If you operate a call center, YOU CANNOT IGNORE STIR/SHAKEN. It’s fundamentally about authenticating caller IDs to combat spoofed robocalls.
We’ve asked attorney Michele Shuster, compliance expert and founding partner of Mac Murray & Shuster LLP, to contribute a guest blog to help us all better understand what call center businesses really need to know about STIR/SHAKEN. We offer some compliance safeguards your dialer should be providing at the end.
“American consumers are sick and tired of unwanted robocalls, this consumer among them. Caller ID authentication will be a significant step towards ending the scourge of spoofed robocalls. It’s time for carriers to implement robust caller ID authentication.” – FCC Chairman Ajit Pai
Guest Blog Post by Michele Shuster
With ongoing implementation of the STIR/SHAKEN authentication framework, your business’s calls to consumers are at greater risk of being blocked. Here’s what you need to know and the steps you can take to prepare and protect your organization.
What is STIR/SHAKEN?
STIR/SHAKEN (Secure Telephone Identity Revisited/Signature-Based Handling of Asserted Information Using toKENs) is an industry-developed set of rules and procedures designed to enhance call integrity through authenticating caller ID information associated with telephone calls by assigning each call an encrypted “digital fingerprint.”
Why is STIR/SHAKEN being adopted?
STIR/SHAKEN is aimed at combating malicious robocalling and illegal spoofing, which remain at the top of consumer complaints filed with the Federal Communications Commission (FCC). However, the challenge is to create an authentication process that addresses these abusive calls without threatening the ability of businesses to contact consumers for legitimate purposes such as prescription reminders, travel notifications, customer service calls, and school closings – communications that consumers need and want.
How does STIR/SHAKEN work?
In the STIR/SHAKEN framework, originating service providers are responsible for authenticating calls they originate onto the telephone network. This is done by digitally assigning an encrypted attestation rating asserting the degree of confidence that the caller is entitled to use the indicated phone number. The terminating service provider can then use this information and a decryption key to validate the calling party’s number and screen spoofed calls to its customers. There are three levels of attestation that can be assigned by the originating service provider:
Full Attestation (A) – the service provider has authenticated its relationship with the customer making the call and that the customer is authorized to use the calling number.
Partial Attestation (B) – the service provider has authenticated its relationship with the customer making the call, but cannot verify that the customer is authorized to use the calling number.
Gateway Attestation (C) – the service provider has authenticated that it has placed the call on its network, but has no relationship with the originator of the call (for example, a call received from an international gateway or using legacy equipment).
Is STIR/SHAKEN the same as call blocking?
No. With STIR/SHAKEN, attestation ratings are used by the carrier’s analytics partner as an input into its blocking algorithm. These algorithms take into account hundreds of variables including complaints, calling patterns, call duration, etc.
“A” rated calls are likely to be treated favorably, while “B” and “C” rated calls will be viewed with suspicion. Analytics firms have been reticent on how much weight they are giving to attestation ratings but have indicated that it will increase over time.
What are some limitations of STIR/SHAKEN?
While STIR/SHAKEN provides improved screening of malicious robocalling and facilitates traceback of calls, there are also several limitations:
- The authentication process does not indicate whether a call is legal/illegal or wanted/unwanted.
- Because STIR/SHAKEN only works on IP-based telephone networks, service providers will not be able to properly authenticate calls originating from legacy non-IP systems or equipment.
- “B” ratings are likely if using caller ID’s values obtained from Carrier A when placing calls using Carrier B (may arise in contact centers using clients’ caller IDs, least cost routing, or fail-over systems). This “enterprise problem” is currently being studied by the Alliance for Telecommunications Industry Solutions (ATIS) and technical solutions are in development.
What is the timeline for implementation of STIR/SHAKEN?
Deployment of STIR/SHAKEN began in 2019. Although only major carriers are utilizing the framework currently, its usage is expanding. The TRACED Act requires that STIR/SHAKEN be fully deployed by June 30, 2021, although the FCC can grant extensions in certain circumstances.
Are other countries participating in STIR/SHAKEN?
Currently, the STIR/SHAKEN framework does not address international gateway calls; however, conversations with other regulatory bodies are ongoing.
Can businesses create their own STIR/SHAKEN and authentication framework?
Currently, STIR/SHAKEN is a carrier framework only.
What do businesses need to do to prepare for STIR/SHAKEN?
There are a number of steps businesses can take to prepare their organizations for STIR/SHAKEN:
- Businesses should contact their carrier(s) to inquire how their STIR/SHAKEN implementation is progressing and how they can ensure their calls receive an “A” rating.
- If a business finds that it is having trouble with calls being blocked, it should work with a service to rotate calling numbers used, or preferably, validate its calling with the carriers and their analytics partners.
- Businesses should conduct test calls and report inaccurate labels or blocking to the carrier or app provider.
Michele Shuster CIPP/US, CECP, is a Founding Partner at Mac Murray & Shuster LLP. She is also the former Chief of the Ohio Attorney General’s Consumer Protection Section.
- Advises highly regulated businesses on a wide range of privacy, advertising, and other consumer protection issues.
- Deep background in the teleservices industry.
- Represents clients in matters before federal / state regulatory agencies, issues legal opinions on outbound dialing solutions, and conducts telemarketing compliance audits.
Compliance Safeguards Your Outbound Dialer Should Be Providing
Contact Center Compliance Solutions
- Be proactive to manage your caller ID reputation.
- Scrub against an internal Do Not Call list.
- Don’t over-dial leads.
- Use 3rd party compliance integrations [e.g., Trusted Form, ActiveProspect, Jornaya].
- Set up dynamic scripting for your agents.
- Use skill-based routing for state compliance.
- Keep up to date with State Calling Restrictions.