47 CFR Document 2020-07585
Call Authentication Trust Anchor; Implementation of TRACED Act-Knowledge of Customers by Entities With Access to Numbering Resources
February 16, 2021
CFR

AGENCY:

Federal Communications Commission.

ACTION:

Final rule.

SUMMARY:

In this document, the Commission adopts a rule that mandates that all originating and terminating voice service providers implement the STIR/SHAKEN caller ID authentication framework in the internet Protocol (IP) portions of their networks by June 30, 2021. In establishing this requirement, the Report and Order both acts on the Commission's proposal to require voice service providers to implement the STIR/SHAKEN caller ID authentication framework if major voice service providers did not voluntarily do so by the end of 2019, and implements Congress's direction in the recently enacted Pallone-Thune Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act to mandate STIR/SHAKEN not later than 18 months after the date of enactment of that Act. This action builds on the Commission's aggressive and multi-pronged approach to ending illegal caller ID spoofing.

DATES:

Effective May 21, 2020.

FOR FURTHER INFORMATION CONTACT:

For further information, please contact Mason Shefa, Competition Policy Division, Wireline Competition Bureau, at Mason.Shefa@fcc.gov.

SUPPLEMENTARY INFORMATION:

The full text of this document, WC Docket Nos. 17-97, 20-67; FCC 20-42, adopted and released on March 31, 2020, is available for public inspection during regular business hours in the FCC Reference Information Center, Portals II, 445 12th Street SW, Room CY-A257, Washington, DC 20554 or at the following internet address: https://docs.fcc.gov/​public/​attachments/​FCC-20-42A1.pdf . The Further Notice of Proposed Rulemaking WC Docket Nos. 17-97, 20-67; FCC 20-42, adopted concurrently with this document and available at the same internet address, is published elsewhere in this issue of the Federal Register.

Synopsis

I. Introduction

1. Each day, Americans receive millions of unwanted phone calls. One source indicates that Americans received over 58 billion such calls in 2019 alone. These include “spoofed” calls whereby the caller falsifies caller ID information that appears on a recipient's phone to deceive them into thinking the call is from someone they know or can trust. Spoofing has legal and illegal uses. For example, medical professionals calling patients from their mobile phones often legally spoof the outgoing phone number to be the office phone number for privacy reasons, and businesses often display a toll-free call-back number. Illegal spoofing, on the other hand, occurs when a caller transmits misleading or inaccurate caller ID information with the intent to defraud, cause harm, or wrongly obtain anything of value. And these spoofed calls are not simply an annoyance—they result in billions of dollars lost to fraud, degrade consumer confidence in the voice network, and harm our public safety. A 2019 survey estimated that spoofing fraud affected one in six Americans and cost approximately $10.5 billion in a single 12-month period.

2. The Commission, Congress, and state attorneys general all agree on the need to protect consumers and put an end to illegal caller ID spoofing. Over the past three years, the Commission has taken a multi-pronged approach to this problem—issuing hundreds of millions of dollars in fines for violations of our Truth in Caller ID rules; expanding those rules to reach foreign calls and text messages; enabling voice service providers to block certain clearly unlawful calls before they reach consumers' phones; and clarifying that voice service providers may offer call-blocking services by default. We have also called on industry to “trace back” illegal spoofed calls and text messages to their original sources and encouraged industry to develop and implement new caller ID authentication technology. That technology, known as STIR/SHAKEN, allows voice service providers to verify that the caller ID information transmitted with a particular call matches the caller's number. Entities variously refer to this technology as either “SHAKEN/STIR” or “STIR/SHAKEN.” In the past, the Commission has referred to the technology as “SHAKEN/STIR.” To ensure consistency with the TRACED Act, we use “STIR/SHAKEN” here. Its widespread implementation will reduce the effectiveness of illegal spoofing, allow law enforcement to identify bad actors more easily, and help voice service providers identify calls with illegally spoofed caller ID information before those calls reach their subscribers.

3. Today, we build on our aggressive and multi-pronged approach to ending illegal caller ID spoofing. First, we mandate that all voice service providers implement the STIR/SHAKEN caller ID authentication framework in the internet Protocol (IP) portions of their networks by June 30, 2021. In recognition of the fact that it is caller ID information transmitted with a call that is authenticated, we use the term “caller ID authentication” in this Report and Order and Further Notice of Proposed Rulemaking. We understand this term to be interchangeable with the term “call authentication” as used in other contexts, including the TRACED Act. In establishing this requirement, we both act on our proposal to require voice service providers to implement the STIR/SHAKEN caller ID authentication framework if major voice service providers did not voluntarily do so by the end of 2019, and implement Congress's direction in the recently enacted Pallone-Thune Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act to mandate STIR/SHAKEN not later than 18 months after the date of enactment of that Act. Second, we propose and seek comment on additional measures to combat illegal spoofing, including further implementation of the TRACED Act.

II. Background

4. Technological advancements and marketplace developments in IP-based telephony have made caller ID spoofing easier and more affordable than ever before. Today, widely available Voice over internet Protocol (VoIP) software allows malicious callers to make spoofed calls with minimal experience and cost. Taking advantage of the ability to use spoofing to mask the true identity of an incoming call, these callers have turned to this technology as a quick and cheap way to defraud targets and avoid being discovered. Driven in part by the rise of VoIP, the telecommunications industry has transitioned from a limited number of carriers that all trusted each other to provide accurate caller origination information to a proliferation of different voice service providers and entities originating calls, which allows consumers to enjoy the benefits of far greater competition but also creates new ways for bad actors to undermine this trust.

5. To combat illegal spoofing, industry technologists from the internet Engineering Task Force (IETF) and the Alliance for Telecommunications Industry Solutions (ATIS) developed standards for the authentication and verification of caller ID information for calls carried over an IP network using the Session Initiation Protocol (SIP). The Session Initiation Protocol (SIP) is “an application-layer control (signaling) protocol for creating, modifying, and terminating sessions” such as internet Protocol (IP) telephony calls. The IETF formed the Secure Telephony Identity Revisited (STIR) working group, which has produced several protocols for authenticating caller ID information. ATIS, together with the SIP Forum, produced the Signature-based Handling of Asserted information using toKENs (SHAKEN) specification which standardizes how the protocols produced by STIR are implemented across the industry. The SIP Forum is “an industry association with members from . . . IP communications companies,” with a mission “[t]o advance the adoption and interoperability of IP communications products and services based on SIP.” Together, these technical standards comprise the “STIR/SHAKEN” framework for caller ID authentication. The STIR/SHAKEN framework consists of two high-level components: (1) The technical process of authenticating and verifying caller ID information; and (2) the certificate governance process that maintains trust in the caller ID authentication information transmitted along with a call.

6. Authenticating and Verifying Caller ID Information Through STIR/SHAKEN. The STIR/SHAKEN authentication and verification processes center on the transmission of encrypted information used to attest to the accuracy of caller ID information transmitted with a call. Specifically, an originating voice service provider adds a unique header to the network-level message used to initiate a SIP call (the SIP INVITE). This SIP INVITE contains a series of unencrypted headers which provides information about the message, such as a “From” header, giving information about the calling party; a “To” header, giving information about the called party; and a “Via” header, which “indicates the path taken by the request so far and helps in routing the responses back along the same path.” Both originating and downstream providers are technically capable of appending headers to the SIP INVITE. When a subscriber places a call, the originating voice service provider uses an authentication service to create this “Identity” header, which contains encrypted identifying information as well as the location of the public key that can be used to decode this information. The authentication service can be provided by the voice service provider itself, or by a third party acting under the voice service provider's direction. When the terminating voice service provider receives the call, it sends the SIP INVITE with the Identity header to a verification service, which uses the public key that corresponds uniquely to the originating voice service provider's private key to decode the encrypted information and verify that it is consistent with the information sent without encryption in the SIP INVITE. Like the corresponding authentication service on the originating voice service provider's end, the terminating voice service provider's verification service can be performed internally or by a trusted third-party service. The verification service then sends the results of the verification process—including whether the decoding process was successful and whether the encrypted information is consistent with the information sent without encryption—to the terminating voice service provider. STIR/SHAKEN thus establishes a chain of trust back to the originating voice service provider.

7. Because the STIR/SHAKEN framework relies on transmission of information in the Identity header of the SIP INVITE, it only operates on the IP portions of a voice service provider's network—that is, those portions served by network technology that is able to initiate, maintain, and terminate SIP calls. If a call terminates on a network or is routed at any point over an intermediate provider network that does not support the transmission of SIP calls, the Identity header will be lost. Because STIR/SHAKEN only operates on IP networks, some stakeholders have advocated for a solution referred to as “out-of-band STIR,” in which caller ID authentication information is sent across the internet, out-of-band from the call path, allowing STIR/SHAKEN to be implemented on networks that are not fully IP. Out-of-band STIR remains in the early stages of development.

8. The STIR/SHAKEN framework relies on the originating voice service provider attesting to the subscriber's identity. The SHAKEN specification allows an originating voice service provider to provide different “levels” of attestation. Specifically, the voice service provider can indicate that (i) it can confirm the identity of the subscriber making the call, and that the subscriber is using its associated telephone number (“full” or “A” attestation); (ii) it can confirm the identity of the subscriber but not the telephone number (“partial” or “B” attestation); or merely that (iii) it is the point of entry to the IP network for a call that originated elsewhere, such as a call that originated abroad or on a domestic network that is not STIR/SHAKEN-enabled (“gateway” or “C” attestation).

9. To maintain trust in the voice service providers that vouch for caller ID information, the STIR/SHAKEN framework uses digital “certificates” issued through a neutral governance system. The STIR/SHAKEN credentials are based on an X.509 credential system. X.509 is a specific standard for a type of public key infrastructure system that uses certificates to facilitate secure internet communications. The framework requires that each voice service provider receive its own certificate that contains, among other components, that voice service provider's public key, and states, in essence, that (i) the voice service provider is that which it claims to be; (ii) the voice service provider is authorized to authenticate the caller ID information; and (iii) the voice service provider's claims about the caller ID information it is authenticating can thus be trusted. Every time an originating voice service provider originates an authenticated call, it transmits the location of its certificate in the Identity header, allowing the verification service to acquire the public key and verify the caller ID information, and have certainty that the public key is truly associated with the voice service provider that originated the call. The “location” is sent unencrypted in the form of a Uniform Resource Locator (URL).

10. The STIR/SHAKEN governance model requires several roles in order to operate: (1) A Governance Authority, which defines the policies and procedures for which entities can issue or acquire certificates; (2) a Policy Administrator, which applies the rules set by the governance authority, confirms that certification authorities are authorized to issue certificates, and confirms that voice service providers are authorized to request and receive certificates; (3) Certification Authorities, which issue the certificates used to authenticate and verify calls; and (4) the voice service providers themselves, which, as call initiators, select an approved certification authority from which to request a certificate, and which, as call recipients, check with certification authorities to ensure that the certificates they receive were issued by the correct certification authority.

11. Commission and North American Numbering Council Action to Promote STIR/SHAKEN Deployment. In July 2017, the Commission released a Notice of Inquiry, launching a broad inquiry into caller ID authentication and how to expedite its development and implementation. In the Notice of Inquiry, the Commission recognized the potential of caller ID authentication to “reduc[e] the risk of fraud and ensur[e] that callers be held accountable for their calls.” Among other issues, the Commission sought comment on its role in promoting implementation of caller ID authentication technology; what involvement, if any, it should have in STIR/SHAKEN governance; and how to address caller ID authentication for networks that use non-IP technology.

12. In February 2018, the Commission directed the Call Authentication Trust Anchor Working Group of the North American Numbering Council (NANC) to recommend “criteria by which a [Governance Authority] should be selected” and a “reasonable timeline or set of milestones for adoption and deployment of a SHAKEN/STIR call authentication system, including metrics by which the industry's progress can be measured.” In its May 2018 report, the NANC recommended that representatives from various industry stakeholders comprise a board overseeing the Governance Authority, and that “individual companies capable of signing and validating VoIP calls using SHAKEN/STIR should implement the standard within a period of approximately one year after completion of the NANC CATA report.” Chairman Pai accepted these recommendations shortly after they were issued by the NANC.

13. In November 2018, drawing on the NANC's May 2018 recommendation that capable voice service providers rapidly implement STIR/SHAKEN, Chairman Pai sent letters to major voice service providers urging them to implement a robust caller ID authentication framework by the end of 2019. He asked these providers for specific details about their implementation plans, and encouraged those that did not appear to have established concrete plans to promptly protect their subscribers with STIR/SHAKEN. In response, the providers submitted letters detailing their implementation efforts. Since that time, Commission staff has closely tracked the progress of major voice service providers in implementation of the STIR/SHAKEN framework.

14. In June 2019, the Commission adopted a Declaratory Ruling and Third Further Notice of Proposed Rulemaking that proposed and sought comment on mandating implementation of STIR/SHAKEN in the event that major voice service providers did not voluntarily implement the framework by the end of 2019. We stressed that “[i]mplementation of the SHAKEN/STIR framework across voice networks is important in the fight against unwanted, including illegal, robocalls” and proposed to extend any mandate to “wireline, wireless, and Voice over Internet Protocol (VoIP) providers”; sought comment on what we should require voice service providers to accomplish to meet an implementation mandate; and asked for comment on how long voice service providers should be given to comply with such a mandate. We further sought comment on whether we should establish requirements regarding the display of STIR/SHAKEN attestation information, what role the Commission should have in STIR/SHAKEN governance, and how we could encourage caller ID authentication on non-IP networks. The Declaratory Ruling and Third Further Notice of Proposed Rulemaking also affirmed that voice service providers may, by default, block unwanted calls based on reasonable call analytics, as long as their customers are informed and have the opportunity to opt out of the blocking; proposed to create a safe harbor for voice service providers that block calls which fail STIR/SHAKEN verification; and sought comment on whether we should create a safe harbor for voice service providers that block calls which do not have authenticated caller ID information.

15. In July 2019, the Commission held a summit focused on implementation of STIR/SHAKEN. Summit participants included representatives from large and small voice service providers, analytics companies, vendors, and members of the Governance Authority. The participants discussed implementation progress made by major voice service providers; using STIR/SHAKEN to improve the consumer experience; and implementation challenges faced by small voice service providers.

16. Developments in STIR/SHAKEN Governance. Currently, the Secure Telephone Identity Governance Authority (STI-GA), established by ATIS, fills the Governance Authority role. The STI-GA's membership was designed to provide a diverse representation of stakeholders from across the industry. The STI-GA selected the Policy Administrator, iconectiv, in May 2019. In December 2019, the Policy Administrator approved the first Certification Authorities, and announced that voice service providers are now able to register with the Policy Administrator to obtain the credentials necessary to receive certificates from approved Certification Authorities.

17. Implementation by Voice Service Providers. We recognize that a number of providers have been working hard to implement caller ID authentication. Some voice service providers reported that, by the end of 2019, they had completed the necessary network upgrades to support the STIR/SHAKEN framework and that they were exchanging a limited amount of traffic with authenticated caller ID information with other voice service providers. Others, however, reported only that they had completed necessary network upgrades by the end of 2019, but had not begun exchanging authenticated traffic with other voice service providers. Still others have shown little to no progress in upgrading their networks to be STIR/SHAKEN-capable.

18. More specifically, as of the end of 2019, AT&T, Bandwidth, Charter, Comcast, Cox, T-Mobile, and Verizon announced that they had upgraded their networks to support STIR/SHAKEN. AT&T, for example, confirmed that it “authenticates all calls on its network that originate from [Voice over LTE] and consumer VoIP customers” and “estimates that approximately 90 percent of its wireless customer base (prepaid and postpaid) and more than 50 percent of its consumer wireline customer base are SHAKEN/STIR capable.” Charter stated that it “fulfilled [its] commitment to complete the implementation of the STIR/SHAKEN framework by the end of [2019].” Similarly, Comcast reported that “virtually all calls originating from a Comcast residential subscriber and terminating with a Comcast residential subscriber are fully authenticated through the STIR/SHAKEN protocol.” Cox reported that it “has deployed SHAKEN/STIR to over 99% of [its] residential customers enabling Cox to sign originating and terminating calls.” T-Mobile stated that it was “the first wireless provider to fully implement STIR/SHAKEN standards on [its] network” and is “capable of signing and authenticating 100% of SIP traffic that both originates and then terminates on [its] network.” According to Verizon, it “finished deploying STIR/SHAKEN to its wireless customer base (which constitutes more than 95% of [its] total traffic) in March 2019,” “is devoting substantial resources to deploying STIR/SHAKEN to wireline customers that receive service on IP platforms capable of being upgraded with the STIR/SHAKEN protocol” and expects “to achieve deployment of STIR/SHAKEN to Fios Digital customers later this year.”

19. These voice service providers, however, were exchanging only a limited amount of authenticated traffic with other voice service providers as of the end of 2019. For instance, Comcast has begun to exchange authenticated calls with AT&T and T-Mobile, and explained that, as of December 2019, approximately 14.25% of all calls “originating on other voice providers' networks and bound for Comcast residential subscribers had a STIR/SHAKEN-compliant header and were verified by Comcast.” T-Mobile explained that it is also authenticating some traffic exchanged with AT&T, Comcast, and Inteliquent. According to AT&T, it “exchanges approximately 40 percent of its SHAKEN/STIR consumer VoIP traffic with one terminating service provider.” Verizon stated that it was signing “under half of [its] outbound traffic” with one provider as of the end of 2019, and that “for the other three partners,” its production levels were under 5%. Cox explained that it is “exchanging authenticated traffic with four carriers resulting in over 14% of all calls on Cox' residential IP network being verified.” Charter stated that it is “exchanging signed and authenticated customer call traffic end-to-end with Comcast.” Bandwidth is also in early stages of exchanging traffic and “has designed, tested and deployed the capability to exchange some of its production traffic with Verizon Wireless directly utilizing `self-signed' certifications that are in keeping with the STIR/SHAKEN framework.”

20. Other voice service providers—namely Frontier, Sprint, U.S. Cellular, and Vonage—stated that they have performed necessary network upgrades, but had only begun the negotiating and testing phase of exchanging authenticated traffic with other voice service providers as of the end of 2019. Frontier reported that it “established the capability to authenticate and sign calls” and is in the negotiating and testing phase regarding authenticating traffic exchanged with other voice service providers. Sprint reported that it “deployed the core STIR/SHAKEN capability in its network” and was testing the exchange of authenticated traffic with Comcast and T-Mobile. In 2019, U.S. Cellular “successfully implemented the STIR/SHAKEN technology in its network” and is currently “in various stages of the [interconnection agreement] process with three of the four national wireless carriers . . . including, the successful exchange of traffic on a test basis with at least one of . . . those carriers.” Vonage reported that it was testing with “its two largest peering partners” and had “reached out to twenty additional carriers to implement outbound and inbound testing schedules.”

21. An additional category of voice service providers—namely CenturyLink, TDS, and Google—has indicated limited progress in making the necessary network upgrades. CenturyLink, for instance, stated that as of late 2019 it had “taken the steps necessary to prepare its network for SHAKEN/STIR deployment” and is currently conducting testing for wider deployment on its IP networks. TDS, meanwhile, reported that it had completed work in 2019 to evaluate, select, and lab test a vendor solution to allow it to integrate STIR/SHAKEN in the IP portions of its network. It is in the process of developing implementation plans, but because many of its interconnection points with other providers are not IP-enabled, it “forecast[s] that only a small percentage of traffic will be exchanged in IP when SHAKEN/STIR is initially deployed in the TDS IP network.” Google provided limited detail about the status of implementation but stated that it “remains committed to implementing SHAKEN/STIR and . . . ha[s] taken considerable steps toward doing so.”

22. Congressional Direction to Require STIR/SHAKEN Implementation. On December 30, 2019, Congress enacted the TRACED Act, with the stated purpose of “helping to reduce illegal and unwanted robocalls” through numerous mechanisms. Along with other provisions directed at addressing robocalls, the TRACED Act directs the Commission to require, no later than 18 months from enactment, all voice service providers to implement STIR/SHAKEN in the IP portions of their networks and implement an effective caller ID authentication framework in the non-IP portions of their networks. The TRACED Act further creates processes by which voice service providers (1) may be exempt from this mandate if the Commission determines they have achieved certain implementation benchmarks, and (2) may be granted an extension for compliance based on a finding of undue hardship because of burdens or barriers to implementation or based on a delay in development of a caller ID authentication protocol for calls delivered over non-IP networks. The TRACED Act further directs us, not later than December 30, 2020, to submit a report to Congress that includes: (1) an analysis of the extent to which voice service providers have implemented caller ID authentication frameworks and whether the availability of necessary equipment and equipment upgrades has impacted such implementation; and (2) an assessment of the efficacy of the call authentication frameworks.

23. This rulemaking is one of several steps we are taking to implement the TRACED Act. For instance, we recently proposed rules to establish a registration process for a “single consortium that conducts private-led efforts to trace back the origin of suspected unlawful robocalls.” Additionally, the Wireline Competition Bureau (Bureau) has charged the NANC Call Authentication Trust Anchor Working Group with providing recommendations regarding the TRACED Act's direction that the Commission “issue best practices that providers of voice service may use as part of the implementation of effective call authentication frameworks . . . to take steps to ensure the calling party is accurately identified.” We will continue to work swiftly and carefully to implement the TRACED Act and protect Americans from illegal robocalls.

III. Report and Order

24. In this Report and Order, we require all originating and terminating voice service providers to implement the STIR/SHAKEN framework in the IP portions of their networks by June 30, 2021. We adopt this mandate for several reasons, including that (1) Widespread implementation will result in significant benefits from American consumers; (2) the record overwhelmingly reflects support from a broad array of stakeholders for rapid STIR/SHAKEN implementation; (3) the state of industry-wide implementation at the end of 2019 demonstrates that further government action is necessary for timely, ubiquitous implementation; and (4) the TRACED Act expressly directs us to require timely STIR/SHAKEN implementation. Below, we discuss these reasons in more detail; describe the specific requirements that comprise our mandate; discuss our legal authority to adopt these requirements; respond to the limited record opposition to a mandate; and find that the benefits of STIR/SHAKEN implementation will far exceed the costs. USTelecom and CTIA ask us to adopt a broad call blocking safe harbor today. Transaction Network Services suggests that we require or recommend that providers pair STIR/SHAKEN with analytics. We intend to address call-blocking issues and the role of analytics in relation to call blocking in a separate item and thus decline to address these requests here.

A. Mandating the STIR/SHAKEN Framework

25. We require all originating and terminating voice service providers to implement the STIR/SHAKEN framework in the IP portions of their networks by June 30, 2021 for several compelling reasons. First, ubiquitous STIR/SHAKEN implementation will yield substantial benefits for American consumers. We estimate that the benefits of eliminating the wasted time and nuisances caused by illegal scam robocalls will exceed $3 billion annually. And more importantly, we expect STIR/SHAKEN paired with call analytics to serve as a tool to effectively protect American consumers from fraudulent robocall schemes that cost Americans approximately $10 billion annually. Further, we anticipate that implementation will increase consumer trust in caller ID information and encourage consumers to answer the phone, thereby benefitting businesses, healthcare providers, and non-profit charities. Widespread implementation also benefits public safety by decreasing disruptions to healthcare and emergency communications systems, and as a result, saving lives. Additional benefits include significantly reducing costs for voice service providers by eliminating unwanted network congestion and decreasing the number of consumer complaints about robocalls. Ultimately, we expect widespread STIR/SHAKEN implementation to reduce the scourge of illegal robocalls that plague Americans every day.

26. Second, the record overwhelmingly reflects support from a broad array of stakeholders for rapid STIR/SHAKEN deployment, and many commenters support a STIR/SHAKEN mandate. Commenters, including the attorneys general of all fifty states and the District of Columbia, consumer groups, and major voice service providers expressed support for Commission action if widespread voluntary implementation did not occur. The unified state attorneys general argue that a mandate is necessary “in the absence of prompt voluntary implementation” by the end of 2019 because without such action, “[b]ad actors exploit inexpensive and ubiquitous technology to scam consumers and to intrude upon consumers' lives, and the problem shows no signs of abating.” Consumer group commenters, including Consumer Reports, the National Consumer Law Center, Consumer Action, the Consumer Federation of America, the National Association of Consumer Advocates, and Public Knowledge, observe that “cross-carrier implementation has been relatively limited” and state that we “should require phone companies to adopt effective call-authentication policies and technologies.” AT&T explains that “SHAKEN/STIR must be widely deployed to be effective.” Verizon similarly explains that STIR/SHAKEN only works if all voice service providers have implemented the framework in the call path—increasing the utility of a mandate. Other providers, including Comcast and Transaction Network Services, support a “measured” STIR/SHAKEN requirement that accounts for existing implementation challenges. We find that our June 30, 2021 implementation date and application of the STIR/SHAKEN mandate to only the IP portions of originating and terminating voice service providers' networks satisfies these commenters' concerns. And even commenters who express hesitation about a mandate are receptive to one that accounts for the burdens and barriers confronted by rural and small voice service providers, which we proposed to address through the process established in the TRACED Act. For example, the Voice of America's Broadband Providers and Teliax are receptive to a mandate that “focus[es] on implementation of . . . legislation Congress enacts” and provides for a more flexible implementation timeframe for small and rural providers.

27. Third, although some major voice service providers have taken significant steps towards STIR/SHAKEN implementation, the level of implementation by the Commission's end of 2019 deadline shows that, absent further governmental action, we will not have timely ubiquitous implementation. As Verizon states, “verifying [c]aller ID for consumers using STIR/SHAKEN presents a classic collectivity challenge that industry may not be able to overcome on its own.” As we have explained, some voice service providers reported that, by the end of 2019, they completed the necessary network upgrades to support the STIR/SHAKEN framework and that they were exchanging a limited amount of traffic with authenticated caller ID information with other voice service providers. Others, however, reported only that they had completed necessary network upgrades by the end of 2019, but had not begun exchanging with other voice service providers. Still others have shown little to no progress in upgrading their networks to be STIR/SHAKEN-capable. We find that the lack of common exchange among these voice service providers—and the absence of substantial progress by several of them—demonstrate that major voice service providers have failed to meet the goal of achieving full implementation by the end of 2019. We therefore must act to ensure faster progress to protect the public from the scourge of illegal robocalls.

28. Finally, confirming our decision is the recently-enacted TRACED Act, which provides additional support for the implementation mandate we set forth today. The TRACED Act directs the Commission to “require a provider of voice service to implement the STIR/SHAKEN authentication framework in the [IP] networks of the provider of voice service.” Congress's clear direction to require timely STIR/SHAKEN implementation further encourages us to adopt the mandate in this Report and Order.

29. Limited Record Opposition to a STIR/SHAKEN Implementation Mandate. We disagree with those commenters who argue that we should not move forward with a STIR/SHAKEN implementation mandate. First, we specifically disagree with the argument that we should delay a mandate while industry develops technical solutions to allow the STIR/SHAKEN framework to accommodate certain more challenging scenarios. According to some commenters, the standards for attestation do not fully account for the situation where an enterprise subscriber places outbound calls through a voice service provider other than the voice service provider that assigned the telephone number. In such scenarios, commenters claim, it would be difficult for an outbound call to receive “full” or “A” attestation because the outbound call “will not pass through the authentication service of the voice service provider that controls the numbering resource.” To provide “full” or “A” attestation, the voice service provider must be able to confirm the identity of the subscriber making the call, and that the subscriber is using its associated telephone number. We are optimistic that standards bodies, which remain engaged on the impact of STIR/SHAKEN on more challenging use cases and business models, will be able to resolve those issues—just as they have overcome numerous other barriers to caller ID authentication so far. We will continue to monitor industry progress towards solutions to these issues. For instance, the Internet Engineering Task Force (IETF) has proposed a “certificate delegation” solution that would allow “the carrier who controls the numbering resource . . . to delegate a credential that could be used to sign calls regardless of which network or administrative domain handles the outbound routing for the call.” Further, granting a delay until standards bodies address every possible issue would risk creating an incentive for some parties to draw out standards-setting processes, to the detriment of widespread STIR/SHAKEN implementation. To the contrary, by establishing a June 30, 2021 deadline for widespread STIR/SHAKEN implementation, we create an incentive for standards bodies to work quickly to issue actionable standards and solutions for enterprise calls. For this reason, we need not adopt a separate deadline for industry development of standards and solutions for enterprise calls, as requested by Cloud Communications Alliance. In any event, the TRACED Act requires that voice service providers implement the STIR/SHAKEN framework in their IP networks on this timetable, with only those extensions and exceptions specified by Congress. We decline USTelecom's request “to remove the discussion surrounding enterprise signing from the Draft S/S Mandate Order and to move it to the Draft S/S Mandate FNPRM to seek further comment.” We find this request inconsistent with the structure of the TRACED Act, which creates a general mandate and exceptions to that mandate, rather than limiting the scope of the mandate to non-enterprise calls in the first instance. We also note that USTelecom has emphasized that some enterprise signing will be “possible in the near term” and that “some voice service providers with enterprise customers are already working on providing the ability for their enterprise customers to have certain enterprise calls signed (with A-level attestation) this year.” We are confident that mandating, consistent with the TRACED Act, that voice service providers implement the STIR/SHAKEN framework in their IP networks—subject to the extensions and exceptions created by the TRACED Act—will create beneficial incentives for industry to continue to quickly develop standards to address enterprise calls.

30. Second, we disagree with Competitive Carriers Association's argument that adopting a STIR/SHAKEN mandate would “risk impeding development of other potential new strategies to block robocalls.” The STIR/SHAKEN framework is one important solution that should be part of an arsenal of effective remedies to combat robocalls, and its implementation does not preclude voice service providers from pursuing additional solutions. Further, consistent with Congress's direction in the TRACED Act, we will plan to revisit our caller ID authentication rules periodically to ensure that they remain up to date.

31. Finally, we disagree with ACA Connects' suggestion that we limit our implementation mandate to only those voice service providers that originate large volumes of illegal robocalls. ACA Connects fails to account for the importance of network-wide implementation to the effectiveness of STIR/SHAKEN in reducing spoofed robocalls. Moreover, it fails to explain how we would identify or define such carriers or how such a scheme would stop malicious callers from simply using a different voice service provider.

1. STIR/SHAKEN Implementation Requirements

32. We adopt our proposal in the 2019 Further Notice to require voice service providers to implement the STIR/SHAKEN framework. Specifically, we require all originating and terminating voice service providers to fully implement STIR/SHAKEN on the portions of their voice networks that support the transmission of SIP calls and exchange calls with authenticated caller ID information with the providers with which they interconnect. This STIR/SHAKEN mandate will create the trust ecosystem necessary for effective caller ID authentication.

33. As part of today's mandate, we adopt the following three requirements: (i) A voice service provider that originates a call that exclusively transits its own network must authenticate and verify the caller ID information consistent with the STIR/SHAKEN authentication framework; (ii) a voice service provider originating a call that it will exchange with another voice service provider or intermediate provider must authenticate the caller ID information in accordance with the STIR/SHAKEN authentication framework and, to the extent technically feasible, transmit that caller ID information with authentication to the next provider in the call path; and (iii) a voice service provider terminating a call with authenticated caller ID information it receives from another provider must verify that caller ID information in accordance with the STIR/SHAKEN authentication framework. We discuss these requirements below. The TRACED Act states in § 4(b)(1)(A) that the Commission shall “require a provider of voice service to implement the STIR/SHAKEN authentication framework” in its IP networks. It goes on to create an exemption, stating that the Commission “shall not take the action” set forth in § 4(b)(1)(A) “if the Commission determines [by December 30, 2020] that such provider of voice service” in its Internet Protocol networks meets four criteria focused on achieving certain benchmarks prior to the full mandate going into effect. USTelecom has submitted proposed interpretations of those four criteria for our consideration. Among other things, USTelecom proposes requiring a showing that all consumer VoIP and VoLTE traffic originating on a voice service provider's network is capable of authentication, or will be capable of authentication, by June 30, 2021. CTIA and USTelecom argue that we should consider replacing the implementation criteria that we adopt with USTelecom's interpretations of the four criteria in § 4(b)(2)(A). We find this request inconsistent with the structure of the TRACED Act, which creates a general mandate to implement STIR/SHAKEN in § 4(b)(1)(A) and a separate exemption process in § 4(b)(2)(A). Further, USTelecom's suggested language would not adequately address the responsibilities of voice service providers to “implement the STIR/SHAKEN authentication framework” in accordance with § 4(b)(1)(A) because it would only require demonstration of testing and capability rather than the details of how authentication must actually be applied.

34. First, a voice service provider must authenticate and verify, consistent with the STIR/SHAKEN authentication framework, the caller ID information of those calls that it originates and terminates exclusively in the IP portions of its own network. The most effective caller ID authentication system requires the application of STIR/SHAKEN to all calls, including calls solely originating and terminating on the same voice service provider's network. We recognize that certain components of the STIR/SHAKEN framework are designed to promote trust across different voice service provider networks and so are not necessary for calls that a voice service provider originates and terminates solely on its own network. A provider satisfies its obligation under this requirement so long as it authenticates and verifies in a manner consistent with the STIR/SHAKEN framework, such as by including origination and attestation information in the SIP INVITE used to establish the call.

35. Our next two requirements relate to the exchange of caller ID authentication information. In the 2019 Further Notice, we sought comment on whether we should “require providers to sign calls on an intercarrier basis.” The record demonstrated support for this approach, and we add specificity by outlining particular obligations on voice service providers for this requirement. More specifically, a voice service provider that originates a call which it will exchange with another voice service provider or intermediate provider must use an authentication service and insert the Identity header in the SIP INVITE and thus authenticate the caller ID information in accordance with the STIR/SHAKEN authentication framework; it further must transmit that call with authentication to the next voice service provider or intermediate provider in the call path, to the extent technically feasible. We recognize that the transmission of STIR/SHAKEN authentication information over a non-IP interconnection point is not technically feasible at this time. Additionally, a voice service provider that terminates a call with authenticated caller ID information it receives from another voice service provider or intermediate provider must use a verification service, which uses a public key to review the information stored in the Identity header to verify that caller ID information in accordance with the STIR/SHAKEN authentication framework. These actions are at the core of an effective STIR/SHAKEN ecosystem, and each action requires the other: A terminating voice service provider can only verify caller ID information that has been authenticated by the originating voice service provider and transmitted with authentication, while an originating voice service provider's authentication has little value if the terminating voice service provider fails to verify that caller ID information.

36. Definitions and Scope. For purposes of the rules we adopt today, and consistent with the TRACED Act, we define “STIR/SHAKEN authentication framework” as “the secure telephone identity revisited and signature-based handling of asserted information using tokens standards.” For purposes of compliance with this definition, we find that it would be sufficient to adhere to the three ATIS standards that are the foundation of STIR/SHAKEN—ATIS-1000074, ATIS-1000080, and ATIS-1000084—and all documents referenced therein. We recognize that industry is actively working to improve STIR/SHAKEN. Compliance with the most current versions of these three standards as of March 31, 2020, including any errata as of that date or earlier, represents the minimum requirement to satisfy our rules. ATIS and the SIP Forum conceptualized ATIS-1000074 as “provid[ing] a baseline that can evolve over time, incorporating more comprehensive functionality and a broader scope in a backward compatible and forward looking manner.” We intend for our rules to provide this same room for innovation, while maintaining an effective caller ID authentication ecosystem. Voice service providers may incorporate any improvements to these standards or additional standards into their respective STIR/SHAKEN authentication frameworks, so long as any changes or additions maintain the baseline call authentication functionality exemplified by ATIS-1000074, ATIS-1000080, and ATIS-1000084.

37. For purposes of our rules, we also adopt a definition of “voice service” that aligns with the TRACED Act. The TRACED Act employs a broad definition of “voice service” that includes “without limitation, any service that enables real-time, two-way voice communications, including any service that requires [I]nternet [P]rotocol-compatible customer premises equipment . . . and permits out-bound calling, whether or not the service is one-way or two-way voice over [I]nternet [P]rotocol.” The TRACED Act definition is limited, however, to service “that is interconnected with the public switched telephone network and that furnishes voice communications to an end user.” Thus, the rules we adopt today apply to originating and terminating voice service providers and exclude intermediate providers.

38. In recognition of the fact that STIR/SHAKEN is a SIP-based solution, we limit application of the rules we adopt today to only the IP portions of voice service providers' networks—those portions that are able to initiate, maintain, and terminate SIP calls. This approach is consistent with section 4(b)(1)(A) of the TRACED Act, which directs us to require implementation of STIR/SHAKEN “in the [I]nternet [P]rotocol networks of the provider of voice service.” We agree with commenters that it would be inappropriate to simply extend the mandate we adopt to non-IP networks.

39. We adopt the proposal from the 2019 Further Notice that our implementation mandate apply to all types of “voice service providers—wireline, wireless, and Voice over Internet Protocol (VoIP) providers.” The Cloud Communications Alliance has raised concerns over whether all voice service providers are able to obtain the certificates used for the intercarrier exchange of authenticated caller ID information under the Governance Authority's current policies. We look forward to working with the Governance Authority and the Cloud Communications Alliance and its members to determine how best to resolve these issues expeditiously going forward. This includes both two-way and one-way interconnected VoIP providers. For STIR/SHAKEN to be successful, all voice service providers capable of implementing the framework must participate. If a subset of voice service providers continue operating on IP networks without implementing STIR/SHAKEN, it will undercut the framework's effectiveness. Congress demonstrated its recognition of this fact when it adopted a broad definition of “voice service” in the TRACED Act, which includes “any service that is interconnected with the public switched telephone network and that furnishes voice communications to an end user using resources from the North American Numbering Plan.” This includes, “without limitation, any service that enables real-time, two-way voice communications, including any service that requires [I]nternet [P]rotocol -compatible customer premises equipment (commonly known as `CPE') and permits out-bound calling, whether or not the service is one-way or two-way voice over [I]nternet [P]rotocol.” We find that our conclusion to apply the mandate to a broad category of voice service providers is consistent with Congress's language in the TRACED Act.

40. Finally, we clarify that the rules we adopt today do not apply to providers that lack control of the network infrastructure necessary to implement STIR/SHAKEN.

41. Implementation Deadline. We set the implementation deadline of June 30, 2021 for two reasons. First, it is consistent with the TRACED Act, which requires us to set a deadline for implementation of STIR/SHAKEN that is not later than 18 months after enactment of that Act, i.e., no later than June 30, 2021. Second, this deadline will provide sufficient time for us to implement, and for voice service providers to gain, a meaningful benefit from the implementation exemption and extension mechanisms established by the TRACED Act. Because we find that this implementation deadline is necessary to accommodate the various exemption and extension mechanisms established by the TRACED Act, we decline to adopt the suggestion of some commenters that we mandate implementation by June 1, 2020. As we note in the accompanying Further Notice, the TRACED Act contemplates compliance extensions and exemptions for those providers that we determine meet certain criteria by December 30, 2020. We see no way to square this statutory requirement with imposition of a mandate six months before that date.

2. Legal Authority

42. We conclude that section 251(e) of the Communications Act of 1934, as amended (the Act), provides authority to mandate the adoption of the STIR/SHAKEN framework in the IP portions of voice service providers' networks. Section 251(e) provides us “exclusive jurisdiction over those portions of the North American Numbering Plan that pertain to the United States.” Pursuant to this provision, we retain “authority to set policy with respect to all facets of numbering administration in the United States.” Our exclusive jurisdiction over numbering policy enables us to act flexibly and expeditiously with regard to important numbering matters. When bad actors unlawfully falsify or spoof the caller ID that appears on a subscriber's phone, they are using numbering resources to advance an illegal scheme. Mandating that voice service providers deploy the STIR/SHAKEN framework will help to prevent the fraudulent exploitation of North American Numbering Plan (NANP) resources by permitting those providers and their subscribers to identify when caller ID information has been spoofed. Section 251(e) thus grants us authority to mandate that voice service providers implement the STIR/SHAKEN caller ID authentication framework in order to prevent the fraudulent exploitation of numbering resources. The Commission has previously concluded that its numbering authority allows it to extend numbering-related requirements to interconnected VoIP providers that use telephone numbers. As the Commission has explained, “the obligation to ensure that numbers are available on an equitable basis is reasonably understood to include not only how numbers are made available but to whom, and on what terms and conditions. Thus, we conclude that the Commission has authority under section 251(e)(1) to extend to interconnected VoIP providers both the rights and obligations associated with using telephone numbers.” Moreover, as the Commission has previously found, section 251(e) extends to “the use of . . . unallocated and unused numbers”; it thus gives us authority to mandate that voice service providers implement the STIR/SHAKEN framework to address the spoofing of unallocated and unused numbers. The Commission previously relied on this authority to make clear that voice service providers may block calls that spoof invalid, unallocated, or unused numbers, none of which can actually be used to originate a call. In the 2019 Further Notice, we proposed to rely on section 251(e) of the Act for authority to mandate implementation of caller ID authentication technology and, specifically, the STIR/SHAKEN framework; no commenter challenged that proposal. We note, however, that because STIR/SHAKEN implementation is not a “numbering administration arrangement,” section 251(e)(2), which provides that “[t]he cost of establishing telecommunications numbering administration arrangements . . . shall be borne by all telecommunications carriers on a competitively neutral basis,” does not apply here. Even if section 251(e)(2) did apply, we find that it is satisfied by our requirement that each carrier bear its own costs, since each carrier's costs will be proportional to the size and quality of its network.

43. The TRACED Act confirms our authority to mandate the adoption of the STIR/SHAKEN framework in the IP portions of voice service providers' networks. Indeed, the TRACED Act expressly directs us to require voice service providers to implement the STIR/SHAKEN framework in the IP portions of their networks no later than 18 months after the date of that Act's enactment. The TRACED Act thus provides a second clear source of authority for the rules we adopt today.

44. Finally, we note that Congress charged us with prescribing regulations to implement the Truth in Caller ID Act, which made unlawful the spoofing of caller ID information “in connection with any telecommunications service or IP-enabled voice service . . . with the intent to defraud, cause harm, or wrongfully obtain anything of value.” Given the constantly evolving tactics by malicious callers to use spoofed caller ID information to commit fraud, we find that the rules we adopt today are necessary to enable voice service providers to help prevent these unlawful acts and to protect voice service subscribers from scammers and bad actors. Thus, section 227(e) provides additional independent authority for these rules. While we sought comment in the 2019 Robocall Declaratory Ruling and Further Notice on the applicability of sections 201(b) and 202(a) as sources of authority, we did so in the context of adopting rules to create a safe harbor for certain call-blocking programs and requiring voice service providers that offer call-blocking programs to maintain a Critical Calls List. Because we did not seek comment in that item on whether these provisions grant the Commission authority to mandate caller ID authentication, and specifically STIR/SHAKEN, we do not rely on them here as sources of authority.

B. Summary of Costs and Benefits

45. We are convinced that the benefits of requiring STIR/SHAKEN implementation far outweigh the costs, even if adoption of the TRACED Act makes a comprehensive cost-benefit analysis of a STIR/SHAKEN implementation mandate unnecessary. Because STIR/SHAKEN is a part of a broader set of technological and regulatory efforts necessary to address illegal calls, and its limited deployment makes it difficult to measure its full effects at this time, we compare the estimated costs of implementing STIR/SHAKEN to the overall foreseeable range of quantifiable and non-quantifiable benefits of eliminating illegal calls, recognizing that STIR/SHAKEN is necessary but not, alone, a solution to the problem. These benefits include reduction in nuisance calls, increased protection from illegally spoofed calls restoration of consumer confidence in incoming calls, fewer robocall-generated disruptions of healthcare and emergency communications, reduction in regulatory enforcement costs, and reduction in provider costs. We conclude that, based on any plausible assumption about the scope of illegal calls deterred by STIR/SHAKEN, the foreseeable benefits of STIR/SHAKEN implementation—including reduction in calls that cost Americans billions of dollars each year—will far exceed estimated costs, including both recurring operating costs of between roughly $39 million and $780 million annually and estimated up-front costs, which may be in the tens of millions of dollars for the largest voice service providers. It is implausible that total implementation costs will come close to the expected benefits of our actions. For example, broad industry support for deploying STIR/SHAKEN strongly indicates that the benefits to industry alone outweigh implementation costs, even before considering the benefits to consumers of implementation.

1. Expected Benefits

46. We supplement our estimate of the benefits of eliminating illegal and unwanted robocalls in the 2019 Further Notice with additional data. Consistent with our earlier conclusion, we find that the deployment requirements set forth in this Report and Order will be integral to solving illegal robocall spoofing specifically and illegal robocalling generally.

47. Eliminating Nuisance. In the 2019 Further Notice, we estimated benefits of at least $3 billion from eliminating illegal scam robocalls. That estimate assumed a benefit of ten cents per call and multiplied it across a figure of 30 billion illegal scam robocalls per year, derived from third-party data. We also sought comment on this $3 billion estimate and concluded that “most of these benefits can be achieved . . . primarily because SHAKEN/STIR will inform providers of the call's true origination.” We received no comment on this conclusion. In its comments, Smithville Telephone Company states that a $3 billion benefit amounts to 55 cents per voice line per month (calculated by dividing the $3 billion benefit by 455 million retail voice telephone service connections based on the FCC's Voice Telephone Services Status as of June 30, 2017), and questions whether such benefit is enough to drive this decision. The estimate of 30 billion scam calls consists of an estimated 47% of all robocalls. If the average line receives approximately 5 to 6 scam calls per month, Smithville's calculation is consistent with our previous estimate. Our burden is to determine that benefits exceed costs, and we find that the benefits of implementing STIR/SHAKEN far exceed the costs. We agree with commenters that STIR/SHAKEN is one important part of a broader set of tools to solve illegal robocalls. We thus reaffirm our finding that the potential benefits resulting from eliminating the wasted time and nuisances caused by illegal scam robocalls will exceed $3 billion annually.

48. Reducing Fraud. Fraudulent robocall schemes cost Americans an estimated $10.5 billion annually, according to a third-party survey. To reach $10.5 billion, Truecaller multiplied the 17% of survey respondents who reported losing money in a scam during the past 12 months by the 2018 U.S. Census adult population estimate of 253 million. The estimated 43 million phone scam victims was then multiplied by the average loss of $244. A recent civil action filed by the U.S. Department of Justice against five VoIP carriers identifies several examples of fraud where consumers individually lost between $700 and $9,800 in a single instance. To reach $10.5 billion, Truecaller multiplied the 17% of survey respondents who reported losing money in a scam during the past 12 months by the 2018 U.S. Census adult population estimate of 253 million. The estimated 43 million phone scam victims was then multiplied by the average loss of $244. While STIR/SHAKEN will not itself stop a malicious party from using the voice network to commit fraud, it will inform a call recipient that the caller has used deceptive caller ID information to try to convince the called party to answer the phone. Many commenters noted value in pairing STIR/SHAKEN with call analytics, and we expect this will significantly reduce the effectiveness of spoofing fraud that costs Americans billions of dollars each year, and similarly reduce the incidence of such fraud.

49. Restoring Confidence in Caller ID Information. STIR/SHAKEN implementation and other efforts to minimize illegal robocalls will begin to restore trust in caller ID information and make call recipients more likely to answer the phone. Declines in willingness to answer incoming calls in recent years have harmed businesses, healthcare providers, and non-profit charities. For example, utility companies often call to confirm installation appointments, “[b]ut if the customer doesn't answer the phone for the appointment reminder and the truck shows up when they're not there, by one estimate, that's a $150 cost.” Similarly, medical providers have indicated that patients often fail to answer scheduling calls from specialists' offices and eventually the office will give up after repeated attempts. Donations to charities have also declined as a result of the decreased likelihood of answering the phone. Such organizations likely will benefit because recipients should be more likely to answer their phones if caller ID information is authenticated. Furthermore, while we do not adopt any display mandates in this item, we anticipate that voice service providers will implement voluntary efforts to restore confidence in caller ID information. Studies conducted by Cequint indicate that including additional caller ID information (e.g., showing a business logo along with caller ID information on a smartphone display to convey legitimacy) increased pick up rates from 21% to 71%. Such information will enhance the benefits achieved by STIR/SHAKEN implementation.

50. Ensuring Reliable Access to Emergency and Healthcare Communications. Implementing STIR/SHAKEN will lead to fewer disruptions of healthcare and emergency communication systems that needlessly put lives at risk. Hospitals and 911 dispatch centers have reported that robocall surges have disabled or disrupted their communications network, and such disruptions have the potential to impede communications in life-or-death emergency situations. In one instance, Tufts Medical Center in Boston received more than 4,500 robocalls in a two-hour period. In another, the phone lines of several 911 dispatch centers in Tarrant County, Texas, were disabled because of an hour long surge in robocalls. In 2018, the Commission imposed a $120 million penalty for an illegal robocall campaign that disrupted an emergency medical paging service. Enabling voice service providers to more effectively identify illegal calls, including spoofed calls, to healthcare and emergency communication systems should reduce the risk of such situations. The benefit to public safety will be considerable.

51. Reducing Costs to Voice Service Providers. An overall reduction in robocalls will “greatly lower network costs by eliminating unwanted traffic and by eliminating the labor costs of handling numerous customer complaints.” We treat these anticipated reductions in cost as a benefit to providers in order to limit our analysis of expected costs to those for implementation and operation. Illegal robocalls have led to unnecessary network congestion with broader possible impacts than the targeted disruption of healthcare and emergency operations described above. We agree with Comcast's assessment that “the ability to identify and address illegally spoofed robocalls using STIR/SHAKEN will help reduce network costs for voice service providers.” One commenter argues that this benefit may be realized by larger providers more than smaller providers and we acknowledge that the benefits of changes in network capacity will vary by provider. Voice service providers should also realize cost savings through the reduced need for customer service regarding illegal calls. We find that the overall benefit of these anticipated cost savings will be substantial and represent a long-term reduction in provider costs attributable to STIR/SHAKEN. Voice service providers may pass on the cost savings to subscribers in the form of lower prices, resulting in additional benefit to their subscribers.

52. Reducing Spending on Enforcement Actions. Broad STIR/SHAKEN implementation will both reduce the need for enforcement against illegally spoofed robocalls and make continued enforcement less resource intensive. The Commission has brought at least six enforcement actions against apparently liable actors for illegally spoofing caller ID, and issued 38 warning citations for violations of the Telephone Consumer Protection Act. The Federal Trade Commission has taken 145 enforcement actions against companies for Do Not Call Registry violations, and 25 other federal, state, and local agencies brought 87 enforcement actions as part of a single 2019 initiative. By reducing overall numbers of robocalls and providing additional information for enforcement, industry-wide implementation of STIR/SHAKEN will save resources at federal, state, and local agencies. While we do not quantify these savings, we believe they add to the benefits of STIR/SHAKEN implementation that will accrue.

2. Expected Costs

53. Implementation costs for STIR/SHAKEN will vary depending on a voice service provider's existing network configuration. Commenters indicated that voice service providers will incur ongoing costs in addition to one-time implementation costs. Estimated one-time costs include, among others, software licensing for authentication and verification services; hardware upgrades to network elements such as session border controllers and hardware upgrades required for software compatibility; as well as connectivity and network configuration changes, depending on current network configuration, and related testing. One of the largest voice service providers estimates that it will face one-time implementation costs “in the tens of millions of dollars.” We expect that implementation costs are likely to vary significantly based on voice service provider size and choices as to implementation solutions. For example, voice service providers choosing to directly implement STIR/SHAKEN will likely face larger one-time costs than voice service providers choosing a hosted solution, which are likely to have larger recurring costs. Recurring annual costs will include fees associated with authenticating and verifying calls, plus certificate fees. Estimates for recurring annual operating costs discussed by panelists at the Commission's July 2019 SHAKEN/STIR Robocall Summit range anywhere from approximately $15,000 to $300,000. Our estimate regarding recurring annual operating costs reflects a range because of variation in provider costs and the uncertainty of costs given the ongoing nature of STIR/SHAKEN implementation. One commenter asserts that recurring annual operating costs are “likely to be on the lower end of th[is] range.” On the other hand, USTelecom points out that fees paid by voice service providers to the Governance Authority and Policy Administrator range from $825 to $240,000 per year and states that a number of its members pay the highest annual fee. Based on the record, we estimate that the approximately 2,600 voice service providers together would spend between roughly $39 million and $780 million annually in operating costs, with up-front costs for the largest voice service providers in the tens of millions of dollars. Approximately 2,600 companies offered mobile voice or fixed voice service in December 2018. We anticipate that voice service providers may be able to streamline their costs over time. Moreover, we recognize that smaller voice service providers may have different costs and challenges than larger providers, but we are confident that benefits to all Americans far exceed one-time implementation and recurring annual operating costs. One small, rural provider, using estimates from the Commission's 2019 SHAKEN/STIR Robocall Summit, concludes that an annual recurring cost of $100,000 will result in a cost of $26 per line for its 319 customers. Additionally, in the Further Notice, we propose to extend the compliance deadline for smaller voice service providers and anticipate that increased competition between vendors may result in lower prices and higher quality solutions. One small, rural provider, using estimates from the Commission's 2019 SHAKEN/STIR Robocall Summit, concludes that an annual recurring cost of $100,000 will result in a cost of $26 per line for its 319 customers. Additionally, in the Further Notice, we propose to extend the compliance deadline for smaller voice service providers and anticipate that increased competition between vendors may result in lower prices and higher quality solutions.

C. Other Issues

54. Display. We are pleased by voice service providers' efforts to incorporate STIR/SHAKEN verification results in the information that they display to their customers. Voice service providers so far are taking a variety of approaches to leveraging STIR/SHAKEN verification result information to protect their subscribers from fraudulently spoofed calls, including through display of that information. For instance, AT&T announced that it would display a green checkmark and the words “Valid Number” to subscribers if the call has been authenticated and passed through screening. T-Mobile announced that it would display the words “Caller Verified,” on the end user's device when it has verified that the call is authentic. Other voice service providers have not yet announced plans to display STIR/SHAKEN authentication information. Because we expect voice service providers to have marketplace incentives to make the best possible use of STIR/SHAKEN information once it is available, and because industry practices regarding display of STIR/SHAKEN verification results are in their early stages of development, we decline at this time to require voice service providers to display STIR/SHAKEN verification results to their subscribers or mandate the specifications voice service providers must use if they choose to display. AARP and CUNA advocate for a display requirement but do not identify a reason for a mandate beyond merely pointing to the value of displaying verification information. While display of verification information may be valuable, we decline to adopt a mandate on that basis because we expect the marketplace to drive display efforts, and because we anticipate that marketplace solutions will be superior to a static regulatory mandate. In December 2019, the Consumer Advisory Committee recommended that stakeholders “conduct studies and solicit input on what factors voice service providers should consider for displaying caller ID information to consumers, including . . . SHAKEN/STIR verification.” We do not seek to prevent the market from determining which form of display, if any, is most useful; instead, we seek to encourage voice service providers to find the solutions that work best for their subscribers.

55. Governance. Several commenters advocate changing the governance structure. These commenters suggest we play an adjudicatory role in disputes that may arise between voice service providers, or direct the Governance Authority to take action on specific use cases, or change the membership requirements of the Governance Authority.

56. We decline to impose new regulations on the STIR/SHAKEN governance structure. Stakeholders met the aggressive timeline laid out in the report issued by the North American Numbering Council (NANC), establishing a collaborative Governance Authority and selecting the Policy Administrator by May 2019. By December 2019, the Policy Administrator approved the first Certification Authorities, and voice service providers were able to register with the Policy Administrator to obtain credentials necessary to receive certificates from approved Certificate Authorities. We agree with T-Mobile that, at this time, it “is not necessary for the Commission to have a role in STIR/SHAKEN governance.” STIR/SHAKEN is a flexible solution with an industry-led governance system that can adapt and respond to new developments. We do not think that our intervention in the governance structure is appropriate at this stage given that we do not know the nature and scope of the problems that may arise and industry is already working to address specific use cases. Additionally, because the Governance Authority is made up of a variety of stakeholders representing many perspectives, we have no reason to believe it will not operate on a neutral basis. The current STI-GA Leadership and Board of Directors is available at https://www.atis.org/​sti-ga/​leadership.

IV. Procedural Matters

57. Paperwork Reduction Act. This document does not contain new or modified information collection requirements subject to the Paperwork Reduction Act of 1995 (PRA), Public Law 104-13. In addition, therefore, it does not contain any new or modified information collection burden for small business concerns with fewer than 25 employees, pursuant to the Small Business Paperwork Relief Act of 2002, Public Law 107-198.

58. Congressional Review Act. The Commission has determined, and the Administrator of the Office of Information and Regulatory Affairs, Office of Management and Budget, concurs, that this rule is non-major under the Congressional Review Act, 5 U.S.C. 804(2). The Commission will send a copy of this Report & Order and Further Notice of Proposed Rulemaking to Congress and the Government Accountability Office pursuant to 5 U.S.C. 801(a)(1)(A).

59. Ex Parte Rules. This proceeding shall be treated as a “permit-but-disclose” proceeding in accordance with the Commission's ex parte rules. Persons making ex parte presentations must file a copy of any written presentation or a memorandum summarizing any oral presentation within two business days after the presentation (unless a different deadline applicable to the Sunshine period applies). Persons making oral ex parte presentations are reminded that memoranda summarizing the presentation must (1) List all persons attending or otherwise participating in the meeting at which the ex parte presentation was made, and (2) summarize all data presented and arguments made during the presentation. If the presentation consisted in whole or in part of the presentation of data or arguments already reflected in the presenter's written comments, memoranda or other filings in the proceeding, the presenter may provide citations to such data or arguments in his or her prior comments, memoranda, or other filings (specifying the relevant page or paragraph numbers where such data or arguments can be found) in lieu of summarizing them in the memorandum. Documents shown or given to Commission staff during ex parte meetings are deemed to be written ex parte presentations and must be filed consistent with Rule 1.1206(b). In proceedings governed by Rule 1.49(f) or for which the Commission has made available a method of electronic filing, written ex parte presentations and memoranda summarizing oral ex parte presentations, and all attachments thereto, must be filed through the electronic comment filing system available for that proceeding, and must be filed in their native format (e.g., .doc, .xml, .ppt, searchable .pdf). Participants in this proceeding should familiarize themselves with the Commission's ex parte rules.

60. Final Regulatory Flexibility Analysis. As required by the Regulatory Flexibility Act of 1980 (RFA), an Initial Regulatory Flexibility Analysis (IRFA) was incorporated into the 2019 Robocall Declaratory Ruling and Further Notice. The Commission sought written public comment on the possible significant economic impact on small entities regarding the proposals addressed in the 2019 Robocall Declaratory Ruling and Further Notice, including comments on the IRFA. Pursuant to the RFA, a Final Regulatory Flexibility Analysis is set forth in Appendix C. The Commission's Consumer and Governmental Affairs Bureau, Reference Information Center, will send a copy of this Report and Order, including the FRFA, to the Chief Counsel for Advocacy of the Small Business Administration (SBA).

A. Need for, and Objectives of, the Rules

61. Nefarious schemes that manipulate caller ID information to deceive consumers about the name and phone number of the party that is calling them, in order to facilitate fraudulent and other harmful activities, continue to plague American consumers. In this Report and Order (Order), we both act on our proposal to require voice service providers to implement the STIR/SHAKEN caller ID authentication framework if major voice service providers did not voluntarily do so by the end of 2019, and implement the Pallone-Thune Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act, which directs the Commission to require all voice service providers to implement STIR/SHAKEN in the IP portions of their networks.

B. Summary of Significant Issues Raised by Public Comments in Response to the IRFA

62. There were no comments filed that specifically addressed the proposed rules and policies presented in the IRFA.

C. Response to Comments by the Chief Counsel for Advocacy of the SBA

63. Pursuant to the Small Business Jobs Act of 2010, which amended the RFA, the Commission is required to respond to any comments filed by the Chief Counsel for Advocacy of the Small Business Administration (SBA), and to provide a detailed statement of any change made to the proposed rules as a result of those comments.

64. The Chief Counsel did not file any comments in response to the proposed rules in this proceeding.

D. Description and Estimate of the Number of Small Entities to Which the Rules Will Apply

65. The RFA directs agencies to provide a description and, where feasible, an estimate of the number of small entities that may be affected by the final rules adopted pursuant to the Order. The RFA generally defines the term “small entity” as having the same meaning as the terms “small business,” “small organization,” and “small governmental jurisdiction.” In addition, the term “small business” has the same meaning as the term “small-business concern” under the Small Business Act. Pursuant to 5 U.S.C. 601(3), the statutory definition of a small business applies “unless an agency, after consultation with the Office of Advocacy of the Small Business Administration and after opportunity for public comment, establishes one or more definitions of such term which are appropriate to the activities of the agency and publishes such definition(s) in the Federal Register.”A “small-business concern” is one which: (1) Is independently owned and operated; (2) is not dominant in its field of operation; and (3) satisfies any additional criteria established by the SBA.

1. Wireline Carriers

66. Wired Telecommunications Carriers. The U.S. Census Bureau defines this industry as “establishments primarily engaged in operating and/or providing access to transmission facilities and infrastructure that they own and/or lease for the transmission of voice, data, text, sound, and video using wired communications networks. Transmission facilities may be based on a single technology or a combination of technologies. Establishments in this industry use the wired telecommunications network facilities that they operate to provide a variety of services, such as wired telephony services, including VoIP services, wired (cable) audio and video programming distribution, and wired broadband internet services. By exception, establishments providing satellite television distribution services using facilities and infrastructure that they operate are included in this industry.” The SBA has developed a small business size standard for Wired Telecommunications Carriers, which consists of all such companies having 1,500 or fewer employees. U.S. Census Bureau data for 2012 show that there were 3,117 firms that operated that year. Of this total, 3,083 operated with fewer than 1,000 employees. The largest category provided by the census data is “1000 employees or more” and a more precise estimate for firms with fewer than 1,500 employees is not provided. Thus, under this size standard, the majority of firms in this industry can be considered small.

67. Local Exchange Carriers (LECs). Neither the Commission nor the SBA has developed a size standard for small businesses applicable to local exchange services. The closest applicable NAICS Code category is Wired Telecommunications Carriers. Under the applicable SBA size standard, such a business is small if it has 1,500 or fewer employees. U.S. Census Bureau data for 2012 show that there were 3,117 firms that operated for the entire year. Of that total, 3,083 operated with fewer than 1,000 employees. The largest category provided by the census data is “1000 employees or more” and a more precise estimate for firms with fewer than 1,500 employees is not provided. Thus under this category and the associated size standard, the Commission estimates that the majority of local exchange carriers are small entities.

68. Incumbent Local Exchange Carriers (incumbent LECs). Neither the Commission nor the SBA has developed a small business size standard specifically for incumbent local exchange services. The closest applicable NAICS Code category is Wired Telecommunications Carriers. Under the applicable SBA size standard, such a business is small if it has 1,500 or fewer employees. U.S. Census Bureau data for 2012 indicate that 3,117 firms operated the entire year. Of this total, 3,083 operated with fewer than 1,000 employees. Consequently, the Commission estimates that most providers of incumbent local exchange service are small businesses that may be affected by our actions. According to Commission data, one thousand three hundred and seven (1,307) Incumbent Local Exchange Carriers reported that they were incumbent local exchange service providers. Of this total, an estimated 1,006 have 1,500 or fewer employees. Thus, using the SBA's size standard the majority of incumbent LECs can be considered small entities.

69. Competitive Local Exchange Carriers (competitive LECs), Competitive Access Providers (CAPs), Shared-Tenant Service Providers, and Other Local Service Providers. Neither the Commission nor the SBA has developed a small business size standard specifically for these service providers. The appropriate NAICS Code category is Wired Telecommunications Carriers and under that size standard, such a business is small if it has 1,500 or fewer employees. U.S. Census Bureau data for 2012 indicate that 3,117 firms operated during that year. Of that number, 3,083 operated with fewer than 1,000 employees. The largest category provided by the census data is “1000 employees or more” and a more precise estimate for firms with fewer than 1,500 employees is not provided. Based on these data, the Commission concludes that the majority of Competitive LECS, CAPs, Shared-Tenant Service Providers, and Other Local Service Providers, are small entities. According to Commission data, 1,442 carriers reported that they were engaged in the provision of either competitive local exchange services or competitive access provider services. Of these 1,442 carriers, an estimated 1,256 have 1,500 or fewer employees. In addition, 17 carriers have reported that they are Shared-Tenant Service Providers, and all 17 are estimated to have 1,500 or fewer employees. Also, 72 carriers have reported that they are Other Local Service Providers. Of this total, 70 have 1,500 or fewer employees. Consequently, based on internally researched FCC data, the Commission estimates that most providers of competitive local exchange service, competitive access providers, Shared-Tenant Service Providers, and Other Local Service Providers are small entities.

70. We have included small incumbent LECs in this present RFA analysis. As noted above, a “small business” under the RFA is one that, inter alia, meets the pertinent small-business size standard (e.g., a telephone communications business having 1,500 or fewer employees) and “is not dominant in its field of operation.” The SBA's Office of Advocacy contends that, for RFA purposes, small incumbent LECs are not dominant in their field of operation because any such dominance is not “national” in scope. We have therefore included small incumbent LECs in this RFA analysis, although we emphasize that this RFA action has no effect on Commission analyses and determinations in other, non-RFA contexts. Interexchange Carriers (IXCs). Neither the Commission nor the SBA has developed a small business size standard specifically for Interexchange Carriers. The closest applicable NAICS Code category is Wired Telecommunications Carriers. The applicable size standard under SBA rules is that such a business is small if it has 1,500 or fewer employees. U.S. Census Bureau data for 2012 indicate that 3,117 firms operated for the entire year. Of that number, 3,083 operated with fewer than 1,000 employees. The largest category provided by the census data is “1000 employees or more” and a more precise estimate for firms with fewer than 1,500 employees is not provided.

71. According to internally developed Commission data, 359 companies reported that their primary telecommunications service activity was the provision of interexchange services. Of this total, an estimated 317 have 1,500 or fewer employees. Consequently, the Commission estimates that the majority of interexchange service providers are small entities.

72. Cable System Operators (Telecom Act Standard). The Communications Act of 1934, as amended, also contains a size standard for small cable system operators, which is “a cable operator that, directly or through an affiliate, serves in the aggregate fewer than one percent of all subscribers in the United States and is not affiliated with any entity or entities whose gross annual revenues in the aggregate exceed $250,000,000.” As of 2018, there were approximately 50,504,624 cable video subscribers in the United States. Accordingly, an operator serving fewer than 505,046 subscribers shall be deemed a small operator if its annual revenues, when combined with the total annual revenues of all its affiliates, do not exceed $250 million in the aggregate. Based on available data, we find that all but six incumbent cable operators are small entities under this size standard. We note that the Commission neither requests nor collects information on whether cable system operators are affiliated with entities whose gross annual revenues exceed $250 million. The Commission does receive such information on a case-by-case basis if a cable operator appeals a local franchise authority's finding that the operator does not qualify as a small cable operator pursuant to § 76.901(f) of the Commission's rules. Therefore we are unable at this time to estimate with greater precision the number of cable system operators that would qualify as small cable operators under the definition in the Communications Act.

2. Wireless Carriers

73. Wireless Telecommunications Carriers (Except Satellite). This industry comprises establishments engaged in operating and maintaining switching and transmission facilities to provide communications via the airwaves. Establishments in this industry have spectrum licenses and provide services using that spectrum, such as cellular services, paging services, wireless internet access, and wireless video services. The appropriate size standard under SBA rules is that such a business is small if it has 1,500 or fewer employees. For this industry, U.S. Census Bureau data for 2012 show that there were 967 firms that operated for the entire year. Of this total, 955 firms employed fewer than 1,000 employees and 12 firms employed of 1000 employees or more. Available census data does not provide a more precise estimate of the number of firms that have employment of 1,500 or fewer employees. The largest category provided is for firms with “1000 employees or more.” Thus under this category and the associated size standard, the Commission estimates that the majority of wireless telecommunications carriers (except satellite) are small entities.

74. The Commission's own data—available in its Universal Licensing System—indicate that, as of August 31, 2018 there are 265 Cellular licensees that will be affected by our actions. For the purposes of this FRFA, consistent with Commission practice for wireless services, the Commission estimates the number of licensees based on the number of unique FCC Registration Numbers. The Commission does not know how many of these licensees are small, as the Commission does not collect that information for these types of entities. Similarly, according to internally developed Commission data, 413 carriers reported that they were engaged in the provision of wireless telephony, including cellular service, Personal Communications Service (PCS), and Specialized Mobile Radio (SMR) Telephony services. Of this total, an estimated 261 have 1,500 or fewer employees, and 152 have more than 1,500 employees. Thus, using available data, we estimate that the majority of wireless firms can be considered small.

75. Satellite Telecommunications. This category comprises firms “primarily engaged in providing telecommunications services to other establishments in the telecommunications and broadcasting industries by forwarding and receiving communications signals via a system of satellites or reselling satellite telecommunications.” Satellite telecommunications service providers include satellite and earth station operators. The category has a small business size standard of $35 million or less in average annual receipts, under SBA rules. For this category, U.S. Census Bureau data for 2012 show that there were a total of 333 firms that operated for the entire year. Of this total, 299 firms had annual receipts of less than $25 million. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard of annual receipts of $35 million or less. Consequently, we estimate that the majority of satellite telecommunications providers are small entities.

3. Resellers

76. Local Resellers. The SBA has not developed a small business size standard specifically for Local Resellers. The SBA category of Telecommunications Resellers is the closest NAICs code category for local resellers. The Telecommunications Resellers industry comprises establishments engaged in purchasing access and network capacity from owners and operators of telecommunications networks and reselling wired and wireless telecommunications services (except satellite) to businesses and households. Establishments in this industry resell telecommunications; they do not operate transmission facilities and infrastructure. Mobile virtual network operators (MVNOs) are included in this industry. Under the SBA's size standard, such a business is small if it has 1,500 or fewer employees. U.S. Census Bureau data from 2012 show that 1,341 firms provided resale services during that year. Of that number, all operated with fewer than 1,000 employees. Available census data does not provide a more precise estimate of the number of firms that have employment of 1,500 or fewer employees. The largest category provided is for firms with “1000 employees or more.” Thus, under this category and the associated small business size standard, the majority of these resellers can be considered small entities. According to Commission data, 213 carriers have reported that they are engaged in the provision of local resale services. Of these, an estimated 211 have 1,500 or fewer employees and two have more than 1,500 employees. Consequently, the Commission estimates that the majority of local resellers are small entities.

77. Toll Resellers. The Commission has not developed a definition for Toll Resellers. The closest NAICS Code Category is Telecommunications Resellers. The Telecommunications Resellers industry comprises establishments engaged in purchasing access and network capacity from owners and operators of telecommunications networks and reselling wired and wireless telecommunications services (except satellite) to businesses and households. Establishments in this industry resell telecommunications; they do not operate transmission facilities and infrastructure. MVNOs are included in this industry. The SBA has developed a small business size standard for the category of Telecommunications Resellers. Under that size standard, such a business is small if it has 1,500 or fewer employees. 2012 Census Bureau data show that 1,341 firms provided resale services during that year. Of that number, 1,341 operated with fewer than 1,000 employees. Available census data does not provide a more precise estimate of the number of firms that have employment of 1,500 or fewer employees; the largest category provided is for firms with “1000 employees or more.” Thus, under this category and the associated small business size standard, the majority of these resellers can be considered small entities. According to Commission data, 881 carriers have reported that they are engaged in the provision of toll resale services. Of this total, an estimated 857 have 1,500 or fewer employees. Consequently, the Commission estimates that the majority of toll resellers are small entities.

78. Prepaid Calling Card Providers. Neither the Commission nor the SBA has developed a small business definition specifically for prepaid calling card providers. The most appropriate NAICS code-based category for defining prepaid calling card providers is Telecommunications Resellers. This industry comprises establishments engaged in purchasing access and network capacity from owners and operators of telecommunications networks and reselling wired and wireless telecommunications services (except satellite) to businesses and households. Establishments in this industry resell telecommunications; they do not operate transmission facilities and infrastructure. Mobile virtual networks operators (MVNOs) are included in this industry. Under the applicable SBA size standard, such a business is small if it has 1,500 or fewer employees. U.S. Census Bureau data for 2012 show that 1,341 firms provided resale services during that year. Of that number, 1,341 operated with fewer than 1,000 employees. Available census data does not provide a more precise estimate of the number of firms that have employment of 1,500 or fewer employees. The largest category provided is for firms with “1000 employees or more.” Thus, under this category and the associated small business size standard, the majority of these prepaid calling card providers can be considered small entities. According to Commission data, 193 carriers have reported that they are engaged in the provision of prepaid calling cards. All 193 carriers have 1,500 or fewer employees. Consequently, the Commission estimates that the majority of prepaid calling card providers are small entities that may be affected by these rules.

4. Other Entities

79. All Other Telecommunications. The “All Other Telecommunications” category is comprised of establishments primarily engaged in providing specialized telecommunications services, such as satellite tracking, communications telemetry, and radar station operation. This industry also includes establishments primarily engaged in providing satellite terminal stations and associated facilities connected with one or more terrestrial systems and capable of transmitting telecommunications to, and receiving telecommunications from, satellite systems. Establishments providing internet services or voice over internet protocol (VoIP) services via client-supplied telecommunications connections are also included in this industry. The SBA has developed a small business size standard for “All Other Telecommunications,” which consists of all such firms with annual receipts of $35 million or less. For this category, U.S. Census Bureau data for 2012 show that there were 1,442 firms that operated for the entire year. Of those firms, a total of 1,400 had annual receipts less than $25 million and 15 firms had annual receipts of $25 million to $49,999,999. Thus, the Commission estimates that the majority of “All Other Telecommunications” firms potentially affected by our action can be considered small.

E. Description of Projected Reporting, Recordkeeping, and Other Compliance Requirements for Small Entities

80. This Order modifies the Commission's rules in accordance with our proposal to require voice service providers to implement the STIR/SHAKEN caller ID authentication framework if major voice service providers did not voluntarily do so by the end of 2019, and implements Congress's direction in the TRACED Act to mandate STIR/SHAKEN. The amended rules adopted in the Order do not contain reporting or recordkeeping requirements.

F. Steps Taken To Minimize the Significant Economic Impact on Small Entities, and Significant Alternatives Considered

81. The RFA requires an agency to describe any significant, specifically small business, alternatives that it has considered in reaching its approach. This document does not distinguish between small entities and other entities and individuals.

G. Report to Congress

82. The Commission will send a copy of the Order, including this FRFA, in a report to Congress pursuant to the Congressional Review Act. In addition, the Commission will send a copy of the Order, including this FRFA, to the Chief Counsel for Advocacy of the SBA. A copy of the Order and FRFA (or summaries thereof) will also be published in the Federal Register.

V. Ordering Clauses

83. Accordingly, IT IS ORDERED, pursuant to sections 4(i), 4(j), 227(e), 227b, 251(e), and 303(r), of the Communications Act of 1934, as amended (the Act), 47 U.S.C. 154(i), 154(j), 227(e), 227b, 251(e), and 303(r), that this Report and Order IS ADOPTED.

84. IT IS FURTHER ORDERED that Part 64 of the Commission's rules IS AMENDED as set forth in the following.

85. IT IS FURTHER ORDERED that, pursuant to §§ 1.4(b)(1) and 1.103(a) of the Commission's rules, 47 CFR 1.4(b)(1), 1.103(a), this Report and Order SHALL BE EFFECTIVE 30 days after publication in the Federal Register.

86. IT IS FURTHER ORDERED that the Commission SHALL SEND a copy of this Report and Order to Congress and to the Government Accountability Office pursuant to the Congressional Review Act, see 5 U.S.C. 801(a)(1)(A).

List of Subjects in 47 CFR Part 64

  • Communications common carriers
  • Carrier equipment
  • Reporting and recordkeeping requirements
  • Telecommunications
  • Telephone

Federal Communications Commission.

Cecilia Sigmund,

Federal Register Liaison Officer, Office of the Secretary.

Final Rules

For the reasons discussed in the preamble, the Federal Communications Commission amends 47 CFR part 64 follows:

PART 64—MISCELLANEOUS RULES RELATING TO COMMON CARRIERS

1. The authority citation for part 64 is revised to read as follows:

Authority: 47 U.S.C. 154, 201, 202, 217, 218, 220, 222, 225, 226, 227, 227b, 228, 251(a), 251(e), 254(k), 262, 403(b)(2)(B), (c), 616, 620, 1401-1473, unless otherwise noted; Pub. L. 115-141, Div. P, sec. 503, 132 Stat. 348, 1091.

2. Add Subpart HH, consisting of §§ 64.6300 and 64.6301, to read as follows:

Subpart HH—Caller ID Authentication

§ 64.6300
Definitions.

(a) Authenticate caller identification information. The term “authenticate caller identification information” refers to the process by which a voice service provider attests to the accuracy of caller identification information transmitted with a call it originates.

(b) Caller identification information. The term “caller identification information” has the same meaning given the term “caller identification information” in 47 CFR 64.1600(c) as it currently exists or may hereafter be amended.

(c) Intermediate provider. The term “intermediate provider” means any entity that carriers or processes traffic that traverses or will traverse the PSTN at any point insofar as that entity neither originates nor terminates that traffic.

(d) SIP call. The term “SIP call” refers to calls initiated, maintained, and terminated using the Session Initiation Protocol signaling protocol.

(e) STIR/SHAKEN authentication framework. The term “STIR/SHAKEN authentication framework” means the secure telephone identity revisited and signature-based handling of asserted information using tokens standards.

(f) Verify caller identification information. The term “verify caller identification information” refers to the process by which a voice service provider confirms that the caller identification information transmitted with a call it terminates was properly authenticated.

(g) Voice service. The term “voice service”—

(1) Means any service that is interconnected with the public switched telephone network and that furnishes voice communications to an end user using resources from the North American Numbering Plan or any successor to the North American Numbering Plan adopted by the Commission under section 251(e)(1) of the Communications Act of 1934, as amended; and

(2) Includes—

(i) Transmissions from a telephone facsimile machine, computer, or other device to a telephone facsimile machine; and

(ii) Without limitation, any service that enables real-time, two-way voice communications, including any service that requires internet Protocol-compatible customer premises equipment and permits out-bound calling, whether or not the service is one-way or two-way voice over internet Protocol.

§ 64.6301
Caller ID authentication.

(a) STIR/SHAKEN Implementation by Voice Service Providers. Not later than June 30, 2021, a voice service provider shall fully implement the STIR/SHAKEN authentication framework in its internet Protocol networks. To fulfill this obligation, a voice service provider shall:

(1) Authenticate and verify caller identification information for all SIP calls that exclusively transit its own network;

(2) Authenticate caller identification information for all SIP calls it originates and that will exchange with another voice service provider or intermediate provider and, to the extent technically feasible, transmit that call with caller ID authentication information to the next voice service provider or intermediate provider in the call path; and

(3) Verify caller identification information for all SIP calls it receives from another voice service provider or intermediate provider which it will terminate and for which the caller identification information has been authenticated.

(b) [Reserved].

[FR Doc. 2020-07585 Filed 4-20-20; 8:45 am]

BILLING CODE 6712-01-P


Tried the LawStack mobile app?

Join thousands and try LawStack mobile for FREE today.

  • Carry the law offline, wherever you go.
  • Download CFR, USC, rules, and state law to your mobile device.