At its April 2025 opening meeting, the Federal Communications Commission (FCC) adopted a Notice of Proposed Rulemaking (NPRM) focused on addressing a known vulnerability in our telecommunications network that has hindered efforts to prevent these nuisance calls: the non-Internet Protocol (IP) caller ID authentication gap. This NPRM is the latest in a series of steps the Commission has taken to combat illegal robocalls and fraud through technical solutions, a path directed by Congress in the TRACED Act.

According to FCC data, illegal robocalls remain a significant burden and source of harm to the public, contributing to billions of dollars drained from the U.S. economy annually due to wasted time, nuisance, and fraud. Victims can lose hundreds to thousands of dollars individually, with collective losses reaching an estimated $850 million annually from scams, and total costs from wasted time, nuisance, and fraud draining an estimated $13.5 billion out of the U.S. economy in 2020 alone. This widespread disruption erodes confidence in the nation’s telephone network.

In response, the FCC has been at the forefront of efforts to protect Americans. A key tool in this fight is the STIR/SHAKEN caller ID authentication framework. Mandated by the TRACED Act, STIR/SHAKEN allows providers to verify that a caller’s number matches the caller ID information transmitted with a call, which helps in identifying and blocking illegal robocalls. This framework works by having the originating provider authenticate the call source and number and add encrypted information (a PASSporT) that travels with the call, allowing the terminating provider to decrypt and verify the caller ID. To participate in STIR/SHAKEN, providers must be verified by a neutral governance authority.

However, a significant challenge exists: STIR/SHAKEN only works effectively in IP networks. When a call traverses non-IP technology at any point, the STIR/SHAKEN information can be stripped out, creating a gap that bad actors can exploit. This loss of information significantly undermines the value of the framework and can lead to improper spam labeling or blocking of legitimate calls by downstream providers.

Current FCC rules stemming from the TRACED Act require providers using non-IP networks to either upgrade to IP or work on developing an alternative non-IP caller ID authentication solution. Providers materially reliant on non-IP networks were granted a continuing extension from compliance until an effective non-IP authentication protocol was developed and reasonably available.

The new NPRM proposes to conclude that effective non-IP caller ID authentication frameworks have now been developed and are reasonably available. It proposes criteria for evaluating these frameworks, based on whether they are “developed and reasonably available” and “effective”. “Developed” means fully developed and finalized by industry standards, with underlying technical elements published and accessible. “Reasonably available” means the necessary equipment and software are commercially available. “Effective” means operating to produce the intended result of authenticating calls as described in the applicable standards.

Based on these proposed criteria, the FCC proposes to conclude that frameworks using two existing ATIS standards—In-Band Authentication (ATIS-1000095.v002) and Out-of-Band Multiple STI-CPS Authentication (ATIS-1000096)—meet the TRACED Act’s requirements. They seek comment on a third standard, Out-of-Band Agreed STI-CPS Authentication (ATIS-1000105), and whether it meets the criteria. The NPRM also seeks comment on other potential non-IP frameworks, including proprietary solutions like AB Handshake and a standard being developed by the IETF.

Significantly, the NPRM proposes to repeal the continuing extension previously granted to providers relying on non-IP technology. It also proposes modifying the “reasonable measures” rule to require providers still using non-IP networks to either complete their transition to IP and implement STIR/SHAKEN or implement one or more effective non-IP caller ID authentication frameworks. This would apply to voice service providers, gateway providers, and non-gateway intermediate providers receiving calls directly from an originating provider.

To facilitate this, the FCC proposes a two-year compliance timeline from the effective date of the rules. They seek comment on whether this timeline is appropriate, considering potential technical/financial obstacles and past implementation deadlines for STIR/SHAKEN. They also seek comment on whether providers with 100,000 or fewer voice service subscriber lines should receive an extension.

As part of the compliance requirements, the NPRM proposes adding a new certification in the Robocall Mitigation Database. Providers relying on non-IP networks would need to certify that they have implemented one or more effective non-IP caller ID authentication frameworks.

This NPRM underscores the FCC’s strategic reliance on developing and mandating technical solutions to proactively address the problem of illegal calls. By focusing on authenticating calls and closing technical gaps like the non-IP vulnerability, the Commission aims to prevent fraudulent calls from reaching consumers in the first place, thereby reducing financial losses and restoring trust in the network. This approach prioritizes prevention and technical enforcement over relying solely on reactive measures like litigation after harm has occurred.