Trust Chain Position:

1. GLEIF (root of trust) →
2. Qualified vLEI Issuers (QVIs) (authorized credential issuers) →
3. Legal Entities (credential holders) →
4. Official Organizational Role (OOR) Persons (official representatives) →
5. Engagement Context Role (ECR) Persons (functional representatives)

Legal entities serve as the primary subjects of LEI assignments and the primary holders of Legal Entity vLEI Credentials. They are the organizational entities whose identity and authorization structure the vLEI ecosystem is designed to verify and attest.

GLEIF Context

GLEIF's mission centers on providing unique identification for legal entities through the Global LEI System (GLEIS). The LEI serves as the foundational identifier that:

• Uniquely identifies legal entities globally
• Provides a standardized 20-character alphanumeric code (ISO 17442)
• Links to verified reference data about the entity
• Enables the "who is who" and "who owns whom" transparency in financial markets

The vLEI extends this foundation by providing cryptographically verifiable digital credentials that prove:

• The legal entity's identity
• The authorization of its representatives
• The validity of its organizational roles

Related Governance Entities

Legal entities interact with several key governance entities in the vLEI ecosystem:

Designated Authorized Representatives (DARs): Legal entities designate DARs who have authority to:

• Authorize vLEI Issuer Qualification Program Checklists
• Execute vLEI Issuer Qualification Agreements
• Designate/replace Authorized vLEI Representatives (AVRs)

[Legal Entity Authorized Representatives (LARs)]: Representatives authorized by the legal entity to:

• Request issuance of vLEI credentials
• Authorize QVIs to issue role credentials
• Manage the legal entity's credential lifecycle

QVIs: Organizations qualified by GLEIF to issue Legal Entity vLEI Credentials to legal entities after proper verification.

Roles & Responsibilities

Primary Responsibilities

As credential holders in the vLEI ecosystem, legal entities have several key responsibilities:

Identity Verification Compliance:

• Maintain a valid, active LEI with appropriate registration status
• Ensure LEI reference data remains current and accurate
• Undergo identity verification procedures as required by QVIs
• Comply with identity assurance requirements (typically NIST 800-63A IAL2 or equivalent)

Representative Authorization:

• Designate DARs with appropriate authority
• Authorize [LARs] to act on behalf of the organization
• Manage authorization for OOR and ECR credential issuance
• Maintain accurate records of authorized representatives

Credential Management:

• Request issuance of Legal Entity vLEI Credentials
• Issue OOR Authorization and ECR Authorization credentials to QVIs
• Manage credential lifecycle including renewal and revocation
• Ensure proper use of credentials by authorized representatives

AID Management:

• Establish and maintain Autonomic Identifiers using KERI infrastructure
• Implement appropriate multi-signature configurations (recommended minimum 3 LARs with 2-of-N threshold)
• Perform key rotation operations as needed for security
• Maintain witness configurations for identifier security

Authority and Permissions

Legal entities possess specific authorities within the vLEI ecosystem:

Credential Issuance Authority:

• Direct issuance: Legal entities can directly issue ECR credentials to individuals for functional roles
• Delegated issuance: Legal entities authorize QVIs to issue OOR and ECR credentials through authorization credentials
• Authorization control: Legal entities control which QVIs can issue which types of credentials to which individuals

Representative Management Authority:

• Designate and revoke DARs
• Authorize and revoke [LARs]
• Approve OOR and ECR credential requests
• Define organizational roles and engagement contexts

Governance Participation:

• Contract with QVIs for credential services
• Participate in vLEI ecosystem governance through feedback mechanisms
• Request credential revocation when necessary

Limitations

Legal entities face specific limitations within the vLEI ecosystem:

Cannot Issue QVI Credentials: Only GLEIF can issue QVI credentials - legal entities cannot authorize other entities to become QVIs.

Cannot Issue Legal Entity Credentials: Legal entities cannot issue Legal Entity vLEI Credentials to other legal entities - this authority is reserved for QVIs.

LEI Dependency: Legal entities must maintain a valid, active LEI to participate in the vLEI ecosystem. If the LEI lapses or is retired, associated vLEI credentials become invalid.

Governance Framework Compliance: Legal entities must comply with the vLEI Ecosystem Governance Framework policies, including:

• Information Trust Policies
• Privacy and data protection requirements
• Security policy implementation
• Incident reporting obligations

Multi-Signature Requirements: For entities with multiple authorized signers, credentials must be signed according to the signing threshold of the Legal Entity vLEI Credential's AID, typically requiring coordination among multiple [LARs].

Credential Lifecycle

Issuance Process

The Legal Entity vLEI Credential issuance process follows a structured workflow:

Pre-Issuance Phase:

1. LEI Verification: QVI Authorized Representatives (QARs) verify the legal entity's LEI is valid and active in the Global LEI System
2. LAR Identity Verification: [LARs] undergo identity assurance procedures (minimum IAL2 or equivalent digital identity credentials)
3. AID Establishment: Legal entity creates a KERI AID, typically using multi-signature configuration
4. OOBI Exchange: Legal entity and QVI exchange Out-Of-Band Introductions to establish communication

Issuance Phase:

1. Credential Request: [LAR] submits request to QVI for Legal Entity vLEI Credential
2. ACDC Creation: QVI creates Authentic Chained Data Container containing:
   • Legal entity's AID
   • LEI identifier
   • Issuance datetime
   • Schema reference
   • Edge reference to QVI credential
3. TEL Registration: Credential is registered in Transaction Event Log for status tracking
4. Credential Delivery: QVI delivers credential to legal entity via IPEX protocol

Post-Issuance Phase:

1. Credential Storage: Legal entity stores credential in secure keystore
2. Authorization Credential Issuance: Legal entity can now issue OOR Authorization and ECR Authorization credentials
3. Presentation Capability: Legal entity can present credential to verifiers as proof of identity

Verification Procedures

Verifiers validate Legal Entity vLEI Credentials through:

Cryptographic Verification:

• Verify SAID integrity of credential
• Validate digital signatures from QVI
• Check edge chain to QVI credential
• Verify QVI credential chains to GLEIF root

Status Verification:

• Query TEL registry for credential status
• Verify credential has not been revoked
• Check LEI remains active in Global LEI System
• Validate issuance datetime is within acceptable range

Schema Verification:

• Verify credential conforms to official Legal Entity vLEI Credential schema
• Validate all required fields are present
• Check schema SAID matches expected value

Revocation Conditions

Legal Entity vLEI Credentials may be revoked under several conditions:

LEI Status Changes:

• LEI lapses (not renewed)
• LEI is retired
• LEI registration status becomes invalid
• LEI entity status becomes inactive

Governance Violations:

• Legal entity violates vLEI Ecosystem Governance Framework policies
• Legal entity fails to maintain required security standards
• Legal entity misuses credentials or enables misuse by representatives

Voluntary Revocation:

• Legal entity requests revocation
• Legal entity ceases operations
• Legal entity no longer requires vLEI credentials

QVI Actions:

• QVI loses qualification status
• QVI determines credential was issued in error
• QVI identifies fraudulent information in credential

Revocation Process:

1. Authorized party initiates revocation request
2. QVI or legal entity updates TEL registry
3. Revocation event is anchored to KEL
4. Credential status changes to revoked
5. Dependent credentials (OOR, ECR) may also be revoked

Related Governance Documents

Primary Governance Frameworks

vLEI Ecosystem Governance Framework v3.0: The overarching governance document establishing GLEIF's authority and the complete vLEI ecosystem structure.

Legal Entity vLEI Credential Governance Framework: Specific framework detailing requirements for Legal Entity vLEI Credentials, including:

• Issuer qualifications and policies
• Holder requirements
• Verifier policies
• Identity verification procedures
• Credential schema specifications

Legal Entity Official Organizational Role vLEI Credential Governance Framework: Framework for OOR credentials issued to official representatives of legal entities.

Legal Entity Engagement Context Role vLEI Credential Governance Framework: Framework for ECR credentials issued to functional representatives of legal entities.

Policy Documents

vLEI Ecosystem Information Trust Policies: Comprehensive policies covering:

• Regulatory compliance requirements
• Privacy and data protection standards
• Security policy frameworks
• Incident management procedures
• Availability and confidentiality requirements

Trust Assurance Framework: Detailed compliance matrix mapping governance requirements to implementation standards including ISO 20000 certification and vLEI Issuer Qualification Program requirements.

Risk Assessment: Comprehensive risk analysis for the vLEI ecosystem covering legal entity-specific risks including:

• Credential issuance without proper verification
• Credential validity management
• Operational risks
• Governance compliance risks

Technical Specifications

Technical Requirements Part 1: KERI Infrastructure: Specifications for KERI implementation including:

• AID generation requirements
• Witness pool configuration
• Key management standards
• Cryptographic strength requirements

Technical Requirements Part 2: vLEI Credentials: Specifications for credential implementation including:

• ACDC structure requirements
• CESR encoding standards
• IPEX protocol requirements
• TEL registry specifications

Technical Requirements Part 3: vLEI Credential Schema Registry: Registry of official credential schemas including:

• Legal Entity vLEI Credential schema (SAID: ENPXp1vQzRF6JwIuS-mp2U8Uf1MoADoP_GqQ62VsDZWY)
• OOR Authorization schema
• ECR Authorization schema
• OOR credential schema
• ECR credential schema

Standards References

ISO 17442:2020: International standard for Legal Entity Identifiers, defining:

• LEI structure and format
• Entity types included/excluded
• Reference data requirements
• Maintenance procedures

ISO 20275: Standard for entity legal forms, used in LEI reference data.

ISO 5009: Standard for official organizational roles, referenced in OOR credential frameworks.

NIST 800-63A: Digital Identity Guidelines for identity assurance, establishing IAL2 requirements for representative verification.

Practical Implications

Legal entities participating in the vLEI ecosystem gain several practical benefits:

Enhanced Digital Identity: Cryptographically verifiable organizational identity that can be presented across contexts without requiring repeated verification.

Streamlined Onboarding: Reduced friction in KYC/KYB processes when interacting with financial institutions, regulators, and business partners.

Authorized Representative Management: Clear, verifiable authorization chains for individuals acting on behalf of the organization.

Cross-Border Recognition: Global interoperability through standardized LEI-based credentials.

Regulatory Compliance: Simplified compliance with identity verification requirements in regulated industries.

Fraud Prevention: Cryptographic proof of organizational identity and representative authorization reduces impersonation and fraud risks.

The legal entity concept is foundational to the vLEI ecosystem, serving as the bridge between traditional legal identity (LEI) and cryptographically verifiable digital identity (vLEI).

International Operations: Legal entities operating across jurisdictions should ensure their LEI and vLEI credentials are recognized in all relevant jurisdictions.

Credential Presentation: Legal entities should establish policies for when and how to present credentials to verifiers, including privacy considerations for selective disclosure.