Written by: Matt Beucler, CEO, Plura AI
Key Takeaways
- The TRACED Act established STIR/SHAKEN caller ID authentication for domestic U.S. networks, while the Foreign Robocall Elimination Act (S.2666) targets foreign-originated robocalls through an FCC task force and bond requirements.
- Both laws interact with the FCC NPRM (CG Docket No. 26-52) and increase pressure on carriers and AI platforms to prove 100% U.S. origination, model hosting, and data storage.
- Foreign-originated calls remain the largest compliance gap, and S.2666 narrows that gap by creating formal oversight and traceback immunity for registered consortia.
- Downstream providers must block traffic from non-RMD-registered or noncompliant carriers, which makes upstream carrier compliance a core dependency for contact centers and AI platforms.
- Plura AI operates as its own FCC-licensed carrier with 100% U.S. infrastructure and STIR/SHAKEN authentication at the carrier level, so talk to Plura to evaluate domestic-focused infrastructure strategies.
How the Foreign Robocall Elimination Act Shifts Responsibility
The Foreign Robocall Elimination Act (S.2666), introduced in the 119th Congress, addresses a gap the TRACED Act left open: robocalls that originate outside the United States. The TRACED Act concentrated on domestic carrier authentication, while S.2666 targets the foreign-origination pipeline directly.
S.2666 directs the FCC to establish a task force on unlawful robocalls originating overseas and submit a report to Congress within 360 days of the task force being established. The bill grants a consortium of private-sector entities registered with the FCC immunity from prosecution for publishing information on suspected fraudulent or unlawful robocalls and limits the right of action for entities that might otherwise seek damages for the sharing of traceback information.
The Senate version is more prescriptive than the House companion bill (H.R. 6152).
How S.2666 Addresses TRACED Act Gaps
The TRACED Act’s STIR/SHAKEN framework was built for IP-based domestic networks. In 2025, Tier-1 U.S. carriers had 85% of traffic signed with STIR/SHAKEN while smaller carriers had 17.5%, largely because smaller providers rely on non-IP legacy infrastructure and international gateway traffic creates persistent authentication challenges.3
Numeracle reports that 93.4% of robocall traffic from the most prolific robocall signers now carries A-level attestations, and 48% of illegal calls are A-attested.3,4 These numbers show that bad actors have learned to exploit the authentication system itself. Foreign-originated calls entering through gateway providers remain the most persistent gap.
S.2666 responds by establishing a task force on foreign-originated unlawful robocalls and by formalizing traceback cooperation across borders.
FCC Task Force and Related Foreign-Robocall Actions
The FCC task force provision in S.2666 is the bill’s most operationally significant element for compliance officers. The task force structure creates a formal oversight mechanism for foreign-originated call traffic that did not exist under the TRACED Act framework.
Separately, the FCC has been active on related fronts. The FCC adopted a Further Notice of Proposed Rulemaking that would strengthen Know-Your-Upstream-Provider requirements and clarify STIR/SHAKEN obligations for voice service providers at its May 2026 open meeting. The FCC also set the effective date for Do-Not-Originate (DNO) blocking rules as December 15, 2025, and adopted new rules on third-party authentication in STIR/SHAKEN on November 21, 2024.
The FCC has also proposed requiring voice service providers to implement measures that help consumers recognize calls originating from outside the United States and to prohibit spoofing of U.S. telephone numbers for calls originating from outside the United States. That proposal, part of the FCC NPRM (CG Docket No. 26-52), interacts directly with the task-force mandate in S.2666.
TRACED Act vs. S.2666: Operational Comparison
| Act | Enforcement Tools | Scope | Carrier / AI Platform Requirements |
|---|---|---|---|
| TRACED Act (P.L. 116-105, 2019) | Expanded FCC monetary forfeitures, extended statute of limitations for intentional violations, 24-hour traceback cooperation requirement, RMD removal for noncompliant providers | Domestic IP-network caller ID authentication, all voice service providers interconnected with the PSTN (public switched telephone network) | STIR/SHAKEN implementation, RMD registration and robocall mitigation plan filing, Know Your Customer (KYC) verification under 47 C.F.R. §64.1200(n)(4) |
| Foreign Robocall Elimination Act (S.2666, 119th Congress) | FCC task force with congressional reporting, traceback immunity for registered private-sector consortia, limited right of action for traceback information sharing | Foreign-originated unlawful robocalls, providers transmitting calls into the United States | N/A |
Key Milestones from TRACED to S.2666
The TRACED Act was signed into law on December 30, 2019. It directed the FCC to initiate rulemaking for caller ID authentication, which led to the original STIR/SHAKEN rules adopted on March 31, 2020. Large voice service providers had to implement STIR/SHAKEN in IP networks by June 30, 2021. Facilities-based smaller voice service providers received STIR/SHAKEN extensions through June 30, 2023, as noted earlier.
Enforcement activity accelerated through 2024 and 2025. The August 21, 2024 FCC enforcement settlement with Lingo Telecom addressed spoofed robocalls using generative-AI voice cloning and imposed a $1 million civil penalty plus a compliance plan tied to STIR/SHAKEN verification requirements. In December 2024, the FCC Enforcement Bureau issued an order notifying more than 2,400 companies of deficiencies in their RMD certifications.
The FCC adopted annual RMD recertification requirements under rules published in the Federal Register on January 6, 2026, requiring all RMD filers to recertify their submissions by March 1, 2026. In early August 2025, the FCC revoked RMD certification for 185 providers and removed them from the database.
S.2666 was ordered reported by the Senate Committee on Commerce, Science, and Transportation on October 21, 2025. As of the April 28, 2026 publication date of Broadband Breakfast’s coverage, the bill remained proposed legislation that had not yet been enacted. Compliance officers should consult qualified counsel and monitor Congress.gov for current status.
What These Rules Mean for U.S. Infrastructure
The combined regulatory picture from the TRACED Act, S.2666, and the FCC NPRM (CG Docket No. 26-52) creates a clear directional pressure. Voice traffic that cannot be authenticated to a domestic origination point faces increasing friction at every layer of the network.
Downstream providers are prohibited from accepting traffic from unregistered voice service providers (VSPs). This rule creates a network-level enforcement mechanism that can block noncompliant traffic originating from either U.S. or foreign-based providers using U.S. numbers. The bond requirement in S.2666 would add a financial layer on top of that network-level block.
For AI platforms and contact centers, the infrastructure question directly affects deliverability and risk. Platforms that route voice through third-party CPaaS (Communications Platform as a Service) providers inherit the upstream carrier’s RMD registration status, STIR/SHAKEN attestation level, and compliance posture. STIR/SHAKEN attestation levels include A-level (full attestation) when customer identity and authorization to use the specific number are verified, B-level (partial) when origin is authenticated but number authorization cannot be fully confirmed, and C-level (gateway) when the call enters from an upstream provider. A-level attestation requires the originating carrier to verify both the caller’s identity and their authorization to use the specific number being presented.
Platforms that do not own their carrier stack cannot issue A-level attestations independently. They depend on the upstream CPaaS to do it, and they inherit whatever compliance gaps exist at that layer.
Plura AI operates as its own FCC-licensed audio bridging carrier. Voice originates on Plura’s domestic infrastructure, not through a third-party CPaaS. STIR/SHAKEN authentication runs at the carrier level on every outbound call. Branded caller ID is issued directly, not through a reseller. The RMD registration, robocall mitigation plan, and KYC obligations under 47 C.F.R. §64.6305 and §64.1200(n)(4) are Plura’s own, not a downstream dependency. Voice origination, model hosting, data storage, and call recording all run on 100% U.S. infrastructure, which reduces the foreign-origination exposure that S.2666 and the FCC NPRM target.
Plura supports compliance with TCPA, DNC, HIPAA, SOC 2, and ISO certification requirements.1,2 Customers remain responsible for their own regulatory obligations and certifications.
Next Steps for Leaders Evaluating Domestic Infrastructure
Compliance officers and contact center leaders briefing executives on S.2666 and the TRACED Act should address four operational questions before the next planning cycle.
First, identify where your voice traffic originates. If your AI voice platform routes calls through a third-party CPaaS, your RMD registration and STIR/SHAKEN attestation level depend on that provider’s compliance posture, not your own. Failure to maintain valid RMD certification can result in removal from the database, which obligates other providers to block all traffic from the noncompliant entity, with reinstatement potentially taking up to a year or longer. This origination audit determines which of the following steps apply to your infrastructure.
Second, audit your RMD filing. The FCC implemented multi-factor authentication for RMD access and adopted annual recertification requirements effective January 6, 2026. Once you confirm who controls your origination point, verify that entity’s RMD status is current and that recertification occurred on time.
Third, assess your bond exposure under S.2666. The bill has not been enacted as of this writing, but the Senate committee report signals the direction of federal policy. The bond requirement would build on the RMD filing obligation and add a financial layer to the registration process you just audited. Carriers and AI platforms transmitting high volumes of calls into the United States should model the operational impact of a $100,000 bond requirement on their RMD certification process.
Fourth, evaluate whether your infrastructure can document 100% U.S. origination. The FCC NPRM (CG Docket No. 26-52) proposes requirements that would penalize foreign infrastructure dependencies. Platforms built on domestic carrier infrastructure by architecture, not by contractual promise, are positioned to satisfy those documentation requirements without major operational restructuring. This documentation requirement ties directly to the foreign-infrastructure restrictions proposed in the FCC NPRM and to the task-force provisions in S.2666.
Plura’s platform addresses each of these layers directly: FCC-licensed carrier origination, STIR/SHAKEN authentication at the carrier level, real-time DNC scrubbing, TCPA compliance support, and the domestic infrastructure architecture described above.
Compare plans and rates side by side at plura.ai/pricing.
Frequently Asked Questions
What is the difference between the TRACED Act and the Foreign Robocall Elimination Act?
The TRACED Act (P.L. 116-105), signed into law in December 2019, established the legal foundation for STIR/SHAKEN caller ID authentication across domestic U.S. voice networks. It expanded FCC enforcement authority, increased monetary forfeitures for TCPA violations, and required all voice service providers to register in the Robocall Mitigation Database and cooperate with traceback requests within 24 hours. Its primary focus is domestic network authentication and carrier accountability within the U.S. public switched telephone network.
The Foreign Robocall Elimination Act (S.2666), introduced in the 119th Congress and ordered reported by the Senate Commerce Committee in October 2025, targets the gap the TRACED Act left open: robocalls that originate outside the United States before entering the domestic network. S.2666 establishes the task force and immunity provisions described earlier while adding a bond requirement for RMD certification. The two acts are complementary rather than competing. TRACED built the domestic authentication framework, and S.2666 extends financial and oversight pressure to the foreign-origination pipeline.
What is the Robocall Mitigation Database and why does it matter for contact centers?
The Robocall Mitigation Database (RMD) is the FCC’s central compliance registry for voice service providers. Every provider interconnected with the public switched telephone network must register in the RMD, file a robocall mitigation plan describing their STIR/SHAKEN implementation status, and recertify annually under rules that took effect in January 2026. The operational consequence of noncompliance is direct. Downstream carriers must block all traffic from providers not validly registered in the RMD.
For contact centers, this means that any AI voice platform or dialer routing calls through an unregistered or noncompliant upstream carrier risks having its traffic blocked at the network level, regardless of the contact center’s own compliance posture. Contact centers evaluating AI voice platforms should verify that the platform’s carrier holds a current, valid RMD registration and maintains A-level STIR/SHAKEN attestation on outbound calls.
What does FCC NPRM CG Docket No. 26-52 propose for foreign robocalls?
The FCC’s Notice of Proposed Rulemaking under CG Docket No. 26-52 proposes several measures relevant to foreign-originated call traffic. The FCC has proposed requiring voice service providers to implement measures that help consumers identify calls originating from outside the United States and to prohibit spoofing of U.S. telephone numbers for calls originating from outside the United States. The NPRM also seeks comment on using Rich Call Data to enhance caller identity information and on eliminating outdated robocall rules.
Separately, the NPRM proposes capping offshore customer-service calls at 30% and prohibiting offshore handling of sensitive consumer data including passwords, multi-factor authentication codes, Social Security numbers, and banking and card data. These proposals interact directly with the task-force mandate and bond requirements in S.2666 and create a regulatory environment that favors carriers and AI platforms operating on 100% U.S. infrastructure. Operators should consult qualified counsel regarding how these proposals may apply to their specific operations.
How does STIR/SHAKEN attestation level affect call deliverability?
STIR/SHAKEN assigns one of three attestation levels to outbound calls. A-level (full attestation) is assigned when the originating carrier has verified both the caller’s identity and their authorization to use the specific number being presented. B-level (partial attestation) is assigned when the carrier can authenticate the call’s origin but cannot fully confirm number authorization. C-level (gateway attestation) is assigned when the call enters the network from an upstream provider whose identity the gateway carrier cannot fully verify.
Terminating carriers and call-screening systems use attestation level as a signal when deciding whether to deliver, flag, or block a call. Calls carrying A-level attestation are less likely to be labeled as spam or intercepted by call-screening layers. Platforms that do not own their carrier stack cannot independently issue A-level attestations, and they depend on the upstream CPaaS provider’s verification processes. Plura AI operates as its own FCC-licensed carrier and issues STIR/SHAKEN authentication at the carrier level on every outbound call.
What should compliance officers do now to prepare for S.2666 and the FCC NPRM?
S.2666 has not been enacted as of June 2026, but the Senate Commerce Committee’s October 2025 report signals the direction of federal policy. Compliance officers can take four preparatory steps.
First, audit the RMD registration status of every carrier in the voice traffic path, including any third-party CPaaS providers used by AI voice platforms. Second, verify that annual RMD recertification was completed by the March 1, 2026 deadline, because providers that missed it face enforcement exposure and mandatory traffic blocking. Third, document the geographic origination of all voice traffic, model hosting, and data storage to assess exposure under the FCC NPRM’s proposed foreign-infrastructure restrictions. Fourth, model the operational impact of a $100,000 bond requirement on RMD certification if S.2666 is enacted. Operators should consult qualified telecommunications counsel before making infrastructure or vendor decisions based on proposed rules that have not yet been finalized.
1 Plura AI maintains SOC 2, HIPAA, ISO, and GDPR posture as part of its platform infrastructure. References to compliance frameworks in this article describe Plura’s platform capabilities and do not constitute a guarantee that any customer using Plura will themselves be compliant with applicable laws or standards. Customers remain solely responsible for their own regulatory obligations, certifications, consent management, recordkeeping, and the claims they make to their own end users. Consult qualified legal counsel for guidance specific to your use case.
2 This article describes regulatory frameworks at a general level and does not constitute legal advice. Laws and regulations vary by jurisdiction, change over time, and apply differently depending on facts and circumstances. Readers should consult qualified legal counsel before making compliance decisions.
3 Performance figures, customer outcomes, and industry statistics referenced in this article are drawn from cited third-party sources or Plura customer case studies. Individual results vary based on implementation, use case, industry, audience, and execution. Past or aggregate performance is not a guarantee of future results.
4 References to third-party products, services, companies, or research are made for informational and comparative purposes only. Plura AI is not affiliated with, endorsed by, or sponsored by any third party named in this article unless explicitly stated. Trademarks and product names referenced remain the property of their respective owners.
This article is provided for informational purposes only and reflects Plura AI’s understanding at the time of publication. Product capabilities, integrations, and specifications are subject to change. For the most current information, visit plura.ai.
This article was produced with the assistance of AI tools and reviewed by Plura AI prior to publication.