Understanding the potential of the vLEI – the Organisation verifiable credential
We’ve been involved in some really cool work over the last few weeks focusing on the issuance of vLEIs and associated role credentials. Specifically, Ubisecure was the credential issuer for the GLEIF’s vLEI proof of concept project and issued the world’s first vLEI to the GLEIF, which was then used to sign the GLEIF’s 2021 annual report.
The system works really well, but stepping back from the entire process, there is a lot of technology and complexity behind the vLEI, as there is with most identity and/or cryptographic platforms. As with many complex systems, we can break it down and take a more understandable view of what a vLEI actually is, what it does, and how we expect it to be used in the future.
What is a vLEI?
We are going to make a few assumptions here; the main one is that you already know about the LEI (short for Legal Entity Identifier). If you want to know more about the LEI itself, we have some great material in our LEI Knowledge Base.
The v in vLEI stands for “verifiable”, but what does that mean? The term verifiable in this case comes from the term “Verifiable Credential”. A verifiable credential is just a collection of information with a mechanism that allows a computer to verify that the information has not been modified and that the information was originally stated to be correct by some third party (maybe a bank, or the driving license authority). Often (almost always really) the information will include a link to the entity the information is about.
With those three things the verifiable credential can be used to provide information to others in a way that allows the receiver to be very confident about the claims made by the information.
Let’s take a simple, parallel example based around a driving license. Fred has his driving license as a plastic card in his wallet as issued to him by his national driving authority. He loses his card, but shortly gets a call from the local police station saying it has been handed in and he should come and claim it. When Fred gets to the police station the desk sergeant spends a long time looking at the photo (which is quite out of date now, time has not been kind to Fred!), asking Fred questions about his address, date of birth etc. Eventually the sergeant feels that Fred has answered enough correctly and hands over the license.
Alice also has a driving license, but her license is on her mobile phone. Unfortunately, Alice loses her phone, but again shortly gets a call from the police to say it has been handed in. When Alice gets to the station, she can prove it is her phone by using her fingerprint to unlock it. The desk sergeant does not need to use his judgement: Alice has proved control over the phone and so it must be hers.
Verifiable Credentials work in the same kind of way: there is the ability to prove ownership of the credential. This process is understood by computer systems, so all the checks can be performed electronically online, which in turn allows automation and significant cost savings.
Back to the vLEI: at the basic level, the vLEI is simply an LEI code, a unique organisation identifier, stored as part of the information set in a verifiable credential. A standard mechanism exists to prove ‘control’ over any given vLEI, so it is possible to determine, automatically, whether the entity presenting the vLEI is entitled to do so. This capability now allows organisations to participate in trusted automatic transactions.
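The checks described above (the claims are unaltered, a trusted issuer signed them, and the presenter controls the credential), sketched as an added example that is not code from the original post or from the GLEIF. It assumes Ed25519 keys and a made-up JSON credential layout rather than the vLEI's actual credential format; the type names, function names and LEI value are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Credential is a simplified, hypothetical format: the claims plus the issuer's signature.
type Credential struct {
	LEI       string            `json:"lei"`
	HolderKey ed25519.PublicKey `json:"holderKey"` // links the claims to the entity they describe
	Signature []byte            `json:"-"`         // issuer's signature; not part of the signed bytes
}
func (c Credential) payload() []byte { b, _ := json.Marshal(c); return b }

// Issue has the third party attest to the claims by signing them.
func Issue(issuer ed25519.PrivateKey, lei string, holder ed25519.PublicKey) Credential {
	c := Credential{LEI: lei, HolderKey: holder}
	c.Signature = ed25519.Sign(issuer, c.payload())
	return c
}

// Verify checks the issuer's signature, then the presenter's answer to a fresh challenge.
func Verify(trusted ed25519.PublicKey, c Credential, challenge, response []byte) error {
	if !ed25519.Verify(trusted, c.payload(), c.Signature) {
		return fmt.Errorf("credential altered or not signed by the trusted issuer")
	}
	if len(c.HolderKey) != ed25519.PublicKeySize || !ed25519.Verify(c.HolderKey, challenge, response) {
		return fmt.Errorf("presenter did not prove control of the credential")
	}
	return nil
}

// Demo presents one credential as its holder, as another party, and after alteration.
func Demo() (holder, impostor, tampered error) {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	holderPub, holderPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	cred := Issue(issuerPriv, "EXAMPLE0000000000LEI", holderPub) // constructed value, not a real LEI
	nonce := make([]byte, 32)
	rand.Read(nonce) // fresh challenge chosen by the verifier
	holder = Verify(issuerPub, cred, nonce, ed25519.Sign(holderPriv, nonce))
	impostor = Verify(issuerPub, cred, nonce, ed25519.Sign(otherPriv, nonce))
	cred.LEI = "TAMPERED000000000LEI" // change a claim after issuance
	return holder, impostor, Verify(issuerPub, cred, nonce, ed25519.Sign(holderPriv, nonce))
}
func main() { fmt.Println(Demo()) }
```

Only the first presentation is accepted: the second fails the proof-of-control step and the third fails the issuer signature check.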
Wait, there’s more to vLEI than just the organisation
The vLEI standards define more than just a verifiable credential for the legal entity. Two further verifiable credentials are defined that hold information on people associated with the organisation.
The first of those two credentials is the “Official Organisation Role” credential (OOR). The OOR links an individual with an organisation in a well-known role. The roles are limited to a set of ‘official’ roles as defined by an ISO standard (ISO 5009:2022). This list includes roles such as ‘Director’, ‘Chief Executive Officer’ and ‘Chief Financial Officer’. With an OOR credential, an individual is able to present themselves as holding an official role for a given organisation, and all the claims presented can be electronically verified in real time.
The second of these two credentials is the “Engagement Context Role” credential (ECR). The ECR is very similar to the OOR except that the role is custom: the legal entity can define any role they wish and place that in the ECR. For example, “customer of”, “supplier to”, “contractor for”.
In the below example we see the GLEIF annual report signed using vLEI, OOR and ECRs. The browser-based document viewer displays the signers, their roles and their organisation association:
What can we do with a vLEI?
There are many reasons why vLEIs will see a rising prominence in the coming months and years:
- Document signing: Document signing solutions exist; however, they currently use ‘standard’ signatures. These do not have the ability to link between signatures. Credentials from the vLEI ecosystem can provide the same level of signature security and also provide linkage information between the various signing parties.
- KYC/KYB: It is currently quite challenging to determine that an individual is empowered to act in a certain capacity for an organisation. The vLEI credentials solve this challenge by design, massively reducing onboarding and ongoing verification costs.
- Delegation: The ability to understand the linkage between an individual and an organisation allows for electronic delegation of rights and responsibilities. Delegation capabilities bring significant cost savings to organisations where complex inter-company relationships need to be electronically enabled and enforced; see Ubisecure’s Finnish Government Katso case study for an example. However, whereas Katso was a closed community operating just within one jurisdiction, the vLEI offers the same potential using a trusted, standardised, globally verifiable credential.
- Representation Governance: Parameterising delegation (think individual expense sign-off levels as an example) moves delegation into the role of representation governance. This capability then allows all the business processes that have been manual to be automated, with the obvious cost savings. Whilst this is already possible in some regions, the vLEI ecosystem enables this capability on a global basis.
It’s all about trust (frameworks)
There are more credentials in the broader framework than have been covered here, and that broader framework is quite important.
We have already understood that a credential wraps information and that systems can automatically verify the information to determine the original issuer of the information and that it is unaltered. This allows someone receiving the credential to know the Legal Entity in question and the nature of the relationship between that Legal Entity and the individual representing them. But how do we know that the person didn’t manage to get a fake identity through the system?
That assurance comes from the vLEI ecosystem having a defined Trust Framework, and an audit system that validates compliance to the Trust Framework.
When the credential is originally issued, the issuer (known as a ‘Qualified vLEI Issuer’ or QVI) is required to perform identity checks to a globally defined standard. This is the same as you having to present your passport when you open a bank account or create a mobile phone account. As more national IDs become available, the national IDs will be able to provide the individual information, meaning that a manual check will not be needed. In fact, eIDAS 2 will be based on verifiable credentials itself.
What happens now
The GLEIF, along with stakeholders like Ubisecure, have been working incredibly hard to progress the vLEI project. Now the proof of concept has been released, the ecosystem will continue to develop the issuance technology and policy frameworks to make the vLEI a commercial reality. We are excited to continue to contribute to this exciting organisation identity advancement.
If you would like to know more about LEIs, vLEIs or any of the underlying Identity and Access Management work that sits underneath them please get in contact with us and we’d be delighted to help.