‘Digital identity passports for companies?’ Vespia’s flaming RegTech revolution

June 22, 2022

by Blessing Oyetunde

Co-author and postgraduate student

Did you know there are 213.65 million companies worldwide? So how can one be sure that all businesses and organisations being onboarded to one’s company are legitimate ventures, and not financial crime fronts or linked with fraudulent activities, intentionally or not? It was hard, almost impossible, until Vespia and other revolutionising RegTech startups sprang up.

Established in 2020 by former Veriff founding member and RegTech evangelist Julia Ront, Vespia is an innovative AI-powered tool for verifying and onboarding businesses. Upon initiation, the platform quickly scans through over 4000 AML databases and the commercial registers of 300 jurisdictions, providing real-time information on the searched company as well as further recommendations. With the tool, businesses can check various information and data such as AML, beneficial owners (UBOs), ownership structures, and adverse media. 

According to Mike Tiffin, Vespia’s business development manager, “identity verification is now straightforward. You take a picture, complete one or two other processes, and you’re done. But it wasn’t always like that. So, what Vespia is doing is similar; making business verification smooth and helping businesses onboard quicker, faster, and easier.” “We’re in the process of becoming the standard for Knowing Your Business (KYB),” Julia added.

Business verification in 30 seconds

Business verification has always been challenging, whether conducting business locally or internationally. Varying jurisdictions with differing regulations and data formats, unclear compliance guidelines, missing, unreliable databases, and lengthy business verification durations were some of the challenges Vespia noticed when they decided to revolutionise the terrain. “The traditional way of doing business verification is that you spend anything from a week to maybe four months to six months researching the companies you intend to onboard. There are some tools you can use here and there to check sanctions and to do identity verification. But there are also limitations; you need to combine different tools and access different databases,” Julia pointed out.

“Aside from that, you actually need to communicate with the businesses, back and forth emailing, ‘send us this document. Oh, not this document, a new one’ even before the verification. But with Vespia, you can do all that fully automated, and we cover all aspects of the business verification process in one place,” she continued. According to her, the traditional way of doing business verification takes a lot of time, but Vespia does it in 30 seconds. The average cost is anything from 150 to 20,000 euros; 20,000 euros! if you hire an auditing team to do it. Meanwhile, Vespia is 37 times cheaper.

A nimble frame for convenience

Modular platforms offer the best access to flexibility and adaptability in this era so characterised by disruption and unpredictability, and most businesses won’t settle for less. With this in mind, Vespia was designed to be as agile as possible to meet the needs of users. Companies can verify their customers using Vespia’s one-click business verification dashboard or by integrating it with their existing systems.

“We built Vespia in a modular way so you can switch certain modules off as you want and build your own flow. Another thing is that many companies are already using something for AML, maybe for their sanctions lists or identity verification. We saw that it’s a huge pain for many companies to switch because they have already committed to some programme and need to wait for that contract to end before switching. But with us, you don’t need to switch. We can integrate it with your existing system; we can turn certain things off, and we can rearrange it,” Julia stated.

The global business register

She highlighted that one of the biggest challenges they faced while setting up Vespia was the many existing gaps regarding company profiles and data. These gaps ended up spurring the Vespia global business register, which is to be a digital house for verified profiles of companies all around the world. “We saw that the existing registers and databases are lacking data. Meanwhile, companies are not motivated to provide ample information there either. So we are building this new system, where we want to include the companies in the verification process and let them earn rewards for providing more data on their profiles.” 

She also explained that aside from the companies wanting to do the onboarding, the current system is just as unfavourable and inconvenient for the companies wishing to be onboarded. To this end, they want to issue digital identity passports to companies, something they can readily show wherever and whenever there’s a need for verification. Furthermore, Julia pointed out that currently, businesses never know who is viewing their profile. But with the digital identity, they would be able to monitor and control the visibility and accessibility of their data. The financing from their seed round closing in August will be towards developing these solutions. “The seed is between 3-5 million, and we already have some committed investors, but there is still room for more angels,” she disclosed.

Always on the improvement and collaboration watch

Like any forward-looking business, Vespia is keen on constant improvement and innovation, whether through in-house product development or partnerships. Julia disclosed that they have numerous requests from clients wanting them to introduce some specific features and solutions, and they are open to them. Likewise, she expressed their interest in collaborating with KYC solution providers. “We’re already working with a few solutions partners but always open to expanding that. We actually would like to cooperate with KYC solutions providers because it takes a lot of resources to build a business verification solution,” she said.

Mike also noted that he hopes more Estonian companies collaborate. “Everyone has a slightly different speciality. Salv is very much into transactions and a lot of intelligence and big data, mainly dealing with bigger financial institutions. Veriff is into identity verification and does that really well. But actually, if we collaborate, and this is something I wish Estonian companies would do more of because together we are stronger, we’ll achieve much more.”

Where’s RegTech headed?

Vespia is disrupting RegTech, an industry still trying to come out of the shadow of its older and more famous sibling, FinTech. Probably now, RegTech might start receiving the attention it truly deserves. Julia does see great potential here. According to her, “At Vespia, we see RegTech becoming more than just about anti-money laundering and more about trust in numerous sectors. We see it expanding to other sectors and coming out of the shadow of FinTech and finance in general.” That carries weight because, according to ReportLinker, the global RegTech market size is expected to reach $22.3 billion by 2027.

Julia noted that although there has yet to be anything incredibly revolutionary in RegTech, they plan to change that. “We at Vespia are preparing to become that big thing here,” she stated. Meanwhile, their heart is in the right place too. “Small businesses and startups are usually of small teams and often don’t have a compliance department or people who fully understand compliance. We are striving to make compliance smooth and uncomplicated for them,” she stated.


Resource: e-estonia

Estonia outranks most of the world in Global Cybersecurity Index

June 15, 2022

by Peeter Vihma

As war thunders in Europe, threats in cyberspace are also on the rise. Nations worldwide are ramping up their cyber security capabilities. According to the National Cyber Security Index (NCSI), Estonia does better in cyber security than most of the world. Estonia’s index of 90.91 is 48 percentage points above the world’s average and 17 points better than the European average. Estonia is also highly ranked in the ITU Global Cybersecurity Index, holding 3rd place in the world.

In the NCSI, the 15 Eastern European countries are doing well. Their average (50.82) is almost 20% higher than the global cybersecurity index average (42.71). Four of them – Estonia, Lithuania, Latvia and Ukraine – rank exceptionally high. Lithuania, with a score of 93.51, is first of the group, and Estonia is second. These two countries’ cybersecurity scores are higher than those of Australia, France, Canada, the US, the UK, and Russia.

The reasons? To start with, cybersecurity becomes important when a country is dependent on many digital tools. Countries with paper bureaucracies do not need to deal with this. But the main motivation comes from fighting off Russian cyber threats for decades. An aggressive neighbour forces a country to take cybersecurity seriously and to allocate funds and attention.

Russia itself does not have particularly high cyber defences (71.43, 2.5% lower than the European average), but they are still comparable to those of Singapore, Austria, Israel and Japan. And its defences are being tested, especially since Russia invaded Ukraine in 2022. It has experienced a 136% spike in data breaches, with close to 3.6 million internet users affected.

History of cyber warfare

Estonia was one of the first to come under attack from the modern form of hybrid warfare by Russia 15 years ago. Using the removal of a military memorial from the centre of Tallinn, Estonia’s capital, in 2007 as an excuse, Russia instigated riots among Estonia’s Russian-speaking minority. 150 people were injured and one killed. Russia also launched a cyber operation that later became colloquially known as Cyber War One. For several weeks, Estonia was targeted with repeated distributed denial of service (DDoS) attacks.

Ever since, Russian hackers have targeted governmental bodies, military, and infrastructure with the full arsenal of tools, from phishing to DDoS attacks and malware. The high ranking in the index shows that, as a response, Estonia has developed robust cybersecurity defences. As during Cyber War One, both government-related and private sector defence mechanisms generally worked against later attacks as well.

Cyber Defence League – model to follow?

Besides triggering state-led initiatives, one fundamental outcome of the 2007 incident and the security reassessment that followed was the creation of the Estonian Cyber Defence League (CDL) as a component of the Estonian Defence League (a volunteer defence organization, something similar to the US National Guard or Peace Corps).

At first, two smaller units were created as a bottom-up initiative. In 2011, these units were reformed as the CDL. The League consists of volunteers, often leading IT experts, who donate their time by preparing for cyberattacks.

The strengths of this kind of engagement are two-fold: while it allows flexible engagement alongside regular duties and thus attracts a wide range of specialists, it is still part of the military chain of command and can thus be easily involved in missions and training exercises.

A recent article in “Studies in Conflict and Terrorism” analysed whether such a model would be useful and applicable for the US. A shortage of skilled professionals and a gap between needs and resources due to austerity measures are among the challenges in developing US cyber defence capabilities.

The article found that while there are obvious difficulties due to size and cultural differences between the countries, this kind of volunteer yet military way of organizing does indeed have great potential. It can build on existing engagement of civilians in defence at the federal and state level, such as Code Corps working with the New York City Mayor’s Office that helped with the aftermath of Hurricane Sandy, or cybersecurity units at the National Guards of some states.

Measuring cyber security capabilities can help develop them

As reliance on digital services increases, so do the associated risks. Measuring cyber security capacity is becoming more important in assessing vulnerabilities. NCSI, the index referenced here, is not the only cybersecurity index in the world. One of the most widely used is the ITU Global Cybersecurity Index. However, the NCSI index, developed by the Estonian e-Government Academy in 2016, is significantly more transparent.

“Countries received regular information about their place in the ITU rankings. But ITU does not disclose on the basis of what information or whose assessment such a place arose. This does not allow reflexive development of capacity,” commented Epp Maaten, Programme Director of Cyber Security.

According to Ms Maaten, the principle of NCSI has been to create an open database of key indicators that anyone can check. In this way, the NCSI database becomes study material for all countries that want to study practices elsewhere and understand how their own capabilities are growing.

The methodology of NCSI is to identify the threats a country faces and the corresponding security measures it takes. The index consists of groupings of values given to legislation, organizations, cooperation formats and outcomes of these parts in defending against cyberattacks.

Resource: e-estonia

Estonia – a fully digitised nation

Post date: June 3, 2022

The former president of Estonia, Toomas Hendrik Ilves, discusses the benefits of full governmental digitisation in his country with world-renowned journalist Charlie Rose.

We transcribed the interview below:

Charlie Rose

If you look at Estonia today, I mean, the government is online.

Toomas Hendrik Ilves

Well, there are three things you cannot do in Estonia online. [After the Covid pandemic era, only two public services remain – getting married and divorced – that require a physical presence. – e-Estonia.] You can’t get married online, you can’t get divorced online. You have to show up for both events. And finally, which is also important for New York City and Miami, and London, is that you cannot do transfers of real property or real estate online. You have to show up, we don’t allow anonymous shell companies to be beneficiary owners, so you don’t end up with Russian mafiosi buying apartments in Trump Tower, which, in fact, has happened. We need to know in my country who’s buying property.

Charlie Rose

But you can do all these other things… I mean, you can do your medicine, and you can do education, and you can do your taxes. And you can do all these government functions, which makes the government more efficient and makes the government more responsive and makes the government more modern, and

Toomas Hendrik Ilves

And far less corrupt. One of the least corrupt countries now in the world, which, especially for a former communist country, is quite the accomplishment.

Charlie Rose

So that means that Estonia, today, is one of the most advanced digitised countries in the world?

Toomas Hendrik Ilves

Yes.

Charlie Rose

Compared with…I would assume South Korea?

Toomas Hendrik Ilves

South Korea, though they’re not very advanced in services. Singapore, probably

Charlie Rose

Singapore – a city-state.

Toomas Hendrik Ilves

Yeah.

Charlie Rose

But everybody can be what Singapore and Estonia are.

Toomas Hendrik Ilves

Yes, but these are never tech questions. These are always questions of political will.

Charlie Rose

Right. Just political will?

Toomas Hendrik Ilves

95%, if not more political will because

Charlie Rose

What will be the resistance?

Toomas Hendrik Ilves

Well, for example, you do need a secure and unique digital identity for this to work. I mean, if you recall 1993, there was this great cartoon in the New Yorker where one dog says to the other, ‘on the internet, no one knows you’re a dog’.

Charlie Rose

Well, that’s the problem

Toomas Hendrik Ilves

The problem is that in order to have a safe internet, no one should be able to spoof you or rather be you. Or you should know that the government needs to know you are you and you need to know the government is sending you something that is really from the government. And so that is the first sine qua non. It’s having security… secure and unique, everything requires two-factor authentication, which is something you have and something you know… put together, like a chip card and a code. And then you need to have a distributed architecture, which means things are they’re not all in one database, which leads to

Charlie Rose

Has led, especially in the United States, to complete and utter disasters, where some foreign country sucks out all records of all US federal employees. Has happened in 2015.

Charlie Rose

But how do you put all the advantages of a digitised nation into the current controversy about disinformation? President Obama has been speaking out on that. Facebook has been answering questions about that for several years now. We’ve had hacking going crazy, in terms of nation-states doing it.

Toomas Hendrik Ilves

Well, the hacking part is what we are especially robust in… defending all government services. So that part’s easy. Disinformation actually doesn’t relate directly to the digitalization of the country. We are fairly

Charlie Rose

But it gives you the power to do it, does it not?

Toomas Hendrik Ilves

Well, I mean we’re also number one in the world in internet freedom so we don’t interfere at all and we are number five in the world in the freedom of the press and the US is like 36 or something. So we’re doing fairly well on that. We don’t interfere in those things, but we do monitor very carefully what is done and make public when there is this information. Which is… I mean that’s what we do. We have not had too many cases of anyone really taking seriously political disinformation. It’s been a little worse with vaccinations but that’s not country-specific. People read all kinds of stuff.

Charlie Rose

But it is internet-specific

Toomas Hendrik Ilves

It is internet specific. But whereas… I mean, disinformation about your country, about something happening there

Charlie Rose

Conspiracy theories coming from everywhere

Toomas Hendrik Ilves

Right. I mean, so you can read an American anti-vaxxer page and get your whatever theories there. Whereas I mean, making up stories about what’s going on in Estonia is very country-specific. And those things we counter and say, well, this is disinformation.

Charlie Rose

Did Russia attack… Estonia?

Toomas Hendrik Ilves

Yes. I mean digitally.

Charlie Rose

Yes.

Toomas Hendrik Ilves

Yes. In 2007, 15 years ago, more or less this week. We were subject to massive cyber attacks, they were

Charlie Rose

To shut down the country

Toomas Hendrik Ilves

Correct! They were… The key thing to understand is that these are called DDoS or distributed denial of service attacks. And the way they work is you overload servers so they can’t respond anymore. So government sites, newspapers, banks, and most importantly, we’re unable to function. And this was… Well, I characterise it as that it was the first public state on state attack, which means digital attack, which qualifies it according to von Clausewitz, as the continuation of policy by other means. So you-

Charlie Rose

I read his theories on war.

Toomas Hendrik Ilves

Right. So what’s the definition of war? And basically, most history books now, already, it’s been enough time when writing about cyber issues say, well, the first place this anything was actually done in a sort of hostile way, is Estonia. Clearly, there had been hacking for years before that. But that was always sub rosa. No one really… We know afterward that in 1999, the Russians hacked into the Defense Department. But they didn’t announce it at the time. Later on, we found out there was this attack, even had its own name, wound-like mile, and… all that came out later. But this was… in real-time things are shut down.

Charlie Rose

And how bad was it?

Toomas Hendrik Ilves

Bad!

Charlie Rose

What did you learn from it?

Toomas Hendrik Ilves

That we have to have much more robust defences than we had and since then, we have come under considerable attack, but it has not shut anything down. And, we, in fact, have helped a number of countries including Ukraine in the past seven years, eight years. When they come under this kind of attack, we have ameliorating measures that can be taken so that in fact, if servers are being overloaded, you can shift some of the traffic somewhere else. So we host so-called mirror sites, so people in Ukraine can continue to use the internet or say, their banking or something like that. And there have been huge numbers of those kinds of attacks ever since 2007, in Estonia, and some of them have been quite huge elsewhere. But we have not suffered from one after that.

Charlie Rose

But are you advising the Ukrainians today as to how to resist that if, in fact, the Russians, who are the aggressors here, tend to use it as a weapon of war?

Toomas Hendrik Ilves

Well, there are many things you can do online, and this is one of them. And so we help with that. But also for example, when the Russians shut down the electrical grid in a number of bigger areas in Ukraine in 2015, our cybersecurity people went immediately down there to advise them. And I mean since that time, we have been hosting the NATO Centre of Excellence for Cyber Defense.

📺 Watch the full episode at charlierose.com.

Resource: e-estonia

KSI blockchain provides truth over trust

June 2, 2022

by Indrek Mäe

for “Life in Estonia” magazine

Integrity, accountability, and authenticity are among the key characteristics required from information and data exchange in all fields of activity today. A unique data integrity solution is offered by the KSI blockchain, developed in Estonia, which can be set up to cover a range of products and services in cloud technology, cyber security, healthcare, finance, and much more to advance digitalisation and adoption of emerging technologies with full assurance.

“The KSI blockchain was invented to replace trust between people with digital truth. It is our mission to make the information that moves around the world totally reliable,” says Silver Kelk, Business Development Manager at Guardtime, a firm that was founded in Tallinn and is today active in Switzerland, the USA as well as the EU.

More specifically, the KSI blockchain makes it possible to cryptographically prove the correctness of data and information moving in networks and systems. With this task, the KSI Blockchain has held a critical role in the e-Estonia framework. “Our technology provides a long-term and easily consumable mathematical proof that everything is safe and correct, even across huge data flows and the most complex digital value chains.”

Used in multiple fields

Kelk explains that Guardtime’s proprietary KSI blockchain has been used in multiple fields. Over the past 15 years, the deep-tech, research-oriented company has built multiple services and products on top of the KSI blockchain. “We have a horizontally applicable technology that brings the unlimited potential for cybersecurity and process verification in governmental, healthcare, finance, supply chain, and other sectors. Over the past decade, we have built sector-specific products on that platform,” says Kelk.

Since 2020, the KSI Blockchain has also been accredited as the first blockchain-based trust service under the eIDAS regulation, giving it legal power in the EU, if required in a lawsuit. But even more importantly, eIDAS certification has been a major milestone for Estonian blockchain technology as recognition and proof of its indisputable security.

A value-adding technological component

Guardtime’s journey has always been driven by the goal of blockchain utility – making it a truly value-adding technological component in contemporary digital systems. Today, this need is higher than ever. “Scalability issues, as well as limited transaction throughputs and speed, have been major issues related to the adoption of blockchain globally. Our technology design goal has been to eliminate them,” explains Kelk. To meet this goal, Guardtime has grown to be one of the leading technology innovation hubs in the region, investing continually in core cryptography research and inventing solutions to serve the needs of the future.

A typical route to market is long and difficult, except in Estonia

Such a business strategy has not been the easiest to pull off. “While we were very fortunate to get the Estonian government on board from the very early days of Guardtime, typically the route to market for many of our blockchain-based solutions has been long and difficult.” Typically, for emerging technologies, the challenge comes from the market’s readiness and incentives to push innovation adoption. Guardtime has been balancing between validated use-cases and the next innovation projects. Their current lead tracks, with some of the most demanding clients on earth, have taken many long years to actually become sustainable businesses, but this has paved solid ground and unique positioning for their next big targets globally.

Today, the technological maturity and the wide range of opportunities for the KSI blockchain are confirmed by Guardtime’s customer base from very different fields. For example, KSI blockchain-related services are implemented by the US telecom company Verizon, pharmaceutical companies Roche and AstraZeneca, scientific organisations European Space Agency, defence industry group Lockheed Martin, financial actors such as SEB Bank, and the governments of many countries, including Estonia and the Netherlands.

The era of digital sovereignty and continuous compliance

According to Kelk, one of the core values of the KSI blockchain is the ability to verify and monitor digital processes across huge data volumes and complex systems. “An increasing number of our everyday actions leave a digital trail, a log recording of who did what and when,” he explains. “Those systems that back our societies and services can be monitored against specified rules, i.e. approved configurations and defined process steps in case of cyberattacks, disputes, or system malfunctions.”

One of Guardtime’s latest solutions, the TrueTrail product, is an example of further development from the KSI Blockchain. TrueTrail enables monitoring audit trails as a whole and provides heightened situational awareness of the state of underlying systems. “TrueTrail enables organisations to streamline compliance reporting, handle disputes, and maintain true situational awareness,” claims the product introduction. TrueTrail integrates with existing audit trail management and security information systems to give stakeholders full trust in critical operations and their underlying data. The first TrueTrail integrations have been in state infrastructure and the banking sector, which is driven by stricter compliance and security regulations.

The new model for cybersecurity assurance

However, the desire for trusted and verifiable processes commonly comes from the organisations themselves, rather than from regulations. Thus, Guardtime’s technology shows its strength when it comes to assessing whether customer data is properly protected: whether the control systems are working as defined in service level agreements, and whether every involved user has the appropriate rights to use the system. Although so-called old-school audits also make it possible to verify those points, they remain too static and limited to support modern solutions. Any changes made in the period between two audits, and whether the system corresponded to requirements during that period, will not be detected. Traditional monitoring audits do not provide assurance that the systems were not made compliant with the requirements only for the time of the audit, whilst, with KSI blockchain-based tools, clients can detect unauthorised changes made in the system in real-time. “We see this as a part of the new model for cybersecurity assurance and information systems auditing. The world is starting to adopt continuous compliance models,” affirms Kelk.

Trust for cloud consumers

Another trend that Guardtime’s technology addresses is the push for digital sovereignty – a term that is, especially in Europe, often heard in the context of public cloud adoption. Kelk gives an example: “If the Estonian healthcare or governmental institutions move their digital infrastructure into the cloud, they face a new environment that is, to a large degree, controlled by the cloud service provider (CSP), typically one such as Microsoft, Amazon, or Google. And this is good since these environments are the best to support further digitalisation. But it also creates a new model for accountability and transparency.” Past years have shown that when we deal with sensitive data and critical processes, some customers require advanced tools for monitoring these new environments. Without such guarantees, cloud adoption could be hindered or just turned into much more expensive private cloud projects with a lot of overregulation. A solution for overregulation and inefficiency, which derive from the lack of trust, could come from independent oversight of cloud service providers’ processes – e.g. improved means of verifying data residency demands or detecting any misconfigurations. In other words – cryptographically provable truth.

“Guardtime’s TrueTrail solution protects and monitors logs and processes independently from the CSPs, which means that even if the cloud providers wanted to, they would not be able to present partial or selected data, or manipulate any audit trails to cover some mistakes,” explains one of the typical use cases for the KSI blockchain. In essence, this means that whereas today the control of data and information movement belongs to the cloud providers, with the KSI blockchain it is possible to independently check the information reported by them.

Tracking human mistakes

In addition, Guardtime’s solutions enable tracking human mistakes that lead to data loss. “People often make mistakes, unintentionally. Applications are frequently configured incorrectly and this might lead to severe system vulnerabilities, sensitive data compromises, and non-compliance with regulations. This is why you need a security network that reports quickly when something goes wrong,” explains Kelk. With the help of KSI Blockchain-based solutions, the reporting time from a misconfiguration to an alert can be reduced from the current 5-10 minutes to near-real-time. In the cloud security world, such independent oversight and rapid reporting is a big step forward.

Oriented to collaboration and partnerships

Growing digitalisation, as well as the related digital threats, continue to be fuel for Guardtime’s success. As a research and innovation-oriented company, Guardtime strives to align its core technology and new solutions with emerging trends. From AI to digital payments, from e-governance to the backbone of WEB3 and tokenisation, Guardtime’s blockchain technology provides a great outlook for the following years. Valuing its Estonian roots and retaining all key research and engineering capabilities in Tallinn and Tartu, Guardtime pursues business opportunities globally. In partnership with other technology companies and world-leading enterprises, as well as with growing developer communities in the WEB3 and crypto space, Guardtime’s business model remains tied to collaboration and joint product commercialisation. “Definitely, our doors are open. Estonia and Guardtime were the pioneers in blockchain adoption already a while ago, but we are ready to show that we all have been just in day one of blockchain technology. The next years will be very interesting.”


Resource: e-estonia