FCC Traceback Requirements

Q: What if I don't have records for the requested call?

Respond within 24 hours indicating that you've searched your records and don't have the requested information. Explain why.

Q: How long must I retain call records?

The FCC recommends at least 18 months. Many carriers retain for 2 years or longer.

What is Traceback?

Traceback is the process of tracing an illegal or suspicious call back through the telephone network to identify its origin. When consumers receive robocalls, government agencies or industry groups work backwards through the call path — from the terminating carrier to each intermediate carrier, ultimately reaching the originating provider who can identify the caller.

The traceback process is critical because robocallers typically use complex call routing, often spanning multiple carriers and sometimes multiple countries, to obscure their identity. Without cooperative traceback, it would be nearly impossible to hold bad actors accountable.

Why Traceback Matters

Traceback serves multiple purposes in the fight against illegal robocalls:

Law enforcement — Identifying callers for FCC enforcement actions and DOJ prosecutions
Industry accountability — Finding carriers that originate or pass illegal traffic
Network hygiene — Identifying and blocking sources of bad traffic
Consumer protection — Stopping ongoing scam campaigns
Regulatory compliance — Demonstrating good faith efforts to combat robocalls

The Regulatory Framework

FCC Traceback Rules

The FCC has established clear requirements for voice service provider participation in traceback. These requirements are codified in the Commission's rules and reinforced through orders and enforcement actions:

Mandatory cooperation — All voice service providers must cooperate with traceback requests
24-hour response — Providers must respond to traceback requests within 24 hours
Accurate information — Responses must include accurate call detail records
Robocall Mitigation Database filing — Providers must certify their traceback cooperation

TRACED Act Requirements

The Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act of 2019 significantly strengthened traceback requirements:

Mandated creation of a single consortium for traceback (the ITG)
Required the FCC to establish rules for traceback cooperation
Increased penalties for robocall violations
Extended the statute of limitations for enforcement actions
Required the FCC to consider traceback cooperation in enforcement decisions

Robocall Mitigation Database Integration

Voice service providers must file in the FCC's Robocall Mitigation Database (RMD), certifying either STIR/SHAKEN implementation or a robocall mitigation program. The filing must include certification of:

Commitment to respond to traceback requests within 24 hours
Contact information for traceback requests
Description of traceback cooperation procedures

Providers who fail to file or who are identified as non-responsive to traceback may be removed from the database, triggering blocking of their traffic by downstream carriers.

Streamline your traceback compliance. Our Traceback Search API helps you quickly identify call origins and maintain compliance.

Traceback Search API

The Traceback Process Step-by-Step

Step 1: Complaint or Detection

Traceback investigations typically begin with:

Consumer complaints to the FCC, FTC, or state attorneys general
Honeypot detection by carriers or research organizations
Pattern analysis identifying suspicious traffic volumes or characteristics
Law enforcement requests for specific investigations

Step 2: Initial Analysis

The Industry Traceback Group (ITG) or requesting party analyzes the complaint to determine:

Whether the call appears to violate FCC rules or laws
The terminating carrier from the complaint data
Time and date parameters for the traceback
Any available caller ID information

Step 3: Traceback Request Chain

The traceback proceeds backwards through the call path:

Terminating carrier receives request, provides upstream carrier information
Each intermediate carrier responds with their upstream source
Originating carrier identifies the customer who placed the call

Each carrier in the chain must respond within 24 hours with the requested call detail records (CDRs) and information about where the call came from.

Step 4: Origin Identification

Once the traceback reaches the originating provider, that carrier must provide:

Customer identification information
Account details and contract information
Traffic patterns and volume data
Any actions already taken (warnings, suspensions)

Step 5: Enforcement or Mitigation

Based on traceback results, various actions may follow:

FCC enforcement — Formal investigations and potential fines
Provider action — Customer termination or traffic blocking
Law enforcement referral — Criminal investigation for serious violations
Industry notification — Alerts about bad actors

Traceback Response Requirements

The 24-Hour Rule

Voice service providers must respond to traceback requests within 24 hours. This means:

Business hours don't matter — 24 hours means 24 hours, including weekends and holidays
Automated systems help — Consider implementing automated traceback response capabilities
Designated contacts — Maintain 24/7 contact availability for urgent requests
Escalation procedures — Have clear processes for after-hours response

Required Information

Traceback responses must include:

Data Element	Description
Upstream provider	Identity of the carrier or entity from whom you received the call
Call detail records	Time, date, duration, ANI, DNIS for the specific call
Trunk/circuit ID	Technical routing information
Customer info (if originating)	Identity of the customer who placed the call
Contact information	Who to contact for follow-up questions

Record Retention Requirements

To respond to traceback requests, you must maintain adequate call records:

Minimum retention — Keep CDRs for at least 18 months (FCC recommendation)
Quick access — Records must be retrievable within the 24-hour window
Complete data — Include all routing and timing information
Secure storage — Protect records from tampering or loss

The Industry Traceback Group (ITG)

ITG Structure and Function

The Industry Traceback Group, operated by USTelecom, is the primary industry consortium for conducting tracebacks:

Recognized by the FCC as the official traceback consortium
Operates the traceback portal and coordination system
Manages relationships with voice service providers
Reports findings to the FCC and law enforcement

ITG Membership and Participation

Voice service providers can participate in the ITG in several ways:

Full membership — Active participation in traceback operations
Cooperative agreement — Commitment to respond to ITG requests
Portal access — Self-service traceback capabilities

ITG Best Practices

The ITG recommends several best practices for traceback cooperation:

Register a dedicated traceback contact with current contact information
Implement automated response systems where possible
Monitor for patterns of suspicious traffic proactively
Take action against bad actors before traceback requests arrive
Document all traceback responses and actions taken

Traceback Compliance Best Practices

Organizational Readiness

Prepare your organization for traceback requirements:

Designate a traceback coordinator — Single point of responsibility
Establish 24/7 coverage — Ensure responses don't wait for business hours
Train relevant staff — Everyone who might receive requests should know the process
Create response templates — Standardize your response format
Document procedures — Written procedures for audit and training

Technical Infrastructure

Build the technical capabilities needed for traceback:

CDR systems — Robust call detail record collection and storage
Search capabilities — Quick lookup by ANI, time, date, or other parameters
Integration with ITG portal — Automated response where possible
Alerting systems — Notification when traceback requests arrive

Proactive Monitoring

Don't wait for traceback requests — identify problems proactively:

Traffic analysis — Monitor for unusual patterns or volumes
Complaint correlation — Connect customer complaints to traffic sources
Industry intelligence — Monitor for known bad actor indicators
Self-traceback — Investigate suspicious traffic internally

Consequences of Non-Compliance

Regulatory Actions

Failure to cooperate with traceback can result in:

RMD removal — Removal from the Robocall Mitigation Database
Traffic blocking — Downstream carriers required to block your traffic
FCC enforcement — Formal investigations and potential fines
Citation in FCC orders — Public naming as a non-cooperative provider

Industry Consequences

Beyond regulatory action, non-compliance affects your industry relationships:

Carrier trust — Other carriers may refuse to do business with you
Reputation damage — Being known as a "bad actor haven"
Customer loss — Legitimate customers may leave
Insurance and banking — Potential issues with service providers

Recent Enforcement Examples

The FCC has taken action against carriers for traceback failures:

Multiple carriers removed from RMD for non-responsiveness
Cease-and-desist orders for carriers originating robocall traffic
Proposed forfeitures in the millions for egregious violations
Referrals to DOJ for criminal prosecution

Using Traceback Search for Self-Investigation

Benefits of Self-Traceback

Proactive traceback capabilities offer several advantages:

Early detection — Find bad actors before regulators do
Faster response — Take action immediately rather than waiting for complaints
Compliance documentation — Demonstrate good faith efforts
Customer protection — Keep legitimate customers from being impacted

What to Look For

When conducting self-traceback investigations, watch for:

High call volumes from individual customers
Low answer rates combined with high call volumes
Patterns matching known robocall campaigns
Calls to numbers on DNC lists
Customer complaints about specific originating numbers

Implementing Self-Traceback

Build traceback capabilities into your operations:

# Example: Query for suspicious calling patterns
suspicious_activity = traceback_api.search(
    date_range="last_7_days",
    min_calls_per_number=1000,
    answer_rate_below=0.15,
    include_carrier_chain=True
)

for activity in suspicious_activity:
    # Review and take action
    if activity.risk_score > 0.8:
        alert_compliance_team(activity)
        consider_traffic_block(activity.customer_id)

Documentation and Audit Trail

What to Document

Maintain comprehensive documentation of your traceback activities:

All traceback requests received — Date, source, scope
Response times — When you responded, how long it took
Information provided — What data you shared
Actions taken — Customer notifications, suspensions, terminations
Follow-up communications — Any additional requests or clarifications

Audit Preparation

Be ready for regulatory audits of your traceback compliance:

Organize records by date and case
Maintain copies of all correspondence
Document your policies and procedures
Track metrics (response times, resolution rates)
Keep evidence of proactive monitoring

Future Developments

Enhanced Traceback Requirements

The FCC continues to strengthen traceback requirements:

Potential reduction of response time requirements
Expanded data retention mandates
Enhanced reporting requirements
Stricter consequences for non-cooperation

Technology Improvements

Traceback technology continues to evolve:

Real-time traceback capabilities
Automated response systems
Integration with STIR/SHAKEN data
Machine learning for pattern detection

Frequently Asked Questions

Who can send traceback requests?

Traceback requests primarily come from the Industry Traceback Group (ITG), the FCC, the FTC, and state attorneys general. Law enforcement agencies may also request tracebacks for criminal investigations. You should verify the legitimacy of any traceback request before responding with sensitive information.

What if I don't have records for the requested call?

You should respond within 24 hours indicating that you've searched your records and don't have the requested information. Explain why (the call may not have transited your network, or records may have aged out). Be honest — false claims of no records when records exist is a serious compliance violation.

How long must I retain call records?

While there's no strict FCC mandate, the Commission recommends retaining call detail records for at least 18 months. Many carriers retain for 2 years or longer. Longer retention helps you respond to traceback requests for older calls and demonstrates good faith compliance efforts.

What happens if I'm identified as an originating provider for robocalls?

Being identified as originating illegal robocall traffic doesn't automatically mean you're in trouble, but you must take action. Investigate the customer, suspend or terminate their service if violations are confirmed, and document your actions. The FCC considers your response when determining liability. Proactive action and cooperation work in your favor.

Can I be held liable for traffic I only transited?

Generally, intermediate carriers have limited liability for traffic they merely transit. However, if you repeatedly transit traffic from known bad actors without taking action, or if you fail to cooperate with traceback, you may face regulatory scrutiny. Know-your-customer obligations extend throughout the call path.

Key Takeaways