Thank you very much for the kind introduction Yaba and thank you Arno for laying the groundwork for so many international standards because if you want this to work internationally, then you need international standards. We're gonna talk about organizational identity with the verifiable legal entity identifier today or short VLEI and we're going right into it because we only have 15 minutes.
So we will start with a very brief overview of the global LEI foundation because this is foundational knowledge necessary to understand the VLEI then quickly go over the need for secure verifiable organizational identity, how problems like this are solved today and why we think that and verifiable organizational credentials be are needed. And then quickly cover at the end a use case that we're currently doing together with the European Banking Authority and private sector to public sector reporting.
So the G 20 leaders supported the creation of a legal entity identifier in 2011.
That was after the financial crisis in 2008 to enable unique identification of organizations preliminary in the financial sector. But legal entities identifiers can be applied much more broadly. Every organization basically that is recognized in the jurisdiction can receive a legal entity identifier and that in all countries on the planet. So the global LEI system consists of three parts. First is a, so-called regulatory oversight committee. This is the public sector representation in the system.
Organizations like the European Central Bank, Deutsche Bundes, bank B or Fed in the US are in there, but many others. Secondly, the Global Legal Entity Identifier Foundation and because it's so hard to say, we shorten it and save life, that's the organization I represent and we are implementing the rules that are laid out by the policy of the Rock, the Regulatory Oversight Committee and manage the system. And the third part are the, so-called local operating units. That's a bit a technical term. We usually call them LEI issuers.
These are about 40 organizations worldwide who take care of LEI issuance and the management of the reference data that is connected to these leis.
The foundation itself is a Swiss, not-for-Profit Foundation created by the Financial Stability Board. The Financial Stability Board is located at the Bank for International Settlements in Basil in Switzerland. And that's why the foundation's legal home is also in basil in Switzerland. We're overseen as already mentioned by the regulatory oversight committee, which consists of 68 regulators and 24 observers worldwide from about 50 countries.
And in addition to that we have a board of directors, which is also internationally sourced, but from the private sector there are experienced experts in there from also various countries, 15 in total who look after life and as I mentioned, 39 I think is the latest number, LEI, issuers and getting more. And these allow every organization on the planet to receive a legal entity identifier if they like to or they have to based on a mandate. There are more than 2.6 million leis issued to date. And these are all publicly available on the Clive website.
And all the data is accessible by anybody for free and without any restrictions. It's an open public good.
The legal entity identifier itself is a 20 digit code. It consists of numbers and letters and has no special meaning other than to check digits at the end. The same principle that that you maybe know from the IBAN codes. And can I quickly ask for a hand sign? Who of you have ever seen a legal entity identifier an AI code? Not too many.
Okay, thank you very much. So as I said, it's a, it's a 20 digit code that is assigned to organizations. And what is perhaps important to say is, as it said here, it's owned by the legal entity. That means these codes are never changed, they are never deleted and alien was issued, never walks away. Even if the organization that is identified by by it ceases operations, the LEI will still be in the Clive database and there will be an attribute to the reference data that shows that the organization is not active anymore.
But that's it.
So there will always be only one LEI for an organization and one code will also be used only for one organization. So it's clearly unique. It points to key reference data. Not too many data fields, but a few important ones. For example, the legal name of an organization, the legal address headquarters address the local business register code where the, where the company is registered primarily and some other identifiers that live maps to the LEI, for example, the big code, if the organization has one codes and other organizational identifiers where we work with the official organizations.
So SWIFT for example, for the big to create and provide these mappings. And yes, the LEI is a ISO standard. We heard a lot about standards now. So this is also important here and perhaps also interesting, Clive also collects the ownership information of legal entities. So if a legal entity is owned by another organization that also has an LEI and this relationship is also available in the reference data that we provide.
All right, coming to the need for secure certain and verifiable organization identity, I believe here at A IC, this doesn't have to be explained very long, but when you are dealing online with an organization, you wanna be sure that you can rely on that you're really dealing with the organization that you think you're dealing with. And if that is not the case, then all these problems here can happen. Including identity impersonation, fraud, social engineering or robocalls. That's something that specially happens in the United States.
And while I mentioned in the beginning the legal entity identifier was originally created to identify organizations in the financial sector, it can do much more and we think it can be used in digital transactions and identify organizations in a broader way. We have defined organizational identity at life to be sure to know what we're talking about. For us organizational identity is the ability of a person or a thing. So industry 4.0, internet of things, you know to prove their authority to represent an organization outside the boundaries of that organization.
So organizational identity is about verifiable authority in the end.
And how is it done today we know existing solutions to, to address this problem. We have digital certificates where people have a certificate and digitally sign a PDF document or the emails or on the organization level we have e EALs and then of course all these other things of multifactor authentication with your usernames and passwords for your many accounts that you have with all the companies that you're dealing with or your receiving these verification codes.
You all know these are your robot challenges, callbacks, ER verification, all of this. And also verifiable credential solutions, mostly based on blockchains which are a bit more flexible but they still lack the cryptographic binding to a secure route of trust and the linking of credentials mostly. So there are ways to come around this, but they are costly and time consuming and that is what we would like to overcome and this is why we present and verifiable organizational credentials in the form of Weis.
And the concept is relatively simple.
There are three pieces of information in the real world. There's an organization, there's a person and the person has a role in this organization. And this is what we put in the VLEI credentials in the form of the organization as their legal entity identifier. So their LEI code, that never changes the person identity is usually the person's name. And the role can be different things can be a string, but we will see later there's also an ISO standard.
So again, standards, ISO five or nine has defined official organizational roles. So there are codes for official roles worldwide depending on the organization that somebody represents. So the the legal form and the legal jurisdiction.
And another very important building block for the VLEI is what we call the BLEI trust chain. And we are using a technology called carry the key event receipt infrastructure for secure and strong key management. And together with that comes a credential format called A CDC. That's not the Australian rock band that is short for authentic chain data containers.
And I would like to highlight the word chain in this context because as you can see here in the visual at the bottom are the persons representing an organization because in the end an organization does not act. It's always a person or a thing that acts for an organization. This can be verified and checked if the credential has been revoked. But not only that, there is this trust chain now. So you can check does the organization exist?
Is the issuer who has issued this credential actually one that was qualified by Clive and up to life as a route of trust, a central root of trust, whether this is an authentic credential or no at any point in time, real time and automatically there are two type of role credentials that we have defined for the VLEI. This is the first one, official organizational role credentials. These are for roles like C-E-O-C-F-O or board member, especially these roles that can be third party validated and that is a technical and organizational requirement.
A VEI issuer who issues such a credential to a person must check whether the person really has this role based either on a business register or on other proofs. So that this is basically double checked.
The second type of role credential are what we call engagement context, role credentials or short ECRs. And these are a bit more flexible. So the roles can be anything and the credentials can be also issued to any kind of person in the context of an organization does not even have to be an employee. It could be a supplier or a customer depending on the use case that you wanna fulfill.
So we have here two examples, procurement manager that would be an employee. So the example would be you issue your colleagues a credential which says you can purchase up to 50,000 euros for example. And then they can use that to authenticate transactions or you could issue such credentials to your suppliers and ask them to digitally sign all invoices that they send to you and only accept invoices with such a signature. And by this avoid invoicing fraud, which is of course also a big problem these days.
And technology is the one thing.
But another very important piece for the BLEI is a very strong governance framework. So you have seen that the global LEI foundation also already has a very strong foundation with the three 20 backing and the regulatory oversight committee from worldwide regulators and then the federated system with the issuers and the VLEI on top comes with a very strong governance framework where all the roles in the VLEI system are described including their obligations. And this is not an invention that we did at Clive, but we based it on trust over IP standards, trust over IP foundation.
There's also a panel discussion on Friday if you're interested in more details, has created an ecosystem governance framework, metamodel so to speak, a framework for such ecosystem governance frameworks. And Clive has created for the VLEI an implementation of that. And unless I have overheard something, it's still the most comprehensive ecosystem governance model that has ever been created on the trust over IP stack.
And we're coming to the use case. So the European Banking Authority is a European regulator and also a rock member. This is how they learned about it.
And they were faced with the situation that today they collect reports from several banks or basically from all banks in Europe via what they call national competent authorities. These are the central banks and all the European countries or in Germany, this would be the BUNES bank and then and Spain, the ARD Denia and all of that.
So a couple of dozens of central banks report to them and basically log into web portal and upload these files and they're managing user accounts, username and password with a small team of people to allow new users to be added or passwords to reset all the usual things that happen when you do user management. And now there's a new regulation coming up where the EBA has to receive directly from all of the European banks the reports.
And that means now suddenly 600 organizations with multiple users each.
And the question was how should they even deal with the user management with this increase in size? And when they learned about the VLEI, they discussed with us and we are currently doing a pilot project with them with 17 of these banks to test it, that the banks could just receive A-V-L-E-I credential and issue for their employees who are supposed to report to the EBAA role credential that basically authorizes them to upload to the EBA and thus the whole user management is decentralized.
And the only thing the EBA has to check when somebody uploads a report is is the LEI that is inside the VLEI credential on my list of banks that I want to receive a report from and is the role the right one that I as EBA have defined and I don't care what the name of the person is, it's it's efficient to understand that the person has been authorized.
And here's just a quick visual, it looks more complicated than it is. It is three reporting banks under each other.
And you see on the right upper corner, the QVI, that's the qualified VLEI issuer who would issue VLEI credentials to persons at the bank. And they then take that to first of all sign the reporting package and secondly, use this VLEI credential to authenticate them sense against the EBA portal so they get access to that and that's as easiest that and I'm hopeful that we are successful and then we would see this rolled out in the next year I believe.
And yes, these are the benefits. So there's authentication towards the portal by using the VLEI. There is also integrity and repudiation because the files are digitally signed with the vies. These are the advantages for the European Banking authority not having to do this user management.
And for the banks on the other hand, they get more control over their own users and not having to call at the EBA if they need a password reset or a new user they can get to to A QBI that they choose and do this independently and also use this tool of course for other purposes, either within between the banks or towards their, their business customers. So we think these are benefits on all sides. And with that I'm at the end.
Well that was an impress impressive presentation. Thank you.
So I hope that companies and in general the Audi, everyone starts to get to more, be more acquainted with the VL and Clive because I tr often ask people, do you know Clive and I have often hor here? No. So I wish that that would be propagated as well as you are doing in it here. This
Is why I'm coming here and talking about it.
So we're ending DEI dust track at this moment. There'll be a next speaker and I will leave the stage and Warwick Ashford will take over from now. Thanks everyone for listening for the AIDA track. Thanks for all the speakers and Warwick over to you.
Alright, thank.
