FCC STIR/SHAKEN Compliance for Small VoIP Providers

If you operate a small VoIP business in the United States (a CLEC, a regional ILEC, an interconnected VoIP provider, or a non-facilities-based reseller), the rules that used to give you breathing room no longer do. Every meaningful STIR/SHAKEN extension for small voice service providers has expired. The Robocall Mitigation Database (RMD) is now a gating requirement for interconnection, and the FCC has shown it will use that gate.
In August 2025, the FCC removed 185 voice service providers from the RMD in a single enforcement action, then removed more than 1,200 additional providers later the same month. Any traffic from those companies is now blocked from U.S. networks until they cure their certifications, and they cannot refile without approval from both the Enforcement Bureau and the Wireline Competition Bureau.
This guide walks small VoIP operators through the 2026 compliance picture: who is now obligated, what the August 2025 enforcement signaled, the annual RMD recertification cycle, what is actually required to comply without a Tier 1 carrier budget, and what is coming next under the FCC’s April 2026 Know-Your-Upstream-Provider proposal.
Are You Actually Obligated? The Definitions That Matter
The first source of confusion for small operators is whether STIR/SHAKEN even applies to them. The 2026 answer is almost always yes. The FCC’s caller ID authentication rules under 47 CFR Subpart HH apply to four overlapping categories of voice service provider.
A facilities-based voice service provider is any carrier that owns at least part of the network infrastructure used to deliver its service. Traditional CLECs and small ILECs sit here. A non-facilities-based voice service provider delivers service over infrastructure it does not own, including most VoIP resellers and white-label operators. An interconnected VoIP provider is any provider whose service enables real-time two-way voice and originates or terminates calls to the public switched telephone network. A gateway provider is any U.S.-based intermediate carrier that brings foreign-originated calls onto domestic networks.
If you originate, terminate, or pass calls and you fall into any of those four categories, you have a STIR/SHAKEN implementation obligation. The most common assumption that gets small operators in trouble is that “we’re too small to be on the FCC’s radar.” The August 2025 enforcement actions removed providers of every size, including operators with only a handful of customer numbers.
The one common carve-out remaining: pure resellers and MVNOs that do not control any signing infrastructure are exempt from the own-certificate requirement specifically, because they have no infrastructure on which to perform signing. They still have RMD certification obligations through their robocall mitigation program, and they still need a written agreement with the upstream provider that signs on their behalf.
The Small-Provider Extension Is Gone, and the FCC May Repeal What’s Left
When STIR/SHAKEN first rolled out, the FCC granted small voice service providers (those with 100,000 or fewer voice subscriber lines under the same OCN) an extension until June 30, 2023, before they had to implement signing in the IP portions of their networks. That extension is the source of a great deal of stale advice still circulating online.
Here is the actual timeline that matters in 2026:
| Date | What Changed | Who Was Affected |
|---|---|---|
| June 30, 2022 | Accelerated STIR/SHAKEN deadline took effect (Fourth Report and Order) | Non-facilities-based small voice service providers |
| June 30, 2023 | Original small-provider extension expired | Facilities-based small voice service providers (CLECs, small ILECs) |
| August 6, 2025 | FCC Enforcement Bureau removed 185 providers from the RMD | Providers with deficient certifications or robocall involvement |
| August 25, 2025 | More than 1,200 additional providers removed from the RMD | Non-compliant providers across the size spectrum |
| September 18, 2025 | Own-certificate rule took effect (Eighth Report and Order) | Every obligated provider must sign with its own STI certificate |
| December 18, 2025 | New VoIP direct-number-access certifications (FCC 25-86) | Interconnected VoIP providers with direct numbering authorizations |
| April 29, 2026 | FCC proposed repealing remaining hardship extensions; KYUP FNPRM | Satellite providers and VSPs unable to obtain an SPC token |
The direction is consistent: extensions narrow, certifications expand, and the cost of falling behind moves from “FCC inquiry letter” to “your traffic is blocked.” The April 29, 2026 Fact Sheet from the FCC explicitly proposes to repeal undue-hardship extensions for the providers who still have them, including categories of satellite providers and operators that cannot obtain an SPC token. If you are still relying on any kind of small-provider grace period, treat it as already gone.
What the August 2025 Enforcement Actually Signaled
The numbers from August 2025 are worth understanding in detail because they show what the FCC considers actionable. The process began in December 2024, when the Enforcement Bureau ordered 2,411 providers to cure their RMD filings or explain why they should remain in the database. By the August deadline, 2,226 providers had cured their filings to the FCC’s satisfaction. Of the 2,411 ordered to cure, 185 were removed on August 6, 2025; more than 1,200 additional providers were removed on August 25, 2025.
The cited violations fell into three overlapping patterns. Providers had filed deficient certifications, meaning the RMD entry was missing required information, inaccurate, or had not been updated within 10 business days of a material change. Providers had apparently participated in illegal robocall campaigns, either by originating them or by failing to act on traceback requests. And providers had failed to support official investigations, either by ignoring subpoenas or by not maintaining the records the FCC asked for.
The operational consequence is severe. Once a provider is removed from the RMD, every other voice service provider in the U.S. is required to block its traffic. The removed company also cannot refile in the RMD without prior approval from both the Enforcement Bureau and the Wireline Competition Bureau, which is not an administrative formality but a separate review that can take months.
For a small operator, the practical reading is that the RMD entry is not a paperwork exercise. It is the live document that determines whether your traffic moves at all.
The 10-business-day rule. Any material change to your STIR/SHAKEN implementation status, signing arrangement, or contact information must be reflected in the RMD within 10 business days. This is the rule that most often results in a certification being flagged as deficient.
The Annual RMD Recertification Cycle Every Small Operator Needs on Their Calendar
Beyond the 10-business-day update rule, the RMD requires annual recertification from every voice service provider with a filing. The recertification window opens February 1 each year, and certifications must be filed by March 1. Missing the window does not give you a grace period; it produces an RMD record that is presumptively non-compliant.
The certification itself is not complex. You confirm one of three implementation statuses: full STIR/SHAKEN implementation, partial implementation with a robocall mitigation program covering the rest, or a robocall mitigation program in lieu of STIR/SHAKEN where signing is technically infeasible. You also confirm your contact information, your signing arrangement (your own infrastructure, a third party using your certificate, or both), and that your robocall mitigation program is documented and operational.
The pieces most small operators miss are the supporting documents that the FCC may request as part of any audit or investigation: your robocall mitigation program description, the written agreement with any third-party signing service, evidence of your traceback procedures, and your customer onboarding records demonstrating that you verify the identity of new customers before assigning numbers to them. None of these need to be filed with the RMD itself, but if you cannot produce them when asked, your RMD certification is functionally deficient.
The New Layer: VoIP Direct-Number-Access Certifications
On December 18, 2025, the FCC adopted a Third Report and Order modifying the certifications required for interconnected VoIP providers that have direct access to numbering resources. If you obtained your direct-access authorization before August 8, 2024, the new rules apply to you and you must submit updated certifications within 30 days of the rule’s effective date or risk suspension or revocation of your numbering authorization.
The updated certifications now require pre-existing authorization holders to attest that they will not knowingly use numbers to transmit, encourage, assist, or facilitate illegal robocalls, illegal spoofing, or fraud. They must certify full compliance with STIR/SHAKEN caller ID authentication and robocall mitigation requirements. And they must certify that neither the company nor its key personnel are subject to investigations by the Commission, law enforcement, or other regulatory agencies. The filing must include evidence of compliance with 911/NG911, CALEA, Access Stimulation rules, and FCC Forms 499 and 477.
For a small VoIP provider, this matters because the FCC is now using numbering authorization as a second compliance gate, parallel to the RMD. A provider with a clean RMD entry but a deficient numbering certification can still lose access to numbers, which has the same operational effect as being blocked.
What Compliance Actually Requires for a Small VoIP Provider
For an operator without a Tier 1 budget, the right model is to think of compliance as five concrete artifacts rather than as a project.
- Your OCN. Apply through NECA if you do not already have one. The OCN is the foundation for every downstream filing.
- Your SPC token. Request a Service Provider Code token from iconectiv (the U.S. Policy Administrator). The token is your authenticated identity for the STIR/SHAKEN ecosystem.
- Your STI certificate. Take your SPC token to an authorized STI Certificate Authority and obtain your own digital certificate. This is what your signing service uses on every call. For the full mechanics of the own-certificate rule, see the FCC STIR/SHAKEN Own Certificate Rule guide.
- A signing arrangement. Either deploy signing on your own SBC integrated with an STI-AS partner such as TransNexus ClearIP or Neustar, or use a third-party signing service under a written agreement that confirms they sign with your certificate and that attestation decisions remain yours. The technical flow is covered in the STIR/SHAKEN SBC Implementation Guide.
- Your RMD certification, kept current. File on time during the annual February 1 to March 1 window, update within 10 business days of any material change, and keep your supporting documentation (robocall mitigation program, KYC records, traceback procedures) ready for inspection.
What you do not need is a custom-built signing infrastructure or a dedicated compliance engineer. The combination of an open-architecture SBC, a validated signing service partner, and disciplined documentation is the realistic path for an operator with anywhere from a hundred to several thousand concurrent sessions.
If You Run a CLEC, STIR/SHAKEN Is One Compliance Surface Among Several
For a CLEC specifically, STIR/SHAKEN compliance does not sit in isolation. It overlaps with several other FCC obligations that small operators have to maintain in parallel, and a failure in any one of them creates downstream exposure for the others.
Local Number Portability (LNP) requires you to honor port-in and port-out requests within the FCC’s prescribed intervals and to maintain accurate number-to-customer assignment records, which is also a prerequisite for honest A-level attestation. E911 and NG911 obligations require accurate location records for every number, which means your customer database is doing double duty. CNAM display obligations require correct caller-name records, which is increasingly important because terminating carriers correlate CNAM with attestation level when deciding whether to label a call as spam (the relationship is explained in the CNAM Lookup guide).
The practical implication is that a CLEC’s customer onboarding process becomes the single source of truth for several FCC obligations at once. The KYC documentation you collect to support A-level attestation also supports your LNP records, your E911 address records, and your CNAM accuracy. Treating these as separate workstreams creates inconsistencies that surface during audits.
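How the onboarding record drives the per-call attestation claim, as an added example (not code from this guide or from ProSBC): it applies the SHAKEN A/B/C attestation definitions to a constructed customer table and builds the unsigned PASSporT header and claims defined in RFC 8225 and RFC 8588. The customer table, the certificate URL and the policy of giving unverified customers C are assumptions; the ES256 signature is left to the signing service that holds your STI certificate key.

```python
import base64
import json
import time
import uuid

# Constructed sample of the onboarding database (fictional 555-01xx numbers).
CUSTOMERS = {
    "cust-001": {"kyc_verified": True, "numbers": {"12025550100", "12025550101"}},
    "cust-002": {"kyc_verified": False, "numbers": {"12025550150"}},
}

def attestation_level(customer_id, calling_tn, customers=CUSTOMERS):
    """Map a call to SHAKEN attestation A (full), B (partial) or C (gateway)."""
    record = customers.get(customer_id)
    # Assumed conservative policy: without a KYC-verified customer there is no
    # authenticated relationship to vouch for, so the call gets C.
    if record is None or not record["kyc_verified"]:
        return "C"
    # A requires a verified association between this customer and this number.
    if calling_tn in record["numbers"]:
        return "A"
    return "B"  # known customer, calling number not in its assignment record

def b64url(obj):
    # PASSporT canonical form: keys in lexicographic order, no whitespace.
    raw = json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def build_passport(customer_id, calling_tn, called_tn, x5u, origid=None, iat=None):
    """Return (header, claims, signing_input); the signature is NOT produced here."""
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": x5u}
    claims = {
        "attest": attestation_level(customer_id, calling_tn),
        "dest": {"tn": [called_tn]},
        "iat": int(time.time()) if iat is None else iat,
        "orig": {"tn": calling_tn},
        "origid": origid or str(uuid.uuid4()),
    }
    return header, claims, f"{b64url(header)}.{b64url(claims)}"

if __name__ == "__main__":
    # Hypothetical certificate URL; a real x5u points at your own STI certificate.
    X5U = "https://certs.example.net/sti/placeholder.pem"
    for cust, tn in [("cust-001", "12025550100"), ("cust-001", "12025550199"),
                     ("cust-002", "12025550150"), ("unknown", "12025550100")]:
        _, claims, _ = build_passport(cust, tn, "12125550123", X5U, iat=1700000000)
        print(cust, tn, "->", claims["attest"])
```

A stale or incomplete number-assignment record shows up here as a downgrade from A to B, which is why the same database that feeds LNP and E911 also decides what you can honestly attest.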
What’s Coming in 2026: KYUP, Extension Repeal, and the State Patchwork
Three developments in the first half of 2026 are worth tracking carefully because each tightens the compliance perimeter further.
The FCC’s April 29, 2026 Fact Sheet announced a draft Know-Your-Upstream-Provider (KYUP) FNPRM, scheduled for a vote at the May 20, 2026 Open Meeting. If adopted, KYUP would require voice service providers to validate the identity and operating practices of every upstream partner sending traffic into their networks. For a small VoIP operator, this means your interconnection contracts and your traffic-source records will become a regulated artifact, not just a commercial matter.
The same Fact Sheet proposes to repeal the remaining hardship extensions for STIR/SHAKEN attestations, specifically for satellite providers and for voice service providers that have been unable to obtain an SPC token. The signal is clear: the FCC does not intend to maintain a long tail of carve-outs.
Separately, state legislatures are beginning to enact their own caller ID authentication and STIR/SHAKEN rules, creating a fragmented patchwork that small operators serving multiple states will have to navigate independently of the federal framework. The CommLaw Group has called on the FCC to preempt this patchwork, but until the FCC acts, small providers with multi-state footprints should monitor state legislation alongside FCC rulemaking.
How ProSBC Fits the Small-Operator Compliance Path
The reason an open-architecture SBC matters for small operators is that compliance now requires flexibility across signing partners, attestation logic, and integration patterns, but does not justify a six-figure platform investment.
ProSBC is positioned for exactly this segment. The signing service integration is configured through the routing engine rather than embedded in firmware, so you can sign with TransNexus ClearIP or Neustar today and migrate to a different partner tomorrow by updating a route configuration. Attestation level is set per call through the routing logic, which keeps the attestation decision (the FCC’s central requirement under the own-certificate rule) at the layer where it belongs. The architectural argument is covered in STIR/SHAKEN and Call Authentication.
For operators evaluating cost, ProSBC publishes its per-session pricing ($1.25 per session per year on the base tier) and offers a permanent free ProSBC Lab license at three sessions that includes full STIR/SHAKEN signing and verification capability. That is enough to validate a signing service integration end-to-end before any production commitment. Operators that prefer a fully managed model, including for the ongoing RMD and signing-service compliance work, can deploy through ProSBC Managed Service, which includes 1+1 HA and 24×7 support.
For MSPs serving multiple small carrier customers, the multi-tenant model is documented in the SBC for MSPs guide, which covers the operational structure for managing STIR/SHAKEN signing across dozens of client tenants on a single instance.
The Compliance Bar Is Where the Industry Bar Is
The framing that small VoIP providers benefit from regulatory leniency is now historical. The 100,000-line extension expired in 2023. The own-certificate rule took effect in 2025. The FCC removed more than 1,400 providers from the RMD in August 2025. The numbering-authorization certifications added a parallel gate in December 2025. The April 2026 FCC Fact Sheet signals that the remaining extensions are being repealed.
What this means in practice is that a small CLEC, ILEC, or interconnected VoIP provider has to operate at the same compliance bar as a Tier 1 carrier, but with a fraction of the resources. The only sustainable response is to keep the moving parts small: one OCN, one SPC token, one STI certificate, one signing arrangement, one RMD entry maintained on schedule, and one source-of-truth customer database that feeds STIR/SHAKEN, LNP, E911, and CNAM consistently. The technology choices that support that discipline (an open-architecture SBC, a validated signing partner, transparent pricing, optional managed support) are now the differentiators that determine whether compliance is sustainable for a small operator or whether it slowly becomes the bottleneck that consumes the business.
Build STIR/SHAKEN Compliance on a Small-Operator Budget
ProSBC gives small VoIP providers a publish-ready signing path that integrates with TransNexus ClearIP and Neustar, sets attestation level per call through a configurable routing engine, supports primary and secondary signing service URLs with P-Identity-Bypass fallback, and works on AWS, Azure, VMware, KVM, or bare metal. The base license is $1.25 per session per year with transparent pricing, and the permanent ProSBC Lab license at three sessions includes full STIR/SHAKEN capability so operators can validate the signing flow before any production commitment.
For operators that want compliance support without building a dedicated team, ProSBC Managed Service includes 1+1 HA, 24×7 Level 3 support from TelcoBridges engineers, signing-service integration, and ongoing configuration support.
