1.1. Summary: This is a space the continuing examination of the ICANN compliance function to ensure that ICANN is completely transparent and accountable in its public commitment. At-Large has been at the forefront for several years in documenting the effectiveness and responsiveness of ICANN compliance.
1.2. Basic Issue: There is a major discrepancy in who directs compliance, more specifically, who compliance reports to. As many of us know, Fadi moved compliance out from under ICANN legal upon his arrival and made the department report directly to the CEO. This was a move welcomed by the community. However, this does not in fact appear to be the case. In terms of portfolio management and budget control, compliance is under the direction of ICANN domain business. This is a serious problem. The attached memo explains the situation and provides some suggestions for remeidying the issue in order to ensure true accountability of ICANN especially as the IANA transition moves forward.
As we consider IANA Transition work in the context of accountability and transparency to the stakeholder community I would encourage all to review the current structure of ICANN’s compliance functions. What ICANN has at the moment is an inherent conflict of interest in the management of compliance. Early in his arrival, CEO Fadi Chehade moved the compliance department out from under ICANN legal and had it report directly to the CEO. This was done following various concerns from the community about the independence of the compliance department. However, now there is a curious situation of the compliance department actually reporting to the business division. See the screen captures below from ICANN’s portfolio management page (prior to August 2015 - see 2.5.) :
Akram Atallah is ICANN’s Global Domain Division President. His core function is in overseeing the commercial aspects of ICANN and specifically in “Relationship Management” for the contracted parties. This is in complete contradiction to his additional portfolio role which includes Contractual Compliance Functions and Initiatives. Even on an optical level, this presents a poor image. In fact, there is no firewall inside of ICANN that ensures compliance truly serves the public interest. Additionally, the domain business president functions appear far-reaching in comparison to other top-level ICANN officers.
This structure is also in contradiction to the ICANN staff organizational chart which shows the head of compliance reporting directly to the CEO. However, ICANN’s FY2016 budget proposals specify that the compliance budget is part of the Global Domains budget and even a portion of the compliance budget is still controlled by ICANN legal. This is not what the CEO promised the community.
To be direct, this structure where the head of commercial business is also head of the compliance function represents an inherent conflict of interest for the organization. Multi-stakeholder accountability cannot be realized in this scheme. The business of ICANN is to close to, in essence on top of, compliance. In a structure where compliance reported to legal, the spirit of compliance is guided purely by protection of the organization and not in the public interest. Now, the spirit of compliance is overshadowed by domain business decisions. This is also not in the public interest and may be less preferable to the pervious model.
The best model, one which serves the multi-stakeholder community and the public interest, would be one in which compliance is completely divorced form ICANN’s business. ICANN’s core function is in managing contracts with registries and registrars. The compliance function is the ultimate protective force for the organization and the greater Internet community. Without an effective compliance function, ICANN is merely a pass-through for domain industry money. My recommendation is to place compliance outside the ICANN structure, possibly reporting directly to the board. Obviously, the functions should remain in ICANN’s offices to ensure continuity, but true structural independence is required for ICANN to deliver its mandate of public interest accountability and transparency.
1.3. Segregation of Duties as a Best Practice
The ICANN Bylaws include a provision for (#8) "Making decisions by applying documented policies neutrally and objectively, with integrity and fairness." ICANN's compliance function is its most critical department for applying documented policies as the enforcement impacts registries, registrars, registrants and users at-large. The need for objectivity, fairness and neutrality of this function cannot be underscored enough. The goal of ICANN's business division is to expand business. A compliance department run by business cannot effectively be neutral, objective, or fair. The second Accountability and Transparency Review Team (pB-6) specifically recommended that: "ICANN should act to ensure that its compliance function is managed in accordance with best practice principles." What are best practice principles?
2. Actual ICANN Structure vs. Public Claims
As explained above, the President of the Global Domains Division is the "owner" of compliance. This is a fact that distinguishes the compliance director from other CEO direct reports who run their own portfolios (i.e., Theresa Swinehart, John Jeffrey, Tarek Kamel, Sally Costerton, Susanna Bennett, David Olive, Ashwin Rangan, etc.). As a direct report to the CEO, the compliance director has no independence in terms of portfolio management, it's clearly a priority of the President of the Global Domains Division. This differs clearly from the the organizational chart but the GDD control of compliance is supported by other documentation including budgets over the last few years.
2.1. FY13 Budget Discrepancies
In looking at the budget we find a number of discrepancies between structural fact and the current organizational chart. The FY13 budget showed compliance funding completely under the control of Akram Atallah.
Another smaller portion of the compliance budget still came from Legal.
2.2. FY16 Budget Discrepancies
The FY16 Budget no longer uses names but rather goals, portfolios, etc. However, in the budget spreadsheet compliance functions fall under section 2.3-Support the evolution of domain name marketplace to be robust, stable and trusted. The other budget items in this section are (2.3.11) Next gTLD Round, (2.3.12) Outreach and Relationship Management with Existing and new Registry, Registrar Community, (2.3.13) Registrar Services, (2.3.14) Registry Services, (2.3.2) Domain Name Services, (2.3.8) GDD Online Services Product Management, and (2.3.9) IDNs. Again, all functions of the President of the Global Domains Division.
The ICANN Draft FY16 Operating Plan & Budget document adds even more specificity to the GDD control of compliance, on page 17 it is stated: "Priority areas: Global Domains Division (GDD) service platform ramp-up and expansion of Contractual Compliance"
This places compliance expansion under GDD. On Page 41 Contractual Compliance Functions (daily operations) are under the umbrella of "marketplace" priorities.
Within the budget spreadsheet we find under 2.1.7 GDD Operations Total: “includes the implementation of Tier one customer service for Registrars and Compliance functions as they implement their proceses on salesforce CRM.” Here compliance funding is tied to customer service (for contracted parties) and sales; this is a $0.2M budget item.
In this case a portion of compliance funding is directly tied to customer service and sales. CRM is "customer relationship management" and implies this is a business-driven process and the greater Internet community is not served. Also not that a portion of this portfolio is "In Trouble" but there is no additional information here.
Atallah previously served as the COO and Interim-CEO ("Whereas, Akram Atallah served as both ICANN's Chief Operating Officer ("COO") andICANN's President and CEO from 1 July 2012 through 13 September 2012. Whereas, when the Board appointed Akram Atallah to serve as ICANN's President and CEO, the Board agreed that rather than increase Mr. Atallah's base salaray, they would pay him a compensation supplement for his service.")
According to the ICANN WIKI: "Atallah's role was then expanded to include oversight of Registry and Registrar Services, Security, and the new gTLD program" Well, that's kind of everything important that the organization does. "Oversight" says compliance, which is explicitly stated as a "goal" of Atallah.
2.3. Legal Influence Continues in Compliance Actions
We see several examples above of compliance taking management direction and as well as their budget from the Domains Division. However, ICANN Legal still has much influence in the department. First there is the specific budget item of "Reports to the Community" being controlled by Legal. It is not clear why the compliance reports of a supposedly transparent public-interest entity need legal authorization. To be very, specific Legal funds the "Contractual Compliance ICANN Meeting Updates" which implies some need for editorial control. Legal is also still part of the cycle of registrar breaches and terminations. While terminating a contract is a legal issue. Then there is a breach sent to the registry for .JOBS which was exclusively signed by the head of legal. In that case Legal is the driving force behind the breach and it does not even appear to come from Compliance. Current Compliance has noted this information is old (see "Comments" below), but we need to be conscious of this and ask for specifics as to when absolute control ended and how deep is the influence now.
2.4. GDD President is Outside the ICANN Structure?
A different ICANN organizational chart demonstrates the seriousness of the issue. This one shows the GDD President completely outside the ICANN structure. Here the domain business president does not report to the CEO, or anyone else for that matter. He is also on the same organizational level as the ICANN CEO.
Secondly, It is important to note location of compliance in this structure, under the COO and not under the CEO. If this chart is to be taken on its face, compliance reports to the COO and the domain business is unaccountable to the CEO, or anyone else. ICANN staff has questioned the origin of this document. It has been suggested that "that document was prepared and posted by a member of the community" (see comments). The full original document can be found here: https://community.icann.org/download/attachments/41899319/ICANN%20Management%20Org%20Chart.pdf?version=1&modificationDate=1379370144000&api=v2. Regardless of the origin, it remains a curious artifact which should be discussed and fully fleshed out.
2.5. UPDATE August 7, 2015
Allen Grogan has posted an additional response to this page (see below) in which he has indicated ICANN made changes to the ICANN Portfolio Management System Plan Overview. The first major change was to make a "Portfolio Goal" for Allen Grogan who was absent from the top-level management previously. This "Goal" is part of the "Promote role clarity and establish mechanisms to increase trust within ecosystem rooted in the public interest" efforts. The second change to the overall context was to change "Owner" to "Shepherd" for each portfolio goal. The third change was to apparently divide the former management priorities of Akram Atallah. "Contractual Compliance Functions" and "Contractual Compliance Initiatives" are now under Grogan. "WHOIS Core Function/Service & Improvement" and "Security, Stability and Resiliency of Internet Identifiers" are now under David Conrad. (Also see Grogan's summary in the "Comments" section at the bottom of this page). However, for reasons explained below in 2.6, there are more serious budget issues as they relate to management. In summary, if we are to believe the updated plan which indicates Grogan as the manager ("Shepherd") of compliance, the budget and portfolio management place Akram Atallah between him and the CEO. This is not the draft, but the approved budget.
2.6. A More Detailed Look at Akram Atallah's Role in terms of Portfolio and Budget (Following August update above)
Following ICANN's August changes to the PMS we still basically see the GDD President as the "Shepherd" of most of the organization including compliance, as shown below in 2.6.1. and 2.6.2.
2.6.1. "Support the evolution of domain name marketplace to be robust, stable and trusted"
The budget has become more obfuscated, removing names and titles, as opposed to the version seen above in 2.1 from FY13. Without more specifics being provided by ICANN we have to compare the Portfolio Goals with the Budget Line Items, particularly Akram Atallah's FY16 portfolio goals as "Shepherd". In terms of the ICANN Portfolio Management System Atallah has two major Goals as Shepherd which match major budget sections: Foster and coordinate a healthy, secure, stable, and resilient identifier ecosystem and Support the evolution of domain name marketplace to be robust, stable and trusted. (The following is a composite image from the ICANN Portfolio system and the FY16 Budget):
The budget section entitled: 2.3-Support the evolution of domain name marketplace to be robust, stable and trusted includes the following budget line items: 2.3.10 New gTLD Program, 2.3.11 Next gTLD Round, 2.3.12 Outreach and Relationship Management with Existing and new Registry, Registrar Community, 2.3.13 Registrar Services, 2.3.14 Registry Services, 2.3.2. Domain Name Services, 2.3.5 Contractual Compliance Functions, 2.3.6 Contractual Compliance Initiatives & Improvements, 2.3.7 Contractual Compliance & Consumer Safeguard, 2.3.8 GDD Online Services Product Management, and 2.3.9 Internationalized Domain Names. The Compliance budget falls under a portfolio that Atallah is the "Shepherd" of and is bundled with the Global Domains Division budget and other items that Atallah manages. It is important to note that the budget document is titled "FY16 Budget By Portfolio and Project" which makes a direct reference to the Portfolio Goals of the "Shepherds".
2.6.2. "Foster and coordinate a healthy, secure, stable, and resilient identifier ecosystem"
According to the FY16 Operating Plan and Budget Adopted by ICANN Board at ICANN 53 in Buenos Aires, all the Contractual Compliance functions fall under "Foster and coordinate a healthy, secure, stable, and resilient identifier ecosystem" which has Akram Atallah as the "Shepherd".
From the "Fadi Chehade, Shepherd" page click on "Foster and coordinate a healthy, secure, stable, and resilient identifier ecosystem", this will open the "Akram Atallah, Shepherd" page. View the FY16 Budget by Project and Portfolio to see that Contractual Compliance Functions are part of the "Foster..." portfolio. The budget control of compliance is still under Akram Atallah.
2.6.3. As the CEO Steps Down, Akram Steps Up (again)
It was announced August 17 2015 that NTIA would be extending the IANA contract for another year. This happened at the same time as Fadi's announcement that he would distancing himself from ICANN's operation. The IANA contract had to be modified in order to accommodate the change in schedule. Who signed the new contract? Akram Atallah:
The document makes it clear what entity Atallah is signing on behalf of:
2.6.4. President of Global Domains Division issues Public Statements of Compliance Policy
Beyond what we see above in the historical organizational structure and budget documents, we also see Akram Atallah making public policy statements on compliance. The following are excerpts from last October's Wall Street Journal article on ICANN:
"I don't know how contractually we could do something different than [what] we are doing says Akram Atallah, president of Icann's global domains division"
So, here we have the GDD President definitively stating what the limits of contractual compliance are. As a side note, it is clear from the record that the issue in question was a contractual issue, but Atallah has declared publicly it was not. Why is the GDD President making the declaration and not the CEO, especially if the head of compliance supposedly reports to the CEO?
The following is portion of a June 18 2015 letter by the GDD President on a compliance matter:
"ICANN's enforcement authority is limited to enforcing compliance with the terms and conditions of its agreements
...
ICANN is considering these responses and will continue to monitor Vox Populi's compliance with ICANN's Registry Agreement for the .SUCKS TLD."
Again, GDD is making public policy definitions of the compliance role and responding to compliance issues from the community.
3. True Impact of Compliance Activity
While we have seen an increase in general compliance activity in recent years, the effects are marginal. The 24 registrars breached so far in 2015 represent about 0.46% of the domain market. The 5 registrars terminated so far in 2015 represent about 0.0043% of the domain market. One of the registrars only had 4 .COM domains and another only 38. The motivation for enforcement appears to be financial. Registrars with breaches have something in common, they owe fees to ICANN. Combine the two factors (tiny portfolios and debt) and compliance appears to be a bill collector for registrars who are not contributing enough to the pot. While ICANN must watch its bottom line and remove inefficient contracted parties, this seems to be the only trigger for enforcement.
4. Recommendations for ALAC
ALAC should issue a clear statement supporting the reorganization of the compliance department outside of ICANN's domain business. Having the GDD President oversee compliance and controlling the compliance budget does not engender trust within the community. A compliance department which is truly independent of ICANN's business better serves the entire community.
4.1. ICANN AoC
The issue of ICANN business must be examined through the AoC. The Affirmation of Commitments (AoC) is an agreement between ICANN and the U.S. Department of Commerce. There are many statements within the agreement which are applicable here. In reference to the budget it is stated: "ICANN commits to adhere to transparent and accountable budgeting processes" If we are to believe the various budget documents detailed above, there there is a problem with ICANN's presentation of the staff hierarchy. If the hierarchy is correct then the budget as presented to the community is not accurate. The agreement further states that "[ICANN] ensure that decisions made related to the global technical coordination of the DNS are made in the public interest and are accountable and transparent". It is difficult to see how decisions can be made in the public interest if compliance is run by the business division, this issue made even more explicit in the AoC by requiring that ICANN's decisions are "not just the interests of a particular set of stakeholders." The stakeholders represented by the Global Domains Division are the contracted parties, for the Present of GDD to also run compliance makes ICANN's commitment highly questionable.
4.2. At-Large Accountability and Transparency Review
At-Large has been at the forefront of ATRT, which is an outgrowth of the AoC. The ATRT2 Recommendations plainly states: "there is still a lack of faith in the community that Contractual Compliance is being sufficiently well addressed..." The ATRT2 also boasts as an acheivement: "Compliance restructured and reports to CEO", but we see from the above this is not the case. The ATRT goes into much more specific detail about the compliance function and its recommended structure.
A lack of independence is underscored by the Global Domains Division directing compliance. The only interest, it would appear, is commercial.
Has such a sub-committee been created?
Having compliance report to the Global Domain Division seems a primary conflict, beyond the lack of an independent governance of compliance as required by the ATRT2. By ICANN Board resolution, these recommendations are supposed to be implemented. Control of compliance by the Global Domains Division appears to violate these recommendations.
4.3. CWG Accountability Work
ALAC has affirmed its stance that "ICANN has a responsibility to develop policies that will foster user trust in the DNS" in specific relation to the IANA transfer. Compliance oversight should be moved outside of the commercial portion of ICANN to further foster that trust. This should be a part of any further work in terms of the transfer. This would fall under CWG Work Stream 1: "focused on mechanisms enhancing ICANN accountability that must be in place or committed to within the time frame of the IANA Stewardship Transition";
4.4. ICANN Bylaws
As noted above, the ICANN Bylaws include a provision for (#8) "Making decisions by applying documented policies neutrally and objectively, with integrity and fairness." Compliance cannot be neutral, objective or fair when controlled by the business section of an organization.
5. Historical Information on this work
ICANN’s relationship with the community in terms of its Compliance function (memo to ALAC)
NARALO Reports on ICANN Compliance - January 2015
NARALO Chair Reports on ICANN Compliance - November 2012
Compliance Issues Timeline 2011 - 2014