The TRACED Act and the FCC's Robocall Mitigation Database are the regulatory framework for fighting illegal robocalls in the United States. If you originate, terminate, or transit voice traffic on the US PSTN, the rules apply to you — including small VoIP providers, resellers, and self-hosted PBX operators with SIP trunks.
The Pallone-Thune Telephone Robocall Abuse Criminal Enforcement and Deterrence Act, known as the TRACED Act, was signed into law in December 2019. It directs the FCC to take action against illegal robocalls and gives them the authority to enforce caller ID authentication and robocall mitigation requirements.
The Act has several provisions, but the practical effect on VoIP operators centers on three things:
The TRACED Act also extended the statute of limitations for robocall enforcement, increased forfeiture penalties, and authorized the FCC to require gateway providers to take action against illegal calls entering the US.
The Robocall Mitigation Database (RMD) is a public FCC database where voice service providers attest to their compliance with the TRACED Act's caller ID authentication and robocall mitigation requirements. It went live in October 2021.
Every voice service provider that originates, terminates, or transmits calls over the US PSTN must be registered in the RMD. As of June 2021, intermediate providers and gateway providers also must register.
Calls from providers not registered in the RMD must be blocked by terminating providers. This is the enforcement mechanism: if you are not in the database, your traffic does not reach US phone numbers.
The database contains:
The compliance obligation is broad and catches many operators who may not consider themselves “voice service providers” in the traditional sense:
Any provider that takes a call from an end user and puts it on the network. This includes UCaaS platforms, hosted PBX providers, SIP trunk resellers, and traditional CLECs and ILECs.
Providers that deliver calls to end users. Same set as originating providers, plus carriers that complete calls to landlines and mobile phones.
Carriers that transmit calls between originating and terminating providers without serving end users directly. Long-distance carriers, transit providers, and some wholesale SIP networks.
Providers that take international or non-IP traffic and place it on the US PSTN. Subject to additional STIR/SHAKEN signing obligations as of June 2023.
End users and businesses operating their own PBX for their own employees are not voice service providers and do not need to register. The line is whether you are providing voice service to others. If you are reselling SIP trunks or providing UCaaS to customers, you are a provider.
Voice service providers must sign outgoing calls with STIR/SHAKEN where they can. Full implementation means signing all originated calls with the appropriate attestation level (A, B, or C). For traffic over non-IP networks (TDM-only paths), full STIR/SHAKEN is technically infeasible, and the provider may use a robocall mitigation program instead.
Calls received from another provider should be verified using the verstat header or equivalent mechanism to determine signing status. Signed calls with valid attestation should pass through; unsigned or fail-validation calls may be subject to blocking depending on terminating provider policy.
Providers who cannot fully implement STIR/SHAKEN must document a robocall mitigation program describing the steps they take to prevent originated traffic from being illegal robocalls. The program must address:
The ITG sends traceback requests asking providers to identify the upstream source of suspected illegal calls. Providers must respond within 24 hours with the requested information or face FCC enforcement.
The Truth in Caller ID Act prohibits transmitting misleading or inaccurate caller ID with intent to defraud, harm, or wrongfully obtain anything of value. STIR/SHAKEN attestation provides the technical mechanism, but the underlying obligation is broader.
Registration is done through the FCC's RMD portal at fccprod.servicenowservices.com/rmd. The process is free.
Registration requires:
The robocall mitigation program PDF is the most substantive part. The FCC does not approve or reject the program — it is the provider's certification of what they do. But the program is publicly visible in the database and can be cited in enforcement actions if it appears inadequate.
Once registered, the provider must keep the information current. Material changes (new ownership, change in STIR/SHAKEN status, change in mitigation program) require updating the RMD entry.
The consequences for failing to comply with TRACED Act and RMD obligations are significant:
Terminating providers must block calls from voice service providers not registered in the RMD. As of June 2021 for originating providers and September 2022 for intermediate providers, this is enforced. Unregistered traffic does not reach US phone numbers.
The FCC can issue forfeiture orders for non-compliance, with penalties up to $10,000 per violation, and per-call penalties for illegal robocall origination. The Notice of Apparent Liability (NAL) mechanism allows the FCC to identify violators publicly even before final enforcement.
The FCC can remove providers from the RMD for failing to respond to traceback requests, providing false information, or operating an inadequate mitigation program. Removal triggers the same blocking treatment as never registering.
Most wholesale SIP trunk providers require RMD registration as a condition of service. Loss of registration typically means loss of carrier service.
Civil liability under the Telephone Consumer Protection Act (TCPA) is unchanged by TRACED Act compliance — providers can still be sued by recipients of illegal calls regardless of their RMD status, but RMD compliance is part of demonstrating good faith effort to mitigate.
The TRACED Act (Pallone-Thune Telephone Robocall Abuse Criminal Enforcement and Deterrence Act) is a US federal law signed in December 2019 that directs the FCC to combat illegal robocalls. It requires voice service providers to implement STIR/SHAKEN caller ID authentication, document robocall mitigation programs, register in the FCC Robocall Mitigation Database (RMD), and respond to traceback requests within 24 hours.
Every voice service provider that originates, terminates, or transmits calls over the US PSTN must register in the RMD. This includes UCaaS platforms, hosted PBX providers, SIP trunk resellers, CLECs, ILECs, intermediate carriers, and gateway providers. End users and businesses operating their own PBX for their own employees are not providers and do not need to register. The compliance line is whether you provide voice service to others.
Calls from providers not registered in the RMD must be blocked by terminating providers. Unregistered traffic does not reach US phone numbers. The FCC can also issue forfeiture orders with penalties up to $10,000 per violation. Most wholesale SIP trunk providers require RMD registration as a condition of service, so loss of registration typically means loss of carrier service.
Paste your SIP trace into SIPSymposium. The analyzer identifies STIR/SHAKEN Identity headers, verstat status, and attestation levels to help validate your TRACED Act compliance.