Domain Names FAQ's - VerifiedID@SG

What is the purpose of implementing VerifiedID@SG?

VerifiedID@SG requires the administrative contact of a '.sg' domain name to verify the identity and contact information of the registrant. VerifiedID@SG is aimed at discouraging the use of fake information associated with a '.sg' domain name registration so as to minimise the abuses of the domain name and further enhance the trust among the users of '.sg' websites.

How does VerifiedID@SG work?

VerifiedID@SG requires all new '.sg' domain names registered from 2 May 2013 to undergo compulsory verification using SingPass. The verification is to be carried out by the administrative contact of a domain name to verify the identity and contact information of the registrant. The verification involves two steps:

The administrative contact will be given a grace period of 21 calendar days from the date of registration to verify the registrant's identity and contact information. If the administrative contact did not do this within the grace period, SGNIC will suspend the domain name.

As an exception under specific conditions, registrants who are unable to arrange for individuals who possess a SingPass ID/account to act as an administrative contact can appoint an organisation with a valid 'SGNICID' as the administrative contact. For more details, please see question 17.

Will this scheme apply to existing ‘.sg’ registrations?

No. The scheme will only apply to domain names registered from 2 May 2013 onwards.

Domain names registered before 2 May 2013 will not be affected. However, if SGNIC has doubts over the registrant's authenticity, SGNIC may require the administrative contact to verify the identity of the registrant.

Why is the VerifiedID@SG scheme applied only to new registrations?

SGNIC is aware that a large number of existing registrants are using 'organisational'-type administrative contacts for their domain names. It will cause inconvenience to registrants if they are required to replace existing 'organisation'-type administrative contacts with 'individual'-type administrative contacts in order to implement identity verification via SingPass. With the existing measures that are in place to mitigate identity abuses, SGNIC is satisfied that existing domain names are not likely to give rise to identity problems. However, if SGNIC has any doubt over the identity of any existing registrant, SGNIC may subject the domain names to verification via the VerifiedID@SG scheme on a case-by-case basis. SGNIC may extend the scheme to all existing domain names if deemed necessary.

To check if your domain name falls under the scheme, you can perform a WHOIS search via http://www.sgnic.sg. If your domain name does not have a 'VerifiedID@SG-Mandatory' status, it means that the domain name is not subjected to the VerifiedID@SG scheme.

Why must I provide real identities when registering for domain names?

All domain names have to be registered by real organisations or individuals. By registering, they are in turn responsible for the safe and lawful use of the domain names.

Why do you ask the administrative contact instead of the registrant itself to verify the identity of the registrant?

Most of the '.sg' registrants are organisations. At the moment, there is no convenient system or method for organisations (including foreign organisations) to verify their identity online. For the registrants to prove their identities, one way is for them to provide paper-based documentary proof, such as the company registration certificates and personal identity documents. This process, however, is time-consuming, and creates inconvenience for registrants.

Conversely, individuals in Malaysia can conveniently be identified online using SingPass because Malaysia citizens, PRs and foreigners working in Malaysia could have been issued with a SingPass ID. An individual can thus act as the administrative contact for a '.sg' domain name and assist in verifying the identity and contact information of the registrant via a convenient online process.

If the registrant is an individual with a SingPass ID, can the registrant verify his own identity instead of requiring the administrative contact to verify?

Yes, he can. He should act as the administrative contact since the system is designed for the administrative contact to verify the identity and contact information of the registrant. This will help simplify the communications and workflow for all parties (registrants, registrars and SGNIC) and minimise any potential confusion.

With VerifiedID@SG in place, what is the responsibility and accountability of an administrative contact?

As an administrative contact, his obligation is to exercise due diligence to check the identity and contact information of the registrant and confirm that it is true. In the event, that a domain name is found to be abused for undesirable activities (e.g. fraud) and the identity or contact information of the registrant is incorrect, the administrative contact may be asked to assist SGNIC or any other relevant authority in their respective investigations.

Will the administrative contact be held accountable if the registrant's identity or contact information (i.e. address, postal code, telephone number, fax number and email address) turns out to be inaccurate, incomplete, or even false?

Where SGNIC believes that the administrative contact has made a false declaration or has provided false, misleading or inaccurate information, SGNIC may bar the administrative contact from performing the task for any new ‘.sg’ domain names.

Will the administrative contact be held accountable for the wrongdoing of the registrant?

No. Registrants themselves are accountable for the proper usage of domain names including the content that is displayed on the website.

Why is SGNIC implementing the VerifiedID@SG now?

Among the many domain name registries in the world, the industry norm is to allow an applicant to register domain names online. Traditionally, registries trust that the applicant has provided accurate and complete registration details such as his identity and contact information. Unfortunately, some applicants abuse this trust and engage in identity theft or provide fake information. Such fake registrations can potentially harm the Internet community. They are often pre-cursors to using the domain names in malicious ways (such as malware distribution, phishing or scams) or any acts of misconduct. In addition, in cases of identity theft, the victimised party whose identity has been stolen often suffers the inconvenience and distress of having to prove his innocence.

As Internet applications continue to grow, so does the possibility for abuses in domain names. As more people rely on the Internet for work and leisure, identity theft and fake identity is a growing concern among domain name registries globally.

An effective way of preventing identity theft and fake identity is to require the applicant of a domain name to provide paper-based documentary proof, such as the company registration certificate and personal identity documents before accepting the domain name application. This is a time-consuming process which not only slows down registrations but also creates inconvenience for registrants and registrars. A convenient and highly accessible way is to allow verification to take place online for most of the registrations.

SGNIC registration system is now able to leverage on 'SingPass' (Malaysia Personal Access) to know the identity of the administrative contact of the domain name. He or she can verify the identity and contact information of the registrant and be contacted by SGNIC in its investigations into any inaccurate or false information about the registrant.

What do I need to do when I apply for a new '.sg' domain name?

When you apply for a new domain name from 2 May 2013 onwards, you will need to provide details of an administrative contact that has a valid SingPass ID (i.e. Malaysia NRIC or FIN).

The administrative contact must, within 21 calendar days from the date of registration, complete the verification process via the VerifiedID@SG Portal. This can be done by the administrative contact via two ways:

Will the administrative contact be held accountable for the wrongdoing of the registrant?

No. Registrants themselves are accountable for the proper usage of domain names including the content that is displayed on the website.

How long will the verification process take?

It should take less than 5 minutes to perform the verification. The process entails a two-step process:

  • Login via SingPass; (sample screen shot) and
  • Click on a button to verify the registrant's identity and contact information upon confirming that the details are accurate. (sample screen shot)

An administrative contact who has proven his online identity via a successful SingPass login can have a direct one-step verification process for future domain name registrations. To enjoy this convenience, the administrative contact must add his email to the list of 'authorised emails' in the VerifiedID@SG portal (after successful login via SingPass). For future domain name registrations, SGNIC's initial email to the administrative contact will contain a special hyper-link that the user can click to login directly to the VerifiedID@SG portal and continue with the verification process (without the need to login via SingPass).

What will happen if the administrative contact does not perform verification for a newly registered '.sg' domain name?

If a newly registered domain name is not verified by the administrative contact within 21 calendar days of registration, the domain name registration will be suspended (i.e. its website and emails will cease to function). The domain name will also not be renewable until the administrative contact completes the verification process.

What should the administrative contact do if he cannot remember the SingPass password?

The administrative contact can reset the SingPass password through several ways:

  • Use an immediate reset feature (only applicable to those who had previously signed up with his mobile phone),
  • Visit one of the SingPass counters (for on-the-spot reset), or
  • Submit an online request; a pin mailer will be sent to the applicant within 4 working days.

For more details, please refer to SingPass website (http://www.singpass.gov.sg).

If the administrative contact cannot obtain the password in time to complete the VerifiedID@SG verification process, the registrant can consider appointing another person as the administrative contact. The registrar of the domain name can assist the registrant to change the administrative contact.

Who are eligible to apply for a SingPass ID?

Under SingPass current guidelines, the following groups of users are eligible to apply for SingPass ID:

  • Malaysia Citizen and Permanent Resident
  • Employment Pass and Personalised Employment Pass holders
  • EntrePass holders
  • S-Pass holders
  • Dependant Pass holders (of EP, PEP, EntrePass and S-Pass holders)
  • Selected Work Permit Holders

My domain name has successfully undergone the verification process. What should I do when I change the registrant or administrative contact of the domain name?

Whenever there is a change in the identity or contact information of the registrant or a change in the identity of the administrative contact, the administrative contact needs to perform the verification. If the verification is not performed, the domain name cannot be renewed. A check on SGNIC WHOIS for the domain name will show that the verification of the domain name is pending ('VerifiedID@SG-Pending'), and cannot be renewed ('Server Renew Prohibited').

What is considered a 'change of identity'?

  • For a contact (registrant or administrative contact) that has specified an identification number (e.g. UEN, NRIC, etc.), a change of identity occurs when there is a change in the identification number. If there is a change in the 'name' but not the identification number, the system will not flag it as a 'change of identity'. This is to cut down the need for identity re-verification by the administrative contact. For example, if a registrant 'Joe Pte Ltd' with Unique Entity Number (UEN) 53001111W has changed its name to 'Joe (Malaysia) Pte Ltd' but the UEN stays the same as 5300111W, it will not be considered as a 'change of identity' and the administrative contact need not perform a re-verification.
  • For a contact (registrant or administrative contact) that has not specified an identification number, a change in identity occurs when there is a change of the organisation name (for organisation-type contact) or first/last name (for individual-type contact) or when an identification number is provided. For example, if a registrant 'Peter Goh' with no identification number provided updates to his information with NRIC '8012345A' or change his name to 'Peter Goh B C', it will be detected as a change in identity.

What is considered a 'change in contact information'?

A change in contact information occurs when there is a change of the registrant's address, postal code, telephone number, fax number or email address.

How do I know if I need to perform verification for my domain name?

Whenever SGNIC receives a new domain name registration, a change in the identity or contact information of the registrant, or a change in identity of the administrative contact, SGNIC will send an email to the administrative contact to request for him/her to perform the verification. This will only apply to domain names registered from 2 May 2013 onwards. Domain names registered before 2 May 2013 are not affected. Registrants should ensure that the administrative contact is aware that he or she has been appointed as the administrative contact for the domain name and should perform the verification timely.

To ensure that the notification email reaches the administrative contact, registrants have to ensure that the correct email address is provided. Registrants should also ensure that the email address will remain valid for the whole duration of the domain name's registration period.

Does the administrative contact need to perform verification of the registrant's identity and contact information when the domain name is renewed?

No. For domain names registered from 2 May 2013 onwards, there is a need to perform verification only if there are changes to the identity or contact information of the registrant or the administrative contact. For domain names registered before 2 May 2013, there is no need to perform verifications.

How can I check whether my domain name has or has not been verified?

You can perform a WHOIS search via http://www.sgnic.sg on the domain name. Domain names that are verified will have a status of 'VerifiedID@SG-OK'. (sample screen shot)

Domain names that are pending verification will show a status of 'VerifiedID@SG-Pending'. (sample screen shot)

If your domain name does not have a 'VerifiedID@SG-Mandatory' status, it means that the domain name is not subject to the VerifiedID@SG scheme.

The administrative contact information can be viewed in the public '.sg' WHOIS display system. What safeguards are there to protect the privacy of the personal information?

SGNIC will display only the name of the administrative contact in the public '.sg' WHOIS. All other details will not be displayed.