Advanced Methods To Target and Eliminate Unlawful Robocalls, Call Authentication Trust Anchor

Published date26 October 2021
Citation86 FR 59084
Record Number2021-23164
SectionProposed rules
CourtFederal Communications Commission
Federal Register, Volume 86 Issue 204 (Tuesday, October 26, 2021)
[Federal Register Volume 86, Number 204 (Tuesday, October 26, 2021)]
                [Proposed Rules]
                [Pages 59084-59109]
                From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
                [FR Doc No: 2021-23164]
                =======================================================================
                -----------------------------------------------------------------------
                FEDERAL COMMUNICATIONS COMMISSION
                47 CFR Part 64
                [CG Docket No. 17-59, WC Docket No. 17-97; FCC 21-105; FR ID 53781]
                Advanced Methods To Target and Eliminate Unlawful Robocalls, Call
                Authentication Trust Anchor
                AGENCY: Federal Communications Commission.
                ACTION: Proposed rule.
                -----------------------------------------------------------------------
                SUMMARY: In this document, the Commission adopted a Further Notice of
                Proposed Rulemaking that proposes and seeks comment on a number of
                actions aimed at stopping illegal robocalls from entering U.S.
                networks. The document proposes to require gateway providers to apply
                STIR/SHAKEN caller ID authentication to, and perform robocall
                mitigation on, foreign-originated calls with U.S. numbers. It also
                proposes and seeks comment on a number of additional requirements to
                ensure that gateway providers take steps to prevent foreign-originated
                calls from entering the U.S. network.
                DATES: Comments are due on or before November 26, 2021, and reply
                comments are due on or before December 27, 2021. Written comments on
                the Paperwork Reduction Act proposed information collection
                requirements must be submitted by the public, Office of Management and
                Budget (OMB), and other interested parties on or before December 27,
                2021.
                ADDRESSES: Pursuant to Sec. Sec. 1.415 and 1.419 of the Commission's
                rules, 47 CFR 1.415, 1.419, interested parties may file comments and
                reply comments on or before the dates indicated in this document.
                Comments and reply comments may be filed using the Commission's
                Electronic Comment Filing System (ECFS). See Electronic Filing of
                Documents in Rulemaking Proceedings, 63 FR 24121 (1998). Interested
                parties may file comments or reply comments, identified by CG Docket
                No. 17-59 and WC Docket No. 17-97 by any of the following methods:
                 Electronic Filers: Comments may be filed electronically
                using the internet by accessing ECFS: https://www.fcc.gov/ecfs/.
                 Paper Filers: Parties who choose to file by paper must
                file an original and one copy of each filing.
                 Filings can be sent by commercial overnight courier, or by
                first-class or overnight U.S. Postal Service mail. All filings must be
                addressed to the Commission's Secretary, Office of the Secretary,
                Federal Communications Commission.
                 Commercial overnight mail (other than U.S. Postal Service
                Express Mail and Priority Mail) must be sent to 9050 Junction Drive,
                Annapolis Junction, MD 20701.
                 U.S. Postal Service first-class, Express, and Priority
                mail must be addressed to 45 L Street NE, Washington, DC 20554.
                 Effective March 19, 2020, and until further notice, the
                Commission no longer accepts any hand or messenger delivered filings.
                This is a temporary measure taken to help protect the health and safety
                of individuals, and to mitigate the transmission of COVID-19. See FCC
                Announces Closure of FCC Headquarters Open Window and Change in Hand-
                Delivery Policy, Public Notice, 35 FCC Rcd 2788 (March 19, 2020),
                https://www.fcc.gov/document/fcc-closes-headquarters-open-window-and-changes-hand-delivery-policy.
                 In addition to filing comments with the Secretary, a copy of any
                comments on the Paperwork Reduction Act proposed information collection
                requirements contained herein should be submitted to the Federal
                Communications Commission via email to [email protected] and to Nicole
                Ongele, FCC, via email to [email protected].
                FOR FURTHER INFORMATION CONTACT: For further information, please
                contact either Jonathan Lechter, Attorney Advisor, Competition Policy
                Division, Wireline Competition Bureau, at [email protected] or
                at (202) 418-0984, or Jerusha Burnett, Attorney Advisor, Consumer
                Policy Division, Consumer and Governmental Affairs Bureau, at
                [email protected]. For additional information concerning the
                Paperwork Reduction Act proposed information collection requirements
                contained in this document, send an email to [email protected] or contact
                Nicole Ongele at (202) 418-2991.
                SUPPLEMENTARY INFORMATION: This is a summary of the Commission's Fifth
                Further Notice of Proposed Rulemaking and Fourth Further Notice of
                Proposed Rulemaking (FNPRM) in CG Docket No. 17-59 and WC Docket No.
                17-97, FCC 21-105, adopted on September 30, 2021, and released on
                October 1, 2021. The full text of this document is available for public
                inspection at the following internet address: https://docs.fcc.gov/public/attachments/FCC-21-105A1.pdf. To request materials in accessible
                formats for people with disabilities (e.g., Braille, large print,
                electronic files, audio format, etc.), send an email to [email protected]
                or call the Consumer & Governmental Affairs Bureau at (202) 418-0530
                (voice), or (202) 418-0432 (TTY).
                [[Page 59085]]
                Initial Paperwork Reduction Act of 1995 Analysis
                 This document contains proposed information collection
                requirements. The Commission, as part of its continuing effort to
                reduce paperwork burdens, invites the general public to comment on the
                information collection requirements contained in this document, as
                required by the Paperwork Reduction Act of 1995, Public Law 104-13.
                 Comments should address: (a) Whether the proposed collection of
                information is necessary for the proper performance of the functions of
                the Commission, including whether the information shall have practical
                utility; (b) the accuracy of the Commission's burden estimates; (c)
                ways to enhance the quality, utility, and clarity of the information
                collected; (d) ways to minimize the burden of the collection of
                information on the respondents, including the use of automated
                collection techniques or other forms of information technology; and (e)
                way to further reduce the information collection burden on small
                business concerns with fewer than 25 employees. In addition, pursuant
                to the Small Business Paperwork Relief Act of 2002, Public Law 107-198,
                see 44 U.S.C. 3506(c)(4), we seek specific comment on how we might
                further reduce the information collection burden for small business
                concerns with fewer than 25 employees.
                Synopsis
                I. Introduction
                 1. In this Further Notice of Proposed Rulemaking (FNPRM), we
                propose to take decisive action to stem the tide of foreign-originated
                illegal robocalls. Eliminating illegal robocalls that originate abroad
                is one of the most vexing challenges we face in eliminating the scourge
                of robocalling because of the difficulties presented by foreign-based
                robocallers. The rules we propose today will help to address this
                problem by placing new obligations on the gateway providers that are
                the point of entry for foreign calls into the United States, requiring
                them to lend a hand in the fight against illegal robocalls originating
                abroad.
                 2. Specifically, we propose to require gateway providers to apply
                STIR/SHAKEN caller ID authentication to, and perform robocall
                mitigation on, foreign-originated calls with U.S. numbers. This
                proposal would subject foreign-originated calls, once they enter the
                United States, to requirements similar to those of domestic-originated
                calls, by placing additional obligations on gateway providers in light
                of the large number of illegal robocalls that originate abroad and the
                risk such calls present to Americans. We further propose and seek
                comment on a number of additional robocall mitigation requirements to
                ensure that gateway providers take steps to prevent illegal calls from
                entering the U.S. network. Doing so will continue our aggressive and
                multi-pronged approach to combatting illegal robocalls.
                 3. We also take this opportunity to make general improvements to
                our anti-robocalling rules by seeking comment on revisions to the
                information that filers must submit to the Robocall Mitigation Database
                and by clarifying the obligations of voice service providers and
                intermediate providers with respect to calls to and from Public Safety
                Answer Points (PSAPs) and other emergency services providers.
                II. Background
                 4. Unwanted calls, which include illegal robocalls, are
                consistently the Commission's top source of consumer complaints. The
                Commission received approximately 232,000 such complaints in 2018,
                193,000 in 2019, 154,000 in 2020, and 131,000 in 2021 as of September
                28th. Multiple factors can affect these numbers, including outreach
                efforts and media coverage on how to avoid unwanted calls. Complaint
                numbers declined significantly during the first four months of the
                COVID-19 pandemic, reducing the total number of complaints the
                Commission received in 2020. Consumer harm from unwanted and illegal
                calls ranges from simple irritation to fraud and financial loss. In
                fact, the Federal Trade Commission (FTC) reports that American
                consumers lost $436 million to fraud over the phone and $86 million to
                fraud by text message in 2020. This reported fraud is only a fraction
                of the approximately $13.5 billion in estimated annual costs from
                illegal robocalls. Caller ID spoofing--the practice whereby a caller
                misrepresents, or ``spoofs,'' the information in the caller ID field--
                poses a particular problem because the identity of the calling party is
                falsified.
                 5. The Commission and Congress have long acknowledged that illegal
                robocalls that originate abroad are a significant part of the robocall
                problem. In a 2011 report to Congress, the Commission stated that
                ``caller ID spoofing directed at the United States by people and
                entities operating outside the country can cause great harm.'' Congress
                highlighted this problem in 2018, when it amended the Communications
                Act of 1934, as amended (the Act), to prohibit spoofing calls or texts
                originating outside the U.S. Similarly, in 2020, the North American
                Numbering Council (NANC), the Commission's advisory committee of
                outside experts on telephone numbering matters, stated that ``it is a
                long-standing problem that international gateway traffic is a
                significant source of fraudulent traffic.'' While these calls pose a
                significant problem, our jurisdiction does not generally apply directly
                to foreign entities.
                 6. Types of Illegal Calls. Illegal calls can come in many forms.
                Perhaps the most well-known illegal calls are those that are simply
                fraudulent, where the caller poses as a business, or even a government
                entity, in order to obtain payment or personal information. Fraudulent
                calls may violate any of a number of state or federal statutes. These
                calls can take a number of forms, but some common scams include callers
                posing as the Internal Revenue Service (IRS) or Social Security
                Administration (SSA), scams following natural disasters, or auto
                warranty scams. The IRS continues to warn consumers about phone scams,
                or ``vishing'' as part of its annual ``Dirty Dozen'' scams, stating
                that while overall it has seen a decline in reports of scammers
                claiming to be the IRS, consumers should remain cautious. The SSA also
                warns consumers to be wary of phone scams, providing tips to consumers
                on how to recognize these calls. Taken together, the FTC received over
                700,000 reports of fraud by phone or text in 2020 alone.
                 7. But calls need not be fraudulent to be illegal. Calls can
                violate the Telephone Consumer Protection Act (TCPA), which prohibits
                initiating ``any telephone call to any residential telephone line using
                an artificial or prerecorded voice to deliver a message without the
                prior express consent of the called party,'' with certain statutory
                exemptions. The TCPA exempts from this prohibition calls for emergency
                purposes. In addition, in all but one instance, artificial or
                prerecorded voice messages must state the identity of the business,
                individual, or other entity that is responsible for initiating the call
                clearly at the beginning of the message as well as the telephone number
                either during or at the end of the message. Finally, the TCPA
                authorizes the Commission to adopt regulatory exemptions to 47 U.S.C.
                227(b)(1)(B) for certain types of calls, including those not made for
                commercial purposes or that do not include an unsolicited
                advertisement. Similarly, the TCPA prohibits, without the prior express
                consent of the called party, any call using an automatic telephone
                dialing system or an artificial or prerecorded
                [[Page 59086]]
                voice to any telephone number ``assigned to a . . . cellular telephone
                service, . . . or any service for which the called party is charged for
                the call'' unless a statutory exemption applies. The TCPA grants the
                Commission authority to exempt certain calls from the requirements of
                47 U.S.C. 227(b)(1)(A)(iii).
                 8. Calls are also illegal in some instances where the caller ID
                information has been spoofed. The Truth in Caller ID Act of 2009 made
                it illegal to transmit false or misleading caller ID information in
                order to defraud, cause harm, or wrongfully obtain something of value.
                And as we explained, in 2018, Congress extended this prohibition to
                reach spoofing activities directed at consumers in the United States
                from foreign actors, and applied the prohibition to alternative voice
                and text message services.
                 9. In enforcement actions, the Commission has found that
                robocalling campaigns, regardless of the content of the robocalls, may
                violate the Truth in Caller ID Act and its implementing rules.
                Specifically, the Commission has found that when an entity spoofs a
                large number of calls in a robocall campaign, it causes harm to: (1)
                The subscribers of the numbers that are spoofed; (2) the consumers who
                receive the spoofed calls; and (3) the terminating carriers forced to
                deliver the calls to consumers and handle ``consumers' ire,'' thereby
                increasing their costs. The Commission has held that the element of
                ``harm'' is broad and ``encompasses financial, physical, and emotional
                harm'' and that ``intent'' can be found when the harms can be shown to
                be ``substantially certain'' to result from the spoofing. When an
                entity knowingly uses a number that does not belong to it ``to make a
                large number of calls . . . the intent to harm may be imputed'' to the
                spoofing entity. Moreover, the Commission has found that repeated
                spoofing of unassigned numbers is ``a strong indication'' that the
                caller has the intent to defraud or cause harm.
                 10. STIR/SHAKEN Caller ID Authentication. While the Truth in Caller
                ID Act made spoofing illegal in certain instances, it did not by itself
                solve a fundamental technical problem: How to identify spoofing in the
                first instance and track down the call originator after discovering
                spoofing had occurred. To address this challenge, technologists from
                the internet Engineering Task Force (IETF) and the Alliance for
                Telecommunications Industry Solutions (ATIS) developed standards to
                allow for the authentication and verification of caller ID information
                carried over internet Protocol (IP) networks. The result of their
                efforts is the STIR/SHAKEN caller ID authentication framework, which
                allows for authenticated caller ID information to securely travel with
                the call itself throughout the entire length of the call path. More
                specifically, a working group of the IETF called the Secure Telephony
                Identity Revisited (STIR) developed several protocols for
                authenticating caller ID information. And ATIS, in conjunction with the
                SIP Forum, produced the Signature-based Handling of Asserted
                information using toKENs (SHAKEN) specification, which standardizes how
                the protocols produced by STIR are implemented across the industry. The
                Commission, consistent with Congress's direction in the Pallone-Thune
                Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED)
                Act, adopted rules requiring voice service providers to implement STIR/
                SHAKEN in the IP portions of their voice networks by June 30, 2021,
                subject to certain exceptions. In this Further Notice of Proposed
                Rulemaking, we use the terms ``voice service provider'' and
                ``intermediate provider'' consistent with the definitions in Part 64,
                Subpart HH of the Commission's rules, unless otherwise specified. Thus,
                ``voice service provider'' as used in this FNPRM refers, unless
                otherwise specified, to a provider of ``service that is interconnected
                with the public switched telephone network and that furnishes voice
                communications to an end user using resources from the North American
                Numbering Plan'' and ``intermediate provider'' refers to ``any entity
                that carries or processes traffic that traverses or will traverse the
                PSTN at any point insofar as that entity neither originates nor
                terminates that traffic.'' The term ``voice service provider'' has a
                different meaning in the Commission's Call Blocking Orders, and there
                includes intermediate providers. Our use of the term ``voice service
                provider'' in this FNPRM does not expand on or narrow that phrase as
                used in those Orders and associated rules.
                 11. At a high level, the STIR/SHAKEN framework consists of two
                components: (1) The technical process of authenticating and verifying
                caller ID information; and (2) the certificate governance process that
                maintains trust in the caller ID authentication information transmitted
                along with a call. Regarding the technical process, STIR/SHAKEN
                requires that the provider authenticating the call attach additional,
                encrypted information to the metadata that travels along with a call,
                which allows the terminating voice service provider to verify that the
                caller ID is legitimate. The authenticating provider must include in
                this information its own identity as the provider that authenticated
                the call and an ``attestation level'' to signify what it knows about
                the calling party and its right to use the number in the caller ID. The
                current STIR/SHAKEN standards allow for three attestation levels. The
                highest level of attestation--called ``full'' or ``A-level''--asserts
                that the authenticating provider can confirm the identity of the
                subscriber making the call and that it is using its associated
                telephone number. The next-highest level of attestation--called
                ``partial'' or ``B-level''--asserts that the authenticating provider
                can confirm the identity of the subscriber but not the telephone
                number. The lowest level of attestation--called ``gateway'' or ``C-
                level''--asserts only that the provider is the point of entry to the IP
                network for a call that originated elsewhere and has no relationship to
                the call initiator. The authenticating provider must also include a
                digital ``certificate'' which says, in essence, that the provider is
                the entity it claims to be and that it has the right to authenticate
                the caller ID information.
                 12. To maintain trust and accountability in the providers that
                vouch for the caller ID information, a neutral governance system issues
                these certificates. The STIR/SHAKEN governance system requires several
                roles in order to operate: (1) A Governance Authority, which defines
                the policies and procedures for which entities can issue or acquire
                certificates (This role is currently filled by the Secure Telephone
                Identity Governance Authority); (2) a Policy Administrator, which
                applies the rules set by the Governance Authority, confirms that
                Certification Authorities are authorized to issue certificates, and
                confirms that voice service providers are authorized to request and
                receive certificates (After a request for proposals process, the
                Governance Authority selected iconectiv to fill this role); (3)
                Certification Authorities, which issue the certificates used to
                authenticate and verify calls (As the Policy Administrator, iconectiv
                vets and approves organizations interested in serving as a
                Certification Authority. The Policy Administrator website reflects that
                there are currently eight approved Certification Authorities.); and (4)
                the authenticating providers themselves, which select an approved
                Certification Authority from which to request a certificate. Under the
                current Governance Authority rules, a provider
                [[Page 59087]]
                must meet certain requirements to receive a certificate.
                 13. The Commission requires voice service providers subject to an
                extension from the requirement to implement STIR/SHAKEN--including
                smaller voice service providers and voice service providers with non-IP
                technology--to adopt and implement robocall mitigation practices in
                lieu of caller ID authentication. The Commission specifically directed
                voice service providers that must implement robocall mitigation to
                ``take reasonable steps to avoid originating illegal robocall
                traffic.'' The Commission adopted this standards-based approach to
                ``allow . . . voice service providers to innovate and draw from the
                growing diversity and sophistication of anti-robocall tools and
                approaches available,'' and because it found that ``there is no one-
                size-fits-all robocall mitigation solution that accounts for the
                variety and scope of voice service provider networks.'' The prohibition
                went into effect on September 28, 2021. The Commission established just
                one prescriptive requirement: A commitment to respond ``in a timely
                manner to all traceback requests from the Commission, law enforcement,
                and the industry traceback consortium, and to cooperate with such
                entities in investigating and stopping any illegal robocalls that use
                its service to originate calls.'' The Commission explained that if it
                determined that its standards-based approach was not sufficient, it
                would ``not hesitate to revisit the obligations we impose through
                rulemaking at the Commission level.''
                 14. The Commission also required voice service providers to, by
                June 30, 2021, submit a certification to the Robocall Mitigation
                Database, stating whether they had implemented STIR/SHAKEN on all or
                part of their networks and, if they had not fully implemented STIR/
                SHAKEN, describe their robocall mitigation program and ``the specific
                reasonable steps the voice service provider has taken to avoid
                originating illegal robocall traffic.'' The Commission stated that a
                robocall mitigation program is sufficient if it ``includes detailed
                practices that can reasonably be expected to significantly reduce the
                origination of illegal robocalls,'' and stated that ``the voice service
                provider must comply with the practices it describes.'' As of September
                28, 2021, 4,948 voice service providers have filed in the Robocall
                Mitigation Database: 1,302 attest to full STIR/SHAKEN implementation,
                1,202 state that they have implemented a mix of STIR/SHAKEN and
                robocall mitigation, and 2,437 state that they rely solely on robocall
                mitigation.
                 15. The Commission prohibited intermediate providers and
                terminating voice service providers from accepting calls directly from
                a voice service provider not listed in the Robocall Mitigation
                Database, finding that such a prohibition would ``encourage all voice
                service providers to implement meaningful and effective robocall
                mitigation programs . . . during the period of extension from the STIR/
                SHAKEN mandate.'' The Commission extended this prohibition to traffic
                originated by foreign voice service providers that use ``North American
                Numbering Plan resources that pertain to the United States to send
                voice traffic to residential or business subscribers in the United
                States.'' We note that CTIA and the Voice on the Net Coalition (VON)
                filed petitions for reconsideration of the prohibition as it relates to
                foreign-originated traffic. This prohibition became effective on
                September 28, 2021. While the Commission made clear that it did ``not
                require foreign voice service providers to file a certification,'' it
                found that the rule ``create[d] a strong incentive for . . . foreign
                voice service providers'' to do so to avoid having their traffic
                blocked. The Commission concluded that the rule's ``indirect effect''
                on foreign providers is consistent with the Commission's and courts'
                past conclusions regarding the scope of Commission jurisdiction. As of
                September 28, 2021, 609 foreign voice service providers have filed in
                the Robocall Mitigation Database, out of a total 4,948 voice service
                provider filings.
                 16. In addition to placing these obligations on voice service
                providers, the Commission required intermediate providers to implement
                STIR/SHAKEN in their IP networks. In the Second Caller ID
                Authentication Report and Order, the Commission placed two requirements
                on intermediate providers. First, regarding calls an intermediate
                provider receives with authenticated caller ID information, the
                Commission required intermediate providers to pass the authenticated
                caller ID information unaltered to the next provider in the call path.
                The Commission created two exceptions from this rule under which an
                intermediate provider may remove the authenticated caller ID
                information: (1) Where necessary for technical reasons to complete the
                call; and (2) where the intermediate provider reasonably believes the
                caller ID authentication information presents an imminent threat to its
                network security. Second, regarding calls an intermediate provider
                receives without authenticated caller ID information, the Commission
                gave intermediate providers two options. An intermediate provider could
                either authenticate caller ID information for these calls, or, in the
                alternative, an intermediate provider must cooperatively participate
                with the industry traceback consortium and respond fully and in a
                timely manner to all traceback requests. The Commission concluded that
                it had authority to place these obligations on intermediate providers
                under section 251(e) of the Act and the Truth in Caller ID Act.
                 17. In adopting these rules, the Commission defined ``voice
                service,'' consistent with section 4 of the TRACED Act, in part as
                ``any service that is interconnected with the public switched telephone
                network and that furnishes voice communications to an end-user using
                resources from the North American Numbering Plan or any successor.'' It
                defined an ``intermediate provider'' as ``any entity that [carries] or
                processes traffic that traverses or will traverse the PSTN at any point
                insofar as that entity neither originates nor terminates that
                traffic.'' The Commission also established that its rules governing
                voice service providers and intermediate providers apply on a ``call-
                by-call'' basis; under this approach, ``[a] single entity . . . may act
                as a voice service provider for some calls on its network and an
                intermediate provider for others.''
                 18. Call Blocking. In parallel with its caller ID authentication
                work, the Commission has encouraged voice service providers, including
                intermediate providers, to block unwanted and illegal calls in certain
                situations, while also imposing requirements to reduce the risk that
                legitimate calls are blocked. Similarly, the Commission has adopted
                affirmative obligations for voice service providers, which include
                intermediate providers for purposes of our call blocking rules, to help
                eliminate illegal calls from the network.
                 19. To date, the Commission has taken a mostly permissive approach
                to call blocking, encouraging terminating voice service providers and,
                occasionally, all voice service providers (including intermediate
                providers) to block in certain instances and protecting them from
                liability under the Commission's rules if they block in error. The
                Commission, in the 2017 First Call Blocking Order, took a clear,
                bright-line approach by authorizing voice service providers, including
                intermediate providers, to block calls that purport to be from invalid,
                unallocated, or unused numbers without first obtaining customer
                [[Page 59088]]
                consent. The Commission reasoned that there is no legitimate reason for
                a caller to spoof these numbers, and therefore these calls are highly
                likely to be illegal. As a result, no reasonable consumer would want to
                receive such calls. The First Call Blocking Order also permitted
                blocking of calls using a do-not-originate list, which includes numbers
                that should never be used to originate calls. The Commission determined
                that these rules apply to foreign-originated calls that purport to
                originate from U.S. North American Numbering Plan (NANP) numbers on the
                grounds that many illegal calls originate from call centers abroad.
                 20. Subsequent Commission action ensured that terminating voice
                service providers can respond to the evolving tactics of bad actors.
                First, in the Call Blocking Declaratory Ruling and Further Notice of
                Proposed Rulemaking, adopted in 2019, the Commission made clear that
                terminating voice service providers may block calls based on reasonable
                analytics so long as consumers are given the opportunity to opt out of
                such blocking. The Commission, in the 2020 Third Call Blocking Order
                and Further Notice of Proposed Rulemaking, then adopted a safe harbor
                from violations of the Act and the Commission's rules for terminating
                voice service providers that block based on reasonable analytics
                designed to identify unwanted calls, so long as the analytics take into
                account caller ID authentication information and consumers are given
                the opportunity to opt out. The Second Report and Order in CG Docket
                No. 17-59 concerns the Reassigned Numbers Database and is not directly
                relevant to our discussion here. The Commission also established a safe
                harbor for voice service providers (including intermediate providers)
                to block calls from a bad-actor upstream provider that fails to
                effectively mitigate illegal traffic after being notified of such
                traffic by the Commission. Finally, the Commission, in that Order, took
                steps to reduce the risk of erroneous blocking. In the 2020 One Ring
                Scam Order, the Commission permitted voice service providers (including
                intermediate providers) to use reasonable analytics on a network-wide
                basis to block calls from numbers that are highly likely to be
                associated with one-ring scams and extended the existing safe harbor to
                include such blocking. Providers may block such calls if they ``appear
                to be one-ring scam calls, even if such identification proves to be
                erroneous in a particular instance.''
                 21. Most recently, in the December 2020 Fourth Call Blocking Order,
                the Commission expanded the safe harbor for blocking based on
                reasonable analytics to include certain network-level blocking, without
                consumer opt out, designed to identify calls that are highly likely to
                be illegal. The safe harbor is available to terminating voice service
                providers that disclose to consumers that they are engaging in such
                blocking. The Commission also adopted enhanced transparency and redress
                requirements for voice service providers that block calls. Beyond
                blocking, the Commission, in the Fourth Call Blocking Order,
                established three affirmative obligations that apply to voice service
                providers (including intermediate providers). First, voice service
                providers must respond to all traceback requests from the Commission,
                law enforcement, or the industry traceback consortium, fully and
                timely. Second, voice service providers must take steps to effectively
                mitigate illegal traffic when notified of such traffic by the
                Commission. The Commission noted that ``blocking may be necessary for
                gateway providers to comply with these requirements.'' Finally, voice
                service providers must adopt affirmative, effective measures to prevent
                new and renewing customers from using the network to originate illegal
                calls.
                III. Discussion
                 22. Now that voice service providers have implemented STIR/SHAKEN
                or a robocall mitigation program, a key component of our anti-robocall
                efforts is in effect. However, bad actors abroad continue to remain
                largely outside of our caller ID authentication scheme. At present, our
                rules only require the gateway providers that bring foreign calls into
                the United States to pass along preexisting authenticated caller ID
                information unaltered, participate in traceback, and take steps to
                effectively mitigate illegal traffic when notified of such traffic by
                the Commission. While these obligations are valuable, they are not
                enough for the task at hand: Stopping illegal robocalls that originate
                abroad and the fraudulent actors producing those calls from preying on
                Americans.
                 23. To that end, we propose to place additional requirements on
                gateway providers to ensure that they are doing their part to combat
                the scourge of illegal robocalls. Specifically, we propose to require
                gateway providers to authenticate all SIP calls and employ robocall
                mitigation techniques on calls that they allow into the United States
                from abroad that display a U.S. number in the caller ID field, which
                implies to the call recipient that the call originated in the United
                States. In this FNPRM, where we refer to caller ID information or the
                number in the caller ID field, we rely on the definition of ``caller
                identification information'' in our rules.
                A. Need for Action
                 24. Current Rules Addressing Foreign-Originated Robocalls Are
                Insufficient. We tentatively conclude that our current rules addressing
                foreign-originated robocalls are not sufficient to resolve the problem
                of foreign-originated illegal robocalls:
                 Under our caller ID authentication rules, gateway
                providers--as intermediate providers--are required to pass along
                authenticated caller ID information unaltered. Although intermediate
                providers are also required to apply STIR/SHAKEN to unauthenticated
                calls they receive, they are excused from that requirement if they
                elect to cooperatively participate with the industry traceback
                consortium and respond fully and in a timely manner to all traceback
                requests they receive from the Commission, law enforcement, and the
                industry traceback consortium regarding calls for which they act as an
                intermediate provider. Since May 6, 2021, however, under our call
                blocking rules, intermediate providers (again, including gateway
                providers) are also subject to a separate requirement to respond fully
                and in a timely manner to all traceback requests from those same
                entities. This rule was adopted in the Fourth Call Blocking Order and
                took effect on May 6, 2021. By complying with that new rule,
                intermediate providers also meet the traceback requirement in our
                caller ID authentication rules (Sec. 64.6302(b)) and, under that rule,
                are excused from complying with the requirement to apply STIR/SHAKEN to
                unauthenticated calls. In addition, intermediate providers are not
                subject to any requirement under the caller ID authentication rules to
                perform robocall mitigation. This means that even though gateway
                providers are where a call first enters the U.S. network, they are not
                subject to the same obligations that apply to domestic originating
                voice service providers.
                 Foreign entities are prohibited from spoofing caller ID
                with the intent to defraud, cause harm, or wrongfully obtain anything
                of value when placing calls to recipients in the United States. While
                this prohibition is valuable, the very nature of spoofing makes it
                difficult to identify spoofing in the first instance, and track down
                the call originator after discovering spoofing has occurred.
                 Foreign originating voice service providers that use NANP
                resources that
                [[Page 59089]]
                pertain to the United States to send traffic to the United States may
                have their traffic blocked if they are not in our Robocall Mitigation
                Database, which requires certification of STIR/SHAKEN implementation or
                the use of a robocall mitigation program. But this requirement is
                limited by the fact that the prohibition applies only to traffic
                received ``directly'' from a foreign voice service provider not listed
                in the Robocall Mitigation Database; a foreign voice service provider
                is not currently required to file if it always routes traffic destined
                for U.S. consumers over intermediate provider networks before they
                reach the U.S. gateway, and a bad actor could easily exploit this
                loophole.
                 Our call blocking rules require voice service providers
                (including intermediate providers) to respond to traceback requests and
                take steps to effectively mitigate illegal traffic and require
                originating providers to take steps to prevent new and renewing
                customers from using the network to originate illegal calls. However,
                because a foreign voice service provider upstream from the gateway
                provider is outside of the scope of our rules, these requirements may
                not always allow the call originator to be identified or the traffic to
                be stopped before it reaches United States consumers.
                 25. We tentatively conclude that it would benefit Americans to
                subject foreign-originated robocalls, once they reach a gateway
                provider in the United States, to the same types of measures applied to
                calls originated in the United States: Caller ID authentication and
                robocall mitigation. We further tentatively conclude the unique
                challenges associated with foreign-originated robocalls demand that
                gateway providers be subject to additional caller ID authentication and
                robocall mitigation requirements, to ensure Americans are protected
                from calls originating abroad. Unlike other providers, gateway
                providers have visibility into the foreign network where the call
                originates and have the ability to identify instances when a call that
                purports to originate from a U.S. number in fact originated
                internationally, which can reduce the accuracy and effectiveness of
                blocking analytics. And unlike terminating voice service providers,
                gateway providers can stop illegal calls to customers of many
                terminating voice service providers. We seek comment on these tentative
                conclusions. Are our current rules addressing foreign-originated
                robocalls sufficient? Rather than adopt new rules, should we leverage
                our existing rules in new ways to stop such calls? Or should we adopt
                new rules that rely on methods other than caller ID authentication and
                robocall mitigation? If so, what type of rules should we adopt?
                 26. A Large Portion of Illegal Robocalls Originate Abroad.
                Available evidence indicates that a large portion of unlawful robocalls
                terminating within the United States originate outside the United
                States. USTelecom states that fraudulent calls are ``almost always are
                coming from overseas,'' while ZipDX states that traceback data ``have
                implicated foreign entities as a primary source of the worst kinds of
                robocalls.'' While some fraudulent traffic carries caller ID
                information matching the origination country (e.g., a call from France
                carries French caller ID), ``the portion of this traffic to the overall
                fraudulent call volume is relatively small,'' and it appears that most
                foreign-originated fraudulent traffic carries a U.S. number in the
                caller ID field. We seek comment on this evidence, the relative
                proportion of domestic- and foreign-originated illegal robocalls, the
                prevalence of caller ID spoofing in foreign-originated robocalls, and
                trends in foreign-originated robocalling targeted at the United States
                over time. We also seek comment on the causes of any identified shift
                from domestic- to foreign-originated illegal robocall campaigns. Have
                the recent steps the Commission has taken in its call blocking and
                caller ID authentication orders and the June 30, 2021 STIR/SHAKEN
                implementation deadline pushed an increasing proportion of illegal
                robocall origination abroad? Are there other explanations for a shift
                to foreign-originated robocalls?
                 27. Role of Gateway Providers. While foreign-originated illegal
                robocalls are a major problem, these calls can only reach U.S.
                consumers and businesses after they pass through a gateway provider.
                The NANC has recognized that, to access the U.S. market, foreign
                originators must send traffic to a gateway provider that is unwilling
                or unable to block that traffic.
                 28. The Commission's Enforcement Bureau has repeatedly identified
                gateway providers as playing a key role in bringing illegal robocalls
                to the United States. In letters sent to multiple gateway providers in
                February 2020 to ``assist the . . . Commission in stopping the flow of
                malicious robocalls originating from sources outside the United
                States,'' the Enforcement Bureau noted that a gateway provider, ``[a]s
                the point of entry for this traffic into the U.S. telephone network, is
                uniquely situated to . . . combat apparently illegal robocalls.'' In
                spring 2020, in conjunction with a Division of the Federal Trade
                Commission, the Enforcement Bureau warned international ``gateway
                providers facilitating COVD-19 related scam robocalls originating
                abroad that they must cut off these calls or face serious
                consequences.'' In April 2020, the FTC and FCC wrote to three gateway
                providers and demanded that they stop facilitating scam COVID-19-
                related robocalls from India and Pakistan. In May 2020, the FTC and FCC
                sent an additional three letters to three separate gateway providers
                regarding similar campaigns originating in the UK, Germany, and other
                destinations abroad. Most recently, in spring 2021, the Enforcement
                Bureau sent cease-and-desist letters to ten providers, including some
                gateway providers, making clear that, should they not cease
                transmitting illegal robocall campaigns immediately, ``other network
                operators [would] be authorized to block traffic from these
                companies.''
                 29. The Department of Justice (DOJ) has also brought enforcement
                actions against gateway providers that allow illegal robocall traffic
                into the country. In two recent DOJ cases, DOJ states that ``the
                defendants engaged in wire fraud schemes by knowingly serving as
                `gateway carriers' for fraudulent calls; that is, the defendants
                received fraudulent robocalls from foreign customers and relayed those
                calls into the United States telecommunications system.'' The schemes,
                according to the DOJ, would not have worked unless the defendants, were
                ``willing to accept the fraudsters' robocall traffic into the U.S.
                telephone system. . . . The [defendants] provide the crucial interface
                between foreign internet-based phone traffic and the U.S. telephone
                system.'' We seek comment on whether these cases are representative of
                the role that some gateway providers play in allowing illegal robocalls
                to reach U.S. subscribers.
                 30. We seek comment on the relationship between gateway providers
                and illegal robocalls entering the U.S. market. Is the problem driven
                by a few unscrupulous gateway providers that have entered into business
                arrangements to transit illegal foreign-originated robocall traffic? In
                a recent case, the DOJ noted that the defendant gateway providers
                ``specifically market their services to foreign call centers and
                foreign VoIP providers looking to transmit high volumes of robocalls
                into the United States.'' Or is the problem more widespread, for
                instance because gateway providers do not or cannot easily identify bad
                actors sending illegal robocalls to the United States through the
                gateway provider's network? If the
                [[Page 59090]]
                problem is widespread, why do gateway providers today decline to
                identify and act to restrict bad actors and unlawful robocalls? Do
                foreign originators send illegal robocall traffic to the gateway
                indirectly, through one or more foreign intermediate providers, in
                order to conceal the nature of the call before it reaches the U.S.
                gateway? Are there other mechanisms by which foreign originators of
                illegal robocalls send their traffic to the United States such that it
                would be brought onto the U.S. network by an unsuspecting gateway
                provider?
                 31. We also seek comment on how foreign robocallers and the voice
                service providers that serve them use U.S. numbers in the caller ID
                field for their illegal robocall campaigns. Do these entities primarily
                spoof U.S. numbers? Or do these bad actors also use U.S. numbers that
                the voice service provider or their customer has obtained the right to
                use, either directly from the Numbering Administrator or indirectly
                through another provider? We note that the Commission recently proposed
                rules to help prevent VoIP providers from obtaining numbers directly
                from the Numbering Administrator for use in illegal robocall campaigns,
                and there are existing reporting rules regarding number usage. Are
                there other safeguards we should consider to prevent foreign providers
                from using U.S. NANP numbers in illegal robocall campaigns?
                B. Scope of Requirements and Definitions
                 32. In light of their unique role in bringing foreign-originated
                illegal robocalls onto U.S. networks, we propose to impose new
                obligations on gateway providers for foreign-originated calls that use
                U.S. numbers in the caller ID field. We believe that this approach will
                narrowly target those providers best able to stop those calls that have
                the greatest likelihood to be part of illegal robocall campaigns that
                harm Americans--foreign-originated calls carrying U.S. numbers in the
                caller ID field.
                 33. While the Commission has imposed requirements on intermediate
                providers, including gateway providers, it has never defined ``gateway
                provider'' as a distinct category of entities. We now propose to define
                a ``gateway provider'' as the first U.S.-based intermediate provider in
                the call path of a foreign-originated call that transmits the call
                directly to another intermediate provider or a terminating voice
                service provider in the United States. We do not include in this
                proposed definition a gateway provider that terminates calls in the
                U.S. To the extent a gateway provider terminates a call in the U.S., it
                is acting as a terminating voice service provider and is already
                subject to our existing caller ID authentication and/or robocall
                mitigation rules. In this proposed definition, by ``U.S.-based,'' we
                mean that the provider has facilities in the U.S. including a U.S.
                located point of presence. We seek comment on this proposed definition.
                Should we define ``gateway provider'' differently? Should we define
                ``U.S.-based'' differently? Should our definition include the first
                U.S.-based provider in the call path for a foreign-originated call that
                also terminates that call? Should we extend some or all of the
                requirements we propose today to such terminating voice service
                providers, or are existing requirements sufficient? Should we exclude
                from the definition those providers that serve as a gateway for only a
                de minimis amount of foreign originated traffic? Are such providers
                unlikely to be the source of illegal robocalls? If so, how should we
                define de minimis for this purpose? Is there another way to effectively
                limit our definition to apply only to those gateway providers that are
                especially likely to be the source of illegal calls on the U.S.
                network? Does our definition need to be modified to take into account
                the scenario where a call originates in the U.S., is routed
                internationally (over the same provider or a different provider's
                facilities), and then is routed back to a U.S. end-user through a
                gateway provider? What about a scenario where a call enters the U.S.
                through a gateway provider, is routed outside of the U.S. and then back
                into the U.S. through the same or different gateway provider?
                 34. We seek comment on whether U.S.-based providers that fall under
                our proposed definition of gateway provider also, in some instances,
                originate calls from abroad carrying U.S. NANP numbers that are brought
                into the U.S. by that same provider. In other words, are there
                instances where the provider that brings the call into the U.S. is also
                acting as an originating provider? For such calls, the U.S.-based
                provider would not fall under our proposed gateway provider definition
                where it is not acting as an intermediate provider. For example, a
                U.S.-based provider acts as a gateway provider for calls foreign
                providers send to it. The same U.S-based provider may also serve an
                end-user customer in another country that is originating traffic in
                that country and sending traffic over that U.S.-based provider's
                network into the U.S. marketplace. In such an instance, the U.S.-based
                provider is not acting as an intermediate provider and thus would not
                fall within our proposed definition of gateway provider. However, if a
                U.S.-based provider has contracted with a foreign provider or customer
                to allow calls into the U.S. marketplace and the call is brought to the
                U.S.-based providers' U.S. network by a foreign provider, the U.S.-
                based provider would be an ``intermediate provider'' and therefore fall
                within our proposed definition. Are certain arrangements that are not
                covered by our proposed definition likely to be part of an illegal
                robocall campaign? If so, should we broaden or otherwise modify our
                proposed definition to ensure that such calls fall within the scope of
                the protections we propose in this FNPRM? Alternatively, should we
                explicitly include these situations for the purposes of specific rules,
                such as our proposed mandatory blocking rules?
                 35. As we have elsewhere in our caller ID authentication rules, we
                propose to classify providers as gateway providers on a call-by-call
                basis rather than on a class basis. Thus, a provider would be a
                ``gateway provider''--and subject to rules applied to that class of
                provider--only for those calls for which it acts as a gateway provider;
                it would be an ``intermediate provider'' or ``voice service
                provider''--and subject to rules applied to those classes of provider--
                for all other calls, e.g., for domestic-originated calls that it
                carries. We believe it is appropriate to apply that approach here not
                only for regulatory symmetry, but also because it would capture all
                instances in which an entity acts as a gateway provider. At the same
                time, this approach would not subject all traffic handled by an entity
                to enhanced obligations simply because a portion of that traffic
                originates abroad. We seek comment on this proposal. Should we instead
                diverge from our ``call-by-call'' approach for gateway providers? Do
                providers have the ability to treat foreign-originated calls
                differently on a call-by-call basis? If we were to establish that a
                provider is a gateway provider for all of its traffic, if any traffic
                it transits originates abroad, would such an approach place
                unreasonable obligations on a provider's domestic traffic simply
                because some traffic is foreign-originated?
                 36. We further propose to limit the scope of our proposed
                requirements for gateway providers to those calls that are carrying a
                U.S. number in the caller ID field. By a ``U.S. number,'' we are
                referring to NANP resources that pertain to the United States. Under
                this approach, we would exclude from the scope of our rule those calls
                that carry a U.S. number in the ANI field but
                [[Page 59091]]
                display a foreign number in the caller ID field. We believe that this
                approach is consistent with our goal to prevent illegal spoofing, which
                is dependent upon manipulating the caller ID field that is visible to
                the call recipient. We further propose to apply this requirement on a
                ``call-by-call'' basis. Under this approach, a gateway provider would
                be subject to these requirements for those calls it transits that carry
                a U.S. number in the caller ID field, but that same gateway provider
                would not be subject to these requirements for calls displaying numbers
                associated with another country. We seek comment on these proposals. We
                also seek comment on the feasibility and desirability of widening the
                scope of our proposed rules to cover calls carrying non-U.S. numbers in
                the caller ID field or a subset of non-U.S. numbers. If we include a
                subset of non-U.S. numbers, what numbers should we include?
                 37. Limiting our proposed rules to calls that use U.S. numbers in
                the caller ID field is similar to the approach in our current rule that
                requires intermediate providers and voice service providers to not
                accept calls directly from a foreign voice service provider that is
                carrying U.S. numbers if the foreign voice service provider is not
                listed in the Robocall Mitigation Database. In that context, we limited
                application of our rule to foreign voice service providers that ``use[
                ] North American Numbering Plan resources that pertain to the United
                States.'' We seek comment on whether it is appropriate, in this
                context, to take a narrower or more expansive approach than we did in
                the context of foreign voice service providers whose traffic must be
                blocked if they are not listed in the Robocall Mitigation Database.
                C. Authentication
                 38. To combat foreign-originated robocalls, we propose to require
                gateway providers to authenticate caller ID information consistent with
                STIR/SHAKEN for SIP calls that are carrying a U.S. number in the caller
                ID field.
                 39. As the Commission has previously explained, application of
                caller ID authentication by intermediate--including gateway--providers
                ``will provide significant benefits in facilitating analytics,
                blocking, and traceback by offering all parties in the call ecosystem
                more information.'' At the time the Commission reached this conclusion,
                in light of record concerns that an authentication requirement on all
                intermediate providers ``was unduly burdensome in some cases,'' the
                Commission established that intermediate providers could ``register and
                participate with the industry traceback consortium as an alternative
                means of complying with our rules,'' in lieu of authenticating
                unauthenticated calls.
                 40. Since the Commission established those requirements in the
                Second Caller ID Authentication Report and Order, in the Fourth Call
                Blocking Order, the Commission subsequently required all voice service
                providers--which include gateway providers and other intermediate
                providers under our call blocking rules--to cooperate with traceback
                requests. This rule has effectively mooted the choice given to
                intermediate providers in the earlier Second Caller ID Authentication
                Report and Order to authenticate calls or cooperate with traceback
                requests. We propose concluding that, given the key role gateway
                providers play in allowing foreign calls into the United States,
                gateway providers should be required to authenticate unauthenticated
                foreign-originated SIP calls that they receive and cooperate with
                traceback requests with respect to those same calls. Requiring gateway
                providers to authenticate caller ID information for all unauthenticated
                foreign-originated SIP calls will offer information to the downstream
                providers regarding where a foreign-originated robocall entered the
                call path, facilitating analytics and promoting traceback efforts. We
                seek comment on this proposal.
                 41. Illegal robocalls cost Americans over $13.5 billion annually.
                Given the prevalence of robocalls from abroad, we anticipate that the
                deterrence that arises from authenticating unauthenticated foreign-
                originated calls is likely to be highly beneficial and that those
                benefits outweigh any concerns about C-level attestations not carrying
                sufficient information to assist in the policing of illegal robocalling
                campaigns. Even with a ``C-level'' (gateway) attestation, we anticipate
                that authenticating unauthenticated calls will facilitate faster
                traceback and improve call analytics. We seek comment on this analysis
                and on the possible benefits of the requirement we propose.
                 42. We also seek comment on the proposal's costs for gateway
                providers. While the Commission previously acknowledged claims that it
                was ``unduly burdensome in some cases'' to require all intermediate
                providers to authenticate unauthenticated calls, we anticipate that our
                proposal will not be unusually costly for gateway providers compared to
                voice service providers already required to implement caller ID
                authentication. Further, as more and more providers implement STIR/
                SHAKEN, we anticipate that technology and solutions will be more widely
                available and less costly to implement. We seek comment on this
                analysis. Is there any reason to believe that authentication is more
                costly for gateway providers compared to other providers or that the
                benefit of lower-level attestations would be limited?
                 43. Requirements. We propose that, to comply with the requirement
                to authenticate calls, a gateway provider must authenticate caller ID
                information for all SIP calls it receives for which the caller ID
                information has not been authenticated and which it will exchange with
                another provider as a SIP call. This proposal follows the caller ID
                authentication rule governing intermediate provider authentication of
                unauthenticated calls they receive, where intermediate providers elect
                authentication instead of cooperation with tracebacks. As noted, the
                call blocking rules have mooted this choice. We seek comment on whether
                and how to alter this proposal. Are there any scenarios in which
                transmitting a call with authenticated caller ID information is not
                possible, and if so, how should we address any such circumstances?
                Should we adopt a technical feasibility exception, as we have
                established for voice service providers with respect to the obligation
                to transmit an authenticated call with authenticated caller
                identification information to the next voice service provider or
                intermediate provider in the call path? Would establishing exceptions
                present the possibility for abuse?
                 44. We propose that, as with our requirement on voice service
                provider authentication, a gateway provider satisfies this requirement
                if it adheres to the three ATIS standards that are the foundation of
                STIR/SHAKEN--ATIS-1000074, ATIS-1000080, and ATIS-1000084--and all
                documents referenced therein. We also propose that compliance with the
                most current versions of these standards as of the date of release of
                any Report and Order following this FNPRM, including any errata as of
                that date or earlier, represents the minimum requirement to satisfy our
                rules. We seek comment on this approach. Are there any reasons these
                standards are not appropriate for gateway providers? Are there any
                technical challenges that may emerge (e.g., will the addition of the
                authenticated Identity Header in the SIP message cause UDP
                fragmentation)? And if so, how can they be mitigated? Alternatively,
                are there other standards we should require gateway providers to adhere
                to? Should we require compliance with standards current as of an
                earlier date? If so, which date?
                [[Page 59092]]
                 45. Because we propose permitting gateway providers to authenticate
                caller ID information in a manner consistent with industry standards,
                we do not propose limiting the attestation level they may assign to a
                given call. To the extent standards allow a gateway provider to assign
                ``full'' (A-level) or ``partial'' (B-level) attestation to a call,
                under this proposal they are free to do so; they would not be limited
                to assigning ``gateway'' (C-level) attestation. Stakeholders previously
                supported this approach regarding intermediate providers, and we seek
                comment on whether this continues to be the best approach to
                attestations by gateway providers, a subset of intermediate providers.
                Is there a reason we should limit gateway providers to assigning a
                certain attestation level or levels, and if so what level? Under what
                circumstances would gateway providers be able to assign, and anticipate
                assigning, an A- or B-level attestation?
                 46. Non-IP Network Technology. As we have explained, the STIR/
                SHAKEN framework is an IP-based solution. How should we address gateway
                providers that use non-IP network technology? How prevalent is non-IP
                network technology among gateway providers? Are gateway providers using
                non-IP network technology less likely or more likely to be the point of
                entry for foreign-originated illegal robocalls onto the U.S. network?
                Our rules require voice service providers with non-IP network
                technology to either upgrade their network to IP and implement STIR/
                SHAKEN, or work with a working group, standards group, or consortium to
                develop a non-IP caller ID authentication solution. Should we adopt a
                similar requirement here? We do not currently apply a similar
                requirement to intermediate providers, including gateway providers. In
                our preliminary view, however, adopting such a requirement for gateway
                providers may be warranted to prevent evasion of any restrictions we
                establish by bad actors. We seek comment on this view. The Commission
                previously stated that it would ``continue to evaluate whether an
                effective non-IP caller ID authentication framework emerges'' and, ``if
                and when [it] identif[ies] an effective framework, [it] expect[s] to .
                . . shift . . . from focusing on development to focusing on
                implementation.'' We seek comment on adopting this same approach with
                respect to gateway providers here. Should we instead mandate that
                gateway providers with non-IP network technology implement a non-IP
                caller ID authentication solution, such as Out-of-Band STIR? Should
                gateway providers relying on non-IP technology continue to be fully
                exempt from any obligation to implement caller ID authentication, like
                other intermediate providers?
                 47. Token Access. Does the Governance Authority's token access
                policy serve as a barrier to participation in STIR/SHAKEN for all or a
                subset of gateway providers? That policy requires entities to have a
                current FCC Form 499-A on file with the Commission, have been assigned
                an Operating Company Number (OCN), and have either direct access to
                numbering resources or filed a certification in the Robocall Mitigation
                Database in order to obtain a token necessary to participate in STIR/
                SHAKEN. We assume that gateway providers that are already acting as
                voice service providers and are subject to the duty to authenticate
                calls they originate or terminate may have already obtained a token in
                order to comply with their duties as a voice service provider. Is that
                assumption correct? How many gateway providers also serve as voice
                service providers? While providers so situated may already possess the
                necessary token, will other gateway providers have difficulty obtaining
                tokens under the current policy? Do some or all gateway providers have
                no obligation to file an FCC Form 499-A because they do not fall under
                one of the categories of entities required to submit the form? If so,
                should we encourage the Governance Authority to waive for such
                providers the requirement to file an FCC Form 499-A to obtain a token?
                Are some or all gateway providers unable to obtain an OCN based on the
                National Exchange Carrier Association's (NECA) policies? If certain
                gateway providers are not required to file a Form 499-A or cannot
                readily obtain an OCN, should we encourage or require the Governance
                Authority to modify its token access policy to ensure that gateway
                providers are able to obtain a token and comply with an authentication
                requirement? And do we need to make changes to our Robocall Mitigation
                Database to allow compliance with the Governance Authority's filing
                requirement?
                 48. Compliance Deadline. We seek comment on when we should require
                gateway providers' authentication obligation to become effective,
                mindful of the public interest of prompt implementation by gateway
                providers with the need for these providers to have sufficient time to
                implement our proposed obligation. We note that the STIR/SHAKEN caller
                ID authentication obligations in the TRACED Act became effective 18
                months following its enactment, and voice service providers were able
                to meet that deadline. Our rules adopted pursuant to the TRACED Act
                grant certain providers exemptions and extensions from this deadline.
                Accordingly, would a March 1, 2023 deadline, falling approximately 18
                months after we adopt this FNPRM, be a reasonable deadline for
                implementation of our authentication obligation? Would an earlier or
                later deadline for all gateway providers better balance the benefit of
                the rule against the burden?
                 49. Should we modify our proposed deadline for certain classes of
                gateway providers? For example, should we identify a subset of gateway
                providers that are most likely to be the conduit for illegal robocalls
                and subject them to an accelerated timeline? How should we identify
                such providers? Should we identify those gateway providers that have
                received at least a certain number of traceback requests or other
                indicia of involvement in illegal robocalling? If so, what would be an
                appropriate threshold? What deadline should we give such providers?
                Instead, should we expect faster implementation of STIR/SHAKEN by those
                gateway providers that are also voice service providers under our STIR/
                SHAKEN rules, are not subject to an extension or exemption, and
                therefore are already authenticating caller ID information for calls
                they originate? Will a provider so situated be in a better position to
                implement STIR/SHAKEN quickly? If so, why?
                 50. In the Second Caller ID Authentication Report and Order, the
                Commission granted several categories of voice service providers that
                faced undue hardship in implementing STIR/SHAKEN additional time for
                compliance, consistent with the directive of the TRACED Act: Small
                voice service providers, providers unable to receive a token from the
                Governance Authority, and services subject to discontinuance. Should we
                grant any categories of gateway providers extensions or exceptions from
                our proposed authentication requirement on the basis of undue hardship
                or for another reason? Are the extensions the Commission previously
                granted for STIR/SHAKEN based on undue hardship relevant to the context
                of gateway providers? For instance, should we grant small gateway
                providers an extension from any deadline we establish, and, if so,
                which gateway providers should we define as ``small?'' Or would doing
                so undermine the value of any requirements we adopt? If we grant an
                extension to some gateway providers, how much additional time would be
                appropriate in light of the public interest of prompt
                [[Page 59093]]
                participation in the STIR/SHAKEN framework? If we grant an exemption,
                how would any exemption square with the importance of ubiquitous STIR/
                SHAKEN? Instead of a categorical approach, should we rely on
                individualized waiver requests pursuant to the Commission's
                longstanding waiver standard? The Commission may exercise its
                discretion to waive a rule where the particular facts at issue make
                strict compliance inconsistent with the public interest. In considering
                whether to grant a waiver, the Commission may take into account
                considerations of hardship, equity, or more effective implementation of
                overall policy on an individual basis.
                D. Robocall Mitigation
                 51. While our caller ID authentication rules require voice service
                providers to implement STIR/SHAKEN or, if they are subject to an
                extension, to implement an appropriate robocall mitigation program, in
                this Notice we propose requiring gateway providers to apply both of
                these protections to calls they bring onto the U.S. network. We further
                propose and seek comment on additional requirements on gateway
                providers, at least some of which go beyond those that currently apply
                to voice service providers. First, we propose to require gateway
                providers to respond to all traceback requests from the Commission, law
                enforcement, and the industry traceback consortium within 24 hours.
                Second, we propose and seek comment on imposing mandatory blocking
                requirements on gateway providers. Third, we seek comment on
                establishing know-your-customer requirements for gateway providers.
                Fourth, we seek comment on requiring gateway providers to adopt certain
                contractual provisions with foreign providers from which they accept
                calls. Finally, in addition to adopting one or more of these robocall
                mitigation requirements, we propose to establish a general duty on
                gateway providers to mitigate illegal robocalls.
                1. 24-Hour Traceback Requirement
                 52. We propose to require gateway providers to respond fully to all
                traceback requests from the Commission, civil or criminal law
                enforcement, and the industry traceback consortium within 24 hours of
                receiving such request. This requirement would be stricter than our
                general obligation, which requires that voice service providers
                (including intermediate providers) respond to traceback requests ``in a
                timely manner.'' As we have stated in the past, traceback is an
                essential part of identifying the source of illegal calls. Information
                gained from traceback can both aid in enforcement after calls are
                placed and be used proactively to stop further calls from a particular
                source. We believe that time is of the essence in all tracebacks, but
                particularly for foreign-originated calls where the Commission or law
                enforcement may need to work with international regulators to obtain
                information from providers outside of U.S. jurisdiction.
                 53. We seek comment on this proposal. Is a mandatory 24-hour
                response time appropriate, or should we consider a different response
                time? Because gateway providers are already required to respond to
                traceback ``timely,'' we believe that this enhanced requirement
                presents a minimal burden on gateway providers. We seek comment on this
                tentative conclusion. Are there any instances where a gateway provider
                may need more time to respond? If so, what would cause such a delay
                (e.g., what are the technical and/or operational challenges that would
                contribute to the delay)? How might we address any such problems to
                best enable gateway providers to meet such a requirement? Should we
                instead consider requiring response in a shorter time than 24 hours?
                Are there additional benefits or burdens to requiring a faster response
                time? Are there any other issues we should consider in adopting such a
                requirement, such as the impact on small gateway providers?
                 54. We seek comment on other means to improve traceback when calls
                originate internationally. Are there other, or additional, steps the
                Commission could take to improve this process and make bad actors
                easier to identify and stop? Should the Commission consider taking
                these steps in addition to, or instead of, requiring gateway providers
                to respond within 24 hours? What benefit would these approaches
                provide? Are there any particular burdens or concerns the Commission
                should consider when weighing these options?
                 55. Compliance Deadline. We propose to require gateway providers to
                comply with this requirement by 30 days after publication of the notice
                of an Order adopting this requirement in the Federal Register. Because
                gateway providers are already required to respond to traceback requests
                ``fully and timely,'' we do not believe there is any reason to further
                delay implementation of this requirement. We seek comment on this
                proposal and analysis. Would a different compliance deadline be more
                appropriate and, if so, why?
                2. Mandatory Blocking
                 56. To date, the Commission has generally taken a permissive
                approach to call blocking, allowing voice service providers the
                flexibility to block in certain instances, but not requiring blocking.
                In adopting the effective mitigation requirement, the Commission did
                make clear that gateway providers may be required to block in order to
                comply. The Commission's rules also direct intermediate and voice
                service providers to only accept calls using NANP numbers sent directly
                from voice service providers with a filing in the Robocall Mitigation
                Database. This requirement is distinct from our blocking requirements.
                Unfortunately, illegal calls continue to plague American consumers.
                When calls originate outside the United States, enforcement against, or
                even identification of, the caller is much more difficult. Gateway
                providers are positioned to reduce the flood of foreign-originated
                illegal calls before they reach American consumers. If a gateway
                provider stops a single calling campaign before it enters the U.S.
                network, no American consumers will receive those calls. Because
                gateway providers may, in many cases, not have direct relationships
                with American consumers, they may lack incentive to take aggressive
                action absent a mandate. To address these issues, we seek comment on
                several possible approaches to requiring gateway providers to block
                calls, particularly where those calls bear a U.S. number in the caller
                ID field.
                 57. Gateway Provider Blocking Based on Commission Notification of
                Illegal Calls. In the Fourth Call Blocking Order, the Commission
                adopted rules requiring voice service providers, including gateway
                providers, to ``take steps to effectively mitigate'' illegal traffic
                when notified of such traffic by the Commission. The Commission noted
                that gateway providers may need to block calls in order to comply with
                this requirement as, unlike originating voice service providers, they
                often do not have a direct relationship with the call originator. We
                believe that modifying this rule to affirmatively require gateway
                providers to block calls upon receipt of notification from the
                Commission through its Enforcement Bureau would better protect American
                consumers from illegal calls and thus seek comment on whether to do so.
                We therefore propose to strengthen our existing effective mitigation
                requirement as to gateway providers. Specifically, we propose to
                require gateway providers, following a prompt investigation to
                [[Page 59094]]
                determine whether the traffic identified in the Enforcement Bureau's
                notice is illegal, to promptly block all traffic associated with the
                traffic pattern identified in that notice. We seek comment on this
                proposal.
                 58. We seek comment on whether allowing gateway providers to
                investigate prior to blocking strikes the correct balance. Currently,
                our rules do not specify how quickly a voice service provider must act,
                but do require that it investigate and report to the Commission
                ``promptly.'' The report must include any steps taken to effectively
                mitigate the identified traffic or an explanation as to why the
                provider has concluded that the identified calls were not illegal. Is
                this the correct approach given the heightened risk of foreign-
                originated illegal robocalls, or should we adopt a stricter standard
                for gateway providers? For example, should gateway providers block
                calls prior to investigation? If so, should we require that gateway
                providers implement blocking immediately upon receipt of notification?
                If not, what is an appropriate delay prior to implementing a block? If
                we require blocking prior to investigation, how can we ensure that
                gateway providers are granted due process? What are the risks
                associated with a too-long or too-short time, and how might we mitigate
                those risks? Are there any other issues we should consider in
                determining how quickly a gateway provider must block calls and whether
                to allow investigation prior to blocking?
                 59. We seek comment on the contours of the blocking obligation.
                Should we require the notified gateway provider to block all calls that
                meet criteria identified by the Enforcement Bureau in its notice that
                make it highly likely that the calls are part of the same call pattern
                as those calls that the Commission has determined to be illegal? The
                Fourth Call Blocking Order established specific details that the
                Enforcement Bureau must include in its notice. Or should we allow
                gateway providers some discretion to determine the scope of the block
                based on the Enforcement Bureau's notice? If we allow discretion,
                should we instead establish general guidelines in our rules, to ensure
                that a gateway provider can know that it is in full compliance with our
                rules? If so, what might these guidelines look like? If we adopt our
                proposal of permitting a gateway provider to investigate prior to
                blocking, should we require the gateway provider to indicate what
                criteria it is using, based on the Enforcement Bureau's notice and its
                own investigation, in its response to the Commission? Alternatively,
                should we require that gateway providers, regardless of the specifics
                of the call pattern, block all calls that purport to originate from the
                same number(s) as the identified illegal traffic? Is there some other
                approach that we should consider? What are the risks of each approach?
                Specifically, what is the risk that lawful calls will be blocked, or
                that illegal calls will continue from the same source despite the
                gateway provider's compliance? How can we reduce unnecessary burdens on
                gateway providers under each approach? Are there any other issues we
                should consider in determining how a gateway provider may comply with
                this requirement, such as the impact on small businesses?
                 60. Requiring Downstream Providers to Block Calls from Bad-Actor
                Gateway Providers. A complementary approach to requiring gateway
                providers to block calls is to require the voice service provider or
                intermediate provider downstream from the gateway provider to block
                where the Commission determines a particular gateway provider is a bad
                actor. In the Third Call Blocking Order and Further Notice of Proposed
                Rulemaking, we used the phrase ``bad actor'' when discussing
                originating or terminating providers that fail to take appropriate
                steps to prevent their networks from being used to originate or
                transmit illegal calls. Here, we expand our use of that term to include
                gateway providers that fail to comply with the rules we propose above.
                This approach provides a strong incentive for the gateway provider to
                avoid having its traffic blocked by ensuring that it complies with our
                rules. In the Third Call Blocking Order and Further Notice of Proposed
                Rulemaking, the Commission encouraged, without requiring, such blocking
                by establishing a safe harbor for terminating voice service providers
                and intermediate providers that choose to block calls from bad-actor
                upstream providers once certain criteria are met. In conjunction with
                our mandatory blocking proposal above, we propose that, should a
                gateway provider fail to comply with those requirements, the
                Commission, through its Enforcement Bureau, may send a notice to all
                providers immediately downstream from the gateway provider in the call
                path. Upon receipt of such notice, all providers must promptly block
                all traffic from the identified gateway provider, with the exception of
                911 and PSAP calls. We seek comment on this approach.
                 61. Currently, our rules allow a downstream provider to block and
                cease accepting all traffic from a bad-actor upstream provider which,
                upon receipt of Commission notice of illegal traffic, fails to either
                effectively mitigate that traffic or fails to take steps to prevent new
                and renewing customers from originating illegal calls. If a gateway
                provider fails to effectively mitigate illegal traffic, calls continue
                to reach American consumers, and enforcement only comes after the fact.
                For these reasons, we believe there is value in requiring the voice
                service provider or intermediate provider immediately downstream from a
                gateway provider to block all calls from that gateway provider in the
                event that the gateway provider fails to effectively mitigate, or block
                if required, illegal traffic once notified of such traffic by the
                Commission via the Enforcement Bureau. We seek comment on this view.
                 62. We seek comment on how much time gateway providers should have
                to begin effectively mitigating, or blocking, calls before directing
                downstream providers to block all calls from that gateway provider.
                Should we require that gateway providers take such steps ``promptly,''
                consistent with our existing rules? If we instead adopt a stricter
                requirement for gateway provider action, should we immediately notify
                downstream providers to block, or allow additional time before taking
                that step? If we determine more time is appropriate, how long should we
                delay our notification to downstream providers? If we use the
                ``promptly'' standard, how should we determine what is ``prompt'' for
                these purposes? Should we notify gateway providers before directing
                downstream providers to block and thereby give the gateway provider an
                additional chance to mitigate the traffic? What are the costs and
                benefits of each approach?
                 63. We seek comment on how much time to permit downstream providers
                to begin blocking calls from the identified gateway provider. Should we
                require that the downstream provider begin blocking immediately? Are
                there any technical or practical barriers to immediate blocking? If so,
                how can we address them? If we do not require immediate blocking, how
                much time should we allow? What are the costs and benefits of each
                approach? Are there any other issues we should consider around timing?
                 64. We seek comment on how best to notify downstream providers when
                blocking is required. Where there are multiple providers immediately
                downstream from the gateway provider, should we directly notify them
                all? If so, how can we ensure that every relevant provider is notified?
                Alternatively, should we notify a single entity, such as the industry
                traceback consortium, and
                [[Page 59095]]
                require that downstream providers work with that entity to obtain this
                information? If so, does this alter the timeline for compliance? Is
                there some other approach that would be more appropriate, such as a
                public notice or use of the Robocall Mitigation Database? We also seek
                comment on how we can determine whether a downstream provider is
                complying with this blocking requirement. Should we require the
                downstream provider to block all calls from the identified gateway
                provider, or just those that are part of the identified call pattern?
                 65. Finally, we recognize that blocking of all traffic from a
                particular gateway provider is likely to have a profound impact on that
                gateway provider's ability to do business. We therefore seek comment on
                whether to adopt additional due process steps or requirements to ensure
                that these rules are not erroneously applied to gateway providers. Is
                allowing investigation prior to requiring blocking sufficient, or
                should we adopt additional protections? If we do not allow
                investigation prior to blocking, should we adopt additional due process
                protections prior to directing downstream providers to block?
                Additionally, should we adopt rules to direct downstream providers to
                cease blocking if the gateway provider later takes appropriate steps to
                effectively mitigate or block the identified traffic? If so, what
                should be included in these rules? When would it be appropriate to
                direct downstream providers to cease blocking? How much time should we
                allow for this to occur? Should we use the same means of notification?
                We seek comment on any other issues we should consider in adopting such
                a requirement, including the impact on small businesses.
                 66. Blocking Based on Reasonable Analytics. Our rules currently
                permit broad blocking based on reasonable analytics by terminating
                voice service providers only and, in most cases, require those
                providers to allow customers to opt out. One-ring scam blocking also
                uses ``reasonable analytics'' and may be used by any voice service
                provider or intermediate provider in the call path without requiring
                any opt-out provisions. However, the use of analytics for one-ring scam
                calls is more narrowly tailored, designed to identify only one
                particular type of illegal call. In contrast, the Commission's other
                authorizations of blocking based on reasonable analytics have permitted
                terminating voice service providers broad discretion to block unwanted
                calls or calls that are highly likely to be illegal and are not limited
                to analytics designed to identify a specific, identified, type of call.
                The Fourth Call Blocking Order expanded the safe harbor for blocking
                based on reasonable analytics to include network-based blocking without
                any opt-out requirement where the provider's analytics are designed to
                identify calls that are ``highly likely to be illegal'' so long as they
                meet other requirements. In all cases of broad authorizations of
                blocking based on reasonable analytics, the voice service provider must
                disclose to customers that it is engaging in this blocking. Because
                these broad authorizations allow only terminating voice service
                providers to block calls, only customers of those voice service
                providers that block calls are protected. In our effort to increase
                protection for American consumers, we propose to require gateway
                providers to block calls that are highly likely to be illegal based on
                reasonable analytics, preventing these calls from entering the U.S.
                network. We further propose additional requirements around this
                blocking consistent with our existing authorization of blocking based
                on reasonable analytics designed to identify calls that are highly
                likely to be illegal for terminating voice service providers.
                Specifically, we propose to require gateway providers to: (1)
                Incorporate caller ID authentication information where available; (2)
                manage the blocking with human oversight and network monitoring
                sufficient to ensure that it blocks only calls that are highly likely
                to be illegal, which must include a process that reasonably determines
                that the particular call pattern is highly likely to be illegal before
                initiating blocking of calls that are part of that pattern; (3) cease
                blocking calls that are part of the call pattern as soon as the gateway
                provider has actual knowledge that the blocked calls are likely lawful;
                and, (4) apply all analytics in a non-discriminatory, competitively
                neutral manner. We seek comment on these proposals.
                 67. We believe requiring gateway providers to use reasonable
                analytics to block will increase blocking of illegal calls entering the
                U.S. network, and will build on the success of current reasonable
                analytics blocking. We thus believe using the ``highly likely to be
                illegal'' standard for gateway provider blocking makes sense. We seek
                comment on this view. We also recognize that a standard with
                flexibility, such as this one, can result in over- or under-inclusive
                blocking and that, unlike terminating voice service provider blocking,
                consumers will have no recourse for erroneous gateway provider
                blocking.
                 68. How should we address this potential problem? We propose to
                require gateway providers to manage the blocking with human oversight
                and network monitoring sufficient to ensure that only calls that are
                highly likely to be illegal are blocked. This is consistent with our
                requirement for terminating voice service providers that block calls
                that are highly likely to be illegal without consumer opt out. Is this
                the correct approach? If not, should we require a different process? If
                so, what would this process look like? Are there steps we could take to
                otherwise reduce the risk that lawful calls will be blocked? Should we
                adopt additional requirements to ensure that a gateway provider can be
                certain that its blocking is within the scope of our rules, rather than
                under- or over-inclusive? Would a gateway provider that makes use of
                comparatively conservative blocking analytics be subject to liability
                for under-blocking? If so, how might we address this issue? Are there
                any other issues we should consider in taking this approach?
                 69. Consistent with our existing safe harbor for the blocking of
                calls based on reasonable analytics, we propose to require gateway
                providers to incorporate caller ID authentication information, where
                that information is available, and to ensure that all analytics are
                applied in a non-discriminatory, competitively neutral, manner. Is this
                the appropriate approach? Should we modify or remove either of these
                requirements in this context? If so, how might we change them? We also
                propose to require that gateway providers cease blocking calls that are
                part of the call pattern as soon as the gateway provider has actual
                knowledge that the blocked calls are likely lawful. We believe that
                this is the best approach to reduce the risk of lawful calls being
                blocked. We seek comment on this belief. Should we modify our approach
                in this context? For example, should we require gateway providers to
                obtain further confirmation that calls are lawful? Or, in contrast to
                that option, should we require a gateway provider to cease blocking
                whenever it receives information that particular calls may be lawful?
                If we take this approach, should we require gateway providers to
                investigate this information to determine whether it is accurate and,
                if it is inaccurate, resume blocking?
                 70. Should we provide further guidance as to what constitutes
                ``reasonable analytics'' in this context? Other than in the First Call
                Blocking Order, we have declined to establish
                [[Page 59096]]
                specific standards, both out of a concern that such standards will
                create a road map for bad actors seeking to avoid blocking and to allow
                flexibility in response to evolving threats. Under the First Call
                Blocking Order, voice service providers, as well as intermediate
                providers, are permitted to block based on the number in the caller ID
                field. Specifically, blocking is permitted where the number is unused,
                unallocated, or invalid, or where the subscriber to the number has
                indicated that it does not use the number to originate calls and
                requests that all calls purporting to originate from that number be
                blocked. However, we want to ensure that a gateway provider has notice
                as to whether or not it is in compliance with our rules. Are there
                standards we could adopt here that would provide certainty to gateway
                providers without allowing bad actors to easily circumvent blocking?
                Would this approach reduce the burden on small businesses by providing
                certainty? We further seek comment on whether we should consider bases
                for blocking other than reasonable analytics and how they would better
                serve consumers. Are there any other issues we should consider if we
                set specific standards?
                 71. Gateway Provider Do Not Originate. The Commission has
                authorized voice service providers (including intermediate providers)
                to block calls where: (1) The subscriber to the number indicated that
                that number should never be used to originate calls; (2) the number was
                unallocated; (3) the number was unused; or, (4) the number was invalid.
                Voice service providers and intermediate providers need not obtain
                consumer consent for blocking these calls, as there is no valid reason
                for these numbers to originate calls. There are at least two do-not-
                originate list implementations in use by industry that take different
                approaches to the issue. We seek comment on requiring gateway providers
                to block calls purporting to originate from numbers on a do-not-
                originate list.
                 72. Should we require gateway providers to block calls from numbers
                on a do-not-originate list? If so, what numbers should be included on
                the list? The Industry Traceback Group, for example, maintains a
                ``measured and tightly controlled process'' for adding numbers to the
                do-not-originate list it operates based on the rules adopted in the
                First Call Blocking Order. Its policies allow for a do-not-originate
                request from federal and state government entities where the number is
                legitimately used for inbound calls only, is currently spoofed to
                perpetrate impersonation-focused fraud, is authorized for participating
                in the list by the party to which the telephone number is assigned, and
                is recognized by consumers as belonging to a legitimate entity. Private
                entities that wish to have numbers added to the list must meet
                additional requirements. The additional policies for private entities
                include a thorough vetting process and a requirement that there be
                ``active and significant fraudulent activity'' involving spoofing.
                There also may be an administrative charge assessed. Should we take a
                similar approach for adding numbers to a do-not-originate list?
                Alternatively, should we take a broader approach and allow any number
                that should never be originating calls outside the United States to be
                added by the person or entity to which the number is assigned? Should
                we include other categories of numbers, such as unused or unallocated
                numbers? Are there any specific standards or vetting processes we
                should adopt to ensure that numbers are not added in error? What
                benefits and risks would each specific approach create? Are there any
                other factors we should consider in determining what numbers may be
                added to the list?
                 73. We seek comment on how we might implement such a list. Who
                should maintain the list? For example, should it be the maintained by
                the Commission, the industry traceback consortium, or some other
                entity? What are the advantages and disadvantages of each approach?
                Should the list be public or private? If public, how can we ensure that
                bad actors cannot abuse the list? If private, how can we ensure the
                security of the list? How might we collect these numbers, and how can
                we ensure that the costs of collecting, vetting, and maintaining the
                list are recouped? Should the list be combined with an existing do-not-
                originate list, such as the Industry Traceback Group's list, or should
                it be completely separate? Should we adopt a formal process for
                removing numbers from the list? Are there any approaches that would
                reduce these costs without eliminating the benefits? Are there any
                other particular issues we should consider in determining how to
                implement the list, including the impact on small businesses?
                 74. Alternative Blocking Programs. We seek comment on other
                potential mandatory blocking programs for gateway providers. Are there
                any other approaches to mandatory blocking we should consider? If so,
                what are the specifics of each approach, and what issues should we
                consider when adopting rules? What benefits would the blocking provide?
                What risks would the blocking pose, including the risk of blocking
                lawful calls? What burdens would the blocking pose for gateway
                providers? Should we consider the approach instead of, or in
                conjunction with, another type of blocking?
                 75. Protections for Lawful Calls. We believe that all blocking
                contains some risk of erroneous blocking, e.g., blocking calls that are
                not illegal. For example, a particular caller's call patterns could
                look similar enough to the patterns of an illegal caller and a gateway
                provider, acting in good faith, could believe that the caller is
                placing illegal calls and thus block them. We seek comment on
                appropriate transparency and redress options that could accompany
                mandatory blocking requirements for gateway providers. What
                transparency and redress requirements should we adopt? Are the
                requirements we have already adopted sufficient, or are there reasons
                to adopt additional, or alternative, requirements? Should our
                transparency and redress requirements vary depending on what blocking
                approach we adopt? If so, how? Are there steps we should take to reduce
                issues related to language barriers? Are there any other issues we
                should consider?
                 76. We want to be particularly careful of the risk of blocking
                emergency calls, such as calls to 911, or calls from PSAPs and
                government emergency outbound numbers. We seek additional comment on
                protections for public safety calls more broadly elsewhere in this
                item. We seek comment on how to address these concerns. What is the
                risk of such calls being blocked under each of our proposals? Should we
                require that gateway providers never block such calls, or is a
                different approach more appropriate?
                 77. Limitation of Liability for Compliance with Mandatory Blocking.
                Aside from the Commission's prior statement that gateway providers may
                need to block calls in order to comply with the requirement to
                effectively mitigate illegal traffic, our existing rules generally do
                not require blocking. Instead, they focus on permitting blocking and
                ensuring that voice service providers will not be subject to liability
                under the Act and the Commission's rules when blocking in certain
                instances. We seek comment on whether, if we adopt mandatory blocking
                requirements, we should take a similar approach here. Our previous safe
                harbors were designed to incent blocking by ensuring that providers do
                not face liability for good faith blocking. Here, blocking would be
                mandatory. Given this, is there a need for such a safe harbor? Could
                gateway providers be
                [[Page 59097]]
                subject to liability under the Act or the Commission's rules for steps
                taken to comply with any of the blocking options we discuss in this
                FNPRM? If so, what is the source of this liability? Should we provide a
                blanket safe harbor under the Act and the Commission's rules, or should
                we limit that protection to actions taken to comply in good faith? If
                we have a good faith requirement, should we define good faith, and, if
                so, how? Should gateway providers be required to make a particular
                showing to demonstrate good faith sufficient to absolve them of
                liability for inadvertently blocking legal calls? For example, should
                we require an officer of a gateway provider to certify to the
                Commission, in the company's Robocall Mitigation Database certification
                or elsewhere, that they have acted in good faith and complied with our
                redress requirements? Are there any other issues we should consider?
                 78. We seek comment on how to determine whether a gateway provider
                has met its obligation to block under each of these options. As the
                Commission has previously concluded, ``we do not expect perfection in
                mitigation.'' To address this concern, should we establish a good faith
                standard under which a gateway provider making its best, good faith
                efforts to block is not liable in cases where illegal traffic is not
                blocked? What would this obligation look like? How might we determine
                that a gateway provider is acting in good faith rather than willful
                ignorance? Should we make clear that a gateway provider will not be
                liable for failing to block where the information is not readily
                available, or should we adopt a different standard? We seek comment on
                what information is ``readily available'' to gateway providers at the
                time of the call. Is certain information available to gateway
                providers, but too expensive or inconsistently available to be
                considered ``readily available'' for all or some providers? What
                information might not be readily available at the time of the call but
                is readily available after the fact, allowing or requiring gateway
                providers to mitigate or block the traffic from the same source at a
                later time? Are there specific criteria we should use to provide
                regulatory certainty? Are there other issues we should consider?
                 79. Compliance Deadline. We propose to require gateway providers to
                comply with any mandatory blocking requirement by 30 days after
                publication of the notice of any Order adopting blocking requirements
                in the Federal Register or the publication of notice of Office of
                Management and Budget (OMB) approval under the Paperwork Reduction Act
                (PRA), where appropriate. We seek comment on this proposal. Should we
                allow additional implementation time for any or all of the proposed
                blocking requirements? If so, how much of a delay is appropriate and,
                if so, why?
                3. ``Know Your Customer'' Requirements for Gateway Providers
                 80. Our rules currently require a voice service provider to
                ``[t]ake affirmative, effective measures to prevent new and renewing
                customers from using its network to originate illegal calls, including
                knowing its customers and exercising due diligence in ensuring that its
                services are not used to originate illegal traffic.'' This rule
                generally applies to originating providers and, under our proposed
                definition, gateway providers do not have a direct relationship with
                the call originator and instead receive calls from a number of upstream
                originating or intermediate providers. As a result, gateway providers
                may not have a ``customer'' to ``know'' for the purpose of complying
                with a ``know your customer'' requirement. We believe, however, that
                extending ``know your customer'' obligations to gateway providers could
                benefit U.S. consumers. First, we propose and seek comment on requiring
                gateway providers to confirm that a foreign call originator is
                authorized to use a particular U.S. number that purports to originate
                the call. We then seek comment on whether, and how, to apply additional
                ``know your customer'' requirements to gateway providers to reduce the
                risk of illegal calls entering the U.S. network, including who the
                gateway provider's ``customer'' should be for this purpose.
                 81. Use of U.S. NANP Numbers for Foreign-Originated Calls. While
                there are valid reasons for some U.S. numbers to originate calls
                internationally, spoofing allows a bad-actor foreign caller to appear
                to a consumer as a U.S.-based entity, making it more likely a U.S.
                consumer will answer the phone. We propose and seek comment on
                requiring gateway providers to confirm that a foreign originator is
                authorized to use the particular U.S. number that purports to originate
                the call. We further propose to make clear that this requirement
                applies only when an originator seeks to place a high volume of calls
                using a U.S. number, and does not apply to traffic consistent with
                private, individual use.
                 82. We seek comment on how a gateway provider can best comply with
                this requirement. Is it feasible for a gateway provider to obtain
                useful information? If so, can the gateway provider reliably gather
                this information prior to calls being placed? If so, how? If
                information is not available until after some calls have been placed,
                should we instead require the gateway provider to obtain this
                information within a set amount of time after receiving the first call
                purporting to originate from a particular U.S. number? How might a
                gateway provider get this information? How long is appropriate for
                gathering this information? Should our requirement be based on the
                number of calls placed, or the time since the first call was placed? We
                also seek comment on whether there is the possibility for gateway
                providers to have contractual relationships with call originators,
                distinct from their position on the call path, such that they will
                transmit all calls for a particular caller. If so, does this change the
                feasibility of obtaining useful information? Should any requirement we
                adopt apply to all gateway providers, or only to gateway providers with
                contractual relationships with callers, distinct from the relationship
                between a caller and originating voice service provider?
                 83. We seek comment on the scope and extent of this requirement.
                Should we adopt a carve out to ensure that gateway providers do not
                prevent origination of emergency calls, including calls to 911, calls
                from PSAPs, or calls from government emergency outbound numbers? If so,
                what might this look like? In addition, we specifically propose to
                impose this requirement only where the originator seeks to place a high
                volume of calls. We seek comment on this proposal. We are concerned
                about ensuring that individual callers, such as U.S. residents
                traveling abroad, are not prevented from placing calls using a number
                to which they are subscribed while in a foreign country. To address
                this, should the requirement only be triggered after the gateway
                provider sees a set number of calls purporting to originate from a
                particular U.S. number? If so, what is the appropriate threshold to
                constitute a ``high volume'' of calls? Are there other measures we
                could adopt that would ensure that traffic consistent with individual
                use does not trigger this requirement without allowing the rule to be
                circumvented by clever callers? Are there any other issues we should
                consider?
                 84. Upstream Provider as the ``Customer.'' Alternatively, should we
                impose a requirement similar to the rule adopted in the Fourth Call
                Blocking Order, and require gateway providers to take steps to know the
                upstream providers from which they receive
                [[Page 59098]]
                traffic and prevent those providers from originating illegal traffic
                onto the U.S. network? While at least a step removed from the call
                originator, the provider upstream from a particular gateway provider
                does have a direct relationship with that gateway provider. As a
                result, it is more likely for a gateway provider to have ready access
                to information about that upstream provider. We therefore seek comment
                on defining the provider immediately upstream from the gateway provider
                to be the gateway provider's ``customer.'' If we adopt this definition,
                what should the gateway provider ``know'' to be able to reasonably
                claim it ``knows'' this ``customer''? Should we limit our requirement
                to information readily available to the gateway provider, or should we
                require additional information that may be more difficult for a gateway
                provider to obtain? What information would provide the most benefit in
                stopping illegal calls? Is such information readily available to the
                gateway provider? If not, what costs or challenges might the gateway
                provider face in obtaining this information? Are there ways we could
                reduce or eliminate these costs or complications? What should a gateway
                provider be required to do with this information? For example, should
                we require gateway providers to cease accepting traffic from upstream
                providers that meet certain criteria? Should this requirement only
                apply to foreign-originated calls that use a U.S. number in the caller
                ID field? How does this approach compare to the approach of considering
                the call originator the ``customer'' discussed further below? Are there
                any other technical, legal, or policy considerations we should pay
                particular attention to if we define the customer as the upstream
                provider, including the impact on small businesses?
                 85. Call Originator as the ``Customer.'' Alternatively, should we
                consider the call originator the gateway provider's ``customer'' for
                purposes of such a requirement? We believe that the originator, as the
                entity placing the calls, is probably the most relevant ``customer''
                for the purpose of stopping illegal calls. Unfortunately, the gateway
                provider, in many cases, may have no direct relationship with the
                originator, making it significantly more difficult to obtain
                information. We seek comment on considering the call originator the
                ``customer'' for purposes of a know-your-customer requirement. What
                would be sufficient for a gateway provider to reasonably claim that it
                ``knows'' this ``customer''? What are the barriers to gateway providers
                obtaining necessary information from originators and how could we
                address those barriers? How does this approach compare to the approach
                of considering the upstream provider the ``customer,'' discussed above?
                Are there any other technical, legal, or policy considerations we
                should pay particular attention to if we define the customer as the
                call originator?
                 86. Compliance Deadline. We propose to require gateway providers to
                comply with ``know-your-customer'' requirements by 30 days after
                publication of the notice of any Order adopting such a requirement in
                the Federal Register. We seek comment on this proposal. Is there any
                need to delay compliance? If so, why and how much time do gateway
                providers reasonably need to comply?
                4. Contractual Provisions
                 87. The NANC and industry stakeholders have recommended that
                gateway providers require their customers to adopt contractual
                provisions that would help mitigate illegal robocalling. We seek
                comment on whether, in light of increased risk of foreign-originated
                illegal robocall campaigns and the critical role gateway providers play
                in allowing such calls to reach the U.S. market, we should require
                gateway providers to adopt specific contractual provisions addressing
                robocall mitigation with foreign providers from which the gateway
                provider directly receives traffic carrying U.S. NANP numbers, and, in
                some cases, traffic from their foreign-end user customers (collectively
                for purposes of this subsection, foreign partners). Under our proposed
                definition of gateway provider above, a U.S.-based provider would fall
                outside of the definition of gateway provider if it is not also acting
                as an intermediate provider with respect to a particular call.
                Consistent with that definition, we are also seeking comment on
                imposing mandatory contractual obligations on gateway providers where
                they have entered into contracts with foreign end-user customers to
                accept their traffic into the U.S, marketplace. To the extent we adopt
                a broader definition of gateway provider to include those instances
                where the U.S.-based provider originates calls outside of the U.S. and
                the U.S.-based provider is not acting as an intermediate provider, we
                also seek comment on whether we should apply mandatory contractual
                provisions in those cases. What are the benefits and costs of requiring
                such contractual amendments?
                 88. We seek comment on what specific contractual provisions, if
                any, we should require. Should we require gateway providers to ensure
                by contract that their foreign partners validate that the calling party
                is authorized to use the U.S. NANP telephone numbers, for calls with
                such numbers in the caller ID display? Are we correct in anticipating
                that if a foreign partner cannot validate the number, there is a
                significant risk that the number is being spoofed and is therefore
                likely to be involved in an illegal robocalling campaign? How should we
                address circumstances in which the foreign partner cannot validate the
                number on its own? For instance, should we require the gateway provider
                to require foreign partners by contract to use a third-party telephone
                number validation service? Should we require gateway providers to
                ensure that their foreign partners employ know-your-customer practices,
                and if so should we mandate requiring specific know-your-customer
                practices? Should we require gateway providers to contractually
                obligate foreign partners to submit a certification to the Robocall
                Mitigation Database? We seek comment on what similar contractual
                provisions providers already have in place, their effectiveness in
                stopping illegal robocall traffic, and how widespread they are.
                 89. We seek comment on implementation of any requirement to adopt
                specific contractual provisions. Should we expand, contract, or alter
                the scope of foreign partners with which we would require gateway
                providers to enter into specific contractual provisions? What steps, if
                any, should we require gateway providers to take to ensure that foreign
                partners are living up to their contractual commitments? Should we
                require gateway providers to impose specific consequences, such as a
                refusal to accept traffic, on foreign partners that fail to live up to
                any required contractual provisions? What consequences should we impose
                a gateway provider that fails to enter into or enforce any required
                contractual provisions?
                 90. Consistent with the other mitigation obligations proposed in
                this FNPRM, we propose to require gateway providers comply with any
                contractual provisions 30 days after the effective date of an Order
                adopting such requirements. We seek comment on this proposal. We also
                seek comment on whether such a period provides sufficient time to
                comply with such obligations with respect to existing contracts in
                order to negotiate contractual amendments with foreign partners. Should
                we modify the deadline for certain classes of providers based on their
                burden or the benefit that would result in those classes'
                [[Page 59099]]
                compliance with the rule? Should we consider any other issues in
                setting a compliance deadline?
                5. General Mitigation Standard
                 91. In addition to the specific mitigation requirements for which
                we seek comment above, we also propose to require gateway providers to
                meet a general obligation to mitigate illegal robocalls. Robocallers
                have shown that they can adapt to specific safeguards targeting illegal
                traffic. A general obligation can serve as an effective backstop to
                ensure that robocallers cannot evade any granular requirements we
                adopt. In the Second Caller ID Authentication Report and Order, the
                Commission required those voice service providers subject to a robocall
                mitigation requirement to take ``reasonable steps to avoid originating
                illegal robocall traffic,'' and established that a robocall mitigation
                program is sufficient if it ``includes detailed practices that can
                reasonably be expected to significantly reduce the origination of
                illegal robocalls'' and the provider ``compl[ies] with the practices it
                describes.'' The Commission stated that a program is ``insufficient if
                a provider knowingly or through negligence serves as the originator for
                unlawful robocall campaigns.'' We believe imposing an analogous
                requirement on gateway providers would provide a valuable backstop and
                help reduce the likelihood that illegal robocalls might make their way
                to U.S. consumers. Under this approach, gateway providers would be
                required to take reasonable steps to avoid transiting illegal robocall
                traffic. What would be the benefits and drawbacks of doing so? What
                would constitute ``reasonable steps'' in this context, aside from any
                of the actions proposed in this FNPRM? Would the consistency of
                obligations between gateway providers and voice service providers
                facilitate innovation and development of novel, effective robocall
                mitigation techniques? Would it ease compliance? Is a standards-based
                approach sufficient to address the difficult task of mitigating
                foreign-originated illegal robocalls? Should we adopt a standards-based
                approach but establish a different standard for effective robocall
                mitigation for gateway providers? What should that standard be? Does a
                standards-based approach make compliance more difficult, particularly
                for small entities that may less easily be able to identify appropriate
                practices?
                 92. Instead of establishing a general mitigation standard based on
                the standard in the Second Caller ID Authentication Report and Order,
                should we instead adopt a general standard by building upon the
                obligation in the Fourth Call Blocking Order for voice service
                providers (including intermediate providers) to mitigate robocall
                traffic by adopting ``affirmative, effective measures to prevent new
                and renewing customers from using their network to originate illegal
                calls''? This duty differs in certain respects from the duty for voice
                service providers subject to a robocall mitigation requirement to take
                ``reasonable steps to avoid originating illegal robocall traffic.'' For
                example, there is no duty for gateway providers to take action with
                respect to existing customers. Should we establish a general mitigation
                obligation for gateway providers based on a modified version of this
                duty? What should those modifications be? Should we require gateway
                providers to take affirmative, effective measures to prevent current,
                new, and renewing customers from using their network to transit illegal
                calls? Are other modifications appropriate? Instead or in addition to
                making such modifications, should we provide additional guidance to
                gateway providers about what measures would be deemed ``affirmative''
                and ``effective''? What should that guidance be?
                 93. We seek comment on an appropriate deadline for any general
                mitigation standard we adopt. We believe that any compliance deadline
                we adopt should, at a minimum, be consistent with the time and effort
                necessary to implement the standard, balanced against the public
                benefit that will result in rapid implementation of the standard. We
                therefore urge commenters proposing a standard to propose a specific
                deadline consistent with these principles.
                E. Robocall Mitigation Database
                 94. We propose to require gateway providers to submit a
                certification to the Robocall Mitigation Database describing their
                robocall mitigation practices and stating that they are adhering to
                those practices. We also take this opportunity to address other issues
                related to the Robocall Mitigation Database that are not specifically
                related to gateway providers. First, we seek comment on revisions to
                the information that filers must submit to the Robocall Mitigation
                Database. Second, we clarify the obligations of voice service providers
                and intermediate providers with respect to calls to and from PSAPs and
                other emergency services providers.
                 95. Gateway Providers. While we declined to impose a filing
                requirement on intermediate providers that had no robocall mitigation
                obligations in the Second Caller ID Authentication Report and Order, we
                believe that requiring gateway providers to do so now in conjunction
                with any new robocall mitigation obligations we adopt is appropriate
                and situates gateway providers consistently with voice service
                providers under our STIR/SHAKEN rules. We seek comment on our proposal
                to require gateway providers to submit a certification. We anticipate
                that requiring certification will encourage compliance and facilitate
                enforcement efforts and industry cooperation to address problems. We
                also anticipate that a registration requirement would not be more
                costly for gateway providers than voice service providers. We seek
                comment on this analysis. Are there additional benefits of requiring
                registration? Do gateway providers face additional costs compared to
                voice service providers that we should consider? Rather than require
                gateway providers to file in the Robocall Mitigation Database, should
                we instead impose some other filing obligation? What would that
                obligation be?
                 96. We propose requiring gateway providers to submit the same
                information that voice service providers must submit under Commission
                rules. Specifically, we propose requiring gateway providers to certify
                to the status of STIR/SHAKEN implementation and robocall mitigation on
                their networks; submit contact information for a person responsible for
                addressing robocall mitigation-related issues; and describe in detail
                their robocall mitigation practices. In the alternative, we seek
                comment on whether to alter or remove any of these obligations as
                applied to gateway providers, and whether gateway providers should
                submit any additional information beyond the information required from
                originating and terminating voice service providers. If we adopt
                specific robocall mitigation requirements, should we relieve gateway
                providers of the obligation to describe their robocall mitigation
                practices? Would this belt-and-suspenders approach to certification
                only add compliance costs with limited benefit? If we did not require
                gateway providers to describe their robocall mitigation practices,
                should they be required to submit any alternative information? If so,
                what should that be? We seek comment on any modifications we should
                make to the filing process for those gateway providers that are also
                voice service providers.
                 97. Similar to our recently proposed rules for VoIP direct access
                applicants, should we require gateway providers to ``inform the
                Commission'' through an
                [[Page 59100]]
                update to the Robocall Mitigation Database filing, if the gateway
                provider is ``subject . . . to a Commission, law enforcement, or
                regulatory agency action, investigation, or inquiry due to its robocall
                mitigation plan being deemed insufficient or problematic, or due to
                suspected unlawful robocalling or spoofing . . .'' ? We propose that
                information in any gateway provider certification would also be subject
                to the existing duty to update that certification within 10 business
                days, ensuring that the information is kept up to date. Is another time
                period appropriate for some or all of the information we require?
                Should we establish a materiality threshold for circumstances in which
                an update is necessary, and if so what threshold should we set?
                 98. We propose to extend the prohibition on accepting traffic from
                unlisted providers to gateway providers. Under this proposal,
                intermediate providers and terminating voice service providers would be
                prohibited from accepting traffic from a gateway provider not listed in
                the Robocall Mitigation Database. We believe that a gateway provider
                Robocall Mitigation Database filing requirement and an associated
                prohibition against accepting traffic from gateway providers not in the
                Robocall Mitigation Database will ensure regulatory symmetry between
                voice service providers and gateway providers and underscore the key
                role gateway providers play in stemming illegal robocalls. We seek
                comment on that conclusion and this proposal. Taking into consideration
                the time between the effective date of the prohibition on voice service
                providers (September 28, 2021) from accepting traffic from other
                unlisted voice service providers and the comment due date of this
                FNPRM, is there any preliminary evidence that the prohibition has been
                beneficial in the ways the Commission envisioned? We also propose that
                this prohibition should go into effect 90 days following the effective
                date of the requirement for gateway providers to submit a certification
                to the Robocall Mitigation Database. Ninety days between the effective
                date of the filing obligation and the beginning of the requirement to
                reject traffic from non-filers is the same time period as that adopted
                in the Second Caller ID Authentication Report and Order for voice
                service providers. We seek comment on providers' experience with that
                90-day timeframe and whether it would be appropriate in this instance.
                Should we set a shorter time period to ensure Americans benefit from
                this scheme sooner? Or do voice service providers and intermediate
                providers need additional time, beyond 90 days, to come into compliance
                with any blocking obligation and, if so, why? How, if at all, should we
                tailor the information that gateway providers must submit to the
                Robocall Mitigation Database to ensure that a downstream provider has
                sufficient information to know whether to block calls depending on the
                call-by-call ``role'' of the upstream provider? For example, if an
                upstream provider is acting as a gateway provider for a call and has
                submitted a certification as a voice service provider to the Robocall
                Mitigation Database, but has not submitted its certification as a
                gateway provider, what information does that downstream provider need
                to know to block the call under our proposed rule if and when it
                becomes effective?
                 99. In line with our proposals above to require gateway providers
                to implement mitigation requirements by 30 days after publication of
                the notice of an Order adopting this requirement in the Federal
                Register, we propose to require gateway providers to submit a
                certification to the Robocall Mitigation Database by that same date and
                to thereafter amend such certification of compliance to attest to STIR/
                SHAKEN compliance by the deadline established in this proceeding,
                subject to publication in the Federal Register of notice of approval by
                OMB of any associated PRA obligations. We seek comment on this approach
                and any alternatives. For example, should we instead require gateway
                providers submit an interim certification by an earlier date so that
                the Commission and the general public know the status of gateway
                providers' STIR/SHAKEN implementation? Would the benefits of requiring
                an additional interim filing outweigh the burdens? What other
                considerations should we take into account in setting any filing
                deadlines?
                 100. Identifying Information for All Filers. We take this
                opportunity to seek comment on whether we should require Robocall
                Mitigation Database filers--including voice service providers and, if
                required, gateway providers--to submit additional identifying indicia,
                such as a Carrier Identification Code, Operating Company Number, and/or
                Access Customer Name Abbreviation. We anticipate that requiring some
                additional identifying information may ease compliance by facilitating
                searches within the Robocall Mitigation Database and cross-checking
                information within the Robocall Mitigation Database against other
                sources. Do commenters agree? If so, what additional information should
                we require? What are the benefits and costs of such a requirement? We
                recognize that as of the date we adopt this FNPRM, a large number of
                voice service providers have already filed in the Robocall Mitigation
                Database, and requiring any additional information would require these
                providers to revise their filings. As we have explained, to date,
                approximately 4,948 voice service providers have submitted information
                into the Robocall Mitigation Database. Additionally, we realize that
                the September 28 blocking deadline has passed and that the identifying
                information we seek comment on may not be as useful as it would have
                been prior to this deadline. Based on these facts, does the benefit of
                requiring additional information nonetheless outweigh the burden of
                asking such a high number of voice service providers to refile? If not,
                should we consider applying this requirement on a prospective-only
                basis? Would this approach still have benefit even if only some filers
                submitted this information? Are there any categories of filer, such as
                foreign voice service providers that use NANP resources that pertain to
                the United States, that are unlikely to have this identifying
                information? If so, how should any new requirements address these
                filers? Alternatively, should we consider making the submission of this
                additional information voluntary to avoid a refiling requirement and
                account for filers that do not possess the information? Or would
                submission on a voluntary basis provide little benefit? If we require
                submission of additional information by some or all filers, what
                deadline for filing should we set?
                 101. Public Safety Calls. We take this opportunity to clarify that
                even if a voice service provider (or, if we adopt our proposal in
                today's FNPRM, a gateway provider) is not listed in the Robocall
                Mitigation Database, other voice service providers and intermediate
                providers in the call path must make all reasonable efforts to avoid
                blocking calls from PSAPs and government outbound emergency numbers.
                Additionally, consistent with the Commission's previous statement that
                its call-blocking rules ``do not authorize the blocking of calls to 911
                under any circumstances,'' calls to 911 must not be blocked, even if
                originated by a voice service provider not in the Robocall Mitigation
                Database or otherwise subject to blocking. And as regards outbound
                emergency calls, we reiterate the Commission's position that all voice
                service providers and intermediate providers ``must make all reasonable
                efforts to ensure that calls from PSAPs and government outbound
                [[Page 59101]]
                emergency numbers are not blocked.'' We adopt this clarification to
                ensure completion of emergency calls and to clarify that the scope of
                the exception for emergency calls is identical between our call
                blocking rules and our rules prohibiting acceptance of traffic from
                voice service providers not listed in the Robocall Mitigation Database.
                 102. We seek comment on whether we should modify our rules to
                reflect this clarification. We also seek comment on whether we should
                expand upon our clarification. Does our clarification contain any
                ambiguities that we should address, and if so how should we address
                them? For example, should we make clear what ``reasonable efforts'' we
                expect voice service providers and intermediate providers to take to
                ensure completion of outbound emergency calls? If so, what specific
                steps should we require? Would prohibiting providers from blocking
                calls on a ``whitelist'' of public safety numbers be effective, or
                would it instead provide a roadmap for bad actors to exploit? We note
                that the Commission has previously declined to adopt such a list,
                finding that it ``would likely to do more harm than good.'' We seek
                comment on whether circumstances have changed since the Commission's
                prior decision that would make this option more viable. Are there fewer
                concerns for such a list in the context of gateway providers? Are there
                other ways bad actors could exploit this emergency exception to
                originate illegal robocalls, either directed at PSAPs (because calls to
                911 may not be blocked) or directed to the general public by posing as
                emergency callers (because providers must make all reasonable efforts
                to ensure that calls from PSAPs and government outbound emergency
                numbers are not blocked)? If so, what steps can we take to minimize
                that threat while ensuring the vital goal of emergency call completion?
                How should we account for emergency calls if we require gateway
                providers to file in the Robocall Mitigation Database? Are emergency
                calls to U.S. PSAPs likely to originate abroad? We also propose that
                any calls to and from PSAPs and government outbound emergency numbers
                that may be otherwise subject to mandatory call blocking duties adopted
                pursuant to this FNPRM should be subject to the same emergency call
                exception and clarification that we adopt today, as well as any further
                clarifications that we adopt pursuant to the questions above, and we
                seek comment on this proposal.
                F. Alternative Approaches
                 103. We seek comment on alternative approaches to stop illegal
                foreign-originated robocalls. This FNPRM proposes imposing obligations
                on gateway providers because they are in the unique position of acting
                as the conduit for all foreign-originated calls. We anticipate that
                rules focused on gateway providers would be the most efficient and
                effective way to prevent illegal robocalls from reaching U.S. consumers
                and businesses from abroad. At the same time, we want to explore all
                available options and thus seek comment on whether we should instead
                pursue alternative approaches to enhancing our rules to target foreign-
                originated robocalls.
                 104. We first seek comment on strengthening our prohibition on
                U.S.-based providers accepting traffic carrying U.S. NANP numbers that
                is received ``directly from'' foreign voice service providers that are
                not in the Robocall Mitigation Database. By its terms, this rule does
                not require U.S.-based providers to reject foreign-originated traffic
                carrying U.S. NANP numbers that is received by a U.S. provider directly
                from a foreign intermediate provider--at present, the prohibition only
                applies to traffic received directly from the originating foreign
                provider. Some have argued that this loophole allows a significant
                portion of foreign-originated robocall traffic carrying U.S. NANP
                numbers to reach the U.S. outside of the prohibition. We seek comment
                on whether this is the case and, if so, whether we should expand the
                prohibition and require U.S.-based providers to reject traffic carrying
                U.S. NANP numbers directly from any foreign provider not in the
                Robocall Mitigation Database. What are the benefits and burdens of this
                approach? Should we require U.S.-based providers to ensure that foreign
                intermediate providers comply with specific robocall mitigation
                practices, such as know-your-customer practices, and describe in their
                certifications the specific robocall mitigation practices they have
                implemented? Are most foreign intermediate providers also originating
                and exchanging traffic with U.S. NANP numbers directly with U.S.
                providers, indicating that most foreign providers are already covered
                under the current prohibition? 609 foreign voice service providers have
                already filed in the Robocall Mitigation Database. We seek comment on
                what percentage of foreign providers currently subject to the
                prohibition this represents, compared to the percentage of foreign
                providers that would be subject to our proposed expanded prohibition.
                If we expand the prohibition to encompass foreign intermediate
                providers, what compliance deadline should we set?
                 105. Conversely, should we limit or eliminate the foreign provider
                prohibition rather than expand it? Some argue that the compliance
                burden of the current rule on foreign voice service providers is
                significant, that many providers did not register by the deadline, and
                therefore there is a significant risk that domestic providers will
                unnecessarily block foreign-originated calls. We seek comment on the
                validity of these assertions and whether a rule expansion would
                compound those burdens and risks. Others argue that, at a minimum,
                foreign voice service providers needed additional time to submit a
                certification to the Robocall Mitigation Database. If the burdens of
                the current rule are large and the benefits small, should we consider
                eliminating the current rule, particularly if we adopt effective
                measures for gateway providers to stop illegal robocall traffic from
                entering the U.S. market?
                 106. In light of the unique difficulties foreign service providers
                may face in timely registering with the Commission's new Robocall
                Mitigation Database, the fact that the foreign provider prohibition can
                be evaded by transmitting traffic via one or more foreign intermediate
                providers, and in order to avoid the potential disruption associated
                with such delays while permitting the Commission to explore these
                potentially more effective measures, we conclude that the public
                interest will be served by not enforcing the foreign provider
                prohibition during the pendency of this proceeding. While ZipDX
                suggests a ``narrower deferment'' that would allow enforcement if a
                foreign provider is responsible for a ``significant or on-going illegal
                robocalling activity,'' we decline taking such an approach because it
                would involve engaging in a line-drawing exercise for which we do not
                have sufficient guidance and data and ZipDX does not suggest a
                specific, administrable approach. We anticipate that we will make a
                final decision regarding whether to eliminate, retain, or enhance the
                foreign provider prohibition as part of our larger consideration of how
                best to address illegal robocalls originating abroad in the order
                issued pursuant to this FNPRM. Therefore, until that time, domestic
                voice service providers and intermediate providers may accept traffic
                carrying U.S. NANP numbers sent directly from foreign voice service
                [[Page 59102]]
                providers not listed in the Robocall Mitigation Database.
                G. Expected Benefits and Costs
                 107. As noted above, a large portion of illegal robocalls originate
                abroad, and that share may be growing. We therefore anticipate that the
                benefits of our proposals will far outweigh the costs imposed on
                gateway providers.
                 108. As to expected benefits, the Commission found in the First
                Caller ID Authentication Report and Order and Further Notice of
                Proposed Rulemaking that widespread deployment of STIR/SHAKEN will
                increase the effectiveness of the framework for both voice service
                providers and their subscribers, producing a potential benefit of at
                least $13.5 billion annually due to the reduction in nuisance calls and
                fraud. In addition, the Commission identified many non-quantifiable
                benefits, such as restoring confidence in incoming calls and reliable
                access to emergency and healthcare communications.
                 109. We anticipate that the impact of our proposals, including the
                deterrence that arises from authenticating unauthenticated foreign-
                originated calls, will account for a large share of that $13.5 billion
                benefit because of the significant share of illegal calls originating
                outside our country. While each of the proposed requirements on their
                own may not fully accomplish that goal, viewed collectively, we expect
                that they will achieve a large share of the $13.5 billion minimum
                benefit. We seek comment on this analysis and on the possible benefits
                of the requirements we propose.
                 110. We believe that the costs imposed on gateway providers by our
                proposed changes, at least some of which are likely minimal, will be
                far exceeded by the expected benefits. For example, many intermediate
                providers that would be classified as gateway providers under our
                proposed definition are already voice service providers and have
                already implemented or are required to soon implement STIR/SHAKEN
                authentication on their networks. Moreover, as the Commission stated in
                the First Caller ID Authentication Report and Order and Further Notice
                of Proposed Rulemaking, an overall reduction in illegal robocalls will
                greatly lower providers' network costs by eliminating both the unwanted
                traffic congestion and the labor costs of handling numerous customer
                complaints. We therefore believe that the proposals in this FNPRM would
                impose only minimal short-term costs on gateway providers while
                lowering long-term network costs for gateway providers and other
                domestic service providers. We seek comment on this analysis and
                whether it remains valid in light of industry experience in
                implementing STIR/SHAKEN and the Commission's various blocking regimes?
                Is it equally applicable to gateway providers? We also seek detailed
                comment on the potential costs associated with each proposal. Will
                these costs vary according to the size of the provider? Does the
                benefit of each proposal outweigh its cost? How do the proposed
                compliance deadlines for each requirement and possible alternative
                deadlines affect the benefits and costs?
                 111. Digital Equity and Inclusion. The Commission, as part of its
                continuing effort to advance digital equity for all, including people
                of color, persons with disabilities, persons who live in rural or
                Tribal areas, and others who are or have been historically underserved,
                marginalized, or adversely affected by persistent poverty or
                inequality, invites comment on any equity-related considerations and
                benefits (if any) that may be associated with the proposals and issues
                discussed herein. Section 1 of the Communications Act of 1934, as
                amended, provides that the FCC ``regulat[es] interstate and foreign
                commerce in communication by wire and radio so as to make [such
                service] available, so far as possible, to all the people of the United
                States, without discrimination on the basis of race, color, religion,
                national origin, or sex.'' The term ``equity'' is used here consistent
                with Executive Order 13985 as the consistent and systematic fair, just,
                and impartial treatment of all individuals, including individuals who
                belong to underserved communities that have been denied such treatment,
                such as Black, Latino, and Indigenous and Native American persons,
                Asian Americans and Pacific Islanders and other persons of color;
                members of religious minorities; lesbian, gay, bisexual, transgender,
                and queer (LGBTQ+) persons; persons with disabilities; persons who live
                in rural areas; and persons otherwise adversely affected by persistent
                poverty or inequality. Specifically, we seek comment on how our
                proposals may promote or inhibit advances in diversity, equity,
                inclusion, and accessibility, as well the scope of the Commission's
                relevant legal authority.
                H. Legal Authority
                 112. We propose to adopt the foregoing obligations pursuant to the
                legal authority we relied upon in prior caller ID authentication and
                call blocking orders.
                 113. Caller ID Authentication. We propose to find authority to
                impose caller ID authentication obligations on gateway providers under
                section 251(e) of the Act and the Truth in Caller ID Act. In the Second
                Caller ID Authentication Report and Order, the Commission found it had
                the authority to impose caller ID authentication obligations on
                intermediate providers under these provisions. It reasoned that
                ``[c]alls that transit the networks of intermediate providers with
                illegally spoofed caller ID are exploiting numbering resources'' and so
                found authority under section 251(e). And it found additional,
                independent authority under the Truth in Caller ID Act on the basis
                that such rules were necessary to ``prevent . . . unlawful acts and to
                protect voice service subscribers from scammers and bad actors,'' and
                it stressed that intermediate providers ``play an integral role in the
                success of STIR/SHAKEN across the voice network.'' While that Order did
                not specifically discuss gateway providers, we propose to conclude that
                we can impose an authentication obligation on gateway providers on the
                same basis. Indeed, we propose to define gateway providers as a subset
                of intermediate providers; thus, we tentatively conclude that the
                Second Caller ID Authentication Report and Order already accounted for
                the actions we propose today. We seek comment on this proposal. Should
                we revisit the Commission's earlier conclusion that it has authority to
                place these obligations on intermediate--including gateway--providers?
                Are there other sources of authority, including the TRACED Act, that we
                could invoke to impose our caller ID authentication rules on gateway
                providers?
                 114. Robocall Mitigation and Call Blocking. We propose to adopt our
                robocall mitigation and call blocking provisions on gateway providers
                pursuant to sections 201(b), 202(a), 251(e), the Truth in Caller ID
                Act, the TRACED Act, and, where appropriate, our ancillary authority,
                consistent with the authority we invoked to adopt analogous rules in
                the Second Caller ID Authentication Report and Order and our Call
                Blocking Orders. We seek comment on this proposal.
                 115. In the Second Caller ID Authentication Report and Order, the
                Commission concluded ``section 251(e) gives us authority to prohibit
                intermediate providers and voice service providers from accepting
                traffic from both domestic and foreign voice service providers that do
                not appear in [the Robocall Mitigation Database],'' noting that its
                ``exclusive jurisdiction over numbering policy provides authority to
                take action to prevent the
                [[Page 59103]]
                fraudulent abuse of NANP resources.'' The Commission observed that
                ``[i]llegally spoofed calls exploit numbering resources whenever they
                transit any portion of the voice network--including the networks of
                intermediate providers'' and that ``preventing such calls from entering
                an intermediate provider's or terminating voice service provider's
                network is designed to protect consumers from illegally spoofed
                calls.'' The Commission also found that the Truth in Caller ID Act
                provided additional authority for our actions to protect voice service
                subscribers from illegally spoofed calls. We propose to conclude that
                section 251(e) and the Truth in Caller ID Act authorize us to prohibit
                intermediate providers and voice service providers from accepting
                traffic from gateway providers that do not appear in the Robocall
                Mitigation Database. The Commission also relied on the TRACED Act in
                adopting mitigation duties for voice service providers and we propose
                to conclude that it authorizes us to require voice service providers to
                submit additional information to the Robocall Mitigation Database.
                 116. In the Fourth Call Blocking Order, the Commission required
                voice service providers ``to take affirmative, effective measures to
                prevent new and renewing customers from originating illegal calls,''
                which includes a duty to ``know'' their customers. Additionally, the
                Commission required voice service providers, including intermediate
                providers, to ``take steps to effectively mitigate illegal traffic when
                notified by the Commission,'' which may require blocking when applied
                to gateway providers. The Commission also adopted traceback
                obligations. The Commission concluded that it had the authority to
                adopt these requirements pursuant to sections 201(b), 202(a), and
                251(e) of the Act, as well as the Truth in Caller ID Act and its
                ancillary authority. Sections 201(b) and 202(a) provide the Commission
                with ``broad authority to adopt rules governing just and reasonable
                practices of common carriers.'' Accordingly, the Commission found that
                the new blocking rules were ``clearly within the scope of our section
                201(b) and 202(a) authority'' and ``that it is essential that the rules
                apply to all voice service providers,'' applying its ancillary
                authority in section 4(i). The Commission also found that section
                251(e) and the Truth in Caller ID Act provided the basis ``to prescribe
                rules to prevent the unlawful spoofing of caller ID and abuse of NANP
                resources by all voice service providers,'' a category that includes
                VoIP providers and, in the context of our call blocking orders gateway
                providers. We believe that these same statutory provisions authorizing
                our current mitigation and blocking rules support the mandatory
                mitigation and blocking obligations we propose to impose on gateway
                providers here. Are there additional sources of authority that we
                should consider?
                 117. We propose to find additional authority in section 7 of the
                TRACED Act. The Commission initiated a rulemaking to ``help protect a
                subscriber from receiving unwanted calls or text messages from a caller
                using an unauthenticated number'' in the Third Call Blocking Order and
                Further Notice of Proposed Rulemaking but declined to take further
                action in the Fourth Call Blocking Order. We believe that several of
                the proposals we make today would have the effect of protecting
                consumers from unwanted calls from unauthenticated numbers. In
                particular, we believe that our mandatory blocking and ``know-your-
                customer'' proposals would further these goals. We seek comment on this
                belief. Is this an appropriate use of the authority granted in TRACED
                Act section 7? What should we consider, including the considerations
                listed in section 7(b) of the TRACED Act, in determining whether any
                rules we adopt are consistent with our authority under that section?
                 118. While we propose to conclude that our direct sources of
                authority provide an ample basis to adopt our proposed rules on all
                gateway providers, we believe that our ancillary authority in section
                4(i) provides an independent basis to do so with respect to gateway
                providers that have not been classified as common carriers, and we seek
                comment on this view. We anticipate that the proposed regulations are
                ``reasonably ancillary to the Commission's effective performance of its
                . . . responsibilities.'' Specifically, gateway providers
                interconnected with the public switched telephone network and
                exchanging IP traffic clearly constitutes ``communication by wire and
                radio.'' We believe that requiring gateway providers to comply with our
                proposed rules is reasonably ancillary to the Commission's effective
                performance of its statutory responsibilities under section 152(a), as
                well as reasonably ancillary to our exercise of authority under
                sections 201(b), 202(a), 251(e), and the Truth in Caller ID Act as
                described above. With respect to sections 201(b) and 202(a), absent
                application of our proposed rules to gateway providers that are not
                classified as common carriers, originators of international robocalls
                could circumvent our proposed scheme by sending calls only to such
                gateway providers to reach the U.S. market. We seek comment on this
                analysis.
                 119. Indirect Effect on Foreign Service Providers. We propose to
                conclude that, to the extent any of the rules we seek to adopt today
                have an effect on foreign service providers, that effect is only
                indirect and therefore consistent with the Commission's authority. In
                the Second Caller ID Authentication Report and Order, the Commission
                acknowledged an indirect effect on foreign providers but concluded that
                it was permissible under past Commission precedent confirmed by the
                courts. This includes the authority, pursuant to section 201, for the
                Commission to require U.S. providers to modify their contracts with a
                foreign provider with respect to ``foreign communication'' to ensure
                that the charges and practices are ``just and reasonable.'' We seek
                comment on whether any of our proposed rules exceed the scope of our
                jurisdiction over foreign communications that enter the United States.
                We also seek comment on whether any of our proposed rules would be
                contrary to any of our international treaty obligations, other
                international laws and rules, or create a risk of foreign retaliation.
                IV. Initial Regulatory Flexibility Analysis
                 120. As required by the Regulatory Flexibility Act of 1980, as
                amended (RFA), the Commission has prepared this Initial Regulatory
                Flexibility Analysis (IRFA) of the possible significant economic impact
                on small entities by the policies and rules proposed in this FNPRM. The
                Commission requests written public comments on this IRFA. Comments must
                be identified as responses to the IRFA and must be filed by the
                deadlines for comments provided on the first page of the FNPRM. The
                Commission will send a copy of the FNPRM, including this IRFA, to the
                Chief Counsel for Advocacy of the Small Business Administration (SBA).
                In addition, the FNPRM and IRFA (or summaries thereof) will be
                published in the Federal Register.
                A. Need for, and Objectives of, the Proposed Rules
                 121. In order to continue the Commission's work combating illegal
                calls, this FNPRM proposes to impose several obligations on gateway
                providers. Specifically, the FNPRM proposes to require gateway
                providers to authenticate and employ robocall
                [[Page 59104]]
                mitigation techniques on all SIP calls that they allow into the United
                States from abroad that display a U.S. number in the caller ID field.
                The FNPRM also proposes that gateway providers should engage in
                robocall mitigation by (1) responding to all traceback requests from
                the Commission, law enforcement, and the industry traceback consortium
                within 24 hours; (2) complying with mandatory call blocking
                requirements; (3) complying with enhanced know-your-customer
                obligations; (4) complying with a general duty to mitigate illegal
                robocalls; and (5) filing a certification in the Robocall Mitigation
                Database. The Commission also proposes one blocking requirement for
                intermediate and terminating providers immediately downstream from the
                gateway provider, which would require those providers to block all
                traffic from a gateway provider that fails to block or effectively
                mitigate illegal traffic when notified of such traffic by the
                Commission.
                B. Legal Basis
                 122. The FNPRM proposes to find authority largely under those
                provisions through which it has previously adopted rules to stem the
                tide of robocalls in its Call Blocking and Call Authentication Orders.
                Specifically, the FNPRM proposes to find authority under sections
                201(a) and (b), 202(a), 251(e), the Truth in Caller ID Act, the TRACED
                Act and, where appropriate, ancillary authority. The FNPRM also
                proposes to conclude that, to the extent any of the rules we seek to
                adopt today have an effect on foreign service providers, that effect is
                only indirect and therefore consistent with the Commission's authority.
                The FNPRM solicits comment on these proposals.
                C. Description and Estimate of the Number of Small Entities to Which
                the Proposed Rules Will Apply
                 123. The RFA directs agencies to provide a description of and,
                where feasible, an estimate of the number of small entities that may be
                affected by the proposed rules and by the rule revisions on which the
                Notice seeks comment, if adopted. The RFA generally defines the term
                ``small entity'' as having the same meaning as the terms ``small
                business,'' ``small organization,'' and ``small governmental
                jurisdiction.'' In addition, the term ``small business'' has the same
                meaning as the term ``small-business concern'' under the Small Business
                Act. A ``small-business concern'' is one which: (1) Is independently
                owned and operated; (2) is not dominant in its field of operation; and
                (3) satisfies any additional criteria established by the SBA.
                1. Wireline Carriers
                 124. Wired Telecommunications Carriers. The U.S. Census Bureau
                defines this industry as ``establishments primarily engaged in
                operating and/or providing access to transmission facilities and
                infrastructure that they own and/or lease for the transmission of
                voice, data, text, sound, and video using wired communications
                networks. Transmission facilities may be based on a single technology
                or a combination of technologies. Establishments in this industry use
                the wired telecommunications network facilities that they operate to
                provide a variety of services, such as wired telephony services,
                including VoIP services, wired (cable) audio and video programming
                distribution, and wired broadband internet services. By exception,
                establishments providing satellite television distribution services
                using facilities and infrastructure that they operate are included in
                this industry.'' The SBA has developed a small business size standard
                for Wired Telecommunications Carriers, which consists of all such
                companies having 1,500 or fewer employees. U.S. Census Bureau data for
                2012 show that there were 3,117 firms that operated that year. Of this
                total, 3,083 operated with fewer than 1,000 employees. Thus, under this
                size standard, the majority of firms in this industry can be considered
                small.
                 125. Local Exchange Carriers (LECs). Neither the Commission nor the
                SBA has developed a size standard for small businesses specifically
                applicable to local exchange services. The closest applicable NAICS
                Code category is Wired Telecommunications Carriers. Under the
                applicable SBA size standard, such a business is small if it has 1,500
                or fewer employees. U.S. Census Bureau data for 2012 show that there
                were 3,117 firms that operated for the entire year. Of that total,
                3,083 operated with fewer than 1,000 employees. Thus under this
                category and the associated size standard, the Commission estimates
                that the majority of local exchange carriers are small entities.
                 126. Incumbent LECs. Neither the Commission nor the SBA has
                developed a small business size standard specifically for incumbent
                local exchange services. The closest applicable NAICS Code category is
                Wired Telecommunications Carriers. Under the applicable SBA size
                standard, such a business is small if it has 1,500 or fewer employees.
                U.S. Census Bureau data for 2012 indicate that 3,117 firms operated the
                entire year. Of this total, 3,083 operated with fewer than 1,000
                employees. Consequently, the Commission estimates that most providers
                of incumbent local exchange service are small businesses that may be
                affected by our actions. According to Commission data, one thousand
                three hundred and seven (1,307) Incumbent Local Exchange Carriers
                reported that they were incumbent local exchange service providers. Of
                this total, an estimated 1,006 have 1,500 or fewer employees. Thus,
                using the SBA's size standard the majority of incumbent LECs can be
                considered small entities.
                 127. Competitive Local Exchange Carriers (Competitive LECs),
                Competitive Access Providers (CAPs), Shared-Tenant Service Providers,
                and Other Local Service Providers. Neither the Commission nor the SBA
                has developed a small business size standard specifically for these
                service providers. The appropriate NAICS Code category is Wired
                Telecommunications Carriers and under that size standard, such a
                business is small if it has 1,500 or fewer employees. U.S. Census
                Bureau data for 2012 indicate that 3,117 firms operated during that
                year. Of that number, 3,083 operated with fewer than 1,000 employees.
                Based on these data, the Commission concludes that the majority of
                Competitive LECS, CAPs, Shared-Tenant Service Providers, and Other
                Local Service Providers, are small entities. According to Commission
                data, 1,442 carriers reported that they were engaged in the provision
                of either competitive local exchange services or competitive access
                provider services. Of these 1,442 carriers, an estimated 1,256 have
                1,500 or fewer employees. In addition, 17 carriers have reported that
                they are Shared-Tenant Service Providers, and all 17 are estimated to
                have 1,500 or fewer employees. Also, 72 carriers have reported that
                they are Other Local Service Providers. Of this total, 70 have 1,500 or
                fewer employees. Consequently, based on internally researched FCC data,
                the Commission estimates that most providers of competitive local
                exchange service, competitive access providers, Shared-Tenant Service
                Providers, and Other Local Service Providers are small entities.
                 128. We have included small incumbent LECs in this present RFA
                analysis. As noted above, a ``small business'' under the RFA is one
                that, inter alia, meets the pertinent small-business size standard
                (e.g., a telephone communications business having 1,500 or fewer
                employees) and ``is not dominant in its field of operation.'' The SBA's
                Office of Advocacy contends that, for RFA purposes, small incumbent
                [[Page 59105]]
                LECs are not dominant in their field of operation because any such
                dominance is not ``national'' in scope. We have therefore included
                small incumbent LECs in this RFA analysis, although we emphasize that
                this RFA action has no effect on Commission analyses and determinations
                in other, non-RFA contexts.
                 129. Interexchange Carriers (IXCs). Neither the Commission nor the
                SBA has developed a small business size standard specifically for
                Interexchange Carriers. The closest applicable NAICS Code category is
                Wired Telecommunications Carriers. The applicable size standard under
                SBA rules is that such a business is small if it has 1,500 or fewer
                employees. U.S. Census Bureau data for 2012 indicate that 3,117 firms
                operated for the entire year. Of that number, 3,083 operated with fewer
                than 1,000 employees. According to internally developed Commission
                data, 359 companies reported that their primary telecommunications
                service activity was the provision of interexchange services. Of this
                total, an estimated 317 have 1,500 or fewer employees. Consequently,
                the Commission estimates that the majority of interexchange service
                providers are small entities.
                 130. Cable System Operators (Telecom Act Standard). The
                Communications Act of 1934, as amended (the Act), also contains a size
                standard for small cable system operators, which is ``a cable operator
                that, directly or through an affiliate, serves in the aggregate fewer
                than one percent of all subscribers in the United States and is not
                affiliated with any entity or entities whose gross annual revenues in
                the aggregate exceed $250,000,000.'' As of 2018, there were
                approximately 50,504,624 cable video subscribers in the United States.
                Accordingly, an operator serving fewer than 505,046 subscribers shall
                be deemed a small operator if its annual revenues, when combined with
                the total annual revenues of all its affiliates, do not exceed $250
                million in the aggregate. We note that the Commission neither requests
                nor collects information on whether cable system operators are
                affiliated with entities whose gross annual revenues exceed $250
                million. Therefore we are unable at this time to estimate with greater
                precision the number of cable system operators that would qualify as
                small cable operators under the definition in the Act.
                 131. Other Toll Carriers. Neither the Commission nor the SBA has
                developed a size standard for small businesses specifically applicable
                to other toll carriers. This category includes toll carriers that do
                not fall within the categories of interexchange carriers, operator
                service providers, prepaid calling card providers, satellite service
                carriers, or toll resellers. The closest applicable size standard under
                SBA rules is for Wired Telecommunications Carriers. The U.S. Census
                Bureau defines this industry as ``establishments primarily engaged in
                operating and/or providing access to transmission facilities and
                infrastructure that they own and/or lease for the transmission of
                voice, data, text, sound, and video using wired communications
                networks. Transmission facilities may be based on a single technology
                or a combination of technologies. Establishments in this industry use
                the wired telecommunications network facilities that they operate to
                provide a variety of services, such as wired telephony services,
                including VoIP services, wired (cable) audio and video programming
                distribution, and wired broadband internet services. By exception,
                establishments providing satellite television distribution services
                using facilities and infrastructure that they operate are included in
                this industry.'' Under that size standard, such a business is small if
                it has 1,500 or fewer employees. Census data for 2012 show that there
                were 3,117 firms that operated that year. Of this total, 3,083 operated
                with fewer than 1,000 employees. Thus, under this category and the
                associated small business size standard, the majority of other toll
                carriers can be considered small.
                2. Wireless Carriers
                 132. Wireless Telecommunications Carriers (except Satellite). This
                industry comprises establishments engaged in operating and maintaining
                switching and transmission facilities to provide communications via the
                airwaves. Establishments in this industry have spectrum licenses and
                provide services using that spectrum, such as cellular services, paging
                services, wireless internet access, and wireless video services. The
                appropriate size standard under SBA rules is that such a business is
                small if it has 1,500 or fewer employees. For this industry, U.S.
                Census Bureau data for 2012 show that there were 967 firms that
                operated for the entire year. Of this total, 955 firms employed fewer
                than 1,000 employees and 12 firms employed of 1,000 employees or more.
                Thus under this category and the associated size standard, the
                Commission estimates that the majority of wireless telecommunications
                carriers (except satellite) are small entities.
                 133. The Commission's own data--available in its Universal
                Licensing System--indicate that, as of August 31, 2018 there are 265
                Cellular licensees that will be affected by our actions. The Commission
                does not know how many of these licensees are small, as the Commission
                does not collect that information for these types of entities.
                Similarly, according to internally developed Commission data, 413
                carriers reported that they were engaged in the provision of wireless
                telephony, including cellular service, Personal Communications Service
                (PCS), and Specialized Mobile Radio (SMR) Telephony services. Of this
                total, an estimated 261 have 1,500 or fewer employees, and 152 have
                more than 1,500 employees. Thus, using available data, we estimate that
                the majority of wireless firms can be considered small.
                 134. Satellite Telecommunications. This category comprises firms
                ``primarily engaged in providing telecommunications services to other
                establishments in the telecommunications and broadcasting industries by
                forwarding and receiving communications signals via a system of
                satellites or reselling satellite telecommunications.'' Satellite
                telecommunications service providers include satellite and earth
                station operators. The category has a small business size standard of
                $35 million or less in average annual receipts, under SBA rules. For
                this category, U.S. Census Bureau data for 2012 show that there were a
                total of 333 firms that operated for the entire year. Of this total,
                299 firms had annual receipts of less than $25 million. Consequently,
                we estimate that the majority of satellite telecommunications providers
                are small entities.
                3. Resellers
                 135. Local Resellers. The SBA has not developed a small business
                size standard specifically for Local Resellers. The SBA category of
                Telecommunications Resellers is the closest NAICs code category for
                local resellers. The Telecommunications Resellers industry comprises
                establishments engaged in purchasing access and network capacity from
                owners and operators of telecommunications networks and reselling wired
                and wireless telecommunications services (except satellite) to
                businesses and households. Establishments in this industry resell
                telecommunications; they do not operate transmission facilities and
                infrastructure. Mobile virtual network operators (MVNOs) are included
                in this industry. Under the SBA's size
                [[Page 59106]]
                standard, such a business is small if it has 1,500 or fewer employees.
                U.S. Census Bureau data from 2012 show that 1,341 firms provided resale
                services during that year. Of that number, all operated with fewer than
                1,000 employees. Thus, under this category and the associated small
                business size standard, the majority of these resellers can be
                considered small entities. According to Commission data, 213 carriers
                have reported that they are engaged in the provision of local resale
                services. Of these, an estimated 211 have 1,500 or fewer employees and
                two have more than 1,500 employees. Consequently, the Commission
                estimates that the majority of local resellers are small entities.
                 136. Toll Resellers. The Commission has not developed a definition
                for Toll Resellers. The closest NAICS Code Category is
                Telecommunications Resellers. The Telecommunications Resellers industry
                comprises establishments engaged in purchasing access and network
                capacity from owners and operators of telecommunications networks and
                reselling wired and wireless telecommunications services (except
                satellite) to businesses and households. Establishments in this
                industry resell telecommunications; they do not operate transmission
                facilities and infrastructure. MVNOs are included in this industry. The
                SBA has developed a small business size standard for the category of
                Telecommunications Resellers. Under that size standard, such a business
                is small if it has 1,500 or fewer employees. 2012 Census Bureau data
                show that 1,341 firms provided resale services during that year. Of
                that number, 1,341 operated with fewer than 1,000 employees. Thus,
                under this category and the associated small business size standard,
                the majority of these resellers can be considered small entities.
                According to Commission data, 881 carriers have reported that they are
                engaged in the provision of toll resale services. Of this total, an
                estimated 857 have 1,500 or fewer employees. Consequently, the
                Commission estimates that the majority of toll resellers are small
                entities.
                 137. Prepaid Calling Card Providers. Neither the Commission nor the
                SBA has developed a small business definition specifically for prepaid
                calling card providers. The most appropriate NAICS code-based category
                for defining prepaid calling card providers is Telecommunications
                Resellers. This industry comprises establishments engaged in purchasing
                access and network capacity from owners and operators of
                telecommunications networks and reselling wired and wireless
                telecommunications services (except satellite) to businesses and
                households. Establishments in this industry resell telecommunications;
                they do not operate transmission facilities and infrastructure. Mobile
                virtual networks operators (MVNOs) are included in this industry. Under
                the applicable SBA size standard, such a business is small if it has
                1,500 or fewer employees. U.S. Census Bureau data for 2012 show that
                1,341 firms provided resale services during that year. Of that number,
                1,341 operated with fewer than 1,000 employees. Thus, under this
                category and the associated small business size standard, the majority
                of these prepaid calling card providers can be considered small
                entities. According to Commission data, 193 carriers have reported that
                they are engaged in the provision of prepaid calling cards. All 193
                carriers have 1,500 or fewer employees. Consequently, the Commission
                estimates that the majority of prepaid calling card providers are small
                entities that may be affected by these rules.
                4. Other Entities
                 138. All Other Telecommunications. The ``All Other
                Telecommunications'' category is comprised of establishments primarily
                engaged in providing specialized telecommunications services, such as
                satellite tracking, communications telemetry, and radar station
                operation. This industry also includes establishments primarily engaged
                in providing satellite terminal stations and associated facilities
                connected with one or more terrestrial systems and capable of
                transmitting telecommunications to, and receiving telecommunications
                from, satellite systems. Establishments providing internet services or
                voice over internet protocol (VoIP) services via client-supplied
                telecommunications connections are also included in this industry. The
                SBA has developed a small business size standard for ``All Other
                Telecommunications'', which consists of all such firms with annual
                receipts of $35 million or less. For this category, U.S. Census Bureau
                data for 2012 show that there were 1,442 firms that operated for the
                entire year. Of those firms, a total of 1,400 had annual receipts less
                than $25 million and 15 firms had annual receipts of $25 million to
                $49,999,999. Thus, the Commission estimates that the majority of ``All
                Other Telecommunications'' firms potentially affected by our action can
                be considered small.
                D. Description of Projected Reporting, Recordkeeping, and Other
                Compliance Requirements for Small Entities
                 139. The FNPRM proposes to impose several obligations on gateway
                providers, many of whom may be small entities. Specifically, we propose
                to require gateway providers to authenticate and employ robocall
                mitigation techniques on all SIP calls that they allow into the United
                States from abroad that display a U.S. number in the caller ID field.
                The FNPRM also proposes that gateway providers should engage in
                robocall mitigation by (1) responding to all traceback requests from
                the Commission, law enforcement, and the industry traceback consortium
                within 24 hours; (2) complying with mandatory call blocking
                requirements; (3) complying with enhanced know-your-customer
                obligations; (4) complying with a general duty to mitigate illegal
                robocalls; and (5) filing a certification in the Robocall Mitigation
                Database. The FNPRM also proposes one blocking requirement for
                intermediate and terminating providers immediately downstream from the
                gateway provider, which would require those providers to block all
                traffic from a gateway provider that fails to block or effectively
                mitigate illegal traffic when notified of such traffic by the
                Commission. This proposal may also cover small entities.
                E. Steps Taken To Minimize the Significant Economic Impact on Small
                Entities, and Significant Alternatives Considered
                 140. The RFA requires an agency to describe any significant
                alternatives that it has considered in reaching its proposed approach,
                which may include the following four alternatives (among others): (1)
                The establishment of differing compliance or reporting requirements or
                timetables that take into account the resources available to small
                entities; (2) the clarification, consolidation, or simplification of
                compliance and reporting requirements under the rules for such small
                entities; (3) the use of performance rather than design standards; and
                (4) an exemption from coverage of the rule, or any part thereof, for
                such small entities.
                 141. The FNPRM seeks comment on the particular impacts that the
                proposed rules may have on small entities. The FNPRM seeks comment on
                whether the costs of the proposed gateway provider authentication
                requirement may vary by provider, including those providers that have
                not yet implemented STIR/SHAKEN, such as small voice service providers.
                The FNPRM also seeks
                [[Page 59107]]
                comment on the burdens on ``small gateway providers'' of a 24-hour
                traceback requirement. It also seeks comment on the impact on small
                businesses whose traffic may be blocked under our proposed blocking
                rules and know your customer obligations. The FNPRM also seeks comment
                on whether a general mitigation approach may make compliance more
                difficult for small entities.
                F. Federal Rules That May Duplicate, Overlap, or Conflict With the
                Proposed Rules
                 142. None.
                V. Procedural Matters
                 143. Initial Regulatory Flexibility Analysis. As required by the
                Regulatory Flexibility Act, the Commission has prepared an Initial
                Regulatory Flexibility Analysis (IRFA) of the possible significant
                economic impact on small entities of the policies and rules addressed
                in this FNPRM. Written public comments are requested on the IRFA.
                Comments must be filed by the deadlines for comments on the FNPRM
                indicated on the first page of this document and must have a separate
                and distinct heading designating them as responses to the IRFA. The
                Commission's Consumer and Governmental Affairs Bureau, Reference
                Information Center, will send a copy of this FNPRM, including the IRFA,
                to the Chief Counsel for Advocacy of the SBA.
                 144. Paperwork Reduction Act. The FNPRM contains proposed new
                information collection requirements. The Commission, as part of its
                continuing effort to reduce paperwork burdens, invites the general
                public and OMB to comment on the information collection requirements
                contained in this document, as required by the Paperwork Reduction Act
                of 1995, Public Law 104-13. In addition, pursuant to the Small Business
                Paperwork Relief Act of 2002, Public Law 107-198, see 44 U.S.C
                3506(c)(4), we seek specific comment on how we might further reduce the
                information collection burden for small business concerns with fewer
                than 25 employees.
                 145. Ex Parte Presentations--Permit-But-Disclose. The proceeding
                this FNPRM initiates shall be treated as a ``permit-but-disclose''
                proceeding in accordance with the Commission's ex parte rules. Persons
                making ex parte presentations must file a copy of any written
                presentation or a memorandum summarizing any oral presentation within
                two business days after the presentation (unless a different deadline
                applicable to the Sunshine period applies). Persons making oral ex
                parte presentations are reminded that memoranda summarizing the
                presentation must (1) list all persons attending or otherwise
                participating in the meeting at which the ex parte presentation was
                made, and (2) summarize all data presented and arguments made during
                the presentation. If the presentation consisted in whole or in part of
                the presentation of data or arguments already reflected in the
                presenter's written comments, memoranda or other filings in the
                proceeding, the presenter may provide citations to such data or
                arguments in his or her prior comments, memoranda, or other filings
                (specifying the relevant page and/or paragraph numbers where such data
                or arguments can be found) in lieu of summarizing them in the
                memorandum. Documents shown or given to Commission staff during ex
                parte meetings are deemed to be written ex parte presentations and must
                be filed consistent with Sec. 1.1206(b) of the Commission's rules. In
                proceedings governed by Sec. 1.49(f) of the Commission's rules or for
                which the Commission has made available a method of electronic filing,
                written ex parte presentations and memoranda summarizing oral ex parte
                presentations, and all attachments thereto, must be filed through the
                electronic comment filing system available for that proceeding, and
                must be filed in their native format (e.g., .doc, .xml, .ppt,
                searchable .pdf). Participants in this proceeding should familiarize
                themselves with the Commission's ex parte rules.
                VI. Ordering Clauses
                 146. Accordingly, IT IS ORDERED, pursuant to sections 4(i), 4(j),
                201, 202, 217, 227, 227b, 251(e), 303(r), and 403 of the Communications
                Act of 1934, as amended, 47 U.S.C. 154(i), 154(j), 201, 202, 217, 227,
                227b, 251(e), 303(r), 403, that this Further Notice of Proposed
                Rulemaking is adopted.
                 147. It is further ordered that the Commission's Consumer and
                Governmental Affairs Bureau, Reference information Center, SHALL SEND a
                copy of this Further Notice of Proposed Rulemaking, including the
                Initial Regulatory Flexibility Analysis (IRFA), to the Chief Counsel
                for Advocacy of the Small Business Administration.
                List of Subjects in 47 CFR Part 64
                 Carrier equipment, Communications common carriers, Reporting and
                recordkeeping requirements, Telecommunications, Telephone.
                Federal Communications Commission.
                Katura Jackson,
                Federal Register Liaison Officer.
                Proposed Rules
                 For the reasons discussed in the preamble, the Federal
                Communications Commission proposes to amend 47 CFR part 64 as follows:
                0
                1. The authority for part 64 continues to read as follows:
                 Authority: 47 U.S.C. 151, 152, 154, 201, 202, 217, 218, 220,
                222, 225, 226, 227, 227b, 228, 251(a), 251(e), 254(k), 262, 276,
                403(b)(2)(B), (c), 616, 620, 1401-1473, unless otherwise noted; Pub.
                L. 115-141, Div. P, sec. 503, 132 Stat. 348, 1091.
                0
                2. Amend Sec. 64.1200 by adding new paragraph (f)(19), revising
                paragraphs (n)(1) through (3), adding paragraphs (o) and (p) to read as
                follows:
                Sec. 64.1200 Delivery restrictions.
                * * * * *
                 (f) * * *
                 (19) The term gateway provider means the first U.S.-based
                intermediate provider in the call path of a foreign-originated call
                that transmits the call directly to another intermediate provider or a
                terminating voice service provider in the United States.
                * * * * *
                 (n) * * *
                 (1) Respond fully and in a timely manner to all traceback requests
                from the Commission, civil law enforcement, criminal law enforcement,
                and the industry traceback consortium. Where the voice service provider
                is a gateway provider, it must respond within 24 hours of receipt of
                such a request;
                 (2) Take affirmative, effective measures to prevent new and
                renewing customers from using its network to originate illegal calls,
                including knowing its customers and exercising due diligence in
                ensuring that its services are not used to originate illegal traffic;
                and,
                 (3) Take steps to effectively mitigate illegal traffic when it
                receives actual written notice of such traffic from the Commission
                through its Enforcement Bureau.
                 (i) In providing notice, the Enforcement Bureau shall identify with
                as much particularity as possible the suspected traffic; provide the
                basis for the Enforcement Bureau's reasonable belief that the
                identified traffic is unlawful; cite the statutory or regulatory
                provisions the suspected traffic appears to violate; and direct the
                voice service provider receiving the notice that it must comply with
                this section;
                 (ii) Each notified provider must promptly investigate the
                identified
                [[Page 59108]]
                traffic. Each notified provider must then promptly report the results
                of its investigation to the Enforcement Bureau, including any steps the
                provider has taken to effectively mitigate the identified traffic or an
                explanation as to why the provider has reasonably concluded that the
                identified calls were not illegal and what steps it took to reach that
                conclusion. Should the notified provider find that the traffic comes
                from an upstream provider with direct access to the U.S. Public
                Switched Telephone Network, that provider must promptly inform the
                Enforcement Bureau of the source of the traffic and, if possible, take
                steps to mitigate this traffic;
                 (iii) If the notified provider is a gateway provider, that provider
                must, after conducting the investigation described in paragraph (ii) of
                this section, promptly block all traffic associated with the traffic
                pattern identified in the Enforcement Bureau's notice; and
                 (iv) Should a gateway provider fail to comply with the requirements
                of paragraph (iii) of this section, the Commission, through its
                Enforcement Bureau, may send a notice to all providers immediately
                downstream from the gateway provider in the call path. Upon receipt of
                such notice, all providers must promptly block all traffic from the
                identified gateway provider.
                 (o) A gateway provider must block calls that it reasonably
                determines, based on reasonable analytics that include consideration of
                caller ID authentication information where available, that calls are
                part of a call pattern that is highly likely to be illegal.
                 (1) The gateway provider must manage this blocking with human
                oversight and network monitoring sufficient to ensure that it blocks
                only calls that are highly likely to be illegal, which must include a
                process that reasonably determines that the particular call pattern is
                highly likely to be illegal before initiating blocking of calls that
                are part of that pattern.
                 (2) The gateway provider ceases blocking calls that are part of the
                call pattern as soon as the gateway provider has actual knowledge that
                the blocked calls are likely lawful;
                 (3) All analytics are applied in a non-discriminatory,
                competitively neutral manner.
                 (p) A gateway provider must confirm that the originator of a high
                volume of foreign-originated calls that use a U.S. North American
                Numbering Plan number in the caller ID field is authorized to use that
                number to originate calls.
                0
                3. Amend Sec. 64.6300 by redesignating paragraphs (d) through (1) as
                paragraphs (e) through (m) and adding new paragraph (d) to read as
                follows:
                Sec. 64.6300 Definitions.
                * * * * *
                 (d) Gateway Provider. The term ``gateway provider'' means the first
                U.S.-based intermediate provider in the call path of a foreign-
                originated call that transmits the call directly to another
                intermediate provider or a terminating voice service provider in the
                United States.
                * * * * *
                0
                4. Amend Sec. 64.6305 by revising paragraph (a) introductory text,
                redesignating paragraphs (b) and (c) as paragraphs (c) and (e),
                respectively, and by adding new paragraphs (b) and (d) to read as
                follows:
                Sec. 64.6305 Robocall mitigation and certification.
                 (a) Robocall mitigation program requirements for voice service
                providers.
                * * * * *
                 (b) Robocall mitigation program requirements for gateway providers.
                 (1) Each gateway provider shall implement an appropriate robocall
                mitigation program with respect to calls that use North American
                Numbering Plan resources that pertain to the United States.
                 (2) Any robocall mitigation program implemented pursuant to
                paragraph (b)(1) of this section shall include reasonable steps to
                avoid carrying or processing illegal robocall traffic and shall include
                a commitment to respond fully and within 24 hours to all traceback
                requests from the Commission, law enforcement, and the industry
                traceback consortium, and to cooperate with such entities in
                investigating and stopping any illegal robocallers that use its service
                to carry or process calls.
                 (c) Certification by voice service providers in the Robocall
                Mitigation Database.
                 (1) Not later than June 30, 2021, a voice service provider,
                regardless of whether it is subject to an extension granted under Sec.
                64.6304, shall certify to one of the following:
                 (i) It has fully implemented the STIR/SHAKEN authentication
                framework across its entire network and all calls it originates are
                compliant with Sec. 64.6301(a)(1) and (2);
                 (ii) It has implemented the STIR/SHAKEN authentication framework on
                a portion of its network and calls it originates on that portion of its
                network are compliant with Sec. 64.6301(a)(1) and (2), and the
                remainder of the calls that originate on its network are subject to a
                robocall mitigation program consistent with paragraph (a) of this
                section; or
                 (iii) It has not implemented the STIR/SHAKEN authentication
                framework on any portion of its network, and all of the calls that
                originate on its network are subject to a robocall mitigation program
                consistent with paragraph (a) of this section.
                 (2) A voice service provider that certifies that some or all of the
                calls that originate on its network are subject to a robocall
                mitigation program consistent with paragraph (a) of this section shall
                include the following information in its certification:
                 (i) Identification of the type of extension or extensions the voice
                service provider received under Sec. 64.6304, if the voice service
                provider is not a foreign voice service provider;
                 (ii) The specific reasonable steps the voice service provider has
                taken to avoid originating illegal robocall traffic as part of its
                robocall mitigation program; and
                 (iii) A statement of the voice service provider's commitment to
                respond fully and in a timely manner to all traceback requests from the
                Commission, law enforcement, and the industry traceback consortium, and
                to cooperate with such entities in investigating and stopping any
                illegal robocallers that use its service to originate calls.
                 (3) All certifications made pursuant to paragraphs (c)(1) and (2)
                of this section shall:
                 (i) Be filed in the appropriate portal on the Commission's website;
                and
                 (ii) Be signed by an officer in conformity with 47 CFR 1.16.
                 (4) A voice service provider filing a certification shall submit
                the following information in the appropriate portal on the Commission's
                website.
                 (i) The voice service provider's business name(s) and primary
                address;
                 (ii) Other business names in use by the voice service provider;
                 (iii) All business names previously used by the voice service
                provider;
                 (iv) Whether the voice service provider is a foreign voice service
                provider; and
                 (v) The name, title, department, business address, telephone
                number, and email address of one person within the company responsible
                for addressing robocall mitigation-related issues.
                 (5) A voice service provider shall update its filings within 10
                business days of any change to the information it must provide pursuant
                to paragraphs (c)(2) through (4) of this section.
                 (i) A voice service provider or intermediate provider that has been
                aggrieved by a Governance Authority
                [[Page 59109]]
                decision to revoke that voice service provider's or intermediate
                provider's SPC token need not update its filing on the basis of that
                revocation until the sixty (60) day period to request Commission
                review, following completion of the Governance Authority's formal
                review process, pursuant to Sec. 64.6308(b)(1) expires or, if the
                aggrieved voice service provider or intermediate provider files an
                appeal, until ten business days after the Wireline Competition Bureau
                releases a final decision pursuant to Sec. 64.6308(d)(1).
                 (ii) If a voice service provider or intermediate provider elects
                not to file a formal appeal of the Governance Authority decision to
                revoke that voice service provider's or intermediate provider's SPC
                token, the provider need not update its filing on the basis of that
                revocation until the thirty (30) day period to file a formal appeal
                with the Governance Authority Board expires.
                 (d) Certification by gateway providers in the Robocall Mitigation
                Database.
                 (1) Not later than March 1, 2023, a gateway provider shall certify
                that it has fully implemented the STIR/SHAKEN authentication framework
                across its entire network and all calls it carries or processes are
                compliant with Sec. 64.6302(a) and (c);
                 (2) A gateway provider shall include the following information in
                its certification:
                 (i) The specific reasonable steps the gateway provider has taken to
                avoid carrying or processing illegal robocall traffic as part of its
                robocall mitigation program; and
                 (ii) A statement of the gateway provider's commitment to respond
                fully and within 24 hours to all traceback requests from the
                Commission, law enforcement, and the industry traceback consortium, and
                to cooperate with such entities in investigating and stopping any
                illegal robocallers that use its service to carry or process calls.
                 (3) All certifications made pursuant to paragraph (d)(1) of this
                section shall:
                 (i) Be filed in the appropriate portal on the Commission's website;
                and
                 (ii) Be signed by an officer in conformity with 47 CFR 1.16.
                 (4) A gateway provider filing a certification shall submit the
                following information in the appropriate portal on the Commission's
                website.
                 (i) The gateway provider's business name(s) and primary address;
                 (ii) Other business names in use by the gateway provider;
                 (iii) All business names previously used by the gateway provider;
                 (iv) Whether the gateway provider or any affiliate is also a
                foreign voice service provider; and
                 (v) The name, title, department, business address, telephone
                number, and email address of one person within the company responsible
                for addressing robocall mitigation-related issues.
                 (5) A gateway provider shall update its filings within 10 business
                days of any change to the information it must provide pursuant to
                paragraphs (d)(2) through (4) of this section, subject to the
                conditions set forth in paragraphs (c)(5)(i)-(ii) of this section.
                 (e) Intermediate provider and voice service provider obligations.
                 (1) Beginning September 28, 2021, intermediate providers and voice
                service providers shall accept calls directly from a voice service
                provider, including a foreign voice service provider that uses North
                American Numbering Plan resources that pertain to the United States to
                send voice traffic to residential or business subscribers in the United
                States, only if that voice service provider's filing appears in the
                Robocall Mitigation Database in accordance with paragraph (c) of this
                section.
                 (2) Additional intermediate provider and voice service provider
                obligations. Beginning ninety days after the deadline for filing
                certifications pursuant to paragraph (d) of this section, intermediate
                providers and voice service providers shall accept calls directly from
                a gateway provider only if that gateway provider's filing appears in
                the Robocall Mitigation Database in accordance with paragraph (d) of
                this section.
                [FR Doc. 2021-23164 Filed 10-25-21; 8:45 am]
                BILLING CODE 6712-01-P
                

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT