Legal Entity Identifiers and call authentication

Could a standardized “Legal Entity Identifier” (LEI) help with call authentication? Some organizations believe it could. They’ve encouraged the FCC to incorporate LEI provisions into the Commission’s call authentication rules. Let’s have a look.

Global Legal Entity Identifier

The LEI initiative was established by the Financial Stability Board (FSB) in 2014. They wanted to find a better way to identify the parties behind financial transactions, especially securities trading. Regulators agreed that the 2008 financial crisis demonstrated the benefits that a standardized LEI could provide.

The FSB established the Global Legal Entity Identifier Foundation (GLEIF) as a non-profit organization to support the implementation and use of the LEI.

LEI creation is done by a network of approved vetting organizations that review and approve LEI applications and add entity-identifying information to a centralized database.

The LEI is a 20-character unique identifier. The LEI holder uses this number to identify itself with other organizations, who then look up identifying information about the LEI holder in the database.

Although its initial use was for participants in securities markets, the LEI framework could be useful in other Know-Your-Customer (KYC) situations, including call authentication.

LEI potential uses in call authentication

We can think of several call authentication use cases in which the LEI would add value:

1. STI Policy Administrator (STI-PA) vetting of STI Certification Authority (STI-CA) applicants
2. STI-PA vetting of SHAKEN-authorized service provider applicants for an SPC token
3. STI-PA vetting of telephone number provider applicants for an SPC CA token
4. STI-CA vetting of STI certificate applicants
5. STI-CA vetting of telephone number provider applicants for a Subordinate CA certificate
6. Subordinate CA vetting of delegate certificate applicants

In these situations, the reviewing entity needs identifying information from the applicant. The LEI framework could provide some of the information needed in a standardized format. This would speed up the vetting process.

Verifiable LEI

What prevents a bad actor from impersonating another organization and spoofing its LEI?

The GLEIF thought of that and came up with a solution: Verifiable LEI. Of course, we’ll need an acronym, so they dubbed this the vLEI.

The vLEI is packaged in a digitally signed Verifiable Credential (VC). The vLEI holder presents its VC to a relying party, who then verifies it using Public Key Infrastructure (PKI) techniques.

Does this ring a bell? That’s right—it’s like the PKI techniques used with STI certificates in STIR/SHAKEN.

In the use case scenarios listed above, reviewers would leverage LEIs or vLEIs during the vetting process, not during call processing. Reviewers would have quick access to information in a standard format to support their vetting decisions.

For more information, see this ex parte notice submitted to the FCC by Numeracle and GLEIF to advocate for LEI use with STIR/SHAKEN.

TransNexus solutions

TransNexus is a leader in developing innovative software to manage and protect telecommunications networks. The company has over 20 years’ experience in providing telecom software solutions including toll fraud prevention, robocall mitigation and prevention, TDoS prevention, analytics, routing, billing support, STIR/SHAKEN and SHAKEN certificate services.

Contact us today to learn more.