Call Authentication Trust Anchor; Appeals of the STIR/SHAKEN Governance Authority Token Revocation Decisions, 48511-48521 [2021-18765]

Agencies

• FEDERAL COMMUNICATIONS COMMISSION

[Federal Register Volume 86, Number 166 (Tuesday, August 31, 2021)]
[Rules and Regulations]
[Pages 48511-48521]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-18765]


=======================================================================
-----------------------------------------------------------------------

FEDERAL COMMUNICATIONS COMMISSION

47 CFR Parts 0 and 64

[WC Docket Nos. 17-97 and 21-291; FCC 21-93; FR ID 45192]


Call Authentication Trust Anchor; Appeals of the STIR/SHAKEN 
Governance Authority Token Revocation Decisions

AGENCY: Federal Communications Commission.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: In this document, the Federal Communications Commission (the 
Commission) adopts rules establishing a process for voice service 
providers aggrieved by a token revocation decision of the private STIR/
SHAKEN Governance Authority to file a request for review to the 
Commission. Without this process the private STIR/SHAKEN Governance 
Authority can place other private entities out of compliance with the 
Commission's STIR/SHAKEN implementation rules without oversight from 
the Commission. The adopted rules will provide appropriate oversight 
and ensure due process for voice service providers aggrieved by a 
Governance Authority token revocation decision.

DATES: Effective September 30, 2021.

FOR FURTHER INFORMATION CONTACT: Alexander Hobbs, Attorney Advisor, 
Competition Policy Division, Wireline Competition Bureau, at (202) 418-
7433, or email: [email protected].

SUPPLEMENTARY INFORMATION: This is a summary of the Commission's Report 
and Order in WC Docket Nos. 17-97, 21-291, FCC 21-93, adopted on August 
5, 2021, and released on August 6, 2021. The complete text of this 
document is available for download at https://docs.fcc.gov/public/attachments/FCC-21-93A1.pdf. To request materials in accessible formats 
for people with disabilities (Braille, large print, electronic files, 
audio format), send an email to [email protected] or call the Consumer and 
Governmental Affairs Bureau at (202) 418-0530 (voice), (202) 418-0432 
(TTY).

Synopsis

I. Introduction

    Caller ID authentication using the STIR/SHAKEN framework is a key 
component of our multi-pronged effort to combat the scourge of illegal 
robocalls. STIR/SHAKEN is a set of technological standards that helps 
to prevent illegal ``spoofing,'' a practice that involves falsifying 
caller ID information in order to trick unsuspecting Americans into 
thinking that calls are trustworthy because the caller ID information 
appears as if the call came from a neighbor or a familiar or reputable 
source. With voice service providers required by our rules to implement 
STIR/SHAKEN in the internet Protocol (IP) portions of their networks by 
June 30, 2021, Americans are now in a position to answer their phones 
with greater confidence that the number displayed is correct.
    To guard against bad actors and preserve trust within the 
distributed caller ID authentication system, the ability of a voice 
service provider to participate in STIR/SHAKEN can be revoked by the 
private Governance Authority that oversees the STIR/SHAKEN framework. 
This revocation process effectively allows the private Governance 
Authority to make decisions that render voice service providers 
noncompliant with our rules. To provide appropriate oversight and 
ensure due process, today we establish a process for voice service 
providers to appeal such revocation decisions to the Commission.

II. Background

    To address the issue of illegal caller ID spoofing, technologists 
from the internet Engineering Task Force (IETF) and the Alliance for 
Telecommunications Industry Solutions (ATIS) developed standards to 
allow for

[[Page 48512]]

the authentication and verification of caller ID information for calls 
carried over IP networks. The result of their efforts is the STIR/
SHAKEN caller ID authentication framework, which allows for the caller 
ID information to securely travel with the call itself throughout the 
entire length of the call path. A key component of the STIR/SHAKEN 
framework is the transmission of a digital ``certificate'' along with 
the call. This certificate essentially states that the voice service 
provider authenticating the caller ID information is the voice service 
provider it claims to be, it is authorized to authenticate this 
information and, thus, the voice service provider's claims about the 
caller ID information can be trusted. To maintain trust and 
accountability in the voice service providers that vouch for the caller 
ID information, a neutral governance system issues the certificates.
    The STIR/SHAKEN governance system is comprised of several different 
entities fulfilling specialized roles. The Governance Authority, 
managed by a board consisting of representatives from across the voice 
service industry, defines the policies and procedures for which 
entities can issue or acquire certificates. The Policy Administrator 
applies the rules the Governance Authority establishes, confirms that 
Certification Authorities are authorized to issue certificates, and 
confirms that voice service providers are authorized to request and 
receive certificates. Certification Authorities, of which there are 
several, issue the certificates that voice service providers use to 
authenticate and verify calls. Finally, the voice service providers, 
when acting as call initiators, select an approved Certification 
Authority from which to request a certificate, and when acting as call 
recipients, check with Certification Authorities to ensure that the 
certificates they receive were issued by the correct Certification 
Authority.
    To receive a digital certificate, a voice service provider must 
first apply to the Policy Administrator for a Service Provider Code 
(SPC) token. To obtain a token, the Governance Authority policy 
requires that a voice service provider must (1) have a current FCC Form 
499A on file with the Commission, (2) have been assigned an Operating 
Company Number (OCN), and (3) have certified with the FCC that they 
have implemented STIR/SHAKEN or comply with the Commission's Robocall 
Mitigation Program requirements and are listed in the FCC Robocall 
Mitigation Database. The token then permits the voice service provider 
to obtain the digital certificates it will use to authenticate calls 
from one of the approved Certification Authorities. The token, 
therefore, is a prerequisite for a voice service provider to 
participate in the STIR/SHAKEN ecosystem endorsed by section 4 of the 
TRACED Act (and the Commission's implementing rules), and management of 
token access is the mechanism by which the Policy Administrator and 
Governance Authority protect the system from abuse and misuse.
    The Policy Administrator grants tokens to voice service providers 
that meet the three eligibility criteria conditioned on the execution 
of a signed agreement with each voice service provider, stating that 
the voice service provider will follow the ATIS SHAKEN specifications. 
This agreement establishes that if the Policy Administrator deems the 
voice service provider to be in breach of the agreement, it has the 
authority to suspend or revoke a voice service provider's token. The 
Policy Administrator may revoke a service provider's service token on 
its own initiative in certain circumstances or when directed by the 
Governance Authority. In the SPC Token Revocation Policy, the 
Governance Authority lists the reasons for which a token may be 
revoked: (1) In the situation of compromised credentials, i.e., a voice 
service provider's private key has been lost, stolen, or compromised, 
or a certification authority has been compromised; (2) the voice 
service provider exits the STIR/SHAKEN ecosystem and closes its account 
with the Policy Administrator; (3) the voice service provider failed to 
adhere to the policy and technical requirements of the STIR/SHAKEN 
ecosystem, including the SPC Token Access Policy, funding requirements, 
or technical specifications regarding the use of STIR/SHAKEN; or (4) 
when directed by a court, the Commission, or another body with relevant 
legal authority due to a violation of Federal law related to caller ID 
authentication. When a service provider's credentials are compromised 
or it exits the ecosystem (the former two scenarios), the Policy 
Administrator may revoke a service provider's token without prior 
direction from the Governance Authority because in either circumstance 
revocation is clearly appropriate. However, when revocation is because 
a service provider failed to adhere to a policy or technical 
requirement, or is effected at the direction of a governmental body 
(the latter two scenarios), the Governance Authority conducts the 
revocation process according to the process outlined in the SPC Token 
Revocation Policy.
    Token Revocation Procedure. Before the Governance Authority revokes 
a token due to a voice service provider's violation of a policy, 
technical, or legal requirement, the Governance Authority follows a 
multi-step process described by the SPC Token Revocation Policy, which 
allows the voice service provider to respond to the alleged infraction 
and appeal any adverse decision according to the Governance Authority's 
operating procedures. According to the SPC Token Revocation Policy, the 
revocation review process is triggered when a voice service provider, 
the Policy Administrator, a Certification Authority, or a regulatory 
authority (such as the Commission) reports a potential issue to the 
Governance Authority, generally via a complaint. After a preliminary 
review of the complaint, the Governance Authority decides whether or 
not to move forward with the review process. If the Governance 
Authority determines there is sufficient information to move forward, 
notice of the complaint will be sent to the Governance Authority Board. 
After the Governance Authority Board receives notice of the complaint, 
additional notices are sent to the complainant and to all other parties 
in the investigation process notifying them of the confidentiality 
requirements of the revocation proceeding. The Governance Authority 
also sends notice to the subject of the complaint--which has five 
business days to provide a preliminary response--and to the Policy 
Administrator who, after consulting with the Certification Authority if 
necessary, provides further information on facts related to the 
complaint and a proposed recommendation to the Governance Authority 
Board on whether to move forward with the complaint review. The 
Governance Authority Board then decides to either reject the complaint 
review, agrees review is necessary and accepts the complaint for 
review, or, if required, assigns it to the Technical Committee for 
further review.
    If the Governance Authority Board decides to accept the complaint 
for review, it will reach out to the entity that is the subject of the 
complaint to provide another notification, this time stating that the 
complaint is being investigated and requesting a substantive written 
response. If the Governance Authority Board determines that additional 
review by the Technical Committee is also necessary, it will send the 
complaint to the Technical Committee, which will review the complaint 
and provide a recommendation to the Governance

[[Page 48513]]

Authority Board. The Governance Authority will then review the 
Technical Committee's recommendation and request further investigation 
or discussion for the complaint, including submitting questions to all 
entities involved in the complaint review process. After reviewing all 
the material, including the Technical Committee's recommendation if 
necessary, the Governance Authority Board votes on whether to revoke 
the token, requiring a two-thirds vote of the Governance Authority 
Board to approve the revocation. If the Governance Authority Board 
votes to revoke the token, the decision is transmitted to the affected 
voice service provider, the complainant, and the Policy Administrator. 
The Policy Administrator then will execute the token revocation by 
deactivating the voice service provider's account and notifying all 
Certification Authorities to stop assigning new certificates to the 
voice service provider.
    The aggrieved voice service provider may appeal an adverse decision 
by the Governance Authority Board through a formal appeal process 
outlined in the Governance Authority's Operating Procedures. In 
addition to the Governance Authority Board reviewing the complaint and 
issuing a written response, the formal appeal process includes the 
potential for a hearing before an independent panel of three 
individuals. Following a hearing, the appeal panel issues a written 
decision stating its findings of fact, conclusions, and the reasoning 
for its conclusions. If a voice service provider loses the appeal, or 
chooses not to appeal, it may seek reinstatement to the STIR/SHAKEN 
ecosystem if the Governance Authority approves of its plan of action to 
remedy the issue or issues underlying the token revocation.
    On January 14, 2021, the Commission released a Second Caller ID 
Authentication Further Notice of Proposed Rulemaking proposing and 
seeking comment on establishing an oversight role for the Commission to 
oversee token revocation decisions made by the Governance Authority. 
The Commission specifically proposed adopting an appeal process similar 
to our process for reviewing decisions by the Universal Service 
Administrative Company (USAC). All commenters in the docket generally 
supported the proposal to establish such a role for the Commission. The 
Governance Authority Board states that ``[g]iven the impact token 
revocation decisions will have on providers' abilities to comply with 
the Commission's call authentication rules, it is appropriate that the 
Commission should have a role in reviewing these decisions.'' INCOMPAS 
``supports an oversight role for the agency in the certificate 
revocation process'' while VON ``recognizes the benefits to all 
stakeholders'' from such a role, and USTelecom states ``the Commission 
has a critical role in reviewing any [Governance Authority] revocation 
decisions.''

III. Discussion

    After reviewing the record, we conclude that the Commission should 
have an oversight role and therefore establish a review process of the 
Governance Authority's token revocation decisions. We do so to provide 
proper due process for voice service providers aggrieved by Governance 
Authority token revocation decisions and to ``ensure that the STIR/
SHAKEN ecosystem remains robust.'' We detail the specific appeals 
process we adopt below. As we explain, we largely adopt the proposals 
in the Second Caller ID Authentication Further Notice. We deviate from 
those proposals in several respects, however, such as by requiring 
parties seeking review of a Governance Authority decision to file their 
requests for review in a dedicated public docket in the Commission's 
Electronic Comment Filing System (ECFS) and by directing the Wireline 
Competition Bureau (Bureau) to review all appeals in the first 
instance. As we explain below, we make these changes from our initial 
proposals because we find doing so will facilitate efficient review 
based on a full record.

A. Appeals Process and Requirements

    Exhaustion of Governance Authority Appeals Process Required. We 
will require parties seeking review by the Bureau to first exhaust the 
Governance Authority appeal process, including completing the 
Governance Authority's formal appeal process. In the Second Caller ID 
Authentication Further Notice, the Commission proposed to require 
exhaustion of the Governance Authority's process before accepting 
appeals, stating that such a requirement would ``enable the dispute to 
fully develop before potentially reaching the Commission, thereby 
making it easier for the Commission to identify the relevant facts and 
issues.'' All commenters addressing the issue support this proposal. We 
agree with USTelecom that ``[r]equiring exhaustion of the [Governance 
Authority] process will ensure that the [Governance Authority] can 
complete its process and render an independent decision before the FCC 
intervenes.'' Doing so will ensure that only ``serious challenges'' 
will end up in front of the Commission, and will avoid wasting 
Commission resources by preventing us from ``duplicating efforts and 
expending resources to develop the same facts [as the Governance 
Authority].'' As VON notes, requiring exhaustion of the Governance 
Authority's process will ``resolve a large majority of complaints 
without Commission action'' ensuring the Commission does not waste time 
on issues that can be properly resolved by the Governance Authority.
    Parties Permitted to Seek Review. We establish that any voice 
service provider aggrieved by a Governance Authority decision to revoke 
that provider's token may seek review by the Bureau after exhausting 
the appeals process established by the Governance Authority. We only 
allow appeals by the aggrieved party that suffered the token 
revocation, and not another party on its behalf, to ensure efficient 
use of limited Commission resources and provide finality and certainty 
for affected parties seeking an appeal. Third parties, including the 
Governance Authority, may participate to the extent that they may file 
oppositions and replies. This procedure mirrors the process in 
Universal Service appeals, where only the aggrieved party may appeal a 
USAC decision and other interested third parties may participate by 
filing oppositions and replies as appropriate, as well as supportive 
filings. We find that this approach--in addition to being consistent 
with the well-established process for USAC appeals--best balances 
competing arguments in the record. VON argues that voice service 
providers that rely on a delegated certification from a token holder 
should also be allowed to participate in the appeal as ``intervenors'' 
or have ``interested party status.'' VON states that some voice service 
providers ``required to participate in the STIR/SHAKEN ecosystem may 
not obtain their own certificates and may instead rely on delegated 
certification from a token-holder.'' Therefore, it asserts, ``revoking 
a token would not just result in potential injury to the token-holder, 
but also to any other service provider that relies on the token-
holder's continued authorization.'' We disagree that voice service 
providers that rely on delegated tokens should be accorded special 
status because allowing them to participate in the appeal as interested 
parties ``is not likely to give them the relief they need if the token 
holder is abusing its token.'' Furthermore, the impact to a voice 
service provider with a delegated token is irrelevant as to whether the 
token holder acted in violation of rules such that token

[[Page 48514]]

revocation is appropriate. USTelecom, in contrast with VON, argues that 
``[o]nly the token holders should participate in the appeal process.'' 
To the extent USTelecom is arguing that third parties should not be 
able to participate in an appeal in any capacity, we disagree; we see 
no compelling reason to diverge with our standard procedures and not 
allow third parties, including voice service providers that rely on 
delegated tokens, to file oppositions and replies.
    We note that any voice service provider that relies on a delegated 
token from another entity may seek a waiver of our STIR/SHAKEN rules 
for a limited time period if the token it relies upon is revoked. We 
agree with USTelecom that in typical cases, a 90-day waiver period, 
from the date the Governance Authority revokes a provider's token in 
the first instance, should give a voice service provider sufficient 
time to transfer its delegated token to a new partner and continue to 
participate in the STIR/SHAKEN framework. This time period balances the 
need for an affected voice service provider to have adequate time to 
receive another certificate with the public interest of broad STIR/
SHAKEN participation. However, affected providers are free to request a 
different waiver period accompanied by an explanation of good cause for 
such a time period. We direct the Bureau to rule on all such waiver 
requests. Review of waivers of Commission rules is consistent with the 
Bureau's authority and will ensure waiver requests are reviewed in a 
timely and efficient manner to maintain the efficacy of the STIR/SHAKEN 
ecosystem.
    Filing Deadlines. We establish that aggrieved providers have 60 
days to seek Bureau review after the Governance Authority upholds its 
adverse token revocation decision. Specifically, a voice service 
provider requesting Bureau review of a Governance Authority decision to 
revoke that voice service provider's token shall file such a request 
electronically in ECFS within 60 days from the date the Governance 
Authority upholds its token revocation decision. Sixty days will 
provide sufficient time to an aggrieved voice service provider to 
receive notice and file a request for review and is equivalent to the 
time given parties in our Universal Service appeals process. The only 
commenter to address this issue, INCOMPAS, opposed our proposal and 
suggested we give aggrieved voice service providers 30 days to request 
review instead of 60 days in order to expedite the review process 
because ``[r]evoking a voice service provider's access to SPC tokens 
will have significant repercussions for the provider and its 
customers.'' We disagree with INCOMPAS's proposed shorter deadline. 
Because of the importance of the token to our STIR/SHAKEN rules we want 
to ensure providers have sufficient time to request review of any token 
revocation. Thirty days may not give affected voice service providers 
enough time to receive notice of the Governance Authority decision and 
then to prepare and file a request for review with the Bureau. We note 
that the 60-day deadline does not prevent providers from filing appeals 
sooner to expedite a review. We also note that 60 days is the same 
timeframe provided for in our Universal Service appeal process.
    We also establish that any commenters shall adhere to the time 
periods for filing oppositions and replies as set forth in Sec.  1.45 
of our rules. This follows the procedure in our USAC appeals process 
and was unopposed in the record.
    We establish a 180-day ``shot clock'' for the Bureau's review 
period, similar to the procedure used in our pole access complaint 
resolution proceedings. One hundred eighty days will typically be 
sufficient time for staff to complete reviews even if they present 
novel and potentially complex factual issues, and for staff to have 
time to present follow-up questions to the appealing party or the 
Governance Authority if necessary, while also ensuring parties can set 
expectations for when the review will be completed. As with pole access 
complaints, we expect the Bureau to meet the shot clock ``except in 
extraordinary circumstances.''
    The record support in favor of establishing a specific time limit 
for the Bureau's review persuades us to deviate from our proposal not 
to impose such a limit. VON argues we should impose a time limit on 
Bureau review ``since revocation of a token can substantially impact a 
provider's business.'' INCOMPAS suggests the Commission adopt a 30-day 
time limit for the Bureau to complete its review, arguing that speedy 
resolution is necessary because it ``will give impacted voice service 
providers and their customers the information and clarity they need to 
make plans beyond the Commission's review.'' And the Governance 
Authority Board states, ``it is important that the Commission conclude 
its review and issue a decision as quickly as reasonably possible.'' 
Nonetheless, while we agree with these commenters that prompt review is 
important, we disagree with INCOMPAS that the review period should be 
30 days. INCOMPAS does not explain how the Bureau can adequately 
account for the potential novel and complex factual issues each appeal 
could raise in 30 days. Instead, we think a 180-day period is 
sufficient to ensure that the Bureau has time to render a carefully 
considered review for each appeal while also ensuring the review is 
completed in a timely and reasonable manner. And if an appeal were not 
to pose novel or complex issues, we think it could be completed well 
before 180 days.
    We establish that the shot clock will start when the request for 
review is filed in ECFS. This procedure is identical to the one used in 
our pole access complaint proceedings and will ensure the Bureau and 
all parties are on notice of when the shot clock begins counting down 
in order to set expectations of when the review will be completed. We 
also establish that the Bureau will have discretion to pause the 180-
day review period when actions outside the Bureau's control delay the 
Bureau's review. For example, the Bureau may pause the shot clock if 
parties need additional time to provide key information requested by 
the Bureau. The Bureau will resume the shot clock when the cause for 
pausing the shot clock has been resolved. We direct the Bureau to 
provide written notice of any pause in the shot clock, as well as when 
the shot clock is resumed. This procedure similarly draws from the one 
we use in pole access complaint review and will ensure the Bureau has 
adequate time to complete its review if faced with delays outside its 
control and that all parties are duly informed whenever the shot clock 
is paused or resumed.
    Filing Requirements. We establish that requests for review shall be 
filed electronically in WC Docket No. 21-291, Appeals of the STIR/
SHAKEN Governance Authority Token Revocation Decisions, in ECFS. The 
request for review shall be captioned ``In the matter of Request for 
Review by (name of party seeking review) of Decision of the Governance 
Authority to Revoke an SPC Token.'' The request for review shall 
contain (1) a statement setting forth the voice service provider's 
asserted basis for appealing the Governance Authority's decision to 
revoke the token; (2) a full statement of relevant, material facts with 
supporting affidavits and documentation, including any background 
information the voice service provider deems useful to the Bureau's 
review; and (3) the question presented for review, with reference, 
where appropriate, to any underlying Commission rule or Governance 
Authority policy. Moreover, we establish that requests for review need

[[Page 48515]]

not include a statement of the relief sought. We assume that the relief 
sought will always be the reversal of the Governance Authority's 
revocation decision. We establish that the party seeking review shall 
send a copy of the request for review to the Governance Authority via 
[email protected] or another method specified in the Governance 
Authority's Operating Procedures. Filers may request confidential 
treatment for filings pursuant to Sec.  0.459 of our rules. These 
proposals were all unopposed in the record. In the Second Further 
Notice we proposed that filers would submit requests for review to the 
Commission's non-docketed inbox where they would not be viewable by the 
public. We deviate from this proposal and require filers to submit 
their requests to ECFS in order to allow public notice and opportunity 
to comment by third parties.
    Governance Authority Record. We encourage the Governance Authority 
to submit to the Bureau the full record of a token revocation appeal 
within five days of receiving notice of a voice service provider's 
request for Bureau review. We ask the Governance Authority to file the 
record materials in WC Docket No. 21-291, Appeals of the STIR/SHAKEN 
Governance Authority Token Revocation Decisions, in ECFS. Governance 
Authority submission of such materials to the Bureau will ``increase 
efficiency and fairness'' of the Bureau's review process. The full 
record should include, as suggested by the Governance Authority Board, 
``the completed SPC token Complaint Submission Form, the notice of 
complaint that was sent to the [Governance Authority] Board, written 
responses from the provider at issue, the final written decision of the 
[Governance Authority] Board, any materials provided by the service 
provider as part of an appeal of the decision under the [Governance 
Authority] Operating Procedures, as well as the written decision by the 
[Governance Authority] Board regarding the appeal.'' We agree with the 
Governance Authority Board that it does not need to submit drafts of 
the required documents or Board discussions to protect the 
confidentiality of its internal deliberations. We also recognize the 
Governance Authority Board's concern that the materials submitted by 
the Governance Authority Board merit confidential treatment and should 
be treated as such because they are likely to contain privileged or 
confidential ``provider-specific'' commercial information. Accordingly, 
the Governance Authority may request confidential treatment for its 
submissions pursuant to Sec.  0.459 of our rules (as set forth in our 
rules, the Governance Authority Board would need to identify the 
specific information for which it is requesting confidential treatment. 
The Governance Authority Board also would need to submit a version of 
the filing that can be made public with the confidential material 
redacted. We encourage the Governance Authority Board to work with the 
voice service provider seeking review to determine which information is 
confidential or to put procedures in place that will require voice 
service providers to identify confidential information when submitting 
information to the Governance Authority Board and to identify any 
categories of internal documents it considers confidential.).
    We do not expect the Governance Authority to submit a statement in 
opposition to the request for review. We will rely ``on the entirety of 
the record developed'' by the Governance Authority during its review 
process and will ``only engage the [Governance Authority] in an appeal 
to the extent necessary to understand [Governance Authority's] policies 
and procedures and the [Governance Authority's] interpretations of 
them.'' USTelecom argues that ``[r]equiring the [Governance Authority] 
to file a statement in opposition to the FCC review request would 
needlessly make the [Governance Authority] a party to the proceeding 
rather than a neutral, independent arbiter in its own right.'' 
USTelecom also notes that in the USAC appeals process ``USAC does not 
file a statement in opposition to the review request.'' We agree with 
USTelecom that the Governance Authority should remain a neutral party 
in the appeals process. However, we do not affirmatively prohibit the 
Governance Authority from participating beyond submission of the record 
should it find it appropriate to do so.
    Wireline Competition Bureau Review. We establish that the Wireline 
Competition Bureau will review and issue decisions in the first 
instance in all appeals of decisions from the Governance Authority (in 
the Second Caller ID Authentication Further Notice the Commission 
proposed that the Bureau would review all appeals with one exception: 
the Commission would review appeals that presented ``novel questions of 
fact, law, or policy.'' That approach followed our USAC appeals 
procedure. We deviate from our USAC appeals procedure because, after 
further consideration, we expect most, if not all, appeals to present 
fact-specific and technically complicated issues; the Bureau is best 
situated to review such appeals in the first instance in a speedy 
manner.). Accordingly, we direct the Bureau to review all requests for 
review in the first instance, with applications for review to the 
Commission available after the Bureau issues a final decision. We 
direct the Bureau to ensure its decisions maintain the integrity and 
efficacy of the STIR/SHAKEN ecosystem to protect the public from 
unlawfully spoofed calls and unlawful robocalls. By directing the 
Bureau to review all appeals in the first instance we ensure voice 
service providers receive speedy resolution of their disputes by agency 
experts and those voice service providers whose tokens are determined 
to be rightfully revoked are promptly required to update their Robocall 
Mitigation Database certifications. We reiterate that, as with any 
decision adopted on delegated authority, an affected party may seek 
review by the full Commission of a decision issued by the Bureau, thus 
ensuring Commission oversight of all decision-making and availability 
to any interested party. No party addressed the appropriate scope of 
review by the Bureau in the record.
    Standard of Review. We establish that the standard of review by the 
Bureau will be de novo. Specifically, we direct the Bureau to conduct 
de novo review of Governance Authority decisions to revoke a voice 
service provider's token. We agree with the Governance Authority Board 
that de novo review ``will allow the Commission to independently verify 
the [Governance Authority] Board's decisions and better ensure that the 
SHAKEN ecosystem continues to operate in a fair and equitable manner.'' 
Such an approach also avoids the concern expressed by VON that 
``anything more deferential than de novo review would inevitably result 
in [Governance Authority] decisions receiving precedential treatment, 
and would turn the STI-GA into a de facto policymaking body in place of 
the FCC.'' A de novo standard of review was unopposed in the record and 
commenters all agreed a de novo standard is appropriate.
    Status During Pendency of Appeals. We adopt a new rule establishing 
that throughout the review period, starting from when the Governance 
Authority revokes a voice service provider's token and including the 
duration of the Governance Authority's formal appeals process, until 
the Bureau issues a decision on the appeal, a voice service provider 
will not be judged to be in violation of the Commission's STIR/SHAKEN 
rules as a result of the revocation. We agree with USTelecom

[[Page 48516]]

that it would be unreasonable for the agency to judge a voice service 
provider as noncompliant during the pendency of an appeal before it 
evaluates a revocation decision. USTelecom and NCTA supported this 
proposal. We find it necessary to satisfy due process for a party to 
have the opportunity to appeal the decision of the private Governance 
Authority and, if it appeals, to obtain a decision by the Bureau before 
being judged noncompliant. VON argues that we also not judge 
``delegated certificate customers'' of a voice service provider that 
has its token revoked noncompliant during the pendency of an appeal. We 
disagree with VON. Establishing that a voice service provider that 
relies on a delegated token not be judged in violation of our rules 
during the pendency of an appeal would be redundant because such a 
provider may seek a waiver of our rules if the token it relies upon is 
revoked.
    More specifically, we clarify that a provider subject to a 
revocation will not be in violation of our STIR/SHAKEN rules as a 
result of the revocation during (1) the time period in which it may 
file an appeal to the Governance Authority; (2) the pendency of any 
appeal before the Governance Authority; (3) the time period in which it 
may file an appeal to the Bureau; and (4) if it files an appeal with 
the Bureau, until the Bureau releases a final decision regarding the 
appeal (should the Bureau uphold or otherwise decide not to overturn 
the Governance Authority's decision, an aggrieved voice service 
provider may file a petition for reconsideration or application for 
review within the time periods permitted by our rules, but such filing 
will not protect the provider from a finding of noncompliance while the 
petition or application is pending.). The exclusion from liability 
applies specifically to rule 64.6301, which requires implementation of 
STIR/SHAKEN. In addition, because a voice service provider that has 
been aggrieved by an adverse Governance Authority service token 
revocation decision is not considered in violation of 64.6301 during 
the pendency of its appeal to the Bureau, it will not need to submit an 
amended filing to the Robocall Mitigation Database until its window to 
appeal to the Governance Authority or the Bureau lapses or, if it 
appeals, until the Bureau issues a final decision regarding its appeal. 
Specifically, while a voice service provider has the opportunity to 
appeal and while a filed appeal is pending, the voice service provider 
will not be judged in violation of the requirement to file an updated 
filing within 10 business days of any change to the information it must 
provide to the Commission pursuant to Sec.  64.6305 of our rules. After 
the Bureau issues its decision, the voice service provider must update 
its Robocall Mitigation Database filing within 10 business days, if 
necessary (if the Bureau upholds a token revocation decision, the 
affected provider will be in violation of the Sec.  64.6301(a) 
requirement to participate in STIR/SHAKEN because, without a token, the 
provider will not be able to authenticate calls it originates 
consistent with the STIR/SHAKEN standards. A voice service provider 
that has its token revoked will not be eligible for the extension for 
voice service providers that cannot obtain a SPC token. The Commission 
established the extension for voice service providers for whom it is 
unfeasible to obtain a token in the first instance under the Governance 
Authority's Token Access Policy, not for providers that are subject to 
token revocation.).
    In the Second Caller ID Authentication Further Notice, the 
Commission proposed that a voice service provider would not be judged 
in violation of the TRACED Act during the pendency of an appeal. We 
decline to adopt this proposal. The TRACED Act contains no STIR/SHAKEN 
implementation obligation for voice service providers; rather it 
directs the Commission to require voice service providers to implement 
STIR/SHAKEN. There is therefore no need to establish that voice 
providers will not be judged in violation of the TRACED Act during the 
pendency of an appeal.
    We conclude that after revocation by the Governance Authority, a 
voice service provider may not maintain possession and use of its token 
regardless of whether it files an appeal to the Bureau. In effect, this 
means that although a voice service provider will not be judged in 
violation of our rules it will not be able to continue to exchange 
STIR/SHAKEN-authenticated traffic during the pendency of an appeal. The 
only commenter to address the subject supports the approach we adopt, 
and we agree that we do not want to create an incentive for bad-actor 
voice service providers to appeal the Governance Authority decision for 
the sole purpose of delaying revocation of their tokens. For the same 
reason, should the Bureau uphold or otherwise decide not to overturn 
the Governance Authority's decision, a voice service provider will not 
regain the right to use its token by filing a petition for 
reconsideration or application for review. This proposal was unopposed 
in the record.

B. Legal Authority

    We conclude that section 4(b)(1) of the TRACED Act grants us 
authority to establish an oversight role for the Commission to review 
token revocation decisions made by the Governance Authority. Section 
4(b)(1) directs the Commission to require the implementation of the 
STIR/SHAKEN framework. Establishing an oversight role for the 
Commission is consistent with the TRACED Act's caller ID authentication 
implementation mandate because it will make revocation decisions by the 
Governance Authority that have the effect of putting entities outside 
of our STIR/SHAKEN implementation rules reviewable by the Commission. 
We also conclude we have authority to establish an oversight role for 
the Commission under section 251(e) of the Communications Act of 1934, 
as amended. Section 251(e) grants the Commission exclusive jurisdiction 
over North American Numbering Plan resources in the United States and, 
within that broad grant, provides us with authority to mandate caller 
ID authentication. We find that section 251(e) grants us the 
corresponding authority to review decisions that have the impact of 
preventing a voice service provider from complying with our caller ID 
authentication rules. No party opposed our assertion of legal 
authority.

IV. Procedural Matters

    Final Regulatory Flexibility Analysis. As required by the 
Regulatory Flexibility Act of 1980 (RFA), an Initial Regulatory 
Flexibility Analysis (IRFA) was incorporated in the Second Caller ID 
Authentication Further Notice of Proposed Rulemaking. The Commission 
sought written public comment on the possible significant economic 
impact on small entities regarding proposals addressed in the Second 
Caller ID Authentication Further Notice of Proposed Rulemaking, 
including comments on the IRFA. Pursuant to the RFA, a Final Regulatory 
Flexibility Analysis is set forth in Appendix B. The Commission's 
Consumer and Governmental Affairs Bureau, Reference Information Center, 
will send a copy of this Third Report and Order, including the FRFA, to 
the Chief Counsel for Advocacy of the Small Business Administration 
(SBA).
    Paperwork Reduction Act. This document contains new or modified 
information collection requirements subject to the Paperwork Reduction 
Act of 1995 (PRA), Public Law 104-13. These requirements have been 
reviewed and approved by the Office of Management and Budget (OMB)

[[Page 48517]]

pursuant to 44 U.S.C. 3507(d) (The new information collection 
requirements were preapproved by the Office of Management and Budget 
under OMB Control No. 3060-1287 on June 3, 2021.) In addition, we note 
that pursuant to the Small Business Paperwork Relief Act of 2002, 
Public Law 107-198, we previously sought comment on how the Commission 
might further reduce the information collection burden for small 
business concerns with fewer than 25 employees. This document also 
contains non-substantive modifications to the approved information 
collection. These modifications will be submitted to OMB for review and 
approval pursuant to OMB's non-substantive change process.
    Congressional Review Act. The Commission has determined, and the 
Administrator of the Office of Information and Regulatory Affairs, 
Office of Management and Budget, concurs, that this rule is ``non-
major'' under the Congressional Review Act, 5 U.S.C. 804(2). The 
Commission will send a copy of this Third Report and Order to Congress 
and the Government Accountability Office pursuant to 5 U.S.C. 
801(a)(1)(A).
    Contact Person. For further information about the Third Report and 
Order, contact Alexander Hobbs, Attorney Advisor, Competition Policy 
Division, Wireline Competition Bureau, at (202) 418-7433 or 
[email protected].

V. Initial Final Regulatory Flexibility Analysis

    As required by the Regulatory Flexibility Act of 1980, as amended, 
an Initial Regulatory Flexibility Analysis (IRFA) was incorporated into 
the Second Caller ID Authentication Further Notice of Proposed 
Rulemaking. The Commission sought written public comments on the 
proposals in the Second Caller ID Authentication Further Notice, 
including comments on the IRFA. No comments were filed addressing the 
IRFA. This present Final Regulatory Flexibility Analysis (FRFA) 
conforms to the RFA.

Need for, and Objectives of, the Proposed Rules

    This Third Report and Order continues the Commission's efforts to 
combat illegal spoofed robocalls. Specifically, the Third Report and 
Order establishes an oversight role for the Commission of the STIR/
SHAKEN governance system's token revocation process. Under the adopted 
procedure, any voice service provider or intermediate provider that has 
its Service Provider Code (SPC) token revoked may seek review of this 
decision by the Commission through established procedures. The 
procedures in the Third Report and Order will help promote effective 
caller ID authentication through STIR/SHAKEN.
    The Third Report and Order finds authority for these proposed rules 
under the TRACED Act. Section 4(b)(1) of the TRACED Act provided 
authority to require the implementation of the STIR/SHAKEN framework. 
We believe that to effectively direct the implementation of STIR/SHAKEN 
consistent with the TRACED Act, the Commission must have a role in 
decisions to revoke Service Provider Code tokens because the result of 
such a decision could place the service provider in noncompliance with 
our rules. The Third Report and Order also finds independent authority 
under section 251(e) of the Communications Act of 1934, as amended (the 
Act).

Summary of Significant Issues Raised by Public Comments in Response to 
the IRFA

    There were no comments filed that specifically addressed the 
proposed rules and policies presented in the IRFA.

Response to Comments by the Chief Counsel for Advocacy of the SBA

    Pursuant to the Small Business Jobs Act of 2010, which amended the 
RFA, the Commission is required to respond to any comments filed by the 
Chief Counsel for Advocacy of the Small Business Administration (SBA), 
and to provide a detailed statement of any change made to the proposed 
rules as a result of those comments.
    The Chief Counsel did not file any comments in response to the 
proposed rules in this proceeding.

Description and Estimate of the Number of Small Entities to Which the 
Proposed Rules Will Apply

    The RFA directs agencies to provide a description of and, where 
feasible, an estimate of the number of small entities that may be 
affected by the proposed rules and by the rule revisions on which the 
Notice seeks comment, if adopted. The RFA generally defines the term 
``small entity'' as having the same meaning as the terms ``small 
business,'' ``small organization,'' and ``small governmental 
jurisdiction.'' In addition, the term ``small business'' has the same 
meaning as the term ``small-business concern'' under the Small Business 
Act. A ``small-business concern'' is one which: (1) Is independently 
owned and operated; (2) is not dominant in its field of operation; and 
(3) satisfies any additional criteria established by the SBA.
    Wired Telecommunications Carriers. The U.S. Census Bureau defines 
this industry as ``establishments primarily engaged in operating and/or 
providing access to transmission facilities and infrastructure that 
they own and/or lease for the transmission of voice, data, text, sound, 
and video using wired communications networks. Transmission facilities 
may be based on a single technology or a combination of technologies. 
Establishments in this industry use the wired telecommunications 
network facilities that they operate to provide a variety of services, 
such as wired telephony services, including VoIP services, wired 
(cable) audio and video programming distribution, and wired broadband 
internet services. By exception, establishments providing satellite 
television distribution services using facilities and infrastructure 
that they operate are included in this industry.'' The SBA has 
developed a small business size standard for Wired Telecommunications 
Carriers, which consists of all such companies having 1,500 or fewer 
employees. U.S. Census Bureau data for 2012 show that there were 3,117 
firms that operated that year. Of this total, 3,083 operated with fewer 
than 1,000 employees. Thus, under this size standard, the majority of 
firms in this industry can be considered small.
    Local Exchange Carriers (LECs). Neither the Commission nor the SBA 
has developed a size standard for small businesses specifically 
applicable to local exchange services. The closest applicable NAICS 
Code category is Wired Telecommunications Carriers. Under the 
applicable SBA size standard, such a business is small if it has 1,500 
or fewer employees. U.S. Census Bureau data for 2012 show that there 
were 3,117 firms that operated for the entire year. Of that total, 
3,083 operated with fewer than 1,000 employees. Thus under this 
category and the associated size standard, the Commission estimates 
that the majority of local exchange carriers are small entities.
    Incumbent LECs. Neither the Commission nor the SBA has developed a 
small business size standard specifically for incumbent local exchange 
services. The closest applicable NAICS Code category is Wired 
Telecommunications Carriers. Under the applicable SBA size standard, 
such a business is small if it has 1,500 or fewer employees. U.S. 
Census Bureau data for 2012 indicate that 3,117 firms operated the 
entire year. Of this total, 3,083 operated with fewer than 1,000 
employees. Consequently, the

[[Page 48518]]

Commission estimates that most providers of incumbent local exchange 
service are small businesses that may be affected by our actions. 
According to Commission data, one thousand three hundred and seven 
(1,307) Incumbent Local Exchange Carriers reported that they were 
incumbent local exchange service providers. Of this total, an estimated 
1,006 have 1,500 or fewer employees. Thus, using the SBA's size 
standard the majority of incumbent LECs can be considered small 
entities.
    Competitive Local Exchange Carriers (Competitive LECs), Competitive 
Access Providers (CAPs), Shared-Tenant Service Providers, and Other 
Local Service Providers. Neither the Commission nor the SBA has 
developed a small business size standard specifically for these service 
providers. The appropriate NAICS Code category is Wired 
Telecommunications Carriers and under that size standard, such a 
business is small if it has 1,500 or fewer employees. U.S. Census 
Bureau data for 2012 indicate that 3,117 firms operated during that 
year. Of that number, 3,083 operated with fewer than 1,000 employees. 
Based on these data, the Commission concludes that the majority of 
Competitive LECS, CAPs, Shared-Tenant Service Providers, and Other 
Local Service Providers, are small entities. According to Commission 
data, 1,442 carriers reported that they were engaged in the provision 
of either competitive local exchange services or competitive access 
provider services. Of these 1,442 carriers, an estimated 1,256 have 
1,500 or fewer employees. In addition, 17 carriers have reported that 
they are Shared-Tenant Service Providers, and all 17 are estimated to 
have 1,500 or fewer employees. Also, 72 carriers have reported that 
they are Other Local Service Providers. Of this total, 70 have 1,500 or 
fewer employees. Consequently, based on internally researched FCC data, 
the Commission estimates that most providers of competitive local 
exchange service, competitive access providers, Shared-Tenant Service 
Providers, and Other Local Service Providers are small entities.
    We have included small incumbent LECs in this present RFA analysis. 
As noted above, a ``small business'' under the RFA is one that, inter 
alia, meets the pertinent small-business size standard (e.g., a 
telephone communications business having 1,500 or fewer employees) and 
``is not dominant in its field of operation.'' The SBA's Office of 
Advocacy contends that, for RFA purposes, small incumbent LECs are not 
dominant in their field of operation because any such dominance is not 
``national'' in scope. We have therefore included small incumbent LECs 
in this RFA analysis, although we emphasize that this RFA action has no 
effect on Commission analyses and determinations in other, non-RFA 
contexts.
    Interexchange Carriers (IXCs). Neither the Commission nor the SBA 
has developed a small business size standard specifically for 
Interexchange Carriers. The closest applicable NAICS Code category is 
Wired Telecommunications Carriers. The applicable size standard under 
SBA rules is that such a business is small if it has 1,500 or fewer 
employees. U.S. Census Bureau data for 2012 indicate that 3,117 firms 
operated for the entire year. Of that number, 3,083 operated with fewer 
than 1,000 employees. According to internally developed Commission 
data, 359 companies reported that their primary telecommunications 
service activity was the provision of interexchange services. Of this 
total, an estimated 317 have 1,500 or fewer employees. Consequently, 
the Commission estimates that the majority of interexchange service 
providers are small entities.
    Cable System Operators (Telecom Act Standard). The Communications 
Act of 1934, as amended, also contains a size standard for small cable 
system operators, which is ``a cable operator that, directly or through 
an affiliate, serves in the aggregate fewer than one percent of all 
subscribers in the United States and is not affiliated with any entity 
or entities whose gross annual revenues in the aggregate exceed 
$250,000,000.'' As of 2018, there were approximately 50,504,624 cable 
video subscribers in the United States. Accordingly, an operator 
serving fewer than 505,046 subscribers shall be deemed a small operator 
if its annual revenues, when combined with the total annual revenues of 
all its affiliates, do not exceed $250 million in the aggregate. We 
note that the Commission neither requests nor collects information on 
whether cable system operators are affiliated with entities whose gross 
annual revenues exceed $250 million. Therefore we are unable at this 
time to estimate with greater precision the number of cable system 
operators that would qualify as small cable operators under the 
definition in the Communications Act.
    Wireless Telecommunications Carriers (except Satellite). This 
industry comprises establishments engaged in operating and maintaining 
switching and transmission facilities to provide communications via the 
airwaves. Establishments in this industry have spectrum licenses and 
provide services using that spectrum, such as cellular services, paging 
services, wireless internet access, and wireless video services. The 
appropriate size standard under SBA rules is that such a business is 
small if it has 1,500 or fewer employees. For this industry, U.S. 
Census Bureau data for 2012 show that there were 967 firms that 
operated for the entire year. Of this total, 955 firms employed fewer 
than 1,000 employees and 12 firms employed of 1,000 employees or more. 
Thus under this category and the associated size standard, the 
Commission estimates that the majority of wireless telecommunications 
carriers (except satellite) are small entities.
    The Commission's own data--available in its Universal Licensing 
System--indicate that, as of August 31, 2018 there are 265 Cellular 
licensees that will be affected by our actions. The Commission does not 
know how many of these licensees are small, as the Commission does not 
collect that information for these types of entities. Similarly, 
according to internally developed Commission data, 413 carriers 
reported that they were engaged in the provision of wireless telephony, 
including cellular service, Personal Communications Service (PCS), and 
Specialized Mobile Radio (SMR) Telephony services. Of this total, an 
estimated 261 have 1,500 or fewer employees, and 152 have more than 
1,500 employees. Thus, using available data, we estimate that the 
majority of wireless firms can be considered small.
    Satellite Telecommunications. This category comprises firms 
``primarily engaged in providing telecommunications services to other 
establishments in the telecommunications and broadcasting industries by 
forwarding and receiving communications signals via a system of 
satellites or reselling satellite telecommunications.'' Satellite 
telecommunications service providers include satellite and earth 
station operators. The category has a small business size standard of 
$35 million or less in average annual receipts, under SBA rules. For 
this category, U.S. Census Bureau data for 2012 show that there were a 
total of 333 firms that operated for the entire year. Of this total, 
299 firms had annual receipts of less than $25 million. Consequently, 
we estimate that the majority of satellite telecommunications providers 
are small entities.
    Local Resellers. The SBA has not developed a small business size 
standard specifically for Local Resellers.

[[Page 48519]]

The SBA category of Telecommunications Resellers is the closest NAICs 
code category for local resellers. The Telecommunications Resellers 
industry comprises establishments engaged in purchasing access and 
network capacity from owners and operators of telecommunications 
networks and reselling wired and wireless telecommunications services 
(except satellite) to businesses and households. Establishments in this 
industry resell telecommunications; they do not operate transmission 
facilities and infrastructure. Mobile virtual network operators (MVNOs) 
are included in this industry. Under the SBA's size standard, such a 
business is small if it has 1,500 or fewer employees. U.S. Census 
Bureau data from 2012 show that 1,341 firms provided resale services 
during that year. Of that number, all operated with fewer than 1,000 
employees. Thus, under this category and the associated small business 
size standard, the majority of these resellers can be considered small 
entities. According to Commission data, 213 carriers have reported that 
they are engaged in the provision of local resale services. Of these, 
an estimated 211 have 1,500 or fewer employees and two have more than 
1,500 employees. Consequently, the Commission estimates that the 
majority of local resellers are small entities.
    Toll Resellers. The Commission has not developed a definition for 
Toll Resellers. The closest NAICS Code Category is Telecommunications 
Resellers. The Telecommunications Resellers industry comprises 
establishments engaged in purchasing access and network capacity from 
owners and operators of telecommunications networks and reselling wired 
and wireless telecommunications services (except satellite) to 
businesses and households. Establishments in this industry resell 
telecommunications; they do not operate transmission facilities and 
infrastructure. MVNOs are included in this industry. The SBA has 
developed a small business size standard for the category of 
Telecommunications Resellers. Under that size standard, such a business 
is small if it has 1,500 or fewer employees. 2012 Census Bureau data 
show that 1,341 firms provided resale services during that year. Of 
that number, 1,341 operated with fewer than 1,000 employees. Thus, 
under this category and the associated small business size standard, 
the majority of these resellers can be considered small entities. 
According to Commission data, 881 carriers have reported that they are 
engaged in the provision of toll resale services. Of this total, an 
estimated 857 have 1,500 or fewer employees. Consequently, the 
Commission estimates that the majority of toll resellers are small 
entities.
    Prepaid Calling Card Providers. Neither the Commission nor the SBA 
has developed a small business definition specifically for prepaid 
calling card providers. The most appropriate NAICS code-based category 
for defining prepaid calling card providers is Telecommunications 
Resellers. This industry comprises establishments engaged in purchasing 
access and network capacity from owners and operators of 
telecommunications networks and reselling wired and wireless 
telecommunications services (except satellite) to businesses and 
households. Establishments in this industry resell telecommunications; 
they do not operate transmission facilities and infrastructure. Mobile 
virtual networks operators (MVNOs) are included in this industry. Under 
the applicable SBA size standard, such a business is small if it has 
1,500 or fewer employees. U.S. Census Bureau data for 2012 show that 
1,341 firms provided resale services during that year. Of that number, 
1,341 operated with fewer than 1,000 employees. Thus, under this 
category and the associated small business size standard, the majority 
of these prepaid calling card providers can be considered small 
entities. According to Commission data, 193 carriers have reported that 
they are engaged in the provision of prepaid calling cards. All 193 
carriers have 1,500 or fewer employees. Consequently, the Commission 
estimates that the majority of prepaid calling card providers are small 
entities that may be affected by these rules.
    All Other Telecommunications. The ``All Other Telecommunications'' 
category is comprised of establishments primarily engaged in providing 
specialized telecommunications services, such as satellite tracking, 
communications telemetry, and radar station operation. This industry 
also includes establishments primarily engaged in providing satellite 
terminal stations and associated facilities connected with one or more 
terrestrial systems and capable of transmitting telecommunications to, 
and receiving telecommunications from, satellite systems. 
Establishments providing internet services or voice over internet 
protocol (VoIP) services via client-supplied telecommunications 
connections are also included in this industry. The SBA has developed a 
small business size standard for ``All Other Telecommunications'', 
which consists of all such firms with annual receipts of $35 million or 
less. For this category, U.S. Census Bureau data for 2012 show that 
there were 1,442 firms that operated for the entire year. Of those 
firms, a total of 1,400 had annual receipts less than $25 million and 
15 firms had annual receipts of $25 million to $49,999,999. Thus, the 
Commission estimates that the majority of ``All Other 
Telecommunications'' firms potentially affected by our action can be 
considered small.

Description of Projected Reporting, Recordkeeping, and Other Compliance 
Requirements for Small Entities

    The Third Report and Order adopts new rules requiring voice service 
providers to update their filings to the robocall mitigation database 
if the Bureau upholds an adverse service token revocation decision made 
by the Governance Authority. Some voice service providers required to 
amend their filings in this way may be small voice service providers.

Steps Taken To Minimize the Significant Economic Impact on Small 
Entities, and Significant Alternatives Considered

    The RFA requires an agency to describe any significant alternatives 
that it has considered in reaching its proposed approach, which may 
include the following four alternatives (among others): (1) The 
establishment of differing compliance or reporting requirements or 
timetables that take into account the resources available to small 
entities; (2) the clarification, consolidation, or simplification of 
compliance and reporting requirements under the rules for such small 
entities; (3) the use of performance rather than design standards; and 
(4) an exemption from coverage of the rule, or any part thereof, for 
such small entities.
    The Third Report and Order adopts rules establishing an oversight 
role for the Commission within the STIR/SHAKEN governance system's 
token revocation process. Under our newly adopted rules entities, 
including small entities, that have their SPC token revoked by the 
private STIR/SHAKEN Governance Authority may appeal that decision to 
the Commission.

Federal Rules That May Duplicate, Overlap, or Conflict With the 
Proposed Rules

    None.

[[Page 48520]]

Report to Congress

    The Commission will send a copy of the Third Report and Order, 
including this FRFA, in a report to Congress pursuant to the 
Congressional Review Act. In addition, the Commission will send a copy 
of the Third Report and Order, including the FRFA, to the Chief Counsel 
for Advocacy of the SBA. A copy of the Third Report and Order and FRFA 
(or summaries thereof) will also be published in the Federal Register.

VI. Ordering Clauses

    Accordingly, it is ordered, pursuant to sections 4(i), 4(j), 
201(b), 227b, 251(e), and 303(r) of the Communications Act of 1934, as 
amended, 47 U.S.C. 154(i), 154(j), 201(b), 227b, 251(e), and 303(r), 
that this Third Report and Order is adopted.
    It is further ordered that parts 0 and 64 of the Commission's rules 
are amended as set forth in Appendix A, and that, pursuant to 
Sec. Sec.  1.4(b)(1) and 1.103(a) of the Commission's rules, 47 CFR 
1.4(b)(1), 1.103(a), this Third Report and Order shall be effective 30 
days after publication of this Third Report and Order in the Federal 
Register, which will occur after the Commission receives OMB approval 
of the non-substantive changes contained herein.
    It is further ordered that the Commission shall send a copy of this 
Third Report and Order to Congress and to the Government Accountability 
Office pursuant to the Congressional Review Act, see 5 U.S.C. 
801(a)(1)(A).

List of Subjects in 47 CFR Parts 0 and 64

    Authority delegations (government agencies), Communications common 
carriers.

Federal Communications Commission.
Marlene Dortch,
Secretary.

Final Rules

    For the reasons discussed in the preamble, the Federal 
Communications Commission amends 47 parts 0 and 64 as follows:

PART 0--COMMISSION ORGANIZATION

0
1. The authority citation for part 0 continues to read as follows:

    Authority: 47 U.S.C. 151, 154(i), 154(j), 155, 225, and 409, 
unless otherwise noted.


0
2. Amend Sec.  0.91 by adding paragraph (r) to read as follows:


Sec.  0.91  Functions of the Bureau.

* * * * *
    (r) Review and resolve appeals of decisions by the STIR/SHAKEN 
authentication framework Governance Authority (as those terms are 
defined in Sec.  64.6300 of this chapter) in accordance with Sec.  
64.6308 of this chapter.

PART 64--MISCELLANEOUS RULES RELATING TO COMMON CARRIERS

0
3. The authority citation for part 64 continues to read as follows:

    Authority: 47 U.S.C. 151, 152, 154, 201, 202, 217, 218, 220, 
222, 225, 226, 227, 227b, 228, 251(a), 251(e), 254(k), 262, 276, 
403(b)(2)(B), (c), 616, 620, 1401-1473, unless otherwise noted; Pub. 
L. 115-141, Div. P, sec. 503, 132 Stat. 348, 1091.


0
4. Amend Sec.  64.6305 by adding paragraphs (b)(5)(i) and (ii) to read 
as follows:


Sec.  64.6305  Robocall mitigation and certification.

* * * * *
    (b) * * *
    (5) * * *
    (i) A voice service provider or intermediate provider that has been 
aggrieved by a Governance Authority decision to revoke that voice 
service provider's or intermediate provider's SPC token need not update 
its filing on the basis of that revocation until the sixty (60) day 
period to request Commission review, following completion of the 
Governance Authority's formal review process, pursuant to Sec.  
64.6308(b)(1) expires or, if the aggrieved voice service provider or 
intermediate provider files an appeal, until ten business days after 
the Wireline Competition Bureau releases a final decision pursuant to 
Sec.  64.6308(d)(1).
    (ii) If a voice service provider or intermediate provider elects 
not to file a formal appeal of the Governance Authority decision to 
revoke that voice service provider's or intermediate provider's SPC 
token, the provider need not update its filing on the basis of that 
revocation until the thirty (30) day period to file a formal appeal 
with the Governance Authority Board expires.
* * * * *

0
5. Add Sec.  64.6308 to subpart HH to read as follows:


Sec.  64.6308  Review of Governance Authority Decision to Revoke an SPC 
Token.

    (a) Parties permitted to seek review of Governance Authority 
decision. (1) Any voice service provider or intermediate provider 
aggrieved by a Governance Authority decision to revoke that voice 
service provider's or intermediate provider's SPC token, must seek 
review from the Governance Authority and complete the appeals process 
established by the Governance Authority prior to seeking Commission 
review.
    (2) Any voice service provider or intermediate provider aggrieved 
by an action to revoke its SPC token taken by the Governance Authority, 
after exhausting the appeals process provided by the Governance 
Authority, may then seek review from the Commission, as set forth in 
this section.
    (b) Filing deadlines. (1) A voice service provider or intermediate 
provider requesting Commission review of a Governance Authority 
decision to revoke that voice service provider's or intermediate 
provider's SPC token by the Commission, shall file such a request 
electronically in the Electronic Comment Filing System (ECFS) in WC 
Docket No. 21-291, Appeals of the STIR/SHAKEN Governance Authority 
Token Revocation Decisions within sixty (60) days from the date the 
Governance Authority upholds it token revocation decision.
    (2) Parties shall adhere to the time periods for filing oppositions 
and replies set forth in Sec.  1.45.
    (c) Filing requirements. (1) A request for review of a Governance 
Authority decision to revoke a voice service provider's or intermediate 
provider's SPC token by the Commission shall be filed in WC Docket No. 
21-291, Appeals of the STIR/SHAKEN Governance Authority Token 
Revocation Decisions, in the Electronic Comment Filing System (ECFS). 
The request for review shall be captioned ``In the matter of Request 
for Review by (name of party seeking review) of Decision of the 
Governance Authority to Revoke an SPC Token.''
    (2) A request for review shall contain:
    (i) A statement setting forth the voice service provider's or 
intermediate provider's asserted basis for appealing the Governance 
Authority's decision to revoke the SPC token;
    (ii) A full statement of relevant, material facts with supporting 
affidavits and documentation, including any background information the 
voice service provider or intermediate provider deems useful to the 
Commission's review; and
    (iii) The question presented for review, with reference, where 
appropriate, to any underlying Commission rule or Governance Authority 
policy.
    (3) A copy of a request for review that is submitted to the 
Commission shall be served on the Governance Authority by the voice 
service provider requesting Commission review via [email protected] or in 
accordance with any alternative

[[Page 48521]]

delivery mechanism the Governance Authority may establish in its 
operating procedures.
    (d) Review by the Wireline Competition Bureau. (1) Except in 
extraordinary circumstances, final action on a request for review of a 
Governance Authority decision to revoke a voice service provider's or 
intermediate provider's SPC token should be expected no later than 180 
days from the date the request for review is filed in the Electronic 
Comment Filing System (ECFS) pursuant to Sec.  64.6308(b)(1). The 
Wireline Competition Bureau shall have the discretion to pause the 180-
day review period in situations where actions outside the Wireline 
Competition Bureau's control are responsible for delaying review of a 
request for review.
    (2) An affected party may seek review of a decision issued under 
delegated authority by the Wireline Competition Bureau pursuant to the 
rules set forth in Sec.  1.115.
    (e) Standard of review. The Wireline Competition Bureau shall 
conduct de novo review of Governance Authority decisions to revoke a 
voice service provider's or intermediate provider's SPC token.
    (f) Status during pendency of a request for review and a Governance 
Authority decision. (1) A voice service provider or intermediate 
provider shall not be considered to be in violation of the Commission's 
caller ID authentication rules under Sec.  64.6301 after revocation of 
its SPC token by the Governance Authority until the thirty (30) day 
period to file a formal appeal with the Governance Authority Board 
expires, or during the pendency of any formal appeal to the Governance 
Authority Board.
    (2) A voice service provider or intermediate provider shall not be 
considered to be in violation of the Commission's caller ID 
authentication rules under Sec.  64.6301 after the Governance Authority 
Board upholds the Governance Authority's SPC token revocation decision 
until the sixty (60) day period to file a request for review with the 
Commission expires.
    (3) When a voice service provider or intermediate provider has 
sought timely Commission review of a Governance Authority decision to 
revoke a voice service provider's or intermediate provider's SPC token 
under this section, the voice service provider shall not be considered 
to be in violation of the Commission's caller ID authentication rules 
under Sec.  64.6301 until and unless the Wireline Competition Bureau, 
pursuant to paragraph (d)(1) of this section, has upheld or otherwise 
decided not to overturn the Governance Authority's decision.
    (4) In accordance with Sec. Sec.  1.102(b) and 1.106(n), the 
effective date of any action pursuant to paragraph (d) shall not be 
stayed absent order by the Wireline Competition Bureau or the 
Commission.

[FR Doc. 2021-18765 Filed 8-30-21; 8:45 am]
BILLING CODE 6712-01-P