STIR/SHAKEN may sound like preparations for a James Bond martini, but the framework of interconnected standards and protocols—and its impending deadline for compliance—will have a dramatic impact on any businesses using call centers as well as carriers that authorize robocalls on their networks.
The framework is designed to reduce fraudulent robocalls and illegal phone number spoofing by blocking any calls that don’t hold a digital certificate from the service provider, ensuring that the call originates from a legitimate source. The new guidelines will change how businesses are able to contact consumers in the U.S., especially those that rely on automated calls to share critical information.
“This is a seminal moment in the industry. It’s all about maintaining the fidelity of the network and enhancing and embracing the technology we use to communicate,” said Mark Iannuzzi, president, and founder of TelNet Worldwide, a Madison Heights, Mich.-based communications services firm. “It’s not the easiest thing to wrap your head around, especially below the surface, but it’s very important.”
How Did We Get Here?
STIR stands for Secure Telephony Identity Revisited. SHAKEN stands for Secure Handling of Asserted information using toKENs. To enforce the framework, Congress passed and the President signed the Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act in 2019, which requires robocall carriers and service providers to implement a STIR/SHAKEN solution by June 30, 2021. Non-compliance could mean their calls may be blocked from reaching recipients, according to telecommunications and digital technology leaders.
For several decades, the federal government looked for the communications industry to police itself, of sorts, according to Iannuzzi. “They didn’t want to get their nose in it, but the TRACED Act was put into play after people got tired of being ripped off. That gave the FCC authority to do something about it. That’s why there are deadlines and requirements that service providers need to follow for STIR/SHAKEN in their networks,” Iannuzzi said.
Robocalls and call spoofing have long been systemic problems in the telecom industry, a concern that worsened when VoIP and other newer technologies created new ways for callers to target consumers.
“I think the industry knew there was a problem to solve, but the thing that was missing was the teeth to enforce it. IP-based technology liberated everybody, and you had a whole new generation of cloud service providers that looked at themselves more as software companies selling an application, not as telecom companies. IP-based technology created a lot of opportunity for spoofing and other problems to accelerate.”
While STIR/SHAKEN was designed to prevent consumers from getting inundated with spam robocalls, it could also prevent many relevant automated calls from getting through to users.
“Not all robocalls are illegal. You get automated calls from your pharmacy that your prescription is ready, or that school is closed for snow,” said Allen Wills, founder and CEO of Tecvine, a network-, cloud- and mobility-focused solution provider. “I think people recognize that there are some automated calls that we need. There’s a lot of work to do, but this will put some trust back into voice communications.”
How Does It Work?
Although the number of robocalls declined in 2020 during the COVID-19 pandemic, more than 45 billion were placed in the U.S. last year, according to the YouMail Robocall Index. It appears that number may be increasing again.
Alerts and reminders accounted for just 26% of all U.S. robocall traffic in 2020, according to YouMail, with scams (46%), payment reminders and collections (16%), and telemarketing (13%) comprising the remainder.
STIR/SHAKEN should curtail much of the problem, but there’s still confusion over roles, responsibilities, and actions to take in order to be compliant, according to Iannuzzi. “I get a lot of people asking, ‘What am I supposed to do?’ Everybody wants a hand-hold to make it correct and complete,” he said.
Under STIR/SHAKEN, there are three levels of attestation provided by the originating service provider of each call. Full or “A” attestation means the digital technology provider knows the customer and attests that the customer has the right to use that phone number. Partial or “B” attestation means the service provider knows the customer but not the source of the phone number. Gateway or “C” attestation means the service provider can’t authenticate the call source.
“Call centers need to be prepared. If you’re a customer of Company X, are you sure their calls are going to be an A-level call? If they’re B or C level calls, they may look like suspicious calls and get blocked,” said Wills.
Why Should Solution Providers and MSPs Care?
The guidelines—and the deadline—have been vetted out, especially for larger carriers, but smaller, local and regional carriers and service providers can request an exemption for up to two years to achieve STIR/SHAKEN compliance. However, companies that delay compliance might find themselves at a competitive disadvantage in the market. After all, would you prefer to do business with a company that’s compliant now, or one that says it will be down the road?
Even if you don’t directly sell telecom services or offer call center solutions, i.e., if you provide them through a third party, your business could be impacted. Most businesses, of all sizes, want to know their partner is certified and that there won’t be a problem down the road, Iannuzzi said.
“If you’re an MSP, helping your customer with their LAN, internet, telephony solutions, etc., you want to make sure you’re working with a telecom provider fully complaint with STIR/SHAKEN. It’s as simple as that. That’s a threshold condition. There are plenty of other opportunities to set service providers apart. First, check that [STIR/SHAKEN] box,” he said.
‘If You’re Not on the Good List You’re on the I Don’t Know List’
Simply put, it’s critical for any service provider or digital technology advisor with outbound call capabilities to file a plan with the FCC by June 30. Non-compliance could have a very significant, very negative impact on business, Wills and Iannuzzi said.
“There is some tune-up of things to take place, but there is no excuse out there for a service provider that knows what has to be done. If you’re not on the good list you’re on the I don’t know list,” Wills said. “The rules are in place to allow you to get into the club. Get in the club. Have the right technology, the right solution, and you won’t have a problem.”
What are your thoughts on STIR/SHAKEN? Leave us a comment or idea below that may help us develop additional content for the telecommunications and digital technology markets. And for more CompTIA research and information, download our Research & Market Intelligence Overview.