Three-Tier Governance Model:

1. Regulatory Oversight Committee (ROC): Provides regulatory oversight with representatives from global financial regulators
2. GLEIF: Ensures operational integrity and manages the Global LEI System
3. Local Operating Units (LOUs): Issue LEIs to legal entities after Know Your Business (KYB) processes

This hierarchical structure ensures that GLEIF operates under regulatory supervision while maintaining operational independence necessary for a global utility.

vLEI Ecosystem Role

Within the vLEI ecosystem, GLEIF serves multiple critical functions:

Root of Trust: GLEIF establishes the cryptographic root of trust through the GLEIF Root AID (Autonomic Identifier), which serves as the apex of the vLEI trust hierarchy. All vLEI credentials ultimately trace their authority back to GLEIF's root identifier through cryptographic delegation chains.

Delegated Identifier Management: GLEIF manages two primary delegated AIDs:

• GLEIF Internal Delegated AID (GIDA): Used for GLEIF's internal operations and credential issuance to GLEIF representatives
• GLEIF External Delegated AID (GEDA): Used to manage relationships with and authorize Qualified vLEI Issuers (QVIs) within the vLEI ecosystem

These delegated identifiers enable GLEIF to separate operational concerns while maintaining cryptographic accountability through KERI's delegation mechanisms.

QVI Qualification Authority: GLEIF is the sole authority that can qualify organizations to become Qualified vLEI Issuers (QVIs). This qualification process involves:

• Evaluation against the vLEI Issuer Qualification Program requirements
• Execution of the vLEI Issuer Qualification Agreement
• Issuance of QVI vLEI Credentials that authorize downstream credential issuance
• Ongoing annual qualification reviews and extraordinary qualification procedures

Related Governance Entities

GLEIF operates within a broader ecosystem of governance entities:

Regulatory Oversight Committee (ROC): Provides oversight of GLEIF's operations and ensures alignment with regulatory objectives. The ROC Charter establishes the committee's authority and responsibilities.

Qualified vLEI Issuers (QVIs): Organizations that have been qualified by GLEIF to issue Legal Entity vLEI Credentials, Official Organizational Role (OOR) vLEI Credentials, and Engagement Context Role (ECR) vLEI Credentials. QVIs operate under contractual obligations defined in the vLEI Issuer Qualification Agreement.

Legal Entities: Organizations that hold LEIs and can receive vLEI credentials. Legal Entities designate Designated Authorized Representatives (DARs) and Legal Entity Authorized Representatives (LARs) to manage their vLEI credential lifecycle.

Trust Over IP Foundation: GLEIF collaborates with the Trust Over IP Foundation on technical standards development, particularly for KERI, ACDC, and related protocols that underpin the vLEI ecosystem.

Roles & Responsibilities

Primary Responsibilities

Global LEI System Management: GLEIF operates the Global LEI Index, a freely accessible, searchable centralized repository containing LEI records with organizational data. As of 2022, over 2 million LEIs were in use globally, primarily driven by regulatory mandates in financial services.

vLEI Ecosystem Governance: GLEIF establishes and maintains the vLEI Ecosystem Governance Framework, which includes:

• Business Requirements: Defining use cases and operational requirements
• Governance Requirements: Establishing policies and oversight mechanisms
• Technical Requirements: Specifying KERI infrastructure, credential schemas, and implementation standards
• Information Trust Policies: Defining security, privacy, availability, confidentiality, and processing integrity policies
• Risk Assessment: Identifying and mitigating ecosystem risks
• Trust Assurance Framework: Establishing compliance and audit requirements

Cryptographic Root of Trust Establishment: GLEIF generates and manages the GLEIF Root AID with the highest duty of care, recognizing that this identifier constitutes the security foundation of the entire vLEI ecosystem. The Root AID generation follows rigorous requirements:

• Dual key pair sets with approximately 128 bits of cryptographic strength
• Random number generation using cryptographically-secure pseudo-random number generators (CSPRNG)
• Cryptographic derivation from digests of public keys and configuration parameters
• Multi-signature control by GLEIF Authorized Representatives (GARs)

QVI Qualification and Management: GLEIF conducts qualification processes for organizations seeking to become QVIs, including:

• Initial Qualification: Evaluation against the vLEI Issuer Qualification Program Checklist
• Annual Qualification: Ongoing evaluation to ensure continued compliance
• Extraordinary Qualification: Evaluation triggered by specific events or concerns
• Credential Issuance: Issuing QVI vLEI Credentials that authorize downstream credential operations
• Revocation: Revoking QVI credentials when qualification fails or LEI lapses

Schema Registry Management: GLEIF maintains the official vLEI Credential Schema Registry, which provides:

• Normative JSON Schema definitions for all vLEI credential types
• Self-Addressing Identifiers (SAIDs) for each schema version
• Semantic versioning for backward compatibility tracking
• ACDC-compliant schema structures with composition operators

Identity Assurance Services: Through GLEIF Authorized Representatives (GARs), GLEIF performs identity verification requirements needed to issue QVI vLEI Credentials, ensuring that only properly verified organizations can participate as credential issuers in the vLEI ecosystem.

Authority and Permissions

Exclusive QVI Credential Issuance: GLEIF is the only entity authorized to issue QVI vLEI Credentials. This exclusive authority ensures centralized control over who can issue Legal Entity credentials while enabling distributed credential issuance through the QVI network.

Governance Framework Authority: GLEIF has the authority to:

• Establish and modify the vLEI Ecosystem Governance Framework
• Define technical requirements for KERI infrastructure and vLEI credentials
• Set information trust policies that apply to all ecosystem participants
• Establish qualification criteria for QVIs
• Define credential schemas and their evolution

Delegation Authority: GLEIF can delegate authority through KERI's cooperative delegation mechanism:

• Creating delegated AIDs for internal and external operations
• Delegating QVI AIDs that enable credential issuance
• Revoking delegations when necessary

Regulatory Reporting: GLEIF operates the vLEI Reporting API (Sally), which enables:

• Tracking of issued vLEI credentials
• Verification of credential presentations
• Transparency into the vLEI ecosystem's operational state

Limitations

Regulatory Oversight: GLEIF operates under oversight from the Regulatory Oversight Committee, which constrains GLEIF's operational autonomy and ensures alignment with regulatory objectives.

No Direct Legal Entity Credential Issuance: GLEIF does not directly issue Legal Entity vLEI Credentials, OOR vLEI Credentials, or ECR vLEI Credentials. These credentials are issued by QVIs, creating a separation of concerns between qualification authority and operational credential issuance.

Contractual Obligations: GLEIF's relationship with QVIs is governed by the vLEI Issuer Qualification Agreement, which establishes mutual obligations and constraints on both parties.

Technical Standards Compliance: GLEIF must comply with established technical standards including:

• KERI protocol specifications
• ACDC credential format requirements
• CESR encoding standards
• JSON Schema 2020-12 compliance
• ISO standards for LEI (ISO 17442)

Privacy and Data Protection: GLEIF must comply with applicable data protection regulations including GDPR and ISO/IEC 27001, with the Swiss Federal Data Protection Act serving as the minimum standard where no local legislation exists.

Credential Lifecycle

While GLEIF does not issue Legal Entity credentials directly, it manages the lifecycle of QVI vLEI Credentials, which are foundational to the vLEI ecosystem.

QVI Credential Issuance Process

Qualification Phase:

1. Candidate organization applies to the vLEI Issuer Qualification Program
2. GLEIF evaluates the candidate against the Qualification Program Checklist
3. Candidate demonstrates compliance with technical, operational, and governance requirements
4. GLEIF and candidate execute the vLEI Issuer Qualification Agreement

Identity Verification Phase:

1. GLEIF Authorized Representatives (GARs) verify the candidate's LEI status
2. GARs perform identity assurance of QVI Authorized Representatives (QARs) to at least IAL2 (Identity Assurance Level 2) per NIST 800-63A
3. GARs conduct real-time OOBI (Out-Of-Band Introduction) sessions with QARs
4. Challenge-response authentication verifies control of QVI AID

Credential Issuance Phase:

1. GLEIF creates a delegated QVI AID through cooperative delegation
2. GLEIF issues a QVI vLEI Credential containing:
   • QVI's LEI
   • Grace period (default 90 days)
   • Authorization scope for downstream credential issuance
3. Credential is anchored to GLEIF's KEL through cryptographic seals
4. Credential is registered in a Transaction Event Log (TEL) for revocation tracking

Verification Procedures

Verifiers of QVI vLEI Credentials must:

Verify Cryptographic Chain:

1. Validate the QVI AID's delegation from GLEIF External Delegated AID (GEDA)
2. Verify GEDA's delegation from GLEIF Root AID
3. Confirm all delegation events are properly signed and witnessed

Verify Credential Integrity:

1. Validate the credential's SAID (Self-Addressing Identifier)
2. Verify the credential conforms to the QVI credential schema
3. Check the credential's signature by GLEIF's issuing AID

Verify Credential Status:

1. Query the credential's Transaction Event Log (TEL) for revocation status
2. Verify the TEL is properly anchored to GLEIF's KEL
3. Confirm the credential is within its grace period if applicable

Verify LEI Status:

1. Check that the QVI's LEI has Active Entity Status in the Global LEI System
2. Verify appropriate Registration Status (Issued, Pending Transfer, or Pending Archival)

Revocation Conditions

GLEIF revokes QVI vLEI Credentials under specific conditions:

Qualification Failure:

• QVI fails to successfully complete Annual vLEI Issuer Qualification
• QVI fails to remediate qualification issues documented during qualification
• QVI violates terms of the vLEI Issuer Qualification Agreement

LEI Status Changes:

• QVI's LEI lapses or is retired
• QVI's LEI status changes to a non-qualifying state

Security Incidents:

• QVI experiences a security breach affecting credential issuance
• QVI's cryptographic keys are compromised
• QVI demonstrates inability to maintain required security standards

Operational Failures:

• QVI fails to maintain required infrastructure (witnesses, watchers, agents)
• QVI fails to meet service level agreements
• QVI demonstrates systematic operational deficiencies

Revocation Process:

1. GLEIF creates a revocation event in the credential's TEL
2. Revocation event is anchored to GLEIF's KEL
3. Grace period (default 90 days) allows for transition to new QVI
4. After grace period, credential is fully revoked and cannot be used

Related Governance Documents

Core Governance Framework

vLEI Ecosystem Governance Framework v3.0: The primary governance document establishing GLEIF's authority and the vLEI ecosystem's operational framework. This document includes:

• Primary Document (v1.1, 2023-08-30)
• Governance Requirements (v1.0, 2022-12-16)
• Business Requirements (various versions)
• Technical Requirements Parts 1-3 (KERI Infrastructure, vLEI Credentials, Schema Registry)
• Information Trust Policies (v1.2, 2025-04-16)
• Risk Assessment (v1.2, 2023-12-15)
• Trust Assurance Framework (v1.5, 2025-04-16)
• Glossary (v1.3, 2023-12-15)

Credential-Specific Frameworks

Qualified vLEI Issuer Identifier Governance Framework and vLEI Credential Framework (v1.5, 2025-04-16): Defines requirements for QVI Delegated AIDs and QVI vLEI Credentials, including:

• QVI qualification requirements
• Multi-signature group formation
• Witness pool configuration
• Identity verification procedures
• Credential schema specifications

Legal Entity vLEI Credential Framework (v1.4, 2025-04-16): Establishes requirements for Legal Entity credentials issued by QVIs, including:

• Identity assurance and authentication procedures
• Multi-signature requirements
• Credential schema and structure
• Issuance and revocation procedures

Legal Entity Official Organizational Role vLEI Credential Framework (v1.4, 2025-04-16): Defines requirements for OOR credentials representing official roles within legal entities.

Legal Entity Engagement Context Role vLEI Credential Framework (v1.4, 2025-04-16): Establishes requirements for ECR credentials representing functional or engagement-specific roles.

Qualified vLEI Issuer Authorization vLEI Credential Framework (v1.3, 2025-04-16): Defines authorization credentials that enable Legal Entity Authorized Representatives to instruct QVIs on credential issuance and revocation.

Contractual Documents

vLEI Issuer Qualification Agreement (v1.0, 2022-12-06): The binding contract between GLEIF and QVIs, including:

• Appendix 1: Non-Disclosure Agreement
• Appendix 2: Service Level Agreement
• Appendix 3: vLEI Issuer Qualification Program Checklist
• Appendix 4: vLEI Issuer Contact Details

Technical Specifications

KERI Specifications: GLEIF's vLEI ecosystem is built on KERI protocol specifications maintained by the Trust Over IP Foundation and WebOfTrust GitHub organization.

ACDC Specifications: Authentic Chained Data Container specifications define the credential format used for all vLEI credentials.

CESR Specifications: Composable Event Streaming Representation specifications define the encoding used for KERI events and ACDC credentials.

vLEI Credential Schema Registry (Part 3 of Technical Requirements): Defines official JSON Schema definitions for all vLEI credential types with SAIDs for version tracking.

Organizational Documents

GLEIF Statutes and By-laws: Establish GLEIF's legal structure and governance.

Regulatory Oversight Committee Charter: Defines the ROC's authority and responsibilities.

ISO 20000 Certification Materials: Document GLEIF's compliance with information technology service management standards.

GLEIF Code of Conduct: Establishes ethical standards for GLEIF staff and representatives.

Conflict of Interest Policy: Defines procedures for managing conflicts of interest.

Whistleblowing Policy: Establishes mechanisms for reporting concerns.

External Standards

ISO 17442: International standard for Legal Entity Identifiers (Part 1: Assignment, Part 2: Application in digital certificates).

NIST 800-63A: Digital Identity Guidelines for identity assurance levels.

ISO/IEC 27001: Information security management standards.

GDPR: EU General Data Protection Regulation for privacy compliance.

eIDAS: EU regulation for electronic identification and trust services.

These governance documents collectively establish GLEIF's authority, responsibilities, and operational framework within the vLEI ecosystem, ensuring that the organization operates with appropriate oversight, transparency, and accountability while serving as the cryptographic root of trust for verifiable legal entity identification globally.