Rebekah Johnson: Welcome to Tuesday Talks, a live discussion series where we shed light and bring truth to emerging topics in the communications industry. I’m Rebekah Johnson, Founder and CEO of Numeracle, and I’ll be co-hosting today’s session with Kevin Rupy, Partner at Wiley LLC. It's so great to have you joining us today, Kevin, welcome.
Kevin Rupy: Well, thank you, Rebekah. It’s great to be here. I’m looking forward to the discussion.
Rebekah Johnson: Before we get started, I have to give everyone a little bit of background on what you've done and what you've accomplished so it gives credit to what you're going to say and why they should really listen.
Kevin is a nationally recognized authority on key issues affecting the telecom industry, particularly those relating to legal and illegal robocalls. Prior to his arrival at the firm, Kevin was Vice President of Law & Policy at USTelecom where he represented Fortune 500 companies in the wireline broadband marketplace. In that role, he frequently served as a liaison between association members and government agencies, and Congress.
During his tenure at USTelecom, Kevin established and led the Industry Traceback Group, which is now the FCC’s officially designated Traceback Consortium. He advises robocall analytics providers, voice service providers, and enterprise callers on FCC regulations and proceedings resulting from the passage of the TRACED Act.
So, Kevin, with all of that background and experience, could you possibly walk us through how we got to the point where we have this June 2021 deadline fifteen days from now around the Robocall Mitigation Plan?
Kevin Rupy: First of all, thank you for that introduction, Rebekah, thanks so much.
It's been a long road and at the end of the day that's really how we got here, as you and I know, we've known each other for years. Robocalls really splashed onto the scene around 2015. The FTC, the FCC, and Congress started paying closer attention to robocalls and really focusing on mitigating and solving this problem. What that culminated in was in late 2019 when Congress, on an incredibly bipartisan basis, passed the TRACED Act.
The TRACED Act is this highly substantive legislation that was passed in an overwhelmingly bipartisan manner, I think there were four dissenting votes in the House and Senate, that's it. But the TRACED Act really hits on multiple areas that are all focused on trying to solve this vexing robocall problem. The key component, a real key focus of the TRACED Act, was this mandate that basically requires voice service providers to implement the STIR/SHAKEN call authentication standards. The way the statute was structured, it basically said within a year of passage of the Act, voice service providers have to deploy the standard, and that deadline is basically June 30th, 2021. As you noted, that deadline is fifteen days away.
Now, what happened between the passage of the TRACED Act and where we are today, once this legislation was signed into law in early 2020 the FCC, in particular, went through a host of rule-making proceedings and establishing various orders and regulations, many of which relate to the implementation of the STIR/SHAKEN Standard but also which established this Robocall Mitigation Database and the framework for that Robocall Mitigation Database.
At a really high level, in my mind, what that Robocall Mitigation Database seeks to do is, I view it as sort of a circle of trust. Because the way the FCC structured the STIR/SHAKEN implementation deadline, and the June 30th deadline, and the database, was as follows: if you are a voice service provider, if you provide voice service, and that term is broadly defined in the TRACED Act and the accompanying FCC regulations, come June 30th you have to certify to one of two things. That you've either entirely or partially deployed the STIR/SHAKEN standard, and if you have not deployed the STIR/SHAKEN standard, then you have implemented and are following what's called a Robocall Mitigation Plan. A short while back several weeks ago, the FCC released its public notice saying they're opening the Robocall Mitigation Database, voice service providers have to file by June 30th, 2021, and they have to certify by June 30th, 2021.
The other piece of that database that's important and interesting is you have the voice service providers, which again are broadly defined generally as any entity that enables two-way voice communications, interconnects to the PSTN, and utilizes North American Numbering Plan resources or numbers. You've got to register in that database. Now you also have these transit providers that neither originate nor terminate traffic. The FCC has imported all of those intermediate providers into the database and the way this structure is going to work is basically, come September 28th if you're not listed in that Robocall Mitigation Database and you’re voice service providers any other voice service provider or intermediate provider is prohibited from accepting your traffic. That's really important if you want to provide voice service to customers.
Rebekah Johnson; Kevin, this is an infamous deadline. It has almost become a sort of kill switch deadline. All kinds of things are being said such as, “Your calls are going to be blocked if they're not signed come July 1st.” But you just provided another deadline of September 28th and nobody is talking about that one. We're all focused on the July 1st deadline, so as the leading industry expert, what is your response to all of this?
Kevin Rupy: That's a great question, Rebekah. There is a fair amount of misunderstanding and misconceptions around what these various deadlines actually mean, so let's unpack that a little bit.
The June 30th deadline: that is a certification and registration deadline. If you are a provider of voice service, whether wireless, cable, VoIP, interconnected VoIP, one-way VoIP, two-way VoIP...you have to register and certify in that database no later than June 30th. What I mean by both of those things (registration and certification), the certification piece is really important because when you enter your information in the database, whether you've deployed STIR/SHAKEN or if you’ve partially deployed STIR/SHAKEN or if you haven't but you have a Robocall Mitigation Plan, you have to certify to that to the FCC under penalty of perjury.
You are basically putting your information into the database to say you have deployed the standard or you’ve implemented this Robocall Mitigation Plan and I am following it.
Rebekah Johnson: I don't want to miss the point that you just made there because you really added some extra scary words. I think people are thinking that they just fill out a little piece of paper, they file with the FCC and they're not understanding what they're setting themselves up for. And, Kevin, I view this from my privacy and security days, if I wrote a privacy policy and I published it on my website and I then have some kind of violation within my company regarding what I stated I was going to do on my privacy violation, that was the opportunity for the FTC to come in under Unfair and Deceptive Practices. No holds barred, you're at their mercy at that point if you just thought you were told to put a bit of privacy policy up and you just copy and pasted it from some big company and stuck it on there.
Kevin Rupy: Rebekah, that’s a key point because I will tell you that when the FCC established this framework for the Robocall Mitigation Plan, in particular, they did it in a very non-prescriptive manner. They didn't tell you what you had to do, or how you had to do it, or what the details were. That's up to the voice service provider. What they did say is whatever plan you put in there has to include a detailed description of measures that you put in place that can reasonably be expected to significantly reduce the origination of illegal robocalls.
So it has to be detailed, but to your point, whatever you put in there you have to be following and you've got to keep doing. Keep in mind, for folks who are listening now or going to listen to this later, you have to be doing that no later than June 30th. Once you submit that plan and certify to that plan, to your point, you're literally telling the FCC these are the things that I'm doing. So every voice service provider has to be doing those things, they can't just do this as a book report exercise and submit something in. I think you're right, that that could potentially open a voice provider up to potential enforcement action if indeed, your network continues or does originate illegal robocalls and the FCC finds out that the company hasn't been following its detailed procedures. That's huge.
That other piece is you are putting your company's information in there: who you are, where you operate out of, what the name of your company is...because come September 28th, you have to be in that database if you want to complete voice traffic. There’s definitely a lot of misconceptions. There’s the June 30th registration and certification deadline. There’s the September 28th prohibition on accepting traffic from voice providers that aren’t in the database, so that is definitely a key point.
Rebekah Johnson: I've been looking at and watching the Robocall Mitigation Database as it gets updated. Do you have some current stats as of just now with regards to where the industry is saying they are? Is it good? Is it positive? Has everybody been working on this, saying thanks so much for the opportunity for us to tell you how awesome are we? Are we seeing more of those who are not quite there yet?
Kevin Rupy: Based on the data as of right now today, we’re seeing just under about 1,000 certifications and registrations in the database, which I think is a good start. Obviously, between now and June 30th we're going to see those numbers increase, certainly hopefully significantly. The interesting thing that you can see when you look at the data in the database is how it breaks out.
As of right now, there are just over 100 voice providers who have completely implemented STIR/SHAKEN. They don't have to worry about a Robocall Mitigation Plan because they've deployed the standard. There are about 500 that have done either no STIR/SHAKEN implementation or partial. They're doing, and have implemented, a Robocall Mitigation Plan, and we can talk about that in a bit. If you look at the data, there's actually one category that says N/A and that's about 400 providers. What that N/A is are the intermediate providers that have basically been put into the Robocall Mitigation Database. They're not under an obligation, currently, to do a Robocall Mitigation Plan. They have no choice but to deploy the standard so they have been rolled into the Database.
I would say that's a fairly positive number, right now, at about 1,000. As I said, we'll see that number increasing, I think significantly, in the days and weeks ahead.
Rebekah Johnson: Is there any data that you see in there, with regards to people registering, that stood out as interesting that they're registering?
Kevin Rupy: What do you mean by that, Rebekah?
Rebekah Johnson: Maybe people who just don't understand with the Databases is for, do we have foreign VSPs applying because they think there's some kind of deadline here and they just have to get their name in it so their calls go to the U.S.? I can see a ‘panic mode’ of people just trying to get their name on a list.
Kevin Rupy: That's another interesting wrinkle in the FCC's framework where they technically require foreign voice service providers to register in the Database. Now, a lot of folks out there are probably saying wait a minute, the FCC doesn't have jurisdiction over foreign voice service providers. What the FCC did was acknowledge that. They essentially said if you’re a foreign voice service provider and you’re utilizing NANP resources, if you want your calls completed to the United States then you've got to register in the Database. You either have to say you’ve deployed STIR/SHAKEN or have a Robocall Mitigation Plan.
The way the FCC framed it was by saying they’re not putting the obligation on you. The obligation is on intermediate providers or else domestic voice service providers here in the United States won't be able to take your traffic. If you want it accepted you need to put yourself and register and certify in the database. Keep in mind, that this applies to foreign voice service providers that are utilizing North America Numbering Resources. It’s a small subset, arguably. Generally speaking, foreign providers should only in limited instances be using NANP resources.
The other wrinkle is, technically, since the FCC can't impose a deadline on foreign voice service providers, they could theoretically certify and register as late as September 27th. I would certainly advise against that but they're not subject to the June 30th deadline.
Rebekah Johnson: Well, speaking of the June 30th deadline, I do believe I’ve heard there’s some kind of extension for certain categories or groups. Can you provide some insight on that?
Kevin Rupy: The FCC realized that when they established the STIR/SHAKEN mandate there were certain voice providers that either couldn't meet the deadline or could be subject to a reasonable extension. They set up four categories, and at a really high level, what those four categories are:
- Small Voice service providers: providers with 100,000 or fewer subscriber lines. Think about a rural voice provider with 10,000 subscribers. The FCC gave smaller providers an automatic two-year extension.
- Providers who don't operate or don't have an IP network. As you know, Rebekah, STIR/SHAKEN requires all IP. If you're operating a TDM copper line network you get an indefinite extension.
The other two categories are corner cases.
- A provider that is going to discontinue their service in a year gets a one-year extension, but they have to discontinue their service within that year.
- The final category is providers that can’t obtain, for whatever reason, the token necessary to deploy the STIR/SHAKEN Standard. So an example is a voice provider that doesn't have access to numbering resources. They also can get an extension.
So that goes for the certification, when those providers register and certify in the database they'll be given an opportunity to identify in which of the four categories they can avail themselves of an extension. But for any voice provider doing a Robocall Mitigation Plan, you have to disclose the category in your plan, which extension category you have and you’re certified to that extension category.
Rebekah Johnson: So, Kevin, we’ve covered everything that needs to be done and I would say it’s achievable. It really is achievable. You have to be organized, you have to have good counsel and I’m sure you know where to find some.
So let’s talk about what happens to those who are not taking our words of wisdom here and decide it’s not really that big of a deal. What's going to happen to them? I know you know because you can go back to the USTelecom space and the Traceback Group. What are they going to be doing to identify and what kind of action they intend to take?
Kevin Rupy: That's a great question. Keep in mind what we talked about at the beginning of the discussion: the FCC is very non-prescriptive but the two things they said were detailed plans that can reasonably be expected to significantly reduce the origination of robocalls, and you’ve got to follow those plans.
If a voice provider fails to do any of that, in my mind, they could potentially open themselves up to enforcement action especially if their network is used as a platform for originating illegal robocalls. If they put in a three-sentence Mitigation Plan that really doesn't include any teeth, they're going to have a hard time explaining to the FCC see how that plan could reasonably be expected to reduce the origination of illegal robocalls. Voice providers really need to think about that and they've got to think about what they can put in their plans to reduce that likelihood whether it’s contractual terms, termination provisions, network monitoring, Know Your Customer… those are all things that you want to hit in your plan to make sure that you don't end up on the enforcement side of this.
Rebekah Johson: For the executives who are listening to this podcast, because one of the listeners today said, “Don’t take it from me, take it from the experts,” they’re going to want the summary. Give us three important points that the audience needs to know as it relates to the Robocall Mitigation Database.
Kevin Rupy
- Point one: I gave a presentation on this about a month ago and my first point was, “Don't panic, you've got time.” Point one is panic. You've got two weeks to get your plan together and get it submitted and certified through the RMD, the database, by June 30th. So get cracking, time's a-wastin’.
- Point number two: whatever plan you put together you really have to make sure it includes detailed procedures that can reasonably be expected to prevent the origination of illegal robocalls.
- Third, and finally, comply with what you're doing. Follow it to a T because if you don't do that, I think you're facing some risk there.
Rebekah Johnson: Kevin, we’ve actually gotten a lot of questions in advance of this recording. Molly, if you would, let's cover some audience questions.
Molly Weis: Question number one today is, have you heard any rumblings as to whether the FCC will proactively review the submitted Mitigation Plans and address potential inadequacies?
Kevin Rupy: I have not heard that, but I would flag that in the FCC’s order establishing the Robocall Mitigation Plans they flagged that as a possibility. In other words, they stated if people don't put in good plans and see that they're not having the desired effect, we may go back and look at this whole plan framework, including through a rule-making. So I haven't heard anything affirmatively that they're going to do that but they certainly left the door open to allow them to do that.
Molly Weis: Do you see any possibility that bad actors could exploit the Robocall Mitigation Database by looking for providers who may have vulnerabilities within their Mitigation Plan, targeting them as a pathway to conduct fraud?
Kevin Rupy: I suppose potentially. My view has always been there are really only a very small number of providers out there that actively participate in this space. At the end of the day, I think the bad guy robocallers know where to find these complicit voice providers. My sense is that robocallers will not use the database to find potential providers that might be able to help them. Now that said, I don't think it's outside the realm of possibility, it could happen. My sense is they're going to work with the providers that they already know, but their days are numbered, I do believe that.
Molly Weis: Have you reviewed any of the plans that have been submitted? If so, is there anything you’ve seen in submitted plans that jumped out to you as problematic?
Kevin Rupy: Great question. Two things I’d flag quickly are:
- I’ve seen a lot of plans that are far from detailed and are literally just two or three sentences. That’s just not going to cut it.
- The other thing I would flag is I have seen a couple of plans that focus on what the service provider is doing to prevent robocalls from coming into their network. That’s not what your plan has to be. Your plan has to focus on ensuring that robocalls do not originate from your network.
As you move forward on this, if you think that you’re answer is deploying a robocall blocking tool on your network, unless it’s blocking originating traffic, you’ve missed the mark. You have to focus on originating traffic.
Rebekah Johnson: There are some other questions that came in. This is one I think we need to address. So, Kevin, there’s a lot of confusion with regards to the June 30th deadline having to do with the implementation of STIR/SHAKEN, A-Level Attestation, and signing calls, all being bundled up. I don’t know if you’ve seen that, but there’s a lot of confusion. There’s this concept or misconception on the enterprise that come July 1st if my provider is not signing calls with A-Level Attestation, then the terminating carriers are going to reject and block calls. That’s the kill switch that we talked about earlier. I know I can say all day long that that’s not going to happen, but I would love to have you join in on that conversation and have an opinion.
Kevin Rupy: I agree with you wholeheartedly, Rebekah. The fact of the matter is that come July 1st, voice providers that have deployed the standards are going to start signing calls. My view is whether it has an A, B, or C-Level Attestation, especially early on, and by early on I mean in the coming years like the next year or two, that really isn’t going to have any impact on the ability of a legitimate enterprise caller to make outbound calls. What I mean by that is, there is no voice provider, in fact, they’re prohibited by FCC rules, they cannot block a call based on attestation level alone. I think concerns about attestation levels are somewhat overblown and I would share your caution on that.
Rebekah Johnson: I think it was in one of our meetings that we had with ATIS who did a presentation on STIR/SHAKEN and that's where I saw the attestations and I remember wanting to pause and talk about what this means. It really is the responsibility of the service provider. The standard was basically outlining, to the point you just made about making sure these bad calls do not originate on the network. The attestation is all about that upfront work and asking “What do you know? Are you authorized to use that number?” The standard says what it should say, it's a local policy.
When we tie this back to a Robocall Mitigation Plan, that’s essentially your local policy and how you will assign A, B, or C because you're attestation of what you know about the traffic on your network. So fine, you sign your calls, you can implement STIR/SHAKEN, but if you don't know anything about who's delivering and originating calls on your network hopefully you don't sign it with an A, let’s at least hope you don’t go down to that level. To me you're signing it down with a C, I knows it’s also called Gateway in the standards where there are some other words around it. It basically means “I don’t know. I got the call and I’m delivering the call.”
Okay, that's fine, but the due diligence on what you're doing to make sure that you're originating good traffic is really what I see the regulators and enforcement side really going to focus on. Do you just take a credit card and then that's it and then they're up and running? So, it is good, I think, for the enterprises to have the conversation with their service provider because I feel like that’s a nice pressure on service providers to have to implement a policy.
So the good guys are actually kind of forcing contractual changes, they’re forcing these policies to be implemented. Because they do want to have their call signed with an A and I think that's valid and legitimate. I think we’ve got a good pressure coming from the enterprise side but the concept of just cutting off all calls if they're not signed with A, unfortunately, there is marketing out there that is saying that. We try to debunk that all the time, but anyway, that's an interesting diversion.
Kevin Rupy: And Rebekah, keep in mind, you and I have been saying for years that STIR/SHAKEN does not tell you whether a call is good, bad, indifferent, or illegal. It just tells you the number is valid and who originated it or where it came from. So even an A-Level call could be a bad call or illegal.
Rebekah Johnson: I miss arguing with you about legal versus illegal, wanted versus unwanted.
Thanks for joining us on another episode of Tuesday Talks. We hope to see all of you again on Tuesday, June 29th, where we’ll be joined by Sam Fadel of the International Association of Financial Crimes Investigators (IAFCI) to discuss the importance of fraud monitoring on the voice channel. Thank you.
