Last updated 2026-07-10

TL;DR
Any voice service provider that originates, carries, or terminates calls on the U.S. phone network must register in the FCC's Robocall Mitigation Database. Registration is free, done through the FCC's online portal, and requires a written robocall mitigation program if the provider has not fully deployed STIR/SHAKEN. Miss the filing and other providers can block all your traffic.
What is the FCC Robocall Mitigation Database and why does it exist?
The FCC built the Robocall Mitigation Database in 2021 under its Second Report and Order in WC Docket No. 17-97 [1]. It came out of the TRACED Act, signed into law in December 2019, which told the FCC to require voice providers to authenticate calls and to keep a record of who was doing it [2].
The idea is simple. STIR/SHAKEN is the technical standard that digitally signs caller ID so the receiving end can verify whether the number shown is real. Not every provider can deploy it fully, especially on older TDM (copper-based) networks. For those that can't, the FCC requires a written robocall mitigation program that spells out what they're doing instead. The database is the public record of who has done which.
Here's the part that matters. When a downstream provider (one that receives calls) checks the database and finds that an originating provider isn't listed, the downstream provider has to block all traffic from that originating provider [3]. That's the enforcement mechanism. It's not a fine. It's a total traffic block that kills your ability to complete calls.
For any company that originates calls on the U.S. public switched telephone network (PSTN), this is infrastructure, not paperwork. Skip the database and your calls don't complete. Full stop.
Who is required to register in the robocall mitigation database?
The FCC's rules cover "voice service providers" as defined in 47 CFR 64.6300 [4]. That catches several kinds of company:
- U.S.-based originating providers (companies that put calls onto the PSTN)
- Gateway providers (companies that bring foreign-originated calls into the U.S. network)
- Intermediate providers that carry or hand off calls between originating and terminating providers
- Terminating providers that complete calls to end users
The obligation is tiered. Originating providers carry the heaviest load: they have to certify their STIR/SHAKEN status and, if they're not fully implemented, file a robocall mitigation program. Gateway providers have had their own hard deadline since June 30, 2022 [1]. Intermediate and terminating providers register too, but with lighter documentation.
Small voice providers (those with 100,000 or fewer subscriber lines) got extra time to implement STIR/SHAKEN on their TDM networks. They still had to be in the database by the original June 30, 2021 registration deadline [1].
Run an outbound sales team that buys voice from a carrier? You're probably not the "voice service provider" and you don't register yourself. Your carrier does. But confirm your carrier is in the database, because their absence blocks your calls. If you run your own SIP infrastructure or act as a reseller that terminates calls through your own numbers, talk to a telecom attorney about whether you count as a provider.
For companies running cold calling campaigns, this matters because the STIR/SHAKEN attestation level your carrier gives your calls (A, B, or C) affects whether they show as "Likely Spam" on recipients' phones.
What are the registration deadlines for the FCC database?
The original deadline for most U.S.-based voice service providers to register was June 30, 2021 [1]. By that date, providers had to be in the database with either a STIR/SHAKEN certification or a robocall mitigation program on file.
Gateway providers, which handle foreign-originated traffic entering the U.S., had a separate deadline of June 30, 2022 [10]. The FCC keeps tightening rules for gateway providers because international robocall traffic has been a stubborn problem.
Missed the original deadline? You are not permanently barred. The database takes new registrations on a rolling basis. But every day you're unregistered is a day downstream providers can legally block your traffic. File now.
The FCC has also ordered downstream providers to check the database and block traffic from unregistered providers within 30 days of a provider landing on the FCC's non-compliant list [3]. The cost of a missed deadline is real and near-immediate.
What information do you need before you start the registration?
Before you log into the FCC filing system, pull these items together. Miss one and your submission stalls.
FCC Registration Number (FRN). Every filer needs one. You get it through the FCC's CORES system (Commission Registration System). If your company has ever filed anything with the FCC, you probably already have one [5].
Your 499 Filer ID. If you file an FCC Form 499 (the annual revenue report most voice providers file), you need that ID. Some smaller providers are exempt from Form 499 but still register in the database.
Legal company name and principal business address. These have to match your FRN record exactly.
STIR/SHAKEN implementation status. You certify one of four things: (1) fully implemented on your entire network, (2) partially implemented with a mitigation program for the rest, (3) not yet implemented but with a mitigation program, or (4) you qualify for an exemption (very small providers below certain thresholds).
Your robocall mitigation program document. If you can't certify full implementation, you need a written program. The FCC doesn't mandate a format, but the program has to describe the specific steps you take to keep your network from being used to originate illegal robocalls. This is where you describe customer vetting, traffic monitoring, and how you handle traceback requests from the Industry Traceback Group [9].
A designated contact. The database wants a name, email, and phone number for the person responsible for robocall mitigation at your company.
How do you actually complete the FCC Robocall Mitigation Database registration step by step?
Here's how the process runs.
Step 1: Get or confirm your FRN. Go to the FCC's CORES system and log in or create an account [5]. The FRN is a 10-digit number. Write it down.
Step 2: Reach the Robocall Mitigation Database portal. The FCC hosts the database and links to it from its caller ID authentication guidance [7]. You log in with your FCC credentials.
Step 3: Create or update your provider record. The system asks for your legal name, FRN, 499 Filer ID if applicable, and contact information. Fill every field. Partial records get rejected.
Step 4: Select your STIR/SHAKEN status. The dropdown maps to the four certification categories above. Be accurate. Certifying full implementation when you haven't done it is a false statement to a federal agency.
Step 5: Upload your robocall mitigation program (if required). If you're not fully STIR/SHAKEN compliant, you upload a PDF or Word document describing your program. The FCC reviews these for completeness, not word count, but vague documents get flagged [1].
Step 6: Submit and save your confirmation. You'll get a confirmation screen and, usually, an email. Screenshot the confirmation. The FCC system has had intermittent hiccups and you want proof of submission.
Step 7: Check the public listing. After processing (a few business days), your company should show up in the searchable public database. Search by company name or FRN to confirm you're visible.
Update your STIR/SHAKEN status later (say, once you finish deploying authentication across your full network) and you have to return to the portal and change your record. This is a living certification, not a one-time filing.
What should a robocall mitigation program actually say?
This is where most providers get stuck. The FCC hasn't published a rigid template, which leaves real uncertainty about what counts as "good enough." Based on the FCC's guidance in its Second Report and Order and later orders [1], a solid mitigation program covers these elements:
Customer vetting. Describe how you screen new customers before you let them originate calls on your network. What documentation do you require? Do you check against any lists?
Traffic monitoring. Describe how you watch for odd call patterns: sudden volume spikes, high rates of short-duration calls (a classic robocall signature), or calls to non-working numbers.
Response to traceback requests. The Industry Traceback Group, a consortium designated by the FCC, sends traceback requests when it traces an illegal robocall through the network. Your program has to state how fast you respond (the FCC expects rapid response, generally within 24 hours) and what you do with the information [9].
Call blocking or labeling. Describe any analytics-based blocking or labeling you apply to calls that match suspicious patterns.
Upstream and downstream agreements. If you have contractual commitments with your upstream providers about robocall mitigation, name them.
A program that says "we monitor our network and terminate bad actors" with no specifics tends to draw an FCC follow-up. Be specific. Name the tools. Describe the workflow. If you use a third-party analytics provider, name it.
For outbound teams running cold call programs, understanding your carrier's mitigation program pays off, because it shapes the attestation level your calls receive. Full A-level attestation (you're the customer, the number is yours, you've authorized the call) gives the best delivery and display outcomes.
What happens if a provider is not in the database or has an incomplete filing?
The fallout comes in two forms: FCC enforcement and network-level blocking.
On the network side, FCC rules require intermediate and terminating providers to block calls from any originating provider not listed in the database [3]. The FCC publishes a list of non-compliant providers [11]. Once your name lands on that list, other providers have 30 days to block your traffic. After that window closes, any provider that keeps passing your calls can face FCC scrutiny itself.
On the enforcement side, the FCC can issue citations and forfeitures under 47 U.S.C. 227 [6]. The TRACED Act gave the FCC authority to move faster against knowing violations. The FCC Enforcement Bureau has fined providers for STIR/SHAKEN non-compliance [8], though the harder pressure comes from the traffic-blocking mechanism, not direct fines.
If you're worried about broader TCPA exposure, keep this straight: database non-compliance and TCPA violations are related but separate. A carrier missing from the database doesn't by itself create a private TCPA lawsuit. It can feed spam-labeling that drives consumer complaints, which the FCC and state attorneys general use to build enforcement cases. For a sense of what large-scale liability looks like, see the cash app tcpa class action settlement.
The FCC can also revoke operating authority from providers that repeatedly fail to comply. That's the nuclear option. It has been used.
How does STIR/SHAKEN attestation affect your calls in the database?
STIR/SHAKEN assigns one of three attestation levels to each call [7]:
| Attestation | Code | Meaning |
|---|---|---|
| Full | A | Provider knows the customer and that they're authorized to use the number |
| Partial | B | Provider knows the customer but can't verify the number belongs to them |
| Gateway | C | Provider only knows the call entered the network at a certain point; can't verify origin |
A-level calls get the best treatment from analytics providers like First Orion, Hiya, and TransUnion that power the "Spam Likely" labels on AT&T, T-Mobile, and Verizon handsets. C-level calls are far more likely to get labeled or blocked.
Register in the database and certify full STIR/SHAKEN implementation, and you're telling the network you can sign calls at A-level. Certify a mitigation program instead, and your calls still transit the network, but they may sign at B or C depending on how the receiving provider handles unsigned or partly-signed calls.
For outbound sales teams running legitimate cold calling programs, this is a big deal. A call that shows "Spam Likely" on the screen gets answered far less often. There's no clean public study on the exact drop-off. Analytics providers presenting at industry conferences have shown answer rates falling somewhere in the 50 to 80 percent range on labeled calls, but nobody has solid public data here, so treat that as directional.
Database registration is the upstream fix. Getting your carrier to sign your calls at A-level is the practical result.
Can a non-carrier business register, and what about VoIP resellers?
This is where it gets genuinely murky.
Buy minutes from a major carrier and make outbound calls? You're the customer of the voice service provider, not the provider yourself. You don't register. Your carrier does.
But if you run your own SIP infrastructure, hold your own direct interconnections with other providers, and control call routing, the FCC may treat you as a provider. The line between "customer" and "provider" isn't always clean in the FCC's rules, especially for cloud communications platforms, CPaaS companies, and large enterprises running their own phone systems.
VoIP resellers sit in a gray zone. Buy wholesale VoIP and resell it under your own brand, and the FCC has increasingly looked at whether that relationship makes you an "intermediate provider" under 47 CFR 64.6300 [4]. The 2022 gateway provider rules tightened this a lot [10].
Uncertain? Ask your upstream carrier directly: "Are you signing our calls, and at what attestation level?" Then verify your carrier is in the database yourself by searching the public portal. If they're not listed, escalate immediately or find a carrier that is.
If you also do text message marketing, note that STIR/SHAKEN and the Robocall Mitigation Database cover voice calls only. SMS runs on its own authentication track (10DLC registration, a separate process entirely).
How do you search the database to check if a carrier or provider is registered?
The database is public and searchable. Anyone can look up any provider. Go to the FCC's caller ID authentication guidance, which links to the Robocall Mitigation Database search page [7].
You can search by:
- Company name (partial matches work)
- FRN (10-digit FCC Registration Number)
- 499 Filer ID
- State of principal office
Results show the company's registration status, the date they last updated their filing, and their stated STIR/SHAKEN certification level. You can also see whether they've filed a mitigation program.
What you can't see through the search interface is the actual content of the mitigation program. Those documents may be accessible through the FCC's Electronic Comment Filing System (ECFS) depending on how they were submitted.
For outbound sales operations, run this check quarterly. Carrier status changes. If your carrier gets flagged as non-compliant or their registration lapses, you want to know before your call volume drops off a cliff.
LeadCompliant's free compliance checklist includes a carrier database check in its outbound call setup workflow, which is a handy reminder to build into your own quarterly review.
How does the robocall mitigation database connect to TCPA compliance more broadly?
The database is a carrier-level obligation, but it sits inside a larger compliance system that outbound sales teams have to understand.
The TCPA (Telephone Consumer Protection Act, 47 U.S.C. 227) is the federal law that governs how you contact consumers by phone and text [6]. STIR/SHAKEN and the Robocall Mitigation Database don't change the TCPA's consent requirements, the rules on calling times, or your obligation to honor do not call list registrations. Those stay the same.
What the database changes is delivery. Even with perfect TCPA consent and clean scrubbing against the do not call telemarketer list, calls from an unregistered or poorly-attested carrier may never reach the consumer because they get blocked upstream. That's not a TCPA problem. It still kills the campaign.
Think of the two systems this way. TCPA governs whether you're legally allowed to make the call. STIR/SHAKEN and the database govern whether the call physically gets delivered. You need both to work.
As of mid-2025, courts have not held that carrier non-compliance with the database creates a new private right of action for consumers. The TCPA's private right of action still centers on the consent and do-not-call requirements in 47 U.S.C. 227(b) and (c) [6]. FTC and state AG enforcement, though, has used spam-call labeling as evidence in broader fraud and deceptive practice cases.
For teams that want the full picture (consent obligations plus delivery requirements), a structured kit covering both TCPA consent documentation and carrier verification is the fastest place to start. That's what we built the LeadCompliant compliance kit around.
What are common mistakes providers make when registering?
Since the database launched in 2021, the recurring errors cluster into a few buckets.
Certifying full STIR/SHAKEN when you haven't finished. This is the worst one. It's a false certification to a federal agency. If the FCC audits or a traceback shows your calls aren't actually signed at A-level, you've built a far bigger problem than the original non-compliance.
Filing a vague mitigation program. One-page documents that say "we take robocalls seriously and will block bad actors" are not mitigation programs. The FCC has sent back registrations and flagged providers for thin documentation.
Not updating after a change. Finish full STIR/SHAKEN deployment after first filing a mitigation program? Update the database. Change your contact person? Update it. This is a live certification, not a one-time filing.
Using the wrong FRN. Companies with multiple FRNs (which happens after mergers or when different business lines registered separately) can pick the wrong one, creating a mismatch that keeps your registration from showing up correctly in searches.
Ignoring the gateway provider obligation. Companies handling traffic from foreign carriers have to register as gateway providers under the stricter post-2022 rules. Some operators who thought of themselves as domestic intermediate providers found out they also had gateway obligations.
Not confirming the public listing. Filing and being listed are two different things. Always search the database after submission to confirm you appear.
Frequently asked questions
Is FCC Robocall Mitigation Database registration free?
Yes, registration itself is free. The FCC charges no filing fee to register in the database or to update your record. The costs are internal: staff time to prepare the robocall mitigation program document, any legal review you want, and the technical work of STIR/SHAKEN implementation if you haven't done it yet. STIR/SHAKEN deployment costs vary widely by network type and size.
What is the difference between STIR/SHAKEN and the Robocall Mitigation Database?
STIR/SHAKEN is the technical call-authentication standard that digitally signs caller ID information so receiving providers can verify it. The Robocall Mitigation Database is the FCC's public registry where providers certify their STIR/SHAKEN status and, if not fully implemented, file a written mitigation program. STIR/SHAKEN is the technology. The database is the compliance record showing who has deployed it.
What happens if my carrier is not in the FCC robocall mitigation database?
Downstream providers are required by FCC rules to block all voice traffic from originating providers not listed in the database. If your carrier is missing, your outbound calls may get blocked before they reach the recipient, regardless of whether you have valid TCPA consent. Verify your carrier's database listing before launching any outbound call program and confirm it quarterly.
Do I need to register if I only send text messages, not voice calls?
No. The Robocall Mitigation Database and STIR/SHAKEN apply to voice calls on the PSTN. SMS and MMS messaging has its own compliance infrastructure, specifically 10DLC (10-digit long code) registration through The Campaign Registry for business texting. Those are separate systems with separate registration processes. If you do both voice and SMS, you may need to comply with both frameworks.
How long does FCC Robocall Mitigation Database registration take to process?
The online submission itself takes 20 to 60 minutes if your materials are ready. The FCC processes registrations within a few business days in most cases, after which your company should appear in the searchable public database. Processing can stretch during high-volume periods. Submit well before any deadline and confirm your public listing after 3 to 5 business days.
Can a small business or startup voice provider qualify for a STIR/SHAKEN exemption?
The FCC granted implementation deadline extensions (not permanent exemptions) to small voice providers, generally those with 100,000 or fewer subscriber lines, for deploying STIR/SHAKEN on TDM portions of their networks. Even so, exempt providers still had to register in the database and file a robocall mitigation program by the original June 30, 2021 deadline. No provider is exempt from database registration entirely.
What is an Industry Traceback Group request and how does it affect my registration?
The Industry Traceback Group (ITG), designated by the FCC, investigates illegal robocall campaigns by tracing calls backward through the carrier chain. When the ITG contacts your company as part of a traceback, you're expected to respond rapidly, typically within 24 hours. Your robocall mitigation program filed in the database should describe your traceback response process. Slow or non-responsive providers draw FCC attention and can land on the non-compliant provider list.
Does the FCC database registration affect TCPA consent requirements?
No, they are separate legal obligations. TCPA consent requirements under 47 U.S.C. 227 govern whether you're legally permitted to contact a consumer. The Robocall Mitigation Database governs carrier-level authentication and network delivery. A fully registered carrier with A-level attestation doesn't excuse you from needing proper prior express written consent for automated calls. You have to satisfy both frameworks independently.
How do I find my FCC Registration Number (FRN) to complete database registration?
Go to the FCC's CORES system and log in or search by company name. If your company has previously filed anything with the FCC, including Form 499, an FRN exists. If not, you create one through CORES before accessing the Robocall Mitigation Database portal. The FRN is a 10-digit number. Keep it on file; you'll need it for all future FCC filings.
What attestation level will my calls get after my carrier registers?
Attestation level depends on your carrier's relationship with your account and number. Full A-level attestation means the carrier can verify you're their customer and the number is authorized to you. B-level means they know you but can't verify the number. C-level is a gateway stamp only. To get A-level, confirm with your carrier that your numbers are properly provisioned under your account and that they sign outbound calls with full attestation.
Can the FCC remove a provider from the robocall mitigation database?
Yes. The FCC can flag providers as non-compliant, which triggers the downstream blocking obligation. The FCC can also revoke operating authority in severe cases. Providers that fail to respond to FCC investigations, submit false certifications, or repeatedly originate illegal robocall traffic face removal or de-listing. The FCC's Enforcement Bureau handles these actions, and it has picked up the pace since the TRACED Act took effect.
How often do I need to update my FCC Robocall Mitigation Database registration?
There is no fixed annual renewal, but you must update your registration whenever your information changes materially: your STIR/SHAKEN status changes, your contact person changes, or your mitigation program is revised. The FCC expects the database to reflect your current state, not a snapshot from initial filing. Treating it as a one-time task and forgetting it is one of the most common compliance errors providers make.
Does registering in the database protect me from TCPA lawsuits?
No. Database registration creates no safe harbor from TCPA private litigation. TCPA lawsuits, like the well-publicized Credit One case (see the credit one tcpa settlement for context on settlement scale), arise from consent failures, not from carrier authentication status. Registration helps your calls get delivered and not labeled as spam, but TCPA liability depends entirely on whether you had proper consent and honored do-not-call requests.
Sources
- FCC, Second Report and Order, WC Docket No. 17-97 (STIR/SHAKEN and Robocall Mitigation): The FCC created the Robocall Mitigation Database and set the June 30, 2021 registration deadline for most providers; gateway providers had a June 30, 2022 deadline.
- Congress.gov, TRACED Act (Pub. L. 116-105, S. 151, 116th Congress): The TRACED Act, signed December 2019, directed the FCC to require call authentication standards and enforcement against illegal robocallers.
- FCC, Call Blocking Resources and Consumer Guides: Downstream providers are required to block calls from originating providers not listed in the Robocall Mitigation Database within 30 days of the provider appearing on the FCC's non-compliant list.
- Electronic Code of Federal Regulations, 47 CFR 64.6300: 47 CFR 64.6300 defines 'voice service provider' and the categories of providers subject to STIR/SHAKEN and robocall mitigation obligations.
- FCC, Commission Registration System (CORES): The FCC's CORES system is where providers obtain their FCC Registration Number (FRN), required to access the Robocall Mitigation Database portal.
- Cornell Law School Legal Information Institute, 47 U.S.C. 227 (TCPA): 47 U.S.C. 227 is the Telephone Consumer Protection Act, governing consent requirements, do-not-call rules, and private rights of action for robocall and telemarketing violations.
- Industry Traceback Group (ITG), USTelecom: The Industry Traceback Group, designated by the FCC, conducts traceback investigations of illegal robocall campaigns and expects provider responses within approximately 24 hours.
- FCC, Gateway Provider Report and Order, WC Docket No. 17-97: The FCC extended STIR/SHAKEN and robocall mitigation obligations to gateway providers handling foreign-originated traffic, with a June 30, 2022 compliance deadline.
- FCC, Robocall Mitigation Database: The FCC publishes a list of voice service providers found non-compliant with Robocall Mitigation Database registration requirements, triggering mandatory blocking by downstream providers.