25 February 2025

FCC Adopts New Rules Regarding Third-Party Authentication

Roth Jackson



The Federal Communications Commission has adopted a Report and Order concerning voice services providers' ("VSPs") use of third-party authentication to fulfill their STIR/SHAKEN-implementation obligations. The FCC is now explicitly allowing VSPs to use third-party authentication, subject to certain conditions. The FCC views those conditions as necessary to ensure the responsibility for properly authenticating a call's caller ID information remains with the party that has a STIR/SHAKEN-implementation obligation. These new rules do not apply to non-facilities-based VSPs that do not have a STIR/SHAKEN-implementation obligation. [1] Below we dive into the new rules contained in that report and order and their (possible) effective date.

FCC's Eighth Report and Order Regarding Call Authentication

The FCC's order is mainly concerned with VSPs' reliance on third parties to fulfill their STIR/SHAKEN-implementation obligations. While the FCC recognizes the benefits of third-party authentication, it is concerned that such involvement of third parties has resulted in improperly authenticated calls and diminished accountability among VSPs. The FCC adopted the following new rules to, as it explains, "allow providers to realize the economic benefits and efficiencies of working with third parties on the technical aspects of STIR/SHAKEN authentication while maintaining the integrity of the framework for the protection of consumers."

  • Third-Party Authentication

Under the new rules, VSPs can partner with third-party authentication services as part of fulfilling their STIR/SHAKEN-implementation obligations. But such partnerships are subject to the following requirements:

  1. The third-party authenticator must sign all calls using the certification obtained by the VSP (this requirement relates to new obligations imposed on VSPs, which we discuss in more detail in the next section).
  2. The VSP must make all attestation-level decisions regarding the caller identification information of each SIP call it originates.
  3. There must be a written agreement between the VSP and the third-party authenticator that meets the following requirements:
    • It must (i) specifically identify the tasks the third-party authenticator will perform on the VSP's behalf and (ii) confirm that the VSP shall make all attestation-level decisions for calls signed pursuant to the agreement and those calls shall be signed using the VSP's Secure Telephone Identity certificate.
    • It must be maintained for as long as the partnership between the VSP and third-party authenticator exists.
    • The VSP must retain a copy of the written agreement with the third-party authenticator while the agreement is effective and for two (2) years after the end or termination of the agreement.

  • VSPs' SPC Token and Digital Certifications

STIR/SHAKEN consists of two components. The first involves the technical process of authenticating and verifying caller ID information. The second involves the certificate governance process. That process relies on digital certificates issued to VSPs. As part of that process, a VSP first obtains a Service Provider Code ("SPC") token from the STIR/SHAKEN Policy Administrator (iconectiv, currently). Then the VSP presents its SPC token to a STIR/SHAKEN Certification Authority to obtain a certificate stating the VSP is the entity it claims to be and that it has the right to authenticate the caller ID information. Some VSPs with STIR/SHAKEN-implementation obligations have relied on a downstream provider to sign the traffic they originate using the downstream provider's SPC token. The FCC's new rules seek to put an end to that practice.

Under the FCC's new rules, all VSPs with STIR/SHAKEN-implementation obligations must be registered with the STIR/SHAKEN Policy Administrator and obtain their own SPC tokens. Then those VSPs must use their SPC tokens to obtain Secure Telephone Identity certificates from a Secure Telephone Identity Certificate Authority. Those VSPs must use those certificates to authenticate and verify caller ID information.

  • Effects on RMD Certification

As part of these new obligations, a VSP cannot certify to partial or complete STIR/SHAKEN implementation in its Robocall Mitigation Database ("RMD") filings unless it:

  1. Is registered with the STIR/SHAKEN Policy Administrator;
  2. Has obtained its own SPC token from the Policy Administrator;
  3. Uses its SPC token to generate a certificate with the Certificate Authority; and
  4. Authenticates all calls with that certificate, whether directly or through a third party.

VSPs with a STIR/SHAKEN-implementation obligation that have certified to partial or complete STIR/SHAKEN implementation in their RMD filings, but do not meet each of those four requirements, would need to update their RMD filings.

What is the Effective Date for These New Rules?

The quickest answer is, TBD. June 20, 2025 is the earliest these new rules could become effective. But their exact effective date, or if they will ever become effective, is an open question due to an executive order issued by the President on January 20, 2025. That executive order directed all executive departments and agencies to delay the effective dates for new rules until a President Trump-appointed agency head has reviewed and approved them. At this time it is unknown what effect, if any, that executive order will have on these new rules.

Footnote

1. In its Order, the FCC recognized that VSPs that lack control over the network infrastructure necessary to implement STIR/SHAKEN do not have a STIR/SHAKEN implementation obligation.
