Understand STIR-SHAKEN and know about the obligations you may have under its rules
STIR-SHAKEN is really two things: a technology and a policy.
STIR/SHAKEN is a technology framework designed to reduce illegal robocalls. STIR stands for Secure Telephony Identity Revisited. SHAKEN stands for Secure Handling of Asserted information using toKENs. STIR/SHAKEN combines a trusted Caller ID authentication process along with the introduction of an automated traceback capability.
STIR-SHAKEN is also a policy, created by the U.S. government and implemented through a series of rules for the purpose of stopping illegal robocalls from reaching U.S.-based called parties. The policy creates a new U.S. regulator – the Industry Traceback Group – to work with carriers to trace illegal robocalls back to the originating carrier.
STIR-SHAKEN generally applies to carriers originating, transporting and terminating IP-based calls to the U.S. when those originating and terminating phone numbers are associated with a U.S. state or territory, i.e., the United States and are in the North American Numbering Plan Format 1+(NPA)(NXX)(XXXX).
While this may seem surprising to many non-U.S. carriers, STIR-SHAKEN rules apply and obligations extend to the relationship between U.S. carriers and many foreign carriers.
The FCC’s rule to register in the Robocall Mitigation Database and to file an Robocall Mitigation Plan (“RMP”) covering all calls you originate but for which you do not create a STIR-SHAKEN header applies to what the FCC calls a “voice service provider” (“VSP”). Is your company a VSP? Ask yourself a few questions: Do you:
If you answered “No” to one or more of these questions, you may not be subject to the FCC’s STIR-SHAKEN Rules.
However, if you answered “Yes” to these two questions, then you are likely subject to the FCC’s STIR-SHAKEN Rules for those calls subject to the STIR-SHAKEN Rules, so please keep reading.
Registering as a Voice Service Provider with the FCC
By June 30, 2021, you must register as a Voice Service Provider (“VSP”) with the FCC. Certifications, identification information, and contact information must be submitted via a portal on the FCC’s website.
As a VSP, beginning June 30, 2021, you must assist the FCC, ITG, or other authorized U.S. entity in inquiries regarding illegal robocalls you may have (knowingly or unknowingly) originated, transmitted, or terminated, and you need to undertake good faith efforts to ensure that you are not willfully transmitting such calls. If you are subject to the STIR-SHAKEN Rules, you must abide by them: failure to do so may result in U.S. carriers being absolutely prohibited from receiving voice service traffic from you.
Of equal importance when you register as a VSP, you must also certify to the FCC as to whether all, some or none of your voice service calls originated on your IP network are signed by you using STIR-SHAKEN protocols. What does it mean to sign calls using STIR-SHAKEN protocols? We’ll discuss that below. But first, let’s assume that at least initially, none or at least some of your voice service calls will be signed. If less than all of your voice service calls are signed using STIR-SHAKEN protocols, these unsigned calls are subject to what the FCC calls a Robocall Mitigation Program. A RMP is, essentially, an explanation of the steps you are taking to ensure that you are not originating illegal robocalls. One way may be through knowing your customers and the traffic they originate. Other ways may be through studying the traffic you originate and looking for indicators of illegal robocalls. If you look on the FCC’s registration website, you will see many carriers that have filed RMPs. A review of these plans may provide suggestions for you to adopt into your own RMP.
A critical component of a RMP is your stated commitment to respond fully and in a timely manner to requests from the FCC, ITG or other authorized U.S. entity. When thinking about signing your calls using STIR-SHAKEN protocols and developing an RMP, keep in mind the FCC’s stated goal: that the only voice traffic to traverse voice networks in the U.S. is from those voice service providers that have either fully implemented STIR-SHAKEN on their entire networks or that have implemented a RMP on those portions of their networks that are not STIR-SHAKEN-enabled.
Certifications, identification information, and contact information must be submitted as part of your RMP via a portal on the FCC’s website here on or before June 30, 2021. Instructions for submitting a certification and this information can be found here. VSPs must submit any necessary updates because of changes to their certification, identification information, or contact information to the Commission within 10 business days of the change.
The Robocall Mitigation Database is available on the Commission’s website here.
A list of VSPs that have submitted certifications, may be downloaded from here.
When a call is made, a SIP invite is initiated by the calling party. The originating voice service provider receives it and checks the source of the call and calling number to determine the attestation level.
The originating service provider – either on its own or via a third-party authentication service – creates an encrypted SIP identity header that includes:
Then, the SIP Invite, along with the SIP identity header, is sent to the intermediate or terminating provider, who – either on its own or via a third-party service – attempts to verify the SIP invite.
In a STIR-SHAKEN call, the originating service provider attests via data in the SIP header to their relationship with the caller and the caller’s right to use the calling number. One part of the data is the Attestation level. There are three levels of attestation that can be applied to a call:
Full or “A” Attestation:
The voice service provider knows the end-user customer and their right to use the phone number.
Partial or “B” Attestation:
The voice service provider knows the end-user customer but not the source of the phone number.
Gateway or “C” Attestation:
The service provider has originated the call onto the network but cannot authenticate the call source e.g., international gateway.
Once a call has been given an Attestation level, that level may not be changed by another carrier.
To become authorized to implement SIP Headers with an Attestation Level, a voice service provider must file an application with the Secure Telephone Identity Policy Administrator (“STI-PA”). The STI-PA is a company called “iconectiv” and the information they provide on how to obtain a Service Provider Account is found here
The Service Provider Token Access Policy requires that Voice Service Providers seeking to register also meet three criteria:
You can file for an FCC 499A from this page
You can obtain an OCN from this page (If you are not a telephone company, you can apply for an IP Enabled Service OCN (“IPES OCN“))
We have discussed the requirements for #3 above in this article.
If you are not in compliance with the FCC’s STIR-SHAKEN Rules – specifically, if you are not registered with the FCC and with (at least) a RMP on file as discussed above – beginning September 28, 2021, for those calls you originate that are subject to the FCC’s STIR-SHAKEN Rules, no voice service provider will be able to accept these calls for termination in the U.S. because it will be a violation of U.S. law to do so.
If you are registered with the FCC and have a RMP on file, we will be able to accept your calls after September 28, 2021: we will assign them the appropriate Attestation level. There are some additional things IDT can do to help you to comply with the FCC’s STIR-SHAKEN Rules. We cannot be your legal counsel; we cannot help you fill out forms and we cannot provide legal advice. If you would like to better understand what we can do for you, contact IDT Express sales team.