Caller ID Authentication Rules for Phone Providers
Summary
In this document, the Federal Communications Commission (Commission) adopts rules that strengthen the Commission's caller ID authentication requirements by establishing clear practices for providers that rely on third parties to fulfill their STIR/SHAKEN implementation obligations. The rules authorize providers with a STIR/SHAKEN implementation obligation to engage third parties to perform the technological act of digitally "signing" calls consistent with the requirements of the STIR/SHAKEN technical standards so long as: the provider with the implementation obligation makes the "attestation-level" decisions for authenticating caller ID information; and all calls are signed using the certificate of the provider with the implementation obligation, not the certificate of a third party. The rules also explicitly require all providers with a STIR/SHAKEN implementation obligation to obtain a Service Provider Code (SPC) token from the STIR/SHAKEN Policy Administrator and present that token to a STIR/SHAKEN Certificate Authority to obtain a digital certificate. Additionally, the rules include recordkeeping requirements for third-party authentication arrangements to enable the Commission to monitor compliance with and enforce Commission rules.
Compliance Requirements
- Providers with a STIR/SHAKEN implementation obligation must make all attestation-level decisions, consistent with the requirements of the technical standards
- All calls must be signed using the certificate of the provider with the implementation obligation, not the certificate of a third party
- All providers with a STIR/SHAKEN implementation obligation must obtain a Service Provider Code (SPC) token from the STIR/SHAKEN Policy Administrator
- Providers must present the SPC token to a STIR/SHAKEN Certificate Authority to obtain a digital certificate
- Any provider certifying to partial or complete STIR/SHAKEN implementation in the Robocall Mitigation Database must be registered with the STIR/SHAKEN Policy Administrator
- Providers must maintain recordkeeping requirements regarding third-party authentication arrangements
- Providers must utilize reasonable 'Know Your Customer' (KYC) protocols to establish a credible evidentiary basis for a direct authenticated relationship with their customer and/or verification of their customer's right to use the telephone number
Market Impacts
- Explicit authorization for third-party authentication creates new market opportunities for companies providing hosted SHAKEN and carrier SHAKEN services, enabling specialized providers to offer technical signing services to obligated providers
- Prohibition on using third-party certificates for call signing restricts certain business models and requires all calls to be signed using the obligated provider's own certificate
- Clear definition of 'third-party authentication' excludes resellers and providers without network infrastructure control from being considered 'first parties', creating barriers for certain business models
- Authorization of third-party authentication enables cost-effective STIR/SHAKEN implementation for legacy IP equipment that would otherwise be cost-prohibitive to upgrade
- Mandatory requirement for all providers with STIR/SHAKEN implementation obligation to obtain SPC token from Policy Administrator and present it to Certificate Authority
Validated Company Impacts
TELEPHONE & DATA SYSTEMS INC /DE/
TDS operates as a voice service provider through its TDS Telecom segment, which directly falls under the STIR/SHAKEN implementation obligation requirements. The company provides voice telecommunications services to 1.1 million connections, making it clearly subject to all caller ID authentication, certificate management, and recordkeeping requirements specified in the rule. The company's disclosed risk factors show minimal alignment with this telecommunications-specific rule, as their primary risks focus on financial transactions, network deployment delays, and regulatory approvals rather than call authentication or STIR/SHAKEN compliance. The rule addresses specialized telecommunications security requirements that are not reflected in the company's identified risk categories, which include only general regulatory compliance risks without specific mention of voice service obligations or caller ID authentication.
AT&T INC.
AT&T operates as a major voice service provider that originates calls and falls directly under the STIR/SHAKEN implementation obligations. As a telecommunications carrier providing wireless services, AT&T must comply with all requirements including making attestation-level decisions, obtaining SPC tokens, maintaining proper certificates, and implementing KYC protocols for call authentication. The rule focuses on telecommunications call authentication requirements, which does not directly address any of the company's disclosed risk factors. The company's regulatory compliance risks relate to spectrum availability for mobile broadband, not voice call authentication protocols, and its cybersecurity risks are general technology threats rather than specific STIR/SHAKEN implementation obligations.
Frontier Communications Parent, Inc.
Frontier Communications operates as a major voice service provider with extensive telecommunications infrastructure across 25 states, directly falling under the STIR/SHAKEN implementation obligations. The company's core business of providing broadband and voice services through fiber-optic and copper networks aligns perfectly with the rule's requirements for call authentication, certificate management, and Know Your Customer protocols. The rule focuses on telecommunications call authentication requirements for voice service providers, which does not align with the company's disclosed risk factors that primarily concern fiber build delays, merger approvals, borrowing costs, and market demand. The company's limited regulatory compliance risks (2 identified) are not specific to telecommunications authentication protocols like STIR/SHAKEN.
T-Mobile US, Inc.
T-Mobile US operates as a major wireless voice service provider that originates calls, placing it directly within the scope of the STIR/SHAKEN implementation obligation requirements. The company's core wireless communications services involve call origination and transmission, making it subject to all compliance requirements including attestation-level decisions, certificate management, SPC token acquisition, and recordkeeping obligations. The rule focuses on telecommunications call authentication requirements and STIR/SHAKEN implementation obligations, which do not align with the company's disclosed risk profile. The company's primary risks center around cybersecurity threats, industry competition, and operational dependencies, with no mention of telecommunications regulatory compliance or call authentication systems.
VERIZON COMMUNICATIONS INC
Verizon is a major voice service provider that originates calls and operates as a gateway provider, directly falling under the STIR/SHAKEN implementation obligations. The company's core telecommunications operations require call authentication and compliance with FCC regulations, making this rule highly relevant to its business activities. The rule focuses on telecommunications call authentication requirements for voice service providers, which does not align with the company's disclosed risk factors that primarily concern wireless equipment amortization, AI technology dependence, and competitive pressures. The company's minimal regulatory compliance risk category (only 2 risks identified) shows limited exposure to this type of telecommunications regulation.