- Gateway & Intermediate Providers' role in foreign-originated robocall traffic
- Robocall Mitigation Plans & Database
- Do Not Originate (DNO) List call blocking
- Know Your Upstream Provider Requirements
- Robocall Mitigation efforts and STIRS/SHAKEN deployment
- Industry Traceback Group & traceback requirements
- FCC Further Notice of Proposed Rule making (FNPRM)
Rebekah Johnson: Welcome to Tuesday Talks, a live discussion series where we bring truth and shed light across the brand identity and the communications industry. I'm Rebekah Johnson, Founder and CEO of Numeracle, and I'll be co-hosting today's session with Kevin Rupy, Partner at Wiley Rein LLP. It's great to have you join us again, Kevin. Welcome back.
Kevin Rupy: Well, thank you again for having me, Rebekah. I love being here.
Rebekah Johnson: Today's topic has been discussed in the industry, not just from the main target or focus area of the ruling for the FCC, but enterprises, service providers, standards groups, and law firms who are representing providers, and that is gateway providers. The FCC has implemented a lot of incredible strategies and rules.
I think the industry has collectively come together and we've implemented robocalled mitigation plans. But this last targeted focus on the gateway providers is a result of the realization and the fact that illegal robocalls are originating outside of the United States. I'm not saying every originating provider here in the United States of America doesn't deliver calls that might be on the unwanted or illegal side, but the reality is a lot of the ones that we're truly trying to block and stop the ones who are going after Grandma and taking money from her are originating outside of the United States.
This last order from the FCC was focused on shedding light on the group that they believe is the number one area through which these illegal calls are coming in through. Gateway providers have to step up their game and have to fall in line with a lot of the other requirements that service providers have already been adhering to and implementing. But it seems like it's just going a little step further, maybe a little bit of a harder hand slap on the gateway providers.
Kevin, we're looking forward to diving into that because you're a lot more intimate with what those rules are and what the impacts are on gateway providers. But first, I want to start with we oftentimes assume everybody knows what the definitions are that we use. I think it's good to start with what a gateway provider is. At least on Tuesday Talks, we talked so much about originating service providers and terminating service providers. Who is this third group that we're introducing? What is a gateway provider?
Kevin Rupy: Rebekah, that is a key question, that's an important question. They (gateway providers) do play a very unique role in this space. To answer your question, the way the FCC defines a gateway provider, they define it as, "A US-based intermediate provider that receives a call directly from a foreign-originating provider or foreign intermediate provider at its US-based facilities before transmitting the call downstream to another US-based provider."
The key thing in my mind on that definition of the gateway is they don't originate the traffic and they don't terminate the traffic. What they do is they are the first US domestic point of presence that receives foreign-originated calls to the United States and that's either from another intermediate/transit provider or directly from the originating foreign provider.
One other key component of this whole FCC framework is that in the context of the FCC's rules, it only focuses on those calls that come to the gateway provider that is using NANP Resources, or US numbers. To your point, at the end of the day, this is a targeted group of providers and they're a component or a sub-component of intermediate providers, but think of them as the doorway onto the domestic voice network.
Rebekah Johnson: I think it's important to call this out too, are gateway providers typically just purely gateway providers, or could they also play multiple roles?
Kevin Rupy: They can play multiple roles and that's why over the years you've seen, as the FCC has continued to release orders on these topics, they often talk about looking at this whole issue on a call-by-call basis. You're correct, Rebekah, a provider's role can change from call to call. Now, to be fair, there almost certainly are providers that do nothing but act as a gateway, but your point is, as usual, spot on.
Rebekah Johnson: As we go through some of the requirements for gateway providers, that's what's in the back of my mind on providers; are they able to distinguish between the traffic that's coming in internationally versus other traffic? Those are things that each of these providers are at least considering and getting some more lines drawn with the traffic that they are carrying, passing, whatever it may be. And then what rules do they need to apply to it? Because it might be just a little bit different depending on if they are serving as an originating service provider to US customers versus external. You'll have to set up procedures for both, you can't just take one approach.
I think it's also important to mention that I know that I was saying that after the FCC when through all these efforts, now they're focusing on the child that they forgot. That's not necessarily true and I will back it up with the Industry Traceback Group which has been around long enough to be able to gather some statistics. In 2021 they did report that 65% of the voice service providers identified as transmitting those illegal robocalls we were talking about, were either foreign-based or through gateway providers.
Since the FCC cannot regulate foreign-based companies, we can regulate the gateway providers. Let's dive into some of the components specific to the gateway providers. I want to start with one of the first ones that you mentioned. Initially, I didn't think about the turnaround time, but there's a 24 hours traceback requirement and that is different from other providers and their responses.
Kevin Rupy: That's absolutely correct. The FCC's earlier orders that established affirmative obligations on voice providers established a general obligation. The FCC said if you are either a voice provider, you originate or terminate calls, or you are an intermediate provider, you are under an affirmative obligation to respond to the Industry Traceback Group or Traceback Consortium in a timely manner.
The FCC, as I recall in a footnote said that they generally expect a response within 24 hours but realize that can change, it's going to vary by provider. But with this proceeding and with this order, the FCC made it an affirmative obligation. They have to respond within 24 hours, no questions asked. Now, the FCC did add some clarifying language about how the clock tolls, in other words, that's within standard business hours and doesn't include weekends, etc., but at the end of the day, they singled out the gateways with only 24 hours to respond.
They did that in part for the very reasons you cited, Rebekah, that a lot of this traffic does originate from overseas, so the FCC mandated that by rule, and when that rule goes into effect, it's subject to what's called PRA approval. That's going to be one of many obligations on gateway providers.
Rebekah Johnson: If gateway providers hadn't considered it yet, they should establish their internal policies for reacting and responding to those notices. I used to do that in a prior life for healthcare-type notifications and you absolutely need to establish some kind of procedure, an email group, or whatever it is that you're going to process to make sure that you can't respond with, oh, I'm sorry, I was on vacation and didn't know. It's not going to fly. It's not going to fly.
Kevin Rupy: That dog doesn't hunt.
Rebekah Johnson: No, it doesn't. I want to move on into the area that has a lot more components to it and that's on the blocking side. You and I, in preparation for our Tuesday Talk today, had some pretty interesting conversations around it and there were some things that I didn't maybe fully even understand until we spoke. I'm going to give you a little bit more time here to go through some of those main components for blocking the gateway providers need to be aware of.
Kevin Rupy: Yes, to that point, I think the initial takeaway that everybody listening in today or on the future podcast needs to take into account is this is the first time the FCC has stepped into a mandatory blocking obligation. When you look at the FCC's preceding orders regarding blocking in the network or blocking by terminating carriers or even the four initial blocking categories that were established in its 2017 framework, those are all permissive.
So any voice provider or intermediate provider was not under an affirmative obligation to block but the gateway order changed all that. This is the FCC saying you have to block, gateway providers shall block. In fairness, the FCC has narrowed what that mandatory blocking framework is and it's basically across two categories. The first category where a gateway provider has to block is when it's notified by the FCC of unlawful traffic transiting their networks.
But the second category is an ongoing obligation to block calls based on any reasonable Do Not Originate (DNO) list. For those who aren't familiar with the Do Not Originate list or DNO list, that is a category of phone numbers, typically toll-free numbers, that are used for inbound calls only. These are phone numbers that should never show up in the caller ID as making an outbound call. The reason the FCC wanted those calls blocked, to use an example, is that in 2017 scammers were using the IRS 800 number, which the last four was 1040, like your IRS form, but that was an inbound-only number. The bad guys were making outbound calls with that DNO list.
The way the DNO list works is whoever is assigned that number, whether it's the IRS or Social Security or whomever, that number gets added to a list, and where a provider sees that number making the outbound call, they block it. That DNO list is a curated, evolving list. But basically, the FCC is telling gateway providers that they have to implement a "reasonable DNO list" and start blocking those calls. So two categories of calls, each have their own unique issues, but we are in a mandated blocking world once those rules go into effect.
Rebekah Johnson: I want to call out some of the challenges with the DNO list from the enterprise perspective. Obviously, the enterprise has to play a role in identifying which numbers are being used for inbound-only and have internal processes that prevent that number from being attached to outbound calls, because that has happened already. I don't know how familiar you are with how to set up dialers and campaigns and all of that, but a lot of human error can occur and be introduced and it can be detrimental if the inbound-only number was accidentally assigned to outbound calls.
I think it's important to call out that there is no designated or ordained Do Not Originate list so that makes it challenging for a gateway provider who is probably far removed from an enterprise. It's not like you see them putting on their website, hey, add your number to our DNO list. Is an enterprise supposed to do that with thousands? I don't see that happening. This is another one of those where there's this requirement, but there's no solid solution or a solution you would maybe like to have ordained and then get a safe harbor with it, but I know there's no safe harbor.
Kevin Rupy: No safe harbor.
Rebekah Johnson: Usually a safe harbor is a great motivation to go do it, just like the Reassigned Number Database. That one is very specific, and there are some safe harvesters associated with it. I find it interesting that the FCC didn't stick in line with that Reassigned Database and how they do not originate. I know Somos has one; they've been working on one and building one for quite some time now. Do you have any insights into why there wasn't one specifically identified and a safe harbor added to it?
Kevin Rupy: Those are two very different issues, but we can talk through each. You're absolutely correct, Rebekah, the FCC didn't specify any particular list to use. What they did say was the list has to be reasonable; that's the only criteria they have for the DNO list. As you know, Somos maintains a DNO list, the FCC's order, in Footnote 254, points out that the list maintained by the Industry Traceback Group is considered a reasonable DNO list. The FCC, for a variety of reasons, did not want to specify a list because they wanted to give gateway providers certain flexibility in how they implemented.
But to your point, these are dynamic lists. Numbers don't get assigned as inbound only. That is a changing component of how enterprises use any particular number. They can go from inbound only to inbound and outbound, they can be sent back to whoever they got it from and put out a service. So those lists do have to be maintained and monitored and curated. As an example, if you look at the ITG's policies and procedures for its DNO list, they talk about that. They talk about how they need to ensure certain criteria for DNO and they don't want to put any and all numbers on a DNO list for a variety of reasons.
But maintaining that list and ensuring the integrity of that list, is important for everybody and for whoever's doing the blocking and whoever owns that phone number. At the end of the day, gateway providers will have to institute some type of DNO list. The only other thing I would flag on that point is the FCC says that such a list may include invalid, unallocated, and unused numbers, as well as numbers where the owner of the number has requested that it be blocked. They can be broad lists or narrow lists, they just have to be reasonable.
Rebekah Johnson: I think that's what you'll end up having to argue, is just how reasonable it is. Just having the list isn't going to be enough.
Kevin Rupy: If you have two numbers on your list, you might have a tough argument there.
Rebekah Johnson: If I was in the gateway provider's position, my advice would be and take it with a grain of salt, it would be to leverage an already established industry DNO list and maybe leverage multiple. There's nothing wrong with connecting with multiple ones. Let's move on to the Robocall Mitigation plan. I know there are some elements to that as well, so gateway providers, just like everybody else, have to submit a Robocall Mitigation plan. Can you speak to those?
Kevin Rupy: That's another big change in this Gateway Order. When the FCC initially rolled out its Robocall Mitigation Database (RMD) and that whole accompanying framework, there was only one small category of providers that had to submit what's called a Robocall Mitigation plan. And those were voice service providers that originate terminate voice traffic, that has not deployed the STIR/SHAKEN standard. So because they didn't deploy the standard, they had to put together what's called a Robocall Mitigation plan. They had to certify in the RMD that they have not deployed STIR/SHAKEN, or only partially deployed STIR/SHAKEN and submit a plan.
Under the FCC's new framework for gateway providers, they have to certify and submit a plan in the RMD. Why that's particularly notable for gateways is they are a subset of intermediate providers, and under the FCC's original RMD framework, or existing RMD framework, intermediate providers did not have to certify. They got automatically populated into the RMD from the FCC's rural call completion database so they didn't have to do anything. In this new framework adopted by the FCC, if you are a gateway provider, you are going to have to affirmatively submit a certification and mitigation plan through the RMD.
Now, the plan that you submit will be focused primarily on what your Know Your Upstream Provider protocols are. In other words, what you are doing to ensure that the foreign intermediate or foreign originating providers, how you know those customers and are ensuring that they're not sending you or originating illegal robocall traffic. At the end of the day, this is an affirmative step for gateway providers that they have to take. So they got to develop a plan and then sign on the dotted line to certify.
Rebekah Johnson: I think with that last part, hopefully, lessons were learned from the first round of submitting plans and how it's not just a sheet of paper that says they'll do it. The FCC has figured out enough to know that's not going to fly. Is there any framework or outline or format that can be used as a standard? Or is it still really up to the gateway provider and their idea of how they want to draft their plan.
Kevin Rupy: It's going to be up to the gateway provider. The FCC generally steps away from being overly prescriptive and telling people what you have to do. But at the end of the day, whatever plan they put in there they've got to ensure, to your point, that it meets the requirements of establishing appropriate Know Your Upstream protocols and what you're doing to stop bad traffic.
Rebekah Johnson: It makes me wonder what would be included in the Know Your Upstream because it's a way of saying know the originator who's in another country that we have no authority over, know them. Or we can flip it and say these are the rules for anyone outside the US to be able to deliver calls into the US.
Kevin Rupy: I think different gateway providers are going to have different requirements. For the gateway providers that want to stay out of these crosshairs, they are going to have, they should have, in my mind, robust Know Your Upstream protocols in place. If a foreign voice provider is going to send that gateway traffic from wherever, whether it's India, the Philippines, or Mexico, it doesn't matter, they've got to have criteria in place that establishes how they get onto that gateway provider's network. Do they require their originating providers to identify what outbound numbers, NANP numbers, they're going to be using? Are they monitoring the traffic? Are they verifying who their customers are? Are they validating that this is a legitimate company with appropriate foreign authorizations? There's no silver bullet to how these plans get written but for companies that want to stay in this space and operate in this space, my advice would be to make sure you have robust mechanisms in place and what your mitigation and now blocking steps will be for that traffic.
Rebekah Johnson: If we could get a gateway provider to come on Tuesday Talks, I think it'd be great, but I also fully understand that it would put a spotlight on them, and maybe it's the best time to lay low and not have opinions until you see how things shake out.
I think it would be insightful also to understand is, is all traffic that originates outside the US and comes in through their gateway is truly foreign-originated, or was that just part of a route from a US base outside of and then back into the US? People get creative with routing their traffic so I think there are probably a lot of different challenges with just identifying the traffic itself and whether or not that truly is an origination outside the US or was it just handed along?
Kevin Rupy: At the end of the day, for the gateway that ultimately sends that traffic on to termination, it's going to be up to them and they're going to have to implement appropriate measures. Keep in mind, that gateway providers have the mandatory blocking scheme, but there are things they can do to monitor their traffic to make sure that they're not sending in unwanted bad traffic.
Rebekah Johnson: What are the next steps that the FCC is looking at beyond gateway providers? Is there another area that they're going to focus on?
Kevin Rupy: That's another great question. In the FCC's item, they issued the Order and there are multiple requirements on gateway providers. I think step one in each of these rules has different implementation dates, so folks should keep tabs on when these rules go into effect and when they're going to be under the obligation to do whatever it is, whether it's responding in 24 hours or registering.
The FCC also adopted what's called a Further Notice of Proposed Rulemaking (FNPRM) that proposes a host of new rules that include things like expanding 24 hours traceback requirements on all domestic providers. That's currently limited to gateways but the FCC is asking, should we make everybody respond within 24 hours? They've got proposals to extend a General Mitigation standard to all voice service providers that have implemented STIR/SHAKEN.
They've talked about extending STIR/SHAKEN to intermediate providers. Under the current framework, intermediate providers can satisfy the STIR/SHAKEN obligation by passing through any SIP traffic unaltered and responding to tracebacks, but the FCC is saying, maybe we should make you deploy the standard and have no more of this workaround by mandating STIR/SHAKEN for intermediate providers.
At the end of the day, there are many additional proposals that the FCC is kicking around and the FCC has been aggressive and moving rapidly on a lot of these robocall-related issues. I suspect more work coming for everybody, not me necessarily, just saying industry.
Rebekah Johnson: These types of rules, as I said, they affect back to the enterprise, especially on the DNO part of it. It's getting at what you and I have talked about for years, that it's going to take everyone in the ecosystem and those who originate the calls who have the decision to decide that they're going to call an individual, and then everyone in between that makes that call occur. It's not simple, it's quite complex, but it does take all of us to do our part.
That's always been at the heart of, at least for me and my goals and objectives that I've had, is I truly believe the enterprise needed to step up to the table and at least identify and say, hey, we're the good guys, we're the good callers, and we can contribute by at least identifying ourselves so you can separate that bad traffic from the good traffic. There's still more to come.
All right, Kevin, I want to thank you for joining us yet again. I'm sure we'll have you back as another guest to talk about more stuff coming out of the FCC.
Kevin Rupy: Thanks Rebekah, anytime.
Rebekah Johnson: We'd like to thank all of you for joining us today for another episode of Tuesday Talks. We will be skipping our next recording to celebrate Independence Day, so I'll wish you all a very happy and blessed 4th of July in advance. We'll see you again on Tuesday, July 19th, when we'll be joined by Pierce Gorman, an industry legend and newcomer to the Numeracle team. We hope to see you there!
Rebekah Johnson is the industry’s leading expert in establishing trust in omnichannel communications through Numeracle’s Entity Identity Management™ platform. With over ten years of regulatory government and compliance experience, businesses have leaned on Rebekah’s expertise to guide them through the evolving complexities of maintaining successful call delivery and positive brand reputation in a changing ecosystem.
Rebekah is an active member of the FCC Hospital Robocall Protection Group, Chair of the Enterprise Communications Advocacy Coalition, and also represents the voice of the enterprise through her leadership on the ATIS IP-NNI Task Force, co-author of the SHAKEN standards. Prior to founding Numeracle, Rebekah served on the FCC’s Robocall Strike Force on behalf of the Empowering Consumer Choice Working Group.
Kevin Rupy is a nationally recognized authority on key issues affecting the telecom industry, particularly those relating to legal and illegal robocalls. Prior to his arrival at the firm, Kevin was Vice President of Law & Policy at USTelecom where he represented Fortune 500 companies in the wireline broadband marketplace. In that role, he frequently served as a liaison between association members and government agencies, and Congress. During his tenure at USTelecom, Kevin established and led the Industry Traceback Group, which is now the FCC’s officially designated Traceback Consortium. He advises robocall analytics providers, voice service providers, and enterprise callers on FCC regulations and proceedings resulting from the passage of the TRACED Act.