Policy Compliance Dashboard (Draft-2)

Proposal

 

1. Summary of the problem being addressed by this proposal

The AFRINIC RSA* mandates members to comply with the AFRINIC policies developed via the PDP.

Section 4.C of the RSA states the irrevocable commitment of the member for using the services for the purpose for which it was requested and in full unreserved compliance with AFRINIC policies.

This is of key importance, because a member not following the policies may be impacted in the evaluation of future requests by AFRINIC, the revocation of the services or even the closure of the member (section 4.b.iii).

Just to be clear, “services” are defined in the RSA, under section 1.C, and those include number resources, among others. So, the impact for a member that is not following the PDP process and CPM changes, may be of catastrophic business consequences.

The PDP is continuously updating the CPM, and it is obvious that some members may not be following, up to date, all the details and possible impact in their services/resources, while the RSA states that AFRINIC, at its own discretion, can investigate the use of the services.

Every Policy in the CPM indicates what and how things should be done. Lack of conformity with any part of the CPM, even if not clearly stated, it is considered a lack of compliance, following a coherent interpretation of both the RSA and the CPM.

Consequently, members should be protected against this situation, in a simple manner that allows them to know their up-to-date policy compliance, get alerts about the lack of compliance and consequently react to address those.

The RSA specifies a generic procedure to resolve the situation with members, and facilitate the actual compliance. There should be a clearer timeline and sufficient opportunities to resolve the situation, in a fair way to all the members, instead of taking irreversible decisions on the first occasion of any policy violation in case of no response in 30 days.

There should be always equal opportunities for any member to correct mistakes before reaching a fatal point.

  

2. Summary of how this proposal addresses the problem

This proposal provides the framework for a “Policy Compliance Dashboard”, to be developed by AFRINIC, and incorporated into MyAFRINIC (and future members communications platforms).

The dashboard will show all possible details to match the CPM and RSA, such as:

1. Contractual non-compliance:
   • Generic contractual obligations (such as status of payments or documents).
   • Lack of response from the member.
   • Unauthorised transfers. (Remove as this check cannot be automated unless the intent here is for staff to manually update the dashboard upon detection of this issue)
   • Submission of fraudulent documents (Remove as this check cannot be automated, unless the intent here is for staff to manually update the dashboard upon detection of this issue)
2. Policy non-compliance:
   • Unused or unannounced resources (where mandatory).
   • Unavailable or outdated Whois information.
   • Lack of maintenance of the reverse delegation.
   • Forbidden sub-assignments (from PI assignments). (Remove as the WHOIS can be configured to deny sub-assignments
   • Generic repeated and/or continued policy violations.

Note that the above are examples, as the RSA and CPM could evolve and incorporate other non-compliance reasons.

This proposal will allow periodically review of the policy compliance status of each member, as much automated as possible, so they can receive automated notifications of any issue. Warnings will be also sent to the staff, and only in cases of a continued and repeated lack of compliance, or severe violation of certain aspects of the CPM, AFRINIC will be able to take further actions according to the RSA.

AFRINIC will implement this policy in phases, according to Board and internal decisions, depending on the availability of resources, in order to avoid impact in day-to-day operations. For example, a first phase may be integrating into the MyAFRINIC the overall dashboard framework (GUI, notifications, non-compliance tracking), followed by the already existing automated tools (as indicated by analysis impact 4.3 on v1 of this proposal). Then, each part of the RSA and CPM can be addressed, one by one, or even several of them in parallel. This way, there is not a specific timeframe, and it can be accommodated to the available resources, results for each part of the RSA/CPM being integrated and tickets being generated and resolved, etc.

It is clear that there is a one-time investment in implementation, as with the majority of the policies, however, the advantages for the staff, community and membership are obvious, including a huge saving of resources in manual tracking and allowing the membership to be up-to-date with the compliance even with policy changes. Those advantages may also be considered by the board in terms of recruiting staff for the implementation, if needed, depending on the progress of the implementation project.

 

3. Proposal

Adding a new section in the CPM, numbered as best fits according to the staff criteria, as follows:

1 Policy Compliance AFRINIC services are provided to members under the umbrella of the RSA mandate, which in turn ask for compliance with policies. Those policies are documented in the CPM, which is continuously updated by the PDP.

2 Policy Compliance Dashboard AFRINIC “Policy Compliance Dashboard” shows to each member its status of compliance with the Registration Services Agreement and applicable resource policies, collected by means of a periodical review, automated as much as possible. The dashboard automation will need to be accommodated along the evolution of the CPM evolves through the PDP, in order to display new details.

3 Notifications The dashboard: Is subject to review periodically based on updates to the RSA and resource policies. Will automatically send notifications to members as soon as non-compliance against the RSA/policy is detected. Will send reminders to the members for non-compliance Will send notifications to AFRINIC staff for persistent non-compliance after 3 months. A persistent non-compliance, in this case, means non-compliance unresolved during that period. AFRINIC shall consider that a member is persisting in non-compliance in case more than 3 confirmed violations happen in a 12 months timeframe. This trigger will be reset once there are no policy violations after 12 months

4 Lack of Compliance AFRINIC will be able to initiate a more exhaustive investigation and take further actions, according to the RSA, when there is evidence suggesting that there is a persistent lack of compliance.

5 Service Withholding, Revocation, or Member Closure Contractual non-compliance, such as unauthorized transfers, lack of payment or document fraud, once confirmed, will cause the revocation of the services and member closure, following the RSA. Non-compliance with the RSA and/or policies will trigger actions by AFRINIC through communication with the member in order to resolve the non-compliance and thereafter, actions taken are then aligned with the applicable RSA clauses. Repeated and/or continued policy non-compliance, once confirmed, may be because of service withholding and resource revocation. Towards that, AFRINIC must have a process containing at least the following steps: AFRINIC must attempt to contact the member and rectify the situation. If the situation can’t be regularized, AFRINIC will publish on a specific public web page the resources that are to be recovered for a maximum of three months. During this period, the organization may still regularize the situation. If the situation is not resolved, two months after the resources are published, AFRINIC will proceed to backup and remove the NS records pointing to the authoritative nameservers of the resources involved. This information may be restored once the organization reestablishes contact with AFRINIC and resolves the lack of compliance. If three months after the resources are published the organization has not regularized the situation, the resources will be recovered and the records of the holders of these resources will be removed from AFRINIC’s database. All other provisions specified in the RSA and Bylaws will apply.

6 Exceptionalities When the revocation of resources involves essential strategic infrastructure that is necessary for the operation of the Internet in the region, or in exceptional situations such as natural disasters or political instability, the AFRINIC Board may extend the resource revocation period, with prior assessment by the Staff, once such an exceptional situation is detected.

 

4. References

• AFRINIC RSA: https://afrinic.net/membership/agreements | https://afrinic.net/ast/pdf/services/afrinic-rsa-en-201801.pdf   
• Similar policies or procedures, for the same/similar purposes, also exist in the other regions.
  • APNIC: https://www.apnic.net/community/policy/resources#4.2.-Closure-and-recovery 
  • ARIN: https://www.arin.net/participate/policy/nrpm/#12-resource-review 
  • LACNIC: An equivalent proposal reached consensus and has been ratified (being implemented in phases): 
https://politicas.lacnic.net/politicas/detail/id/LAC-2019-9?language=en
  • RIPE NCC: https://www.ripe.net/publications/docs/ripe-694 | https://www.ripe.net/publications/docs/ripe-716 

 

Revision History

Revision History

Date	Details
9 Nov 2021	Version 2 AFPUB-2021-GEN-003-DRAFT02 Updates to correct typos
18 Oct 2021	Version 1: AFPUB-2021-GEN-003-DRAFT01 Inputs from the previous discussion and impact analysis Removed resource return text, to be tackled by an independent proposal

 

AFRINIC Policy Impact Assessment

 

AFRINIC Staff Assessment

 

15 November 2021

 

1.0) Staff Interpretation & Understanding of the proposal

The proposal requests AFRINIC to set up a dashboard on its system so that its Resource Members are shown their status of compliance with respect to the Registration Service Agreement and the applicable resource policies. The dashboard will also send notifications to the members as soon as non-compliance is detected, followed by reminders. Should non-compliance persist for 3 months and be unresolved, the dashboard will then send a notification to AFRINIC staff.

According to the proposal, persistent non-compliance is determined in case more than three confirmed violations have happened in a 12 months timeframe. In accordance with the Registration Service Agreement, AFRINIC is able to initiate a more exhaustive investigation of the resource member.

The proposal also states that following the RSA, certain non-contractual non-compliance will entail revocation of services and member closure. It also mentions that in cases of repeated and/or continued non-compliance, AFRINIC may cause service withholding and resource revocation. The proposal lists the steps that AFRINIC shall mandatorily take, which constitute of:-

1. Engaging with the Resource Member and rectifying the situation
2. Publish on a specific webpage for a period of a maximum of 3 months, the resources that are to be recovered
3. In case the member does not resolve its compliance two months after the publication of intended revocation, AFRINIC will withhold the reverse DNS service
4. Three months after the publication of intended revocation, AFRINIC shall revoke the resources

Under exceptional circumstances such as resources are being used on strategic infrastructure for the operation of the Internet in the region, or exceptional situations such as natural disasters and political stability, the Board may extend the resource revocation period with a prior assessment conducted by staff.

 

2.0) Staff Comments On Areas of Impact

Impact on Registry Functions

1. New sub-process/procedure to be developed for the overall non-compliance workflow
2. The dashboard on the member portal needs to be configured to send notifications as well as periodical reminders of non-compliance to the members.
3. Dashboard on member portal needs to be configured to send notifications of persistent non-compliance after 3 months
4. Resource Members follow-up in regard to persistent non-compliance will also be required
5. The dashboard will also evolve with any new resource policies that come into effect.

 

Legal Assessment

The legal observations are as follows:

 

(a) Ex-facie the aforesaid policy proposal and while the intention of the authors is evident, yet this proposal, as styled, has the effect of:

(i) Encroaching on the internal management and operations of AFRINIC insofar as contract management of the Registration Service Agreement (RSA) is concerned.

(ii) The fact that AFRINIC will only be able to execute the provisions of the RSA upon “3 confirmed violations” during a 12 months’ timeframe makes it impractical and unrealistic in as much as a breach(es) committed by resource members will differ from the organisation to organisation. It is difficult to envisage how this proposal is workable in practice.

 

(b) Besides, the RSA already empowers AFRINIC to initiate such reviews or investigations whenever it has good cause to do so. The RSA also provides for the withholding (suspension) and/or revocation of resources in cases where the concerned resource member fails to cooperate with AFRINIC. Therefore, the proposal that AFRINIC shall only trigger the termination process in cases where there is a persistent non-compliance on the part of the resource member is misconceived for the reason stated above.

 

(c) Should the aforesaid policy proposal, as styled, reaches consensus, it is highly likely that the board of directors acting through its management will face difficulty to give full effect to the existing terms of the RSA since AFRINIC will be debarred from taking any actions under the RSA unless and until at least 3 violations on the part of the resource member have been recorded.

At this juncture, it is apposite to recall that sub-section 8.2(ii) of the AFRINIC’s bylaws empowers the board of directors, acting reasonably and in good faith, to determine that the resource member has ceased to satisfy the criteria for admission to membership. Likewise, clause 11(d)(iii) of the RSA provides that AFRINIC (i.e. its board acting through its management) shall have the right to terminate the agreement upon giving the resource member such written notice of its intention and inviting the latter to show cause why such action shall not be taken against it.

 

(d) Further, by the time that a resource member ends up being persistently non-compliant, it is highly probable that the RSA which has an initial tenure of one calendar year would have automatically been renewed for another calendar year such that the identified breaches would then become ‘caduc’. Consequently, any identified breach(es) of the RSA on the part of the resource member would be deemed to have been regularised by the mere fact that the RSA has been renewed.

In the circumstances, it is recommended that the scope of this policy proposal be reviewed by the authors so that it is limited to the creation of a policy compliance dashboard in order for both parties (i.e. AFRINIC and the resource member) to have better visibility of the member’s compliance; and that the issue of contract management be left to AFRINIC’s board of directors acting through its management.

 

Financial Assessment

None.

 

3.0) Implementation

Implementation of the dashboard can be effected by Q3-2022. AFRINIC is currently implementing a new member portal (myAFRINICv2) which already has a dashboard feature. The dashboard on MyAFRINIC V2 is not limited to policy but will also give best practices and recommendations to members; hence the nine monthly implementation period will coincide with the go-live of myAFRINICv2. The implementation of the full scope of checks with respect to RSA and policies will be phased and cover batches of compliance checks in each release of the dashboard.