vLEI Demystified Part 3: QVI Qualification Program

Published Apr 19, 2024

Authors: Yanisa Sunanchaiyakarn & Nuttawut Kongsuwan, Finema Co. Ltd.

This blog is the third part of the vLEI Demystified series. The previous two, vLEI Demystified Part 1: Comprehensive Overview and vLEI Demystified Part 2: Identity Verification, have explained the foundation of the pioneering verifiable Legal Entity Identifier (vLEI) ecosystem as well as its robust Identity Verification procedures. In this part, we will share with you our journey through the Qualification of vLEI Issuers, called Qualified vLEI Issuers (QVIs), including the requirements and obligations that QVIs have to fulfill once they are authorized by GLEIF to perform their roles in the ecosystem.

The Qualification of vLEI Issuers is the evaluation process conducted by the Global Legal Entity Identifier Foundation (GLEIF) to assess the suitability of organizations aspiring to serve as Qualified vLEI Issuers within the vLEI ecosystem. GLEIF has established the Qualification Program for all interested organizations, which can either be the current LEI Issuers (Local Operating Units: LOUs) or new business partners who wish to explore the emerging vLEI ecosystem. The organizations that complete the Qualification Program under the GLEIF vLEI Ecosystem Governance Framework (vLEI EGF) are authorized to perform verification, issuance, and revocation of vLEI credentials for legal entities seeking the credentials and for their representatives.

Step 1: Start the Qualification Program

To kick-start the qualification process, the organizations interested in becoming QVIs must first review Appendix 2: vLEI Issuer Qualification Program Manual, which provides an overview of the required Qualification Program, and the vLEI Ecosystem Governance Framework (vLEI EGF) to make sure that they understand how to incorporate the requirements outlined in the framework into their operations. Once they have decided to proceed, the interested organizations may initiate the Qualification Program by sending an email to qualificationrequest@gleif.org along with a Non-Disclosure Agreement (NDA) signed by an authorized signatory of the interested organization.

Unless GLEIF has a means to verify the signatory’s authority itself, the interested organization may be required to submit proof of the signatory’s authority. In the case where the NDA signer’s authority is delegated, the power of attorney may also be required.

After GLEIF reviews the qualification request, they will countersign the NDA and organize an introductory meeting with the interested organization, now called a candidate vLEI issuer, to discuss the next step of the Qualification Program.

Step 2: Implement the Qualification Program Requirements

To evaluate if a candidate vLEI issuer has both the financial and technical capabilities to perform the QVI role, the candidate vLEI issuer is required to implement the Qualification Program Requirements, which consist of business and technical qualifications. Throughout this process, the candidate vLEI issuer may schedule up to two meetings with GLEIF to clarify program issues and requirements.

Complete the Qualification Program Checklist

A candidate vLEI issuer is required to complete Appendix 3: vLEI Issuer Qualification Program Checklist to demonstrate that they are capable of actively participating in the vLEI ecosystem as well as being in good financial standing. The checklist and supporting documents can be submitted via online portals provided by GLEIF.

The Qualification Program Checklist is divided into 12 sections from Section A to Section L. The first five sections (Section A to Section E) focus mainly on the business aspects while the last seven sections (Section F to Section L) cover the technical specifications and relevant policies for operating the vLEI Issuer Services.

Note: vLEI Issuer Services are all of the services related to the issuance, management, and revocation of vLEI credentials provided by the QVI.

Section A: Contact Details

This section requires submission of the candidate vLEI issuer’s general information as well as contact details of the key persons involved in the vLEI operation project, namely: (1) Internal Project Manager, (2) Designated Authorized Representative (DAR), (3) Key Contact Operations, and (4) Key Contact Finance.

Section B: Entity Structure

This section requires submission of the candidate vLEI issuer’s organization structure, regulatory internal and external audit reports, operational frameworks, and any third-party consultants that the candidate vLEI issuer has engaged with regarding their business and technological evaluation.

Section C: Organization Structure

This section requires submission of the current organization chart for all vLEI operations and a complete list of all relevant third-party service providers that support the vLEI operations.

Section D: Financial Data, Audits & General Governance

This section requires submission of financial and operational conditions of the candidate vLEI issuer’s business, including:

  • Audited financial statements for the prior year
  • Financial auditor reports
  • Formal vLEI Issuer Operation Budget

Section E: Pricing Model

In this section, the candidate vLEI issuer outlines their strategy to generate revenue from the vLEI operations and ensure that they are committed to managing the funding and monetization of the services they plan to offer. This includes the pricing model and business plan regarding the vLEI issuer services.

Section F: vLEI Issuer Services

In this section, the candidate vLEI issuer shall outline their detailed plans and processes related to the issuance and revocation of vLEI credentials, including:

  • Processes for receiving payments from legal entity (LE) clients.
  • Processes for identity verification in accordance with the vLEI EGF.
  • Processes for validating the legal identity of official organization role (OOR) persons as well as using GLEIF API to choose the correct OOR code.
  • Processes for calling the vLEI Reporting API for each issuance of LE and OOR vLEI credentials.
  • Processes for verifying the statuses of legal entity clients’ LEI. The clients must be notified 30 days before their LEI expires.
  • Processes for revoking all vLEIs issued to the legal entity client whose LEI has lapsed.
  • Processes for monitoring compliance with the Service Level Agreement (Appendix 5).
  • Processes for monitoring witnesses for erroneous or malicious activities.

Section G: Records Management

In this section, the candidate vLEI issuer provides their internal Records Management Policy that defines the responsibilities of the personnel related to records retention to ensure that the records management processes are documented, communicated, and supervised.

Section H: Website Requirements

In this section, the candidate QVI’s websites are required to display the following items:

  • QVI Trustmark
  • Applications, contracts, and required documents for legal entities to apply for vLEI credentials.

Section I: Software

In this section, the candidate vLEI issuer provides their internal policy for the Service Management Process including:

  • Processes for installing, testing, and approving new software
  • Processes for identifying, tracking, and correcting software errors/bugs
  • Processes for managing cryptographic keys
  • Processes for recovering from compromise

The candidate vLEI issuer must also specify their policies and operations related to management for private keys and KERI witnesses as follows:

  • Processes and policies for managing thresholded multi-signature scheme, where at least 2 out of 3 qualified vLEI issuer authorized representatives (QARs) are required to approve issuance or revocation of vLEI credentials
  • Processes for operating KERI witnesses, where at least 5 witnesses are required for the vLEI issuer services
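
The two requirements above can be checked mechanically against a group identifier's inception data. The following is an added example, not code from GLEIF, Finema or the vLEI EGF; it assumes the event is available as a dict using the KERI inception labels `kt`/`k` (signing threshold and keys) and `b` (witnesses), reads "2 out of 3" as at least three distinct keys with no fewer than two signatures ever sufficient, and uses placeholder key and witness strings.

```python
from fractions import Fraction

# Assumption: event is a dict with KERI inception labels kt/k (signing) and b (witnesses).
# Policy values taken from the Section I bullets above.
MIN_SIGNERS = 2      # approvals needed for issuance or revocation
MIN_QAR_KEYS = 3     # size of the QAR signing group
MIN_WITNESSES = 5    # witnesses behind the vLEI issuer services


def min_signers(kt, n_keys):
    """Smallest number of signatures that can satisfy threshold kt."""
    if isinstance(kt, str):                    # numeric threshold as a hex string
        return int(kt, 16)
    if isinstance(kt, list) and all(isinstance(w, str) for w in kt):
        if len(kt) != n_keys:
            raise ValueError("one weight per key is required")
        total, count = Fraction(0), 0
        for w in sorted((Fraction(w) for w in kt), reverse=True):
            total, count = total + w, count + 1
            if total >= 1:                     # heaviest keys reach 1 first
                return count
        raise ValueError("weights can never reach 1")
    raise ValueError("unsupported threshold form")


def check_inception(icp):
    """Return a list of policy findings; an empty list means compliant."""
    findings = []
    keys, witnesses = icp.get("k", []), icp.get("b", [])
    if len(keys) < MIN_QAR_KEYS or len(set(keys)) != len(keys):
        findings.append("need %d distinct signing keys" % MIN_QAR_KEYS)
    try:
        needed = min_signers(icp.get("kt"), len(keys))
        if needed < MIN_SIGNERS:
            findings.append("threshold lets %d signer(s) act alone" % needed)
        elif needed > len(keys):
            findings.append("threshold exceeds number of keys")
    except ValueError as exc:
        findings.append("bad threshold: %s" % exc)
    if len(set(witnesses)) < MIN_WITNESSES:
        findings.append("need %d distinct witnesses" % MIN_WITNESSES)
    return findings


# Constructed sample events; key and witness strings are placeholders.
GOOD = {"t": "icp", "kt": ["1/2", "1/2", "1/2"], "k": ["QAR1", "QAR2", "QAR3"],
        "bt": "4", "b": ["W1", "W2", "W3", "W4", "W5"]}
WEAK = {"t": "icp", "kt": "1", "k": ["QAR1", "QAR2", "QAR3"],
        "bt": "2", "b": ["W1", "W2", "W3"]}
```

A weighted threshold such as `["1", "1/2", "1/2"]` is flagged as well, because the first key alone reaches the required sum of 1.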

Section J: Networks and Key Event Receipt Infrastructure (KERI)

In this section, the candidate vLEI issuer describes their network architecture, including KERI witnesses and the details of third-party cloud-based services, as well as the process for monitoring the vLEI issuer-related IT infrastructure. The candidate vLEI issuer must also provide the following internal policies:

  • Disaster Recovery and/or Business Continuity Plan
  • Backup Policies and Practices
  • The vetting process for evaluating the reliability of third-party service providers

Section K: Information Security

In this section, the candidate vLEI issuer provides their internal Information Security Policy that includes, for example, formal governance, revision management, personnel training, physical access policies, incident reports, and remediation from security breaches.

Section L: Compliance

QVI candidates must declare that they will abide by the general and legal requirements as a vLEI Issuer by:

  • Executing a vLEI Issuer Qualification Agreement with GLEIF
  • Executing a formal contract, of which the template follows the Agreement requirements, with a Legal Entity before the issuance of a vLEI credential
  • Complying with the requirements for Qualification, vLEI Ecosystem Governance Framework, and any other applicable legal requirements

Respond to Remediation (if any)

After the candidate vLEI issuer has submitted the qualification program checklist and supporting documents through online portals, GLEIF will review the submission and provide the review results and remediation requirements, if any. Subsequently, the candidate vLEI issuer must respond to the remediation requirements along with corresponding updates to their qualification program checklist and supporting documents.

Undergo Technical Qualification

After the qualification program checklist has been submitted, reviewed, and remediated, the candidate vLEI issuer then proceeds to the technical part of the qualification program. GLEIF and the candidate vLEI issuer then organize a dry run to test that the candidate vLEI issuer is capable of:

  • Performing OOBI sessions and authentication
  • Generating and managing a multi-signature group AID
  • Issuing, verifying and revoking vLEI credentials

The purpose of the dry run is to make sure that the candidate vLEI issuer has the technical capability to operate as a QVI as well as identify and fix any technical issue that may arise. A dry run may take multiple meeting sessions if required.

After the candidate vLEI issuer completes the dry run, they may proceed to the official technical qualification, which repeats the process during the dry run. vLEI credentials issued during the official session are official and may be used in the vLEI ecosystem.

Step 3: Sign the Qualification Agreement

Once the vLEI candidates have completed all of the business and technical qualification processes, GLEIF will notify the organization regarding the result of the Qualification Program. The approval of the qualification application will result in the candidate vLEI Issuer signing the vLEI Issuer Qualification Agreement with GLEIF. The candidate vLEI Issuer will then officially become a QVI.

Beyond the Qualification Program

Once officially qualified, the QVI must ensure strict compliance with the vLEI EGF and the requirements that they completed in the Qualification Program Checklist. For example, their day-to-day operations must comply with Appendix 5: Qualified vLEI Issuer Service Level Agreement (SLA) as well as comply with their internal policies such as the Records Management Policy and Information Security Policy. They must also continuously monitor their services and IT infrastructure including the witnesses.

Annual vLEI Issuer Qualification

The QVI is also subject to the Annual vLEI Issuer Qualification by GLEIF to ensure that they continue to meet the requirements of the vLEI Ecosystem Governance Framework. If the QVI has made significant changes to their vLEI issuer services, IT infrastructure, or internal policies, the QVI must document the details of the changes and update the corresponding supporting documentation. GLEIF will then review the changes and request remediation actions, if any.

Conclusion

The processes of the QVI Qualification Program are designed to be extensively rigorous to ensure the trustworthiness of the vLEI ecosystems as QVIs play a vital role in maintaining trust and integrity among the downstream vLEI stakeholders. We at Finema are committed to promoting the vLEI ecosystem, and would be delighted to assist should you be interested in embarking on your journey to participate in the ecosystem.
