trustoverip / vLEI-EGF-v1.0-Interim-Update-Public-Review


How do we ensure that LARs comply with the vLEI governance framework? #10

Closed nkongsuwan closed 9 months ago

nkongsuwan commented 10 months ago

Document

Legal-Entity-Engagement-Context-Role-vLEI-Credential-Framework

Section Name

For issuance by a Legal Entity with more than one authorized signer or employee

Row number

204-206

Question/Comment

The document gives a requirement for a LAR to meet an ECR person in person or in a continuous web meeting.

I have a concern that this might be very difficult to enforce in practice as neither GLEIF nor QVIs will be monitoring if LARs strictly comply with the ecosystem governance framework. In my opinion, it is highly likely that some LARs will get sloppy with their identity authentication process.

One way I can think of is for QVIs to provide an identity-authentication application to LARs where the application is designed such that it is difficult for LARs to become sloppy. However, lazy LARs will probably find a way to get around such an application.

kmckenna-gleif commented 9 months ago

Thank you, Nuttawut, for raising this issue. The outsourcing of services in the first 'part' of the Identity Verification process (Identity Assurance or Proofing) is allowed within the vLEI EGF to be outsourced to third parties by the QVI. However, the second part of the Identity Verification process, the Identity Authentication session, which involves a continuous remote in-person OOBI session, is expected to be performed unbroken in process by the Qualified vLEI Issuer Authorised Representatives (QARs), who both would complete the exchange of identifiers, Challenge-Response process, verification of signatures and required 'maker-checker' approval of issuance of the vLEI credentials. So this requirement will remain unchanged in the vLEI EGF.

kmckenna-gleif commented 9 months ago

Nuttawut, this is the response to the "How do we ensure that LARs comply with the vLEI governance framework?" issue, which now seems to be nested with the "Scalability for OOBI session" issue. GLEIF is continuing its discussions on the topic of LAR compliance with the vLEI EGF for the issuance of ECR vLEIs.