Summary

  • On 23 July 2021, Cloud Innovation obtained provisional authority to attach AFRINIC funds held at SBM Bank (Mauritius) and Mauritius Commercial Bank up to USD 50 million; the order remained consequential until it was declared null and void on 15 October.
  • AFRINIC's later annual report said all its bank accounts were frozen and that it could not honour financial commitments, despite ending the year with USD 11.91 million in cash, USD 9.997 million in reserves and a USD 1.917 million surplus.
  • The failure was not a lack of assets but a lack of usable separation: ordinary payments, strategic reserves and litigation-exposed corporate cash sat inside a perimeter that banks could restrain together.
  • Donations of USD 504,000 and board authority to recognise up to USD 600,000 of debt kept the institution afloat, but emergency dependence on interested third parties created governance, disclosure and independence risks of its own.
  • A defensible continuity design would not hide money from creditors; it would predefine essential functions, segregate modest operating runway, document beneficiaries and costs, invite court supervision, and preserve effective security for legitimate claims.

A rich institution that could not pay

The revealing figure in AFRINIC's 2021 accounts is not the USD 50 million stated in the attachment order. It is USD 11.91 million. That was the organisation's closing cash position, according to its annual report, up from USD 9.246 million a year earlier. Total reserves reached USD 9.997 million. Membership-fee income rose to USD 5.978 million. The annual surplus was USD 1.917 million. On conventional balance-sheet measures, AFRINIC was liquid and profitable.

Yet the same report says that all its bank accounts were frozen from 23 July until 15 October and that it was unable to honour its financial commitments. Stakeholders donated USD 504,000. In August, the board authorised the chief executive to acknowledge debts to third parties up to USD 600,000 to keep the company afloat. Staff welfare measures referred directly to the strain of the account freeze.

This is not a contradiction in accounting. It is a contradiction in institutional design. Cash on a balance sheet is not the same as cash that can be paid. A reserve placed on fixed deposit may appear conservative, but if it is held by a garnishee subject to an attachment, it can be unavailable when wages, hosting, bandwidth, insurance or security services fall due. A three-signature rule can prevent an improper internal transfer while doing nothing against an external judicial restraint.

The crisis therefore cannot be understood as a simple contest between a claimant and a debtor. AFRINIC was a Mauritian company and could not claim immunity from ordinary courts. It was also the organisation through which a continent's number-resource records, reverse-DNS delegations, routing-security administration and member services were coordinated. Corporate money financed functions with consequences far beyond the corporate parties.

The 2021 episode showed that those roles had not been financially isolated enough. Litigation against the company reached the accounts. The accounts reached payroll and vendors. Payroll and vendors reached registry continuity. The legal claim travelled through an unbroken chain that governance should have interrupted before the first order was served.

What the July order did, and what the record does not prove

Cloud Innovation's 26 July public release states that a Judge's Order dated 23 July attached funds held in AFRINIC's accounts at SBM Bank (Mauritius) and Mauritius Commercial Bank, up to USD 50 million, in support of its damages claim. AFRINIC's case list describes the first step as a Provisional Authorisation to Attach Order. The later minutes of proceedings identify the two banks as garnishees and record that, on 15 October, the judge declared the provisional order null and void and set aside the validation application with costs.

Those documents establish the formal outline. They do not establish that AFRINIC held USD 50 million. Its audited figures indicate a much smaller cash position. Nor does the provisional order establish that Cloud Innovation was entitled to damages, that the claimed amount would be awarded, or that AFRINIC had dissipated assets. Attachment is a protective measure in litigation, not a final adjudication of liability.

The record also needs precision about scope. AFRINIC's annual report says all accounts were frozen. The board chair's message on 24 July said the organisation had been notified by one bank that its accounts had been temporarily frozen. Cloud Innovation's release referred to funds at two named banks. These statements can be consistent at different moments, but they answer different questions. A sound analysis should not enlarge the order beyond the documents or minimise the operational effect because one early message mentioned one bank.

The relevant point is narrower and better supported. AFRINIC reported that the restraint prevented it from honouring commitments. Its board sought urgent reduction or removal of frozen amounts. It later authorised emergency debt. The attachment therefore reached usable liquidity, whatever the exact account-by-account sequence.

Nor does the order's eventual nullity prove that the preceding operational risk was imaginary. A measure can later fail in law and still impose real constraints while banks obey it. Conversely, the inconvenience caused by attachment does not prove that the claimant acted improperly. The governance lesson survives either litigation outcome: a regional registry had no transparent, prearranged financial boundary between assets available to answer claims and money needed to maintain essential services.

Banks were not passive plumbing

The order became operational through banks. A judge authorised attachment; the garnishees controlled payment rails; AFRINIC's account balances became unavailable to varying extents. The institution's technical systems did not need to be seized. It was enough to interrupt the means by which people and suppliers were paid.

This makes banks part of the continuity map, even though they were not responsible for registry policy. They had duties under the order and their own compliance rules. They could not simply accept AFRINIC's assertion that its mission justified release. At the same time, a bank receiving a broadly framed order may have little basis for distinguishing a strategic reserve, payroll account, vendor payment or disputed sum unless those purposes were documented beforehand or clarified by court.

Bank diversification is often proposed as the answer. It is not sufficient. Two accounts at two branches of one legal system can be reached by the same order. Accounts at two banks in the same jurisdiction can both be garnished, as the named presence of SBM and MCB demonstrates. An offshore account may create additional legal, tax, governance and reputational risks and may still be reachable. The issue is not the number of bank logos. It is legal perimeter, account purpose, access authority and court-recognised treatment.

Nor is cash outside a bank necessarily resilient. Physical custody would create obvious security and audit problems. Prepaid facilities can fail or be frozen. A vendor holding advance payments may become an unsecured counterparty. A related organisation can introduce conflicts and creditor challenges. Every alternative changes the risk rather than abolishing it.

A mature registry should therefore treat its principal banks as critical service providers. It should maintain current contacts for legal orders and continuity incidents, pre-agree the evidence needed for account-purpose verification, test alternative payment rails and ensure that no single compliance interpretation disables every authorised payment. That arrangement cannot override a court. It can make the court's actual scope executable without unnecessary over-freezing.

The May reserve solved the wrong problem

Two months before the attachment, AFRINIC's board added USD 2 million to its Strategic Cash Reserve and directed that a new fixed-deposit account be created. Withdrawals or transfers required the signatures of the chief executive, head of finance and either the chair or vice-chair. The annual report later placed the Strategic Cash Reserve at USD 6.384 million.

This looked like prudent treasury management. It increased reserves and imposed strong internal authority. It protected against casual spending, unilateral management action and some forms of fraud. It did not protect access during attachment. Indeed, concentrating cash into a fixed deposit at a garnishee could make a larger amount visible within the same corporate boundary, depending on the account and order.

The distinction is between internal control and external resilience. Internal control asks who may authorise a payment. External resilience asks whether any authorised person can make a payment after a legal, banking, cyber or political event. Three signatures improve the first question. They can worsen the second if all signers, accounts or banking channels are affected together.

The reserve label also lacked functional content in the public resolution. "Strategic" can mean protection against revenue decline, capital investment, litigation, disaster recovery or organisational transition. Those risks require different liquidity and legal structures. A fixed deposit optimised for yield and spending discipline may be poorly suited to an urgent continuity event. A litigation reserve should remain available to satisfy or secure claims. An essential-services reserve should be sized to verified minimum expenditure and released only for defined operations.

Treating them as one pool creates ambiguity at the moment of crisis.

The 2021 experience therefore does not show that AFRINIC had too little reserve. It shows that reserve quantity was mistaken for reserve availability. The board had accumulated enough cash to cover substantial operating expenditure, yet the institution still needed donations and credit. Resilience is the ability to deploy resources under the event for which they are held, not the size of the year-end number.

The missing wall was between claims and functions

An ordinary company cannot declare its operating accounts untouchable merely because attachment is inconvenient. Creditors and claimants need meaningful remedies. A registry should not manufacture protected status after a dispute arises, move assets beyond reach or use public dependence as leverage against a lawful claim. That would convert continuity into impunity.

The legitimate objective is narrower: preserve specified services while keeping sufficient assets available to the court and claimant. The wall is functional, transparent and supervised. It does not say "no attachment". It says "identify what must remain payable for a limited period, why, to whom and under which controls; restrain the balance or require alternative security."

This model is familiar in principle wherever legal remedies touch systems serving third parties. Courts can supervise businesses, preserve perishable assets, allow ordinary expenses, require bonds, appoint custodians and vary restraints. The exact Mauritian procedure and availability of each remedy depend on law and case facts. But the evidentiary task is universal: separate the amount needed to preserve the subject and public-effect services from money available for disposition or security.

For a registry, the protected entity should not be "AFRINIC" as a whole. It should be a list of functions: maintaining authoritative registration data; keeping authentication and security response available; sustaining reverse DNS; supporting route-origin administration; preserving backups and logs; retaining the minimum staff and vendors required to operate those functions; and communicating accurately with members during the incident.

The rest remains contestable. Conferences, discretionary projects, expansion, public campaigning, nonessential travel and even some new allocation activity may be paused. Legal fees need their own scrutiny. A function-based wall prevents management from sheltering every corporate preference under the Internet while preventing a claimant from using unrelated networks as pressure.

A four-pocket treasury would have made the choices visible

The simplest conceptual repair is to stop treating all cash as one reserve. A regional registry needs at least four separately governed pockets, even if the exact legal vehicles differ.

The first is ordinary operating cash. It receives fees and pays routine obligations. It should hold only the amount needed for a defined short horizon, with excess swept under policy. Its exposure is accepted because commerce requires a usable account.

The second is essential-services runway. It covers a tightly defined minimum for perhaps 60 or 90 days: critical technical staff, security response, hosting, connectivity, key management, insurance, backups and necessary member support. The beneficiary schedule and release rules should be approved before any dispute. Payments should go directly to named categories under dual control and independent reporting.

The third is litigation and claims security. It is available to meet judgments, settlements, bonds and court-directed security. Its existence demonstrates that continuity design is not an attempt to defeat creditors. The amount can be linked to assessed exposure and reviewed by the audit committee, external auditor and, when litigation is active, the court.

The fourth is strategic and transition reserve. It supports longer revenue shocks, major recovery, lawful institutional handover or replacement of failed infrastructure. It should not be confused with immediate payroll cash. Some of it may appropriately be fixed-term, diversified or subject to joint RIR support arrangements.

Separation on a spreadsheet is not enough. Each pocket needs a clear purpose, account or custody arrangement where lawful, signatories, replenishment rule, disclosure and stress test. The legal advice must ask how each would be treated under attachment, insolvency and receivership. If every pocket remains unavoidably attachable, the court pack must be ready to seek a prompt carve-out with evidence. The goal is reliable differentiation, not magical immunity.

The minimum-service budget should have existed before court

AFRINIC's July communication said the board had identified alternative funding so the company could cover expenses required to run services. The August debt resolution authorised up to USD 600,000. These were emergency figures. The public material does not show a pre-existing, court-ready minimum-service budget activated on the first day.

Such a budget should be built from dependencies rather than historical averages. Payroll must distinguish staff essential to continuous technical and security operation from positions whose work can pause. Vendor costs must identify hosting, network links, domain and certificate services, identity systems, monitoring, backup storage, incident response and support channels. Each line needs a due date, currency, payment method, termination consequence and substitute.

The budget should cover more than keeping servers powered. Registry integrity depends on people able to validate changes, protect credentials, answer incidents and preserve audit trails. If staff are unpaid, departure or divided loyalty can become a security event. If insurance lapses, directors and specialists may be unwilling to act. If a domain, certificate or cloud service expires, the resulting interruption may be faster than any court return date.

At the same time, the budget must be sceptical. Vendors and managers have incentives to describe every cost as critical. Independent technical review should test whether a service can be paused, substituted or reduced. The court needs a range: the absolute survival floor, the safe operating minimum and the normal budget. It can then authorise the least amount consistent with the chosen service level.

Monthly totals alone are weak. Payment timing matters. A three-month reserve does not help if an annual hosting invoice is due tomorrow and no alternate method exists. The continuity schedule should therefore model daily cash need for the first two weeks, weekly need for two months and monthly need thereafter. It should be updated after every material contract change.

Payroll is infrastructure when expertise is scarce

The African IXP Association warned in August 2021 that the freeze could prevent AFRINIC from paying staff and operating costs, including data-centre and bandwidth providers. The letter was advocacy from an interested ecosystem body, not proof that each predicted event would occur. AFRINIC's own annual report later confirmed the more general point: it could not honour financial commitments and the episode affected staff.

For a regional registry, payroll is not merely an employment expense. Some employees hold specialised knowledge of resource records, routing-security systems, reverse-DNS operations, authentication, abuse handling and member history. Documentation and access controls should prevent any one employee from becoming indispensable, but institutional knowledge cannot be replaced overnight.

An account freeze can therefore trigger a delayed technical incident. The first missed payment may not take a service offline. Repeated uncertainty can prompt resignations, prevent contractors from working or cause vendors to demand advance payment. Remaining staff may prioritise immediate survival over control improvement. Security fatigue accumulates. By the time a visible outage occurs, the causal event may be weeks old.

Continuity protection should nevertheless avoid privileging executives while junior staff wait. A protected payroll schedule needs bands, roles and rationale. It should cover all staff necessary to preserve safe operation, with ordinary labour obligations respected. Extraordinary management bonuses, discretionary allowances and unrelated recruitment should not enter the protected pocket. The court or independent overseer should receive aggregate reporting and exceptions.

Succession matters too. Critical credentials and procedures should be held under role-based, multi-person arrangements. If a payment crisis removes an employee, another trained person must be able to assume duties without uncontrolled credential sharing. Financial resilience and access resilience are one system: money keeps the people available; governance ensures no person's departure can hold the registry hostage.

Vendor contracts turn cash interruption into technical interruption

The fastest path from a frozen account to a service incident may run through a vendor's automated billing rule. A data centre can suspend for arrears. A connectivity provider can restrict service. A software supplier can revoke access. A certificate or domain-related service can expire. A security provider can stop monitoring. None needs to understand the litigation.

Critical contracts should therefore contain continuity clauses negotiated before trouble. A vendor could agree to a cure period after verified legal restraint, accept payment from an approved continuity facility, recognise instructions from a court-appointed officer and provide export or transition assistance. The registry should avoid clauses allowing immediate deletion or loss of data after a missed payment.

Vendor concentration is as important as bank concentration. If authentication, monitoring and backups depend on one supplier, keeping that invoice current does not solve substitution risk. Contracts should be mapped to function and ranked by recovery time. Essential data should remain exportable in standard formats. Configuration and keys should not be trapped in a commercial account that can be closed for nonpayment.

Prepayment can buy time but creates another exposure. Large prepaid balances may be inaccessible, non-refundable or vulnerable if the vendor fails. It may also shift value away from claimants. The amount should be proportionate to ordinary contract practice and disclosed in treasury policy. Last-minute prepayment after litigation begins is much harder to defend than a longstanding continuity arrangement.

The aim is not to make vendors immune from payment risk. It is to ensure that a bank restraint does not produce automatic deletion or unsafe shutdown before the court can assess consequences. A few carefully drafted days can be the difference between a legal dispute and a regional recovery exercise.

Donations kept the lights on but created another dependency

AFRINIC reported receiving USD 504,000 in donations during the freeze. That support demonstrated ecosystem willingness to sustain the registry. It also complicated the institution's independence. A donor may be a member, another registry, an industry body or an organisation with policy interests. Even without conditions, emergency money can create perceived obligation.

The source, terms, timing and use of such support should therefore be disclosed, subject to legitimate confidentiality. Was money a donation, loan, advance fee or payment by a vendor? Could it be recalled? Did the donor have pending requests, election interests, litigation exposure or commercial relationships? Which expenses did it fund? Who approved acceptance?

Emergency dependence also changes power inside the organisation. Management able to secure private support may gain discretion over survival spending. Members who contributed may expect influence. Members who could not contribute may fear unequal access. A registry built on collective stewardship should not allow an emergency treasury to become an informal franchise market.

This does not mean AFRINIC should have rejected help while accounts were constrained. It means the institution needed a standing emergency-support policy: eligibility, conflict review, no-influence terms, public reporting, repayment where appropriate and independent audit. Donations should enter a controlled continuity account, not a general pool used for discretionary spending.

The August authority to recognise up to USD 600,000 of debts raises parallel issues. Credit can bridge delayed access, but who becomes creditor matters. Interest, security, priority and related-party status should be recorded. A lender supporting essential services should not quietly acquire leverage over future governance. Emergency debt is a continuity tool only when its terms are visible and bounded.

The joint RIR backstop was too remote to be the first answer

The Number Resource Organization established a Joint RIR Stability Fund in 2015. The announced purpose was reliable operation during unforeseen disruption or serious financial distress, with more than USD 2.1 million pledged at the time. Support was meant for core registry and policy functions, subject to transparency and financial controls. AFRINIC's financial statements recorded its own pledge to the arrangement.

This was exactly the category of collective safeguard that a regional system needs. One registry's disruption can affect the global consistency of number administration. Other RIRs can provide money, staff and operational assistance. Mutual support reduces the chance that a local corporate crisis becomes a system failure.

But a pledged backstop is not the same as an immediately spendable operating account. The NRO announcement said pledged amounts remained within the individual RIRs' reserves until called. A request, approval and transfer may take time. Recipient banking channels may themselves be affected. Conditions and public reporting have to be satisfied. The total pledge was small relative to the USD 50 million ceiling in the attachment and smaller than AFRINIC's own year-end cash.

The fund should therefore sit behind local separation, not replace it. AFRINIC needed enough accessible runway for the first days; a prepared request for the following weeks; and in-kind arrangements if payment remained blocked. The support mechanism also needed a lawful way to pay essential vendors directly or through a supervised facility where a transfer into the restrained company account would simply be caught.

Mutual aid can preserve services without deciding the litigation. Donor RIRs should not fund advocacy, damages or discretionary corporate activity. They should support specified core functions under reporting that the court and members can inspect. This boundary protects the global system while preserving the claimant's right to pursue the corporate debtor.

The court needed a service map, not a claim of exceptionalism

When AFRINIC sought removal or reduction of the attachment, the persuasive case was not that an Internet registry should be beyond judicial reach. It was that a defined amount, paid under controls, was necessary to prevent harm to third parties while leaving meaningful security in place. That case requires evidence.

A court-ready service map would connect each requested payment to a function, beneficiary, due date and consequence of nonpayment. It would identify available cash, all accounts, expected fee receipts, alternative funding, existing reserves and liabilities. It would state which expenses could pause. An independent accountant could verify amounts; a technical expert could verify consequences.

The map should also confront the claimant's concern. If attachment was sought because of feared dissipation or to preserve assets for a potential judgment, unrestricted release would defeat the measure. Safeguards could include direct vendor payment, a capped monthly allowance, dual approval, weekly statements, prohibition on transfers to insiders, preservation of a separate security amount and rapid return to court.

Later AFRINIC case records describe a separate October application that proposed a USD 10 million attachment with permission for monthly withdrawals of USD 100,000 for vital expenses. That later figure is evidence that a carve-out concept entered the litigation, not proof that USD 100,000 was the correct operational minimum. The right amount should come from a tested service budget, not round-number bargaining.

Judicial restraint becomes more legitimate when it is granular. The court can protect a claim and preserve services at the same time if parties supply the necessary map. Broad institutional claims force a false choice between total release and total freeze. Good governance prepares the third option before a hearing.

A claimant also has reason to prefer continuity

At first glance, the claimant's incentive is to maximise pressure. A frozen account may bring a defendant to negotiate and preserve assets. But destroying the debtor's operating capacity can reduce the value available for any eventual judgment. It can also create third-party claims, regulatory intervention and reputational cost.

A continuity allowance can therefore serve both sides. It preserves the institution as a going concern, maintains fee income, prevents vendor penalties and protects records needed to litigate. The claimant receives reporting and security rather than an uncontrolled collapse. If liability is later established, a functioning organisation is more capable of payment.

The claimant should be entitled to challenge inflated essential costs. It can ask why a vendor is necessary, whether salaries are proportionate, whether reserves were moved, and whether insiders are receiving preference. It can request an independent monitor or direct payments. What it should not receive is leverage over unrelated technical functions merely because corporate finance and public-effect services share an account.

This reciprocal structure reduces moral hazard. Management cannot invoke continuity to preserve every expense. The claimant cannot invoke attachment to suppress every payment. Each must justify the marginal dollar. The court becomes supervisor of a bounded financial arrangement rather than arbiter of competing catastrophe narratives.

Settlement can use the same architecture. Parties might agree to place disputed security in escrow while releasing a minimum operating amount, with neither concession treated as an admission. The arrangement can expire or be revisited. Continuity then becomes a shared preservation interest, not partisan rhetoric.

Account segregation must be lawful before it is clever

Any proposal to separate funds invites an obvious objection: debtors could label money "essential" and frustrate creditors. That risk is real. A continuity design is credible only if created in ordinary times, proportionate to verified need, disclosed in audited statements and incapable of unilateral expansion after a claim emerges.

Legal form matters. A separate bank account owned by the same company may still be attachable. A trust or separate entity may be inappropriate, invalid against creditors or inconsistent with member control. Contractual restrictions may not bind a court. Cross-border accounts can look like evasion. The correct structure requires Mauritian legal advice, member approval where necessary and advance engagement with auditors and banks.

The safer principle is not asset protection in the commercial-planning sense. It is continuity identification. Even where no legal segregation can guarantee release, a separately accounted and transparently governed pocket gives the court evidence for a carve-out. It shows that the requested amount was not invented after attachment and that payments cannot be redirected to insiders.

The amount should be capped by policy. Replenishment should occur through routine fee allocation, not hurried transfers after service of proceedings. Use should trigger public reporting and independent audit. Funds unused after the incident should remain within the same approved purpose or return according to policy. Directors should face explicit duties not to misuse the facility.

This design accepts judicial supremacy. The court may still freeze the pocket if law and facts require it. But it will do so with visibility into consequences and alternatives. Institutional resilience cannot promise immunity from lawful authority; it can promise that lawful authority receives a well-structured choice.

Geographic diversification is a second-order control

Because the 2021 order named two Mauritian banks, one response is to place continuity cash in another jurisdiction. Geographic diversification can help with local outages, capital controls, natural disasters or a single bank failure. It can also complicate attachment. Those benefits must be weighed against governance costs.

A regional registry serves many countries but is incorporated somewhere. Moving money abroad may expose it to foreign sanctions, exchange controls, tax rules, correspondent-bank restrictions and conflicting court orders. Members may see it as removing assets from the jurisdiction that holds directors accountable. Access can depend on a small number of officers or legal documents that fail during governance transition.

If used, geographic diversification should be modest, transparent and purpose-limited. The board should publish the rationale, legal ownership, currency exposure, custodians, access rules and audit treatment. The account should support only essential-service payments and should not receive disputed asset transfers after litigation begins. Courts should be informed when relevant.

Operational diversification may matter more. A registry can maintain more than one method to pay critical vendors, such as bank transfer and supervised card facility, without hiding balances. It can arrange direct support from the joint RIR mechanism. It can negotiate vendor grace periods. It can ensure payroll can be processed through a lawful alternate provider. These controls reduce dependence on one rail while preserving accountability.

The lesson from SBM and MCB is therefore not "find a third bank". It is that institutional continuity must survive a jurisdiction-wide legal event. Bank diversity helps only when combined with legal analysis, functional budgets and court-ready disclosure.

Members were entitled to more than reassurance

On 24 July, AFRINIC's chair told members that one bank had notified the organisation of the temporary freeze and that the board had identified alternate funding. That message served an immediate purpose: it indicated services had a funding route and legal response would follow. It did not answer the accountability questions that members, as funders and users, were entitled to ask.

What expenses were protected? How many days of runway existed? Who offered funds, on what terms? Were staff and critical vendors current? Did the attachment reach the strategic reserve? Which services faced deadlines? What controls prevented donor influence? What did the board ask the court to release? These questions could have been answered in aggregate without prejudicing litigation.

Silence creates two opposite rumours. One says the registry is hours from collapse; the other says the crisis is exaggerated for legal advantage. Both damage trust. A weekly continuity statement could report service status, protected cash horizon, material payment exceptions, emergency financing and next court date. It should separate verified facts from scenarios.

Members also needed a post-incident account. The annual report supplied important figures, including donations and inability to meet commitments, but an annual retrospective is too slow for operational accountability. A dedicated lessons report should have shown which controls failed, how funds moved, what obligations were delayed, whether service levels changed and what policy was amended.

Financial transparency is not disclosure of every bank detail. Exact account numbers, security procedures and commercially sensitive contracts should remain protected. Transparency means the governing body can demonstrate that member fees were allocated according to a continuity plan and that emergency benefactors acquired no hidden power.

The finance committee needed to think like a resilience committee

Traditional finance oversight focuses on budget, reserves, investment, controls and audit. AFRINIC's 2021 board records show attention to those matters. The reserve was increased; withdrawals required three signatures; the finance committee existed; audited reporting later showed strong results. Yet the attachment turned that apparently prudent structure into inaccessibility.

The finance committee should therefore own a legal-liquidity risk register alongside the balance sheet. For each material account it should record owner, jurisdiction, bank, purpose, attachability advice, signatories, alternate rail, recovery time and dependent services. For each critical payment it should record what happens if the account is restrained for one day, one week or three months.

The committee should receive litigation exposure in ranges rather than only legal updates. A claim may be weak yet capable of producing interim restraint. Probability of ultimate loss and probability of temporary liquidity interruption are different. The first informs provisioning; the second informs continuity. AFRINIC's episode demonstrates why a low-confidence damages claim can still create a high-impact cash event.

Audit should test availability, not merely existence. Bank confirmations prove balances. A resilience exercise should simulate inability to use those balances. Can the institution pay the minimum budget through authorised alternatives? Can it produce evidence for urgent court relief? Can vendors recognise a substitute payer? Can another RIR supply in-kind support?

The board should set risk appetite explicitly. It may decide that some functions can pause for weeks while core registry services must survive 90 days. It may hold security for claims while protecting a smaller runway. These are governance choices. Leaving them implicit allows a court order and bank compliance team to make them by default.

Stress tests should include lawyers, banks and technicians

A desktop exercise confined to finance will miss the sequence that made 2021 dangerous. The scenario should begin with service of an attachment order late on a Friday. One bank freezes all accounts conservatively. A second asks for clarification. Payroll is due in four days. A hosting invoice is due tomorrow. The chief executive is travelling. A critical vendor will accept payment only from the contracting entity. Social media claims the registry will shut down.

The legal team must identify the order's scope and prepare a variation application. Finance must produce balances and a minimum budget. Technical leaders must rank services and consequences. Communications must issue accurate updates. Directors must approve emergency authority without taking over operations. Banks must know whom to contact. Donor support must pass conflict review. Every action should be timed.

The exercise should then remove an assumed safeguard. What if the alternate bank is also bound? What if a signatory resigns? What if the court return date is three weeks away? What if a donor offers money with conditions? What if the claimant challenges payroll as excessive? What if the vendor refuses third-party payment? Resilience appears in the exceptions.

Results should produce concrete repairs: a contract amendment, new signer, pre-approved affidavit, updated vendor list, smaller reserve pocket or clearer member report. The audit committee should track closure. At least one exercise should involve the banks and external counsel, because internal confidence does not predict how outsiders will interpret documents during a crisis.

Stress testing also protects against overstatement. If a simulated account freeze shows core technical services can continue for weeks without emergency cash, public claims of immediate collapse should be moderated. If it shows one missed payment can disable a critical service, that dependency should be fixed before it becomes litigation rhetoric.

The October release ended the restraint, not the design failure

On 15 October 2021, the court declared the provisional attachment order null and void and set aside the validation application. AFRINIC's communication described the result as a victory. In litigation terms, it restored access and defeated that application. In governance terms, it removed the pressure that might have forced structural reform.

The accounts became available again, but the same legal entity still combined corporate assets and public-effect services. The reserve could again look ample. Donations and emergency credit could be treated as an exceptional episode. A future claimant, receiver, insolvency proceeding, sanctions event, bank failure or governance deadlock could exploit the same chain through a different legal mechanism.

The correct post-incident question was not whether Cloud Innovation could repeat the precise order. It was why AFRINIC could report record cash and inability to pay in the same year. That counterfactual should drive policy. If the October order had remained for another three months, which service would have failed first? If donations had not arrived, what authority existed? If the board could not meet, who could activate support?

A released attachment also requires reconciliation. Which obligations were delayed? Did vendors charge penalties? Were donations restricted? Were debts repaid? Did any employee leave? Did service or security work accumulate? Did legal spending displace planned resilience investment? Public records reviewed here do not answer all of these questions.

The absence of a visible failure is not evidence that continuity controls worked. It may mean staff, creditors and supporters absorbed the strain. Robust governance converts that hidden effort into a repeatable system rather than relying on another round of goodwill.

A continuity covenant could bind registry, members and court

The strongest long-term device would be a published continuity covenant approved by members and reflected in contracts, reserve policy and court materials. It would define essential functions, minimum service levels, protected expenditure categories, activation events, oversight and reporting. It would state equally clearly that AFRINIC remains subject to lawful claims and that the covenant cannot be used to move assets after a dispute arises.

Members would accept that a small share of fees funds essential runway and mutual support. The board would accept limits on use and mandatory disclosure. Management would maintain the service map and payment schedule. Banks would receive account-purpose documentation. Critical vendors would recognise supervised alternate payment. External auditors would test balances and controls. The NRO would know what evidence accompanies a support request.

In litigation, the covenant would not bind the court automatically. It would provide a credible starting record. The claimant could challenge amounts. The registry could show that the arrangement predated the dispute. The court could preserve, vary or reject it with knowledge of consequences. That is far stronger than arriving after attachment with an assertion that every account supports the Internet.

Activation should be graduated. A bank notice may trigger daily liquidity reporting. Loss of one payment rail may trigger vendor confirmation. Restraint of all ordinary accounts may activate the essential-services pocket and a joint RIR request. Prolonged restriction may shift selected functions to supervised external support. Each stage should have an expiry and review.

The covenant should survive management change. Instructions, custodians and technical access must attach to roles rather than personalities. A receiver or court-appointed officer should be able to understand it quickly. Continuity that depends on the incumbent board's legitimacy is weakest exactly when litigation challenges that legitimacy.

Public-effect service does not mean sovereign immunity

The hardest objection deserves a direct answer. AFRINIC was not a state and did not own the Internet. Why should its money receive treatment unavailable to an ordinary Mauritian company? Because the proposed protection follows function and third-party harm, not institutional prestige.

Courts routinely distinguish between preserving a claim and destroying value. The registry's role adds evidence about affected third parties, but it does not erase the claimant. A supervised allowance for critical operations can be justified if the same amount would preserve the debtor's value and prevent disproportionate harm. If AFRINIC exaggerates the dependency, the court should refuse or reduce it.

The protection must also be portable. If another lawful operator temporarily performs a function, funds should follow the function under supervision rather than remain with AFRINIC management. This prevents incumbents from turning continuity into entrenchment. It recognises that the public interest lies in accurate, secure number services, not in a particular executive group.

Nor should every member-facing activity receive the same status. Policy meetings, training and development programmes can be important without being immediately essential. The covenant should rank them. Emergency support can preserve core records and security while suspending discretionary activity. Institutional discomfort is not system failure.

This narrowness is the price of legitimacy. A registry asking for special operational treatment must accept exceptional transparency, independent verification and limits on discretion. The public effect of its service creates duties before it creates privileges.

The account freeze was a governance audit conducted by litigation

The 2021 attachment exposed facts that ordinary financial reporting obscured. AFRINIC had accumulated cash but could not reliably access it under legal restraint. A strategic reserve existed but did not constitute spendable continuity runway. Two banks were present, yet one judicial process could reach the relevant accounts. Emergency donations and debt replaced ordinary member-funded payment. The board had to improvise while resisting litigation generated by its own enforcement dispute.

None of these facts resolves Cloud Innovation's claim or AFRINIC's contractual allegations. The attachment was later declared null and void. The damages merits were not established by the provisional order. The design failure is independent of which party should ultimately have prevailed.

Corporate finance and registry service had been treated as if their boundaries coincided. They did not. Corporate assets must answer lawful obligations. Essential number services must survive a dispute between the corporation and one member. When both depend on the same unrestricted cash perimeter, either claimant rights are weakened by appeals to continuity or continuity is endangered by ordinary enforcement. The arrangement serves neither well.

The repair is not secrecy, offshore flight or blanket immunity. It is explicit partition: ordinary cash, essential runway, claims security and long-term transition reserve; a verified service budget; vendor and payroll maps; bank and court protocols; conflict-controlled emergency support; mutual RIR assistance; and member-visible stress tests. Every pocket remains auditable, every special payment justified, every claimant able to challenge.

AFRINIC's year-end surplus makes the lesson sharper. This was not fundamentally a story about poverty. It was a story about unusable wealth. The institution had resources, but its legal and financial architecture could not guarantee that the small portion needed for continuous operation would remain available while a commercial dispute was heard. Litigation reached operations because governance had left no wall between them.