How are registrar audits conducted? - Knowledgebase / Routines - Support Portal | Registry Services

How are registrar audits conducted?

Updated 18 Sep, 2024

Registrar audits

The work with registrar audits is part of the registry's ongoing quality activities with the registrars. In this article the procedures related to this is described so that registrars know what to expect when an audit begins.

The audits will be planned and carried out continuously throughout the year. The registrars have the opportunity to request which month the audit should start within the next six months from the time the request is made. We will then conduct the audit during that month if possible.

For company groups with more than one registrar account, a request can be made to conduct the audit for all companies at the same time if desired. In such a case, the registrar need to inform us in advance.

Selection of Registrar

Audits will be conducted for all registrars, but prioritization usually occurs based on one or more of the following criteria:

- Lack of information on the registrar's website based on requirements in the registrar agreement
- Registrars with high abuse rates
- Registrars with many complaints from end customers
- Registrars that mainly work with resellers where end customers experience problems with the resellers
- Registrars with a high level of incorrect data
- Registrars with a high discrepancy in holder information between the registry and the registrar

Timeline

When a planned audit begins, we adhere to the following timeline:

Day 1 - Audit questions are sent via email to the registrar's specified admin email address. The questions must be answered within two weeks from the time the audit is sent out. If additional response time is needed and requested, we can usually accommodate it.
Day 15 - If no response has been received, a reminder is sent via email with a one-week deadline.
Day 22 - If no response has been received, we try to contact the registrar by phone. We will attempt to make contact for a maximum of five working days.
Day 30 - If no response has been received, the registrar is informed via email that they have 30 days to answer the audit questions to prevent being put in "restricted" status and subsequently deregistered after an additional 30 days. "Restricted" status means that new domain registrations cannot be performed.
Day 60 - If no response has been received, the registrar is put in "restricted" status.
Day 90 - If no response has been received, the registrar is deregistered.

Response Received
When responses are received, they are checked.

- If all requirements are met: No further action.

- If requirements are not met: We inform which points need to be addressed and the registrar is asked to provide an action plan on how to meet the requirements. We also inform about the period within which the actions need to be implemented. Depending on the severity of the deficiency, the period for action may vary between 2 weeks to a maximum of 3 months.

Follow-Up After Actions
After the period for meeting the requirements has passed, a follow-up is conducted to check that the actions have been implemented.

- If the action points are implemented: No further action.

- If the action points are not implemented: The registrar is informed via email that they have 30 days to address the deficiencies to prevent being put in "restricted" status and subsequently deregistered after an additional 30 days. "Restricted" status means that new domain registrations cannot be performed.

Audit Questions

The questions that may be asked and the documentation that may be requested are listed below. The audit will include one or more of the points below, which may change based on needs.

Lists and Documentation

List of domains with obviously incorrect data, manually checked by Internetstiftelsen staff. (Unlimited number)
The registrar must contact the domain holder and set domains on client hold if the domain holder does not update to correct data within a reasonable time.

List of domains that appear to be some type of privacy/proxy registrations. (Unlimited number)
The question is whether the registration data is correct or provided instead of the actual owner to protect identity.

List of 10-50 random domains
Documentation showing that the registration terms have been accepted and how the domain holder was verified will be requested.

List of up to 10 ownership changes conducted in the past year
Documentation showing that the ownership change was ordered by the current domain holder and how both the current and new domain holder were verified will be requested.

List of domains that received eID discount
Documentation showing that the customer was validated via eID at the time of new registration will be requested.

Questions

Please describe how a customer orders the following services:
- Change of name server
- Change of DS record
- Request for auth ID
- DNSSEC (if DNS services are offered by the registrar)

Please provide a link to information on how you handle abuse cases and a description of how to find this information when navigating from your homepage.

Please describe how you assist your domain holders if they have problems with their reseller or if the reseller is not contactable.

Please describe how you ensure that your resellers comply with the requirements for .se and .nu registration services.

Please describe how you handle sending updated customer data to the registry.

Please describe how you verify and check the accuracy of the holder's data.

Please describe how you handle domains with incorrect registrant information in cases where you are informed of this by a third party or the Internet Foundation.

Please verify that the information in the registrar list about you as a registrar is correct.


Print Download