Updated: May, 2025 to reflect changes as per the Third Party Authentication Order
FTC’s data for 2024 showed that reported losses to fraud rose to $12.5 billion in 2024—a 25% increase YoY. Interestingly, the total number of fraud reports remained stable YoY but the percentage of people who reported losing money to a fraud or scam increased from 27% to 38%. Email, phone call, and text message were the top three reported channels for fraud.
Evolving fraud demands evolving guardrails. So, the FCC is tightening the net around fraudulent robocalls and illegal phone number spoofing by strengthening requirements for caller authentication. The FCC has released the Third Party Authentication Order with an effective date as early as June 20, 2025.
- If you’re new to STIR/SHAKEN implementation, start here.
- If you’re wondering what’s changing in terms of attestation and what’s not? Let’s take a look below.
How does STIR/SHAKEN call attestation work?
In a STIR/SHAKEN environment, there are three ways a call can be attested to or signed by a service provider: full, partial, or gateway.
| Attestation level | Description |
|---|---|
| Full or “A” | The service provider knows the caller and their association with the calling phone number. |
| Partial or “B” | The service provider knows the caller, but not their relationship with the calling phone number. |
| Gateway or “C” | The service provider is transiting the call but can’t authenticate the call source in instances like an international gateway. |
*The full standards regarding attestation are listed in ATIS-1000074, available here.
Approved service providers, like Bandwidth, are vetted by the STI Policy Administrator (STI-PA) and issued a digital STIR/SHAKEN certificate by a STI Certificate Authority (STI-CA) in the US.
2025 update:
FCC requires all voice service providers with a STIR/SHAKEN implementation obligation to obtain their own STIR/SHAKEN certificate(s) and authenticate (sign and attest) their own calls in accordance with the Third-Party Authentication Order, starting as early as June 20, 2025.
- Obtain a Service Provider Code (SPC) token from the Policy Administrator and use that token to obtain a digital certificate from a STIR/SHAKEN Certification Authority
- Sign calls using their own digital certificate
- Determine the attestation level of all calls themselves, not rely on a third party to do so
Are you a voice service provider who hasn’t obtained your certificate or is struggling to sign your own calls? This STIR/SHAKEN implementation checklist is for you.
How does Bandwidth help simplify call attestation implementation?
Voice providers need to take steps and consult with their own legal counsel to ensure they’ve met all the evolved requirements for STIR/SHAKEN call attestation.
That said, Bandwidth has been a notable proponent and participant in shaping STIR/SHAKEN standards. We’ve supported call signing for billions of calls. We’ve set up and scaled IP interconnections with major carriers to help support the transmission and delivery of STIR/SHAKEN information. And now, we’ve launched a solution that supports our customers in the technical function of call signing and in implementing their attestation policies for our reseller customers using their own certificates.
For voice service providers: Hosted Signing Service
Bandwidth’s Hosted Signing Service technologically supports you in complying with the FCC’s Third-Party Authentication Order’s call signing requirements. Voice Service Providers who’ve obtained their own STIR/SHAKEN certificate can easily load their certificate to Bandwidth and assign call attestation levels following their own call signing policies to their traffic.
For Bandwidth’s direct enterprise customers
For direct Enterprise customers of Bandwidth only, calls placed using U.S. phone numbers allocated through your Bandwidth App are automatically authenticated with full or “A,” attestation. Separate policies apply to Bandwidth reseller customers. This verification enhances the credibility of your calls and can reduce the likelihood of them being flagged or blocked by the receiving carrier. These benefits are even greater when combined with Bandwidth’s Number Reputation Management service.
BONUS: Is attestation the same as call blocking?
Attestation is not the same as call blocking or spam identification. Those are features within the terminating service provider’s network. As carriers and providers deploy STIR/SHAKEN, many terminating carriers also leverage call analytics, either using their own proprietary tools or software available via third-party providers such as First Orion, Hiya, Nomorobo, TNS Call Guardian, and YouMail.
Different call analytics solutions have different decision-making parameters and may or may not treat STIR/SHAKEN information the same from one to the next. For this reason, calls that are signed with an “A” aren’t necessarily guaranteed to be delivered without a “spam” label. At the same time, calls that are signed with a “B” should not automatically be blocked or labeled.
Still stumped by regulations?
Our unique Product Compliance Operations team and regulations experts can help. Enterprise and telecom leaders rely on us for our local regulatory knowledge in our 65+ markets.
