The Federal Communications Commission (Commission) adopted a Report and Order authorizing telecommunications service providers with a STIR/SHAKEN caller ID authentication obligation (i.e., originating, intermediate, and gateway providers) to engage third parties to perform the technological act of “signing” calls on their behalf consistent with the technical requirements of the STIR/SHAKEN standards.
Under the new rules, to take advantage of third-party authentication, a service provider must meet two conditions: first, the provider with the STIR/SHAKEN obligation must make all “attestation-level” decisions consistent with the STIR/SHAKEN technical standards, and second, all calls “signed” by the third party must use the service provider’s Service Provider Code (SPC) token and digital certificate.
The Commission’s rules will also require all service providers with a STIR/SHAKEN obligation to obtain their own SPC token and digital certificate if they certify complete or partial STIR/SHAKEN implementation in the Robocall Mitigation Database. Combined, these requirements seek to ensure that the party with the STIR/SHAKEN obligation can be held responsible where illegally spoofed calls are still transmitted across that provider’s network.
In adopting the rules, Chairwoman Rosenworcel noted that third-party authentication “make[s] sense for some carriers because it can keep costs down and help keep junk off the line” but that it is also a practice that has drawn some scrutiny before the Commission because it “allow[s] carriers to turn the other way and make the mess of unwanted calls someone else’s responsibility.” Thus, by adopting the new third-party authentication requirements, “[the Commission] set[s] the ground rules for how to use a third party for call authentication and make[s] clear that carriers bear ultimate responsibility for compliance,” thereby ensuring accountability for the continued flood of illegally spoofed calls.
The Report and Order also contains recordkeeping obligations that require providers to enter into written agreements for any third-party authentication and require that those agreements remain in place for the duration of the arrangement. The agreements are required to specify the tasks the third party will perform on the provider’s behalf and confirm that the provider will: (1) make all attestation-level decisions for calls signed pursuant to the agreement and (2) ensure that all calls will be signed using the provider’s certificate.
The third-party authentication rules will be effective on the later of 30 days after the Report and Order is published in the Federal Register or June 20, 2025.