Co-authored by Stephan Wolf, CEO of GLEIF, and Karla McKenna, Head of Standards for GLEIF.
In 2014, through its Financial Stability Board (FSB), the G20 carried out one of its decisions from the aftermath of the 2008 Financial Crisis: it formed GLEIF, the Global Legal Entity Identifier Foundation. GLEIF is as neutral as can be: it is a Swiss non-profit supranational entity created by mandate of the G20 and governed by its newly formed Regulatory Oversight Committee; it has no ties to any industry or country.
There is only one GLEIF and there can only be one GLEIF, formed by the 20 largest countries on Earth to do one thing: manage the issuance of globally unique 20-character identifiers to legal entities anywhere that follow the stringent requirements to get one. But the FSB formed GLEIF only after exploring all other options, and after the Legal Entity Identifier (LEI) had already been conceived; GLEIF was created to bring the LEI to the world, not the other way around.
Why Create a New Identifier?
The inspiration behind the LEI standard is fully captured in the “linchpin” paper written in 2010 by John Bottega and Linda Powell, with contributions from many US and other regulators who would later join the Regulatory Oversight Committee (ROC), formed by the G20 to oversee GLEIF. To understand the many global factors that played into the decision by global regulators to conceive the LEI, and the detailed explanations of why existing identifiers would not be suitable, read that paper. For these reasons the regulatory community asked ISO to create a standard for a Legal Entity Identifier (LEI), and to establish a global business-register-like facility in an open, federated, non-proprietary operating model.
Instrumental for creating this ISO LEI standard was Karla McKenna, now head of standards for GLEIF. Well before the FSB’s decision to create the Global LEI System, Karla was helping regulators develop the business requirements for the LEI to address vulnerabilities discovered by the FSB’s post-financial crisis investigation. At that time she worked for Citibank, and happened to be the chair of the ISO technical committee responsible for financial standards including the Business Identifier Code (BIC). This experience made Karla intimately familiar with the strengths and weaknesses of the BIC and other entity identifiers, and ideally suited to analyze the appropriateness of any system that would satisfy the FSB’s requirements.
In case it were feasible, it was initially considered for the FSB to adopt and tweak an existing identifier system rather than develop a new one, but the list of requirements made it clear early on that nothing existing would work. That list of requirements, detailed at length in the “linchpin” paper referenced above, included the following:
- International standard — the identifier must be an international standard
- Unique — no duplicate identifiers
- Permanent — identifiers must be permanently registered to their legal entities (also see Persistent below)
- Persistent — identifiers and records will not be deleted from the registry; updates in status will be used for identifiers that have been retired, for example
- No embedded intelligence — An identifier must not contain any embedded intelligence about the legal entity being identified. For example, embedding another identifier that identifies the legal entity within an identifier is not permitted. Identification is referential using the identifier reference data records.
- Freely accessible — there must be no costs to data users, no licensing required, and no restrictions on copying, publishing, distributing, transmitting, citing or adapting identifiers and associated reference data.
One by one these requirements eliminated existing identifier systems from consideration, and with Karla’s research and assistance the decision to develop a new kind of legal entity identifier was confirmed by the FSB, and the LEI — and GLEIF to manage it — were born.
GLEIF’s mandate from the FSB was straightforward:
- Develop an international standard (ISO 17442) for strongly verifying the existence and primary attributes of legal entities in any jurisdiction in the world;
- Enlist Local Operating Units (LOUs) throughout the world to perform the standardized vetting process for a nominal fee (there’s now 40 LOUs globally, GLEIF itself does not perform the vetting, they just manage the rules);
- Use the LOUs to issue a globally unique 20-character Legal Entity Identifier (LEI) to legal entities who are successfully vetted;
- Maintain a free, publicly available registry of all LEI holders’ records that follows the requirements above, a veritable ‘registry of registries’.
Any legal entity that pays the annual fee — which varies, it’s set by each Local Operating Unit and not mandated — will have their primary attributes strongly vetted: legal name, address, jurisdiction, and parent-child relationships to other legal entities. The result is the issuance of an LEI, a rigorous, standardized, neutral, globally acceptable legal entity identifier.
Here are some examples:
JP Morgan Chase Bank: 8I5DZWZKVSZI1NUHU748
Coca Cola: UWJKFUJFZ02DKWI3RY53
Halifax Hospital Medical Center: 549300H6HDJUXLEMUW23
The Glen at Hiland Meadows: 5493000F7PSK3TI9IH08
State of Washington: 549300X3TODFMUKLQ364
Bank of China: 549300KIPGRYLXDQDD87
Dominos Pizza Australia: 54930034RFI409JZ3179
African Development Fund: 549300GT4BDQ5463KW73
United Nations: 549300HYGYJKXU2J8X74
LEI adoption is accelerating. LEIs are now used in the financial sector in every industrialized country, with rapidly growing adoption in other industries and global trade. An LEI is now required for any company to be listed on any EU stock exchange, regardless of industry. 2.3 million LEIs have been issued so far.
The vLEI: Binding Flesh-to-Digital
The LEI is not an ‘authenticator’ or ‘authorizer’, it’s just a 20-character alphanumeric string. An LEI tells you precisely which organization someone claims to represent, but alone provides no way to verify that claim. An LEI is like a Social Security Number, birthday, or any other number that can be easily written onto a piece of paper: the binding between the identifier and the individual presenting it must be verified separately and manually.
Many governments globally try to solve this for citizens with unique ID cards equipped with a RFI-ready chip. This way a natural person could prove his/her existence and identity across many boundaries, but this is not possible for legal entities; national ID cards for citizens do not convey the binding between an entity and its representatives, and neither does any form of identity in the digital realm. Online or offline, you could prove that Steve Smith is Steve Smith, but not that he works for ACME Inc. or that he’s the CFO, authorized to sign financial statements on behalf of ACME.
For this reason GLEIF developed the “verifiable LEI” or “vLEI” using verifiable credentials and other open standards: to create a verifiable binding between an organization and its representatives, binding flesh to digital. When first learning of the vLEI some think that an entity that has an LEI can somehow now prove its existence, but that is only partly true; the vLEI is actually a verifiable credential that must be held by a person, a human being, because entities can act only through people.
We’ve found this point to be confusing to people, so we’ll say it again a different way: when a legal entity is required to make a regulatory filing, for example, it has no way to act for itself to make the filing, some human with authority must attest to its validity. Even if a submission process is automated, any filing with a regulator must be accountably signed by someone with the requisite authority. Organizations don’t make calls, send messages, or make statements; ultimately, people with authority to represent the organization do those things, or they don’t happen. Imagine the absurd opposite, a CEO saying, “I had no idea, none of us humans knew a thing about it, the company just did it by itself.”
Simply put, organizations can’t act for themselves, people act on an organization’s behalf, as representatives, and the vLEI makes it globally provable when they do, for the first time.
Decentralized Organizational Identity and Verifiable Authority
The vLEI acts as a first or root-level “organizational credential” (OC) for an entity, provably binding top-level authorized representatives to the legal entity. This first OC forms the basis of Decentralized Organizational Identity (OI), as now the organization has the power to delegate credentials and authority throughout the organization, enabling every authorized person (or thing) to prove the scope of their authority in the digital realm anywhere they please, inside or outside the organization’s boundaries.
Never before has it been possible for representatives of an organization to do this. The recent advent of verifiable credentials in the world of decentralized identity first made it possible for data to be portable across digital boundaries, and now the LEI and vLEI take that breakthrough capability and use it to convey a provable line of authority, from any representative back through unlimited levels of delegation all the way to the legal entity itself.
We call it “verifiable authority”. It’s gonna be big.
To learn more, see “The Dawn of Decentralized Organizational Identity, Part 1: Identifiers.”