Robocall Mitigation Database (RMD) — the US registry, the operational blocking lever, and the enforcement turn
The Robocall Mitigation Database is the registry that operationalizes US caller-authentication compliance. It’s the FCC’s mechanism for binding a provider’s regulatory status to its ability to send traffic into the US phone network — a provider that’s not in the RMD, or that has been removed for deficient filings, cannot have its traffic accepted by intermediate or terminating providers. The mechanism is simple and severe: stay compliant or lose network access.
The RMD was established by the FCC’s Second Caller ID Authentication Report and Order (FCC 20-136, adopted September 29, 2020) and codified at 47 CFR § 64.6305. The Wireline Competition Bureau opened the database in April 2021, and the filing requirements have steadily expanded across successive rulemakings. What started as a registry of originating voice-service providers’ STIR/SHAKEN implementation status has become the central operational instrument of US robocall enforcement — a database that, when used as designed, is the gating mechanism for participation in US voice networks.
The first three years of RMD operation were largely administrative. The 2024–2025 turn under Chairman Brendan Carr has made the enforcement mechanism operational in a way it hadn’t been before. Over 1,200 providers were removed from the database in August 2025 alone, with a first-of-its-kind national-security-grounded action following in December 2025. The substantive analysis behind the rules came largely from the NANC CATA Working Group, where I participated and edited the reports the Commission relied on. The framing here is from inside that work.
What the RMD is, structurally
The RMD is a public-facing database operated by the Wireline Competition Bureau in coordination with the FCC’s Office of the Managing Director. Each filer creates a record using its FCC Registration Number (FRN) via the CORES registration system, then files a certification document and a robocall mitigation plan (RMP).
The certification establishes three things:
- Provider category. The filer identifies whether it is a voice service provider (originating or terminating), a gateway provider, or a non-gateway intermediate provider. The obligations differ slightly between categories but the filing requirement is universal — every entity that handles US voice traffic in any of these roles must be in the RMD. The Sixth Caller ID Authentication Report and Order (March 2023) extended the universal filing obligation to non-gateway intermediate providers, closing a category that had been outside the original requirement.
- STIR/SHAKEN implementation status. The filer certifies whether it has implemented STIR/SHAKEN on all IP portions of its network, partially implemented it, or not implemented it (with an explanation of any extension or exemption claimed). The status field is the regulatory anchor — providers asserting they don’t have a STIR/SHAKEN obligation must explicitly cite the rule that exempts them and explain in detail why the exemption applies.
- Robocall mitigation program. The filer commits to a set of mitigation practices — vetting customers, monitoring traffic for abuse, responding to traceback requests within 24 hours, and cooperating with the Industry Traceback Group at USTelecom. The commitments must be substantive enough that the program “can reasonably be expected to significantly reduce” illegal-robocall origination or carriage.
Each filer also submits a written robocall mitigation plan — a more detailed description of the mitigation practices the provider has in place. The plan can have a public version and a confidential unredacted version (with confidentiality requested under 47 CFR § 0.459 procedures); only the public version is visible in the database. The plan must address the categories expanded in the Sixth Caller ID Authentication Order: customer vetting (including for resellers), traffic-pattern monitoring, KYC-style customer-information collection, and any past formal enforcement actions or investigations the filer or its common-ownership affiliates have been subject to.
How the blocking mechanism works
The RMD is enforced through a chain-of-trust rule embedded in 47 CFR § 64.6305 itself. The relevant operational text: intermediate providers and voice service providers shall accept calls directly from a voice service provider, gateway provider, or non-gateway intermediate provider only if that provider’s filing appears in the Robocall Mitigation Database. The corollary follows directly: if a provider’s filing is missing or has been delisted by enforcement action, every downstream provider in the US must immediately cease accepting its traffic.
This is the operational lever that makes the RMD consequential. A provider can hold STIR/SHAKEN certificates, run signing infrastructure, and otherwise be technically compliant with the authentication framework, but if its RMD filing is removed for deficiency or fraud, every downstream provider is required to block its traffic. The enforcement effect is immediate and total — it doesn’t depend on the provider being identified as the source of specific illegal calls; it follows from the filing status itself.
The mechanism dovetails with the Industry Traceback Group’s operational role. ITG investigates robocall campaigns by walking back through the carrier chain to identify originators; its findings inform Enforcement Bureau decisions about which providers to investigate and pursue for RMD removal. A provider that fails to respond to traceback requests, or that has been identified by ITG as the source of multiple illegal-robocall campaigns, becomes a candidate for the formal removal process.
┌────────────────────────────────────────────┐
│ Provider files in RMD │
│ (description of mitigation practices) │
│ Required for any provider whose calls │
│ enter the U.S. network │
└────────────────────┬───────────────────────┘
│
│ baseline compliance
▼
┌────────────────────────────────────────────┐
│ Provider in good standing — downstream │
│ providers may accept its traffic │
└────────────────────┬───────────────────────┘
│
│ ongoing investigation
▼
┌────────────────────────────────────────────┐
│ ITG traceback: investigates robocall │
│ campaigns by walking back through the │
│ carrier chain to identify originators │
└────────────────────┬───────────────────────┘
│
│ findings inform
▼
┌────────────────────────────────────────────┐
│ FCC Enforcement Bureau review │
│ │
│ Provider may be cited for: │
│ - failing to respond to traceback requests │
│ - repeatedly originating illegal robocalls │
│ - deficient or fraudulent RMD filing │
└────────────────────┬───────────────────────┘
│
│ formal removal process
▼
┌────────────────────────────────────────────┐
│ Provider delisted from RMD │
└────────────────────┬───────────────────────┘
│
│ § 64.6305 chain-of-trust
│ rule kicks in immediately
▼
┌────────────────────────────────────────────┐
│ All downstream U.S. providers must │
│ IMMEDIATELY cease accepting traffic from │
│ this provider │
│ │
│ Effect: provider operationally cut off │
│ regardless of certificate status or other │
│ technical compliance │
└────────────────────────────────────────────┘
Filing obligations have grown across successive rulemakings
The RMD’s information requirements have expanded substantially from the original 2020 specification. Each major caller-ID authentication rulemaking has tightened the filing obligation:
- Second Caller ID Authentication R&O (September 2020) — Established the RMD with the original certification requirement (STIR/SHAKEN implementation status plus a mitigation program commitment). Filing was required only for voice service providers initially.
- Gateway Provider Order (June 2022) — Extended the filing obligation to gateway providers, which had been a category outside the original rule.
- Sixth Caller ID Authentication R&O (March 16, 2023) — The most consequential expansion. Made the filing obligation universal: every voice service provider, gateway provider, and non-gateway intermediate provider must file. Substantially expanded the information required — provider role in the call chain, detailed STIR/SHAKEN implementation status with specific exemption rationale, customer-vetting practices, traffic-monitoring practices, prior enforcement actions, and ownership/affiliate disclosure.
- Seventh Call Blocking R&O (May 2023) — Added a commitment that filers respond fully to traceback requests from the registered consortium (USTelecom’s ITG).
- Eighth Caller ID Authentication R&O (November 2024, effective September 18, 2025) — Established new third-party signing rules. Providers can use third-party authentication platforms but must retain control over the attestation decisions and use a certificate tied to their own SPC token. Required RMD filings to certify to “partial or complete STIR/SHAKEN implementation” with the new requirements reflected.
- 2024 RMD Order (“Improving the Effectiveness of the Robocall Mitigation Database”) — Adopted in late 2024, Federal Register publication January 6, 2026, effective February 5, 2026. Established a base forfeiture of $10,000 per violation for filers that submit false or inaccurate information, and $1,000 per violation for failure to update changed information within 10 business days. Required CORES registrants to submit updates within 10 business days of any information change. Directed development of two-factor authentication for RMD access. Established a dedicated reporting mechanism for deficient filings.
The 2024–2025 changes cluster around a single enforcement intuition: the RMD only works as a trust mechanism if filings are accurate and current, and the original rule didn’t have strong-enough penalties to make compliance reliable. The 2024 RMD Order and the Eighth R&O between them tightened the obligations and added per-violation forfeitures, with the February 2026 effective date marking when the new penalty regime fully takes effect.
Annual recertification by March 1 has been a constant requirement throughout — every filer must reaffirm the accuracy of its filing each year, with new content if anything has changed.
The 2024–2025 enforcement turn
The first three years of RMD operation were largely administrative — providers filed, the database accumulated records, but enforcement consequences for deficient filings were rare. That changed in late 2024 and accelerated through 2025.
December 2024 Show Cause Order. The Enforcement Bureau notified 2,411 providers that their RMD filings were deficient under the Sixth R&O’s expanded requirements (the February 26, 2024 deadline had been the trigger). Each provider was given the choice to cure the deficiency by April 29, 2024 or be referred to the Bureau for removal proceedings.
August 6, 2025 Initial Removal Order (DA 25-694). The Bureau removed 185 providers from the RMD — the first time the removal mechanism had been used at scale. The Bureau emphasized that these providers had been notified of deficiencies, given multiple opportunities to cure, and had also been identified by ITG as having transmitted suspicious traffic and failed to respond to traceback requests. A companion order directed all intermediate providers and terminating providers to cease accepting calls from the 185 companies.
August 25, 2025 Final Removal Order. A much larger follow-up action: over 1,200 additional providers removed, effective immediately. The combined Aug 6 + Aug 25 actions removed nearly 1,400 providers from the database in twenty days. The Final Removal Order established a refiling restriction — providers listed in Appendix A may not refile in the RMD without consent of both the Enforcement Bureau and the Wireline Competition Bureau.
September 15, 2025 Chase Tech LLC removal. A single-provider action removing Chase Tech for submitting false information — specifically, using the personally identifiable information of an unaffiliated individual in multiple required fields, then failing to respond to a notice of deficiency. The action established that the RMD’s penalty posture covers not just absent or stale filings but intentionally false ones, with removal as a consequence.
December 8, 2025 national-security action. A first-of-its-kind shift: orders to three Chinese telecommunications providers — China Unicom (Hong Kong) Operations Limited, China Mobile Hong Kong Company Limited, and China Telecom Global Limited — directing them to cure deficiencies in their RMD certifications and to explain why their inclusion in the RMD is not contrary to the public interest. Where prior removal orders had cited deficient filings or false information, these orders cited national security concerns as an independent basis for removal. The orders explicitly stated that even if the deficiencies are cured, removal “may still be warranted if the Compan[ies] cannot offer convincing evidence that [their] presence in the RMD is not a threat to national security and is in the public interest.” The action operationalizes the RMD as a tool not just for robocall enforcement but for the broader security posture of the US phone network — a significant doctrinal expansion.
Chairman Carr’s framing across these actions has been consistent: providers that fail to do their compliance duty “have no place in our networks.” The enforcement posture is likely to continue tightening.
Why this matters for the framework
The RMD is the operational instrument that makes caller-authentication policy enforceable. STIR/SHAKEN as a technical framework establishes who can sign calls; the RMD establishes who can connect to the US network at all. Together they describe the regulatory shape of US voice-network participation: a provider must hold STIR/SHAKEN credentials issued under recognized governance (STI-GA → STI-PA → certificate authority), maintain an accurate RMD filing, and operate a substantive robocall mitigation program. Failure on any of these three legs is grounds for losing network access.
For new providers entering the US market — including international originators using NANP numbers — the RMD filing requirement is the first compliance gate. A foreign provider that doesn’t file in the RMD has no path to having its traffic accepted by US intermediate providers, regardless of whether it implements STIR/SHAKEN. The combination of universal RMD filing plus the Sixth R&O’s explicit treatment of foreign providers using NANP numbers creates a regulatory perimeter around the US phone network that’s enforced at the RMD layer.
The relationship to STIR/SHAKEN itself runs in both directions. RMD removal cuts off a provider’s ability to use STIR/SHAKEN in practice — even with valid certificates, nobody downstream will accept the signed calls. Conversely, the September 2025 third-party signing rules made the RMD filing the place where a provider’s third-party signing arrangements are disclosed and certified. The RMD is no longer just a compliance artifact; it’s the connective tissue between technical authentication and regulatory accountability.
Where this fits
This page sits in trust governance because the RMD is the within-jurisdiction enforcement layer that makes US caller-authentication policy operational. The FCC Robocall Strike Force page covers the institutional moment that established STIR/SHAKEN as the framework; the NANC CATA Working Group page covers the substantive analysis that fed the RMD rulemakings; the FCC current rulemaking page covers the current FNPRMs (Ninth, KYC, KYUP) that are layering additional requirements on top of the RMD compliance baseline. The four pages together describe US within-jurisdiction governance from institutional formation through current enforcement.
The technical content — STIR/SHAKEN itself, the attestation model, the certificate hierarchy — lives in STIR/SHAKEN. The RMD doesn’t change the technical framework; it determines who is allowed to use it.