Voice Compliance - STIR/SHAKEN & KYC

Introduction

Two hot topics of 2025 have been STIR/SHAKEN and KYC compliance, driven by increasing regulatory requirements from the FCC. Mitch Kahl, Director of Sales, and Ben Macalindong, General Manager of E-Commerce, present on upcoming telecom compliance items and address partner questions and feedback surrounding these topics.

IMPORTANT: Please note this is not legal advice. The goal of Flowroute is to support our partners and their business models through sharing our knowledge and experience as a provider with meeting industry regulatory requirements.

Key Points:

  • Risk of Failure - An explanation of why compliance matters and key changes coming to how Flowroute operates with its partners.

  • KYC & STIR/SHAKEN - Learn the definitions and roles of these regulatory measures in the telecom industry.

  • RMD Registration - An outline of the requirements with the FCC when registering your business.

  • Safe or Not Safe? - Defining your ownership profile regarding how you maintain compliance for your business in the new landscape.

The main takeaways are summarized below for you to follow along with the video presentation.

Important Terminology:

  • Call Authentication

  • Robo Mitigation

  • FCC Mandate

  • SIP Protocol

  • Call Signing

  • Attestation Levels

  • STIR/SHAKEN

  • Secure Telephony

  • Certificate Authority

What is KYC?

  • "Know Your Customer" - A process used by businesses to verify the identity of their customers and partners.

  • Why is it important? - Proper identification helps fight fraud, mitigates illegal calling, and contributes to regulatory compliance for Flowroute.

  • Flowroute holds a zero-tolerance stance regarding failure to uphold KYC guidelines.

  • KYC is required by the FCC, but is not prescriptive.

Examples of KYC Components

  • Customer Identification

    • Business name

    • Business address

    • EIN

    • Confirmation with Secretary of State database

    • D&B lookup

    • Utility Bill

    • Bank reference number

  • Risk Assessment

    • Utilize tools to verify information and evaluate fraud

  • Ongoing Monitoring and Mitigation

    • Monitor usage to detect suspicious traffic patterns

    • Limit customer capacity

    • Integrate tools to detect suspicious patterns

STIR/SHAKEN Third-Party Authentication

The FCC's STIR/SHAKEN requirements still have not gone into effect despite the initial stated effective date of June 20, 2025. A new date has yet to be announced, but when the date is announced, the industry will have 30 days to comply.

  • Third-Party Signing Allowed - Resellers can choose to use third-party entities to sign calls with STIR/SHAKEN authentication.

  • Responsibility for Attestation - Resellers must determine the attestation level (A, B, or C) for each call, even when using third-party signing.

  • Use of Own SPC Token - Resellers must use their own Service Provider Code (SPC) token for signing calls; third parties are prohibited from using their own tokens.

  • Own Digital Certificate - Resellers must obtain and use their own digital certificate for STIR/SHAKEN authentication, ensuring accountability.

  • With third-party call signing, partners are treated just like a provider in that they must own the legitimacy of their calls.

Call Signing Attestation

The main purpose of STIR/SHAKEN is to verify call signing authenticity. Originating providers must sign calls with a digital certificate from an authorized Service Provider Identification Provider (SPID) to grade the legitimacy of the caller:

  • A (Full Attestation): Provider knows the customer and their right to use the number.

  • B (Partial): Provider knows the customer but not the number's origin.

  • C (Gateway): Provider only knows the call's entry point.
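
The attestation level travels with the call as the "attest" claim of a signed token (a PASSporT with the "shaken" extension, per RFC 8225 and RFC 8588) carried in the SIP Identity header. The following is an added example, not Flowroute's code, showing how to read that claim and check the token's structure; the sample header, phone numbers, certificate URL and signature are constructed placeholders, and the signature is not verified.

```python
import base64
import json

LEVELS = {"A": "Full", "B": "Partial", "C": "Gateway"}
REQUIRED_CLAIMS = ("attest", "dest", "iat", "orig", "origid")

def b64url_decode(segment):
    # JWS segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def read_shaken_identity(header_value):
    """Return (attest, orig_tn, problems) for a SIP Identity header value.
    Structural check only: the signature is NOT verified, so do not trust
    the attestation until it is checked against the x5u certificate."""
    token = header_value.partition(";")[0].strip()
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    problems = []
    for key, want in (("alg", "ES256"), ("typ", "passport"), ("ppt", "shaken")):
        if header.get(key) != want:
            problems.append(f"header {key} is {header.get(key)!r}, expected {want!r}")
    if not header.get("x5u"):
        problems.append("header x5u (certificate URL) missing")
    problems += [f"claim {c} missing" for c in REQUIRED_CLAIMS if c not in claims]
    attest = claims.get("attest")
    if attest is not None and attest not in LEVELS:
        problems.append(f"attest {attest!r} is not A, B or C")
    orig = claims.get("orig")
    orig_tn = orig.get("tn") if isinstance(orig, dict) else None
    return attest, orig_tn, problems

def make_sample(attest="A"):
    # Constructed sample: numbers, URL, origid and signature are placeholders.
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
              "x5u": "https://certs.example.com/sti.pem"}
    claims = {"attest": attest, "dest": {"tn": ["12025550199"]},
              "iat": 1750000000, "orig": {"tn": "12025550100"},
              "origid": "123e4567-e89b-12d3-a456-426614174000"}
    token = ".".join((b64url_encode(header), b64url_encode(claims), "c2lnbmF0dXJl"))
    return token + ";info=<https://certs.example.com/sti.pem>;alg=ES256;ppt=shaken"
```

Calling read_shaken_identity(make_sample("A")) returns the level, the originating number and an empty problem list; a real verifier would then validate the ES256 signature and the certificate chain before acting on the level.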

Robocall Mitigation Database (RMD)

  • All providers, including those with non-IP networks or extensions, must file a certification in the RMD (available at FCC RMD).

  • A submission to the RMD includes business details and STIR/SHAKEN implementation status (full, partial, or non-IP).

  • The main decision a partner needs to make when using a third-party STIR/SHAKEN implementation is whether or not they wish to own the responsibility of registering with the RMD and meeting its compliance requirements.

  • Compliance requires building a Robocall Mitigation Plan (RMP) which must include:

    • Steps to prevent illegal robocall origination.

    • Commitment to cooperate with FCC traceback requests within 24 hours to identify robocall sources.

    • The plan must be filed with the RMD and actively enforced.

STIR/SHAKEN Ownership Profile

Know which category your business model falls under so that you can choose the right path. One of the main questions you need to answer is whether you own the bill, and whether you want to own the responsibility for your customers and the resulting requirements to run operations in compliance with the FCC.

If Flowroute directly bills your customer, we are handling our own KYC checks.

Flowroute can handle your call signing, or you can choose to implement your own for more flexibility, but with greater accountability.

If you own the bill for your customer (meaning Flowroute bills you directly) that DOES put you in a position where you will be treated like a provider and be expected to own responsibility for KYC and STIR/SHAKEN.

Check with your legal team to develop a strategy that works for you.

Reach out to your Flowroute Sales representative if you're looking for more industry information or are looking to connect with other professionals that can share their expertise on what's working for them.