The FCC Allows Third Party STIR/SHAKEN Authentication With Conditions

If you are not signing your IP-calls with your own STIR/SHAKEN certificate, you should read this alert. Virtually all providers are now required to implement STIR/SHAKEN into the IP portions of their network and to report on the status of their implementation in the Robocall Mitigation Database (RMD). Some providers rely on third parties to authenticate their calls using the third party’s certificate. These providers have not obtained a Service Provider Code (SPC) token from the STIR/SHAKEN Policy Administrator. The SPC token is required to obtain a STIR/SHAKEN Certificate, which is used to “sign” the call with the appropriate attestation level.

            The providers that currently rely on a third party to sign their calls using the third party’s certificate will now be required to obtain their own SPC tokens. Although they may still use a third party to technically sign their calls, the third party must use the originating provider’s certificate and the originating provider must dictate which attestation level to use.

           The FCC’s Order, found here, will require providers that have stated in their RMD filings that they have implemented STIR/SHAKEN but use a third party to sign calls may need to update their RMD filings. Citing estimates from TransNexus, the Order states that about 64% of providers in the Robocall Mitigation Database that claim STIR/SHAKEN implementation do not have their own SPC token. Additionally, the Order may require parties to update their agreements with third parties signing their calls.

            There is an important exception to these requirements that involves resellers and value added service providers. Not every entity serving end user customers needs to obtain their own token and can continue to have another entity sign their calls without having to obtain their own token or make any other changes.

What Is and What Is Not Third Party Authentication

            Under the Order, “third-party authentication” refers to scenarios in which a provider with a STIR/SHAKEN implementation obligation under the Commission’s rules enters into an agreement with another party—a “third party”—to perform the technological act of signing calls on the provider’s behalf. Relying heavily on the analysis in ATIS 1000088, A Framework for SHAKEN Attestation and Origination Identifier, the FCC recognized that a provider may have another entity sign for them if that provider is a reseller or “value added service provider” (VASP). ATIS 1000084 can be found here. The FCC does not consider this scenario to constitute third party authentication. Rather, under this scenario, the signing entity is signing for its reseller or VASP customer, even if that customer is not an end user. Providers may wish to refer to ATIS 1000088 to assess whether the arrangement that they are using constitutes third party authentication.  

Conditions for Third Party Authentication

            The FCC confirms that third party authentication is allowed but with certain guardrails. Principally, a third party may be used by an entity with a STIR/SHAKEN implementation obligation to undertake the technical work of signing calls as long as the party with the implementation obligation: (1) makes all attestation level decisions (e.g., levels A, B, or C) consistent with the STIR/SHAKEN technical standards; and (2) ensures that all calls are signed using its own certificate obtained from a STIR/SHAKEN Certificate Authority—not the certificate of a third party. Additionally, the FCC will require all providers with a STIR/SHAKEN implementation obligation to: (1) obtain an SPC Token and digital certificate; (2) certify to complete or partial implementation in the Robocall Mitigation Database only if they have obtained an SPC token and digital certificate and sign calls with their certificate; and (3) memorialize and maintain records of any third-party authentication agreement(s) they have entered into, subject to certain limitations.

            As a reminder, to obtain a token, a provider must: (1) have a current form 499A on file with the FCC; (2) have been assigned an Operating Company Number (OCN); and (3) have certified with the FCC that it has implemented STIR/SHAKEN or complies with the FCC’s Robocall Mitigation Program requirements and is listed in the RMD, or that it has direct access to telephone numbers from the Toll-Free Number Administrator (TFNA).   All three requirements must be met to obtain a token.

            RMD Update  

The Order prohibits any provider with a STIR/SHAKEN implementation obligation from certifying to complete or partial implementation in the Robocall Mitigation Database unless they have obtained an SPC token and digital certificate and sign calls with their certificate, either themselves or when working with a third party to perform the technological act of signing calls having met the necessary conditions imposed in this Order. (Again, this requirement does not apply for resellers or VASPs that are direct customers of an entity with the STIR/SHAKEN implementation obligation that signs their calls as explained in the Order and ATIS 1000088).

Third Party Contract

Providers that choose to work with a third party to perform technological act of signing calls do so pursuant to a written agreement. The agreement must specify the specific tasks that the third party will perform on the provider’s behalf and confirm that the provider will: (1) make all attestation-level decisions for calls signed pursuant to the agreement, and (2) ensure that all calls will be signed using the provider’s certificate. Providers may be required to submit a copy of the agreement to the FCC in connection with a review of the provider’s compliance with the FCC’s rules or an investigation by the Enforcement Bureau. The FCC requires that a current agreement be in place for as long as any third-party authentication arrangement exists, and that all copies of third-party agreements be maintained for a period of two years from the end or termination of the agreement.

Compliance Deadline

These new requirements will take effect 30 days after publication of the Order following OMB approval, or 210 days after release of the Order, whichever is later. The Order was released on November 22, 2024.

Please feel free to contact Michael Pryor, mpryor@bhfs.com or CCA’s regulatory committee if you have questions or want more information.