Let’s talk about digital identity with Drummond Reed, Director of Trust Services at Gen and Andy Tobin, Commercial Director, Europe at Gen.

In this series opener of Season 5, Drummond Reed and Andy Tobin join Oscar to explore vLEIs and Self Sovereign Identity (SSI). They explore what LEIs and vLEIs are, how SSI principles are used within vLEIs, the benefits of vLEIs, which sectors and industries will benefit the most, and some use cases of where the vLEI has been leveraged.

[Transcript below]

“If LEIs were digitised in a way that could be instantly verifiable, it could transform company onboarding.”

Drummond Reed PhotoDrummond has spent a quarter-century in Internet identity, security, privacy, and trust infrastructure. He is Director, Trust Services at Gen, previous Avast after their acquisition of Evernym, where he was Chief Trust Officer. He is co-author of the book, ‘Self-Sovereign Identity’ (Manning Publications, 2021) and co-editor of the W3C Decentralized Identifiers (DID) 1.0 specification. At the Trust Over IP Foundation, Drummond is a member of the Steering Committee and co-chair of the Governance Stack Working Group and the Concepts and Terminology Working Group. At the Sovrin Foundation, he served as co-chair of the Sovrin Governance Framework Working Group for five years.

From 2005-2015 he was co-chair of the OASIS XDI Technical Committee, a semantic data interchange protocol that implements Privacy by Design. Drummond also served as Executive Director for two industry foundations: the Information Card Foundation and the Open Identity Exchange, and as a founding board member of the OpenID Foundation, ISTPA, XDI.org, and Identity Commons. In 2002 he received the Digital Identity Pioneer Award from Digital ID World, and in 2013 he was cited as an OASIS Distinguished Contributor.

Connect with Drummond on LinkedIn.

Andy Tobin PhotoAndy Tobin leads European and eIDAS strategy for Gen’s Digital Trust Services business. He is one of the pioneers of self-sovereign identity and helped to establish Evernym as the world leader in this field. He is a well-known public speaker and writer on the topic of digital identity and has delivered some of the largest SSI projects to date.

His career has spanned the three rapidly converging sectors of identity, mobile and payments. He has written code to control cash machines, built the world’s first mCommerce server, run a £1.2bn mobile messaging network and been CTO for Europe’s first fully mobile bank. He is a passionate technology strategist who believes that the identity ecosystem and the personal information economy is poised for massive change, enabled by the capabilities being built right now by Avast.

Connect with Andy on LinkedIn.

We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!

Go to @Ubisecure on YouTube to watch the video transcript for episode 96.

Let's Talk About Digital Identity
Let's Talk About Digital Identity
Ubisecure

The podcast connecting identity and business. Each episode features an in-depth conversation with an identity management leader, focusing on industry hot topics and stories. Join Oscar Santolalla and his special guests as they discuss what’s current and what’s next for digital identity. Produced by Ubisecure.

Podcast transcript

Oscar Santolalla: Welcome back to Season 5 of the Let’s Talk about Digital Identity podcast. In this series opener I am joined by Drummond Reed and Andy Tobin, from Gen Digital, joining us to delve into vLEIs and Self-Sovereign Identity (SSI). Stay tuned to find out more.

Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.

 Oscar: Today, we are very happy to have two expert guests, Drummond and Andy. And today, we are going to discuss vLEIs and what is the connection with self-sovereign identity.

First of all, we have Drummond Reed. He is Director of Trust Services at Gen, previously Avast after their acquisition of Evernym, where he was the Chief Trust Officer. He is co-author of the book Self-Sovereign Identity, published by Manning Publication in 2021. And he’s co-editor of the W3C Decentralised Identifiers, DID 1.0 Specification. At the Trust Over IP Foundation, Drummond is a member of the steering committee and co-chair of the Governance Stack Working Group and the Concepts and Terminology Working Group. At the Sovrin Foundation, he serves as a co- chair of the Sovrin Governance Framework Working Group for five years. Hello, Drummond.

Drummond Reed: Hello, Oscar. It’s very good to be here.

Oscar: Welcome Drummond. Our second guest is Andy Tobin. Andy Tobin leads European and eIDAS strategy for Gen Digital’s Trust Services Business. He is one of the pioneers of self-sovereign identity and helped to establish Evernym, as a world leader in this field. He is a well-known public speaker and writer on the topic of digital identity and has delivered some of the largest SSI projects to date. His career has spanned the three rapidly converging sectors of identity, mobile, and payments. He has written code to control cash machines, built the world’s first mCommerce server, run a £1.2 billion mobile messaging network, and been the CTO for Europe’s first fully mobile bank. Hello, Andy.

Andy Tobin: Hi, Oscar. Nice to be here.

Oscar: Welcome as well. I’m very happy to have both of you, Drummond and Andy.

So, let’s talk about digital identity, and as usual in this show we want to hear a bit more about our guests. So please, both of you tell us a bit about yourself and your journey to this world of identity.

Drummond: Oh, the journey. I don’t think we have long enough in this podcast to cover the whole journey. Yes, I’ll just say, originally, I was very interested and focused on solving problems of what we’d now call decentralised data exchange, and how people can share data, sort of directly peer to peer over wide area networks, like the internet, when it was first getting going. And I had no idea that to do that you actually had to solve the problem of digital identity and trust. And so, working on that led me over into this area.

We didn’t even call it identity when first working on it, we just said, “Hey, there’s this challenge that you have to be able to establish a trust network.” And turned out that the problem there was identity. And doing that on a decentralised basis. And at that time, I was working on it was really centralised identity. Where you have an account with every different system you were interacting with. That was the norm, and it was – the pain was such that we had to have some solution to that. And so we thought it was federated identity, where you could take one account and reuse it in a whole bunch of other places. And in the end that’s what most people, encounter with social login. The login with Facebook, or Google or Twitter now X, whatever.

And so, we spent 15 years and three generations of standards developing a federated identity. And it seemed like we could get there and then it just – we hit the ceiling. It just – federated identity by putting an intermediary in there made it – you could solve certain problems, but you couldn’t solve others. And then blockchain came along and sort of taught us, “Oh, there’s a way to make this fully decentralised that actually simplifies things tremendously.” And so that era, I really, market starting in 2015, 2016 that’s when Evernym came together, which is where Andy and I met. And we’ve been working on decentralised ever since. Over to Andy to talk about his journey.

Andy: Yeah. Thanks, Drummond. I think the thing I like to look at most frequently, and that gets me most engaged is – seeing how megatrends that emerge affect existing businesses and capabilities. So, I’ve seen, for example, the digitisation of payments happening. And then digitisation of telephony happening and the emergence of mobile phones. And then the digitisation of commerce through the internet.

And with the digitalisation of identity, we’re seeing really something a little bit different, which is – we need to have the ability as people to identify ourselves or prove things about ourselves – it doesn’t need to be identity, it could be anything – without having to rely on anyone else to help us really to do that. So really, we’re looking at a return, if you like, to the world we used to inhabit where you could go along with a piece of paper and show it to someone, like a passport, for example, and say, “Hey, look, this is me.” We don’t have a digital way of doing that.

And so, there’s lots of, what I call, work around solutions in place and Drummond’s just talked about a bunch of them that fudge the problem. The problem is solved properly by giving people digital versions of the paper documents they’ve got and giving them to those people in a way that enhances their privacy and security online. And when you have that capability, you can apply equally to companies who find it very difficult to prove who they are online, and also to things as well.

And as we move into the next megatrend of artificial intelligence. Underpinning artificial intelligence is – how do you know who or what is at the other end. And as it gets much easier to fake everything, there’s going to be an explosion of trust issues. And if we can solve that with some of the techniques that we’re working on, which we can, artificial intelligence gets a lot less scary.

Oscar: Yeah, indeed, through your life, I could see the reasons why this topic of self-sovereign entity had to happen. But just a few years ago it is getting, mainstream finally in these very recent years. And now we talk also about the future, there’s a lot, a lot of problems to solve still.

In this conversation, let’s go into much more specific topic related to self-sovereign identity. This is going to be about vLEIs. But to give a bit of concept, if one of you could throw a simple definition. What is an LEI?

Drummond: The LEI, that’s pretty straightforward. In fact, what’s ironic, is an LEI is really a classic, what we would call federated identifier, it fits into that second category. And that’s because – so it’s, to be very, very concrete, it’s a 20-digit identifier of a legal entity. And it’s important to clarify that term legal entity, because it can – in some legal jurisdictions, a legal entity is either a person or a corporation. They call it a legal person.

But what LEI means are – the legal entity in LEI means – a legal entity that’s not a person. So, anything that’s legal entity that’s not a person – a corporation, a partnership, government agencies, whatever it is, it’s to identify what we would generally call an organisation.

And so, the LEI is 20-digit identifier, and then it is issued. GLEIF, the Global Legal Entity Identifier Foundation, is a public-private partnership that operates the GLEIF LEI system. And they’re based in – it’s a Swiss nonprofit, it’s headquartered in Frankfurt. And they oversee I think it’s roughly in the mid-30s, the number of, they’re called Local Operating Units or LEI issuers around the world.

They have to be qualified, and when a business or organisation wants an LEI, they have to apply for it. They have to basically go through what we call identity proofing for individuals, but this for an organisation. You have to prove yes, you whoever supplying is a legal representative of that organisation. They have to provide their local business identifiers, like identifiers that they’ve registered like a corporation ID or a tax ID in one or more jurisdictions, and some other what they call reference data. And that entry, the reference data entry is then associated with the LEI. It’s all verified and then the LEI is issued. It’s good for a year. You have to renew it every year and it goes into a global database, a public database, anyone can check to verify the LEI for an organisation.

Oscar: Very, very good explanation. And so, something that caught my attention, you mentioned that it’s still the federated model, right? So, which it is –

Drummond: Yes.

Andy: There’s a central body that is in charge of the governance of the whole LEI capability. And there are, as Drummond said, regional bodies that do the actual certification. But they’re all approved by the central body as well.

Oscar: Exactly.

Drummond: Right. So that makes it a federated identifier system, which is going to setup this wonderful conversation we have about how that fits into the SSI model.

Oscar: Exactly. So now let’s move to – what is vLEI?

Andy: So vLEI is a digital equivalent of an LEI, so Verifiable Legal Entity Identifier. Now, when I was contacted by Stephan Wolf, the Chief Exec of GLEIF years back now, six years ago probably. Who had been following this emergence of SSI very, very closely and thought there’s something in this. Because underpinning self-sovereign identity is a technology called verifiable credentials.

And verifiable credentials are packets of data, they can contain anything that can be passed from an issuer to a holder. So, an issuer, like an LEI issuance body, to a holder, like your company. And that holder can then present that data and it can be verified by a verifier, which could be a tax authority, a government and other company, instantly as being authentic and the integrity of the data is preserved. So that’s the technology underneath it.

And what Stephan wanted to know was – how these verifiable credentials could be used for LEIs. Because he could see the direction of travel, of the digitisation of identity documents and paper identity information. And he saw that if LEIs were digitised in a way that could be instantly verifiable, it could transform company onboarding for bank accounts, for example, supply chain management, et cetera.

So, we sat down and included also Karla and Stephan from GLEIF, I think it was in an office in Canary Wharf, and we designed the way the vLEIs would work.

We designed a cascading chain of authority that allowed a local LEI issuance body to be certified by GLEIF and have a credential themselves that says they are a certified LEI issuer. And they were then able to issue these vLEIs to companies. It’s essentially a very similar set of information, but a bit more detail in there, than in the LEI. But issue that as a verifiable credential to a company, and the company would keep that in a digital wallet that the company runs.

But enhanced on top of that is that then employees of that company could prove that they work for that company. And those employees could themselves have verifiable credentials saying, “I’m an employee of Gen, and Gen is this business with this vLEI. And you can check the vLEI is authentic, because it came from this vLEI issuer. And you can check the vLEI issue is authentic because it came from GLEIF.” So, you can run all the way back up the chain.

And then you can also add the ability to provide employees with – for example, confirmation they’re allowed to submit accounts to the tax authorities. So, it could be – “Andy Tobin, who’s a member of Gen is allowed to do X”. So, you end up with a cascading hierarchy, which is driven by the vLEI as the identifier for the company and then that being chained into lots of other relationships relating to that company and to the employees of that company.

Oscar: And how do the vLEI use the self-sovereign identity principles?

Drummond: OK so, as I mentioned earlier, the definition of a federated identity system is it has one or a relatively small group of organisations that almost – in fact, I’ve never heard of federated identity system with an individual that run it, they are always organisations or governments that run it at the centre. And then there, it’s federated around them. So, for instance, when we we’re using social login, it’s Google, Facebook, X, LinkedIn, they’re the – called the identity providers. You have an account there, and then you go use it in other places.

And so, the GLEIF LEI system, as we said earlier, it’s a federated identifier system. GLEIF is at the centre, they authorise a set of the LEI issuers around the world, and they issue the LEIs. And that’s how you can sort of trust the whole thing. So, some folks look at that and say, “Ah, well, that’s a federated identifier system, how is this self-sovereign?”

So, with self-sovereign identity, as Andy said, it’s all about the entity that is being identified that needs to prove their identity to anyone else. Having a digital wallet, and a set of credentials they can use to prove their identity.

What GLEIF did with the vLEI was say – Hey, we are a federated identifier system. But we can provide verifiable credentials as one issuer, one hierarchy of issuers to organisations around the world, any place that can in turn, as Andy explained, then issue the next credential in the chain to their employees, or their contractors or their alumni or anything to prove their relationship with the legal entity that then can prove its relationship to the issuer and all the way up to GLEIF.

Fundamentally, what Stephan Wolf and Karla McKenna and the GLEIF team saw was, we can take a federated identifier system, and actually bring it into the world of self-sovereign identity credentials, digital credentials, from hundreds, thousands, to maybe eventually, millions of different issuers, that all serve as what we call Root of Trust, right? And, yes, GLEIF is one Root of Trust, and the whole GLEIF, what we call digital trust ecosystem, it may end up being one of the largest in the world. And it’s very important, I think, to note that it is adjacent to – it doesn’t replace government issued identifiers to organisations, but it’s adjacent to it, and it’s worldwide.

It is – the G is global. So, you can get an LEI and any entity in the world, any legal government or other entity can recognise it, and then translate it to the local identifiers that it might need. But that credential, once it’s issued into a digital wallet, is just like any other credential in that digital wallet. It can be used for that entity, in this case, an organisation, to prove its legal identity any place that’s needed. That is exactly what self-sovereign identity is about.

Andy: And I think it’s really worthwhile here describing the incentive. So why is this interesting, right? Why is a vLEI interesting? And at the moment, it’s very, very difficult for a company to prove that it’s a legitimate company and it has a bunch of certifications, it’s got the right ecological credentials, it’s got the right qualifications in place to operate as a company in the business it does. And that causes huge problems for supply chains.

As an example, I was talking to some very large pharmaceutical companies, we call them big pharma in Switzerland about this very problem. And they spend millions and millions and millions and millions of Swiss Francs trying to work out who is in their supply chain. And they kicked off something called Pharma Ledger, which was an initiative to use this concept of digital identity for companies and the qualifications and certifications they have, to allow an onboarding of a new supplier in a few seconds rather than weeks and weeks and months.

And the same thing with banking, it’s very, very difficult for a company to get a bank account. You’ve got to supply lots of pieces of paper, you got to send them in, they’re going to be notarised and signed by somebody. It’s horrendously complex, and very, very slow and very costly. So, the dream here is instantaneous, you know, a few seconds verification that a company is legitimate, and the person acting for that company is legitimate. And the potential savings are in the billions and billions and billions of dollars worldwide. So that’s why people are interested in it. And I think people get a bit hung up on the tech under the skin. And this term, self-sovereign identity, which I kind of wish we’d never promoted in a way because it’s about…

Oscar: Scary.

Andy: … the credentials under the skin, rather than yeah.

So, this ability for an organisation to have verifiable data about itself digitally, which anyone can check is authentic. Without that company having to go back to GLEIF and say, “Hey, please give me a new version of this that I can use today.” That’s the sort of self-sovereign, the company has this information, they can use it wherever and whenever they want, for whatever reason they want. And the verifier can, or the recipient can check it’s authentic, instantaneously. Even if GLEIF cease to exist, you could still do that.

So that’s the big picture here. And the vLEIs are one aspect, but a very important aspect of this new digital ecosystem for organisations. There’s an anchoring credential that says this company is this company. In some jurisdictions, you legally have to have an LEI – vLEI makes things a lot easier. So, it’s the anchoring credential that says this company is this company, and then you can hang lots of other verifiable credentials on the back of it as well.

Drummond: I want to make that point that Andy just did. So, the LEI, because of its cross jurisdictional characteristics is legally required in certain jurisdictions for certain kinds of transactions. For instance, in Canada, if you’re involved in the financial services industry, you have to have an LEI. The regulators, and GLEIF has a board of I think it’s roughly 72-75 regulators from around the world. It’s called the ROC, the Regulatory Oversight Committee. Those regulators are now – the next step is to start to mandate the vLEI. Because the regulator is saying, “Hey, it’s really expensive for us to have to, verify, audit companies and the records and everything when we have to manually process papers.” So, they’re basically saying you must do these things digitally. The Securities and Exchange Commission here in the United States requires electronic submission of reports.

So, the emergence of the vLEI as a credential, for example, digitally signing those submissions to regulatory authorities is starting to be mandated by regulators. And I expect it’s just going to grow and grow and grow. And so, in certain places, organisations, as part of their formation and maintenance they’re going to get maintained vLEIs in order to be – handle their regulatory documents. At a minimum of this many other uses.

Oscar: Yeah, indeed, you explained very interesting cases, problems that are being solved by this concept. And also, when you put it in numbers, it also sounds very convincing. Indeed, to understand a bit more what is – how does it work in practice, I think you have explained pretty well.

But let’s say, if I want to visualise, ‘so what is the vLEI?’ So vLEI is – will be registered in an app? So where can I see if my company has registered a vLEI, where can I see it?

Andy: Yeah. So, vLEI, we need to introduce here the concept of an organisational wallet. So, you’ll be familiar with digital wallets that you might have on your phone at the moment as a person, so an Apple wallet and a Google Wallet. Gen has launched its own digital wallet called MyD and there are others that are being launched as well.

So digital wallets are going to be huge. And there’s going to be a big fight about who’s going to have the best digital wallet. And a digital wallet is a container that you put these verifiable credentials in. And in the case of you, as a person, that might be a digital version of your passport. In Europe, it might be the new personal identity data credential from eIDAS. They could be a driving license, a boarding pass, et cetera.

Imagine the same thing for a company, rather than sitting on a phone, it’s going to reside probably in a server somewhere. I guess it could sit on a phone. But it’s the same concept. It’s a secure container that will hold a company’s credentials, including a vLEI. And that’s just like your own wallet, you control that wallet yourself, and you have a fingerprint or something else.

Access to the organisational wallet will be most likely controlled by a number of people who have credentials that they can use, that will prove that they work for that company, and they have the right to access and execute transactions from that wallet. So, you can see the way the personal credentials and organisational credentials come together. And a vLEI will sit in an organisational wallet, it could manifest in many different ways. It could be embedded in the enterprise planning software that that company has. It could be in a cloud-based software facility that company is using, well, names like SAP workspace, that kind of thing might do something like that. I don’t know if they have or not, but it would be logical for them to do so.

So that’s how the vLEI would manifest. And it would be used when a business transaction requires the company to prove something, prove who they are, prove their legitimate organisation. And a lot of those interactions at the moment are handled fairly manually, something will pop up into somebody’s queue. And then they will have to go off and do something and then they’ll go in and fax some document that they’ve had signed by some notary or whatever it might be.

In this new world, all that gets digitised and happens in milliseconds. So, requests will come in digitally saying, “Hey company, please prove who you are.” The organisational wallet will respond back immediately saying, “Here’s my vLEI. You can go verify it.” And that will be verified instantly. So, the business process improvement you get from this, this is what this all comes down to is optimising and digitising business processes that so far had been too expensive or complex to optimise. There’s been no good way of doing it. vLEIs are the key enabler that helps you to get those digitised business processes working.

Oscar: Yeah, excellent. The concept of organisational wallets I think it’s something that yeah, it’s – well, it’s new in this equation of the LEIs as compared to how we see it today.

You have already explained some examples of some industries in which vLEI will help tremendously. But if I ask you what are the top industries or sectors that will benefit the most, which one would be?

Drummond: I’ll start out with one of – what has become one of my very favourite examples. And I’m going to do that by reading you some texts that I have recently received. The first one is, “Hello, are you the dentist that Candy introduced me to? When do you have time?” The next one is, “Your Amazon – spelled with a little accent in it – your Amazon has been locked. Click here to fix all your bills”. My Netflix subscription is on hold. I have to renew that one. And then “Hi, it’s Hillary, can you join me for lunch as you promised?” OK? I get – I don’t know about anyone else. I’m getting several of these a day now.

It’s called smishing. Right? It’s SMS phishing. They’re just trying to get me to respond, to click a link, to do whatever. So, once you know spam and phishing attempts have moved into our phones. And of course, they’re also, they’re hitting me now on iMessage, on WhatsApp. We’re getting to a level where yeah, we’ve learned to live with spam in email. But when it starts hitting our phones and our most intimate ways of communicating, it’s not just a pain. All right, a lot of money is lost that way, and it erodes confidence in our most important communications infrastructure.

So, my personal favourite use of LEIs, vLEIs – well both actually. Because if we’ve never said it, we want to make it clear, the vLEI credential contains the LEI as one of the pieces of the data in it. So that’s how it all ties together. It is going to be used for signed, digitally signed text messages. Initially it will be used by the telcos themselves that deliver that message. They will do the filtering out of the spam because they will be able to basically differentiate and say, “Oh, this is a digitally signed message from a legitimate company, and we can deliver that.” Give it the green light to the consumer and anything else is going to be suspect.

That doesn’t mean that suddenly you’re going to stop getting any smishing attempts. But it’s going to introduce a fundamental solution that over time will, I think, essentially stamp out that industry. And this is not theoretical, there are several companies working on putting this in place. I think it’s going to start going operational in 2024. So that’s one example.

Andy: Yeah, I think I’d add in any regulated industry, banking, particularly, especially corporate banking, where you need to know who the corporation is, and there’s so many rules, they are coming in about identifying which corporate you’re dealing with. This was one of the main use cases when we were designing vLEIs in the first place with GLEIF, which was if you’ve got a corporation, you need to find the ultimate beneficial owner of that corporation in order to give that corporation a bank account.

If that corporation has a bunch of shareholders and those shareholders of other corporations and those, some of those corporations have shareholders at the other corporations. You get an exponentially worsening problem of trying to work out who everybody is, because they all have to provide information about who they are and who their shareholders are.

And this is the case with Evernym when we set little Evernym in the UK in 2017, I needed to get a bank account. And to get that bank and I had to prove who Evernym UK was and the ultimate beneficial owner of Evernym UK was Evernym, Inc. in the US. And Evernym, Inc. had a bunch of shareholders. And I then had to prove who all those shareholders were. And this involved getting the largest shareholders over 10% to provide documentation about who they were and notarised certificates and so on and so on. And the ones that were corporates then had to give me their shareholders. And I think, eight months to get their bank account setup, which is insane. So, you can imagine the potential benefits there.

I’d also point as well to the European eIDAS program. Which is the eIDAS 2.0 it’s the next evolution of the European digital identity scheme. There’s a consortia and there are four consortia working on large scale pilots now. One of them that Gen is in called EWC has two use cases for people, which is travel and payments, and a use case for organisational identity as well. And that’s been championed by the governments of Sweden and Finland. And has got a lot of traction now, because the same technology that is being used for credentials, for people and personal wallets can be used for organisations as well.

So, I see a lot of potential for vLEIs and other organisational credentials, like VAT number and tax identity and Companies House type information. To be provided digitally in that way to transform business processes with corporate to corporate. But also in our human use cases with people. If I’m using my eIDAS wallet to book travel, the vLEI or organisational credential will allow me to check the travel agency I’m booking it with is legitimate. And if they’re ABTA based and certified and are they the right company, all of the problems that Drummond outlined, these scammers pretending to be companies, those will go away because I’ll be able to instantly verify if a company is authentic or not.

Oscar: Yeah, you have listed at least three very important sectors, industries, in which it’s very clear the benefit that will come. We know that vLEIs are available now, you have explained pretty well the cases, how they can help to solve these problems. When do you estimate that the full benefits will be realised? So, we are still in 2023, what we say it’s a time in which, OK, it is a massive impact the vLEI have done.

Andy: Yeah, it’s good question actually. I think in Europe with the eIDAS program running, I think that’s going to be a big catalyst. And we’ll see how that evolves, these large-scale pilots are going to run for two years. And the actual eIDAS regulation when it comes into place, the governments of the EU will have two years to implement it and get wallets issued.

I think we need to look back at the incentives and companies move quickly when the incentives are big enough. So, there’ll be a number of market proving pilots that happen and the output that comes from those will say, “Hey, this is actually real. It really works. And here’s how much you can save.” When the suppliers of software, that businesses used to run their operations start embedding vLEIs into their businesses just like email, or just like, you know, web pages. It’s going to be completely transformational at that point.

Drummond: Exactly. It really depends on the industry and the use case. I compare the adoption of SSI digital wallets and credentials, there’s a precedent, the adoption of the web, right? It won’t happen everywhere all at once. OK, that’s not how these things ever happen. Right? It’ll be particular, just like you had certain websites, it started out with physics websites, right? And then authors got involved and said, “Hey, this is a great way to publish.” And eventually we had blogs and things like that. And then pretty soon the web is pervasive.

We’re working the same way. There are pockets, as we said that, you know, like the smishing problem.  I think one of the important things to keep an eye on is governments are, you know, they’ve inherently been in the identity industry. They always are, because they’re foundational issuers of identity. And some governments, forward leaning governments that have gone straight, or are seeing the benefits have already moved into. One of the ones I’m closest to here in Seattle, is the province of British Columbia in Canada, which already has a digital wallet that’s all based on open-source code that’s in market and they’re starting to issue credentials to British Columbia citizens. And they’re already using vLEIs for organisations.

Another of my most favourite example is the small but very influential country of Bhutan, which has basically said they just adopted a National Digital Identity Act, implementing or mandating a self-sovereign identity infrastructure for the whole country. And that will require LEIs for every legal entity that is signed up and going to be part of that SSI ecosystem. Every organisation, every bank, travel agency, grocery store, it doesn’t matter, if you’re in the Bhutan SSI ecosystem, as an organisation, you sign up and have to get an LEI and a vLEI to participate in that. So that’s the kind of thing that can really generate large adoption.

Oscar: Indeed, yes, super interesting discussion about vLEIs and the state of the self-sovereign entity. I’ll ask you a final question for both of you. For all business leaders that are listening to us now, what is the one actionable idea that they should write on their agendas today?

Andy: I think that one would be to get up to speed on vLEIs and verifiable credentials, generally. Not to worry too much about the technology under the skin and keys and encryption and DIDs and so on. But to understand the business implications of digitising processes that they haven’t been able to digitise so far, and the benefits to them of doing that.

There’s a significant competitive advantage to a business, to digitise processes that a vLEI will enable you to do. And the companies that do that soonest, or a bank, for example, if a bank can onboard a corporate customer in 10 seconds, instead of 10 months, they’re going to have a massive, massive advantage competitively against the other banks in the market. So that’s where the prize is. So, they need to understand the implications.

And generally, I think, what would be the word, get into the program. That’s probably not the right way of saying it, but it’s about understanding what is coming down the line. And if they don’t move fast, then somebody else will out compete them very, very quickly. It’s a bit like the early days of the web, get online, get digitised and if you’re not, you’re not in the game.

Drummond: Yeah, I think we clearly saw with the web, those companies that got a website early and started to have a digital presence, they significantly expanded. In some cases, they completely dominated new industries, because they went fast.

I’m going to provide a very, very concrete step. If your organisation doesn’t have an LEI today, just a regular LEI, just go check out the GLEIF website. You’re going to find very easily how you can get one and go through that process. It doesn’t necessarily take very long, but it will educate you about that. And then ask your LEI issuer, whoever you choose, “Are you issuing vLEIs? When will you be issuing it? Educate me about that.” And you know, just start to climb the path.

Oscar: Yeah, indeed, very actionable. Thank you very much, both Drummond and Andrew. It was a fascinating conversation with such experts in this topic. So finally, tell us if someone would like to follow you or continue this conversation with you, what are the best ways?

Drummond: For me, yeah, @drummondreed on X. It’s the first time I’ve ever had to say that on a podcast, and it just doesn’t sound like the same.

Andy: Does that still exist?

Drummond: Yeah, I’m really seriously worried about it. I, you know, I’m finding it degrading and I’m not sure how much longer I’m going to use it. Or [email protected]. You can contact me via email too.

Andy: Yeah. And I’m [email protected].

Oscar: And are you at X, formerly known as Twitter?

Andy: I am but I’m broadcast only because it’s just too much hard work. LinkedIn is kind of interesting. You can find me on LinkedIn as well. I write on the topic of digital identity and verifiable credentials and eIDAS quite frequently and I know Drummond does as well.

Drummond: Yeah, yeah, we do. And I’m more and more paying attention to LinkedIn that way.

Oscar: Fantastic. Again, thank you very much for this conversation and all the best.

Andy: Thanks, Oscar.

Drummond: Thank you, Oscar. You bet.

Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episode at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.