FCC Updates Rules for VoIP VSPs Using Third-Party Call Authentication

The FCC recently updated its rules to let Voice Service Providers (VSPs)—companies like Clearly IP that deliver voice services over the internet (VoIP)—use third-party services for STIR/SHAKEN call authentication. This framework fights caller ID spoofing and robocalls, but the new rules come with strict conditions to keep VSPs accountable. Here’s what you need to know:

  • What’s a VSP in VoIP?
    A VSP provides voice communication over the internet. Think Clearly IP, Vonage, or RingCentral. These rules apply to VSPs that control network infrastructure and thus have STIR/SHAKEN obligations.

  • Third-Party Authentication Rules:

    • VSPs can outsource the tech side of STIR/SHAKEN to a third party, but the third party must use the VSP’s own certification to “sign” calls.
    • The VSP—not the third party—decides the attestation level (e.g., verifying how legitimate a caller ID is) for every call.
    • A written agreement between the VSP and third party is mandatory, spelling out roles and ensuring the VSP retains control over attestation. Hang onto it for 2 years after the partnership ends.
  • Credential Requirements:

    • VSPs must register with the STIR/SHAKEN Policy Administrator (iconectiv) and get their own Service Provider Code (SPC) token.
    • Using this token, they obtain a Secure Telephone Identity certificate to authenticate all calls—whether they do it themselves or through a third party. Borrowing someone else’s token won’t cut it anymore.
  • Robocall Mitigation Database (RMD) Impact:

    • VSPs can only claim STIR/SHAKEN compliance in their RMD filings if they follow these rules. If they’ve already filed and aren’t compliant, they’ll need to update their status.
  • When Does This Start?
    The earliest effective date is June 20, 2025, but a January 2025 executive order from President Trump requires his appointees to approve new rules, so this could shift.

  • Who’s Affected?
    Any VSPs with STIR/SHAKEN duties.


Disclaimer: I’m not a lawyer, I don’t play one on tv, and this isn’t legal advice. These rules can get tricky, so if you’re a VSP or just curious, consult a professional for the full scoop.

A lot of smaller VSPs relying on third party certificates for signing are going to end up having a hard time now that they have to start filing 499s and doing the entire thing. I wouldn’t be surprised if this can gets kicked down the road again.

Uhm, regardless of if they are letting their upstreams sign their calls. The 499 stuff and being registered is a requirement outside of STIR/SHAKEN since all VSPs need to be registered with the FCC. They need to be in the RMDB showing their STIR/SHAKEN status even if it’s using a 3rd party. All these things are required; the only thing changing is BulkVS, ClearlyIP, etc. can no longer use their token and give your calls attestation on your behalf.

At this point, any VSP using a 3rd party for S/S should only have to get their SPC, get their cert and have the 3rd party do the tech side. All the other stuff should already be done because it’s been required for some time.

Just because it’s required doesn’t mean they are doing it. You are mistaken if you think every single small VSP is filing their 499 and have their own OCN. This is the first time that these companies will now actually have to do the right things to avoid service interruption - getting an FRN and filing in the RMDB is trivial.

I do not see them kicking the can down the road. The blocking of spam and robo calls remains their top focus. It’s only going to get even more aggressive and both political parties are aligned with stopping spam calling.

I am interested to see how it plays out.

Don’t forget the disaster outage reporting, the notifying PSAPs of outages and all the Know Your Customer compliance that needs to be done.

Oh and the joys of being a 499er and having to remit taxes/fees for the FCC. Getting a proper tax system is always a joy.

At this point, any small VSPs that are that behind as you implied, they are going to be in a world of hurt playing catch up.

Especially considering the fines they will have to pay dating back to when they started selling interconnected VoIP

The problem is that lobbyists that are funded by the big players are in their pockets. We all know that their ultimate goal is to make it difficult for small providers for a number of reasons.

If the FCC really wanted to crack down on spam calls, they’d be able to do that in a matter of weeks. Tracebacks existed for years, they just simply won’t fine their donors.

It’s all about:
[image]

And how would they do that?

Yes but pre STIR/SHAKEN they were not accurate and took way longer to deal with. Previously, I could buy from Bandwidth, you’d buy from me and then you sell to Client A who may have subclients. The traceback would have been sent to Bandwidth who then has to go down the line to find the actual bad actor. Now with STIR/SHAKEN the traceback should be going straight to the VSP that first originated the call and signed the call.

This is exactly how tracebacks should work—if anyone actually enforced them. You can trace a bomb threat call to its source in hours, but suddenly when it’s robocalls, everyone acts clueless? They’ve had the tools for years. Fine the big carriers at the top, and watch how fast they’ll cough up the downstream carriers responsible.

But they don’t. Why? Negligence. Money in their pockets. The top carriers and lawmakers are so tangled up that real enforcement never happens. Instead, they roll out half-baked rules that do nothing but crush small businesses—all so they can say “Look, we’re doing something!”

Meanwhile, simpler solutions? Ignored. Open CAs for authentication? Nope. Streamlined verification processes? Too logical. They’d rather keep this broken system alive, because who benefits? The same people writing the rules.

That’s how it was done previously. Given my previous example, the FCC would put the pressure on Bandwidth who in turn would do it to me and I would in turn do it to you. The end result is in order for me to avoid getting cut off, I’d just cut you off because your end user (or you) are dragging your feet.

I think what you seem to be ignoring is the fact that for the first 20+ years of VoIP it had no regulations. Everyone and their brother, including you, could just sign up with a wholesale carrier like BulkVS or even Flowroute, set up a FreePBX system and say “Look Ma, Imma VSP”.

Take a look back at the Kari’s Law stuff, they found that the biggest offenders of unregistered locations and sending calls to regional PSAPs were…VoIP providers. I knew of plenty of VSPs that were happy to pay the one time $80 fee for an unregistered number because “They make one call a year, if that”.

You still haven’t explained how the FCC would crack down on all this in a matter of weeks. You just complained about the current solutions. So what do you believe can be done in a matter of weeks to stop all this? Love to hear what the solution is the FCC is ignoring.

I think the frustration is that all these rules are going into place and the problems aren’t getting any better. Honestly I haven’t looked at a report in over a year but last I saw Robocalling was still ongoing and 80-90% of the robocalls had attestations of A or B.

So I guess the question really is, are these rules having any positive effect?

Here are some details from the 2019-2023 5-year report released at the end of 2024 (the one released at the end of 2025 will cover 2020-2024). The total number of complaints that fall under the TRACED Act and Truth in CallerID was 1,351,317 which was just under 10K more than the 2018-2022 report. Keep in mind that 2018 was the largest amount of complaints with about 330K+ with 2019 roughly having 271K+.

Now keep in mind that 2018 was before we had to start following the TRACED Act/Truth in CallerID but 2019 was the start of it. So between the year of highest complaints to the first year of TRACED Act, etc (includes S/S) it was down by 60K.

Here’s the amount of complaints year to year from 2019 to 2023; notice the serious downward trend:

So yes, it’s working but as I keep saying over and over and over again, there’s three criteria to get an A attestation from the carrier and there are bad seed carriers like Onvoy, etc that will allow anyone on their networks. The other thing to keep in mind is that as of 2024, we now have to do Know Your Customer and as Telnyx found out earlier this year…not following KYC and having that new customer send spam/fraud/robo calls you end up with a 7 figure fine and risk being cut off by carriers if it isn’t dealt with in the proper time frame.

Great information @AMI. Thanks!

“Onvoy” seems to get a disproportionate number of mentions on the forums for being a bad actor. Where’s the data to back it up?

I asked my pal Claude.ai to help me find instances of FCC enforcement against “Onvoy” (and included “Onvoy”'s other aliases and proper current name) and came up empty. No citings for fraud, STIR/SHAKEN noncompliance (unlike Bandwidth), KYC noncompliance (unlike Telnyx), or customer privacy violations (basically all US wireless carriers).

So, what might be the issue with “Onvoy”?

Well when you have a carrier footprint bigger than anyone else in the US you are going to be seen more than anyone else in the US for both good and bad traffic. On top of that, naive PBX operators who get spam calls and look up the caller ID find a DID owned by “Onvoy,” not taking into consideration whatsoever that some other provider allowed the ID to be used as a spoof.

I don’t know of a lot of ways to get a bona-fide “Onvoy” DID and service without signing up through well-vetted channels. Vitelity used to be one way in (though I believe sign-ups are closed), and Sinch’s programmable voice (Twilio-like) services are a way, but you get verified. If you’re big you can arrange SIP trunking service at enterprise level but you’ll be on a contract for that and how many fly-by-night fraudsters are signing contracts?

In conclusion, for anyone who wants to call out a specific carrier as a bad actor, let’s see the data. Tom, I’m not challenging you specifically; I’ve seen this from several folks, and it seems like oft-repeated “common knowledge” that doesn’t have data behind it.

That never happens on the interwebs… :laughing:

Apparently, that’s not what actually happened. You can dig into some (public) Facebook groups—some run by scammers—where they bragged about never hearing a peep from their carriers. Names like Peerless, popular Bandwidth downstream providers, and other recognizable ones were dropped there like it was no big deal.

There’s a huge gap between regulating VoIP and rolling out absurd rules that don’t fix the robocalling mess one bit.

As I’ve said multiple times, if the FCC actually fined the big carriers—real, hefty fines—then, like you pointed out, those carriers would have to cut off downstream providers. They’d hate that, so they’d do anything to avoid it. This would force downstream carriers to properly screen signups, enforce real KYC (Know Your Customer), and monitor and shut down endpoints the second they spot potential scam-like calls.

Look at the finance industry for a sec—it’s heavily (and maybe over-) regulated. Big banks drop downstream services like a hot potato the moment they detect serious fraud, just to stay out of hot water with the DOJ, FINRA, or the SEC. Same logic could work here: hit the top of the chain hard, and the rest falls in line fast.

Do you not remember what happened last year with Twilio and Phonebarn? Phonebarn did very bad things and Twilio got a notice that if they continued to allow Phonebarn to originate calls they would have a shut down order in 24 hours. Meaning that no other LEC would be allowed to accept termination from Twilio’s network.

Twilio cut off Phonebarn but within 30 days Phonebarn was running again under another carrier.

You mean like what these regulations do? Telnyx just got a 1M+ fine this year for failure of KYC and Robocall Mitigation (i.e. they didn’t follow their own required plan submitted to the FCC). Their end user wasn’t even another carrier, it was a fraud call center. What happened to Telnyx is a bit of a big deal since they were the first carrier to be hit with penalties and fines after all the grace periods for these new regulations had passed.

The LECs are now only allowed to terminate calls from VoIP based carriers/providers that are in the RMDB and have valid S/S Tokens. If your S/S token/cert gets revoked by the FCC/governing bodies then no carrier should accept calls from you.

So if you were to sign up and be a bad actor on a carrier’s network the FCC would go after you and your upstream carrier for allowing you on their network because they most likely failed KYC and RMDB processes. Until that upstream can show they actually didn’t fail at those, such as they did proper KYC and you presented yourself fraudulently or they caught you doing robocalls and cut you off per their RMDB plan, they are getting fined and penalized. You on the other hand will be cut off and also fined by the FCC.

So your suggested solution is now what is happening in 2025 and going forward. It’s not going to stop there, there’s going to be more rules and changes down the road. I mean in the last 5-6 years, I have had to spend at least some portion of the year dealing with new regulation compliances from the FCC or FTC. I already had two this year and it’s only April.