14,932
edits
Changes
→=2022 Round of Audits
In addition, the percentage of complaints received that lacked evidence of noncompliance or fell outside of ICANN org's contractual scope increased. For example, many complainants believe that the registration data is "missing" from the public Registration Data Directory Service (or WHOIS service), privacy or proxy service data are redactions, or all non-European data should be displayed. While Contractual Compliance efforts to educate complainants on contractual requirements increased, the number of actual investigations into registrars' compliance with registration data accuracy obligations decreased.<ref name="gdpr" /></blockquote>
In addition, the percentage of complaints received that lacked evidence of noncompliance or fell outside of ICANN org's contractual scope increased. For example, many complainants believe that the registration data is "missing" from the public Registration Data Directory Service (or WHOIS service), privacy or proxy service data are redactions, or all non-European data should be displayed. While Contractual Compliance efforts to educate complainants on contractual requirements increased, the number of actual investigations into registrars' compliance with registration data accuracy obligations decreased.<ref name="gdpr" /></blockquote>
===SSAD Design and Contractual Compliance===
At [[ICANN 72]], the [[SSAD]] [[Operational Design Phase]] team presented on the progress of the operational design phase for the System for Standardized Access/Disclosure.<ref name="ssadblog">[https://www.icann.org/en/blogs/details/ssad-odp-update-contractual-compliance-and-identity-verification-methodology-2-11-2021-en ICANN.org Blog - SSAD ODP Update: Contractual Compliance and Identity Verification Methodology], November 2, 2021</ref> The presentation included a description of the Contractual Compliance department's role in the new system. Noting that the "alert mechanism is not an appeal mechanism,"<ref name="ssadpreso">[https://www.icann.org/en/system/files/files/presentation-ssad-odp-project-update-community-discussion-28oct21-en.pdf ICANN 72 Archive - SSAD ODP Project Update Presentation Slides], October 28, 2021 (PDF)</ref>, the design team notes that compliance complaints could be filed within narrow procedural contraints in two categories:
* Procedural failures regarding alert mechanisms & complaints regarding contracted party behavior. For example, a contracted party fails to provide a sufficient rationale for a denial of an information request; or a contracted party dismisses a request without first seeking additional information from the requesting party; and
* Failure to respond to urgen requests within the timeframes listed in the contracted party's [[Service Level Agreement]].<ref name="ssadpreso" />
Although the design team anticipated that there may be changes in the scope and method of Contractual Compliance's complaint processes related to SSAD, the recommendations of the [[Expedited Policy Development Process on the Temporary Specification for gTLD Registration Data (EPDP)|EPDP on the Temporary Specification for gTLD Registration Data]] anticipate that the SSAD system will have its own processes, as well as avenues of legal recourse for people requesting registration data. As such, they presently anticipate that Contractual Compliance will have limited and specific involvement with the SSAD.<ref name="ssadpreso" />
==Monitoring==
==Monitoring==
Prior to the creation of the base RA, audit provisions tended to be limited to financial records and technical reports. For example, Verisign's Registry Agreement to manage the [[.com]] domain contained no mention of compliance audits until its amendment in December 2012.<ref>[https://www.icann.org/en/registry-agreements/com/com-registry-agreement-1-12-2012-en ICANN.org - .com Registry Agreement], as amended December 1, 2012. Compare with [https://www.icann.org/en/registry-agreements/com/com-registry-agreement---1-march-2006-amended-22-september-2010-22-9-2010-en the .com Registry Agreement] as amended September 22, 2010</ref>
Prior to the creation of the base RA, audit provisions tended to be limited to financial records and technical reports. For example, Verisign's Registry Agreement to manage the [[.com]] domain contained no mention of compliance audits until its amendment in December 2012.<ref>[https://www.icann.org/en/registry-agreements/com/com-registry-agreement-1-12-2012-en ICANN.org - .com Registry Agreement], as amended December 1, 2012. Compare with [https://www.icann.org/en/registry-agreements/com/com-registry-agreement---1-march-2006-amended-22-september-2010-22-9-2010-en the .com Registry Agreement] as amended September 22, 2010</ref>
===2007 Announcement of Compliance Audit Processes===
ICANN's earliest posted report of registrar compliance dates from October 2006.<ref name="06update">[https://www.icann.org/resources/newsletter/registrar-update-2006-10-01-en ICANN.org - Registrar Compliance Update], October 1, 2010</ref> That report indicated that ICANN intended to introduce audit processes for registrars, "similar to the registry audit program already in place."<ref name="06update" /> In March 2007, Contractual Compliance announced its intention to begin auditing the contractual and operational compliance of both registries and registrars.<ref>[https://www.icann.org/en/blogs/details/updated-contractual-compliance-program-24-3-2007-en ICANN.org Blog - Updated Contractual Compliance Program], March 24, 2007</ref> Three days earlier, ICANN's CEO at the time, [[Paul Twomey]], announced that review and revision of ICANN's Registrar Accreditation process was necessary to ensure consumer protection and enforcement goals.<ref>[https://www.icann.org/en/announcements/details/registrar-accreditation-policy-and-process-must-be-reviewed-21-3-2007-en ICANN.org - Registrar Accreditation Policy and Process must be reviewed], March 21, 2007</ref> The announcement was prompted in part by the termination of [[RegisterFly]] due to a large volume of customer complaints. Some commentators criticized ICANN at the time for failing to act sooner.<ref>[https://domainnamewire.com/2007/03/27/icann-lets-learn-from-registerfly/ Domain Name Wire - ICANN: Let's Learn from RegisterFly], March 27, 2007</ref> ICANN executives at the time identified the lack of enforcement mechanisms apart for revocation of accreditation hampered ICANN's capacity to respond.<ref>[https://www.cbc.ca/news/science/icann-to-review-domain-name-regulations-1.671879 CBC News - ICANN to Review Domain Name Regulations], March 27, 2007</ref>
At the time of the announcement, there were no contractual provisions for such audits, except to the extent that individual registry agreements might grant a right to audit technical records of registry operators. However, review of the RAA was discussed at [[ICANN 28]] in Lisbon at the end of March.<ref>[https://www.icann.org/resources/board-material/resolutions-2007-03-30-en#_Toc36876525 ICANN Board Meeting Minutes], June 30, 2007</ref> In June 2007, the ICANN Board initiated its Consultation on Registrar Accreditation Agreements.<ref>[https://www.icann.org/resources/board-material/resolutions-2007-06-29-en#k Resolutions 07.50-07.52 of the Board], June 29, 2007</ref> This process resulted in the 2009 amendments to the RAA.
====Initial Audits====
Contractual Compliance performed periodic compliance audits starting in 2007. The audits were initially conceived as multiple periodic phases of review.<ref name="07auditrep">[https://www.icann.org/en/resources/compliance/reports/contractual-compliance-audit-report-18oct07-en.pdf ICANN.org - October 2007 Semi-Annual Contractual Compliance Report], October 18, 2007 (PDF)</ref> The first registrar audit report presented a proposed schedule for 2007 and beyond:<ref name="07auditrep" />
{| class="wikitable"
|-
! Quarter
! Registrar Audits
! Registry Audits
! Notes
|-
| Q1
| WHOIS Data Problem Report Findings<br />Primary Contact Information<br />
| Code of Conduct<br />Non-Discriminatory Access<br />
|
|-
| Q2
| Registrar Fees<br />Website Compliance<br />
| Registry Fees<br />Performance Specifications<br />
|
|-
| Q3
| WHOIS Server Accessibility<br />Registrar Data Retention*<br />
| WHOIS Data Accuracy
| *New Audit Process
|-
| Q4
| Insurance Verification<br />WHOIS Data Acuracy*<br />Inter-Registrar Transfer Policy*<br />
| Data Escrow<br />Registration Restrictions<br />
| *New Audit Process
|}
The initial report noted that the level of activity and work required for each audit varied from quarter to quarter.<ref name="07auditrep" /> Audits related to this plan continued for roughly two years, with additional reports being issued in July 2008<ref>[https://www.icann.org/en/resources/compliance/reports/contractual-compliance-audit-report-29jul08-en.pdf ICANN.org - July 2008 Semi-Annual Contractual Compliance Report], July 29, 2008 (PDF)</ref> and February 2009.<ref>[https://www.icann.org/en/resources/compliance/reports/contractual-compliance-report-27feb09-en.pdf ICANN.org - February 2009 Semi-Annual Contractual Compliance Report], February 27, 2009 (PDF)</ref> The last report apparently related to this program was issued in December 2009.<ref>[https://www.icann.org/en/resources/compliance/reports/contractual-compliance-report-24dec09-en.pdf ICANN.org - December 2009 Semi-Annual Contractual Compliance Report], December 24, 2009 (PDF)</ref>
===Three-Year Audit Program, 2012-2014===
===Three-Year Audit Program, 2012-2014===
|}
|}
In total, only 15 registrars passed the audit process without any notice of deficiency.<ref name="21audit" /> Of the remaining 111 registrars, 92 cured all reported deficiencies before the end of the audit's remediation phase. 19 registrars were unable to cure all deficiencies within the audit timeframe, and negotiated due dates with Contractual Compliance for completion of their work to cure.<ref name="21audit" />
In total, only 15 registrars passed the audit process without any notice of deficiency.<ref name="21audit" /> Of the remaining 111 registrars, 92 cured all reported deficiencies before the end of the audit's remediation phase. Nineteen registrars were unable to cure all deficiencies within the audit timeframe and negotiated due dates with Contractual Compliance for completion of their work to cure.<ref name="21audit" />
===2022 Round of Audits===
On April 4, 2022, Contractual Compliance sent pre-audit notifications to Registry Operators for 28 gTLDs. The selected Registry Operators received a Request for Information containing the audit questions.<ref>[https://www.icann.org/en/announcements/details/icanns-contractual-compliance-announces-new-audit-round-13-04-2022-en Contractual Compliance announces new audit round, ICANN Announcements, April 13, 2022]</ref><br/> The selection criteria for the 28 gTLDs included:
* not previously audited in a standard full-scope RA Audit
* at least 100 domains
* highest abuse score as reported by publicly available [[RBL|Reputation Blocklists]] (excluding spam)
When these criteria resulted in multiple gTLDs operated by the same Registry Operator, ICANN selected one gTLD to represent the Registry Operator.
==Outreach==
==Outreach==
Contractual Compliance presents frequently at [[ICANN Meetings|ICANN meetings]], and conducts seminars and other educational programs throughout the ICANN regions.<ref>[https://www.icann.org/resources/compliance/outreach ICANN.org - Contractual Compliance Outreach Activities]</ref>
Contractual Compliance presents frequently at [[ICANN Meetings|ICANN meetings]], and conducts seminars and other educational programs throughout the ICANN regions.<ref>[https://www.icann.org/resources/compliance/outreach ICANN.org - Contractual Compliance Outreach Activities]</ref>
==Roles at ICANN==
==ICANN CC Staffers==
* Senior Manager, Contractual Compliance Risk and Audit
* [[Leticia Castillo Sojo]], [[Jonathan Denison]], [[Roger Lim]]: Directors, Contractual Compliance
* SVP, Contractual Compliance & U.S. Government Engagement
* [[Yan Agranonik]]: Senior Manager, Contractual Compliance Risk and Audit
* Contractual Compliance Risk and Audit Senior Specialist
* [[Jamie Hedlund]]: SVP, Contractual Compliance & Consumer Safeguards, Managing Director
* Contractual Compliance Lead
* [[Joseph Restuccia]]: Contractual Compliance Risk and Audit Senior Specialist
* Sr. Manager, Contractual Compliance
* [[Amanda Rose]]: Contractual Compliance Lead
* Contractual Compliance Analyst
* [[Zuhra Salijanova]]: Sr. Manager, Contractual Compliance
* Contractual Compliance Specialist
* [[Mehdi Kurdmisto]], [[Genie Chou]], [[Mariana Solano]], [[Dickson Chew]], [[HuiYing Lim]], [[Leah Symekher]], [[Laine Tan]], [[Amanda Weddle]]: Contractual Compliance Analysts
* Contractual Compliance Senior Specialist
* [[Nicholas Axelrod-McLeod]], [[Charmaine Lim]], [[Bryan Tan]]: Contractual Compliance Specialists
* [[May Kim]], [[Holida Yanik]], [[Selim Manzak]], [[Jinzaemon Kimoto]]: Contractual Compliance Senior Specialists
* [[Pamela Howard]]: Performance Measurement & Reporting Senior Manager
* [[Cynthia Tinsley]]: Contractual Compliance Executive Assistant
==References==
==References==
{{reflist}}
{{reflist}}
[[Category:ICANN Organization]]
[[Category:ICANN Organization]]