Call Authentication Trust Anchor; Appeals of the STIR/SHAKEN Governance Authority Token Revocation Decisions

AGENCY:

Federal Communications Commission.

ACTION:

Final rule.

SUMMARY:

In this document, the Federal Communications Commission (the Commission) adopts rules establishing a process for voice service providers aggrieved by a token revocation decision of the private STIR/SHAKEN Governance Authority to file a request for review to the Commission. Without this process the private STIR/SHAKEN Governance Authority can place other private entities out of compliance with the Commission's STIR/SHAKEN implementation rules without oversight from the Commission. The adopted rules will provide appropriate oversight and ensure due process for voice service providers aggrieved by a Governance Authority token revocation decision.

DATES:

Effective September 30, 2021.

FOR FURTHER INFORMATION CONTACT:

Alexander Hobbs, Attorney Advisor, Competition Policy Division, Wireline Competition Bureau, at (202) 418-7433, or email: Alexander.Hobbs@fcc.gov.

SUPPLEMENTARY INFORMATION:

This is a summary of the Commission's Report and Order in WC Docket Nos. 17-97, 21-291, FCC 21-93, adopted on August 5, 2021, and released on August 6, 2021. The complete text of this document is available for download at https://docs.fcc.gov/public/attachments/FCC-21-93A1.pdf. To request materials in accessible formats for people with disabilities (Braille, large print, electronic files, audio format), send an email to fcc504@fcc.gov or call the Consumer and Governmental Affairs Bureau at (202) 418-0530 (voice), (202) 418-0432 (TTY).

Synopsis

I. Introduction

Caller ID authentication using the STIR/SHAKEN framework is a key component of our multi-pronged effort to combat the scourge of illegal robocalls. STIR/SHAKEN is a set of technological standards that helps to prevent illegal “spoofing,” a practice that involves falsifying caller ID information in order to trick unsuspecting Americans into thinking that calls are trustworthy because the caller ID information appears as if the call came from a neighbor or a familiar or reputable source. With voice service providers required by our rules to implement STIR/SHAKEN in the internet Protocol (IP) portions of their networks by June 30, 2021, Americans are now in a position to answer their phones with greater confidence that the number displayed is correct.

To guard against bad actors and preserve trust within the distributed caller ID authentication system, the ability of a voice service provider to participate in STIR/SHAKEN can be revoked by the private Governance Authority that oversees the STIR/SHAKEN framework. This revocation process effectively allows the private Governance Authority to make decisions that render voice service providers noncompliant with our rules. To provide appropriate oversight and ensure due process, today we establish a process for voice service providers to appeal such revocation decisions to the Commission.

II. Background

To address the issue of illegal caller ID spoofing, technologists from the internet Engineering Task Force (IETF) and the Alliance for Telecommunications Industry Solutions (ATIS) developed standards to allow for the authentication and verification of caller ID information for calls carried over IP networks. The result of their efforts is the STIR/SHAKEN caller ID authentication framework, which allows for the caller ID information to securely travel with the call itself throughout the entire length of the call path. A key component of the STIR/SHAKEN framework is the transmission of a digital “certificate” along with the call. This certificate essentially states that the voice service provider authenticating the caller ID information is the voice service provider it claims to be, it is authorized to authenticate this information and, thus, the voice service provider's claims about the caller ID information can be trusted. To maintain trust and accountability in the voice service providers that vouch for the caller ID information, a neutral governance system issues the certificates.

The STIR/SHAKEN governance system is comprised of several different entities fulfilling specialized roles. The Governance Authority, managed by a board consisting of representatives from across the voice service industry, defines the policies and procedures for which entities can issue or acquire certificates. The Policy Administrator applies the rules the Governance Authority establishes, confirms that Certification Authorities are authorized to issue certificates, and confirms that voice service providers are authorized to request and receive certificates. Certification Authorities, of which there are several, issue the certificates that voice service providers use to authenticate and verify calls. Finally, the voice service providers, when acting as call initiators, select an approved Certification Authority from which to request a certificate, and when acting as call recipients, check with Certification Authorities to ensure that the certificates they receive were issued by the correct Certification Authority.

To receive a digital certificate, a voice service provider must first apply to the Policy Administrator for a Service Provider Code (SPC) token. To obtain a token, the Governance Authority policy requires that a voice service provider must (1) have a current FCC Form 499A on file with the Commission, (2) have been assigned an Operating Company Number (OCN), and (3) have certified with the FCC that they have implemented STIR/SHAKEN or comply with the Commission's Robocall Mitigation Program requirements and are listed in the FCC Robocall Mitigation Database. The token then permits the voice service provider to obtain the digital certificates it will use to authenticate calls from one of the approved Certification Authorities. The token, therefore, is a prerequisite for a voice service provider to participate in the STIR/SHAKEN ecosystem endorsed by section 4 of the TRACED Act (and the Commission's implementing rules), and management of token access is the mechanism by which the Policy Administrator and Governance Authority protect the system from abuse and misuse.

The Policy Administrator grants tokens to voice service providers that meet the three eligibility criteria conditioned on the execution of a signed agreement with each voice service provider, stating that the voice service provider will follow the ATIS SHAKEN specifications. This agreement establishes that if the Policy Administrator deems the voice service provider to be in breach of the agreement, it has the authority to suspend or revoke a voice service provider's token. The Policy Administrator may revoke a service provider's service token on its own initiative in certain circumstances or when directed by the Governance Authority. In the SPC Token Revocation Policy, the Governance Authority lists the reasons for which a token may be revoked: (1) In the situation of compromised credentials, i.e., a voice service provider's private key has been lost, stolen, or compromised, or a certification authority has been compromised; (2) the voice service provider exits the STIR/SHAKEN ecosystem and closes its account with the Policy Administrator; (3) the voice service provider failed to adhere to the policy and technical requirements of the STIR/SHAKEN ecosystem, including the SPC Token Access Policy, funding requirements, or technical specifications regarding the use of STIR/SHAKEN; or (4) when directed by a court, the Commission, or another body with relevant legal authority due to a violation of Federal law related to caller ID authentication. When a service provider's credentials are compromised or it exits the ecosystem (the former two scenarios), the Policy Administrator may revoke a service provider's token without prior direction from the Governance Authority because in either circumstance revocation is clearly appropriate. However, when revocation is because a service provider failed to adhere to a policy or technical requirement, or is effected at the direction of a governmental body (the latter two scenarios), the Governance Authority conducts the revocation process according to the process outlined in the SPC Token Revocation Policy.

Token Revocation Procedure. Before the Governance Authority revokes a token due to a voice service provider's violation of a policy, technical, or legal requirement, the Governance Authority follows a multi-step process described by the SPC Token Revocation Policy, which allows the voice service provider to respond to the alleged infraction and appeal any adverse decision according to the Governance Authority's operating procedures. According to the SPC Token Revocation Policy, the revocation review process is triggered when a voice service provider, the Policy Administrator, a Certification Authority, or a regulatory authority (such as the Commission) reports a potential issue to the Governance Authority, generally via a complaint. After a preliminary review of the complaint, the Governance Authority decides whether or not to move forward with the review process. If the Governance Authority determines there is sufficient information to move forward, notice of the complaint will be sent to the Governance Authority Board. After the Governance Authority Board receives notice of the complaint, additional notices are sent to the complainant and to all other parties in the investigation process notifying them of the confidentiality requirements of the revocation proceeding. The Governance Authority also sends notice to the subject of the complaint—which has five business days to provide a preliminary response—and to the Policy Administrator who, after consulting with the Certification Authority if necessary, provides further information on facts related to the complaint and a proposed recommendation to the Governance Authority Board on whether to move forward with the complaint review. The Governance Authority Board then decides to either reject the complaint review, agrees review is necessary and accepts the complaint for review, or, if required, assigns it to the Technical Committee for further review.

If the Governance Authority Board decides to accept the complaint for review, it will reach out to the entity that is the subject of the complaint to provide another notification, this time stating that the complaint is being investigated and requesting a substantive written response. If the Governance Authority Board determines that additional review by the Technical Committee is also necessary, it will send the complaint to the Technical Committee, which will review the complaint and provide a recommendation to the Governance Authority Board. The Governance Authority will then review the Technical Committee's recommendation and request further investigation or discussion for the complaint, including submitting questions to all entities involved in the complaint review process. After reviewing all the material, including the Technical Committee's recommendation if necessary, the Governance Authority Board votes on whether to revoke the token, requiring a two-thirds vote of the Governance Authority Board to approve the revocation. If the Governance Authority Board votes to revoke the token, the decision is transmitted to the affected voice service provider, the complainant, and the Policy Administrator. The Policy Administrator then will execute the token revocation by deactivating the voice service provider's account and notifying all Certification Authorities to stop assigning new certificates to the voice service provider.

The aggrieved voice service provider may appeal an adverse decision by the Governance Authority Board through a formal appeal process outlined in the Governance Authority's Operating Procedures. In addition to the Governance Authority Board reviewing the complaint and issuing a written response, the formal appeal process includes the potential for a hearing before an independent panel of three individuals. Following a hearing, the appeal panel issues a written decision stating its findings of fact, conclusions, and the reasoning for its conclusions. If a voice service provider loses the appeal, or chooses not to appeal, it may seek reinstatement to the STIR/SHAKEN ecosystem if the Governance Authority approves of its plan of action to remedy the issue or issues underlying the token revocation.

On January 14, 2021, the Commission released a Second Caller ID Authentication Further Notice of Proposed Rulemaking proposing and seeking comment on establishing an oversight role for the Commission to oversee token revocation decisions made by the Governance Authority. The Commission specifically proposed adopting an appeal process similar to our process for reviewing decisions by the Universal Service Administrative Company (USAC). All commenters in the docket generally supported the proposal to establish such a role for the Commission. The Governance Authority Board states that “[g]iven the impact token revocation decisions will have on providers' abilities to comply with the Commission's call authentication rules, it is appropriate that the Commission should have a role in reviewing these decisions.” INCOMPAS “supports an oversight role for the agency in the certificate revocation process” while VON “recognizes the benefits to all stakeholders” from such a role, and USTelecom states “the Commission has a critical role in reviewing any [Governance Authority] revocation decisions.”

III. Discussion

After reviewing the record, we conclude that the Commission should have an oversight role and therefore establish a review process of the Governance Authority's token revocation decisions. We do so to provide proper due process for voice service providers aggrieved by Governance Authority token revocation decisions and to “ensure that the STIR/SHAKEN ecosystem remains robust.” We detail the specific appeals process we adopt below. As we explain, we largely adopt the proposals in the Second Caller ID Authentication Further Notice. We deviate from those proposals in several respects, however, such as by requiring parties seeking review of a Governance Authority decision to file their requests for review in a dedicated public docket in the Commission's Electronic Comment Filing System (ECFS) and by directing the Wireline Competition Bureau (Bureau) to review all appeals in the first instance. As we explain below, we make these changes from our initial proposals because we find doing so will facilitate efficient review based on a full record.

A. Appeals Process and Requirements

Exhaustion of Governance Authority Appeals Process Required. We will require parties seeking review by the Bureau to first exhaust the Governance Authority appeal process, including completing the Governance Authority's formal appeal process. In the Second Caller ID Authentication Further Notice, the Commission proposed to require exhaustion of the Governance Authority's process before accepting appeals, stating that such a requirement would “enable the dispute to fully develop before potentially reaching the Commission, thereby making it easier for the Commission to identify the relevant facts and issues.” All commenters addressing the issue support this proposal. We agree with USTelecom that “[r]equiring exhaustion of the [Governance Authority] process will ensure that the [Governance Authority] can complete its process and render an independent decision before the FCC intervenes.” Doing so will ensure that only “serious challenges” will end up in front of the Commission, and will avoid wasting Commission resources by preventing us from “duplicating efforts and expending resources to develop the same facts [as the Governance Authority].” As VON notes, requiring exhaustion of the Governance Authority's process will “resolve a large majority of complaints without Commission action” ensuring the Commission does not waste time on issues that can be properly resolved by the Governance Authority.

Parties Permitted to Seek Review. We establish that any voice service provider aggrieved by a Governance Authority decision to revoke that provider's token may seek review by the Bureau after exhausting the appeals process established by the Governance Authority. We only allow appeals by the aggrieved party that suffered the token revocation, and not another party on its behalf, to ensure efficient use of limited Commission resources and provide finality and certainty for affected parties seeking an appeal. Third parties, including the Governance Authority, may participate to the extent that they may file oppositions and replies. This procedure mirrors the process in Universal Service appeals, where only the aggrieved party may appeal a USAC decision and other interested third parties may participate by filing oppositions and replies as appropriate, as well as supportive filings. We find that this approach—in addition to being consistent with the well-established process for USAC appeals—best balances competing arguments in the record. VON argues that voice service providers that rely on a delegated certification from a token holder should also be allowed to participate in the appeal as “intervenors” or have “interested party status.” VON states that some voice service providers “required to participate in the STIR/SHAKEN ecosystem may not obtain their own certificates and may instead rely on delegated certification from a token-holder.” Therefore, it asserts, “revoking a token would not just result in potential injury to the token-holder, but also to any other service provider that relies on the token-holder's continued authorization.” We disagree that voice service providers that rely on delegated tokens should be accorded special status because allowing them to participate in the appeal as interested parties “is not likely to give them the relief they need if the token holder is abusing its token.” Furthermore, the impact to a voice service provider with a delegated token is irrelevant as to whether the token holder acted in violation of rules such that token revocation is appropriate. USTelecom, in contrast with VON, argues that “[o]nly the token holders should participate in the appeal process.” To the extent USTelecom is arguing that third parties should not be able to participate in an appeal in any capacity, we disagree; we see no compelling reason to diverge with our standard procedures and not allow third parties, including voice service providers that rely on delegated tokens, to file oppositions and replies.

We note that any voice service provider that relies on a delegated token from another entity may seek a waiver of our STIR/SHAKEN rules for a limited time period if the token it relies upon is revoked. We agree with USTelecom that in typical cases, a 90-day waiver period, from the date the Governance Authority revokes a provider's token in the first instance, should give a voice service provider sufficient time to transfer its delegated token to a new partner and continue to participate in the STIR/SHAKEN framework. This time period balances the need for an affected voice service provider to have adequate time to receive another certificate with the public interest of broad STIR/SHAKEN participation. However, affected providers are free to request a different waiver period accompanied by an explanation of good cause for such a time period. We direct the Bureau to rule on all such waiver requests. Review of waivers of Commission rules is consistent with the Bureau's authority and will ensure waiver requests are reviewed in a timely and efficient manner to maintain the efficacy of the STIR/SHAKEN ecosystem.

Filing Deadlines. We establish that aggrieved providers have 60 days to seek Bureau review after the Governance Authority upholds its adverse token revocation decision. Specifically, a voice service provider requesting Bureau review of a Governance Authority decision to revoke that voice service provider's token shall file such a request electronically in ECFS within 60 days from the date the Governance Authority upholds its token revocation decision. Sixty days will provide sufficient time to an aggrieved voice service provider to receive notice and file a request for review and is equivalent to the time given parties in our Universal Service appeals process. The only commenter to address this issue, INCOMPAS, opposed our proposal and suggested we give aggrieved voice service providers 30 days to request review instead of 60 days in order to expedite the review process because “[r]evoking a voice service provider's access to SPC tokens will have significant repercussions for the provider and its customers.” We disagree with INCOMPAS's proposed shorter deadline. Because of the importance of the token to our STIR/SHAKEN rules we want to ensure providers have sufficient time to request review of any token revocation. Thirty days may not give affected voice service providers enough time to receive notice of the Governance Authority decision and then to prepare and file a request for review with the Bureau. We note that the 60-day deadline does not prevent providers from filing appeals sooner to expedite a review. We also note that 60 days is the same timeframe provided for in our Universal Service appeal process.

We also establish that any commenters shall adhere to the time periods for filing oppositions and replies as set forth in § 1.45 of our rules. This follows the procedure in our USAC appeals process and was unopposed in the record.

We establish a 180-day “shot clock” for the Bureau's review period, similar to the procedure used in our pole access complaint resolution proceedings. One hundred eighty days will typically be sufficient time for staff to complete reviews even if they present novel and potentially complex factual issues, and for staff to have time to present follow-up questions to the appealing party or the Governance Authority if necessary, while also ensuring parties can set expectations for when the review will be completed. As with pole access complaints, we expect the Bureau to meet the shot clock “except in extraordinary circumstances.”

The record support in favor of establishing a specific time limit for the Bureau's review persuades us to deviate from our proposal not to impose such a limit. VON argues we should impose a time limit on Bureau review “since revocation of a token can substantially impact a provider's business.” INCOMPAS suggests the Commission adopt a 30-day time limit for the Bureau to complete its review, arguing that speedy resolution is necessary because it “will give impacted voice service providers and their customers the information and clarity they need to make plans beyond the Commission's review.” And the Governance Authority Board states, “it is important that the Commission conclude its review and issue a decision as quickly as reasonably possible.” Nonetheless, while we agree with these commenters that prompt review is important, we disagree with INCOMPAS that the review period should be 30 days. INCOMPAS does not explain how the Bureau can adequately account for the potential novel and complex factual issues each appeal could raise in 30 days. Instead, we think a 180-day period is sufficient to ensure that the Bureau has time to render a carefully considered review for each appeal while also ensuring the review is completed in a timely and reasonable manner. And if an appeal were not to pose novel or complex issues, we think it could be completed well before 180 days.

We establish that the shot clock will start when the request for review is filed in ECFS. This procedure is identical to the one used in our pole access complaint proceedings and will ensure the Bureau and all parties are on notice of when the shot clock begins counting down in order to set expectations of when the review will be completed. We also establish that the Bureau will have discretion to pause the 180-day review period when actions outside the Bureau's control delay the Bureau's review. For example, the Bureau may pause the shot clock if parties need additional time to provide key information requested by the Bureau. The Bureau will resume the shot clock when the cause for pausing the shot clock has been resolved. We direct the Bureau to provide written notice of any pause in the shot clock, as well as when the shot clock is resumed. This procedure similarly draws from the one we use in pole access complaint review and will ensure the Bureau has adequate time to complete its review if faced with delays outside its control and that all parties are duly informed whenever the shot clock is paused or resumed.

Filing Requirements. We establish that requests for review shall be filed electronically in WC Docket No. 21-291, Appeals of the STIR/SHAKEN Governance Authority Token Revocation Decisions, in ECFS. The request for review shall be captioned “In the matter of Request for Review by (name of party seeking review) of Decision of the Governance Authority to Revoke an SPC Token.” The request for review shall contain (1) a statement setting forth the voice service provider's asserted basis for appealing the Governance Authority's decision to revoke the token; (2) a full statement of relevant, material facts with supporting affidavits and documentation, including any background information the voice service provider deems useful to the Bureau's review; and (3) the question presented for review, with reference, where appropriate, to any underlying Commission rule or Governance Authority policy. Moreover, we establish that requests for review need not include a statement of the relief sought. We assume that the relief sought will always be the reversal of the Governance Authority's revocation decision. We establish that the party seeking review shall send a copy of the request for review to the Governance Authority via sti-ga@atis.org or another method specified in the Governance Authority's Operating Procedures. Filers may request confidential treatment for filings pursuant to § 0.459 of our rules. These proposals were all unopposed in the record. In the Second Further Notice we proposed that filers would submit requests for review to the Commission's non-docketed inbox where they would not be viewable by the public. We deviate from this proposal and require filers to submit their requests to ECFS in order to allow public notice and opportunity to comment by third parties.

Governance Authority Record. We encourage the Governance Authority to submit to the Bureau the full record of a token revocation appeal within five days of receiving notice of a voice service provider's request for Bureau review. We ask the Governance Authority to file the record materials in WC Docket No. 21-291, Appeals of the STIR/SHAKEN Governance Authority Token Revocation Decisions, in ECFS. Governance Authority submission of such materials to the Bureau will “increase efficiency and fairness” of the Bureau's review process. The full record should include, as suggested by the Governance Authority Board, “the completed SPC token Complaint Submission Form, the notice of complaint that was sent to the [Governance Authority] Board, written responses from the provider at issue, the final written decision of the [Governance Authority] Board, any materials provided by the service provider as part of an appeal of the decision under the [Governance Authority] Operating Procedures, as well as the written decision by the [Governance Authority] Board regarding the appeal.” We agree with the Governance Authority Board that it does not need to submit drafts of the required documents or Board discussions to protect the confidentiality of its internal deliberations. We also recognize the Governance Authority Board's concern that the materials submitted by the Governance Authority Board merit confidential treatment and should be treated as such because they are likely to contain privileged or confidential “provider-specific” commercial information. Accordingly, the Governance Authority may request confidential treatment for its submissions pursuant to § 0.459 of our rules (as set forth in our rules, the Governance Authority Board would need to identify the specific information for which it is requesting confidential treatment. The Governance Authority Board also would need to submit a version of the filing that can be made public with the confidential material redacted. We encourage the Governance Authority Board to work with the voice service provider seeking review to determine which information is confidential or to put procedures in place that will require voice service providers to identify confidential information when submitting information to the Governance Authority Board and to identify any categories of internal documents it considers confidential.).

We do not expect the Governance Authority to submit a statement in opposition to the request for review. We will rely “on the entirety of the record developed” by the Governance Authority during its review process and will “only engage the [Governance Authority] in an appeal to the extent necessary to understand [Governance Authority's] policies and procedures and the [Governance Authority's] interpretations of them.” USTelecom argues that “[r]equiring the [Governance Authority] to file a statement in opposition to the FCC review request would needlessly make the [Governance Authority] a party to the proceeding rather than a neutral, independent arbiter in its own right.” USTelecom also notes that in the USAC appeals process “USAC does not file a statement in opposition to the review request.” We agree with USTelecom that the Governance Authority should remain a neutral party in the appeals process. However, we do not affirmatively prohibit the Governance Authority from participating beyond submission of the record should it find it appropriate to do so.

Wireline Competition Bureau Review. We establish that the Wireline Competition Bureau will review and issue decisions in the first instance in all appeals of decisions from the Governance Authority (in the Second Caller ID Authentication Further Notice the Commission proposed that the Bureau would review all appeals with one exception: the Commission would review appeals that presented “novel questions of fact, law, or policy.” That approach followed our USAC appeals procedure. We deviate from our USAC appeals procedure because, after further consideration, we expect most, if not all, appeals to present fact-specific and technically complicated issues; the Bureau is best situated to review such appeals in the first instance in a speedy manner.). Accordingly, we direct the Bureau to review all requests for review in the first instance, with applications for review to the Commission available after the Bureau issues a final decision. We direct the Bureau to ensure its decisions maintain the integrity and efficacy of the STIR/SHAKEN ecosystem to protect the public from unlawfully spoofed calls and unlawful robocalls. By directing the Bureau to review all appeals in the first instance we ensure voice service providers receive speedy resolution of their disputes by agency experts and those voice service providers whose tokens are determined to be rightfully revoked are promptly required to update their Robocall Mitigation Database certifications. We reiterate that, as with any decision adopted on delegated authority, an affected party may seek review by the full Commission of a decision issued by the Bureau, thus ensuring Commission oversight of all decision-making and availability to any interested party. No party addressed the appropriate scope of review by the Bureau in the record.

Standard of Review. We establish that the standard of review by the Bureau will be de novo. Specifically, we direct the Bureau to conduct de novo review of Governance Authority decisions to revoke a voice service provider's token. We agree with the Governance Authority Board that de novo review “will allow the Commission to independently verify the [Governance Authority] Board's decisions and better ensure that the SHAKEN ecosystem continues to operate in a fair and equitable manner.” Such an approach also avoids the concern expressed by VON that “anything more deferential than de novo review would inevitably result in [Governance Authority] decisions receiving precedential treatment, and would turn the STI-GA into a de facto policymaking body in place of the FCC.” A de novo standard of review was unopposed in the record and commenters all agreed a de novo standard is appropriate.

Status During Pendency of Appeals. We adopt a new rule establishing that throughout the review period, starting from when the Governance Authority revokes a voice service provider's token and including the duration of the Governance Authority's formal appeals process, until the Bureau issues a decision on the appeal, a voice service provider will not be judged to be in violation of the Commission's STIR/SHAKEN rules as a result of the revocation. We agree with USTelecom that it would be unreasonable for the agency to judge a voice service provider as noncompliant during the pendency of an appeal before it evaluates a revocation decision. USTelecom and NCTA supported this proposal. We find it necessary to satisfy due process for a party to have the opportunity to appeal the decision of the private Governance Authority and, if it appeals, to obtain a decision by the Bureau before being judged noncompliant. VON argues that we also not judge “delegated certificate customers” of a voice service provider that has its token revoked noncompliant during the pendency of an appeal. We disagree with VON. Establishing that a voice service provider that relies on a delegated token not be judged in violation of our rules during the pendency of an appeal would be redundant because such a provider may seek a waiver of our rules if the token it relies upon is revoked.

More specifically, we clarify that a provider subject to a revocation will not be in violation of our STIR/SHAKEN rules as a result of the revocation during (1) the time period in which it may file an appeal to the Governance Authority; (2) the pendency of any appeal before the Governance Authority; (3) the time period in which it may file an appeal to the Bureau; and (4) if it files an appeal with the Bureau, until the Bureau releases a final decision regarding the appeal (should the Bureau uphold or otherwise decide not to overturn the Governance Authority's decision, an aggrieved voice service provider may file a petition for reconsideration or application for review within the time periods permitted by our rules, but such filing will not protect the provider from a finding of noncompliance while the petition or application is pending.). The exclusion from liability applies specifically to rule 64.6301, which requires implementation of STIR/SHAKEN. In addition, because a voice service provider that has been aggrieved by an adverse Governance Authority service token revocation decision is not considered in violation of 64.6301 during the pendency of its appeal to the Bureau, it will not need to submit an amended filing to the Robocall Mitigation Database until its window to appeal to the Governance Authority or the Bureau lapses or, if it appeals, until the Bureau issues a final decision regarding its appeal. Specifically, while a voice service provider has the opportunity to appeal and while a filed appeal is pending, the voice service provider will not be judged in violation of the requirement to file an updated filing within 10 business days of any change to the information it must provide to the Commission pursuant to § 64.6305 of our rules. After the Bureau issues its decision, the voice service provider must update its Robocall Mitigation Database filing within 10 business days, if necessary (if the Bureau upholds a token revocation decision, the affected provider will be in violation of the § 64.6301(a) requirement to participate in STIR/SHAKEN because, without a token, the provider will not be able to authenticate calls it originates consistent with the STIR/SHAKEN standards. A voice service provider that has its token revoked will not be eligible for the extension for voice service providers that cannot obtain a SPC token. The Commission established the extension for voice service providers for whom it is unfeasible to obtain a token in the first instance under the Governance Authority's Token Access Policy, not for providers that are subject to token revocation.).

In the Second Caller ID Authentication Further Notice, the Commission proposed that a voice service provider would not be judged in violation of the TRACED Act during the pendency of an appeal. We decline to adopt this proposal. The TRACED Act contains no STIR/SHAKEN implementation obligation for voice service providers; rather it directs the Commission to require voice service providers to implement STIR/SHAKEN. There is therefore no need to establish that voice providers will not be judged in violation of the TRACED Act during the pendency of an appeal.

We conclude that after revocation by the Governance Authority, a voice service provider may not maintain possession and use of its token regardless of whether it files an appeal to the Bureau. In effect, this means that although a voice service provider will not be judged in violation of our rules it will not be able to continue to exchange STIR/SHAKEN-authenticated traffic during the pendency of an appeal. The only commenter to address the subject supports the approach we adopt, and we agree that we do not want to create an incentive for bad-actor voice service providers to appeal the Governance Authority decision for the sole purpose of delaying revocation of their tokens. For the same reason, should the Bureau uphold or otherwise decide not to overturn the Governance Authority's decision, a voice service provider will not regain the right to use its token by filing a petition for reconsideration or application for review. This proposal was unopposed in the record.

B. Legal Authority

We conclude that section 4(b)(1) of the TRACED Act grants us authority to establish an oversight role for the Commission to review token revocation decisions made by the Governance Authority. Section 4(b)(1) directs the Commission to require the implementation of the STIR/SHAKEN framework. Establishing an oversight role for the Commission is consistent with the TRACED Act's caller ID authentication implementation mandate because it will make revocation decisions by the Governance Authority that have the effect of putting entities outside of our STIR/SHAKEN implementation rules reviewable by the Commission. We also conclude we have authority to establish an oversight role for the Commission under section 251(e) of the Communications Act of 1934, as amended. Section 251(e) grants the Commission exclusive jurisdiction over North American Numbering Plan resources in the United States and, within that broad grant, provides us with authority to mandate caller ID authentication. We find that section 251(e) grants us the corresponding authority to review decisions that have the impact of preventing a voice service provider from complying with our caller ID authentication rules. No party opposed our assertion of legal authority.

IV. Procedural Matters

Final Regulatory Flexibility Analysis. As required by the Regulatory Flexibility Act of 1980 (RFA), an Initial Regulatory Flexibility Analysis (IRFA) was incorporated in the Second Caller ID Authentication Further Notice of Proposed Rulemaking. The Commission sought written public comment on the possible significant economic impact on small entities regarding proposals addressed in the Second Caller ID Authentication Further Notice of Proposed Rulemaking, including comments on the IRFA. Pursuant to the RFA, a Final Regulatory Flexibility Analysis is set forth in Appendix B. The Commission's Consumer and Governmental Affairs Bureau, Reference Information Center, will send a copy of this Third Report and Order, including the FRFA, to the Chief Counsel for Advocacy of the Small Business Administration (SBA).

Paperwork Reduction Act. This document contains new or modified information collection requirements subject to the Paperwork Reduction Act of 1995 (PRA), Public Law 104-13. These requirements have been reviewed and approved by the Office of Management and Budget (OMB) pursuant to 44 U.S.C. 3507(d) (The new information collection requirements were preapproved by the Office of Management and Budget under OMB Control No. 3060-1287 on June 3, 2021.) In addition, we note that pursuant to the Small Business Paperwork Relief Act of 2002, Public Law 107-198, we previously sought comment on how the Commission might further reduce the information collection burden for small business concerns with fewer than 25 employees. This document also contains non-substantive modifications to the approved information collection. These modifications will be submitted to OMB for review and approval pursuant to OMB's non-substantive change process.

Congressional Review Act. The Commission has determined, and the Administrator of the Office of Information and Regulatory Affairs, Office of Management and Budget, concurs, that this rule is “non-major” under the Congressional Review Act, 5 U.S.C. 804(2). The Commission will send a copy of this Third Report and Order to Congress and the Government Accountability Office pursuant to 5 U.S.C. 801(a)(1)(A).

Contact Person. For further information about the Third Report and Order, contact Alexander Hobbs, Attorney Advisor, Competition Policy Division, Wireline Competition Bureau, at (202) 418-7433 or Alexander.Hobbs@fcc.gov.

V. Initial Final Regulatory Flexibility Analysis

As required by the Regulatory Flexibility Act of 1980, as amended, an Initial Regulatory Flexibility Analysis (IRFA) was incorporated into the Second Caller ID Authentication Further Notice of Proposed Rulemaking. The Commission sought written public comments on the proposals in the Second Caller ID Authentication Further Notice, including comments on the IRFA. No comments were filed addressing the IRFA. This present Final Regulatory Flexibility Analysis (FRFA) conforms to the RFA.

Need for, and Objectives of, the Proposed Rules

This Third Report and Order continues the Commission's efforts to combat illegal spoofed robocalls. Specifically, the Third Report and Order establishes an oversight role for the Commission of the STIR/SHAKEN governance system's token revocation process. Under the adopted procedure, any voice service provider or intermediate provider that has its Service Provider Code (SPC) token revoked may seek review of this decision by the Commission through established procedures. The procedures in the Third Report and Order will help promote effective caller ID authentication through STIR/SHAKEN.

The Third Report and Order finds authority for these proposed rules under the TRACED Act. Section 4(b)(1) of the TRACED Act provided authority to require the implementation of the STIR/SHAKEN framework. We believe that to effectively direct the implementation of STIR/SHAKEN consistent with the TRACED Act, the Commission must have a role in decisions to revoke Service Provider Code tokens because the result of such a decision could place the service provider in noncompliance with our rules. The Third Report and Order also finds independent authority under section 251(e) of the Communications Act of 1934, as amended (the Act).

Summary of Significant Issues Raised by Public Comments in Response to the IRFA

There were no comments filed that specifically addressed the proposed rules and policies presented in the IRFA.

Response to Comments by the Chief Counsel for Advocacy of the SBA

Pursuant to the Small Business Jobs Act of 2010, which amended the RFA, the Commission is required to respond to any comments filed by the Chief Counsel for Advocacy of the Small Business Administration (SBA), and to provide a detailed statement of any change made to the proposed rules as a result of those comments.

The Chief Counsel did not file any comments in response to the proposed rules in this proceeding.

Description and Estimate of the Number of Small Entities to Which the Proposed Rules Will Apply

The RFA directs agencies to provide a description of and, where feasible, an estimate of the number of small entities that may be affected by the proposed rules and by the rule revisions on which the Notice seeks comment, if adopted. The RFA generally defines the term “small entity” as having the same meaning as the terms “small business,” “small organization,” and “small governmental jurisdiction.” In addition, the term “small business” has the same meaning as the term “small-business concern” under the Small Business Act. A “small-business concern” is one which: (1) Is independently owned and operated; (2) is not dominant in its field of operation; and (3) satisfies any additional criteria established by the SBA.

Wired Telecommunications Carriers. The U.S. Census Bureau defines this industry as “establishments primarily engaged in operating and/or providing access to transmission facilities and infrastructure that they own and/or lease for the transmission of voice, data, text, sound, and video using wired communications networks. Transmission facilities may be based on a single technology or a combination of technologies. Establishments in this industry use the wired telecommunications network facilities that they operate to provide a variety of services, such as wired telephony services, including VoIP services, wired (cable) audio and video programming distribution, and wired broadband internet services. By exception, establishments providing satellite television distribution services using facilities and infrastructure that they operate are included in this industry.” The SBA has developed a small business size standard for Wired Telecommunications Carriers, which consists of all such companies having 1,500 or fewer employees. U.S. Census Bureau data for 2012 show that there were 3,117 firms that operated that year. Of this total, 3,083 operated with fewer than 1,000 employees. Thus, under this size standard, the majority of firms in this industry can be considered small.

Local Exchange Carriers (LECs). Neither the Commission nor the SBA has developed a size standard for small businesses specifically applicable to local exchange services. The closest applicable NAICS Code category is Wired Telecommunications Carriers. Under the applicable SBA size standard, such a business is small if it has 1,500 or fewer employees. U.S. Census Bureau data for 2012 show that there were 3,117 firms that operated for the entire year. Of that total, 3,083 operated with fewer than 1,000 employees. Thus under this category and the associated size standard, the Commission estimates that the majority of local exchange carriers are small entities.

Incumbent LECs. Neither the Commission nor the SBA has developed a small business size standard specifically for incumbent local exchange services. The closest applicable NAICS Code category is Wired Telecommunications Carriers. Under the applicable SBA size standard, such a business is small if it has 1,500 or fewer employees. U.S. Census Bureau data for 2012 indicate that 3,117 firms operated the entire year. Of this total, 3,083 operated with fewer than 1,000 employees. Consequently, the Commission estimates that most providers of incumbent local exchange service are small businesses that may be affected by our actions. According to Commission data, one thousand three hundred and seven (1,307) Incumbent Local Exchange Carriers reported that they were incumbent local exchange service providers. Of this total, an estimated 1,006 have 1,500 or fewer employees. Thus, using the SBA's size standard the majority of incumbent LECs can be considered small entities.

Competitive Local Exchange Carriers (Competitive LECs), Competitive Access Providers (CAPs), Shared-Tenant Service Providers, and Other Local Service Providers. Neither the Commission nor the SBA has developed a small business size standard specifically for these service providers. The appropriate NAICS Code category is Wired Telecommunications Carriers and under that size standard, such a business is small if it has 1,500 or fewer employees. U.S. Census Bureau data for 2012 indicate that 3,117 firms operated during that year. Of that number, 3,083 operated with fewer than 1,000 employees. Based on these data, the Commission concludes that the majority of Competitive LECS, CAPs, Shared-Tenant Service Providers, and Other Local Service Providers, are small entities. According to Commission data, 1,442 carriers reported that they were engaged in the provision of either competitive local exchange services or competitive access provider services. Of these 1,442 carriers, an estimated 1,256 have 1,500 or fewer employees. In addition, 17 carriers have reported that they are Shared-Tenant Service Providers, and all 17 are estimated to have 1,500 or fewer employees. Also, 72 carriers have reported that they are Other Local Service Providers. Of this total, 70 have 1,500 or fewer employees. Consequently, based on internally researched FCC data, the Commission estimates that most providers of competitive local exchange service, competitive access providers, Shared-Tenant Service Providers, and Other Local Service Providers are small entities.

We have included small incumbent LECs in this present RFA analysis. As noted above, a “small business” under the RFA is one that, inter alia, meets the pertinent small-business size standard (e.g., a telephone communications business having 1,500 or fewer employees) and “is not dominant in its field of operation.” The SBA's Office of Advocacy contends that, for RFA purposes, small incumbent LECs are not dominant in their field of operation because any such dominance is not “national” in scope. We have therefore included small incumbent LECs in this RFA analysis, although we emphasize that this RFA action has no effect on Commission analyses and determinations in other, non-RFA contexts.

Interexchange Carriers (IXCs). Neither the Commission nor the SBA has developed a small business size standard specifically for Interexchange Carriers. The closest applicable NAICS Code category is Wired Telecommunications Carriers. The applicable size standard under SBA rules is that such a business is small if it has 1,500 or fewer employees. U.S. Census Bureau data for 2012 indicate that 3,117 firms operated for the entire year. Of that number, 3,083 operated with fewer than 1,000 employees. According to internally developed Commission data, 359 companies reported that their primary telecommunications service activity was the provision of interexchange services. Of this total, an estimated 317 have 1,500 or fewer employees. Consequently, the Commission estimates that the majority of interexchange service providers are small entities.

Cable System Operators (Telecom Act Standard). The Communications Act of 1934, as amended, also contains a size standard for small cable system operators, which is “a cable operator that, directly or through an affiliate, serves in the aggregate fewer than one percent of all subscribers in the United States and is not affiliated with any entity or entities whose gross annual revenues in the aggregate exceed $250,000,000.” As of 2018, there were approximately 50,504,624 cable video subscribers in the United States. Accordingly, an operator serving fewer than 505,046 subscribers shall be deemed a small operator if its annual revenues, when combined with the total annual revenues of all its affiliates, do not exceed $250 million in the aggregate. We note that the Commission neither requests nor collects information on whether cable system operators are affiliated with entities whose gross annual revenues exceed $250 million. Therefore we are unable at this time to estimate with greater precision the number of cable system operators that would qualify as small cable operators under the definition in the Communications Act.

Wireless Telecommunications Carriers (except Satellite). This industry comprises establishments engaged in operating and maintaining switching and transmission facilities to provide communications via the airwaves. Establishments in this industry have spectrum licenses and provide services using that spectrum, such as cellular services, paging services, wireless internet access, and wireless video services. The appropriate size standard under SBA rules is that such a business is small if it has 1,500 or fewer employees. For this industry, U.S. Census Bureau data for 2012 show that there were 967 firms that operated for the entire year. Of this total, 955 firms employed fewer than 1,000 employees and 12 firms employed of 1,000 employees or more. Thus under this category and the associated size standard, the Commission estimates that the majority of wireless telecommunications carriers (except satellite) are small entities.

The Commission's own data—available in its Universal Licensing System—indicate that, as of August 31, 2018 there are 265 Cellular licensees that will be affected by our actions. The Commission does not know how many of these licensees are small, as the Commission does not collect that information for these types of entities. Similarly, according to internally developed Commission data, 413 carriers reported that they were engaged in the provision of wireless telephony, including cellular service, Personal Communications Service (PCS), and Specialized Mobile Radio (SMR) Telephony services. Of this total, an estimated 261 have 1,500 or fewer employees, and 152 have more than 1,500 employees. Thus, using available data, we estimate that the majority of wireless firms can be considered small.

Satellite Telecommunications. This category comprises firms “primarily engaged in providing telecommunications services to other establishments in the telecommunications and broadcasting industries by forwarding and receiving communications signals via a system of satellites or reselling satellite telecommunications.” Satellite telecommunications service providers include satellite and earth station operators. The category has a small business size standard of $35 million or less in average annual receipts, under SBA rules. For this category, U.S. Census Bureau data for 2012 show that there were a total of 333 firms that operated for the entire year. Of this total, 299 firms had annual receipts of less than $25 million. Consequently, we estimate that the majority of satellite telecommunications providers are small entities.

Local Resellers. The SBA has not developed a small business size standard specifically for Local Resellers. The SBA category of Telecommunications Resellers is the closest NAICs code category for local resellers. The Telecommunications Resellers industry comprises establishments engaged in purchasing access and network capacity from owners and operators of telecommunications networks and reselling wired and wireless telecommunications services (except satellite) to businesses and households. Establishments in this industry resell telecommunications; they do not operate transmission facilities and infrastructure. Mobile virtual network operators (MVNOs) are included in this industry. Under the SBA's size standard, such a business is small if it has 1,500 or fewer employees. U.S. Census Bureau data from 2012 show that 1,341 firms provided resale services during that year. Of that number, all operated with fewer than 1,000 employees. Thus, under this category and the associated small business size standard, the majority of these resellers can be considered small entities. According to Commission data, 213 carriers have reported that they are engaged in the provision of local resale services. Of these, an estimated 211 have 1,500 or fewer employees and two have more than 1,500 employees. Consequently, the Commission estimates that the majority of local resellers are small entities.

Toll Resellers. The Commission has not developed a definition for Toll Resellers. The closest NAICS Code Category is Telecommunications Resellers. The Telecommunications Resellers industry comprises establishments engaged in purchasing access and network capacity from owners and operators of telecommunications networks and reselling wired and wireless telecommunications services (except satellite) to businesses and households. Establishments in this industry resell telecommunications; they do not operate transmission facilities and infrastructure. MVNOs are included in this industry. The SBA has developed a small business size standard for the category of Telecommunications Resellers. Under that size standard, such a business is small if it has 1,500 or fewer employees. 2012 Census Bureau data show that 1,341 firms provided resale services during that year. Of that number, 1,341 operated with fewer than 1,000 employees. Thus, under this category and the associated small business size standard, the majority of these resellers can be considered small entities. According to Commission data, 881 carriers have reported that they are engaged in the provision of toll resale services. Of this total, an estimated 857 have 1,500 or fewer employees. Consequently, the Commission estimates that the majority of toll resellers are small entities.

Prepaid Calling Card Providers. Neither the Commission nor the SBA has developed a small business definition specifically for prepaid calling card providers. The most appropriate NAICS code-based category for defining prepaid calling card providers is Telecommunications Resellers. This industry comprises establishments engaged in purchasing access and network capacity from owners and operators of telecommunications networks and reselling wired and wireless telecommunications services (except satellite) to businesses and households. Establishments in this industry resell telecommunications; they do not operate transmission facilities and infrastructure. Mobile virtual networks operators (MVNOs) are included in this industry. Under the applicable SBA size standard, such a business is small if it has 1,500 or fewer employees. U.S. Census Bureau data for 2012 show that 1,341 firms provided resale services during that year. Of that number, 1,341 operated with fewer than 1,000 employees. Thus, under this category and the associated small business size standard, the majority of these prepaid calling card providers can be considered small entities. According to Commission data, 193 carriers have reported that they are engaged in the provision of prepaid calling cards. All 193 carriers have 1,500 or fewer employees. Consequently, the Commission estimates that the majority of prepaid calling card providers are small entities that may be affected by these rules.

All Other Telecommunications. The “All Other Telecommunications” category is comprised of establishments primarily engaged in providing specialized telecommunications services, such as satellite tracking, communications telemetry, and radar station operation. This industry also includes establishments primarily engaged in providing satellite terminal stations and associated facilities connected with one or more terrestrial systems and capable of transmitting telecommunications to, and receiving telecommunications from, satellite systems. Establishments providing internet services or voice over internet protocol (VoIP) services via client-supplied telecommunications connections are also included in this industry. The SBA has developed a small business size standard for “All Other Telecommunications”, which consists of all such firms with annual receipts of $35 million or less. For this category, U.S. Census Bureau data for 2012 show that there were 1,442 firms that operated for the entire year. Of those firms, a total of 1,400 had annual receipts less than $25 million and 15 firms had annual receipts of $25 million to $49,999,999. Thus, the Commission estimates that the majority of “All Other Telecommunications” firms potentially affected by our action can be considered small.

Description of Projected Reporting, Recordkeeping, and Other Compliance Requirements for Small Entities

The Third Report and Order adopts new rules requiring voice service providers to update their filings to the robocall mitigation database if the Bureau upholds an adverse service token revocation decision made by the Governance Authority. Some voice service providers required to amend their filings in this way may be small voice service providers.

Steps Taken To Minimize the Significant Economic Impact on Small Entities, and Significant Alternatives Considered

The RFA requires an agency to describe any significant alternatives that it has considered in reaching its proposed approach, which may include the following four alternatives (among others): (1) The establishment of differing compliance or reporting requirements or timetables that take into account the resources available to small entities; (2) the clarification, consolidation, or simplification of compliance and reporting requirements under the rules for such small entities; (3) the use of performance rather than design standards; and (4) an exemption from coverage of the rule, or any part thereof, for such small entities.

The Third Report and Order adopts rules establishing an oversight role for the Commission within the STIR/SHAKEN governance system's token revocation process. Under our newly adopted rules entities, including small entities, that have their SPC token revoked by the private STIR/SHAKEN Governance Authority may appeal that decision to the Commission.

Federal Rules That May Duplicate, Overlap, or Conflict With the Proposed Rules

None.

Report to Congress

The Commission will send a copy of the Third Report and Order, including this FRFA, in a report to Congress pursuant to the Congressional Review Act. In addition, the Commission will send a copy of the Third Report and Order, including the FRFA, to the Chief Counsel for Advocacy of the SBA. A copy of the Third Report and Order and FRFA (or summaries thereof) will also be published in the Federal Register.

VI. Ordering Clauses

Accordingly, it is ordered, pursuant to sections 4(i), 4(j), 201(b), 227b, 251(e), and 303(r) of the Communications Act of 1934, as amended, 47 U.S.C. 154(i), 154(j), 201(b), 227b, 251(e), and 303(r), that this Third Report and Order is adopted.

It is further ordered that parts 0 and 64 of the Commission's rules are amended as set forth in Appendix A, and that, pursuant to §§ 1.4(b)(1) and 1.103(a) of the Commission's rules, 47 CFR 1.4(b)(1), 1.103(a), this Third Report and Order shall be effective 30 days after publication of this Third Report and Order in the Federal Register, which will occur after the Commission receives OMB approval of the non-substantive changes contained herein.

It is further ordered that the Commission shall send a copy of this Third Report and Order to Congress and to the Government Accountability Office pursuant to the Congressional Review Act, see 5 U.S.C. 801(a)(1)(A).

List of Subjects in 47 CFR Parts 0 and 64

• Authority delegations (government agencies)
• Communications common carriers

Final Rules

For the reasons discussed in the preamble, the Federal Communications Commission amends 47 parts 0 and 64 as follows:

PART 0—COMMISSION ORGANIZATION

1. The authority citation for part 0 continues to read as follows:

Authority: 47 U.S.C. 151, 154(i), 154(j), 155, 225, and 409, unless otherwise noted.

2. Amend § 0.91 by adding paragraph (r) to read as follows:

PART 64—MISCELLANEOUS RULES RELATING TO COMMON CARRIERS

3. The authority citation for part 64 continues to read as follows:

Authority: 47 U.S.C. 151, 152, 154, 201, 202, 217, 218, 220, 222, 225, 226, 227, 227b, 228, 251(a), 251(e), 254(k), 262, 276, 403(b)(2)(B), (c), 616, 620, 1401-1473, unless otherwise noted; Pub. L. 115-141, Div. P, sec. 503, 132 Stat. 348, 1091.

4. Amend § 64.6305 by adding paragraphs (b)(5)(i) and (ii) to read as follows:

5. Add § 64.6308 to subpart HH to read as follows: