sender-id-registry-service — Service Risk Register
Version: 1.0
Status: Draft
Owner: Trust and Safety + Regulator-facing + SRE
Last Updated: 2026-04-21
References: FAILURE_MODES.md, SECURITY_MODEL.md, ADR-0004
Known service-level risks with owners, mitigations, and residual-risk classification. The service is the platform's bid to become the national sender-ID authority, so risk management here has a regulator-and-reputation dimension beyond engineering. Scored 1–5 Likelihood × Impact; residual must be ≤ Medium for GA.
1. Risk Summary
| ID | Risk | Category | Likelihood | Impact | Pre-mitigation | Residual | Owner |
|---|---|---|---|---|---|---|---|
| SID-RISK-01 | KYC document forgery (fake commercial licence) | Security | 3 | 4 | High | Medium | Trust & Safety |
| SID-RISK-02 | Restricted-pattern false-positive blocks legitimate brand | Correctness | 3 | 3 | Medium | Low | Trust & Safety |
| SID-RISK-03 | Homoglyph / Unicode bypass of restricted patterns | Security | 3 | 4 | High | Low | Security |
| SID-RISK-04 | Public-search scraping causes tenant-intelligence leak | Security | 4 | 3 | High | Low | Security |
| SID-RISK-05 | Reputation-score gaming via cooperative tenants | Trust & Safety | 2 | 3 | Medium | Low | Trust & Safety |
| SID-RISK-06 | Regulator schema change without notice | Dependency | 3 | 3 | Medium | Medium | Regulator Liaison |
| SID-RISK-07 | Multi-region replication conflict on sender-ID row | Correctness | 2 | 3 | Medium | Low | Platform Arch |
| SID-RISK-08 | GDPR right-to-erasure on KYC documents | Legal | 2 | 4 | Medium | Low | Legal |
| SID-RISK-09 | Auto-suspension weaponised against competitors | Trust & Safety | 2 | 3 | Medium | Medium | Trust & Safety |
| SID-RISK-10 | Fraud-feed latency leaves reputation stale during abuse | Performance | 3 | 3 | Medium | Low | SRE |
| SID-RISK-11 | Notary-whitelist compromise | Legal | 2 | 4 | Medium | Medium | Legal |
| SID-RISK-12 | HSM unavailability blocks audit-hash + KYC DEK wrapping | Dependency | 2 | 3 | Medium | Low | Security |
| SID-RISK-13 | S3 KYC bucket misconfiguration exposes documents | Security | 1 | 5 | High | Low | Security + SRE |
| SID-RISK-14 | Regulator requires new verification level | Regulatory | 2 | 3 | Medium | Medium | Regulator Liaison |
| SID-RISK-15 | Tenant legal challenge to rejection | Legal | 3 | 3 | Medium | Low | Legal |
| SID-RISK-16 | Fail-closed Verify during Postgres incident blocks OTP | Availability | 2 | 5 | High | Medium | SRE |
2. Risk Details
SID-RISK-01 — KYC document forgery
Bad actor uploads a forged commercial licence or notarised document to claim a brand-sounding sender-ID.
Mitigation. Dual-reviewer approval for restricted-pattern submissions; notary whitelist; cross-reference against Afghan Ministry of Commerce registry where API exists; homoglyph/typosquatting check against existing brands; tenant attestation signed at submission; AI-assisted document authenticity check (Phase 2 per AI_INTEGRATION.md).
Residual. Medium — determined forger can still pass first-review; detection deferred to complaint stream.
SID-RISK-02 — Restricted-pattern false-positive
Pattern catches legitimate brand (e.g., BANK-FRUIT rejected due to BANK* pattern).
Mitigation. Pattern authoring requires matching + non-matching example corpus; dry-run against existing catalog before publish; exception request workflow; dual-control on pattern changes.
Residual. Low.
SID-RISK-03 — Homoglyph / Unicode bypass
BАNK (Cyrillic А) registers despite BANK* pattern.
Mitigation. NFKC normalisation at submit; Unicode TR39 confusables applied before match; ASCII-only alpha-IDs by default, non-ASCII requires NOTARISED; 500+ homoglyph corpus test.
Residual. Low.
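The submit-time checks listed for SID-RISK-03 (NFKC normalisation, TR39 confusable folding, ASCII-only default) and the BANK* prefix match from SID-RISK-02, as an added illustration that is not the service's own code. The confusables map is a small constructed subset of the TR39 table, the BANK prefix is the only restricted pattern, and applying the ASCII check to the raw submission is an assumption of the example.

```python
import unicodedata

# Constructed subset of the Unicode TR39 confusables table (uppercase Cyrillic and
# Greek letters that render like Latin). The register describes the full TR39 data
# being applied; this map is an assumption of the example, not the service's corpus.
CONFUSABLES = {
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K",   # Cyrillic
    "\u041c": "M", "\u041d": "H", "\u041e": "O", "\u0420": "P",
    "\u0421": "C", "\u0422": "T", "\u0425": "X",
    "\u0391": "A", "\u0392": "B", "\u0395": "E", "\u039a": "K",   # Greek
    "\u039c": "M", "\u039f": "O", "\u03a1": "P", "\u03a4": "T",
}

# Restricted-pattern prefixes named in the register (BANK* in SID-RISK-02/03).
RESTRICTED_PREFIXES = ("BANK",)


def skeleton(sender_id: str) -> str:
    """NFKC-normalise, upper-case, then fold each confusable to its Latin look-alike."""
    folded = unicodedata.normalize("NFKC", sender_id).upper()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def evaluate(sender_id: str, notarised: bool = False) -> dict:
    """Apply the submit-time checks in the order the register lists them.

    Assumption: the ASCII-only default is checked on the raw submission, so any
    non-ASCII code point the tenant typed requires the NOTARISED verification
    level before the restricted-pattern match is consulted.
    """
    sk = skeleton(sender_id)
    if not sender_id.isascii() and not notarised:
        return {"skeleton": sk, "decision": "REJECT_NON_ASCII_REQUIRES_NOTARISED"}
    if any(sk.startswith(p) for p in RESTRICTED_PREFIXES):
        # Matching on the skeleton means homoglyph spellings still route to
        # dual-reviewer approval rather than registering silently.
        return {"skeleton": sk, "decision": "RESTRICTED_REVIEW"}
    return {"skeleton": sk, "decision": "ALLOW"}


if __name__ == "__main__":
    # Constructed inputs: plain brand, the RISK-02 false positive, the RISK-03
    # Cyrillic bypass, and a fullwidth spelling that NFKC collapses to ASCII.
    for sid in ("ACME", "BANK-FRUIT", "B\u0410NK", "\uff22\uff21\uff2e\uff2b"):
        print(repr(sid), evaluate(sid), evaluate(sid, notarised=True))
```

BANK-FRUIT lands in restricted review by design; that is the false positive SID-RISK-02 resolves through the exception-request workflow, not something the matcher should special-case.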
SID-RISK-04 — Public-search scraping
Scraper iterates through registry enumerating tenant sender-IDs.
Mitigation. Registrant name shown (not tenant-ID); Kong rate-limit + JA3 tarpit; minimum 3-char query; result set cap + CAPTCHA after first page; weekly deny-list of repeat offenders.
Residual. Low.
SID-RISK-05 — Reputation gaming
Cooperative tenants inflate a sender-ID's reputation via synthetic traffic.
Mitigation. Fraud-intel signals weighted ×10 in formula; anomaly detection on delivery patterns; manual cap by Trust & Safety.
Residual. Low.
SID-RISK-06 — Regulator schema change
ATRA changes export schema mid-year.
Mitigation. Adapter pattern for export; 90-day rolling forecast owned by Regulator Liaison; parallel-schema window (up to 30 days) during transition.
Residual. Medium.
SID-RISK-07 — Multi-region replication conflict
Concurrent writes to same sender-ID row in different regions.
Mitigation. Logical replication with LWW+HLC; state transitions append-only in audit; hourly reconciliation cron.
Residual. Low.
SID-RISK-08 — GDPR erasure on KYC documents
Registrant invokes right-to-erasure on KYC document containing their PII.
Mitigation. KYC retained only while sender-ID is ACTIVE + 1 year post-REVOKED; erasure triggers PII redaction (face blur + name replacement) with encrypted copy retained per regulator requirement; Legal-signed retention policy.
Residual. Low.
SID-RISK-09 — Auto-suspension weaponisation
Coordinated dummy events push a competitor's sender-ID below 30.
Mitigation. 1-hour grace window with sender-owner notification; contested suspensions pause pending manual review; fraud-intel detects coordinated STOP campaigns and discounts them.
Residual. Medium — depends on reviewer triage speed.
SID-RISK-10 — Fraud-feed latency
Fraud-intel event takes > 60 s to propagate.
Mitigation. NATS lag alert at 60 s; direct gRPC short-circuit for critical-severity events; incremental reputation application.
Residual. Low.
SID-RISK-11 — Notary whitelist compromise
Whitelisted notary later found fraudulent.
Mitigation. Quarterly whitelist review by Legal; notary removal triggers batch re-verification of their approvals; annual audit of fraud / complaint rates per notary.
Residual. Medium.
SID-RISK-12 — HSM unavailability
HSM outage blocks audit-hash and KYC-document DEK wrapping.
Mitigation. HSM HA with regional quorum per ADR-0004 §11; audit writes queue with ≤ 5 min buffer; registration pauses new KYC uploads but existing processing continues.
Residual. Low.
SID-RISK-13 — S3 KYC bucket misconfiguration
IAM or bucket policy change exposes documents publicly.
Mitigation. S3 Block Public Access at account level; bucket policy change requires dual-control; weekly automated scan (no public read, encryption on, versioning on); immediate alert on any public-read attempt.
Residual. Low.
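The weekly automated scan named under SID-RISK-13 (no public read, encryption on, versioning on), as an added example rather than the service's own scanner. It evaluates the dict shapes returned by boto3's S3 client calls so it runs offline; the sample responses are constructed, and feeding them in from live `get_*` calls is an assumption.

```python
# Constructed sample responses in the dict shapes boto3's S3 client returns for
# get_public_access_block, get_bucket_policy_status, get_bucket_encryption and
# get_bucket_versioning (assumption: the live scanner feeds these in from boto3).
COMPLIANT = {
    "get_public_access_block": {"PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True, "IgnorePublicAcls": True,
        "BlockPublicPolicy": True, "RestrictPublicBuckets": True}},
    "get_bucket_policy_status": {"PolicyStatus": {"IsPublic": False}},
    "get_bucket_encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
    "get_bucket_versioning": {"Status": "Enabled"},
}

# The same bucket after a policy change that slipped past dual-control (constructed).
DRIFTED = {**COMPLIANT,
           "get_public_access_block": {"PublicAccessBlockConfiguration": {
               "BlockPublicAcls": True, "IgnorePublicAcls": True,
               "BlockPublicPolicy": False, "RestrictPublicBuckets": True}},
           "get_bucket_policy_status": {"PolicyStatus": {"IsPublic": True}}}

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def scan_kyc_bucket(cfg: dict) -> list:
    """Return the control failures for one bucket; an empty list means compliant."""
    findings = []
    pab = cfg.get("get_public_access_block", {}).get("PublicAccessBlockConfiguration", {})
    findings += [f"public-access-block:{f}=false" for f in PAB_FLAGS if not pab.get(f)]
    # A missing policy status is treated as public: fail closed on unknown.
    if cfg.get("get_bucket_policy_status", {}).get("PolicyStatus", {}).get("IsPublic", True):
        findings.append("bucket-policy:public")
    # Live get_bucket_encryption raises ServerSideEncryptionConfigurationNotFoundError
    # when no default SSE is set; the caller maps that exception to an empty dict here.
    rules = (cfg.get("get_bucket_encryption", {})
             .get("ServerSideEncryptionConfiguration", {}).get("Rules", []))
    if not any(r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
               for r in rules):
        findings.append("encryption:no-default-sse")
    if cfg.get("get_bucket_versioning", {}).get("Status") != "Enabled":
        findings.append("versioning:not-enabled")
    return findings


if __name__ == "__main__":
    print("compliant:", scan_kyc_bucket(COMPLIANT) or "no findings")
    print("drifted:  ", scan_kyc_bucket(DRIFTED))
```

Any non-empty result is what the register's "immediate alert" should page on; the scan is a detective control behind the account-level Block Public Access and dual-control preventive ones.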
SID-RISK-14 — Regulator requires new verification level
Example: the regulator mandates biometric verification for bank-class sender-IDs.
Mitigation. Verification level is an enum — additive change; re-submit flow framework already supported; quarterly Regulator Liaison forecast.
Residual. Medium.
SID-RISK-15 — Tenant legal challenge to rejection
Tenant sues platform for rejecting their sender-ID.
Mitigation. Every rejection carries written reason + regulatory reference; restricted-pattern list digitally signed by Legal + CISO; appeal workflow before litigation.
Residual. Low.
SID-RISK-16 — Fail-closed Verify blocks OTP
A Postgres outage makes Verify fail closed, so the compliance engine blocks all traffic, including OTP delivery.
Mitigation. Postgres HA with synchronous replica; Redis hot-cache masks up to 5 min outage; trusted-tenant fast-path per EP-CE-13 bypasses Verify for pre-approved templates; multi-region manual fail-over ≤ 15 min.
Residual. Medium.
3. Residual-Risk Summary
| Residual | Count | Acceptance |
|---|---|---|
| Low | 10 | Accepted for GA |
| Medium | 6 | Accepted with mitigation commitments and named owners |
| High | 0 | — |
4. Risk Review Cadence
- Weekly during development (Platform Architecture).
- Monthly post-GA (Trust & Safety + SRE + Security + Legal).
- Quarterly regulator-risk review (Regulator Liaison + Legal + CTO).