BITS, the technology arm of the Financial Services Roundtable, has published a set of specifications for new “high-security” generic top-level domains such as .bank and .pay.
The wide-ranging spec covers 31 items such as registration and acceptable use policies, abusive conduct, law enforcement compliance, registrar relations and data security.
It would also ban Whois proxy/privacy services from financial gTLDs and oblige those registries to verify that all Whois records were fully accurate at least once every six months.
The measures could be voluntarily adopted by any new gTLD applicant, but BITS wants them made mandatory for gTLDs related to financial services, which it calls “fTLDs”.
A letter sent by BITS and the American Bankers Association to ICANN management in late December (pdf) is even a bit threatening on this point:
“We strongly urge that ICANN accept the [Security Standards Working Group’s] proposed standards and require their use in the evaluation process. We request notification by 31 January 2012 that ICANN commits to use these fTLD standards in the evaluation of the appropriate gTLD applications. BITS, the American Bankers Association (ABA), and the organizations involved in this effort are firmly committed to ensuring fTLDs are operated in a responsible and secure manner and will take all necessary steps to ensure that occurs.”
BITS, it should be pointed out, is preparing its own .bank bid (possibly also .invest and .insure) so the new specs give a pretty good indication of what its own gTLD applications will look like.
ICANN’s Applicant Guidebook does not currently mandate any security standard, but it does say that security practices should be commensurate with the level of trust expected from the gTLD string.
Efforts within ICANN to create a formal High Security Zone Top Level Domain (HSTLD) standard basically fizzled out in late 2010 after ICANN’s board said it would not endorse its results.
That said, any applicant that chooses to adopt the new spec and can demonstrate it has the wherewithal to live up to its very strict requirements stands a pretty good chance of scoring maximum points in the security section of the gTLD application.
Declining to implement these new standards, or something very similar, is likely to be a deal-breaker for any company currently thinking about applying for a financial services gTLD.
Even if ICANN does not formally endorse the BITS-led effort, it is virtually guaranteed that the Governmental Advisory Committee will be going through every financial gTLD with a fine-toothed comb when the applications are published May 1.
The US government, via NTIA chief Larry Strickling, said this week that the GAC plans to reopen the new gTLD trademark protection debate after the applications are published.
It’s very likely that any dodgy-looking gTLDs purporting to represent regulated industries will find themselves under the microscope at that time.
The new spec was published by BITS December 20. It is endorsed by 17 companies, mostly banks. Read it in PDF format here.