Ftld Registrar - Frequently Asked Questions (FAQ)

fTLD Registrar - Frequently Asked Questions (FAQ)

How do I become an fTLD registrar? See the information at BECOME AN fTLD REGISTRAR for details on the process. fTLD Registry System Who operates the fTLD Registry System? Verisign is the Registry Service Provider and Symantec is the Verification Agent. Is there a web interface available for registrars to process registrations for fTLD? No, fTLD registration is not supported by a web interface to EPP. Registration is initially first-come, first-served, but what is used to determine which registration arrived first? The registration that arrives at the EPP editor first and is put into pending create will lock the domain name until verification is either approved or rejected. Can eligible registrants register any domain name(s) they want? Any domain name(s) that corresponds to the registrant’s trademarks, trade names or service marks can be registered during General Availability. For guidance on selecting domains, please see the fTLD Name Selection Policies and their Implementation Guidelines here. Are there any differences between the “corresponds to” rule for domain names in .BANK and .INSURANCE? Yes, in .INSURANCE domain names must correspond to a trademark, trade name or service mark of the Applicant in bona fide use for the offering of goods or services, or provision of information, in the jurisdiction where the registrant is licensed, approved or certified to conduct business. Please consult section 3.1 of the .INSURANCE Name Selection Policy for specific information. When does the five-day (5) Add Grace Period start since domain names are put into a pending create status when initially registered? The five-day (5) Add Grace Period starts when the domain name has been put in pending create status by Verisign.

Can a registrar delete a domain name after the five-day (5) Add Grace Period? Yes, a domain name can be deleted after the Add Grace Period. However, the registrar would not receive any refund from Verisign.

Are there specific instances where an exemption will not be given to registrars for the AGP (Add Grace Period) Limits Policy? Exemptions will not be made under the AGP Limits Policy if the registrant submits multiple domain names for registration and verification and then deletes all but one domain name during the Add Grace Period. Registrars should discourage the potential use of this process by registrants. Is Registry Lock available for domain names? No, Verisign’s Registry Lock service is currently unavailable for domain names. When Verisign is ready to support it, all approved registrars will be notified of its availability. How is the registrar notified when a registration has been approved or rejected? When fTLD confirms (either approval or rejection) the verification order, Symantec will generate an email to the registrar and registrant unless the registrar has turned off the notification feature. When fTLD confirms the Verisign registration, an EPP polling message to update the status of the transaction will be generated. How is the registrant notified when their registration has been approved or rejected? Once fTLD confirms the verification performed by Symantec on the Verisign system, the registrar should generate their standard message to the registrant confirming that the registration has been approved or rejected based on the EPP message from Verisign. When a domain name is approved or rejected on Symantec, an email on that action is also sent to the registrar and registrant unless the registrar has turned that feature off as described in the Symantec Verification Guide for .BANK and Symantec Verification Guide for .INSURANCE (“Symantec Verification Guides”). Can a domain name in the pending create status be registered by someone else? No, a domain name in the pending create status is not available for registration and will return a “domain is not available” message for any EPP inquiries on the domain name. If a registrar submits 15 domain names for verification in one order and five of the domain names are not approved, will all 15 domain names be rejected? No, each domain name is verified separately and the ten that pass all validations including the relevant fTLD Name Selection Policy will be approved and the other five will be rejected. If all of the domain names are rejected or the registrant verification fails then the entire order will be rejected with an order status of Cancelled. If any of the domains are approved, then the order status will be set to Completed. The status of each domain will be reflected in the Domain Information area as either Rejected or Approved. Does fTLD accept all single and two-character names for registration? fTLD has made single-character and most two-character names available in .BANK and .INSURANCE (except certain two-letter domains still reserved by ICANN). These previously reserved names are available on first-come, first-served basis subject to fTLD’s Registrant Eligibility and Name Selection Policies. As these names are deemed premium, they are subject to a higher initial and renewal registration fee. For more information about the specific two-character names that are available please see the information here. Are there any premium names in .BANK and .INSURANCE? Yes, the premium names in .BANK and ,INSURANCE are currently all single-character and certain two- letter names as detailed here.

Are there any special requirements by Verisign or Symantec for registrars to be able to offer fTLD Premium Names? Yes, registrars need to select the appropriate option in Exhibit A of Verisign’s Platform Access Order Form for each fTLD domain supported to be able to sell fTLD premium names. If a registrar did not initially select this option for the desired fTLD domain, they should contact Verisign at cao@verisign- grs.com to update their Form(s). There are no specific requirements from Symantec to be able to offer premium names. Will fTLD be using a specific auction provider to handle premium name sales and other auction opportunities? There is currently no auction process established for fTLD. Registrars will be notified if a process is created. Can fTLD registrants sell/transfer their domain names? Yes, domain names can be sold/transferred. However, the new registrant must meet fTLD’s Registrant Eligibility and Name Selection Policies for the domain name and must also successfully be verified by Symantec. If fTLD does not approve the transfer, registrars will need to work with fTLD to restore the domain name ownership to the original verified registrant.

Where can I find the lists of fTLD’s Reserved Names in .BANK and .INSURANCE? The lists are available here. What information is available to registrars and registrants to assist in the activation of fTLD Domains? The following resources have been developed in consultation with members of the financial services community and are intended to:  Support the planning and implementation of an fTLD Domain  Provide a framework for communicating an fTLD Domain plan to registrant employees, customers and other stakeholders  Educate registrant executives, technology teams and/or third-party providers about the value of the robust security technologies and practices of an fTLD Domain. fTLD has incorporated the lessons learned and implementation solutions from early adopters into three guides that are designed to help registrants transition to a new fTLD domain. In addition, a planning checklist is provided to highlight the tasks that need review by a registrant implementation team.  Implementation Planning Checklist  Planning and Communications Guide  Executive Guide to Security Requirements  Technical Guide to Security Requirements

These guides and the checklist can be downloaded here. fTLD Verification Is there a way to submit Symantec Orders without using the Symantec API? Yes, a web interface (“Web Form”) is available for registrars to submit Symantec orders if they have or anticipate having less than 50 total .BANK or .INSURANCE domain names under management. Registrars can also use the Web Form for Bi-annual Re-verification Orders even if they have more than 50 .BANK or .INSURANCE registrations under management.

If you want to see if you are eligible to use the Symantec Web Form to submit your Symantec orders, please contact fTLD at [email protected] for more details. Please note that all information needed for the API version is still needed for the Web Form version.

What information is provided to Symantec for use in the fTLD verification process? Complete information for all fields in the Symantec order is provided in the Symantec Verification Order API Developer's Guide (“Symantec API documentation”), which is provided to fTLD approved registrars. For both .BANK and .INSURANCE, a Re-verification Type is required for Symantec orders submitted for existing domains. The specific requirement can be found in the Special Instructions field of the Symantec API documentation. What additional information is required for .BANK verification and how is it provided to Symantec? This additional information specific to .BANK is provided in the Special Instructions field that is detailed in the Symantec API documentation:

 Government Regulatory Authority Name – This information is required unless it is not applicable to the registrant type (e.g., trade associations, service providers).

 Regulatory ID Number – This information is required unless it is not applicable to the registrant type (e.g., trade associations, service providers).

 Human Resources Contact name and telephone number – Contact information to verify the employment information of the registrant contact.

 Registrant’s Management Contact name and telephone number – Contact information to verify that the registrant contact is authorized to register the domains requested.

What additional information is required for .INSURANCE verification and how is it provided to Symantec? In addition to the Human Resources and Registrant’s Management Contact information, the following information is required for .INSURANCE orders and is detailed in the Special Instructions field of the Symantec API documentation.

 Category - select one: Carrier, (Company that offers and/or underwrites insurance policies) SP (Service Provider), Assn (Association), Gov’t. (Government Agency), Agent/Agency, Broker/Brokerage. Other terms used in the insurance community such as “Intermediaries” and “Representatives” can be classified as Agent/Agency or Broker/Brokerages based on self- identification during the registration process.

 Primary Government Regulatory Authority Name – This information is required unless it is not applicable to the registrant type (e.g., trade associations, service providers). The primary government agency with which the organization is registered. Since insurance entities are often regulated by multiple entities, this should be the government regulatory authority where the business is physically located.

 Primary Government Regulatory Authority ID Number - This information is required unless it is not applicable to the registrant type (e.g., trade associations, service providers). The ID number provided by the named (i.e., primary) government regulatory authority. Agents or other sole proprietorships should provide the individual’s contact name and telephone number instead of the Human Resources and Registrant’s Management Contact information.

Is the Special Instructions information required for the verification process for new registrants or domains?

Yes, the Special Instructions field is mandatory for fTLD Domain Symantec orders effective April 29, 2016. How does Symantec secure additional verification information from registrants? If additional information is needed for verification, Symantec will first attempt a call to the registrant contact or other appropriate contact (such as the HR Representative) and leave a voice mail if there is no answer. They will also follow-up with an email to the registrant contact and registrar or other appropriate contact (such as the HR Representative) repeating the request for specific information. In both the voice mail and email, Symantec will provide a security code so that the follow-up by phone or email can be confirmed to ensure the security of the verification process. For details, please review the Symantec Verification Guides. Symantec will send a copy of each email that is sent to the registrant contact to the registrar contact specified in the “TechContact” field of the Symantec Order so that the registrar can assist as needed in the verification process. Some exchanges such as those confirming employment or authority to register are not shared with the registrant contact or registrar for security purposes. Can supporting information or documentation requested by Symantec be provided in languages other than English? Yes, materials in other languages can be provided to Symantec. Can information in the Symantec Order be provided in non-Latin characters? Yes, Special Instructions information such as the HR Contact can be provided in other character sets (e.g., Chinese, Korean) to ensure correct information is available to Symantec. Other information in the order can also be provided is non-Latin characters if requested by Symantec to be able to complete the verification. Does Symantec verify all of the contacts that are provided? Symantec only verifies the information provided in the Organization and Admin Contact as defined in their system which relate to the Registrant Contact information in the EPP data. The Symantec Technical and Billing contact information does not relate to the similarly named fields in the EPP data. The Symantec Technical contact data contains the registrar contact information for the individual or group responsible for fTLD Domain support as provided by the registrar. The Billing contact information is required on the API transaction but is not used by Symantec. Registrars generally use the same information as the Symantec Technical Contact but other reference information can be used as this displayed in the Partner Portal screens. Please review the Symantec API documentation for exact requirements. May an organization’s core processor or third-party provider register domain names on its behalf? Yes, this is permissible. However, the Registrant Contact information provided in the registration process must be for the entity eligible to make the registration for Symantec to conduct a successful verification. If the core processor or third-party provider includes its own name and contact information for a registration it is making on behalf of an eligible registrant, the Symantec verification will fail. When registrants have provided registrars with a Power of Attorney, can they register domain names on behalf of the registrant? Although the registrar could perform the request for registration, the registrant contact must be a full-time employee authorized by the registrant organization. The EPP Administrative and Technical contacts are not required to be from the registrant organization.

If a Regulatory ID Number is provided for a bank in the United States, which number should it be? It depends on the regulatory authority for the bank. For example, if the Office of the Comptroller of the Currency (OCC) is the regulator, the OCC charter number should be provided.

If a registrant registers domain names at different times, will they need to be re-verified multiple times? The initial verification of a registrant and registrant contact will occur at the time of the registration of the first .BANK or .INSURANCE domain name. If additional .BANK or .INSURANCE domain names are registered after this, the domain name itself will be verified based on the relevant policies, but the registrant and registrant contact will not be re-verified unless the registrant or contact information has changed. A registrant will be verified once every two years so if they register additional names within that period and the Registrant Contact information has not changed, there will be no additional verification performed on the registrant information. Verification for .BANK and .INSURANCE are considered separately even if the organization is the same. Should registrars do some preliminary review of eligibility to filter out ineligible registrants for an fTLD Domain? Registrars may want to implement some initial screening process to reduce the possibility of failed registrations that may result in chargebacks and fTLD fees associated with processing requests for registrations. The information provided in the Symantec Verification Guides should prove useful to registrars for adapting their registration process to support any desired “pre-screening.”

If a registrar becomes aware that the contact is no longer at an organization or the organization name has changed, should fTLD be contacted about the change? The registrar should work with the registrant to ensure that the data is updated in the registrar system as quickly as possible. Changes to the Organization Name should trigger a Symantec order with a Re- verification Type of “Organization” Please note that if this change is done at the same time as a renewal, transfer or bi-annual re-verification, that only one order should be triggered as Symantec will automatically do an organization re-verification if a change from the previously verified organization name is detected. What data is used for domain name re-verification? Does a registrar need to submit a transaction to trigger the re-verification? When a domain name is first registered it will be verified using the data submitted to Symantec via the API or Web Form. Registrars are required to generate orders for each “trigger” event including renewals, transfers, bi-annual re-verifications for registrations of three years or more, changes to the Organization Name and at the request of fTLD. Please review the Symantec API documentation to identity the triggers for a re-verification order and the requirements for identification of those orders which are included in the details for the Special Instructions data. What information is required in the Special Instructions field for any re-verification? Because the Special Instructions field is mandatory, it must have at least the fTLD Re-Verification Type as defined in the Symantec API documentation. If the registrar has updated or more current Special Instructions information, then that should be provided in the re-verification order. Otherwise, the registrar should place the information provided in the last Symantec order for that registrant/domain in the Special Instructions field. Without this information, verification is likely to take longer.

Who is responsible for verifying requests for domain names? fTLD is responsible for approving requests for domain names. fTLD has contracted with Symantec to serve as its Registry Verification Agent. Symantec is responsible for reviewing the information provided by the registrar/registrant and providing a recommendation to fTLD to approve or reject a request. fTLD makes the final decision. Why is a third-party like Symantec involved in the fTLD verification process? Symantec is a global leader in security and verifying the authenticity of organizations. The use of a third- party in the verification process ensures an impartial and expert entity for the initial examination of eligibility for registration of each registrant and provides registrants and registrars with global support in this important process.

When is the verification information passed to the Symantec API? The registrar will first submit the transaction to the Verisign EPP. Once Verisign confirms via EPP to the registrar that the registration is in a “pending create” status, the registrar system should initiate the verification order for the Symantec API or it should be entered via the Web Form. This two-step process is necessary to ensure that the only orders that are submitted to Symantec for verification are those that have passed all of the Verisign registration edits and have a pending create status. When should re-verification information be passed to the Symantec API? A re-verification order should be passed to the Symantec API as soon as Verisign accepts the related EPP transaction. Registrars may also wish to implement a process in-line with their current approach such as passing orders in bulk to the Symantec API on at least on a weekly basis. Orders should be generated within 10 days of the related EPP transaction to prevent fTLD compliance follow-up.

Can a registrar submit a Symantec order before the related transaction has been processed with Verisign? No, every order placed with Symantec must only occur after the EPP registration transaction has been processed successfully by Verisign. If this process is not followed, the registrar may be liable for a registration-verification fee. Do the Verisign EPP and Symantec API systems operate on the same servers? No, these systems operate on separate servers and are totally separate systems. What are the Symantec order statuses and what do they mean? The following statuses are displayed on the Symantec Partner system: Pending Verification – Symantec: Under review by Symantec. Pending Verification – fTLD: Symantec has completed the review and the verification is waiting for Approval or Rejection by fTLD. Completed: Verification has been completed and all or some of the domains in the order have been approved/rejected by both Symantec and fTLD; fTLD has approved/rejected the domain registration(s) in Verisign in line with the Symantec domain status if this order was for verification of new domain names. Cancelled: Verification has been completed and the domain names have been rejected in Verisign if this was an order for new domains. To determine whether specific domains have been approved or rejected, review the Status in the Domain Information section on the order in the Symantec Partner system. The domain status is not final until the order status is Completed or Cancelled.

What does the “Pending Verification – fTLD” status mean? As documented in the Symantec Verification Guides, Symantec will initially verify the eligibility of each registrant as well as the requested domain names. Once Symantec has completed the verification process for the registrant and domain name(s) the order will be placed in this status so that fTLD can review and confirm the verification recommendation. fTLD will then also confirm the transaction with Verisign. fTLD may either accept the recommendation made by Symantec or change the final status based on additional review and/or information provided by the registrant. How do I check to see the status of an order in the Symantec system? Login to your Symantec Partner account and sort the order information to find the desired registration and its status. You can also use the Quick Search function to search by Symantec Order number or the domain name. The status of any order can also be checked using the API command “GetPreAuthOrderbyPartnerOrderID”. How long will fTLD registration and verification take? Registration begins when the registrar submits the transaction to the Verisign EPP and it is accepted and placed in a pending create status, which will happen within milliseconds. If accepted by Verisign, verification is then initiated by the registrar submission of the verification order to Symantec via the API or Web Form. Approval is generally expected to conclude within days. However, because the verification process requires telephone contact with the registrant’s organization to verify certain information (i.e., the requestor is a full-time employee of the company and it authorized to make registrations on its behalf), the verification may take longer to complete. Registrants can expedite verification by ensuring that all individuals that may be contacted are aware of the need to respond to these requests as quickly as possible. How many domain names may be submitted in a Symantec verification order? The API or Web Form can accommodate up to 30 domain names. Registrars should submit all domain names registered by one registrant in a single day as one Symantec order to expedite the verification process and reduce potential registrant-verification fees for any rejected domains. If you have more than 30 domains, then orders in multiples of 30 domains should be used. Is fTLD verification by Symantec the same as Whois (RDDS) verification? No, the verification process facilitated by Symantec is the process that fTLD has mandated for all fTLD Domain registrations. In contrast, the Whois verification process is required by ICANN to be conducted annually by registrars to confirm accurate contact information. Registrars are required to contact their registrants to conduct this verification and a positive confirmation of details is required. Registrants may risk having their domain name suspended or cancelled for failure to respond to this verification request. If information reflected in the verification order is corrected by Symantec or fTLD during the verification process, do these changes need to be reflected in the Verisign system? Yes, all corrections made to the order information by Symantec or fTLD during the verification process must be reflected in the Verisign system before fTLD will approve the order and related registration in Verisign. Some changes will have been confirmed with the registrar and registrant before fTLD review, but registrars may be notified of the needed corrections by fTLD during final review. Registrars should apply the changes as soon as notified by Symantec or fTLD to avoid delays in the approval process using their internal processes for completion of the updates.

Costs What is the cost for the fTLD verification process to registrars? There is no separate cost for the verification process. fTLD’s wholesale domain name fee to registrars includes the charge fTLD pays to Symantec for verification services. There are no additional costs for re- verifications that are performed during the term of the registration. However, since Verisign will refund the registration fee to registrars in the event fTLD rejects a registration in the pending create status or a registration is auto-deleted because verification was not completed within the 90-day pending create period, a registration-verification fee may be assessed by fTLD and invoiced to the registrar to recoup the cost of the Symantec order and related fTLD expenses. Is there a difference in the cost between standard and premium domain names? Yes, there is a difference in cost. This information is included in the .BANK and .INSURANCE RRAs and is available to registrars that have completed step one of the fTLD Registrar application process here. When is a registrar charged for a domain name by Verisign? The registrar is charged for a domain name as soon as the domain passes all EPP edits and is put in a pending create status. If a domain name is rejected because of EPP errors, then there is no charge to the registrar. If a domain name fails verification by Symantec and is rejected by fTLD while in the pending create status then the registration fee is refunded to the registrar by Verisign. If the verification process is not completed within the 90-day pending create period, then the domain name will be automatically deleted (auto-delete) on the Verisign system and the registration fee is refunded to the registrar by Verisign. When a registration is rejected by fTLD while in pending create status or if a Symantec order is rejected because the Verisign registration has auto-deleted after 90 days, a registration-verification fee may be assessed and invoiced, generally on a quarterly basis, directly by fTLD. Who prepares the statement or invoice for fTLD registrations fees for both standard and premium names? A monthly statement or invoice is prepared by Verisign for registration fees. Registration-verification fees or non-compliant bulk verification request fees will be invoiced, generally on a quarterly basis, by fTLD directly to the registrar. When will a refund be provided for a domain name registration? Refunds for domain name registrations will be provided to registrars by Verisign under the following conditions: 1. The domain name is deleted before the end of the five-day (5) Add Grace Period. 2. The domain name is rejected by fTLD while in pending create status. (Note: Registrars must coordinate the rejection in the Verisign system with fTLD; if the registrar rejects the domain then Verisign will NOT provide a refund.) 3. The domain name is automatically deleted by Verisign because it has been in pending create status for more than 90 days. Registration-verification fees may be assessed by fTLD to offset the refunds provided under conditions #2 and #3. Is a fee charged to change data in a registration? There are no fees for changing any information. fTLD requires registrants to maintain accurate information in order to maintain a trusted, verified and more secure environment. Although a complete re-

9 verification is performed by Symantec when certain data is changed, there is no additional fee for are- verification. Is there a fee for a transfer of a domain name between registrars? Although there is a charge for a mandatory one-year renewal, there are no additional fees for transfers in the fTLD system. What is the Sync fee? The Sync fee is charged for resetting the expiration date for a domain name. This fee is charged based on the number of months between the original expiration date and the new expiration date. The entire fee is charged at the time the Sync transaction is processed by Verisign. There is no related Symantec order for a Sync operation with Verisign. What is the Registration-Verification fee? This fee is charged to fTLD registrars for domain names that are rejected by fTLD while in a pending create status. The fee will also be charged if the verification process is not completed within the 90-day pending create period and the domain name is automatically deleted (auto-delete) on the Verisign system and the domain in the related Symantec order is rejected as well.

What is the Non-Compliant Bulk Verification Request fee? This fee is charged to fTLD registrars who do not submit multiple domain name requests for a single registrant on a given day in one order using the bulk submission feature provided for in the Symantec system. These fees are directly billed, generally on a quarterly basis, by fTLD

Security & Implementation What are the Security Requirements for fTLD? fTLD requires compliance with a set of requirements that are not currently mandated by the operators of other commercially available gTLDs, including:

 Mandatory Verification and Re-Verification of Licensure/Authorized Person/Names for Regulated Entities to ensure that only legitimate members of the specific fTLD community are awarded domain names.  Domain Name System Security Extensions (DNSSEC) to ensure that internet users are landing on participants’ actual websites and not being misdirected to malicious ones.  Email Authentication to ensure brand protection by mitigating spoofing, phishing and other malicious email-borne activities.  Multi-Factor Authentication by registry and registrars to ensure that any change to registration data is made only by authorized users of the registered entity.  Strong Encryption (i.e., Transport Layer Security) to ensure confidentiality and integrity of communications and transactions over the internet.  Prohibition of Proxy/Privacy Registration Services to ensure full disclosure of domain name registration information so bad actors cannot hide.  .BANK Domain Names must be hosted on .BANK Name Servers to ensure compliance with all technical security requirements.  .INSURANCE Domain Names must be hosted on .INSURANCE Name Servers to ensure compliance with all technical security requirements.

Please review the Security Requirements document for specific requirements for registrars and registrants.

Can Security Requirements change? If so, how are these changes made and how will registrars and registrars know about them? Yes, Security Requirements can change. The Security Requirements specify that fTLD will periodically review and amend the requirements to respond to changing needs in security or the community. The amendment process includes a review by fTLD’s Security Requirements Working Group (SRWG) and consideration and approval of its recommendations by fTLD’s Board of Directors. Any approved changes to the requirements will be communicated directly to registrars and broadly announced to stakeholders via information posted to fTLD’s websites as well as other means for sharing such details. Adequate notification to stakeholders and time for implementation is provided when changes are required to processes and technical infrastructure by new or modified requirements. Please contact fTLD at [email protected] if you would like to participate in future efforts of the Security Requirements Working Group. Do any of the fTLD Security Requirements apply to registrars? Yes, there are some additional requirements for registrars that are included in the Registry-Registrar Agreement (RRA). The following Security Requirements should be reviewed: 7, 8, 10, 12, 13, 14, 15, 16, 22, 23, 24, 25, 26, 28, 29 and 30. Who is responsible for enforcing the Security Requirements and Policies for fTLD? fTLD is ultimately responsible for enforcing all of the requirements for fTLD Domains. Registrars will play a role in enforcement as they have the direct relationship with the registrant. fTLD always retains the right to take action if the registrar fails to do so. If there is a violation of an fTLD Security Requirement, how will this be handled? Will the registrar be involved? fTLD will work with the registrant and registrar to address the violation. Repeated violations of any requirements may lead to suspension or termination of the registration and failure of the registrar/registrant to provide a timely response and a remediation plan to fTLD can result in the domain name being removed from the fTLD Domain zone or more significant actions.

Does fTLD permit Proxy/Privacy Registrations? No, these services are prohibited for fTLD registrations. This is specifically noted in the RRA and is part of the fTLD Security Requirements.