Full Report
The new rules are designed to ensure voice service providers are actually confirming the identity of callers using their network. The post FCC moves to tighten industry reporting rules for robocalls appeared first on CyberScoop.
Analysis Summary
# Regulation/Compliance: FCC Stricter Robocall Mitigation Database Filing Requirements
## Overview
The Federal Communications Commission (FCC) has adopted new rules to tighten reporting requirements for voice service providers using the Robocall Mitigation Database (RMD). This database is critical for tracking compliance with federal regulations aimed at combating robocalling and phone number spoofing, particularly concerning the implementation of the STIR/SHAKEN protocols. The goal is to ensure that providers are actively verifying caller authenticity and reporting compliance accurately.
## Key Details
- Issuing Authority: Federal Communications Commission (FCC)
- Effective Date: Not explicitly stated for the *new* rules, but implementation follows the vote; built upon the 2021 TRACED Act.
- Jurisdiction: United States communications networks and voice service providers.
- Status: In Effect (Rules adopted by Commission vote).
## Requirements
### Mandatory Requirements
1. **RMD Updates:** Voice service providers must update the Robocall Mitigation Database (RMD) within ten (10) days of receiving new, relevant information.
2. **Annual Re-certification:** Providers must annually re-certify the accuracy of their RMD submissions.
3. **STIR/SHAKEN Implementation (Underlying Mandate):** Communications providers must use STIR/SHAKEN protocols on IP portions of their network to certify that they have performed due diligence to ensure originating numbers are used by the rightful owner.
4. **Database Access Security:** Establish and implement a process for using two-factor authentication (2FA) to access the RMD.
### Recommended Practices
1. Providers should actively monitor and verify the information submitted regarding call authentication to prevent inaccurate reporting, especially concerning the STIR/SHAKEN attestation levels.
2. Proactively disengage from, or "just say no" to, known bad actors attempting to use network services.
## Affected Organizations
- Industries: Telecommunications, Voice Service Providers (carrying calls over IP networks).
- Organization Size: Applicable to all voice service providers engaged in US communications traffic.
- Geographic Scope: United States.
## Compliance Timeline
- **2021:** TRACED Act enacted, mandating STIR/SHAKEN and the creation of the RMD.
- **Recent Date (Wednesday):** FCC voted to adopt stricter filing requirements for RMD.
- **Post-Adoption:** Timelines for annual re-certification and 10-day update windows commence upon implementation of the new rules.
- **Final deadline:** Annual re-certification must be completed on an ongoing basis.
## Implementation Guidance
### Assessment Phase
- Review current data submission workflows for the RMD to confirm they meet the new 10-day update requirement.
- Audit existing access controls for the RMD to scope the implementation of two-factor authentication.
### Implementation Phase
- Modify internal operational procedures to mandate RMD updates within 10 days of any relevant change in compliance status or information.
- Develop and deploy the necessary technical implementation for 2FA access to the RMD system.
- Establish a schedule to ensure RMD submissions are re-certified annually.
### Validation Phase
- Conduct internal audits to ensure documentation confirms RMD updates occurred within the 10-day window.
- Verify that 2FA is correctly enforced for all RMD administrative access.
## Technical Requirements
- **STIR/SHAKEN Execution:** Must be utilized to create verified call trails and attest to caller identity legitimacy.
- **RMD Security:** Implementation of multi-factor authentication (specifically 2FA) for database access credentials.
## Penalties & Enforcement
- Fines:
  - **$10,000:** For submitting false information to the RMD.
  - **$1,000:** For submitting inaccurate information to the RMD.
- Other Consequences: The FCC may issue cease-and-desist letters and threaten to block call traffic to non-compliant providers (as seen in the Lingo Telecom case).
- Enforcement: Via direct FCC oversight, investigation of compliance shortfalls (like those highlighted by traceback groups), and imposing statutory fines.
## Related Standards
- **TRACED Act (2021):** The enabling legislation that established the RMD and mandated STIR/SHAKEN.
- **STIR/SHAKEN Protocols:** Technical standards necessary for creating verified call attestation and chains of custody.
## Resources
- Official Documentation: [FCC document adopting the new rules](https://www.fcc.gov/document/fcc-adopts-stricter-robocall-mitigation-database-filing-requirements-0).
- Guidance Documents: [Original TRACED Act documentation](https://www.federalregister.gov/documents/2021/09/23/2021-14711/pallone-thune-telephone-robocall-abuse-criminal-enforcement-and-deterrence-act-traced-act).
## Practical Recommendations
1. **Prioritize RMD Hygiene:** Treat RMD data accuracy as a primary regulatory requirement, subject to high monetary fines for inaccuracies.
2. **Automate Monitoring:** Implement systems to track data changes affecting the RMD and trigger mandatory updates within the 10-day limit.
3. **Secure Access:** Immediately initiate the project to mandate and implement two-factor authentication for all administrative accounts accessing the RMD.
4. **Certify Diligently:** Ensure the data used for annual re-certification accurately reflects operational adherence to robocall mitigation efforts, as intentional disregard results in significant penalties.