Gleif hopes to entice LEI laggards with new digital identifier

The vLEI has ambitions to become the backbone of digital trust.

Though it’s hard to imagine now, there was a time when the internet was regarded with suspicion. During a trip to Europe in the 90s, telecom industry veteran Randy Warshaw traveled the continent as an “internet evangelist,” spreading the word about the Internet Protocol, a set of rules for routing data across networks to their intended destinations.

“People in Europe were very skeptical. They said, ‘Oh, that’s an American invention,’ and things like that,” he recalls.

Ironically, a forerunner to the World Wide Web already pervaded households in France in the form of the Minitel, a computer terminal rolled out by the French phone and postal service in 1982. Users could query the phone directory, make train reservations, and even check stock prices on the boxy installation.

In the face of this reluctance to follow through on the work started by the Minitel, Warshaw emphasized the scale of the coming digital transformation, telling naysayers, “You’re going to see how big this is when you don’t even realize you’re using it anymore.”

Sure enough, the internet has crept its way into almost every facet of everyday life—even if it takes a router meltdown or neighborhood outage to remind us that our smart TVs or radios are internet devices.

Many years later, Warshaw, now the CEO of startup Provenant, has picked evangelism back up with his latest project: the verifiable legal entity identifier, or vLEI. The potential use cases, he says, are limitless, but understanding and uptake of the innovation are thus far lacking and slow. “I want to help make this technology just as ubiquitous and integrated and usable. But right now, we’re far from that point,” he concedes.

The vLEI, which is already in production, is essentially a digital ID card. In theory, it would allow the holder to automatically confirm their identity in any digital interaction.

As the name suggests, it is a digitally verifiable version of the legal entity identifier (LEI), a 20-digit code that uniquely identifies legal entities around the world that can participate in financial transactions. The vLEI is an LEI encased in a data container that’s cryptographically signed with the user’s private key. It can be presented to counterparties in digital interactions, and those counterparties can automatically verify that it comes from the key’s owner.

There are already over 2 million LEIs and counting, but the introduction of digital verification is a crucial step forward in an increasingly digital world. While the LEI and other identifiers are effective at verifying entities, they are not the silver bullet of identity management because they cannot prove authenticity, offering determined fraudsters a path to victims. But a trusted verification system—something that proves a person is who they say they are—can offer a way around the persistent problem of trust.

It’s a problem that many have tried to solve. In one notable development, chat and collaboration provider Symphony began tackling it in 2020, when the company announced it would make know-your-customer (KYC) solutions part of its offering. The project has morphed into a bid to build an identity management service and directory in the style of LinkedIn—solely for financial markets participants.

In a similar vein, a bank consortium named Danie, led by Societe Generale, launched in 2020—months before the FinCEN Files leaked—with the objective of allowing peer firms to collaborate on and cross-check one another’s KYC and other non-competitive reference data in a cryptographically secure way.

But despite new tech, the problem of verifying entities and people, and establishing trust, has remained a painful compliance burden, a truth that was keenly felt last year as international bodies increased sanctions following Russia’s invasion of Ukraine.

While working in telecommunications—Warshaw spent 25 years in roles related to web and mobile application development and messaging engineering—he was struck by the complexity of establishing authenticity and origin for SMS messages and voice calls. American companies that were able to comply with the rigorous demands of the Federal Communications Commission would then have to fight to get their traffic approved by terminating carriers in Europe or elsewhere.

Confronted with cross-channel and cross-border difficulties in establishing organizational identity, Warshaw was acutely aware of the need for a solution that could verify an entity’s traffic across every channel globally. “I was stumped,” he says.

In December 2020, Warshaw was introduced to the Global Legal Entity Identifier Foundation (Gleif), the standards body that oversees the LEI. “I didn’t know anything about the LEI. And when they said, ‘We want to make a digital, cryptographically verifiable version,’ I thought, ‘This is the answer!’”

Though it has struggled to reach critical mass since its introduction in 2011, the LEI is sanctioned by the G20, the Financial Stability Board, and the Regulatory Oversight Committee. The weight those backers carry wasn’t lost on Warshaw.

“That was why I felt like the vLEI was so well suited to solve the problems of authenticating international digital traffic. It seemed tailor made,” he says.

Warshaw’s Provenant, which he co-founded in 2020, is currently the only vLEI issuer in the world. Provenant is trying to bring the standard to telecoms as a way of verifying the origins of calls and texts, but Warshaw believes this is only the first use case. “It will demonstrate that digital communications can be signed. And if you can do that in telecoms, certainly you can do it in transactions, in supply chains, in regulatory document filings and submissions. Suddenly, people will see the possibilities for signing every digital thing.”

Branching out

Managing access to the thousands of business applications within a financial institution is a very intricate operation. Some applications will have a simple login, while others might have a matrix-style access control model. Most financial firms use a patchwork of identity and access management systems to keep on top of all these applications and their logins. Identity and access control systems are most often deployed, operated, and licensed by specialized vendors, helping firms stay compliant with the regulatory requirement to modify or remove access permissions as individuals change roles or leave an organization.

The vLEI could help cut complexity and cost in identity and access management by unambiguously verifying the identity not only of an organization, but also of the individuals within it.

Digital identity company Esatus has built a digital wallet that can be used to store the vLEI, akin to a payment card wallet on a mobile phone. André Kudra, chief information officer of Esatus, believes that the implications in the world of identity and access management could be transformative. “We saw that decentralized identity had great potential to get large-scale enterprises off these bespoke, heavyweight, high-fee installations that they have for managing identities,” Kudra says.

In addition to an organization’s vLEI, individuals in official roles—such as C-suite executives—can obtain identifiers confirming their position in the organization.

“When we looked into official roles, it became very clear that this is something that nobody has ever addressed. There is no gold standard,” says Stephan Wolf, CEO of Gleif. Gleif approached the International Organization for Standardization (ISO) to create a standard for official company roles. Each role was assigned a number, and what qualifies for an official role is precisely defined.

With the standard now established, it is possible for an organization to use a vLEI to verify that the role assigned to an individual really exists, that the individual holds that role, and that the individual works at a given company.

“On paper, this wouldn’t even come up as an issue. This has all been going on for hundreds of years in notary documents and others. But on the digital side, that’s not the case,” says Wolf.

In addition to official roles, corporates can also use the vLEI to issue internal role credentials to individuals who are authorized to perform certain actions, access given systems, or even open designated doors. The vLEI acts as a tree of credentials that can be traced back to the organization’s LEI, which sits at the root. This means that it may one day be a viable alternative to the cumbersome access management systems used by financial institutions.
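
The tree of credentials described above can be checked by walking from a role credential back to the root and verifying every signature on the way. The sketch below is an added illustration, not Gleif's or Provenant's code and not the Keri wire format: the credential layout, the function names, the Ed25519 keys, the sample LEI, and the issuing of an internal role by an official role holder are all assumptions.

```javascript
const nodeCrypto = require('node:crypto');

const SAMPLE_LEI = 'EXAMPLE0000000000LEI'; // constructed placeholder, not a registered LEI

const encode = (body) => Buffer.from(JSON.stringify(body));

// Issue a credential: a body naming subject and issuer, signed with the issuer's key.
function issue(issuerKeys, issuerId, subjectId, subjectPublicKey, claims) {
  const publicKey = subjectPublicKey.export({ type: 'spki', format: 'pem' });
  const body = { id: subjectId, issuer: issuerId, publicKey, claims };
  const signature = nodeCrypto.sign(null, encode(body), issuerKeys.privateKey);
  return { body, signature: signature.toString('base64') };
}

// Walk from a credential up to the root, checking every signature on the way.
// The root is self-signed and must match the anchor obtained out of band.
function verifyChain(leafId, store, anchor, maxDepth = 8) {
  let cred = store.get(leafId);
  for (let depth = 0; cred && depth < maxDepth; depth++) {
    const isRoot = cred.body.issuer === cred.body.id;
    const issuer = isRoot ? cred : store.get(cred.body.issuer);
    if (!issuer) return false; // issuer unknown: the chain cannot be traced
    const key = nodeCrypto.createPublicKey(issuer.body.publicKey);
    const sig = Buffer.from(cred.signature, 'base64');
    if (!nodeCrypto.verify(null, encode(cred.body), key, sig)) return false;
    if (isRoot) {
      return cred.body.claims.lei === anchor.lei &&
             cred.body.publicKey === anchor.publicKey;
    }
    cred = issuer;
  }
  return false; // leaf missing or chain too deep
}

// Constructed sample: organization (root, holds the LEI) -> official role -> internal role.
function buildSample() {
  const [org, cfo, clerk] = [0, 1, 2].map(() => nodeCrypto.generateKeyPairSync('ed25519'));
  const store = new Map();
  store.set('org', issue(org, 'org', 'org', org.publicKey, { lei: SAMPLE_LEI }));
  store.set('cfo', issue(org, 'org', 'cfo', cfo.publicKey, { role: 'official: CFO' }));
  store.set('clerk', issue(cfo, 'cfo', 'clerk', clerk.publicKey, { role: 'internal: payments approver' }));
  const anchor = { lei: SAMPLE_LEI, publicKey: store.get('org').body.publicKey };
  return { store, anchor };
}
```

A verifier that pins only the organization's LEI and root key rejects a role credential whose body was edited after issuance, and one signed by a key that is not the claimed issuer's.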

To maintain data privacy, the vLEI is built on a “network of networks” underpinned by the Key Event Receipt Infrastructure (Keri) protocol. This decentralized model gives the identity holder control of their own personal data, as well as to whom that data is revealed. Unlike traditional identity management systems, decision power is not concentrated in the hands of the identity provider (IDP), mitigating the risk of getting locked out of a system if the connection to the IDP fails.

Managing expectations

For all its lofty ambitions and promise, the project, much like the original LEI, has not advanced as rapidly as its main proponents expected.

“Me and my company are now eight years into this whole topic. We had really hoped it would pick up earlier because we thought these advantages were obvious,” says Esatus’ Kudra. “But we are very happy that it has now gained regulatory attention around the world. I think everyone is now seeing the benefits which it can bring,” he adds.

Now that vLEIs are being issued, the main challenges are spreading the word and driving uptake.

eIDAS, the regulation governing electronic identification for EU citizens, is currently being updated to include a framework that will enable an ecosystem of wallets to store digital identifiers, potentially offering a boost for the vLEI project.

In the meantime, Provenant and Gleif have been trying to demonstrate the value of the vLEI to users. They built an email plugin for clients to sign attachments, allowing the recipient to ascertain that the attachment came from the apparent sender.

One day, the creators say, the vLEI could be used to verify everything from gym membership to car access. “Finance is a big application for it. But finance is just a galaxy in the whole universe of use cases,” says Wolf.
