Stir/Shaken Puts Your Reputation On The Line

ZipDX, leveraging the FCC’s STIR/SHAKEN call authentication mandate, has developed a new system designed to quickly detect suspect robocall activity and report details back to the signing provider.

This platform, called RRAPTOR, gives telecommunications providers new opportunities to play an even larger role in solving the illegal robocall problem that has been plaguing all of us for more than a decade.

No provider wants their reputation sullied by an association with unseemly robocalls. That can make other providers reluctant to carry your traffic and can spur investigations by enforcement authorities.

Email notifications are sent by RRAPTOR to a signing provider when the system detects a stream of suspect calls signed by that provider. For each call captured, RRAPTOR delivers the date and time, the called and calling numbers, a transcript of the message received, and a link to hear the original audio. Also displayed is the OrigID – a value embedded by the signer in the call’s authentication data.

What are the best steps when you receive one of these notifications?

1. Inspect the specific calls at issue. Listen to the recordings and review transcriptions. If the calls are obviously legitimate, respond to the notification with your findings. If not, continue your investigation with all haste.
2. Use the data in the notification(s) to determine the source(s) that sent you the calls. It may be easiest to use the OrigID in the signatures; you can also cross-reference the individual calls to your CDRs. Now perform these steps (for each source separately, if more than one):
   1. Consider suspending all traffic from the source to prevent further damage to your reputation while you investigate.
   2. Engage with the source to get their explanation of the traffic; set a deadline for response.
   3. Diligently review the source’s explanation, including any corrective action that they have taken. Ensure compliance with ALL applicable regulations. Err on the side of caution; there is no law mandating leniency when you are accepting traffic via private contract.
   4. If you re-enable traffic from this source, establish appropriate limits for call volume and establish an allow-list for Caller-ID values.
   5. Prioritize this source for the PREVENTION steps in the next section.
   6. Report your findings and actions back to the RRAPTOR platform. If you’ve uncovered a bad actor, it is important to let the rest of the calling community know so they can take appropriate precautions.

Every service provider wants to maintain a stellar reputation. Ideally, you would never sign an illegal robocall. That means that you would know your customers very well; you would be certain that their traffic is entirely legitimate; and in particular, if they are sending non-conversational calls, you would ask them what exactly they are doing, what messages they are playing, what phone numbers are they using, and monitor to ensure they do not go rogue on you.

PREVENTION is the best medicine. For any source that is a Service Provider, follow these best practices:

1. Verify that your source is in the Robocall Mitigation and 499A databases, and that all the data is consistent. Review their Robocall Mitigation Plan if applicable. Review the source’s website for consistency and veracity.
2. Require that your source sends you only signed calls, particularly if they have certified in the RMD that they have a Complete STIR/SHAKEN implementation. They can be signed by your source, or your source’s customer. Audit the calls to ensure that they are validly signed. Better to have their name on any problematic calls that slip through, rather than yours.
3. If your source cannot send you signed calls (because they lack the technology, or you have a legacy interconnect with them that does not support authentication), use the OrigID field to let others downstream know immediately the upstream source should issues arise.
4. Separately monitor traffic metrics for each source. Elevate your level of scrutiny for any source with an average call duration of less than two minutes.

For sources for whom you are originating calls:

5. If you expect this customer to make only conversational calls, monitor their traffic to ensure their average call duration is at least two minutes. Monitor the caller-ID values they use.
6. Otherwise, insist on a thorough explanation of the type(s) of automated calling they are doing and the audio messages they are using.
7. Have your compliance department engage with theirs to ensure 100% of calls are in line with all applicable federal and state regulations. If consent is required for the calls, verify that the process used is credible given the call volume.
8. Generate alarms if a customer attempts to use a caller-ID value not on the list you have pre-screened with them.

In all cases:

9. When you detect an issue with a specific call, do more than just block that call. Take it is a red flag warning that this call source is not operating prudently.
10. Save your A- and B-level attestations for situations where you truly know the caller and are certain their calls are legitimate. For other situations, use C-level attestation, or even better, persuade your customer to get their own token so their reputation is at stake rather than yours.
11. Make sure your service agreements make it quick and easy for you to take all available actions when you suspect improper use of your network. Do not get stuck protecting bad actors with promises of confidentiality. Advise customers that they will forfeit deposits and prepayments if they violate your Terms of Service.

Your reputation is on the line. You need to do more than the minimum to protect it. The best way to earn a positive reputation regarding robocalling is to be part of the solution – not a contributor to the problem.