eLaws | eCases | United States Code | Federal Courts |
Home » 2022 Issues » 87 FR (07/18/2022) » 2022-13436. Advanced Methods To Target and Eliminate Unlawful Robocalls; Call Authentication Trust Anchor

  2022-13436. Advanced Methods To Target and Eliminate Unlawful Robocalls; Call Authentication Trust Anchor  

  • Start Preamble Start Printed Page 42916

    AGENCY:

    Federal Communications Commission.

    ACTION:

    Final rule.

    SUMMARY:

    In this document, the Federal Communications Commission (Commission or FCC) takes further steps to stem the tide of foreign-originated illegal robocalls by placing new obligations on the gateway providers that are the entry point or foreign calls into the United States by requiring them to play a more active role in the fight.

    DATES:

    Effective date: This rule is effective September 16, 2022.

    Compliance date: Compliance with the amendments to 47 CFR 64.1200(n)(1) and (o), 64.6303(b), and 64.6305(b), (c)(2), (d), and (e)(2) and (3), are delayed indefinitely. The Federal Communications Commission will publish a document in the Federal Register announcing the compliance dates.

    ADDRESSES:

    Federal Communications Commission, 45 L Street NE, Washington, DC 20554.

    Start Further Info

    FOR FURTHER INFORMATION CONTACT:

    Jonathan Lechter, Competition Policy Division, Wireline Competition Bureau, at (202) 418-0984, jonathan.lechter@fcc.gov ; or Jerusha Burnett, Attorney Advisor, Consumer Policy Division, Consumer and Governmental Affairs Bureau, at (202) 418-0526, jerusha.burnett@fcc.gov .

    End Further Info End Preamble Start Supplemental Information

    SUPPLEMENTARY INFORMATION:

    This is a summary of the Commission's Sixth Report and Order in CG Docket No. 17-59 and Fifth Report and Order in WC Docket No. 17-97 Order on Reconsideration and Order in WC Docket No. 17-97 adopted on May 19, 2022 and released on May 20, 2022 ( Gateway Provider Report and Order ). The document is available for download at https://docs.fcc.gov/​public/​attachments/​FCC-22-37A1.pdf . Compliance with the amendments to 47 CFR 64.1200(n)(1) and (o), 64.6303(b), and 64.6305(b), (c)(2), and (d), which contain information collection requirements that have not been approved by the Office of Management and Budget (OMB), and the amendments to 47 CFR 64.6305(e)(2) and (3), are delayed indefinitely. The Federal Communications Commission will publish a document in the Federal Register announcing the compliance dates.

    To request materials in accessible formats for people with disabilities (Braille, large print, electronic files, audio format), send an email to FCC504@fcc.gov or call the Consumer & Governmental Affairs Bureau at 202-418-0530 (voice), 202-418-0432 (TTY).

    Synopsis

    I. Sixth Report and Order and Fifth Report and Order

    1. In this document, the Commission takes steps to protect consumers from foreign-originated illegal robocalls. Gateway providers' networks are the key entry point for foreign-originated robocalls, and the authentication and mitigation requirements the Commission adopts will ensure that American consumers are protected. The Commission defines the term “gateway provider,” requires such providers to authenticate all unauthenticated Session Initiation Protocol (SIP) calls in the internet Protocol (IP) portions of their networks, and adopts mitigation requirements specific to such providers, including requirements related to the Robocall Mitigation Database. As explained below, the Commission finds that the benefits of these new requirements, particularly to American consumers deluged by illegal calls originating in other countries, will far outweigh the short-term implementation costs imposed on gateway providers.

    A. Need for Action

    2. Current Rules Addressing Foreign-Originated Robocalls Are Insufficient to Stop the Deluge of Illegal Robocalls Originating Abroad . As proposed, the Commission concludes that consumers will benefit from caller ID authentication and illegal robocall mitigation requirements applied to gateway providers to address the problem of foreign-originated illegal robocalls (86 FR 59084, (Oct. 26, 2021)).

    3. Commenters overwhelmingly support additional action to stop the flood of foreign-originated illegal calls. For example, Comcast agrees with the Commission that the current rules “are not sufficient to resolve the problem of foreign-originated illegal robocalls” and that the robocall landscape “warrants consideration of further regulatory efforts targeting gateway providers.” The State attorneys general also support steps to stop the “continued deluge of illegal foreign-based robocalls that use spoofed, U.S.-based phone numbers.”

    4. Foreign robocallers use U.S. North American Numbering Plan (NANP) numbers in myriad ways to reach U.S. end users. In some cases, the foreign robocallers utilize spoofed U.S. numbers, while in other cases they have obtained U.S. NANP numbers from providers who have themselves obtained numbers on the secondary market or directly from the North American Numbering Plan Administrator (NANPA).

    5. Commenting parties agree that foreign-originated calls are a significant portion, if not the majority, of illegal robocalls. The latest data from the Industry Traceback Group support the conclusion that many providers facilitating illegal robocalls are gateway providers and the upstream foreign originating and intermediate providers from whom they receive foreign-originating calls. Of the 347 providers identified in the Industry Traceback Group's 2021 report as responsible for transmitting illegal robocalls, 111 were gateway providers that brought the traffic into the U.S. network, and 115 were foreign providers originating illegal robocalls. According to the Industry Traceback Group, 10% of all providers that are not responsive to traceback requests constitute 48% of all non-responsive traceback requests. Of that 10%, over two-thirds are foreign providers. Recent action after the release of the Gateway Provider Further Notice of Proposed Rulemaking (Gateway Provider FNPRM), 86 FR 59084, (Oct. 26, 2021), by the Commission's Enforcement Bureau underscores the need for action against foreign-originated robocalls, including cease-and-desist letters the Enforcement Bureau sent to three companies for transmitting illegal robocalls, “many of which originate overseas.”

    6. Role of Gateway Providers. The Commission concludes that gateway providers serve as a critical choke-point for reducing the number of illegal robocalls received by American consumers, a conclusion confirmed by the record. Gateway providers can stop illegal calls to customers before they reach terminating providers, or, as the Industry Traceback Group data demonstrates, readily allow such calls into the U.S. market. State attorneys general argue that “in most cases” robocalling fraud results from “foreign actors gaining access to the U.S. phone network through international gateway providers.” State actions against gateway providers following the Gateway Provider FNPRM reinforce this conclusion. Start Printed Page 42917

    B. Scope of Requirements and Definition

    7. Definition of Gateway Provider. The Commission defines a “gateway provider” as a U.S.-based intermediate provider that receives a call directly from a foreign originating provider or foreign intermediate provider at its U.S.-based facilities before transmitting the call downstream to another U.S.-based provider, a slightly modified version of the definition the Commission proposed in the Gateway Provider FNPRM . By “U.S.-based,” the Commission means that the provider has facilities located in the U.S., including a point of presence capable of processing the call. By “receives a call directly” from a provider, the Commission means the foreign provider directly upstream of the gateway provider in the call path sent the call to the gateway provider, with no providers in-between. Commenters support the Commission's proposed definition, with some suggesting minor modifications addressed below.

    8. In the Gateway Provider FNPRM, the Commission initially proposed to define a gateway provider as “the first U.S.-based intermediate provider in the call path of a foreign-originated call that transmits the call directly to another intermediate provider or a terminating voice service provider in the United States.” The Commission adds “receives a call directly from a foreign originating provider or foreign intermediate provider” and drop “foreign-originated call” from its adopted definition for several reasons. First, as commenters note, a gateway provider may not know the identity or location of the entity that originated the call, but it will know the identity of the immediate upstream provider that sent the call to the gateway provider, including whether that provider has registered as a foreign provider in the Robocall Mitigation Database. (As explained below, the Commission clarifies foreign intermediate providers' traffic will be blocked unless they register in the Robocall Mitigation Database.) The Commission's adopted definition ensures that a provider will be considered a gateway provider for any call it receives directly from a foreign provider that the provider does not itself terminate. Second, the Commission's definition ensures that calls sent on a circuitous path out of and then back into the U.S. will be brought within the regime. In that scenario, the U.S.-based provider acts as a gateway provider at the point in the call path when the foreign provider immediately upstream of the gateway provider sends the call to the gateway provider, even for calls originated within the United States. The Commission agrees with commenters that “U.S.-based facilities” for the purpose of the Commission's definition means that the provider has facilities in the U.S., including, at a minimum, a U.S.-located point of presence.

    9. The Commission clarifies that foreign affiliates of a U.S.-based provider or other U.S.-licensed entities that receive traffic in another country and transmit that traffic to another provider to bring across the boundary of the U.S. network are not gateway providers. As proposed, the Commission does not include in the definition providers that also terminate the call because they are then acting as terminating providers and are subject to the existing rules applicable to such providers. In their capacity as terminating providers, these providers have existing obligations to prevent their own end users from receiving illegal robocalls. (A terminating provider is a voice service provider for purposes of section 4 of the TRACED Act and the Commission's caller ID authentication rules. A voice service provider is required to, among other things, verify caller ID information pursuant to STIR/SHAKEN for traffic it terminates, 47 CFR 64.6301(a)(3), and submit a certification to the Robocall Mitigation Database.)

    10. Because the TRACED Act defines “voice service” in a manner that excludes intermediate providers, the authentication and Robocall Mitigation Database rules use “voice service provider” in this manner. The Commission's call blocking rules, many of which the Commission adopted prior to adoption of the TRACED Act, use a definition of “voice service provider” that includes intermediate providers. In that context, use of the TRACED Act definition of “voice service” would create inconsistency with the existing rules. To avoid confusion, for purposes of this item, the Commission uses the term “voice service provider” consistent with the TRACED Act definition and where discussing caller ID authentication or the Robocall Mitigation Database. In all other instances, the Commission uses “provider” and specifies the type of provider as appropriate. Unless otherwise specified, the Commission means any provider, regardless of its position in the call path.

    11. Call-by-Call Basis. Consistent with the proposal in the Gateway Provider FNPRM, the Commission adopts the gateway provider classification on a call-by-call basis. That is, a provider is a gateway provider and subject to the rules for gateway providers the Commission adopts in this document only for those calls for which it acts as a gateway provider unless otherwise noted.

    12. As the Commission noted in the Gateway Provider FNPRM, the Commission took this approach when classifying intermediate and voice service providers with respect to the Commission's caller ID authentication rules. The Commission adopts the call-by-call classification to ensure that gateway providers, due to their key role in the call path, are subject to the requirements. There is record support for this approach. Concluding that the burdens are overstated, the Commission rejects concerns of commenters that assert that the call-by-call classification would not be administratively feasible, and would potentially impose two different sets of regulations on the same set of providers, causing confusion. As the Commission notes, and a number of commenters agree, a gateway provider will know the identity of the immediate upstream provider from which it receives a call. (As explained below, the Commission clarifies foreign intermediate providers' traffic will be blocked unless they register in the Robocall Mitigation Database.) The gateway provider will also know whether that provider has registered as a foreign provider in the Robocall Mitigation Database. The Commission's approach ensures that a gateway provider is subject to the consumer protection requirements it adopts whenever it receives a call directly from a foreign provider.

    13. Moreover, a call-by-call approach will have a limited practical burden for several reasons. As an initial matter, several of the obligations the Commission adopts do not require a gateway provider or providers downstream from the gateway provider to determine, in real time, whether or not the relevant provider is acting as a gateway provider for a particular call. First, the 24-hour traceback requirement and know-your-upstream provider requirements do not involve any real-time action on the part of a gateway provider when it receives the call. Second, the obligation to block traffic upon notification by the Commission applies only to those entities identified by the Commission, so that providers need not identify relevant traffic in real-time in the first instance. Third, if a provider acts as a gateway provider for any calls, it must submit a robocall mitigation plan to the Robocall Mitigation Database describing how it mitigates calls in its role as a gateway provider generally . Fourth, where a downstream provider needs to block Start Printed Page 42918 traffic from an upstream provider that has not filed in the Robocall Mitigation Database, it is required to do so if it has reason to believe it is a gateway or voice service provider for any calls. Additionally, while gateway providers must undertake call blocking on a call-by-call basis at the time of the call for numbers on a Do Not Originate (DNO) list, all domestic providers in the call path are already permitted to engage in such blocking and can therefore elect to apply such blocking to all calls, rather than simply the calls for which they act as a gateway provider. Similarly, while gateway providers must take “reasonable steps” to mitigate calls received as a gateway provider on a call-by-call basis, the burden of identifying the relevant calls is likely low; gateway providers should know those calls they receive from foreign providers and send downstream to another domestic provider and can apply the appropriate mitigation procedures to those calls. Indeed, several stated that they already do so. At a minimum, to the extent a provider receives a call directly from a provider listed as “foreign” in the Robocall Mitigation Database, it is acting as a gateway provider for that call.

    14. The Commission notes that many providers already operate under multiple sets of obligations—for example, as intermediate providers and voice service providers under the Commission's caller ID authentication rules—and no party has indicated why a call-by-call approach for gateway providers would be more burdensome. Moreover, no commenter proposed an alternative approach for imposing unique obligations on gateway providers. (Many commenters assert that the Commission should not impose unique obligations on gateway providers. The Commission addresses that argument in Section I.E.4 infra .) The Commission thus concludes that the burden on gateway providers to identify the appropriate regulatory regime applicable to a particular call will be limited.

    15. U.S. NANP Numbers. Consistent with its proposal, the Commission limits the scope of the requirements for gateway providers to those calls that are carrying a U.S. number in the caller ID field. By a “U.S. number,” the Commission means NANP resources that pertain to the United States. The Commission excludes from the scope of its rules those calls that carry a U.S. number in the ANI field but display a foreign number in the caller ID field. Commenters uniformly support this approach, which is consistent with the scope of the prohibition on receiving calls carrying U.S. NANP numbers from foreign voice service providers not listed in the Robocall Mitigation Database. Foreign-originated robocalls are successful to the extent that end users believe they are calls from U.S. customers or businesses, and the Commission therefore concludes it is appropriate to focus its efforts on such calls. (For this reason, the Commission concludes that including “in the caller ID field” within its definition and elsewhere in its newly adopted rules will not encourage a deluge of illegal robocalls using non-US numbers as ZipDX argues.)

    16. No Traffic Carve-Outs. Finally, the Commission declines to exclude certain types of traffic from the consumer protections it adopts. The Commission therefore rejects iBasis's contention that the Commission should exempt from the rules cellular roaming calls sent from U.S. customers abroad. The Commission also declines, at this time, to draw a distinction between “conversational” and “non-conversational traffic” and to require it to be segregated at the gateway and subject to different levels of regulatory scrutiny. (The Commission notes that it seeks comment on some of these ideas in the accompanying FNPRM published elsewhere in this this issue of the Federal Register .) The record does not reflect sufficient evidence to justify the utility of these carve-outs, or explain how they could be implemented in an administrable way and in a manner that avoids robocallers gaming whatever call-length definitions the Commission adopts. For example, the Commission is concerned that, if it sets a threshold for conversational traffic at a particular call length, robocallers would find a way to avoid crossing it while continuing to send robocalls. The Commission finds, at this time, that analytics providers, who can and do take call-length patterns into account in determining whether a call is likely to be an illegal robocall, are in the best position to make these sorts of determinations. These entities have the incentive and ability to react quickly to robocallers' shifting tactics and can do so without disclosing to bad actors the specific thresholds on which they rely.

    C. Robocall Mitigation Database

    17. The Commission adopts its proposal to require gateway providers to submit a certification and mitigation plan to the Robocall Mitigation Database. As explained below, the Commission requires gateway providers to take “reasonable steps” to mitigate robocall traffic regardless of whether they have fully implemented STIR/SHAKEN. Gateway providers' robocall mitigation plans must describe their robocall mitigation practices and state that they are adhering to those practices, regardless of whether they have fully implemented STIR/SHAKEN. The Commission also adopts a modified version of its proposal for downstream domestic providers receiving traffic from gateway providers to block traffic from such a provider if the gateway provider has not submitted a certification in the Robocall Mitigation Database or if the gateway provider has been de-listed from the Robocall Mitigation Database pursuant to enforcement action. The vast majority of commenters supported these proposals.

    18. Gateway Provider Robocall Mitigation Database Filing Obligations. The Commission concludes that requiring gateway providers to submit a certification to the Robocall Mitigation Database describing their robocall mitigation practices and stating that they are adhering to those practices, in conjunction with the new robocall mitigation obligations the Commission adopt elsewhere in this document, is an appropriate extension of similar obligations that currently apply to other providers. The Commission further concludes that requiring gateway provider certification will encourage compliance and facilitate enforcement efforts and industry cooperation. The record reflects significant support for this action. For example, iBasis, a gateway provider, “believes that it is appropriate to require such a submission” along with a mitigation plan. While INCOMPAS and T-Mobile argue that gateway providers that have implemented STIR/SHAKEN should not have to submit a mitigation plan, the Commission disagrees because of the importance of gateway providers in the call path and its conclusion that STIR/SHAKEN, on its own, will not eliminate illegal robocalls, particularly traffic originating from outside the United States.

    19. These rules the Commission adopts require gateway providers to submit the same information to the Robocall Mitigation Database that voice service providers must submit under existing Commission rules, except for the limited areas described below. Specifically, gateway providers must certify to the status of STIR/SHAKEN implementation and robocall mitigation on their networks; submit contact information for a person responsible for addressing robocall mitigation-related issues; and describe in detail their robocall mitigation practices. Gateway providers may make confidential submissions consistent with the Start Printed Page 42919 Commission's existing confidentiality rules. (As USTelecom notes, providers may only redact filings to the extent appropriate under the Commission's confidentiality rules.) Gateway providers must also certify that they will comply with traceback requests within 24 hours, unlike the current “reasonable period of time” applicable for voice service providers, or that it has received a waiver of that rule.

    20. Consistent with voice service providers' current obligations, the Commission does not require gateway providers to describe their mitigation program in a particular manner, with the exception of clearly explaining how they are complying with the know-your-upstream-provider obligation adopted in this document. The Commission concludes that it and the public will benefit from understanding how each provider chooses to comply with the know-your-upstream provider duty, both because compliance is critical to stopping the illegal carrying or processing of robocalls and because providers may choose to comply with this duty in different ways. (In several legal settlements with gateway providers, the gateway providers were required to comply with extremely detailed, and public, know-your-customer obligations.) As USTelecom argues, “providers' robocall mitigation programs should reflect at least a basic level of vetting of the providers from whom they directly accept traffic—beyond ensuring that they are registered in the [Robocall Mitigation Database].”

    21. The Commission also clarifies that, consistent with existing Commission filing requirements in other contexts, all mitigation plans must be submitted in English or with a certified English translation. To remove any ambiguity, the Commission also codifies that requirement with respect to its STIR/SHAKEN rules. Plans that were not submitted in English or with a certified English translation must be updated no later than 10 business days following the effective date of this document, consistent with the Commission's existing requirement for updating information in the Robocall Mitigation Database.

    22. The Commission delegates to the Wireline Competition Bureau the authority to specify the form and format of any submissions, and it directs the Wireline Competition Bureau to comply with any requirements under the Paperwork Reduction Act attendant upon such action. This includes whether gateway providers that are also voice service providers may either submit a separate certification and plan as a gateway provider or amend their current certification and any plan. A gateway provider that is also a voice service provider should explain the mitigation steps it undertakes as a gateway provider and the mitigation steps it undertakes as a voice service provider, to the extent those mitigation steps are different for each role. And as with voice service providers, and consistent with the Commission's proposal, the Commission requires gateway providers to update their certifications within ten business days of “any change in the information” submitted, ensuring that the information is kept up to date.

    23. The Commission also notes that it may take the same enforcement actions against a gateway provider whose certification is deficient or who fails to meet the standards of its certifications as is the case for voice service providers. This includes, but is not limited to, delisting the gateway provider from the Robocall Mitigation Database. In the Second Caller ID Authentication Report and Order, 85 FR 73360 (Nov. 17, 2020), the Commission set forth consequences for providers that file a deficient robocall mitigation plan or that “knowingly or negligently” originate illegal robocall campaigns, including removal from the Robocall Mitigation Database. To promote regulatory symmetry and close any loopholes in the Commission's regime, gateway providers will be subject to similar consequences. Specifically, if the Commission find that a certification is deficient, such as if the certification describes an ineffective program, or it determines that a provider knowingly or negligently carries or processes illegal robocalls, it will take appropriate enforcement action. These actions may include, among others, removing a certification from the database after providing notice to the gateway provider and an opportunity to cure the filing, requiring the gateway provider to submit to more specific robocall mitigation requirements, and/or the imposition of a forfeiture. Should the Commission remove a gateway provider from the Robocall Mitigation Database, downstream providers must block that gateway provider's traffic as described below.

    24. Gateway providers must submit a certification to the Robocall Mitigation Database by 30 days following publication in the Federal Register of notice of approval by OMB of any associated Paperwork Reduction Act (PRA) obligations. (In the Gateway Provider FNPRM, the Commission proposed a filing deadline of 30 days after the publication of this document, but that did not account for OMB approval of PRA obligations.) The Commission concludes that the deadline will give providers sufficient time to prepare their submission following notification of OMB approval. If a gateway provider has not fully implemented STIR/SHAKEN by the filing deadline, it must so indicate in its filing. (Below, the Commission requires gateway providers to authenticate unauthenticated SIP traffic pursuant to STIR/SHAKEN by June 30, 2023.) It must then later update the filing within 10 business days of STIR/SHAKEN implementation. (Given the importance of tracking gateway providers' mitigation efforts, the Commission concludes that the benefit of an earlier filing deadline outweighs the burden for some providers to subsequently update their filing with their STIR/SHAKEN compliance status.)

    25. The Commission does not at this time adopt a requirement for gateway providers to inform the Commission through an update to the Robocall Mitigation Database filing if the gateway provider is subject to a Commission, law enforcement, or regulatory agency action, investigation, or inquiry due to its robocall mitigation plan being deemed insufficient or problematic, or due to suspected unlawful robocalling or spoofing. Similarly, the Commission does not at this time require all or a subset of Robocall Mitigation Database filers to include additional identifying information. While the Commission concludes that taking these steps may have merit, it finds the record is insufficient to support taking action at this time. Instead, the Commission seeks comment in the accompanying FNPRM on imposing these obligations on all domestic providers in the call path.

    26. The Commission also does not at this time extend this certification obligation to domestic intermediate providers other than gateway providers or require voice service providers that have already implemented STIR/SHAKEN to meet the “reasonable steps” standard and submit a robocall mitigation plan. However, the Commission seeks comment on doing so in the accompanying FNPRM .

    27. Gateway Provider Call Blocking. The Commission also extends the prohibition on accepting traffic from unlisted voice service providers to gateway providers as proposed. This proposal received significant record support and will close a loophole in the Commission's regime. Under this rule, downstream providers will be prohibited from accepting any traffic from a gateway provider not listed in the Robocall Mitigation Database, either because the provider did not file or their Start Printed Page 42920 certification was removed from the Robocall Mitigation Database as part of an enforcement action. The Commission concludes that a gateway provider Robocall Mitigation Database filing requirement and an associated prohibition against accepting traffic from gateway providers not in the Robocall Mitigation Database will ensure regulatory symmetry between voice service providers and gateway providers and underscore the key role gateway providers play in stemming foreign-originated illegal robocalls. Consistent with the Commission's proposal, and the parallel requirement adopted for voice service providers in the Second Caller ID Authentication Report and Order, this prohibition will go into effect 90 days following the deadline for gateway providers to submit a certification to the Robocall Mitigation Database.

    28. As a result of gateway providers' affirmative obligation to submit a certification in the Robocall Mitigation Database, the Commission concludes that downstream providers will no longer be able to rely upon any gateway provider database registration imported from the intermediate provider registry when making blocking determinations. (Previously, all intermediate providers were imported into the Robocall Mitigation Database from the rural call completion database's Intermediate Provider Registry so that all intermediate providers would be represented therein, giving voice service providers “confidence that any provider not listed in the Robocall Mitigation Database” was not in compliance with the Commission's rules.) In the Second Caller ID Authentication Report and Order, the Commission imported intermediate providers into the Robocall Mitigation Database from the intermediate provider registry to ensure that downstream providers did not inadvertently block traffic sent from the intermediate providers' networks. At that time, no intermediate providers were subject to a Robocall Mitigation Database filing or mitigation requirement. To the extent a gateway provider was imported into the Robocall Mitigation Database via the intermediate provider registry, that Robocall Mitigation Database entry is not sufficient to meet the gateway provider's Robocall Mitigation Database filing obligation or to prevent downstream providers from blocking traffic upon the effective date of the obligation for downstream providers to block traffic from gateway providers. Therefore, gateway providers must submit a certification to the Robocall Mitigation Database by 30 days following Federal Register publication of OMB approval of the relevant information collection requirements, and the downstream provider must begin blocking traffic within 90 days of that certification deadline if the gateway provider has not submitted a certification to the Robocall Mitigation Database. The Commission delegates to the Wireline Competition Bureau to make the necessary changes to the Robocall Mitigation Database to indicate whether a gateway provider has made an affirmative filing (as opposed to being imported as an intermediate provider) and whether any provider's filing has been de-listed as part of an enforcement action. The Bureau may, pursuant to an enforcement action, remove the record of a providers' filing or clearly mark it in a way so that downstream providers may not rely on it.

    29. For the purpose of the downstream providers' call blocking duty, the Commission does not require the downstream provider to determine if a specific call was sent from a provider acting as a voice service provider or gateway provider for that call. Nevertheless, the Commission recognizes that it may not always be possible for the downstream provider to know whether the upstream provider is (1) a voice service provider or gateway provider whose traffic must be blocked if the provider did not make an affirmative certification in the Robocall Mitigation Database and has not been de-listed; or (2) an intermediate provider that is not a gateway provider, whose traffic should not be blocked. The Commission therefore only requires the downstream provider to block calls if they have a reasonable basis to believe that the upstream provider acts, for some calls, as a voice service provider or gateway provider and that the provider did not affirmatively file or in the Robocall Mitigation Database or has been de-listed. The Commission notes it is proposing in the FNPRM to expand the obligation to submit an affirmative certification to the Robocall Mitigation Database to all domestic intermediate providers. Adoption of that proposal should eliminate any of these implementation concerns. In that case, the downstream provider would simply check to see if the upstream provider affirmatively filed in the Robocall Mitigation Database and has not been de-listed and would block the call if appropriate. Nevertheless, the Commission concludes it must act now with respect to gateway providers to stem the tide of foreign-originated calls.

    30. Bureau Guidance. The Commission directs the Wireline Competition Bureau to make the necessary changes to the Robocall Mitigation Database portal and provide appropriate filing instructions and training materials consistent with this document. The Commission also directs the Wireline Competition Bureau to release a public notice upon OMB approval of the information collection requirements for filing a certification, setting the deadlines for filing a certification, and for the downstream provider to block traffic from a gateway provider that has not filed a certification in the database. Either in that same or a separate public notice, the Wireline Competition Bureau shall also state when gateway providers may begin filing certifications in the Robocall Mitigation Database.

    31. Commenters disagreed whether intermediate providers' imported data should be deleted from the database. Consistent with the Commission's direction to the Wireline Competition Bureau to make the necessary changes to the portal to effectuate the rules, the Commission directs the Bureau to determine how to manage the imported data of gateway providers and to announce its determination as part of its guidance described in the paragraph above.

    32. Public Safety Calls. In the Gateway Provider FNPRM, the Commission clarified that: (1) even if a provider is not listed in the Robocall Mitigation Database, other voice service providers and intermediate providers in the call path must make all reasonable efforts to avoid blocking calls from public safety answering points (PSAPs) and Government outbound emergency numbers; and (2) emergency calls to 911 from originating providers not in the Robocall Mitigation database must not be blocked “under any circumstances.” (These clarifications reflect the Commission's existing requirements.) The Commission now codifies these requirements and applies them as well to the new blocking obligations it adopts in this document. Codifying these clarifications with respect to providers not listed in the Robocall Mitigation Database are consistent with the Commission's action to similarly codify these safeguards in its other blocking rules and will ensure completion of emergency calls is subject to the same safeguards regardless of the rule under which the call would otherwise be blocked. There was record support for this approach. The Commission disagrees with ZipDX that its clarification in the Gateway Provider FNPRM and its expansion to gateway providers would not be administratively feasible. Providers have had to comply Start Printed Page 42921 with the Commission's public safety exception to blocking for other purposes for several years, and ZipDX does not adequately explain why applying this exception to traffic sent from providers not in the Robocall Mitigation Database now would be different. Additionally, in balancing any implementation concerns against the critical importance of completing emergency calls, the Commission concludes that adopting and expanding the public safety exception is in the public interest.

    33. The Commission also sought comment in the Gateway Provider FNPRM on whether it should expand these clarifications, including whether it should further define what constitutes “reasonable efforts” to prevent blocking of emergency calls. In light of the limited comments in the record and the uncertain benefits to be gained, the Commission does not take any further action at this time.

    D. Authentication

    34. To combat foreign-originated robocalls, and to further the long-standing Commission goal and benefits of ubiquitous STIR/SHAKEN authentication, the Commission requires gateway providers, consistent with its proposal, to implement STIR/SHAKEN to authenticate SIP calls that are carrying a U.S. number in the caller ID field. The Commission concludes based on the record that authentication, as well as the additional data sent to downstream providers along with the authentication, will reduce the incentive and ability of foreign providers to send illegal robocalls into the U.S. market, as well as provide downstream intermediate and terminating providers and their call analytics partners with additional data to protect their customers, and therefore will provide a significant benefit. Attestation information will facilitate analytics and promote traceback and enforcement efforts. Speeding traceback efforts is also consistent with the underlying goal of the Commission's 24-hour traceback requirement. The Commission finds those benefits outweigh the implementation costs. Additionally, certain commenters support requiring gateway providers to authenticate calls.

    35. As the Commission has previously explained, application of caller ID authentication by intermediate—including gateway—providers “will provide significant benefits in facilitating analytics, blocking, and traceback by offering all parties in the call ecosystem more information.” At the time the Commission reached this conclusion, given the concerns that an authentication requirement on all intermediate providers “was unduly burdensome in some cases,” the Commission determined that intermediate providers could, instead of authenticating unauthenticated calls, “register and participate with the industry traceback consortium as an alternative means of complying with our rules.” Since that time, the Commission imposed on all domestic providers the requirement to respond to all traceback requests from the Commission, law enforcement, or the industry traceback consortium, fully and in a timely manner. Because evidence shows that foreign-originated robocalls are a significant and increasing problem and that the benefits of a gateway authentication requirement outweigh the burdens, the Commission thus adopts a gateway provider authentication obligation to address this problem. The Commission believes gateway provider authentication will address a significant risk to American consumers and enhance their trust in this country's telecommunications network.

    36. Requirement. To comply with the requirement to authenticate calls, consistent with the Commission's proposal, a gateway provider must authenticate caller ID information for all SIP calls it receives for which the caller ID information has not been authenticated and which it will exchange with another provider as a SIP call. (As noted, the call blocking rules have mooted this choice—all domestic providers now must cooperate with traceback efforts.) A gateway provider can satisfy its authentication requirement if it adheres to the three Alliance for Telecommunications Industry Solutions (ATIS) standards that are the foundation of STIR/SHAKEN—ATIS-1000074, ATIS-1000080, and ATIS-1000084—and all documents referenced therein. Compliance with the most current versions of these standards as of the compliance deadline, including any errata to the standards as of that date or earlier, represents the minimum requirement to satisfy the Commission's rules. (No commenters addressed this proposal.) ATIS and the SIP Forum conceptualized ATIS-1000074 as “provid[ing] a baseline that can evolve over time, incorporating more comprehensive functionality and a broader scope in a backward compatible and forward looking manner.” The Commission intends for its rules to provide this same room for innovation, while maintaining an effective caller ID authentication ecosystem. Gateway providers may incorporate any improvements to these standards or additional standards into their respective STIR/SHAKEN authentication frameworks, so long as any changes or additions maintain the baseline call authentication functionality exemplified by ATIS-1000074, ATIS-1000080, and ATIS-1000084.

    37. In addition, in line with the rule applicable to intermediate providers generally and the Commission's proposal, gateway providers have the flexibility in implementing call authentication to assign the level of attestation appropriate to the call based on the call information available to the gateway provider. Gateway providers are not limited to assigning “gateway” (C-level) attestation, and one commenter notes that there are significant benefits to be gained from gateway providers appropriately applying higher attestation levels consistent with the standard. Stakeholders support this approach.

    38. Benefits Outweigh Burdens. The Commission concludes that the benefits of a gateway provider authentication obligation outweigh the burdens. Record evidence demonstrates that the benefits of gateway provider authentication are significant and are likely to grow over time as more providers are brought within the STIR/SHAKEN regime. Illegal robocalls cost Americans billions of dollars each year. Even minimal deterrence arising from authenticating unauthenticated foreign-originated calls is likely to be highly beneficial. To the extent “gateway providers already exchange traffic in SIP and therefore likely are ready to implement STIR/SHAKEN,” the requirement will have a real, near-term benefit.

    39. Those commenters asserting such a requirement will cost significant time and resources to implement do not provide detailed support for their claims. Indeed, to the extent a gateway provider also serves as a voice service provider, it will have already implemented STIR/SHAKEN in at least some portion of its network, likely lowering its compliance costs to meet the requirement the Commission adopts. Given the real and significant benefits to providers and American consumers in the form of billions in savings and increased trust in the voice network that will flow from the reduction in foreign-originated illegal robocalls, the Commission concludes that requiring authentication is in the public interest even if it credits those arguing that there are substantial implementation costs.

    40. While gateway providers are likely to authenticate most calls with only C-level attestation at least initially, the Start Printed Page 42922 Commission disagrees with those commenters who argue that the benefits of lower attestation levels, along with other information sent along with the attestation, are not worth the asserted cost. While “C-level attestation is not as good as higher-level attestation . . . it is far more valuable, particularly in the case of foreign-originated illegal robocalls, than NO signature.” Terminating providers and their end users directly benefit from gateway provider authentication. As T-Mobile notes, “[r]eceiving any level of attestation can help carriers trace where unwanted or illegal calls enter the country so they can follow up and prevent additional traffic from the offending source. The information passed along with the attestation can be valuable for analytics engines, enabling calls to be appropriately labeled or sent to voice mail” before reaching end users. Indeed, the North American Numbering Council (NANC) recently recognized the value of this information. Even if not all analytics providers currently use this information, more could readily do so in the future. And, while the Commission agrees with commenters that gateway provider authentication is not a “silver bullet,” it “will have a significant impact on curtailing illegal robocalls which is critical to restoring trust in the voice network.” It also will make the traceback process more efficient and rapid, consistent with the underlying goal of the Commission's newly adopted 24-hour traceback requirement. Even if foreign-originated calls carrying U.S. numbers constitute a small portion of gateway providers' overall traffic, such traffic represents a disproportionate share of illegal robocall traffic received by such providers, underscoring the importance of authentication. The Commission agrees with USTelecom that the Commission's authentication regime would be harmed if gateway providers improperly sign calls with A-level attestations, but that is not a problem unique to gateway provider authentication—all domestic providers authenticating calls are obligated to provide the appropriate attestation level. Similarly, the Commission disagrees with Verizon that because some gateway providers still have some time division multiplex (TDM) facilities, which fall “out of the scope” of the attestation mandate, the Commission should not require gateway providers to authenticate SIP calls. The Commission continuously has required voice service providers to implement authentication on the IP portions of their networks, as it does for gateway providers here, despite the presence of TDM facilities on their networks subject to a continuing extension.

    41. Expanding the scope of providers subject to the STIR/SHAKEN regime will increase the overall benefits of the standard and its future reach. As many parties and the NANC note, STIR/SHAKEN has beneficial network effects, and the more steps the Commission takes to increase its use, the greater the overall benefit for those providers that have already implemented the standard and those providers' customers. (For the same reasons, the Commission does not adopt USTelecom's alternative proposal to only impose a gateway provider authentication obligation on smaller, non-facilities-based providers.) Indeed, the Commission's expansion of the STIR/SHAKEN regime may spur other countries and regulators to also develop and adopt STIR/SHAKEN, further increasing the standards' benefit. (While the i3forum opposes an attestation obligation, it notes that cross-border adoption of STIR/SHAKEN and voluntary agreements can lead to “situations in which [the gateway provider] has access to information that would enable it to provide an A-level or B-level attestation.”) In the interim, gateway provider authentication is the only way to ensure that all foreign-originated calls with U.S. numbers in the caller ID field are authenticated. The Commission acknowledges that at least some of the benefits that will flow from gateway provider authentication are based on its reasoned predictions arising from disputed record evidence. Nevertheless, in adopting its rule, the Commission is persuaded by the available evidence that the benefits will be significant, and the sooner the Commission acts, the sooner the public will obtain these benefits. For these reasons, the Commission disagrees with CTIA-The Wireless Association that it would be “premature” for the Commission to require gateway authentication while foreign regulators consider mandating STIR/SHAKEN or that the Commission should wait for the recommendations of outside third parties, or possible future rule changes, before acting.

    42. Compliance Deadline. The Commission requires that gateway providers authenticate unauthenticated foreign-originated SIP calls carrying U.S. NANP numbers by June 30, 2023, a longer period than the Commission proposed in the Gateway Provider FNPRM . One commenter supported a December 2023 deadline, while others supported either a longer or shorter deadline. The Commission conclude that this deadline appropriately balances the relevant burdens and benefits of implementation; it will give gateway providers less time than the 18 months voice service providers had to implement STIR/SHAKEN, but more time than the shorter deadline of the effective date of the order proposed by the 51 State attorneys general. This deadline also coincides with the extension for STIR/SHAKEN implementation for facilities-based small voice service providers.

    43. The Commission also believes that a June 30, 2023, deadline is reasonable because the industry has much more experience with implementation than when the Commission originally required voice service providers to implement STIR/SHAKEN, there is evidence that STIR/SHAKEN implementation costs have dropped since it first adopted the requirement for voice service providers and because the authentication requirement applies only to the IP portions of the gateway providers' networks. Finally, to facilitate uniformity, simplify compliance, and consistent with comments in the record, the Commission does not adopt an earlier deadline for those providers that have, in their role as voice service providers, already implemented STIR/SHAKEN, nor do it adopt a longer deadline for certain providers or classes of provider, or a specific process for the grant of extensions or exemptions from this requirement, with the exception of two extensions regarding token access and non-IP networks described below. (Parties are, of course, free to file a request for waiver. The Commission may grant such requests where the particular facts at issue make strict compliance with the rule at issue inconsistent with the public interest. In considering whether to grant a waiver, the Commission may take into account factors such as hardship, equity, or more effective implementation of overall policy. This extension will be similar to the one already in place for voice service providers.) As noted above, once a gateway provider has fully implemented STIR/SHAKEN, it must update its filing in the Robocall Mitigation Database.

    44. Token Access. The Commission sought comment on whether the Secure Telephone Identity Governance Authority's (STI-GA) token access policy serves as a barrier for all or a subset of gateway providers from obtaining a token and, if so, what if any actions it should take to address that barrier, but it received limited response. (USTelecom and iconnectiv assert that the policy should not be changed. iBasis argues that the operating company Start Printed Page 42923 number (OCN) criteria should be eliminated.) The Commission concludes that the current token access policy will likely not present a material barrier to gateway providers meeting their authentication obligation, and it anticipates that the STI-GA can address any concerns before gateway providers are required to authenticate calls by June 30, 2023. Nevertheless, to ensure that gateway providers are not unfairly penalized, the Commission provides a STIR/SHAKEN extension to gateway providers that are unable to obtain a token due to the STI-GA token access policy. The extension will run until the gateway provider is able to obtain a token as long as the gateway provider “diligently pursues” doing so.

    45. Non-IP Networks and Authentication. The Commission concludes that gateway providers should have the same duty as voice service providers to either upgrade their non-IP networks to IP and implement STIR/SHAKEN or work with a working group, standards group, or consortium to develop a non-IP caller ID authentication solution. Such an obligation is appropriate in light of gateway providers' key role in serving as the entry point for foreign-originated voice traffic into the U.S. marketplace and the limited burden gateway providers would experience in working with a standards group. No party commented on this issue, and this approach is consistent with those commenters arguing that all domestic providers in the call path should have similar obligations. As with voice service providers, gateway providers that choose to work with a working group are subject to an extension to implement STIR/SHAKEN in the non-IP portions of their networks.

    46. The Commission asked in the Gateway Provider FNPRM whether it should require gateway providers to adopt a non-IP caller ID authentication solution, an obligation that voice service providers currently do not have. A number of commenters filed specific proposals in the record for authentication on IP and non-IP networks for gateway providers as well as voice service providers. The Commission does not adopt these proposals, in part because many are outside of the scope of the Gateway Provider FNPRM. However, the Commission seeks comment on some of these alternatives in the accompanying FNPRM, as well as their applicability to all domestic providers in the call path, and do not foreclose the possibility of seeking comment on the remainder of these proposals in a future proposal.

    E. Robocall Mitigation

    47. The Commission adopts several of its robocall mitigation proposals from the Gateway Provider FNPRM. First, the Commission adopts its proposal to require gateway providers to respond to traceback requests within 24 hours, with one modification. Second, it requires gateway providers and the providers immediately downstream from the gateway provider to comply with blocking mandates in certain instances. Third, it requires gateway providers to “know” the provider immediately upstream from the gateway provider. Finally, the Commission adopts a general mitigation standard.

    1. 24-Hour Traceback Requirement

    48. The Commission adopts its proposal to require gateway providers to fully respond to traceback requests from the Commission, civil and criminal law enforcement, and the industry traceback consortium within 24 hours of receipt of such a request. (To be clear, the 24-hour clock does not start outside of the business hours of the local time for the responding office. Requests received outside of business hours as defined in the Commission's rules are deemed received at 8 a.m. on the next business day. Similarly, if the 24-hour response period would end on a non-business day, either a weekend or a Federal legal holiday, the 24-hour clock does not run for the weekend or holiday in question, and restarts at 12:01 a.m. on the next business day following when the request would otherwise be due. “Business day” for these purposes is Monday through Friday, excluding Federal legal holidays, and “business hours” are 8 a.m. to 5:30 p.m. on a business day, consistent with the definition of office hours in the Commission's rules. By way of example, a request received at 3 p.m. on a Friday will be due at 3 p.m. on the following Monday, assuming that Monday is not a Federal legal holiday. The Commission believes that this clarification resolves concerns raised by some parties about the burden of a strict 24-hour requirement.) This is an enhancement of the Commission's existing rule, which requires all domestic providers, including gateway providers, to respond to traceback requests “fully and in a timely manner.” The Commission takes this step recognizing the critical role that gateway providers play in stopping the deluge of illegal foreign-originated robocalls, which continue to increase despite its previous efforts to stem the tide.

    49. The Commission finds that a mandatory 24-hour response requirement best serves to protect consumers from foreign-originated illegal robocalls, which are a prevalent source of illegal robocalls aimed at U.S. consumers. As the Commission has repeatedly made clear, traceback is an essential part of both identifying and stopping illegal calls, and rapid traceback is key to its success. The process used by the Industry Traceback Group, which is the currently designated industry traceback consortium, is semi-automated, allowing the process to continue very quickly when a provider responds to a traceback request. While time is always of the essence in traceback, time is particularly important in the case of foreign-originated calls. In such cases, reaching the origination point of the call may require working with foreign providers and foreign governments, which could significantly increase the total time for the traceback process. As the 51 State AGs have argued, time is of the essence for traceback of foreign-originated calls because law enforcement may need to work with international regulators to obtain information from providers outside of U.S. jurisdiction. As a result, any unnecessary delay increases the risk that this essential information may become impossible to obtain.

    50. The Commission therefore disagrees with commenters that do not support its enhanced 24-hour requirement. First, the Commission disagrees with commenters that argue that a stricter requirement is not warranted here. The Commission acknowledges the work industry has done on improving the traceback process, and recognizes that many, if not most, providers that receive traceback requests already respond in under 24 hours. However, the Commission finds that it is important to act aggressively in the international calling context. The gateway provider's response to a traceback request is often the first step in a process where the entity conducting the traceback must work with multiple foreign providers to trace a call back to the originating foreign provider and caller. The longer this process takes, the higher the risk that a foreign provider will no longer have the information necessary to respond—if they are even willing to do so—or that other factors will change, reducing the ability to fully trace the call. Therefore, this process must both begin and be completed as soon as possible. Many, if not most, providers that receive traceback requests are already responding within 24 hours, and the Commission believes this Start Printed Page 42924 enhanced obligation presents no additional burden. For providers that do not already meet this standard, the additional burden is justified by the need to quickly obtain this information. The record does not support the contention that this requirement presents a significant burden for providers. (Some commenters did raise specific concerns about this requirement. However, as discussed further below, these comments appear to either misunderstand the current expectations or to misunderstand the scope of the requirement.) The Commission emphasizes again, as it stated in the Fourth Call Blocking Order, 86 FR 17726 (April 6, 2021), that it generally expects all domestic providers to respond to traceback within 24 hours in most instances. The rule the Commission adopts simply makes that expectation a requirement in the gateway context. (While the Commission requires response to all traceback requests within 24 hours, it retains its right to exercise discretion in enforcement or consider limited waivers where a provider that normally responds within the 24-hour time frame has an truly unexpected or unpredictable issue that leads to a delayed response in a particular case or for a short period of time.)

    51. The Commission also disagrees with commenters who argue that 24 hours is too short a time frame. (One commenter incorrectly indicated that the “current deadline” is 36 hours, without indicating the source of that figure.) The Commission notes that, in the Fourth Call Blocking Order, it made clear that, in most cases, it expects responses within 24 hours under its existing rule. Further, according to a report by the Industry Traceback Group, the average time to complete a single hop in the traceback process is less than one day, with many providers responding in less than 30 minutes. (While the Industry Traceback Group notes that overall response time is reduced by certain providers responding more quickly, it also notes that “[t]racebacks that end with non-responsive providers tend to have slower response times, even in completed hops before the non-responsive provider” and that providers closer to the origination point tend to respond more slowly. Speeding up these responses can only benefit the traceback process.) Many, if not most, providers that receive traceback requests already respond in under 24 hours. The Commission therefore sees no reason to believe that the rule it adopts would unduly burden any gateway providers, nor would the burden of such a requirement outweigh the significant benefits to law enforcement from such a requirement. (Gateway providers for which this requirement poses a unique and significant burden may apply for a waiver of this rule under the “good cause” standard of § 1.3 of the Commission's rules. Under that standard, for example, waivers may be available in the event of sudden unforeseen circumstances that prevent compliance for a limited period or for a limited number of calls. The Commission notes that any applicant for waiver “faces a high hurdle even at the starting gate” and would need to “plead with particularity” the “special circumstances” that warrant a waiver and explain how granting a waiver would serve the public interest.)

    52. The Commission makes clear that it does not require the gateway provider to identify the caller or originating provider within this 24-hour response period except in the case where the originating provider is the provider from which the gateway provider received the call. Some commenters appear concerned that this rule would require them to trace a call back to the point of origination, or, at least, through several hops. One commenter points to the “need to obtain information from several other carriers located in foreign countries,” while another mentions the need for “detailed investigations.” The Commission requires the gateway provider to respond with information only about the provider from which it directly received the call. (An appropriate response would include the identity of the upstream provider, as well as, for example, the country, a complete address, contact information for the provider, and a link to that provider's Robocall Mitigation Database filing.)

    53. The Commission also encourages gateway providers to determine whether their relationship with upstream providers should change to better facilitate traceback. (For example, a gateway provider may conduct such an investigation as part of compliance with the “know your upstream provider” obligation discussed below, which does not have a 24-hour requirement.) The Commission sees no reason that a gateway provider should not be able to identify the immediate upstream provider from its records and respond to the traceback request without further investigation. In fact, one commenter indicated that it currently automates response to traceback.

    54. Compliance Deadline. The Commission requires gateway providers to comply with this requirement no later than 30 days after publication of notice of OMB approval under the PRA. This allows gateway providers sufficient time to update their processes and come into compliance with the rule.

    2. Mandatory Blocking

    55. The Commission adopts some, but not all, of the mandatory blocking proposals it sought comment on in the Gateway Provider FNPRM. First, the Commission requires gateway providers to block, rather than simply effectively mitigate, illegal traffic when notified of such traffic by the Commission, and it requires providers immediately downstream from the gateway provider to block all traffic from an identified gateway provider that has failed to meet its blocking obligation upon Commission notification. Second, it requires gateway providers to block calls based on any reasonable DNO list. Third, it declines at this time to require gateway providers to block calls based on reasonable analytics. Finally, the Commission addresses related issues including requests for a safe harbor, as well as transparency and redress.

    56. The Commission find that the mandatory blocking requirements it adopts, along with the appropriate procedural safeguards described herein, strike an appropriate balance between the benefit of blocking calls likely to be illegal with the risk of blocking lawful calls. The Commission acknowledges that this represents a shift, at least in part, from the Commission's previous approach of permitting, rather than mandating, blocking. The Commission agrees that “[b]locking calls is a serious and complicated action that must be precisely and judiciously applied to avoid blocking lawful traffic.” However, the Commission disagrees with commenters that argue mandatory blocking requirements are generally inappropriate. The Commission's existing permissive blocking rules are still in effect; it encourages providers to make use of permissive blocking, where available, to protect American consumers from unwanted and illegal calls. The rules the Commission adopts narrowly target the most obvious foreign-originated illegal calls, including those calls that have already been determined to be illegal, and enlist gateway providers into the fight to block these calls before they enter the U.S. telephone network.

    a. Blocking Following Commission Notification

    57. The Commission adopts two of its proposals from the Gateway Provider FNPRM. First, the Commission requires gateway providers to block, rather than Start Printed Page 42925 effectively mitigate, illegal traffic when notified of such traffic by the Commission. Second, it requires providers immediately downstream from a gateway provider to block all traffic from the identified provider when notified by the Commission that the gateway provider failed meet its obligation to block illegal traffic. To ensure that gateway providers are afforded sufficient due process prior to downstream providers blocking all traffic from them, the Commission adopts a clear process that allows ample time for the notified gateway provider to remedy the problem and demonstrate that it can be a good actor in the calling ecosystem before the Commission directs downstream providers to begin blocking. This process, laid out in greater detail below, includes the following steps: (1) the Enforcement Bureau shall provide the gateway provider with an initial Notification of Suspected Illegal Traffic; (2) the gateway provider shall be granted time to investigate and act upon that notice; (3) if the gateway provider fails to respond or its response is deemed insufficient, the Enforcement Bureau shall issue an Initial Determination Order, providing a final opportunity for the gateway provider to respond and; (4) if the gateway provider fails to respond or that response is deemed insufficient, the Enforcement Bureau shall issue a Final Determination Order, directing downstream providers to block all traffic from the identified provider.

    58. Gateway Provider Blocking Following Commission Notification of Suspected Illegal Traffic. The Commission first adopts its proposal to require gateway providers to block, rather than simply effectively mitigate, illegal traffic when notified of such traffic by the Commission. In order to comply with this requirement, gateway providers must block traffic that is substantially similar to the identified traffic on an ongoing basis. As with the existing requirement for providers to take steps to effectively mitigate illegal traffic when notified, the Commission directs the Commission's Enforcement Bureau to identify suspected illegal calls and provide written notice to gateway providers that clearly indicates that the provider must comply with 47 CFR 64.1200(n)(5).

    59. The Commission agrees with commenters that this blocking will help protect American consumers by ensuring less illegal traffic reaches their phones. An affirmative obligation for gateway providers to block upon Commission notification ensures greater protection than an “effective mitigation” requirement. This is particularly true because gateway providers, by definition, are intermediate providers and are thus a step removed from the caller, limiting their available effective mitigation options.

    60. The Commission therefore disagrees with commenters that urge it to rely on the existing requirement to effectively mitigate this traffic rather than to adopt this enhanced requirement. The Commission also disagrees with providers that a separate set of obligations when acting as a gateway provider complicates or increases the burden of compliance because providers cannot easily determine if they are acting as a gateway provider for a particular call. Here, per the process described below, the Enforcement Bureau makes the initial determination of whether the provider is acting as a gateway provider. (A provider determines whether it is a “gateway provider” on a call-by-call basis. A provider may be a gateway provider for some of the calls in the identified traffic and a non-gateway originating provider, non-gateway intermediate provider, or non-gateway terminating provider for other calls in the identified traffic. If the provider is the gateway provider for any of the calls in the traffic identified in the Notification of Suspected Illegal Traffic, the provider must block all traffic that is substantially similar to the identified traffic, regardless of whether the provider is a gateway provider for any particular call.) If the gateway provider is not directed to comply with 47 CFR 64.1200(n)(5), but rather with 47 CFR 64.1200(n)(2), then that provider will not be in violation of the Commission's rules for effectively mitigating, rather than blocking, illegal traffic, regardless of its position in the call path for a particular call.

    61. Downstream Provider Blocking When Gateway Provider Fails to Comply with Blocking Requirement. The Commission adopts its proposal requiring providers immediately downstream from a gateway provider to block all traffic from the identified provider when notified by the Commission that the gateway provider failed to block. If the Enforcement Bureau determines a gateway provider fails to satisfy 47 CFR 64.1200(n)(5), it shall publish and release an Initial Determination Order as described below giving the provider a final opportunity to respond to the Enforcement Bureau's initial determination. If the Enforcement Bureau determines that the identified gateway provider continues to violate its obligations, the Enforcement Bureau shall release and publish a Final Determination Order in EB Docket No. 22-174 to direct downstream providers to both block and cease accepting all traffic they receive directly from the identified gateway provider starting 30 days from the release date of the Final Determination Order. (Ignorance of a Final Determination Order's release is not sufficient reason for a downstream provider to fail to block all traffic from the gateway provider unless such Order is not posted in EB 22-174.)

    62. The Commission agrees with several commenters that support this requirement and disagree with the lone commenter that objects to this mandate. The Commission finds that this requirement is an appropriate and proportional response where a gateway provider actively and willfully refuses to be a good actor in the calling ecosystem. Blocking all traffic from a particular provider is a dramatic step that will likely also block some lawful traffic but is justified by the need to protect consumers from foreign-originated illegal robocalls. Lawful traffic can then be routed through other gateway providers that comply with the Commission's rules.

    63. Process for Issuing a Notification of Suspected Illegal Traffic. The Enforcement Bureau shall make an initial determination that the provider is a gateway provider for suspected illegal traffic and notify the provider by issuing a written Notification of Suspected Illegal Traffic. The Notification of Suspected Illegal Traffic shall: (1) identify with as much particularity as possible the suspected illegal traffic; (2) provide the basis for the Enforcement Bureau's reasonable belief that the identified traffic is unlawful (the notice should include any relevant nonconfidential evidence from credible sources such as the industry traceback consortium or law enforcement agencies); (3) cite the statutory or regulatory provisions the suspected illegal traffic appears to violate; and (4) direct the provider receiving the notice that it must comply with § 64.1200(n)(5) of the Commission's rules.

    64. The Enforcement Bureau's Notification of Suspected Illegal Traffic shall specify a timeframe of no fewer than 14 days for an identified gateway provider to complete its investigation and report its results. Upon receiving such notice, the gateway provider must promptly investigate the traffic identified in the notice and begin blocking the identified traffic within the timeframe specified in the Notification of Suspected Illegal Traffic unless its investigation determines that the traffic is legal. Start Printed Page 42926

    65. The Commission makes clear that the requirement to block on an ongoing basis is not tied to the number in the caller ID field or any other single criterion. Instead, the Commission requires the identified provider to block on a continuing basis any traffic that is substantially similar to the identified traffic and provide the Enforcement Bureau with a plan as to how it expects to do so. The Commission does not define “substantially similar traffic” in any detail here because that will be a case-specific determination based on the traffic at issue. The Commission declines to limit the scope of “substantially similar traffic” to only “traffic sent by the upstream entity that was responsible for sending the illegal robocall traffic that triggered the Commission's notification.” While gateway providers may propose such a limitation in the blocking plan they submit to the Enforcement Bureau, the Commission does not find that such a limitation is appropriate in all instances. In particular, such a limitation could make it easy for a bad actor to circumvent blocking by simply routing their traffic through multiple upstream providers. The Commission is also concerned that a detailed definition could allow bad actors to circumvent this blocking by providing a roadmap as to how to avoid detection. Additionally, the Commission notes that each calling campaign will have unique qualities that are better addressed on a case-by-case basis, where the analytics used can be tailored to the particular campaign at issue. The Commission nevertheless encourages gateway providers to consider common indicia of illegal calls such as call duration; call completion ratios; large bursts of calls in a short time frame; neighbor spoofing patterns; and sequential dialing patterns. The Commission makes clear that these are not the only criteria that the gateway provider may consider in developing its plan, and that not all criteria may be relevant in all situations. Gateway providers will have flexibility to determine the correct approach for each particular case, but a gateway provider must provide a detailed plan in its response to the Enforcement Bureau so that the Bureau can assess the plan's sufficiency. If the Enforcement Bureau determines that the plan is insufficient, it shall provide the gateway provider an opportunity to remedy the deficiencies prior to taking further action. The Commission will consider the identified provider to be in compliance with its mandatory blocking rule if it blocks traffic in accordance with its approved plan. However, the Commission makes clear that the Enforcement Bureau may require the identified provider to modify its approved plan if it determines that the identified provider is not blocking substantially similar traffic. Additionally, if the Enforcement Bureau finds, based on the evidence, that the identified provider continues to allow suspected illegal traffic onto the U.S. network, it may proceed to an Initial Determination Order or Final Determination Order, as appropriate. Finally, the Commission adopts a limited safe harbor from liability under the Communications Act or its rules for gateway providers that inadvertently block lawful traffic as part of the requirement to block substantially similar traffic in accordance with the gateway provider's approved plan. While the Commission agrees that a safe harbor for inadvertent over-blocking is warranted, it declines to provide a safe harbor for under-blocking within this rule. A gateway provider that is under-blocking and not fully cooperating with the Enforcement Bureau to address the issue should not be granted protection from liability under the very rule with which it fails to comply.

    66. Gateway Provider Investigation. Each notified provider must investigate the identified traffic and report the results of its investigation to the Enforcement Bureau in the timeframe specified in the Notification of Suspected Illegal Traffic. If the provider's investigation determines that it served as the gateway provider for the identified traffic, it must block the identified traffic within the timeframe specified in the Notification of Suspected Illegal Traffic (unless its investigation determines that the traffic is not illegal) and include in its report to the Enforcement Bureau: (1) a certification that it is blocking the identified traffic and will continue to do so; and (2) a description of its plan to identify and block substantially similar traffic on an ongoing basis. If the provider's investigation determines that the identified traffic is not illegal, it shall provide an explanation as to why the provider reasonably concluded that the identified traffic is not illegal and what steps it took to reach that conclusion. Absent such a showing, or the Enforcement Bureau determines based on the evidence that the traffic is illegal despite the provider's assertions, the identified traffic will be deemed illegal. If a provider's investigation determines it did not serve as a gateway provider for any of the identified traffic, its report shall provide an explanation as to how it reached that conclusion and, if it is a non-gateway intermediate or terminating provider for the identified traffic, the provider must identify the upstream provider(s) from which it received the identified traffic and, if possible, take lawful steps to mitigate this traffic. (Such steps could include, for example, enforcing contract terms, or blocking the calls from bad actor providers consistent with the safe harbor found in 47 CFR 64.1200(k)(4).) If the notified provider determines that it is the originating provider for the identified traffic, or the traffic otherwise comes from a source that does not have direct access to the U.S. public switched telephone network, the notified provider must comply with 47 CFR 64.1200(n)(2) by effectively mitigating the identified traffic and report to the Enforcement Bureau any steps the provider has taken to effectively mitigate the identified traffic. If the gateway provider determines that the traffic is not illegal, it must inform the Enforcement Bureau and explain its conclusion within the specified timeframe.

    67. Process for Issuing an Initial Determination Order. If the gateway provider fails to respond to the notice within the specified timeframe, the Enforcement Bureau determines that the response is insufficient, the Enforcement Bureau determines that the gateway provider is continuing to allow substantially similar traffic onto the U.S. network, or the Enforcement Bureau determines based on the evidence that the traffic is illegal despite the provider's assertions, the Enforcement Bureau shall issue an Initial Determination Order to the gateway provider stating its determination that the gateway provider is not in compliance with 47 CFR 64.1200(n)(5). This Initial Determination Order must include the Enforcement Bureau's reasoning for its determination and give the gateway provider a minimum of 14 days to provide a final response prior to the Enforcement Bureau's final determination as to whether the gateway provider is in compliance with 47 CFR 64.1200(n)(5).

    68. Process for Issuing a Final Determination Order. If the gateway provider does not provide an adequate response to the Initial Determination Order or continues to allow substantially similar traffic onto the U.S. network, or the Enforcement Bureau determines based on the evidence that the traffic is illegal despite the provider's assertions, the Enforcement Bureau shall issue a Final Determination Order. The Enforcement Bureau shall publish the Final Determination Order in EB Docket No. 22-174 to direct downstream providers Start Printed Page 42927 to both block and cease accepting all traffic they receive directly from the identified gateway provider starting 14 days from the release date of the Final Determination Order. This Final Determination Order may be adopted up to one year after the release date of the Initial Determination Order and may be based on either an immediate failure to comply with 47 CFR 64.1200(n)(5) or a determination that the gateway provider has failed to meet its ongoing obligation to block substantially similar traffic under that rule.

    69. Each Final Determination Order shall state the grounds for the Bureau's determination that the gateway provider has failed to comply with its obligation to block illegal traffic and direct downstream providers to initiate blocking 14 days from the release date of the Final Determination Order. A provider that chooses to initiate blocking sooner than 14 days from the release date may do so consistent with the Commission's existing safe harbor in 47 CFR 64.1200(k)(4).

    b. Do-Not-Originate

    70. The Commission further requires gateway providers to block calls based on a reasonable DNO list. A “DNO list” is a list of numbers that should never be used to originate calls, and therefore any calls that include a listed number in the caller ID field can be blocked. The Commission declines to mandate the use of a specific list, but allow gateway providers to use any DNO list so long as the list is reasonable. The Commission declines to mandate the use of a specific list, but gateway providers must use at least one DNO list, so long as the list is reasonable. Such a list may include only invalid, unallocated, and unused numbers, as well as numbers for which the subscriber to the number has requested blocking.

    71. Reasonable DNO lists may include only the listed categories of numbers described in the preceding paragraph, but the Commission does not require that such DNO lists include all possible covered numbers in order to be reasonable. In particular, the Commission recognizes that unused numbers may be difficult to identify, and that a reasonable list may err on the side of caution. The Commission makes clear, however, that a list so limited in scope that it leaves out obvious numbers that could be included with little effort may be deemed unreasonable.

    72. In the 2017 Call Blocking Order, 82 FR 44118 (Sept. 21, 2017), the Commission specifically found that, where the subscriber to the originating number requests blocking, calls purporting to be from that number are “highly likely to be illegal and to violate the Commission's anti-spoofing rule, with the potential to cause harm defraud, or wrongfully obtain something of value.” Spoofing of this sort is particularly damaging as it can be used to foster consumer trust and bolster imposter scams. Therefore, the Commission finds that a reasonable list would need to include, at a minimum, any inbound-only government numbers where the government entity has requested the number be included. It must additionally include private inbound-only numbers that have been used in imposter scams, when a request is made by the private entity assigned such a number. (The current list maintained by the Industry Traceback Group is reasonable. The Commission declines, however, to deem that list “presumptively reasonable” as NCTA-The internet & Television Association suggests. While the Commission agrees that the list, as it currently stands “would advance the Commission's goal of reducing harmful spoofing and imposter scams,” it is concerned that deeming it “presumptively reasonable” does not account for the fact that the list is not under Commission control and could be modified, or no longer updated, at any time without Commission input.) In either scenario, the provider or the third party that manages the DNO list may impose reasonable requirements on including the numbers, such as requiring that the number is currently being spoofed at a substantial volume. (Multiple parties requested this or a similar clarification, to address concerns that some switches may have limits on the total amount of numbers that can be blocked.) Gateway providers, or those managing such a list on behalf of gateway providers, should ensure that entities can reasonably request inclusion on the list.

    73. The Commission agrees with commenters that support a DNO mandate. The Commission further agrees with one commenter that urged the Commission to look to existing DNO lists for this purpose. While the Commission do not endorse a specific list, it encourages industry to either make use of existing tools or develop new ones to serve this purpose. Gateway providers may choose the list that works best for their networks so long as that list is reasonable. Because the Commission finds that a single, centralized list is not the correct approach, it declines to develop a “high availability application or online tool” as one commenter suggests. The Commission is concerned that a centralized list could present security concerns and allow bad actors to circumvent blocking by providing a clear list of numbers to avoid spoofing. (In some instances, there is still value in a DNO list even when bad actors know what numbers are included. For example, consumer trust may increase when the caller cannot spoof a known number associated with the caller the bad actor is attempting to impersonate. A non-public list, at a minimum, slows bad actors in their efforts to switch numbers and prevents some calls from reaching consumers.)

    74. The Commission disagrees with the commenter that argued the mandate is unnecessary because many providers already use a DNO list to block calls. The Commission recognizes that providers have used DNO lists to reduce the number of illegal calls that reach consumers, and the Commission applauds these industry efforts. The Commission finds that enlisting all gateway providers in this effort will further reduce the risk of illegal calls reaching consumers. There is no legitimate reason for the caller to use numbers that appear on a DNO list. Therefore, these calls, if they reach even a single consumer, cause harm. The Commission also declines to deem gateway providers in compliance with this requirement if they have implemented a reasonable DNO in some parts of their network but not at the gateway. The intent of this rule is to stop foreign-originated illegal calls from entering the U.S. network at all. If these calls are not stopped at the gateway, there is a risk that they will not be blocked at all and will therefore reach consumers.

    c. No Analytics-Based Call Blocking Mandate

    75. The Commission declines at this time to require gateway providers to block calls that are highly likely to be illegal based on reasonable analytics. The Commission agrees with commenters' concerns regarding mandating such blocking. Additionally, the Commission finds that many of the arguments against mandatory blocking generally, while not persuasive in the context of other rules the Commission adopts, are persuasive in this context. An analytics-based blocking mandate would require the Commission to more strictly define “reasonable analytics” in order for gateway providers to be certain that they are in compliance with a mandatory blocking rule. To do so may be counter-productive and prevent providers from responding to evolving threats. The Commission is also concerned that providing a strict Start Printed Page 42928 definition, while certainly valuable to lawful callers, could potentially provide a road map bad actors could use to circumvent blocking. These concerns, coupled with the need for truly robust redress mechanisms for callers when the blocking is not initiated by the consumer and therefore cannot be corrected by the consumer, support the Commission's decision not to require such blocking at this time. (Several commenters, while objecting to a blocking mandate, urged the Commission to extend its safe harbor for blocking based on reasonable analytics to all providers in the call path, either in conjunction with a mandate or as an alternative. Because the Commission does not adopt such a mandate, it declines to reach the question of whether a safe harbor would be a necessary part of such a requirement. At this time, the Commission also declines to consider further extending the safe harbor absent such a mandate, as such an extension would be outside the scope of this document).

    d. No Blocking Safe Harbor

    76. Except as described above, the Commission declines to adopt a safe harbor for providers that block consistent with the rules the Commission adopts. Several comments addressing safe harbors focused on blocking based on reasonable analytics, and in some cases on extending the Commission's existing safe harbor instead of mandating blocking. The Commission does not adopt a reasonable analytics blocking mandate, and extending the existing safe harbor is outside of the scope of this document. Other comments did support a safe harbor more broadly, without tying the request to reasonable analytics. However, the Commission finds that the rules it adopts remove the need for such a safe harbor. In the case of blocking based on Commission notification, there is no need for a safe harbor where there is a clear Commission directive to block particular traffic directed at an individual provider. Nor is a safe harbor necessary for the downstream provider blocking requirement because the immediate downstream provider is required to block all traffic from the identified provider, regardless of whether that provider is a gateway provider for the particular traffic. There is no judgment call for a provider to make that could require a safe harbor. The Commission declines CTIA's request to establish a safe harbor is necessary for blocking based on a reasonable DNO list. First, providers have been permitted to engage in this type of blocking since 2017, and no commenter has pointed to any liability issues regarding over-blocking in this context. A gateway provider that is concerned about the possibility that they may not be able to keep a list containing unallocated or unused numbers fully up to date is not required to include those numbers on the list; while these numbers may be included, they are not mandatory. Providers that are concerned about possible under-blocking should take steps to ensure they are making use of a reasonable DNO list, and the Commission sees no reason to provide additional protection.

    e. Protections for Lawful Calls

    77. Consistent with the Commission's existing blocking rules, gateway providers must never block emergency calls to 911 and must make all reasonable efforts to ensure that calls from PSAPs and Government emergency numbers are not blocked. The Commission declines to adopt additional transparency and redress requirements at this time or extend any other existing requirements that would not already apply to the blocking mandates the Commission adopts. The new mandatory blocking rules either require the Commission to direct blocking, in which case the blocking provider is not in a position to provide redress, or target categories of calls that have been permissible to block since 2017. Some commenters expressed concerns about transparency and redress. The Commission recognizes some concerns regarding the potential for lawful calls to be blocked are valid, such as when a provider relies on analytics to make blocking decisions. These concerns do not apply here, however, where blocking is either at the direction of the Commission or based on a reasonable DNO list.

    f. Compliance Deadline

    78. The Commission requires gateway and downstream providers to comply with the requirements to block upon Commission notification no later than 60 days after publication of this document in the Federal Register . Additionally, the Commission requires gateway providers to comply with the DNO blocking requirement no later than 30 days after publication of notice of OMB approval under PRA. The Commission finds that requiring gateway providers to comply with these rules quickly imposes a minimal burden. In the case of blocking upon Commission notification, gateway providers need not make any changes to their processes prior to receipt of such a notification, and the Commission allows time for a gateway provider to comply following that notification. The Commission acknowledges that gateway providers that do not already block based on a DNO list may need to identify or develop such a list in order to comply with that particular requirement. However, the PRA approval process gives providers ample time to do so, and providers may use one of the existing DNO lists to meet this requirement with minimal burden.

    3. “Know Your Upstream Provider”

    79. The Commission adopts a modified version of its proposal to require gateway providers to “know the customer.” Recognizing the difficulty posed by a requirement for gateway providers to know information about the caller, who is likely not their customer and with whom they have no relationship, the Commission instead requires gateway providers to “know” the immediate upstream foreign provider from which they receive traffic with U.S. numbers in the caller ID field. Specifically, the Commission requires gateway providers to take reasonable and effective steps to ensure that the immediate upstream foreign provider is not using the gateway provider to carry or process a high volume of illegal traffic onto the U.S. network.

    80. The record supports deeming the immediate upstream foreign provider as “customer” for these purposes, rather than the caller. Though one commenter favored adopting its original proposal, the Commission agrees with other commenters that it would be difficult, if not impossible, for gateway providers to routinely confirm that a particular caller is authorized to use a U.S. number. By definition, a gateway provider is an intermediate provider and is thus at least one step removed from the caller. By contrast, the gateway provider must have a direct relationship with the upstream foreign provider from which it accepts traffic, which allows the gateway provider to “know” that upstream provider. This approach best balances the benefit of holding gateway providers responsible for calls they allow into the U.S. network with the difficulty of determining information about a caller that may be several hops away from the gateway.

    81. The Commission agrees with the commenter that argues that the Commission's existing, flexible approach to know-your-customer requirements, rather than specific mandates, is appropriate in the gateway context. The Commission does not mandate the steps gateway providers must take in order to “know” the upstream foreign provider. Instead, the Commission allows gateway providers Start Printed Page 42929 the flexibility to determine the exact measures to take, including whether to adopt contractual provisions with their upstream providers to meet this obligation, and the contours of any such provisions. (The Commission notes that several commenters argued contract terms can be a valuable way of meeting a know-your-customer obligation and mitigating robocalls.) This approach is consistent with the Commission's existing requirement for originating providers to implement effective measures to prevent new and renewing customers from originating illegal calls, and allows each gateway provider to determine the best approach for its network and customers. (For the same reason, the Commission does not require gateway providers to enter into contractual provisions with their upstream provider to meet this know-your-upstream-provider requirement or any other new requirements the Commission adopts. However, gateway providers must explain the steps they have taken to meet their know-your-upstream-provider obligation in their Robocall Mitigation Database certification.) The Commission make clear, however, that gateway providers must take effective steps. If a gateway provider repeatedly allows a high volume of illegal traffic onto the U.S. network, the steps that provider has taken are not effective and must be modified for that provider to be in compliance with the Commission's rules.

    82. The Commission recognizes concerns about the effectiveness of such a requirement, since the foreign provider upstream of the gateway may not be the source of the calls. The Commission agrees that the ideal approach would be for any obligation to fall to the originating provider, as in the Commission's existing rules. Unfortunately, in the case of foreign-originated calls, the Commission faces substantial difficulties in enforcing such an obligation on the foreign originating provider. (Due to this jurisdictional issue, the Commission imposes this obligation on the gateway provider as the first U.S.-based provider in the call path.) The Commission recognizes that gateway providers cannot prevent all instances of illegal calls from entering the U.S. network. In particular, a gateway provider's previously effective steps may become unexpectedly ineffective due to changes in factors outside of the gateway provider's control, particularly when the gateway provider is multiple hops from the call originator. (The Commission further acknowledges that, no matter how effective a gateway provider's methods are, some illegal calls may make up a portion of the traffic that it originates onto the U.S. network, and make clear that the fact that some illegal calls evade detection does not necessarily make a gateway provider's methods ineffective. The Commission therefore agrees with parties that asked it to clarify that “occasionally serving as a gateway provider for illegal robocalls, particularly where those illegal calls are an insignificant fraction of that provider's traffic, does not inherently make the provider's practices ineffective.” The Commission declines, however, to adopt the specific language proposed by the INCOMPAS et al. May 6 Ex Parte. The Commission makes clear, however, that a “high volume of illegal traffic” is a relative measure that is determined, in part, by what percentage of the traffic for which the provider is a gateway provider is illegal.) The Commission therefore reiterates that, as with its existing rule, it does not expect perfection. The Commission does require gateway providers to take reasonable steps, and it encourages gateway providers to regularly evaluate and adjust their approach so that they remain reasonable and effective. (Reasonable steps may include, but are not limited to, investigation of the practices of the upstream provider, modification of contracts to allow termination where issues arise, and/or monitoring incoming traffic for issues on an ongoing, proactive, basis.)

    83. Because the Commission does not adopt the exact proposal in the Gateway Provider FNPRM, it declines to address roaming or adopt a carve-out for emergency calls. (The Commission further address roaming traffic in the accompanying FNPRM. ) The rule the Commission adopts does not require gateway providers to block calls when they cannot confirm that the caller is authorized to use a particular U.S. number in the caller ID field, and therefore is unlikely to have detrimental effect on roaming or emergency traffic. The Commission also declines to adopt alternative proposals in the record that fall outside the scope of this document, including YouMail's proposal for post-contracting know-your-customer, i3forum's “know your traffic” proposal, or ZipDX's proposal to expand the requirement to cover all high-volume, non-conversational traffic even when such traffic is not foreign originated.

    84. Compliance Deadline. The Commission requires gateway providers to comply with this rule no later than 180 days after publication of this document in the Federal Register . The Commission agrees with the commenter that argued that requiring compliance 30 days after publication may be insufficient for such a requirement. Allowing 180 days after publication ensures that gateway providers have sufficient time to develop effective systems and make any modifications to their networks or practices to implement these measures.

    4. General Mitigation Standard

    85. In addition to the specific mitigation requirements that the Commission adopts above, it also requires gateway providers to meet a general obligation to mitigate illegal robocalls regardless of whether they have fully implemented STIR/SHAKEN on the IP portions of their network. The Commission takes this step now because of the unique and key role that gateway providers play in the call path. Specifically, the Commission now requires all gateway providers to take “reasonable steps to avoid carrying or processing illegal robocall traffic.” The Commission does not require that the gateway provider take specific steps to meet this standard, in line with the existing requirement for voice service providers. The majority of commenters support the adoption of a general mitigation standard for gateway providers.

    86. As with voice service providers subject to the “reasonable steps” standard, gateway providers must also implement a robocall mitigation program and, as explained above, file that plan along with a certification in the Robocall Mitigation Database. The record reflects significant support for adopting, at a minimum, a mitigation duty for gateway providers in addition to requiring them to submit a certification to the Robocall Mitigation Database. The Commission therefore adopts, consistent with its proposal, a mitigation duty for gateway providers that closely tracks the analogous rule for voice service providers. Specifically, a gateway provider's plan is “sufficient if it includes detailed practices that can reasonably be expected to significantly reduce the [carrying or processing] of illegal robocalls.” Moreover, a gateway provider “must comply with the practices” that its plan requires, and its program is insufficient if the gateway provider “knowingly or through negligence [carries or processes calls] for unlawful robocall campaigns.”

    87. The Commission requires gateway providers to mitigate traffic under the “reasonable steps” standard even if they have implemented STIR/SHAKEN for several reasons. First, the Commission notes the strong support in the record Start Printed Page 42930 for requiring gateway provider mitigation, regardless of their STIR/SHAKEN status, with certain commenters explicitly advocating for both gateway provider authentication and mitigation. Commenters agree that gateway providers are uniquely positioned to stop the entry of robocalls into this country, increasing the importance of strong mitigation.

    88. Second, both the current record and the experience since the Second Caller ID Authentication Report and Order have shown that while STIR/SHAKEN is an effective tool to stop illegal robocalls, it is not a “silver bullet,” particularly in those cases where a robocaller is using a properly assigned telephone number. Providers, especially gateway providers serving as the entry point to the U.S. marketplace, can and must do more to stop robocalls. This is particularly the case while STIR/SHAKEN mandates by foreign governments and implementation by foreign providers remain limited.

    89. Finally, the Commission anticipates that a general mitigation duty applicable to all gateway providers regardless of whether they have implemented STIR/SHAKEN will “provide a valuable backstop” to the other obligations the Commission adopts because call blocking, and traceback based on notice “cannot take the place of the proactive dut[y] to mitigate harmful traffic.” For all these reasons, the Commission disagrees with INCOMPAS and T-Mobile that it should not impose mitigation obligations on gateway providers that have implemented STIR/SHAKEN and find that requiring gateway providers that have implemented STIR/SHAKEN to also meet the Commission's “reasonable steps” mitigation standard “would be an efficient use of their resources.” The Commission does not adopt an alternative mitigation standard for gateway providers including a requirement proposed in the Gateway Provider FNPRM based on the existing duty for providers to take “affirmative, effective measures to prevent new and renewing customers from using their network to originate illegal calls.” The Commission notes, however, that under the rules it adopts, gateway providers must also comply with the “know-your-upstream-provider standard, and steps a gateway provider takes to meet one standard could meet the other, and vice versa.

    90. The Commission concludes that gateway providers' key role in facilitating the transmission of foreign-originated robocalls to U.S. consumers warrants imposing the “reasonable steps” mitigation duty on these providers without delay. While several commenters argue in the record for adopting more specific and broader duties on all domestic providers, the Commission leaves open for consideration such an expansion in the accompanying FNPRM. For example, it does not at this time require gateway providers to take specific actions to meet the “reasonable steps” standard. Nor does it require voice service providers or other intermediate providers to comply with the unique requirements it adopts for gateway providers, including the obligation to meet a general mitigation obligation even if they have fully implemented STIR/SHAKEN. Given the scope of the Gateway Provider FNPRM and the limited record evidence submitted regarding specific proposals, the Commission does not take these additional steps at this time.

    91. Compliance Deadline. The Commission requires gateway providers to comply with the “reasonable steps” standard within 30 days of the effective date of this document. The Commission concludes that this is an appropriate period because the Commission does not mandate specific steps that gateway providers must take to meet this requirement other than submitting a certification to the Robocall Mitigation Database, and many gateway providers are already mitigating illegal call traffic. The compliance date for the requirement to submit a certification and mitigation plan to the Robocall Mitigation Database is 30 days following Federal Register notice of OMB approval of the relevant information collection requirements, and the Commission expects providers to refine their “reasonable steps” in light of additional time and marketplace developments prior to submission into the Robocall Mitigation Database.

    F. Summary of Cost Benefit Analysis

    92. The Commission finds that the benefits of the rules it adopts will greatly outweigh the costs imposed on gateway providers. The Commission sought comment on its belief that the proposed rules, viewed collectively, would account for a large share of the annual $13.5 billion minimum benefit the Commission originally estimated in the First Caller ID Authentication Report and Order, 85 FR 22029 (April 21, 2020), and FNPRM, 85 FR 22099 (April 21, 2022), because of the large share of illegal calls originating outside of the United States. While some commenters argue that the individual requirements may not provide substantial benefit taken individually or that there is no benefit to imposing obligations solely on gateway providers, others agree that the requirements the Commission adopts will benefit consumers and the calling ecosystem. The Commission finds that these requirements, taken together, will achieve a large share of the annual $13.5 billion minimum benefit. In addition, the Commission finds that there are many additional, non-quantifiable benefits from these rules, including restoring confidence in the U.S. telephone network and reliable access to the emergency and healthcare communications that save lives, reduce human suffering, and prevent the loss of property.

    93. The Commission finds that the costs imposed on gateway providers are, in many instances, minimal and in all cases do not exceed the benefits. For example, a number of gateway providers are already required to implement STIR/SHAKEN in some portions of their networks because they do not solely act as gateway or intermediate providers, but may also serve as originating or terminating providers for some calls. In these cases, the additional burden to implement STIR/SHAKEN where a provider is acting as a gateway provider may be limited and has declined over time. Similarly, requiring gateway providers to block, rather than effectively mitigate, illegal traffic when notified by the Commission does not represent a burden increase, and in some cases may even be a burden decrease by eliminating the need to determine what mitigation is effective in a particular instance. As explained, the Commission disagrees with the burden estimates proffered by some commenters. However, even if the Commission does credit those claims, the expected minimum benefit is, as explained, so large that it will greatly outweigh the expected burden. (Contrary to USTelecom's assertion, the Commission does not take the position that it “can adopt any individual regulation to fight illegal robocalls, no matter the cost or benefit of that particular regulation, as long as the aggregate cost of requirements is less than $13.5 billion.” Rather, the Commission concludes that the requirements it adopts here will result in a “large share” of the $13.5 billion annual projected benefits from eliminating illegal robocalls, and no party has asserted that the purported costs of any or all of these regulations would cost either in one year or over several years a “large share” of $13.5 billion.)

    94. Moreover, although the rules the Commission adopts will impose higher short-term costs on gateway providers Start Printed Page 42931 for implementation, it finds that they will lead to lower long-term costs. Specifically, the Commission finds that an overall reduction in illegal robocalls will greatly lower network costs for the gateway providers and other domestic service providers by eliminating both the unwanted traffic congestion and labor costs of handling numerous customer complaints, and by enabling those providers to trace calls back to the originator more quickly and efficiently.

    G. Legal Authority

    95. Consistent with its proposals, the Commission adopts the foregoing obligations pursuant to the legal authority the Commission relied on in prior caller ID authentication and call blocking orders. The Commission notes that no commenter questioned its proposed legal authority. (USTelecom suggests that because C-level attestations are “untethered to the call authentication goal,” the TRACED Act does not provide authority to adopt a gateway provider authentication requirement. But USTelecom's argument is inapposite because the Commission does not rely on the TRACED Act for its authority to impose this obligation, and USTelecom does not assert that the Commission otherwise lacks authority to impose a gateway provider authentication obligation.)

    96. Caller ID Authentication. The Commission finds authority to impose caller ID authentication obligations on gateway providers under section 251(e) of the Communications Act of 1934 (the Act) and the Truth in Caller ID Act. In the Second Caller ID Authentication Report and Order, the Commission found it had the authority to impose caller ID authentication obligations on intermediate providers under these provisions. It reasoned that “[c]alls that transit the networks of intermediate providers with illegally spoofed caller ID are exploiting numbering resources” and so found authority under section 251(e). It found “additional, independent authority under the Truth in Caller ID Act” on the basis that such rules were necessary to “prevent . . . unlawful acts and to protect voice service subscribers from scammers and bad actors,” stressing that intermediate providers “play an integral role in the success of STIR/SHAKEN across the voice network.” While the Second Caller ID Authentication Report and Order did not specifically discuss gateway providers, the Commission uses the same legal authority to impose an authentication obligation on gateway providers because it defines gateway providers as a subset of intermediate providers.

    97. Robocall Mitigation and Call Blocking. The Commission adopts its robocall mitigation and call blocking provisions for gateway providers pursuant to sections 201(b), 202(a), 251(e), the Truth in Caller ID Act, and its ancillary authority, consistent with the authority it invoked to adopt analogous rules.

    98. The Commission concludes that section 251(e) and the Truth in Caller ID Act authorizes it to prohibit intermediate providers and voice service providers from accepting traffic from gateway providers that do not appear in the Robocall Mitigation Database. In the Second Caller ID Authentication Report and Order, the Commission concluded, “section 251(e) gives us authority to prohibit intermediate providers and voice service providers from accepting traffic from both domestic and foreign voice service providers that do not appear in [the Robocall Mitigation Database],” noting that its “exclusive jurisdiction over numbering policy provides authority to take action to prevent the fraudulent abuse of NANP resources.” The Commission observed that “[i]llegally spoofed calls exploit numbering resources whenever they transit any portion of the voice network—including the networks of intermediate providers” and that “preventing such calls from entering an intermediate provider's or terminating voice service provider's network is designed to protect consumers from illegally spoofed calls.” The Commission found that the Truth in Caller ID Act provided additional authority for its actions to protect voice service subscribers from illegally spoofed calls.

    99. The Commission also concludes that sections 201(b), 202(a), and 251(e) of the Act, as well as the Truth in Caller ID Act and its ancillary authority, support the mandatory mitigation and blocking obligations the Commission imposes on gateway providers here. In the Fourth Call Blocking Order, the Commission required providers “to take affirmative, effective measures to prevent new and renewing customers from originating illegal calls,” which includes a duty to “know” their customers. Additionally, the Commission required providers, to “take steps to effectively mitigate illegal traffic when notified by the Commission,” which may require blocking when applied to gateway providers. The Commission also adopted traceback obligations.

    100. The Commission concluded that it had the authority to adopt these requirements pursuant to sections 201(b), 202(a), and 251(e) of the Act, as well as the Truth in Caller ID Act and its ancillary authority. Sections 201(b) and 202(a) provide the Commission with “broad authority to adopt rules governing just and reasonable practices of common carriers.” Accordingly, the Commission found that the new blocking rules were “clearly within the scope of our section 201(b) and 202(a) authority” and “that it is essential that the rules apply to all voice service providers,” applying its ancillary authority in section 4(i). The Commission also found that section 251(e) and the Truth in Caller ID Act provided the basis “to prescribe rules to prevent the unlawful spoofing of caller ID and abuse of NANP resources by all voice service providers,” a category that includes Voice over internet Protocol (VoIP) providers and, in the context of the Commission's call blocking orders, gateway providers. The Commission concludes that the same authority provides a basis to adopt the mitigation and blocking obligations on gateway providers the Commission adopts in this document to the extent that gateway providers are acting as common carriers.

    101. While the Commission concludes that its direct sources of authority provide an ample basis to adopt its proposed rules on all gateway providers, its ancillary authority in section 4(i) provides an independent basis to do so with respect to gateway providers that have not been classified as common carriers. The Commission concludes that the regulations adopted in this document are “reasonably ancillary to the Commission's effective performance of its . . . responsibilities” because gateway providers that interconnect with the public switched telephone network and exchange IP traffic clearly offer “communication by wire and radio.”

    102. Requiring gateway providers to comply with the Commission's proposed rules is reasonably ancillary to the Commission's effective performance of its statutory responsibilities under sections 201(b), 202(a), 251(e), and the Truth in Caller ID Act as described above. With respect to sections 201(b) and 202(a), absent application of the Commission's proposed rules to gateway providers that are not classified as common carriers, originators of international robocalls could circumvent its proposed scheme by sending calls only to such gateway providers to reach the U.S. market.

    103. Indirect Effect on Foreign Service Providers. The Commission confirms its conclusion in the Gateway Provider FNPRM that, to the extent any of the rules it adopts have an effect on foreign Start Printed Page 42932 service providers, that effect is only indirect and therefore consistent with the Commission's authority, and the Commission finds that it does not conflict with any of its international treaty obligations. (The Commission expressly sought comment on “whether any of our proposed rules would be contrary to any of our international treaty obligations.” No commenter identified any international treaty obligations that would be contravened by the Commission's new requirement, nor is the Commission aware of any.) No commenter argues otherwise. In the Second Caller ID Authentication Report and Order, the Commission acknowledged an indirect effect on foreign providers but concluded that it was permissible under Commission precedent affirmed by the courts. This includes the authority, pursuant to section 201, for the Commission to require that U.S. providers modify their contracts with foreign providers with respect to “foreign communication” to ensure that the charges and practices are “just and reasonable,” as the Commission does here. The obligations the Commission adopts only impose such an indirect effect.

    104. Several parties argue that foreign providers may not be able to file in the Robocall Mitigation Database because foreign legal obligations may prevent them from satisfying the traceback obligations imposed on all such filers. (The Commission notes that these obligations arise out of the prohibition established in the Second Caller ID Authentication Report and Order on receiving calls carrying U.S. NANP numbers from foreign providers not listed in the Robocall Mitigation Database.) To the extent that foreign providers face bona fide domestic legal constraints that conflict with any of the certifications or attestations required of Robocall Mitigation Database filers, the Commission clarifies that they may still submit a certification to the Robocall Mitigation Database. The Commission recommends that foreign providers explain any such domestic legal constraints as part of their certification. The Commission directs the Wireline Competition Bureau to make any limited, necessary changes to the Robocall Mitigation Database to ensure that foreign providers are able to provide any necessary explanations.

    II. Order on Reconsideration

    105. In this document, the Commission expands the requirement that voice service providers only accept calls carrying U.S. NANP numbers from foreign-originating providers listed in the Robocall Mitigation Database so that domestic providers may only accept calls carrying U.S. NANP numbers sent directly from foreign-originating or intermediate providers that are listed in the Robocall Mitigation Database, including those that have not been de-listed through enforcement action. (The Commission adopts this change in response to both CTIA's and Voice on the Net Coalition's (VON) Petitions, as well as the Gateway Provider FNPRM, which sought comment on whether to eliminate, retain, or enhance the requirement that voice service providers only accept calls carrying U.S. NANP numbers from foreign providers listed in the Robocall Mitigation Database.) In doing so, the Commission resolves the petitions of CTIA and VON seeking reconsideration of the existing requirement, and end the stay of enforcement of that requirement in the Gateway Provider FNPRM. (The VON Petition also seeks reconsideration of “the requirement in § 64.6305(b)(4) that voice service providers filing certifications provide the name, telephone number and email address of a central point of contact within the company responsible for addressing robocall-mitigation-related issues.” The Commission does not address that issue at this time, but may do so at a later date.)

    A. Ending the Stay of Enforcement and Extending the Requirement To Include Calls Received Directly From Intermediate Foreign Providers

    106. In response to the Gateway Provider FNPRM and the Petitions for Reconsideration filed by CTIA and VON, the Commission has reconsidered the requirement that voice service providers only accept calls carrying U.S. NANP numbers from foreign voice service providers listed in the Robocall Mitigation Database and have concluded that amendment of the initial requirement is necessary to ensure that it more comprehensively protects American consumers from foreign-originated illegal robocalls. The Commission now resumes enforcement of the requirement and expand its scope so that domestic providers now may only accept calls directly from a foreign provider that originates, carries, or processes a call if that foreign provider is registered in the Robocall Mitigation Database and has not been de-listed pursuant to enforcement action. The Commission finds that such an extension of the requirement to include calls received from foreign intermediate providers as well as foreign-originating providers is consistent with the record and will better equip domestic providers to protect American consumers from foreign-originated illegal robocalls without causing widespread disruptions of lawful traffic.

    107. Several commenters support this approach, including CTIA. In its comments, CTIA notes that industry stakeholders have made significant strides in encouraging their foreign partners to implement robocall mitigation programs so that they can register in the Robocall Mitigation Database, with many reporting that “all, or nearly all, of their foreign partners that originate traffic have now registered,” even absent enforcement of the requirement. Indeed, as of May 17, 2022, 875 foreign voice service providers have filed in the Robocall Mitigation Database, out of a total 6,285 voice service provider filings. To further enhance the effectiveness of the Robocall Mitigation Database in protecting against foreign-originated robocalls, CTIA argues that the Commission should clarify that foreign intermediate providers must also implement robocall mitigation programs and certify to such in the database in order for their traffic to be accepted by domestic providers. CTIA notes that promoting robocall mitigation by foreign intermediate providers in this fashion will promote use of the techniques by all entities in the call path and will help protect U.S. networks from illegal traffic.

    108. The Commission agrees with CTIA's conclusions. Given the number of different entities that are typically involved in originating, carrying, processing, and terminating a call, a requirement that applies only to calls received directly from the foreign provider that originated them will capture only a small fraction of the total number of calls that domestic providers accept from foreign providers on a daily basis. To increase the effectiveness of the requirement and to better protect American consumers from foreign-originated illegal robocalls, it is necessary to expand the scope of the requirement to include all calls received directly from a foreign provider that originates, carries, or processes the call in question. This approach obviates the concerns of commenters that a gateway provider likely does not know which provider originated a particular call or where it was originated; it only knows the upstream foreign provider that handed off the call. Indeed, this is one of the reasons the Commission defines “gateway provider” in this document as the U.S.-based intermediate provider that receives a call directly from a foreign originating or foreign intermediate provider at its U.S.-based facilities before transmitting the call Start Printed Page 42933 downstream to another U.S.-based provider.

    109. To ensure that foreign providers have sufficient time to take steps in light of this expanded rule and to facilitate consistent obligations, the Commission will begin enforcing the requirement that providers accept only traffic received directly from foreign providers that originate, carry, or process calls that have filed a certification in the database on the deadline for gateway providers to block traffic sent from foreign providers that originate, carry, or process calls established in this document. That is, enforcement will begin 90 days following the deadline for gateway providers to submit a certification to the Robocall Mitigation Database. This same blocking deadline will also apply to providers to block traffic from foreign intermediate providers that were not subject to the prior blocking rule. The date of this deadline is subject to OMB approval for any new information collection requirements. The Commission concludes that this extended period will provide sufficient time for all affected foreign providers to submit a certification to the Robocall Mitigation Database in order to remain on the Database. For similar reasons, the Commission adds “in the caller ID field” to the expanded rule to clarify the scope of the requirement and make it consistent with the newly adopted blocking obligation for providers receiving calls from gateway providers.

    110. Contrary to the dire outcomes contemplated in CTIA and VON's Petitions discussed below, the requirement that voice service providers only accept calls carrying U.S. NANP numbers from foreign voice service providers listed in the Robocall Mitigation Database has not resulted in mass confusion or a widespread failure on the part of foreign voice service providers to register in the Robocall Mitigation Database. In reality, a significant number of foreign voice service providers have been made aware of the requirement and have registered in the Robocall Mitigation Database. Now that the Commission has taken the time to ensure that the requirement can be implemented without causing significant disruptions to legitimate, legal traffic, it is time to ensure that the requirement adequately protects American consumers from as many foreign-originated illegal robocalls as possible, and not merely a tiny fraction of such calls. The Commission knows the requirement can work on a practical level, and the Commission finds that the expected benefits will far outweigh any minimal costs that may be imposed on gateway providers. While the rules the Commission adopts in this document provide some additional tools to domestic providers to combat illegal robocalls originating outside the U.S., the Commission must give domestic providers as many tools as it can to protect their customers from as wide a swathe of foreign-originated illegal robocalls as possible. (To quote T-Mobile, the tools the new gateway provider rules represent “may not be foolproof.”)

    111. Several commenters have urged the Commission to reach out to its counterparts in foreign governments and inform them of its latest efforts to protect consumers from illegal robocalls while also encouraging regulators abroad to promote foreign provider participation in robocall mitigation and the Robocall Mitigation Database. The Commission takes this opportunity to reiterate its commitment to continue engaging actively with its international partners abroad to inform them of its latest efforts to combat illegal robocalls and to encourage robocall mitigation efforts on their part as well as participation in the Robocall Mitigation Database among their domestic providers. The Commission recognizes that it is only through active dialogue and cooperation with its international counterparts that it will be able to fully address the scourge of illegal robocalls here at home.

    112. Legal Authority. The Commission concludes that section 251(e) gives it authority to require intermediate providers and voice service providers to accept traffic only from foreign intermediate providers using U.S. NANP numbering resources in the caller ID field that appear in the Robocall Mitigation Database. As the Commission concluded in the First Caller ID Authentication Report and Order and FNPRM and affirmed in the Second Caller ID Authentication Report and Order, its exclusive jurisdiction over numbering policy provides authority to take action to prevent the fraudulent abuse of U.S. NANP resources. Illegally spoofed calls exploit numbering resources whenever they transit any portion of the voice network—including the networks of intermediate and terminating providers. The Commission's action preventing such calls from entering an intermediate provider's or terminating provider's network is designed to protect consumers from illegally spoofed calls, even while STIR/SHAKEN is not yet ubiquitous. No commenters have challenged the Commission's authority to require voice service providers to accept traffic only from foreign providers that do appear in the Robocall Mitigation Database. (T-Mobile does not challenge the Commission's authority to require intermediate providers and voice service providers to only accept traffic directly from foreign providers that appear in the Robocall Mitigation Database, but it asserts that “the FCC has no authority over foreign voice service providers.” The revised rule the Commission adopts does not constitute the exercise of jurisdiction over foreign voice service providers. The Commission acknowledges that this rule will have an indirect effect on foreign voice service providers by incentivizing them to certify to be listed in the database. An indirect effect on foreign voice service providers, however, “does not militate against the validity of rules that only operate directly on voice service providers within the United States.” In addition, several commenters raise concerns about whether registering in the Robocall Mitigation Database would have U.S. tax implications for foreign providers, whether registration would subject foreign providers to universal service contributions, and whether such providers would be subject to the Commission's enforcement authority regarding certifications or other matters, such as compliance with traceback requests. In the absence of any showing of any significant tax consequences for foreign providers, and in light of the overwhelming pace at which they have already registered, the Commission concludes that the benefits obtained by its new rules substantially outweigh any such possible consequences. The Commission clarifies that the act of registration in the Robocall Mitigation Database, by itself, would not create a universal service contribution obligation for a foreign provider. Finally, the Commission confirms that the Commission has authority to enforce its rules by ensuring that the Robocall Mitigation Database includes only accurate certifications.) One of the only parties to even touch upon the subject in response to the First Caller ID Authentication Report and Order and FNPRM, Verizon, agrees that section 251(e) gives the Commission ample authority to ensure foreign VoIP providers “submit to the proposed registration and certification regime by prohibiting regulated U.S. carriers from accepting their traffic if they do not.”

    113. The Commission additionally finds authority in the Truth in Caller ID Act. It finds that the rule the Commission adopts is necessary to enable voice service providers and intermediate providers to help prevent illegal spoofed robocalls and to protect Start Printed Page 42934 voice service subscribers from scammers and bad actors that spoof caller ID numbers, and that section 227(e) thus provides additional independent authority for the revised rule the Commission adopts.

    B. Petitions for Reconsideration

    114. In expanding the scope of the requirement and concluding that domestic providers may only accept calls directly from a foreign provider that originates, carries, or processes a call if that foreign provider is registered in the Robocall Mitigation Database, the Commission plainly disagrees with the CTIA and VON Petitions for Reconsideration requesting that the Commission eliminate or otherwise curtail the requirement or asserting that the Commission violated the Administrative Procedure Act's (APA) notice-and-comment requirement when it adopted this rule in the Second Caller ID Authentication Report and Order. The Commission resolves the Petitions as described below.

    1. CTIA Petition

    115. The Commission denies CTIA's Petition because the evidence in the record demonstrates that the requirement is unlikely to have the negative consequences CTIA fears, and the Commission has already followed CTIA's recommendations to focus on other mitigation efforts and to delay enforcement of the requirement while developing a more substantial record. In its Petition, CTIA raises three primary arguments against the requirement that domestic providers only accept calls carrying U.S. NANP numbers from foreign voice service providers listed in the Robocall Mitigation Database: (1) the requirement will cause issues with international roaming that will harm American mobile wireless consumers in the U.S. and abroad; (2) the Commission's other efforts enable providers to protect consumers from illegal and unwanted robocalls from overseas without the need for a requirement that domestic providers only accept calls carrying U.S. NANP numbers from foreign voice service providers listed in the Robocall Mitigation Database; and (3) reconsideration is necessary because evidence of the requirement's impact on American wireless consumers is now available. The Commission addresses each of these arguments in turn.

    a. International Roaming

    116. CTIA asserts in its Petition that wireless roaming is a “complex endeavor, which is more complicated internationally, as U.S. mobile network operators have roaming agreements with hundreds of overseas network operators to enable U.S. consumers to remain connected no matter where they travel or move.” When a mobile wireless consumer abroad uses a U.S. phone number to call a consumer in the U.S., “that call may be routed from an originating foreign provider's network over long distance routes that involve multiple foreign mobile network operators often on the basis of least cost routing to reach a U.S. intermediate or terminating provider for delivery to the intended recipient.” Because of this, there are a “number of hand-offs for a call on its way back to a U.S. consumer, and any one of hundreds of foreign providers could be chosen as the final foreign provider in the call path that interconnects with a U.S. intermediate or terminating provider.” CTIA asserts that, if that final foreign voice service provider fails to implement a robocall mitigation program and certify to such in the Robocall Mitigation Database, all of its traffic—including legal, legitimate traffic—would be “prohibited from reaching the intended recipients. . . .” Thus, CTIA claims that the requirement that domestic providers only accept calls carrying U.S. NANP numbers from foreign voice service providers listed in the Robocall Mitigation Database would risk “significant call completion issues for wireless calls from hundreds of foreign providers' networks, from any mobile wireless consumer using a U.S. phone number to make a call from abroad.” CTIA also claims that foreign voice service providers that interconnect with U.S. providers will “likely fail to register” with the Robocall Mitigation Database in a timely manner. (And BT Americas Inc. asserts in its comments in support of the CTIA Petition that “the certification process may place foreign carriers in the impossible situation of either having to violate their commitment to the FCC or violate the laws of their home country.” As the Commission states earlier in this document, to the extent that foreign providers face bona fide domestic legal constraints that conflict with any of the certifications or attestations required of Robocall Mitigation Database filers, they may still submit a certification to the Robocall Mitigation Database and explain any such domestic legal constraints as part of their certification.) Thus, CTIA argues that reconsideration of the requirement is needed to prevent unintended blocking of legitimate, legal traffic and to give foreign providers sufficient time to develop robocall mitigation implementation plans and to register with the Commission.

    117. The Commission believes that CTIA's concerns are overstated, and in any event the Commission does not find them sufficient to outweigh the benefits of the requirement. In light of the prevalence of foreign-originated illegal robocalls aimed at U.S. consumers, the requirement is a critical tool in combatting such calls. And far from resulting in a widespread failure to register with the Robocall Mitigation Database among foreign service providers, the requirement—along with the diligent and concerted efforts of U.S. providers—seems to have actively encouraged foreign voice service providers to institute robocall mitigation programs abroad and file certifications to be listed in the database and thus have their traffic continue to be accepted by domestic intermediate and terminating providers. As CTIA itself notes in its comments, since the establishment of the requirement in 2020, “U.S. providers have worked diligently to educate their foreign counterparts about call authentication, robocall mitigation, and registration expectations,” outreach that has included individual providers engaging directly with their foreign counterparts, as well as efforts to increase awareness of these changes through existing industry bodies such as the GSM Association (GSMA), the Communications Fraud Control Association, and the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG). According to CTIA, this work has produced results, with many foreign voice service providers implementing robocall mitigation plans and registering in the Robocall Mitigation Database even as the requirement has been held in abeyance. Based on the education and outreach efforts of CTIA members, 99% of AT&T's international traffic now comes from carriers registered in the Robocall Mitigation Database. Similarly, T-Mobile reports receiving all of its inbound international traffic from providers registered in the Robocall Mitigation Database, and Verizon states that approximately 99% of the traffic it receives from foreign voice service providers is from those registered in the Robocall Mitigation Database, thus mooting T-Mobile's arguments that the Second Caller ID Authentication Report and Order contains little evidence “showing the likelihood of widespread compliance as a result of industry pressure” and that the requirement “will punish U.S. wireless subscribers when they are abroad, along with those in the U.S. whom they may try to call.” (This result also runs counter to IDT Start Printed Page 42935 Telecom, Inc.'s (IDT) concerns that the requirement would be anticompetitive for U.S. companies because it would “incline toward a handful of foreign wholesalers dominating the aggregation of USA termination, leading to only a small number of US carriers connecting with them.”) Beyond high levels of Robocall Mitigation Database registration among foreign voice service providers, CTIA reports that “domestic voice service providers have continued to modify their interconnection contracts with foreign providers to focus on the need to mitigate illegal robocall traffic.”

    118. Given the extraordinarily high levels at which foreign voice service providers have implemented robocall mitigation programs and registered with the Robocall Mitigation Database even absent enforcement of the requirement, the Commission finds CTIA's initial concerns that foreign voice service providers would fail to register with the database to no longer be an issue. (Nor has there been, as IDT feared, a rash of reciprocal registration and filing requirements for U.S. providers from foreign regulators. As for IDT's concern that the requirement would lead to “an unequal enforcement problem, as many small operators may turn a blind eye to the requirement of their customers' registration, yet will go undetected because of a low profile,” such a generalized risk could be said to apply equally to every regulation the Commission adopts and is not a valid reason to refrain from adopting a specific policy or regulation. Moreover, this argument imparts a heightened degree of malicious intent to small providers based purely upon the size of their operations. The Commission do not believe that small providers are any more or less likely to engage in illegal or malicious conduct than are large ones, and the Commission thus rejects the assumptions underpinning this argument.) Indeed, it appears that, much as CTIA intended, the Commission's decision to hold the requirement in abeyance has permitted domestic providers to interface with their foreign counterparts and encourage them to develop robocall mitigation implementation plans and register with the Robocall Mitigation Database. The Commission, therefore, concludes that the requirement should not result in significant call completion issues and that reconsideration based on this concern is unwarranted.

    b. Other Efforts To Curb Illegal Robocalls

    119. CTIA's second argument is that the Commission's other actions to prevent illegal and unwanted robocalls from outside the United States—including enforcement actions against VoIP providers facilitating illegal voice traffic, encouraging providers to protect international gateways from robocalls, and adopting a safe harbor for blocking traffic from bad actors—are more targeted and less disruptive than the requirement that domestic providers only accept calls carrying U.S. NANP numbers from foreign voice service providers listed in the Robocall Mitigation Database. Thus, the Commission “should continue to focus on these and similar efforts while developing the record” on the requirement.

    120. After having developed a more fulsome record on the requirement in the wake of the Gateway Provider FNPRM, the Commission finds that the requirement that domestic providers only accept calls carrying U.S. NANP numbers from foreign voice service providers listed in the Robocall Mitigation Database is not disruptive and that its other actions to prevent illegal and unwanted robocalls from overseas are insufficient on their own to properly address the problem of foreign-originated illegal robocalls. As CTIA itself has noted since filing its initial petition, industry outreach to foreign voice service providers has met with great success, with numerous foreign voice service providers implementing robocall mitigation plans and registering in the Robocall Mitigation Database. With 99% of AT&T and Verizon's and 100% of T-Mobile's inbound international traffic now coming from carriers who are registered in the Robocall Mitigation Database, the Commission finds it unlikely that enforcement of the requirement that domestic providers only accept calls carrying U.S. NANP numbers from foreign voice service providers listed in the Robocall Mitigation Database will result in widespread call completion issues. At the same time, the Commission believes that the requirement is necessary to supplement its other actions, including enforcement actions against VoIP providers facilitating illegal voice traffic, encouraging providers to protect international gateways from robocalls, and adopting a safe harbor for blocking traffic from bad actors. While these steps are certainly important, merely encouraging providers to protect international gateways from illegal foreign-originated robocalls and adopting a safe harbor for those who block traffic from bad actors is not sufficient. If the Commission is to adequately address the significant problem of foreign-originated robocalls, just as with U.S. originated robocalls, those receiving such calls (here, gateway providers) must explicitly be required to accept only those calls carrying U.S. NANP numbers from foreign voice service providers that are listed in the Robocall Mitigation Database. To address the endemic practice of illegal robocalling, the Commission must use every tool at its disposal, especially those which have been shown not to result in significant call completion issues. The Commission thus finds CTIA's second argument unpersuasive.

    c. Availability of Additional Evidence

    121. CTIA's final argument is that reconsideration is appropriate because the Commission did not, in the Second Caller ID Authentication Report and Order, seek comment on the impacts of the requirement on international wireless roaming. Without such record evidence, CTIA contends, the Commission lacked “sufficient support to prohibit domestic intermediate and terminating providers from completing calls from foreign voice service providers that have not certified in the [Robocall Mitigation Database].” Thus, CTIA claims that the Commission should reconsider the requirement and further develop its record so that it can craft a “more reasonable approach to encourage international provider certification” without jeopardizing U.S. consumers or the U.S. voice network.

    122. As noted above, the Commission solicited a more robust record in response to the Gateway Provider FNPRM regarding the requirement and its possible effects. As that record shows, efforts to educate foreign voice service providers and encourage implementation of robocall mitigation programs and registration with the Robocall Mitigation Database have met with great success. Foreign providers have been granted time to develop robocall mitigation implementation plans and register with the Robocall Mitigation Database, and they appear to have used that time well. In light of this success, the Commission feels confident that it may proceed with enforcement of the requirement that domestic providers only accept calls carrying U.S. NANP numbers from foreign voice service providers listed in the Robocall Mitigation Database without causing significant disruption to the completion of legal, legitimate traffic. The requirement, as crafted, is already “reasonable,” and addresses illegal robocalls originating from outside the United States without jeopardizing U.S. consumers or the U.S. voice network. Start Printed Page 42936

    123. For the forgoing reasons, the Commission denies CTIA's petition.

    2. VON Petition

    124. VON's Petition relies largely on a single argument in seeking reconsideration of the requirement that domestic providers only accept calls carrying U.S. NANP numbers from foreign providers listed in the Robocall Mitigation Database—that the requirement violates the APA because the Commission failed to solicit and consider public comment on it. Thus, VON contends that the Commission should seek additional comments on the proposal to “allow for a more thoughtful vetting of an otherwise very complicated issue.” The Commission denies the VON Petition on substantive grounds for the reasons stated below. The Commission alternatively dismisses the Petition as mooted by the Commission's decision to hold enforcement of the requirement in abeyance until a final decision was reached regarding whether to eliminate, retain, or enhance the requirement and the Commission's request for comments on the scope of the requirement in the Gateway Provider FNPRM.

    a. The Requirement That Domestic Providers Only Accept Calls From Foreign Voice Service Providers Listed in the Robocall Mitigation Database Complies With APA Notice-and-Comment Requirements

    125. In the First Caller ID Authentication Report and Order and FNPRM, the Commission proposed that, when an intermediate provider receives an unauthenticated call that it will exchange with another intermediate or voice service provider as a SIP call, it must authenticate such a call with a “gateway” or C-level attestation. In seeking comment on that proposal, the Commission noted that multiple commenters had supported imposing STIR/SHAKEN requirements on gateway providers as a way to identify robocalls that originate abroad and to identify which provider served as the entry point for these calls to U.S. networks. The Commission then sought comment on whether this was an effective way to combat illegal calls originating outside the U.S. and whether there were “other rules involving STIR/SHAKEN that we should consider regarding intermediate providers to further combat illegal calls originating abroad.” The Commission also reiterated Verizon's suggestion that the Commission impose an obligation to use STIR/SHAKEN on any provider, regardless of its geographic location, if it intends to allow its customers to use U.S. telephone numbers, as well as USTelecom's proposal that the Commission consider obligating gateway providers to pass international traffic only to downstream providers that have implemented STIR/SHAKEN. The Commission sought comment on both proposals and asked if there were any other actions it could take to promote caller ID authentication implementation to combat robocalls originating abroad.

    126. In response to the First Caller ID Authentication Report and Order and FNPRM, several commenters filed initial comments expressing support for combating robocalls originating abroad by requiring foreign voice service providers that appear in the Robocall Mitigation Database to follow the same requirements as domestic voice service providers.

    127. Courts have long held that the APA requires that the final rule that an agency adopts be a “logical outgrowth of the rule proposed.” While the Commission did not explicitly propose a rule in the First Caller ID Authentication Report and Order and FNPRM requiring domestic intermediate and terminating providers to accept calls only from foreign voice service providers that use U.S. NANP numbers and are listed in the Robocall Mitigation Database, it did seek comment on: (1) whether to impose STIR/SHAKEN requirements on gateway providers as a way to identify robocalls that originate abroad; (2) whether there were other rules involving STIR/SHAKEN that the Commission should consider regarding intermediate providers to further combat illegal calls originating abroad; (3) Verizon's suggestion to impose on any provider, regardless of its geographic location, an obligation to use STIR/SHAKEN; (4) USTelecom's proposal that the Commission consider obligating gateway providers to pass international traffic only to downstream providers that have implemented STIR/SHAKEN; and (5) whether there were any other actions the Commission could take to promote caller ID authentication implementation to combat robocalls originating abroad. The Commission concludes that the requirement that domestic providers only accept calls carrying U.S. NANP numbers from foreign voice service providers listed in the Robocall Mitigation Database is a logical outgrowth of these repeated and specific requests for comment on the types of obligations the Commission should impose on gateway providers that accept traffic from foreign voice service providers. Indeed, while it did not specifically mention the requirement in its final adopted form, the Commission did seek comment on whether to impose STIR/SHAKEN requirements on gateway providers, as well as other actions that would promote caller ID authentication implementation and combat foreign-originated robocalls.

    128. That this requirement is a logical outgrowth of such requests for comment is evident from the fact numerous entities filed comments in response to the First Caller ID Authentication Report and Order and FNPRM voicing support for combating robocalls originating abroad by requiring foreign voice service providers that appear in the Robocall Mitigation Database to follow the same requirements as domestic voice service providers. While the two are not exactly the same, this notion of requiring foreign voice service providers who file with the Robocall Mitigation Database to fulfill the same requirements as domestic providers is quite similar to the requirement the Commission eventually adopted, and the fact that it was mentioned by multiple commenters indicates that the requirement was indeed a logically foreseeable outgrowth of the language in the First Caller ID Authentication Report and Order and FNPRM. Even were it not a logical outgrowth of the First Caller ID Authentication Report and Order and FNPRM, the possibility of a requirement that domestic providers only accept calls carrying U.S. NANP numbers from foreign providers listed in the Robocall Mitigation Database was raised in the initial comments and was open to consideration and comment during the reply stage.

    129. The Commission thus finds VON's claim that the adoption of the requirement violated the APA to be baseless and, accordingly, deny their Petition on substantive grounds.

    b. VON's Petition Is Moot

    130. Independently, and in the alternative, the Commission finds that the Commission's decision to hold enforcement of the requirement in abeyance until it reached a final decision regarding whether to eliminate, retain, or enhance the requirement, together with the Commission's request for comments on the scope of the requirement in the Gateway Provider FNPRM, renders the VON Petition moot. Even assuming arguendo that the initial adoption of the requirement in the Second Caller ID Authentication Report and Order violated the notice and comment requirements of the APA, the same cannot be said of the Gateway Provider FNPRM, which specifically and extensively sought comment on Start Printed Page 42937 whether “to eliminate, retain, or enhance” the requirement.

    131. Much like CTIA in its own Petition, VON did not call for the wholesale elimination of the requirement that domestic providers only accept calls carrying U.S. NANP numbers from foreign voice service providers listed in the Robocall Mitigation Database, but merely time to solicit additional comment and allow for further consideration of the requirement. Regardless of whether the First Caller ID Authentication Report and Order and FNPRM provided notice and an opportunity to comment on the requirement, the Gateway Provider FNPRM undoubtedly provided both. The Commission in the Gateway Provider FNPRM stated that, until a final decision was made regarding whether to eliminate, retain, or enhance the requirement, it would not enforce the requirement that domestic voice service providers and intermediate providers accept only traffic carrying U.S. NANP numbers sent directly from foreign voice service providers listed in the Robocall Mitigation Database. (The Commission treats its holding enforcement of the prohibition in abeyance the same as a stay.) As the Commission has satisfied the terms of VON's Petition, the Commission dismisses it as moot. (As with the CTIA Petition, the Commission notes that the concerns raised in the VON Petition—namely, that the requirement would limit the number of foreign carriers who can terminate calls in the U.S., restrict the ability of U.S. carriers to terminate calls on behalf of U.S. customers to foreign points, and lead to the disruption of legitimate, non-harmful traffic—have proved to be largely unfounded in the wake of adoption of the requirement, and as noted above, 99% of AT&T and Verizon's and 100% of T-Mobile's inbound international traffic currently comes from carriers who are registered in the Robocall Mitigation Database. Thus, as with CTIA's concerns, the Commission finds VON's concerns about the potential failure of foreign providers to register in the database to be largely baseless in reality.)

    132. Because the Commission finds that adoption of the requirement that domestic voice service providers and domestic intermediate providers only accept calls carrying U.S. NANP numbers from foreign voice service providers listed in the Robocall Mitigation Database did not violate the APA's notice-and-comment requirements and that VON's Petition is mooted by the Commission's decision to hold enforcement of the requirement in abeyance while the Commission sought comment on whether to eliminate, retain, or enhance the requirement, the Commission denies VON's Petition on substantive grounds and independently, and in the alternative, dismiss it as moot.

    III. Order

    133. In this document, the Commission makes a ministerial change to a codified rule required to correct an inadvertent typographical error and spell out an undefined acronym. The Commission revises § 64.6300(f) of its rules, which defines the term “intermediate provider,” to change the word “carriers” to “carries” and to change the reference to “PSTN” to “public switched telephone network.” The Commission finds that there is good cause for adopting this amendment here because the typographical error may confuse those seeking to understand how the Commission defines the term “intermediate provider” for purposes of complying with its rules governing caller ID authentication, and the use of undefined acronyms, even if well known, is not preferable.

    134. Section 553 of the Administrative Procedure Act permits the Commission to amend the Commission's rules without undergoing notice and comment where the Commission finds good cause that doing so is “impracticable, unnecessary, or contrary to the public interest.” The Commission has previously determined that notice and comment is not necessary for “editorial changes or corrections of typographical errors.” Consistent with Commission precedent, in this instance the Commission finds that notice and comment is unnecessary for adopting a ministerial revision to § 64.6300(f) to correct an inadvertent typographical error and spell out an undefined acronym in the definition of “intermediate provider.”

    IV. Final Regulatory Flexibility Analysis

    135. As required by the Regulatory Flexibility Act of 1980 (RFA), as amended, an Initial Regulatory Flexibility Analysis (IRFA) was incorporated into the Further Notice of Proposed Rulemaking adopted in September 2021 ( Gateway Provider FNPRM ). (The RFA, 5 U.S.C. 601-612, has been amended by the Contract With America Advancement Act of 1996, Public Law 104-121, 110 Stat. 847 (1996) (CWAAA). Title II of the CWAAA is the Small Business Regulatory Enforcement Fairness Act of 1996 (SBREFA)). The Commission sought written public comment on the proposals in the Gateway Provider FNPRM, including comment on the IRFA. The comments received are discussed below. This Final Regulatory Flexibility Analysis (FRFA) conforms to the RFA.

    A. Need for, and Objectives of, the Order

    136. First, this document takes important steps in the fight against foreign-originated illegal robocalls by holding gateway providers responsible for the calls they allow onto the U.S. network. Finally, the Order on Reconsideration in this document strengthens the prohibition on receiving calls carrying U.S. NANP numbers from foreign providers not listed in the Robocall Mitigation Database. The decisions the Commission makes here protect American consumers from unwanted and illegal calls while balancing the legitimate interests of callers placing lawful calls.

    137. Gateway Provider Report and Order. This document takes important steps to protect consumers from foreign-originated illegal robocalls. These steps help stem the tide of foreign-originated illegal robocalls, which are a significant portion, if not the majority, of illegal robocalls. As the entry point onto the U.S. network for these calls, gateway providers are best positioned to protect all American consumers. Because there is no single solution to the illegal robocall problem, this document addresses this issue from several angles, all focused on reducing the number of foreign-originated illegal calls American consumers receive and aiding in identifying bad actors.

    138. First, this document requires gateway providers to submit a certification and plan to the Robocall Mitigation Database describing their robocall mitigation practices and stating that they are adhering to those practices, regardless of whether they have fully implemented STIR/SHAKEN, and requires downstream domestic providers receiving traffic from gateway providers to block traffic from such a provider if the gateway provider has not submitted a certification in the Robocall Mitigation Database. Second, this document requires gateway providers to implement STIR/SHAKEN to authenticate SIP calls that are carrying a U.S. number in the caller ID field. Third, it requires gateway providers to fully respond to traceback requests from the Commission, civil and criminal law enforcement, and the industry traceback consortium within 24 hours of receipt of such a request. Fourth, it requires gateway providers to block illegal traffic when notified of such traffic by the Start Printed Page 42938 Commission and the providers immediately downstream from the gateway to block all traffic from the identified provider when notified by the Commission that the gateway provider failed to meet its obligation to block illegal traffic. This rule builds on the Commission's existing effective mitigation requirement and bad-actor provider blocking safe harbor, and proscribes specific steps that the Enforcement Bureau must take before directing downstream providers to block. Fifth, it requires gateway providers to block using a reasonable do-not-originate (DNO) list. Sixth, it requires gateway providers to take reasonable and effective steps to ensure that the immediate upstream provider is not using the gateway provider to originate a high volume of illegal traffic onto the U.S. network. Finally, it requires gateway providers to meet a general obligation to mitigate illegal robocalls regardless of whether they have fully implemented STIR/SHAKEN on the IP portions of their network.

    139. Order on Reconsideration. The Order on Reconsideration in this document strengthens the existing prohibition on receiving calls carrying U.S. NANP numbers from foreign providers not listed in the Robocall Mitigation Database. To ensure that all foreign providers are brought within the prohibition, the Order on Reconsideration in this document modifies the rule such that the prohibition applies to calls directly from a foreign provider that originates, carries, or processes a call if that foreign provider is not listed in the Robocall Mitigation Database.

    B. Summary of Significant Issues Raised by Public Comments in Response to the IRFA

    140. There were no comments raised that specifically addressed the proposed rules and policies presented in the Gateway Provider FNPRM IRFA. Nonetheless, the Commission considered the potential impact of the rules proposed in the IRFA on small entities and took steps where appropriate and feasible to reduce the compliance burden for small entities in order to reduce the economic impact of the rules enacted herein on such entities.

    C. Response to Comments by the Chief Counsel for Advocacy of the Small Business Administration

    141. Pursuant to the Small Business Jobs Act of 2010, which amended the RFA, the Commission is required to respond to any comments filed by the Chief Counsel for Advocacy of the Small Business Administration (SBA), and to provide a detailed statement of any change made to the proposed rules as a result of those comments. The Chief Counsel did not file any comments in response to the proposed rules in this proceeding.

    D. Description and Estimate of the Number of Small Entities to Which the Rules Will Apply

    142. The RFA directs agencies to provide a description of, and where feasible, an estimate of the number of small entities that may be affected by the rules adopted herein. The RFA generally defines the term “small entity” as having the same meaning as the terms “small business,” “small organization,” and “small governmental jurisdiction.” In addition, the term “small business” has the same meaning as the term “small-business concern” under the Small Business Act. (Pursuant to 5 U.S.C. 601(3), the statutory definition of a small business applies “unless an agency, after consultation with the Office of Advocacy of the Small Business Administration and after opportunity for public comment, establishes one or more definitions of such term which are appropriate to the activities of the agency and publishes such definition(s) in the Federal Register .”) A “small-business concern” is one which: (1) is independently owned and operated; (2) is not dominant in its field of operation; and (3) satisfies any additional criteria established by the SBA.

    143. Small Businesses, Small Organizations, Small Governmental Jurisdictions. The Commission's actions, over time, may affect small entities that are not easily categorized at present. The Commission therefore describes here, at the outset, three broad groups of small entities that could be directly affected herein. First, while there are industry specific size standards for small businesses that are used in the regulatory flexibility analysis, according to data from the SBA's Office of Advocacy, in general a small business is an independent business having fewer than 500 employees. These types of small businesses represent 99.9% of all businesses in the United States, which translates to 32.5 million businesses.

    144. Next, the type of small entity described as a “small organization” is generally “any not-for-profit enterprise which is independently owned and operated and is not dominant in its field.” The Internal Revenue Service (IRS) uses a revenue benchmark of $50,000 or less to delineate its annual electronic filing requirements for small exempt organizations. (The IRS benchmark is similar to the population of less than 50,000 benchmark in 5 U.S.C. 601(5) that is used to define a small governmental jurisdiction. Therefore, the IRS benchmark has been used to estimate the number small organizations in this small entity description. The Commission notes that the IRS data does not provide information on whether a small exempt organization is independently owned and operated or dominant in its field.) Nationwide, for tax year 2020, there were approximately 447,689 small exempt organizations in the U.S. reporting revenues of $50,000 or less according to the registration and tax data for exempt organizations available from the IRS. (The IRS Exempt Organization Business Master File (E.O. BMF) Extract provides information on all registered tax-exempt/non-profit organizations. The data utilized for purposes of this description was extracted from the IRS E.O. BMF data for businesses for the tax year 2020 with revenue less than or equal to $50,000, for Region 1—Northeast Area (58,577), Region 2—Mid-Atlantic and Great Lakes Areas (175,272), and Region 3—Gulf Coast and Pacific Coast Areas (213,840) which includes the continental U.S., Alaska, and Hawaii. This data does not include information for Puerto Rico.)

    145. Finally, the small entity described as a “small governmental jurisdiction” is defined generally as “governments of cities, counties, towns, townships, villages, school districts, or special districts, with a population of less than fifty thousand.” U.S. Census Bureau data from the 2017 Census of Governments (the Census of Governments survey is conducted every five (5) years compiling data for years ending with “2” and “7”) indicates that there were 90,075 local governmental jurisdictions consisting of general purpose governments and special purpose governments in the United States. (Local governmental jurisdictions are made up of general purpose governments (county, municipal and town or township) and special purpose governments (special districts and independent school districts).) Of this number there were 36,931 general purpose governments (county, municipal and town or township) with populations of less than 50,000 and 12,040 special purpose governments—independent school districts with enrollment populations of less than 50,000. (There were 2,105 county governments with populations less than 50,000. This category does not include subcounty (municipal and township) governments. There were Start Printed Page 42939 18,729 municipal and 16,097 town and township governments with populations less than 50,000. There were 12,040 independent school districts with enrollment populations less than 50,000. While the special purpose governments category also includes local special district governments, the 2017 Census of Governments data does not provide data aggregated based on population size for the special purpose governments category. Therefore, only data from independent school districts is included in the special purpose governments category.) Accordingly, based on the 2017 U.S. Census of Governments data, the Commission estimates that at least 48,971 entities fall into the category of “small governmental jurisdictions.” (This total is derived from the sum of the number of general purpose governments (county, municipal and town or township) with populations of less than 50,000 (36,931) and the number of special purpose governments—independent school districts with enrollment populations of less than 50,000 (12,040), from the 2017 Census of Governments—Organizations tbls. 5, 6 & 10.)

    1. Wireline Carriers

    146. Wired Telecommunications Carriers. The U.S. Census Bureau defines this industry as establishments primarily engaged in operating and/or providing access to transmission facilities and infrastructure that they own and/or lease for the transmission of voice, data, text, sound, and video using wired communications networks. Transmission facilities may be based on a single technology or a combination of technologies. Establishments in this industry use the wired telecommunications network facilities that they operate to provide a variety of services, such as wired telephony services, including VoIP services, wired (cable) audio and video programming distribution, and wired broadband internet services. By exception, establishments providing satellite television distribution services using facilities and infrastructure that they operate are included in this industry. Wired Telecommunications Carriers are also referred to as wireline carriers or fixed local service providers. (Fixed Local Service Providers include the following types of providers: Incumbent Local Exchange Carriers (ILECs), Competitive Access Providers (CAPs) and Competitive Local Exchange Carriers (CLECs), Cable/Coax CLECs, Interconnected VOIP Providers, Non-Interconnected VOIP Providers, Shared-Tenant Service Providers, Audio Bridge Service Providers, and Other Local Service Providers. Local Resellers fall into another U.S. Census Bureau industry group and therefore data for these providers is not included in this industry.)

    147. The SBA small business size standard for Wired Telecommunications Carriers classifies firms having 1,500 or fewer employees as small. U.S. Census Bureau data for 2017 show that there were 3,054 firms that operated in this industry for the entire year. Of this number, 2,964 firms operated with fewer than 250 employees. (The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard.) Additionally, based on Commission data in the 2021 Universal Service Monitoring Report, as of December 31, 2020, there were 5,183 providers that reported they were engaged in the provision of fixed local services. Of these providers, the Commission estimates that 4,737 providers have 1,500 or fewer employees. Consequently, using the SBA's small business size standard, most of these providers can be considered small entities.

    148. Local Exchange Carriers (LECs). Neither the Commission nor the SBA has developed a size standard for small businesses specifically applicable to local exchange services. Providers of these services include both incumbent and competitive local exchange service providers. Wired Telecommunications Carriers is the closest industry with an SBA small business size standard. Wired Telecommunications Carriers are also referred to as wireline carriers or fixed local service providers. (Fixed Local Exchange Service Providers include the following types of providers: Incumbent Local Exchange Carriers (ILECs), Competitive Access Providers (CAPs) and Competitive Local Exchange Carriers (CLECs), Cable/Coax CLECs, Interconnected VOIP Providers, Non-Interconnected VOIP Providers, Shared-Tenant Service Providers, Audio Bridge Service Providers, Local Resellers, and Other Local Service Providers.) The SBA small business size standard for Wired Telecommunications Carriers classifies firms having 1,500 or fewer employees as small. U.S. Census Bureau data for 2017 show that there were 3,054 firms that operated in this industry for the entire year. Of this number, 2,964 firms operated with fewer than 250 employees. (The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard.) Additionally, based on Commission data in the 2021 Universal Service Monitoring Report, as of December 31, 2020, there were 5,183 providers that reported they were fixed local exchange service providers. Of these providers, the Commission estimates that 4,737 providers have 1,500 or fewer employees. Consequently, using the SBA's small business size standard, most of these providers can be considered small entities.

    149. Incumbent Local Exchange Carriers (Incumbent LECs). Neither the Commission nor the SBA have developed a small business size standard specifically for incumbent local exchange carriers. Wired Telecommunications Carriers is the closest industry with an SBA small business size standard. The SBA small business size standard for Wired Telecommunications Carriers classifies firms having 1,500 or fewer employees as small. U.S. Census Bureau data for 2017 show that there were 3,054 firms in this industry that operated for the entire year. Of this number, 2,964 firms operated with fewer than 250 employees. (The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard.) Additionally, based on Commission data in the 2021 Universal Service Monitoring Report, as of December 31, 2020, there were 1,227 providers that reported they were incumbent local exchange service providers. Of these providers, the Commission estimates that 929 providers have 1,500 or fewer employees. Consequently, using the SBA's small business size standard, the Commission estimates that the majority of incumbent local exchange carriers can be considered small entities.

    150. Competitive Local Exchange Carriers (LECs). Neither the Commission nor the SBA has developed a size standard for small businesses specifically applicable to local exchange services. Providers of these services include several types of competitive local exchange service providers. (Competitive Local Exchange Service Providers include the following types of providers: Competitive Access Providers (CAPs) and Competitive Local Exchange Carriers (CLECs), Cable/Coax CLECs, Interconnected VOIP Providers, Non-Interconnected VOIP Providers, Shared-Tenant Service Providers, Audio Bridge Service Providers, Local Resellers, and Other Local Service Providers.) Wired Telecommunications Carriers is the closest industry with an SBA small business size standard. The SBA small business size standard for Wired Telecommunications Carriers classifies firms having 1,500 or fewer employees Start Printed Page 42940 as small. U.S. Census Bureau data for 2017 show that there were 3,054 firms that operated in this industry for the entire year. Of this number, 2,964 firms operated with fewer than 250 employees. (The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard.) Additionally, based on Commission data in the 2021 Universal Service Monitoring Report, as of December 31, 2020, there were 3,956 providers that reported they were competitive local exchange service providers. Of these providers, the Commission estimates that 3,808 providers have 1,500 or fewer employees. Consequently, using the SBA's small business size standard, most of these providers can be considered small entities.

    151. Interexchange Carriers (IXCs). Neither the Commission nor the SBA have developed a small business size standard specifically for Interexchange Carriers. Wired Telecommunications Carriers is the closest industry with an SBA small business size standard. The SBA small business size standard for Wired Telecommunications Carriers classifies firms having 1,500 or fewer employees as small. U.S. Census Bureau data for 2017 show that there were 3,054 firms that operated in this industry for the entire year. Of this number, 2,964 firms operated with fewer than 250 employees. (The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard.) Additionally, based on Commission data in the 2021 Universal Service Monitoring Report, as of December 31, 2020, there were 151 providers that reported they were engaged in the provision of interexchange services. Of these providers, the Commission estimates that 131 providers have 1,500 or fewer employees. Consequently, using the SBA's small business size standard, the Commission estimates that the majority of providers in this industry can be considered small entities.

    152. Cable System Operators (Telecom Act Standard). The Communications Act of 1934, as amended, contains a size standard for small cable system operators, which classifies “a cable operator that, directly or through an affiliate, serves in the aggregate fewer than one percent of all subscribers in the United States and is not affiliated with any entity or entities whose gross annual revenues in the aggregate exceed $250,000,000,” as small. As of December 2020, there were approximately 45,308,192 basic cable video subscribers in the top Cable multiple system operators (MSOs) in the United States. Accordingly, an operator serving fewer than 453,082 subscribers shall be deemed a small operator if its annual revenues, when combined with the total annual revenues of all its affiliates, do not exceed $250 million in the aggregate. Based on available data, all but five of the cable operators in the Top Cable MSOs have less than 453,082 subscribers and can be considered small entities under this size standard. The Commission notes however, that the Commission neither requests nor collects information on whether cable system operators are affiliated with entities whose gross annual revenues exceed $250 million. (The Commission does receive such information on a case-by-case basis if a cable operator appeals a local franchise authority's finding that the operator does not qualify as a small cable operator pursuant to § 76.901(e) of the Commission's rules.) Therefore, the Commission is unable at this time to estimate with greater precision the number of cable system operators that would qualify as small cable operators under the definition in the Communications Act.

    153. Other Toll Carriers. Neither the Commission nor the SBA has developed a definition for small businesses specifically applicable to Other Toll Carriers. This category includes toll carriers that do not fall within the categories of interexchange carriers, operator service providers, prepaid calling card providers, satellite service carriers, or toll resellers. Wired Telecommunications Carriers is the closest industry with an SBA small business size standard. The SBA small business size standard for Wired Telecommunications Carriers classifies firms having 1,500 or fewer employees as small. U.S. Census Bureau data for 2017 show that there were 3,054 firms in this industry that operated for the entire year. Of this number, 2,964 firms operated with fewer than 250 employees. (The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard.) Additionally, based on Commission data in the 2021 Universal Service Monitoring Report, as of December 31, 2020, there were 115 providers that reported they were engaged in the provision of other toll services. Of these providers, the Commission estimates that 113 providers have 1,500 or fewer employees. Consequently, using the SBA's small business size standard, most of these providers can be considered small entities.

    2. Wireless Carriers

    154. Wireless Telecommunications Carriers (except Satellite). This industry comprises establishments engaged in operating and maintaining switching and transmission facilities to provide communications via the airwaves. Establishments in this industry have spectrum licenses and provide services using that spectrum, such as cellular services, paging services, wireless internet access, and wireless video services. The SBA size standard for this industry classifies a business as small if it has 1,500 or fewer employees. U.S. Census Bureau data for 2017 show that there were 2,893 firms in this industry that operated for the entire year. Of that number, 2,837 firms employed fewer than 250 employees. (The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard.) Additionally, based on Commission data in the 2021 Universal Service Monitoring Report, as of December 31, 2020, there were 797 providers that reported they were engaged in the provision of wireless services. Of these providers, the Commission estimates that 715 providers have 1,500 or fewer employees. Consequently, using the SBA's small business size standard, most of these providers can be considered small entities.

    155. Satellite Telecommunications. This industry comprises firms “primarily engaged in providing telecommunications services to other establishments in the telecommunications and broadcasting industries by forwarding and receiving communications signals via a system of satellites or reselling satellite telecommunications.” Satellite telecommunications service providers include satellite and earth station operators. The SBA small business size standard for this industry classifies a business with $35 million or less in annual receipts as small. U.S. Census Bureau data for 2017 show that 275 firms in this industry operated for the entire year. Of this number, 242 firms had revenue of less than $25 million. (The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. The Commission also notes that according to the U.S. Census Bureau glossary, the terms receipts and revenues are used interchangeably.) Additionally, based on Commission data in the 2021 Universal Service Monitoring Report, as of December 31, 2020, there were 71 providers that reported they were engaged in the provision of satellite Start Printed Page 42941 telecommunications services. Of these providers, the Commission estimates that approximately 48 providers have 1,500 or fewer employees. Consequently, using the SBA's small business size standard, a little more than of these providers can be considered small entities.

    3. Resellers

    156. Local Resellers. Neither the Commission nor the SBA have developed a small business size standard specifically for Local Resellers. Telecommunications Resellers is the closest industry with an SBA small business size standard. The Telecommunications Resellers industry comprises establishments engaged in purchasing access and network capacity from owners and operators of telecommunications networks and reselling wired and wireless telecommunications services (except satellite) to businesses and households. Establishments in this industry resell telecommunications; they do not operate transmission facilities and infrastructure. Mobile virtual network operators (MVNOs) are included in this industry. The SBA small business size standard for Telecommunications Resellers classifies a business as small if it has 1,500 or fewer employees. U.S. Census Bureau data for 2017 show that 1,386 firms in this industry provided resale services for the entire year. Of that number, 1,375 firms operated with fewer than 250 employees. (The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard.) Additionally, based on Commission data in the 2021 Universal Service Monitoring Report, as of December 31, 2020, there were 293 providers that reported they were engaged in the provision of local resale services. Of these providers, the Commission estimates that 289 providers have 1,500 or fewer employees. Consequently, using the SBA's small business size standard, most of these providers can be considered small entities.

    157. Toll Resellers. Neither the Commission nor the SBA have developed a small business size standard specifically for Toll Resellers. Telecommunications Resellers is the closest industry with an SBA small business size standard. The Telecommunications Resellers industry comprises establishments engaged in purchasing access and network capacity from owners and operators of telecommunications networks and reselling wired and wireless telecommunications services (except satellite) to businesses and households. Establishments in this industry resell telecommunications; they do not operate transmission facilities and infrastructure. Mobile virtual network operators (MVNOs) are included in this industry. The SBA small business size standard for Telecommunications Resellers classifies a business as small if it has 1,500 or fewer employees. U.S. Census Bureau data for 2017 show that 1,386 firms in this industry provided resale services for the entire year. Of that number, 1,375 firms operated with fewer than 250 employees. (The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard.) Additionally, based on Commission data in the 2021 Universal Service Monitoring Report, as of December 31, 2020, there were 518 providers that reported they were engaged in the provision of toll services. Of these providers, the Commission estimates that 495 providers have 1,500 or fewer employees. Consequently, using the SBA's small business size standard, most of these providers can be considered small entities.

    158. Prepaid Calling Card Providers. Neither the Commission nor the SBA has developed a small business size standard specifically for prepaid calling card providers. Telecommunications Resellers. is the closest industry with an SBA small business size standard. The Telecommunications Resellers industry comprises establishments engaged in purchasing access and network capacity from owners and operators of telecommunications networks and reselling wired and wireless telecommunications services (except satellite) to businesses and households. Establishments in this industry resell telecommunications; they do not operate transmission facilities and infrastructure. Mobile virtual network operators (MVNOs) are included in this industry. The SBA small business size standard for Telecommunications Resellers classifies a business as small if it has 1,500 or fewer employees. U.S. Census Bureau data for 2017 show that 1,386 firms in this industry provided resale services for the entire year. Of that number, 1,375 firms operated with fewer than 250 employees. (The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard.) Additionally, based on Commission data in the 2021 Universal Service Monitoring Report, as of December 31, 2020, there were 58 providers that reported they were engaged in the provision of payphone services. Of these providers, the Commission estimates that 57 providers have 1,500 or fewer employees. Consequently, using the SBA's small business size standard, most of these providers can be considered small entities.

    4. Other Entities

    159. All Other Telecommunications. This industry is comprised of establishments primarily engaged in providing specialized telecommunications services, such as satellite tracking, communications telemetry, and radar station operation. This industry also includes establishments primarily engaged in providing satellite terminal stations and associated facilities connected with one or more terrestrial systems and capable of transmitting telecommunications to, and receiving telecommunications from, satellite systems. Providers of internet services ( e.g., dial-up internet service providers (ISPs)) or voice over internet protocol (VoIP) services, via client-supplied telecommunications connections are also included in this industry. The SBA small business size standard for this industry classifies firms with annual receipts of $35 million or less as small. U.S. Census Bureau data for 2017 show that there were 1,079 firms in this industry that operated for the entire year. Of those firms, 1,039 had revenue of less than $25 million. (The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. The Commission also notes that according to the U.S. Census Bureau glossary, the terms receipts and revenues are used interchangeably.) Based on this data, the Commission estimates that the majority of “All Other Telecommunications” firms can be considered small.

    E. Description of Projected Reporting, Recordkeeping, and Other Compliance Requirements for Small Entities

    160. The Gateway Provider Report and Order and Order on Reconsideration require providers, primarily but not exclusively gateway providers, to meet certain obligations. These changes affect small and large companies equally and apply equally to all the classes of regulated entities identified above.

    161. Gateway Provider Report and Order. This document requires gateway providers to submit a certification and plan to the Robocall Mitigation Database describing their robocall mitigation practices and stating that they are adhering to those practices, regardless of whether they have fully implemented Start Printed Page 42942 STIR/SHAKEN. Additionally, downstream domestic providers receiving traffic from gateway providers must block traffic from such a provider if the gateway provider has not submitted a certification in the Robocall Mitigation Database. Gateway providers are not required to describe their mitigation program in a particular manner, but must clearly explain how they are complying with the know-your-upstream-provider obligation adopted in this document.

    162. A gateway provider must certify whether it has fully, partially, or not implemented STIR/SHAKEN, and include a statement in its certification that it commits to responding fully to all traceback requests from the Commission, law enforcement, and the industry traceback consortium and cooperate with such entities in investigating and stopping illegal robocalls. Submissions may be made confidentially consistent with the Commission's existing confidentiality rules. All information must be submitted in English or with a certified English translation and updated within 10 business days. Gateway providers must provide the same identifying information submitted by voice service providers.

    163. Gateway providers must also implement STIR/SHAKEN to authenticate SIP calls that are carrying a U.S. number in the caller ID field. To comply with this requirement, a gateway provider must authenticate caller ID information for all SIP calls it receives for which the caller ID information has not been authenticated and which it will exchange with another provider as a SIP call consistent with the relevant ATIS standards. Gateway providers have the flexibility to assign the level of attestation appropriate to the call based on the current version of the standards and the call information available to the gateway provider. A gateway provider using non-IP network technology in all or a portion of its network must provide the Commission, upon request, with documented proof that it is participating, either on its own or through a representative, as a member of a working group, industry standards group, or consortium that is working to develop a non-IP solution, or actively testing such a solution. Under this rule, a gateway provider satisfies its obligations if it participates through a third-party representative, such as a trade association of which it is a member or vendor.

    164. Gateway providers, and, in one case, any intermediate or terminating provider immediately downstream from the gateway, must also satisfy several robocall mitigation requirements. These requirements apply to any gateway provider, regardless of whether or not they have fully implemented STIR/SHAKEN on the IP portions of their network.

    165. First, gateway providers must fully respond to traceback requests from the Commission, civil and criminal law enforcement, and the industry traceback consortium within 24 hours of receipt of such a request. The gateway provider should respond with information about the provider from which it directly received the call.

    166. Second, gateway providers, and in one case, any intermediate or terminating provider immediately downstream from the gateway, must block calls in certain instances. Specifically, the gateway provider must block illegal traffic once notified of such traffic by the Commission through its Enforcement Bureau. In order to comply with this requirement, gateway providers must block traffic that is substantially similar to the identified traffic on an ongoing basis. When a gateway provider fails to comply with this requirement, the Commission may require providers immediately downstream from a gateway provider to block all traffic from the identified provider when notified by the Commission. As part of this requirement, a notified gateway provider must promptly report the results of its investigation to the Enforcement Bureau, including, unless the gateway provider determines it is either not a gateway provider for any of the identified traffic or that the identified traffic is not illegal, both a certification that it is blocking the identified traffic and will continue to do so and a description of its plan to identify the traffic on an ongoing basis. In order to comply with the downstream provider blocking requirement, all providers must monitor EB Docket No. 22-174 and initiate blocking within 30 days of a Blocking Order being released. Gateway providers must also block based on a reasonable do-not-originate (DNO list). Gateway providers are allowed flexibility to select the list that works best for them, so long as it is reasonable and only includes invalid, unallocated, and unused numbers, as well as numbers for which the subscriber to the number has requested blocking.

    167. Third, gateway providers must take reasonable and effective steps to ensure that the immediate upstream provider is not using the gateway provider to originate a high volume of illegal traffic onto the U.S. network. Gateway providers have flexibility to determine the exact measures to take, so long as those steps are effective. Finally, gateway providers must meet a general obligation to mitigate illegal robocalls. Gateway providers are not required to take specific steps to satisfy this obligation, but must implement “reasonable steps” to avoid carrying or processing illegal robocall traffic and must also implement a robocall mitigation program and, as explained below, file that plan along with a certification in the Robocall Mitigation Database.

    168. The Order on Reconsideration in this document strengthens the existing rule requiring downstream providers to block calls carrying U.S. NANP numbers sent from foreign providers not listed in the Robocall Mitigation Database. It modifies the requirement to apply to calls sent directly from a foreign provider that originates, as well as carries or processes a call carrying a U.S. NANP number. Therefore, a downstream domestic provider must block such calls sent directly from any foreign provider not listed in the Robocall Mitigation Database.

    F. Steps Taken To Minimize the Significant Economic Impact on Small Entities, and Significant Alternatives Considered

    169. The RFA requires an agency to describe any significant alternatives that it has considered in reaching its approach, which may include the following four alternatives, among others: (1) the establishment of differing compliance or reporting requirements or timetables that take into account the resources available to small entities; (2) the clarification, consolidation, or simplification of compliance or reporting requirements under the rule for small entities; (3) the use of performance, rather than design, standards; and (4) an exemption from coverage of the rule, or any part thereof, for small entities.

    170. Generally, the decisions the Commission made in this document apply to all providers generally, and do not impose unique burdens or benefits on small providers. Small providers are as capable of being the entry-point onto the U.S. network for illegal calls as large providers, which necessitates equal treatment if the Commission is to protect consumers from these calls. However, the Commission did take steps to ensure that providers, including small providers, would not be unduly burdened by these requirements. Specifically, the Commission allowed flexibility where appropriate to ensure that providers, including small providers, can determine the best Start Printed Page 42943 approach for compliance based on the needs of their networks. For example, gateway providers have the flexibility to determine their proposed approach to blocking illegal traffic when notified by the Commission, to choose a reasonable DNO list, and to determine the steps they take to “know the upstream provider.” A similarly flexible approach applies to the requirement for gateway providers to implement and describe their mitigation plan filed in the Robocall Mitigation Database.

    G. Report to Congress

    171. The Commission will send a copy of the Gateway Provider Report and Order and Order on Reconsideration, including the FRFA, in a report to be sent to Congress and the Government Accountability Office pursuant to the Congressional Review Act. In addition, the Commission will send a copy of the Gateway Provider Report and Order and Order on Reconsideration, including the FRFA, to the Chief Counsel for Advocacy of the Small Business Administration. A copy of the Gateway Provider Report and Order and Order on Reconsideration (or summaries thereof) will also be published in the Federal Register .

    V. Procedural Matters

    172. Paperwork Reduction Act. This document may contain new and modified information collection requirements subject to the PRA, Public Law 104-13. Specifically, the rules adopted in 47 CFR 64.1200(n)(1) and (o), 64.6303(b), 64.6305(b), (c)(2), and (d) may require new or modified information collections. This document will be submitted to the Office of Management and Budget (OMB) for review under Section 3507(d) of the PRA. OMB, the general public, and other Federal agencies will be invited to comment on the new or modified information collection requirements contained in this proceeding. The modification to 47 CFR 64.6305(c)(2) is non-substantive and will be submitted to OMB in accordance with its process for non-substantive changes. In addition, the Commission notes that pursuant to the Small Business Paperwork Relief Act of 2002, Public Law 107-198, the Commission previously sought specific comment on how the Commission might further reduce the information collection burden for small business concerns with fewer than 25 employees.

    173. Final Regulatory Flexibility Analysis. As required by the Regulatory Flexibility Act of 1980 (RFA), an Initial Regulatory Flexibility Analysis (IRFA) was incorporated into the Gateway Provider FNPRM. The Commission sought written public comment on the possible significant economic impact on small entities regarding the proposals addressed in the Gateway Provider FNPRM, including comments on the IRFA. Pursuant to the RFA, a Final Regulatory Flexibility Analysis is set forth in Section II above. The Commission's Consumer and Governmental Affairs Bureau, Reference Information Center, will send a copy of the Gateway Provider Report and Order, including the Final Regulatory Flexibility Analysis (FRFA), to the Chief Counsel for Advocacy of the Small Business Administration (SBA).

    174. Congressional Review Act. The Commission has determined, and the Administrator of the Office of Information and Regulatory Affairs, Office of Management and Budget (OMB), concurs, that this rule is “major” under the Congressional Review Act, 5 U.S.C. 804(2). The Commission will send a copy of the Gateway Provider Report and Order to Congress and the Government Accountability Office pursuant to 5 U.S.C. 801(a)(1)(A). The Commission will send a copy of the Gateway Provider Report and Order and Order on Reconsideration to Congress and the Government Accountability Office pursuant to 5 U.S.C. 801(a)(1)(A).

    VI. Ordering Clauses

    175. Accordingly, pursuant to sections 4(i), 4(j), 201, 202, 217, 227, 227b, 251(e), 303(r), and 403 of the Communications Act of 1934, as amended, 47 U.S.C. 154(i), 154(j), 201, 202, 217, 227, 227b, 251(e), 303(r), and 403, it is ordered that the Gateway Provider Report and Order is adopted.

    176. It is further ordered that, pursuant to sections 4(i), 4(j), 201, 202, 217, 227, 227b, 251(e), 303(r), 403, and 405 of the Communications Act of 1934, as amended, 47 U.S.C. 154(i), 154(j), 201, 202, 217, 227, 227b, 251(e), 303(r), 403, and 405, the Order on Reconsideration is adopted.

    177. It is further ordered that, pursuant to sections 4(i), 4(j), 201, 202, 217, 227, 227b, 251(e), and 303(r) of the Communications Act of 1934, as amended, 47 U.S.C. 154(i), 154(j), 201, 202, 217, 227, 227b, 251(e), and 303(r), the Gateway Provider Report and Order is adopted.

    178. It is further ordered that parts 0 and 64 of the Commission's rules are amended as set forth in the Final Rules.

    179. It is further ordered that, pursuant to §§ 1.4(b)(1) and 1.103(a) of the Commission's rules, 47 CFR 1.4(b)(1), 1.103(a), and the Gateway Provider Report and Report and Order shall be effective 60 days after publication in the Federal Register . Compliance with 47 CFR 64.1200(n)(1) and (o) will not be required until OMB completes any review that the Consumer and Governmental Affairs Bureau determines is required under the PRA. The Commission directs the Consumer and Governmental Affairs Bureau to announce a compliance date by subsequent notification and to cause 47 CFR 64.1200(n)(1) and (o) to be revised accordingly. Compliance with 47 CFR 64.6303(b) and 64.6305(b), (c)(2), and (d) will not be required until OMB completes any review that the Wireline Competition Bureau determines is required under the PRA. The Commission directs the Wireline Competition Bureau to announce a compliance date by subsequent notification and to cause 47 CFR 64.6303(b) and 64.6305(b), (c)(2), and (d) to be revised accordingly.

    180. It is further ordered that the Petition for Partial Reconsideration filed by CTIA is denied.

    181. It is further ordered that the Petition for Reconsideration filed by Voice on the Net Coalition is denied in part and, in the alternative, dismissed in part.

    182. It is further ordered that the Order on Reconsideration and Gateway Provider Report and Order shall be effective 60 days after publication in the Federal Register .

    183. It is further ordered that the Office of the Managing Director, Performance Evaluation and Records Management, shall send a copy of the Gateway Provider Report and Order and Order on Reconsideration in a report to be sent to Congress and the Government Accountability Office pursuant to the Congressional Review Act, see 5 U.S.C. 801(a)(1)(A).

    184. It is further ordered that the Commission's Consumer & Governmental Affairs Bureau, Reference Information Center, shall send a copy of the Gateway Provider Report and Order and Order on Reconsideration, including the Final Regulatory Flexibility Analysis, to the Chief Counsel for Advocacy of the Small Business Administration.

    Start List of Subjects

    List of Subjects

    47 CFR Part 0

    • Authority delegations (Government agencies)
    • Communications
    • Communications common carriers
    • Classified information
    • Freedom of information
    • Government publications
    • Infants and children
    • Organization and functions (Government agencies)
    • Postal Service
    • Privacy
    • Reporting and

    47 CFR Part 64

    • Carrier equipment
    • Communications common carriers
    • Reporting and recordkeeping requirements
    • Telecommunications
    • Telephone
    End List of Subjects Start Signature

    Federal Communications Commission.

    Marlene Dortch,

    Secretary.

    End Signature

    Final Rules

    The Federal Communications Commission amends parts 0 and 64 of title 47 of the Code of Federal Regulations as follows:

    Start Part

    PART 0—COMMISSION ORGANIZATION

    Subpart A—Organization

    End Part Start Amendment Part

    1. The authority citation for part 0, subpart A, continues to read as follows:

    End Amendment Part Start Authority

    Authority: 47 U.S.C. 151, 154(i), 154(j), 155, 225, and 409, unless otherwise noted.

    End Authority Start Amendment Part

    2. Amend § 0.111 by revising paragraph (a)(27) and adding paragraph (a)(28) to read as follows:

    End Amendment Part
    Functions of the Bureau.

    (a) * * *

    (27) Identify suspected illegal calls and provide written notice to voice service providers. The Enforcement Bureau shall:

    (i) Identify with as much particularity as possible the suspected traffic;

    (ii) Cite the statutory or regulatory provisions the suspected traffic appears to violate;

    (iii) Provide the basis for the Enforcement Bureau's reasonable belief that the identified traffic is unlawful, including any relevant nonconfidential evidence from credible sources such as the industry traceback consortium or law enforcement agencies; and

    (iv) Direct the voice service provider receiving the notice that it must comply with § 64.1200(n)(2) or (5) of this chapter.

    (28) Take enforcement action, including de-listing from the Robocall Mitigation Database, against any provider:

    (i) Whose certification described in § 64.6305(c) and (d) of this chapter is deficient after giving that provider notice and an opportunity to cure the deficiency; or

    (ii) Who accepts calls directly from a domestic voice service provider, gateway provider, or foreign provider not listed in the Robocall Mitigation Database in violation of § 64.6305(e) of this chapter.

    * * * * *
    Start Part

    PART 64—MISCELLANEOUS RULES RELATING TO COMMON CARRIERS

    End Part Start Amendment Part

    3. The authority citation for part 64 continues to read as follows:

    End Amendment Part Start Authority

    Authority: 47 U.S.C. 151, 152, 154, 201, 202, 217, 218, 220, 222, 225, 226, 227, 227b, 228, 251(a), 251(e), 254(k), 255, 262, 276, 403(b)(2)(B), (c), 616, 620, 716, 1401-1473, unless otherwise noted; Pub. L. 115-141, Div. P, sec. 503, 132 Stat. 348, 1091.

    End Authority

    Subpart L—Restrictions on Telemarketing, Telephone Solicitation, and Facsimile Advertising

    Start Amendment Part

    4. Amend § 64.1200 by:

    End Amendment Part Start Amendment Part

    a. Adding paragraphs (f)(19);

    End Amendment Part Start Amendment Part

    b. Revising paragraphs (k)(5) and (6) and (n)(1); and

    End Amendment Part Start Amendment Part

    c. Adding paragraphs (n)(4) through (6), (o), and (p).

    End Amendment Part

    The additions and revisions read as follows:

    Delivery restrictions.
    * * * * *

    (f) * * *

    (19) The term gateway provider means a U.S.-based intermediate provider that receives a call directly from a foreign originating provider or foreign intermediate provider at its U.S.-based facilities before transmitting the call downstream to another U.S.-based provider. For purposes of this paragraph (f)(19):

    (i) U.S.-based means that the provider has facilities located in the United States, including a point of presence capable of processing the call; and

    (ii) Receives a call directly from a provider means the foreign provider directly upstream of the gateway provider in the call path sent the call to the gateway provider, with no providers in-between.

    * * * * *

    (k) * * *

    (5) A provider may not block a voice call under paragraphs (k)(1) through (4), paragraph (k)(11), paragraphs (n)(5) and (6), or paragraph (o) of this section if the call is an emergency call placed to 911.

    (6) When blocking consistent with paragraphs (k)(1) through (4), paragraph (k)(11), paragraphs (n)(5) and (6), or paragraph (o) of this section, a provider must making all reasonable efforts to ensure that calls from public safety answering points and government emergency numbers are not blocked.

    * * * * *

    (n) * * *

    (1) Upon receipt of a traceback request from the Commission, civil law enforcement, criminal law enforcement, or the industry traceback consortium:

    (i) If the provider is an originating, terminating, or non-gateway intermediate provider for all calls specified in the traceback request, the provider must respond fully and in a timely manner;

    (ii) If the provider receiving a traceback request is the gateway provider for any calls specified in the traceback request, the provider must fully respond to the traceback request within 24 hours of receipt of the request. The 24-hour clock does not start outside of business hours, and requests received during that time are deemed received at 8 a.m. on the next business day. If the 24-hour response period would end on a non-business day, either a weekend or a Federal legal holiday, the 24-hour clock does not run for the weekend or holiday in question, and restarts at 12:01 a.m. on the next business day following when the request would otherwise be due. For example, a request received at 3 p.m. on a Friday will be due at 3 p.m. on the following Monday, assuming that Monday is not a Federal legal holiday. For purposes of this paragraph (n)(1)(ii), business day is defined as Monday through Friday, excluding Federal legal holidays, and business hours is defined as 8 a.m. to 5:30 p.m. on a business day. For purposes of this paragraph (n)(1)(ii), all times are local time for the office that is required to respond to the request.

    * * * * *

    (4) If the provider acts as a gateway provider, take reasonable and effective steps to ensure that any foreign originating provider or foreign intermediate provider from which it directly receives traffic is not using the gateway provider to carry or process a high volume of illegal traffic onto the U.S. network. Compliance with this paragraph (n)(4) will not be required until January 16, 2023.

    (5) If the provider acts as a gateway provider, and is properly notified under this section, block identified illegal traffic and any substantially similar traffic on an ongoing basis (unless its investigation determines that the traffic is not illegal) when it receives actual written notice of such traffic by the Commission through its Enforcement Bureau. The gateway provider will not be held liable under the Communications Act or the Commission's rules in this chapter for gateway providers that inadvertently block lawful traffic as part of the requirement to block substantially similar traffic so long as it is blocking consistent with the requirements of this paragraph (n)(5). For purposes of this paragraph (n)(5), identified traffic means the illegal traffic identified in the Notification of Suspected Illegal Traffic Start Printed Page 42945 issued by the Enforcement Bureau. The following procedures shall apply:

    (i)(A) The Enforcement Bureau will issue a Notification of Suspected Illegal Traffic that identifies with as much particularity as possible the suspected illegal traffic; provides the basis for the Enforcement Bureau's reasonable belief that the identified traffic is unlawful; cites the statutory or regulatory provisions the identified traffic appears to violate; and directs the provider receiving the notice that it must comply with this section. The Enforcement Bureau's Notification of Suspected Illegal Traffic shall give the identified provider a minimum of 14 days to comply with the notice. Each notified provider must promptly investigate the identified traffic and report the results of that investigation to the Enforcement Bureau within the timeframe specified in the Notification of Suspected Illegal Traffic. If the provider's investigation determines that it served as the gateway provider for the identified traffic, it must block the identified traffic within the timeframe specified in the Notification of Suspected Illegal Traffic and include in its report to the Enforcement Bureau:

    ( 1 ) A certification that it is blocking the identified traffic and will continue to do so; and

    ( 2 ) A description of its plan to identify and block substantially similar traffic on an ongoing basis.

    (B) If the provider's investigation determines that the identified traffic is not illegal, it shall provide an explanation as to why the provider reasonably concluded that the identified traffic is not illegal and what steps it took to reach that conclusion. Absent such a showing, or if the Enforcement Bureau determines based on the evidence that the traffic is illegal despite the provider's assertions, the identified traffic will be deemed illegal. If the notified provider determines during this investigation that it did not serve as the gateway provider for any of the identified traffic, it shall provide an explanation as to how it reached that conclusion and, if it is a non-gateway intermediate or terminating provider for the identified traffic, it must identify the upstream provider(s) from which it received the identified traffic and, if possible, take lawful steps to mitigate this traffic. If the notified provider determines that it is the originating provider, or the traffic otherwise comes from a source that does not have direct access to the U.S. public switched telephone network, it must promptly comply with paragraph (n)(2) of this section by effectively mitigating the identified traffic and reporting to the Enforcement Bureau any steps it has taken to effectively mitigate the identified traffic. If the Enforcement Bureau finds that an approved plan is not blocking substantially similar traffic, the identified provider shall modify its plan to block such traffic. If the Enforcement Bureau finds, that the identified provider continues to allow suspected illegal traffic onto the U.S. network, it may proceed under paragraph (n)(5)(ii) or (iii) of this section as appropriate.

    (ii) If the provider fails to respond to the Notification of Suspected Illegal Traffic, the Enforcement Bureau determines that the response is insufficient, the Enforcement Bureau determines that the gateway provider is continuing to allow substantially similar traffic onto the U.S. network after the timeframe specified in the Notification of Suspected Illegal Traffic, or the Enforcement Bureau determines based on the evidence that the traffic is illegal despite the provider's assertions, the Enforcement Bureau shall issue an Initial Determination Order to the gateway provider stating the Bureau's initial determination that the gateway provider is not in compliance with this section. The Initial Determination Order shall include the Enforcement Bureau's reasoning for its determination and give the gateway provider a minimum of 14 days to provide a final response prior to the Enforcement Bureau making a final determination on whether the provider is in compliance with this section.

    (iii) If the gateway provider does not provide an adequate response to the Initial Determination Order within the timeframe permitted in that Order or continues to allow substantially similar traffic onto the U.S. network, the Enforcement Bureau shall issue a Final Determination Order finding that the gateway provider is not in compliance with this section. The Final Determination Orders shall be published in EB Docket No. 22-174 at https://www.fcc.gov/​ecfs/​search/​search-filings. A Final Determination Order may be issued up to one year after the release date of the Initial Determination Order, and may be based on either an immediate failure to comply with this rule or a determination that the gateway provider has failed to meet its ongoing obligation under this rule to block substantially similar traffic.

    (6) When notified by the Commission through its Enforcement Bureau that a Final Determination Order has been issued finding that a gateway provider has failed to block as required under paragraph (n)(5) of this section, block and cease accepting all traffic received directly from the identified gateway provider beginning 30 days after the release date of the Final Determination Order. This paragraph (n)(6) applies to any provider immediately downstream from the gateway provider. The Enforcement Bureau shall provide notification by publishing the Final Determination Order in EB Docket No. 22-174 at https://www.fcc.gov/​ecfs/​search/​search-filings. Providers must monitor EB Docket No. 22-174 and initiate blocking no later than 30 days from the release date of the Final Determination Order. A provider that chooses to initiate blocking sooner than 30 days from the release date may do so consistent with paragraph (k)(4) of this section.

    (o) A provider that serves as a gateway provider for particular calls must, with respect to those calls, block any calls purporting to originate from a number on a reasonable do-not-originate list. A list so limited in scope that it leaves out obvious numbers that could be included with little effort may be deemed unreasonable. The do-not-originate list may include only:

    (1) Numbers for which the subscriber to which the number is assigned has requested that calls purporting to originate from that number be blocked because the number is used for inbound calls only;

    (2) North American Numbering Plan numbers that are not valid;

    (3) Valid North American Numbering Plan Numbers that are not allocated to a provider by the North American Numbering Plan Administrator; and

    (4) Valid North American Numbering Plan numbers that are allocated to a provider by the North American Numbering Plan Administrator, but are unused, so long as the provider blocking the calls is the allocatee of the number and confirms that the number is unused or has obtained verification from the allocatee that the number is unused at the time of blocking.

    (p) Paragraphs (n)(1) and (o) of this section may contain an information-collection and/or recordkeeping requirement. Compliance with paragraphs (n)(1) and (o) will not be required until this paragraph (p) is removed or contains a compliance date, which will not occur until after the Office of Management and Budget completes review of such requirements pursuant to the Paperwork Reduction Act or until after the Consumer and Governmental Affairs Bureau determines that such review is not required. The Commission directs the Consumer and Governmental Affairs Bureau to announce a compliance date for paragraphs (n)(1) and (o) by subsequent Public Notice and Start Printed Page 42946 notification in the Federal Register and to cause paragraphs (n)(1) and (o) to be revised accordingly.

    Subpart HH—Caller ID Authentication

    Start Amendment Part

    5. Amend § 64.6300 by:

    End Amendment Part Start Amendment Part

    a. Redesignating paragraphs (d) through (m) as paragraphs (e) through (n);

    End Amendment Part Start Amendment Part

    b. Adding a new paragraph (d); and

    End Amendment Part Start Amendment Part

    c. Revising newly redesignated paragraph (g).

    End Amendment Part

    The addition and revision read as follows:

    Definitions.
    * * * * *

    (d) Gateway provider. The term “gateway provider” means a U.S.-based intermediate provider that receives a call directly from a foreign originating provider or foreign intermediate provider at its U.S.-based facilities before transmitting the call downstream to another U.S.-based provider. For purposes of this paragraph (d):

    (1) U.S.-based means that the provider has facilities located in the United States, including a point of presence capable of processing the call; and

    (2) Receives a call directly from a provider means the foreign provider directly upstream of the gateway provider in the call path sent the call to the gateway provider, with no providers in-between.

    * * * * *

    (g) Intermediate provider. The term “intermediate provider” means any entity that carries or processes traffic that traverses or will traverse the public switched telephone network at any point insofar as that entity neither originates nor terminates that traffic.

    * * * * *
    Start Amendment Part

    6. Amend § 64.6302 by adding paragraph (c) to read as follows:

    End Amendment Part
    Caller ID authentication by intermediate providers.
    * * * * *

    (c) Notwithstanding paragraph (b) of this section, a gateway provider must, not later than June 30, 2023, authenticate caller identification information for all calls it receives that use North American Numbering Plan resources that pertain to the United States in the caller ID field and for which the caller identification information has not been authenticated and which it will exchange with another provider as a SIP call, unless that gateway provider is subject to an applicable extension in § 64.6304.

    Start Amendment Part

    7. Revise § 64.6303 to read as follows:

    End Amendment Part
    Caller ID authentication in non-IP networks.

    (a) Except as provided in §§ 64.6304 and 64.6306, not later than June 30, 2021, a voice service provider shall either:

    (1) Upgrade its entire network to allow for the initiation, maintenance, and termination of SIP calls and fully implement the STIR/SHAKEN framework as required in § 64.6301 throughout its network; or

    (2) Maintain and be ready to provide the Commission on request with documented proof that it is participating, either on its own or through a representative, including third party representatives, as a member of a working group, industry standards group, or consortium that is working to develop a non-internet Protocol caller identification authentication solution, or actively testing such a solution.

    (b) Except as provided in § 64.6304, not later than June 30, 2023, a gateway provider shall either:

    (1) Upgrade its entire network to allow for the processing and carrying of SIP calls and fully implement the STIR/SHAKEN framework as required in § 64.6302(c) throughout its network; or

    (2) Maintain and be ready to provide the Commission on request with documented proof that it is participating, either on its own or through a representative, including third party representatives, as a member of a working group, industry standards group, or consortium that is working to develop a non-internet Protocol caller identification authentication solution, or actively testing such a solution.

    (3) Paragraph (b) of this section may contain an information collection and/or recordkeeping requirement. Compliance with paragraph (b) will not be required until this paragraph (b)(3) is removed or contains a compliance date, which will not occur until after the Office of Management and Budget completes review of such requirements pursuant to the Paperwork Reduction Act or until after the Wireline Competition Bureau determines that such review is not required. The Commission directs the Wireline Competition Bureau to announce a compliance date for paragraph (b) by subsequent Public Notice and notification in the Federal Register and to cause paragraph (b) to be revised accordingly.

    Start Amendment Part

    8. Amend § 64.6304 by revising paragraphs (b) and (d) to read as follows:

    End Amendment Part
    Extension of implementation deadline.
    * * * * *

    (b) Voice service providers and gateway providers that cannot obtain an SPC token. Voice service providers that are incapable of obtaining an SPC token due to Governance Authority policy are exempt from the requirements of § 64.6301 until they are capable of obtaining a SPC token. Gateway providers that are incapable of obtaining an SPC token due to Governance Authority policy are exempt from the requirements of § 64.6302(c) regarding call authentication.

    * * * * *

    (d) Non-IP Networks. Those portions of a voice service provider or gateway provider's network that rely on technology that cannot initiate, maintain, carry, process, and terminate SIP calls are deemed subject to a continuing extension. A voice service provider subject to the foregoing extension shall comply with the requirements of § 64.6303(a) as to the portion of its network subject to the extension, and a gateway provider subject to the foregoing extension shall comply with the requirements of § 64.6303(b) as to the portion of its network subject to the extension.

    * * * * *
    Start Amendment Part

    9. Revise § 64.6305 to read as follows:

    End Amendment Part
    Robocall mitigation and certification.

    (a) Robocall mitigation program requirements for voice service providers. (1) Any voice service provider subject to an extension granted under § 64.6304 that has not fully implemented the STIR/SHAKEN authentication framework on its entire network shall implement an appropriate robocall mitigation program as to those portions of its network on which it has not implemented the STIR/SHAKEN authentication framework.

    (2) Any robocall mitigation program implemented pursuant to paragraph (a)(1) of this section shall include reasonable steps to avoid originating illegal robocall traffic and shall include a commitment to respond fully and in a timely manner to all traceback requests from the Commission, law enforcement, and the industry traceback consortium, and to cooperate with such entities in investigating and stopping any illegal robocallers that use its service to originate calls.

    (b) Robocall mitigation program requirements for gateway providers. (1) Each gateway provider shall implement an appropriate robocall mitigation program with respect to calls that use North American Numbering Plan resources that pertain to the United States in the caller ID field. Start Printed Page 42947

    (2) Any robocall mitigation program implemented pursuant to paragraph (b)(1) of this section shall include reasonable steps to avoid carrying or processing illegal robocall traffic and shall include a commitment to respond fully and within 24 hours to all traceback requests from the Commission, law enforcement, and the industry traceback consortium, and to cooperate with such entities in investigating and stopping any illegal robocallers that use its service to carry or process calls.

    (3) Paragraph (b)(2) of this section may contain an information-collection and/or recordkeeping requirement. Compliance with paragraph (b)(2) will not be required until this paragraph (b)(3) is removed or contains a compliance date, which will not occur until after the Office of Management and Budget completes review of such requirements pursuant to the Paperwork Reduction Act or until after the Wireline Competition Bureau determines that such review is not required. The Commission directs the Wireline Competition Bureau to announce a compliance date for paragraph (b) of this section by subsequent Public Notice and notification in the Federal Register and to cause paragraph (b) to be revised accordingly.

    (c) Certification by voice service providers in the Robocall Mitigation Database. (1) Not later than June 30, 2021, a voice service provider, regardless of whether it is subject to an extension granted under § 64.6304, shall certify to one of the following:

    (i) It has fully implemented the STIR/SHAKEN authentication framework across its entire network and all calls it originates are compliant with § 64.6301(a)(1) and (2);

    (ii) It has implemented the STIR/SHAKEN authentication framework on a portion of its network and calls it originates on that portion of its network are compliant with § 64.6301(a)(1) and (2), and the remainder of the calls that originate on its network are subject to a robocall mitigation program consistent with paragraph (a) of this section; or

    (iii) It has not implemented the STIR/SHAKEN authentication framework on any portion of its network, and all of the calls that originate on its network are subject to a robocall mitigation program consistent with paragraph (a) of this section.

    (2) A voice service provider that certifies that some or all of the calls that originate on its network are subject to a robocall mitigation program consistent with paragraph (a) of this section shall include the following information in its certification in English or with a certified English translation:

    (i) Identification of the type of extension or extensions the voice service provider received under § 64.6304, if the voice service provider is not a foreign voice service provider;

    (ii) The specific reasonable steps the voice service provider has taken to avoid originating illegal robocall traffic as part of its robocall mitigation program; and

    (iii) A statement of the voice service provider's commitment to respond fully and in a timely manner to all traceback requests from the Commission, law enforcement, and the industry traceback consortium, and to cooperate with such entities in investigating and stopping any illegal robocallers that use its service to originate calls.

    (3) All certifications made pursuant to paragraphs (c)(1) and (2) of this section shall:

    (i) Be filed in the appropriate portal on the Commission's website; and

    (ii) Be signed by an officer in conformity with 47 CFR 1.16.

    (4) A voice service provider filing a certification shall submit the following information in the appropriate portal on the Commission's website:

    (i) The voice service provider's business name(s) and primary address;

    (ii) Other business names in use by the voice service provider;

    (iii) All business names previously used by the voice service provider;

    (iv) Whether the voice service provider is a foreign voice service provider; and

    (v) The name, title, department, business address, telephone number, and email address of one person within the company responsible for addressing robocall mitigation-related issues.

    (5) A voice service provider shall update its filings within 10 business days of any change to the information it must provide pursuant to paragraphs (c)(1) through (4) of this section.

    (i) A voice service provider or intermediate provider that has been aggrieved by a Governance Authority decision to revoke that voice service provider's or intermediate provider's SPC token need not update its filing on the basis of that revocation until the sixty (60) day period to request Commission review, following completion of the Governance Authority's formal review process, pursuant to § 64.6308(b)(1) expires or, if the aggrieved voice service provider or intermediate provider files an appeal, until ten business days after the Wireline Competition Bureau releases a final decision pursuant to § 64.6308(d)(1).

    (ii) If a voice service provider or intermediate provider elects not to file a formal appeal of the Governance Authority decision to revoke that voice service provider's or intermediate provider's SPC token, the provider need not update its filing on the basis of that revocation until the thirty (30) day period to file a formal appeal with the Governance Authority Board expires.

    (6) Paragraph (c)(2) of this section may contain an information collection and/or recordkeeping requirement. Compliance with paragraph (c)(2) will not be required until this paragraph (c)(6) is removed or contains a compliance date, which will not occur until after the Office of Management and Budget completes review of such requirements pursuant to the Paperwork Reduction Act or until after the Wireline Competition Bureau determines that such review is not required. The Commission directs the Wireline Competition Bureau to announce a compliance date for paragraph (c)(2) by subsequent Public Notice and notification in the Federal Register and to cause paragraph (c)(2) to be revised accordingly.

    (d) Certification by gateway providers in the Robocall Mitigation Database. (1) 30 days following Federal Register notification of OMB approval of the relevant information collection obligations, a gateway provider shall certify to one of the following:

    (i) It has fully implemented the STIR/SHAKEN authentication framework across its entire network and all calls it carries or processes are compliant with § 64.6302(b);

    (ii) It has implemented the STIR/SHAKEN authentication framework on a portion of its network and calls it carries or processes on that portion of its network are compliant with § 64.6302(b); or

    (iii) It has not implemented the STIR/SHAKEN authentication framework on any portion of its network for carrying or processing calls.

    (2) A gateway provider shall include the following information in its certification made pursuant to paragraph (d)(1) of this section, in English or with a certified English translation:

    (i) Identification of the type of extension or extensions the gateway provider received under § 64.6304;

    (ii) The specific reasonable steps the gateway provider has taken to avoid carrying or processing illegal robocall traffic as part of its robocall mitigation program, including a description of how it has complied with the know-your-upstream provider requirement in § 64.1200(n)(4); and Start Printed Page 42948

    (iii) A statement of the gateway provider's commitment to respond fully and within 24 hours to all traceback requests from the Commission, law enforcement, and the industry traceback consortium, and to cooperate with such entities in investigating and stopping any illegal robocallers that use its service to carry or process calls.

    (3) All certifications made pursuant to paragraphs (d)(1) and (2) of this section shall:

    (i) Be filed in the appropriate portal on the Commission's website; and

    (ii) Be signed by an officer in conformity with 47 CFR 1.16.

    (4) A gateway provider filing a certification shall submit the following information in the appropriate portal on the Commission's website:

    (i) The gateway provider's business name(s) and primary address;

    (ii) Other business names in use by the gateway provider;

    (iii) All business names previously used by the gateway provider;

    (iv) Whether the gateway provider or any affiliate is also a foreign voice service provider; and

    (v) The name, title, department, business address, telephone number, and email address of one person within the company responsible for addressing robocall mitigation-related issues.

    (5) A gateway provider shall update its filings within 10 business days of any change to the information it must provide pursuant to paragraphs (d)(1) through (4) of this section, subject to the conditions set forth in paragraphs (c)(5)(i) and (ii) of this section.

    (6) Paragraphs (d)(1) through (5) of this section may contain an information collection and/or recordkeeping requirement. Compliance with paragraphs (d)(1) through (5) will not be required until this paragraph (d)(6) is removed or contains a compliance date, which will not occur until after the Office of Management and Budget completes review of such requirements pursuant to the Paperwork Reduction Act or until after the Wireline Competition Bureau determines that such review is not required. The Commission directs the Wireline Competition Bureau to announce a compliance date for paragraph (d) of this section by subsequent Public Notice and notification in the Federal Register and to cause paragraph (d) to be revised accordingly.

    (e) Intermediate provider and voice service provider obligations —(1) Accepting traffic from domestic voice service providers. Intermediate providers and voice service providers shall accept calls directly from a domestic voice service provider only if that voice service provider's filing appears in the Robocall Mitigation Database in accordance with paragraph (c) of this section and that filing has not been de-listed pursuant to an enforcement action.

    (2) Accepting traffic from foreign providers. Beginning 90 days after the deadline for filing certifications pursuant to paragraph (d)(1) of this section, intermediate providers and voice service providers shall accept calls directly from a foreign voice service provider or foreign intermediate provider that uses North American Numbering Plan resources that pertain to the United States in the caller ID field to send voice traffic to residential or business subscribers in the United States, only if that foreign provider's filing appears in the Robocall Mitigation Database in accordance with paragraph (c) of this section and that filing has not been de-listed pursuant to an enforcement action.

    (3) Accepting traffic from gateway providers. Beginning 90 days after the deadline for filing certifications pursuant to paragraph (d) of this section, intermediate providers and voice service providers shall accept calls directly from a gateway provider only if that gateway provider's filing appears in the Robocall Mitigation Database in accordance with paragraph (d) of this section, showing that the gateway provider has affirmatively submitted the filing, and that filing has not been de-listed pursuant to an enforcement action.

    (4) Public safety safeguards. Notwithstanding paragraphs (e)(1) through (3) of this section:

    (i) A provider may not block a voice call under any circumstances if the call is an emergency call placed to 911; and

    (ii) A provider must make all reasonable efforts to ensure that it does not block any calls from public safety answering points and government emergency numbers.

    End Supplemental Information

    [FR Doc. 2022-13436 Filed 7-15-22; 8:45 am]

    BILLING CODE 6712-01-P

Visit the Official Version
Leave a Comment

Document Information

Effective Date:
9/16/2022
Published:
07/18/2022
Department:
Federal Communications Commission
Entry Type:
Rule
Action:
Final rule.
Document Number:
2022-13436
Dates:
Effective date: This rule is effective September 16, 2022.
Pages:
42916-42948 (33 pages)
Docket Numbers:
CG Docket No. 17-59, WC Docket No. 17-97, FCC 22-37, FR ID 91946
Topics:
Authority delegations (Government agencies), Classified information, Communications, Communications common carriers, Freedom of information, Government publications, Infants and children, Organization and functions (Government agencies), Postal Service, Privacy, Reporting and recordkeeping requirements, Sunshine Act, Telecommunications, Telephone
PDF File:
2022-13436.pdf
CFR: (7)
47 CFR 0.111
47 CFR 64.1200
47 CFR 64.6300
47 CFR 64.6302
47 CFR 64.6303
More ...