The registry that becomes a compliance choke point

A regional internet registry is not a bank, a sanctions ministry, a customs authority or a capital-control office. LACNIC does not clear dollar payments, write foreign-policy lists, inspect cargo, lend against address blocks or decide whether a telecom operator may do business in a country. Its public function is narrower and more technical: to administer internet number resources for Latin America and the Caribbean, maintain coherent registration data, support reverse resolution and related services, process transfers under policy, and give networks a recognised point of reference for IPv4, IPv6 and autonomous system numbers.

That narrowness is exactly why sanctions and compliance pressure matter. A registry can become a choke point without choosing to become one. It may simply depend on banks, payment processors, screening vendors, corporate documents, legal advice, account-status systems, staff review, dispute flags and transfer procedures. Each component looks ordinary. Together they can decide whether an operator remains in good standing, whether an IPv4 transfer closes, whether a buyer can rely on finality, whether a block remains easy to certify through RPKI, whether reverse DNS remains maintainable, whether WHOIS and RDAP records stay current, and whether an abuse contact remains reachable. The registry does not have to punish a network to create pressure. It only has to let unrelated compliance ambiguity spill into recognition.

This is the central LACNIC question. The region contains large economies with sophisticated banking and legal capacity. It also contains small island markets, operators dependent on a few foreign-currency payment corridors, public networks with slow procurement systems, family-owned ISPs, cross-border carrier groups, universities, data centres, cloud platforms and local access providers whose continuity can be damaged by a compliance hold that is opaque, broad or slow. A rule that looks neutral from a regional institution may land very differently in Brazil, Mexico, Argentina, Chile, Colombia, Jamaica, Trinidad and Tobago, Barbados, Belize, Haiti or a smaller island jurisdiction where an international wire transfer is a management event rather than a back-office click.

The risk is not that LACNIC should ignore law. It cannot, and should not. If a binding legal order applies, if a party is truly prohibited, if a payment would violate a relevant rule, if a transfer is fraudulent, or if an account is being used to conceal control, the registry must protect the record and obey law. The risk is over-compliance: the institutional habit of treating every bad-looking name, currency problem, country flag, bank refusal, ownership question, legal request, abuse complaint or unfamiliar document as a reason to degrade the whole registry relationship. Over-compliance is rational inside many institutions because the cost of denial is often borne by someone else. At a registry, that someone else may be an operator, its customers, a buyer, a seller, a lender, an upstream provider, an abuse desk or a public service that depends on address continuity.

LACNIC's exposure is not the same as RIPE NCC's exposure to European sanctions policy, APNIC's exposure to Australian law and Asia-Pacific state-security complexity, ARIN's exposure to United States sanctions law, or AFRINIC's exposure to crisis governance and litigation-driven continuity risk. LACNIC's distinctive pressure sits in the middle of a diverse regional economy where US-dollar payment practices, correspondent banking, currency restrictions, sanctions-screening tools, local corporate documentation, multilingual procedure and the scarcity value of IPv4 all meet the same registry account. The registry layer is not the financial system. But it can inherit the financial system's caution and convert it into a recognition problem.

The right frame is therefore not "should LACNIC enforce sanctions?" That is too blunt. The right frame is narrower: when compliance pressure reaches LACNIC through payment rails, legal requests, KYC and AML habits, vendor de-risking, transfer review or account standing, which registry functions must remain protected unless a specific legal or security reason requires interruption? The answer should start with continuity. RPKI, reverse DNS, WHOIS and RDAP accuracy, abuse-contact correction, authenticated account access, transfer finality and the last verified registration state are not ordinary add-ons. They are the continuity surfaces through which networks remain legible to the rest of the internet.

The strongest compliance design is not lax. It is exact. It says no when law requires no. It pauses a value-changing transaction when a real match or binding request requires review. It refuses forged documents. It keeps records of why decisions were made. But it also distinguishes a blocked transfer from a routine contact correction, a bank's unexplained caution from a confirmed legal prohibition, a fuzzy name match from a true listed party, a payment delay from abandonment, and a disputed ownership file from a network's need to maintain route-security metadata. That distinction is where registry legitimacy now sits.

Compliance infrastructure, not headline sanctions

Most sanctions discussions begin with lists and governments. At the registry layer, the more important system is often quieter: the infrastructure of compliance. That infrastructure includes screening databases, bank risk rules, payment processors, correspondent banks, beneficial-ownership questions, legal letters, customer-due-diligence forms, card-network country policies, invoice wording, account-standing flags, document authentication, and staff decisions about how much uncertainty is acceptable. None of these instruments is unique to LACNIC. The regional texture is in how they arrive.

Latin America and the Caribbean do not form a single payment environment. Some operators work inside large domestic banking systems with established treasury functions. Others depend on a local bank whose foreign correspondent may change risk appetite without much warning. Some earn mostly in local currency and must settle regional or international obligations in dollars. Some face inflation, exchange-rate volatility, procurement delays or formal currency controls. Some public networks cannot pay until a budget line, invoice form or approval chain is complete. Small Caribbean operators may have high fixed costs for wire transfers and limited leverage when a bank asks why a modest payment is going to an internet registry in another country for an intangible resource.

That is not sanctions in the theatrical sense. It is compliance friction. Yet for a registry account the difference can be small. A member that is willing to pay may appear unpaid because a bank rejected the transfer, requested more evidence, held the payment in a correspondent chain, refused a jurisdiction, flagged a common name, objected to a remittance description, or required confirmation that no listed party benefits. If the registry treats the result as ordinary delinquency, banking caution becomes account discipline. If account discipline then blocks portal access, contact updates, reverse-DNS changes, RPKI maintenance or transfer processing, the payment system has quietly become a registry-control system.

This is why LACNIC should be analysed as a non-bank continuity institution. It does not need to judge the whole payment system. It does need to decide what its own account rules do when the payment system misfires. The distinction between refusal to pay and inability to complete a payment through ordinary rails is not sentimental. It is operational. A member that ignores invoices after notice is different from a member that produces evidence of timely payment attempts, bank questions and continued engagement. The first may require ordinary enforcement. The second requires a lawful standstill path that preserves core maintenance while the payment problem is clarified.

The same is true of payment processors and vendors. A processor may decline a transaction because its own risk model is conservative, not because law prohibits service. A screening vendor may produce a possible match because a name resembles a listed person, not because the account holder is the listed person. A bank may de-risk a country, sector or currency corridor because the cost of investigation exceeds the revenue. LACNIC may receive only the downstream symptom: failed payment, unclear source of funds, incomplete corporate data, or an account that feels risky. If registry procedure cannot separate those causes, it will over-block.

The institutional habit to resist is binary account status. A registry account should not be only clean or blocked. Compliance pressure requires graduated status: verified holder under payment review; transfer paused pending specific legal analysis; account authority under review but maintenance preserved; payment attempted and awaiting bank response; possible sanctions match under identity verification; confirmed legal prohibition; court-restrained change; suspected fraud; non-responsive account; abandoned account. Each category should have different effects. A confirmed prohibition may require refusal or restriction. A possible match should trigger review, not automatic degradation. A payment-rail problem should not be treated like concealment. A transfer hold should not block an abuse-mailbox correction.

This classification matters because the registry is not merely protecting itself. It is protecting reliance by third parties. WHOIS and RDAP data are used by other networks, abuse teams, buyers, lawyers and security responders. Reverse DNS is used in operations, troubleshooting, mail handling and customer systems. RPKI provides route-origin assurance. Account access lets the responsible party correct errors. If these functions are interrupted because of an unrelated payment or compliance ambiguity, the registry has converted private risk avoidance into public reliability loss.

The point is not to make LACNIC a bank examiner. The point is to keep LACNIC from inheriting bank behaviour where the registry's public function requires greater precision. Banks often de-risk whole categories because they can choose customers. A regional registry has a different burden. For a resource already recognised, the last verified state should be preserved unless law, fraud, clear abandonment, duplicate claim, security-integrity danger or a competent order requires a narrower action. That principle does not weaken compliance. It protects the registry's purpose from being absorbed by compliance infrastructure it does not control.

The legal floor and the over-compliance ceiling

Every compliance system has a floor and a ceiling. The floor is law. LACNIC must obey binding legal duties that apply to it. It should not process a prohibited transaction, knowingly facilitate evasion, ignore a valid court order, accept forged authority, or let a known listed party use the registry relationship in a way that the law forbids. No credible registry-continuity argument requires illegality. The stability of the number system depends on institutions that can act within law and explain why they do so.

The ceiling is over-compliance. It is reached when an institution goes beyond what law requires because refusal is easier than analysis, because the institution fears reputational criticism, because a bank or vendor will not explain a risk flag, because staff treat foreign lists as if every one of them is equally binding in every context, or because the cost of cautious denial falls on the operator rather than on the registry. Over-compliance can look prudent inside a file. Across a region it becomes a tax on unfamiliar jurisdictions, smaller operators, complicated ownership histories and payments that do not travel through privileged corridors.

LACNIC's legal home in Uruguay gives it a stable institutional base. It also means the registry must navigate a service region whose business reality extends far beyond any single legal system. A payment involving a Caribbean operator may be touched by a local bank, a US-dollar correspondent bank, a card processor, a compliance vendor and a final account relationship with LACNIC. A transfer involving a seller in one country and a buyer in another may require registry approval, bank comfort, corporate documents, signatures, broker coordination, escrow conditions and possibly another regional registry. Law enters at several points. So does private caution.

The registry should therefore insist on legal specificity. What is the legal basis for the restriction? Which party, resource or transaction is affected? Is the issue an asset freeze, payment prohibition, ownership or control question, court order, document-authenticity concern, account takeover risk, or payment-processor refusal? Is the restriction temporary pending verification, or final? Does it apply to new transfers only, to payments, to account access, to publication services, to RPKI, to reverse DNS, to WHOIS and RDAP updates, or to all of them? If the answer is unclear, the default should not be maximum disruption. The default should be preservation while the specific issue is clarified.

The most dangerous language in a registry context is "risk" without category. Risk of what? Legal violation is one category. Fraud is another. Theft of resource control is another. Non-payment is another. Reputational discomfort is another. Political sensitivity is another. Abuse by downstream customers is another. A registry should not treat these as interchangeable. A confirmed fraud risk may justify locking a transfer. A reputational concern should not block reverse-DNS maintenance. A payment uncertainty may justify limits on new benefits, but not the removal of the last verified public record. A court order may require action, but the action should match the order.

This matters especially because IPv4 scarcity has made registry decisions economically material. LACNIC's waiting list was created after the last available IPv4 block was assigned in August 2020. Public waiting-list material has described the expected wait for the last request as measured in many years, with a small maximum block size and recovered-space uncertainty. Whatever one thinks of the fairness of that waiting list, it confirms the market fact: significant IPv4 capacity now depends on existing holders, transfers, mergers, acquisitions, routing arrangements, leases and operational conservation. A compliance hold is therefore not just a delayed service request. It can immobilise scarce capital.

The ceiling of over-compliance is also harder to see because it often operates through silence. A member may not receive a formal denial. It may receive additional document requests, payment reminders, partial answers, portal restrictions, or a file that waits for legal review. A buyer may not know whether a transfer is delayed by the seller, the recipient review, a sanctions concern, a bank problem, another registry, or ordinary workload. A seller may not know whether price, geography, counterparty risk or missing evidence is the issue. This silence creates its own market. Repeat players learn how to interpret it. Occasional participants pay for help or accept discounts.

The correct institutional response is reason-giving within lawful limits. LACNIC need not disclose sensitive legal analysis, private personal data or investigative detail. But it can identify decision categories. "Payment attempted, bank review pending, core maintenance preserved" is different from "confirmed legal prohibition, transfer refused." "Possible name match, identity documents requested, no service interruption at this stage" is different from "court-restrained resource, no change permitted." "Authority to act is unclear" is different from "counterparty appears on a sanctions list." Categories lower the cost of compliance for honest members and make over-compliance harder to hide.

Payment standing should not become registry punishment

The most likely compliance choke point for many LACNIC members is not an explicit sanctions order. It is payment standing. A registry must collect fees and ensure members meet obligations. That is uncontroversial. The difficult question is what happens when payment is delayed by the financial system rather than by a member's refusal.

The region supplies many hard cases. A small ISP may have only one bank that handles international transfers. A public university may need a formal invoice format before a payment office can release funds. A municipal network may be moved between agencies while the bank account remains in transition. A Caribbean operator may face a correspondent-bank request for additional information because a payment references "internet addresses" or "number resources." A company may have changed name after a merger and need the invoice corrected before its bank will process it. An operator in a currency-stressed economy may have local funds but lack timely access to settlement currency. None of these situations should be romanticised. Some files will contain real non-payment. But not all payment delay is delinquency in the ordinary moral sense.

If the registry treats every unpaid state alike, it imports financial-system inequality into the registry. A large operator can use another bank, involve counsel, route payment through a group treasury, escalate with a relationship manager or carry the delay. A small operator may have no such path. The same account-standing rule therefore produces unequal continuity risk. It may be formally neutral and economically discriminatory.

The registry's own service design can reduce or amplify this inequality. A blunt account hold amplifies it. If payment delay disables the portal, prevents a contact correction, blocks reverse-DNS management, freezes RPKI changes and stops any transfer-related step, the registry has made the bank's caution operationally powerful. A narrower design reduces it. It preserves the last verified registration state, keeps security and contact functions available, allows documented cure, and restricts only those actions that would create new value or additional exposure while payment status remains unresolved.

This is not a call for indefinite free service. LACNIC has to fund staff, systems, security, outreach and operational continuity. It cannot let unpaid accounts remain open without limit. The point is sequencing. A member that is responsive, produces evidence of attempted payment, and is not confirmed as legally prohibited should have a limited continuity status. During that status, the member may not receive new discretionary benefits, but it should be able to keep public data accurate, maintain abuse-contact reachability, preserve routing-security records, and resolve the payment problem without the additional threat that every registry function will be treated as leverage.

Public-sector procurement deserves separate attention. Government agencies, universities, research networks and public utilities often cannot act like private firms. They may need purchase orders, budget certifications, exchange approvals, supplier registration, contract renewals or ministerial sign-off. Their delay can be bureaucratic rather than evasive. A registry that treats public-sector timing as ordinary default may endanger public-service continuity. At the same time, a registry should not allow public bodies to use bureaucracy as a perpetual excuse. The proper response is a documented cure path with dates, responsible contacts, evidence of internal process and preservation of core maintenance while the file is active.

Currency friction is another regional reality. Some LACNIC members may be willing and solvent in local terms but constrained by conversion limits, foreign-exchange availability, bank compliance review or payment channel cost. A payment obligation denominated or settled through an international rail can therefore become a test of financial access rather than willingness. The registry does not have to solve macroeconomics. It does have to avoid mistaking every currency bottleneck for bad faith. Evidence of attempted payment, engagement with the registry and an alternative route should matter.

There is also a transfer-market angle. If sellers, buyers or brokers learn that a payment-standing ambiguity can contaminate transfers, they will price the risk. A holder in a jurisdiction with weak payment rails may receive a lower offer, face more onerous escrow conditions or be excluded by cautious buyers. This is how compliance pressure becomes a scarcity premium. The number resource has not changed. The perceived reliability of recognition has. A registry cannot abolish such market pricing, but it can reduce needless uncertainty by making clear which account problems affect transfer eligibility and which maintenance functions remain preserved.

The payment rule should therefore be a service-continuity firewall. It should separate invoice collection from registry recognition. Non-payment after notice can have consequences. Deliberate evasion can have consequences. Confirmed legal prohibition can have consequences. But payment-rail friction should not automatically impair the last verified record, abuse-contact correction, RPKI maintenance or reverse DNS. A bank's caution is not a registry adjudication.

Transfers, finality and the cost of a compliance hold

IPv4 transfers are where compliance pressure becomes most visible because money, scarcity and recognition meet in one file. A transfer is not merely a sale between private parties. It is a request that the registry recognise a change in the right party for number-resource purposes. The registry does not set the commercial price, but its approval is the market's settlement layer. Until recognition occurs, the buyer does not have the same certainty. Until refusal is clear, the seller may not know whether the value is blocked, delayed or merely waiting.

This gives transfer review a quasi-financial role even though LACNIC is not a financial institution. The registry's timing, evidence requests, account-standing checks and inter-regional coordination affect financing conditions, escrow releases, merger schedules, cloud-deployment plans, data-centre commitments and broker reputation. A long compliance hold can reduce the effective value of a block. A vague hold can reduce the value more than a clear refusal because no one knows how to close, reprice or walk away.

Latin America and the Caribbean add practical complexity. A seller may be a family-owned ISP whose founder is still the historical contact. A buyer may be a regional data-centre group with entities in several countries. The payment may move in dollars through a correspondent bank. The contract may be in Spanish, Portuguese or English. The buyer's bank may want comfort that the resource transfer is legitimate. A broker may coordinate evidence across time zones and legal traditions. A public-sector seller may need approval from a ministry or procurement office. A Caribbean company may rely on counsel who rarely handles internet-number transfers. None of these facts proves risk. Together they create files that look untidy.

The registry's job is not to make every file tidy by suspending recognition until all discomfort disappears. Its job is to identify the fact that matters. Does the current holder have authority to transfer? Is the recipient eligible under policy? Are the parties who they claim to be? Is there a legal restriction on the transaction? Are documents authentic? Is the resource subject to dispute, court order or suspected hijacking? Is another registry involved? Is the payment between private parties outside the registry's role, or is the registry's own fee the issue? Each question can justify a different action. Lumping them together under "compliance" is administratively convenient and economically expensive.

Transfer finality should therefore be designed as a sequence of visible milestones. A party should be able to tell when the file is received, when identity or authority evidence is complete, when policy eligibility is under review, when legal review is triggered, when a possible sanctions match is being disambiguated, when another registry must act, when the final recognition step will occur, and when a refusal is final. Not every detail can be public. But counterparties can be told enough to manage risk without guessing.

Inter-regional transfers raise the stakes. A block moving between registry regions may face different legal environments, document expectations, transfer policies and operational-service transitions. LACNIC should be especially clear about what happens to RPKI, reverse DNS, WHOIS and RDAP during such movement. A buyer should not discover after closing that route-security maintenance, reverse delegation or public record updates were caught by an avoidable ambiguity. A seller should not find its existing operational services impaired because a recipient-side review is slow.

The most important boundary is between transaction risk and continuity risk. A transfer can be paused without damaging the existing holder's ability to keep the record accurate. A recipient can be asked for documents without implying that the source holder is suspect. A possible match can be reviewed without treating the resource itself as tainted. A court order can block a change without erasing the current public state. If these separations are not maintained, every transfer review becomes a potential sanction on the whole account.

Finality also matters for fraud prevention. A clear process reduces opportunities for impostors, forged authorisations and pressure tactics. When milestones are known, counterparties can verify them. When reasons are categorical, buyers can demand the right conditions. When a hold is specific, a fraudulent actor has less room to exploit silence. Precision is therefore not merely pro-market. It is pro-integrity.

KYC habits in a multilingual region

KYC and AML practices were built for financial institutions, but their logic has migrated widely. Registries now encounter beneficial-ownership questions, corporate-authority checks, politically exposed person screens, document authentication, address verification and sanctions-name matching. Some of this is necessary. A registry must know who controls an account, especially when scarce IPv4 blocks can be sold, leased, pledged, transferred or hijacked. The problem begins when financial-sector habits are imported without adjustment for registry function.

The registry is not opening a lending relationship. It is maintaining a recognition record. That difference should shape the proof required. Routine contact maintenance should not require the same evidence as a transfer. A corporate-name correction should require proof of continuity, not a full commercial due-diligence file. A suspected account takeover should require stronger controls than an abuse-mailbox update. A legacy regularisation should ask for authority and continuity, not every document a bank would request for a new credit relationship. A confirmed legal prohibition is different again.

The proof ladder matters in a multilingual region. Spanish, Portuguese and English documents may differ in form, terminology and legal effect. A company registry extract, public-sector authorisation, notarial document, corporate resolution, tax certificate or municipal approval may not look like a US or European compliance template. A small operator may not know which fact LACNIC needs the document to prove. If a request says only "provide more information", the member may over-provide, under-provide or disengage. The registry then sees a messy file and asks for more. Delay compounds.

A better design would state the fact being proved. Authority to act. Legal continuity after a name change. Beneficial ownership where relevant. Power to transfer. Absence of a known legal prohibition. Payment attempt. Current contactability. Control of the account email. Each fact has a proportionate evidence set. A notarial certificate may be useful for one. A board resolution for another. A government purchase order for another. A bank receipt for another. The member should not be left to guess the category.

KYC over-compliance can also produce discriminatory error. Large groups keep corporate documents ready. Small firms and public bodies often do not. Family firms may have founders, heirs, operating companies and licences whose names diverge. Rural networks may have historical assignments under a predecessor. Caribbean entities may have company documents from small registries that screening vendors rarely parse well. Public agencies may be authorised through decrees or internal memoranda rather than private corporate resolutions. A process that treats unfamiliar form as suspicious form will punish exactly the members with the least capacity to absorb delay.

False precision is another danger. A screening score or document checklist may appear objective, but it can hide uncertainty. A common name may resemble a listed person. A Spanish surname may produce multiple hits. A public entity may share words with a sanctioned institution elsewhere. A city, ministry or utility may have a politically sensitive name without being the prohibited party. A vendor database may be stale or over-inclusive. A registry should not turn such outputs into automatic account restrictions. It should use them as triggers for human disambiguation.

The regional language issue is not just translation. It is procedural intelligibility. A member must understand what action is being requested, what service is at risk, how long it has to respond, whether the problem is legal, payment-related, authority-related or document-related, and what evidence will close the matter. Guidance should be practical in Spanish, Portuguese and English, with examples that fit small Caribbean operators, Brazilian companies, Spanish-speaking SMEs, public universities and cross-border groups. Linguistic equality is part of compliance accuracy.

KYC can be useful when it is tied to registry risk. It protects against account theft, forged transfers, concealed control and disputes. It becomes harmful when it expands into a general licence to judge the comfort of a member, jurisdiction or commercial transaction. LACNIC's institutional discipline should be to ask: what registry fact is uncertain, and which service should be limited until it is resolved? If that question cannot be answered, the hold is probably too broad.

False positives and the geography of suspicion

Sanctions screening is notorious for false positives. At a registry, the cost of a false positive is not limited to an awkward onboarding delay. It can affect recognition, marketability and operational continuity. A possible match may cause a staff member to slow a transfer, ask for more documents, involve counsel, restrict account status or leave a file in limbo. Even if the match is later cleared, the member may have lost time, bargaining power or confidence.

Latin America and the Caribbean are fertile ground for ambiguous matches. Common surnames recur across borders. Public-sector entities may share generic words such as ministry, telecom, development, infrastructure or national. State-owned or formerly state-owned operators may have complex histories. Cross-border groups may hold subsidiaries with similar names. Caribbean companies may use service providers, corporate administrators or bank intermediaries whose names appear in unrelated compliance databases. A regional operator may have customers in several jurisdictions without being controlled by any of them. A public university may be treated as state-linked in one risk model and educational in another.

The problem is not only names. It is geography. Some compliance systems assign higher risk to countries, currencies, political relationships or sectors. A bank or vendor may flag a transaction because it involves a jurisdiction considered costly to investigate. A payment may be delayed because a correspondent bank wants additional comfort. A transfer may look suspicious because the seller is small and the buyer is foreign. These signals can be useful as indicators. They are dangerous as conclusions.

LACNIC should therefore have a false-positive clearing process that is fast, documented and bounded. A possible match should generate a category-level notice, an evidence request tied to identity or control, a timeline for review and a statement of which services remain available. The member should not be told only that the file is under compliance review. That phrase is too broad. It damages reputation without giving the member a path to cure.

The clearing process should also avoid hidden stigma. Once a possible match is resolved, the member should not remain in an informal risk bucket that slows future maintenance or transfers. Records may need to preserve the fact of review for audit purposes, but operational treatment should return to normal unless a concrete risk remains. Otherwise a false positive becomes a permanent private sanction.

There is a regional trust dimension. Operators in smaller or politically less familiar jurisdictions may suspect that compliance is really a test of geography. The registry can reduce that suspicion only through narrow categories, consistent timing and aggregate data. How many possible matches are cleared? How long do they take? How often do they affect service continuity? How often do they turn into confirmed legal prohibitions? Aggregate answers would show whether screening is a precise control or a broad filter.

False positives also affect market behaviour. If legitimate members fear that ordinary transactions will trigger opaque suspicion, they may avoid formal transfers, delay record cleanup, rely on intermediaries, leave stale contacts untouched or structure use through informal leasing arrangements. That makes the registry less accurate. Over-compliance therefore can undermine the transparency it claims to protect. A narrow, reviewable clearing process keeps legitimate activity inside the visible system.

Time discipline is crucial. A possible match cannot remain possible forever. The registry should define when it has enough evidence to clear, when it must seek legal advice, when it must refuse, and when non-response by the member becomes a separate issue. Open-ended review is not caution; it is shadow denial. In a scarce IPv4 market, shadow denial has a price.

RPKI, reverse DNS, WHOIS and RDAP are continuity surfaces

The sanctions and compliance debate is often framed around transfers and payments. That is too narrow. The most consequential registry functions under compliance pressure may be the ordinary continuity services: RPKI, reverse DNS, WHOIS and RDAP data, account authentication, and abuse-contact maintenance. These services do not move money. They let the network remain legible and trusted.

RPKI is a good example. Route Origin Authorisations help networks validate that an autonomous system is authorised to originate a prefix. A ROA does not itself route packets, and routing practice remains distributed. But as more operators rely on origin validation, the ability to maintain accurate route-origin data becomes part of the economic quality of an address block. A transfer buyer wants to know whether the block can be certified cleanly after closing. A current holder wants to know whether a payment issue or compliance review will prevent it from aligning ROAs with its routing. A customer wants assurance that a registry dispute will not turn into a routing-confidence problem.

Reverse DNS is less glamorous but similarly important. It appears in mail systems, logs, security tools, diagnostics, customer configurations, hosting services and abuse response. A holder that cannot maintain reverse delegation may still announce the prefix, but its operational credibility can suffer. For an operator serving business customers, government users, payment platforms, hotels, hospitals or cloud clients, reverse DNS continuity is not an optional courtesy.

WHOIS and RDAP data are public-reliance tools. They let other parties identify the recognised holder, contacts and responsibility points. They support abuse reports, due diligence, procurement checks, legal notices, routing coordination and transfer review. If an account under compliance review cannot correct stale contact data, the public record becomes less accurate. That outcome does not protect anyone. It makes the operator harder to reach and the registry less useful.

Abuse-contact continuity deserves special care. An abuse mailbox may be the very channel through which problems are resolved. If a payment hold or compliance ambiguity prevents a member from correcting an abuse contact, the registry has created a public-safety and trust problem. A member under review should not be rewarded with freedom from responsibility. It should be kept reachable so that responsibility can be enforced and observed.

These functions should be governed by a preservation presumption. Unless law, court order, proven fraud, clear account takeover, duplicate claim, security-integrity danger or abandonment requires a narrower action, the last verified state should remain stable and authenticated maintenance should continue. If a value-changing transaction is paused, maintenance should not be. If a payment is delayed, route-security data should not be casually impaired. If a transfer is refused, the existing holder's contactability should remain intact. If a possible sanctions match is under review, the public record should not be made worse while identity is clarified.

There will be hard exceptions. A court may order a specific restriction. A confirmed prohibited party may require service limits. An account compromise may require temporary lockout. A fraudulent request may require suspension of changes. A holder that disappears after repeated notice may force the registry to protect the record from abandonment. The preservation presumption does not eliminate these cases. It forces the registry to identify them precisely and avoid collateral damage.

The economics are straightforward. An address block whose RPKI, reverse DNS and public data remain dependable under review is worth more than a block whose operational services can be caught in broad account status. A buyer discounts uncertainty. A lender discounts uncertainty. A customer discounts uncertainty. A small operator pays more because it has fewer substitutes. Compliance design therefore affects asset quality.

LACNIC can also reduce market uncertainty by explaining service treatment during transfers and compliance holds. In inter-regional transfers, operational services may be affected and may not be immediately available. That warning should be developed into practical guidance: what usually happens to RPKI, reverse DNS, WHOIS and RDAP during outbound and inbound transfers; what steps the source and recipient should plan; what pauses are expected; what evidence is needed to preserve continuity; and what happens if a compliance review begins mid-transfer. Such guidance would not guarantee perfection. It would convert uncertainty into manageable risk.

The registry should be especially careful not to use RPKI or reverse DNS as leverage in disputes unrelated to their integrity. Route-security services are trust infrastructure. Reverse DNS is operational infrastructure. Public registration data is accountability infrastructure. When these services are used as broad pressure points, the registry becomes not only a ledger but a sanctions administrator by another route. The proper discipline is to keep each function tied to the specific risk it was designed to address.

Small islands, large countries and unequal review capacity

LACNIC's service region contains several economic maps at once. One map is linguistic: Spanish, Portuguese and English. Another is geographic: continental economies, Central American corridors, Caribbean islands, territories dependent on submarine cables, countries with major internet exchanges and countries where traffic still moves through distant hubs. Another is financial: stable banking, volatile currency, dollar scarcity, correspondent-bank dependence, public procurement, informal business practice and cross-border groups. A single registry rule lands on all of them.

The large-country advantage is not simply size. Large markets tend to have more registry experience, more policy participants, more counsel familiar with internet-number transactions, more banks that understand technology payments, more brokers, more buyers and sellers, and more staff who can absorb documentation requests. A large carrier in Brazil or Mexico can treat a transfer file as a specialised matter. A global cloud provider can hire counsel in several jurisdictions. A major regional group can keep compliance documents ready. These actors still face delays and legal risk, but they can professionalise the burden.

Small operators face a different risk function. A Caribbean access provider may have limited staff, one or two upstream options, costly equipment procurement, high disaster exposure and a small domestic market. A /24 may be operationally and financially significant. A payment hold or transfer delay may affect a real expansion plan or recovery budget. An English-speaking operator may have to navigate guidance written for a broader Spanish- and Portuguese-speaking centre. A bank may treat the registry invoice as unusual. A compliance questionnaire may require management time that would otherwise go to customers or outages.

The same is true of smaller Latin American operators outside major capitals. A rural wireless ISP, municipal network, regional host, university network or cooperative provider may not have a policy department. It may know its network perfectly and still struggle to produce registry documents in the expected form. It may have acquired assets from a predecessor whose records were never updated. It may have a founder as historical contact, a local lawyer unfamiliar with IPv4 transfers, and a bank that does not understand why address space has market value. A compliance hold turns these ordinary business histories into cost.

This inequality should shape LACNIC's compliance design. Formal equality is not enough. If a process can be completed only by organisations with lawyers, brokers and registry specialists, the process will push smaller operators toward dependence on intermediaries. Intermediaries are not inherently bad; brokers and advisers can reduce search and closing cost. But a market in which process knowledge is indispensable gives repeat players power over members that the registry is supposed to serve directly.

The registry can reduce that dependence by publishing operational guidance that speaks to small participants. Not legal theory, but practical steps: how to prepare for a transfer; how to keep account contacts current; how to document a corporate name change; what to do when a bank blocks payment; how to report a possible screening false positive; how to preserve RPKI and reverse DNS during a review; how to distinguish a payment problem from abandonment; how to request escalation when a file is time-sensitive. The point is not to guarantee approval. It is to lower the fixed cost of understanding.

Small-island dependency also argues for service-continuity safeguards. Islands and small markets can be more exposed to natural disasters, cable damage, narrow supplier choices and public-service concentration. If a registry account becomes hard to maintain during a payment or compliance dispute, the effect can reach customers who have no relation to the disputed fact. A hotel, hospital, government service, payment processor or local enterprise may depend on the operator's continuity. The registry should not casually convert a payment ambiguity into a service trust problem.

Large-country gravity creates another issue. Policy and procedure may be shaped by the experience of the most visible markets. Those markets have real concerns: fraud, scarcity, large transfers, cloud demand, security, legacy records and cross-border corporate groups. But smaller members need their incidence to be visible. A compliance rule that is efficient for large repeated participants may be costly for one-off small files. LACNIC should measure that cost through processing data, abandonment rates, delay reasons, language support demand and payment-friction categories. What is not measured will be described by the centre and paid for by the edge.

The legitimacy of narrow compliance depends on the region believing that narrowness is available to everyone. If small operators experience compliance as a private test of sophistication, trust erodes even when the registry has not acted unlawfully. If they experience it as categorical, explainable and survivable, compliance becomes part of ordinary administration rather than a shadow licensing system.

The boundary between lawful compliance and private sanctions administration

The most important institutional boundary is between lawful compliance and private sanctions administration. Lawful compliance is specific. It identifies the legal duty, the affected party, the prohibited transaction or required action, the evidence supporting the decision, the scope of restriction and the path for review or future change where allowed. Private sanctions administration is broader. It uses the vocabulary of risk to decide which operators, geographies, counterparties, business models or transactions are too uncomfortable to recognise, even when a clear legal prohibition has not been established.

No registry should want to become a private sanctions administrator. The role is a poor fit. LACNIC does not have the democratic mandate of a state, the investigative capacity of a sanctions office, the customer-choice freedom of a bank, the remedial authority of a court or the sectoral remit of a telecom regulator. Its legitimacy comes from maintaining a reliable number-resource ledger and associated services. When it goes beyond that, it imports powers without the corresponding accountability.

The boundary is easiest to see in examples. A binding court order requiring a specific restriction is lawful compliance. A vague concern that a jurisdiction is politically sensitive is not. A confirmed match to a legally relevant restricted party may justify refusal or limits. A common-name false positive does not. A documented account takeover justifies a temporary lock. A bank's unexplained payment refusal does not automatically justify disabling maintenance. A transfer involving forged documents should be refused. A transfer involving a high price or broker should not be slowed merely because it offends a conservation instinct.

The same distinction applies to abuse. Abuse reports matter. Contactability matters. Fraud and hijacking matter. But an abuse complaint about downstream conduct is not automatically a reason to impair registration continuity. The registry can require accurate abuse contacts, preserve responsibility, and cooperate within law. It should be cautious about turning contested abuse-handling quality into transfer denial, RPKI impairment or reverse-DNS removal unless an adopted rule, competent order or direct record-integrity problem justifies the action. Otherwise the registry becomes an enforcement body for issues better handled by networks, customers, providers, courts or regulators.

Private sanctions administration often arrives through institutional convenience rather than ambition. Staff may lack a granular status option and therefore choose a broad hold. Counsel may advise caution without specifying collateral damage. A bank may refuse to explain a payment flag. A vendor may produce a risk score rather than evidence. A member may be slow to respond because the request is unclear. The file then becomes harder, and hardness is mistaken for danger. A well-designed registry process resists that drift by forcing categorisation.

Reviewability is the central safeguard. A member affected by a compliance restriction should be able to learn the category of decision, the services affected, the evidence needed, the expected timing, and the route for escalation. Where law forbids disclosure, the registry can still provide a lawful high-level category. Where a decision is discretionary, it should be reviewable by someone not invested in the first decision. Where the matter affects essential continuity, the review should be timely. The aim is not litigation. It is disciplined administration.

Aggregate transparency is the second safeguard. LACNIC can publish statistics without exposing private files: number of payment-friction cases, transfer holds by category, average and long-tail review times, false-positive clearances, cases involving legal orders, cases involving suspected fraud, account-maintenance restrictions, RPKI or reverse-DNS interruptions tied to account status, and abandonment after document requests. Such data would let members see whether compliance is narrow or expanding. It would also help the registry defend itself when criticism is unfair.

The third safeguard is service separation. A restriction should affect the function connected to the risk. A transfer concern should restrict the transfer, not unrelated public-data correction. A payment concern should restrict new benefits after notice, not automatically degrade RPKI or reverse DNS. An authority concern should require proof before changes, not necessarily erase the last verified state. A legal prohibition should be scoped to the prohibited dealing. Service separation turns compliance from a blunt sanction into precise governance.

These safeguards are not anti-compliance. They are the only way compliance can remain legitimate at a registry. The broader the registry's economic importance becomes, the narrower its discretionary sanctions posture must be.

Legacy records and compliance renewal

Legacy resources complicate the sanctions and compliance question because they join old history to modern risk controls. Legacy IPv4 records may have been assigned before current contractual expectations, transfer markets, RPKI reliance and contemporary screening habits. The holder in the historical record may have changed name, merged, been privatised, moved under a different public body, gone through family succession, or outsourced operations. The address block may still be in real use. The paperwork may be old.

LACNIC has a legitimate interest in cleaning such records. Stale legacy entries create risk. They can make theft easier, complicate abuse response, confuse buyers, weaken routing-security trust and raise dispute costs. A registry that never asks old holders to update evidence will eventually face records that no one can confidently rely on. Regularisation is therefore a continuity function, not merely an administrative campaign.

Compliance pressure changes how regularisation is experienced. A legacy holder asked to prove right of use may hear a reasonable record-quality request. It may also hear a threat that old imperfections could become service loss. If banks, sanctions-screening tools, corporate documents and regional politics are in the background, the holder may worry that engagement will expose it to broad review rather than narrow recognition. That fear can deter the very cleanup the registry wants.

The solution is a narrow promise. Legacy review should identify the present responsible party, lawful continuity, authority to act, contactability, services requested, transfer eligibility and any dispute. It should not use the occasion to revisit every old allocation through modern economic preference. Historical messiness is not fraud. A public university, former state telecom, municipal network, research institution, family ISP or privatised utility may have a complicated chain without any bad faith. The registry's task is to make the chain reliable enough for modern use.

Compliance categorisation is especially important here. If a legacy holder has a possible sanctions-screening issue, say that at the category level. If the problem is authority to act, do not imply sanctions. If the problem is payment, distinguish it from identity. If the holder is non-responsive, record that separately. If a document is unfamiliar, explain what fact it fails to prove. A legacy holder should not face an undifferentiated demand to prove comfort.

The treatment of services also matters. If a legacy holder seeks RPKI or other modern services, the registry may require a service relationship and authentication standards. That is reasonable. But service terms should be tied to operational integrity rather than broad leverage. A holder should not be forced to accept uncertainty over unrelated compliance discretion simply to obtain security functions that the market increasingly expects. The more RPKI becomes part of normal routing hygiene, the less it can be treated as a discretionary luxury.

The 12- to 24-month horizon matters because legacy cleanup, sanctions screening and IPv4 scarcity are converging. As transfers become more important and routing-security expectations rise, old records will face new pressure. LACNIC can either make that pressure a disciplined path to stable recognition or allow it to become a source of fear. The first protects the ledger. The second pushes activity into informal arrangements.

Reviewable reasons as market infrastructure

Reason-giving may sound like administrative courtesy. In a scarce number-resource market it is infrastructure. A reason tells a member what to fix, tells a buyer what risk to price, tells a seller whether delay is curable, tells counsel how to draft conditions, tells banks whether a concern is legal or procedural, and tells the community whether the registry is acting within its mandate. Silence forces everyone to infer.

LACNIC does not need to disclose everything. Compliance files may include sensitive legal advice, personal data, confidential corporate documents, bank communications, fraud indicators or court-related constraints. But the registry can still provide categories. A decision can be described as payment standing, sanctions identity, ownership and control, authority to act, document authenticity, dispute over holder status, legal order, policy eligibility, fraud suspicion, account compromise, inter-registry dependency, or member non-response. Each category tells the market something different.

Reviewable reasons also discipline staff and legal advisers. If a restriction must be tied to a category, it is harder to use "compliance" as a container for discomfort. If the affected services must be listed, it is harder to impose a broad hold by default. If a timeline or next step must be given, it is harder for a file to become a shadow denial. If a second review is available for non-emergency decisions that affect continuity, the first decision is likely to be better.

The review path should recognise urgency. A routine document gap can wait. A transfer closing tied to financing, a payment hold near suspension, an RPKI maintenance issue affecting a migration, or an abuse-contact correction during an incident may need faster escalation. Urgency should not guarantee a favourable outcome. It should guarantee that the institution understands the cost of delay.

There is also a case for published processing statistics. Medians alone are not enough. Long-tail cases are where economic damage appears. LACNIC should know how long routine transfers take, how long inter-regional transfers take, how many files pause for payment, how many pause for recipient justification, how many pause for legal review, how many involve possible sanctions matches, how many are cleared, how many are refused, how many are abandoned, and how often RPKI or reverse-DNS continuity is affected. These numbers need not name members. They would let the region see whether compliance pressure is contained or growing.

For small operators, reasons lower fixed cost. They reduce the need to hire counsel simply to learn what the problem is. They help a member decide whether to escalate, provide more documents, change payment route, amend a contract, or abandon a transaction. They also reduce dependence on informal relationships. A member should not need to know the right person or broker to understand why a file is stuck.

The most valuable reasons are negative as well as positive. LACNIC can say what it is not deciding. "This review concerns authority to act and does not assess the commercial price." "This payment hold does not affect existing RPKI maintenance during the cure period." "This possible screening match does not constitute a finding that the member is prohibited." "This transfer pause does not alter the current holder record." Such statements prevent market rumours from turning narrow review into broad suspicion.

In the long run, reviewable reasons reduce litigation and conflict. Operators are more likely to accept hard decisions when the basis is clear, the scope is narrow and the path for correction is visible. Opaque compliance invites suspicion even when the registry is right. In a region where trust, language and capacity vary widely, reason-giving is one of the cheapest forms of institutional insurance.

Designing lawful narrowness

The best compliance architecture for LACNIC would be built around lawful narrowness. It would start from a simple premise: the registry must obey law and protect the record, but every restriction should be no broader than the legal or registry-integrity problem that justifies it. That premise can be made operational.

First, separate account status from service functions. A member can be current, overdue, under payment-friction review, under identity review, under transfer review, under legal restraint, under suspected fraud review, compromised, non-responsive or abandoned. Each state should map to specific effects. Core publication of the last verified record should be preserved wherever lawful. Authenticated maintenance of contact, abuse, reverse DNS and RPKI should continue unless the risk directly concerns the authority or integrity of those actions. New allocations, value-changing transfers or discretionary services can be treated differently.

Second, create a payment-friction protocol. The protocol should require timely member notice, evidence of attempted payment, bank or processor response where available, and continued engagement. It should allow a limited continuity status if no confirmed legal prohibition exists. It should define what is paused, what remains available and when the status expires. It should document final outcomes. This would prevent a bank's unexplained caution from becoming automatic registry punishment.

Third, use a proof ladder. Routine maintenance, account-authority changes, corporate name changes, transfers, mergers, legacy regularisation, suspected fraud and confirmed legal restrictions should not carry the same evidence burden. For each category, LACNIC should define the fact being proved and the usual evidence. That will help staff, members and counterparties avoid both under-proof and over-proof.

Fourth, isolate transfer compliance from operational continuity. A transfer may be paused or refused because of a specific compliance problem. That should not casually impair the source holder's current RPKI, reverse DNS, WHOIS, RDAP or abuse-contact maintenance. If the recipient is under review, the review should not taint the existing holder unless the same facts support such action. Transfer finality should be clear enough for escrow and closing documents to align with registry milestones.

Fifth, define possible-match handling. A possible sanctions-screening match should trigger identity disambiguation, not broad punishment. The member should receive a category-level explanation, an evidence request tied to the ambiguity, a timeline and a statement of service continuity during review. If the match is cleared, the file should close without leaving the member in a vague risk category. If it is confirmed, the resulting action should be scoped.

Sixth, keep legal orders specific. If a competent order requires action, LACNIC should do what the order requires and no more unless another basis exists. Where disclosure is permitted, the affected party and the market should understand that the action follows a legal order rather than ordinary discretion. Where disclosure is limited, the registry can still use a lawful category.

Seventh, protect RPKI and reverse DNS as trust infrastructure. These services should not be treated as ordinary leverage for invoices or unrelated disputes. The more the internet relies on validation and accurate reverse resolution, the more the registry's service-continuity duties matter. Interruptions should be rare, documented and tied to direct authority, security or legal issues.

Eighth, build language equity into compliance. Important guidance should be equally practical in Spanish, Portuguese and English. Translation should not merely reproduce words; it should make procedure usable. Examples should include small operators, public bodies, universities, family firms, Caribbean entities, Brazilian companies, Spanish-speaking SMEs and cross-border groups. The registry should not assume that the most visible market experience is the regional norm.

Ninth, protect a service-continuity firewall. A registry can decline a prohibited transfer, refuse a forged authorisation, pause a disputed change and still preserve the last verified public record. It can collect fees without using route-security metadata as a general collection instrument. It can ask for ownership evidence without degrading abuse-contact reachability. The firewall is not a loophole. It is a way to keep lawful compliance from spreading into unrelated recognition functions.

Finally, maintain the public distinction between registry function and financial enforcement. LACNIC can say plainly that it is not a bank, does not administer private sanctions policy, does not judge commercial prices, and does not treat payment-rail friction as proof of misconduct. It can also say that it will comply with law, refuse prohibited actions, reject fraud and protect the record. That combination is stronger than vague neutrality. It is precise institutional modesty.

Lawful narrowness is not a weak position. It is the only position that fits a registry whose decisions can affect scarce capital but whose mandate is not capital allocation. The alternative is a slow drift in which compliance infrastructure, payment systems and risk vendors decide who remains operationally legible in the region.

What to watch over the next 12 to 24 months

The next two years will test whether LACNIC can keep compliance pressure narrow while IPv4 scarcity, payment friction and route-security reliance deepen. The watchpoints are practical.

The first is payment handling. Members and observers should watch whether LACNIC distinguishes ordinary non-payment from documented payment-rail friction. A rise in suspensions, portal restrictions or transfer blocks tied to failed payments would be significant if the causes are not classified. The important evidence will not be a public scandal. It will be whether the registry can explain, in aggregate, how many cases involve willing members, bank delays, processor refusals, currency problems, public-procurement delays, non-response or confirmed legal prohibition.

The second is transfer timing. As IPv4 supply remains scarce, transfer finality becomes more valuable. LACNIC should be watched for long-tail delays, repeated document rounds, unclear recipient-justification standards, inter-regional handoff friction and cases where compliance ambiguity becomes a broad account hold. The healthiest sign would be clearer milestones, better reason categories and fewer cases in which parties cannot tell why recognition is delayed.

The third is service-continuity treatment during review. If payment or compliance concerns begin to affect RPKI, reverse DNS, WHOIS/RDAP updates, abuse-contact correction or authenticated account access, the risk profile changes. Even rare cases matter because they set expectations. A registry that protects operational services during narrow review reduces market anxiety. A registry that uses them as broad leverage increases the discount on every address block touched by possible compliance friction.

The fourth is false-positive clearing. Sanctions-screening pressure is likely to grow, not shrink. Common names, state-linked entities, politically exposed geographies and cross-border ownership will continue to create ambiguous hits. LACNIC's legitimacy will depend on how quickly and clearly it clears false positives, and whether a possible match remains contained while it is checked.

The fifth is legacy regularisation. Old records will continue to meet modern compliance expectations. If LACNIC gives legacy holders a bounded path to stable recognition, the market benefits. If the process feels like open-ended reopening of old rights under contemporary discomfort, holders may avoid engagement and buyers will discount the space. Watch whether legacy review focuses on identity, authority, contactability and service status, or drifts into broad economic judgement.

The sixth is small-operator incidence. The most important compliance harms may not appear in large public disputes. They may appear as abandoned transfers, delayed account cleanup, dependence on brokers, stale contacts, payment anxiety and quiet discounts borne by smaller networks. LACNIC should be assessed by how well its guidance works for those operators, not only by whether major participants can navigate the system.

The seventh is legal-request treatment. A registry that receives a competent order should act within law, but the region should watch whether legal requests are translated into precise service effects or broad account shadows. The difference matters. A specific restriction preserves institutional legitimacy. A broad shadow makes other operators wonder whether any difficult file can become an invisible sanction.

The final watchpoint is institutional vocabulary. LACNIC should resist describing every hard file as stewardship and every cautious hold as compliance. Those words are too broad. The region needs narrower language: legal prohibition, possible match, payment friction, authority defect, disputed holder, suspected fraud, inter-registry dependency, document insufficiency, non-response, service-preserved review. Narrow language produces narrow action.

LACNIC's advantage is that it does not face the same public institutional crisis that has defined some other registry debates. It has an opportunity to design before crisis hardens habits. The institution can comply with law, protect the ledger and still avoid becoming a private sanctions administrator. That requires accepting a modest but demanding principle: when the financial and legal world pushes uncertainty toward the registry account, the registry's job is not to amplify that uncertainty. Its job is to preserve recognition where lawful, explain restrictions where necessary, and keep the continuity surfaces of the internet from being casually disrupted by payment and compliance ambiguity.

For Latin America and the Caribbean, that principle is not abstract governance tidiness. It is economic infrastructure. It affects whether a small island operator can remain reachable while a bank asks questions, whether a buyer can close a transfer without pricing rumours, whether a public network can update contacts during a restructuring, whether RPKI and reverse DNS remain dependable in a hard case, and whether scarce IPv4 value can move through the region without forcing the registry to become something it is not. A registry that keeps that boundary clear will be more trusted precisely because it is less ambitious. A registry that lets compliance pressure expand across the account will discover that it has become a choke point before anyone voted to make it one.