Little did the Federal Communications Commission (FCC) know that when they signed the First Order of the Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act in late 2019, a global pandemic would follow and make the world depend so heavily on the voice channel. With this dependency came an open window for bad actors in the ecosystem to scam consumers.
Mistrust in the industry has grown rapidly, with many legitimate and critical calls going unanswered. The FCC’s timing could not have been more perfect in presenting the mandates included in the TRACED Act to create a framework to identify authenticated callers and reduce the amount of fraudulent and spam phone calls in the caller ecosystem. The Act put forth a framework designed to authenticate the identity of callers to keep these scammers out, along with a deadline to ensure that the implementation was to be prioritized.
TRACED also set out to establish rules on caller ID authentication in non-IP networks, establish frameworks for exemptions from and extensions of the June 30, 2021 STIR/SHAKEN mandate deadline, impose obligations on intermediate providers, and create a new registration framework for all voice service providers. For an expanded summary of the proceedings background and inclusions, check out: Latest FCC Move Against Robocalls Would Increase Caller ID Authentication, Other Requirements from Wiley.
How STIR/SHAKEN Works
SHAKEN is a framework built on the STIR protocol. It provides an end-to-end architecture for service providers to verify and attest who is originating the call so a terminating carrier can validate it, thus confirming the caller's identity.
When an originating provider knows the customer and can verify where the number originated, they can add a certificate to the SIP INVITE, thereby attesting the call. This acts as the telephone identity that gets attached to the SIP INVITE and transported over the SIP network to the terminating service provider. When the terminating carrier receives the certificate, they verify its validity, check that it has been signed by the relevant attested key, and then choose how to terminate the call.
This process is what is known as the Base STIR/SHAKEN Standard that needs to be implemented by June 30th, 2021.
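As an added illustration (not from the original article or from any provider's code): on the wire, the attestation travels as a signed token, a PASSporT (RFC 8225), in the SIP Identity header, with an `x5u` field pointing to the signing certificate. The sketch below shows the claim checks a terminating side can run before verifying the signature; the telephone numbers, certificate URL, `origid`, 60-second freshness window and https-only `x5u` policy are assumptions, and the sample token is constructed with a placeholder signature.

```python
import base64
import json

MAX_AGE = 60  # assumed freshness window for "iat", in seconds

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def check_identity(identity_value, from_tn, to_tn, now):
    """Return (attest, problems) for one SIP Identity header value.
    Signature verification against the x5u certificate comes after this."""
    token = identity_value.partition(";")[0].strip()
    parts = token.split(".")
    if len(parts) != 3:
        return None, ["not a three-part compact JWS"]
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:
        return None, ["header or payload is not base64url JSON"]
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None, ["header or payload is not a JSON object"]
    orig, dest = claims.get("orig"), claims.get("dest")
    iat, attest = claims.get("iat"), claims.get("attest")
    dest_tns = dest.get("tn") if isinstance(dest, dict) else None
    checks = [
        (header.get("alg") == "ES256", "alg must be ES256"),
        (header.get("ppt") == "shaken" and header.get("typ") == "passport",
         "not a SHAKEN PASSporT"),
        (str(header.get("x5u", "")).startswith("https://"),
         "x5u must be an https URL"),  # assumed local policy
        (attest in ("A", "B", "C"), "attest must be A, B or C"),
        (isinstance(orig, dict) and orig.get("tn") == from_tn,
         "orig tn does not match SIP From"),
        (isinstance(dest_tns, list) and to_tn in dest_tns,
         "dest tn does not match SIP To"),
        (isinstance(iat, int) and abs(now - iat) <= MAX_AGE,
         "iat missing or stale"),
        (bool(claims.get("origid")), "origid missing"),
    ]
    return attest, [msg for ok, msg in checks if not ok]

def sample_identity(iat):
    """Constructed sample; the signature part is a placeholder, not real."""
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
              "x5u": "https://cert.example.test/sp.pem"}
    claims = {"attest": "A", "dest": {"tn": ["12025550123"]}, "iat": iat,
              "orig": {"tn": "12025550100"},
              "origid": "123e4567-e89b-12d3-a456-426614174000"}
    token = ".".join([b64url_encode(header), b64url_encode(claims), "c2ln"])
    return token + ";info=<https://cert.example.test/sp.pem>;alg=ES256;ppt=shaken"
```

An empty problem list only means the claims are well formed and match the call; the token is trusted only once its ES256 signature verifies against the certificate at `x5u` and that certificate chains to an approved authority.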
The Enterprise Challenge
Indirect cases in this flow exist which result in an Attestation Gap, also known as the Enterprise Challenge. A key component of the STIR/SHAKEN certificate is the Attestation Level, which can be ranked as A, B, or C. These ranks depend on the relationship between the originating provider and the customer as well as on the origination of the phone number. Visit our STIR/SHAKEN Knowledge Center to read more about Attestation Levels. How these ranks will be visually displayed to the customer has still not been determined. However, some attestation A calls can display a checkmark or [V], depending on the subscriber's device, either on the incoming call screen or in the call log.
A very real-life example of the Enterprise Challenge, or Attestation Gap, could occur when a contact center partner or BPO is making calls on behalf of multiple clients involving more than one party during the call path. The end clients being represented (enterprise brands) would not have a direct relationship with the voice service providers (VSPs) utilized by the BPO/contact center, which causes a situation where the VSP may not be able to validate the identity of the end brands, or the brands’ authorization to display the phone numbers being used.
About the STIR/SHAKEN Deadline
The First Order of the TRACED Act was signed by the FCC in December of 2019 to outline the implementation of the STIR/SHAKEN authentication framework, mandating that originating and terminating voice service providers must implement the standards in the IP portions of their networks and take reasonable measures to implement the framework in the non-IP portions of their networks. This implementation is set to be done by the end of this month on June 30th, 2021.
For a full review on the timeline of Robocall Initiatives which set these new expectations for voice service providers into motion, check out Wiley’s recap on the regulatory landscape. As mandated alongside the STIR/SHAKEN implementation deadline, “[voice] providers will be required to certify [in a] new database. For those providers that are subject to an extension of this deadline, they will need to have implemented a robocall mitigation program and to certify as such in the new database.”
Preparing for the Deadline: Enterprise Callers
As an enterprise caller preparing for June 30th, 2021, the first step would be to get an assessment of how your service provider is preparing for the deadline. Whether your calls originate via BPO, CPaaS, UCaaS, or direct carrier, your providers can update you on the status of their implementation as well as how your relationship with them may affect the level of attestation your calls may end up receiving.
Next, inquire how your provider’s compliance with the law is going to impact your current contract. Be aware beforehand of the contractual impact, such as an increase in cost or service-level agreement changes, that the implementation may have on your business.
Third, keep in mind that reputational analytics will continue to exist within the mobile and app ecosystem to determine if calls are unwanted or suspected scams, so call blocking and labeling will still be a relevant issue that you’ll need to address. STIR/SHAKEN does not replace the technologies used today to display calls as Spam or Potential Fraud, but may be used as an additional datapoint to increase the accuracy of reputational analytics.
Preparing for the Deadline: Service Providers
In April 2021, the FCC’s Wireline Competition Bureau announced the opening of the Robocall Mitigation Database, including filing instructions and deadlines for communications providers. Pursuant to 47 CFR § 64.6305(b), all voice service providers must file certifications to the Robocall Mitigation Database providing detailed information regarding their implementation of the STIR/SHAKEN caller ID authentication framework and/or a robocall mitigation program.
“These mitigation programs are going to be tailored to a carrier’s particular services and their particular mix of customers. So it's not really going to be a cookie cutter situation where the obligations are the same. What you need to do if you're a small MVNO reseller is different than what you’re going to need to do when you're a service provider to the call center industry and are enabling outbound calls that can be high volume calls.” - Kelley Drye Partner, Steve Augustino
The Robocall Mitigation Database is accessible to the public, where an active listing of all voice service providers that have submitted sufficient filings can be reviewed, and detailed instructions for how to file can be obtained.
- View current list of providers who have completed filing
- Still need to file? Review the instructions here
As noted while viewing the Robocall Mitigation Database, if you believe there are errors with the content or function of the database, or if you require special assistance with submitting a filing, please email FCC staff at RobocallMitigationDatabase@FCC.gov.
Preparing Your Robocall Mitigation Plan: Service Providers
As Wiley notes in this article on Expectations for Voice Service Providers, the filing of a robocall mitigation plan “applies to all voice service providers – not only those granted an extension – who will be required to file robocall certifications with the FCC.” With a special thanks to our friends at Kelley Drye, we recommend taking a look at the following helpful resources for service providers to further dive into the requirements set forth by the FCC to file a robocall mitigation plan:
- Guidance for Implementing the STIR-SHAKEN Call Authentication and Robocall Mitigation Mandates in 2021: to help communications providers determine what their obligations are under the rules, including a review of requirements and exemptions.
- Robocall Mitigation Plan Checklist: review and understand the three required elements of a robocall mitigation program as defined by the FCC.
- Podcast: Robocall Mitigation Plans: understand when providers need to implement mitigation programs and what needs to be included. Review recommendations for customizing a program to fit a provider’s needs and how to build a program that is both effective and manageable.
So What Happens on July 1?
One of the major concerns facing the communications industry is the fear that outbound calls will be automatically blocked starting on July 1, 2021 if service providers have not properly implemented the authentication standard by the mandated deadline. Within the TRACED Act, however, there is no specific language included that states unattested enterprise calls will be simply blocked. As denoted in TRACED Act, SEC. 4. Call Authentication, further rulemaking will be issued to ensure “calls originating from a provider of voice service in an area where the provider is subject to a delay of compliance with the time period described in subsection (b)(1) are not unreasonably blocked because the calls are not able to be authenticated.”
In an episode of Numeracle’s Tuesday Talks series, we asked Chris Wendt of the ATIS/SIP Forum IP-NNI Joint Task Force and the STI-GA Technical Committee to debunk STIR/SHAKEN misconceptions, such as “what’s going to happen to calls starting on July 1?” In his reply, Chris shares his perspective on how the timeline to deploy STIR/SHAKEN across the large and unique mix of service providers required to sign traffic across the network might impact the customer experience on the terminating side.
Looking to the Future
As service providers continue to implement STIR/SHAKEN, conversations will continue around how to address the Attestation Gap for the enterprise, how to effectively monitor and address discrepancies in cross-provider STIR/SHAKEN implementations, how to educate mobile subscribers on what the new visual descriptors of authenticated calls (such as green checkmarks) mean, and more. All said, ever since the FCC unanimously agreed to increase caller ID authentication last year, STIR/SHAKEN is the foundational next step in restoring trust throughout the network and lays critical groundwork for further developments in a secure identity-based voice channel.
About this Article
Endeavoring to shed light and bring truth on emerging topics in the communications industry, Numeracle’s CEO and Founder, Rebekah Johnson, alongside Numeracle's Chief Product Officer, Anis Jaffer, have begun a biweekly live discussion series-turned-podcast, Tuesday Talks. Their first episode was aimed at debunking the STIR/SHAKEN deadline, explaining the qualifications for attestation levels, the Enterprise Challenge, and other complex scenarios.
To listen in on these and other full episodes of Tuesday Talks, visit https://www.numeracle.com/tuesday-talks, or check out our STIR/SHAKEN Knowledge Center for additional information around the rollout of the STIR/SHAKEN call authentication framework.