FCC Acts to Curb Foreign-Originated Illegal Robocalls, Imposes Several New Requirements on Gateway Providers

Recently, on May 20, 2022, the Federal Communications Commission (“FCC”) issued a Report and Order (“Order”), as well as a Further Notice of Proposed Rulemaking (all available here), with a plain objective:  to “take further steps to stem the tide of foreign-originated illegal robocalls and seek comment on additional ways to address all such calls.”  Order1.  As stated by the FCC, “reducing illegal robocalls that originate abroad is one of the most vexing challenges we face in tackling the problem of illegal robocalls.”  Id.  The Order was adopted by a unanimous, 4-0 vote by the FCC after it had received comments over the last nine months on various topics, including whether so-called “gateway providers” should be required to authenticate caller identification information and implement other efforts to reduce the number of illegal prerecorded and/or artificial voice “robocalls” originating overseas.

A “gateway provider” is a U.S.-based provider that acts as an intermediary for an international call by receiving a call directly from a foreign provider before transmitting that call downstream to other U.S.-based providers for termination.  Order ¶ 25.  This definition is not static but rather one that applies on a call-by-call basis, i.e., a provider is a gateway provider—and subject to the FCC’s new Order—only for those calls in which it acts as a gateway provider.  Id. ¶ 28.  Per the FCC, commenters “overwhelmingly” supported the imposition of additional requirements on gateway providers in order to “stop the flood of foreign-originated illegal calls.”  Id. ¶ 21.

Why focus specifically on gateway providers?  In its press release, the FCC described such providers as “the on-ramps for international call traffic” and a “critical choke-point for reducing the number of illegal robocalls received by American consumers.”  The FCC also cited a 2021 report by the Industry Traceback Group as the impetus for its new rules, noting a finding that “65% of the voice service providers identified as transmitting illegal robocalls were either foreign-based or gateway providers.”  Simply put, the FCC’s existing rules have focused on preventing illegal robocalls that originate in the U.S., which has resulted in more and more of such calls originating in other countries that have less stringent regulation.  As a result, the FCC shifted its regulatory focus to gateway providers, which are on the “front lines” of foreign-based illegal calls.

The Order imposes several new rules focused exclusively on gateway providers.  Although the new rules are technical and nuanced, they can generally be summarized in three broad categories.

First, the FCC requires gateway providers to implement STIR/SHAKEN caller identification authentication protocols (discussed previously here) for foreign-originated “Session Initiation Protocol” (or “SIP”) calls to U.S. numbers.  The FCC imposed a deadline of June 30, 2023, for gateway providers to comply with this new obligation.

Second, the FCC requires gateway providers to submit a certification and mitigation plan to the Robocall Mitigation Database describing their robocall mitigation practices and certifying that they are adhering to those practices—a requirement to which voice service providers are already subject under existing FCC rules.

Third, the Order imposes four new robocall mitigation requirements for gateway providers:  (a) a new rule that gateway providers must respond to FCC and law enforcement traceback requests within 24 hours to help determine the foreign source of a suspected illegal call; (b) new mandatory call-blocking requirements under which gateway providers must now block calls from an identified provider if notified by the FCC of illegal traffic from that provider; (c) a “know your upstream provider” requirement (where the gateway provider must take certain steps to ensure that the upstream foreign provider is not using the gateway provider to process a high volume of traffic); and (d) a requirement that all gateway providers adopt a “general mitigation standard” to take “reasonable steps to avoid carrying or processing illegal robocall traffic.”

A gateway provider’s failure to comply with the new rules could generate significant consequences, including its removal from the Robocall Mitigation Database and mandatory blocking by other network participants, “essentially ending its ability to operate.”

With any new regulatory undertaking, two key questions arise.  Initially, will it be effective to address the problem it is attempting to solve?  The FCC wrote in its Order that “the authentication and mitigation requirements we adopt today will ensure that American consumers are protected.”  Order ¶ 19.  But of course, only time will tell.  Conversely, is there a possibility that the new rules could be too effective?  In other words, will they impose unwarranted burdens and additional costs on gateway providers yet block too many legal calls—thus negatively impacting legitimate, well-intentioned businesses?  Again, it remains to be seen whether the Order will, in practice, effectively accomplish the FCC’s stated objectives or otherwise fall short.

Nevertheless, the FCC shows no sign of slowing down in this effort.  In addition to issuing the new rules aimed at gateway providers, the FCC also sought comment on expanding its new robocall mitigation requirements to all domestic intermediate providers, not just gateway providers.  We will continue to track the FCC’s activity in this area and report back on further developments.