Guardianship and Organisations
This article is part of a series that we’re writing on how we might best implement a digital model for Guardianship, and what that might mean in our personal and professional lives. It looks at how organisations and the people that work in them can take part in online guardianship scenarios, support those that need it and differentiate themselves in a good way.
The articles in the series are based on the work we (Jo Spencer and John Phillips) performed as co-chairs of the Sovrin Foundation Guardianship Working Group and our work with the Technical Stream of that Working Group.
The previous articles in this series so far are:
When we think of guardianship, it’s normally focused on people supporting other people, and rarely looking at the role of organisations. In a previous article we considered the concept of a jurisdiction, the actors for which can include people working for organisations. This article considers the role of organisations as guardians and how organisational enablement of guardianship relationships can improve trust in digital interactions for the good of all.
We discuss how Verifiable Credentials and Decentralized Identifiers – the building blocks of Self-Sovereign Identity (SSI) based solutions – can be used to document and prove guardianship arrangements and improve the trust of organisations and their officers and delegates.
In this broad topic there are a few angles to cover:
- The identification of organisations;
- How organisations can be guardians themselves;
- Guardianship as a differentiator for organisations;
- Identifying people who work in organisations and what they are allowed to do;
- Supporting online transactions and removing fraud, risk and inefficiencies – using verifiable credentials and decentralised interactions.
The difference between guardianship and delegation (and the closely related topic of thing control) was a huge topic in the Sovrin Guardianship Task Force whitepaper in 2019 and kept becoming a big topic for the Working Group that put together the Requirements Specification and Implementation Guideline in 2020. Whilst we’re focusing on guardianship, the topic of delegation and role allocation can become blurred when talking about organisations. We’ll try to unravel this later in the article.
Why this is important… for Organisations
- Guardianship is an essential part of our lives, yet is scarcely recognised online.
- Organisations need to act as guardians too and we need trust in dealing with them online.
- Online recognition of guardianship arrangements creates new opportunities for trusted, valuable relationships and addresses poor experiences, exclusion and fraud.
What we can do to make it happen
- Get the right people together. We need a diverse group with broad experiences and skills, not just technologists, to review the existing guardianship processes and how well they translate to a digital future for the good of all.
- Design the right form of digital guardianship. To “make digital guardianship better” we need to align with and enhance existing physical processes and let digital and physical solutions work together or separately.
How we can learn more
- Read the guardianship documents (start with the Implementation Guidelines).
- Ask Jo or John to see how we can move to a better, safer, more trustworthy digital Guardianship.
I’m an organisation, trust me!
Enhancing trust in an organisation is good for all concerned. We deal with organisations in the physical and digital worlds when we buy things, get them to do things for us and when they act on our behalf. Organisations can be legal, financial, commercial, etc., from massive conglomerates, down to a single person operator. It’s essential that we can trust them and the people that work for them every time we need to.
Online, organisations can be one thing, but are typically multiple separate entities, operating separately with organisational structures and people which are different and constantly changing. When dealing with organisations, we need to know that:
- The organisation is the organisation that we expect to be dealing with – says who? Says a trusted source such as a company regulator, identity registry, government etc.;
- The information presented by the organisation is theirs and has not been invented. This could be as mundane as business numbers (e.g. ABN/ACN in Australia – needed for doing business and filling in forms), bank account details or the names of the directors and other formal officers;
- The person we’re connecting with is a delegated officer of the organisation, and they are allowed to be doing what they are talking to you about – salesperson, support staff, etc. Online and physical scams would be massively reduced, if we were able to check this with certainty, in real-time.
Organisations also need to be known by other organisations for business-to-business interactions of all sorts (suppliers, partners, networks…). Going back to the financial perspective of a previous article in this series, this turns the typical know-your-customer (KYC) into a know-your-business (KYB) scenario (even though businesses are customers too). From a purely payments perspective for example:
- Knowing and ensuring that the right person is making and authorising payments (with access to the account to be debited and the authority to approve the payment value) is even more critical with the advent of real-time payments;
- Being certain that you’re paying the correct organisation, their account information is owned by them and is current, would remove the opportunity for Authorised Push Payment (APP) fraud;
- Being able to check at each point in the payments process that the specific organisations or people involved have been through KYC or are sanctioned would remove the uncertainty and false-positive scenarios.
So, being able to trust who’s who and the information used in an online or physical interaction removes uncertainty, and seriously reduces fraud opportunities and process inefficiencies. Let’s have a look at how we can enable this efficiently.
Organisational Verifiable Credentials
Creating a trusted ecosystem requires a trust framework that puts in place considerations and standards that help coordinate identification mechanisms and the use of the information in digital and physical scenarios. Countries come at this in different ways. Arguably the most active and developed of these at the moment is Canada, with the government looking to define a trust ecosystem underpinned by global standards and interoperable, privacy preserving solutions. The Pan-Canadian Trust Framework provides the structure for government and commercial considerations that will enable trust between people, organisations and even things.
In the same way that people have physical or digital credentials, organisations should have credentials that identify who they are, identify things about them and information that makes them better and easier to deal with online. At present, most of our online organisation verification relies upon the certificate issued by a Certificate Authority (CA) that enables more secure web browsing (SSL/TLS). That certificate confirms that the organisation has obtained a certificate from a CA, but little else beyond that; it doesn’t prove that they are a bank, university or government, for example.
On the other hand, W3C Verifiable Credentials (VCs) can be issued by other trusted authorities (not just CAs), such as regulators, government agencies (e.g. tax office) or any other registry (e.g. directorship registration) such that the organisation can share and prove their information digitally.
Using that verifiable recognition, the organisation can issue credentials to their staff that reflect their role(s), rights and duties – a delegation of authority that can be verified as having been issued by the organisation. The combination of the verifiable organisation identity and verifiable delegation credentials provides the trust required for staff activity.
Organisations traditionally identify customers and staff using Identity and Access Management (IAM) solutions. These, combined with single sign-on solutions, work well at identifying the staff inside their own organisation’s digital environment. But this approach is useless for identifying these people outside of the organisation and has serious limitations in the sharing of associated data. A number of specialist global solution providers have evolved traditional models of IAM to support VCs, using VCs to provide the flexibility, access and technical resilience required for large and complex ecosystems.
Organisational Identifiers and Registries
All ecosystems (national, regional and international jurisdictions) require registries of organisations that are known within the ecosystem. Each provider of these lists uses their own identifier and manages the definition of the organisation in their own terms. For example, the tax office tends to be a trusted source and the identifier provided would be a business tax number. In Australia, the company identifiers are either an Australian Business Number (ABN) or an Australian Company Number (ACN), managed by the Australian Business Register (ABR).
That works for national identifiers, but there are a large number of identifiers that exist for identification processes across borders. Two of many such examples in the financial world are the:
- Legal Entity Identifier (LEI), used for payments and other digital messaging and governed by the Global LEI Foundation (GLEIF);
- SWIFT Business Identifier Code (BIC), used for identifying banks and the like for international payments and messaging over the SWIFT network.
The LEI can be used in a number of ways in digital interactions. To enhance trust, authenticity and usage flexibility, GLEIF has recently announced the introduction of the verifiable LEI, a VC that can be verified globally and offline. This GLEIF initiative points at the global transition to VCs for the digital enablement of all sorts of identifiers and other trusted data.
Organisations as Guardians
It’s not common that an organisation needs to be a person’s guardian, or more specifically, is seen to be a person’s guardian in digital scenarios. It’s more often that organisations need to understand people as guardians. However, in some difficult and sensitive scenarios, organisations need to provide guardianship support for people. These can include:
- Government agencies taking responsibility for children in care;
- NGOs supporting refugees who have no other identifying credentials.
As part of the work in identifying solution requirements in the use of Verifiable Credentials (VCs) for guardianship, we assumed that VCs are allocated to each party to the arrangement, the dependent and each guardian, as part of establishing the guardianship arrangement through the jurisdiction’s defined process. If an organisation has the responsibility of being a guardian, it’s reasonable (following that logic) to assume that the organisation will hold its own credentials as a guardian. However, whilst the legal responsibility may be with the organisation (government agency, NGO etc.), it’s rarely the organisation itself that acts on behalf of the dependent. For that, the guardian organisation may delegate roles and responsibilities to one or many members of staff to carry out the day-to-day support of the dependent. The delegation of a guardianship responsibility can similarly be reflected by the VC provided to the staff member, whilst the guardianship role is not relinquished by the organisation. In that way, the delegated authority can be spread to various delegates and each delegate can have their own VC which stipulates their individual rights and duties.
As you can imagine, these relationships and responsibilities can become fragmented and complicated, and the interactions need to refer back to the underlying guardianship arrangement. The power of VCs is significant, but it could be that the better approach is to use complementary technologies, such as smart contracts underpinned by VC trusted data, to reflect complex arrangements. VCs can then be used for the authentication of decentralised interactions that reflect the broader contract.
There’s certainly more work to be done and concepts to be proven in these scenarios.
Is Delegation the same thing as Guardianship?
The distinction between delegation and guardianship has been a hot topic of discussion amongst the Sovrin Guardianship Task Force and Working Group from 2018 onwards. It’s often confusing. Verifiable delegation is often necessary for trusted identification in digital interactions, and would provide massive benefits in addressing online fraud. Both Guardianship and Delegation point to a relationship between two actors and the requirements from a technical perspective may be the same. But, to date, the Working Group has focused on the scenarios and special considerations for people and organisational guardianship (thinking that delegation was a simplified scenario of guardianship).
Organisations delegate roles, rights and duties to members of staff – the basis for access / authority management. Where a delegation role is required, a VC issued by the organisation can specifically identify which actions, rights and duties are delegated to an employee (similar to guardianship rights and duties in a guardianship arrangement). The organisation would be the Issuer and the staff member would be the Holder.
With organisations as customers, having to reflect organisational structure, user membership and ever-changing access rights is a nightmare for banks and other online service providers. An online user (noting the distinction between a customer, the organisation, and the user who’s their delegate) should be able to prove that they have the ability to do what they are requesting to do, without having to understand the organisational structure of the organisation.
So staff can be authorised to have roles and responsibilities. The interesting scenario in the work of the Guardianship Working Group was the consideration of “Mya”, a young refugee. In this use case, Julia is allocated Mya’s care in the refugee camp and you would assume that others can be an alternative delegate for Mya’s care at the same time or subsequently, without changing the fundamental responsibility for the NGO as Mya’s guardian. By combining the proof of responsibility for Mya’s care to include both the guardianship definition and the delegation VCs, the chain of trust can be ensured and any revocation would invalidate the verification process in real-time.
Guardianship – a Differentiator for Organisations
In a previous article looking at Guardianship and People, we discussed how sensitive life and death events were very badly handled by society and online organisations. Lasting powers of attorney, will executor and other supporting roles are not easily reflected into the customer-provider relationship and used to improve the user experience or back-office activities.
Feedback from the publication of that article was overwhelming agreement that guardianship was really badly handled by online businesses, especially when it came to financial services (banks, insurance providers, pension schemes etc.). The need for online trust meant that fractured and inefficient physical processes were exacerbated by the need to interact digitally.
The most interesting reader’s suggestion was that handling guardianship better would be a massive business differentiator. If you think about it, a significant sector of customers and their responsible agents are put off or won over by the experience in these trying situations. Those customers requiring guardianship are typically the most “mature”, profitable, complicated and long-standing ones. A negative experience for their guardians is unlikely to enamour them to the service provider, leading to the immortal words “I’d never use or suggest anyone uses that bank ever again”. If we were to look at this in a positive way, handling guardianship and even the combination of multiple guardianship scenarios is an opportunity for a service offering, capable of massively differentiating a service provider at a most critical event. Food for thought in a massively competitive ecosystem…
Organisation Guardianship of Other Organisations – is this a thing?
So, in the Sovrin Guardianship Working Group, we tried to break the model of Verifiable Credentials or at least push it to a natural limit. We asked the question, “can an organisation be the guardian of another organisation?”
If you think about it, guardianship of organisations could be said to occur as mergers or acquisitions take place or where organisations need to be looked after by an “administrator”. The liability for the actions of the dependent organisation could be said to be owned by the guardians.
It was a great discussion, and whilst the model of issuing and using VCs could support the issuance and use of organisation-to-organisation guardianship relationships, I don’t think we’ve settled on whether this is a sensible use case for VCs (or whether it would be better to just issue new credentials for the controlling organisation). But in principle, the SSI model of VC-based relationships certainly supports these situations.
Let’s give it a go…
The Sovrin Guardianship Working Group has provided a basis to move ahead with the use of Verifiable Credentials underpinned by W3C standards. We’re convinced that this can support the secure and trusted process to support guardianship. We’d love to show you how you can make it simpler and better for your customers, differentiating your offerings and services to support those involved in sensitive life-events and situations.