Login
Book a demo
  • AI Contact Centers

Foreign Robocall Elimination Act FCC Guidelines for Gateways

Foreign Robocall Elimination Act FCC Guidelines for Gateways

ON THIS PAGE

Written by: Matt Beucler, CEO, Plura AI

Updated June 2026

Key Takeaways

  • The Foreign Robocall Elimination Act (S.2666) creates four core mandates for gateway providers: DNO blocking, 24-hour traceback cooperation, annual RMD recertification, and STIR/SHAKEN authentication for international traffic.2
  • Gateway providers must also run Know-Your-Customer (KYC) checks on foreign network customers and monitor traffic for robocall-pattern anomalies before accepting calls.
  • Non-compliance can trigger removal from the Robocall Mitigation Database, loss of traffic-acceptance rights, and potential bonding requirements of up to $100,000 for repeat offenders.
  • The bill extends the TRACED Act framework by tightening rules at the international-to-domestic handoff point and authorizing an FCC task force on overseas robocalls.
  • Plura AI’s FCC-licensed carrier infrastructure helps operators address these requirements by design, and Plura AI supports compliance across high-volume contact operations.

Scope of the Foreign Robocall Elimination Act

S.2666 focuses on the point where illegal foreign robocalls enter the U.S. public switched telephone network: the gateway provider. A gateway provider is a voice service provider that receives calls from foreign networks and hands them to domestic carriers for termination. The Act extends the FCC’s existing robocall-mitigation authority under the TRACED Act (P.L. 116-105) by adding specific blocking, authentication, traceback, and Know-Your-Customer (KYC) obligations at this handoff point. It also authorizes the FCC to create a task force on unlawful robocalls originating overseas and to require a bond of up to $100,000 before a provider files an RMD certification where the FCC determines a bond is necessary to preserve RMD integrity.

See how Plura’s carrier-level infrastructure addresses these mandates.

Mandate 1: DNO Blocking for Foreign-Originated Calls

Do-Not-Originate (DNO) blocking requires gateway providers to screen inbound foreign traffic against a list of numbers that should never originate calls. This list includes spoofed U.S. government numbers and numbers the FCC flags as persistent sources of illegal robocalls. The FCC proposes that providers ensure consumers know which calls originate outside the United States and prohibit spoofing of U.S. numbers on foreign-originated calls.

Carrier-level implementation steps for DNO blocking:

  1. Obtain and integrate the FCC’s current DNO list into the gateway’s call-screening layer.
  2. Configure real-time number matching at ingress before any domestic routing occurs.
  3. Log every blocked call with timestamp, originating number, and block reason for audit support.
  4. Refresh the DNO list on a cadence aligned with FCC updates, typically at least weekly.
  5. Document the blocking policy in the provider’s RMD filing as a named mitigation measure.

Mandate 2: 24-Hour Traceback Response

FCC rules require all voice service providers to cooperate with Industry Traceback Group (ITG) requests within 24 hours. Failure to cooperate can result in removal from the Robocall Mitigation Database. The ITG, created in 2015 by USTelecom, coordinates traceback investigations among hundreds of providers, including AT&T, Verizon, and T-Mobile.3

24-hour traceback compliance checklist:

  • Designate a named traceback point of contact and register that contact with the ITG.
  • Maintain call detail records (CDRs) detailed enough to identify the upstream foreign provider for any call.
  • Configure automated alerts so ITG requests reach the designated contact within one hour of receipt.
  • Document the response workflow and test it at least quarterly.
  • Retain CDRs for the period specified in FCC rules to support retroactive traceback requests.

Mandate 3: Annual Robocall Mitigation Database Recertification

The Robocall Mitigation Database (RMD) requires providers to self-certify their robocall mitigation plans. These plans include STIR/SHAKEN implementation or alternative measures, which downstream providers use to verify compliance before accepting traffic. S.2666 adds an annual recertification requirement and authorizes the FCC to condition filing on a bond of up to $100,000 for providers with a history of non-compliance.

RMD recertification process:

  1. Review and update the robocall mitigation plan to reflect infrastructure or policy changes from the prior year.
  2. Confirm STIR/SHAKEN implementation status or document the alternative mitigation measures in use.
  3. Submit the updated certification through the FCC’s RMD portal before the annual deadline.
  4. Notify downstream providers of recertification status, since they may refuse traffic from providers not listed in the RMD.
  5. Retain supporting documentation for the certification period in case of an FCC audit.

Mandate 4: STIR/SHAKEN on International Traffic

Foreign gateway providers handling international calls have been required to implement STIR/SHAKEN since June 30, 2023. This requirement is part of the TRACED Act implementation framework. S.2666 reinforces this requirement and extends its scope. The FCC proposes that terminating providers transmit verified caller name or other identity information on handsets whenever they indicate A-level attestation.

STIR/SHAKEN implementation checklist for gateway providers:

  • Obtain a Service Provider Code (SPC) token from the Policy Administrator to sign calls.
  • Implement PASSporT (Personal Assertion Token) signing at origination for all calls entering from foreign networks.
  • Assign A-level attestation only where the provider has a direct relationship with the caller and can verify number assignment.
  • Transmit the Identity header through the call path without stripping or modifying it.
  • Audit attestation-level accuracy quarterly and correct systematic misattribution.

Gateway-Provider KYC and Traffic Monitoring

The FCC is considering more prescriptive KYC obligations for originating providers, and S.2666 reinforces this direction at the gateway level. KYC obligations require gateway providers to verify the identity and legitimacy of foreign network customers before accepting their traffic. Providers also monitor ongoing traffic for patterns consistent with illegal robocall campaigns.

Core KYC obligations for gateway providers under the S.2666 framework include:

  • Collecting and verifying legal entity documentation for each foreign network customer before activating traffic.
  • Screening customers against FCC enforcement actions and known bad-actor lists.
  • Monitoring traffic volumes and call-completion patterns for anomalies consistent with robocall campaigns.
  • Suspending traffic from customers who cannot provide documentation or who show prohibited patterns.
  • Retaining KYC records for the period specified in FCC rules to support enforcement inquiries.

Mandates and Carrier Actions at a Glance

Mandate Carrier-Level Action Reference Source
DNO Blocking Screen inbound foreign traffic against FCC DNO list at ingress, then block and log prohibited numbers in real time. S.2666; FCC spoofing prohibition Federal Register 2025-22063
24-Hour Traceback Respond to ITG traceback requests within 24 hours and maintain CDRs sufficient to identify the upstream foreign provider. TRACED Act; S.2666 extension CRS R48941
RMD Annual Recertification File an updated robocall mitigation plan annually; downstream providers may refuse traffic from uncertified providers. FCC RMD rules; S.2666 bond authority CRS R48941
STIR/SHAKEN for International Traffic Sign calls with PASSporT tokens at gateway ingress, transmit Identity headers intact, and assign attestation levels accurately. TRACED Act; S.2666; FCC NPRM Federal Register 2025-22063
Gateway KYC Verify foreign customer identity before activating traffic, monitor for robocall-pattern anomalies, and suspend non-compliant customers. S.2666; FCC KYC NPRM DLA Piper, May 2026

How S.2666 Builds on the TRACED Act

The TRACED Act (P.L. 116-105), signed on December 30, 20192, expanded the FCC’s authority to address illegal robocalls. It created the Robocall Mitigation Database, mandated STIR/SHAKEN deployment across IP networks, and directed the FCC to designate the ITG as the official traceback consortium. S.2666 builds on this framework by adding annual recertification to the RMD model, reinforcing the 24-hour traceback window, and extending STIR/SHAKEN obligations to the international gateway context where spoofed U.S. numbers enter the domestic network. The bond authority in S.2666 introduces a new enforcement tool that gives the FCC a financial deterrent for providers with documented non-compliance histories.

2026 Legislative Status and Monitoring

S.2666 has been approved by the Senate Committee on Commerce, Science, and Transportation. The bill has cleared committee and is positioned for Senate floor consideration, although no floor vote date has been publicly scheduled as of June 2026. Compliance directors tracking this legislation can monitor Congress.gov for floor scheduling and any amendments adopted during floor debate, since committee-approved text can change before final passage.

Explore how Plura’s compliance framework prepares operators for these requirements.

How Plura’s U.S. Infrastructure Aligns with S.2666

Each S.2666 mandate maps to a specific layer of the carrier stack, which favors enforcement at origination rather than through add-on tools. Providers that control their own carrier infrastructure can apply blocking, authentication, and logging directly where calls enter the network.

Plura AI is an FCC-licensed audio bridging carrier. Voice originates on Plura’s domestic infrastructure, not on a third-party CPaaS. That architecture supports the S.2666 mandate set in the following ways:

  • DNO blocking. Plura’s real-time DNC scrubbing and TCPA-litigator list filtering operate at the carrier level before any call is placed, with every outbound contact checked against federal and state registries in real time.
  • STIR/SHAKEN caller ID verification. Plura runs STIR/SHAKEN authentication on every outbound voice call through its own carrier identity layer and issues branded caller ID directly, instead of inheriting a third-party CPaaS attestation reputation.
  • Immutable consent logging. Consent records are timestamped and immutable, which supports audit trails that RMD recertification and traceback cooperation rely on.
  • 100% U.S. infrastructure by architecture. Voice origination, model hosting, data storage, and call recording all sit on domestic infrastructure, which reduces the foreign-infrastructure exposure that S.2666 and the FCC’s broader robocall-mitigation framework address.

Plura supports TCPA compliance, DNC compliance, SHAKEN/STIR caller ID verification, SOC 2, HIPAA, ISO certification, and GDPR across its platform.1 Operators remain responsible for their own regulatory obligations and should consult qualified counsel on how S.2666 applies to their specific operations. Plura provides the carrier and application infrastructure; compliance posture downstream of that infrastructure remains the operator’s responsibility.

Plura Security & Compliance dashboard highlighting SOC 2, ISO, and GDPR standards with secure trust verification management.
Plura Security & Compliance supports SOC 2, ISO, and GDPR standards with trust registration, verification management, and secure AI communications.

Plura’s compliance framework includes SOC 2-compliant infrastructure, TCPA and STIR/SHAKEN enforcement, integration with Blacklist Alliance for DNC screening, and Number Verifier for caller ID reputation.1 Twilio-based API resellers operate as software layers on top of another carrier and cannot issue branded caller ID at the carrier level or enforce real-time DNC scrubbing as a first-class platform layer.3 Plura owns its telecom infrastructure and holds an FCC carrier license, while platforms that depend on Twilio do not hold a carrier license.3

Conclusion: Preparing Gateway Stacks for S.2666

The Foreign Robocall Elimination Act (S.2666) introduces four FCC-directed mandates for gateway providers: DNO blocking, 24-hour traceback cooperation, annual RMD recertification, and STIR/SHAKEN for international traffic, along with KYC obligations for foreign network customers. The bill cleared the Senate Commerce Committee as of March 2026 and extends the TRACED Act framework with bond authority and a dedicated overseas-robocall task force. Compliance directors and contact-center leaders at high-volume U.S. operators can map each mandate to their carrier stack now, before floor passage converts committee text into enforceable FCC rules.

Gateway providers should evaluate whether their current infrastructure can enforce these obligations at origination or whether compliance will require third-party integrations. Plura’s FCC-licensed carrier stack, STIR/SHAKEN caller ID verification, real-time DNC scrubbing, and immutable consent logging are built into the platform by architecture, not added later as a separate compliance layer.

Request a compliance assessment for your operation.

Frequently Asked Questions

What is the difference between the Foreign Robocall Elimination Act and the TRACED Act?

The TRACED Act, signed in December 2019, created the core U.S. robocall-mitigation framework. It established the Robocall Mitigation Database, mandated STIR/SHAKEN deployment across IP voice networks, and directed the FCC to designate the Industry Traceback Group as the official traceback consortium. The Foreign Robocall Elimination Act (S.2666) builds on that framework by targeting the specific entry point where illegal foreign robocalls reach U.S. consumers, which is the gateway provider. S.2666 adds annual RMD recertification, potential bond requirements for providers with compliance histories that raise integrity concerns, a dedicated FCC task force on overseas robocalls, and more prescriptive KYC obligations for providers that accept traffic from foreign networks. The TRACED Act set the foundation, and S.2666 tightens the rules at the international-to-domestic handoff point.

Who qualifies as a gateway provider under the S.2666 framework?

A gateway provider is a voice service provider that receives calls originating on foreign networks and routes them onto the U.S. public switched telephone network for domestic termination. This category includes providers that operate international points of presence, accept SIP trunks from foreign carriers, or serve as the first domestic handler of calls that originate outside the United States. The FCC’s existing robocall-mitigation rules already apply STIR/SHAKEN obligations to gateway providers, and S.2666 extends those obligations with annual recertification, traceback cooperation requirements, and KYC rules. Operators that only handle domestic-to-domestic traffic are not gateway providers under this definition, although they still fall under the broader TRACED Act STIR/SHAKEN and RMD requirements.

What happens if a gateway provider fails to recertify in the Robocall Mitigation Database?

Intermediate and terminating providers may refuse traffic from providers that are not listed in the RMD. A gateway provider that misses its annual recertification window, or whose certification is revoked, can see its traffic rejected by downstream carriers, which can effectively cut it off from the U.S. network. S.2666 adds a bond requirement of up to $100,000 as a possible condition of filing for providers the FCC determines pose an integrity risk, which creates a financial barrier to re-entry for repeat non-compliant providers. Many operators treat RMD recertification as a hard annual deadline with the same operational priority as license renewals, because the downstream consequence of missing it is traffic rejection rather than only a monetary penalty.

How does STIR/SHAKEN apply to calls that originate on foreign networks where full attestation is not possible?

STIR/SHAKEN attestation levels show how confident a provider is about the caller’s identity and number assignment. A-level attestation applies when the provider has a direct relationship with the caller and can verify that the caller is authorized to use the number. B-level attestation applies when the provider can verify the call’s origin but not the number assignment. C-level attestation applies when the provider can only verify that the call entered its network at a specific point. For foreign-originated calls, gateway providers typically assign B or C-level attestation because they cannot verify the foreign caller’s number assignment. The FCC’s proposed rules would require terminating providers to transmit verified caller identity information when A-level attestation is indicated, which increases the importance of accurate attestation-level assignment throughout the call path. Gateway providers that systematically over-attest calls face enforcement risk under both the TRACED Act framework and the S.2666 extensions.

How does Plura’s infrastructure address the S.2666 mandate set for high-volume operators?

As described in the infrastructure section above, Plura’s FCC-licensed carrier architecture addresses each S.2666 mandate at the origination layer rather than as a bolt-on compliance feature. The platform applies caller ID verification, consent logging, and DNC screening within its carrier stack, which supports the operational requirements that S.2666 places on gateway providers. See the infrastructure section for the complete mapping of mandates to Plura’s capabilities. Operators remain responsible for their own regulatory obligations and should consult qualified counsel on how S.2666 applies to their specific operations.

1 Plura AI maintains SOC 2, HIPAA, ISO, and GDPR posture as part of its platform infrastructure. References to compliance frameworks in this article describe Plura’s platform capabilities and do not constitute a guarantee that any customer using Plura will themselves be compliant with applicable laws or standards. Customers remain solely responsible for their own regulatory obligations, certifications, consent management, recordkeeping, and the claims they make to their own end users. Consult qualified legal counsel for guidance specific to your use case.

2 This article describes regulatory frameworks at a general level and does not constitute legal advice. Laws and regulations vary by jurisdiction, change over time, and apply differently depending on facts and circumstances. Readers should consult qualified legal counsel before making compliance decisions.

3 References to third-party products, services, companies, or research are made for informational and comparative purposes only. Plura AI is not affiliated with, endorsed by, or sponsored by any third party named in this article unless explicitly stated. Trademarks and product names referenced remain the property of their respective owners.

This article is provided for informational purposes only and reflects Plura AI’s understanding at the time of publication. Product capabilities, integrations, and specifications are subject to change. For the most current information, visit plura.ai.

This article was produced with the assistance of AI tools and reviewed by Plura AI prior to publication.

See how Plura AI transforms AI voice agents
Get a Live Demo