STIR/SHAKEN compliance basics for voice calling
What STIR/SHAKEN is
A telecom framework introduced in 2021 to combat robocall fraud:
- STIR (Secure Telephony Identity Revisited). Cryptographic standard for caller ID.
- SHAKEN (Signature-based Handling of Asserted information using toKENs). Implementation framework.
Together: carriers sign every call with an attestation level (A, B, or C). Receiving carriers verify the signature and display "Verified" or warn "Likely Spam".
Attestation levels
Three levels:
- Level A (Full). Caller and number both verified by the originating carrier.
- Level B (Partial). Caller verified, number not directly attributable.
- Level C (Gateway). No verification; call passed through.
Receiving carriers may block or flag Level B and C calls. Level A clears.
When this matters
Only for outbound voice calls in US and Canada:
- Inbound calls. Not affected.
- SMS. Not affected (covered by A2P 10DLC).
- International outbound. Varies by country; many adopting STIR/SHAKEN-equivalent frameworks.
If you only use voice for inbound IVR, STIR/SHAKEN is essentially handled by your carrier; you don't need direct action.
How Twilio handles it
Twilio is a STIR/SHAKEN-compliant originating carrier. They:
- Sign all outbound calls with the appropriate attestation level.
- Use Level A when you've registered the number for your business.
- Drop to Level B for unregistered numbers or shared lines.
Most legitimate outbound calls auto-clear Level A through Twilio.
Registering for Level A
To ensure your outbound calls get Level A:
- Twilio Console > Trust Hub > Customer Profiles.
- Complete Business Profile (similar to A2P 10DLC).
- Submit for verification. 1 to 3 business days.
- Once verified, all outbound calls signed Level A automatically.
If unverified: outbound calls sign Level B. Some carriers still pass; some flag.
Cost
- Twilio Business Profile: about $4 to $40 one-time depending on scope.
- No per-call fee for STIR/SHAKEN signing.
- Cost of unverified: higher rejection rate, lower CSAT.
Inbound IVR considerations
For inbound voice (most AskVault voice deployments):
- STIR/SHAKEN unaffected by AskVault config.
- Caller's number may show as "Verified" or "Likely Spam" based on the caller's own carrier setup.
- The bot still accepts calls regardless of attestation.
Useful: log the attestation level in conversation audit for spam-pattern analysis.
Beyond US/Canada
Other regions adopting similar frameworks:
- UK. Discussion ongoing; Ofcom proposed similar regulation.
- EU. GDPR-aligned caller-verification under consideration.
- India. Recent TRAI rules require verified caller display for transactional calls.
- France. Outbound spam-call rules from 2023.
For now, US/Canada is the most strictly enforced.
Limits
- Attestation levels. 3 levels (A, B, C).
- Verification time. Typically 24 to 72 hours.
- Approval rate. About 90% for legitimate businesses.
- Signed calls. No platform-side limit on requests per second.
- Implementation time. 30 minutes for Twilio profile setup.
- Audit retention. 365 days standard.
Common pitfalls
Outbound calls flagged "Likely Spam". Number not Level-A-signed. Complete Twilio Business Profile.
Caller-display works on one carrier but not another. Verifying carrier varies. Industry-wide compliance still ramping.
Inbound calls from your own staff flagged as spam. Their own personal carriers don't sign. Not an AskVault issue; raise with their carrier.
Planned features (on the roadmap)
- Outbound campaign mode. Today, AskVault voice is inbound-only. Compliance-gated outbound planned.
- Per-call attestation logging. Today, basic. Detailed attestation insight planned.
FAQ
Does AskVault need to do anything for STIR/SHAKEN?
For inbound-only voice: no. Twilio's carrier signing is sufficient.
Will my number be rejected without registration?
Outbound: increasingly yes. Inbound: no.
Does STIR/SHAKEN affect message-template approval (WhatsApp/SMS)?
No. Separate framework.