The STIR/SHAKEN Deadline Is Finally Here!
If you’re like us, you’ve been hearing a lot about STIR/SHAKEN for YEARS! That’s right, two years - since the TRACED Act was passed in 2019. For Neustar, the journey started before that, since Vice President and Fellow, Jon Peterson, first named STIR, and wrote the STIR problem statement and threat model in May 2013―eight years ago!
We’re relieved and excited that the FCC’s June 30 implementation deadline has finally arrived and want to acknowledge all the successes along the way. When it comes to regulations like STIR/SHAKEN, and legislation―as well as technologies and solutions to address the issue of robocalls and call spoofing―so much has happened that it’s hard for Communications Service Providers (CSPs) and enterprises to keep up. We put together a summary, starting with the latest developments, below.
You can also read the blog, The STIR/SHAKEN Deadline is Next Week, Then What?
Let’s begin at the beginning.
Robocalls, call spoofing and scams are rampant, and customers don’t want to answer the phone anymore since they don’t trust who’s calling.
Congress and the FCC stepped in.
The TRACED Act mandated that all CSPs implement STIR/SHAKEN as the caller ID authentication framework in the Internet Protocol (IP) portion of their networks by June 30, 2021. Most of the Tier 1 CSPs in the U.S. have implemented STIR/SHAKEN, and are leveraging robocall mitigation solutions in their networks as part of best practices.
In addition, they’ve encouraged subscribers to use apps to block robocalls. But many small- to mid-sized carriers faced hardships in implementing STIR/SHAKEN due to the cost of compliance to upgrade infrastructure. Such carriers still have an obligation to take action to combat robocalls–and document what they are doing in the FCC’s Robocall Mitigation Database.
According to the FCC, new evidence suggests that a subset of small voice service providers appear to be originating a large and increasing quantity of illegal robocalls. So, on April 29, the FCC issued a proposal to shorten the two-year extension given to small and mid-sized carriers to one year – with a new deadline of June 2022. Read the details here.
Recap of all the rules and regs.
In order from latest to earliest, here’s a list of the many actions taken by regulators to address robocalls in the past few years.
The FCC's public notice mandated that CSPs file certifications about what they’re doing to stop illegal robocalls from originating on their networks in the new Robocall Mitigation Database by TODAY! Even carriers that were granted an extension to STIR/SHAKEN call authentication implementation deadline must provide detailed information about measures they are taking to ensure they are not the source of illegal robocalls.
The FCC doesn’t describe a checklist or prescriptive set of requirements for carriers, as it could act as a blueprint for bad actors to avoid detection. But, CSPs are required to “document and publicly certify how they are complying.”
The FCC does say that a robocall mitigation program is sufficient if it:
- Includes detailed practices that can reasonably be expected to significantly reduce the origination of illegal robocalls
- Complies with the practices it describes
- Participates in industry traceback efforts
The FCC’s Enforcement Bureau will review each CSP’s program and can also prescribe more specific robocall mitigation obligations for any carrier that hasn’t implemented a sufficient robocall mitigation program.
- Beginning September 28, 2021
Intermediate and terminating CSPs must block calls from service providers that are not listed in the database. The result? Some subscribers will be unable to complete calls when the recipient is not on the same name network.
FCC Fourth Report and Order. Expands safe harbor based upon reasonable analytics to cover network-based blocking; requires CSPs work with FCC and law enforcement on tracebacks; and more.
TCPA Report and Order. Limits the number of non-telemarketing calls made to residential phones for the first time.
FCC issues Second Report and Order. Recognizing that many smaller carriers are critical to the cause and may require more time to address certain challenges, the FCC made specific allowances and required robocall mitigation solutions as an interim measure.
FCC mandates that service providers implement STIR/SHAKEN call authentication technology in the Internet protocol (IP) portions of their phone networks by June 30, 2021.
Congress passes Pallone-Thune Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act. Directs FCC to take numerous steps to promote and require STIR/SHAKEN implementation.
FCC’s Wireline Competition Bureau also called upon North American Numbering Council (NANC) via its Call Authentication Trust Anchor (CATA) Working Group (WG) to recommend Best Practices for the Implementation of Call Authentication Frameworks.
Touching on technologies and solutions.
In addition to efforts by regulators and legislators – who have taken direct action to punish service providers and individuals responsible for fraud and scams, the industry itself has taken its own steps.
The Industry Traceback Group (ITG) was established by US Telecom | The Broadband Association, to partner with companies from across the wireline, wireless, VoIP, and cable industries collaborate to trace, source, and ultimately, stop illegal robocalls. According to ITG, “Domestic and foreign voice service providers cooperate with ITG traceback requests, and over 40 leading voice service providers collaborate to support and sustain the ITG’s efforts. The ITG also works in close partnership with government entities who rely on ITG referrals and data to bring to justice individuals and entities responsible for illegal robocalls.”
Resources and solutions have also been developed by industry experts like Neustar, to help CSPs meet regulatory requirements, implement STIR/SHAKEN and robocall mitigation solutions across their networks, empower enterprises and protect consumers. (Learn about Certified Caller and Robocall Mitigation Solutions.)
We also launched our seven-step trusted call journey to help enterprises transform the call experience, reduce risk, and restore trust in the phone with consumers. That includes Branded Call Display (BCD). Through a centralized platform, BCD informs consumers with logos, verification status, and call reasons, even before they answer – and verifies that the call has not been spoofed, using STIR/SHAKEN.