What changed in the FCC SHAKEN second order

The FCC released the final approved version of their Second Report and Order on SHAKEN implementation. There was a major deadline change, along with a few minor changes from the draft version released three weeks earlier. Here’s an overview of what the second order contains and what changed in the final version.

Report and Second Order on SHAKEN

Here’s a table of contents for the second order:

1. Definitions and Scope. This defines “voice services” and explains that “voice service providers” are entities that provide voice services. Over-the-top providers are included.
2. Caller ID Authentication in Non-IP Networks. Providers satisfy the “reasonable measures” criteria in the TRACED Act by participating in a trade association that’s considering the matter. The FCC declines to mandate Out-of-Band SHAKEN until standards are finalized and solutions commercially available. At the same time, the report and order observes that no meaningful alternatives have been proposed, and standards work requires both constructive input and compromise on the part of all parties and stakeholders.
3. Extension of the Implementation Deadline and Robocall Mitigation Mandate. Providers taking an extension on SHAKEN implementation must implement a robocall mitigation program for calls it originates. Four extensions were granted:
   1. Providers with fewer than 100,000 subscriber lines, 2 years
   2. Providers that cannot obtain SHAKEN certificates, until they can
   3. Services scheduled for section 214 discontinuance, 1 year
   4. Non-IP networks, until a solution is reasonably available
4. Voluntary STIR/SHAKEN Implementation Exemption. The TRACED Act provides for an exemption if a provider files a notice that they have voluntarily implemented SHAKEN by December 30, 2020. The second order establishes a deadline of December 1, 2020 to file. The intent was to encourage faster implementation of STIR/SHAKEN. However, it is not clear how filing for a voluntary exemption would have any benefit. Providers still must implement SHAKEN and file a certification by June 30, 2021.
5. Line Item Charges. Providers cannot put a line item charge on consumer or small business invoices to recover the costs of implementing STIR/SHAKEN. However, they can recover these costs by other means, such as a general rate increase.
6. Intermediate Providers. These providers are given one mandate and a mandate-with-a-waiver:
   • Intermediate providers that receive signed calls on an IP network and pass these calls to a downstream IP network must leave the SHAKEN token intact.
   • Intermediate providers must authenticate unauthenticated calls. However, this obligation is waived if the provider participates in and cooperates with traceback.
7. Other Issues. The FCC was asked to provide other exemptions, but they declined.

What changed in the final version

A few things did change in the final version. Here’s what we found, by paragraph.

Section C — Extension of Implementation Deadline

48. This is a new paragraph, in which the order explains that the FCC declines USTelecom’s request to exclude small providers that originate a disproportionate amount of traffic relative to their subscriber base. While the Commission sees value in the proposal, they don’t know how to establish appropriate criteria to implement such a policy.

75. The order acknowledges other commenters who suggested robocall mitigation should be required in conjunction with STIR/SHAKEN call authentication. As before, the Commission decided not to impose this requirement at this time. The order does state that the Commission will revisit this issue if necessary.

86. The draft order stated that intermediate and terminating providers must stop accepting traffic directly from unregistered providers 30 days after the deadline for certification, or July 30, 2021. The final order pushed back this deadline to 90 days after the deadline for certification, or September 28, 2021.

There’s an important footnote to this paragraph that explains that the FCC will import all listings from the Intermediate Provider Registry so that all registered intermediate providers will be represented in the certification database.

88. This is a new paragraph that responds to a suggestion that intermediate and terminating providers should be required to give originating providers notice that they will block their traffic because they have not filed a certification in the robocall mitigation database. The FCC declined this suggestion.

89. This is another new paragraph that responds to two proposals: (1) that intermediate providers should file a certification of their compliance to this rule, and (2) that intermediate providers should be required to implement robocall mitigation. The Commission declined both suggestions.

92. This is a new paragraph that adopts a broader definition of “foreign voice service provider” to mean any entity outside the U.S. that has the ability to originate voice service that terminates in a point outside that foreign country or terminate voice service that originates from points outside that foreign country.

94. This is a new paragraph in which the Commission was asked to seek further comment on the new rules regarding foreign-originated calls. The Commission declined this suggestion.

Section F — Intermediate Providers

140. This paragraph describes the requirement for intermediate providers to authenticate unauthenticated calls. The draft order stated that this requirement is waived if the intermediate provider registers with the traceback consortium. The final version of the order states that the requirement is waived if the intermediate provider cooperatively participates with traceback.

TransNexus solutions

We offer STIR/SHAKEN and robocall mitigation solutions in our ClearIP and NexOSS software platforms. Contact us today to learn more.