Call Authentication Trust Anchor; Implementation of TRACED Act-Knowledge of Customers by Entities With Access to Numbering Resources, 22029-22043 [2020-07585]

Agencies

• FEDERAL COMMUNICATIONS COMMISSION

[Federal Register Volume 85, Number 77 (Tuesday, April 21, 2020)]
[Rules and Regulations]
[Pages 22029-22043]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-07585]


-----------------------------------------------------------------------

FEDERAL COMMUNICATIONS COMMISSION

47 CFR Part 64

[WC Docket Nos. 17-97, 20-67; FCC 20-42; FRS 16631]


Call Authentication Trust Anchor; Implementation of TRACED Act--
Knowledge of Customers by Entities With Access to Numbering Resources

AGENCY: Federal Communications Commission.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: In this document, the Commission adopts a rule that mandates 
that all originating and terminating voice service providers implement 
the STIR/SHAKEN caller ID authentication framework in the internet 
Protocol (IP) portions of their networks by June 30, 2021. In 
establishing this requirement, the Report and Order both acts on the 
Commission's proposal to require voice service providers to implement 
the STIR/SHAKEN caller ID authentication framework if major voice 
service providers did not voluntarily do so by the end of 2019, and 
implements Congress's direction in the recently enacted Pallone-Thune 
Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) 
Act to mandate STIR/SHAKEN not later than 18 months after the date of 
enactment of that Act. This action builds on the Commission's 
aggressive and multi-pronged approach to ending illegal caller ID 
spoofing.

DATES: Effective May 21, 2020.

FOR FURTHER INFORMATION CONTACT: For further information, please 
contact Mason Shefa, Competition Policy Division, Wireline Competition 
Bureau, at [email protected].

SUPPLEMENTARY INFORMATION: The full text of this document, WC Docket 
Nos. 17-97, 20-67; FCC 20-42, adopted and released on March 31, 2020, 
is available for public inspection during regular business hours in the 
FCC Reference Information Center, Portals II, 445 12th Street SW, Room 
CY-A257, Washington, DC 20554 or at the following internet address: 
https://docs.fcc.gov/public/attachments/FCC-20-42A1.pdf . The Further 
Notice of Proposed Rulemaking WC Docket Nos. 17-97, 20-67; FCC 20-42, 
adopted concurrently with this document and available at the same 
internet address, is published elsewhere in this issue of the Federal 
Register.

Synopsis

I. Introduction

    1. Each day, Americans receive millions of unwanted phone calls. 
One source indicates that Americans received over 58 billion such calls 
in 2019 alone. These include ``spoofed'' calls whereby the caller 
falsifies caller ID information that appears on a recipient's phone to 
deceive them into thinking the call is from someone they know or can 
trust. Spoofing has legal and illegal uses. For example, medical 
professionals calling patients from their mobile phones often legally 
spoof the outgoing phone number to be the office phone number for 
privacy reasons, and businesses often display a toll-free call-back 
number. Illegal spoofing, on the other hand, occurs when a caller 
transmits misleading or inaccurate caller ID information with the 
intent to defraud, cause harm, or wrongly obtain anything of value. And 
these spoofed calls are not simply an annoyance--they result in 
billions of dollars lost to fraud, degrade consumer confidence in the 
voice network, and harm our public safety. A 2019 survey estimated that 
spoofing fraud affected one in six Americans and cost approximately 
$10.5 billion in a single 12-month period.
    2. The Commission, Congress, and state attorneys general all agree 
on the need to protect consumers and put an end to illegal caller ID 
spoofing. Over the past three years, the Commission has taken a multi-
pronged approach to this problem--issuing hundreds of millions of 
dollars in fines for violations of our Truth in Caller ID rules; 
expanding those rules to reach foreign calls and text messages; 
enabling voice service providers to block certain clearly unlawful 
calls before they reach consumers' phones; and clarifying that voice 
service providers may offer call-blocking services by default. We have 
also called on industry to ``trace back'' illegal spoofed calls and 
text messages to their original sources and encouraged industry to 
develop and implement new caller ID authentication technology. That 
technology, known as STIR/SHAKEN, allows voice service providers to 
verify that the caller ID information transmitted with a particular 
call matches the caller's number. Entities variously refer to this 
technology as either ``SHAKEN/STIR'' or ``STIR/SHAKEN.'' In the past, 
the Commission has referred to the technology as ``SHAKEN/STIR.'' To 
ensure consistency with the TRACED Act, we use ``STIR/SHAKEN'' here. 
Its widespread implementation will reduce the effectiveness of illegal 
spoofing,

[[Page 22030]]

allow law enforcement to identify bad actors more easily, and help 
voice service providers identify calls with illegally spoofed caller ID 
information before those calls reach their subscribers.
    3. Today, we build on our aggressive and multi-pronged approach to 
ending illegal caller ID spoofing. First, we mandate that all voice 
service providers implement the STIR/SHAKEN caller ID authentication 
framework in the internet Protocol (IP) portions of their networks by 
June 30, 2021. In recognition of the fact that it is caller ID 
information transmitted with a call that is authenticated, we use the 
term ``caller ID authentication'' in this Report and Order and Further 
Notice of Proposed Rulemaking. We understand this term to be 
interchangeable with the term ``call authentication'' as used in other 
contexts, including the TRACED Act. In establishing this requirement, 
we both act on our proposal to require voice service providers to 
implement the STIR/SHAKEN caller ID authentication framework if major 
voice service providers did not voluntarily do so by the end of 2019, 
and implement Congress's direction in the recently enacted Pallone-
Thune Telephone Robocall Abuse Criminal Enforcement and Deterrence 
(TRACED) Act to mandate STIR/SHAKEN not later than 18 months after the 
date of enactment of that Act. Second, we propose and seek comment on 
additional measures to combat illegal spoofing, including further 
implementation of the TRACED Act.

II. Background

    4. Technological advancements and marketplace developments in IP-
based telephony have made caller ID spoofing easier and more affordable 
than ever before. Today, widely available Voice over internet Protocol 
(VoIP) software allows malicious callers to make spoofed calls with 
minimal experience and cost. Taking advantage of the ability to use 
spoofing to mask the true identity of an incoming call, these callers 
have turned to this technology as a quick and cheap way to defraud 
targets and avoid being discovered. Driven in part by the rise of VoIP, 
the telecommunications industry has transitioned from a limited number 
of carriers that all trusted each other to provide accurate caller 
origination information to a proliferation of different voice service 
providers and entities originating calls, which allows consumers to 
enjoy the benefits of far greater competition but also creates new ways 
for bad actors to undermine this trust.
    5. To combat illegal spoofing, industry technologists from the 
internet Engineering Task Force (IETF) and the Alliance for 
Telecommunications Industry Solutions (ATIS) developed standards for 
the authentication and verification of caller ID information for calls 
carried over an IP network using the Session Initiation Protocol (SIP). 
The Session Initiation Protocol (SIP) is ``an application-layer control 
(signaling) protocol for creating, modifying, and terminating 
sessions'' such as internet Protocol (IP) telephony calls. The IETF 
formed the Secure Telephony Identity Revisited (STIR) working group, 
which has produced several protocols for authenticating caller ID 
information. ATIS, together with the SIP Forum, produced the Signature-
based Handling of Asserted information using toKENs (SHAKEN) 
specification which standardizes how the protocols produced by STIR are 
implemented across the industry. The SIP Forum is ``an industry 
association with members from . . . IP communications companies,'' with 
a mission ``[t]o advance the adoption and interoperability of IP 
communications products and services based on SIP.'' Together, these 
technical standards comprise the ``STIR/SHAKEN'' framework for caller 
ID authentication. The STIR/SHAKEN framework consists of two high-level 
components: (1) The technical process of authenticating and verifying 
caller ID information; and (2) the certificate governance process that 
maintains trust in the caller ID authentication information transmitted 
along with a call.
    6. Authenticating and Verifying Caller ID Information Through STIR/
SHAKEN. The STIR/SHAKEN authentication and verification processes 
center on the transmission of encrypted information used to attest to 
the accuracy of caller ID information transmitted with a call. 
Specifically, an originating voice service provider adds a unique 
header to the network-level message used to initiate a SIP call (the 
SIP INVITE). This SIP INVITE contains a series of unencrypted headers 
which provides information about the message, such as a ``From'' 
header, giving information about the calling party; a ``To'' header, 
giving information about the called party; and a ``Via'' header, which 
``indicates the path taken by the request so far and helps in routing 
the responses back along the same path.'' Both originating and 
downstream providers are technically capable of appending headers to 
the SIP INVITE. When a subscriber places a call, the originating voice 
service provider uses an authentication service to create this 
``Identity'' header, which contains encrypted identifying information 
as well as the location of the public key that can be used to decode 
this information. The authentication service can be provided by the 
voice service provider itself, or by a third party acting under the 
voice service provider's direction. When the terminating voice service 
provider receives the call, it sends the SIP INVITE with the Identity 
header to a verification service, which uses the public key that 
corresponds uniquely to the originating voice service provider's 
private key to decode the encrypted information and verify that it is 
consistent with the information sent without encryption in the SIP 
INVITE. Like the corresponding authentication service on the 
originating voice service provider's end, the terminating voice service 
provider's verification service can be performed internally or by a 
trusted third-party service. The verification service then sends the 
results of the verification process--including whether the decoding 
process was successful and whether the encrypted information is 
consistent with the information sent without encryption--to the 
terminating voice service provider. STIR/SHAKEN thus establishes a 
chain of trust back to the originating voice service provider.
    7. Because the STIR/SHAKEN framework relies on transmission of 
information in the Identity header of the SIP INVITE, it only operates 
on the IP portions of a voice service provider's network--that is, 
those portions served by network technology that is able to initiate, 
maintain, and terminate SIP calls. If a call terminates on a network or 
is routed at any point over an intermediate provider network that does 
not support the transmission of SIP calls, the Identity header will be 
lost. Because STIR/SHAKEN only operates on IP networks, some 
stakeholders have advocated for a solution referred to as ``out-of-band 
STIR,'' in which caller ID authentication information is sent across 
the internet, out-of-band from the call path, allowing STIR/SHAKEN to 
be implemented on networks that are not fully IP. Out-of-band STIR 
remains in the early stages of development.
    8. The STIR/SHAKEN framework relies on the originating voice 
service provider attesting to the subscriber's identity. The SHAKEN 
specification allows an originating voice service provider to provide 
different ``levels'' of attestation. Specifically, the voice service 
provider can indicate that (i) it can confirm the identity of the 
subscriber making the call, and that the subscriber is using its 
associated

[[Page 22031]]

telephone number (``full'' or ``A'' attestation); (ii) it can confirm 
the identity of the subscriber but not the telephone number 
(``partial'' or ``B'' attestation); or merely that (iii) it is the 
point of entry to the IP network for a call that originated elsewhere, 
such as a call that originated abroad or on a domestic network that is 
not STIR/SHAKEN-enabled (``gateway'' or ``C'' attestation).
    9. To maintain trust in the voice service providers that vouch for 
caller ID information, the STIR/SHAKEN framework uses digital 
``certificates'' issued through a neutral governance system. The STIR/
SHAKEN credentials are based on an X.509 credential system. X.509 is a 
specific standard for a type of public key infrastructure system that 
uses certificates to facilitate secure internet communications. The 
framework requires that each voice service provider receive its own 
certificate that contains, among other components, that voice service 
provider's public key, and states, in essence, that (i) the voice 
service provider is that which it claims to be; (ii) the voice service 
provider is authorized to authenticate the caller ID information; and 
(iii) the voice service provider's claims about the caller ID 
information it is authenticating can thus be trusted. Every time an 
originating voice service provider originates an authenticated call, it 
transmits the location of its certificate in the Identity header, 
allowing the verification service to acquire the public key and verify 
the caller ID information, and have certainty that the public key is 
truly associated with the voice service provider that originated the 
call. The ``location'' is sent unencrypted in the form of a Uniform 
Resource Locator (URL).
    10. The STIR/SHAKEN governance model requires several roles in 
order to operate: (1) A Governance Authority, which defines the 
policies and procedures for which entities can issue or acquire 
certificates; (2) a Policy Administrator, which applies the rules set 
by the governance authority, confirms that certification authorities 
are authorized to issue certificates, and confirms that voice service 
providers are authorized to request and receive certificates; (3) 
Certification Authorities, which issue the certificates used to 
authenticate and verify calls; and (4) the voice service providers 
themselves, which, as call initiators, select an approved certification 
authority from which to request a certificate, and which, as call 
recipients, check with certification authorities to ensure that the 
certificates they receive were issued by the correct certification 
authority.
    11. Commission and North American Numbering Council Action to 
Promote STIR/SHAKEN Deployment. In July 2017, the Commission released a 
Notice of Inquiry, launching a broad inquiry into caller ID 
authentication and how to expedite its development and implementation. 
In the Notice of Inquiry, the Commission recognized the potential of 
caller ID authentication to ``reduc[e] the risk of fraud and ensur[e] 
that callers be held accountable for their calls.'' Among other issues, 
the Commission sought comment on its role in promoting implementation 
of caller ID authentication technology; what involvement, if any, it 
should have in STIR/SHAKEN governance; and how to address caller ID 
authentication for networks that use non-IP technology.
    12. In February 2018, the Commission directed the Call 
Authentication Trust Anchor Working Group of the North American 
Numbering Council (NANC) to recommend ``criteria by which a [Governance 
Authority] should be selected'' and a ``reasonable timeline or set of 
milestones for adoption and deployment of a SHAKEN/STIR call 
authentication system, including metrics by which the industry's 
progress can be measured.'' In its May 2018 report, the NANC 
recommended that representatives from various industry stakeholders 
comprise a board overseeing the Governance Authority, and that 
``individual companies capable of signing and validating VoIP calls 
using SHAKEN/STIR should implement the standard within a period of 
approximately one year after completion of the NANC CATA report.'' 
Chairman Pai accepted these recommendations shortly after they were 
issued by the NANC.
    13. In November 2018, drawing on the NANC's May 2018 recommendation 
that capable voice service providers rapidly implement STIR/SHAKEN, 
Chairman Pai sent letters to major voice service providers urging them 
to implement a robust caller ID authentication framework by the end of 
2019. He asked these providers for specific details about their 
implementation plans, and encouraged those that did not appear to have 
established concrete plans to promptly protect their subscribers with 
STIR/SHAKEN. In response, the providers submitted letters detailing 
their implementation efforts. Since that time, Commission staff has 
closely tracked the progress of major voice service providers in 
implementation of the STIR/SHAKEN framework.
    14. In June 2019, the Commission adopted a Declaratory Ruling and 
Third Further Notice of Proposed Rulemaking that proposed and sought 
comment on mandating implementation of STIR/SHAKEN in the event that 
major voice service providers did not voluntarily implement the 
framework by the end of 2019. We stressed that ``[i]mplementation of 
the SHAKEN/STIR framework across voice networks is important in the 
fight against unwanted, including illegal, robocalls'' and proposed to 
extend any mandate to ``wireline, wireless, and Voice over Internet 
Protocol (VoIP) providers''; sought comment on what we should require 
voice service providers to accomplish to meet an implementation 
mandate; and asked for comment on how long voice service providers 
should be given to comply with such a mandate. We further sought 
comment on whether we should establish requirements regarding the 
display of STIR/SHAKEN attestation information, what role the 
Commission should have in STIR/SHAKEN governance, and how we could 
encourage caller ID authentication on non-IP networks. The Declaratory 
Ruling and Third Further Notice of Proposed Rulemaking also affirmed 
that voice service providers may, by default, block unwanted calls 
based on reasonable call analytics, as long as their customers are 
informed and have the opportunity to opt out of the blocking; proposed 
to create a safe harbor for voice service providers that block calls 
which fail STIR/SHAKEN verification; and sought comment on whether we 
should create a safe harbor for voice service providers that block 
calls which do not have authenticated caller ID information.
    15. In July 2019, the Commission held a summit focused on 
implementation of STIR/SHAKEN. Summit participants included 
representatives from large and small voice service providers, analytics 
companies, vendors, and members of the Governance Authority. The 
participants discussed implementation progress made by major voice 
service providers; using STIR/SHAKEN to improve the consumer 
experience; and implementation challenges faced by small voice service 
providers.
    16. Developments in STIR/SHAKEN Governance. Currently, the Secure 
Telephone Identity Governance Authority (STI-GA), established by ATIS, 
fills the Governance Authority role. The STI-GA's membership was 
designed to provide a diverse representation of stakeholders from 
across the industry. The STI-GA selected the Policy Administrator, 
iconectiv, in May 2019. In December 2019, the Policy Administrator 
approved the first Certification Authorities, and announced that voice 
service providers are now able to

[[Page 22032]]

register with the Policy Administrator to obtain the credentials 
necessary to receive certificates from approved Certification 
Authorities.
    17. Implementation by Voice Service Providers. We recognize that a 
number of providers have been working hard to implement caller ID 
authentication. Some voice service providers reported that, by the end 
of 2019, they had completed the necessary network upgrades to support 
the STIR/SHAKEN framework and that they were exchanging a limited 
amount of traffic with authenticated caller ID information with other 
voice service providers. Others, however, reported only that they had 
completed necessary network upgrades by the end of 2019, but had not 
begun exchanging authenticated traffic with other voice service 
providers. Still others have shown little to no progress in upgrading 
their networks to be STIR/SHAKEN-capable.
    18. More specifically, as of the end of 2019, AT&T, Bandwidth, 
Charter, Comcast, Cox, T-Mobile, and Verizon announced that they had 
upgraded their networks to support STIR/SHAKEN. AT&T, for example, 
confirmed that it ``authenticates all calls on its network that 
originate from [Voice over LTE] and consumer VoIP customers'' and 
``estimates that approximately 90 percent of its wireless customer base 
(prepaid and postpaid) and more than 50 percent of its consumer 
wireline customer base are SHAKEN/STIR capable.'' Charter stated that 
it ``fulfilled [its] commitment to complete the implementation of the 
STIR/SHAKEN framework by the end of [2019].'' Similarly, Comcast 
reported that ``virtually all calls originating from a Comcast 
residential subscriber and terminating with a Comcast residential 
subscriber are fully authenticated through the STIR/SHAKEN protocol.'' 
Cox reported that it ``has deployed SHAKEN/STIR to over 99% of [its] 
residential customers enabling Cox to sign originating and terminating 
calls.'' T-Mobile stated that it was ``the first wireless provider to 
fully implement STIR/SHAKEN standards on [its] network'' and is 
``capable of signing and authenticating 100% of SIP traffic that both 
originates and then terminates on [its] network.'' According to 
Verizon, it ``finished deploying STIR/SHAKEN to its wireless customer 
base (which constitutes more than 95% of [its] total traffic) in March 
2019,'' ``is devoting substantial resources to deploying STIR/SHAKEN to 
wireline customers that receive service on IP platforms capable of 
being upgraded with the STIR/SHAKEN protocol'' and expects ``to achieve 
deployment of STIR/SHAKEN to Fios Digital customers later this year.''
    19. These voice service providers, however, were exchanging only a 
limited amount of authenticated traffic with other voice service 
providers as of the end of 2019. For instance, Comcast has begun to 
exchange authenticated calls with AT&T and T-Mobile, and explained 
that, as of December 2019, approximately 14.25% of all calls 
``originating on other voice providers' networks and bound for Comcast 
residential subscribers had a STIR/SHAKEN-compliant header and were 
verified by Comcast.'' T-Mobile explained that it is also 
authenticating some traffic exchanged with AT&T, Comcast, and 
Inteliquent. According to AT&T, it ``exchanges approximately 40 percent 
of its SHAKEN/STIR consumer VoIP traffic with one terminating service 
provider.'' Verizon stated that it was signing ``under half of [its] 
outbound traffic'' with one provider as of the end of 2019, and that 
``for the other three partners,'' its production levels were under 5%. 
Cox explained that it is ``exchanging authenticated traffic with four 
carriers resulting in over 14% of all calls on Cox' residential IP 
network being verified.'' Charter stated that it is ``exchanging signed 
and authenticated customer call traffic end-to-end with Comcast.'' 
Bandwidth is also in early stages of exchanging traffic and ``has 
designed, tested and deployed the capability to exchange some of its 
production traffic with Verizon Wireless directly utilizing `self-
signed' certifications that are in keeping with the STIR/SHAKEN 
framework.''
    20. Other voice service providers--namely Frontier, Sprint, U.S. 
Cellular, and Vonage--stated that they have performed necessary network 
upgrades, but had only begun the negotiating and testing phase of 
exchanging authenticated traffic with other voice service providers as 
of the end of 2019. Frontier reported that it ``established the 
capability to authenticate and sign calls'' and is in the negotiating 
and testing phase regarding authenticating traffic exchanged with other 
voice service providers. Sprint reported that it ``deployed the core 
STIR/SHAKEN capability in its network'' and was testing the exchange of 
authenticated traffic with Comcast and T-Mobile. In 2019, U.S. Cellular 
``successfully implemented the STIR/SHAKEN technology in its network'' 
and is currently ``in various stages of the [interconnection agreement] 
process with three of the four national wireless carriers . . . 
including, the successful exchange of traffic on a test basis with at 
least one of . . . those carriers.'' Vonage reported that it was 
testing with ``its two largest peering partners'' and had ``reached out 
to twenty additional carriers to implement outbound and inbound testing 
schedules.''
    21. An additional category of voice service providers--namely 
CenturyLink, TDS, and Google--has indicated limited progress in making 
the necessary network upgrades. CenturyLink, for instance, stated that 
as of late 2019 it had ``taken the steps necessary to prepare its 
network for SHAKEN/STIR deployment'' and is currently conducting 
testing for wider deployment on its IP networks. TDS, meanwhile, 
reported that it had completed work in 2019 to evaluate, select, and 
lab test a vendor solution to allow it to integrate STIR/SHAKEN in the 
IP portions of its network. It is in the process of developing 
implementation plans, but because many of its interconnection points 
with other providers are not IP-enabled, it ``forecast[s] that only a 
small percentage of traffic will be exchanged in IP when SHAKEN/STIR is 
initially deployed in the TDS IP network.'' Google provided limited 
detail about the status of implementation but stated that it ``remains 
committed to implementing SHAKEN/STIR and . . . ha[s] taken 
considerable steps toward doing so.''
    22. Congressional Direction to Require STIR/SHAKEN Implementation. 
On December 30, 2019, Congress enacted the TRACED Act, with the stated 
purpose of ``helping to reduce illegal and unwanted robocalls'' through 
numerous mechanisms. Along with other provisions directed at addressing 
robocalls, the TRACED Act directs the Commission to require, no later 
than 18 months from enactment, all voice service providers to implement 
STIR/SHAKEN in the IP portions of their networks and implement an 
effective caller ID authentication framework in the non-IP portions of 
their networks. The TRACED Act further creates processes by which voice 
service providers (1) may be exempt from this mandate if the Commission 
determines they have achieved certain implementation benchmarks, and 
(2) may be granted an extension for compliance based on a finding of 
undue hardship because of burdens or barriers to implementation or 
based on a delay in development of a caller ID authentication protocol 
for calls delivered over non-IP networks. The TRACED Act further 
directs us, not later than December 30, 2020, to submit a report to 
Congress that includes: (1) an analysis of the extent to which voice 
service providers have implemented caller ID authentication frameworks 
and

[[Page 22033]]

whether the availability of necessary equipment and equipment upgrades 
has impacted such implementation; and (2) an assessment of the efficacy 
of the call authentication frameworks.
    23. This rulemaking is one of several steps we are taking to 
implement the TRACED Act. For instance, we recently proposed rules to 
establish a registration process for a ``single consortium that 
conducts private-led efforts to trace back the origin of suspected 
unlawful robocalls.'' Additionally, the Wireline Competition Bureau 
(Bureau) has charged the NANC Call Authentication Trust Anchor Working 
Group with providing recommendations regarding the TRACED Act's 
direction that the Commission ``issue best practices that providers of 
voice service may use as part of the implementation of effective call 
authentication frameworks . . . to take steps to ensure the calling 
party is accurately identified.'' We will continue to work swiftly and 
carefully to implement the TRACED Act and protect Americans from 
illegal robocalls.

III. Report and Order

    24. In this Report and Order, we require all originating and 
terminating voice service providers to implement the STIR/SHAKEN 
framework in the IP portions of their networks by June 30, 2021. We 
adopt this mandate for several reasons, including that (1) Widespread 
implementation will result in significant benefits from American 
consumers; (2) the record overwhelmingly reflects support from a broad 
array of stakeholders for rapid STIR/SHAKEN implementation; (3) the 
state of industry-wide implementation at the end of 2019 demonstrates 
that further government action is necessary for timely, ubiquitous 
implementation; and (4) the TRACED Act expressly directs us to require 
timely STIR/SHAKEN implementation. Below, we discuss these reasons in 
more detail; describe the specific requirements that comprise our 
mandate; discuss our legal authority to adopt these requirements; 
respond to the limited record opposition to a mandate; and find that 
the benefits of STIR/SHAKEN implementation will far exceed the costs. 
USTelecom and CTIA ask us to adopt a broad call blocking safe harbor 
today. Transaction Network Services suggests that we require or 
recommend that providers pair STIR/SHAKEN with analytics. We intend to 
address call-blocking issues and the role of analytics in relation to 
call blocking in a separate item and thus decline to address these 
requests here.

A. Mandating the STIR/SHAKEN Framework

    25. We require all originating and terminating voice service 
providers to implement the STIR/SHAKEN framework in the IP portions of 
their networks by June 30, 2021 for several compelling reasons. First, 
ubiquitous STIR/SHAKEN implementation will yield substantial benefits 
for American consumers. We estimate that the benefits of eliminating 
the wasted time and nuisances caused by illegal scam robocalls will 
exceed $3 billion annually. And more importantly, we expect STIR/SHAKEN 
paired with call analytics to serve as a tool to effectively protect 
American consumers from fraudulent robocall schemes that cost Americans 
approximately $10 billion annually. Further, we anticipate that 
implementation will increase consumer trust in caller ID information 
and encourage consumers to answer the phone, thereby benefitting 
businesses, healthcare providers, and non-profit charities. Widespread 
implementation also benefits public safety by decreasing disruptions to 
healthcare and emergency communications systems, and as a result, 
saving lives. Additional benefits include significantly reducing costs 
for voice service providers by eliminating unwanted network congestion 
and decreasing the number of consumer complaints about robocalls. 
Ultimately, we expect widespread STIR/SHAKEN implementation to reduce 
the scourge of illegal robocalls that plague Americans every day.
    26. Second, the record overwhelmingly reflects support from a broad 
array of stakeholders for rapid STIR/SHAKEN deployment, and many 
commenters support a STIR/SHAKEN mandate. Commenters, including the 
attorneys general of all fifty states and the District of Columbia, 
consumer groups, and major voice service providers expressed support 
for Commission action if widespread voluntary implementation did not 
occur. The unified state attorneys general argue that a mandate is 
necessary ``in the absence of prompt voluntary implementation'' by the 
end of 2019 because without such action, ``[b]ad actors exploit 
inexpensive and ubiquitous technology to scam consumers and to intrude 
upon consumers' lives, and the problem shows no signs of abating.'' 
Consumer group commenters, including Consumer Reports, the National 
Consumer Law Center, Consumer Action, the Consumer Federation of 
America, the National Association of Consumer Advocates, and Public 
Knowledge, observe that ``cross-carrier implementation has been 
relatively limited'' and state that we ``should require phone companies 
to adopt effective call-authentication policies and technologies.'' 
AT&T explains that ``SHAKEN/STIR must be widely deployed to be 
effective.'' Verizon similarly explains that STIR/SHAKEN only works if 
all voice service providers have implemented the framework in the call 
path--increasing the utility of a mandate. Other providers, including 
Comcast and Transaction Network Services, support a ``measured'' STIR/
SHAKEN requirement that accounts for existing implementation 
challenges. We find that our June 30, 2021 implementation date and 
application of the STIR/SHAKEN mandate to only the IP portions of 
originating and terminating voice service providers' networks satisfies 
these commenters' concerns. And even commenters who express hesitation 
about a mandate are receptive to one that accounts for the burdens and 
barriers confronted by rural and small voice service providers, which 
we proposed to address through the process established in the TRACED 
Act. For example, the Voice of America's Broadband Providers and Teliax 
are receptive to a mandate that ``focus[es] on implementation of . . . 
legislation Congress enacts'' and provides for a more flexible 
implementation timeframe for small and rural providers.
    27. Third, although some major voice service providers have taken 
significant steps towards STIR/SHAKEN implementation, the level of 
implementation by the Commission's end of 2019 deadline shows that, 
absent further governmental action, we will not have timely ubiquitous 
implementation. As Verizon states, ``verifying [c]aller ID for 
consumers using STIR/SHAKEN presents a classic collectivity challenge 
that industry may not be able to overcome on its own.'' As we have 
explained, some voice service providers reported that, by the end of 
2019, they completed the necessary network upgrades to support the 
STIR/SHAKEN framework and that they were exchanging a limited amount of 
traffic with authenticated caller ID information with other voice 
service providers. Others, however, reported only that they had 
completed necessary network upgrades by the end of 2019, but had not 
begun exchanging with other voice service providers. Still others have 
shown little to no progress in upgrading their networks to be STIR/
SHAKEN-capable. We find that the lack of common exchange among these 
voice service providers--and the absence of

[[Page 22034]]

substantial progress by several of them--demonstrate that major voice 
service providers have failed to meet the goal of achieving full 
implementation by the end of 2019. We therefore must act to ensure 
faster progress to protect the public from the scourge of illegal 
robocalls.
    28. Finally, confirming our decision is the recently-enacted TRACED 
Act, which provides additional support for the implementation mandate 
we set forth today. The TRACED Act directs the Commission to ``require 
a provider of voice service to implement the STIR/SHAKEN authentication 
framework in the [IP] networks of the provider of voice service.'' 
Congress's clear direction to require timely STIR/SHAKEN implementation 
further encourages us to adopt the mandate in this Report and Order.
    29. Limited Record Opposition to a STIR/SHAKEN Implementation 
Mandate. We disagree with those commenters who argue that we should not 
move forward with a STIR/SHAKEN implementation mandate. First, we 
specifically disagree with the argument that we should delay a mandate 
while industry develops technical solutions to allow the STIR/SHAKEN 
framework to accommodate certain more challenging scenarios. According 
to some commenters, the standards for attestation do not fully account 
for the situation where an enterprise subscriber places outbound calls 
through a voice service provider other than the voice service provider 
that assigned the telephone number. In such scenarios, commenters 
claim, it would be difficult for an outbound call to receive ``full'' 
or ``A'' attestation because the outbound call ``will not pass through 
the authentication service of the voice service provider that controls 
the numbering resource.'' To provide ``full'' or ``A'' attestation, the 
voice service provider must be able to confirm the identity of the 
subscriber making the call, and that the subscriber is using its 
associated telephone number. We are optimistic that standards bodies, 
which remain engaged on the impact of STIR/SHAKEN on more challenging 
use cases and business models, will be able to resolve those issues--
just as they have overcome numerous other barriers to caller ID 
authentication so far. We will continue to monitor industry progress 
towards solutions to these issues. For instance, the Internet 
Engineering Task Force (IETF) has proposed a ``certificate delegation'' 
solution that would allow ``the carrier who controls the numbering 
resource . . . to delegate a credential that could be used to sign 
calls regardless of which network or administrative domain handles the 
outbound routing for the call.'' Further, granting a delay until 
standards bodies address every possible issue would risk creating an 
incentive for some parties to draw out standards-setting processes, to 
the detriment of widespread STIR/SHAKEN implementation. To the 
contrary, by establishing a June 30, 2021 deadline for widespread STIR/
SHAKEN implementation, we create an incentive for standards bodies to 
work quickly to issue actionable standards and solutions for enterprise 
calls. For this reason, we need not adopt a separate deadline for 
industry development of standards and solutions for enterprise calls, 
as requested by Cloud Communications Alliance. In any event, the TRACED 
Act requires that voice service providers implement the STIR/SHAKEN 
framework in their IP networks on this timetable, with only those 
extensions and exceptions specified by Congress. We decline USTelecom's 
request ``to remove the discussion surrounding enterprise signing from 
the Draft S/S Mandate Order and to move it to the Draft S/S Mandate 
FNPRM to seek further comment.'' We find this request inconsistent with 
the structure of the TRACED Act, which creates a general mandate and 
exceptions to that mandate, rather than limiting the scope of the 
mandate to non-enterprise calls in the first instance. We also note 
that USTelecom has emphasized that some enterprise signing will be 
``possible in the near term'' and that ``some voice service providers 
with enterprise customers are already working on providing the ability 
for their enterprise customers to have certain enterprise calls signed 
(with A-level attestation) this year.'' We are confident that 
mandating, consistent with the TRACED Act, that voice service providers 
implement the STIR/SHAKEN framework in their IP networks--subject to 
the extensions and exceptions created by the TRACED Act--will create 
beneficial incentives for industry to continue to quickly develop 
standards to address enterprise calls.
    30. Second, we disagree with Competitive Carriers Association's 
argument that adopting a STIR/SHAKEN mandate would ``risk impeding 
development of other potential new strategies to block robocalls.'' The 
STIR/SHAKEN framework is one important solution that should be part of 
an arsenal of effective remedies to combat robocalls, and its 
implementation does not preclude voice service providers from pursuing 
additional solutions. Further, consistent with Congress's direction in 
the TRACED Act, we will plan to revisit our caller ID authentication 
rules periodically to ensure that they remain up to date.
    31. Finally, we disagree with ACA Connects' suggestion that we 
limit our implementation mandate to only those voice service providers 
that originate large volumes of illegal robocalls. ACA Connects fails 
to account for the importance of network-wide implementation to the 
effectiveness of STIR/SHAKEN in reducing spoofed robocalls. Moreover, 
it fails to explain how we would identify or define such carriers or 
how such a scheme would stop malicious callers from simply using a 
different voice service provider.
1. STIR/SHAKEN Implementation Requirements
    32. We adopt our proposal in the 2019 Further Notice to require 
voice service providers to implement the STIR/SHAKEN framework. 
Specifically, we require all originating and terminating voice service 
providers to fully implement STIR/SHAKEN on the portions of their voice 
networks that support the transmission of SIP calls and exchange calls 
with authenticated caller ID information with the providers with which 
they interconnect. This STIR/SHAKEN mandate will create the trust 
ecosystem necessary for effective caller ID authentication.
    33. As part of today's mandate, we adopt the following three 
requirements: (i) A voice service provider that originates a call that 
exclusively transits its own network must authenticate and verify the 
caller ID information consistent with the STIR/SHAKEN authentication 
framework; (ii) a voice service provider originating a call that it 
will exchange with another voice service provider or intermediate 
provider must authenticate the caller ID information in accordance with 
the STIR/SHAKEN authentication framework and, to the extent technically 
feasible, transmit that caller ID information with authentication to 
the next provider in the call path; and (iii) a voice service provider 
terminating a call with authenticated caller ID information it receives 
from another provider must verify that caller ID information in 
accordance with the STIR/SHAKEN authentication framework. We discuss 
these requirements below. The TRACED Act states in Sec.  4(b)(1)(A) 
that the Commission shall ``require a provider of voice service to 
implement the STIR/SHAKEN authentication framework'' in its IP 
networks. It goes on to create an exemption, stating that the 
Commission ``shall not take the action'' set forth in

[[Page 22035]]

Sec.  4(b)(1)(A) ``if the Commission determines [by December 30, 2020] 
that such provider of voice service'' in its Internet Protocol networks 
meets four criteria focused on achieving certain benchmarks prior to 
the full mandate going into effect. USTelecom has submitted proposed 
interpretations of those four criteria for our consideration. Among 
other things, USTelecom proposes requiring a showing that all consumer 
VoIP and VoLTE traffic originating on a voice service provider's 
network is capable of authentication, or will be capable of 
authentication, by June 30, 2021. CTIA and USTelecom argue that we 
should consider replacing the implementation criteria that we adopt 
with USTelecom's interpretations of the four criteria in Sec.  
4(b)(2)(A). We find this request inconsistent with the structure of the 
TRACED Act, which creates a general mandate to implement STIR/SHAKEN in 
Sec.  4(b)(1)(A) and a separate exemption process in Sec.  4(b)(2)(A). 
Further, USTelecom's suggested language would not adequately address 
the responsibilities of voice service providers to ``implement the 
STIR/SHAKEN authentication framework'' in accordance with Sec.  
4(b)(1)(A) because it would only require demonstration of testing and 
capability rather than the details of how authentication must actually 
be applied.
    34. First, a voice service provider must authenticate and verify, 
consistent with the STIR/SHAKEN authentication framework, the caller ID 
information of those calls that it originates and terminates 
exclusively in the IP portions of its own network. The most effective 
caller ID authentication system requires the application of STIR/SHAKEN 
to all calls, including calls solely originating and terminating on the 
same voice service provider's network. We recognize that certain 
components of the STIR/SHAKEN framework are designed to promote trust 
across different voice service provider networks and so are not 
necessary for calls that a voice service provider originates and 
terminates solely on its own network. A provider satisfies its 
obligation under this requirement so long as it authenticates and 
verifies in a manner consistent with the STIR/SHAKEN framework, such as 
by including origination and attestation information in the SIP INVITE 
used to establish the call.
    35. Our next two requirements relate to the exchange of caller ID 
authentication information. In the 2019 Further Notice, we sought 
comment on whether we should ``require providers to sign calls on an 
intercarrier basis.'' The record demonstrated support for this 
approach, and we add specificity by outlining particular obligations on 
voice service providers for this requirement. More specifically, a 
voice service provider that originates a call which it will exchange 
with another voice service provider or intermediate provider must use 
an authentication service and insert the Identity header in the SIP 
INVITE and thus authenticate the caller ID information in accordance 
with the STIR/SHAKEN authentication framework; it further must transmit 
that call with authentication to the next voice service provider or 
intermediate provider in the call path, to the extent technically 
feasible. We recognize that the transmission of STIR/SHAKEN 
authentication information over a non-IP interconnection point is not 
technically feasible at this time. Additionally, a voice service 
provider that terminates a call with authenticated caller ID 
information it receives from another voice service provider or 
intermediate provider must use a verification service, which uses a 
public key to review the information stored in the Identity header to 
verify that caller ID information in accordance with the STIR/SHAKEN 
authentication framework. These actions are at the core of an effective 
STIR/SHAKEN ecosystem, and each action requires the other: A 
terminating voice service provider can only verify caller ID 
information that has been authenticated by the originating voice 
service provider and transmitted with authentication, while an 
originating voice service provider's authentication has little value if 
the terminating voice service provider fails to verify that caller ID 
information.
    36. Definitions and Scope. For purposes of the rules we adopt 
today, and consistent with the TRACED Act, we define ``STIR/SHAKEN 
authentication framework'' as ``the secure telephone identity revisited 
and signature-based handling of asserted information using tokens 
standards.'' For purposes of compliance with this definition, we find 
that it would be sufficient to adhere to the three ATIS standards that 
are the foundation of STIR/SHAKEN--ATIS-1000074, ATIS-1000080, and 
ATIS-1000084--and all documents referenced therein. We recognize that 
industry is actively working to improve STIR/SHAKEN. Compliance with 
the most current versions of these three standards as of March 31, 
2020, including any errata as of that date or earlier, represents the 
minimum requirement to satisfy our rules. ATIS and the SIP Forum 
conceptualized ATIS-1000074 as ``provid[ing] a baseline that can evolve 
over time, incorporating more comprehensive functionality and a broader 
scope in a backward compatible and forward looking manner.'' We intend 
for our rules to provide this same room for innovation, while 
maintaining an effective caller ID authentication ecosystem. Voice 
service providers may incorporate any improvements to these standards 
or additional standards into their respective STIR/SHAKEN 
authentication frameworks, so long as any changes or additions maintain 
the baseline call authentication functionality exemplified by ATIS-
1000074, ATIS-1000080, and ATIS-1000084.
    37. For purposes of our rules, we also adopt a definition of 
``voice service'' that aligns with the TRACED Act. The TRACED Act 
employs a broad definition of ``voice service'' that includes ``without 
limitation, any service that enables real-time, two-way voice 
communications, including any service that requires [I]nternet 
[P]rotocol-compatible customer premises equipment . . . and permits 
out-bound calling, whether or not the service is one-way or two-way 
voice over [I]nternet [P]rotocol.'' The TRACED Act definition is 
limited, however, to service ``that is interconnected with the public 
switched telephone network and that furnishes voice communications to 
an end user.'' Thus, the rules we adopt today apply to originating and 
terminating voice service providers and exclude intermediate providers.
    38. In recognition of the fact that STIR/SHAKEN is a SIP-based 
solution, we limit application of the rules we adopt today to only the 
IP portions of voice service providers' networks--those portions that 
are able to initiate, maintain, and terminate SIP calls. This approach 
is consistent with section 4(b)(1)(A) of the TRACED Act, which directs 
us to require implementation of STIR/SHAKEN ``in the [I]nternet 
[P]rotocol networks of the provider of voice service.'' We agree with 
commenters that it would be inappropriate to simply extend the mandate 
we adopt to non-IP networks.
    39. We adopt the proposal from the 2019 Further Notice that our 
implementation mandate apply to all types of ``voice service 
providers--wireline, wireless, and Voice over Internet Protocol (VoIP) 
providers.'' The Cloud Communications Alliance has raised concerns over 
whether all voice service providers are able to obtain the certificates 
used for the intercarrier exchange of authenticated caller ID 
information under the Governance Authority's current policies. We look 
forward to working with the Governance

[[Page 22036]]

Authority and the Cloud Communications Alliance and its members to 
determine how best to resolve these issues expeditiously going forward. 
This includes both two-way and one-way interconnected VoIP providers. 
For STIR/SHAKEN to be successful, all voice service providers capable 
of implementing the framework must participate. If a subset of voice 
service providers continue operating on IP networks without 
implementing STIR/SHAKEN, it will undercut the framework's 
effectiveness. Congress demonstrated its recognition of this fact when 
it adopted a broad definition of ``voice service'' in the TRACED Act, 
which includes ``any service that is interconnected with the public 
switched telephone network and that furnishes voice communications to 
an end user using resources from the North American Numbering Plan.'' 
This includes, ``without limitation, any service that enables real-
time, two-way voice communications, including any service that requires 
[I]nternet [P]rotocol -compatible customer premises equipment (commonly 
known as `CPE') and permits out-bound calling, whether or not the 
service is one-way or two-way voice over [I]nternet [P]rotocol.'' We 
find that our conclusion to apply the mandate to a broad category of 
voice service providers is consistent with Congress's language in the 
TRACED Act.
    40. Finally, we clarify that the rules we adopt today do not apply 
to providers that lack control of the network infrastructure necessary 
to implement STIR/SHAKEN.
    41. Implementation Deadline. We set the implementation deadline of 
June 30, 2021 for two reasons. First, it is consistent with the TRACED 
Act, which requires us to set a deadline for implementation of STIR/
SHAKEN that is not later than 18 months after enactment of that Act, 
i.e., no later than June 30, 2021. Second, this deadline will provide 
sufficient time for us to implement, and for voice service providers to 
gain, a meaningful benefit from the implementation exemption and 
extension mechanisms established by the TRACED Act. Because we find 
that this implementation deadline is necessary to accommodate the 
various exemption and extension mechanisms established by the TRACED 
Act, we decline to adopt the suggestion of some commenters that we 
mandate implementation by June 1, 2020. As we note in the accompanying 
Further Notice, the TRACED Act contemplates compliance extensions and 
exemptions for those providers that we determine meet certain criteria 
by December 30, 2020. We see no way to square this statutory 
requirement with imposition of a mandate six months before that date.
2. Legal Authority
    42. We conclude that section 251(e) of the Communications Act of 
1934, as amended (the Act), provides authority to mandate the adoption 
of the STIR/SHAKEN framework in the IP portions of voice service 
providers' networks. Section 251(e) provides us ``exclusive 
jurisdiction over those portions of the North American Numbering Plan 
that pertain to the United States.'' Pursuant to this provision, we 
retain ``authority to set policy with respect to all facets of 
numbering administration in the United States.'' Our exclusive 
jurisdiction over numbering policy enables us to act flexibly and 
expeditiously with regard to important numbering matters. When bad 
actors unlawfully falsify or spoof the caller ID that appears on a 
subscriber's phone, they are using numbering resources to advance an 
illegal scheme. Mandating that voice service providers deploy the STIR/
SHAKEN framework will help to prevent the fraudulent exploitation of 
North American Numbering Plan (NANP) resources by permitting those 
providers and their subscribers to identify when caller ID information 
has been spoofed. Section 251(e) thus grants us authority to mandate 
that voice service providers implement the STIR/SHAKEN caller ID 
authentication framework in order to prevent the fraudulent 
exploitation of numbering resources. The Commission has previously 
concluded that its numbering authority allows it to extend numbering-
related requirements to interconnected VoIP providers that use 
telephone numbers. As the Commission has explained, ``the obligation to 
ensure that numbers are available on an equitable basis is reasonably 
understood to include not only how numbers are made available but to 
whom, and on what terms and conditions. Thus, we conclude that the 
Commission has authority under section 251(e)(1) to extend to 
interconnected VoIP providers both the rights and obligations 
associated with using telephone numbers.'' Moreover, as the Commission 
has previously found, section 251(e) extends to ``the use of . . . 
unallocated and unused numbers''; it thus gives us authority to mandate 
that voice service providers implement the STIR/SHAKEN framework to 
address the spoofing of unallocated and unused numbers. The Commission 
previously relied on this authority to make clear that voice service 
providers may block calls that spoof invalid, unallocated, or unused 
numbers, none of which can actually be used to originate a call. In the 
2019 Further Notice, we proposed to rely on section 251(e) of the Act 
for authority to mandate implementation of caller ID authentication 
technology and, specifically, the STIR/SHAKEN framework; no commenter 
challenged that proposal. We note, however, that because STIR/SHAKEN 
implementation is not a ``numbering administration arrangement,'' 
section 251(e)(2), which provides that ``[t]he cost of establishing 
telecommunications numbering administration arrangements . . . shall be 
borne by all telecommunications carriers on a competitively neutral 
basis,'' does not apply here. Even if section 251(e)(2) did apply, we 
find that it is satisfied by our requirement that each carrier bear its 
own costs, since each carrier's costs will be proportional to the size 
and quality of its network.
    43. The TRACED Act confirms our authority to mandate the adoption 
of the STIR/SHAKEN framework in the IP portions of voice service 
providers' networks. Indeed, the TRACED Act expressly directs us to 
require voice service providers to implement the STIR/SHAKEN framework 
in the IP portions of their networks no later than 18 months after the 
date of that Act's enactment. The TRACED Act thus provides a second 
clear source of authority for the rules we adopt today.
    44. Finally, we note that Congress charged us with prescribing 
regulations to implement the Truth in Caller ID Act, which made 
unlawful the spoofing of caller ID information ``in connection with any 
telecommunications service or IP-enabled voice service . . . with the 
intent to defraud, cause harm, or wrongfully obtain anything of 
value.'' Given the constantly evolving tactics by malicious callers to 
use spoofed caller ID information to commit fraud, we find that the 
rules we adopt today are necessary to enable voice service providers to 
help prevent these unlawful acts and to protect voice service 
subscribers from scammers and bad actors. Thus, section 227(e) provides 
additional independent authority for these rules. While we sought 
comment in the 2019 Robocall Declaratory Ruling and Further Notice on 
the applicability of sections 201(b) and 202(a) as sources of 
authority, we did so in the context of adopting rules to create a safe 
harbor for certain call-blocking programs and requiring voice service 
providers that offer call-blocking programs to maintain a Critical 
Calls List. Because we did not seek comment in that item on whether 
these provisions grant the Commission authority to

[[Page 22037]]

mandate caller ID authentication, and specifically STIR/SHAKEN, we do 
not rely on them here as sources of authority.

B. Summary of Costs and Benefits

    45. We are convinced that the benefits of requiring STIR/SHAKEN 
implementation far outweigh the costs, even if adoption of the TRACED 
Act makes a comprehensive cost-benefit analysis of a STIR/SHAKEN 
implementation mandate unnecessary. Because STIR/SHAKEN is a part of a 
broader set of technological and regulatory efforts necessary to 
address illegal calls, and its limited deployment makes it difficult to 
measure its full effects at this time, we compare the estimated costs 
of implementing STIR/SHAKEN to the overall foreseeable range of 
quantifiable and non-quantifiable benefits of eliminating illegal 
calls, recognizing that STIR/SHAKEN is necessary but not, alone, a 
solution to the problem. These benefits include reduction in nuisance 
calls, increased protection from illegally spoofed calls restoration of 
consumer confidence in incoming calls, fewer robocall-generated 
disruptions of healthcare and emergency communications, reduction in 
regulatory enforcement costs, and reduction in provider costs. We 
conclude that, based on any plausible assumption about the scope of 
illegal calls deterred by STIR/SHAKEN, the foreseeable benefits of 
STIR/SHAKEN implementation--including reduction in calls that cost 
Americans billions of dollars each year--will far exceed estimated 
costs, including both recurring operating costs of between roughly $39 
million and $780 million annually and estimated up-front costs, which 
may be in the tens of millions of dollars for the largest voice service 
providers. It is implausible that total implementation costs will come 
close to the expected benefits of our actions. For example, broad 
industry support for deploying STIR/SHAKEN strongly indicates that the 
benefits to industry alone outweigh implementation costs, even before 
considering the benefits to consumers of implementation.
1. Expected Benefits
    46. We supplement our estimate of the benefits of eliminating 
illegal and unwanted robocalls in the 2019 Further Notice with 
additional data. Consistent with our earlier conclusion, we find that 
the deployment requirements set forth in this Report and Order will be 
integral to solving illegal robocall spoofing specifically and illegal 
robocalling generally.
    47. Eliminating Nuisance. In the 2019 Further Notice, we estimated 
benefits of at least $3 billion from eliminating illegal scam 
robocalls. That estimate assumed a benefit of ten cents per call and 
multiplied it across a figure of 30 billion illegal scam robocalls per 
year, derived from third-party data. We also sought comment on this $3 
billion estimate and concluded that ``most of these benefits can be 
achieved . . . primarily because SHAKEN/STIR will inform providers of 
the call's true origination.'' We received no comment on this 
conclusion. In its comments, Smithville Telephone Company states that a 
$3 billion benefit amounts to 55 cents per voice line per month 
(calculated by dividing the $3 billion benefit by 455 million retail 
voice telephone service connections based on the FCC's Voice Telephone 
Services Status as of June 30, 2017), and questions whether such 
benefit is enough to drive this decision. The estimate of 30 billion 
scam calls consists of an estimated 47% of all robocalls. If the 
average line receives approximately 5 to 6 scam calls per month, 
Smithville's calculation is consistent with our previous estimate. Our 
burden is to determine that benefits exceed costs, and we find that the 
benefits of implementing STIR/SHAKEN far exceed the costs. We agree 
with commenters that STIR/SHAKEN is one important part of a broader set 
of tools to solve illegal robocalls. We thus reaffirm our finding that 
the potential benefits resulting from eliminating the wasted time and 
nuisances caused by illegal scam robocalls will exceed $3 billion 
annually.
    48. Reducing Fraud. Fraudulent robocall schemes cost Americans an 
estimated $10.5 billion annually, according to a third-party survey. To 
reach $10.5 billion, Truecaller multiplied the 17% of survey 
respondents who reported losing money in a scam during the past 12 
months by the 2018 U.S. Census adult population estimate of 253 
million. The estimated 43 million phone scam victims was then 
multiplied by the average loss of $244. A recent civil action filed by 
the U.S. Department of Justice against five VoIP carriers identifies 
several examples of fraud where consumers individually lost between 
$700 and $9,800 in a single instance. To reach $10.5 billion, 
Truecaller multiplied the 17% of survey respondents who reported losing 
money in a scam during the past 12 months by the 2018 U.S. Census adult 
population estimate of 253 million. The estimated 43 million phone scam 
victims was then multiplied by the average loss of $244. While STIR/
SHAKEN will not itself stop a malicious party from using the voice 
network to commit fraud, it will inform a call recipient that the 
caller has used deceptive caller ID information to try to convince the 
called party to answer the phone. Many commenters noted value in 
pairing STIR/SHAKEN with call analytics, and we expect this will 
significantly reduce the effectiveness of spoofing fraud that costs 
Americans billions of dollars each year, and similarly reduce the 
incidence of such fraud.
    49. Restoring Confidence in Caller ID Information. STIR/SHAKEN 
implementation and other efforts to minimize illegal robocalls will 
begin to restore trust in caller ID information and make call 
recipients more likely to answer the phone. Declines in willingness to 
answer incoming calls in recent years have harmed businesses, 
healthcare providers, and non-profit charities. For example, utility 
companies often call to confirm installation appointments, ``[b]ut if 
the customer doesn't answer the phone for the appointment reminder and 
the truck shows up when they're not there, by one estimate, that's a 
$150 cost.'' Similarly, medical providers have indicated that patients 
often fail to answer scheduling calls from specialists' offices and 
eventually the office will give up after repeated attempts. Donations 
to charities have also declined as a result of the decreased likelihood 
of answering the phone. Such organizations likely will benefit because 
recipients should be more likely to answer their phones if caller ID 
information is authenticated. Furthermore, while we do not adopt any 
display mandates in this item, we anticipate that voice service 
providers will implement voluntary efforts to restore confidence in 
caller ID information. Studies conducted by Cequint indicate that 
including additional caller ID information (e.g., showing a business 
logo along with caller ID information on a smartphone display to convey 
legitimacy) increased pick up rates from 21% to 71%. Such information 
will enhance the benefits achieved by STIR/SHAKEN implementation.
    50. Ensuring Reliable Access to Emergency and Healthcare 
Communications. Implementing STIR/SHAKEN will lead to fewer disruptions 
of healthcare and emergency communication systems that needlessly put 
lives at risk. Hospitals and 911 dispatch centers have reported that 
robocall surges have disabled or disrupted their communications 
network, and such disruptions have the potential to impede 
communications in

[[Page 22038]]

life-or-death emergency situations. In one instance, Tufts Medical 
Center in Boston received more than 4,500 robocalls in a two-hour 
period. In another, the phone lines of several 911 dispatch centers in 
Tarrant County, Texas, were disabled because of an hour long surge in 
robocalls. In 2018, the Commission imposed a $120 million penalty for 
an illegal robocall campaign that disrupted an emergency medical paging 
service. Enabling voice service providers to more effectively identify 
illegal calls, including spoofed calls, to healthcare and emergency 
communication systems should reduce the risk of such situations. The 
benefit to public safety will be considerable.
    51. Reducing Costs to Voice Service Providers. An overall reduction 
in robocalls will ``greatly lower network costs by eliminating unwanted 
traffic and by eliminating the labor costs of handling numerous 
customer complaints.'' We treat these anticipated reductions in cost as 
a benefit to providers in order to limit our analysis of expected costs 
to those for implementation and operation. Illegal robocalls have led 
to unnecessary network congestion with broader possible impacts than 
the targeted disruption of healthcare and emergency operations 
described above. We agree with Comcast's assessment that ``the ability 
to identify and address illegally spoofed robocalls using STIR/SHAKEN 
will help reduce network costs for voice service providers.'' One 
commenter argues that this benefit may be realized by larger providers 
more than smaller providers and we acknowledge that the benefits of 
changes in network capacity will vary by provider. Voice service 
providers should also realize cost savings through the reduced need for 
customer service regarding illegal calls. We find that the overall 
benefit of these anticipated cost savings will be substantial and 
represent a long-term reduction in provider costs attributable to STIR/
SHAKEN. Voice service providers may pass on the cost savings to 
subscribers in the form of lower prices, resulting in additional 
benefit to their subscribers.
    52. Reducing Spending on Enforcement Actions. Broad STIR/SHAKEN 
implementation will both reduce the need for enforcement against 
illegally spoofed robocalls and make continued enforcement less 
resource intensive. The Commission has brought at least six enforcement 
actions against apparently liable actors for illegally spoofing caller 
ID, and issued 38 warning citations for violations of the Telephone 
Consumer Protection Act. The Federal Trade Commission has taken 145 
enforcement actions against companies for Do Not Call Registry 
violations, and 25 other federal, state, and local agencies brought 87 
enforcement actions as part of a single 2019 initiative. By reducing 
overall numbers of robocalls and providing additional information for 
enforcement, industry-wide implementation of STIR/SHAKEN will save 
resources at federal, state, and local agencies. While we do not 
quantify these savings, we believe they add to the benefits of STIR/
SHAKEN implementation that will accrue.
2. Expected Costs
    53. Implementation costs for STIR/SHAKEN will vary depending on a 
voice service provider's existing network configuration. Commenters 
indicated that voice service providers will incur ongoing costs in 
addition to one-time implementation costs. Estimated one-time costs 
include, among others, software licensing for authentication and 
verification services; hardware upgrades to network elements such as 
session border controllers and hardware upgrades required for software 
compatibility; as well as connectivity and network configuration 
changes, depending on current network configuration, and related 
testing. One of the largest voice service providers estimates that it 
will face one-time implementation costs ``in the tens of millions of 
dollars.'' We expect that implementation costs are likely to vary 
significantly based on voice service provider size and choices as to 
implementation solutions. For example, voice service providers choosing 
to directly implement STIR/SHAKEN will likely face larger one-time 
costs than voice service providers choosing a hosted solution, which 
are likely to have larger recurring costs. Recurring annual costs will 
include fees associated with authenticating and verifying calls, plus 
certificate fees. Estimates for recurring annual operating costs 
discussed by panelists at the Commission's July 2019 SHAKEN/STIR 
Robocall Summit range anywhere from approximately $15,000 to $300,000. 
Our estimate regarding recurring annual operating costs reflects a 
range because of variation in provider costs and the uncertainty of 
costs given the ongoing nature of STIR/SHAKEN implementation. One 
commenter asserts that recurring annual operating costs are ``likely to 
be on the lower end of th[is] range.'' On the other hand, USTelecom 
points out that fees paid by voice service providers to the Governance 
Authority and Policy Administrator range from $825 to $240,000 per year 
and states that a number of its members pay the highest annual fee. 
Based on the record, we estimate that the approximately 2,600 voice 
service providers together would spend between roughly $39 million and 
$780 million annually in operating costs, with up-front costs for the 
largest voice service providers in the tens of millions of dollars. 
Approximately 2,600 companies offered mobile voice or fixed voice 
service in December 2018. We anticipate that voice service providers 
may be able to streamline their costs over time. Moreover, we recognize 
that smaller voice service providers may have different costs and 
challenges than larger providers, but we are confident that benefits to 
all Americans far exceed one-time implementation and recurring annual 
operating costs. One small, rural provider, using estimates from the 
Commission's 2019 SHAKEN/STIR Robocall Summit, concludes that an annual 
recurring cost of $100,000 will result in a cost of $26 per line for 
its 319 customers. Additionally, in the Further Notice, we propose to 
extend the compliance deadline for smaller voice service providers and 
anticipate that increased competition between vendors may result in 
lower prices and higher quality solutions. One small, rural provider, 
using estimates from the Commission's 2019 SHAKEN/STIR Robocall Summit, 
concludes that an annual recurring cost of $100,000 will result in a 
cost of $26 per line for its 319 customers. Additionally, in the 
Further Notice, we propose to extend the compliance deadline for 
smaller voice service providers and anticipate that increased 
competition between vendors may result in lower prices and higher 
quality solutions.

C. Other Issues

    54. Display. We are pleased by voice service providers' efforts to 
incorporate STIR/SHAKEN verification results in the information that 
they display to their customers. Voice service providers so far are 
taking a variety of approaches to leveraging STIR/SHAKEN verification 
result information to protect their subscribers from fraudulently 
spoofed calls, including through display of that information. For 
instance, AT&T announced that it would display a green checkmark and 
the words ``Valid Number'' to subscribers if the call has been 
authenticated and passed through screening. T-Mobile announced that it 
would display the words ``Caller Verified,'' on the end user's device 
when it has verified that the call is authentic. Other voice service 
providers have not yet announced plans to display STIR/SHAKEN 
authentication

[[Page 22039]]

information. Because we expect voice service providers to have 
marketplace incentives to make the best possible use of STIR/SHAKEN 
information once it is available, and because industry practices 
regarding display of STIR/SHAKEN verification results are in their 
early stages of development, we decline at this time to require voice 
service providers to display STIR/SHAKEN verification results to their 
subscribers or mandate the specifications voice service providers must 
use if they choose to display. AARP and CUNA advocate for a display 
requirement but do not identify a reason for a mandate beyond merely 
pointing to the value of displaying verification information. While 
display of verification information may be valuable, we decline to 
adopt a mandate on that basis because we expect the marketplace to 
drive display efforts, and because we anticipate that marketplace 
solutions will be superior to a static regulatory mandate. In December 
2019, the Consumer Advisory Committee recommended that stakeholders 
``conduct studies and solicit input on what factors voice service 
providers should consider for displaying caller ID information to 
consumers, including . . . SHAKEN/STIR verification.'' We do not seek 
to prevent the market from determining which form of display, if any, 
is most useful; instead, we seek to encourage voice service providers 
to find the solutions that work best for their subscribers.
    55. Governance. Several commenters advocate changing the governance 
structure. These commenters suggest we play an adjudicatory role in 
disputes that may arise between voice service providers, or direct the 
Governance Authority to take action on specific use cases, or change 
the membership requirements of the Governance Authority.
    56. We decline to impose new regulations on the STIR/SHAKEN 
governance structure. Stakeholders met the aggressive timeline laid out 
in the report issued by the North American Numbering Council (NANC), 
establishing a collaborative Governance Authority and selecting the 
Policy Administrator by May 2019. By December 2019, the Policy 
Administrator approved the first Certification Authorities, and voice 
service providers were able to register with the Policy Administrator 
to obtain credentials necessary to receive certificates from approved 
Certificate Authorities. We agree with T-Mobile that, at this time, it 
``is not necessary for the Commission to have a role in STIR/SHAKEN 
governance.'' STIR/SHAKEN is a flexible solution with an industry-led 
governance system that can adapt and respond to new developments. We do 
not think that our intervention in the governance structure is 
appropriate at this stage given that we do not know the nature and 
scope of the problems that may arise and industry is already working to 
address specific use cases. Additionally, because the Governance 
Authority is made up of a variety of stakeholders representing many 
perspectives, we have no reason to believe it will not operate on a 
neutral basis. The current STI-GA Leadership and Board of Directors is 
available at https://www.atis.org/sti-ga/leadership.

IV. Procedural Matters

    57. Paperwork Reduction Act. This document does not contain new or 
modified information collection requirements subject to the Paperwork 
Reduction Act of 1995 (PRA), Public Law 104-13. In addition, therefore, 
it does not contain any new or modified information collection burden 
for small business concerns with fewer than 25 employees, pursuant to 
the Small Business Paperwork Relief Act of 2002, Public Law 107-198.
    58. Congressional Review Act. The Commission has determined, and 
the Administrator of the Office of Information and Regulatory Affairs, 
Office of Management and Budget, concurs, that this rule is non-major 
under the Congressional Review Act, 5 U.S.C. 804(2). The Commission 
will send a copy of this Report & Order and Further Notice of Proposed 
Rulemaking to Congress and the Government Accountability Office 
pursuant to 5 U.S.C. 801(a)(1)(A).
    59. Ex Parte Rules. This proceeding shall be treated as a ``permit-
but-disclose'' proceeding in accordance with the Commission's ex parte 
rules. Persons making ex parte presentations must file a copy of any 
written presentation or a memorandum summarizing any oral presentation 
within two business days after the presentation (unless a different 
deadline applicable to the Sunshine period applies). Persons making 
oral ex parte presentations are reminded that memoranda summarizing the 
presentation must (1) List all persons attending or otherwise 
participating in the meeting at which the ex parte presentation was 
made, and (2) summarize all data presented and arguments made during 
the presentation. If the presentation consisted in whole or in part of 
the presentation of data or arguments already reflected in the 
presenter's written comments, memoranda or other filings in the 
proceeding, the presenter may provide citations to such data or 
arguments in his or her prior comments, memoranda, or other filings 
(specifying the relevant page or paragraph numbers where such data or 
arguments can be found) in lieu of summarizing them in the memorandum. 
Documents shown or given to Commission staff during ex parte meetings 
are deemed to be written ex parte presentations and must be filed 
consistent with Rule 1.1206(b). In proceedings governed by Rule 1.49(f) 
or for which the Commission has made available a method of electronic 
filing, written ex parte presentations and memoranda summarizing oral 
ex parte presentations, and all attachments thereto, must be filed 
through the electronic comment filing system available for that 
proceeding, and must be filed in their native format (e.g., .doc, .xml, 
.ppt, searchable .pdf). Participants in this proceeding should 
familiarize themselves with the Commission's ex parte rules.
    60. Final Regulatory Flexibility Analysis. As required by the 
Regulatory Flexibility Act of 1980 (RFA), an Initial Regulatory 
Flexibility Analysis (IRFA) was incorporated into the 2019 Robocall 
Declaratory Ruling and Further Notice. The Commission sought written 
public comment on the possible significant economic impact on small 
entities regarding the proposals addressed in the 2019 Robocall 
Declaratory Ruling and Further Notice, including comments on the IRFA. 
Pursuant to the RFA, a Final Regulatory Flexibility Analysis is set 
forth in Appendix C. The Commission's Consumer and Governmental Affairs 
Bureau, Reference Information Center, will send a copy of this Report 
and Order, including the FRFA, to the Chief Counsel for Advocacy of the 
Small Business Administration (SBA).

A. Need for, and Objectives of, the Rules

    61. Nefarious schemes that manipulate caller ID information to 
deceive consumers about the name and phone number of the party that is 
calling them, in order to facilitate fraudulent and other harmful 
activities, continue to plague American consumers. In this Report and 
Order (Order), we both act on our proposal to require voice service 
providers to implement the STIR/SHAKEN caller ID authentication 
framework if major voice service providers did not voluntarily do so by 
the end of 2019, and implement the Pallone-Thune Telephone Robocall 
Abuse Criminal Enforcement and Deterrence (TRACED) Act, which directs 
the Commission to require all voice service providers to implement

[[Page 22040]]

STIR/SHAKEN in the IP portions of their networks.

B. Summary of Significant Issues Raised by Public Comments in Response 
to the IRFA

    62. There were no comments filed that specifically addressed the 
proposed rules and policies presented in the IRFA.

C. Response to Comments by the Chief Counsel for Advocacy of the SBA

    63. Pursuant to the Small Business Jobs Act of 2010, which amended 
the RFA, the Commission is required to respond to any comments filed by 
the Chief Counsel for Advocacy of the Small Business Administration 
(SBA), and to provide a detailed statement of any change made to the 
proposed rules as a result of those comments.
    64. The Chief Counsel did not file any comments in response to the 
proposed rules in this proceeding.

D. Description and Estimate of the Number of Small Entities to Which 
the Rules Will Apply

    65. The RFA directs agencies to provide a description and, where 
feasible, an estimate of the number of small entities that may be 
affected by the final rules adopted pursuant to the Order. The RFA 
generally defines the term ``small entity'' as having the same meaning 
as the terms ``small business,'' ``small organization,'' and ``small 
governmental jurisdiction.'' In addition, the term ``small business'' 
has the same meaning as the term ``small-business concern'' under the 
Small Business Act. Pursuant to 5 U.S.C. 601(3), the statutory 
definition of a small business applies ``unless an agency, after 
consultation with the Office of Advocacy of the Small Business 
Administration and after opportunity for public comment, establishes 
one or more definitions of such term which are appropriate to the 
activities of the agency and publishes such definition(s) in the 
Federal Register.''A ``small-business concern'' is one which: (1) Is 
independently owned and operated; (2) is not dominant in its field of 
operation; and (3) satisfies any additional criteria established by the 
SBA.
1. Wireline Carriers
    66. Wired Telecommunications Carriers. The U.S. Census Bureau 
defines this industry as ``establishments primarily engaged in 
operating and/or providing access to transmission facilities and 
infrastructure that they own and/or lease for the transmission of 
voice, data, text, sound, and video using wired communications 
networks. Transmission facilities may be based on a single technology 
or a combination of technologies. Establishments in this industry use 
the wired telecommunications network facilities that they operate to 
provide a variety of services, such as wired telephony services, 
including VoIP services, wired (cable) audio and video programming 
distribution, and wired broadband internet services. By exception, 
establishments providing satellite television distribution services 
using facilities and infrastructure that they operate are included in 
this industry.'' The SBA has developed a small business size standard 
for Wired Telecommunications Carriers, which consists of all such 
companies having 1,500 or fewer employees. U.S. Census Bureau data for 
2012 show that there were 3,117 firms that operated that year. Of this 
total, 3,083 operated with fewer than 1,000 employees. The largest 
category provided by the census data is ``1000 employees or more'' and 
a more precise estimate for firms with fewer than 1,500 employees is 
not provided. Thus, under this size standard, the majority of firms in 
this industry can be considered small.
    67. Local Exchange Carriers (LECs). Neither the Commission nor the 
SBA has developed a size standard for small businesses applicable to 
local exchange services. The closest applicable NAICS Code category is 
Wired Telecommunications Carriers. Under the applicable SBA size 
standard, such a business is small if it has 1,500 or fewer employees. 
U.S. Census Bureau data for 2012 show that there were 3,117 firms that 
operated for the entire year. Of that total, 3,083 operated with fewer 
than 1,000 employees. The largest category provided by the census data 
is ``1000 employees or more'' and a more precise estimate for firms 
with fewer than 1,500 employees is not provided. Thus under this 
category and the associated size standard, the Commission estimates 
that the majority of local exchange carriers are small entities.
    68. Incumbent Local Exchange Carriers (incumbent LECs). Neither the 
Commission nor the SBA has developed a small business size standard 
specifically for incumbent local exchange services. The closest 
applicable NAICS Code category is Wired Telecommunications Carriers. 
Under the applicable SBA size standard, such a business is small if it 
has 1,500 or fewer employees. U.S. Census Bureau data for 2012 indicate 
that 3,117 firms operated the entire year. Of this total, 3,083 
operated with fewer than 1,000 employees. Consequently, the Commission 
estimates that most providers of incumbent local exchange service are 
small businesses that may be affected by our actions. According to 
Commission data, one thousand three hundred and seven (1,307) Incumbent 
Local Exchange Carriers reported that they were incumbent local 
exchange service providers. Of this total, an estimated 1,006 have 
1,500 or fewer employees. Thus, using the SBA's size standard the 
majority of incumbent LECs can be considered small entities.
    69. Competitive Local Exchange Carriers (competitive LECs), 
Competitive Access Providers (CAPs), Shared-Tenant Service Providers, 
and Other Local Service Providers. Neither the Commission nor the SBA 
has developed a small business size standard specifically for these 
service providers. The appropriate NAICS Code category is Wired 
Telecommunications Carriers and under that size standard, such a 
business is small if it has 1,500 or fewer employees. U.S. Census 
Bureau data for 2012 indicate that 3,117 firms operated during that 
year. Of that number, 3,083 operated with fewer than 1,000 employees. 
The largest category provided by the census data is ``1000 employees or 
more'' and a more precise estimate for firms with fewer than 1,500 
employees is not provided. Based on these data, the Commission 
concludes that the majority of Competitive LECS, CAPs, Shared-Tenant 
Service Providers, and Other Local Service Providers, are small 
entities. According to Commission data, 1,442 carriers reported that 
they were engaged in the provision of either competitive local exchange 
services or competitive access provider services. Of these 1,442 
carriers, an estimated 1,256 have 1,500 or fewer employees. In 
addition, 17 carriers have reported that they are Shared-Tenant Service 
Providers, and all 17 are estimated to have 1,500 or fewer employees. 
Also, 72 carriers have reported that they are Other Local Service 
Providers. Of this total, 70 have 1,500 or fewer employees. 
Consequently, based on internally researched FCC data, the Commission 
estimates that most providers of competitive local exchange service, 
competitive access providers, Shared-Tenant Service Providers, and 
Other Local Service Providers are small entities.
    70. We have included small incumbent LECs in this present RFA 
analysis. As noted above, a ``small business'' under the RFA is one 
that, inter alia, meets the pertinent small-business size standard 
(e.g., a telephone communications business having 1,500 or fewer 
employees) and ``is not dominant in its field of operation.'' The

[[Page 22041]]

SBA's Office of Advocacy contends that, for RFA purposes, small 
incumbent LECs are not dominant in their field of operation because any 
such dominance is not ``national'' in scope. We have therefore included 
small incumbent LECs in this RFA analysis, although we emphasize that 
this RFA action has no effect on Commission analyses and determinations 
in other, non-RFA contexts. Interexchange Carriers (IXCs). Neither the 
Commission nor the SBA has developed a small business size standard 
specifically for Interexchange Carriers. The closest applicable NAICS 
Code category is Wired Telecommunications Carriers. The applicable size 
standard under SBA rules is that such a business is small if it has 
1,500 or fewer employees. U.S. Census Bureau data for 2012 indicate 
that 3,117 firms operated for the entire year. Of that number, 3,083 
operated with fewer than 1,000 employees. The largest category provided 
by the census data is ``1000 employees or more'' and a more precise 
estimate for firms with fewer than 1,500 employees is not provided.
    71. According to internally developed Commission data, 359 
companies reported that their primary telecommunications service 
activity was the provision of interexchange services. Of this total, an 
estimated 317 have 1,500 or fewer employees. Consequently, the 
Commission estimates that the majority of interexchange service 
providers are small entities.
    72. Cable System Operators (Telecom Act Standard). The 
Communications Act of 1934, as amended, also contains a size standard 
for small cable system operators, which is ``a cable operator that, 
directly or through an affiliate, serves in the aggregate fewer than 
one percent of all subscribers in the United States and is not 
affiliated with any entity or entities whose gross annual revenues in 
the aggregate exceed $250,000,000.'' As of 2018, there were 
approximately 50,504,624 cable video subscribers in the United States. 
Accordingly, an operator serving fewer than 505,046 subscribers shall 
be deemed a small operator if its annual revenues, when combined with 
the total annual revenues of all its affiliates, do not exceed $250 
million in the aggregate. Based on available data, we find that all but 
six incumbent cable operators are small entities under this size 
standard. We note that the Commission neither requests nor collects 
information on whether cable system operators are affiliated with 
entities whose gross annual revenues exceed $250 million. The 
Commission does receive such information on a case-by-case basis if a 
cable operator appeals a local franchise authority's finding that the 
operator does not qualify as a small cable operator pursuant to Sec.  
76.901(f) of the Commission's rules. Therefore we are unable at this 
time to estimate with greater precision the number of cable system 
operators that would qualify as small cable operators under the 
definition in the Communications Act.
2. Wireless Carriers
    73. Wireless Telecommunications Carriers (Except Satellite). This 
industry comprises establishments engaged in operating and maintaining 
switching and transmission facilities to provide communications via the 
airwaves. Establishments in this industry have spectrum licenses and 
provide services using that spectrum, such as cellular services, paging 
services, wireless internet access, and wireless video services. The 
appropriate size standard under SBA rules is that such a business is 
small if it has 1,500 or fewer employees. For this industry, U.S. 
Census Bureau data for 2012 show that there were 967 firms that 
operated for the entire year. Of this total, 955 firms employed fewer 
than 1,000 employees and 12 firms employed of 1000 employees or more. 
Available census data does not provide a more precise estimate of the 
number of firms that have employment of 1,500 or fewer employees. The 
largest category provided is for firms with ``1000 employees or more.'' 
Thus under this category and the associated size standard, the 
Commission estimates that the majority of wireless telecommunications 
carriers (except satellite) are small entities.
    74. The Commission's own data--available in its Universal Licensing 
System--indicate that, as of August 31, 2018 there are 265 Cellular 
licensees that will be affected by our actions. For the purposes of 
this FRFA, consistent with Commission practice for wireless services, 
the Commission estimates the number of licensees based on the number of 
unique FCC Registration Numbers. The Commission does not know how many 
of these licensees are small, as the Commission does not collect that 
information for these types of entities. Similarly, according to 
internally developed Commission data, 413 carriers reported that they 
were engaged in the provision of wireless telephony, including cellular 
service, Personal Communications Service (PCS), and Specialized Mobile 
Radio (SMR) Telephony services. Of this total, an estimated 261 have 
1,500 or fewer employees, and 152 have more than 1,500 employees. Thus, 
using available data, we estimate that the majority of wireless firms 
can be considered small.
    75. Satellite Telecommunications. This category comprises firms 
``primarily engaged in providing telecommunications services to other 
establishments in the telecommunications and broadcasting industries by 
forwarding and receiving communications signals via a system of 
satellites or reselling satellite telecommunications.'' Satellite 
telecommunications service providers include satellite and earth 
station operators. The category has a small business size standard of 
$35 million or less in average annual receipts, under SBA rules. For 
this category, U.S. Census Bureau data for 2012 show that there were a 
total of 333 firms that operated for the entire year. Of this total, 
299 firms had annual receipts of less than $25 million. The available 
U.S. Census Bureau data does not provide a more precise estimate of the 
number of firms that meet the SBA size standard of annual receipts of 
$35 million or less. Consequently, we estimate that the majority of 
satellite telecommunications providers are small entities.
3. Resellers
    76. Local Resellers. The SBA has not developed a small business 
size standard specifically for Local Resellers. The SBA category of 
Telecommunications Resellers is the closest NAICs code category for 
local resellers. The Telecommunications Resellers industry comprises 
establishments engaged in purchasing access and network capacity from 
owners and operators of telecommunications networks and reselling wired 
and wireless telecommunications services (except satellite) to 
businesses and households. Establishments in this industry resell 
telecommunications; they do not operate transmission facilities and 
infrastructure. Mobile virtual network operators (MVNOs) are included 
in this industry. Under the SBA's size standard, such a business is 
small if it has 1,500 or fewer employees. U.S. Census Bureau data from 
2012 show that 1,341 firms provided resale services during that year. 
Of that number, all operated with fewer than 1,000 employees. Available 
census data does not provide a more precise estimate of the number of 
firms that have employment of 1,500 or fewer employees. The largest 
category provided is for firms with ``1000 employees or more.'' Thus, 
under this category and the associated small business size standard, 
the majority of

[[Page 22042]]

these resellers can be considered small entities. According to 
Commission data, 213 carriers have reported that they are engaged in 
the provision of local resale services. Of these, an estimated 211 have 
1,500 or fewer employees and two have more than 1,500 employees. 
Consequently, the Commission estimates that the majority of local 
resellers are small entities.
    77. Toll Resellers. The Commission has not developed a definition 
for Toll Resellers. The closest NAICS Code Category is 
Telecommunications Resellers. The Telecommunications Resellers industry 
comprises establishments engaged in purchasing access and network 
capacity from owners and operators of telecommunications networks and 
reselling wired and wireless telecommunications services (except 
satellite) to businesses and households. Establishments in this 
industry resell telecommunications; they do not operate transmission 
facilities and infrastructure. MVNOs are included in this industry. The 
SBA has developed a small business size standard for the category of 
Telecommunications Resellers. Under that size standard, such a business 
is small if it has 1,500 or fewer employees. 2012 Census Bureau data 
show that 1,341 firms provided resale services during that year. Of 
that number, 1,341 operated with fewer than 1,000 employees. Available 
census data does not provide a more precise estimate of the number of 
firms that have employment of 1,500 or fewer employees; the largest 
category provided is for firms with ``1000 employees or more.'' Thus, 
under this category and the associated small business size standard, 
the majority of these resellers can be considered small entities. 
According to Commission data, 881 carriers have reported that they are 
engaged in the provision of toll resale services. Of this total, an 
estimated 857 have 1,500 or fewer employees. Consequently, the 
Commission estimates that the majority of toll resellers are small 
entities.
    78. Prepaid Calling Card Providers. Neither the Commission nor the 
SBA has developed a small business definition specifically for prepaid 
calling card providers. The most appropriate NAICS code-based category 
for defining prepaid calling card providers is Telecommunications 
Resellers. This industry comprises establishments engaged in purchasing 
access and network capacity from owners and operators of 
telecommunications networks and reselling wired and wireless 
telecommunications services (except satellite) to businesses and 
households. Establishments in this industry resell telecommunications; 
they do not operate transmission facilities and infrastructure. Mobile 
virtual networks operators (MVNOs) are included in this industry. Under 
the applicable SBA size standard, such a business is small if it has 
1,500 or fewer employees. U.S. Census Bureau data for 2012 show that 
1,341 firms provided resale services during that year. Of that number, 
1,341 operated with fewer than 1,000 employees. Available census data 
does not provide a more precise estimate of the number of firms that 
have employment of 1,500 or fewer employees. The largest category 
provided is for firms with ``1000 employees or more.'' Thus, under this 
category and the associated small business size standard, the majority 
of these prepaid calling card providers can be considered small 
entities. According to Commission data, 193 carriers have reported that 
they are engaged in the provision of prepaid calling cards. All 193 
carriers have 1,500 or fewer employees. Consequently, the Commission 
estimates that the majority of prepaid calling card providers are small 
entities that may be affected by these rules.
4. Other Entities
    79. All Other Telecommunications. The ``All Other 
Telecommunications'' category is comprised of establishments primarily 
engaged in providing specialized telecommunications services, such as 
satellite tracking, communications telemetry, and radar station 
operation. This industry also includes establishments primarily engaged 
in providing satellite terminal stations and associated facilities 
connected with one or more terrestrial systems and capable of 
transmitting telecommunications to, and receiving telecommunications 
from, satellite systems. Establishments providing internet services or 
voice over internet protocol (VoIP) services via client-supplied 
telecommunications connections are also included in this industry. The 
SBA has developed a small business size standard for ``All Other 
Telecommunications,'' which consists of all such firms with annual 
receipts of $35 million or less. For this category, U.S. Census Bureau 
data for 2012 show that there were 1,442 firms that operated for the 
entire year. Of those firms, a total of 1,400 had annual receipts less 
than $25 million and 15 firms had annual receipts of $25 million to 
$49,999,999. Thus, the Commission estimates that the majority of ``All 
Other Telecommunications'' firms potentially affected by our action can 
be considered small.

E. Description of Projected Reporting, Recordkeeping, and Other 
Compliance Requirements for Small Entities

    80. This Order modifies the Commission's rules in accordance with 
our proposal to require voice service providers to implement the STIR/
SHAKEN caller ID authentication framework if major voice service 
providers did not voluntarily do so by the end of 2019, and implements 
Congress's direction in the TRACED Act to mandate STIR/SHAKEN. The 
amended rules adopted in the Order do not contain reporting or 
recordkeeping requirements.

F. Steps Taken To Minimize the Significant Economic Impact on Small 
Entities, and Significant Alternatives Considered

    81. The RFA requires an agency to describe any significant, 
specifically small business, alternatives that it has considered in 
reaching its approach. This document does not distinguish between small 
entities and other entities and individuals.

G. Report to Congress

    82. The Commission will send a copy of the Order, including this 
FRFA, in a report to Congress pursuant to the Congressional Review Act. 
In addition, the Commission will send a copy of the Order, including 
this FRFA, to the Chief Counsel for Advocacy of the SBA. A copy of the 
Order and FRFA (or summaries thereof) will also be published in the 
Federal Register.

V. Ordering Clauses

    83. Accordingly, IT IS ORDERED, pursuant to sections 4(i), 4(j), 
227(e), 227b, 251(e), and 303(r), of the Communications Act of 1934, as 
amended (the Act), 47 U.S.C. 154(i), 154(j), 227(e), 227b, 251(e), and 
303(r), that this Report and Order IS ADOPTED.
    84. IT IS FURTHER ORDERED that Part 64 of the Commission's rules IS 
AMENDED as set forth in the following.
    85. IT IS FURTHER ORDERED that, pursuant to Sec. Sec.  1.4(b)(1) 
and 1.103(a) of the Commission's rules, 47 CFR 1.4(b)(1), 1.103(a), 
this Report and Order SHALL BE EFFECTIVE 30 days after publication in 
the Federal Register.
    86. IT IS FURTHER ORDERED that the Commission SHALL SEND a copy of 
this Report and Order to Congress and to the Government Accountability 
Office pursuant to the Congressional Review Act, see 5 U.S.C. 
801(a)(1)(A).

[[Page 22043]]

List of Subjects in 47 CFR Part 64

    Communications common carriers, Carrier equipment, Reporting and 
recordkeeping requirements, Telecommunications, Telephone.

Federal Communications Commission.
Cecilia Sigmund,
Federal Register Liaison Officer, Office of the Secretary.

Final Rules

    For the reasons discussed in the preamble, the Federal 
Communications Commission amends 47 CFR part 64 follows:

PART 64--MISCELLANEOUS RULES RELATING TO COMMON CARRIERS

0
1. The authority citation for part 64 is revised to read as follows:

    Authority: 47 U.S.C. 154, 201, 202, 217, 218, 220, 222, 225, 
226, 227, 227b, 228, 251(a), 251(e), 254(k), 262, 403(b)(2)(B), (c), 
616, 620, 1401-1473, unless otherwise noted; Pub. L. 115-141, Div. 
P, sec. 503, 132 Stat. 348, 1091.

0
2. Add Subpart HH, consisting of Sec. Sec.  64.6300 and 64.6301, to 
read as follows:

Subpart HH--Caller ID Authentication


Sec.  64.6300  Definitions.

    (a) Authenticate caller identification information. The term 
``authenticate caller identification information'' refers to the 
process by which a voice service provider attests to the accuracy of 
caller identification information transmitted with a call it 
originates.
    (b) Caller identification information. The term ``caller 
identification information'' has the same meaning given the term 
``caller identification information'' in 47 CFR 64.1600(c) as it 
currently exists or may hereafter be amended.
    (c) Intermediate provider. The term ``intermediate provider'' means 
any entity that carriers or processes traffic that traverses or will 
traverse the PSTN at any point insofar as that entity neither 
originates nor terminates that traffic.
    (d) SIP call. The term ``SIP call'' refers to calls initiated, 
maintained, and terminated using the Session Initiation Protocol 
signaling protocol.
    (e) STIR/SHAKEN authentication framework. The term ``STIR/SHAKEN 
authentication framework'' means the secure telephone identity 
revisited and signature-based handling of asserted information using 
tokens standards.
    (f) Verify caller identification information. The term ``verify 
caller identification information'' refers to the process by which a 
voice service provider confirms that the caller identification 
information transmitted with a call it terminates was properly 
authenticated.
    (g) Voice service. The term ``voice service''--
    (1) Means any service that is interconnected with the public 
switched telephone network and that furnishes voice communications to 
an end user using resources from the North American Numbering Plan or 
any successor to the North American Numbering Plan adopted by the 
Commission under section 251(e)(1) of the Communications Act of 1934, 
as amended; and
    (2) Includes--
    (i) Transmissions from a telephone facsimile machine, computer, or 
other device to a telephone facsimile machine; and
    (ii) Without limitation, any service that enables real-time, two-
way voice communications, including any service that requires internet 
Protocol-compatible customer premises equipment and permits out-bound 
calling, whether or not the service is one-way or two-way voice over 
internet Protocol.


Sec.  64.6301  Caller ID authentication.

    (a) STIR/SHAKEN Implementation by Voice Service Providers. Not 
later than June 30, 2021, a voice service provider shall fully 
implement the STIR/SHAKEN authentication framework in its internet 
Protocol networks. To fulfill this obligation, a voice service provider 
shall:
    (1) Authenticate and verify caller identification information for 
all SIP calls that exclusively transit its own network;
    (2) Authenticate caller identification information for all SIP 
calls it originates and that will exchange with another voice service 
provider or intermediate provider and, to the extent technically 
feasible, transmit that call with caller ID authentication information 
to the next voice service provider or intermediate provider in the call 
path; and
    (3) Verify caller identification information for all SIP calls it 
receives from another voice service provider or intermediate provider 
which it will terminate and for which the caller identification 
information has been authenticated.
    (b) [Reserved].

[FR Doc. 2020-07585 Filed 4-20-20; 8:45 am]
BILLING CODE 6712-01-P