Skip to content
Stopping Illegal Robocalls Where They Start

Service Provider Compliance with 47 CFR § 64.1200(n)(4) – Part II

In our previous post, we explained how the FCC regulations obligate telephone service providers to play an important role in keeping illegal calls off the network. The FCC does not dictate what a provider needs to do, but we have collected below a set of reasonable steps that can help an originating voice service provider meet the FCC mandate.

Intermediate providers (those taking voice calls from another provider, rather than directly from the calling party) should implement these four steps:

  1. All calls with a USA caller-ID must carry the STIR/SHAKEN signature of the originating provider
  2. All non-conversational traffic must flow via SIP (no TDM/legacy connections)
  3. Upstream providers must impose these steps 1 through 4 on their upstreams
  4. Originating providers must follow the steps below.

Each provider should adjust and augment these steps to ensure that what they are doing is effective.

Most providers distinguish between “conversational traffic” and “non-conversational traffic” (also known as “dialer” or “call center” traffic). Because conversational traffic is less likely to include large numbers of illegal calls, the most important tool, beyond KYC vetting and monitoring, is on-going evaluation of Call Detail Records (CDRs) to ensure the traffic consistently meets the conversational standard. Look for average call duration of at least two minutes, and at least 30% of calls lasting longer than two minutes. Treat traffic (and customers) not meeting both of these metrics as non-conversational.

Non-conversational traffic necessitates much greater scrutiny. Customers sending both types of traffic should segregate it into two streams (CT and NCT) so that the provider can monitor each appropriately.

Know-Your-Customer (KYC): Ensure your KYC process includes collection of the items shown below and verify the validity.

  • Customer Legal Name
  • Obtain a copy of official business registration
  • Name(s) of Owners and Executives
  • Name of Primary Contact
    • Physical address where work is performed (not a PO box)
    • Direct phone number (not an auto-attendant)
    • Direct email address (not a general email)
  • Company web site(s)
  • For CONVERSATIONAL traffic:
    • General description of services offered and customers served
    • How calling telephone numbers (ANIs) are obtained & verified
    • Copy of Acceptable Use Policy if services are resold
  • For NON-CONVERSATIONAL traffic:
    • Nature of business & campaigns
    • How called numbers are obtained (including, if applicable, lead sourcing strategy and use of third parties and web sites (URLs) where consents are obtained)
    • Strategies for ensuring validity of consents (given that so many consents are found to be fabricated or fraudulent)
    • Doing-business-as names used in outbound calls
    • Caller-ID strategy (how ANIs are associated with campaigns; frequency with which ANIs change) & how calls are answered when those numbers are called back
    • Proof of DNC subscription (DNC SAN) and any special considerations for DNC-listed numbers (or explanation of how DNC does not apply)
    • Technical details including call volumes, hours, per-called-number limit, predictive dialer settings, voice-mail treatment, human vs. recorded vs. soundboard /AI /other tech
    • If a predictive dialer (or similar technology) is used, details for failed calls including how calls that fail to transfer to an agent within two seconds are treated, the announcement played, and what fraction of calls can fail
    • If using artificial or pre-recorded voice (including AI) technology, how each element of 47 CFR § 64.1200 (b) and (d) are addressed, including submission of applicable documentation (written policies, training materials)
    • If doing telemarketing or telephone solicitations (irrespective of technology), how each element of 47 CFR § 64.1200 (c) and (d) are addressed, including submission of applicable documentation (written policies, training materials)
    • If not making calls to “residential subscribers” how the determination is made that a called number does not belong to a residential subscriber, and in particular when that number is listed on the Federal DNC list.
    • Name & contact information for telecom regulatory counsel

This information needs to be captured when a new customer is onboarded, and it needs to be reverified periodically and also correlated with each customer’s actual traffic.

Acceptable Use Policy (AUP): Because a voice service provider gets paid by its customer to put their calls onto the Public Telephone Network, the provider has a vested interest in making sure those calls are legal and, ideally, wanted by the called party. Each provider sets its own terms and conditions for customers that go beyond what the law requires. Consider including these requirements in an AUP to which each customer sending non-conversational traffic must agree:

  • Consents must be valid, reputable, reliable
  • One Caller-ID per campaign (changeable every 4 weeks)
  • DBA(s) used must be readily searchable on the web
  • Calls to voice-mail must result in a substantive message being left (no hang-ups)
  • Callers that hang up after connecting must explain the reason for disconnection
  • Silent calls (disconnect after answer without announcement) are not permitted
  • When called back, every Caller-ID used must answer, identify & give contact info
  • Use of a caller-ID with an area code indicative of a state where the calling entity does not maintain a physical presence is not permitted
  • Called parties must be respected; human & AI agents must respond to questions
  • There is zero tolerance for fraud. Discovery of a fraudulent call will result in immediate blocking of all non-conversational traffic.

Technology Tools: Deploying the tools below helps mitigate illegal calling:

  • OrigID – this parameter in the STIR/SHAKEN header is intended by the applicable standards to group calls by customer (without disclosing that customer’s identity). It should be populated per the standard, rather than using a unique OrigID for each call, or the same OrigID for all calls from all customers.
  • CDR Analysis by Customer over a selected time window (7 days)
    • Average length of call (ALOC)
    • Number of calls to the same destination number
    • Calls to DNC-listed numbers
    • Distribution of call lengths (<1 min, >3 mins)
  • Use the CDR analysis to detect traffic pattern shifts and thoroughly investigate with the customer’s cooperation
  • Engagement Ratio – calculate this as the total number of calls divided bv the number of calls lasting 3 minutes or more and use as an indicator what fraction are likely wanted by the called party. The goal is 2.0 or less; establish a dialog with failing customers to meet the target within 10 days.
  • Content monitoring – establish a means to audit the content of NCT (including requiring each customer’s permission to do so) and/or use third-party monitoring services. Act immediately on any non-compliant findings.

Summary: Cumulatively, the steps outlined above, when diligently applied, will significantly improve a provider’s chances of staying in compliance with 47 CFR § 64.1200(n)(4). The level of technical, human, and business effort necessary is commensurate with that required for fundamental call processing – whether a provider processes a thousand, a million, or a billion calls a day, they will have the appropriate scale to handle the chores described here. There is an associated expense, and that is a cost of doing business in this domain.

Comments (1)

  1. […] Reasonable: This word is not in (n)(4) but we see it in the common definition of “due diligence.” What is “reasonable” in this context? It is reasonable to ask whatever questions are necessary, and insist on credible answers, as part of KYC. It is reasonable to deploy any available technology, even if it eats into profits, as part of due diligence. More in our next article. […]

Leave a Reply