FCC moves to tighten industry reporting rules for robocalls

The Federal Communications Commission is tightening up reporting requirements that are meant to prove agencies are cracking down on robocalling and phone number spoofing.

The commission voted Wednesday to adopt new rules that would put in place stricter filing requirements for the Robocall Mitigation Database, a system used by communications providers to report compliance with federal regulations around combating robocalls.

The new rules require voice service providers to make updates to the database within 10 days of getting new information and sets fines of $10,000 and $1,000 for submitting false or inaccurate information. It also requires voice service providers to annually re-certify that their submissions are accurate and sets up a process for implementing two-factor authentication to access the database.

“Companies using America’s phone networks must be actively involved in protecting consumers from scammers,” FCC Chairwoman Jessica Rosenworcel said in a statement.  “We are tightening our rules to ensure voice service providers know their responsibilities and help stop junk robocalls.”

While the changes may seem minor, they’re designed to address reporting shortfalls that have cropped up around the way telecommunications firms prove to the government that they’re working to prevent robocalls on their network.

The database was created by Congress through the Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act in 2021. That law also mandated that communications providers use a new set of protocols, dubbed STIR/SHAKEN, to certify to the government that they have done due diligence to ensure that phone numbers making calls over the Internet Protocol portions of their network are being used by the rightful owner.

STIR/SHAKEN protocols were designed to create verified trails for phone calls as they travel over different networks, with each carrier attesting that they have verified the caller’s identity. This creates a chain of custody for government and private-sector organizations, like the Industry Traceback Group, to investigate. It also ostensibly puts each carrier on the hook for ensuring that mass phone-number spoofing isn’t happening on covered parts of their network.

The Robocall Mitigation Database is how companies report their compliance with STIR/SHAKEN. However, the Biden AI robocall incident ahead of the January 2024 New Hampshire Democratic presidential primary highlighted compliance reporting gaps in the government’s approach.

The calls sent to New Hampshire voters spoofed the phone number of a prominent former state Democratic official and Lingo Telecom, the voice service provider that carried them and signed off on their authenticity with an A-level rating — the highest level of confidence a carrier can provide about the validity of the caller.   

The FCC fined Lingo Telecom $1 million and sent a cease-and-desist letter threatening to block their call traffic to other providers if they did not do more to ensure that they are complying with the rules, but the episode also made it clear that the certifications being made by carriers were not being verified or updated in a timely fashion.

“The [Robocall Mitigation Database] is an essential resource in State [Attorneys General] efforts to combat illegal robocalls. However, too often the information submitted by providers to the RMD is clearly false or inaccurate and demonstrates contempt for the Commission’s requirements and the consumers those requirements protect,” the agency said in its order.

Robocalling continues to be a scourge on American society. According to a 2022 report from the National Consumer Law Center and the Electronic Privacy Information Center, Americans received more than 21 billion robocalls in 2021.

In an interview last month, Rosenworcel, the outgoing FCC chair, told CyberScoop that the frequency of robocalling has actually gotten worse since then, as a 2021 Supreme Court decision adopted a definition for autodialing that essentially “froze the definition of the technology in 1991.” She pushed for Congress to update that authority for modern telecommunications technology and give the agency the authority to take bad actors to court to enforce their mandates.

David Frankel, CEO of ZipDX, a robocall surveillance platform, told CyberScoop that the new rules are welcome and could improve the accuracy of protocols like STIR/SHAKEN.

“By cross-referencing that signer to their entry in the [database], you can know something about that entity,” Frankel said. “And over time, each provider earns a reputation — good or bad — based on real-life experience with the calls they are signing.” 

Frankel said the impact of the new rules probably won’t be noticed by consumers right away, but they could reach a very important group within the telecom ecosystem. While there are bad actors who are “truly rotten and manipulating the system” to facilitate mass robocalling, there is a large group of telecoms — including major players like AT&T, T-Mobile and Verizon — who aren’t explicitly gaming the system but also aren’t incentivized to do much about the problem.

“What this new order may do is give more of the ‘middle of the road’ players cover to do more,” Frankel said. “Those players need to ‘just say no’ to the really bad guys. We’ll see.”