Summary
- “Non-compliant” is a conclusion that needs a legal and institutional address. A reviewer must identify whether the invoked text is community policy, a contractual term, a corporate rule, a technical standard or public law.
- A policy breach can carry serious private consequences when an applicable service agreement validly incorporates the policy. That does not turn the policy into a statute or make the breach a criminal offence.
- ARIN's NRPM, RSA, RSA FAQ and Bylaws serve different functions. Policy content, bilateral obligation, explanation and corporate authority should be traced in sequence rather than blended into a general claim of illegality.
- The same conduct may independently engage several layers. False information, for example, could breach a registry rule and a contractual representation and also violate a statute in a named jurisdiction, but each proposition requires separate elements, evidence, decision-maker and remedy.
- Legitimate enforcement states the historical rule, incorporation bridge, allegation, evidence, cure opportunity, proportional consequence and review route. Public reporting should use equally precise language.
The word non-compliant conceals the decisive question
A regional Internet registry may tell a resource holder that its records, transfer request, documentation or conduct is non-compliant. The statement sounds complete. It is not. Non-compliant with what?
The answer could be a provision in a number-resource policy manual. It could be a promise in a registration services agreement. It could be a procedure incorporated by that agreement. It could be a condition of membership. It could be an internal corporate rule governing how the registry itself must act. It could be a statutory or regulatory requirement imposed by a state. These sources can overlap, but they produce different powers and consequences.
The classification problem is not an attempt to minimise misconduct. Private obligations can be important. A breach of contract may justify termination, damages, suspension or another agreed remedy even when no legislature has created an offence. A policy rule may protect accurate records and equal allocation. Corporate rules can constrain decision-makers. Public law can impose independent civil, administrative or criminal consequences.
Confusion begins when the institution moves between these layers without saying so. A community policy is described as “the law.” A contractual remedy is presented like a regulatory penalty. Corporate authority is inferred from technical necessity. An informational standard is treated as a source of private liability. The holder then cannot tell what must be answered, and the public cannot assess legitimacy.
A sound compliance decision therefore starts with classification. It names the conduct, date, resource, actor, text, version, source of authority, decision-maker and proposed consequence. Only then can evidence be tested against the correct rule.
Four layers, four different questions
Policy asks what common rule the registry community or institution has adopted for number-resource administration. The relevant questions are whether the policy was validly developed, what it says, when it took effect and to whom it applies. Policy legitimacy often rests on openness, technical reasoning, recorded objections and a recognised adoption route.
Contract asks what the registry and holder agreed. A service agreement can reproduce a policy rule, incorporate policies dynamically, require accurate information, allocate risk and authorise remedies. The contract inquiry focuses on parties, assent, incorporation, governing law, performance, breach and remedy.
Corporate governance asks who may act for the registry. Bylaws and association rules allocate powers among members, board, officers and committees. They can determine whether a decision was properly authorised. They usually do not, standing alone, create every holder obligation asserted by the service provider.
Public law asks what a recognised state authority has required. A statute or regulation has a jurisdiction, authorised regulator or court, defined elements and public-law consequences. Criminal offences require especially clear legal authority and procedure. A private organisation cannot create a statutory offence by publishing a manual.
The four layers can connect. Corporate authority may permit ARIN to enter an RSA. The RSA may incorporate applicable policy. The policy may define a transfer condition. Public law may independently prohibit fraud in the transaction. But the chain works through identifiable bridges. It should not be compressed into the phrase “the rules were broken.”
Begin with conduct, not with institutional labels
An enforcement review should first describe what allegedly happened in neutral terms. A holder submitted a document on a date. A registration record contained a particular field. A transfer request lacked specified evidence. A fee remained unpaid. A contact failed to respond. A representation conflicted with another record. This factual statement should be possible before anyone decides which rule applies.
Starting with conduct prevents the allegation from expanding through rhetoric. If the notice begins by calling the holder unlawful, fraudulent or abusive, later reasoning may bend to support the label. A neutral chronology allows the institution to test alternative explanations: clerical error, outdated contact, corporate succession, misunderstanding, disputed ownership, technical failure or deliberate deception.
The date is essential because policies and agreements change. The current manual may not have governed historical conduct. A later RSA may not bind an older holder. A procedure may have been announced but not yet effective. Public law may have changed. Enforcement based on today's text can become retroactive by accident.
The actor also matters. A contractor, employee, corporate affiliate, customer or former officer may have supplied information. The holder's responsibility depends on the applicable policy and contract, not merely on association with the account. Authority to submit a technical update is not necessarily authority to make a legal representation.
Only after the factual statement is fixed should the reviewer ask which policy, agreement, procedure or law addresses it. This sequence reduces overcharging and makes the eventual notice understandable.
The NRPM is a policy manual, not a penal code
The ARIN Number Resource Policy Manual contains substantive rules for number-resource administration. Its provisions can define eligibility, evaluation, transfer and other policy conditions within ARIN's system. It is a central governance instrument.
Calling it a manual does not make it weak. Policy can guide consequential decisions. It can constrain staff, promote equal treatment and provide a public benchmark against which a request is assessed. A holder that seeks a service governed by an applicable policy cannot reasonably demand that the policy be ignored.
But the NRPM is not a legislature's criminal code. A departure from a policy provision is not, for that reason alone, a statutory offence. The policy does not create a public prosecutor, criminal burden of proof or state sentence. Nor does every provision automatically create a contractual warranty or authorise revocation.
To move from policy to a holder-facing contractual consequence, ARIN should identify the bridge in the applicable agreement. The decision should state whether the policy is incorporated, whether it applied to the resource and date, and what remedy the agreement permits. If staff are simply denying a new request because eligibility is not met, the analysis may differ from withdrawing an established service or altering an existing registration.
Historical versioning is critical. The current NRPM page can show today's rule but not necessarily the text in force when the conduct occurred. An authoritative archive, adoption record and effective date should accompany any serious allegation. Policy enforcement without chronology risks converting later consensus into earlier obligation.
The RSA supplies private obligations and remedies
The ARIN Registration Services Agreement performs a different function. It establishes a bilateral registration-services relationship, includes representations and duties, defines or incorporates Service Terms, addresses breach and remedies, and specifies dispute arrangements. Within its scope, it can give policy requirements contractual force.
That contractual force is substantial. A promise does not need to be statutory to matter. If a holder gives inaccurate information in breach of an RSA representation, ARIN may have contractual responses. If the agreement requires compliance with applicable policy, a proved policy departure may also be a contract breach. The result depends on the exact language and governing version.
The RSA does not make ARIN a legislature. Its remedies arise from agreement and applicable private law. A termination, suspension or registration consequence should be described as contractual or service action, not as a criminal penalty. The distinction affects procedure, forum, burden and public language.
Version protection adds another discipline. An analyst should not assume that the newest RSA governs every holder. The institution should identify the signed or accepted version, later amendments and incorporated Service Terms. A clause in version 14.0 cannot simply be projected onto a relationship governed by an earlier form.
The contract also limits the institution. If a proposed remedy is not authorised, policy importance cannot create it by implication without careful analysis. A general duty to comply should not be treated as an unlimited power to impose any consequence staff consider useful. The agreement's notice, cure, proportionality and dispute provisions remain part of the enforcement architecture.
An FAQ explains; it does not enlarge liability
The ARIN RSA Version 14.0 FAQ helps readers understand the published agreement. Explanatory material can improve transparency by summarising version changes, protections and practical effects. It can also reveal the institution's contemporaneous interpretation.
Yet the FAQ correctly occupies a subordinate role. It is not the agreement. It should not create a new duty, broaden a remedy or cure ambiguous drafting. If the FAQ and RSA appear inconsistent, the controlling text and applicable law require attention.
This matters in compliance notices because explanations are tempting shortcuts. Staff may quote a web answer rather than the agreement clause. A holder may rely on a reassuring summary while missing an exception. A later FAQ may describe current practice without proving what an older holder was told.
The right use is navigational. The notice can link the FAQ for accessibility, but it should cite the authoritative RSA and policy provisions. It should preserve the version of the explanation that existed at the relevant time if reliance matters.
Institutional explanations can also state what they do not decide. They can distinguish policy ineligibility from contract breach, clarify that private non-compliance is not automatically unlawful, and tell holders when public authorities may have separate jurisdiction. Such clarity would reduce sensational claims without weakening enforcement.
Bylaws answer who may act, not every question of what is owed
The ARIN Bylaws establish the organisation's corporate governance. They identify offices, bodies, membership structures and decision routes. In a disputed enforcement action, they may help answer whether the board, officers or another body had authority.
Authority inside the corporation is necessary but not sufficient. A properly authorised officer can act for ARIN, yet the action must still fall within the RSA and applicable policy. Conversely, a substantively plausible action may be defective if taken by the wrong body or through the wrong process.
Bylaws should not be treated as if every resource holder personally agreed to every corporate provision. Some holders may not have identical membership status. Corporate membership and registration-service relationships can overlap without being the same. The relevant contract must connect internal authority to external effect.
The separation also protects the policy process. Community consensus may establish policy content, while corporate organs implement or ratify it according to the governing structure. A board should not describe its own preference as community policy if the recognised process was not used. A community discussion should not be treated as a corporate resolution if formal authority was required.
For accountability, a compliance decision should identify both tracks when they matter: the corporate actor authorised to decide and the substantive policy or contract provision applied. That dual citation lets reviewers test mandate and merits separately.
RFC 7020 explains coordination, not offence creation
RFC 7020, The Internet Numbers Registry System, describes a coordinated framework for administering Internet number resources. It explains why uniqueness, registration and stewardship require common structures and why regional registries perform important operational roles.
This is powerful context for policy. Inaccurate or conflicting administration can harm more than one contracting party. Common rules support routing, security and reliable records. A registry therefore has a legitimate reason to insist on defined procedures.
The RFC does not create a private penal code. It does not make every deviation illegal, supply a contractual remedy or decide a holder-specific dispute. Its status and purpose should be described accurately. Technical necessity can justify policy design, but it cannot replace the agreement clause that gives the policy holder-facing effect.
The same caution applies when technical terms sound mandatory. Words such as must and should have meaning within the document's framework. They do not automatically correspond to statutory commands. A technical nonconformance may require correction without constituting a legal offence.
Accurate classification strengthens technical governance. Engineers can state that a practice conflicts with registry-system requirements without being asked to pronounce criminal liability. Lawyers and decision-makers can then determine which agreement or law gives that conflict consequences. Each discipline contributes within its competence.
ICP-2 concerns recognition and legitimacy, not individual guilt
ICP-2 sets criteria associated with establishing a new regional Internet registry. Community support, neutrality, technical expertise, continuity and bottom-up policy are institutional concerns. They help explain why an RIR is recognised and what qualities legitimate regional administration should display.
Recognition does not give an RIR legislative sovereignty over its service region. ICP-2 is not a statute enacted by every state in that region. It does not define offences for number-resource holders or adjudicate an alleged breach. Nor does it replace the RIR's contracts and corporate rules.
Institutional legitimacy still matters to compliance. A registry that applies policy neutrally, maintains continuity and uses open processes has a stronger claim to deference and voluntary cooperation. An opaque or discriminatory process undermines confidence even if a contract remedy remains available.
The correct argument therefore runs from recognition to responsibility, not from recognition to unlimited power. A recognised registry is entrusted with coordination functions. It should exercise them through transparent policy, valid agreements, authorised corporate action and respect for applicable public law.
This distinction also clarifies the role of the wider Internet community. Community support can validate institutional design and policy direction. It does not convict a particular holder. Individual enforcement still requires a factual record and the rule applicable to that party.
Comparative contracts show different incorporation bridges
Regional registries do not all connect policy and contract in the same way. The RIPE NCC Standard Service Agreement references current RIPE policies and RIPE NCC procedures and includes a General Meeting route for amending the agreement. That structure links policy, procedure, membership governance and contract through express language.
The Standard APNIC Membership Agreement uses annual renewal and APNIC Documents as amended. The renewal structure can provide a recurring contractual moment at which current documents matter.
The AFRINIC Registration Service Agreement requires compliance with the agreement and applicable resource policies and connects non-compliance to serious contractual consequences. The word applicable requires attention to resource, party, conduct and date.
These comparisons show why “RIR policy is binding” is too imprecise. Binding through what? A General Meeting amendment, annual renewal, dynamic incorporation, a signed addendum or a service-specific request? The answer affects notice, historical versions and remedy.
The contracts also sit under different governing laws and corporate forms. A clause interpreted in the Netherlands cannot be mechanically transferred to Queensland, Mauritius or Virginia. Comparison can reveal design choices, not one universal legal result.
The useful benchmark is transparency. Each institution should make the bridge visible enough that a holder can trace policy adoption to contractual effect. If the bridge cannot be identified, enforcement rests on institutional assertion rather than demonstrated obligation.
One act can engage several layers without merging them
Suppose a holder submits materially false documentation in support of a transfer. An applicable policy may require specified evidence and make the request ineligible. The RSA may contain a representation that information is accurate and authorise a contractual remedy for breach. A fraud statute in a named jurisdiction may also apply if its elements, territorial connection and required state of mind are proved.
Those are three propositions, not one. Policy ineligibility may be established by the registry under its process. Contract breach may be decided through the agreement's review, arbitration or court route. Criminal liability belongs to public authorities and courts with jurisdiction. Evidence sufficient for one decision may not satisfy another burden.
The same separation applies to sanctions, privacy, competition, insolvency and telecommunications law. A registry may be legally required to act under public law while also exercising contract rights. It should identify the legal mandate and jurisdiction rather than disguising the action as ordinary policy enforcement.
Conversely, the absence of a statutory offence does not nullify policy or contract. A holder can fail an eligibility requirement without committing a crime. It can breach a service promise without attracting a public fine. The remedy should match the layer.
This is the central discipline of compliance analysis: overlap permits cumulative consequences only when each source is independently established. It does not allow the strongest language from one layer to be borrowed to make another sound more authoritative.
“Illegal” is often the wrong public description
Public language shapes reputational consequences. Calling a holder illegal, criminal or fraudulent can cause harm beyond the service decision. Those terms should be reserved for circumstances in which the relevant legal basis and adjudicative status support them.
If the established finding is that a transfer request did not satisfy NRPM evidence requirements, say that. If ARIN alleges breach of an RSA representation, describe it as an allegation until resolved. If a court has found a statutory violation, identify the jurisdiction, decision and status of appeal. Precision is not softness; it is factual accuracy.
The institution should also distinguish investigation from outcome. A request for documents is not proof of non-compliance. Temporary protective action is not a final finding. A referral to authorities is not a conviction. Settlement may resolve a dispute without admission.
Journalists and community entities carry the same responsibility. Registry enforcement can be newsworthy, but legal adjectives should not be inferred from service terminology. “Revoked for policy non-compliance” and “convicted of an offence” describe fundamentally different events.
Careful language protects the registry too. Overstatement can undermine otherwise valid enforcement, invite claims of unfairness and make later correction difficult. A precise notice demonstrates institutional confidence in the actual rule rather than reliance on stigma.
The decision-maker must match the source of authority
Different questions belong to different decision-makers. Policy eligibility may initially be assessed by registry staff applying published criteria. A contract dispute may proceed through an internal review, arbitration or court route specified in the agreement. Corporate validity may require a board or membership decision. Public-law liability belongs to authorised regulators, prosecutors and courts.
An organisation may perform more than one role, but it should announce which role it is exercising. Staff applying policy should not imply that they are deciding a crime. A board approving litigation should not be described as making community policy. A community working group should not decide an individual holder's disputed facts unless the framework expressly gives it that function and protects confidentiality.
Separation of functions can improve fairness. Investigators gather facts. A decision-maker applies the rule. A reviewer examines errors. Complete institutional separation may be impractical, but conflict controls and recorded reasons reduce concentration of power.
The holder should know where to direct each argument. A claim that the policy was misread differs from a claim that the RSA did not incorporate it. A claim that the decision-maker lacked authority differs from a claim that public law forbids performance. The process should permit these arguments to be raised without forcing them into one undifferentiated appeal.
Published jurisdiction maps would help. They could show which body handles policy interpretation, contractual breach, member governance and legal compliance. Clear routing makes enforcement more efficient as well as more legitimate.
Evidence must prove the elements of the chosen rule
Once the institution identifies the rule, it should state what must be proved. If policy requires a particular document, the question may be whether a valid document was supplied by the deadline. If the RSA prohibits a knowing misrepresentation, knowledge and falsity may matter. If public law imposes strict regulatory duties, different elements apply.
Evidence should be connected to each element. A database discrepancy may show inconsistency but not intentional deception. A bounced email may show delivery failure but not refusal to cooperate. A corporate registry extract may raise identity questions but not resolve control. Technical logs may prove an action occurred without proving who authorised it.
The holder should receive enough information to respond, subject to legitimate confidentiality and security limits. A bare statement that unspecified policy was violated prevents correction and meaningful review. The notice should identify dates, records, provisions and proposed consequences.
The burden and standard should also be clear. A routine service eligibility decision need not mimic a criminal trial. A severe action affecting established registrations deserves stronger evidence than a request for clarification. Where facts are uncertain, interim protection and further inquiry may be preferable to a final stigmatic finding.
Reasons matter. A written decision should explain which evidence was accepted, how conflicting material was assessed and why the rule applied. That record allows review and helps future staff treat similar cases consistently.
Chronology prevents current rules from rewriting the past
A complete chronology begins with the holder's agreement version and the resource's registration history. It then adds the policy text in force at each relevant act, adoption and effective dates of amendments, notices, responses, cure periods, decisions and reviews.
This sequence can reveal that an apparent breach did not exist when the conduct occurred. It can also show that a continuing duty remained unsatisfied after a later effective date and proper notice. The distinction between completed and continuing conduct should be explicit.
The current website is limited public evidence historical evidence. Manuals are updated. Explanations change. Links move. The institution should preserve authoritative versions and stable dates. A quoted clause should be traceable to the text actually in force.
Contract chronology is equally important. A holder may have accepted an older RSA, later signed an amendment, renewed under changed Service Terms or never adopted the newest base form. Each event changes the analysis. Publication alone does not establish substitution.
Public law has its own temporal rules, including commencement, transition and restrictions on retroactive liability. A registry should not imply legal violation based on a later statute without competent analysis.
Chronology is one of the simplest safeguards against overreach. It replaces the vague idea of current compliance with a dated account of duty and conduct.
Notice and cure should fit the alleged failure
Many registry problems can be corrected. A stale contact can be updated. Missing evidence can be supplied. A corporate succession can be documented. An inaccurate record can be reconciled. A cure process protects registry accuracy more effectively than immediate punishment where the failure is remediable.
Notice should state the layer of obligation. “This transfer request does not meet NRPM section X” is clearer than “you are violating ARIN rules.” If the same facts also appear to breach an RSA representation, that should be separately identified with the proposed contractual consequence.
The cure period should reflect complexity and risk. An urgent security problem may require temporary measures. A cross-border corporate reorganisation may require more time to obtain official records. The institution can preserve the system while allowing a fair response.
Not every breach requires cure. Deliberate deception, repeated refusal or immediate operational harm may justify stronger action. Even then, the decision should explain why cure was unavailable or inadequate.
Notice is also the point at which public-law obligations should be separated. If ARIN must act because of a binding government order, the holder should receive the lawful disclosure that the order permits. If ARIN merely suspects conduct may violate law, it should not announce a legal conclusion beyond its competence.
A staged process—question, notice, response, cure, decision, review—creates a reliable record. It demonstrates that enforcement seeks compliance and system integrity rather than rhetorical victory.
Remedy must be authorised and proportionate
A policy may define whether a new request qualifies. Denial of that request can be closely matched to the rule. A different step, such as altering established registrations or terminating all services, requires a stronger contractual and factual basis.
Proportionality asks whether the consequence fits the breach, risk, duration, intent, harm, correction and history. A minor clerical error should not be treated like deliberate fabrication. A failure affecting one request should not automatically contaminate unrelated resources. Repeated conduct after clear notice may justify escalation.
Authorisation comes first. A desirable remedy is not available merely because it would promote compliance. The institution should identify the RSA, policy or law that permits it. If discretion is broad, published factors and review become more important.
Operational consequences deserve special attention. Changes to registry records, reverse DNS or routing-security information can affect third parties. A remedy intended to discipline a holder should not create avoidable instability. Transition, stays and narrowly tailored measures can protect system integrity.
Public-law sanctions remain separate. A private suspension is not a fine. A resource revocation is not imprisonment. If a regulator orders action, the legal authority should be named. Using accurate remedy language helps everyone understand the stakes.
Proportional enforcement strengthens voluntary compliance. Holders are more likely to accept decisions they can connect to a published rule and measured response.
Review should test classification as well as facts
An appeal that asks only whether staff made a factual error may miss the central dispute. The holder may argue that the cited text is guidance rather than policy, that the policy was not incorporated, that the wrong RSA version was used, that the decision-maker lacked authority or that the remedy belongs to public law rather than contract.
A meaningful review route should permit each argument. It should examine classification, chronology, evidence, authority and proportionality. The reviewer should be sufficiently independent from the original decision to reconsider rather than defend it.
Written reasons are essential. A conclusion that the first decision was “consistent with policy” does not answer a contractual objection. The review should identify the bridge from policy to consequence and address material submissions.
Temporary preservation may be appropriate during review, especially when irreversible record changes are proposed and immediate risk can be managed. A stay is not always possible, but the decision should explain urgency.
Aggregate review data would reveal institutional health. How many decisions were challenged? How many were affirmed, modified, withdrawn or reversed? Which issues recurred? Without denominators, the public sees isolated disputes but cannot assess consistency.
Review is not an obstacle to registry authority. It is the mechanism that distinguishes bounded authority from unilateral assertion. A registry confident in its policy and contract should be able to explain both under scrutiny.
Public law should be identified by jurisdiction and provision
When a registry invokes law, specificity is mandatory. Which country or subdivision enacted the rule? Which statute, regulation, order or judgment applies? What territorial connection exists? Which authority interprets and enforces it? What conduct and state of mind are required?
The service region is not itself a legal jurisdiction. ARIN operates across multiple countries and territories. A holder may be incorporated in one place, operate in another and serve customers elsewhere. “Regional law” is therefore an inadequate phrase.
The RSA's governing law answers contractual questions within its scope. It does not make Virginia or United States law the only public law relevant to every holder, nor does it transform ARIN policy into that law. Mandatory rules elsewhere may apply independently.
If the institution is responding to a court order, sanctions requirement or regulatory duty, it should distinguish compelled action from discretionary policy enforcement. If disclosure is restricted, it can still state the legal category and process to the extent permitted.
Public authorities, in turn, should not assume that control of a registry record equals ownership or physical control of networks. Their orders should be interpreted according to their text and jurisdiction. Technical expertise may be necessary to avoid unintended effects.
The discipline of naming public law prevents both exaggeration and evasion. A holder cannot dismiss a valid legal duty as mere policy, and a registry cannot elevate a private rule by calling it law.
A practical compliance notice can keep the layers separate
A strong notice could use a short sequence. First: “Conduct alleged,” with neutral facts and dates. Second: “Policy basis,” identifying the historical NRPM provision and why it applies. Third: “Contract basis,” identifying the holder's RSA version and incorporation or representation clause. Fourth: “Corporate authority,” identifying the decision-maker if disputed. Fifth: “Public-law basis,” used only when a named external legal duty independently applies.
The next fields would state evidence, proposed consequence, cure, response deadline, interim measures and review. Links would lead to preserved authoritative texts. The notice would avoid characterising unresolved conduct as criminal.
This format is not bureaucratic excess. It reduces argument about what is being alleged. The holder can cure a policy defect, contest a contract interpretation or obtain advice on a legal order without guessing which issue drives the action.
It also helps staff. A required contract-basis field exposes cases where policy is being asked to support a remedy it does not authorise. A historical-version field prevents reliance on current text. A proportionality field forces the decision-maker to connect consequence to risk.
For the public, anonymised summaries using the same structure would make enforcement more legible. Observers could see that an action rested on contract rather than statute, or that a public-law order independently constrained the registry.
Denominators matter more than dramatic cases
Public debate often centres on one high-profile revocation, lawsuit or accusation. Those cases may expose important weaknesses, but they do not show ordinary practice. Institutional accountability requires denominators.
ARIN could publish annual counts of compliance inquiries, formal notices, policy bases invoked, RSA breaches alleged, cures completed, requests denied, services suspended, registrations changed, reviews filed, decisions reversed and matters referred to public authorities. Categories could be designed to protect confidential information.
The data should distinguish new-request eligibility from action against established resources. It should separate administrative correction from contested breach. It should identify how often public law, rather than ordinary policy or contract, compelled action.
Time measures would help too: median response period, cure duration and review time. Version data could show which historical RSAs generate recurring disputes. Reasons for reversal could identify unclear policy or training needs.
Without these denominators, neither praise nor criticism is well grounded. A dramatic case may be exceptional. Quiet corrections may represent most work. A low appeal rate could reflect satisfaction, cost or lack of awareness. Counts need explanation, but absence of counts is worse.
Metrics should support learning rather than quotas. Staff should not be rewarded for more findings or fewer reversals. The goal is to reveal whether the institution uses each source of authority consistently and proportionately.
The strongest argument against excessive formalism
Registries must act. Technical administration would fail if every policy decision required a court judgment. Eligibility reviews need workable procedures. Fraud and security risks may demand speed. Private contracts exist precisely so parties can create duties beyond statute.
The distinction among policy, contract and law should not become a tactic for endless delay. A holder that accepted an RSA incorporating applicable policy cannot defeat enforcement merely by saying the policy is not legislation. Absence of a crime does not create entitlement to service.
Nor must every routine decision reproduce a legal treatise. The explanation can be proportionate. A request that plainly lacks a required document may need a concise notice and cure opportunity. A severe action against established resources requires more detail.
Institutional expertise deserves respect within its domain. Registry staff understand operational records and policy application. Community processes can produce legitimate common rules. Courts and regulators should avoid casually substituting assumptions about network administration.
These arguments reinforce, rather than defeat, classification. Clear authority lets institutions act faster. A notice grounded in the correct policy and RSA clause is harder to evade. A separate public-law track protects urgent legal compliance. Precision is an operational asset.
The burden proposed here is not to turn ARIN into a state. It is to stop speaking as though it already is one when exercising private and community-based authority.
What the available evidence cannot establish
Published manuals and standard agreements reveal architecture. They do not establish the facts of a specific holder dispute. The governing RSA version, resource history, notice, evidence, corporate authority and public-law jurisdiction would need to be retrieved.
The documents also do not provide enforcement denominators. It remains unclear how many notices rely solely on policy, how many allege contract breach, how many involve external legal orders, how often holders cure, and how often review changes the result.
Comparative texts cannot resolve interpretation across jurisdictions. Dutch, Queensland, Mauritius and Virginia legal settings differ. The same phrase may operate differently. No universal conclusion should be inferred from wording alone.
Nor can the absence of a cited statute prove that no public law applies. A specific case may involve fraud, sanctions, insolvency, privacy or other mandatory rules. The point is that such law must be identified and proved, not assumed from the policy breach.
These limitations counsel careful reporting. The strongest defensible statement may be that conduct appears inconsistent with a named policy and may breach a named agreement, while legal liability remains for the competent forum. That formulation conveys seriousness without inventing authority.
Compliance is strongest when its authority is visible
Regional registry governance relies on several forms of legitimacy. Community policy supplies common technical and administrative rules. Contracts connect those rules to holders and authorise private remedies. Corporate instruments allocate decision-making power. Public law imposes independent duties through state institutions. Technical standards and recognition criteria explain purpose and institutional setting.
Each layer is valuable. Confusion does not strengthen them; it makes enforcement easier to challenge. A policy should stand on its adopted text. A contract should stand on assent and incorporation. Corporate action should stand on authority. Public-law claims should stand on jurisdiction and provision.
The phrase non-compliant can begin an inquiry, but it cannot finish one. The institution must state non-compliant with which rule, in which version, through which obligation, on what evidence and with what consequence. The holder must answer that case rather than a vague accusation. The reviewer must test classification as well as facts.
A statutory offence is not required for meaningful registry compliance. Private and community rules can legitimately govern access to services and administration of shared resources. Their legitimacy is greatest when they are described honestly as the kind of authority they are.
That is the practical boundary: do not trivialise policy because it is not statute, and do not inflate policy into law because the institution wants a stronger word. Name the layer, prove the bridge and match the remedy. Visible authority is more durable than borrowed authority.

