Is your U.S. or non-U.S. Company subject to STIR-SHAKEN?

The FCC’s rule to register in the Robocall Mitigation Database and to file an Robocall Mitigation Plan (“RMP”) covering all calls you originate but for which you do not create a STIR-SHAKEN header applies to what the FCC calls a “voice service provider” (“VSP”).  Is your company a VSP?  Ask yourself a few questions:  Do you:

  1. Have customers who originate calls on your IP network using a calling party and called party phone number associated with the United States and are in the North American Numbering Plan Format 1+(NPA)(NXX)(XXXX)?
  2. If you answered “Yes,” do you directly or via third-party carriers transmit those calls for termination to the United States, including its territories, e.g., Puerto Rico and Guam, where the calls are, in fact, terminated?

If you answered “No” to one or more of these questions, you may not be subject to the FCC’s STIR-SHAKEN Rules.

However, if you answered “Yes” to these two questions, then you are likely subject to the FCC’s STIR-SHAKEN Rules for those calls subject to the STIR-SHAKEN Rules, so please keep reading.

If you are subject to the STIR-SHAKEN rules, What are your obligations under the U.S. LAW?

Registering as a Voice Service Provider with the FCC

By June 30, 2021, you must register as a Voice Service Provider (“VSP”) with the FCC.  Certifications, identification information, and contact information must be submitted via a portal on the FCC’s website.

As a VSP, beginning June 30, 2021, you must assist the FCC, ITG, or other authorized U.S. entity in inquiries regarding illegal robocalls you may have (knowingly or unknowingly) originated, transmitted, or terminated, and you need to undertake good faith efforts to ensure that you are not willfully transmitting such calls.  If you are subject to the STIR-SHAKEN Rules, you must abide by them:  failure to do so may result in U.S. carriers being absolutely prohibited from receiving voice service traffic from you. Of equal importance when you register as a VSP, you must also certify to the FCC as to whether all, some or none of your voice service calls originated on your IP network are signed by you using STIR-SHAKEN protocols.  What does it mean to sign calls using STIR-SHAKEN protocols?  We’ll discuss that below.  But first, let’s assume that at least initially, none or at least some of your voice service calls will be signed.  If less than all of your voice service calls are signed using STIR-SHAKEN protocols, these unsigned calls are subject to what the FCC calls a Robocall Mitigation Program.  A RMP is, essentially, an explanation of the steps you are taking to ensure that you are not originating illegal robocalls.  One way may be through knowing your customers and the traffic they originate.  Other ways may be through studying the traffic you originate and looking for indicators of illegal robocalls.  If you look on the FCC’s registration website, you will see many carriers that have filed RMPs.  A review of these plans may provide suggestions for you to adopt into your own RMP.

A critical component of a RMP is your stated commitment to respond fully and in a timely manner to requests from the FCC, ITG or other authorized U.S. entity.  When thinking about signing your calls using STIR-SHAKEN protocols and developing an RMP, keep in mind the FCC’s stated goal:  that the only voice traffic to traverse voice networks in the U.S. is from those voice service providers that have either fully implemented STIR-SHAKEN on their entire networks or that have implemented a RMP on those portions of their networks that are not STIR-SHAKEN-enabled.

Certifications, identification information, and contact information must be submitted as part of your RMP via a portal on the FCC’s website here on or before June 30, 2021.  Instructions for submitting a certification and this information can be found here.  VSPs must submit any necessary updates because of changes to their certification, identification information, or contact information to the Commission within 10 business days of the change.

The Robocall Mitigation Database is available on the Commission’s website here.

A list of VSPs that have submitted certifications, may be downloaded from here.

What exactly are STIR-SHAKEN protocols?

When a call is made, a SIP invite is initiated by the calling party. The originating voice service provider receives it and checks the source of the call and calling number to determine the attestation level.

The originating service provider – either on its own or via a third-party authentication service – creates an encrypted SIP identity header that includes:

  • Originating party number
  • Called party number
  • Current date and timestamp
  • Attestation level
  • A unique origination Identifier for traceback

Then, the SIP Invite, along with the SIP identity header, is sent to the intermediate or terminating provider, who – either on its own or via a third-party service – attempts to verify the SIP invite.

What are Attestation Levels?

In a STIR-SHAKEN call, the originating service provider attests via data in the SIP header to their relationship with the caller and the caller’s right to use the calling number.  One part of the data is the Attestation level.  There are three levels of attestation that can be applied to a call:

Full or “A” Attestation:
The voice service provider knows the end-user customer and their right to use the phone number.

Partial or “B” Attestation:
The voice service provider knows the end-user customer but not the source of the phone number.

Gateway or “C” Attestation:
The service provider has originated the call onto the network but cannot authenticate the call source e.g., international gateway.

Once a call has been given an Attestation level, that level may not be changed by another carrier.

How do carriers obtain authorization to implement a SIP Header including Attestation Level?

To become authorized to implement SIP Headers with an Attestation Level, a voice service provider must file an application with the Secure Telephone Identity Policy Administrator (“STI-PA”).  The STI-PA is a company called “iconectiv” and the information they provide on how to obtain a Service Provider Account is found here

The Service Provider Token Access Policy requires that Voice Service Providers seeking to register also meet three criteria:

  1. Have a current form 499A on file with the FCC;
  2. Have been assigned an Operating Company Number (“OCN”); and
  3. Have certified with the FCC that they have implemented STIR/SHAKEN or comply with the Robocall Mitigation Program requirements and are listed in the FCC’s Robocall Mitigation Database.

You can file for an FCC 499A from this page

You can obtain an OCN from this page (If you are not a telephone company, you can apply for an IP Enabled Service OCN (“IPES OCN“))

We have discussed the requirements for #3 above in this article.

What happens if you are not in compliance with the FCC’s STIR-SHAKEN Rules?

If you are not in compliance with the FCC’s STIR-SHAKEN Rules – specifically, if you are not registered with the FCC and with (at least) a RMP on file as discussed above – beginning September 28, 2021, for those calls you originate that are subject to the FCC’s STIR-SHAKEN Rules, no voice service provider will be able to accept these calls for termination in the U.S. because it will be a violation of U.S. law to do so. 

How can GTI help you comply with the FCC’s STIR-SHAKEN Rules?

If you are registered with the FCC and have a RMP on file, we will be able to accept your calls after September 28, 2021:  we will assign them the appropriate Attestation level.  There are some additional things GTI can do to help you to comply with the FCC’s STIR-SHAKEN Rules. We cannot be your legal counsel; we cannot help you fill out forms and we cannot provide legal advice.  If you would like to better understand what we can do for you, contact GTI GLOBAL  sales team.

Recommended Readings

  1. TRACED Act Implementation
  2. Robocall Mitigation Database Opens; Filing Instructions and Deadlines