Gabor de Wit

KYC at the RIPE NCC: How We Keep Member Information Accurate

Author image
Gabor de Wit

10 min read

ripe members operational
0
Article lead image

Becoming a RIPE NCC member is straightforward, but keeping a trusted registry means doing careful checks behind the scenes. This article explains how we verify members at onboarding, monitor changes over time, and follow up on escalations.

As the RIPE NCC, we’re proud to be one of the organisations that make up the core infrastructure that the Internet relies on to function properly. One of our chief responsibilities in this role is to maintain accurate records of Internet number resources, so that it’s always clear who holds which resources and under what conditions. To do that, we first need to be sure who our members are. So while becoming a RIPE NCC member might seem straightforward, it's underpinned by detailed onboarding and KYC processes that happen behind the scenes.

Our goal in this article is to shed light on the due diligence processes we have in place to make sure not only that new membership applications are properly vetted, but that members are also continuously evaluated through the lifecycle of their membership and participation within the RIPE community. To that end, we'll take a closer look at each of the three main lifecycle stages: onboarding, continuous monitoring, and complaint handling, and the various validations we apply along the way.

The RIPE NCC membership lifecycle, highlighting key events and changes that trigger check ins and validation processes

Our membership lifecycle

Onboarding

After the RIPE NCC receives a new membership request, there is an initial set of validations done to ensure that the membership can proceed. These mainly revolve around the following questions:

  • Does the requesting entity or person exist and will it be able to pay the membership fee?
  • Is the person a natural person or acting on behalf of a company, and entitled to act on behalf of this company?
  • Is the person or entity sanctioned under the sanctions lists applicable to the RIPE NCC?

To be able to answer these questions, we undertake various validation activities. For instance, to determine whether the person or entity in question exists, we either validate the identification documents or the registration papers provided as part of the application. In both cases, we rely on specialised companies and tools that are able to provide these services. For identity verification, a tool called iDenfy is used to validate that the user and the provided documents are in fact valid and can be trusted, while for company verification, a specialised vendor called Altares Dun & Bradstreet is used together with validation of business registries in the applicable geography.

Once identity and company verification has been carried out, information from Dun & Bradstreet is cross-checked against the Dow Jones registry. Dow Jones Risk & Compliance products aggregate information from numerous government bodies and official lists, allowing for the identification of sanctioned entities, politically exposed persons, and other high-risk parties. Checking information on prospective members against this data allows us to validate that they are not subject to international sanctions and helps us meet our obligation to comply with EU and other applicable sanctions regimes, while preserving the accuracy and integrity of the registry. As we shall see, this is applied throughout the full membership lifecycle (read more on how sanctions affect the work we do).

The choice to rely on external tools and providers is straightforward: a company like Dun & Bradstreet's core business is company registrations, and the size and revenue of this company far exceeds any staffing numbers the RIPE NCC would be able to cover internally.

Automated monitoring

Once someone becomes a member, the work to ensure that their data is accurate doesn’t stop there. Relying on third-party data and our internal processes, we continuously monitor the accuracy of the registry by screening members against sanctions lists and running structured due diligence on transfers and other mutations of registration data. These activities are supported by a dedicated Registry Monitoring team that investigates suspicious patterns, flagged accounts, and disputed resources.

To track changes to legal details for members, such as company name, legal address and registration number, we once again rely on business information from Altares Dun & Bradstreet. As part of our 2025 commitments, this functionality is being extended to provide alerting for sponsored End Users with PI resources and ASNs as well. Dun & Bradstreet’s registry data is used to keep registration records current and to detect significant corporate events (for example, mergers, acquisitions, or changes to legal entities) that may affect resource holdership and contractual relationships. When RIPE NCC presentations refer to projects related to MORA, it is this integration and monitoring they are referring to: our ability to automatically track changes to information associated with its members.

As emphasised above, the work we do to identify sanctioned entities in connection with resource registrations is as vital at this stage of the lifecycle as it is during onboarding. Integrating the data available from Dun & Bradstreet and Dow Jones into our processes supports both data quality and compliance, ensuring that updates or anomalies in company information are quickly assessed against sanctions lists. This also applies to updates to sanctions lists themselves: using Dow Jones, we monitor the addition, removal and mutation of sanctions affecting active members.

Assisted Registry Checks (ARCs)

Automated checks and third-party data help us monitor registry accuracy at scale, but they don’t replace direct contact with our members. That’s where ARCs come in.

ARCs are a practical way to make sure information about our members stays current, so that registry records continue to reflect the legal entity that holds resources and the people authorised to manage them. They are usually triggered when we haven’t heard from a member for a while, since low contact makes it more likely that details such as contacts or organisational information have changed without being updated. An ARC can either start with us reaching out to a member to arrange a check, or with a member booking time with us directly using the scheduling tool.

Ahead of the call, members are asked to review their details in the LIR Portal. Many updates can be made directly, and anything that isn’t straightforward can be handled during the ARC itself. The goal is to ensure members know where the relevant information lives and how to maintain it, so data stays accurate over time. The outcome is fewer stale records, fewer surprises when changes or transfers need to be processed, and a registry the community can continue to rely on.

Handling change

Next to automated systems, there are also RIPE NCC procedures that describe how changes, such as transfers, mergers, acquisitions and legal name changes, have to be communicated and registered. These procedures require that both the offering and receiving parties follow defined steps so that Internet number resources and associated registration records remain accurate and associated with the correct legal entity. The goal of these procedures is not only to validate that a requesting user is real, but also that this user is entitled to act on behalf of the company.

In the context of legacy resources and inter-RIR transfers, we perform due diligence to confirm that the offering party is the legitimate holder and that all relevant policy requirements in the sending and receiving regions are met.

When a transfer is requested, we initiate a due diligence workflow that includes the following publicly documented steps:

  • Verification of legal existence and identity of both parties using recent registration papers or equivalent official documents.
  • Confirmation that the signatories on the transfer agreement are authorised representatives with legal capacity to act on behalf of their organisations, supported by company extracts or power-of-attorney style documentation.
  • Validation that the offering party is the legitimate holder of the Internet number resources in question, including checks against internal registry history and, for legacy space, supporting documentation of original assignment or subsequent agreements.
  • Review of the status of the allocations or assignments (for example, whether any policies or contractual obligations could prevent or restrict transfer).
  • Cross-checks against sanctions and third-party data (via Dow Jones and Dun & Bradstreet) to ensure that neither party is subject to sanctions or other compliance blockers that would prohibit the transfer.

For inter-RIR transfers, we also coordinate with the other RIR so that both sides approve the transfer and confirm that their respective policies and due diligence requirements have been satisfied before the transfer is executed. If conflicting claims or objections arise, we always reserve the right to request further documentation and, where necessary, to reverse or decline transfers to maintain registry accuracy and policy compliance.

Working with members - escalations and investigations

To ensure that we follow up on escalations and investigations, we have a dedicated Registry Monitoring function within our Registry team. This area is responsible for key areas such as registry accuracy, compliance and integrity. This function focuses on systematic auditing, follow-up on alerts from third-party tools, and oversight of controls related to sanctions, data quality, and suspicious account activity flagged via the public RIPE NCC forms.

Registry investigations are initiated when suspicious behaviour or potential abuse of the registry is detected, such as unusual account updates, fraudulent documentation or attempts to gain unauthorised control over resources. In such cases, our investigation processes include auditing account histories, reverting unauthorised changes (including transfers where necessary), reporting fraudulent activities to law enforcement where appropriate, and, in serious cases, terminating memberships and imposing future membership bans.

Closing words

Over the years, the RIPE NCC has significantly invested in procedures and tools that aim to ensure due diligence processes are followed and that members are properly monitored and kept up to date. That said, we do realise that there are domains that have an element of greyness in them.

There are also areas where we would like to see improvements. When it comes to sponsorship of LIRs, for example, the sponsoring member is ultimately responsible for the KYC procedure on the sponsored entity. As such, the KYC principles we apply should also be followed by the sponsor, but there is no formal policy (yet) to ensure this. Of course, the information provided to us for sponsored entities is always validated against the same external datasets, but more formal requirements here would be beneficial.

The same goes for data curated by members themselves. Data not governed by the RIPE NCC is subject to a member’s ability to keep all member-curated data up to date. Of course, we will follow up on any reported escalations about incorrect data as mandated by RIPE Policies. However, we are keen to find supporting mechanisms to ensure that member-curated data is up to date at all times.

Legacy resources raise similar concerns. Due to the freedom legacy holders have within our service region under the current RIPE policies, there is quite a bit of information missing that would allow us to help protect the resources governed by these legacy holders. This is actively being discussed under more recent policy proposals, but is not in place yet.

As we carry on the work we do to keep our knowledge of our members up to date, and particularly as we continue to look for ways to improve in those areas highlighted here, we would love to hear more feedback from the community. If you have proposals or suggestions, please contact us, or bring them to our events or the mailing lists.

ripe members operational
0

You may also like

View more
eu law

How Sanctions Affect the RIPE NCC

Author image
Athina Fragkouli
digital stop

Automated Self-Service to End Sponsoring of Independent Resources

Author image
Marco Schmidt
legacy_ip

10 Years of Legacy Policy

Author image
Xavier Le Bris
apb_cover

Building Resilience: The RIPE NCC’s Draft Activity Plan and Budget 2025

Author image
Hans Petter Holen

About the author

Author image
Gabor de Wit Based in Amsterdam

Gabor de Wit is the Chief Registry Officer at the RIPE NCC. He leads the RIPE NCC’s registry operations, ensuring the accuracy, security and integrity of Internet number resource management across the organisation’s service region. Gabor oversees critical registry processes, including IPv4, IPv6, and ASN allocations, and drives initiatives to continuously improve registry services and automation. He works closely with members, the RIPE community, and global Internet stakeholders to maintain a robust and trusted registry system facilitating a well‑organized, resilient Internet.

Comments 0