Skip to main content

Telephone and Texting Compliance News: Regulatory Update — Federal Communications Commission Allows Third-Party Call Authentication

The Federal Communications Commission (Commission) adopted a Report and Order authorizing telecommunications service providers with a STIR/SHAKEN caller ID authentication obligation (i.e., originating, intermediate, and gateway providers) to engage third parties to perform the technological act of “signing” calls on their behalf consistent with the technical requirements of the STIR/SHAKEN standards.

Under the new rules, to take advantage of third-party authentication, a service provider must meet two conditions: first, the provider with the STIR/SHAKEN obligation must make all “attestation-level” decisions consistent with the STIR/SHAKEN technical standards, and second, all calls “signed” by the third party must use the service provider’s Service Provider Code (SPC) token and digital certificate.

The Commission’s rules will also require all service providers with a STIR/SHAKEN obligation to obtain their own SPC token and digital certificate if they certify complete or partial STIR/SHAKEN implementation in the Robocall Mitigation Database. Combined, these requirements seek to ensure that the party with the STIR/SHAKEN obligation can be held responsible where illegally spoofed calls are still transmitted across that provider’s network.

In adopting the rules, Chairwoman Rosenworcel noted that third-party authentication “make[s] sense for some carriers because it can keep costs down and help keep junk off the line” but that it is also a practice that has drawn some scrutiny before the Commission because it “allow[s] carriers to turn the other way and make the mess of unwanted calls someone else’s responsibility.” Thus, by adopting the new third-party authentication requirements, “[the Commission] set[s] the ground rules for how to use a third party for call authentication and make[s] clear that carriers bear ultimate responsibility for compliance,” thereby ensuring accountability for the continued flood of illegally spoofed calls.

The Report and Order also contains recordkeeping obligations that require providers to enter into written agreements for any third-party authentication and that those agreements remain in place for the duration of the arrangement. The agreements are required to specify the tasks the third party will perform on the provider’s behalf and confirm that the provider will: (1) make all attestation-level decisions for calls signed pursuant to the agreement and (2) ensure that all calls will be signed using the provider’s certificate.

The third-party authentication rules will be effective the later of 30 days after the Report and Order is published in the Federal Register or June 20, 2025.

 

Subscribe To Viewpoints

Authors

Russell H. Fox is a wireless communications attorney at Mintz. He guides clients through federal legislative, regulatory, and transactional matters. Russell also participates in FCC proceedings, negotiates spectrum agreements, and represents clients in spectrum auctions.
Jonathan Garvin is an attorney at Mintz who focuses on legal challenges facing companies in the communications and media industries. He advises clients on transactional, regulatory, and compliance issues before the FCC involving wireless, broadband, broadcast, and cable matters.