delay [STIR/SHAKEN] benefits.”).

See ACA Connects Comments at 10; CCA Comments at 4; Montana Telecom Comments at 2-3; NTCA
Comments at 6; WISPA Comments at 5; WTA Comments at 2; but see NCTA Comments at 11 (arguing that this
issue “is not limited solely to the context of small providers or rural areas”).
248

Various commenters in the record argue that the Commission should more directly resolve the issue of non-IP
interconnection. See INCOMPAS Comments at 12; Montana Telecom Comments at 3-5; NCTA Comments at 1113; NTCA Comments at 4-12; T-Mobile Comments at 3-4; WTA Comments at 3-4; Colo Telephone Reply at 1;
Telnyx Reply at 2-3. While we refrain from directly addressing the issue of non-IP interconnection in this Order,
which focuses largely on completing TRACED Act implementation as to STIR/SHAKEN, we will continue to
monitor the issue. See Letter from Michael Romano, Senior Vice President, NTCA, to Marlene H. Dortch,
Secretary, FCC, WC Docket No. 17-97, at 2 (filed Sept. 21, 2020) (NTCA Ex Parte).
249

33

Federal Communications Commission

FCC 20-136

64.
Further, granting such an extension would impede the progress of the IP transition and
further delay STIR/SHAKEN implementation—contrary to our goal of ubiquitous deployment of caller
ID authentication technology.250 We agree with Comcast that it is essential to “encourage the IP transition
by, among other things, adopting policies in this proceeding that induce providers to prioritize the
implementation of IP-enabled call authentication through STIR/SHAKEN.”251 As AT&T observes, an
extension for intra-network calls of providers that do not interconnect in IP would “discourag[e] voice
service providers from coming to a negotiated resolution and transitioning to IP” at the interconnection
point.252 By denying this extension, we “increase the[] incentive to negotiate creative and commercially
reasonable interconnection agreements” to ensure that customers receive STIR/SHAKEN benefits.253
65.
Provider-Specific Extensions. We decline at this time to grant any extensions to
individual voice service providers. We recognize, as INCOMPAS and CenturyLink suggest, that some
providers may face specific circumstances in all or part of their IP networks that constitute undue
hardship.254 The Commission will be in a better position to evaluate those requests, however, in response
to specific petitions that establish in detail the basis for the requested extension, rather than through
establishing a general principle in response to the vague and general concerns about technology or
compatibility issues that INCOMPAS and CenturyLink set forth. A voice service provider that believes
that it faces an undue hardship within the meaning of the TRACED Act may file in this docket an
individual petition requesting an extension. We direct the Bureau to seek comment on any such petitions
and to issue an order determining whether to grant the voice service provider an extension. We expect
any voice service provider seeking an extension to file its request by November 20, 2020, and we direct
the Bureau to issue a decision no later than March 30, 2021.255 Given the importance of widespread
Atheral and WISPA request that we establish a waiver process for providers with non-IP interconnection points
that need to upgrade media gateways in order to exchange SIP calls. See Atheral Comments at 5-6; WISPA
Comments at 5-6. We decline to establish a unique process in this context, as these parties do not explain why our
existing procedures are insufficient. Parties that wish to seek a waiver are free to do so pursuant to our existing
procedures. See 47 CFR § 1.3.
250

Comcast proposes that we “consider[] a provider’s efforts to transition to . . . IP-to-IP voice interconnection[]
when determining whether to grant or renew a limited extension.” Id. Because we do not grant an extension for the
inability to exchange traffic at IP-enabled interconnection points, we see no need to adopt this suggestion.
251

252

AT&T Comments at 15.

253

Verizon Reply at 18.

INCOMPAS Comments at 10 (requesting “an extension for those providers capable of demonstrating that
implementing the framework will be affected by the type of technology that the provider is using, how network
interconnections are established, and whether the standards will accommodate differences in technology
adequately”); CenturyLink Reply at 14 (requesting an extension for voice service providers that “encounter discrete
network elements that lack compatibility with STIR/SHAKEN technology, delaying implementation in these
elements”).
254

See TRACED Act § 4(b)(5)(A) (directing the Commission to assess burdens and barriers to implementation and
grant extensions for undue hardship “not later than 12 months after the date of the enactment of this Act, and as
appropriate thereafter”) (emphasis added). We find it appropriate to direct the Bureau to issue provider-specific
extension determinations by March 30, 2021, so that the Bureau has adequate time to seek comment on and consider
timely-filed petitions and petitioners have adequate time, before the June 30, 2021, implementation deadline, to act
in response to the Bureau’s determination.
255

Although we expect voice service providers to file extension requests by November 20, 2020, we note that parties
seeking additional extensions after this date are free to seek a waiver of our deadline under section 1.3 of the
Commission’s rules. See USTelecom Sept. 18 Ex Parte at 6-7. This is consistent with the TRACED Act’s mandate
that the Commission consider the burdens and barriers to implementation “as appropriate” beyond the 12-month
period specified in the Act. Of course, in determining whether it is “appropriate” to consider such late-filed
requests, we expect that the Commission will not look favorably on requests that rely on facts that could have been
presented to the Commission prior to November 20, 2020 with reasonable diligence.

34

Federal Communications Commission

FCC 20-136

STIR/SHAKEN implementation, to be granted an extension a voice service provider must demonstrate in
detail the specific undue hardships, including financial and resource constraints, that it has experienced
and explain why any challenges it faces meet the high standard of undue hardship to STIR/SHAKEN
implementation within the timeline required by Congress.
2.

Extension for Certain Non-Internet Protocol Networks

66.
Section 4(b)(5)(B) of the TRACED Act directs that “the Commission shall grant a delay
of required compliance . . . for any provider or class of providers of voice service, or type of voice calls,
only to the extent that such a provider or class of providers of voice service, or type of voice calls,
materially relies on a non-[IP] network for the provision of such service or calls . . . until a call
authentication protocol has been developed for calls delivered over non-[IP] networks and is reasonably
available.”256 In implementing this provision, we impose the same obligations on voice service providers
that receive the extension as we impose in the mandate requiring voice service providers to implement an
effective caller ID authentication framework in the non-IP portions of their networks.257 We find that
doing so ensures that all voice service providers with non-IP network technology are subject to the same
burdens and are working together to develop a non-IP solution as envisioned by the TRACED Act. We
also find that such action most efficiently carries out the goals of protecting consumers from illegal
robocalls on non-IP networks, and encourages a general transition to IP and the wider implementation of
STIR/SHAKEN.
67.
Eligibility for this Extension. Under the TRACED Act, we must grant an extension for
voice service providers or types of voice calls that “materially rel[y] on a non-[IP] network.”258 We
interpret this provision to mean that those portions of a voice service provider’s network that do not use
SIP technology are eligible for an extension of the implementation deadline of June 30, 2021.259 In the
First Caller ID Authentication Report and Order and Further Notice, we proposed defining “non-[IP]
network[s]” as those portions of a voice service provider’s network that rely on technology that cannot
initiate, maintain, and terminate SIP calls.260 We adopt our proposal because we believe this to be a
straightforward implementation of Congress’s direction in the TRACED Act, which also provides that
extensions may be voice service provider-specific or apply to a class of voice service providers or type of
voice calls.261 In determining whether a voice service provider or type of voice calls “materially relies”
on such a non-SIP capable network, we proposed to interpret “material[]” to mean “important or having

TRACED Act § 4(b)(5)(B). The record supports the notion that we are obligated by this section of the TRACED
Act to grant an extension of the implementation deadline for voice service providers that materially rely on non-IP
networks. See, e.g., Alaska Communications Reply at 6-8 (“[T]his delay is mandatory under the TRACED Act.”);
AT&T Comments at 10 (“Because this extension is made mandatory by the statute, it requires no further
justification . . . .”).
256

We note that, along with the obligations we impose for recipients of the non-IP extension, such recipients are also
subject to the robocall mitigation requirements shared by all other recipients of extensions. See TRACED Act
§ 4(b)(5)(B); First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3281, para. 92,
n.288.
257

258

TRACED Act § 4(b)(5)(B).

The TRACED Act states that we shall grant this extension “under section 4(b)(5)(A)(ii),” which governs
extensions granted upon a public finding of undue hardship. Id. § 4(b)(5)(A)(ii). We interpret this clause to mean
that undue hardship is presumed where a voice service provider materially relies on a non-IP network for the
provision of such service or calls. We also interpret “until a call authentication protocol has been developed . . . and
is reasonably available” to be a statutorily-defined “reasonable period of time” for the purposes of this extension.
Id. §§ 4(b)(5)(B), 4(b)(5)(A)(ii).
259

260

First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3279, para. 86.

261

TRACED Act § 4(b)(5)(A)(ii).

35

Federal Communications Commission

FCC 20-136

an important effect”262 and, consistent with our call-by-call interpretation of the TRACED Act, we
proposed to read “reli[ance]” with reference to the particular portion of the network in question.263 We
adopt these proposed interpretations, which received no opposition in the record, and we therefore
consider reliance on a non-IP network as material if that portion of the network is incapable of using
SIP.264 Put another way, if a SIP-incompatible portion of a voice service provider’s network is used for
the provision of voice service, that portion of the network is eligible for an extension of the
implementation deadline. The record reflects support for this interpretation.265 We acknowledge the
concerns raised by AT&T and others regarding the prevalence of non-IP networks,266 and find that their
prevalence only increases the importance of taking action to encourage widespread caller ID
authentication across all networks while the IP transition is ongoing.
68.
Duration of Extension. The TRACED Act directs that the non-IP extension shall end
once “a call authentication protocol has been developed for calls delivered over non-[IP] networks and is
reasonably available.”267 In determining whether a caller ID authentication protocol meets this standard,
we adopt the test proposed by Alaska Communications, with some modifications. Consistent with Alaska
Communications’ proposal, we conclude that a caller ID authentication protocol “has been developed” if
we determine that the protocol is fully developed and finalized by industry standards.268 We agree with

Cambridge Dictionary, Material, https://dictionary.cambridge.org/us/dictionary/english/material (last visited
Sept. 3, 2020).
262

263

First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3279, para. 86.

Id. Comcast argues that we should refrain from “applying new regulatory mandates to the entire voice industry,”
and should instead “consider[] a provider’s efforts to transition to IP . . . when determining whether to grant or
renew a limited extension of the STIR/SHAKEN implementation deadlines.” Comcast Reply at 3. We decline to
take this approach, as we believe the approach we take today—imposing a broad mandate and granting an extension
where necessary—better comports with the TRACED Act’s mandatory extension for providers that “materially rely”
on non-IP technology.
264

See Alaska Communications Reply at 6 (“[We] agree with the Commission’s proposal to grant an extension
under this provision ‘for those portions of a voice service provider’s network that rely on technology that cannot
initiate, maintain, and terminate SIP calls.’”). After noting that our definition’s scope is consistent with the concept
of material reliance, AT&T suggests that we add to our definition of “non-[IP] network” “all ‘TDM in the middle’
services—that is, those utilizing TDM switching/transport as well as those exchanged over TDM interconnection
points.” AT&T Comments at 11. We decline to do so because we are only obligated under the TRACED Act to
provide extensions for originating and terminating voice service providers, and not intermediate providers. See First
Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3278, para. 83. We also note that
the rules we adopt today regarding intermediate providers only apply to networks which support SIP signaling.
265

266

AT&T Comments at 11; see also NTCA Comments at 13.

TRACED Act § 4(b)(5)(B). We also note that the TRACED Act grants us the authority to limit or terminate any
granted non-IP extension if we determine that a voice service provider “is not making reasonable efforts to develop”
a caller ID authentication protocol for non-IP networks. Id. § 4(b)(5)(D). As noted later, we interpret “reasonable
efforts” to mean that a voice service provider is participating, either on its own, in concert with a vendor, or through
a representative, as a member of a working group, industry standards group, consortium, or trade association that is
working to develop a non-IP solution, or actively testing such a solution.
267

By “fully developed” and “finalized” we do not require that the protocol must have achieved a status whereby no
future development or progress is possible. Under that interpretation, the STIR/SHAKEN framework itself would
not meet this standard. Instead, our standard does not foreclose the possibility of further development and
improvement, but would only determine a protocol has been developed if at least all fundamental aspects of the
protocol which enable its effectiveness are standardized by industry, and the protocol is implementable by voice
service providers.
268

36

Federal Communications Commission

FCC 20-136

commenters that such a protocol must be standards-based and ready for implementation.269 We also find
that a caller ID authentication protocol is “reasonably available” if the underlying equipment and software
necessary to implement such protocol is available on the commercial market.270 We believe this approach
is a workable and clear standard, and has support from the record.271 And as we have explained, we adopt
the same standard for determining whether a caller ID authentication protocol is “effective” for purposes
of our mandate on non-IP networks, ensuring a harmonious approach to our rules regarding non-IP caller
ID authentication technology. Alaska Communications suggests that we adopt an additional requirement
for determining whether a caller ID authentication protocol is “reasonably available.”272 Specifically,
Alaska Communications suggests that the “knowledge, training, and expertise necessary to operate the
equipment and implement the standard [must be] sufficiently widespread among the small, rural, and
other non-IP service providers” in receipt of an extension in order for the standard to be “reasonably
available.”273 We decline to adopt this requirement because doing so could create a perverse incentive for
voice service providers to be willfully ignorant of newly developed protocols so as to prolong an
extension. It also would require an unreasonably complicated inquiry into the knowledge and practices of
numerous small voice service providers. We further find such a requirement to be unnecessary ex ante
without a specific protocol and associated requirements in front of us.
69.
As we explained in the context of the mandate on non-IP networks, we will continue to
monitor industry progress towards the development of a non-IP caller ID authentication solution. If we
find after providing notice and an opportunity for comment that a non-IP solution meets these criteria, we
will both modify the non-IP implementation mandate and phase out the non-IP implementation extension
to account for this new solution. Cooperative Telephone Company suggests that we grant a limited fiveyear extension of the June 30, 2021, deadline for implementing a caller ID authentication framework “for
those service providers currently using a TDM network that have less than 1,000 subscriber lines.”274
Cooperative Telephone Company argues that such small and rural telephone companies have “scarce
resources” which would not cover both the demands of their customers and new regulations for non-IP
technology.275 We decline to do so given that such an extension would not be consistent with the
timeframe that Congress established in the TRACED Act for the non-IP extension—which is to last until

See, e.g., Alaska Communications Reply at 7 (“[T]he Commission could consider the statutory criteria met only
when . . . the standards for implementing call authentication in non-IP networks have been fully developed and
finalized by industry standard-setting bodies . . . .”); USTelecom Reply at 5 (“The Commission should continue to
incentivize full standards-based solutions that have been sufficiently vetted and agreed to by industry, particularly
for calls on legacy networks.”). Although some commenters advocate for mandating out-of-band STIR, see, e.g.,
Neustar Comments at 8-9, TransNexus Comments at 9, we find that this solution is not yet standardized. We thus
conclude that, at this time, no caller ID authentication protocols exist which have been developed and are reasonably
available for calls delivered over non-IP networks.
269

See Alaska Communications Reply at 7. We decline to adopt Alaska Communications’ requirement that the
underlying equipment and software be “widely available and affordable on the commercial market,” because the
terms “widely” and “affordable,” in the context of sophisticated businesses negotiating for specialized equipment
and software, are too broad and indefinite to administer readily; and Alaska Communications does not provide
enough further guidance on these terms to adopt them as part of a workable standard.
270

271

See id.

272

See id.

273

Id.

CTC Comments at 3-4. While Cooperative Telephone Company uses the word “exemption” in its filed
comments, we understand it to be asking for an extension given the requested five-year duration, rather than an
exemption under section 4(b)(2) of the TRACED Act. See TRACED Act § 4(b)(2).
274

275CTC

Comments at 4.

37

Federal Communications Commission

FCC 20-136

a non-IP solution becomes reasonably available—not for a fixed period of years.276 Alaska
Communications suggests that we “grant a permanent exemption for the few non-SS7-connected switches
remaining” because such switches are unique.277 We find adopting this proposal unnecessary at this time.
In the absence of a developed solution, we are not yet in a position to determine whether any technical
exceptions could be necessary and appropriate.
70.
Obligations of Voice Service Providers Receiving an Extension. The TRACED Act
provides that we should limit or terminate an extension of compliance if we determine in a future
assessment that a voice service provider “is not making reasonable efforts to develop the call
authentication protocol” for non-IP networks.278 To be consistent with our approach in mandating that
voice service providers take “reasonable measures” to implement an effective caller ID authentication
framework in the non-IP portions of their networks, we find that a voice service provider satisfies the
“reasonable efforts” requirement under section 4(b)(5)(D) if it is able to provide the Commission, upon
request, with documented proof that it is participating, either on its own, in concert with a vendor, or
through a representative, as a member of a working group, industry standards group, consortium, or trade
association that is working to develop a non-IP solution, or actively testing such a solution.279 We also
conclude this requirement both promotes the IP transition and encourages the development of a non-IP
authentication solution for the benefit of those networks that cannot be speedily or easily transitioned.280
3.

Reevaluating Granted Extensions

71.
Section 4(b)(5)(F) of the TRACED Act requires us annually to reevaluate and revise as
necessary any granted extension, and “to issue a public notice with regard to whether such [extension]
remains necessary, including why such [extension] remains necessary; and when the Commission expects
to achieve the goal of full participation.”281 As we proposed in our First Caller ID Authentication Report
and Order and Further Notice,282 we direct the Bureau to reevaluate the extensions we have established
annually, and to revise or extend them as necessary.283 We adopt this proposal because the Bureau is in
the best position to undertake this fact-intensive and case-by-case evaluation, particularly in the context of
evaluating extensions for undue hardship. Pursuant to the TRACED Act, we direct the Bureau to issue a
Public Notice seeking comment to inform its annual review and consider the comments it receives before
issuing a Public Notice of its decision as to whether to revise or extend an extension.284 The record

276

TRACED Act § 4(b)(5)(B).

277

Alaska Communications Reply at 8-10.

278

TRACED Act § 4(b)(5)(D).

See CTIA Comments at 17-18 (“[T]he Commission should interpret the ‘reasonable efforts’ requirement flexibly
and consider a range of efforts to be reasonable.”); USTelecom Comments at 18 (suggesting that we not adopt
specific requirements for “reasonable efforts,” as voice service providers “are actively working in good faith and
industry should be provided flexibility to develop solutions for TDM and non-IP authentication”).
279

280

See NTCA Comments at 20.

281

TRACED Act § 4(b)(5)(F).

282

First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3281, para. 91.

283

TRACED Act § 4(b)(5)(F).

284

TRACED Act § 4(b)(5)(F)(iii).

38

Federal Communications Commission

FCC 20-136

reflects support, and no opposition, for this reevaluation process.285
72.
Scope of Bureau’s Authority. We permit the Bureau to decrease, but not to expand, the
scope of entities that are entitled to a class-based extension based on its assessment of burdens and
barriers to implementation. Specifically, if the Bureau concludes in its review that a class-based
extension should be extended beyond the original end date set by the Commission, it may choose to do so
for all or some recipients of the extension, as it deems appropriate, based on its assessment and after
providing notice and an opportunity for comment. As suggested by ACA Connects, we clarify that the
Bureau may not, however, terminate an extension for some or all recipients prior to the extension’s
originally set or newly extended end date.286
73.
Assessment of Burdens and Barriers. The TRACED Act directs the Commission to
assess burdens and barriers to implementation by December 30, 2020, and “as appropriate thereafter.”287
We find it appropriate to reassess burdens and barriers to implementation by voice service providers that
we granted an extension in conjunction with evaluating whether to maintain, modify, or terminate the
extension.288 Accordingly, we direct the Bureau to assess burdens and barriers to implementation faced
by those categories of voice service providers subject to an extension when it reviews those extensions on
an annual basis or on petition. Coordinating an assessment of burdens and barriers to implementation
with our extension reevaluations will inform the Bureau’s decision to extend or revise any granted
extensions. It will also provide a basis for the Bureau to revise the scope of entities that are entitled to an
extension. We find that aligning the periodic reassessment of burdens and barriers to implementation
with any review of extensions is the best reading of the relevant statutory language. We read
“appropriate” in this section to tie the timing of our future assessments to our annual extension
reevaluations.289 We received no comments in the record to our proposal in this regard.290
4.

Robocall Mitigation Program

74.
Section 4(b)(5)(C)(i) of the TRACED Act directs us to require any voice service provider
that has been granted an extension to implement, during the time of the extension, “an appropriate
robocall mitigation program to prevent unlawful robocalls from originating on the network of the
provider.”291 In the First Caller ID Authentication Report and Order and Further Notice, we sought
comment on USTelecom’s proposal to obligate voice service providers to file certifications describing

See, e.g., ACA Connects Comments at 7 (“We thus support the Commission’s proposal that the Wireline
Competition Bureau [] reexamine the small provider deadline extension within one year of the Commission granting
it and that the Bureau extend the deadline if appropriate, as the TRACED Act contemplates.”); Consumer Reports,
Consumer Action, Consumer Federation of America, and National Consumer Law Center Reply, WC Docket Nos.
17-97 and 20-67, at 7 (rec. May 29, 2020) (Consumer Groups Reply) (“The FCC should . . . invite public comment
on these reviews.”); see also Consumer Reports et al. Comments, EB Docket No. 20-22, at 5 (rec. July 3, 2020).
285

See ACA Connects Comments at 7-8 (“[T]here could be no justification for cutting the deadline short, whether at
the Bureau or Commission level, [because] such a decision would frustrate small providers’ reasonable expectations
in a way that could leave them far worse off than had the Commission never granted an extension in the first
place.”). We reiterate that, while we do not permit the Bureau to terminate any extension early under section
4(b)(5)(F), non-IP extensions are still subject to early termination under section 4(b)(5)(D), if the Bureau determines
that a voice service provider in receipt of an extension “is not making reasonable efforts to develop [a] call[er ID]
authentication protocol” for non-IP networks. TRACED Act § 4(b)(5)(D).
286

287

TRACED Act § 4(b)(5)(A)(i).

288

See id. § 4(b)(5)(F).

289

Id. § 4(b)(5)(A).

290

See First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3275, para. 74.

291

TRACED Act § 4(b)(5)(C)(i).

39

Federal Communications Commission

FCC 20-136

their robocall mitigation programs in lieu of a prescriptive approach.292 In today’s Report and Order, we
adopt this proposal and give voice service providers the flexibility to decide the specific contours of an
effective robocall mitigation program that best suits the needs of their networks and customers. We
additionally create a certification process and database to aid in enforcement efforts and prohibit
intermediate providers and terminating voice service providers from accepting voice traffic from voice
service providers not listed in the database. These steps will ensure that the only voice traffic to traverse
voice networks in the U.S. is from those voice service providers that have either fully implemented
STIR/SHAKEN on their entire networks or that have implemented a robocall mitigation program on
those portions of their networks that are not STIR/SHAKEN-enabled.
75.
Providers Subject to the TRACED Act’s Robocall Mitigation Program Requirement.
Based on the statutory text, we read the requirement to implement a robocall mitigation program to apply
to all voice service providers that receive an extension on the basis of undue hardship or material reliance
on a non-IP network.293 The record reflects support for this approach.294 Securus argues that we should
not impose a robocall mitigation program requirement on voice service providers—even voice service
providers granted an extension—whose networks uniquely pose “nearly zero” risk of originating high
volumes of illegal robocalls.295 We decline to adopt this suggestion because the TRACED Act obligates
us to require “any provider subject to such [extension to] implement an appropriate robocall mitigation
program.”296 Neustar recommends that we require “all voice service providers [to] utilize robocall
mitigation solutions, regardless of whether they implement STIR/SHAKEN in their networks,”297 and
ZipDX argues that providers which have implemented STIR/SHAKEN should institute robocall
mitigation programs for any calls they authenticate with C-level attestation.298 We decline to adopt these
suggestions. We agree with commenters that under the TRACED Act robocall mitigation “is intended to
be an interim approach for addressing potential unlawful robocalls until the provider has implemented

292

First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3281, para. 92.

The TRACED Act states that extensions for material reliance on a non-IP network are “[s]ubject to
subparagraphs (C) through (F),” and paragraph (C)(i) sets forth the robocall mitigation program requirement.
TRACED Act §§ 4(b)(5)(B), 4(b)(5)(C)(i).
293

See, e.g., CTIA Comments at 15 (“The Commission is also right to require providers that are granted an
extension to implement appropriate robocall mitigation programs.”); id. at 20 (“CTIA supports this proposal to
require voice service providers that receive an extension on any basis to implement an appropriate robocall
mitigation program.”).
294

295

Securus Reply at 4-5; see also AT&T Comments at 27-28.

296

TRACED Act § 4(b)(5)(C).

297

Neustar Comments at 5; see also USTelecom Sept. 18 Ex Parte at 2-4 (arguing same).

Letter from David Frankel, ZipDX LLC, to Marlene H. Dortch, Secretary, FCC, WC Docket No. 17-97, at 4-5
(filed Sept. 17, 2020) (ZipDX Ex Parte). ZipDX also argues that we should require voice service providers to
document and share with the Commission information on how they assign the A-, B-, or C-level attestations.
ZipDX Ex Parte at 4. We decline to adopt such a reporting requirement at this time, as we have no reason to believe
the existing mechanisms for policing use of attestation levels within the STIR/SHAKEN framework are insufficient.
See STI-Governance Authority, STI-Participant Agreement, Service Provider at 6, https://sti-ga.atis.org/wpcontent/uploads/2020/04/STI-PA_Service_Provider_Agreement.pdf (last visited Sept. 23, 2020) (including as a
requirement to participation in the STIR/SHAKEN system that voice service providers “shall not sign any telephone
calls that do not meet the levels of attestation in the ATIS SHAKEN Specifications.”); see also ATIS-1000074-E
§ 5.3.2 at 9 (noting that while a voice service provider may develop its own local policy for ensuring their
appropriate use of the attestation levels, their reputation may be dependent on the rigorousness of the process they
develop).
298

40

Federal Communications Commission

FCC 20-136

STIR/SHAKEN.”299 While USTelecom argues we can find authority under other provisions of the Act,300
we need not reach that issue. First, regardless of whether we could rely on an alternative source of
authority, we find it appropriate to defer to Congress’s recent, specific guidance on the subject.301
Moreover, while USTelecom argues that such a requirement “will provide benefits independent of call
authentication solutions, including before and after full deployment of such solutions,”302 we find such a
requirement to be inappropriate at this juncture. We cannot yet know whether requiring voice service
providers to expend additional resources on robocall mitigation even after STIR/SHAKEN
implementation would be an efficient use of their resources, and we do not wish to place additional
burdens on voice service providers already working to comply with the June 30, 2021, STIR/SHAKEN
implementation deadline. We will revisit this conclusion if we determine that additional robocall
mitigation efforts are necessary in addition to STIR/SHAKEN after the caller ID authentication
technology is more widespread.
76.
Robocall Mitigation Program Requirements. The TRACED Act directs us to require all
voice service providers granted an extension—whether on the basis of undue hardship or material reliance
on a non-IP network—to “implement an appropriate robocall mitigation program to prevent unlawful
robocalls from originating on the[ir] network[s].”303 As suggested by USTelecom, we require voice
service providers subject to an extension to “take[] reasonable steps to avoid originating illegal robocall

Noble Systems Reply at 9; see also id. at 10 (“Congress did not see a need to require carriers to deploy a robocall
mitigation program in addition to deploying STIR/SHAKEN, but only as an interim solution. The Commission
should not unilaterally extend this mandate to those carriers meeting the STIR/SHAKEN mandate.”); ACA
Connects Comments at 8 (“[T]he ‘robocall mitigation program’ at issue is intended to serve as a bridge for providers
that the Commission has determined are not yet capable of implementing STIR/SHAKEN.”). Consistent with this
view, in the case of voice service providers that have neither complied with the STIR/SHAKEN mandate by June
30, 2021, nor are subject to any extension, we expect such noncompliant voice service providers to implement
robocall mitigation on the non-STIR/SHAKEN-enabled portions of their networks. Doing so does not free the
provider from enforcement of its violation of our STIR/SHAKEN implementation mandate, but will protect
consumers by ensuring that no portion of the voice network is left without an implementation of either caller ID
authentication or a robocall mitigation program.
299

300

USTelecom Sept. 18 Ex Parte at 3-4.

TRACED Act § 4(b)(5)(C)(i) (“During the time of a[n extension] granted under subparagraph (A)(ii), the
Commission shall require . . . that any provider subject to such [extension] shall implement an appropriate robocall
mitigation program. . . ”). In contrast, the TRACED Act is silent with respect to intermediate providers and
STIR/SHAKEN.
301

302

USTelecom Sept. 18 Ex Parte at 4.

303

TRACED Act § 4(b)(5)(C)(i).

41

Federal Communications Commission

FCC 20-136

traffic.”304 With one exception noted below, we find that a non-prescriptive approach to robocall
mitigation requirements gives voice service providers “the flexibility to react to traffic trends they view
on their own networks and react accordingly.”305 This approach also allows voice service providers to
innovate and “draw from the growing diversity and sophistication of anti-robocall tools and approaches
available.”306
77.
We require voice service providers subject to an extension to document and publicly
certify how they are complying with these requirements. We find that such a requirement will encourage
voice service providers to ensure that they are taking “reasonable steps.” We have previously found that
requiring self-evaluation is an effective means of promoting compliance with our rules.307 Such a
requirement also enables us to evaluate a voice service provider’s “reasonable steps” to determine
whether they are sufficient. This public certification requirement will facilitate our ability to enforce a
Letter from Farhan Chughtai, Director, Policy & Advocacy, USTelecom, to Marlene H. Dortch, Secretary, FCC,
CG Docket No. 17-59, WC Docket No. 17-97, Attach. at 4 (filed Mar. 6, 2020) (USTelecom March 6 Ex Parte).
USTelecom outlines examples of such “reasonable steps,” which could include “[a]nalyz[ing] high-volume voice
network traffic to identify and monitor patterns consistent with robocall campaigns,” “[a]nalyz[ing] traffic for
patterns indicative of fraudulent calls—for example, identifying short duration calls with low completion rates,” and
“[t]ak[ing] reasonable steps to confirm the identity of new commercial VoIP customers by collecting information
such as physical business location, contact person(s), state or country of incorporation, federal tax ID, and the
general nature of the customer’s business.” USTelecom Comments at 8; see also TNS Comments at 7 (“TNS
supports those elements, but urges the Commission to recognize the value that reasonable call analytics has in
identifying and mitigating unlawful robocalls.”). We decline to opine at this time on whether such practices meet
our sufficiency standard, so as to promote experimentation with a wide variety of practices by voice service
providers in their robocall mitigation programs.
304

In a different proceeding, we propose requiring voice service providers to respond to traceback requests, mitigate
illegal traffic when notified of such traffic, and take affirmative, effective measures to prevent new and renewing
customers from using their networks to originate illegal calls; we also seek comment on whether we should
prescribe specific steps. See 2020 Call Blocking Order, 35 FCC Rcd at 7644-45, paras. 95-102. As our action in
this proceeding is concerned with implementing section 4(b)(5)(C) of the TRACED Act, we do not preclude the
possibility of requiring all voice service providers to take affirmative, effective measures to prevent the origination
of unlawful calls—whether specific or not—pursuant to different legal authority, such as section 201(b) of the
Communications Act of 1934, as amended.
NTCA Comments at 22; see also CCA Comments at 6 (contending that “providers will be in a better position to
incorporate mitigation practices that work best for their unique networks, and that may overlap and further the
development of their future caller ID authentication framework”); Neustar Comments at 7 (“Robocall mitigation
solutions can also adapt to future spoofing technologies to help quickly identify and address new schemes.”).
305

CTIA Comments at 16. In a separate proceeding, we proposed requiring voice service providers to take
affirmative, effective measures to prevent new and renewing customers from using their networks to originate illegal
calls, and seek comment on whether we should prescribe specific steps. See 2020 Call Blocking Order, 35 FCC Rcd
at 7645, paras. 101-102. As our analysis here is concerned with implementing section 4(b)(5)(C) of the TRACED
Act, we do not preclude the possibility of requiring all voice service providers to take affirmative, effective
measures to prevent the origination of unlawful calls—whether specific or not—pursuant to different legal authority,
such as section 201(b) of the Act.
306

In the rural call completion context, the Commission adopted a rule requiring covered providers to monitor the
rural call completion performance of the calls they pass on to intermediate providers, and take action to address poor
performance. See Rural Call Completion, WC Docket No. 13-39, Second Report and Order and Third Further
Notice of Proposed Rulemaking, 33 FCC Rcd 4199, 4205, para. 15 (2018). We concluded that such a monitoring
rule “will ensure better call completion to rural areas by covered providers, . . . reduce the necessity for enforcement
action, and aid our enforcement efforts when needed.” Id. at 4205, para. 16 n.46. See also Implementation of the
Telecommunications Act of 1996: Telecommunications Carriers’ Use of Customer Proprietary Network Information
and Other Customer Information; IP-Enabled Services, CC Docket No. 96-115, WC Docket No. 04-36, Report and
Order and Further Notice of Proposed Rulemaking, 22 FCC Rcd 6927, 6953, para. 51 (2007).
307

42

Federal Communications Commission

FCC 20-136

prohibition on intermediate providers and terminating voice service providers from accepting voice traffic
from voice service providers with insufficient or ineffective robocall mitigation programs.
78.
While we adopt a non-prescriptive approach to voice service providers’ robocall
mitigation programs, we find it necessary to articulate general standards, both to guide voice service
providers in preparing their programs and to ensure that the statutory obligation to implement a robocall
mitigation program is enforceable. We clarify that a robocall mitigation program is sufficient if it
includes detailed practices that can reasonably be expected to significantly reduce the origination of
illegal robocalls.308 In addition, for its mitigation program to be sufficient, the voice service provider
must comply with the practices it describes. We will also consider a mitigation program insufficient if a
provider knowingly or through negligence serves as the originator for unlawful robocall campaigns.309 At
the same time, we agree with Verizon that “different types of network providers should have different
types of robocall mitigation programs,”310 and we welcome voice service providers adopting approaches
that are innovative, varied, and adapted to their networks.
79.
The record also convinces us that participation in industry traceback efforts is of utmost
importance in the absence of STIR/SHAKEN implementation.311 To that end, we require voice service
providers, as part of their robocall mitigation programs, to commit to cooperating with the Commission,
law enforcement, and the industry traceback consortium in investigating and stopping any illegal
robocallers that it learns are using its service to originate calls.312 We find that this baseline requirement
to participate in traceback efforts is a necessary aspect of any attempt to mitigate illegal robocalls, as it
permits voice service providers and enforcement agencies to identify illegal robocallers and prevent them
from further abusing the voice network.313 Without a means to identify and bring enforcement actions
against the sources of illegal robocalls, such bad actors will continue their operations unchecked and
emboldened. We underscore that this is a necessary, but not sufficient, component of a voice service
provider’s robocall mitigation program which, as we have explained, must include other steps to ensure
that a provider is not the source of illegal robocalls.
80.
We decline at this time to impose other more prescriptive requirements for robocall
mitigation programs, such as mandating an analytics-based robocall mitigation program, as proposed by

This is not to say that a voice service provider may not engage in practices, as part of its robocall mitigation
program, that are experimental or cutting edge, and whose effectiveness is not yet proven. Rather, we encourage
industry experimentation and only require that robocall mitigation programs include proven practices alongside
experimental ones. See, e.g., CTIA Comments at 22 (“Given this evolving ecosystem of anti-robocall tools, the
mitigation program requirement should allow market forces to drive providers toward an appropriate solution for
their network and customer base. Any requirements should be flexible and promote continued development and
innovation.”).
308

We decline to adopt ZipDX’s proposal that a robocall mitigation program merely be “effective” because ZipDX
provides no elaboration of how to define the term, and we think the more detailed requirement we adopt will be both
clearer and more successful than a non-specific “effective” standard. Cf. ZipDX Ex Parte at 4.
309

310

Verizon Comments at 4; see also CTIA Comments at 22.

See CTIA Comments at 23; NTCA Comments at 21 (“[T]his [certification] approach must be centered around
voice service providers’ cooperation with both law enforcement and industry ‘traceback’ efforts.”); Consumer
Groups Reply at 7; Noble Systems Reply at 9-10 (“[A]t a minimum, service providers that are required to implement
this form of robocall mitigation should at a minimum designate individuals able to respond to requests from the
Traceback Consortium.”); USTelecom March 6 Ex Parte, Attach. at 4.
311

See USTelecom March 6 Ex Parte, Attach. at 4. We underscore that this requirement does not supersede any
existing legal processes. USTelecom Sept. 18 Ex Parte at 7-8. We also encourage law enforcement to make
traceback requests through the industry traceback consortium. Id.
312

313

See, e.g., CTIA Comments at 23.

43

Federal Communications Commission

FCC 20-136

Transaction Network Services,314 or know-your-customer policies, as suggested by Consumer Groups.315
While we acknowledge that such practices and policies may be effective aspects of a robocall mitigation
program316—and we encourage voice service providers to incorporate them into their own robocall
mitigation programs—we decline specifically to mandate them, as we agree with commenters that argue
that there is no one-size-fits-all robocall mitigation solution that accounts for the variety and scope of
voice service provider networks.317 For example, a small voice service provider with few subscribers may
not have a need to implement comprehensive analytics given its small size. Similarly, a voice service
provider with limited means may choose a solution suited to its budget and business model.318 We also
decline Neustar’s suggestion that we “ensure that providers implement robocall mitigation solutions for
both originating and terminating calls.”319 The TRACED Act’s mandate plainly requires only robocall
mitigation programs that “prevent unlawful robocalls from originating on the network of the provider.”320
81.
Deficient Robocall Mitigation Programs. If we find that our non-prescriptive approach
to robocall mitigation is not satisfactorily stemming the origination of illegal robocalls, we agree with
NTCA and Verizon that we should be ready to impose more prescriptive obligations on any voice service
provider whose robocall mitigation program has failed to prevent high volumes of illegal robocalls.321
We thus direct the Enforcement Bureau to prescribe more specific robocall mitigation obligations for any
voice service provider it finds has implemented a deficient robocall mitigation program. Such robocall
mitigation obligations would be chosen as appropriate to resolve the specific voice service provider’s
prior shortcomings. In such instances, the Enforcement Bureau will release an order explaining why a
particular mitigation program is deficient and, among other things, prescribe the new obligations needed
to rectify those deficiencies, including any milestones or deadlines. We find that action by the
Enforcement Bureau is appropriate in responding to issues on a case-by-case basis.322 If we find that our
non-prescriptive approach to robocall mitigation programs is falling short on a widespread basis, we will
not hesitate to revisit the obligations we impose through rulemaking at the Commission level.
82.
Voice Service Provider Certification and Database. To promote transparency and
effective robocall mitigation, we require all voice service providers—not only those granted an
extension—to file certifications with the Commission regarding their efforts to stem the origination of

TNS Comments at 7-8 (“Because of the benefits that these services can provide, the Commission should require
that a service provider receiving an extension implement call analytics as a part of its robocall mitigation
program.”).
314

Consumer Groups Reply at 5-6 (“Requiring the phone companies to know who their customers
are . . . would . . . reduce the amount of fraudulent traffic in the system.”); see also Consumer Reports et al.
Comments, EB Docket No. 20-22, at 3-5 (rec. July 3, 2020) (suggesting that we mandate various practices on all
voice service providers including know-your-customer procedures and record-keeping).
315

TNS Comments at 8 (“Reasonable call analytics can supplement other measures a service provider may take to
identify problematic traffic (including ‘know your customer’ practices) by providing additional information from
dozens of other sources. Reasonable call analytics services are widely available from multiple vendors, many of
which offer low-investment services that can be deployed in smaller networks at a reasonable cost.”).
316

See CCA Comments at 6 (advocating for allowing voice service providers “to incorporate mitigation practices
that work best for their unique networks”).
317

318

See, e.g., CCA Comments at 5-6; ACA Comments at 8.

319

Neustar Comments at 6.

320

TRACED Act § 4(b)(5)(C)(i) (emphasis added).

321

See NTCA Comments at 23; Verizon Comments at 3-4.

As part of the penalties it may impose, the Enforcement Bureau may de-list a voice service provider from the
robocall mitigation database we establish. See ZipDX Ex Parte at 4.
322

44

Federal Communications Commission

FCC 20-136

illegal robocalls on their networks. Specifically, as proposed by USTelecom,323 and with the support of
all parties that commented on the issue in the record,324 we require all voice service providers to certify
that their traffic is either “signed with STIR/SHAKEN or . . . subject to a robocall mitigation program”
that includes “tak[ing] reasonable steps to avoid originating illegal robocall traffic,” and committing to
cooperating with the Commission, law enforcement, and the industry traceback consortium in
investigating and stopping any illegal robocallers that it learns are using its service to originate calls.325
For those voice service providers that certify that some or all of their traffic is “subject to a robocall
mitigation program,” we require such voice service providers to detail in their certifications the specific
“reasonable steps” that they have taken “to avoid originating illegal robocall traffic.”326 This requirement
will promote transparency and accountability in light of our non-prescriptive approach to the robocall
mitigation program requirements. While only voice service providers with an extension will be obligated
to implement a robocall mitigation program, we impose the certification requirement on all voice service
providers because doing so will help us and others to hold all voice service providers accountable for the
voice traffic they originate, and give us and others a snapshot of the progress of STIR/SHAKEN
implementation and the variety of robocall mitigation practices adopted by voice service providers.327
83.
Voice service providers must file certifications via a portal on the Commission’s website
that we will establish for this purpose. We will also establish a publicly accessible database in which we
will list such certifications. Establishing a database will aid in monitoring compliance with our robocall
mitigation requirement and facilitate enforcement action should such action be necessary.328 We direct
the Bureau to establish this portal and database, provide appropriate filing instructions and training
materials, and release a Public Notice when voice service providers may begin filing certifications. We
direct the Bureau to release this Public Notice no earlier than March 30, 2021, and to establish a deadline
for the filing of certifications no earlier than June 30, 2021.329 We also direct the Bureau to issue
guidance and a protective order regarding the treatment of any confidential and highly confidential
information included in certifications. We do so to protect voice service providers that are worried that
public disclosure of their robocall mitigation programs may give bad actors the information they need to
undermine their programs, or necessitate disclosure of competitively sensitive information. If we find
that a certification is deficient in some way, such as if the certification describes a robocall mitigation
USTelecom March 6 Ex Parte, Attach. at 3-4; see also First Caller ID Authentication Report and Order and
Further Notice, 35 FCC Rcd at 3281-82, para. 92.
323

See, e.g., AT&T Comments at 27 (“Every provider should be required to certify, for all traffic not signed with
STIR/SHAKEN, that it has an appropriate robocall mitigation program designed to prevent the origination of illegal
calls and has measures in place to identify if its network is being used to generate such illegal calls, and to quickly
mitigate such activity once detected.”).
324

325

USTelecom March 6 Ex Parte, Attach. at 3-4.

326

Id.

Cf. Restoring Internet Freedom, WC Docket No. 17-108, Declaratory Ruling, Report and Order, and Order, 33
FCC Rcd 311, 435, 439, paras. 209, 217 (2018) (finding that transparency enables public scrutiny which incentivizes
good practices by businesses such as Internet service providers).
327

See Verizon Comments at 5 (“The Commission can use the registry not only to monitor compliance with its
STIR/SHAKEN and robocall program mandates, but also to take corrective actions against service providers whose
robocall mitigation programs or STIR/SHAKEN practices are found to be deficient.”).
328

Verizon argues that we “need not wait until 2021 to establish a registry with a certification requirement and issue
rules imposing robocall mitigation obligations on all traffic originated by any service provider.” Verizon Comments
at 6. We disagree and instead find it appropriate to harmonize this requirement—which is tied by statute to
receiving an extension from the STIR/SHAKEN implementation mandate—to the date the STIR/SHAKEN mandate
goes into effect. However, we agree with Verizon that “consumers should get the benefits of the registration
framework and the robocall mitigation rules this year,” id. at 6, and encourage providers to take efforts toward
robocall mitigation as soon as possible.
329

45

Federal Communications Commission

FCC 20-136

program that is ineffective,330 or if we find that a provider nonetheless knowingly or negligently
originates illegal robocall campaigns, we may take enforcement action as appropriate. Enforcement
actions may include, among others, removing a defective certification from the database after providing
notice to the voice service provider and an opportunity to cure the filing, or requiring the voice service
provider to submit to more specific robocall mitigation requirements, and/or imposition of a forfeiture.331
84.
We also require voice service providers filing certifications to provide the following
identification information in the portal on the Commission’s website:
(1) the voice service provider’s business name(s) and primary address;
(2) other business names in use by the voice service provider;
(3) all business names previously used by the voice service provider;
(4) whether a voice service provider is a foreign voice service provider; and
(5) the name, title, department, business address, telephone number, and email address of a
central point of contact within the company responsible for addressing robocall-mitigation-related
issues.
85.
This information will be made publicly available in the database, and reporting such
information presents a minimal burden on voice service providers.332 We find that requiring a voice
service provider to report contact information for the person responsible for addressing robocallmitigation-related issues will facilitate inter-provider cooperation and enforcement actions should issues
arise.333 We also require voice service providers to submit to the Commission via the appropriate portal
any necessary updates to the information they filed in the certification process within 10 business days.334
This requirement will ensure that we and all voice service providers have up-to-date data without
overburdening voice service providers with unnecessary filings.
86.
Obligations on Intermediate Providers and Terminating Voice Service Providers. As
suggested by multiple commenters,335 we prohibit intermediate providers and terminating voice service
providers from accepting voice traffic directly from any voice service provider that does not appear in the
database, including a foreign voice service provider that uses NANP resources that pertain to the United
States to send voice traffic to residential or business subscribers in the United States.336 Effective 90 days
after the deadline for robocall mitigation program certifications set forth in the Bureau Public Notice
establishing the robocall mitigation database and portal, intermediate providers and terminating voice
330

See, e.g., USTelecom Comments at 9-10.

331

See, e.g., id.

See Rural Call Completion, WC Docket No. 13-39, Third Report and Order and Order, 33 FCC Rcd 8400, 840203, para. 7 (2018) (Third Rural Call Completion Order) (agreeing with record statements that the burden of
requiring providers to input this type of basic information about their company into an intermediate provider registry
was minimal).
332

Cf. id. at 8403, para. 8 (finding that requiring such contact information to be publicly available will “facilitate
inter-provider cooperation to solve and prevent call completion issues”).
333

Cf. id. at 8408, para. 20 (requiring intermediate providers to submit any updates to their registration with the
intermediate provider registry to the Commission within 10 business days).
334

335

See, e.g., USTelecom March 6 Ex Parte, Attach. at 3; Verizon Comments at 5-6.

See, e.g., USTelecom Comments at 7; Verizon Comments at 5-6. ZipDX suggests that we prohibit intermediate
providers and terminating voice service providers from accepting voice traffic from foreign voice service providers
using U.S. numbers unless the foreign voice service provider is listed in the robocall mitigation database and the
domestic provider can provide an A-level attestation for the call. See ZipDX Ex Parte at 3. We decline to take this
approach at this time as industry has not yet coalesced around an approach to A-level attestations for foreignoriginated calls.
336

46

Federal Communications Commission

FCC 20-136

service providers are subject to this prohibition.337 The record reflects support for this requirement.338
87.
We agree with Verizon that, “by prohibiting downstream service providers from
accepting traffic from providers that are not in [the database], the Commission can deny a service
provider access to the regulated U.S. voice network if it determines that the service provider’s
STIR/SHAKEN or robocall mitigation practices are inadequate.”339 In this way, we can police the voice
traffic that voice service providers originate by removing or restoring a voice service provider’s listing on
the database, after providing notice of any certification defects and providing an opportunity to cure.
Furthermore, as voice service providers monitor the database to ensure they remain compliant with our
rules, they must necessarily review the listings of voice service providers with which they interconnect to
ensure that such certifications are sufficient. In so doing, industry continually reviews itself to ensure
compliance with our rules, amplifying the effectiveness of our own review. This rule will further
encourage all voice service providers to implement meaningful and effective robocall mitigation
programs on their networks during the period of extension from the STIR/SHAKEN mandate. In turn,
this rule will help prevent illegal robocall traffic from reaching terminating voice service providers and
their subscribers.340
88.
NTCA and ACA argue that we should require intermediate providers and terminating
voice service providers to give notice to an originating voice service provider whose traffic they will
block because it is not listed in the robocall mitigation database.341 NTCA argues that this will “enable
legitimate providers to cure honest mistakes on their part or ‘glitches’ in the database.”342 We decline to
adopt this suggestion as we find that the framework we adopt provides adequate notice to voice service
providers of the need to file sufficient certifications, including a 90-day period between the deadline for
certifications and the prohibition on intermediate and terminating voice service providers accepting traffic
from originating voice service providers not in the database. Second, adopting this suggestion would
place potentially costly obligations on compliant intermediate providers and terminating voice service
providers to provide adequate notice to noncompliant originating voice service providers. Such compliant
providers may be unable to provide notice for lack of having or being able to obtain a noncompliant
provider’s contact information—opening themselves up to potential enforcement action for lack of
compliance. Lastly, we will give notice and an opportunity to cure to voice service providers whose
certifications are deficient before we take enforcement action such as de-listing the provider from the
database.
See Letter from Sarah K. Leggin, Director, Regulatory Affairs, CTIA, to Marlene H. Dortch, Secretary, FCC,
WC Docket No. 17-97, at 3-4, 4 n.12 (filed Sept. 23, 2020) (CTIA Ex Parte).
337

338

See, e.g., id. at 3-4; USTelecom March 6 Ex Parte, Attach. at 3; Verizon Comments at 5-6.

339

Verizon Comments at 5-6.

To ease compliance with this obligation, we will import all listings from the Intermediate Provider Registry into
the Robocall Mitigation Database on a rolling basis so that all registered intermediate providers are represented
therein. See FCC, Intermediate Provider Registry, https://opendata.fcc.gov/dataset/Intermediate-ProviderRegistry/a6ec-cry4/data (last visited Sept. 3, 2020); Third Rural Call Completion Order, 33 FCC Rcd at 8402-03,
paras. 6-8 (establishing the Intermediate Provider Registry). Because intermediate providers that do not originate
any traffic are not subject to our certification requirements, they would not otherwise be listed in the database. By
affirmatively adding such providers we give intermediate and terminating voice service providers confidence that
any provider not listed in the Robocall Mitigation Database is out of compliance with our rules, rather than leaving
the potential for uncertainty about whether a provider is noncompliant or simply was not required to be included in
the database because it does not originate traffic. A provider that serves as both an intermediate provider and
originating voice service provider must file a certification with respect to the traffic for which it serves as an
originating voice service provider, even if its listing has been imported from the Intermediate Provider Registry.
340

NTCA Ex Parte at 2-3; Letter from Brian Hurley, Vice President of Regulatory Affairs, ACA Connects, to
Marlene H. Dortch, Secretary, FCC, WC Docket No. 17-97, at 3 (filed Sept. 23, 2020).
341

342

Id.

47

Federal Communications Commission

FCC 20-136

89.
We decline to adopt to USTelecom’s proposal that we require intermediate providers to
file a certification to their compliance with this rule.343 We see no clear need to impose a burdensome
belt-and-suspenders paperwork requirement on providers that are already subject to this obligation by
rule. We similarly decline ZipDX’s proposal that intermediate providers must “[i]mplement[] a Robocall
Mitigation Program applicable to calls [they do] not authenticate.”344 Pursuant to the TRACED Act,
robocall mitigation is meant to stem the origination of illegal robocalls, and ZipDX does not explain
specifically how an intermediate provider could itself prevent the origination of illegal robocalls. We find
the rule we establish—whereby intermediate providers are prohibited from accepting traffic from an
originating voice service provider that has not certified to a robocall mitigation program—best leverages
the role of intermediate providers to combat illegal robocalls within our greater robocall mitigation
scheme.
90.
Foreign Voice Service Providers. In the First Caller ID Authentication Report and
Order and Further Notice, we sought comment on mechanisms to combat robocalls originating abroad.345
The record contains several comments expressing support for combating robocalls originating abroad by
requiring foreign voice service providers that wish to appear in the database to follow the same
requirements as domestic voice service providers,346 and we do so today. Thus, foreign voice service
providers that use NANP numbers that pertain to the United States to send voice traffic to residential and
business subscribers in the United States must follow the same certification requirements as domestic
voice service providers in order to be listed in the database. Because we prohibit domestic intermediate
providers and terminating voice service providers from accepting traffic from foreign voice service
providers that use NANP numbers that pertain to the United States and are not listed in the database, we
create a strong incentive for such foreign voice service providers to file certifications.347
91.
We find that this result will encourage foreign service providers to choose to institute
robocall mitigation programs and file certifications to be listed in the database and thus have their traffic
be accepted by domestic intermediate and terminating voice service providers. The measures we adopt
today will also enable foreign voice service providers to continue using U.S. telephone numbers to send
voice traffic to U.S. subscribers under the same certification procedures that will apply to U.S. voice
service providers and thereby help prevent the fraudulent exploitation of NANP resources and reduce the
volume of illegal voice traffic entering the United States. Ensuring that foreign voice service providers
using U.S. telephone numbers comply with the certification requirements prior to being listed in the
database is especially important in light of the prevalence of foreign-originated illegal robocalls aimed at
U.S. consumers and the difficulty in eliminating such calls.348
92.
We find persuasive the argument by ZipDX that the definition in the initially circulated
and publicly released draft Order, which defined “foreign voice service provider” as “any entity that is
authorized within a foreign country to provide international voice service,” was unduly narrow and
excluded non-U.S. providers that do not possess any authorization to provide service from being able to

343

USTelecom Sept. 18 Ex Parte at 4.

ZipDX Ex Parte at 4. This includes intermediate providers acting as domestic gateway providers for foreignoriginated calls. See id. at 3.
344

345

First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3271-72, para. 64.

346

See, e.g., T-Mobile Comments at 6; USTelecom Comments at 5; Verizon Comments at 6-8.

We note for the sake of clarity, however, that we do not require foreign voice service providers to file a
certification; though intermediate providers and terminating voice service providers are prohibited from accepting
traffic from foreign voice service providers who do not appear in the robocall mitigation database.
347

See, e.g., Second Truth in Caller ID Order, 34 FCC Rcd at 7306-07, para. 10 (“As Congress recognized, the
threat to consumers from overseas fraudulent spoofing continues to grow.”).
348

48

Federal Communications Commission

FCC 20-136

file certifications and be listed in the database.349 In response, we revise our rules to establish that an
entity is a “foreign voice service provider” if such entity has the ability to originate voice service that
terminates in a point outside a foreign country or terminate voice service that originates from points
outside that foreign country. Specifically, we define “foreign voice service provider” to mean “any entity
providing voice service outside the United States that has the ability to originate voice service that
terminates in a point outside that foreign country or terminate voice service that originates from points
outside that foreign country.” We find that this approach captures voice traffic originating from a broader
range of foreign voice service providers than the one that initially appeared in the draft.
93.
Under the rules we adopt, foreign voice service providers that use U.S. telephone
numbers to send voice traffic to U.S. subscribers must file the same certification as U.S. voice service
providers in order to be listed in the database. Specifically, to be listed in the database, these providers
must certify either that they have implemented STIR/SHAKEN or comply with the robocall mitigation
program requirements outlined above by “tak[ing] reasonable steps to avoid originating illegal robocall
traffic” and committing to cooperating with the Commission, U.S. law enforcement, and the industry
traceback consortium in investigating and stopping any illegal robocallers that it learns are using its
service to originate calls.350 If we find that a voice service provider’s certification is deficient or the
provider fails to meet the standards of its certification, we will pursue enforcement including de-listing
the provider from the database.351 We further note that, as discussed above, we require voice service
providers—including foreign voice service providers that wish to be listed in the database—to submit to
the Commission any necessary updates regarding any of the information they filed in the certification
process within 10 business days.
94.
Although USTelecom, following circulation and public release of a draft of this Order,
has changed its position and now suggests seeking further comment on this approach, we nevertheless
take action today given the crucial and urgent importance of protecting Americans from illegal and
fraudulent foreign-originated robocalls.352 USTelecom, along with CTIA, suggest that our action today
could result in unforeseen technical issues, or the blocking of legitimate calls.353 ZipDX disagrees with
this suggestion, arguing that any impact that could arise would be minimal and could be promptly
resolved.354 As our rules related to foreign-originated voice traffic that we take today will not begin to
affect such voice traffic until June 2021, we are optimistic that voice service providers will have time to
resolve any identified issues before the deadline.355 Should voice service providers identify concrete
evidence of technical problems or likely blocking of legitimate calls, we encourage them to provide us
such information so that we can consider whether to make any modifications to this rule.
5.

Alternative Methodologies During an Extension

95.
The TRACED Act directs us to “identify, in consultation with small providers of voice
service, and those in rural areas, alternative effective methodologies to protect consumers from
unauthenticated calls during any” extension from compliance with our STIR/SHAKEN implementation

349

Cf. ZipDX Ex Parte at 2.

350

USTelecom March 6 Ex Parte, Attach. at 4.

351

See, e.g., NTCA Comments at 23.

352

See USTelecom Sept. 23 Ex Parte at 1-2; see also CTIA Ex Parte at 4-5.

See USTelecom Sept. 23 Ex Parte at 1; CTIA Ex Parte at 2 & n.7 (“[T]his prohibition could result in consumers
not receiving calls subject to international roaming agreements.”).
353

See Letter from David Frankel, CEO, ZipDX, to Marlene H. Dortch, Secretary, FCC, WC Docket No. 17-97, at 1
(filed Sept. 23, 2020).
354

355

See id.

49

Federal Communications Commission

FCC 20-136

mandate.356 Given that caller ID authentication frameworks are not yet ubiquitous—and thus most calls
that transit U.S. voice networks are unauthenticated—we understand Congress’s concern in this provision
to be about protecting consumers from unauthenticated, illegally spoofed robocalls.357 We therefore
interpret a methodology to be “effective” if it is likely to substantially reduce the volume of illegal
robocalls reaching subscribers.358 We find that this definition tracks the overall purpose of the TRACED
Act which is “to reduce illegal and unwanted robocalls” through various mechanisms.359 We sought
comment in the First Caller ID Authentication Report and Order and Further Notice from small and rural
voice service providers on such alternative effective methodologies.360 The record we received in
response demonstrates that such alternative methodologies either already exist or are in development.361
To fulfill this obligation, we identify the following alternative effective methodologies recommended by
small and rural voice service providers, as well as other commenters:


Innovative Systems reports that its landline call blocking service is “fully developed and currently
installed at 207 landline providers” and, in the last nine years, “has challenged over 19 million
suspected spam calls and blocked another 12 million calls that were from phone numbers off the
FCC’s weekly robocall and telemarketing consumer complaint data reports.”362 It states that
“greater consumer protection can be achieved by having this alternative methodology installed on
all landlines using an opt-out strategy at no cost, versus a purchase to opt-in by the customer.”363



Neustar reports that its robocall mitigation service “helps voice service providers block calls from
illegal robocallers and helps end users identify robocalls . . . . [b]y combining authoritative
data . . . with behavior insights.”364



Transaction Network Services reports that “[c]all analytics have proven successful in identifying
a large number of the problematic calls being transmitted today. . . . Reasonable call analytics are
widely available from multiple vendors, many of which offer low-investment services that can be
deployed in smaller networks at a reasonable cost.”365

TRACED Act § 4(b)(5)(E). The TRACED Act does not specify that voice service providers may substitute such
methods for the robocall mitigation program that it requires, and we read the TRACED Act as merely calling for us
to identify additional options for voice service providers subject to extension that wish to better serve their
customers and the public by going above and beyond their legal obligations.
356

See S. Comm. on Com., Sci., & Transp., Telephone Robocall Abuse Criminal Enforcement and Deterrence Act,
S. Rep. No. 116-41, at 1 (2019).
357

In our 2020 Call Blocking Order, we adopted a safe harbor in our call blocking rules for voice service providers
that use reasonable analytics that include caller ID authentication information to inform their call blocking services.
See 2020 Call Blocking Order, 35 FCC Rcd at 7625, paras. 25-27. We find that these types of call blocking services
would likely reduce the volume of unauthenticated illegal robocalls reaching subscribers, and thus include them in
this definition.
358

S. Comm. on Com., Sci., & Transp., Telephone Robocall Abuse Criminal Enforcement and Deterrence Act, S.
Rep. No. 116-41, at 1 (2019).
359

360

See First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3282, para. 93.

See Colo Telephone Company Reply at 1; Consumer Groups Reply at 7; Innovative Systems Comments, WC
Docket No. 20-67, at 1-2 (rec. May 11, 2020) (Innovative Systems Comments) (“[W]e believe that effective
alternative methodologies are available from vendors to support small and rural voice providers that are in need of a
compliance extension for an all IP and STIR/SHAKEN network.”).
361

362

Innovative Systems Comments at 1.

363

Id. at 2.

364

Neustar Comments at 6.

365

TNS Comments at 7-8.

50

Federal Communications Commission

FCC 20-136

96.
Additionally, the recent call blocking report released by the Consumer and Governmental
Affairs Bureau identified various available effective methodologies for protecting subscribers from illegal
calls, a sample of which is reproduced below:366
Business name

Blocking/labeling
services offered

Estimate on number of
calls blocked or labeled

Default, opt-in, or optout

AT&T—Wireless

Network-level
blocking

Call Protect and Call
Protect Plus, since 2016,
blocked fraudulent calls or
labeled suspicious calls;
nearly 1.3 billion suspected
fraud and over 3 billion
other calls blocked or
labeled.
Blocked over 46 million
and spam warnings for 36
million.

Network-level blocking is
default

Call Protect or Call
Protect Basic, free
Call Protect Plus
AT&T—VoIP

Network-level
blocking
Digital Phone Call
Protect, free

Call Control (thirdparty analytics
company)
Comcast—Wireline

Software-based call
blocking

Blocked over one billion
calls.

Network-level
blocking

Over 158 million calls
blocked in Dec. 2019.
Anonymous Call Rejection
blocked nearly 37 million
calls in Dec. 2019.
Selective Call Rejection
blocked over five million
calls in Dec. 2019.

Anonymous Call
Rejection, Selective
Call Rejection, free
Customers can sign up
for Nomorobo
blocking service, free
Cox

Edge Blocking, free
Anonymous Call
Rejection, Selective
Call Rejection, free

First Orion (thirdparty analytics
company)
Hiya (third-party

14.6% of calls are blocked
through one of these tools;
Edge Blocking is 65% of
the blocked calls and
Anonymous Call Rejection
is 29%t.

Call Protect is opt-out,
since 2019
Call Protect Plus is opt-in
Network-level blocking is
default
Digital Phone Call Protect
is opt-in
N/A
Network-level blocking is
default
Anonymous Call
Rejection is opt-in, but
will be offered opt-out;
Selective Call Rejection is
opt-in
Nomorobo is opt-in
Edge Blocking is opt-out
Anonymous Call
Rejection and Selective
Call Rejection are opt-in

Customers can sign up
for Nomorobo
blocking service, free.
Scam ID and Scam
Block

Since 2017, identified over
22 billion scam calls.

N/A

Call blocking

Since 2016, blocked or

N/A

See FCC, Call Blocking Tools Now Substantially Available to Consumers: Report on Call Blocking at 10-25,
Appx. B (2020), https://docs.fcc.gov/public/attachments/DOC-365152A1.pdf.
366

51

Federal Communications Commission
analytics company)

Nomorobo (thirdparty analytics
company)
T-Mobile

Call blocking
Scam ID, free
Scam Block, free

Verizon—Wireless

Name ID, free for
some plans
Network-level
blocking

labeled nearly 1.3 billion
suspected fraud calls and
over 3 billion other suspect
calls.
As of April 30, 2020,
blocked over 1.6 billion
robocalls.
Since 2017, identified over
21 billion scam calls and
blocked over 5 billion of
those calls.
Since 2017, blocked
hundreds of millions of
calls.

FCC 20-136

N/A
Scam ID is opt-out for
post-paid customers
Scam Block is opt-in
Network-level blocking is
default

Call Filter, free
Verizon—Wireline

6.

Network-level
blocking

Since 2017, blocked
hundreds of millions of
calls.

Call Filter is opt-out
Network-level blocking is
default

Spam Alert, free

Spam Alert is default

VoIP customers can
sign up for Nomorobo
blocking service, free

Nomorobo is opt-in

Legal Authority

97.
The TRACED Act expressly directs us to grant extensions for compliance with the
STIR/SHAKEN implementation mandate, require any voice service provider subject to such an extension
to implement a robocall mitigation program to prevent unlawful robocalls from originating on its
network,367 and place unique obligations on providers that receive an extension due to material reliance on
non-IP network technology.368 The TRACED Act thus provides a clear source of authority for the rules
we adopt today.
98.
We conclude that section 251(e) of the Act provides additional, independent authority to
adopt the extensions and associated requirements. That section gives us exclusive jurisdiction over
numbering policy and enables us to act flexibly and expeditiously with regard to important numbering
matters.369 When bad actors unlawfully falsify or spoof the caller ID that appears on a subscriber’s phone,
they are using numbering resources to advance an illegal scheme. The extensions and associated
requirements will help to prevent the fraudulent exploitation of NANP resources by permitting those
providers and their subscribers to identify when caller ID information has been spoofed.
99.
We conclude that section 251(e) gives us authority to prohibit intermediate providers and
voice service providers from accepting traffic from both domestic and foreign voice service providers that

367

See TRACED Act § 4(b)(5)(C).

368

See id. § 4(b)(1)(B).

369

See Local Competition Second Report and Order, 11 FCC Rcd at 19512, para. 271.

52

Federal Communications Commission

FCC 20-136

do not appear in our newly established database.370 As we concluded in the First Caller ID
Authentication Report and Order, our exclusive jurisdiction over numbering policy provides authority to
take action to prevent the fraudulent abuse of NANP resources.371 Illegally spoofed calls exploit
numbering resources whenever they transit any portion of the voice network—including the networks of
intermediate providers. Our action preventing such calls from entering an intermediate provider’s or
terminating voice service provider’s network is designed to protect consumers from illegally spoofed
calls, even while STIR/SHAKEN is not yet ubiquitous. Verizon agrees that section 251(e) gives us ample
authority to ensure foreign VoIP providers “submit to the proposed registration and certification regime
by prohibiting regulated U.S. carriers from accepting their traffic if they do not.”372
100.
We additionally find authority in the Truth in Caller ID Act.373 We find that the rules we
adopt today are necessary to enable voice service providers to help prevent these unlawful acts and to
protect voice service subscribers from scammers and bad actors, and that section 227(e) provides
additional independent authority for the rules we adopt today.374
D.

Voluntary STIR/SHAKEN Implementation Exemption

101.
While the TRACED Act directs us to require each voice service provider to implement
STIR/SHAKEN in its IP network,375 section 4(b)(2) of the TRACED Act frees a voice service provider
from this requirement if we determine, by December 30, 2020, that “such provider of voice service”: (A)
“in [IP] networks”—(i) “has adopted the STIR/SHAKEN authentication framework for calls on the [IP]
networks of the provider of voice service; (ii) has agreed voluntarily to participate with other providers of
voice service in the STIR/SHAKEN authentication framework; (iii) has begun to implement the
STIR/SHAKEN authentication framework; and (iv) will be capable of fully implementing the
STIR/SHAKEN authentication framework” not later than June 30, 2021; and (B) “in non-[IP]
networks”—(i) “has taken reasonable measures to implement an effective call authentication framework;
and (ii) will be capable of fully implementing an effective call authentication framework” not later than
June 30, 2021.376
102.
Below, we read section 4(b)(2) of the TRACED Act as creating two exemptions: one for
IP calls and one for non-IP calls. To ensure that the exemption only applies where warranted and to
provide parties with adequate guidance, we expand on each of the prongs that a voice service provider
See 47 U.S.C. § 251(e). We emphasize that the rule we adopt today does not constitute the exercise of
jurisdiction over foreign voice service providers. We acknowledge that this rule will have an indirect effect on
foreign voice service providers by incentivizing them to certify to be listed in the database. An indirect effect on
foreign voice service providers, however, “does not militate against the validity of rules that only operate directly on
voice service providers within the United States.” International Settlement Rate Benchmarks, IB Docket No. 96261, Report and Order, 12 FCC Rcd 19806, 19819 (1997); see also Cable & Wireless P.L.C. v. FCC, 166 F.3d 1224,
1230 (D.C. Cir. 1999) (finding that “the Commission does not exceed its authority simply because a regulatory
action has extraterritorial consequences.”).
370

371

First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3260-61, para. 42.

Verizon Comments at 8; see also T-Mobile Comments at 6-8 (arguing that a foreign voice service provider
“should be required to certify to the Commission that it uses an appropriate robocall mitigation program to prevent
unlawful robocalls from originating on its network,” and concurring that our numbering authority allows us “to
impose numbering-related requirements—including the rights and obligations associated with using telephone
numbers”).
372

373

See 47 U.S.C. § 227(e)(1); 47 CFR § 64.1604(a).

See also 47 U.S.C. § 154(i) (“The Commission may perform any and all acts, make such rules and regulations,
and issue such orders, not inconsistent with this chapter, as may be necessary in the execution of its functions.”).
374

375

See TRACED Act § 4(b)(1).

376

See id. § 4(b)(2).

53

Federal Communications Commission

FCC 20-136

must meet to obtain an exemption, and adopt rules accordingly. We find that the best way to implement
the TRACED Act’s exemption provision in a timely manner is via a certification process and thus adopt
rules requiring that a voice service provider that wishes to receive an exemption submit a certification that
it meets the criteria for the exemptions that we have established pursuant to section 4(b)(2)(A), section
4(b)(2)(B), or both. To guard against the risk of gaps and improper claims of the exemption, we require
voice service providers that receive an exemption to file a second certification after June 30, 2021, stating
whether they, in fact, achieved the implementation goal to which they previously committed in their
initial certification. Last, we find that the TRACED Act’s exemption provision does not extend to
intermediate providers. We adopt these rules pursuant to the authority expressly granted us by section
4(b)(2) of the TRACED Act.377
1.

Relationship of IP Networks and Non-IP Networks Provisions

103.
As proposed in the Further Notice of Proposed Rulemaking,378 we read section 4(b)(2) of
the TRACED Act as creating two exemptions: one for IP calls and one for non-IP calls. Thus, a voice
service provider may seek the exemption for its “IP networks” if it meets all four criteria for all calls it
originates or terminates in SIP, and a voice service provider may seek the exemption for its “non-IP
networks” if it meets both the criteria for all non-SIP calls it originates or terminates. This approach is
consistent with the views of the commenters that touched upon this issue in the record.379
104.
We find that this reading best implements Congress’s policy and is consistent with
principles of statutory construction when considering the statute as a whole. As AT&T observes, the
structure of the TRACED Act “recognizes that implementation of a caller ID authentication framework
will differ for IP networks and non-IP networks.”380 Given the presence of the word “and” between the IP
and non-IP networks criteria, we recognize that the exemption could potentially be read as applying only
if the voice service provider meets both the IP and non-IP networks criteria. Yet such a reading would
render the exemption an empty set or nearly so because of the absence of an effective solution for non-IP
caller ID authentication at present, such that few, if any, voice service providers will be able to claim that
they will be capable of “fully implementing” an effective non-IP caller ID authentication framework by
June 30, 2021.381 Our reading cabins the nullity risk more narrowly, thus better effectuating Congress’s
goal of creating a meaningful exemption.382
105.
Our approach also further encourages prompt deployment of STIR/SHAKEN. We
understand the statutory exemption to both encourage and reward early progress in deployment.
Therefore, by giving voice service providers a path to exemption solely for their IP networks—the only
types of networks on which STIR/SHAKEN can effectively operate—our approach will effectuate
Congress’s intent to encourage faster progress in STIR/SHAKEN deployment. And by separating IP and
377

See id. § 4(b)(2).

See First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3285-86, paras. 103106.
378

379

See AT&T Comments at 20-21; see also T-Mobile Comments at 9; CenturyLink Reply at 18.

380

AT&T Comments at 20-21.

See ATIS Comments at 4; AT&T Comments at 12 (stating that “no STIR/SHAKEN-equivalent solution for TDM
networks has been developed by standards bodies”); CCA Comments at 4; Comcast Comments at 2-3, 5-7; NCTA
Comments at 12-13; Telnyx Comments at 2; USTelecom Comments at iii, 21-22; Verizon Comments at 2, 18; VON
Comments at 2-3; Comcast Ex Parte at 1; AT&T Reply at 19-20; CenturyLink Reply at 14-15; Comcast Reply at 12, 4-5; USTelecom Reply at 5-7; Verizon Reply at 19-21.
381

Cf. RCA Global Communications, Inc. v. FCC, 758 F.2d 722, 723 (D.C. Cir. 1985) (“Because we agree with the
FCC that RCA’s view of the statute would render the Small Carrier Exemption a nullity, we affirm.”); id. at 731
(“To hold otherwise would effectively excise the exemption from the statute, a result the most fundamental
principles of statutory construction will not permit.”) (citations omitted).
382

54

Federal Communications Commission

FCC 20-136

non-IP calls in this way, we align our exemption process with the call-by-call vision of a caller ID
authentication implementation mandate that subjects different parts of a voice service provider’s network
to different requirements.
2.

Threshold for IP Networks Exemption

106.
To ensure that the exemption only applies where warranted and to provide parties with
adequate guidance, we expand on each of the four substantive prongs laid out in the TRACED Act that a
voice service provider must meet to obtain an exemption.
107.
Prong (i)—Adoption of STIR/SHAKEN. In the Further Notice of Proposed Rulemaking,
we proposed to interpret the phrase “has adopted the STIR/SHAKEN authentication framework for calls
on the [IP] networks of the provider of voice service”383 in prong (A)(i) to mean that the voice service
provider has publicly committed, via a certification, to complete implementation of STIR/SHAKEN by
June 30, 2021.384 In light of the comments in the record, we modify this proposal to require that the voice
service provider has completed the network preparations necessary to deploy the STIR/SHAKEN
protocols on its network, including, but not limited to, by participating in test beds and lab testing, or
completing commensurate network adjustments to enable the authentication and validation of calls on its
network consistent with the STIR/SHAKEN framework.
108.
We agree with commenters that focusing on network preparations will provide significant
concrete evidence that a voice service provider is taking the necessary steps in its STIR/SHAKEN
implementation, and will thus offer confirmation that a provider has adopted the STIR/SHAKEN
authentication framework.385 We further agree with AT&T that our original certification-based proposal
would not provide specific measurable criteria by which to assess a provider’s progress.386 Simply issuing
a commitment will not do as much to ensure that voice service providers are actually doing so as will an
obligation to undertake the network preparations necessary to operationalize the STIR/SHAKEN
protocols on their networks. Taking the necessary first steps to participate in STIR/SHAKEN more
affirmatively demonstrates a voice service provider’s commitment and preparedness to implement an
effective caller ID authentication framework than a general declaration of intent that may or may not be
accompanied by concrete steps. We disagree with T-Mobile’s unsupported contention that our previous
proposal would be preferable.387 While a public commitment to complete implementation of
STIR/SHAKEN by June 30, 2021 would be a welcome initial step, we conclude that the better approach
is to require voice service providers to undertake the preparations necessary to implement this framework,
rather than merely issuing a pledge to do so.
109.
Prong (ii)—Participation with Other Providers. In the Further Notice of Proposed
Rulemaking, we proposed to read the phrase “has agreed voluntarily to participate with other providers of
voice service in the STIR/SHAKEN authentication framework” in prong (A)(ii)388 to require that the
voice service provider has written, signed agreements with at least two other voice service providers to
exchange calls with authenticated caller ID information.389 After reviewing the record, we revise this
383

See TRACED Act § 4(b)(2)(A)(i).

384

See First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3286, para. 107.

See AT&T Comments at 22-23; CCA Comments at 9; Letter from Farhan Chughtai, Director, Policy &
Advocacy, USTelecom, to Marlene H. Dortch, Secretary, FCC, CG Docket No. 17-59, WC Docket Nos. 17-97, 2067, Appx. at 2 (filed Mar. 23, 2020) (USTelecom March 23 Ex Parte); CenturyLink Reply at 17; see also Comcast
Reply at 7-8.
385

386

See AT&T Comments at 23.

387

See T-Mobile Comments at 9-10.

388

See TRACED Act § 4(b)(2)(A)(ii).

389

See First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3286-87, para. 108.

55

Federal Communications Commission

FCC 20-136

proposal to require that the voice service provider has demonstrated its voluntary agreement to participate
with other voice service providers in the STIR/SHAKEN framework by completing formal registration
(including payment) and testing with the Policy Administrator.390
110.
We agree with commenters that such an action would signal both a public and financial
commitment to working with other voice service providers sufficient to confirm a provider’s coordination
efforts.391 Registering with the Policy Administrator is a necessary predicate to participation with other
voice service providers in the STIR/SHAKEN framework, and was formulated by the industry to allow
the exchange of authenticated traffic without requiring dedicated agreements between voice service
providers. Completing formal registration and testing with the Policy Administrator thus signals both a
voice service provider’s technical readiness and willingness to participate with other providers in the
STIR/SHAKEN framework. We further agree with AT&T, CTIA, and CCA that our initial proposal
ignores certain market realities by assuming that every provider of voice services will require multiple
agreements to exchange traffic destined to every point on the PSTN.392 Given that some voice service
providers may not require two or more interconnection arrangements, let alone multiple agreements with
other providers, to exchange their IP-based traffic, imposing a two-agreement requirement to demonstrate
voluntary participation in the STIR/SHAKEN framework would be arbitrary and might even inject
artificial inefficiencies into such arrangements.393 Our revised interpretation of prong (A)(ii) more closely
aligns with the language and intended purpose of the statute, and better encourages STIR/SHAKEN
implementation without introducing potential inefficiencies. Exchanging traffic using certificates
assigned through the governance system is exactly the way STIR/SHAKEN is designed to work.394
Encouraging voice service providers to complete formal registration and testing with the Policy
Administrator is thus the most appropriate and reasonable interpretation of the requirement in prong
(A)(ii).
111.
Prong (iii)—Begun to Implement. As proposed in the Further Notice of Proposed
Rulemaking,395 we implement the phrase “has begun to implement the STIR/SHAKEN authentication
framework” in prong (A)(iii) by requiring that the voice service provider has completed the necessary
network upgrades to at least one network element (e.g., a single switch or session border controller) to
enable the authentication and verification of caller ID information consistent with the STIR/SHAKEN
standards.396 This interpretation requires a voice service provider to make meaningful progress on
implementation by the time of certification, while taking into account that voice service providers will
have limited time between adoption of this Order and the December 30, 2020 deadline for exemption
determinations.397 While CCA argues that our approach is unachievable and overly prescriptive, we
390

See USTelecom March 23, 2020 Ex Parte, Appx. at 2.

See AT&T Comments at 23; CTIA Comments at 24-25; see also CenturyLink Reply at 17-18; Comcast Reply at
7-8.
391

See AT&T Comments at 24; CCA Comments at 9; CTIA Comments at 24-25; see also Comcast Comments at 910 (opposed to our originally proposed interpretation of this prong); CenturyLink Reply at 18. Since T-Mobile’s
comments touch only upon the particulars of our original proposed interpretation of this prong, we need not address
them here. See T-Mobile Comments at 10.
392

393

See AT&T Comments at 24.

394

See First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3246, paras. 9-10.

395

See id. at 3287, para. 109.

See TRACED Act § 4(b)(2)(A)(iii); see also 47 U.S.C. § 153(35) (“The term ‘network element’ means a facility
or equipment used in the provision of a telecommunications services. Such term also includes features, functions,
and capabilities that are provided by means of such facility or equipment, including subscriber numbers, databases,
signaling systems, and information sufficient for billing and collection or used in the transmission, routing, or other
provision of a telecommunications service.”).
396

397

See T-Mobile Comments at 10; see also AT&T Comments at 25.

56

Federal Communications Commission

FCC 20-136

disagree.398 To the contrary, our approach accounts for the abbreviated timeframe by giving voice service
providers the flexibility to choose to complete upgrades on the network element which they can upgrade
most efficiently.399
112.
In this case, we find USTelecom’s suggestion that we require voice service providers to
establish the capability to authenticate originated traffic and/or validate such traffic terminating on their
networks to be excessively vague, and it is unclear how little or how much voice service providers would
be required to do under such a rule.400 Depending on the voice service provider, simply “establishing” the
capability to authenticate originated traffic and/or validate such traffic terminating on their networks
could consist of fully implementing this capability or merely attaining this capability without actually
deploying it in one’s network. To the extent that USTelecom—which does not provide a rationale for its
proposal—is concerned that the standard we adopt will be too easily met, we are confident that the
opportunity to verify implementation of an effective authentication framework will help identify any
voice service providers that fail to meet their STIR/SHAKEN implementation commitments.
113.
Prong (iv)—Capable of Fully Implementing. Last, and as proposed in the Further Notice
of Proposed Rulemaking,401 we implement the obligation to “be capable of fully implementing the
STIR/SHAKEN authentication framework” not later than June 30, 2021, in prong (A)(iv) so as to require
that the voice service provider reasonably foresees that it will have completed all necessary network
upgrades to its network infrastructure to be able to authenticate and verify caller ID information for all
SIP calls exchanged with STIR/SHAKEN-enabled partners by June 30, 2021.402 After considering the
arguments in the record, we agree with T-Mobile that our proposal is preferable to USTelecom’s narrower
alternative of requiring a certification that all consumer VoIP and VoLTE traffic originating or
terminating on a voice service provider’s network either is or will be capable of authentication and
validation by June 30, 2021.403 This requirement falls short of our implementation mandate, which
requires that all calls be subject to caller ID authentication and verification—not just consumer VoIP and
VoLTE traffic—except for those subject to the narrow and time-limited extensions we adopt today. To
grant an exemption for voice service providers that will be capable of anything short of full compliance
would indefinitely leave out calls the TRACED Act and our rules thereunder require to be subject to
caller ID authentication. Such an approach also is inconsistent with the statute, which requires “full[]
implementation[]” by June 30, 2021, so it is appropriate for us to demand that a provider reasonably
foresee that it will meet that standard, rather than set a bar that is more easily cleared at the twelve-month
mark but that heightens the risk of a voice service provider ultimately falling short just six months later.
While we understand AT&T’s point that voice service providers with more complex, diverse networks
will necessarily have more complicated and costly STIR/SHAKEN implementation requirements, we do
not think that our proposal is “overly rigid” or “ambiguous.”404 Nor do we agree with CCA that it is
“overly prescriptive.”405 Rather, we institute a clear requirement that voice service providers “reasonably
foresee” that they will be able to meet the standard Congress established by the deadline that Congress
established. This interpretation gives as much latitude to voice service providers as possible to achieve
the desired benchmarks while still requiring some basis for the claim that a provider is “capable of fully

398

See CCA Comments at 8.

399

See T-Mobile Comments at 10.

400

See USTelecom March 23 Ex Parte, Appx. at 2; see also CenturyLink Reply at 18.

401

See First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3287, para. 110.

402

See TRACED Act § 4(b)(2)(A)(iv).

403

See USTelecom March 23 Ex Parte, Appx. at 2; see also T-Mobile Comments at 10-11.

404

See AT&T Comments at 26; see also CenturyLink Reply at 18.

405

See CCA Comments at 8.

57

Federal Communications Commission

FCC 20-136

implementing the STIR/SHAKEN authentication framework.”406
3.

Threshold for Non-IP Networks Exemption

114.
Under the TRACED Act, a voice service provider is excused from the requirement to
take reasonable measures to implement an effective caller ID authentication framework in the non-IP
portions of its network if the Commission finds that it: (1) has taken reasonable measures to implement an
effective caller ID authentication framework in the non-IP portions of its network; and (2) will be capable
of fully implementing an effective caller ID authentication framework in the non-IP portions of its
network not later than June 30, 2021.407 While we anticipate that in the non-IP context few if any voice
service providers will seek to take advantage of this exemption because of the difficulties in “fully
implementing an effective caller ID authentication framework” by June 30, 2021, we nevertheless adopt
standards for determining whether a voice service provider has met both requirements necessary to
receive an exemption under section 4(b)(2)(B) of the TRACED Act for the non-IP portions of its network,
as required by the TRACED Act.
115.
In the Further Notice of Proposed Rulemaking, we sought comment on section 4(b)(2)(B)
and whether there was an “acceptable interpretation of the ‘fully implementing’ prong that would make it
more achievable for voice service providers to qualify for the exemption.”408 We further sought comment
on what constitutes an “effective” call authentication framework and “reasonable measures” for purposes
of this section.409 We now find that a voice service provider satisfies the first prong—requiring
reasonable measures to implement an effective caller ID authentication framework—if it can certify that it
is working to develop a non-IP authentication solution. Because the statutory language is similar to that
used to establish the non-IP mandate,410 we find it appropriate to harmonize our interpretation of these
two provisions.411 AT&T supports a proposal to require providers to participate in either standards
development for a TDM call authentication framework or implement a robust robocall mitigation
program as two options for satisfying the “reasonable measures” prong of this section.412 We agree as to
the former suggestion, but we find the latter suggestion unduly overlaps with the distinct robocall
mitigation program requirement under the statute.
116.
We implement the provision in section 4(b)(2)(B)(ii) of the TRACED Act that voice
service providers be “capable of fully implementing an effective caller ID authentication framework in
406

TRACED Act § 4(b)(2)(A)(iv).

407

See id. § 4(b)(2)(B).

408

First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3288, para. 111.

409

See First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3288, para. 111.

Compare TRACED Act § 4(b)(2)(B)(i) with id. § 4(b)(1)(B). Section 4(b)(1)(B) requires a voice service
provider “to take reasonable measures to implement an effective call authentication framework” in the non-IP
portions of its networks, while section 4(b)(2)(B)(i) requires that a voice service provider “has taken reasonable
measures to implement an effective call authentication framework” in the non-IP portions of its network. While we
recognize the difference in tenses between the two provisions—one refers to taking reasonable measures, while the
other states that such measures must have already been taken—the remaining language is identical. Thus, we find
that the two provisions are similar enough to implement the same standard in order to quantify what constitutes
“reasonable measures” in both instances. Further, adopting a uniform approach allows us to avoid creating
unnecessarily burdensome overlapping, but distinct, requirements.
410

While we harmonize these provisions, we do not include the first method of compliance with our non-IP
mandate, which a provider satisfies by completely upgrading its non-IP networks to IP and implementing the
STIR/SHAKEN authentication framework. A provider that has completely upgraded its non-IP networks to IP
would be subject to the exemption for IP networks, rather than the exemption for non-IP networks, and would be
required to satisfy the requirements laid out for that exemption.
411

412

See AT&T Comments at 26-27.

58

Federal Communications Commission

FCC 20-136

the non-IP portions of their networks not later than [June 30, 2021]” by requiring that the voice service
provider reasonably foresees that it will have completed all necessary network upgrades to its
infrastructure to be able to authenticate and verify caller ID information for all non-IP calls originating or
terminating on its network as provided by a standardized caller ID authentication framework for non-IP
networks.413 This approach is consistent with our approach to the fourth prong of the IP network
exemption, in which we construe “fully implementing” to mean that caller ID information is able to be
authenticated and verified for all calls exchanged with technically-able partners. Further, it is consistent
with our evaluation of when a non-IP caller ID authentication framework is “reasonably available,” and
we consistently consider such a framework to be “effective” only when it is standardized. We find that
this approach gives as much latitude to voice service providers as possible to achieve the desired result
within the prescribed timeframe while again requiring some basis for the claim—here, that the provider
be “capable of fully implementing an effective caller ID authentication framework.”414
4.

Compliance Certifications

117.
As proposed in the Further Notice of Proposed Rulemaking,415 we find that the best way
to implement the TRACED Act’s exemption provision is via a certification process. Specifically, we
require a voice service provider that seeks to receive an exemption to submit a certification that it meets
the criteria for the IP networks exemption that we have established pursuant to section 4(b)(2)(A), the
criteria for the non-IP networks exemption that we have established pursuant to section 4(b)(2)(B), or
both, as appropriate for its network(s). Given the inherent and obvious difficulty of making
individualized determinations of whether providers qualify for the IP networks exemption on such a
truncated timeframe, we find that a certification process is necessary to allow us to meet Congress’s
deadline for completion of exemption determinations by December 30, 2020. This approach is
unopposed, and both T-Mobile and AT&T support the use of a certification process “as the appropriate
vehicle for a voice service provider to assert its qualification for either or both of the statutory
exemptions.”416
118.
Each voice service provider that seeks to qualify for either the section 4(b)(2)(A) or the
section 4(b)(2)(B) exemption, or both, must have an officer of the voice service provider sign a
compliance certificate stating under penalty of perjury that the officer has personal knowledge that the
company meets each of the stated criteria. Such an attestation is necessary to ensure the accuracy of the
underlying certification.417 We also require the voice service provider to submit an accompanying
statement explaining, in detail, how the company meets each of the prongs of each applicable exemption
so that the Commission can verify the accuracy of the certification.418
119.
As proposed in the Further Notice of Proposed Rulemaking,419 all certifications submitted
pursuant to this requirement must be filed no later than December 1, 2020. All certifications and
413

See TRACED Act § 4(b)(2)(B)(ii).

414

See id.

415

See First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3288, paras. 112-114.

AT&T Comments at 21; see also T-Mobile Comments at 11. Beyond these comments, which support the
establishment of a certification process, no other commenters in this proceeding addressed this issue.
416

The Commission requires similar certifications in the context of domestic transfer of control applications to
ensure that no party to the application is “subject to a denial of Federal benefits pursuant to section 5301 of the AntiDrug Abuse Act of 1988.” 47 CFR § 63.04(a)(5); 47 CFR § 1.2002.
417

Cf. Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of Customer
Proprietary Network Information and Other Customer Information; IP-Enabled Services, CC Docket No. 96-115,
WC Docket No. 04-36, Report and Order and Further Notice of Proposed Rulemaking, 22 FCC Rcd 6927, 6953-54,
para. 52 (2007).
418

419

See Further Notice of Proposed Rulemaking, 35 FCC Rcd at 3288, para. 113.

59

Federal Communications Commission

FCC 20-136

supporting statements must be filed electronically in WC Docket No. 20-68, Exemption from Caller ID
Authentication Requirements, in the Commission’s Electronic Comment Filing System (ECFS).420 We
direct the Bureau to provide additional directions and filing information regarding the certifications—
including issuing protective orders governing the submission and review of confidential and highly
confidential information, where necessary421—by November 9, 2020, or in the Public Notice announcing
Office of Management and Budget approval of this process, whichever comes sooner. And we direct the
Bureau to review the certifications and accompanying documents for completeness and to determine
whether the certifying party has met the requirements we have established. We further direct the Bureau
to issue a list of parties that have filed complete, valid compliance certifications and that will thus receive
the exemption(s) on or before December 30, 2020.
120.
Because of the limited time for review of certifications, we proposed in the Further
Notice of Proposed Rulemaking that any voice service providers that file inadequate certifications would
not receive an opportunity to cure and instead would be subject to the general duty we established to
implement STIR/SHAKEN by June 30, 2021.422 We adopt this proposal here. We find this consequence
to be reasonable and appropriate because the purpose of the certification is merely to determine which
voice service providers would, in the absence of the STIR/SHAKEN obligation, nonetheless be able to
implement STIR/SHAKEN in a timely manner. While we are sympathetic to AT&T’s suggestion that we
permit voice service providers a chance to cure and revise their certifications should they be found
deficient, the extremely truncated timeline for review of certifications prevents us from allowing such
options.423 Simply put, there is insufficient time to permit voice service providers to revise and resubmit
certifications that the Bureau has deemed deficient and for the Bureau to review such resubmitted
certifications prior to the statutory December 30, 2020 deadline for completion of exemption
determinations. Voice service providers must do their best to demonstrate in their initial certifications
that they have met all the statutory requirements necessary to qualify for an exemption. Moreover, as
stated above, we find the inability of voice service providers to “cure” deficient certifications to be
insignificant given the purpose of the certification.
121.
Implementation Verification. The section 4(b)(2)(A) and (B) exemptions are, by their
nature, based on a voice service provider’s prediction of its future ability to implement STIR/SHAKEN
by June 30, 2021. As we explained in the Further Notice of Proposed Rulemaking, we believe that
Congress intended for us to verify, after the fact, that voice service providers claiming the exemption
completed full implementation in accordance with their commitments.424 Such a review is consistent with
the TRACED Act both because the broad structure of section 4 aims toward full implementation of caller
ID authentication and because sections 4(b)(2)(A)(iv) and 4(b)(2)(B)(ii) each state that a voice service
provider may receive the exemption only if it “will” be capable of “fully” implementing a caller ID
authentication framework (STIR/SHAKEN or “an effective call authentication framework,”
respectively).425 This approach is unopposed in the record, and T-Mobile correctly notes that without
such verification, the voluntary exemption could be misused as a loophole by voice service providers,
thereby diminishing the ultimate effectiveness of STIR/SHAKEN implementation, the success of which
depends on the participation of a critical mass of voice service providers.426 To guard against the risk of
gaps and abusive claims of the exemption, and as proposed in the Further Notice of Proposed
420

This system is accessible at http://www.fcc.gov/ecfs.

421

See T-Mobile Comments at 11.

422

See First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3288, para. 113.

423

See AT&T Comments at 21.

424

See First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3289, para. 115.

425

See TRACED Act §§ 4(b)(2)(A)(iv), 4(b)(2)(B)(ii).

426

See T-Mobile Comments at 11-12; see also Consumer Groups Reply at 7-8.

60

Federal Communications Commission

FCC 20-136

Rulemaking,427 we therefore require voice service providers that receive an exemption to file a second
certification after June 30, 2021, stating whether they, in fact, achieved the implementation goal to which
they previously committed.
122.
As proposed in the Further Notice of Proposed Rulemaking, the certification must be
filed electronically in WC Docket No. 20-68, Exemption from Caller ID Authentication Requirements, in
ECFS subject to the same allowance for confidentiality and requirements for sworn signatures and
detailed support as the initial certifications.428 This process will not only help the Bureau to verify the
accuracy of the certification, but will assist it in conducting its review while at the same time ensuring
that any confidential or proprietary information included by filers remains safe from disclosure. We
direct the Bureau to issue a Public Notice no later than three months after June 30, 2021, setting a specific
deadline for the certifications and providing detailed filing requirements. We direct the Bureau to seek
public comment on these certifications. Following review of the certifications, supporting materials, and
responsive comments, we direct the Bureau to issue a Public Notice, no later than four months after the
date of filing of the certifications, identifying which voice service providers achieved the implementation
goal to which they previously committed. As suggested in the record,429 we clarify that voice service
providers that certified in December of 2020 that they have already fully implemented the necessary
STIR/SHAKEN requirements, and for which the Bureau accepted the certification, need not file a second
certification. This second filing is required only from those voice service providers that have not yet
“fully implemented” STIR/SHAKEN by the time of their initial December 2020 certification, but have
committed to doing so by June 30, 2021.
123.
We disagree with T-Mobile’s assertion that there is little value is seeking public comment
on voice service providers’ certifications.430 While T-Mobile is correct that a review of whether a voice
service provider has conformed to the terms of its exemption declarations and implemented
STIR/SHAKEN will require a technical analysis, we anticipate that the considered comments of market
participants, technical and trade associations, and industry professionals can inform and enrich the
Bureau’s analysis of any such technical issues.431 Further, allowing comments is critical to maintaining a
clear and transparent process. Moreover, to the extent that parties must submit confidential information,
the Bureau will issue protective orders governing submission and review akin to those we have employed
in numerous other contexts.432 There is thus no risk that any voice service provider will be obligated to
publicly disclose “sensitive network information” as part of this certification and comment process.433
124.
As proposed in the Further Notice of Proposed Rulemaking, if a voice service provider
cannot certify to full implementation upon the filing of the second certification but demonstrates to the
Bureau that (1) it filed its initial certification in good faith—i.e., with a reasonable expectation that it
would be able to achieve full implementation as certified—and (2) made similarly good faith efforts to
complete implementation, the consequence for such a shortcoming is the loss of the exemption and
427

See First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3289, para. 116.

428

See id.

429

See NCTA Comments at 13-14; Comcast Reply at 8.

430

See T-Mobile Comments at 12; see also CenturyLink Reply at 18. But see Consumer Groups Reply at 7.

431

See T-Mobile Comments at 12; see also CenturyLink Reply at 18.

See e.g., Application of Liberty Latin America Ltd. and AT&T Inc. For Consent to the Transfer of Control of the
Licenses, Authorizations, and Spectrum Lease Held by AT&T Mobility Puerto Rico Inc. and AT&T Mobility USVI
Inc. to Liberty Latin America Ltd., WT Docket No. 19-384, Protective Order, 35 FCC Rcd 3516 (2020); Northern
Valley Communications, LLC Tariff F.C.C. No. 3, WC Docket No. 20-11, Transmittal No. 12, Protective Order, 35
FCC Rcd 2773 (2020); Modernizing Unbundling and Resale Requirements in an Era of Next-Generation Networks
and Services, WC Docket No. 19-308, Protective Order, 35 FCC Rcd 1485 (2020).
432

433

See T-Mobile Comments at 12; see also CenturyLink Reply at 18.

61

Federal Communications Commission

FCC 20-136

application of the general rule requiring full STIR/SHAKEN implementation, effective immediately upon
release of the Bureau Public Notice identifying which voice service providers achieved the
implementation goal to which they previously committed. We find that an immediate effective date is
required to ensure that certain voice service providers do not receive an extension not granted to similarly
situated voice service providers simply because they filed a certification they later failed to meet. If the
Bureau finds that a voice service provider filed its initial certification in bad faith or failed to take good
faith steps toward implementation, we will not only require that voice service provider to fully implement
STIR/SHAKEN immediately, but will further direct the Bureau to refer the voice service provider to the
Enforcement Bureau for possible enforcement action based on filing a false initial certification.434
5.

Voice Service Providers Eligible for Exemption

125.
We proposed in the Further Notice of Proposed Rulemaking to interpret the TRACED
Act’s exemption process to apply only to voice service providers and to exclude intermediate providers.435
We adopt that approach here. No commenters addressed this issue in the record. In the TRACED Act,
Congress directs the Commission to require “provider[s] of voice service” to implement STIR/SHAKEN
in the IP portions of their networks.436 The exemption provisions in section 4(b)(2) of the TRACED Act
similarly refer to “provider[s] of voice service.”437 Because the obligation on intermediate providers to
implement the STIR/SHAKEN authentication framework is being adopted pursuant to our authority in the
Truth in Caller ID Act and section 251(e),438 we do not believe that the exemption process, which is
mandated under and governed by the TRACED Act, needs to apply to such intermediate providers.439 We
do not find that there is a compelling policy argument in favor of extending the TRACED Act’s
exemption process to intermediate providers. The exemption process as laid out in the TRACED Act will
not have long-term benefits to providers, since even those that qualify for the exemption must be capable
of fully implementing either the STIR/SHAKEN authentication framework or an effective call
authentication framework not later than June 30, 2021.440 Given this, we are disinclined to add further
administrative and regulatory complication where not required by the TRACED Act.
E.

Line Item Charges

126.
We adopt our proposal in the First Caller ID Authentication Report and Order and
Further Notice to prohibit voice service providers from imposing additional line item charges on
consumer or small business subscribers for caller ID authentication.441 The record reflects support for this

434

We note that there was no comment on this issue in the record.

See First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3289, para. 118.
Section 4(a)(2) of the TRACED Act defines “voice service,” in part, as any service that “furnishes voice
communications to an end user using resources from the North American Numbering Plan.” TRACED Act §
4(a)(2)(A). Because intermediate providers do not furnish calls to end users, we previously concluded that this
definition does not include such providers. First Caller ID Authentication Report and Order and Further Notice, at
3259, para. 37.
435

436

TRACED Act § 4(b)(1)(A).

437

Id. § 4(b)(2).

438

See 47 U.S.C. § 251(e).

No commenters in this proceeding addressed the question of whether we should interpret the TRACED Act’s
exemption process to include intermediate providers. Thus, our determination that this exemption does not, in fact,
include such providers remains undisputed.
439

440

See TRACED Act § 4(b)(2).

441

See First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3289-90, para. 119.

62

Federal Communications Commission

FCC 20-136

proposal,442 and we believe adopting it is a straightforward implementation of Congress’s direction and
authority in the TRACED Act to “prohibit providers of voice service from adding any additional line item
charges to consumer or small business customer subscribers for the effective call authentication
technology.”443
127.
We are unconvinced by arguments opposed to the rule we adopt today. MT Networks
argues that we should instead affirmatively permit voice service providers to list caller ID authentication
“as a billable feature on their line.”444 Because MT Networks fails to explain how such an alternative
course of action would be consistent with the text of the TRACED Act, we decline to adopt such a
suggestion. Securus argues that the prohibition on line item charges should not apply to inmate calling
service providers.445 We similarly decline to adopt such an exemption for these providers, as the
TRACED Act’s prohibition on line item charges extends to all “providers of voice service,” which
includes inmate calling service providers.446
128.
Other commenters argue that we should go even further than the TRACED Act and
prohibit voice service providers from recouping costs of caller ID authentication and other robocall
mitigation solutions entirely.447 We decline to take such action because doing so would go beyond the
directive in the TRACED Act, and because we recognize that implementation of caller ID authentication
imposes cost on voice service providers.448 Additionally, the record shows that some voice service
providers may not have enough resources simply to absorb the cost of implementing caller ID
authentication.449 By not prohibiting cost recovery through alternate means, we promote the investment
by all voice service providers in caller ID authentication solutions for their networks.450
129.

As proposed, we interpret “consumer” in this context to mean residential mass market

See, e.g., Arkansas AG Comments at 5; Consumer Reports, National Consumer Law Center Comments, CG
Docket No. 17-59, WC Docket No. 17-97, at 3 (rec. July 24, 2019); Fifty-One (51) State Attorneys General Reply,
CG Docket No. 17-59, WC Docket No. 17-97, at 3-4 (rec. Aug. 23, 2019).
442

443

TRACED Act § 4(b)(6).

444

MT Networks Comments at 2.

445

Securus Comments at 7.

446

TRACED Act § 4(b)(6); see id. § 4(a)(2); see also 47 CFR § 64.6300(g).

See, e.g., Arkansas AG Comments at 5 (“Consumers should not be further victimized by allowing providers to
pass along the costs to them.”); Consumer Groups Reply at 3-4 (“We disagree with Securus Technologies, which
argues against clarifying that these line items are not permitted, while they also argue in favor of allowing
companies to recover their costs for implementing STIR/SHAKEN.”). Some commenters argue that we should also
prohibit charges for call blocking services. See, e.g., id. We decline to do so at this time because we do not address
call blocking-related issues in this Report and Order.
447

See, e.g., CenturyLink Reply at 20 (stating that STIR/SHAKEN deployment “will require network investment
and other expenditures”).
448

See, e.g., Colo Telephone Company Reply at 1 (“We as a company support and want to do what is best for our
customers and support the use of STIR/SHAKEN to protect them from unwanted calls and spoofing. However, the
upfront and yearly recurring charges to our small company make it almost impossible to absorb, with no cost
recovery.”); Wabash Communications Reply at 2-3 (“New SHAKEN expenses pretty much exhaust our operating
margins that cover the operational expenses of the network today. Incurring new expenses, while at the same time
reducing margins, is a lose-lose for Wabash.”).
449

See, e.g., CTIA Reply at 12; Securus Reply at 8. This action is also consistent with our approach in our recently
released Report and Order regarding the establishment of 988 as a national suicide hotline. In that proceeding,
although we declined to adopt a cost recovery mechanism for 988, we noted that our decision “does not preclude
service providers from reflecting any increased costs incurred as a result of implementation in their rates charged to
end users.” Implementation of the National Suicide Hotline Improvement Act of 2018, WC Docket No. 18-336,
Report and Order, 35 FCC Rcd 7373, 7413, para. 69 (2020).
450

63

Federal Communications Commission

FCC 20-136

subscribers, and adopt a rule consistent with this interpretation.451 We interpret “consumer” to refer to
individual subscribers because we believe this interpretation will protect individuals from receiving line
item charges on their bills. We received no opposition in the record to our proposal. We also adopt our
proposal to interpret “small business” to refer to business entities that meet the Small Business
Administration definition of “small business.”452 We adopt this definition of “small business” because it
reflects the judgment of the Small Business Administration, which has expertise in this area. We received
no opposition in the record for this interpretation. We decline to adopt RadNet’s proposal that we
prohibit voice service providers “from charging healthcare facilities and providers, regardless of size, for
call authentication technology,”453 because the TRACED Act establishes the classes of entities that
Congress intended to protect from additional line item charges for caller ID authentication: consumers
and small business subscribers.454 Additionally, healthcare facilities that meet the standard for “small
business” that we establish are covered by our rule, and so separate protection for such healthcare
facilities would be redundant. Healthcare facilities that exceed the definition of “small business” are in a
better position to negotiate billing arrangements with voice service providers than small businesses and
residential mass market subscribers. Thus, providing them with the same protections would be
unnecessary.
130.
We also adopt our proposal to implement this section of the TRACED Act by prohibiting
voice service providers from imposing a line item charge for the cost of upgrading network elements that
are necessary to implement caller ID authentication, for any recurring costs associated with the
authentication and verification of calls, or for any display of caller ID authentication information on their
subscribers’ phones.455 Caller ID authentication solutions work by allowing the originating voice service
provider to authenticate the caller ID information transmitted with a call it originates, and the terminating
provider to verify that the caller ID information transmitted with a call it receives is authentic and act on
the information provided after verification. The record reflects that voice service providers must upgrade
their existing network elements to enable caller ID authentication,456 and pay recurring maintenance and
other operating fees in order to actively authenticate caller ID information.457 And, for caller ID
authentication technology to be meaningful for subscribers, voice service providers may choose to display
caller ID authentication information to their end users. We find that the prohibition as adopted covers the
full scope of costs “for” providing caller ID authentication to consumer and small business subscribers.458
131.

CenturyLink argues that this is too expansive a reading of the TRACED Act’s

See First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3290, para. 119; see
also Restoring Internet Freedom, WC Docket No. 17-108, Declaratory Ruling, Report and Order, and Order, 33
FCC Rcd 311, 318, para. 20 n.58 (2018) (“By mass market, we mean services marketed and sold on a standardized
basis to residential customers, small businesses, and other end-user customers . . . .”).
451

The Small Business Administration determines whether a business is a small business using size standards which
vary by industry, and are generally based on the number of employees or the amount of annual receipts the business
has. See 13 CFR Part 121, Subpart A; see also Small Business Administration, Size Standards,
https://www.sba.gov/federal-contracting/contracting-guide/size-standards#section-header-0 (last visited Sept. 3,
2020).
452

453

RadNet Comments, WC Docket Nos. 17-97 and 20-67, at 2 (rec. May 15, 2020).

454

TRACED Act § 4(b)(6).

455

First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3290, para. 120.

See, e.g., AT&T Reply at 18 (“[I]mplementation costs[] includ[e] undertaking the associated upgrades
to . . . networks . . . .”); NTCA Reply at 9-10.
456

See, e.g., Colo Telephone Company Reply at 1; Montana Telecom Comments at 3 n.6 (“Preliminary cost
estimates for implementing STIR/SHAKEN range from $36,000 to $81,000 a year.”).
457

458

TRACED Act § 4(b)(6).

64

Federal Communications Commission

FCC 20-136

language.459 Instead, CenturyLink suggests that, to be more aligned with the language of the TRACED
Act, we only prohibit line items for costs “related to the basic signing of calls and verifying of Identity
headers.”460 We fail to see how costs associated with, for example, network upgrades that are necessary
to implement caller ID authentication are not “for” such technology, and CenturyLink does not explain
why we should read “for” in this context so narrowly. We also note that we do not prohibit cost recovery
for such costs by alternative means.
F.

Intermediate Providers

132.
To further promote effective, network-wide caller ID authentication, we adopt the
proposal from our First Caller ID Authentication Report and Order and Further Notice to extend our
STIR/SHAKEN implementation mandate to intermediate providers.461 The STIR/SHAKEN framework
enables an end-to-end system for authenticating the identity of the caller.462 For this system to work, the
Identity header must travel the entire length of the call path—even when a call transits the networks of
intermediate providers.463 Thus, intermediate providers play a crucial role in this system. In the First
Caller ID Authentication Report and Order and Further Notice, we proposed imposing obligations on
intermediate providers for calls they receive with authenticated and unauthenticated caller ID
information.464 For calls with authenticated caller ID information that an intermediate provider receives
and will exchange in SIP, we proposed requiring an intermediate provider to pass any Identity header
associated with that call, unaltered, to the subsequent provider in the call path.465 And for calls an
intermediate provider receives without authenticated caller ID information that it will exchange in SIP,
we proposed requiring the intermediate provider to authenticate that call with “gateway” or “C”-level
attestation before passing it to the subsequent intermediate or voice service provider in the call path.466
With modifications, we adopt both of these proposals.
1.

Authenticated Calls

133.
We adopt our proposal to require intermediate providers to pass any Identity header that
they receive to the terminating voice service provider or subsequent intermediate provider in the call path.
This means, technically, that the intermediate provider must forward the Identity header downstream in
the SIP INVITE.467 By placing this requirement on intermediate providers, we ensure that SIP calls can
benefit from STIR/SHAKEN regardless of what provider transits the call. This proposal received wide

459

CenturyLink Reply at 21.

460

Id.

461

First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3270, para. 61.

462

See ATIS-1000074 § 4, at 3.

463

First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3270-71, para. 62.

464

Id. at 3270-71, paras. 62, 64.

465

Id. at 3270, para. 62.

466

Id. at 3271, para. 64.

467

Id. at 3270-71, para. 62.

65

Federal Communications Commission

FCC 20-136

support, and no opposition, in the record.468 INCOMPAS, which notes that it represents a number of
entities that act as intermediate providers, agrees that “[t]he success of STIR/SHAKEN ultimately
depends on the broad participation of voice service providers, including, wherever technically feasible,
intermediate providers.”469 AT&T, Comcast, and Verizon also all confirm the importance of adopting this
rule. AT&T notes that “requiring intermediate providers to pass through Identity header information is
necessary to ensure that calls retain authentication information across the entire call path.”470 Comcast
writes that “[a]chieving truly nationwide call authentication requires the participation of all providers
involved in transmitting voice calls, including intermediate providers.”471 And Verizon emphasizes that
regulatory action is necessary to ensure intermediate provider involvement in the system.472 We agree
with these assertions.
134.
Additionally, we further adopt our proposal to require intermediate providers to pass the
Identity header unaltered.473 We find that this requirement is necessary to prevent a downstream provider
from tampering with the Identity header and thus undermining the end-to-end chain of trust between the
originating and terminating voice service providers. Commenters support this approach,474 with NCTA
stating that it is necessary to “maintain the integrity of the authentication information and reduce the
potential for inadvertent error or intentional manipulation,”475 and Hiya noting that “having access to
untampered identity headers will significantly aid analytics and, as a result, the detection of illegal
robocalls.”476 This requirement ensures that all SIP calls benefit from STIR/SHAKEN, increasing the
effectiveness of STIR/SHAKEN in combating illegally spoofed robocalls and fraudulent robocall
schemes.477 And although entities acting as intermediate providers will face implementation costs in
order to forward unaltered Identity headers, they will not face the recurring costs necessary to authenticate
See ACA Connects Comments at 12 (“If any intermediate provider in the call path fails to transfer the header to
the next provider, it will not reach the terminating provider and the call will not be validated. Exempting
intermediate providers from participation in STIR/SHAKEN would thus create an unacceptable gap in the
deployment of the technology.”); Noble Systems Comments at 11 (“The Commission aptly recognizes that without
the participation of intermediate providers, the SIP Identi[ty] header could be dropped from the originating carrier
when transiting to the terminating carrier, rendering the whole STIR/SHAKEN architecture of little value.”); see
also AT&T Comments at 5-6; Comcast Comments at 3; CTIA Comments at 9-10; First Orion Comments, WC
Docket Nos. 17-97 and 20-67, at 2 (rec. May 15, 2020) (First Orion Comments); NCTA Comments at 7; Neustar
Comments at 9; TCN Comments, WC Docket Nos. 17-97 and 20-67, at 2 (rec. May 15, 2020) (TCN Comments); TMobile Comments at 5; USTelecom Comments at ii; Verizon Comments at 15.
468

INCOMPAS Comments at 5 (noting further that “many intermediate providers are well positioned to participate
in an IP-based call authentication ecosystem as they are among the industry leaders in adopting and operating IP
networks”).
469

470

AT&T Comments at 5-6.

471

Comcast Comments at 3.

472

Verizon Comments at 15.

473

First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3271, para. 63.

AT&T Comments at 5 (“Specifically, for calls received in SIP that will be exchanged in SIP, the Commission
should require that intermediate providers pass on unaltered header Identity information to any subsequent providers
in the call path.”); CTIA Comments at 9-10 (“CTIA also supports the Commission’s proposal for intermediate
providers to pass SIP STIR/SHAKEN headers for authenticated traffic unaltered.”); First Orion Comments at 2;
NCTA Comments at 7-8; USTelecom Comments at 13-14.
474

475

NCTA Comments at 7-8.

476

Hiya Reply at 12.

See, e.g., INCOMPAS Comments at 5; T-Mobile Comments at 5; USTelecom Comments, CG Docket No. 17-59,
WC Docket No. 17-97, at 8 (rec. Aug. 23, 2019) (“Industrywide implementation of SHAKEN/STIR is very
important for it to be effective . . . .”).
477

66

Federal Communications Commission

FCC 20-136

and verify caller ID information.478 Moreover, we expect these one-time implementation costs to be far
less than the benefits of this intermediate provider requirement because the inclusion of intermediate
providers is important to achieving the benefits discussed in the First Caller ID Authentication Report and
Order.479 Requiring intermediate providers to pass the Identity headers that they receive to the subsequent
intermediate provider in the call path or the terminating voice service provider is crucial to ensuring endto-end caller ID authentication and unlocking these benefits for consumers and providers alike.
135.
The record convinces us, however, to modify our proposal to allow an intermediate
provider to strip the Identity header in two narrow circumstances: (1) for technical reasons where
necessary to complete the call, and (2) for security reasons where an intermediate provider reasonably
believes the Identity header presents a threat to its network security. Several commenters explain that
these are legitimate reasons why an intermediate provider might need to strip the Identity header.
136.
In identifying the limited technical reasons an intermediate provider may need to strip the
Identity header, the industry standards group ATIS explains that it may be necessary to strip an Identity
header for call completion in cases such as Government Emergency Telecommunications Service (GETS)
call processing;480 INCOMPAS identifies instances where the Identity header may be too large to
successfully transit the network;481 and we recognize it may be necessary to strip the Identity header
before exchanging a call with a non-IP provider or at a non-IP interconnection point. We emphasize that
the technical necessity exception is narrow and limited to circumstances that are necessary to complete
the call. The technical necessity exception does not extend to failures or inadequacies in an intermediate
provider’s network. As the technology supporting STIR/SHAKEN advances and improves, it may be
possible to transmit headers in circumstances where it previously was not. As such, we will continue to
monitor the use of this exception and adjust its outer limits as needed. Commission staff will not hesitate
to refer reports of intermediate providers abuse of this exception to the Enforcement Bureau.
137.
Regarding the security exception, Verizon advocates that we allow intermediate
providers to act should Identity headers become “an attack vector used by bad actors.”482 We agree and
so do not prohibit an intermediate provider from stripping the Identity header when it reasonably believes
the header presents an imminent threat to its network security. We do not, however, permit an
intermediate provider to strip the header if it believes the Identity header has been tampered with or is
fraudulent short of presenting an imminent security threat.483 This narrow exception does not empower
the intermediate provider to make determinations on behalf of other providers in the call path or to

See First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3265-66, para. 53 (finding
some of the recurring costs to include fees associated with the authentication and verification processes, as well as with
obtaining digital certificates).
478

479

See id. at 3263-65, paras. 46-52.

ATIS explains that “the caller ID information of an incoming GETS call from an Originating Service Provider
(OSP) may be replaced by an authenticating GETS provider as part of GETS processing. In this case, the incoming
STIR/SHAKEN header information is stripped and new STIR/SHAKEN header information for the modified caller
ID is included in the outgoing call.” ATIS Comments at 3; see also T-Mobile Comments at 5 n.18.
480

INCOMPAS notes that when an intermediate provider is relying on User Datagram Protocol (UDP) as a transport
protocol rather than Transmission Control Protocol (TCP), “the Identity header could inflate the size of the SIP
message sufficiently that a single UDP packet would not be capable of carrying the information. It would be
fragmented over multiple UDP packets and the call itself, in some circumstances, could end up being dropped,
defeating the provider’s ultimate aim of delivering the call or having the necessary information to authenticate it or
trace the call back to the source.” INCOMPAS Comments at 6-7.
481

Verizon Comments at 15-16 (claiming that such security threats could include Server-Side Request Forgery
(SSRF) attacks and Telephony Denial of Service (TDOS) attacks).
482

483

See AT&T Comments at 6-7.

67

Federal Communications Commission

FCC 20-136

interfere with the verification process defined in the SHAKEN standards.484 Instead, our goal is to permit
an intermediate provider to act in the face of an imminent security threat to its network. We emphasize
that intermediate providers must employ this exception sparingly, and the exception will not apply where
an intermediate provider strips Identity headers routinely instead of maintaining reasonable network
security. Furthermore, since no commenter identified a circumstance where an intermediate provider
would need to alter the Identity header, we specify that intermediate providers may not alter Identity
headers under any circumstance.
138.
Relatedly, we prohibit an originating voice service provider from sending excessively
large headers with the goal of evading STIR/SHAKEN compliance by forcing an intermediate provider to
strip the header before exchanging the call with a subsequent downstream provider. We would consider
such conduct a violation of our rule requiring an originating voice service provider to authenticate caller
ID information for calls it originates and exchanges with another voice service provider or intermediate
provider.485
139.
ACA Connects proposes that we prohibit intermediate providers from passing a call they
have received in SIP to a downstream provider in TDM when there is a downstream IP option
available.486 We decline to adopt this proposal because, at this early stage, we do not wish to interfere
with call routing decisions for the sake of promoting STIR/SHAKEN. Providers must consider a variety
of factors when routing calls, including cost and reliability, and we do not believe at this stage that
preserving STIR/SHAKEN headers should swamp all other considerations. For the same reason, we
decline to adopt USTelecom’s suggestion to require gateway providers to pass international traffic only to
downstream providers that have implemented STIR/SHAKEN.487 Finally, while we do not require
intermediate providers to append duplicative Identity headers to calls that they transit,488 we decline to
prohibit this practice at this stage of STIR/SHAKEN deployment across the voice network.489 AT&T
contends that, if intermediate providers append duplicative Identity headers, it would add additional
complexity and consume bandwidth for other providers.490 However, this issue received little attention in
the record and, at this time, we have no reason to think it is a practice industry will adopt widely. We
decline to be overly prescriptive at this early stage of deployment, and we will monitor this issue for any
problems that develop.
2.

Unauthenticated Calls

140.
We also adopt a modified version of the proposed authentication requirement on
intermediate providers for unauthenticated calls. Specifically, we require that an intermediate provider
authenticate the caller ID information of a call that it receives with unauthenticated caller ID information
that it will exchange with another intermediate provider or terminating voice service provider as a SIP
call. However, a provider is relieved of this obligation if it (i) cooperatively participates with the industry
traceback consortium and (ii) responds to all traceback requests it receives from the Commission, law
enforcement, or the industry traceback consortium regarding calls for which it acts as an intermediate
484

See ATIS-1000074-E § 5.3, at 11-13.

485

47 CFR § 64.6301(a)(2).

486

ACA Connects Comments at 12-13.

See First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3271-72, para. 64; see
also T-Mobile Comments at 7 (advocating for the Commission to decline to adopt this proposal from USTelecom
because “[c]urrent call-handling practices do not include an evaluation of what may happen to a call when it is handed
off” to a downstream provider).
487

First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3270-71, para. 62 (seeking
comment on such a requirement).
488

489

See AT&T Comments at 7.

490

Id.

68

Federal Communications Commission

FCC 20-136

provider.491 Our final requirement differs from our proposed requirement in two ways. First, we do not
require an intermediate provider to authenticate with a C-level or gateway attestation. Instead, if a
provider chooses to authenticate the caller ID information of an unauthenticated call that it receives, we
require only that a provider authenticate the caller ID information consistent with industry standards. And
second, our modified requirement allows participation with the industry traceback consortium as an
alternative option for compliance.
141.
In the First Caller ID Authentication Report and Order and Further Notice, we proposed
requiring intermediate providers to authenticate caller ID information for unauthenticated traffic that they
receive with a C-level attestation, and tentatively concluded this requirement would improve traceback
efforts and analytics. Some commenters—including major voice service providers that have reported
substantial progress in STIR/SHAKEN implementation—endorse our reasoning that such a rule is in
compliance with the industry standards,492 would enhance traceback capabilities,493 and would benefit call
analytics.494 Neustar argues that intermediate providers should authenticate caller ID information for calls
that they transmit that lack such information because “it allows the terminating voice service provider to
more easily traceback otherwise unauthenticated calls, and provides additional information that can be
used to facilitate innovation in the robocall analytics space.”495 And T-Mobile explains that intermediate
provider authentication would be useful to terminating voice service providers because “[h]aving some
information regarding this large subset of calls to enable traceback and strengthen analytics is preferable
to having no information on which to make blocking and labeling decisions.”496
142.
We modify our proposal to require attestation consistent with industry standards rather
than specifically requiring C-level attestation because this approach better aligns with our goal of
promoting implementation of the industry-defined caller ID authentication standards rather than
interfering with their technical application. This modification brings our intermediate provider rules in
line with the STIR/SHAKEN obligations we imposed on originating and terminating voice service
providers. In the First Caller ID Authentication Report and Order and Further Notice, we explained that
for compliance with our rules it would be sufficient to adhere to the three standards that comprise the
foundation of the STIR/SHAKEN framework—ATIS-1000074, ATIS-1000080, and ATIS-1000084—and
all documents referenced therein.497 Recognizing that industry standards are not static, we framed the most
recent versions of these standards as the baseline requirements for compliance.498 We follow that approach
here and establish that compliance with the most current version of these three standards as of September
See Implementing Section 13(d) of the Pallone-Thune Telephone Robocall Abuse Criminal Enforcement and
Deterrence Act (TRACED Act), EB Docket No. 20-22, Report and Order, 35 FCC Rcd 7886 (EB 2020) (selecting
USTelecom’s Industry Traceback Group as the single consortium to conduct private-led traceback efforts).
491

See Neustar Comments at 9; First Orion Reply at 10; cf. Noble Systems Reply at 1-2; T-Mobile Reply, WC
Docket Nos. 17-97 and 20-67, at 5-6 (rec. May 29, 2020) (T-Mobile Reply). But see AT&T Reply at 6-7 (arguing
that “the SHAKEN standards allow, but do not require, intermediate providers to assign a C-level attestation when
passing calls”).
492

493

See NCTA Comments at 8; Neustar Comments at 9; Noble Systems Comments at 17-18; T-Mobile Reply at 5-6.

See Atheral Comments at 7; Neustar Comments at 9; TCN Comments at 7-8; First Orion Reply at 10-11; TMobile Reply at 4.
494

495

Neustar Comments at 9.

T-Mobile Reply at 4. T-Mobile further explains that even “C-attested calls all contain an origination ID
(‘origid’)” which is “a globally unique identifier that represents the originating point of the call, such as the
telephone switch where the call started, or a trunk group, which can be useful in tracing back the origin of a call.”
Id. at 5. And T-Mobile notes that “[w]hile USTelecom’s Industry Traceback Group (‘ITG’) can do its work without
relying on origid, this does not obviate the need for origid, which would further advance ITG’s goals.” Id. at 5-6.
496

497

First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd 3258-59, para. 36.

498

Id.

69

Federal Communications Commission

FCC 20-136

30, 2020, including any errata as of that date or earlier, represents the minimum requirement for
intermediate providers to satisfy our rules. We encourage innovation and improvement to the
STIR/SHAKEN framework, so long as any changes or additions do not compromise the baseline call
authentication functionality envisioned by ATIS-1000074, ATIS-1000080, and ATIS-1000084.499
143.
Beyond harmonizing our requirements on intermediate providers and originating and
terminating voice service providers, this modification responds to record interest in allowing, where
possible, intermediate providers to authenticate caller ID information with a higher level of attestation
than a C-level attestation.500 It is not our intent to preclude or interfere with efforts to accommodate this
interest; only to ensure the caller ID information for such calls be authenticated. To that end, we agree
with commenters that argue we should not require intermediate providers to authenticate calls with a
specific level of attestation,501 and require instead that intermediate providers authenticate the caller ID
information for unauthenticated calls consistent with industry standards as described above. This
clarification allows for and encourages industry progress, and we look forward to seeing progress on the
numerous proposals in the record to allow for more robust authentication of such calls.502
144.
Although we establish this requirement, in response to arguments that our proposal was
unduly burdensome in some cases,503 we allow for an intermediate provider to register and participate
with the industry traceback consortium as an alternative means of complying with our rules. Several
commenters claim that a requirement for intermediate providers to authenticate the caller ID information
of all unauthenticated calls that they receive would cause bandwidth problems within provider
networks.504 Several commenters also express concern that an attestation requirement would undermine
the efficacy of STIR/SHAKEN by “pollut[ing] the ecosystem” with “billions of useless attestations,”
See id. An example of such an innovation is the recent technical report ATIS and the SIP Forum released
providing guidelines for originating providers on the population of the SHAKEN attestation indicator and
origination identifier. See ATIS & SIP Forum, Technical Report, A Framework for SHAKEN Attestation and
Origination Identifier, ATIS-1000088 (2020), https://access.atis.org/apps/group_public/download.php/51435/ATIS1000088,%20A%20Framework%20for%20SHAKEN%20Attestation%20and%20Origination%20Identifier.pdf.
499

See BT Americas Comments, WC Docket Nos. 17-97, 20-67, at 4-10 (rec. May 15, 2020) (BT Americas
Comments); Business Telecommunication Services, Inc. Comments, WC Docket Nos. 17-97 and 20-67 at 4-9 (rec.
May 15, 2020) (BTS Comments); Cloud Communications Alliance Comments at 8-10; Letter from Beth Choroser,
Vice President, Regulatory Affairs, Comcast Corporation to Marlene H. Dortch, Secretary, FCC, WC Docket Nos,
17-97 and 20-67, at 2 (filed May 12, 2020) (Comcast Ex Parte); Securus Comments at 4-5; VON Comments at 2.
500

See BT Americas Comments at 4-10; BTS Comments at 4-9; Cloud Communications Alliance Comments at 810; Comcast Ex Parte at 2; Securus Comments at 4-5; VON Comments at 2.
501

We decline to require any specific solution, as some commenters suggest, or to impose a specific timeline. See
BT Americas Comments at 4-10; BTS Comments at 8-9; Cloud Communications Alliance Comments at 10;
Comcast Ex Parte at 2; Letter from Steven A. Augustino, Counsel to Business Telecommunication Services, Inc., to
Marlene H. Dortch, Secretary, FCC, WC Docket No. 17-97 (filed Sept. 22, 2020). We encourage interested parties
to continue this work promptly, but the record does not include enough information on which to base a deadline, and
industry standards bodies are better-suited to modify the standards they have created.
502

See ATIS Comments at 5; AT&T Comments at 7-9; Verizon Comments at 14-15; CenturyLink Reply at 5-7;
Verizon Reply at 11-14.
503

See AT&T Comments at 8-9 (claiming that this requirement would “amount[] to an increase of up to 20 percent
from the signing capacity required for calls that originate on AT&T’s network”); Verizon Comments at 14
(estimating broadly that “depending on the platform, the additional bandwidth associated with adding a ‘C’
attestation to otherwise-unsigned calls ranges from 20% to as high as 300%”); Verizon Reply at 12, 12 n.34
(estimating that intermediate provider authentication would lead to an increase of 5-10k calls per second, which
would represent a 25-50% increase in their current expected load). But see First Orion Reply at 11 (observing that
the “Identity headers used for C-Attestation are the same size as those ones used for A-Attestation which is already
mandated and must be relayed”).
504

70

Federal Communications Commission

FCC 20-136

causing customer harm and confusion.505 Further, some commenters contend that such a requirement
would not lead to the benefits that we proposed would accrue.506 Other commenters in the record push
back on these concerns,507 and because of the potential value of more ubiquitous authentication, we do not
find that these concerns justify the elimination of this requirement entirely. We find that attestation of
previously unauthenticated calls will provide significant benefits in facilitating analytics, blocking, and
traceback by offering all parties in the call ecosystem more information, and we thus allow attestation of
unauthenticated calls as one method for compliance. This conclusion is consistent with our analysis in
the First Caller ID Authentication Report and Order, where we found that the benefits of requiring
providers to authenticate calls will substantially outweigh the costs.508
145.
While we make this conclusion, we acknowledge record concerns about the cost of
requiring intermediate provider authentication and thus offer an alternative method of compliance that we
anticipate will be less burdensome and will nonetheless facilitate traceback of calls. Specifically,
establish that an entity acting as an intermediate provider is relieved of the requirement to authenticate the
caller ID information of unauthenticated calls it receives if it (i) cooperatively participates with the
industry traceback consortium, and (ii) responds to all traceback requests it receives from the
Commission, law enforcement, or the industry traceback consortium for calls for which it acts as an
intermediate provider.509
146.
Providing this option addresses intermediate provider concerns over the burden that an
authentication requirement would place on their networks. It further allows for continued evaluation of
the role intermediate providers play in authenticating the caller ID information of the unauthenticated
calls that they receive amid the continued deployment of the STIR/SHAKEN framework. By ensuring
that all calls which transit the voice network either receive some form of attestation or are carried by an
intermediate provider that is registered with the industry traceback consortium, terminating voice service
providers will have more data about a call that can be used to support traceback efforts and call analytics,
and prevent future illegal robocalls—further increasing the net benefits offered by STIR/SHAKEN.
Additionally, providing this option for intermediate providers aligns with the robocall mitigation
requirements we adopt today. By requiring intermediate providers and many originating voice service
providers to engage in practices that promote traceback, we will ensure broad participation through the
entire call path to determine the source of illegal robocalls. Although the obligation to either authenticate
or participate in the industry traceback consortium with respect to unauthenticated calls will place costs
on intermediate providers, we have no reason to believe that our additional mandate will fundamentally

505

See Verizon Comments at 12-14.

See AT&T Comments at 8; USTelecom Comments at 14-15; Verizon Comments at 13-14; CenturyLink Reply at
7; Hiya Reply at 11-12; TNS Reply at 7; Verizon Reply at 10-11. But see First Orion Reply at 11; USTelecom
Comments, CG Docket No. 17-59, WC Docket No. 17-97, at 12-13 (rec. July 24, 2019) (advocating that the
Commission should “ensure that calls entering through a gateway provider are appropriately signed (i.e., gateway
attestation). This would enable the Commission, individual voice service providers, and/or USTelecom’s ITG to
immediately identify the ingress voice service provider for these calls into the United States, thereby expediting and
improving more rapid mitigation efforts”); USTelecom Reply, CG Docket No. 17-59, WC Docket No. 17-97, at 7
(rec. Aug. 23, 2019) (suggesting again that “the Commission should explore requiring voice service providers acting
as gateway providers for international traffic, regardless of their size, to implement the SHAKEN/STIR standard”).
506

507

See First Orion Reply at 11; Noble Systems Reply at 1-2, 6, 8.

508

See First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3262, para. 45.

We again underscore that this requirement does not supersede any existing legal processes, and we encourage law
enforcement to make traceback requests through the industry traceback consortium. USTelecom Sept. 18 Ex Parte
at 7-8.
509

71

Federal Communications Commission

FCC 20-136

disturb our cost-benefit calculus for STIR/SHAKEN implementation.510
147.
We find it unnecessary to adopt CTIA’s suggestion to require intermediate providers
serving as international gateways to register with the Commission.511 Under the rules we adopt, such
providers are required either to authenticate the caller ID information of the foreign-originated calls that
they receive and will transit on their networks or to register with the industry traceback consortium and
participate in traceback efforts. Both options we adopt address call tracing more directly than a mere
registration requirement, and we are reluctant to create multiple overlapping registration requirements for
providers that choose the latter option. We can revisit CTIA’s suggestion should the measures we adopt
prove insufficient.
3.

Limiting Intermediate Provider Requirements to IP Networks

148.
In the First Caller ID Authentication Report and Order and Further Notice, we proposed
limiting our caller ID authentication obligations on intermediate providers to IP calls.512 We adopt our
proposal with modifications. First, we adopt this proposal for calls with authenticated caller ID
information that an intermediate provider receives. In so doing, we limit the requirement that
intermediate providers pass any received Identity header unaltered to IP calls, that is, calls that the
intermediate provider receives in SIP and exchanges with a terminating provider or another intermediate
provider in SIP. Commenters support limiting our rule to IP calls,513 and doing so harmonizes our rules
for intermediate providers with our rules applying to originating and terminating voice service
providers.514
149.
Second, we modify this proposal for calls with unauthenticated caller ID information that
an intermediate provider receives. To the extent that an intermediate provider chooses to comply with the
rules we adopt today by authenticating the caller ID information of the unauthenticated calls that it
receives, as Comcast suggests,515 we clarify that this requirement applies to all unauthenticated calls an
intermediate provider receives that it will exchange with a subsequent provider in SIP, regardless of whether
the intermediate provider receives the call in SIP. In other words, if the intermediate provider chooses to
authenticate the caller ID information of unauthenticated calls, the obligation applies if the intermediate
provider transmits the call downstream in SIP. We make this modification in recognition of the fact that
calls without authenticated caller ID information may have originated on non-IP networks or have been
exchanged at non-IP interconnection points and thus do not have an existing Identity header. In those
instances, the obligation to authenticate the caller ID information according to industry standards applies
whether or not the call was received by the intermediate provider in SIP.
150.
We decline to adopt Comcast’s proposal that intermediate providers exchanging traffic in
TDM install TDM-to-VoIP gateways.516 At this time, we believe that such a requirement would be
See id. at 3262-66, at paras. 45-53. AT&T argues that “[t]he initial estimates of the major providers’ costs to
implement STIR/SHAKEN grossly underestimate reality,” and that STIR/SHAKEN implementation costs “easily
will exceed hundreds of millions of dollars.” AT&T Reply at 18. We are not convinced by this assertion as AT&T
does not provide concrete evidence to support such claims, nor any explanation as to why initial estimates were
inaccurate.
510

511

See CTIA Comments at 11-12.

512

See First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3272-73, para. 65.

513

See AT&T Comments at 6.

514

See First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3259, para. 38.

See Comcast Comments at 8-9 (suggesting that if we limited this requirement to only calls that an intermediate
provider received in SIP, we would “create a substantial gap in the Commission’s call authentication regime and
potentially prevent a large volume of calls from being authenticated”).
515

516

See id. at 8.

72

Federal Communications Commission

FCC 20-136

unduly burdensome.517 Furthermore, it would go beyond both Congress’s and our approach to addressing
the issues around non-IP technology and caller ID authentication, which aim to strike a balance between
encouraging the IP transition and the development of non-IP solutions for the benefit of those networks
that cannot be speedily or easily transitioned. We will continue to monitor the development of technical
solutions to the issue of TDM exchange and are prepared to return to this proposal if circumstances
warrant.
4.

Definition of Intermediate Provider

151.
We adopt our proposal from the First Caller ID Authentication Report and Order and
Further Notice to use the definition of “intermediate provider” found in section 64.1600(i) of our rules.518
This section provides that an “intermediate provider” is “any entity that carries or processes traffic that
traverses or will traverse the [PSTN] at any point insofar as that entity neither originates nor terminates
that traffic.”519 We further determine that as with our interpretation of “providers of voice service,” we
assess the definition of “intermediate provider” on a call-by-call basis for the purpose of our call
authentication rules. A single entity therefore may act as a voice service provider for some calls on its
network and an intermediate provider for others. Intermediate providers play a critical role in ensuring
end-to-end call authentication. We believe that this broad definition will best promote the widespread
deployment of the STIR/SHAKEN framework that is necessary to benefit consumers.
152.
We sought comment in the First Caller ID Authentication Report and Order and Further
Notice on whether we should use a narrower definition of intermediate provider, such as the one we use in
the context of rural call completion.520 One commenter advocates for a narrower definition that would “not
include in its scope an ISP that is only incidentally transmitting voice traffic,” because this “could place a
substantial burden on small, rural ISPs transmitting Non-Interconnected VoIP or Interconnected VoIP via
a third-party service provider they have no relationship with.”521 As we explained in the First Caller ID
Authentication Report and Order and Further Notice, the STIR/SHAKEN framework relies on the
transmission of information in the Identity header of a SIP INVITE.522 We understand that there are
circumstances where a call set up using SIP signaling will then use other paths to exchange the media
packets containing voice data.523 Because we have limited our rules to the exchanging of SIP calls, to the
extent that an ISP is only transmitting voice traffic of a call that does not involve the exchange of a SIP
INVITE, we believe it is already excluded from our rules.
5.

Legal Authority

153.
We find that we have the authority to place caller ID authentication obligations on
intermediate providers and alternatively to require that they register and participate with the industry
traceback consortium under section 251(e) of the Act. In the First Caller ID Authentication Report and
Order, we concluded that our exclusive jurisdiction over numbering policy provides authority to require
voice service providers to implement STIR/SHAKEN in order to prevent the fraudulent abuse of NANP
resources.524 In the Further Notice, we proposed that this same analysis provides the Commission
517

See CenturyLink Reply at 8 (opposing this proposal as unduly burdensome).

518

See First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3273, para. 67.

519

47 CFR § 64.1600(i).

520

See First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3273, para. 67.

521

Atheral Comments at 7.

522

First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3244-45, paras. 6-7.

See IETF, SIP: Session Initiation Protocol, RFC 3261, at 16 (2002), https://www.rfceditor.org/rfc/pdfrfc/rfc3261.txt.pdf.
523

524

First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3260-61, para. 42.

73

Federal Communications Commission

FCC 20-136

authority to impose STIR/SHAKEN implementation requirements on intermediate providers.525 Several
commenters support this view.526 Calls that transit the networks of intermediate providers with illegally
spoofed caller ID are exploiting numbering resources in the same manner as spoofed calls on the
networks of originating and terminating providers, and so we find authority under section 251(e).
Consistent with the First Caller ID Authentication Report and Order and Further Notice,527 we adopt our
proposal concluding that the section 251(e)(2) requirements do not apply in the context of our
establishing STIR/SHAKEN requirements.528
154.
We find additional, independent authority under the Truth in Caller ID Act. The Truth in
Caller ID Act charged the Commission with prescribing rules to make unlawful the spoofing of caller ID
information “in connection with any voice service or text messaging service . . . with the intent to defraud,
cause harm, or wrongfully obtain anything of value.”529 We agree with T-Mobile that this provides us
with authority to mandate that intermediate providers adopt “a framework that will minimize the
frequency with which illegally spoofed scam calls will reach consumers.”530 We found authority in the
First Caller ID Authentication Report and Order for our STIR/SHAKEN implementation mandate on
originating and terminating voice service providers under the Truth in Caller ID Act.531 We explained
that “the rules we adopt today are necessary to enable voice service providers to help prevent these
unlawful acts and to protect voice service subscribers from scammers and bad actors.”532 That same
analysis applies to intermediate providers that, as noted, play an integral role in the success of
STIR/SHAKEN across the voice network.
155.
Verizon, the only commenter to challenge our legal authority, argues that we lack
authority under either section 251(e) or the Truth in Caller ID Act to require an intermediate provider to
authenticate with a C-level attestation the caller ID information for unauthenticated calls it receives.533 It
asserts that “‘C’ attestations do not attest to the accuracy of numbers and indeed have nothing to do with
numbering resources,” and consequently that section 251(e) does not provide us with authority; it further
argues that “‘C’ attestations have nothing to do with the spoofing problem” and so could not be required
under the Truth in Caller ID Act.534 As an initial matter, Verizon’s objections are less pressing because of
the modifications we made to our final rule—requiring only authentication consistent with industry
standards or registration and participation with the industry traceback consortium. Furthermore, we do
not agree that C-level attestations “have nothing to do with” numbering resources or spoofing. The
STIR/SHAKEN standards expressly include the option of C-level attestation, and we think it apparent
525

Id.

526

AT&T Comments at 5 n.7; NCTA Comments at 8; Neustar Comments at 9-10; T-Mobile Comments at 7-8.

527

See First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3273, para. 68.

Because STIR/SHAKEN implementation is not a “numbering administration arrangement,” section 251(e)(2),
which provides that “[t]he cost of establishing telecommunications numbering administration arrangements . . . shall
be borne by all telecommunications carriers on a competitively neutral basis,” does not apply here. 47 U.S.C.
§ 251(e)(2). Even if section 251(e)(2) does apply, we conclude that because each carrier is responsible for bearing
its own implementation costs, the requirement is satisfied. Each carrier’s costs will be proportional to the size and
quality of its network.
528

529

47 U.S.C § 227(e)(1).

530

T-Mobile Comments at 8; see also Neustar Comments at 10.

531

First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3262, para. 44.

532

Id.

533

See Verizon Reply at 8 n.18.

Id. Verizon also argues that we may not “go beyond the scope of the legal authority granted by the TRACED
Act,” id., but overlooks language in that very Act providing that “[n]othing in this section shall preclude the
Commission from initiating a rulemaking pursuant to its existing statutory authority.” TRACED Act § 4(d).
534

74

Federal Communications Commission

FCC 20-136

that this component of “a technology specifically designed to counteract misuse of numbering resources”
through spoofing relates both to our authority under section 251(e) 535 and the Truth in Caller ID Act.
When bad actors unlawfully falsify or spoof the caller ID that appears on a subscriber’s phone, they are
using numbering resources to advance an illegal scheme. Mandating that intermediate providers
authenticate unauthenticated calls or participate in traceback efforts will help to prevent and remediate the
fraudulent exploitation of NANP resources and illegal spoofing of caller ID information.
G.

Other Issues

156.
No Additional Exceptions from Originating Voice Service Provider Caller ID
Authentication Mandate. We reject the record requests to grant limited exceptions from our caller ID
authentication rules.536 Verizon argues that we should free a voice service provider from our caller ID
authentication rules in certain circumstances where, in its view, it would be “inadvisable or inappropriate
for the originating carrier to place a signature on a call.”537 Verizon, USTelecom, and CTIA argue that
these circumstances include “periods of substantial network congestion,” such as national emergencies or
natural disasters, or during periods of network maintenance.538 Verizon further argues that a voice service
provider should not be required to authenticate caller ID information in certain complicated calling
cases.539 We decline to grant these categorical exceptions from our mandate. Our goal is ubiquitous
deployment of caller ID authentication technology, and no commenter explains with specificity why its
concerns outweigh that goal. To the contrary, national emergencies and natural disasters are among the
times when caller ID authentication is most important.540 In those instances, affected individuals must be
able to rely on the caller ID information they receive and avoid bad actors taking advantage of an ongoing
emergency or its aftermath. And while we do not grant an exception for complicated calling cases, we
underscore that, to the extent a certain calling case is not accounted for by industry standards, application
of caller ID authentication is not called for by our rules. We explained in the First Caller ID
Authentication Report and Order that “[c]ompliance with the most current versions of . . . three standards
as of March 31, 2020, including any errata as of that date or earlier, represents the minimum requirement
to satisfy our rules.”541
157.
Non-Substantive Rule Revision. We revise section 64.6301(a)(2) of our rules542 to make
two non-substantive changes. First, the adopted rule inadvertently omitted the word “it.” Second, the
535

Comcast Reply at 7.

Verizon Comments at 16; CTIA Ex Parte at 4; USTelecom Sept. 18 Ex Parte at 7. We construe these requests,
which do not respond to any part of the Further Notice, as petitions for reconsideration of the rules adopted in the
First Caller ID Authentication Report and Order and Further Notice. See 47 CFR § 1.429.
536

537

Verizon Comments at 16.

538

Verizon Comments at 17; CTIA Ex Parte at 4; USTelecom Sept. 18 Ex Parte at 7.

539

Verizon Comments at 17.

See FCC Consumer Guide, After Storms, Watch Out for Scams (October 24, 2019),
https://www.fcc.gov/consumers/guides/after-storms-watch-out-scams.
540

First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3258-59, para. 36 (identifying
these standards as ATIS-1000074, ATIS-1000080, and ATIS-1000084).
541

USTelecom and CTIA argue that, because we provide intermediate providers limited exceptions to our requirement
that they transit Identity headers unaltered, we must also provide an exception for originating voice service providers
from our call authentication mandate. See USTelecom Sept. 18 Ex Parte at 7; CTIA Ex Parte at 4. But these
commenters fail to explain why adopting narrowly tailored exceptions for intermediate providers justifies adopting
the far broader exception that they seek. Beyond generalized concerns over network congestion and maintenance,
no commenter provides a specific technical rationale for when originating voice service providers should receive an
exception from our caller ID authentication requirements.
542

47 CFR § 64.6301(a)(2).

75

Federal Communications Commission

FCC 20-136

adopted rule referred to “caller ID authentication information,” inconsistent with other terms in the rules.
The rule as revised provides that a voice service provider shall “authenticate caller identification
information for all SIP calls it originates and that it will exchange with another voice service provider or
intermediate provider and, to the extent technically feasible, transmit that call with authenticated caller
identification information to the next voice service provider or intermediate provider in the call path.”543
We make these revisions without seeking notice and comment pursuant to section 553(b)(3)(B) of the
Administrative Procedure Act, which states that an agency for good cause may dispense with rulemaking
if it finds that notice and comment are “impracticable, unnecessary, or contrary to the public interest.”544
Here, notice and comment are unnecessary because correcting the rule does not have a detrimental effect
on the parties regulated by rule and does not alter the regulatory framework established by the First
Caller ID Authentication Report and Order.
IV.

PROCEDURAL MATTERS

158.
Final Regulatory Flexibility Analysis. As required by the Regulatory Flexibility Act of
1980 (RFA),545 an Initial Regulatory Flexibility Analysis (IRFA) was incorporated into the First Caller ID
Authentication Report and Order and Further Notice.546 The Commission sought written public comment
on the possible significant economic impact on small entities regarding the proposals addressed in the
First Caller ID Authentication Report and Order and Further Notice, including comments on the IRFA.547
Pursuant to the RFA, a Final Regulatory Flexibility Analysis is set forth in Appendix B. The
Commission’s Consumer and Governmental Affairs Bureau, Reference Information Center, will send a
copy of this Second Report and Order, including the FRFA, to the Chief Counsel for Advocacy of the
Small Business Administration (SBA).548
159.
Paperwork Reduction Act. This document contains new or modified information
collection requirements subject to the Paperwork Reduction Act of 1995 (PRA), Public Law 104-13. It
will be submitted to the Office of Management and Budget (OMB) for review under Section 3507(d) of
the PRA. OMB, the general public, and other Federal agencies are invited to comment on the new or
modified information collection requirements contained in this proceeding. In addition, we note that
pursuant to the Small Business Paperwork Relief Act of 2002, Public Law 107-198, we previously sought
comment on how the Commission might further reduce the information collection burden for small
business concerns with fewer than 25 employees.549
160.
Congressional Review Act. The Commission has determined, and the Administrator of
the Office of Information and Regulatory Affairs, Office of Management and Budget, concurs that this
rule is “non-major” under the Congressional Review Act, 5 U.S.C. § 804(2). The Commission will send
a copy of this Second Report and Order to Congress and the Government Accountability Office pursuant
to 5 U.S.C. § 801(a)(1)(A).
161.
Contact person. For further information about this proceeding, please contact
Mason Shefa, FCC Wireline Competition Bureau, Competition Policy Division, 445 12th Street, S.W.,
Washington, D.C., 20554, at (202) 418-2962, or [email protected].

543

See infra Appx. A (emphasis added).

544

5 U.S.C. § 553(b)(3)(B).

545

See 5 U.S.C. § 603.

546

First Caller ID Authentication Report and Order and Further Notice, 35 FCC Rcd at 3314-22, Appx. D.

547

Id. at 3298, para. 134.

548

See 5 U.S.C. § 603(a).

549

See 44 U.S.C. § 3506(c)(4).

76

Federal Communications Commission
V.

FCC 20-136

ORDERING CLAUSES

162.
Accordingly, IT IS ORDERED, pursuant to sections 4(i), 4(j), 227(e), 227b, 251(e), and
303(r), of the Communications Act of 1934, as amended (the Act), 47 U.S.C. §§ 154(i), 154(j), 227(e),
227b, 251(e), and 303(r), that this Second Report and Order IS ADOPTED.
163.
IT IS FURTHER ORDERED that Part 64 of the Commission’s rules IS AMENDED as
set forth in Appendix A, and that any such rule amendments that contain new or modified information
collection requirements that require approval by the Office of Management and Budget under the
Paperwork Reduction Act SHALL BE EFFECTIVE after announcement in the Federal Register of Office
of Management and Budget approval of the rules, and on the effective date announced therein.
164.
IT IS FURTHER ORDERED that, pursuant to sections 1.4(b)(1) and 1.103(a) of the
Commission’s rules, 47 CFR §§ 1.4(b)(1), 1.103(a), this Second Report and Order SHALL BE
EFFECTIVE 30 days after publication in the Federal Register, except for the addition of sections
64.6303(b), 64.6305(b), and 64.6306 to the Commission’s rules that have not been approved by OMB.
The Federal Communications Commission will publish documents in the Federal Register announcing the
effective dates of these provisions.
165.
IT IS FURTHER ORDERED that the Commission SHALL SEND a copy of this Report
and Order to Congress and to the Government Accountability Office pursuant to the Congressional
Review Act, see 5 U.S.C. § 801(a)(1)(A).
166.
IT IS FURTHER ORDERED that the Commission’s Consumer and Governmental
Affairs Bureau, Reference Information Center, SHALL SEND a copy of this Second Report and Order,
including the Final Regulatory Flexibility Analysis (FRFA), to the Chief Counsel for Advocacy of the
Small Business Administration.
FEDERAL COMMUNICATIONS COMMISSION

Marlene H. Dortch
Secretary

77

Federal Communications Commission

FCC 20-136

APPENDIX A
Final Rules
The Federal Communications Commission amends part 64 of Title 47 of the Code of Federal Regulations
as follows:
PART 64 – MISCELLANEOUS RULES RELATING TO COMMON CARRIERS
* * * * *
1. Amend section 64.6300 by redesignating paragraphs (e) through (g) as paragraphs (j) through
(l) and paragraphs (c) and (d) as paragraphs (f) and (h), respectively, and adding new paragraphs (c)
through (e), (g), and (i) to read as follows:”
§ 64.6300 Definitions
* * * * *
(c) Foreign voice service provider. The term “foreign voice service provider” refers to any entity
providing voice service outside the United States that has the ability to originate voice service that
terminates in a point outside that foreign country or terminate voice service that originates from points
outside that foreign country.
(d) Governance Authority. The term “Governance Authority” refers to the Secure Telephone Identity
Governance Authority, the entity that establishes and governs the policies regarding the issuance,
management, and revocation of Service Provider Code (SPC) tokens to intermediate providers and voice
service providers.
(e) Industry traceback consortium. The term “industry traceback consortium” refers to the consortium
that conducts private-led efforts to trace back the origin of suspected unlawful robocalls as selected by the
Commission pursuant to 47 CFR 64.1203.
* * * * *
(g) Robocall Mitigation Database. The term “Robocall Mitigation Database” refers to a database
accessible via the Commission’s website that lists all entities that make filings pursuant to 47 CFR
64.6305(b).
* * * * *
(i) SPC token. The term “SPC token” refers to the Service Provider Code token, an authority token
validly issued to an intermediate provider or voice service provider that allows the provider to
authenticate and verify caller identification information consistent with the STIR/SHAKEN
authentication framework in the United States.
* * * * *
2.

Amend section 64.6301 by revising paragraph (a) to read as follows:

§ 64.6301 Caller ID authentication.
(a) STIR/SHAKEN implementation by voice service providers. Except as provided in 47 CFR 64.6304
and 64.6306, not later than June 30, 2021, a voice service provider shall fully implement the
STIR/SHAKEN authentication framework in its Internet Protocol networks. To fulfill this obligation, a
voice service provider shall:
* * * * *
78

Federal Communications Commission

FCC 20-136

(2) authenticate caller identification information for all SIP calls it originates and that it will
exchange with another voice service provider or intermediate provider and, to the extent
technically feasible, transmit that call with authenticated caller identification information to the
next voice service provider or intermediate provider in the call path; and
* * * * *
3.

Amend Subpart HH by adding sections 64.6302 to 64.6307 to read as follows:

§ 64.6302 Caller ID authentication by intermediate providers.
Not later than June 30, 2021, each intermediate provider shall fully implement the STIR/SHAKEN
authentication framework in its Internet Protocol networks. To fulfill this obligation, an intermediate
provider shall:
(a) pass unaltered to the subsequent intermediate provider or voice service provider in the call path any
authenticated caller identification information it receives with a SIP call, subject to the following
exceptions under which it may remove the authenticated caller identification information:
(1) where necessary for technical reasons to complete the call; or
(2) where the intermediate provider reasonably believes the caller identification
authentication information presents an imminent threat to its network security; and
(b) authenticate caller identification information for all calls it receives for which the caller identification
information has not been authenticated and which it will exchange with another provider as a SIP call,
except that the intermediate provider is excused from such duty to authenticate if it:
(1) cooperatively participates with the industry traceback consortium; and
(2) responds fully and in a timely manner to all traceback requests it receives from the
Commission, law enforcement, and the industry traceback consortium regarding calls for
which it acts as an intermediate provider.
§ 64.6303 Caller ID authentication in non-IP networks.
Except as provided in 47 CFR 64.6304 and 64.6306, not later than June 30, 2021, a voice service provider
shall either:
(a) upgrade its entire network to allow for the initiation, maintenance, and termination of SIP calls and
fully implement the STIR/SHAKEN framework as required in 47 CFR 64.6301 throughout its network;
or
(b) maintain and be ready to provide the Commission on request with documented proof that it is
participating, either on its own or through a representative, including third party representatives, as a
member of a working group, industry standards group, or consortium that is working to develop a nonInternet Protocol caller identification authentication solution, or actively testing such a solution.
§ 64.6304 Extension of implementation deadline.
(a) Small voice service providers.
(1) Small voice service providers are exempt from the requirements of 47 CFR 64.6301
through June 30, 2023.
79

Federal Communications Commission

FCC 20-136

(2) For purposes of this paragraph (a), “small voice service provider” means a provider that
has 100,000 or fewer voice service subscriber lines (counting the total of all business and
residential fixed subscriber lines and mobile phones and aggregated over all of the provider’s
affiliates).
(b) Voice service providers that cannot obtain a SPC token. Voice service providers that are incapable of
obtaining a SPC token due to Governance Authority policy are exempt from the requirements of 47
CFR 64.6301 until they are capable of obtaining a SPC token.
(c) Services scheduled for section 214 discontinuance. Services which are subject to a pending
application for permanent discontinuance of service filed as of June 30, 2021, pursuant to the processes
established in 47 CFR 63.60 through 63.100, as applicable, are exempt from the requirements of 47 CFR
64.6301 through June 30, 2022.
(d) Non-IP networks. Those portions of a voice service provider’s network that rely on technology that
cannot initiate, maintain, and terminate SIP calls are deemed subject to a continuing extension. A voice
service provider subject to the foregoing extension shall comply with the requirements of 47 CFR
64.6303 as to the portion of its network subject to the extension.
(e) Provider-specific extensions. The Wireline Competition Bureau may extend the deadline for
compliance with 47 CFR 64.6301 for voice service providers that file individual petitions for extensions
by November 20, 2020. The Bureau shall seek comment on any such petitions and issue an order
determining whether to grant the voice service provider an extension no later than March 30, 2021.
(f) Annual reevaluation of granted extensions. The Wireline Competition Bureau shall, in conjunction
with an assessment of burdens and barriers to implementation of caller identification authentication
technology, annually review the scope of all previously granted extensions and, after issuing a Public
Notice seeking comment, may extend or decline to extend each such extension, and may decrease the
scope of entities subject to a further extension.
§ 64.6305 Robocall mitigation and certification.
(a) Robocall mitigation program requirements.
(1) Any voice service provider subject to an extension granted under 47 CFR 64.6304 that
has not fully implemented the STIR/SHAKEN authentication framework on its entire
network shall implement an appropriate robocall mitigation program as to those portions of
its network on which it has not implemented the STIR/SHAKEN authentication framework.
(2) Any robocall mitigation program implemented pursuant to paragraph (a)(1) of this section
shall include reasonable steps to avoid originating illegal robocall traffic and shall include a
commitment to respond fully and in a timely manner to all traceback requests from the
Commission, law enforcement, and the industry traceback consortium, and to cooperate with
such entities in investigating and stopping any illegal robocallers that use its service to
originate calls.
(b) Certification and database.
(1) Not later than the date established in a document released by the Wireline Competition
Bureau establishing the Robocall Mitigation Database and portal (amending this paragraph
(b)), a voice service provider, regardless of whether it is subject to an extension granted under
47 CFR 64.6304, shall certify to one of the following:
80

Federal Communications Commission

FCC 20-136

(i) it has fully implemented the STIR/SHAKEN authentication framework across
its entire network and all calls it originates are compliant with 47 CFR
64.6301(a)(1)-(2);
(ii) it has implemented the STIR/SHAKEN authentication framework on a
portion of its network and calls it originates on that portion of its network are
compliant with paragraphs 47 CFR 64.6301 (a)(1)-(2), and the remainder of the
calls that originate on its network are subject to a robocall mitigation program
consistent with paragraph (a); or
(iii) it has not implemented the STIR/SHAKEN authentication framework on any
portion of its network, and all of the calls that originate on its network are subject
to a robocall mitigation program consistent with paragraph (a).
(2) A voice service provider that certifies that some or all of the calls that originate on its
network are subject to a robocall mitigation program consistent with paragraph (a) shall
include the following information in its certification:
(i) identification of the type of extension or extensions the voice service provider
received under 47 CFR 64.6304, if the voice service provider is not a foreign
voice service provider;
(ii) the specific reasonable steps the voice service provider has taken to avoid
originating illegal robocall traffic as part of its robocall mitigation program; and
(iii) a statement of the voice service provider’s commitment to respond fully and
in a timely manner to all traceback requests from the Commission, law
enforcement, and the industry traceback consortium, and to cooperate with such
entities in investigating and stopping any illegal robocallers that use its service to
originate calls.
(3) All certifications made pursuant to paragraph (b)(1)-(2) shall:
(i) be filed in the appropriate portal on the Commission’s website; and
(ii) be signed by an officer in conformity with 47 CFR 1.16.
(4) A voice service provider filing a certification shall submit the following information in
the appropriate portal on the Commission’s website.
(i) the voice service provider’s business name(s) and primary address;
(ii) other business names in use by the voice service provider;
(iii) all business names previously used by the voice service provider;
(iv) whether the voice service provider is a foreign voice service provider; and
(v) the name, title, department, business address, telephone number, and email
address of one person within the company responsible for addressing robocall
mitigation-related issues.
81

Federal Communications Commission

FCC 20-136

(5) A voice service provider shall update its filings within 10 business days of any change to
the information it must provide pursuant to paragraphs (b)(2)-(4) of this section.
(c) Intermediate provider and voice service provider obligations. Beginning ninety days after the
deadline for certifications filed pursuant to paragraph (b) of this section, intermediate providers and voice
service providers shall only accept calls directly from a voice service provider, including a foreign voice
service provider that uses North American Numbering Plan resources that pertain to the United States to
send voice traffic to residential or business subscribers in the United States, if that voice service
provider’s filing appears in the Robocall Mitigation Database in accordance with paragraph (b) of this
section.
§ 64.6306 Exemption.
(a) Exemption for IP networks. A voice service provider may seek an exemption from the requirements
of 47 CFR 64.6301 by certifying on or before December 1, 2020, that, for those portions of its network
served by technology that allows for the transmission of SIP calls, it:
(1) has adopted the STIR/SHAKEN authentication framework for calls on the Internet
Protocol networks of the voice service provider, by completing the network preparations
necessary to deploy the STIR/SHAKEN protocols on its network including but not limited to
participation in test beds and lab testing, or completion of commensurate network
adjustments to enable the authentication and validation of calls on its network consistent with
the STIR/SHAKEN framework;
(2) has agreed voluntarily to participate with other voice service providers in the
STIR/SHAKEN authentication framework, as demonstrated by completing formal
registration (including payment) and testing with the STI Policy Administrator;
(3) has begun to implement the STIR/SHAKEN authentication framework by completing the
necessary network upgrades to at least one network element—e.g., a single switch or session
border controller—to enable the authentication and verification of caller identification
information consistent with the STIR/SHAKEN standards; and
(4) will be capable of fully implementing the STIR/SHAKEN authentication framework not
later than June 30, 2021, which it may only determine if it reasonably foresees that it will
have completed all necessary network upgrades to its network infrastructure to enable the
authentication and verification of caller identification information for all SIP calls exchanged
with STIR/SHAKEN-enabled partners by June 30, 2021.
(b) Exemption for non-IP networks. A voice service provider may seek an exemption from the
requirement to upgrade its network to allow for the initiation, maintenance, and termination of SIP calls
and fully implement the STIR/SHAKEN framework as required by 47 CFR 64.6301 throughout its
network by June 30, 2021, and from associated recordkeeping and reporting requirements, by certifying
on or before December 1, 2020, that, for those portions of its network that do not allow for the
transmission of SIP calls, it:
(1) has taken reasonable measures to implement an effective call authentication framework
by either:
(i) upgrading its entire network to allow for the initiation, maintenance, and
termination of SIP calls, and fully implementing the STIR/SHAKEN framework
as required in 47 CFR 64.6301 throughout its network; or
82

Federal Communications Commission

FCC 20-136

(ii) maintaining and being ready to provide the Commission on request with
documented proof that it is participating, either on its own or through a
representative, including third party representatives, as a member of a working
group, industry standards group, or consortium that is working to develop a nonInternet Protocol caller identification authentication solution, or actively testing
such a solution; and
(2) will be capable of fully implementing an effective call authentication framework not later
than June 30, 2021, because it reasonably foresees that it will have completed all necessary
network upgrades to its network infrastructure to enable the authentication and verification of
caller identification information for all non-Internet Protocol calls originating or terminating
on its network as provided by a standardized caller identification authentication framework
for non-Internet Protocol networks by June 30, 2021.
(c) Certification submission procedures. All certifications that a voice service provider is eligible for
exemption shall be:
(1) filed in the Commission’s Electronic Comment Filing System (ECFS) in WC Docket No.
20-68, Exemption from Caller ID Authentication Requirements, no later than December 1,
2020;
(2) signed by an officer in conformity with 47 CFR 1.16; and
(3) accompanied by detailed support as to the assertions in the certification.
(d) Determination timing. The Wireline Competition Bureau shall determine whether to grant or deny
timely requests for exemption on or before December 30, 2020.
(e) Implementation verification. All voice service providers granted an exemption under paragraphs (a)
and (b) of this section shall file an additional certification consistent with the requirements of paragraph
(c) of this section above on or before a date specified in a document issued by the Wireline Competition
Bureau (amending this paragraph (e)) that attests to whether the voice service provider fully implemented
the STIR/SHAKEN authentication framework because it completed all necessary network upgrades to its
network infrastructure to enable the authentication and verification of caller identification information for
all SIP calls exchanged with STIR/SHAKEN-enabled partners by June 30, 2021. The Wireline
Competition Bureau, after issuing a Public Notice seeking comment on the certifications, will, not later
than four months after the deadline for filing of the certifications, issue a Public Notice identifying which
voice service providers achieved complete implementation of the STIR/SHAKEN authentication
framework.
(1) If a voice service provider cannot certify to full implementation upon the filing of this
second certification, but demonstrates to the Wireline Competition Bureau that (1) it filed its
initial certification in good faith—i.e., with a reasonable expectation that it would be able to
achieve full implementation as initially certified—and (2) it made a good faith effort to
complete implementation, the consequence for such a shortcoming is the loss of the
exemption and the application of the implementation requirements of 47 CFR 64.6301 and
64.6303, effective immediately upon release by the Wireline Competition Bureau of the
Public Notice identifying which voice service providers achieved full implementation of the
STIR/SHAKEN authentication framework.
(2) If a voice service provider cannot certify to full implementation upon the filing of this
second certification, and the Wireline Competition Bureau finds that the voice service
provider filed its initial certification in bad faith or failed to make a good faith effort to
83

Federal Communications Commission

FCC 20-136

complete implementation, then (A) the voice service provider is required to fully implement
the STIR/SHAKEN authentication framework immediately upon release by the Wireline
Competition Bureau of the Public Notice identifying which voice service providers achieved
full implementation of the STIR/SHAKEN authentication framework and (B) the Wireline
Competition Bureau shall refer the voice service provider to the Enforcement Bureau for
possible enforcement action based on filing a false initial certification.
§ 64.6307 Line item charges.
Providers of voice service are prohibited from adding any additional line item charges to consumer or
small business customer subscribers for the effective call authentication technology required by 47 CFR
64.6301 and 64.6303.
(a) For purposes of this section, “consumer subscribers” means residential mass-market subscribers.
(b) For purposes of this section, “small business customer subscribers” means subscribers that are
business entities that meet the size standards established in 13 CFR Part 121, subpart A.

84

Federal Communications Commission

FCC 20-136

APPENDIX B
Final Regulatory Flexibility Analysis
1.
As required by the Regulatory Flexibility Act of 1980, as amended (RFA),1 an Initial
Regulatory Flexibility Analysis (IRFA) was incorporated into the First Caller ID Authentication Report
and Order and Further Notice, released March 2020.2 The Commission sought written public comment
on the proposals in the Further Notice, including comment on the IRFA. No comments were filed
addressing the IRFA. This present Final Regulatory Flexibility Analysis (FRFA) conforms to the RFA.3
A.

Need for, and Objectives of, the Rules

2.
In this Second Report and Order (Order), we continue the Commission’s efforts to
combat illegal spoofed robocalls. Specifically, the Order implements the provisions of section 4 of the
Pallone-Thune Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act as
follows: requiring providers to take “reasonable measures” to implement an effective caller ID
authentication framework in their non-IP networks by either completely upgrading non-IP networks to IP
or by actively working to develop a non-IP authentication solution;4 granting extensions of varying
lengths from implementation of caller ID authentication for (1) small, including small rural, voice service
providers; (2) voice service providers that cannot obtain a certificate due to the Governance Authority’s
token access policy until such provider is able to obtain a certificate; (3) services scheduled for section
214 discontinuance; and (4) as required by the TRACED Act, an extension for the parts of a voice service
provider’s network that rely on technology that cannot initiate, maintain, and terminate SIP calls until a
solution for such calls is reasonably available;5 granting an exemption from our implementation mandate
for providers which have certified that they have reached certain implementation goals;6 and prohibiting
providers from imposing additional line item charges on consumer and small business subscribers for
caller ID authentication technology.7 The Order also adopts rules requiring intermediate providers to (1)
pass any Identity header that they receive to the terminating voice service provider or subsequent
intermediate provider in the call path; and (2) either (i) authenticate the caller ID information of a call that
it receives with unauthenticated caller ID information that it will exchange with another intermediate
provider or terminating voice service provider as a SIP call, or (ii) cooperatively participate with the
Commission-selected consortium to conduct traceback efforts.8 These rules will help promote effective
caller ID authentication and fulfill our obligations under the TRACED Act.
B.

Summary of Significant Issues Raised by Public Comments in Response to the IRFA

3.
There were no comments filed that specifically addressed the proposed rules and policies
presented in the IRFA.
C.

Response to Comments by the Chief Counsel for Advocacy of the SBA

See 5 U.S.C. § 603. The RFA, see 5 U.S.C. §§ 601-612, has been amended by the Small Business Regulatory
Enforcement Fairness Act of 1996 (SBREFA), Pub. L. No. 104-121, Title II, 110 Stat. 847 (1996).
1

See Call Authentication Trust Anchor; Implementation of TRACED Act Section 6(a) — Knowledge of Customers
by Entities with Access to Numbering Resources, WC Docket Nos. 17-97, 20-67, Report and Order and Further
Notice of Proposed Rulemaking, 35 FCC Rcd 3241 (2020) (First Caller ID Authentication Report and Order and
Further Notice).
2

3

See 5 U.S.C. § 604.

4

See supra Section III.B.

5

See supra Section III.C.

6

See supra Section III.D.

7

See supra Section III.E.

8

See supra Section III.F.

85

Federal Communications Commission

FCC 20-136

4.
Pursuant to the Small Business Jobs Act of 2010, which amended the RFA, the
Commission is required to respond to any comments filed by the Chief Counsel for Advocacy of the
Small Business Administration (SBA), and to provide a detailed statement of any change made to the
proposed rules as a result of those comments.9
5.
proceeding.
D.

The Chief Counsel did not file any comments in response to the proposed rules in this
Description and Estimate of the Number of Small Entities to Which the Rules Will
Apply

6.
The RFA directs agencies to provide a description and, where feasible, an estimate of the
number of small entities that may be affected by the final rules adopted pursuant to the Order.10 The RFA
generally defines the term “small entity” as having the same meaning as the terms “small business,”
“small organization,” and “small governmental jurisdiction.”11 In addition, the term “small business” has
the same meaning as the term “small-business concern” under the Small Business Act.12 A “smallbusiness concern” is one which: (1) is independently owned and operated; (2) is not dominant in its field
of operation; and (3) satisfies any additional criteria established by the SBA.13
1.

Wireline Carriers

7.
Wired Telecommunications Carriers. The U.S. Census Bureau defines this industry as
“establishments primarily engaged in operating and/or providing access to transmission facilities and
infrastructure that they own and/or lease for the transmission of voice, data, text, sound, and video using
wired communications networks. Transmission facilities may be based on a single technology or a
combination of technologies. Establishments in this industry use the wired telecommunications network
facilities that they operate to provide a variety of services, such as wired telephony services, including
VoIP services, wired (cable) audio and video programming distribution, and wired broadband internet
services. By exception, establishments providing satellite television distribution services using facilities
and infrastructure that they operate are included in this industry.”14 The SBA has developed a small
business size standard for Wired Telecommunications Carriers, which consists of all such companies
having 1,500 or fewer employees.15 U.S. Census Bureau data for 2012 show that there were 3,117 firms

9

5 U.S.C. § 604(a)(3).

10

See 5 U.S.C. § 604(a)(4).

11

See 5 U.S.C. § 601(6).

See 5 U.S.C. § 601(3) (incorporating by reference the definition of “small-business concern” in the Small
Business Act, 15 U.S.C. § 632). Pursuant to 5 U.S.C. § 601(3), the statutory definition of a small business applies
“unless an agency, after consultation with the Office of Advocacy of the Small Business Administration and after
opportunity for public comment, establishes one or more definitions of such term which are appropriate to the
activities of the agency and publishes such definition(s) in the Federal Register.”
12

13

See 15 U.S.C. § 632.

See U.S. Census Bureau, 2017 NAICS Definition, “517311 Wired Telecommunications Carriers”,
https://www.census.gov/cgi-bin/sssd/naics/naicsrch?code=517311&search=2017.
14

15

See 13 CFR § 121.201, NAICS Code 517311 (previously 517110).

86

Federal Communications Commission

FCC 20-136

that operated that year.16 Of this total, 3,083 operated with fewer than 1,000 employees.17 Thus, under
this size standard, the majority of firms in this industry can be considered small.
8.
Local Exchange Carriers (LECs). Neither the Commission nor the SBA has developed a
size standard for small businesses specifically applicable to local exchange services. The closest
applicable NAICS Code category is Wired Telecommunications Carriers.18 Under the applicable SBA
size standard, such a business is small if it has 1,500 or fewer employees.19 U.S. Census Bureau data for
2012 show that there were 3,117 firms that operated for the entire year.20 Of that total, 3,083 operated
with fewer than 1,000 employees.21 Thus under this category and the associated size standard, the
Commission estimates that the majority of local exchange carriers are small entities.
9.
Incumbent Local Exchange Carriers (incumbent LECs). Neither the Commission nor the
SBA has developed a small business size standard specifically for incumbent local exchange services.
The closest applicable NAICS Code category is Wired Telecommunications Carriers.22 Under the
applicable SBA size standard, such a business is small if it has 1,500 or fewer employees.23 U.S. Census
Bureau data for 2012 indicate that 3,117 firms operated the entire year.24 Of this total, 3,083 operated
with fewer than 1,000 employees.25 Consequently, the Commission estimates that most providers of
incumbent local exchange service are small businesses that may be affected by our actions. According to
Commission data, one thousand three hundred and seven (1,307) Incumbent Local Exchange Carriers
reported that they were incumbent local exchange service providers.26 Of this total, an estimated 1,006
have 1,500 or fewer employees.27 Thus, using the SBA’s size standard the majority of incumbent LECs
can be considered small entities.
See U.S. Census Bureau, 2012 Economic Census of the United States, Table ID: EC1251SSSZ5, Information:
Subject Series - Estab & Firm Size: Employment Size of Firms for the U.S.: 2012, NAICS Code 517110,
https://data.census.gov/cedsci/table?text=EC1251SSSZ5&n=517110&tid=ECNSIZE2012.EC1251SSSZ5&hidePrev
iew=false.
16

Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that
meet the SBA size standard.
17

See U.S. Census Bureau, 2017 NAICS Definition, “517311 Wired Telecommunications Carriers”,
https://www.census.gov/cgi-bin/sssd/naics/naicsrch?code=517311&search=2017.
18

19

See 13 CFR § 121.201, NAICS Code 517311 (previously 517110).

See U.S. Census Bureau, 2012 Economic Census of the United States, Table ID: EC1251SSSZ5, Information:
Subject Series - Estab & Firm Size: Employment Size of Firms for the U.S.: 2012, NAICS Code 517110,
https://data.census.gov/cedsci/table?text=EC1251SSSZ5&n=517110&tid=ECNSIZE2012.EC1251SSSZ5&hidePrev
iew=false.
20

Id. The largest category provided by the census data is “1000 employees or more” and a more precise estimate for
firms with fewer than 1,500 employees is not provided.
21

See U.S. Census Bureau, 2017 NAICS Definition, “517311 Wired Telecommunications Carriers”,
https://www.census.gov/cgi-bin/sssd/naics/naicsrch?code=517311&search=2017.
22

23

See 13 CFR § 121.201, NAICS Code 517311 (previously 517110).

See U.S. Census Bureau, 2012 Economic Census of the United States, Table ID: EC1251SSSZ5, Information:
Subject Series - Estab & Firm Size: Employment Size of Firms for the U.S.: 2012, NAICS Code 517110,
https://data.census.gov/cedsci/table?text=EC1251SSSZ5&n=517110&tid=ECNSIZE2012.EC1251SSSZ5&hidePrev
iew=false.
24

Id. The largest category provided by U.S. Census Bureau data is “1000 employees or more” and a more precise
estimate for firms with fewer than 1,500 employees is not provided.
25

See Trends in Telephone Service, Federal Communications Commission, Wireline Competition Bureau, Industry
Analysis and Technology Division at Table 5.3 (Sept. 2010) (Trends in Telephone Service).
26

27

Id.

87

Federal Communications Commission

FCC 20-136

10.
Competitive Local Exchange Carriers (Competitive LECs), Competitive Access Providers
(CAPs), Shared-Tenant Service Providers, and Other Local Service Providers. Neither the Commission
nor the SBA has developed a small business size standard specifically for these service providers. The
appropriate NAICS Code category is Wired Telecommunications Carriers28 and under that size standard,
such a business is small if it has 1,500 or fewer employees.29 U.S. Census Bureau data for 2012 indicate
that 3,117 firms operated during that year.30 Of that number, 3,083 operated with fewer than 1,000
employees.31 Based on these data, the Commission concludes that the majority of Competitive LECS,
CAPs, Shared-Tenant Service Providers, and Other Local Service Providers, are small entities.
According to Commission data, 1,442 carriers reported that they were engaged in the provision of either
competitive local exchange services or competitive access provider services.32 Of these 1,442 carriers, an
estimated 1,256 have 1,500 or fewer employees.33 In addition, 17 carriers have reported that they are
Shared-Tenant Service Providers, and all 17 are estimated to have 1,500 or fewer employees.34 Also, 72
carriers have reported that they are Other Local Service Providers.35 Of this total, 70 have 1,500 or fewer
employees.36 Consequently, based on internally researched FCC data, the Commission estimates that
most providers of competitive local exchange service, competitive access providers, Shared-Tenant
Service Providers, and Other Local Service Providers are small entities.
11.
We have included small incumbent LECs in this present RFA analysis. As noted above,
a “small business” under the RFA is one that, inter alia, meets the pertinent small-business size standard
(e.g., a telephone communications business having 1,500 or fewer employees) and “is not dominant in its
field of operation.”37 The SBA’s Office of Advocacy contends that, for RFA purposes, small incumbent
LECs are not dominant in their field of operation because any such dominance is not “national” in
scope.38 We have therefore included small incumbent LECs in this RFA analysis, although we emphasize
that this RFA action has no effect on Commission analyses and determinations in other, non-RFA
contexts.
12.
Interexchange Carriers (IXCs). Neither the Commission nor the SBA has developed a
small business size standard specifically for Interexchange Carriers. The closest applicable NAICS Code
See U.S. Census Bureau, 2017 NAICS Definition, “517311 Wired Telecommunications Carriers”,
https://www.census.gov/cgi-bin/sssd/naics/naicsrch?code=517311&search=2017.
28

29

See 13 CFR § 121.201, NAICS Code 517311 (previously 517110).

See U.S. Census Bureau, 2012 Economic Census of the United States, Table ID: EC1251SSSZ5, Information:
Subject Series - Estab & Firm Size: Employment Size of Firms for the U.S.: 2012, NAICS Code 517110,
https://data.census.gov/cedsci/table?text=EC1251SSSZ5&n=517110&tid=ECNSIZE2012.EC1251SSSZ5&hidePrev
iew=false.
30

Id. The largest category provided by U.S. Census Bureau data is “1000 employees or more” and a more precise
estimate for firms with fewer than 1,500 employees is not provided.
31

See Federal Communications Commission, Wireline Competition Bureau, Industry Analysis and Technology
Division, Trends in Telephone Service at Table 5.3 (Sept. 2010) (Trends in Telephone Service),
https://apps.fcc.gov/edocs_public/attachmatch/DOC-301823A1.pdf.
32

33

Id.

34

Id.

35

Id.

36

Id.

37

5 U.S.C. § 601(3).

Letter from Jere W. Glover, Chief Counsel for Advocacy, SBA, to William E. Kennard, Chairman, FCC (filed
May 27, 1999). The Small Business Act contains a definition of “small business concern,” which the RFA
incorporates into its own definition of “small business.” 15 U.S.C. § 632(a); 5 U.S.C. § 601(3). SBA regulations
interpret “small business concern” to include the concept of dominance on a national basis. 13 CFR § 121.102(b).
38

88

Federal Communications Commission

FCC 20-136

category is Wired Telecommunications Carriers.39 The applicable size standard under SBA rules is that
such a business is small if it has 1,500 or fewer employees.40 U.S. Census Bureau data for 2012 indicate
that 3,117 firms operated for the entire year.41 Of that number, 3,083 operated with fewer than 1,000
employees.42 According to internally developed Commission data, 359 companies reported that their
primary telecommunications service activity was the provision of interexchange services.43 Of this total,
an estimated 317 have 1,500 or fewer employees.44 Consequently, the Commission estimates that the
majority of interexchange service providers are small entities.
13.
Cable System Operators (Telecom Act Standard). The Communications Act of 1934, as
amended, also contains a size standard for small cable system operators, which is “a cable operator that,
directly or through an affiliate, serves in the aggregate fewer than one percent of all subscribers in the
United States and is not affiliated with any entity or entities whose gross annual revenues in the aggregate
exceed $250,000,000.”45 As of 2019, there were approximately 48,646,056 basic cable video subscribers
in the United States.46 Accordingly, an operator serving fewer than 486,460 subscribers shall be deemed
a small operator if its annual revenues, when combined with the total annual revenues of all its affiliates,
do not exceed $250 million in the aggregate.47 Based on available data, we find that all but five cable
operators are small entities under this size standard.48 We note that the Commission neither requests nor
collects information on whether cable system operators are affiliated with entities whose gross annual
revenues exceed $250 million.49 Therefore, we are unable at this time to estimate with greater precision
the number of cable system operators that would qualify as small cable operators under the definition in
the Communications Act.
2.
14.

Wireless Carriers

Wireless Telecommunications Carriers (except Satellite). This industry comprises

See U.S. Census Bureau, 2017 NAICS Definition, “517311 Wired Telecommunications Carriers”,
https://www.census.gov/cgi-bin/sssd/naics/naicsrch?code=517311&search=2017.
39

40

See 13 CFR § 121.201, NAICS Code 517311 (previously 517110).

See U.S. Census Bureau, 2012 Economic Census of the United States, Table ID: EC1251SSSZ5, Information:
Subject Series - Estab & Firm Size: Employment Size of Firms for the U.S.: 2012, NAICS Code 517110,
https://data.census.gov/cedsci/table?text=EC1251SSSZ5&n=517110&tid=ECNSIZE2012.EC1251SSSZ5&hidePrev
iew=false.
41

Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that
meet the SBA size standard.
42

See Trends in Telephone Service, Federal Communications Commission, Wireline Competition Bureau, Industry
Analysis and Technology Division at Table 5.3 (Sept. 2010) (Trends in Telephone Service).
https://apps.fcc.gov/edocs_public/attachmatch/DOC-301823A1.pdf.
43

44

Id.

45

47 U.S.C. § 543(m)(2); see 47 CFR § 76.901(f) & nn.1–3.

S&P Global Market Intelligence, U.S. Cable Subscriber Highlights, Basic Subscribers(actual) 2019, U.S. Cable
MSO Industry Total, see also U.S. Multichannel Industry Benchmarks, U.S. Cable Industry Benchmarks, Basic
Subscribers 2019Y, https://platform.marketintelligence.spglobal.com.
46

47

47 CFR § 76.901(f) and notes ff. 1, 2, and 3.

S&P Global Market Intelligence, Top Cable MSOs as of 12/2019,
https://platform.marketintelligence.spglobal.com. The five cable operators all had more than 486,460 basic cable
subscribers.
48

The Commission does receive such information on a case-by-case basis if a cable operator appeals a local
franchise authority’s finding that the operator does not qualify as a small cable operator pursuant to § 76.901(f) of
the Commission’s rules. See 47 CFR § 76.909(b).
49

89

Federal Communications Commission

FCC 20-136

establishments engaged in operating and maintaining switching and transmission facilities to provide
communications via the airwaves. Establishments in this industry have spectrum licenses and provide
services using that spectrum, such as cellular services, paging services, wireless internet access, and
wireless video services.50 The appropriate size standard under SBA rules is that such a business is small
if it has 1,500 or fewer employees.51 For this industry, U.S. Census Bureau data for 2012 show that there
were 967 firms that operated for the entire year.52 Of this total, 955 firms employed fewer than 1,000
employees and 12 firms employed of 1000 employees or more.53 Thus under this category and the
associated size standard, the Commission estimates that the majority of Wireless Telecommunications
Carriers (except Satellite) are small entities.
15.
The Commission’s own data—available in its Universal Licensing System—indicate that,
as of August 31, 2018 there are 265 Cellular licensees that will be affected by our actions.54 The
Commission does not know how many of these licensees are small, as the Commission does not collect
that information for these types of entities. Similarly, according to internally developed Commission data,
413 carriers reported that they were engaged in the provision of wireless telephony, including cellular
service, Personal Communications Service (PCS), and Specialized Mobile Radio (SMR) Telephony
services.55 Of this total, an estimated 261 have 1,500 or fewer employees, and 152 have more than 1,500
employees.56 Thus, using available data, we estimate that the majority of wireless firms can be
considered small.
16.
Satellite Telecommunications. This category comprises firms “primarily engaged in
providing telecommunications services to other establishments in the telecommunications and
broadcasting industries by forwarding and receiving communications signals via a system of satellites or
reselling satellite telecommunications.”57 Satellite telecommunications service providers include satellite
and earth station operators. The category has a small business size standard of $35 million or less in
average annual receipts, under SBA rules.58 For this category, U.S. Census Bureau data for 2012 show

See U.S. Census Bureau, 2017 NAICS Definition, “517312 Wireless Telecommunications Carriers (except
Satellite)”, https://www.census.gov/cgibin/sssd/naics/naicsrch?input=517312&search=2017+NAICS+Search&search=2017.
50

51

See 13 CFR § 121.201, NAICS Code 517312 (previously 517210).

See U.S. Census Bureau, 2012 Economic Census of the United States, Table ID: EC1251SSSZ5, Information:
Subject Series: Estab and Firm Size: Employment Size of Firms for the U.S.: 2012, NAICS Code 517210,
https://data.census.gov/cedsci/table?text=EC1251SSSZ5&n=517210&tid=ECNSIZE2012.EC1251SSSZ5&hidePrev
iew=false&vintage=2012.
52

Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that
meet the SBA size standard.
53

See http://wireless.fcc.gov/uls. For the purposes of this FRFA, consistent with Commission practice for wireless
services, the Commission estimates the number of licensees based on the number of unique FCC Registration
Numbers.
54

See Federal Communications Commission, Wireline Competition Bureau, Industry Analysis and Technology
Division, Trends in Telephone Service at Table 5.3 (Sept. 2010) (Trends in Telephone Service),
https://apps.fcc.gov/edocs_public/attachmatch/DOC-301823A1.pdf.
55

56

See id.

See U.S. Census Bureau, 2017 NAICS Definition, “517410 Satellite Telecommunications”,
https://www.census.gov/cgi-bin/sssd/naics/naicsrch?input=517410&search=2017+NAICS+Search&search=2017.
57

58

See 13 CFR § 121.201, NAICS Code 517410.

90

Federal Communications Commission

FCC 20-136

that there were a total of 333 firms that operated for the entire year.59 Of this total, 299 firms had annual
receipts of less than $25 million.60 Consequently, we estimate that the majority of satellite
telecommunications providers are small entities.
3.

Resellers

17.
Local Resellers. The SBA has not developed a small business size standard specifically
for Local Resellers. The SBA category of Telecommunications Resellers is the closest NAICs code
category for local resellers. The Telecommunications Resellers industry comprises establishments
engaged in purchasing access and network capacity from owners and operators of telecommunications
networks and reselling wired and wireless telecommunications services (except satellite) to businesses
and households. Establishments in this industry resell telecommunications; they do not operate
transmission facilities and infrastructure. Mobile virtual network operators (MVNOs) are included in this
industry.61 Under the SBA’s size standard, such a business is small if it has 1,500 or fewer employees.62
U.S. Census Bureau data from 2012 show that 1,341 firms provided resale services during that year.63 Of
that number, all operated with fewer than 1,000 employees.64 Thus, under this category and the
associated small business size standard, the majority of these resellers can be considered small entities.
According to Commission data, 213 carriers have reported that they are engaged in the provision of local
resale services.65 Of these, an estimated 211 have 1,500 or fewer employees and two have more than
1,500 employees.66 Consequently, the Commission estimates that the majority of local resellers are small
entities.
18.
Toll Resellers. The Commission has not developed a definition for Toll Resellers. The
closest NAICS Code Category is Telecommunications Resellers. The Telecommunications Resellers
industry comprises establishments engaged in purchasing access and network capacity from owners and
operators of telecommunications networks and reselling wired and wireless telecommunications services
(except satellite) to businesses and households. Establishments in this industry resell
telecommunications; they do not operate transmission facilities and infrastructure. MVNOs are included
in this industry.67 The SBA has developed a small business size standard for the category of
See U.S. Census Bureau, 2012 Economic Census of the United States, Table ID: EC1251SSSZ4, Information:
Subject Series - Estab and Firm Size: Receipts Size of Firms for the U.S.: 2012, NAICS Code 517410,
https://data.census.gov/cedsci/table?text=EC1251SSSZ4&n=517410&tid=ECNSIZE2012.EC1251SSSZ4&hidePrev
iew=false&vintage=2012.
59

Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that
meet the SBA size standard.
60

See U.S. Census Bureau, 2017 NAICS Definition, “517911 Telecommunications Resellers”,
https://www.census.gov/cgi-bin/sssd/naics/naicsrch?code=517911&search=2017%20NAICS%20Search.
61

62

See 13 CFR § 121.201, NAICS Code 517911.

See U.S. Census Bureau, 2012 Economic Census of the United States, Table ID: EC1251SSSZ5, Information:
Subject Series - Estab & Firm Size: Employment Size of Firms for the U.S.: 2012, NAICS Code 517911,
https://data.census.gov/cedsci/table?text=EC1251SSSZ5&n=517911&tid=ECNSIZE2012.EC1251SSSZ5&hidePrev
iew=false.
63

Id. Available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that have
employment of 1,500 or fewer employees. The largest category provided is for firms with “1000 employees or
more.”
64

See Trends in Telephone Service, Federal Communications Commission, Wireline Competition Bureau, Industry
Analysis and Technology Division at Table 5.3 (Sept. 2010) (Trends in Telephone Service).
65

66

See id.

See U.S. Census Bureau, 2017 NAICS Definition, “517911 Telecommunications Resellers”,,
https://www.census.gov/cgi-bin/sssd/naics/naicsrch?code=517911&search=2017%20NAICS%20Search.
67

91

Federal Communications Commission

FCC 20-136

Telecommunications Resellers.68 Under that size standard, such a business is small if it has 1,500 or
fewer employees.69 2012 U.S. Census Bureau data show that 1,341 firms provided resale services during
that year.70 Of that number, 1,341 operated with fewer than 1,000 employees.71 Thus, under this category
and the associated small business size standard, the majority of these resellers can be considered small
entities. According to Commission data, 881 carriers have reported that they are engaged in the provision
of toll resale services.72 Of this total, an estimated 857 have 1,500 or fewer employees.73 Consequently,
the Commission estimates that the majority of toll resellers are small entities.
19.
Prepaid Calling Card Providers. Neither the Commission nor the SBA has developed a
small business definition specifically for prepaid calling card providers. The most appropriate NAICS
code-based category for defining prepaid calling card providers is Telecommunications Resellers.74 This
industry comprises establishments engaged in purchasing access and network capacity from owners and
operators of telecommunications networks and reselling wired and wireless telecommunications services
(except satellite) to businesses and households. Establishments in this industry resell
telecommunications; they do not operate transmission facilities and infrastructure. Mobile virtual
networks operators (MVNOs) are included in this industry.75 Under the applicable SBA size standard,
such a business is small if it has 1,500 or fewer employees.76 U.S. Census Bureau data for 2012 show that
1,341 firms provided resale services during that year.77 Of that number, 1,341 operated with fewer than
1,000 employees.78 Thus, under this category and the associated small business size standard, the
majority of these prepaid calling card providers can be considered small entities. According to the
Commission's Form 499 Filer Database, 86 active companies reported that they were engaged in the
provision of prepaid calling cards.79 The Commission does not have data regarding how many of these
companies have 1,500 or fewer employees, however, the Commission estimates that the majority of the
68

See 13 CFR § 121.201, NAICS Code 517911.

69

Id.

See U.S. Census Bureau, 2012 Economic Census of the United States, Table ID: EC1251SSSZ5, Information:
Subject Series - Estab & Firm Size: Employment Size of Firms for the U.S.: 2012, NAICS Code 517911,
https://data.census.gov/cedsci/table?text=EC1251SSSZ5&n=517911&tid=ECNSIZE2012.EC1251SSSZ5&hidePrev
iew=false..
70

Id. Available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that have
employment of 1,500 or fewer employees. The largest category provided is for firms with “1000 employees or
more.”
71

See Trends in Telephone Service, Federal Communications Commission, Wireline Competition Bureau, Industry
Analysis and Technology Division at Table 5.3 (Sept. 2010) (Trends in Telephone Service).
72

73

See id.

See U.S. Census Bureau, 2017 NAICS Definition, “517911 Telecommunications Resellers”,
https://www.census.gov/cgi-bin/sssd/naics/naicsrch?code=517911&search=2017%20NAICS%20Search.
74

75

Id.

76

See 13 CFR § 121.201, NAICS Code 517911.

See U.S. Census Bureau, 2012 Economic Census of the United States, Table ID: EC1251SSSZ5, Information:
Subject Series - Estab & Firm Size: Employment Size of Firms for the U.S.: 2012, NAICS Code 517911,
https://data.census.gov/cedsci/table?text=EC1251SSSZ5&n=517911&tid=ECNSIZE2012.EC1251SSSZ5&hidePrev
iew=false.
77

Id. Available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that have
employment of 1,500 or fewer employees. The largest category provided is for firms with “1000 employees or
more.”
78

See Federal Communications Commission, FCC Form 499 Filer Database,
http://apps.fcc.gov/cgb/form499/499a.cfm (last visited July 10, 2020).
79

92

Federal Communications Commission

FCC 20-136

86 active prepaid calling card providers that may be affected by these rules are likely small entities.
4.

Other Entities

20.
All Other Telecommunications. The “All Other Telecommunications” category is
comprised of establishments primarily engaged in providing specialized telecommunications services,
such as satellite tracking, communications telemetry, and radar station operation.80 This industry also
includes establishments primarily engaged in providing satellite terminal stations and associated facilities
connected with one or more terrestrial systems and capable of transmitting telecommunications to, and
receiving telecommunications from, satellite systems.81 Establishments providing Internet services or
voice over Internet protocol (VoIP) services via client-supplied telecommunications connections are also
included in this industry.82 The SBA has developed a small business size standard for “All Other
Telecommunications”, which consists of all such firms with annual receipts of $35 million or less.83 For
this category, U.S. Census Bureau data for 2012 show that there were 1,442 firms that operated for the
entire year.84 Of those firms, a total of 1,400 had annual receipts less than $25 million and 15 firms had
annual receipts of $25 million to $49, 999,999.85 Thus, the Commission estimates that the majority of
“All Other Telecommunications” firms potentially affected by our action can be considered small.
E.

Description of Projected Reporting, Recordkeeping, and Other Compliance
Requirements for Small Entities

21.
The Order adopts rules that obligate voice service providers that use non-IP network
technology to be able to provide the Commission, upon request, with documented proof that the provider
is participating, either on its own or through a representative, as a member of a working group, industry
standards group, or consortium that is working to develop a non-IP solution, or actively testing such a
solution.86 Under this rule, a voice service provider satisfies its obligations if it participates through a
third-party representative, such as a trade association of which it is a member or vendor.87
22.
Section 4(b)(5)(C)(i) of the TRACED Act directs the Commission to require any voice
service provider that has been granted an extension in compliance with the caller ID authentication
implementation mandates to implement, during the time of the extension, “an appropriate robocall
mitigation program to prevent unlawful robocalls from originating on the network of the provider.”88 The
Order requires voice service providers to file certifications documenting and describing their robocall
mitigation programs.89 Specifically, the Order requires all voice service providers—not only those
granted an extension—to certify on or before June 30, 2021, that their traffic is either signed with
See U.S. Census Bureau, 2017 NAICS Definition, “517919 All Other Telecommunications”,
https://www.census.gov/cgi-bin/sssd/naics/naicsrch?input=517919&search=2017+NAICS+Search&search=2017.
80

81

Id.

82Id.
83

See 13 CFR § 121.201, NAICS Code 517919.

See U.S. Census Bureau, 2012 Economic Census of the United States, Table ID: EC1251SSSZ4, Information:
Subject Series - Estab and Firm Size: Receipts Size of Firms for the U.S.: 2012, NAICS Code 517919,
https://data.census.gov/cedsci/table?text=EC1251SSSZ4&n=517919&tid=ECNSIZE2012.EC1251SSSZ4&hidePrev
iew=false.
84

Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that
meet the SBA size standard.
85

86

See supra Sections III.B, III.C.

87

See supra Sections III.B.

88

TRACED Act § 4(b)(5)(C)(i).

89

See supra Section III.C.

93

Federal Communications Commission

FCC 20-136

STIR/SHAKEN or subject to a robocall mitigation program that includes taking reasonable steps to avoid
originating illegal robocall traffic, and committing to cooperating with law enforcement and the industry
traceback consortium in investigating and stopping any illegal robocallers that it learns are using its
service to originate calls.90 For those voice service providers that certify that some or all of their traffic is
subject to a robocall mitigation program, the Order requires such voice service providers to detail in their
certifications the specific “reasonable steps” that they have taken to avoid originating illegal robocall
traffic.91 While only voice service providers with an extension will be obligated to implement a robocall
mitigation program, the Order imposes the certification requirement on all voice service providers
because doing so will help the Commission and others to hold all voice service providers accountable for
the voice traffic they originate, and give the Commission and others a snapshot of the progress of
STIR/SHAKEN implementation and the variety of robocall mitigation practices adopted by voice service
providers.92
23.
Voice service providers must file robocall mitigation certifications via a portal on the
Commission’s website that we will establish for this purpose.93 The Order also requires voice service
providers filing certifications to provide the following identification information in the portal on the
Commission’s website:
(1) the voice service provider’s business name(s) and primary address;
(2) other business names in use by the voice service provider;
(3) all business names previously used by the voice service provider;
(4) whether a voice service provider is a foreign voice service provider; and
(5) the name, title, department, business address, telephone number, and email address of a
central point of contact within the company responsible for addressing robocall-mitigation-related
issues.94
24.
The Order also requires voice service providers to submit to the Commission any
necessary updates regarding any of the information they filed in the certification process within 10
business days.95 The Order extends this certification requirement to foreign voice service providers that
use U.S. North American Numbering Plan numbers that pertain to the United States to send voice traffic
to residential and business subscribers in the United States and wish to be listed in the database.96
25.
The Order also adopts rules in accordance with our proposal to require that, in order to
receive a voluntary exemption from our implementation mandate, a voice service provider must file a
certification reflecting that it is in a reasonably foreseeable position to meet certain implementation goals,
and that, in order to maintain that exemption, a provider must make a later filing reflecting its
achievement of those goals it stated it was in a reasonably foreseeable position to meet.97 The
requirement of such certifications entails new reporting, recordkeeping, and other compliance
requirements for voice service providers. Specifically, we require that each voice service provider that
wishes to qualify for the voluntary exemption from our implementation mandate must have an officer of
90

See id.

91

See id.

92

See id.

93

See id.

94

See id.

95

See supra Section III.C.

96

See id.

97

See supra Section III.D.

94

Federal Communications Commission

FCC 20-136

the voice service provider sign a compliance certificate stating, under penalty of perjury, that the officer
has personal knowledge that the company meets each of the stated criteria.98 We also require the voice
service provider to submit an accompanying statement explaining, in detail, how the company meets each
of the prongs of each applicable exemption so that the Commission can verify the accuracy of the
certification.99 We also require that these certifications be filed no later than December 1, 2020, and that
all certifications and supporting statements be filed electronically in WC Docket No. 20-68, Exemption
from Caller ID Authentication Requirements, in the Commission’s Electronic Comment Filing System
(ECFS).100 Voice service providers that receive an exemption are further required to file a second
certification by a deadline specified in a Public Notice issued by the Wireline Competition Bureau no
later than three months after June 30, 2021, stating whether they, in fact, achieved the implementation
goal to which they previously committed.101 The certification must be filed electronically in WC Docket
No. 20-68, Exemption from Caller ID Authentication Requirements, in ECFS subject to the same
allowance for confidentiality and requirements for sworn signatures and detailed support as the initial
certifications.102 Voice service providers that certified in December of 2020 that they have already fully
implemented the necessary STIR/SHAKEN requirements, and for which the Bureau accepted the
certification, need not file a second certification.103 This second filing is required only from those voice
service providers that have not yet “fully implemented” STIR/SHAKEN by the time of their initial
December 2020 certification, but have committed to doing so by June 30, 2021.104
F.

Steps Taken to Minimize the Significant Economic Impact on Small Entities, and
Significant Alternatives Considered

26.
The RFA requires an agency to describe any significant, specifically small business,
alternatives that it has considered in reaching its approach, which may include the following four
alternatives (among others): “(1) the establishment of differing compliance or reporting requirements or
timetables that take into account the resources available to small entities; (2) the clarification,
consolidation, or simplification of compliance and reporting requirements under the rule for such small
entities; (3) the use of performance rather than design standards; and (4) an exemption from coverage of
the rule, or any part thereof for such small entities.”105
27.
The rules we adopt in today’s Order permit providers to satisfy the requirement under
section 4(b)(1)(B) of the TRACED Act to take “reasonable measures” to implement an effective caller ID
authentication framework in the non-IP portions of their networks,106 by participating as a member of a
working group, industry standards group, or consortium that is working to develop a non-IP solution, or
actively testing such a solution.107 A voice service provider satisfies this obligation if it participates
through a third-party representative, such as a trade association of which it is a member or vendor.108 As
the record in this proceeding shows, some industry groups have already established working groups
98

See id.

99

See id.

100

See id. This system is accessible at http://www.fcc.gov/ecfs.

101

See supra Section III.D.

102

See id.

103

See id.

104

See id.

105

5 U.S.C. § 603(c)(1)-(4).

106

See TRACED Act § 4(b)(1)(B).

107

See supra Section III.B.

108

See id.

95

Federal Communications Commission

FCC 20-136

dedicated to examining potential non-IP call authentication technologies.109 Allowing for such
representatives will reduce the burden of this obligation on individual voice service providers, including
those which are smaller, and minimize the potential negative impact of broad and inexpert participation
identified in the record,110 while ensuring that all voice service providers remain invested in developing a
solution for non-IP caller ID authentication.111
28.
In addition, the Order grants a two-year extension from implementation of caller ID
authentication to small, including small rural, voice service providers.112 The Order also grants an
exemption from our implementation mandate for voice service providers, including small providers,
which certify that they have reached certain implementation goals,113 and prohibits voice service providers
from imposing additional line item charges on consumer or small business subscribers for caller ID
authentication.114 In these ways, we have taken steps to minimize the economic impact of the rules
adopted in today’s Order on small entities.
Report to Congress:
29.
The Commission will send a copy of the Order, including this FRFA, in a report to
Congress pursuant to the Congressional Review Act.115 In addition, the Commission will send a copy of
the Order, including this FRFA, to the Chief Counsel for Advocacy of the SBA. A copy of the Order and
FRFA (or summaries thereof) will also be published in the Federal Register.116

109

See ATIS Comments at 4.

110

See CTIA Comments at 17-18.

111

See supra Section III.B.

112

See supra Section III.C.

113

See supra Section III.D.

114

See supra Section III.E.

115

See 5 U.S.C. § 801(a)(1)(A).

116

See 5 U.S.C. § 604(b).

96

Federal Communications Commission

FCC 20-136

STATEMENT OF
CHAIRMAN AJIT PAI
Re:

Call Authentication Trust Anchor, WC Docket No. 17-97.

According to one survey, 70% of Americans don’t answer their phones if they don’t recognize the
number.1 I’m among them. And that’s for good reason, because the average American has received
nearly 92 robocalls so far this year.2 Illegal robocalls often used spoofed information—like a local area
code or phone number of a trusted institution—to trick the recipient into thinking the call is from
someone they might know.
In March, we took a critical step toward protecting consumers from these spoofed robocalls by
requiring originating and terminating voice service providers to implement the STIR/SHAKEN caller ID
authentication framework—a technology that enables providers to verify that the caller ID information
transmitted with a phone call matches the caller’s real number. Providers must implement
STIR/SHAKEN in the IP portions of their networks by June 30, 2021, consistent with the TRACED Act.
Today, we take the next step in promoting caller ID authentication technology. We require
providers to either upgrade their non-IP networks to IP and then implement STIR/SHAKEN by the June
30, 2021 deadline or develop a non-IP caller ID authentication solution. We obligate intermediate
providers to implement STIR/SHAKEN in the IP portions of their networks by June 30, 2021 to ensure
that a call will benefit from caller ID authentication regardless of how it travels through the network. For
the non-IP portions of networks where STIR/SHAKEN cannot be enabled, we require voice service
providers to implement a robocall mitigation program to ensure they are not the source of illegally
spoofed robocalls. We also acknowledge the progress many companies have made in deploying
STIR/SHAKEN, and as required by the TRACED Act, establish a process to exempt these providers from
the deadline. And we grant an extension, as required by the TRACED Act, to providers that would face
undue hardship in making necessary network upgrades to meet the June 30, 2021 deadline.
Today’s Order is another key piece of our multi-pronged effort to fight spoofed robocalls. We
continue to engage in swift and tough enforcement action, collaborate with the industry traceback group
to identify those responsible for unlawful robocalls, partner with state governments and other federal
agencies, and educate consumers to combat this problem. And there is evidence that we are making
progress with these efforts. The Federal Trade Commission recently reported that the number of robocall
complaints received in April and May was 60% lower than the same months last year,3 and the YouMail
Robocall Index shows the number of robocalls in the United States declined by around 33% from the first
to the second quarter of 2020.4 But while these trends are welcome, we recognize that our work to fight
the scourge of illegal robocalls calls is far from done.
I’d like to thank the following Commission staff for their ongoing work to implement the
TRACED Act and to protect Americans from spoofed robocalls: Pam Arluk, James Bachtell, Annick
Banoun, Matt Collins, Justin Faulb, CJ Ferraro, Gabriela Gross, Kim Jackson, Dan Kahn, Jodie May,
Rodney McDonald, Kris Monteith, Terri Natoli, Mason Shefa, and John Visclosky of the Wireline
Competition Bureau; Ed Bartholme, Jennifer Burnett, Aaron Garza, Kurt Schroeder, Mark Stone, and
Kristi Thornton of the Consumer and Governmental Affairs Bureau; Kenneth Carlberg and Lauren
Tim Harper, Why Robocalls Are Even Worse Than You Thought (May 15, 2019),
https://www.consumerreports.org/robocalls/why-robocalls-are-even-worse-than-you-thought/.
1

2

YouMail, Robocall Index, https://robocallindex.com/history/time (last visited Sept. 24, 2020).

3

Id.

Lois Greisman, Robocall reports down, FTC still fighting (June 15, 2020),
https://www.consumer.ftc.gov/blog/2020/06/robocall-reports-still-down-ftc-still-fighting.
4

97

Federal Communications Commission

FCC 20-136

Kravetz of the Public Safety and Homeland Security Bureau; Denise Coca, Kim Cook, and Jim
Schlichting of the International Bureau; Lisa Gelb and Kristi Thompson of the Enforcement Bureau;
Chuck Needy, Eric Ralph, and Emily Talaga of the Office of Economics and Analytics; and Linda Oliver,
Richard Mallen, Bill Richardson, and Derek Yeo of the Office of General Counsel.

98

Federal Communications Commission

FCC 20-136

STATEMENT OF
COMMISSIONER BRENDAN CARR
Re:

Call Authentication Trust Anchor, WC Docket No. 17-97.

Americans are fed up with robocalls. They are tired of scam artists lighting up their phones.
They are done with fraudsters placing calls at all hours of the day and night. And they are sick of spoofed
numbers tricking them into picking up the phone. Like many people today, I rarely answer my cellphone
unless the caller is in my contact list.
All of this is why the FCC has elevated robocalls to our top enforcement priority. We have
imposed major fines on illegal callers. And we have even expanded our enforcement authority to target
illegal calls that originate overseas.
But we recognized a while ago that it is not enough to target these calls for enforcement action.
We need to stop these calls before they make it to a consumer’s phone. So we created a reassigned
numbers database to help combat these unwanted calls. And we’ve allowed carriers to block fraudulent
calls and those originated by bad actors. But in order to do that, carriers need to know where the call is
really coming from. On the more advanced portions of the networks, carriers will have to implement the
STIR/SHAKEN protocol so fraudulent robocall campaigns can be traced and blocked. As for the less
advanced networks, where STIR/SHAKEN won’t work, carriers will either have to upgrade them, or
develop other methods to identify the traffic on their networks, and file with the Commission to show us
how they are tackling the problem.
While there is no silver bullet for a problem like robocalls, the actions we have taken will make a
real difference in Americans’ lives. As we found in a previous report, the combination of
STIR/SHAKEN and call analytics could save Americans $10 billion per year.1 So we will keep up the
fight against robocalls—through tough enforcement, requiring carriers to better police their networks, and
by empowering consumers. Thanks to the Wireline Competition Bureau for their work on this important
item. It has my support.

Call Authentication Trust Anchor, Implementation of TRACED Act Section 6(a)—Knowledge of Customers by
Entities with Access to Numbering Resources, WC Docket Nos. 17-97 and 20-67, Report and Order and Further
Notice of Proposed Rulemaking, 35 FCC Rcd 3241, 3252, para. 25 (Mar. 31, 2020).
1

99

Federal Communications Commission

FCC 20-136

STATEMENT OF
COMMISSIONER GEOFFREY STARKS
Re:

Call Authentication Trust Anchor, WC Docket No. 17-97.

This item represents another important step in the effort to stop the millions of illegal and
unwanted spoofed robocalls placed every day to Americans. When consumers cannot trust the caller ID
information provided, they lose the ability to make informed decisions about whether they want to answer
a call. More than just an annoyance, this can put consumers in peril or subject them to fraud and other
harms, especially in critical times like these when we rely so much on our telephones for information and
connection with the outside world.
Earlier this year, we implemented several provisions of the Telephone Robocall Abuse Criminal
Enforcement and Deterrence (TRACED) Act, including a mandate for voice service providers to
implement the STIR/SHAKEN caller ID framework, but only in the internet protocol, or IP portions of
their networks. Today’s item fills a gap by adopting rules for non-IP networks, establishing deadlines for
implementation of caller ID authentication capability for providers and services that cannot yet implement
the STIR/SHAKEN technology, and requiring robocall mitigation in the interim for all voice service
providers. I am particularly pleased that we recognize the important role that intermediate and
terminating voice service providers play in stopping illegal robocalls by prohibiting them from accepting
voice traffic from providers that have not filed a certification of compliance with call authentication or
robocall mitigation requirements, including foreign service providers.
With today’s action, the Commission recognizes that we will never be able to fully combat illegal
robocalls unless all voice service providers implement call authentication and robocall mitigation in all
networks. I therefore am pleased to support this item, and thank the staff for their work on this
proceeding.

100


File Typeapplication/pdf
File Modified0000-00-00
File Created0000-00-00

© 2024 OMB.report | Privacy Policy