Advanced Methods To Target and Eliminate Unlawful Robocalls, Call Authentication Trust Anchor, 59084-59109 [2021-23164]

Agencies

• FEDERAL COMMUNICATIONS COMMISSION

[Federal Register Volume 86, Number 204 (Tuesday, October 26, 2021)]
[Proposed Rules]
[Pages 59084-59109]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-23164]


=======================================================================
-----------------------------------------------------------------------

FEDERAL COMMUNICATIONS COMMISSION

47 CFR Part 64

[CG Docket No. 17-59, WC Docket No. 17-97; FCC 21-105; FR ID 53781]


Advanced Methods To Target and Eliminate Unlawful Robocalls, Call 
Authentication Trust Anchor

AGENCY: Federal Communications Commission.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: In this document, the Commission adopted a Further Notice of 
Proposed Rulemaking that proposes and seeks comment on a number of 
actions aimed at stopping illegal robocalls from entering U.S. 
networks. The document proposes to require gateway providers to apply 
STIR/SHAKEN caller ID authentication to, and perform robocall 
mitigation on, foreign-originated calls with U.S. numbers. It also 
proposes and seeks comment on a number of additional requirements to 
ensure that gateway providers take steps to prevent foreign-originated 
calls from entering the U.S. network.

DATES: Comments are due on or before November 26, 2021, and reply 
comments are due on or before December 27, 2021. Written comments on 
the Paperwork Reduction Act proposed information collection 
requirements must be submitted by the public, Office of Management and 
Budget (OMB), and other interested parties on or before December 27, 
2021.

ADDRESSES: Pursuant to Sec. Sec.  1.415 and 1.419 of the Commission's 
rules, 47 CFR 1.415, 1.419, interested parties may file comments and 
reply comments on or before the dates indicated in this document. 
Comments and reply comments may be filed using the Commission's 
Electronic Comment Filing System (ECFS). See Electronic Filing of 
Documents in Rulemaking Proceedings, 63 FR 24121 (1998). Interested 
parties may file comments or reply comments, identified by CG Docket 
No. 17-59 and WC Docket No. 17-97 by any of the following methods:
     Electronic Filers: Comments may be filed electronically 
using the internet by accessing ECFS: https://www.fcc.gov/ecfs/.
     Paper Filers: Parties who choose to file by paper must 
file an original and one copy of each filing.
     Filings can be sent by commercial overnight courier, or by 
first-class or overnight U.S. Postal Service mail. All filings must be 
addressed to the Commission's Secretary, Office of the Secretary, 
Federal Communications Commission.
     Commercial overnight mail (other than U.S. Postal Service 
Express Mail and Priority Mail) must be sent to 9050 Junction Drive, 
Annapolis Junction, MD 20701.
     U.S. Postal Service first-class, Express, and Priority 
mail must be addressed to 45 L Street NE, Washington, DC 20554.
     Effective March 19, 2020, and until further notice, the 
Commission no longer accepts any hand or messenger delivered filings. 
This is a temporary measure taken to help protect the health and safety 
of individuals, and to mitigate the transmission of COVID-19. See FCC 
Announces Closure of FCC Headquarters Open Window and Change in Hand-
Delivery Policy, Public Notice, 35 FCC Rcd 2788 (March 19, 2020), 
https://www.fcc.gov/document/fcc-closes-headquarters-open-window-and-changes-hand-delivery-policy.
    In addition to filing comments with the Secretary, a copy of any 
comments on the Paperwork Reduction Act proposed information collection 
requirements contained herein should be submitted to the Federal 
Communications Commission via email to [email protected] and to Nicole 
Ongele, FCC, via email to [email protected].

FOR FURTHER INFORMATION CONTACT: For further information, please 
contact either Jonathan Lechter, Attorney Advisor, Competition Policy 
Division, Wireline Competition Bureau, at [email protected] or 
at (202) 418-0984, or Jerusha Burnett, Attorney Advisor, Consumer 
Policy Division, Consumer and Governmental Affairs Bureau, at 
[email protected]. For additional information concerning the 
Paperwork Reduction Act proposed information collection requirements 
contained in this document, send an email to [email protected] or contact 
Nicole Ongele at (202) 418-2991.

SUPPLEMENTARY INFORMATION: This is a summary of the Commission's Fifth 
Further Notice of Proposed Rulemaking and Fourth Further Notice of 
Proposed Rulemaking (FNPRM) in CG Docket No. 17-59 and WC Docket No. 
17-97, FCC 21-105, adopted on September 30, 2021, and released on 
October 1, 2021. The full text of this document is available for public 
inspection at the following internet address: https://docs.fcc.gov/public/attachments/FCC-21-105A1.pdf. To request materials in accessible 
formats for people with disabilities (e.g., Braille, large print, 
electronic files, audio format, etc.), send an email to [email protected] 
or call the Consumer & Governmental Affairs Bureau at (202) 418-0530 
(voice), or (202) 418-0432 (TTY).

[[Page 59085]]

Initial Paperwork Reduction Act of 1995 Analysis

    This document contains proposed information collection 
requirements. The Commission, as part of its continuing effort to 
reduce paperwork burdens, invites the general public to comment on the 
information collection requirements contained in this document, as 
required by the Paperwork Reduction Act of 1995, Public Law 104-13.
    Comments should address: (a) Whether the proposed collection of 
information is necessary for the proper performance of the functions of 
the Commission, including whether the information shall have practical 
utility; (b) the accuracy of the Commission's burden estimates; (c) 
ways to enhance the quality, utility, and clarity of the information 
collected; (d) ways to minimize the burden of the collection of 
information on the respondents, including the use of automated 
collection techniques or other forms of information technology; and (e) 
way to further reduce the information collection burden on small 
business concerns with fewer than 25 employees. In addition, pursuant 
to the Small Business Paperwork Relief Act of 2002, Public Law 107-198, 
see 44 U.S.C. 3506(c)(4), we seek specific comment on how we might 
further reduce the information collection burden for small business 
concerns with fewer than 25 employees.

Synopsis

I. Introduction

    1. In this Further Notice of Proposed Rulemaking (FNPRM), we 
propose to take decisive action to stem the tide of foreign-originated 
illegal robocalls. Eliminating illegal robocalls that originate abroad 
is one of the most vexing challenges we face in eliminating the scourge 
of robocalling because of the difficulties presented by foreign-based 
robocallers. The rules we propose today will help to address this 
problem by placing new obligations on the gateway providers that are 
the point of entry for foreign calls into the United States, requiring 
them to lend a hand in the fight against illegal robocalls originating 
abroad.
    2. Specifically, we propose to require gateway providers to apply 
STIR/SHAKEN caller ID authentication to, and perform robocall 
mitigation on, foreign-originated calls with U.S. numbers. This 
proposal would subject foreign-originated calls, once they enter the 
United States, to requirements similar to those of domestic-originated 
calls, by placing additional obligations on gateway providers in light 
of the large number of illegal robocalls that originate abroad and the 
risk such calls present to Americans. We further propose and seek 
comment on a number of additional robocall mitigation requirements to 
ensure that gateway providers take steps to prevent illegal calls from 
entering the U.S. network. Doing so will continue our aggressive and 
multi-pronged approach to combatting illegal robocalls.
    3. We also take this opportunity to make general improvements to 
our anti-robocalling rules by seeking comment on revisions to the 
information that filers must submit to the Robocall Mitigation Database 
and by clarifying the obligations of voice service providers and 
intermediate providers with respect to calls to and from Public Safety 
Answer Points (PSAPs) and other emergency services providers.

II. Background

    4. Unwanted calls, which include illegal robocalls, are 
consistently the Commission's top source of consumer complaints. The 
Commission received approximately 232,000 such complaints in 2018, 
193,000 in 2019, 154,000 in 2020, and 131,000 in 2021 as of September 
28th. Multiple factors can affect these numbers, including outreach 
efforts and media coverage on how to avoid unwanted calls. Complaint 
numbers declined significantly during the first four months of the 
COVID-19 pandemic, reducing the total number of complaints the 
Commission received in 2020. Consumer harm from unwanted and illegal 
calls ranges from simple irritation to fraud and financial loss. In 
fact, the Federal Trade Commission (FTC) reports that American 
consumers lost $436 million to fraud over the phone and $86 million to 
fraud by text message in 2020. This reported fraud is only a fraction 
of the approximately $13.5 billion in estimated annual costs from 
illegal robocalls. Caller ID spoofing--the practice whereby a caller 
misrepresents, or ``spoofs,'' the information in the caller ID field--
poses a particular problem because the identity of the calling party is 
falsified.
    5. The Commission and Congress have long acknowledged that illegal 
robocalls that originate abroad are a significant part of the robocall 
problem. In a 2011 report to Congress, the Commission stated that 
``caller ID spoofing directed at the United States by people and 
entities operating outside the country can cause great harm.'' Congress 
highlighted this problem in 2018, when it amended the Communications 
Act of 1934, as amended (the Act), to prohibit spoofing calls or texts 
originating outside the U.S. Similarly, in 2020, the North American 
Numbering Council (NANC), the Commission's advisory committee of 
outside experts on telephone numbering matters, stated that ``it is a 
long-standing problem that international gateway traffic is a 
significant source of fraudulent traffic.'' While these calls pose a 
significant problem, our jurisdiction does not generally apply directly 
to foreign entities.
    6. Types of Illegal Calls. Illegal calls can come in many forms. 
Perhaps the most well-known illegal calls are those that are simply 
fraudulent, where the caller poses as a business, or even a government 
entity, in order to obtain payment or personal information. Fraudulent 
calls may violate any of a number of state or federal statutes. These 
calls can take a number of forms, but some common scams include callers 
posing as the Internal Revenue Service (IRS) or Social Security 
Administration (SSA), scams following natural disasters, or auto 
warranty scams. The IRS continues to warn consumers about phone scams, 
or ``vishing'' as part of its annual ``Dirty Dozen'' scams, stating 
that while overall it has seen a decline in reports of scammers 
claiming to be the IRS, consumers should remain cautious. The SSA also 
warns consumers to be wary of phone scams, providing tips to consumers 
on how to recognize these calls. Taken together, the FTC received over 
700,000 reports of fraud by phone or text in 2020 alone.
    7. But calls need not be fraudulent to be illegal. Calls can 
violate the Telephone Consumer Protection Act (TCPA), which prohibits 
initiating ``any telephone call to any residential telephone line using 
an artificial or prerecorded voice to deliver a message without the 
prior express consent of the called party,'' with certain statutory 
exemptions. The TCPA exempts from this prohibition calls for emergency 
purposes. In addition, in all but one instance, artificial or 
prerecorded voice messages must state the identity of the business, 
individual, or other entity that is responsible for initiating the call 
clearly at the beginning of the message as well as the telephone number 
either during or at the end of the message. Finally, the TCPA 
authorizes the Commission to adopt regulatory exemptions to 47 U.S.C. 
227(b)(1)(B) for certain types of calls, including those not made for 
commercial purposes or that do not include an unsolicited 
advertisement. Similarly, the TCPA prohibits, without the prior express 
consent of the called party, any call using an automatic telephone 
dialing system or an artificial or prerecorded

[[Page 59086]]

voice to any telephone number ``assigned to a . . . cellular telephone 
service, . . . or any service for which the called party is charged for 
the call'' unless a statutory exemption applies. The TCPA grants the 
Commission authority to exempt certain calls from the requirements of 
47 U.S.C. 227(b)(1)(A)(iii).
    8. Calls are also illegal in some instances where the caller ID 
information has been spoofed. The Truth in Caller ID Act of 2009 made 
it illegal to transmit false or misleading caller ID information in 
order to defraud, cause harm, or wrongfully obtain something of value. 
And as we explained, in 2018, Congress extended this prohibition to 
reach spoofing activities directed at consumers in the United States 
from foreign actors, and applied the prohibition to alternative voice 
and text message services.
    9. In enforcement actions, the Commission has found that 
robocalling campaigns, regardless of the content of the robocalls, may 
violate the Truth in Caller ID Act and its implementing rules. 
Specifically, the Commission has found that when an entity spoofs a 
large number of calls in a robocall campaign, it causes harm to: (1) 
The subscribers of the numbers that are spoofed; (2) the consumers who 
receive the spoofed calls; and (3) the terminating carriers forced to 
deliver the calls to consumers and handle ``consumers' ire,'' thereby 
increasing their costs. The Commission has held that the element of 
``harm'' is broad and ``encompasses financial, physical, and emotional 
harm'' and that ``intent'' can be found when the harms can be shown to 
be ``substantially certain'' to result from the spoofing. When an 
entity knowingly uses a number that does not belong to it ``to make a 
large number of calls . . . the intent to harm may be imputed'' to the 
spoofing entity. Moreover, the Commission has found that repeated 
spoofing of unassigned numbers is ``a strong indication'' that the 
caller has the intent to defraud or cause harm.
    10. STIR/SHAKEN Caller ID Authentication. While the Truth in Caller 
ID Act made spoofing illegal in certain instances, it did not by itself 
solve a fundamental technical problem: How to identify spoofing in the 
first instance and track down the call originator after discovering 
spoofing had occurred. To address this challenge, technologists from 
the internet Engineering Task Force (IETF) and the Alliance for 
Telecommunications Industry Solutions (ATIS) developed standards to 
allow for the authentication and verification of caller ID information 
carried over internet Protocol (IP) networks. The result of their 
efforts is the STIR/SHAKEN caller ID authentication framework, which 
allows for authenticated caller ID information to securely travel with 
the call itself throughout the entire length of the call path. More 
specifically, a working group of the IETF called the Secure Telephony 
Identity Revisited (STIR) developed several protocols for 
authenticating caller ID information. And ATIS, in conjunction with the 
SIP Forum, produced the Signature-based Handling of Asserted 
information using toKENs (SHAKEN) specification, which standardizes how 
the protocols produced by STIR are implemented across the industry. The 
Commission, consistent with Congress's direction in the Pallone-Thune 
Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) 
Act, adopted rules requiring voice service providers to implement STIR/
SHAKEN in the IP portions of their voice networks by June 30, 2021, 
subject to certain exceptions. In this Further Notice of Proposed 
Rulemaking, we use the terms ``voice service provider'' and 
``intermediate provider'' consistent with the definitions in Part 64, 
Subpart HH of the Commission's rules, unless otherwise specified. Thus, 
``voice service provider'' as used in this FNPRM refers, unless 
otherwise specified, to a provider of ``service that is interconnected 
with the public switched telephone network and that furnishes voice 
communications to an end user using resources from the North American 
Numbering Plan'' and ``intermediate provider'' refers to ``any entity 
that carries or processes traffic that traverses or will traverse the 
PSTN at any point insofar as that entity neither originates nor 
terminates that traffic.'' The term ``voice service provider'' has a 
different meaning in the Commission's Call Blocking Orders, and there 
includes intermediate providers. Our use of the term ``voice service 
provider'' in this FNPRM does not expand on or narrow that phrase as 
used in those Orders and associated rules.
    11. At a high level, the STIR/SHAKEN framework consists of two 
components: (1) The technical process of authenticating and verifying 
caller ID information; and (2) the certificate governance process that 
maintains trust in the caller ID authentication information transmitted 
along with a call. Regarding the technical process, STIR/SHAKEN 
requires that the provider authenticating the call attach additional, 
encrypted information to the metadata that travels along with a call, 
which allows the terminating voice service provider to verify that the 
caller ID is legitimate. The authenticating provider must include in 
this information its own identity as the provider that authenticated 
the call and an ``attestation level'' to signify what it knows about 
the calling party and its right to use the number in the caller ID. The 
current STIR/SHAKEN standards allow for three attestation levels. The 
highest level of attestation--called ``full'' or ``A-level''--asserts 
that the authenticating provider can confirm the identity of the 
subscriber making the call and that it is using its associated 
telephone number. The next-highest level of attestation--called 
``partial'' or ``B-level''--asserts that the authenticating provider 
can confirm the identity of the subscriber but not the telephone 
number. The lowest level of attestation--called ``gateway'' or ``C-
level''--asserts only that the provider is the point of entry to the IP 
network for a call that originated elsewhere and has no relationship to 
the call initiator. The authenticating provider must also include a 
digital ``certificate'' which says, in essence, that the provider is 
the entity it claims to be and that it has the right to authenticate 
the caller ID information.
    12. To maintain trust and accountability in the providers that 
vouch for the caller ID information, a neutral governance system issues 
these certificates. The STIR/SHAKEN governance system requires several 
roles in order to operate: (1) A Governance Authority, which defines 
the policies and procedures for which entities can issue or acquire 
certificates (This role is currently filled by the Secure Telephone 
Identity Governance Authority); (2) a Policy Administrator, which 
applies the rules set by the Governance Authority, confirms that 
Certification Authorities are authorized to issue certificates, and 
confirms that voice service providers are authorized to request and 
receive certificates (After a request for proposals process, the 
Governance Authority selected iconectiv to fill this role); (3) 
Certification Authorities, which issue the certificates used to 
authenticate and verify calls (As the Policy Administrator, iconectiv 
vets and approves organizations interested in serving as a 
Certification Authority. The Policy Administrator website reflects that 
there are currently eight approved Certification Authorities.); and (4) 
the authenticating providers themselves, which select an approved 
Certification Authority from which to request a certificate. Under the 
current Governance Authority rules, a provider

[[Page 59087]]

must meet certain requirements to receive a certificate.
    13. The Commission requires voice service providers subject to an 
extension from the requirement to implement STIR/SHAKEN--including 
smaller voice service providers and voice service providers with non-IP 
technology--to adopt and implement robocall mitigation practices in 
lieu of caller ID authentication. The Commission specifically directed 
voice service providers that must implement robocall mitigation to 
``take reasonable steps to avoid originating illegal robocall 
traffic.'' The Commission adopted this standards-based approach to 
``allow . . . voice service providers to innovate and draw from the 
growing diversity and sophistication of anti-robocall tools and 
approaches available,'' and because it found that ``there is no one-
size-fits-all robocall mitigation solution that accounts for the 
variety and scope of voice service provider networks.'' The prohibition 
went into effect on September 28, 2021. The Commission established just 
one prescriptive requirement: A commitment to respond ``in a timely 
manner to all traceback requests from the Commission, law enforcement, 
and the industry traceback consortium, and to cooperate with such 
entities in investigating and stopping any illegal robocalls that use 
its service to originate calls.'' The Commission explained that if it 
determined that its standards-based approach was not sufficient, it 
would ``not hesitate to revisit the obligations we impose through 
rulemaking at the Commission level.''
    14. The Commission also required voice service providers to, by 
June 30, 2021, submit a certification to the Robocall Mitigation 
Database, stating whether they had implemented STIR/SHAKEN on all or 
part of their networks and, if they had not fully implemented STIR/
SHAKEN, describe their robocall mitigation program and ``the specific 
reasonable steps the voice service provider has taken to avoid 
originating illegal robocall traffic.'' The Commission stated that a 
robocall mitigation program is sufficient if it ``includes detailed 
practices that can reasonably be expected to significantly reduce the 
origination of illegal robocalls,'' and stated that ``the voice service 
provider must comply with the practices it describes.'' As of September 
28, 2021, 4,948 voice service providers have filed in the Robocall 
Mitigation Database: 1,302 attest to full STIR/SHAKEN implementation, 
1,202 state that they have implemented a mix of STIR/SHAKEN and 
robocall mitigation, and 2,437 state that they rely solely on robocall 
mitigation.
    15. The Commission prohibited intermediate providers and 
terminating voice service providers from accepting calls directly from 
a voice service provider not listed in the Robocall Mitigation 
Database, finding that such a prohibition would ``encourage all voice 
service providers to implement meaningful and effective robocall 
mitigation programs . . . during the period of extension from the STIR/
SHAKEN mandate.'' The Commission extended this prohibition to traffic 
originated by foreign voice service providers that use ``North American 
Numbering Plan resources that pertain to the United States to send 
voice traffic to residential or business subscribers in the United 
States.'' We note that CTIA and the Voice on the Net Coalition (VON) 
filed petitions for reconsideration of the prohibition as it relates to 
foreign-originated traffic. This prohibition became effective on 
September 28, 2021. While the Commission made clear that it did ``not 
require foreign voice service providers to file a certification,'' it 
found that the rule ``create[d] a strong incentive for . . . foreign 
voice service providers'' to do so to avoid having their traffic 
blocked. The Commission concluded that the rule's ``indirect effect'' 
on foreign providers is consistent with the Commission's and courts' 
past conclusions regarding the scope of Commission jurisdiction. As of 
September 28, 2021, 609 foreign voice service providers have filed in 
the Robocall Mitigation Database, out of a total 4,948 voice service 
provider filings.
    16. In addition to placing these obligations on voice service 
providers, the Commission required intermediate providers to implement 
STIR/SHAKEN in their IP networks. In the Second Caller ID 
Authentication Report and Order, the Commission placed two requirements 
on intermediate providers. First, regarding calls an intermediate 
provider receives with authenticated caller ID information, the 
Commission required intermediate providers to pass the authenticated 
caller ID information unaltered to the next provider in the call path. 
The Commission created two exceptions from this rule under which an 
intermediate provider may remove the authenticated caller ID 
information: (1) Where necessary for technical reasons to complete the 
call; and (2) where the intermediate provider reasonably believes the 
caller ID authentication information presents an imminent threat to its 
network security. Second, regarding calls an intermediate provider 
receives without authenticated caller ID information, the Commission 
gave intermediate providers two options. An intermediate provider could 
either authenticate caller ID information for these calls, or, in the 
alternative, an intermediate provider must cooperatively participate 
with the industry traceback consortium and respond fully and in a 
timely manner to all traceback requests. The Commission concluded that 
it had authority to place these obligations on intermediate providers 
under section 251(e) of the Act and the Truth in Caller ID Act.
    17. In adopting these rules, the Commission defined ``voice 
service,'' consistent with section 4 of the TRACED Act, in part as 
``any service that is interconnected with the public switched telephone 
network and that furnishes voice communications to an end-user using 
resources from the North American Numbering Plan or any successor.'' It 
defined an ``intermediate provider'' as ``any entity that [carries] or 
processes traffic that traverses or will traverse the PSTN at any point 
insofar as that entity neither originates nor terminates that 
traffic.'' The Commission also established that its rules governing 
voice service providers and intermediate providers apply on a ``call-
by-call'' basis; under this approach, ``[a] single entity . . . may act 
as a voice service provider for some calls on its network and an 
intermediate provider for others.''
    18. Call Blocking. In parallel with its caller ID authentication 
work, the Commission has encouraged voice service providers, including 
intermediate providers, to block unwanted and illegal calls in certain 
situations, while also imposing requirements to reduce the risk that 
legitimate calls are blocked. Similarly, the Commission has adopted 
affirmative obligations for voice service providers, which include 
intermediate providers for purposes of our call blocking rules, to help 
eliminate illegal calls from the network.
    19. To date, the Commission has taken a mostly permissive approach 
to call blocking, encouraging terminating voice service providers and, 
occasionally, all voice service providers (including intermediate 
providers) to block in certain instances and protecting them from 
liability under the Commission's rules if they block in error. The 
Commission, in the 2017 First Call Blocking Order, took a clear, 
bright-line approach by authorizing voice service providers, including 
intermediate providers, to block calls that purport to be from invalid, 
unallocated, or unused numbers without first obtaining customer

[[Page 59088]]

consent. The Commission reasoned that there is no legitimate reason for 
a caller to spoof these numbers, and therefore these calls are highly 
likely to be illegal. As a result, no reasonable consumer would want to 
receive such calls. The First Call Blocking Order also permitted 
blocking of calls using a do-not-originate list, which includes numbers 
that should never be used to originate calls. The Commission determined 
that these rules apply to foreign-originated calls that purport to 
originate from U.S. North American Numbering Plan (NANP) numbers on the 
grounds that many illegal calls originate from call centers abroad.
    20. Subsequent Commission action ensured that terminating voice 
service providers can respond to the evolving tactics of bad actors. 
First, in the Call Blocking Declaratory Ruling and Further Notice of 
Proposed Rulemaking, adopted in 2019, the Commission made clear that 
terminating voice service providers may block calls based on reasonable 
analytics so long as consumers are given the opportunity to opt out of 
such blocking. The Commission, in the 2020 Third Call Blocking Order 
and Further Notice of Proposed Rulemaking, then adopted a safe harbor 
from violations of the Act and the Commission's rules for terminating 
voice service providers that block based on reasonable analytics 
designed to identify unwanted calls, so long as the analytics take into 
account caller ID authentication information and consumers are given 
the opportunity to opt out. The Second Report and Order in CG Docket 
No. 17-59 concerns the Reassigned Numbers Database and is not directly 
relevant to our discussion here. The Commission also established a safe 
harbor for voice service providers (including intermediate providers) 
to block calls from a bad-actor upstream provider that fails to 
effectively mitigate illegal traffic after being notified of such 
traffic by the Commission. Finally, the Commission, in that Order, took 
steps to reduce the risk of erroneous blocking. In the 2020 One Ring 
Scam Order, the Commission permitted voice service providers (including 
intermediate providers) to use reasonable analytics on a network-wide 
basis to block calls from numbers that are highly likely to be 
associated with one-ring scams and extended the existing safe harbor to 
include such blocking. Providers may block such calls if they ``appear 
to be one-ring scam calls, even if such identification proves to be 
erroneous in a particular instance.''
    21. Most recently, in the December 2020 Fourth Call Blocking Order, 
the Commission expanded the safe harbor for blocking based on 
reasonable analytics to include certain network-level blocking, without 
consumer opt out, designed to identify calls that are highly likely to 
be illegal. The safe harbor is available to terminating voice service 
providers that disclose to consumers that they are engaging in such 
blocking. The Commission also adopted enhanced transparency and redress 
requirements for voice service providers that block calls. Beyond 
blocking, the Commission, in the Fourth Call Blocking Order, 
established three affirmative obligations that apply to voice service 
providers (including intermediate providers). First, voice service 
providers must respond to all traceback requests from the Commission, 
law enforcement, or the industry traceback consortium, fully and 
timely. Second, voice service providers must take steps to effectively 
mitigate illegal traffic when notified of such traffic by the 
Commission. The Commission noted that ``blocking may be necessary for 
gateway providers to comply with these requirements.'' Finally, voice 
service providers must adopt affirmative, effective measures to prevent 
new and renewing customers from using the network to originate illegal 
calls.

III. Discussion

    22. Now that voice service providers have implemented STIR/SHAKEN 
or a robocall mitigation program, a key component of our anti-robocall 
efforts is in effect. However, bad actors abroad continue to remain 
largely outside of our caller ID authentication scheme. At present, our 
rules only require the gateway providers that bring foreign calls into 
the United States to pass along preexisting authenticated caller ID 
information unaltered, participate in traceback, and take steps to 
effectively mitigate illegal traffic when notified of such traffic by 
the Commission. While these obligations are valuable, they are not 
enough for the task at hand: Stopping illegal robocalls that originate 
abroad and the fraudulent actors producing those calls from preying on 
Americans.
    23. To that end, we propose to place additional requirements on 
gateway providers to ensure that they are doing their part to combat 
the scourge of illegal robocalls. Specifically, we propose to require 
gateway providers to authenticate all SIP calls and employ robocall 
mitigation techniques on calls that they allow into the United States 
from abroad that display a U.S. number in the caller ID field, which 
implies to the call recipient that the call originated in the United 
States. In this FNPRM, where we refer to caller ID information or the 
number in the caller ID field, we rely on the definition of ``caller 
identification information'' in our rules.

A. Need for Action

    24. Current Rules Addressing Foreign-Originated Robocalls Are 
Insufficient. We tentatively conclude that our current rules addressing 
foreign-originated robocalls are not sufficient to resolve the problem 
of foreign-originated illegal robocalls:
     Under our caller ID authentication rules, gateway 
providers--as intermediate providers--are required to pass along 
authenticated caller ID information unaltered. Although intermediate 
providers are also required to apply STIR/SHAKEN to unauthenticated 
calls they receive, they are excused from that requirement if they 
elect to cooperatively participate with the industry traceback 
consortium and respond fully and in a timely manner to all traceback 
requests they receive from the Commission, law enforcement, and the 
industry traceback consortium regarding calls for which they act as an 
intermediate provider. Since May 6, 2021, however, under our call 
blocking rules, intermediate providers (again, including gateway 
providers) are also subject to a separate requirement to respond fully 
and in a timely manner to all traceback requests from those same 
entities. This rule was adopted in the Fourth Call Blocking Order and 
took effect on May 6, 2021. By complying with that new rule, 
intermediate providers also meet the traceback requirement in our 
caller ID authentication rules (Sec.  64.6302(b)) and, under that rule, 
are excused from complying with the requirement to apply STIR/SHAKEN to 
unauthenticated calls. In addition, intermediate providers are not 
subject to any requirement under the caller ID authentication rules to 
perform robocall mitigation. This means that even though gateway 
providers are where a call first enters the U.S. network, they are not 
subject to the same obligations that apply to domestic originating 
voice service providers.
     Foreign entities are prohibited from spoofing caller ID 
with the intent to defraud, cause harm, or wrongfully obtain anything 
of value when placing calls to recipients in the United States. While 
this prohibition is valuable, the very nature of spoofing makes it 
difficult to identify spoofing in the first instance, and track down 
the call originator after discovering spoofing has occurred.
     Foreign originating voice service providers that use NANP 
resources that

[[Page 59089]]

pertain to the United States to send traffic to the United States may 
have their traffic blocked if they are not in our Robocall Mitigation 
Database, which requires certification of STIR/SHAKEN implementation or 
the use of a robocall mitigation program. But this requirement is 
limited by the fact that the prohibition applies only to traffic 
received ``directly'' from a foreign voice service provider not listed 
in the Robocall Mitigation Database; a foreign voice service provider 
is not currently required to file if it always routes traffic destined 
for U.S. consumers over intermediate provider networks before they 
reach the U.S. gateway, and a bad actor could easily exploit this 
loophole.
     Our call blocking rules require voice service providers 
(including intermediate providers) to respond to traceback requests and 
take steps to effectively mitigate illegal traffic and require 
originating providers to take steps to prevent new and renewing 
customers from using the network to originate illegal calls. However, 
because a foreign voice service provider upstream from the gateway 
provider is outside of the scope of our rules, these requirements may 
not always allow the call originator to be identified or the traffic to 
be stopped before it reaches United States consumers.
    25. We tentatively conclude that it would benefit Americans to 
subject foreign-originated robocalls, once they reach a gateway 
provider in the United States, to the same types of measures applied to 
calls originated in the United States: Caller ID authentication and 
robocall mitigation. We further tentatively conclude the unique 
challenges associated with foreign-originated robocalls demand that 
gateway providers be subject to additional caller ID authentication and 
robocall mitigation requirements, to ensure Americans are protected 
from calls originating abroad. Unlike other providers, gateway 
providers have visibility into the foreign network where the call 
originates and have the ability to identify instances when a call that 
purports to originate from a U.S. number in fact originated 
internationally, which can reduce the accuracy and effectiveness of 
blocking analytics. And unlike terminating voice service providers, 
gateway providers can stop illegal calls to customers of many 
terminating voice service providers. We seek comment on these tentative 
conclusions. Are our current rules addressing foreign-originated 
robocalls sufficient? Rather than adopt new rules, should we leverage 
our existing rules in new ways to stop such calls? Or should we adopt 
new rules that rely on methods other than caller ID authentication and 
robocall mitigation? If so, what type of rules should we adopt?
    26. A Large Portion of Illegal Robocalls Originate Abroad. 
Available evidence indicates that a large portion of unlawful robocalls 
terminating within the United States originate outside the United 
States. USTelecom states that fraudulent calls are ``almost always are 
coming from overseas,'' while ZipDX states that traceback data ``have 
implicated foreign entities as a primary source of the worst kinds of 
robocalls.'' While some fraudulent traffic carries caller ID 
information matching the origination country (e.g., a call from France 
carries French caller ID), ``the portion of this traffic to the overall 
fraudulent call volume is relatively small,'' and it appears that most 
foreign-originated fraudulent traffic carries a U.S. number in the 
caller ID field. We seek comment on this evidence, the relative 
proportion of domestic- and foreign-originated illegal robocalls, the 
prevalence of caller ID spoofing in foreign-originated robocalls, and 
trends in foreign-originated robocalling targeted at the United States 
over time. We also seek comment on the causes of any identified shift 
from domestic- to foreign-originated illegal robocall campaigns. Have 
the recent steps the Commission has taken in its call blocking and 
caller ID authentication orders and the June 30, 2021 STIR/SHAKEN 
implementation deadline pushed an increasing proportion of illegal 
robocall origination abroad? Are there other explanations for a shift 
to foreign-originated robocalls?
    27. Role of Gateway Providers. While foreign-originated illegal 
robocalls are a major problem, these calls can only reach U.S. 
consumers and businesses after they pass through a gateway provider. 
The NANC has recognized that, to access the U.S. market, foreign 
originators must send traffic to a gateway provider that is unwilling 
or unable to block that traffic.
    28. The Commission's Enforcement Bureau has repeatedly identified 
gateway providers as playing a key role in bringing illegal robocalls 
to the United States. In letters sent to multiple gateway providers in 
February 2020 to ``assist the . . . Commission in stopping the flow of 
malicious robocalls originating from sources outside the United 
States,'' the Enforcement Bureau noted that a gateway provider, ``[a]s 
the point of entry for this traffic into the U.S. telephone network, is 
uniquely situated to . . . combat apparently illegal robocalls.'' In 
spring 2020, in conjunction with a Division of the Federal Trade 
Commission, the Enforcement Bureau warned international ``gateway 
providers facilitating COVD-19 related scam robocalls originating 
abroad that they must cut off these calls or face serious 
consequences.'' In April 2020, the FTC and FCC wrote to three gateway 
providers and demanded that they stop facilitating scam COVID-19-
related robocalls from India and Pakistan. In May 2020, the FTC and FCC 
sent an additional three letters to three separate gateway providers 
regarding similar campaigns originating in the UK, Germany, and other 
destinations abroad. Most recently, in spring 2021, the Enforcement 
Bureau sent cease-and-desist letters to ten providers, including some 
gateway providers, making clear that, should they not cease 
transmitting illegal robocall campaigns immediately, ``other network 
operators [would] be authorized to block traffic from these 
companies.''
    29. The Department of Justice (DOJ) has also brought enforcement 
actions against gateway providers that allow illegal robocall traffic 
into the country. In two recent DOJ cases, DOJ states that ``the 
defendants engaged in wire fraud schemes by knowingly serving as 
`gateway carriers' for fraudulent calls; that is, the defendants 
received fraudulent robocalls from foreign customers and relayed those 
calls into the United States telecommunications system.'' The schemes, 
according to the DOJ, would not have worked unless the defendants, were 
``willing to accept the fraudsters' robocall traffic into the U.S. 
telephone system. . . . The [defendants] provide the crucial interface 
between foreign internet-based phone traffic and the U.S. telephone 
system.'' We seek comment on whether these cases are representative of 
the role that some gateway providers play in allowing illegal robocalls 
to reach U.S. subscribers.
    30. We seek comment on the relationship between gateway providers 
and illegal robocalls entering the U.S. market. Is the problem driven 
by a few unscrupulous gateway providers that have entered into business 
arrangements to transit illegal foreign-originated robocall traffic? In 
a recent case, the DOJ noted that the defendant gateway providers 
``specifically market their services to foreign call centers and 
foreign VoIP providers looking to transmit high volumes of robocalls 
into the United States.'' Or is the problem more widespread, for 
instance because gateway providers do not or cannot easily identify bad 
actors sending illegal robocalls to the United States through the 
gateway provider's network? If the

[[Page 59090]]

problem is widespread, why do gateway providers today decline to 
identify and act to restrict bad actors and unlawful robocalls? Do 
foreign originators send illegal robocall traffic to the gateway 
indirectly, through one or more foreign intermediate providers, in 
order to conceal the nature of the call before it reaches the U.S. 
gateway? Are there other mechanisms by which foreign originators of 
illegal robocalls send their traffic to the United States such that it 
would be brought onto the U.S. network by an unsuspecting gateway 
provider?
    31. We also seek comment on how foreign robocallers and the voice 
service providers that serve them use U.S. numbers in the caller ID 
field for their illegal robocall campaigns. Do these entities primarily 
spoof U.S. numbers? Or do these bad actors also use U.S. numbers that 
the voice service provider or their customer has obtained the right to 
use, either directly from the Numbering Administrator or indirectly 
through another provider? We note that the Commission recently proposed 
rules to help prevent VoIP providers from obtaining numbers directly 
from the Numbering Administrator for use in illegal robocall campaigns, 
and there are existing reporting rules regarding number usage. Are 
there other safeguards we should consider to prevent foreign providers 
from using U.S. NANP numbers in illegal robocall campaigns?

B. Scope of Requirements and Definitions

    32. In light of their unique role in bringing foreign-originated 
illegal robocalls onto U.S. networks, we propose to impose new 
obligations on gateway providers for foreign-originated calls that use 
U.S. numbers in the caller ID field. We believe that this approach will 
narrowly target those providers best able to stop those calls that have 
the greatest likelihood to be part of illegal robocall campaigns that 
harm Americans--foreign-originated calls carrying U.S. numbers in the 
caller ID field.
    33. While the Commission has imposed requirements on intermediate 
providers, including gateway providers, it has never defined ``gateway 
provider'' as a distinct category of entities. We now propose to define 
a ``gateway provider'' as the first U.S.-based intermediate provider in 
the call path of a foreign-originated call that transmits the call 
directly to another intermediate provider or a terminating voice 
service provider in the United States. We do not include in this 
proposed definition a gateway provider that terminates calls in the 
U.S. To the extent a gateway provider terminates a call in the U.S., it 
is acting as a terminating voice service provider and is already 
subject to our existing caller ID authentication and/or robocall 
mitigation rules. In this proposed definition, by ``U.S.-based,'' we 
mean that the provider has facilities in the U.S. including a U.S. 
located point of presence. We seek comment on this proposed definition. 
Should we define ``gateway provider'' differently? Should we define 
``U.S.-based'' differently? Should our definition include the first 
U.S.-based provider in the call path for a foreign-originated call that 
also terminates that call? Should we extend some or all of the 
requirements we propose today to such terminating voice service 
providers, or are existing requirements sufficient? Should we exclude 
from the definition those providers that serve as a gateway for only a 
de minimis amount of foreign originated traffic? Are such providers 
unlikely to be the source of illegal robocalls? If so, how should we 
define de minimis for this purpose? Is there another way to effectively 
limit our definition to apply only to those gateway providers that are 
especially likely to be the source of illegal calls on the U.S. 
network? Does our definition need to be modified to take into account 
the scenario where a call originates in the U.S., is routed 
internationally (over the same provider or a different provider's 
facilities), and then is routed back to a U.S. end-user through a 
gateway provider? What about a scenario where a call enters the U.S. 
through a gateway provider, is routed outside of the U.S. and then back 
into the U.S. through the same or different gateway provider?
    34. We seek comment on whether U.S.-based providers that fall under 
our proposed definition of gateway provider also, in some instances, 
originate calls from abroad carrying U.S. NANP numbers that are brought 
into the U.S. by that same provider. In other words, are there 
instances where the provider that brings the call into the U.S. is also 
acting as an originating provider? For such calls, the U.S.-based 
provider would not fall under our proposed gateway provider definition 
where it is not acting as an intermediate provider. For example, a 
U.S.-based provider acts as a gateway provider for calls foreign 
providers send to it. The same U.S-based provider may also serve an 
end-user customer in another country that is originating traffic in 
that country and sending traffic over that U.S.-based provider's 
network into the U.S. marketplace. In such an instance, the U.S.-based 
provider is not acting as an intermediate provider and thus would not 
fall within our proposed definition of gateway provider. However, if a 
U.S.-based provider has contracted with a foreign provider or customer 
to allow calls into the U.S. marketplace and the call is brought to the 
U.S.-based providers' U.S. network by a foreign provider, the U.S.-
based provider would be an ``intermediate provider'' and therefore fall 
within our proposed definition. Are certain arrangements that are not 
covered by our proposed definition likely to be part of an illegal 
robocall campaign? If so, should we broaden or otherwise modify our 
proposed definition to ensure that such calls fall within the scope of 
the protections we propose in this FNPRM? Alternatively, should we 
explicitly include these situations for the purposes of specific rules, 
such as our proposed mandatory blocking rules?
    35. As we have elsewhere in our caller ID authentication rules, we 
propose to classify providers as gateway providers on a call-by-call 
basis rather than on a class basis. Thus, a provider would be a 
``gateway provider''--and subject to rules applied to that class of 
provider--only for those calls for which it acts as a gateway provider; 
it would be an ``intermediate provider'' or ``voice service 
provider''--and subject to rules applied to those classes of provider--
for all other calls, e.g., for domestic-originated calls that it 
carries. We believe it is appropriate to apply that approach here not 
only for regulatory symmetry, but also because it would capture all 
instances in which an entity acts as a gateway provider. At the same 
time, this approach would not subject all traffic handled by an entity 
to enhanced obligations simply because a portion of that traffic 
originates abroad. We seek comment on this proposal. Should we instead 
diverge from our ``call-by-call'' approach for gateway providers? Do 
providers have the ability to treat foreign-originated calls 
differently on a call-by-call basis? If we were to establish that a 
provider is a gateway provider for all of its traffic, if any traffic 
it transits originates abroad, would such an approach place 
unreasonable obligations on a provider's domestic traffic simply 
because some traffic is foreign-originated?
    36. We further propose to limit the scope of our proposed 
requirements for gateway providers to those calls that are carrying a 
U.S. number in the caller ID field. By a ``U.S. number,'' we are 
referring to NANP resources that pertain to the United States. Under 
this approach, we would exclude from the scope of our rule those calls 
that carry a U.S. number in the ANI field but

[[Page 59091]]

display a foreign number in the caller ID field. We believe that this 
approach is consistent with our goal to prevent illegal spoofing, which 
is dependent upon manipulating the caller ID field that is visible to 
the call recipient. We further propose to apply this requirement on a 
``call-by-call'' basis. Under this approach, a gateway provider would 
be subject to these requirements for those calls it transits that carry 
a U.S. number in the caller ID field, but that same gateway provider 
would not be subject to these requirements for calls displaying numbers 
associated with another country. We seek comment on these proposals. We 
also seek comment on the feasibility and desirability of widening the 
scope of our proposed rules to cover calls carrying non-U.S. numbers in 
the caller ID field or a subset of non-U.S. numbers. If we include a 
subset of non-U.S. numbers, what numbers should we include?
    37. Limiting our proposed rules to calls that use U.S. numbers in 
the caller ID field is similar to the approach in our current rule that 
requires intermediate providers and voice service providers to not 
accept calls directly from a foreign voice service provider that is 
carrying U.S. numbers if the foreign voice service provider is not 
listed in the Robocall Mitigation Database. In that context, we limited 
application of our rule to foreign voice service providers that ``use[ 
] North American Numbering Plan resources that pertain to the United 
States.'' We seek comment on whether it is appropriate, in this 
context, to take a narrower or more expansive approach than we did in 
the context of foreign voice service providers whose traffic must be 
blocked if they are not listed in the Robocall Mitigation Database.

C. Authentication

    38. To combat foreign-originated robocalls, we propose to require 
gateway providers to authenticate caller ID information consistent with 
STIR/SHAKEN for SIP calls that are carrying a U.S. number in the caller 
ID field.
    39. As the Commission has previously explained, application of 
caller ID authentication by intermediate--including gateway--providers 
``will provide significant benefits in facilitating analytics, 
blocking, and traceback by offering all parties in the call ecosystem 
more information.'' At the time the Commission reached this conclusion, 
in light of record concerns that an authentication requirement on all 
intermediate providers ``was unduly burdensome in some cases,'' the 
Commission established that intermediate providers could ``register and 
participate with the industry traceback consortium as an alternative 
means of complying with our rules,'' in lieu of authenticating 
unauthenticated calls.
    40. Since the Commission established those requirements in the 
Second Caller ID Authentication Report and Order, in the Fourth Call 
Blocking Order, the Commission subsequently required all voice service 
providers--which include gateway providers and other intermediate 
providers under our call blocking rules--to cooperate with traceback 
requests. This rule has effectively mooted the choice given to 
intermediate providers in the earlier Second Caller ID Authentication 
Report and Order to authenticate calls or cooperate with traceback 
requests. We propose concluding that, given the key role gateway 
providers play in allowing foreign calls into the United States, 
gateway providers should be required to authenticate unauthenticated 
foreign-originated SIP calls that they receive and cooperate with 
traceback requests with respect to those same calls. Requiring gateway 
providers to authenticate caller ID information for all unauthenticated 
foreign-originated SIP calls will offer information to the downstream 
providers regarding where a foreign-originated robocall entered the 
call path, facilitating analytics and promoting traceback efforts. We 
seek comment on this proposal.
    41. Illegal robocalls cost Americans over $13.5 billion annually. 
Given the prevalence of robocalls from abroad, we anticipate that the 
deterrence that arises from authenticating unauthenticated foreign-
originated calls is likely to be highly beneficial and that those 
benefits outweigh any concerns about C-level attestations not carrying 
sufficient information to assist in the policing of illegal robocalling 
campaigns. Even with a ``C-level'' (gateway) attestation, we anticipate 
that authenticating unauthenticated calls will facilitate faster 
traceback and improve call analytics. We seek comment on this analysis 
and on the possible benefits of the requirement we propose.
    42. We also seek comment on the proposal's costs for gateway 
providers. While the Commission previously acknowledged claims that it 
was ``unduly burdensome in some cases'' to require all intermediate 
providers to authenticate unauthenticated calls, we anticipate that our 
proposal will not be unusually costly for gateway providers compared to 
voice service providers already required to implement caller ID 
authentication. Further, as more and more providers implement STIR/
SHAKEN, we anticipate that technology and solutions will be more widely 
available and less costly to implement. We seek comment on this 
analysis. Is there any reason to believe that authentication is more 
costly for gateway providers compared to other providers or that the 
benefit of lower-level attestations would be limited?
    43. Requirements. We propose that, to comply with the requirement 
to authenticate calls, a gateway provider must authenticate caller ID 
information for all SIP calls it receives for which the caller ID 
information has not been authenticated and which it will exchange with 
another provider as a SIP call. This proposal follows the caller ID 
authentication rule governing intermediate provider authentication of 
unauthenticated calls they receive, where intermediate providers elect 
authentication instead of cooperation with tracebacks. As noted, the 
call blocking rules have mooted this choice. We seek comment on whether 
and how to alter this proposal. Are there any scenarios in which 
transmitting a call with authenticated caller ID information is not 
possible, and if so, how should we address any such circumstances? 
Should we adopt a technical feasibility exception, as we have 
established for voice service providers with respect to the obligation 
to transmit an authenticated call with authenticated caller 
identification information to the next voice service provider or 
intermediate provider in the call path? Would establishing exceptions 
present the possibility for abuse?
    44. We propose that, as with our requirement on voice service 
provider authentication, a gateway provider satisfies this requirement 
if it adheres to the three ATIS standards that are the foundation of 
STIR/SHAKEN--ATIS-1000074, ATIS-1000080, and ATIS-1000084--and all 
documents referenced therein. We also propose that compliance with the 
most current versions of these standards as of the date of release of 
any Report and Order following this FNPRM, including any errata as of 
that date or earlier, represents the minimum requirement to satisfy our 
rules. We seek comment on this approach. Are there any reasons these 
standards are not appropriate for gateway providers? Are there any 
technical challenges that may emerge (e.g., will the addition of the 
authenticated Identity Header in the SIP message cause UDP 
fragmentation)? And if so, how can they be mitigated? Alternatively, 
are there other standards we should require gateway providers to adhere 
to? Should we require compliance with standards current as of an 
earlier date? If so, which date?

[[Page 59092]]

    45. Because we propose permitting gateway providers to authenticate 
caller ID information in a manner consistent with industry standards, 
we do not propose limiting the attestation level they may assign to a 
given call. To the extent standards allow a gateway provider to assign 
``full'' (A-level) or ``partial'' (B-level) attestation to a call, 
under this proposal they are free to do so; they would not be limited 
to assigning ``gateway'' (C-level) attestation. Stakeholders previously 
supported this approach regarding intermediate providers, and we seek 
comment on whether this continues to be the best approach to 
attestations by gateway providers, a subset of intermediate providers. 
Is there a reason we should limit gateway providers to assigning a 
certain attestation level or levels, and if so what level? Under what 
circumstances would gateway providers be able to assign, and anticipate 
assigning, an A- or B-level attestation?
    46. Non-IP Network Technology. As we have explained, the STIR/
SHAKEN framework is an IP-based solution. How should we address gateway 
providers that use non-IP network technology? How prevalent is non-IP 
network technology among gateway providers? Are gateway providers using 
non-IP network technology less likely or more likely to be the point of 
entry for foreign-originated illegal robocalls onto the U.S. network? 
Our rules require voice service providers with non-IP network 
technology to either upgrade their network to IP and implement STIR/
SHAKEN, or work with a working group, standards group, or consortium to 
develop a non-IP caller ID authentication solution. Should we adopt a 
similar requirement here? We do not currently apply a similar 
requirement to intermediate providers, including gateway providers. In 
our preliminary view, however, adopting such a requirement for gateway 
providers may be warranted to prevent evasion of any restrictions we 
establish by bad actors. We seek comment on this view. The Commission 
previously stated that it would ``continue to evaluate whether an 
effective non-IP caller ID authentication framework emerges'' and, ``if 
and when [it] identif[ies] an effective framework, [it] expect[s] to . 
. . shift . . . from focusing on development to focusing on 
implementation.'' We seek comment on adopting this same approach with 
respect to gateway providers here. Should we instead mandate that 
gateway providers with non-IP network technology implement a non-IP 
caller ID authentication solution, such as Out-of-Band STIR? Should 
gateway providers relying on non-IP technology continue to be fully 
exempt from any obligation to implement caller ID authentication, like 
other intermediate providers?
    47. Token Access. Does the Governance Authority's token access 
policy serve as a barrier to participation in STIR/SHAKEN for all or a 
subset of gateway providers? That policy requires entities to have a 
current FCC Form 499-A on file with the Commission, have been assigned 
an Operating Company Number (OCN), and have either direct access to 
numbering resources or filed a certification in the Robocall Mitigation 
Database in order to obtain a token necessary to participate in STIR/
SHAKEN. We assume that gateway providers that are already acting as 
voice service providers and are subject to the duty to authenticate 
calls they originate or terminate may have already obtained a token in 
order to comply with their duties as a voice service provider. Is that 
assumption correct? How many gateway providers also serve as voice 
service providers? While providers so situated may already possess the 
necessary token, will other gateway providers have difficulty obtaining 
tokens under the current policy? Do some or all gateway providers have 
no obligation to file an FCC Form 499-A because they do not fall under 
one of the categories of entities required to submit the form? If so, 
should we encourage the Governance Authority to waive for such 
providers the requirement to file an FCC Form 499-A to obtain a token? 
Are some or all gateway providers unable to obtain an OCN based on the 
National Exchange Carrier Association's (NECA) policies? If certain 
gateway providers are not required to file a Form 499-A or cannot 
readily obtain an OCN, should we encourage or require the Governance 
Authority to modify its token access policy to ensure that gateway 
providers are able to obtain a token and comply with an authentication 
requirement? And do we need to make changes to our Robocall Mitigation 
Database to allow compliance with the Governance Authority's filing 
requirement?
    48. Compliance Deadline. We seek comment on when we should require 
gateway providers' authentication obligation to become effective, 
mindful of the public interest of prompt implementation by gateway 
providers with the need for these providers to have sufficient time to 
implement our proposed obligation. We note that the STIR/SHAKEN caller 
ID authentication obligations in the TRACED Act became effective 18 
months following its enactment, and voice service providers were able 
to meet that deadline. Our rules adopted pursuant to the TRACED Act 
grant certain providers exemptions and extensions from this deadline. 
Accordingly, would a March 1, 2023 deadline, falling approximately 18 
months after we adopt this FNPRM, be a reasonable deadline for 
implementation of our authentication obligation? Would an earlier or 
later deadline for all gateway providers better balance the benefit of 
the rule against the burden?
    49. Should we modify our proposed deadline for certain classes of 
gateway providers? For example, should we identify a subset of gateway 
providers that are most likely to be the conduit for illegal robocalls 
and subject them to an accelerated timeline? How should we identify 
such providers? Should we identify those gateway providers that have 
received at least a certain number of traceback requests or other 
indicia of involvement in illegal robocalling? If so, what would be an 
appropriate threshold? What deadline should we give such providers? 
Instead, should we expect faster implementation of STIR/SHAKEN by those 
gateway providers that are also voice service providers under our STIR/
SHAKEN rules, are not subject to an extension or exemption, and 
therefore are already authenticating caller ID information for calls 
they originate? Will a provider so situated be in a better position to 
implement STIR/SHAKEN quickly? If so, why?
    50. In the Second Caller ID Authentication Report and Order, the 
Commission granted several categories of voice service providers that 
faced undue hardship in implementing STIR/SHAKEN additional time for 
compliance, consistent with the directive of the TRACED Act: Small 
voice service providers, providers unable to receive a token from the 
Governance Authority, and services subject to discontinuance. Should we 
grant any categories of gateway providers extensions or exceptions from 
our proposed authentication requirement on the basis of undue hardship 
or for another reason? Are the extensions the Commission previously 
granted for STIR/SHAKEN based on undue hardship relevant to the context 
of gateway providers? For instance, should we grant small gateway 
providers an extension from any deadline we establish, and, if so, 
which gateway providers should we define as ``small?'' Or would doing 
so undermine the value of any requirements we adopt? If we grant an 
extension to some gateway providers, how much additional time would be 
appropriate in light of the public interest of prompt

[[Page 59093]]

participation in the STIR/SHAKEN framework? If we grant an exemption, 
how would any exemption square with the importance of ubiquitous STIR/
SHAKEN? Instead of a categorical approach, should we rely on 
individualized waiver requests pursuant to the Commission's 
longstanding waiver standard? The Commission may exercise its 
discretion to waive a rule where the particular facts at issue make 
strict compliance inconsistent with the public interest. In considering 
whether to grant a waiver, the Commission may take into account 
considerations of hardship, equity, or more effective implementation of 
overall policy on an individual basis.

D. Robocall Mitigation

    51. While our caller ID authentication rules require voice service 
providers to implement STIR/SHAKEN or, if they are subject to an 
extension, to implement an appropriate robocall mitigation program, in 
this Notice we propose requiring gateway providers to apply both of 
these protections to calls they bring onto the U.S. network. We further 
propose and seek comment on additional requirements on gateway 
providers, at least some of which go beyond those that currently apply 
to voice service providers. First, we propose to require gateway 
providers to respond to all traceback requests from the Commission, law 
enforcement, and the industry traceback consortium within 24 hours. 
Second, we propose and seek comment on imposing mandatory blocking 
requirements on gateway providers. Third, we seek comment on 
establishing know-your-customer requirements for gateway providers. 
Fourth, we seek comment on requiring gateway providers to adopt certain 
contractual provisions with foreign providers from which they accept 
calls. Finally, in addition to adopting one or more of these robocall 
mitigation requirements, we propose to establish a general duty on 
gateway providers to mitigate illegal robocalls.
1. 24-Hour Traceback Requirement
    52. We propose to require gateway providers to respond fully to all 
traceback requests from the Commission, civil or criminal law 
enforcement, and the industry traceback consortium within 24 hours of 
receiving such request. This requirement would be stricter than our 
general obligation, which requires that voice service providers 
(including intermediate providers) respond to traceback requests ``in a 
timely manner.'' As we have stated in the past, traceback is an 
essential part of identifying the source of illegal calls. Information 
gained from traceback can both aid in enforcement after calls are 
placed and be used proactively to stop further calls from a particular 
source. We believe that time is of the essence in all tracebacks, but 
particularly for foreign-originated calls where the Commission or law 
enforcement may need to work with international regulators to obtain 
information from providers outside of U.S. jurisdiction.
    53. We seek comment on this proposal. Is a mandatory 24-hour 
response time appropriate, or should we consider a different response 
time? Because gateway providers are already required to respond to 
traceback ``timely,'' we believe that this enhanced requirement 
presents a minimal burden on gateway providers. We seek comment on this 
tentative conclusion. Are there any instances where a gateway provider 
may need more time to respond? If so, what would cause such a delay 
(e.g., what are the technical and/or operational challenges that would 
contribute to the delay)? How might we address any such problems to 
best enable gateway providers to meet such a requirement? Should we 
instead consider requiring response in a shorter time than 24 hours? 
Are there additional benefits or burdens to requiring a faster response 
time? Are there any other issues we should consider in adopting such a 
requirement, such as the impact on small gateway providers?
    54. We seek comment on other means to improve traceback when calls 
originate internationally. Are there other, or additional, steps the 
Commission could take to improve this process and make bad actors 
easier to identify and stop? Should the Commission consider taking 
these steps in addition to, or instead of, requiring gateway providers 
to respond within 24 hours? What benefit would these approaches 
provide? Are there any particular burdens or concerns the Commission 
should consider when weighing these options?
    55. Compliance Deadline. We propose to require gateway providers to 
comply with this requirement by 30 days after publication of the notice 
of an Order adopting this requirement in the Federal Register. Because 
gateway providers are already required to respond to traceback requests 
``fully and timely,'' we do not believe there is any reason to further 
delay implementation of this requirement. We seek comment on this 
proposal and analysis. Would a different compliance deadline be more 
appropriate and, if so, why?
2. Mandatory Blocking
    56. To date, the Commission has generally taken a permissive 
approach to call blocking, allowing voice service providers the 
flexibility to block in certain instances, but not requiring blocking. 
In adopting the effective mitigation requirement, the Commission did 
make clear that gateway providers may be required to block in order to 
comply. The Commission's rules also direct intermediate and voice 
service providers to only accept calls using NANP numbers sent directly 
from voice service providers with a filing in the Robocall Mitigation 
Database. This requirement is distinct from our blocking requirements. 
Unfortunately, illegal calls continue to plague American consumers. 
When calls originate outside the United States, enforcement against, or 
even identification of, the caller is much more difficult. Gateway 
providers are positioned to reduce the flood of foreign-originated 
illegal calls before they reach American consumers. If a gateway 
provider stops a single calling campaign before it enters the U.S. 
network, no American consumers will receive those calls. Because 
gateway providers may, in many cases, not have direct relationships 
with American consumers, they may lack incentive to take aggressive 
action absent a mandate. To address these issues, we seek comment on 
several possible approaches to requiring gateway providers to block 
calls, particularly where those calls bear a U.S. number in the caller 
ID field.
    57. Gateway Provider Blocking Based on Commission Notification of 
Illegal Calls. In the Fourth Call Blocking Order, the Commission 
adopted rules requiring voice service providers, including gateway 
providers, to ``take steps to effectively mitigate'' illegal traffic 
when notified of such traffic by the Commission. The Commission noted 
that gateway providers may need to block calls in order to comply with 
this requirement as, unlike originating voice service providers, they 
often do not have a direct relationship with the call originator. We 
believe that modifying this rule to affirmatively require gateway 
providers to block calls upon receipt of notification from the 
Commission through its Enforcement Bureau would better protect American 
consumers from illegal calls and thus seek comment on whether to do so. 
We therefore propose to strengthen our existing effective mitigation 
requirement as to gateway providers. Specifically, we propose to 
require gateway providers, following a prompt investigation to

[[Page 59094]]

determine whether the traffic identified in the Enforcement Bureau's 
notice is illegal, to promptly block all traffic associated with the 
traffic pattern identified in that notice. We seek comment on this 
proposal.
    58. We seek comment on whether allowing gateway providers to 
investigate prior to blocking strikes the correct balance. Currently, 
our rules do not specify how quickly a voice service provider must act, 
but do require that it investigate and report to the Commission 
``promptly.'' The report must include any steps taken to effectively 
mitigate the identified traffic or an explanation as to why the 
provider has concluded that the identified calls were not illegal. Is 
this the correct approach given the heightened risk of foreign-
originated illegal robocalls, or should we adopt a stricter standard 
for gateway providers? For example, should gateway providers block 
calls prior to investigation? If so, should we require that gateway 
providers implement blocking immediately upon receipt of notification? 
If not, what is an appropriate delay prior to implementing a block? If 
we require blocking prior to investigation, how can we ensure that 
gateway providers are granted due process? What are the risks 
associated with a too-long or too-short time, and how might we mitigate 
those risks? Are there any other issues we should consider in 
determining how quickly a gateway provider must block calls and whether 
to allow investigation prior to blocking?
    59. We seek comment on the contours of the blocking obligation. 
Should we require the notified gateway provider to block all calls that 
meet criteria identified by the Enforcement Bureau in its notice that 
make it highly likely that the calls are part of the same call pattern 
as those calls that the Commission has determined to be illegal? The 
Fourth Call Blocking Order established specific details that the 
Enforcement Bureau must include in its notice. Or should we allow 
gateway providers some discretion to determine the scope of the block 
based on the Enforcement Bureau's notice? If we allow discretion, 
should we instead establish general guidelines in our rules, to ensure 
that a gateway provider can know that it is in full compliance with our 
rules? If so, what might these guidelines look like? If we adopt our 
proposal of permitting a gateway provider to investigate prior to 
blocking, should we require the gateway provider to indicate what 
criteria it is using, based on the Enforcement Bureau's notice and its 
own investigation, in its response to the Commission? Alternatively, 
should we require that gateway providers, regardless of the specifics 
of the call pattern, block all calls that purport to originate from the 
same number(s) as the identified illegal traffic? Is there some other 
approach that we should consider? What are the risks of each approach? 
Specifically, what is the risk that lawful calls will be blocked, or 
that illegal calls will continue from the same source despite the 
gateway provider's compliance? How can we reduce unnecessary burdens on 
gateway providers under each approach? Are there any other issues we 
should consider in determining how a gateway provider may comply with 
this requirement, such as the impact on small businesses?
    60. Requiring Downstream Providers to Block Calls from Bad-Actor 
Gateway Providers. A complementary approach to requiring gateway 
providers to block calls is to require the voice service provider or 
intermediate provider downstream from the gateway provider to block 
where the Commission determines a particular gateway provider is a bad 
actor. In the Third Call Blocking Order and Further Notice of Proposed 
Rulemaking, we used the phrase ``bad actor'' when discussing 
originating or terminating providers that fail to take appropriate 
steps to prevent their networks from being used to originate or 
transmit illegal calls. Here, we expand our use of that term to include 
gateway providers that fail to comply with the rules we propose above. 
This approach provides a strong incentive for the gateway provider to 
avoid having its traffic blocked by ensuring that it complies with our 
rules. In the Third Call Blocking Order and Further Notice of Proposed 
Rulemaking, the Commission encouraged, without requiring, such blocking 
by establishing a safe harbor for terminating voice service providers 
and intermediate providers that choose to block calls from bad-actor 
upstream providers once certain criteria are met. In conjunction with 
our mandatory blocking proposal above, we propose that, should a 
gateway provider fail to comply with those requirements, the 
Commission, through its Enforcement Bureau, may send a notice to all 
providers immediately downstream from the gateway provider in the call 
path. Upon receipt of such notice, all providers must promptly block 
all traffic from the identified gateway provider, with the exception of 
911 and PSAP calls. We seek comment on this approach.
    61. Currently, our rules allow a downstream provider to block and 
cease accepting all traffic from a bad-actor upstream provider which, 
upon receipt of Commission notice of illegal traffic, fails to either 
effectively mitigate that traffic or fails to take steps to prevent new 
and renewing customers from originating illegal calls. If a gateway 
provider fails to effectively mitigate illegal traffic, calls continue 
to reach American consumers, and enforcement only comes after the fact. 
For these reasons, we believe there is value in requiring the voice 
service provider or intermediate provider immediately downstream from a 
gateway provider to block all calls from that gateway provider in the 
event that the gateway provider fails to effectively mitigate, or block 
if required, illegal traffic once notified of such traffic by the 
Commission via the Enforcement Bureau. We seek comment on this view.
    62. We seek comment on how much time gateway providers should have 
to begin effectively mitigating, or blocking, calls before directing 
downstream providers to block all calls from that gateway provider. 
Should we require that gateway providers take such steps ``promptly,'' 
consistent with our existing rules? If we instead adopt a stricter 
requirement for gateway provider action, should we immediately notify 
downstream providers to block, or allow additional time before taking 
that step? If we determine more time is appropriate, how long should we 
delay our notification to downstream providers? If we use the 
``promptly'' standard, how should we determine what is ``prompt'' for 
these purposes? Should we notify gateway providers before directing 
downstream providers to block and thereby give the gateway provider an 
additional chance to mitigate the traffic? What are the costs and 
benefits of each approach?
    63. We seek comment on how much time to permit downstream providers 
to begin blocking calls from the identified gateway provider. Should we 
require that the downstream provider begin blocking immediately? Are 
there any technical or practical barriers to immediate blocking? If so, 
how can we address them? If we do not require immediate blocking, how 
much time should we allow? What are the costs and benefits of each 
approach? Are there any other issues we should consider around timing?
    64. We seek comment on how best to notify downstream providers when 
blocking is required. Where there are multiple providers immediately 
downstream from the gateway provider, should we directly notify them 
all? If so, how can we ensure that every relevant provider is notified? 
Alternatively, should we notify a single entity, such as the industry 
traceback consortium, and

[[Page 59095]]

require that downstream providers work with that entity to obtain this 
information? If so, does this alter the timeline for compliance? Is 
there some other approach that would be more appropriate, such as a 
public notice or use of the Robocall Mitigation Database? We also seek 
comment on how we can determine whether a downstream provider is 
complying with this blocking requirement. Should we require the 
downstream provider to block all calls from the identified gateway 
provider, or just those that are part of the identified call pattern?
    65. Finally, we recognize that blocking of all traffic from a 
particular gateway provider is likely to have a profound impact on that 
gateway provider's ability to do business. We therefore seek comment on 
whether to adopt additional due process steps or requirements to ensure 
that these rules are not erroneously applied to gateway providers. Is 
allowing investigation prior to requiring blocking sufficient, or 
should we adopt additional protections? If we do not allow 
investigation prior to blocking, should we adopt additional due process 
protections prior to directing downstream providers to block? 
Additionally, should we adopt rules to direct downstream providers to 
cease blocking if the gateway provider later takes appropriate steps to 
effectively mitigate or block the identified traffic? If so, what 
should be included in these rules? When would it be appropriate to 
direct downstream providers to cease blocking? How much time should we 
allow for this to occur? Should we use the same means of notification? 
We seek comment on any other issues we should consider in adopting such 
a requirement, including the impact on small businesses.
    66. Blocking Based on Reasonable Analytics. Our rules currently 
permit broad blocking based on reasonable analytics by terminating 
voice service providers only and, in most cases, require those 
providers to allow customers to opt out. One-ring scam blocking also 
uses ``reasonable analytics'' and may be used by any voice service 
provider or intermediate provider in the call path without requiring 
any opt-out provisions. However, the use of analytics for one-ring scam 
calls is more narrowly tailored, designed to identify only one 
particular type of illegal call. In contrast, the Commission's other 
authorizations of blocking based on reasonable analytics have permitted 
terminating voice service providers broad discretion to block unwanted 
calls or calls that are highly likely to be illegal and are not limited 
to analytics designed to identify a specific, identified, type of call. 
The Fourth Call Blocking Order expanded the safe harbor for blocking 
based on reasonable analytics to include network-based blocking without 
any opt-out requirement where the provider's analytics are designed to 
identify calls that are ``highly likely to be illegal'' so long as they 
meet other requirements. In all cases of broad authorizations of 
blocking based on reasonable analytics, the voice service provider must 
disclose to customers that it is engaging in this blocking. Because 
these broad authorizations allow only terminating voice service 
providers to block calls, only customers of those voice service 
providers that block calls are protected. In our effort to increase 
protection for American consumers, we propose to require gateway 
providers to block calls that are highly likely to be illegal based on 
reasonable analytics, preventing these calls from entering the U.S. 
network. We further propose additional requirements around this 
blocking consistent with our existing authorization of blocking based 
on reasonable analytics designed to identify calls that are highly 
likely to be illegal for terminating voice service providers. 
Specifically, we propose to require gateway providers to: (1) 
Incorporate caller ID authentication information where available; (2) 
manage the blocking with human oversight and network monitoring 
sufficient to ensure that it blocks only calls that are highly likely 
to be illegal, which must include a process that reasonably determines 
that the particular call pattern is highly likely to be illegal before 
initiating blocking of calls that are part of that pattern; (3) cease 
blocking calls that are part of the call pattern as soon as the gateway 
provider has actual knowledge that the blocked calls are likely lawful; 
and, (4) apply all analytics in a non-discriminatory, competitively 
neutral manner. We seek comment on these proposals.
    67. We believe requiring gateway providers to use reasonable 
analytics to block will increase blocking of illegal calls entering the 
U.S. network, and will build on the success of current reasonable 
analytics blocking. We thus believe using the ``highly likely to be 
illegal'' standard for gateway provider blocking makes sense. We seek 
comment on this view. We also recognize that a standard with 
flexibility, such as this one, can result in over- or under-inclusive 
blocking and that, unlike terminating voice service provider blocking, 
consumers will have no recourse for erroneous gateway provider 
blocking.
    68. How should we address this potential problem? We propose to 
require gateway providers to manage the blocking with human oversight 
and network monitoring sufficient to ensure that only calls that are 
highly likely to be illegal are blocked. This is consistent with our 
requirement for terminating voice service providers that block calls 
that are highly likely to be illegal without consumer opt out. Is this 
the correct approach? If not, should we require a different process? If 
so, what would this process look like? Are there steps we could take to 
otherwise reduce the risk that lawful calls will be blocked? Should we 
adopt additional requirements to ensure that a gateway provider can be 
certain that its blocking is within the scope of our rules, rather than 
under- or over-inclusive? Would a gateway provider that makes use of 
comparatively conservative blocking analytics be subject to liability 
for under-blocking? If so, how might we address this issue? Are there 
any other issues we should consider in taking this approach?
    69. Consistent with our existing safe harbor for the blocking of 
calls based on reasonable analytics, we propose to require gateway 
providers to incorporate caller ID authentication information, where 
that information is available, and to ensure that all analytics are 
applied in a non-discriminatory, competitively neutral, manner. Is this 
the appropriate approach? Should we modify or remove either of these 
requirements in this context? If so, how might we change them? We also 
propose to require that gateway providers cease blocking calls that are 
part of the call pattern as soon as the gateway provider has actual 
knowledge that the blocked calls are likely lawful. We believe that 
this is the best approach to reduce the risk of lawful calls being 
blocked. We seek comment on this belief. Should we modify our approach 
in this context? For example, should we require gateway providers to 
obtain further confirmation that calls are lawful? Or, in contrast to 
that option, should we require a gateway provider to cease blocking 
whenever it receives information that particular calls may be lawful? 
If we take this approach, should we require gateway providers to 
investigate this information to determine whether it is accurate and, 
if it is inaccurate, resume blocking?
    70. Should we provide further guidance as to what constitutes 
``reasonable analytics'' in this context? Other than in the First Call 
Blocking Order, we have declined to establish

[[Page 59096]]

specific standards, both out of a concern that such standards will 
create a road map for bad actors seeking to avoid blocking and to allow 
flexibility in response to evolving threats. Under the First Call 
Blocking Order, voice service providers, as well as intermediate 
providers, are permitted to block based on the number in the caller ID 
field. Specifically, blocking is permitted where the number is unused, 
unallocated, or invalid, or where the subscriber to the number has 
indicated that it does not use the number to originate calls and 
requests that all calls purporting to originate from that number be 
blocked. However, we want to ensure that a gateway provider has notice 
as to whether or not it is in compliance with our rules. Are there 
standards we could adopt here that would provide certainty to gateway 
providers without allowing bad actors to easily circumvent blocking? 
Would this approach reduce the burden on small businesses by providing 
certainty? We further seek comment on whether we should consider bases 
for blocking other than reasonable analytics and how they would better 
serve consumers. Are there any other issues we should consider if we 
set specific standards?
    71. Gateway Provider Do Not Originate. The Commission has 
authorized voice service providers (including intermediate providers) 
to block calls where: (1) The subscriber to the number indicated that 
that number should never be used to originate calls; (2) the number was 
unallocated; (3) the number was unused; or, (4) the number was invalid. 
Voice service providers and intermediate providers need not obtain 
consumer consent for blocking these calls, as there is no valid reason 
for these numbers to originate calls. There are at least two do-not-
originate list implementations in use by industry that take different 
approaches to the issue. We seek comment on requiring gateway providers 
to block calls purporting to originate from numbers on a do-not-
originate list.
    72. Should we require gateway providers to block calls from numbers 
on a do-not-originate list? If so, what numbers should be included on 
the list? The Industry Traceback Group, for example, maintains a 
``measured and tightly controlled process'' for adding numbers to the 
do-not-originate list it operates based on the rules adopted in the 
First Call Blocking Order. Its policies allow for a do-not-originate 
request from federal and state government entities where the number is 
legitimately used for inbound calls only, is currently spoofed to 
perpetrate impersonation-focused fraud, is authorized for participating 
in the list by the party to which the telephone number is assigned, and 
is recognized by consumers as belonging to a legitimate entity. Private 
entities that wish to have numbers added to the list must meet 
additional requirements. The additional policies for private entities 
include a thorough vetting process and a requirement that there be 
``active and significant fraudulent activity'' involving spoofing. 
There also may be an administrative charge assessed. Should we take a 
similar approach for adding numbers to a do-not-originate list? 
Alternatively, should we take a broader approach and allow any number 
that should never be originating calls outside the United States to be 
added by the person or entity to which the number is assigned? Should 
we include other categories of numbers, such as unused or unallocated 
numbers? Are there any specific standards or vetting processes we 
should adopt to ensure that numbers are not added in error? What 
benefits and risks would each specific approach create? Are there any 
other factors we should consider in determining what numbers may be 
added to the list?
    73. We seek comment on how we might implement such a list. Who 
should maintain the list? For example, should it be the maintained by 
the Commission, the industry traceback consortium, or some other 
entity? What are the advantages and disadvantages of each approach? 
Should the list be public or private? If public, how can we ensure that 
bad actors cannot abuse the list? If private, how can we ensure the 
security of the list? How might we collect these numbers, and how can 
we ensure that the costs of collecting, vetting, and maintaining the 
list are recouped? Should the list be combined with an existing do-not-
originate list, such as the Industry Traceback Group's list, or should 
it be completely separate? Should we adopt a formal process for 
removing numbers from the list? Are there any approaches that would 
reduce these costs without eliminating the benefits? Are there any 
other particular issues we should consider in determining how to 
implement the list, including the impact on small businesses?
    74. Alternative Blocking Programs. We seek comment on other 
potential mandatory blocking programs for gateway providers. Are there 
any other approaches to mandatory blocking we should consider? If so, 
what are the specifics of each approach, and what issues should we 
consider when adopting rules? What benefits would the blocking provide? 
What risks would the blocking pose, including the risk of blocking 
lawful calls? What burdens would the blocking pose for gateway 
providers? Should we consider the approach instead of, or in 
conjunction with, another type of blocking?
    75. Protections for Lawful Calls. We believe that all blocking 
contains some risk of erroneous blocking, e.g., blocking calls that are 
not illegal. For example, a particular caller's call patterns could 
look similar enough to the patterns of an illegal caller and a gateway 
provider, acting in good faith, could believe that the caller is 
placing illegal calls and thus block them. We seek comment on 
appropriate transparency and redress options that could accompany 
mandatory blocking requirements for gateway providers. What 
transparency and redress requirements should we adopt? Are the 
requirements we have already adopted sufficient, or are there reasons 
to adopt additional, or alternative, requirements? Should our 
transparency and redress requirements vary depending on what blocking 
approach we adopt? If so, how? Are there steps we should take to reduce 
issues related to language barriers? Are there any other issues we 
should consider?
    76. We want to be particularly careful of the risk of blocking 
emergency calls, such as calls to 911, or calls from PSAPs and 
government emergency outbound numbers. We seek additional comment on 
protections for public safety calls more broadly elsewhere in this 
item. We seek comment on how to address these concerns. What is the 
risk of such calls being blocked under each of our proposals? Should we 
require that gateway providers never block such calls, or is a 
different approach more appropriate?
    77. Limitation of Liability for Compliance with Mandatory Blocking. 
Aside from the Commission's prior statement that gateway providers may 
need to block calls in order to comply with the requirement to 
effectively mitigate illegal traffic, our existing rules generally do 
not require blocking. Instead, they focus on permitting blocking and 
ensuring that voice service providers will not be subject to liability 
under the Act and the Commission's rules when blocking in certain 
instances. We seek comment on whether, if we adopt mandatory blocking 
requirements, we should take a similar approach here. Our previous safe 
harbors were designed to incent blocking by ensuring that providers do 
not face liability for good faith blocking. Here, blocking would be 
mandatory. Given this, is there a need for such a safe harbor? Could 
gateway providers be

[[Page 59097]]

subject to liability under the Act or the Commission's rules for steps 
taken to comply with any of the blocking options we discuss in this 
FNPRM? If so, what is the source of this liability? Should we provide a 
blanket safe harbor under the Act and the Commission's rules, or should 
we limit that protection to actions taken to comply in good faith? If 
we have a good faith requirement, should we define good faith, and, if 
so, how? Should gateway providers be required to make a particular 
showing to demonstrate good faith sufficient to absolve them of 
liability for inadvertently blocking legal calls? For example, should 
we require an officer of a gateway provider to certify to the 
Commission, in the company's Robocall Mitigation Database certification 
or elsewhere, that they have acted in good faith and complied with our 
redress requirements? Are there any other issues we should consider?
    78. We seek comment on how to determine whether a gateway provider 
has met its obligation to block under each of these options. As the 
Commission has previously concluded, ``we do not expect perfection in 
mitigation.'' To address this concern, should we establish a good faith 
standard under which a gateway provider making its best, good faith 
efforts to block is not liable in cases where illegal traffic is not 
blocked? What would this obligation look like? How might we determine 
that a gateway provider is acting in good faith rather than willful 
ignorance? Should we make clear that a gateway provider will not be 
liable for failing to block where the information is not readily 
available, or should we adopt a different standard? We seek comment on 
what information is ``readily available'' to gateway providers at the 
time of the call. Is certain information available to gateway 
providers, but too expensive or inconsistently available to be 
considered ``readily available'' for all or some providers? What 
information might not be readily available at the time of the call but 
is readily available after the fact, allowing or requiring gateway 
providers to mitigate or block the traffic from the same source at a 
later time? Are there specific criteria we should use to provide 
regulatory certainty? Are there other issues we should consider?
    79. Compliance Deadline. We propose to require gateway providers to 
comply with any mandatory blocking requirement by 30 days after 
publication of the notice of any Order adopting blocking requirements 
in the Federal Register or the publication of notice of Office of 
Management and Budget (OMB) approval under the Paperwork Reduction Act 
(PRA), where appropriate. We seek comment on this proposal. Should we 
allow additional implementation time for any or all of the proposed 
blocking requirements? If so, how much of a delay is appropriate and, 
if so, why?
3. ``Know Your Customer'' Requirements for Gateway Providers
    80. Our rules currently require a voice service provider to 
``[t]ake affirmative, effective measures to prevent new and renewing 
customers from using its network to originate illegal calls, including 
knowing its customers and exercising due diligence in ensuring that its 
services are not used to originate illegal traffic.'' This rule 
generally applies to originating providers and, under our proposed 
definition, gateway providers do not have a direct relationship with 
the call originator and instead receive calls from a number of upstream 
originating or intermediate providers. As a result, gateway providers 
may not have a ``customer'' to ``know'' for the purpose of complying 
with a ``know your customer'' requirement. We believe, however, that 
extending ``know your customer'' obligations to gateway providers could 
benefit U.S. consumers. First, we propose and seek comment on requiring 
gateway providers to confirm that a foreign call originator is 
authorized to use a particular U.S. number that purports to originate 
the call. We then seek comment on whether, and how, to apply additional 
``know your customer'' requirements to gateway providers to reduce the 
risk of illegal calls entering the U.S. network, including who the 
gateway provider's ``customer'' should be for this purpose.
    81. Use of U.S. NANP Numbers for Foreign-Originated Calls. While 
there are valid reasons for some U.S. numbers to originate calls 
internationally, spoofing allows a bad-actor foreign caller to appear 
to a consumer as a U.S.-based entity, making it more likely a U.S. 
consumer will answer the phone. We propose and seek comment on 
requiring gateway providers to confirm that a foreign originator is 
authorized to use the particular U.S. number that purports to originate 
the call. We further propose to make clear that this requirement 
applies only when an originator seeks to place a high volume of calls 
using a U.S. number, and does not apply to traffic consistent with 
private, individual use.
    82. We seek comment on how a gateway provider can best comply with 
this requirement. Is it feasible for a gateway provider to obtain 
useful information? If so, can the gateway provider reliably gather 
this information prior to calls being placed? If so, how? If 
information is not available until after some calls have been placed, 
should we instead require the gateway provider to obtain this 
information within a set amount of time after receiving the first call 
purporting to originate from a particular U.S. number? How might a 
gateway provider get this information? How long is appropriate for 
gathering this information? Should our requirement be based on the 
number of calls placed, or the time since the first call was placed? We 
also seek comment on whether there is the possibility for gateway 
providers to have contractual relationships with call originators, 
distinct from their position on the call path, such that they will 
transmit all calls for a particular caller. If so, does this change the 
feasibility of obtaining useful information? Should any requirement we 
adopt apply to all gateway providers, or only to gateway providers with 
contractual relationships with callers, distinct from the relationship 
between a caller and originating voice service provider?
    83. We seek comment on the scope and extent of this requirement. 
Should we adopt a carve out to ensure that gateway providers do not 
prevent origination of emergency calls, including calls to 911, calls 
from PSAPs, or calls from government emergency outbound numbers? If so, 
what might this look like? In addition, we specifically propose to 
impose this requirement only where the originator seeks to place a high 
volume of calls. We seek comment on this proposal. We are concerned 
about ensuring that individual callers, such as U.S. residents 
traveling abroad, are not prevented from placing calls using a number 
to which they are subscribed while in a foreign country. To address 
this, should the requirement only be triggered after the gateway 
provider sees a set number of calls purporting to originate from a 
particular U.S. number? If so, what is the appropriate threshold to 
constitute a ``high volume'' of calls? Are there other measures we 
could adopt that would ensure that traffic consistent with individual 
use does not trigger this requirement without allowing the rule to be 
circumvented by clever callers? Are there any other issues we should 
consider?
    84. Upstream Provider as the ``Customer.'' Alternatively, should we 
impose a requirement similar to the rule adopted in the Fourth Call 
Blocking Order, and require gateway providers to take steps to know the 
upstream providers from which they receive

[[Page 59098]]

traffic and prevent those providers from originating illegal traffic 
onto the U.S. network? While at least a step removed from the call 
originator, the provider upstream from a particular gateway provider 
does have a direct relationship with that gateway provider. As a 
result, it is more likely for a gateway provider to have ready access 
to information about that upstream provider. We therefore seek comment 
on defining the provider immediately upstream from the gateway provider 
to be the gateway provider's ``customer.'' If we adopt this definition, 
what should the gateway provider ``know'' to be able to reasonably 
claim it ``knows'' this ``customer''? Should we limit our requirement 
to information readily available to the gateway provider, or should we 
require additional information that may be more difficult for a gateway 
provider to obtain? What information would provide the most benefit in 
stopping illegal calls? Is such information readily available to the 
gateway provider? If not, what costs or challenges might the gateway 
provider face in obtaining this information? Are there ways we could 
reduce or eliminate these costs or complications? What should a gateway 
provider be required to do with this information? For example, should 
we require gateway providers to cease accepting traffic from upstream 
providers that meet certain criteria? Should this requirement only 
apply to foreign-originated calls that use a U.S. number in the caller 
ID field? How does this approach compare to the approach of considering 
the call originator the ``customer'' discussed further below? Are there 
any other technical, legal, or policy considerations we should pay 
particular attention to if we define the customer as the upstream 
provider, including the impact on small businesses?
    85. Call Originator as the ``Customer.'' Alternatively, should we 
consider the call originator the gateway provider's ``customer'' for 
purposes of such a requirement? We believe that the originator, as the 
entity placing the calls, is probably the most relevant ``customer'' 
for the purpose of stopping illegal calls. Unfortunately, the gateway 
provider, in many cases, may have no direct relationship with the 
originator, making it significantly more difficult to obtain 
information. We seek comment on considering the call originator the 
``customer'' for purposes of a know-your-customer requirement. What 
would be sufficient for a gateway provider to reasonably claim that it 
``knows'' this ``customer''? What are the barriers to gateway providers 
obtaining necessary information from originators and how could we 
address those barriers? How does this approach compare to the approach 
of considering the upstream provider the ``customer,'' discussed above? 
Are there any other technical, legal, or policy considerations we 
should pay particular attention to if we define the customer as the 
call originator?
    86. Compliance Deadline. We propose to require gateway providers to 
comply with ``know-your-customer'' requirements by 30 days after 
publication of the notice of any Order adopting such a requirement in 
the Federal Register. We seek comment on this proposal. Is there any 
need to delay compliance? If so, why and how much time do gateway 
providers reasonably need to comply?
4. Contractual Provisions
    87. The NANC and industry stakeholders have recommended that 
gateway providers require their customers to adopt contractual 
provisions that would help mitigate illegal robocalling. We seek 
comment on whether, in light of increased risk of foreign-originated 
illegal robocall campaigns and the critical role gateway providers play 
in allowing such calls to reach the U.S. market, we should require 
gateway providers to adopt specific contractual provisions addressing 
robocall mitigation with foreign providers from which the gateway 
provider directly receives traffic carrying U.S. NANP numbers, and, in 
some cases, traffic from their foreign-end user customers (collectively 
for purposes of this subsection, foreign partners). Under our proposed 
definition of gateway provider above, a U.S.-based provider would fall 
outside of the definition of gateway provider if it is not also acting 
as an intermediate provider with respect to a particular call. 
Consistent with that definition, we are also seeking comment on 
imposing mandatory contractual obligations on gateway providers where 
they have entered into contracts with foreign end-user customers to 
accept their traffic into the U.S, marketplace. To the extent we adopt 
a broader definition of gateway provider to include those instances 
where the U.S.-based provider originates calls outside of the U.S. and 
the U.S.-based provider is not acting as an intermediate provider, we 
also seek comment on whether we should apply mandatory contractual 
provisions in those cases. What are the benefits and costs of requiring 
such contractual amendments?
    88. We seek comment on what specific contractual provisions, if 
any, we should require. Should we require gateway providers to ensure 
by contract that their foreign partners validate that the calling party 
is authorized to use the U.S. NANP telephone numbers, for calls with 
such numbers in the caller ID display? Are we correct in anticipating 
that if a foreign partner cannot validate the number, there is a 
significant risk that the number is being spoofed and is therefore 
likely to be involved in an illegal robocalling campaign? How should we 
address circumstances in which the foreign partner cannot validate the 
number on its own? For instance, should we require the gateway provider 
to require foreign partners by contract to use a third-party telephone 
number validation service? Should we require gateway providers to 
ensure that their foreign partners employ know-your-customer practices, 
and if so should we mandate requiring specific know-your-customer 
practices? Should we require gateway providers to contractually 
obligate foreign partners to submit a certification to the Robocall 
Mitigation Database? We seek comment on what similar contractual 
provisions providers already have in place, their effectiveness in 
stopping illegal robocall traffic, and how widespread they are.
    89. We seek comment on implementation of any requirement to adopt 
specific contractual provisions. Should we expand, contract, or alter 
the scope of foreign partners with which we would require gateway 
providers to enter into specific contractual provisions? What steps, if 
any, should we require gateway providers to take to ensure that foreign 
partners are living up to their contractual commitments? Should we 
require gateway providers to impose specific consequences, such as a 
refusal to accept traffic, on foreign partners that fail to live up to 
any required contractual provisions? What consequences should we impose 
a gateway provider that fails to enter into or enforce any required 
contractual provisions?
    90. Consistent with the other mitigation obligations proposed in 
this FNPRM, we propose to require gateway providers comply with any 
contractual provisions 30 days after the effective date of an Order 
adopting such requirements. We seek comment on this proposal. We also 
seek comment on whether such a period provides sufficient time to 
comply with such obligations with respect to existing contracts in 
order to negotiate contractual amendments with foreign partners. Should 
we modify the deadline for certain classes of providers based on their 
burden or the benefit that would result in those classes'

[[Page 59099]]

compliance with the rule? Should we consider any other issues in 
setting a compliance deadline?
5. General Mitigation Standard
    91. In addition to the specific mitigation requirements for which 
we seek comment above, we also propose to require gateway providers to 
meet a general obligation to mitigate illegal robocalls. Robocallers 
have shown that they can adapt to specific safeguards targeting illegal 
traffic. A general obligation can serve as an effective backstop to 
ensure that robocallers cannot evade any granular requirements we 
adopt. In the Second Caller ID Authentication Report and Order, the 
Commission required those voice service providers subject to a robocall 
mitigation requirement to take ``reasonable steps to avoid originating 
illegal robocall traffic,'' and established that a robocall mitigation 
program is sufficient if it ``includes detailed practices that can 
reasonably be expected to significantly reduce the origination of 
illegal robocalls'' and the provider ``compl[ies] with the practices it 
describes.'' The Commission stated that a program is ``insufficient if 
a provider knowingly or through negligence serves as the originator for 
unlawful robocall campaigns.'' We believe imposing an analogous 
requirement on gateway providers would provide a valuable backstop and 
help reduce the likelihood that illegal robocalls might make their way 
to U.S. consumers. Under this approach, gateway providers would be 
required to take reasonable steps to avoid transiting illegal robocall 
traffic. What would be the benefits and drawbacks of doing so? What 
would constitute ``reasonable steps'' in this context, aside from any 
of the actions proposed in this FNPRM? Would the consistency of 
obligations between gateway providers and voice service providers 
facilitate innovation and development of novel, effective robocall 
mitigation techniques? Would it ease compliance? Is a standards-based 
approach sufficient to address the difficult task of mitigating 
foreign-originated illegal robocalls? Should we adopt a standards-based 
approach but establish a different standard for effective robocall 
mitigation for gateway providers? What should that standard be? Does a 
standards-based approach make compliance more difficult, particularly 
for small entities that may less easily be able to identify appropriate 
practices?
    92. Instead of establishing a general mitigation standard based on 
the standard in the Second Caller ID Authentication Report and Order, 
should we instead adopt a general standard by building upon the 
obligation in the Fourth Call Blocking Order for voice service 
providers (including intermediate providers) to mitigate robocall 
traffic by adopting ``affirmative, effective measures to prevent new 
and renewing customers from using their network to originate illegal 
calls''? This duty differs in certain respects from the duty for voice 
service providers subject to a robocall mitigation requirement to take 
``reasonable steps to avoid originating illegal robocall traffic.'' For 
example, there is no duty for gateway providers to take action with 
respect to existing customers. Should we establish a general mitigation 
obligation for gateway providers based on a modified version of this 
duty? What should those modifications be? Should we require gateway 
providers to take affirmative, effective measures to prevent current, 
new, and renewing customers from using their network to transit illegal 
calls? Are other modifications appropriate? Instead or in addition to 
making such modifications, should we provide additional guidance to 
gateway providers about what measures would be deemed ``affirmative'' 
and ``effective''? What should that guidance be?
    93. We seek comment on an appropriate deadline for any general 
mitigation standard we adopt. We believe that any compliance deadline 
we adopt should, at a minimum, be consistent with the time and effort 
necessary to implement the standard, balanced against the public 
benefit that will result in rapid implementation of the standard. We 
therefore urge commenters proposing a standard to propose a specific 
deadline consistent with these principles.

E. Robocall Mitigation Database

    94. We propose to require gateway providers to submit a 
certification to the Robocall Mitigation Database describing their 
robocall mitigation practices and stating that they are adhering to 
those practices. We also take this opportunity to address other issues 
related to the Robocall Mitigation Database that are not specifically 
related to gateway providers. First, we seek comment on revisions to 
the information that filers must submit to the Robocall Mitigation 
Database. Second, we clarify the obligations of voice service providers 
and intermediate providers with respect to calls to and from PSAPs and 
other emergency services providers.
    95. Gateway Providers. While we declined to impose a filing 
requirement on intermediate providers that had no robocall mitigation 
obligations in the Second Caller ID Authentication Report and Order, we 
believe that requiring gateway providers to do so now in conjunction 
with any new robocall mitigation obligations we adopt is appropriate 
and situates gateway providers consistently with voice service 
providers under our STIR/SHAKEN rules. We seek comment on our proposal 
to require gateway providers to submit a certification. We anticipate 
that requiring certification will encourage compliance and facilitate 
enforcement efforts and industry cooperation to address problems. We 
also anticipate that a registration requirement would not be more 
costly for gateway providers than voice service providers. We seek 
comment on this analysis. Are there additional benefits of requiring 
registration? Do gateway providers face additional costs compared to 
voice service providers that we should consider? Rather than require 
gateway providers to file in the Robocall Mitigation Database, should 
we instead impose some other filing obligation? What would that 
obligation be?
    96. We propose requiring gateway providers to submit the same 
information that voice service providers must submit under Commission 
rules. Specifically, we propose requiring gateway providers to certify 
to the status of STIR/SHAKEN implementation and robocall mitigation on 
their networks; submit contact information for a person responsible for 
addressing robocall mitigation-related issues; and describe in detail 
their robocall mitigation practices. In the alternative, we seek 
comment on whether to alter or remove any of these obligations as 
applied to gateway providers, and whether gateway providers should 
submit any additional information beyond the information required from 
originating and terminating voice service providers. If we adopt 
specific robocall mitigation requirements, should we relieve gateway 
providers of the obligation to describe their robocall mitigation 
practices? Would this belt-and-suspenders approach to certification 
only add compliance costs with limited benefit? If we did not require 
gateway providers to describe their robocall mitigation practices, 
should they be required to submit any alternative information? If so, 
what should that be? We seek comment on any modifications we should 
make to the filing process for those gateway providers that are also 
voice service providers.
    97. Similar to our recently proposed rules for VoIP direct access 
applicants, should we require gateway providers to ``inform the 
Commission'' through an

[[Page 59100]]

update to the Robocall Mitigation Database filing, if the gateway 
provider is ``subject . . . to a Commission, law enforcement, or 
regulatory agency action, investigation, or inquiry due to its robocall 
mitigation plan being deemed insufficient or problematic, or due to 
suspected unlawful robocalling or spoofing . . .'' ? We propose that 
information in any gateway provider certification would also be subject 
to the existing duty to update that certification within 10 business 
days, ensuring that the information is kept up to date. Is another time 
period appropriate for some or all of the information we require? 
Should we establish a materiality threshold for circumstances in which 
an update is necessary, and if so what threshold should we set?
    98. We propose to extend the prohibition on accepting traffic from 
unlisted providers to gateway providers. Under this proposal, 
intermediate providers and terminating voice service providers would be 
prohibited from accepting traffic from a gateway provider not listed in 
the Robocall Mitigation Database. We believe that a gateway provider 
Robocall Mitigation Database filing requirement and an associated 
prohibition against accepting traffic from gateway providers not in the 
Robocall Mitigation Database will ensure regulatory symmetry between 
voice service providers and gateway providers and underscore the key 
role gateway providers play in stemming illegal robocalls. We seek 
comment on that conclusion and this proposal. Taking into consideration 
the time between the effective date of the prohibition on voice service 
providers (September 28, 2021) from accepting traffic from other 
unlisted voice service providers and the comment due date of this 
FNPRM, is there any preliminary evidence that the prohibition has been 
beneficial in the ways the Commission envisioned? We also propose that 
this prohibition should go into effect 90 days following the effective 
date of the requirement for gateway providers to submit a certification 
to the Robocall Mitigation Database. Ninety days between the effective 
date of the filing obligation and the beginning of the requirement to 
reject traffic from non-filers is the same time period as that adopted 
in the Second Caller ID Authentication Report and Order for voice 
service providers. We seek comment on providers' experience with that 
90-day timeframe and whether it would be appropriate in this instance. 
Should we set a shorter time period to ensure Americans benefit from 
this scheme sooner? Or do voice service providers and intermediate 
providers need additional time, beyond 90 days, to come into compliance 
with any blocking obligation and, if so, why? How, if at all, should we 
tailor the information that gateway providers must submit to the 
Robocall Mitigation Database to ensure that a downstream provider has 
sufficient information to know whether to block calls depending on the 
call-by-call ``role'' of the upstream provider? For example, if an 
upstream provider is acting as a gateway provider for a call and has 
submitted a certification as a voice service provider to the Robocall 
Mitigation Database, but has not submitted its certification as a 
gateway provider, what information does that downstream provider need 
to know to block the call under our proposed rule if and when it 
becomes effective?
    99. In line with our proposals above to require gateway providers 
to implement mitigation requirements by 30 days after publication of 
the notice of an Order adopting this requirement in the Federal 
Register, we propose to require gateway providers to submit a 
certification to the Robocall Mitigation Database by that same date and 
to thereafter amend such certification of compliance to attest to STIR/
SHAKEN compliance by the deadline established in this proceeding, 
subject to publication in the Federal Register of notice of approval by 
OMB of any associated PRA obligations. We seek comment on this approach 
and any alternatives. For example, should we instead require gateway 
providers submit an interim certification by an earlier date so that 
the Commission and the general public know the status of gateway 
providers' STIR/SHAKEN implementation? Would the benefits of requiring 
an additional interim filing outweigh the burdens? What other 
considerations should we take into account in setting any filing 
deadlines?
    100. Identifying Information for All Filers. We take this 
opportunity to seek comment on whether we should require Robocall 
Mitigation Database filers--including voice service providers and, if 
required, gateway providers--to submit additional identifying indicia, 
such as a Carrier Identification Code, Operating Company Number, and/or 
Access Customer Name Abbreviation. We anticipate that requiring some 
additional identifying information may ease compliance by facilitating 
searches within the Robocall Mitigation Database and cross-checking 
information within the Robocall Mitigation Database against other 
sources. Do commenters agree? If so, what additional information should 
we require? What are the benefits and costs of such a requirement? We 
recognize that as of the date we adopt this FNPRM, a large number of 
voice service providers have already filed in the Robocall Mitigation 
Database, and requiring any additional information would require these 
providers to revise their filings. As we have explained, to date, 
approximately 4,948 voice service providers have submitted information 
into the Robocall Mitigation Database. Additionally, we realize that 
the September 28 blocking deadline has passed and that the identifying 
information we seek comment on may not be as useful as it would have 
been prior to this deadline. Based on these facts, does the benefit of 
requiring additional information nonetheless outweigh the burden of 
asking such a high number of voice service providers to refile? If not, 
should we consider applying this requirement on a prospective-only 
basis? Would this approach still have benefit even if only some filers 
submitted this information? Are there any categories of filer, such as 
foreign voice service providers that use NANP resources that pertain to 
the United States, that are unlikely to have this identifying 
information? If so, how should any new requirements address these 
filers? Alternatively, should we consider making the submission of this 
additional information voluntary to avoid a refiling requirement and 
account for filers that do not possess the information? Or would 
submission on a voluntary basis provide little benefit? If we require 
submission of additional information by some or all filers, what 
deadline for filing should we set?
    101. Public Safety Calls. We take this opportunity to clarify that 
even if a voice service provider (or, if we adopt our proposal in 
today's FNPRM, a gateway provider) is not listed in the Robocall 
Mitigation Database, other voice service providers and intermediate 
providers in the call path must make all reasonable efforts to avoid 
blocking calls from PSAPs and government outbound emergency numbers. 
Additionally, consistent with the Commission's previous statement that 
its call-blocking rules ``do not authorize the blocking of calls to 911 
under any circumstances,'' calls to 911 must not be blocked, even if 
originated by a voice service provider not in the Robocall Mitigation 
Database or otherwise subject to blocking. And as regards outbound 
emergency calls, we reiterate the Commission's position that all voice 
service providers and intermediate providers ``must make all reasonable 
efforts to ensure that calls from PSAPs and government outbound

[[Page 59101]]

emergency numbers are not blocked.'' We adopt this clarification to 
ensure completion of emergency calls and to clarify that the scope of 
the exception for emergency calls is identical between our call 
blocking rules and our rules prohibiting acceptance of traffic from 
voice service providers not listed in the Robocall Mitigation Database.
    102. We seek comment on whether we should modify our rules to 
reflect this clarification. We also seek comment on whether we should 
expand upon our clarification. Does our clarification contain any 
ambiguities that we should address, and if so how should we address 
them? For example, should we make clear what ``reasonable efforts'' we 
expect voice service providers and intermediate providers to take to 
ensure completion of outbound emergency calls? If so, what specific 
steps should we require? Would prohibiting providers from blocking 
calls on a ``whitelist'' of public safety numbers be effective, or 
would it instead provide a roadmap for bad actors to exploit? We note 
that the Commission has previously declined to adopt such a list, 
finding that it ``would likely to do more harm than good.'' We seek 
comment on whether circumstances have changed since the Commission's 
prior decision that would make this option more viable. Are there fewer 
concerns for such a list in the context of gateway providers? Are there 
other ways bad actors could exploit this emergency exception to 
originate illegal robocalls, either directed at PSAPs (because calls to 
911 may not be blocked) or directed to the general public by posing as 
emergency callers (because providers must make all reasonable efforts 
to ensure that calls from PSAPs and government outbound emergency 
numbers are not blocked)? If so, what steps can we take to minimize 
that threat while ensuring the vital goal of emergency call completion? 
How should we account for emergency calls if we require gateway 
providers to file in the Robocall Mitigation Database? Are emergency 
calls to U.S. PSAPs likely to originate abroad? We also propose that 
any calls to and from PSAPs and government outbound emergency numbers 
that may be otherwise subject to mandatory call blocking duties adopted 
pursuant to this FNPRM should be subject to the same emergency call 
exception and clarification that we adopt today, as well as any further 
clarifications that we adopt pursuant to the questions above, and we 
seek comment on this proposal.

F. Alternative Approaches

    103. We seek comment on alternative approaches to stop illegal 
foreign-originated robocalls. This FNPRM proposes imposing obligations 
on gateway providers because they are in the unique position of acting 
as the conduit for all foreign-originated calls. We anticipate that 
rules focused on gateway providers would be the most efficient and 
effective way to prevent illegal robocalls from reaching U.S. consumers 
and businesses from abroad. At the same time, we want to explore all 
available options and thus seek comment on whether we should instead 
pursue alternative approaches to enhancing our rules to target foreign-
originated robocalls.
    104. We first seek comment on strengthening our prohibition on 
U.S.-based providers accepting traffic carrying U.S. NANP numbers that 
is received ``directly from'' foreign voice service providers that are 
not in the Robocall Mitigation Database. By its terms, this rule does 
not require U.S.-based providers to reject foreign-originated traffic 
carrying U.S. NANP numbers that is received by a U.S. provider directly 
from a foreign intermediate provider--at present, the prohibition only 
applies to traffic received directly from the originating foreign 
provider. Some have argued that this loophole allows a significant 
portion of foreign-originated robocall traffic carrying U.S. NANP 
numbers to reach the U.S. outside of the prohibition. We seek comment 
on whether this is the case and, if so, whether we should expand the 
prohibition and require U.S.-based providers to reject traffic carrying 
U.S. NANP numbers directly from any foreign provider not in the 
Robocall Mitigation Database. What are the benefits and burdens of this 
approach? Should we require U.S.-based providers to ensure that foreign 
intermediate providers comply with specific robocall mitigation 
practices, such as know-your-customer practices, and describe in their 
certifications the specific robocall mitigation practices they have 
implemented? Are most foreign intermediate providers also originating 
and exchanging traffic with U.S. NANP numbers directly with U.S. 
providers, indicating that most foreign providers are already covered 
under the current prohibition? 609 foreign voice service providers have 
already filed in the Robocall Mitigation Database. We seek comment on 
what percentage of foreign providers currently subject to the 
prohibition this represents, compared to the percentage of foreign 
providers that would be subject to our proposed expanded prohibition. 
If we expand the prohibition to encompass foreign intermediate 
providers, what compliance deadline should we set?
    105. Conversely, should we limit or eliminate the foreign provider 
prohibition rather than expand it? Some argue that the compliance 
burden of the current rule on foreign voice service providers is 
significant, that many providers did not register by the deadline, and 
therefore there is a significant risk that domestic providers will 
unnecessarily block foreign-originated calls. We seek comment on the 
validity of these assertions and whether a rule expansion would 
compound those burdens and risks. Others argue that, at a minimum, 
foreign voice service providers needed additional time to submit a 
certification to the Robocall Mitigation Database. If the burdens of 
the current rule are large and the benefits small, should we consider 
eliminating the current rule, particularly if we adopt effective 
measures for gateway providers to stop illegal robocall traffic from 
entering the U.S. market?
    106. In light of the unique difficulties foreign service providers 
may face in timely registering with the Commission's new Robocall 
Mitigation Database, the fact that the foreign provider prohibition can 
be evaded by transmitting traffic via one or more foreign intermediate 
providers, and in order to avoid the potential disruption associated 
with such delays while permitting the Commission to explore these 
potentially more effective measures, we conclude that the public 
interest will be served by not enforcing the foreign provider 
prohibition during the pendency of this proceeding. While ZipDX 
suggests a ``narrower deferment'' that would allow enforcement if a 
foreign provider is responsible for a ``significant or on-going illegal 
robocalling activity,'' we decline taking such an approach because it 
would involve engaging in a line-drawing exercise for which we do not 
have sufficient guidance and data and ZipDX does not suggest a 
specific, administrable approach. We anticipate that we will make a 
final decision regarding whether to eliminate, retain, or enhance the 
foreign provider prohibition as part of our larger consideration of how 
best to address illegal robocalls originating abroad in the order 
issued pursuant to this FNPRM. Therefore, until that time, domestic 
voice service providers and intermediate providers may accept traffic 
carrying U.S. NANP numbers sent directly from foreign voice service

[[Page 59102]]

providers not listed in the Robocall Mitigation Database.

G. Expected Benefits and Costs

    107. As noted above, a large portion of illegal robocalls originate 
abroad, and that share may be growing. We therefore anticipate that the 
benefits of our proposals will far outweigh the costs imposed on 
gateway providers.
    108. As to expected benefits, the Commission found in the First 
Caller ID Authentication Report and Order and Further Notice of 
Proposed Rulemaking that widespread deployment of STIR/SHAKEN will 
increase the effectiveness of the framework for both voice service 
providers and their subscribers, producing a potential benefit of at 
least $13.5 billion annually due to the reduction in nuisance calls and 
fraud. In addition, the Commission identified many non-quantifiable 
benefits, such as restoring confidence in incoming calls and reliable 
access to emergency and healthcare communications.
    109. We anticipate that the impact of our proposals, including the 
deterrence that arises from authenticating unauthenticated foreign-
originated calls, will account for a large share of that $13.5 billion 
benefit because of the significant share of illegal calls originating 
outside our country. While each of the proposed requirements on their 
own may not fully accomplish that goal, viewed collectively, we expect 
that they will achieve a large share of the $13.5 billion minimum 
benefit. We seek comment on this analysis and on the possible benefits 
of the requirements we propose.
    110. We believe that the costs imposed on gateway providers by our 
proposed changes, at least some of which are likely minimal, will be 
far exceeded by the expected benefits. For example, many intermediate 
providers that would be classified as gateway providers under our 
proposed definition are already voice service providers and have 
already implemented or are required to soon implement STIR/SHAKEN 
authentication on their networks. Moreover, as the Commission stated in 
the First Caller ID Authentication Report and Order and Further Notice 
of Proposed Rulemaking, an overall reduction in illegal robocalls will 
greatly lower providers' network costs by eliminating both the unwanted 
traffic congestion and the labor costs of handling numerous customer 
complaints. We therefore believe that the proposals in this FNPRM would 
impose only minimal short-term costs on gateway providers while 
lowering long-term network costs for gateway providers and other 
domestic service providers. We seek comment on this analysis and 
whether it remains valid in light of industry experience in 
implementing STIR/SHAKEN and the Commission's various blocking regimes? 
Is it equally applicable to gateway providers? We also seek detailed 
comment on the potential costs associated with each proposal. Will 
these costs vary according to the size of the provider? Does the 
benefit of each proposal outweigh its cost? How do the proposed 
compliance deadlines for each requirement and possible alternative 
deadlines affect the benefits and costs?
    111. Digital Equity and Inclusion. The Commission, as part of its 
continuing effort to advance digital equity for all, including people 
of color, persons with disabilities, persons who live in rural or 
Tribal areas, and others who are or have been historically underserved, 
marginalized, or adversely affected by persistent poverty or 
inequality, invites comment on any equity-related considerations and 
benefits (if any) that may be associated with the proposals and issues 
discussed herein. Section 1 of the Communications Act of 1934, as 
amended, provides that the FCC ``regulat[es] interstate and foreign 
commerce in communication by wire and radio so as to make [such 
service] available, so far as possible, to all the people of the United 
States, without discrimination on the basis of race, color, religion, 
national origin, or sex.'' The term ``equity'' is used here consistent 
with Executive Order 13985 as the consistent and systematic fair, just, 
and impartial treatment of all individuals, including individuals who 
belong to underserved communities that have been denied such treatment, 
such as Black, Latino, and Indigenous and Native American persons, 
Asian Americans and Pacific Islanders and other persons of color; 
members of religious minorities; lesbian, gay, bisexual, transgender, 
and queer (LGBTQ+) persons; persons with disabilities; persons who live 
in rural areas; and persons otherwise adversely affected by persistent 
poverty or inequality. Specifically, we seek comment on how our 
proposals may promote or inhibit advances in diversity, equity, 
inclusion, and accessibility, as well the scope of the Commission's 
relevant legal authority.

H. Legal Authority

    112. We propose to adopt the foregoing obligations pursuant to the 
legal authority we relied upon in prior caller ID authentication and 
call blocking orders.
    113. Caller ID Authentication. We propose to find authority to 
impose caller ID authentication obligations on gateway providers under 
section 251(e) of the Act and the Truth in Caller ID Act. In the Second 
Caller ID Authentication Report and Order, the Commission found it had 
the authority to impose caller ID authentication obligations on 
intermediate providers under these provisions. It reasoned that 
``[c]alls that transit the networks of intermediate providers with 
illegally spoofed caller ID are exploiting numbering resources'' and so 
found authority under section 251(e). And it found additional, 
independent authority under the Truth in Caller ID Act on the basis 
that such rules were necessary to ``prevent . . . unlawful acts and to 
protect voice service subscribers from scammers and bad actors,'' and 
it stressed that intermediate providers ``play an integral role in the 
success of STIR/SHAKEN across the voice network.'' While that Order did 
not specifically discuss gateway providers, we propose to conclude that 
we can impose an authentication obligation on gateway providers on the 
same basis. Indeed, we propose to define gateway providers as a subset 
of intermediate providers; thus, we tentatively conclude that the 
Second Caller ID Authentication Report and Order already accounted for 
the actions we propose today. We seek comment on this proposal. Should 
we revisit the Commission's earlier conclusion that it has authority to 
place these obligations on intermediate--including gateway--providers? 
Are there other sources of authority, including the TRACED Act, that we 
could invoke to impose our caller ID authentication rules on gateway 
providers?
    114. Robocall Mitigation and Call Blocking. We propose to adopt our 
robocall mitigation and call blocking provisions on gateway providers 
pursuant to sections 201(b), 202(a), 251(e), the Truth in Caller ID 
Act, the TRACED Act, and, where appropriate, our ancillary authority, 
consistent with the authority we invoked to adopt analogous rules in 
the Second Caller ID Authentication Report and Order and our Call 
Blocking Orders. We seek comment on this proposal.
    115. In the Second Caller ID Authentication Report and Order, the 
Commission concluded ``section 251(e) gives us authority to prohibit 
intermediate providers and voice service providers from accepting 
traffic from both domestic and foreign voice service providers that do 
not appear in [the Robocall Mitigation Database],'' noting that its 
``exclusive jurisdiction over numbering policy provides authority to 
take action to prevent the

[[Page 59103]]

fraudulent abuse of NANP resources.'' The Commission observed that 
``[i]llegally spoofed calls exploit numbering resources whenever they 
transit any portion of the voice network--including the networks of 
intermediate providers'' and that ``preventing such calls from entering 
an intermediate provider's or terminating voice service provider's 
network is designed to protect consumers from illegally spoofed 
calls.'' The Commission also found that the Truth in Caller ID Act 
provided additional authority for our actions to protect voice service 
subscribers from illegally spoofed calls. We propose to conclude that 
section 251(e) and the Truth in Caller ID Act authorize us to prohibit 
intermediate providers and voice service providers from accepting 
traffic from gateway providers that do not appear in the Robocall 
Mitigation Database. The Commission also relied on the TRACED Act in 
adopting mitigation duties for voice service providers and we propose 
to conclude that it authorizes us to require voice service providers to 
submit additional information to the Robocall Mitigation Database.
    116. In the Fourth Call Blocking Order, the Commission required 
voice service providers ``to take affirmative, effective measures to 
prevent new and renewing customers from originating illegal calls,'' 
which includes a duty to ``know'' their customers. Additionally, the 
Commission required voice service providers, including intermediate 
providers, to ``take steps to effectively mitigate illegal traffic when 
notified by the Commission,'' which may require blocking when applied 
to gateway providers. The Commission also adopted traceback 
obligations. The Commission concluded that it had the authority to 
adopt these requirements pursuant to sections 201(b), 202(a), and 
251(e) of the Act, as well as the Truth in Caller ID Act and its 
ancillary authority. Sections 201(b) and 202(a) provide the Commission 
with ``broad authority to adopt rules governing just and reasonable 
practices of common carriers.'' Accordingly, the Commission found that 
the new blocking rules were ``clearly within the scope of our section 
201(b) and 202(a) authority'' and ``that it is essential that the rules 
apply to all voice service providers,'' applying its ancillary 
authority in section 4(i). The Commission also found that section 
251(e) and the Truth in Caller ID Act provided the basis ``to prescribe 
rules to prevent the unlawful spoofing of caller ID and abuse of NANP 
resources by all voice service providers,'' a category that includes 
VoIP providers and, in the context of our call blocking orders gateway 
providers. We believe that these same statutory provisions authorizing 
our current mitigation and blocking rules support the mandatory 
mitigation and blocking obligations we propose to impose on gateway 
providers here. Are there additional sources of authority that we 
should consider?
    117. We propose to find additional authority in section 7 of the 
TRACED Act. The Commission initiated a rulemaking to ``help protect a 
subscriber from receiving unwanted calls or text messages from a caller 
using an unauthenticated number'' in the Third Call Blocking Order and 
Further Notice of Proposed Rulemaking but declined to take further 
action in the Fourth Call Blocking Order. We believe that several of 
the proposals we make today would have the effect of protecting 
consumers from unwanted calls from unauthenticated numbers. In 
particular, we believe that our mandatory blocking and ``know-your-
customer'' proposals would further these goals. We seek comment on this 
belief. Is this an appropriate use of the authority granted in TRACED 
Act section 7? What should we consider, including the considerations 
listed in section 7(b) of the TRACED Act, in determining whether any 
rules we adopt are consistent with our authority under that section?
    118. While we propose to conclude that our direct sources of 
authority provide an ample basis to adopt our proposed rules on all 
gateway providers, we believe that our ancillary authority in section 
4(i) provides an independent basis to do so with respect to gateway 
providers that have not been classified as common carriers, and we seek 
comment on this view. We anticipate that the proposed regulations are 
``reasonably ancillary to the Commission's effective performance of its 
. . . responsibilities.'' Specifically, gateway providers 
interconnected with the public switched telephone network and 
exchanging IP traffic clearly constitutes ``communication by wire and 
radio.'' We believe that requiring gateway providers to comply with our 
proposed rules is reasonably ancillary to the Commission's effective 
performance of its statutory responsibilities under section 152(a), as 
well as reasonably ancillary to our exercise of authority under 
sections 201(b), 202(a), 251(e), and the Truth in Caller ID Act as 
described above. With respect to sections 201(b) and 202(a), absent 
application of our proposed rules to gateway providers that are not 
classified as common carriers, originators of international robocalls 
could circumvent our proposed scheme by sending calls only to such 
gateway providers to reach the U.S. market. We seek comment on this 
analysis.
    119. Indirect Effect on Foreign Service Providers. We propose to 
conclude that, to the extent any of the rules we seek to adopt today 
have an effect on foreign service providers, that effect is only 
indirect and therefore consistent with the Commission's authority. In 
the Second Caller ID Authentication Report and Order, the Commission 
acknowledged an indirect effect on foreign providers but concluded that 
it was permissible under past Commission precedent confirmed by the 
courts. This includes the authority, pursuant to section 201, for the 
Commission to require U.S. providers to modify their contracts with a 
foreign provider with respect to ``foreign communication'' to ensure 
that the charges and practices are ``just and reasonable.'' We seek 
comment on whether any of our proposed rules exceed the scope of our 
jurisdiction over foreign communications that enter the United States. 
We also seek comment on whether any of our proposed rules would be 
contrary to any of our international treaty obligations, other 
international laws and rules, or create a risk of foreign retaliation.

IV. Initial Regulatory Flexibility Analysis

    120. As required by the Regulatory Flexibility Act of 1980, as 
amended (RFA), the Commission has prepared this Initial Regulatory 
Flexibility Analysis (IRFA) of the possible significant economic impact 
on small entities by the policies and rules proposed in this FNPRM. The 
Commission requests written public comments on this IRFA. Comments must 
be identified as responses to the IRFA and must be filed by the 
deadlines for comments provided on the first page of the FNPRM. The 
Commission will send a copy of the FNPRM, including this IRFA, to the 
Chief Counsel for Advocacy of the Small Business Administration (SBA). 
In addition, the FNPRM and IRFA (or summaries thereof) will be 
published in the Federal Register.

A. Need for, and Objectives of, the Proposed Rules

    121. In order to continue the Commission's work combating illegal 
calls, this FNPRM proposes to impose several obligations on gateway 
providers. Specifically, the FNPRM proposes to require gateway 
providers to authenticate and employ robocall

[[Page 59104]]

mitigation techniques on all SIP calls that they allow into the United 
States from abroad that display a U.S. number in the caller ID field. 
The FNPRM also proposes that gateway providers should engage in 
robocall mitigation by (1) responding to all traceback requests from 
the Commission, law enforcement, and the industry traceback consortium 
within 24 hours; (2) complying with mandatory call blocking 
requirements; (3) complying with enhanced know-your-customer 
obligations; (4) complying with a general duty to mitigate illegal 
robocalls; and (5) filing a certification in the Robocall Mitigation 
Database. The Commission also proposes one blocking requirement for 
intermediate and terminating providers immediately downstream from the 
gateway provider, which would require those providers to block all 
traffic from a gateway provider that fails to block or effectively 
mitigate illegal traffic when notified of such traffic by the 
Commission.

B. Legal Basis

    122. The FNPRM proposes to find authority largely under those 
provisions through which it has previously adopted rules to stem the 
tide of robocalls in its Call Blocking and Call Authentication Orders. 
Specifically, the FNPRM proposes to find authority under sections 
201(a) and (b), 202(a), 251(e), the Truth in Caller ID Act, the TRACED 
Act and, where appropriate, ancillary authority. The FNPRM also 
proposes to conclude that, to the extent any of the rules we seek to 
adopt today have an effect on foreign service providers, that effect is 
only indirect and therefore consistent with the Commission's authority. 
The FNPRM solicits comment on these proposals.

C. Description and Estimate of the Number of Small Entities to Which 
the Proposed Rules Will Apply

    123. The RFA directs agencies to provide a description of and, 
where feasible, an estimate of the number of small entities that may be 
affected by the proposed rules and by the rule revisions on which the 
Notice seeks comment, if adopted. The RFA generally defines the term 
``small entity'' as having the same meaning as the terms ``small 
business,'' ``small organization,'' and ``small governmental 
jurisdiction.'' In addition, the term ``small business'' has the same 
meaning as the term ``small-business concern'' under the Small Business 
Act. A ``small-business concern'' is one which: (1) Is independently 
owned and operated; (2) is not dominant in its field of operation; and 
(3) satisfies any additional criteria established by the SBA.
1. Wireline Carriers
    124. Wired Telecommunications Carriers. The U.S. Census Bureau 
defines this industry as ``establishments primarily engaged in 
operating and/or providing access to transmission facilities and 
infrastructure that they own and/or lease for the transmission of 
voice, data, text, sound, and video using wired communications 
networks. Transmission facilities may be based on a single technology 
or a combination of technologies. Establishments in this industry use 
the wired telecommunications network facilities that they operate to 
provide a variety of services, such as wired telephony services, 
including VoIP services, wired (cable) audio and video programming 
distribution, and wired broadband internet services. By exception, 
establishments providing satellite television distribution services 
using facilities and infrastructure that they operate are included in 
this industry.'' The SBA has developed a small business size standard 
for Wired Telecommunications Carriers, which consists of all such 
companies having 1,500 or fewer employees. U.S. Census Bureau data for 
2012 show that there were 3,117 firms that operated that year. Of this 
total, 3,083 operated with fewer than 1,000 employees. Thus, under this 
size standard, the majority of firms in this industry can be considered 
small.
    125. Local Exchange Carriers (LECs). Neither the Commission nor the 
SBA has developed a size standard for small businesses specifically 
applicable to local exchange services. The closest applicable NAICS 
Code category is Wired Telecommunications Carriers. Under the 
applicable SBA size standard, such a business is small if it has 1,500 
or fewer employees. U.S. Census Bureau data for 2012 show that there 
were 3,117 firms that operated for the entire year. Of that total, 
3,083 operated with fewer than 1,000 employees. Thus under this 
category and the associated size standard, the Commission estimates 
that the majority of local exchange carriers are small entities.
    126. Incumbent LECs. Neither the Commission nor the SBA has 
developed a small business size standard specifically for incumbent 
local exchange services. The closest applicable NAICS Code category is 
Wired Telecommunications Carriers. Under the applicable SBA size 
standard, such a business is small if it has 1,500 or fewer employees. 
U.S. Census Bureau data for 2012 indicate that 3,117 firms operated the 
entire year. Of this total, 3,083 operated with fewer than 1,000 
employees. Consequently, the Commission estimates that most providers 
of incumbent local exchange service are small businesses that may be 
affected by our actions. According to Commission data, one thousand 
three hundred and seven (1,307) Incumbent Local Exchange Carriers 
reported that they were incumbent local exchange service providers. Of 
this total, an estimated 1,006 have 1,500 or fewer employees. Thus, 
using the SBA's size standard the majority of incumbent LECs can be 
considered small entities.
    127. Competitive Local Exchange Carriers (Competitive LECs), 
Competitive Access Providers (CAPs), Shared-Tenant Service Providers, 
and Other Local Service Providers. Neither the Commission nor the SBA 
has developed a small business size standard specifically for these 
service providers. The appropriate NAICS Code category is Wired 
Telecommunications Carriers and under that size standard, such a 
business is small if it has 1,500 or fewer employees. U.S. Census 
Bureau data for 2012 indicate that 3,117 firms operated during that 
year. Of that number, 3,083 operated with fewer than 1,000 employees. 
Based on these data, the Commission concludes that the majority of 
Competitive LECS, CAPs, Shared-Tenant Service Providers, and Other 
Local Service Providers, are small entities. According to Commission 
data, 1,442 carriers reported that they were engaged in the provision 
of either competitive local exchange services or competitive access 
provider services. Of these 1,442 carriers, an estimated 1,256 have 
1,500 or fewer employees. In addition, 17 carriers have reported that 
they are Shared-Tenant Service Providers, and all 17 are estimated to 
have 1,500 or fewer employees. Also, 72 carriers have reported that 
they are Other Local Service Providers. Of this total, 70 have 1,500 or 
fewer employees. Consequently, based on internally researched FCC data, 
the Commission estimates that most providers of competitive local 
exchange service, competitive access providers, Shared-Tenant Service 
Providers, and Other Local Service Providers are small entities.
    128. We have included small incumbent LECs in this present RFA 
analysis. As noted above, a ``small business'' under the RFA is one 
that, inter alia, meets the pertinent small-business size standard 
(e.g., a telephone communications business having 1,500 or fewer 
employees) and ``is not dominant in its field of operation.'' The SBA's 
Office of Advocacy contends that, for RFA purposes, small incumbent

[[Page 59105]]

LECs are not dominant in their field of operation because any such 
dominance is not ``national'' in scope. We have therefore included 
small incumbent LECs in this RFA analysis, although we emphasize that 
this RFA action has no effect on Commission analyses and determinations 
in other, non-RFA contexts.
    129. Interexchange Carriers (IXCs). Neither the Commission nor the 
SBA has developed a small business size standard specifically for 
Interexchange Carriers. The closest applicable NAICS Code category is 
Wired Telecommunications Carriers. The applicable size standard under 
SBA rules is that such a business is small if it has 1,500 or fewer 
employees. U.S. Census Bureau data for 2012 indicate that 3,117 firms 
operated for the entire year. Of that number, 3,083 operated with fewer 
than 1,000 employees. According to internally developed Commission 
data, 359 companies reported that their primary telecommunications 
service activity was the provision of interexchange services. Of this 
total, an estimated 317 have 1,500 or fewer employees. Consequently, 
the Commission estimates that the majority of interexchange service 
providers are small entities.
    130. Cable System Operators (Telecom Act Standard). The 
Communications Act of 1934, as amended (the Act), also contains a size 
standard for small cable system operators, which is ``a cable operator 
that, directly or through an affiliate, serves in the aggregate fewer 
than one percent of all subscribers in the United States and is not 
affiliated with any entity or entities whose gross annual revenues in 
the aggregate exceed $250,000,000.'' As of 2018, there were 
approximately 50,504,624 cable video subscribers in the United States. 
Accordingly, an operator serving fewer than 505,046 subscribers shall 
be deemed a small operator if its annual revenues, when combined with 
the total annual revenues of all its affiliates, do not exceed $250 
million in the aggregate. We note that the Commission neither requests 
nor collects information on whether cable system operators are 
affiliated with entities whose gross annual revenues exceed $250 
million. Therefore we are unable at this time to estimate with greater 
precision the number of cable system operators that would qualify as 
small cable operators under the definition in the Act.
    131. Other Toll Carriers. Neither the Commission nor the SBA has 
developed a size standard for small businesses specifically applicable 
to other toll carriers. This category includes toll carriers that do 
not fall within the categories of interexchange carriers, operator 
service providers, prepaid calling card providers, satellite service 
carriers, or toll resellers. The closest applicable size standard under 
SBA rules is for Wired Telecommunications Carriers. The U.S. Census 
Bureau defines this industry as ``establishments primarily engaged in 
operating and/or providing access to transmission facilities and 
infrastructure that they own and/or lease for the transmission of 
voice, data, text, sound, and video using wired communications 
networks. Transmission facilities may be based on a single technology 
or a combination of technologies. Establishments in this industry use 
the wired telecommunications network facilities that they operate to 
provide a variety of services, such as wired telephony services, 
including VoIP services, wired (cable) audio and video programming 
distribution, and wired broadband internet services. By exception, 
establishments providing satellite television distribution services 
using facilities and infrastructure that they operate are included in 
this industry.'' Under that size standard, such a business is small if 
it has 1,500 or fewer employees. Census data for 2012 show that there 
were 3,117 firms that operated that year. Of this total, 3,083 operated 
with fewer than 1,000 employees. Thus, under this category and the 
associated small business size standard, the majority of other toll 
carriers can be considered small.
2. Wireless Carriers
    132. Wireless Telecommunications Carriers (except Satellite). This 
industry comprises establishments engaged in operating and maintaining 
switching and transmission facilities to provide communications via the 
airwaves. Establishments in this industry have spectrum licenses and 
provide services using that spectrum, such as cellular services, paging 
services, wireless internet access, and wireless video services. The 
appropriate size standard under SBA rules is that such a business is 
small if it has 1,500 or fewer employees. For this industry, U.S. 
Census Bureau data for 2012 show that there were 967 firms that 
operated for the entire year. Of this total, 955 firms employed fewer 
than 1,000 employees and 12 firms employed of 1,000 employees or more. 
Thus under this category and the associated size standard, the 
Commission estimates that the majority of wireless telecommunications 
carriers (except satellite) are small entities.
    133. The Commission's own data--available in its Universal 
Licensing System--indicate that, as of August 31, 2018 there are 265 
Cellular licensees that will be affected by our actions. The Commission 
does not know how many of these licensees are small, as the Commission 
does not collect that information for these types of entities. 
Similarly, according to internally developed Commission data, 413 
carriers reported that they were engaged in the provision of wireless 
telephony, including cellular service, Personal Communications Service 
(PCS), and Specialized Mobile Radio (SMR) Telephony services. Of this 
total, an estimated 261 have 1,500 or fewer employees, and 152 have 
more than 1,500 employees. Thus, using available data, we estimate that 
the majority of wireless firms can be considered small.
    134. Satellite Telecommunications. This category comprises firms 
``primarily engaged in providing telecommunications services to other 
establishments in the telecommunications and broadcasting industries by 
forwarding and receiving communications signals via a system of 
satellites or reselling satellite telecommunications.'' Satellite 
telecommunications service providers include satellite and earth 
station operators. The category has a small business size standard of 
$35 million or less in average annual receipts, under SBA rules. For 
this category, U.S. Census Bureau data for 2012 show that there were a 
total of 333 firms that operated for the entire year. Of this total, 
299 firms had annual receipts of less than $25 million. Consequently, 
we estimate that the majority of satellite telecommunications providers 
are small entities.
3. Resellers
    135. Local Resellers. The SBA has not developed a small business 
size standard specifically for Local Resellers. The SBA category of 
Telecommunications Resellers is the closest NAICs code category for 
local resellers. The Telecommunications Resellers industry comprises 
establishments engaged in purchasing access and network capacity from 
owners and operators of telecommunications networks and reselling wired 
and wireless telecommunications services (except satellite) to 
businesses and households. Establishments in this industry resell 
telecommunications; they do not operate transmission facilities and 
infrastructure. Mobile virtual network operators (MVNOs) are included 
in this industry. Under the SBA's size

[[Page 59106]]

standard, such a business is small if it has 1,500 or fewer employees. 
U.S. Census Bureau data from 2012 show that 1,341 firms provided resale 
services during that year. Of that number, all operated with fewer than 
1,000 employees. Thus, under this category and the associated small 
business size standard, the majority of these resellers can be 
considered small entities. According to Commission data, 213 carriers 
have reported that they are engaged in the provision of local resale 
services. Of these, an estimated 211 have 1,500 or fewer employees and 
two have more than 1,500 employees. Consequently, the Commission 
estimates that the majority of local resellers are small entities.
    136. Toll Resellers. The Commission has not developed a definition 
for Toll Resellers. The closest NAICS Code Category is 
Telecommunications Resellers. The Telecommunications Resellers industry 
comprises establishments engaged in purchasing access and network 
capacity from owners and operators of telecommunications networks and 
reselling wired and wireless telecommunications services (except 
satellite) to businesses and households. Establishments in this 
industry resell telecommunications; they do not operate transmission 
facilities and infrastructure. MVNOs are included in this industry. The 
SBA has developed a small business size standard for the category of 
Telecommunications Resellers. Under that size standard, such a business 
is small if it has 1,500 or fewer employees. 2012 Census Bureau data 
show that 1,341 firms provided resale services during that year. Of 
that number, 1,341 operated with fewer than 1,000 employees. Thus, 
under this category and the associated small business size standard, 
the majority of these resellers can be considered small entities. 
According to Commission data, 881 carriers have reported that they are 
engaged in the provision of toll resale services. Of this total, an 
estimated 857 have 1,500 or fewer employees. Consequently, the 
Commission estimates that the majority of toll resellers are small 
entities.
    137. Prepaid Calling Card Providers. Neither the Commission nor the 
SBA has developed a small business definition specifically for prepaid 
calling card providers. The most appropriate NAICS code-based category 
for defining prepaid calling card providers is Telecommunications 
Resellers. This industry comprises establishments engaged in purchasing 
access and network capacity from owners and operators of 
telecommunications networks and reselling wired and wireless 
telecommunications services (except satellite) to businesses and 
households. Establishments in this industry resell telecommunications; 
they do not operate transmission facilities and infrastructure. Mobile 
virtual networks operators (MVNOs) are included in this industry. Under 
the applicable SBA size standard, such a business is small if it has 
1,500 or fewer employees. U.S. Census Bureau data for 2012 show that 
1,341 firms provided resale services during that year. Of that number, 
1,341 operated with fewer than 1,000 employees. Thus, under this 
category and the associated small business size standard, the majority 
of these prepaid calling card providers can be considered small 
entities. According to Commission data, 193 carriers have reported that 
they are engaged in the provision of prepaid calling cards. All 193 
carriers have 1,500 or fewer employees. Consequently, the Commission 
estimates that the majority of prepaid calling card providers are small 
entities that may be affected by these rules.
4. Other Entities
    138. All Other Telecommunications. The ``All Other 
Telecommunications'' category is comprised of establishments primarily 
engaged in providing specialized telecommunications services, such as 
satellite tracking, communications telemetry, and radar station 
operation. This industry also includes establishments primarily engaged 
in providing satellite terminal stations and associated facilities 
connected with one or more terrestrial systems and capable of 
transmitting telecommunications to, and receiving telecommunications 
from, satellite systems. Establishments providing internet services or 
voice over internet protocol (VoIP) services via client-supplied 
telecommunications connections are also included in this industry. The 
SBA has developed a small business size standard for ``All Other 
Telecommunications'', which consists of all such firms with annual 
receipts of $35 million or less. For this category, U.S. Census Bureau 
data for 2012 show that there were 1,442 firms that operated for the 
entire year. Of those firms, a total of 1,400 had annual receipts less 
than $25 million and 15 firms had annual receipts of $25 million to 
$49,999,999. Thus, the Commission estimates that the majority of ``All 
Other Telecommunications'' firms potentially affected by our action can 
be considered small.

D. Description of Projected Reporting, Recordkeeping, and Other 
Compliance Requirements for Small Entities

    139. The FNPRM proposes to impose several obligations on gateway 
providers, many of whom may be small entities. Specifically, we propose 
to require gateway providers to authenticate and employ robocall 
mitigation techniques on all SIP calls that they allow into the United 
States from abroad that display a U.S. number in the caller ID field. 
The FNPRM also proposes that gateway providers should engage in 
robocall mitigation by (1) responding to all traceback requests from 
the Commission, law enforcement, and the industry traceback consortium 
within 24 hours; (2) complying with mandatory call blocking 
requirements; (3) complying with enhanced know-your-customer 
obligations; (4) complying with a general duty to mitigate illegal 
robocalls; and (5) filing a certification in the Robocall Mitigation 
Database. The FNPRM also proposes one blocking requirement for 
intermediate and terminating providers immediately downstream from the 
gateway provider, which would require those providers to block all 
traffic from a gateway provider that fails to block or effectively 
mitigate illegal traffic when notified of such traffic by the 
Commission. This proposal may also cover small entities.

E. Steps Taken To Minimize the Significant Economic Impact on Small 
Entities, and Significant Alternatives Considered

    140. The RFA requires an agency to describe any significant 
alternatives that it has considered in reaching its proposed approach, 
which may include the following four alternatives (among others): (1) 
The establishment of differing compliance or reporting requirements or 
timetables that take into account the resources available to small 
entities; (2) the clarification, consolidation, or simplification of 
compliance and reporting requirements under the rules for such small 
entities; (3) the use of performance rather than design standards; and 
(4) an exemption from coverage of the rule, or any part thereof, for 
such small entities.
    141. The FNPRM seeks comment on the particular impacts that the 
proposed rules may have on small entities. The FNPRM seeks comment on 
whether the costs of the proposed gateway provider authentication 
requirement may vary by provider, including those providers that have 
not yet implemented STIR/SHAKEN, such as small voice service providers. 
The FNPRM also seeks

[[Page 59107]]

comment on the burdens on ``small gateway providers'' of a 24-hour 
traceback requirement. It also seeks comment on the impact on small 
businesses whose traffic may be blocked under our proposed blocking 
rules and know your customer obligations. The FNPRM also seeks comment 
on whether a general mitigation approach may make compliance more 
difficult for small entities.

F. Federal Rules That May Duplicate, Overlap, or Conflict With the 
Proposed Rules

    142. None.

V. Procedural Matters

    143. Initial Regulatory Flexibility Analysis. As required by the 
Regulatory Flexibility Act, the Commission has prepared an Initial 
Regulatory Flexibility Analysis (IRFA) of the possible significant 
economic impact on small entities of the policies and rules addressed 
in this FNPRM. Written public comments are requested on the IRFA. 
Comments must be filed by the deadlines for comments on the FNPRM 
indicated on the first page of this document and must have a separate 
and distinct heading designating them as responses to the IRFA. The 
Commission's Consumer and Governmental Affairs Bureau, Reference 
Information Center, will send a copy of this FNPRM, including the IRFA, 
to the Chief Counsel for Advocacy of the SBA.
    144. Paperwork Reduction Act. The FNPRM contains proposed new 
information collection requirements. The Commission, as part of its 
continuing effort to reduce paperwork burdens, invites the general 
public and OMB to comment on the information collection requirements 
contained in this document, as required by the Paperwork Reduction Act 
of 1995, Public Law 104-13. In addition, pursuant to the Small Business 
Paperwork Relief Act of 2002, Public Law 107-198, see 44 U.S.C 
3506(c)(4), we seek specific comment on how we might further reduce the 
information collection burden for small business concerns with fewer 
than 25 employees.
    145. Ex Parte Presentations--Permit-But-Disclose. The proceeding 
this FNPRM initiates shall be treated as a ``permit-but-disclose'' 
proceeding in accordance with the Commission's ex parte rules. Persons 
making ex parte presentations must file a copy of any written 
presentation or a memorandum summarizing any oral presentation within 
two business days after the presentation (unless a different deadline 
applicable to the Sunshine period applies). Persons making oral ex 
parte presentations are reminded that memoranda summarizing the 
presentation must (1) list all persons attending or otherwise 
participating in the meeting at which the ex parte presentation was 
made, and (2) summarize all data presented and arguments made during 
the presentation. If the presentation consisted in whole or in part of 
the presentation of data or arguments already reflected in the 
presenter's written comments, memoranda or other filings in the 
proceeding, the presenter may provide citations to such data or 
arguments in his or her prior comments, memoranda, or other filings 
(specifying the relevant page and/or paragraph numbers where such data 
or arguments can be found) in lieu of summarizing them in the 
memorandum. Documents shown or given to Commission staff during ex 
parte meetings are deemed to be written ex parte presentations and must 
be filed consistent with Sec.  1.1206(b) of the Commission's rules. In 
proceedings governed by Sec.  1.49(f) of the Commission's rules or for 
which the Commission has made available a method of electronic filing, 
written ex parte presentations and memoranda summarizing oral ex parte 
presentations, and all attachments thereto, must be filed through the 
electronic comment filing system available for that proceeding, and 
must be filed in their native format (e.g., .doc, .xml, .ppt, 
searchable .pdf). Participants in this proceeding should familiarize 
themselves with the Commission's ex parte rules.

VI. Ordering Clauses

    146. Accordingly, IT IS ORDERED, pursuant to sections 4(i), 4(j), 
201, 202, 217, 227, 227b, 251(e), 303(r), and 403 of the Communications 
Act of 1934, as amended, 47 U.S.C. 154(i), 154(j), 201, 202, 217, 227, 
227b, 251(e), 303(r), 403, that this Further Notice of Proposed 
Rulemaking is adopted.
    147. It is further ordered that the Commission's Consumer and 
Governmental Affairs Bureau, Reference information Center, SHALL SEND a 
copy of this Further Notice of Proposed Rulemaking, including the 
Initial Regulatory Flexibility Analysis (IRFA), to the Chief Counsel 
for Advocacy of the Small Business Administration.

List of Subjects in 47 CFR Part 64

    Carrier equipment, Communications common carriers, Reporting and 
recordkeeping requirements, Telecommunications, Telephone.

Federal Communications Commission.
Katura Jackson,
Federal Register Liaison Officer.

Proposed Rules

    For the reasons discussed in the preamble, the Federal 
Communications Commission proposes to amend 47 CFR part 64 as follows:

0
1. The authority for part 64 continues to read as follows:

    Authority:  47 U.S.C. 151, 152, 154, 201, 202, 217, 218, 220, 
222, 225, 226, 227, 227b, 228, 251(a), 251(e), 254(k), 262, 276, 
403(b)(2)(B), (c), 616, 620, 1401-1473, unless otherwise noted; Pub. 
L. 115-141, Div. P, sec. 503, 132 Stat. 348, 1091.

0
2. Amend Sec.  64.1200 by adding new paragraph (f)(19), revising 
paragraphs (n)(1) through (3), adding paragraphs (o) and (p) to read as 
follows:


Sec.  64.1200  Delivery restrictions.

* * * * *
    (f) * * *
    (19) The term gateway provider means the first U.S.-based 
intermediate provider in the call path of a foreign-originated call 
that transmits the call directly to another intermediate provider or a 
terminating voice service provider in the United States.
* * * * *
    (n) * * *
    (1) Respond fully and in a timely manner to all traceback requests 
from the Commission, civil law enforcement, criminal law enforcement, 
and the industry traceback consortium. Where the voice service provider 
is a gateway provider, it must respond within 24 hours of receipt of 
such a request;
    (2) Take affirmative, effective measures to prevent new and 
renewing customers from using its network to originate illegal calls, 
including knowing its customers and exercising due diligence in 
ensuring that its services are not used to originate illegal traffic; 
and,
    (3) Take steps to effectively mitigate illegal traffic when it 
receives actual written notice of such traffic from the Commission 
through its Enforcement Bureau.
    (i) In providing notice, the Enforcement Bureau shall identify with 
as much particularity as possible the suspected traffic; provide the 
basis for the Enforcement Bureau's reasonable belief that the 
identified traffic is unlawful; cite the statutory or regulatory 
provisions the suspected traffic appears to violate; and direct the 
voice service provider receiving the notice that it must comply with 
this section;
    (ii) Each notified provider must promptly investigate the 
identified

[[Page 59108]]

traffic. Each notified provider must then promptly report the results 
of its investigation to the Enforcement Bureau, including any steps the 
provider has taken to effectively mitigate the identified traffic or an 
explanation as to why the provider has reasonably concluded that the 
identified calls were not illegal and what steps it took to reach that 
conclusion. Should the notified provider find that the traffic comes 
from an upstream provider with direct access to the U.S. Public 
Switched Telephone Network, that provider must promptly inform the 
Enforcement Bureau of the source of the traffic and, if possible, take 
steps to mitigate this traffic;
    (iii) If the notified provider is a gateway provider, that provider 
must, after conducting the investigation described in paragraph (ii) of 
this section, promptly block all traffic associated with the traffic 
pattern identified in the Enforcement Bureau's notice; and
    (iv) Should a gateway provider fail to comply with the requirements 
of paragraph (iii) of this section, the Commission, through its 
Enforcement Bureau, may send a notice to all providers immediately 
downstream from the gateway provider in the call path. Upon receipt of 
such notice, all providers must promptly block all traffic from the 
identified gateway provider.
    (o) A gateway provider must block calls that it reasonably 
determines, based on reasonable analytics that include consideration of 
caller ID authentication information where available, that calls are 
part of a call pattern that is highly likely to be illegal.
    (1) The gateway provider must manage this blocking with human 
oversight and network monitoring sufficient to ensure that it blocks 
only calls that are highly likely to be illegal, which must include a 
process that reasonably determines that the particular call pattern is 
highly likely to be illegal before initiating blocking of calls that 
are part of that pattern.
    (2) The gateway provider ceases blocking calls that are part of the 
call pattern as soon as the gateway provider has actual knowledge that 
the blocked calls are likely lawful;
    (3) All analytics are applied in a non-discriminatory, 
competitively neutral manner.
    (p) A gateway provider must confirm that the originator of a high 
volume of foreign-originated calls that use a U.S. North American 
Numbering Plan number in the caller ID field is authorized to use that 
number to originate calls.
0
3. Amend Sec.  64.6300 by redesignating paragraphs (d) through (1) as 
paragraphs (e) through (m) and adding new paragraph (d) to read as 
follows:


Sec.  64.6300  Definitions.

* * * * *
    (d) Gateway Provider. The term ``gateway provider'' means the first 
U.S.-based intermediate provider in the call path of a foreign-
originated call that transmits the call directly to another 
intermediate provider or a terminating voice service provider in the 
United States.
* * * * *
0
4. Amend Sec.  64.6305 by revising paragraph (a) introductory text, 
redesignating paragraphs (b) and (c) as paragraphs (c) and (e), 
respectively, and by adding new paragraphs (b) and (d) to read as 
follows:


Sec.  64.6305  Robocall mitigation and certification.

    (a) Robocall mitigation program requirements for voice service 
providers.
* * * * *
    (b) Robocall mitigation program requirements for gateway providers.
    (1) Each gateway provider shall implement an appropriate robocall 
mitigation program with respect to calls that use North American 
Numbering Plan resources that pertain to the United States.
    (2) Any robocall mitigation program implemented pursuant to 
paragraph (b)(1) of this section shall include reasonable steps to 
avoid carrying or processing illegal robocall traffic and shall include 
a commitment to respond fully and within 24 hours to all traceback 
requests from the Commission, law enforcement, and the industry 
traceback consortium, and to cooperate with such entities in 
investigating and stopping any illegal robocallers that use its service 
to carry or process calls.
    (c) Certification by voice service providers in the Robocall 
Mitigation Database.
    (1) Not later than June 30, 2021, a voice service provider, 
regardless of whether it is subject to an extension granted under Sec.  
64.6304, shall certify to one of the following:
    (i) It has fully implemented the STIR/SHAKEN authentication 
framework across its entire network and all calls it originates are 
compliant with Sec.  64.6301(a)(1) and (2);
    (ii) It has implemented the STIR/SHAKEN authentication framework on 
a portion of its network and calls it originates on that portion of its 
network are compliant with Sec.  64.6301(a)(1) and (2), and the 
remainder of the calls that originate on its network are subject to a 
robocall mitigation program consistent with paragraph (a) of this 
section; or
    (iii) It has not implemented the STIR/SHAKEN authentication 
framework on any portion of its network, and all of the calls that 
originate on its network are subject to a robocall mitigation program 
consistent with paragraph (a) of this section.
    (2) A voice service provider that certifies that some or all of the 
calls that originate on its network are subject to a robocall 
mitigation program consistent with paragraph (a) of this section shall 
include the following information in its certification:
    (i) Identification of the type of extension or extensions the voice 
service provider received under Sec.  64.6304, if the voice service 
provider is not a foreign voice service provider;
    (ii) The specific reasonable steps the voice service provider has 
taken to avoid originating illegal robocall traffic as part of its 
robocall mitigation program; and
    (iii) A statement of the voice service provider's commitment to 
respond fully and in a timely manner to all traceback requests from the 
Commission, law enforcement, and the industry traceback consortium, and 
to cooperate with such entities in investigating and stopping any 
illegal robocallers that use its service to originate calls.
    (3) All certifications made pursuant to paragraphs (c)(1) and (2) 
of this section shall:
    (i) Be filed in the appropriate portal on the Commission's website; 
and
    (ii) Be signed by an officer in conformity with 47 CFR 1.16.
    (4) A voice service provider filing a certification shall submit 
the following information in the appropriate portal on the Commission's 
website.
    (i) The voice service provider's business name(s) and primary 
address;
    (ii) Other business names in use by the voice service provider;
    (iii) All business names previously used by the voice service 
provider;
    (iv) Whether the voice service provider is a foreign voice service 
provider; and
    (v) The name, title, department, business address, telephone 
number, and email address of one person within the company responsible 
for addressing robocall mitigation-related issues.
    (5) A voice service provider shall update its filings within 10 
business days of any change to the information it must provide pursuant 
to paragraphs (c)(2) through (4) of this section.
    (i) A voice service provider or intermediate provider that has been 
aggrieved by a Governance Authority

[[Page 59109]]

decision to revoke that voice service provider's or intermediate 
provider's SPC token need not update its filing on the basis of that 
revocation until the sixty (60) day period to request Commission 
review, following completion of the Governance Authority's formal 
review process, pursuant to Sec.  64.6308(b)(1) expires or, if the 
aggrieved voice service provider or intermediate provider files an 
appeal, until ten business days after the Wireline Competition Bureau 
releases a final decision pursuant to Sec.  64.6308(d)(1).
    (ii) If a voice service provider or intermediate provider elects 
not to file a formal appeal of the Governance Authority decision to 
revoke that voice service provider's or intermediate provider's SPC 
token, the provider need not update its filing on the basis of that 
revocation until the thirty (30) day period to file a formal appeal 
with the Governance Authority Board expires.
    (d) Certification by gateway providers in the Robocall Mitigation 
Database.
    (1) Not later than March 1, 2023, a gateway provider shall certify 
that it has fully implemented the STIR/SHAKEN authentication framework 
across its entire network and all calls it carries or processes are 
compliant with Sec.  64.6302(a) and (c);
    (2) A gateway provider shall include the following information in 
its certification:
    (i) The specific reasonable steps the gateway provider has taken to 
avoid carrying or processing illegal robocall traffic as part of its 
robocall mitigation program; and
    (ii) A statement of the gateway provider's commitment to respond 
fully and within 24 hours to all traceback requests from the 
Commission, law enforcement, and the industry traceback consortium, and 
to cooperate with such entities in investigating and stopping any 
illegal robocallers that use its service to carry or process calls.
    (3) All certifications made pursuant to paragraph (d)(1) of this 
section shall:
    (i) Be filed in the appropriate portal on the Commission's website; 
and
    (ii) Be signed by an officer in conformity with 47 CFR 1.16.
    (4) A gateway provider filing a certification shall submit the 
following information in the appropriate portal on the Commission's 
website.
    (i) The gateway provider's business name(s) and primary address;
    (ii) Other business names in use by the gateway provider;
    (iii) All business names previously used by the gateway provider;
    (iv) Whether the gateway provider or any affiliate is also a 
foreign voice service provider; and
    (v) The name, title, department, business address, telephone 
number, and email address of one person within the company responsible 
for addressing robocall mitigation-related issues.
    (5) A gateway provider shall update its filings within 10 business 
days of any change to the information it must provide pursuant to 
paragraphs (d)(2) through (4) of this section, subject to the 
conditions set forth in paragraphs (c)(5)(i)-(ii) of this section.
    (e) Intermediate provider and voice service provider obligations.
    (1) Beginning September 28, 2021, intermediate providers and voice 
service providers shall accept calls directly from a voice service 
provider, including a foreign voice service provider that uses North 
American Numbering Plan resources that pertain to the United States to 
send voice traffic to residential or business subscribers in the United 
States, only if that voice service provider's filing appears in the 
Robocall Mitigation Database in accordance with paragraph (c) of this 
section.
    (2) Additional intermediate provider and voice service provider 
obligations. Beginning ninety days after the deadline for filing 
certifications pursuant to paragraph (d) of this section, intermediate 
providers and voice service providers shall accept calls directly from 
a gateway provider only if that gateway provider's filing appears in 
the Robocall Mitigation Database in accordance with paragraph (d) of 
this section.

[FR Doc. 2021-23164 Filed 10-25-21; 8:45 am]
BILLING CODE 6712-01-P