Fraud and Scam Prevention Series: FCC’s Robocall Regulations Are Complex and Unrelenting – Voice Service Providers Need to Stay Ahead
In this second installment of Wiley’s series on fraud and scam prevention, we focus on the Federal Communications Commission’s (FCC) continued regulatory and enforcement efforts on illegal and unwanted robocalls. Since Congress passed the Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act in 2019, the agency has issued numerous rulemakings and orders and adopted a series of regulations aimed at mitigating such calls.
The many obligations placed on voice providers throughout the call path generally fall into two categories: (1) robocall mitigation; and (2) call authentication. To date, the FCC’s regulatory obligations include requirements for voice service providers to implement the STIR/SHAKEN call authentication framework to verify caller ID information for calls carried over Internet Protocol (IP) networks, mandatory and permissive blocking frameworks, and the filing of certifications in the FCC’s Robocall Mitigation Database (RMD), which must include detailed Robocall Mitigation Plans (RMPs) describing voice providers’ efforts to prevent illegal robocalls. The FCC’s scrutiny and regulation in this area continues to expand, and voice providers throughout the call path must ensure they are in compliance with the agency’s complex regulatory framework. An overview of just some of these obligations is provided below.
FCC Bolsters RMD Certification Requirements.
In January 2025, the FCC released an Order adopting new rules for RMD filings, which included establishing forfeitures for submitting inaccurate or false certification data to the RMD and for failures to timely update RMD filings, among other requirements. Voice service providers who fail to submit RMPs that comply with the Commission’s detailed rules risk being removed from the RMD. Voice service providers will also be required to recertify in the RMD on an annual basis. Because voice service providers may only accept traffic from providers listed in the RMD, removal from the RMD has serious consequences – a voice service provider removed from the RMD is effectively removed from the U.S. voice ecosystem. The FCC’s Enforcement Bureau has already removed nearly 1,400 voice service providers’ certifications from the RMD for deficient filings this year.
FCC Requires Voice Service Providers to ‘Know Your Customer.’
The Commission’s rules require a voice service provider to “[t]ake affirmative, effective measures to prevent new and renewing customers from using its network to originate illegal calls, including knowing its customers and exercising due diligence in ensuring that its services are not used to originate illegal traffic.”[1] Although the FCC has not mandated specific actions to comply with its Know Your Customer (KYC) rule, voice service providers must establish policies and frameworks to ensure compliance with the regulations. Further, FCC regulations require voice service providers to establish similar policies to know their upstream providers. Lack of compliance with these regulations can place voice service providers at risk of significant enforcement exposure. For example, earlier this year, the FCC issued a substantial Notice of Apparent Liability for Forfeiture against voice service provider Telnyx LLC (Telnyx) of nearly $4.5 million for alleged violations of its KYC requirements. Specifically, the FCC alleged that Telynx overlooked “obvious” errors in the onboarding information and collected only “very limited” identifying information while onboarding a new customer.
Broader Range of Voice Service Providers Are Now Responsible for Deploying STIR/SHAKEN.
Following passage of the TRACED Act, many voice service providers relied on their downstream carrier to perform call signing under the STIR/SHAKEN framework. However, the FCC adopted a third-party authentication order in 2024 that now requires providers with a STIR/SHAKEN implementation obligation who work with third parties to perform the “technological act” of assigning attestation levels, or “signing” calls, to ensure that all calls are signed using the provider’s own certificate obtained from a STIR/SHAKEN Certificate Authority – not the certificate of the third party with whom they are working.
The 2024 order has also resulted in some regulatory “blind spots” for voice service providers. Because obtaining a STIR/SHAKEN token requires filing a Form 499-A with the FCC, this could open voice service providers to Universal Service Fund (USF) contribution obligations, unless they are found to be exempt from contributions. As Wiley detailed previously, such providers could also be subject to late fees and penalties from the Universal Service Administrative Company, as well as potential enforcement exposure from the FCC for failure to file timely USF reports and pay timely contributions.
Proposed FCC Rules Could Increase Vetting Obligations and Impact Foreign Originated Calls.
The Commission also recently approved a Ninth Further Notice of Proposed Rulemaking (FNPRM) in its Advanced Methods to Target and Eliminate Unlawful Robocalls and Call Authentication Trust Anchor proceedings that proposes to impose increased regulatory obligations on providers throughout the entire call path. Specifically, the FNPRM proposes to require: (1) terminating providers to display call verified name information (i.e., a verified personal or business name) if a call receives an A-level attestation that is displayed on the subscriber’s handset; (2) terminating providers to display a mark designating whether the call originates from outside of the U.S.; (3) originating providers to employ “reasonable measures” to verify caller identity information; (4) gateway providers to mark calls that originate from outside of the U.S.; (5) non-gateway intermediate providers within a call path to pass unaltered caller-ID information identifying the call as having originated from outside of the U.S.; (6) terminating providers to transmit to called parties an indicator that a call originated from outside of the U.S. when they know or have a reasonable basis to know the call originated from outside of the U.S.; and (7) providers that use reasonable analytics to block calls to include whether a call originated from outside of the U.S. as a factor in their analytics.
If the Commission moves forward with these proposals, they would impose even more complex requirements on providers throughout the call chain. Comments and Reply Comments on the FNPRM will be due 30 and 60 days, respectively, after publication in the Federal Register, which has yet to occur.
Wiley Has Extensive Experience Handling Robocall Compliance.
As the FCC considers additional regulatory and enforcement actions related to call authentication, KYC, and other FCC compliance frameworks related to illegal robocalling, Wiley’s multidisciplinary team is uniquely positioned to assist. We help industry develop internal compliance strategies to establish KYC processes and other robocall mitigation procedures. This includes drafting and revising KYC intake forms, drafting and revising internal policies for robocall mitigation, updating and filing RMPs in the RMD, and responding to FCC and other federal and state enforcement inquiries into alleged robocalling violations. We also assist in developing forward-thinking advocacy on complex FCC proceedings aimed at establishing new rules and regulations for robocall mitigation – whether through call authentication frameworks or additional RMD requirements.
Wiley attorneys have extensive and unparalleled experience in navigating the complex framework of robocall mitigation requirements and possible enforcement actions. For more information or assistance, please contact one of the authors listed on this alert.
[1] 47 CFR § 64.1200(n)(4).
