VerifiedID@SG

FREQUENTLY ASKED QUESTIONS

 

1.      What is the purpose of implementing VerifiedID@SG?

2.      How does VerifiedID@SG work?

3.      What domain names are subject to the VerifiedID@SG scheme?

4.      Why is the VerifiedID@SG scheme applied only to domain name registrations made after 2 May 2013?

5.      Why must I provide real identities when registering for domain names?

6.      Why do you ask the administrative contact instead of the registrant itself to verify the identity of the registrant?

7.      If the registrant is an individual with a Singpass account or an organisation with a Corppass account, can the registrant verify his own identity instead of requiring another entity to verify?

8.      With VerifiedID@SG in place, what is the responsibility and accountability of an administrative contact?

9.      Will the administrative contact be held accountable if the registrant’s identity or contact information (i.e. address, postal code, telephone number, fax number and email address) turns out to be inaccurate, incomplete, or even false?

10.   Will the administrative contact be held accountable for the wrongdoing of the registrant?

11.   Why has SGNIC implemented the VerifiedID@SG?

12.   What do I need to do when I apply for a new ‘.sg’ domain name?

13.   How long will the verification process take?

14.   What will happen if the administrative contact does not perform verification for a newly registered ‘.sg’ domain name?

15.   What should the administrative contact do if he cannot remember the Singpass/Corppass password?

16.   Who are eligible to apply for a Singpass account?

17.   Who are eligible to apply for a Corppass account?

18.   Where can I find more information about Corppass?

19.   Can I use an organisation without a Corppass account or individual without a Singpass account as the administrative contact?

20.   How do I apply for an SGNICID?

21.   My domain name has successfully undergone the verification process. What should I do when I change the registrant or administrative contact of the domain name?

22.   What is considered a ‘change of identity’?

23.   What is considered a ‘change of contact information’?

24.   How do I know if I need to perform verification for my domain name?

25.   Does the administrative contact need to perform verification of the registrant’s identity and contact information when the domain name is renewed?

26.   How can I check whether my domain name has or has not been verified?

27.   The administrative contact information can be viewed in the public ‘.sg’ WHOIS display system. What safeguards are there to protect the privacy of the personal information?

28.   As the administrative contact, can I choose to stop receiving daily reminders to perform verification for a domain name that has not been verified?

29.   What if I am not the administrative contact even though records show that I am?

 

1.       What is the purpose of implementing VerifiedID@SG?

 

VerifiedID@SG requires the administrative contact of a ‘.sg’ domain name to verify the identity and contact information of the registrant. VerifiedID@SG is aimed at mitigating the use of fake information associated with a ‘.sg’ domain name registration, which will in turn minimise the abuses of the domain name and further enhance the trust among the users of .sg websites.  

 

2.       How does VerifiedID@SG work?

 

VerifiedID@SG requires all new .sg domain names registered from 2 May 2013 to undergo compulsory verification using Singpass/Corppass. The verification is to be carried out by the administrative contact of a domain name to verify the identity and contact information of the registrant. The verification involves two steps:

(a)  Login to Singpass as Individual (sample screen shot) or Business User* (sample screen shot); and

(b)  click on a “Verify Identity” button. (sample screen shot)

 

The administrative contact will be given a grace period of 21 calendar days from the date of registration to verify the registrant’s identity and contact information. If the administrative contact has not done this after the grace period, SGNIC will suspend the domain name.

 

As an exception under specific conditions, registrants who are unable to arrange for individuals/organisations who possess a Singpass/Corppass account to act as an administrative contact can appoint an organisation with a valid “SGNICID” as the administrative contact. For details, see question 19.

 

* From 11 April 2021, the login process for Corppass has been changed to verify the user’s identity via Singpass first before accessing and transacting with government digital services. While Singpass is used for logins, Corppass will continue to be the one-stop authorisation system for entities to authorise or remove their employees’ access to government digital services on their behalf.

 

3.       What domain names are subject to the VerifiedID@SG scheme?

 

Domain names registered from 2 May 2013 onwards will be subject to the scheme*.

 

(Effective from 19 April 2020) Domain names registered before 2 May 2013 will be subject to the scheme* once the identity or contact information of the registrant is changed.

 

If SGNIC has doubts over the registrant's authenticity of any domain name that is not subject to the scheme, SGNIC may require the administrative contact to verify the identity of the registrant.

 

* Subject to the scheme requires administrative contact to perform first verification for the name; and subsequent verification(s) as and when there is change in the identity or contact information of the registrant, or a change in identity of the administrative contact on the domain name.

 

4.       Why is the VerifiedID@SG scheme applied only to domain name registrations made after 2 May 2013?

 

VerifiedID@SG was implemented on 2 May 2013. In view of the inconvenience that the large pool of existing registrants (with domain names registered before 2 May 2013) will face if they are required to replace existing administrative contacts with administrative contacts with Singpass/Corppass accounts, SGNIC will not mandate VerifiedID@SG for such registrants until there is a change of such registrants' identity or contact information. Nevertheless, if SGNIC has doubts over the identity of any existing registrants, SGNIC may subject the domain names to verification via the VerifiedID@SG scheme on a case-by-case basis. SGNIC may extend the scheme to all existing domain names if deemed necessary.

 

To check if your domain name falls under the scheme, you can perform a WHOIS search via http://www.sgnic.sg on the domain name.  If your domain name does not have a ‘VerifiedID@SG-Mandatory” status, it means that the domain name is not subjected to the VerifiedID@SG scheme until there is change of the domain name registrant's identity or contact information.

 

5.       Why must I provide real identities when registering for domain names?

 

All domain names have to be registered by real organisations or individuals. By registering, they are in turn responsible for the safe and lawful use of the domain names.

 

6.       Why do you ask the administrative contact instead of the registrant itself to verify the identity of the registrant?

 

Some of the ‘.sg’ registrants are foreign organisations. At the moment there is no convenient system or method for foreign organisations to verify their identity online. For the registrants to prove their identities, one way is for them to provide paper-based documentary proof, such as the company registration certificates and personal identity documents. This process, however, is time-consuming, and creates inconvenience for registrants.

 

Each .sg domain registration requires a Singapore administrative contact. Entities in Singapore can conveniently be identified online using Singpass or Corppass because Singapore citizens, PRs and foreigners working in Singapore could have been issued with a Singpass account, and Corppass account could be issued to businesses and various other types of organisations in Singapore. An entity with Singpass or Corppass account can thus act as the administrative contact for a ‘.sg’ domain name and assist in verifying the identity and contact information of the registrant via a convenient online process.

 

7.     If the registrant is an individual with a Singpass account or an organisation with a Corppass account, can the registrant verify his own identity instead of requiring another entity to verify?

 

Yes, he can. He should however act as the administrative contact since the system is designed for the administrative contact to verify the identity and contact information of the registrant. This will help simplify the communications and workflow for all parties (registrants, registrars and SGNIC) and minimise any potential confusion.

 

8.       With VerifiedID@SG in place, what is the responsibility and accountability of an administrative contact?

 

As an administrative contact, his obligation is to exercise due diligence to check the identity and contact information of the registrant and confirm that it is true. In the event that a domain name is found to be abused for undesirable activities (e.g. fraud) and the identity or contact information of the registrant is incorrect, the administrative contact may be asked to assist SGNIC or any other relevant authority in their respective investigations.

 

9.      Will the administrative contact be held accountable if the registrant’s identity or contact information (i.e. address, postal code, telephone number, fax number and email address) turns out to be inaccurate, incomplete, or even false?

 

No, provided that he can show that he has exercised due diligence to check the accuracy of the identity and contact information of the registrant. In this case, SGNIC will need his assistance in its investigation.

 

Where SGNIC believes that the administrative contact has made a false declaration or has provided false, misleading or inaccurate information, SGNIC may bar the administrative contact from performing the task for any new .sg domain name.

 

10.   Will the administrative contact be held accountable for the wrongdoing of the registrant?

 

No. Registrants themselves are accountable for the proper usage of domain names including the content that is displayed on the website.

 

11.   Why has SGNIC implemented the VerifiedID@SG?

 

Among the many domain name registries in the world, the industry norm is to allow an applicant to register domain names online. Traditionally, registries trust that the applicant has provided accurate and complete registration details such as his identity and contact information. Unfortunately, some applicants abuse this trust and engage in identity theft or provide fake information. Such fake registrations can potentially harm the Internet community. They are often pre-cursors to using the domain names in malicious ways (such as malware distribution, phishing or scams) or any act of misconduct. In addition, in cases of identity theft, the victimised party whose identity has been stolen often suffer the inconvenience and distress of having to prove his innocence.

 

As Internet applications continue to grow, so does the possibility for abuses in domain names. As more people rely on the Internet for work and leisure, identity theft and fake identity is a growing concern among domain name registries globally.

 

An effective way of preventing identity theft and fake identity is to require the applicant of a domain name to provide paper-based documentary proof, such as the company registration certificate and personal identity documents before accepting the domain name application; This is a time-consuming process. Not only will it slow down registrations but also creates inconvenience for registrants and registrars. A convenient and highly accessible way is to allow verification to take place online for most of the registrations.

 

SGNIC registration system is able to leverage on “Singpass” (Singapore Personal Access) and “Corppass” (Singapore Corporate Access) to know the identity of the administrative contact of the domain name. The administrative contact can verify the identity and contact information of the registrant and be contacted by SGNIC in its investigations into any inaccurate or false information about the registrant.

 

12.   What do I need to do when I apply for a new ‘.sg’ domain name?

 

When you apply for a new domain name from 2 May 2013 onwards, you will need to provide details of an individual-type administrative contact that has a valid Singpass ID (i.e. Singapore NRIC or FIN)* or an organisation-type administrative contact that has a valid Unique Entity Number (UEN)**.

The administrative contact must, within 21 calendar days from the date of registration, complete the verification process via the VerifiedID@SG Portal. This can be done by the administrative contact via two ways:

a.     Click on the link in an email that will be sent by SGNIC to the administrative contact’s email (sample screen shot), or;

b.     Go to VerifiedID@SG portal directly at URL: http://verifiedid.sgnic.sg

 

*Please note that ‘personalised’ Singpass ID, implemented under the Enhanced Singpass, cannot be accepted because the ‘personalised’ Singpass ID is designed to be accepted during the Singpass login process within Singpass’s authentication system. E-services such as SGNIC’s system can only accept Singpass ID in the format of Singapore NRIC or FIN. Please also see question 16 on who is eligible for a Singpass ID.

 

**Please note that the “UEN” of the organisation, instead of a “Singpass ID” linked to the organisation’s Corppass account, should be provided in the administrative contact because the Singpass ID is designed to be used during the Corppass login process within Corppass’s authentication system to identify which user is designated by the organisation to transact with the e-service. Please also see question 17 on who is eligible for Corppass.

 

13.   How long will the verification process take?

 

It should take less than 5 minutes to perform the verification. The process entails a two-step process:

(1)  Login to Singpass as Individual (sample screen shot) or Business User* (sample screen shot); and

(2) Click on a button to verify the registrant’s identity and contact information upon confirming that the details are accurate. (sample screen shot)

 

An administrative contact who has proven his online identity via a successful (Individual/Business user*) Singpass login can have a more direct one-step verification process for future domain name registrations. To have this added convenience, the administrative contact must add his email to the list of ‘authorised email’ in the VerifiedID@SG portal (after successful login). For future domain name registrations, SGNIC’s initial email to the administrative contact will contain a special hyper-link that the user can click to login directly to the VerifiedID@SG portal and continue with the verification process (without the need to login).

 

* From 11 April 2021, the login process for Corppass has been changed to verify the user’s identity via Singpass first before accessing and transacting with government digital services. While Singpass is used for logins, Corppass will continue to be the one-stop authorisation system for entities to authorise or remove their employees’ access to government digital services on their behalf.

 

14.   What will happen if the administrative contact does not perform verification for a newly registered ‘.sg’ domain name?

 

If a newly registered domain name is not verified by the administrative contact within 21 calendar days of registration, the domain name registration will be suspended (i.e. its website and emails will cease to function). When the domain name has been suspended, anyone can seek a temporary extension of the verification due date by 7 days via this link. The due date can only be extended once.  

 

The domain name will also not be renewable until the administrative contact completes the verification process.

 

15.   What should the administrative contact do if he cannot remember the Singpass password?

 

To reset the Singpass password, please visit to Singpass “Reset Password” page <here>.

 

If the administrative contact cannot obtain the password in time to complete the VerifiedID@SG verification process, the registrant can consider appointing another person as the administrative contact.  The registrar of the domain name can assist the registrant to change the administrative contact.

 

16.   Who are eligible to apply for a Singpass account?

 

Under Singpass current guidelines, the following groups of users are eligible to apply for Singpass account:

·       Singapore Citizen and Permanent Resident

·       Employment Pass and Personalised Employment Pass holders

·       EntrePass holders

·       S-Pass holders

·       Dependant Pass holders (of EP, PEP, EntrePass and S-Pass holders)

·       Selected Work Permit Holders

 

17.   Who are eligible to apply for a Corppass account?

 

Under Corppass current guidelines, the following group of entities is eligible to apply for Corppass account:

·       Local Entities with Unique Entity Number (UEN) - Locally registered organisations that have been issued a UEN by the Accounting and Corporate Regulatory Authority (ACRA) or other UEN-issuance agency.

 

18.   Where can I find more information about Corppass?

 

To find out more and learn about Corppass, visit the Corppass “Find Out More” page <here>.

 

Should you require further support on Corppass, please visit the Corppass “FAQ” page <here>.

 

To learn more about Corppass functionalities and how to use them, you may view Corppass step-by-step guides and video guides <here>.

 

19.   Can I use an organisation without a Corppass account or individual without a Singpass account as the administrative contact?

 

All registrants should appoint a local administrative contact with a Singpass account or Corppass account. However, under special exceptions listed below, you may ask your administrative contact to apply for a “SGNICID”.

Entities that may apply for SGNICID are:

·       A local organisation, without a Corppass account and is in the business of registering and managing domain names (e.g. registrars, resellers, law firms, etc.) and is managing a sizable number of .sg domain names (to be determined by SGNIC on case-by-case basis) at the point of application;

·       A foreign organisation or foreign individual (without a Singpass account or Corppass account) who is unable to appoint a local administrative contact with a Singpass account or Corppass account; or

·        An entity that, in SGNIC's sole discretion, would require a SGNICID.

 

Note that all the entities above must have a local presence and valid Singapore postal address in order to be appointed as an administrative contact for .sg domain names.

 

20.   How do I apply for an SGNICID?

 

SGNICID is only issued under exceptional circumstances (please see question 19 for the pre-requisites).

 

The SGNICID will be issued after SGNIC has verified the true identity of the applicant. To apply for a SGNICID, the applicant will have to submit the completed form (http://verifiedid.sgnic.sg/sgnicid_app.pdf) with the supporting documents (refer to Annex of the form) for pre-screening and approval (email dnq@sgnic.sg or fax to 66592532). SGNIC will make an appointment with the applicant to submit the application and collect the SGNICID in person at SGNIC’s office. The applicant will need to bring along the documents stated in the form.

 

 

21.   My domain name has successfully undergone the verification process. What should I do when I change the registrant or administrative contact of the domain name?

 

Whenever there is a change of the identity or contact information of the registrant or a change of the identity of the administrative contact, the administrative contact needs to perform the verification. If the verification is not performed, the domain name cannot be renewed.  A check on SGNIC WHOIS for the domain name will show that the verification of the domain name is pending (“VerifiedID@SG-Pending”), and cannot be renewed (“Server Renew Prohibited”).

 

22.   What is considered a ‘change of identity’?

 

A.    For a contact (registrant or administrative contact) that has specified an identification number (e.g. UEN, NRIC, etc.), a change of identity occurs when there is a change of the identification number. If there is a change of the “name” but not the identification number, the system will not flag it as a ‘change of identity’. This is to cut down the need for identity re-verification by the administrative contact. For example, if a registrant “Joe Pte Ltd” with Unique Entity Number (UEN) 53001111W has changed its name to “Joe (Singapore) Pte Ltd” but the UEN stays the same as 5300111W, it will not be considered as a ‘change of identity’ and the administrative contact need not perform a re-verification.

 

B.    For a contact (registrant or administrative contact) that has not specified an identification number, a change of identity occurs when there is a change of the organisation name (for organisation-type contact) or first/last name (for individual-type contact) or when an identification number is provided. For example, if a registrant “Peter Goh” with no identification number provided updates to his information with NRIC “8012345A” or change his name to “Peter Goh B C”, it will be detected as a change of identity.

 

23.   What is considered a ‘change of contact information’?

 

A change of contact information occurs when there is a change of the registrant’s address, postal code, telephone number, fax number or email address.

 

24.   How do I know if I need to perform verification for my domain name?

 

The following scenarios will trigger an email to the administrative contact that requires him/her to perform first verification for the name:

 

For names registered on or after 2 May 2013:

 

·       New domain name registrations

 

(Effective from 19 April 2020) For names registered before 2 May 2013:

 

·       Change in identity of registrant

·       Change in contact information of registrant

 

After the first verification, a subsequent change in the identity or contact information of the registrant, or a change in identity of the administrative contact on all domain names could trigger an email to the administrative contact to request for him/her to perform the verification again.

 

Registrants should ensure that the administrative contact is aware that he or she has been appointed as the administrative contact for the domain name and should perform the verification timely.

 

To ensure that the notification email reaches the administrative contact, registrants have to ensure that the correct email address is provided. Registrants should also ensure that the email address will remain valid for the whole duration of the domain name’s registration period.

 

Please also see question 26.

 

25. Does the administrative contact need to perform verification of the registrant’s identity and contact information when the domain name is renewed?

 

No. As long as there are no changes to the identity or contact information of the registrant or identity of the administrative contact, there is no need to perform verification.

 

26.   How can I check whether my domain name has or has not been verified?

 

You can perform a WHOIS search via http://www.sgnic.sg on the domain name. Domain names that are verified will have a status of “VerifiedID@SG-OK”. (sample screen shot)

 

Domain names that are pending verification will show a status of ‘VerifiedID@SG-Pending”. (sample screen shot)

 

If your domain name does not have a ‘VerifiedID@SG-Mandatory” status, it means that the domain name is not subject to the VerifiedID@SG scheme.

 

27.  The administrative contact information can be viewed in the public ‘.sg’ WHOIS display system. What safeguards are there to protect the privacy of the personal information?

 

SGNIC will display only the name of the administrative contact in the public ‘.sg’ WHOIS. All other details will not be displayed.

 

28.  As the administrative contact, can I choose to stop receiving daily reminders to perform verification for a domain name that has not been verified?

 

You can login to VerifiedID@SG portal, click on the domain name, click "Stop Daily Reminder Email" button at the bottom of the domain details page and click on the "Confirm" button.

 

The system will stop sending the daily notification email to you.

 

29.   What if I am not the administrative contact even though records show that I am?

 

You can login to VerifiedID@SG portal, click on the domain name, click "Stop Daily Reminder Email" button at the bottom of the domain details page, put a tick on the box which states "(optional) I am NOT the Administrative Contact of this domain name..." and click on the "Confirm" button.

 

The system will stop sending the daily notification email to you and also notify the domain name registrant and sponsoring registrar to take appropriate actions.