Data-Driven Company Registry — Guidance Note

© 2022 International Bank for Reconstruction and Development / The World Bank
1818 H Street NW Washington DC 20433
Telephone: 202-473-1000
Internet: www.worldbank.org

This work is a product of the staff of The World Bank with external contributions. The findings, interpretations, and conclusions expressed in this work do not necessarily reflect the views of The World Bank, its Board of Executive Directors, or the governments they represent. The World Bank does not guarantee the accuracy, completeness, or currency of the data included in this work and does not assume responsibility for any errors, omissions, or discrepancies in the information, or liability with respect to the use of or failure to use the information, methods, processes, or conclusions set forth. The boundaries, colors, denominations, and other information shown on any map in this work do not imply any judgment on the part of The World Bank concerning the legal status of any territory or the endorsement or acceptance of such boundaries. Nothing herein shall constitute or be construed or considered to be a limitation upon or waiver of the privileges and immunities of The World Bank, all of which are specifically reserved.

Rights and Permissions

The material in this work is subject to copyright. Because The World Bank encourages dissemination of its knowledge, this work may be reproduced, in whole or in part, for noncommercial purposes as long as full attribution to this work is given. Any queries on rights and licenses, including subsidiary rights, should be addressed to the Office of the Publisher, The World Bank Group, 1818 H Street NW, Washington, DC 20433, USA; fax: 202-522-2422; e-mail: pubrights@worldbank.org.

Acknowledgments

The development of this work was led by Goran Vranic (Senior Private Sector Specialist) as author and Gabriel Martin Hernandez (Consultant) as co-author.
The work was done under the general guidance and supervision of Asya Akhlaque (Practice Manager, Investment Climate Unit) and Sylvia Solf (Senior Private Sector Specialist, Investment Climate Unit). The case studies in Appendix 1 were based on the webinars on the use of emerging technologies for company registration delivered by the World Bank Group for Argentina, Cordoba company registry. The authors would like to thank Ernesto Franco-Temple (Senior Operations Officer) and Jessica Michelle Victor (Consultant) for their support in organizing the webinars, and Gerasimos Georgopoulos (Head of Company Law & Greek Business Register) and Carsten Ingerslev (Head of Advanced Analytics, Smart Government and Virk.dk at Danish Business Authority) for their presentations and inputs. The authors are grateful for the valuable peer review comments received from Josef Gasimov (Interim Administrator, Business and Professional Licensing Administration, and Superintendent of Corporations, Corporations Division at Department of Consumer and Regulatory Affairs of District of Columbia), Markus Kimani (Operations Officer), and Yan Liu (Economist). Nguyet Minh Nguyen (Program Assistant) provided administrative assistance. Design and editing were provided by Diego Catto Val and Susan Boulanger, respectively.

Table of Contents

Executive Summary
Data-Driven Company Registry Defined
Summary of Key Policies
Key Functionalities
Transformational Roadmap
Appendix 1. Case Studies
    Denmark
        Key Policies
        Implementation Considerations
        Benefits Realized
    Greece
        Key Policies
        Implementation Considerations
        Benefits Realized
Appendix 2. Data-Driven Company Registry Functionalities

List of Acronyms

AI: Artificial intelligence
AML: Anti-money laundering
BPM: Business process management
CMM: Capability maturity model
COTS: Commercial off-the-shelf
CTF: Combating the financing of terrorism
DBA: Danish Business Authority
DCED: Donor Committee for Enterprise Development
G2B: Government to business
GSB: Government service bus
HTML: HyperText markup language
IC: Investment climate
ICT: Information and communications technology
ID: Identification
IPF: Investment policy financing
JSON: JavaScript object notation
LLC: Limited liability company
ML: Machine learning
MSME: Micro-, small-, and medium-sized enterprises
RegTech: Regulatory technology
RUP: Rational Unified Process
WBG: World Bank Group
XML: Extensible markup language

Executive Summary

The accelerated expansion of digital economy ecosystems mandates company registries to digitalize and connect to these ecosystems responding to new business dynamics. A company register belongs to a country base register and serves as the sole trusted source of information about companies.1 Through an initial company registration, a new company is born and receives a legal identity to operate in domestic and international markets.

Frontier developments in the company registration domain involve fully automated real-time company registration, integrated company registry data, and emerging technologies for predictive analytics and fraud prevention. Company registries that achieve such advanced data use can be called data-driven company registries. Results of implementing data-driven company registries include duplicating new business density along with an increase in the annual revenue of company registries. Such results and increased revenues contribute to the sustainability of transformations and allow continuous improvements.

Achieving data-driven company registries requires considerable effort to improve data management.
Traditional company registration typically enables online processes by scanning unstructured documents. The data-driven approach demands that all such documents be replaced with structured data. The first step in this process is to design the company register’s mandatory data requirements, including input data from applicants as well as shared data from other agencies, such as tax and social security authorities. The design of data requirements is followed by initial data consolidation to improve data quality and rectify the status of companies. Improving data management thus becomes a continuous task for data-driven company registries.

Some jurisdictions achieved significant automation of company registration procedures through digitalization. These approaches require minimum or no intervention from a company registrar to process applications and issue decisions on an initial registration or on registration changes. The utmost level of automation is a real-time company registration that fully eliminates any human interaction with the system by the registrar, meaning company registration cases are processed by a digital algorithm. Attaining such a level of automation requires data validation using high-quality company registry data, complementary data, and shared data exchanged between stakeholders. The real-time company registration switches the company registrar’s focus from checking and processing registration applications to continuously improving data management and AI algorithms.

Real-time company registration requires fraud prevention mechanisms. Significant levels of simplification of company registration and removal of in-person interactions require improvement in fraud prevention and detection. Company registries have become key stakeholders in anti-money laundering and in combating the financing of terrorism (AML/CFT)2.
Evolving approaches to fraud prevention require further development and integration of business databases, including general company registers data, financial accounts, registers of beneficial owners, and company ownership registers. The fraud prevention digital algorithms involve big data and the use of advanced techniques for data intelligence, including graph theory and AI/machine learning.

The digitalization of a company registry requires a seamless cross-border digital identity. Jurisdictions are looking to simplify the onboarding for digital identity and the requirements for digital signature in the company registration procedures. Making company registration accessible for domestic and foreign founders and investors has become a mandatory improvement. Recent solutions involve the use of blockchain for digital business identity and online onboarding using biometrics and AI/machine learning for identity validation.3 Furthermore, some initiatives at the regional level aim to interconnect national business registers belonging to a region, allowing business intelligence through cross-border comparability of data and improving access to information on companies in a cross-border context.4

1. “The law should provide that the business registry is established for the purposes of (a) Providing to a business an identity that is recognized by the enacting State; and (b) Receiving, storing, and making information in respect of registered businesses accessible to the public” (UNCITRAL 2019).
2. “The Danish Business Authority has the supervisory duty with the non-financial undertakings there are subject to the Anti-Money Laundering Act,” https://danishbusinessauthority.dk/money-laundering-and-terror-financing, accessed on July 15, 2022.

Data-Driven Company Registry Defined

Data-driven organizations effectively and consistently use data in their decision-making processes across all levels of the organization.
Organizations establish a data-driven culture through processes and systems to drive change and innovation, delight customers, and enhance employee productivity. Recent developments in company registries show that registry organizations embrace the data-driven model. Data-driven company registries embrace data-driven culture through regulations, procedures, and digital solutions for efficient company registry processes, trustworthy business data, and prevention of fraudulent behavior.

Company registries worldwide are beginning to exploit the value of data. Greece implemented real-time company registration that allows fully automated application processing and issues registration decisions without human intervention (Figure 1). Denmark applies advanced data intelligence to prevent and identify frauds related to company registration and annual accounts. A recent survey of the company registries of 85 jurisdictions5 shows that 55 percent of entities are funded through customer fees versus government and other funding. Several jurisdictions have achieved a significant share of revenue from commercial services based on company registry data sharing, such as bulk data sharing or annual report data sharing.6 The revenue streams from such data monetization contribute to the self-sustainability of a company registry and support investments for the continuous modernization of registry services.

3. Marusic, Vranic (2021), “Is the Self-Sovereign Digital Identity the Future Digital Business Registry?” (blog), https://blogs.worldbank.org/psd/self-sovereign-digital-identity-future-digital-business-registry.
4. The Business Registers Interconnection System (BRIS) is a joint effort by EU governments and the European Commission to share information on companies in a cross-border context (see https://e-justice.europa.eu/489/EN/business_registers__search_for_a_company_in_the_eu?clang=en). In southeastern Europe, a system called BIFIDEX (Business and Financial Data Exchange) was established to enable extensive business intelligence by combining financial and statutory information from directly connected registry sources (see https://www.bifidex.com/en/about).
5. International Association of Commercial Administrators (2021), International Business Registers Report, available at https://app.powerbi.com/view?r=eyJrIjoiOTQyMGY3ZmEtYmVkNC00ZmIwLWI3NGEtMzVlMGNkYTRlMmRlIiwidCI6IjU4Y2JkZGM0LWM3NGYtNDk1OC05ZjFiLWQzZWRiNGZmNmRlNSJ9&pageName=ReportSection.
6. Estonian Commercial Registry (RIK) established a price list for services that exploits data value. The price list is available at https://ariregister.rik.ee/est/pricelist.

Figure 1. Illustration of real-time company registration
[Figure labels: Applicant; Single application form; Data validation/AI algorithms; Data sharing with external databases and agencies; Company register; Data entries are automatically validated: registration processed without human intervention; Automatic validation cannot be done: Company Registrar decides, registration processed with human intervention.]
Source: The authors.

The table below (Table 1) shows a capability maturity model for a data-driven company registry. It shows how data is collected, transmitted, and analyzed to facilitate more efficient company registration and more accurate company data and to prevent fraudulent behavior.

Table 1. Capability maturity model (CMM) towards data-driven company registries

| | INITIAL | REPEATABLE | DEFINED | MANAGED | OPTIMIZING |
|---|---|---|---|---|---|
| DATA COLLECTION | Unstructured documents submitted for company registration | Simple application form and unstructured documents | Single application form for company registration | Single application form and standard articles of incorporation | Single application form and standard articles of incorporation |
| DATA TRANSMISSION | No data exchange | Exchange of documents (paper or scanned) | Data exchange for integrated company registration | Integrated company data warehouse through data exchange | Integrated company data warehouse/data lake allowing predictive modeling |
| DATA ANALYSIS | Simple reports (e.g., number of new registrations) | Ad hoc statistical report | Drill-down reports and alerts | Statistical analysis of company information and basic forecasting | Advanced data analytics for real-time registration and fraud prevention |

Source: The authors.

The capability maturity level ranges from initial to optimizing, while the characteristics of each level are developed based on the analyzed case studies described in Appendix 1 and the authors’ experience supporting company registry transformation. The stages are as follows:

(1) At the initial level, data is collected through unstructured documents submitted by companies to the registry; no data is exchanged between the involved stakeholders, and the analysis is rudimentary, mainly tracking the number of new companies registered.

(2) At the repeatable level, a simple, specially designed application form for company registration is submitted, still accompanied by unstructured documents, exchanged between involved stakeholders on paper or as scanned documents; the process is ad hoc and does not standardize statistical reporting.

(3) At the defined level, company registration involves a single application form with mandatory data requirements; requests from the company registry and other institutions (such as the Tax Authority) for information from applicants are not duplicated, and data in the company register is consolidated, allowing drill-down statistical reporting.

(4) At the managed level, along with a single application form, standardized articles of incorporation with minimum content are designed to allow digital processes without the use of unstructured documents. The company data warehouse is implemented by combining general company data, financial accounts, and ownership data, allowing advanced statistical reporting and basic forecasting.
(5) At the optimizing level, an advanced integrated company data warehouse or data lake is implemented, along with models allowing predictive modeling (such as graph theory or the AI/machine learning applied by the Danish Business Authority). This allows automated data validation for real-time company registration and helps prevent fraudulent behavior.

Summary of Key Policies

A crucial aspect of a data-driven company registry is interoperability between different data sources. Data quality relies on data sharing between stakeholders involved in the company registration procedure. Involved stakeholders and registers include the company registry authority, the tax authority, social security, business regulators, the natural persons register, the address register, commercial banks, and others. It is common that different administrations have their own business-related databases with different information. However, it is important that these databases be interoperable and that a mechanism be in place for sharing information between the databases. This allows real-time data validation and reduces the amount of input data required to perform the company registration.

Reducing the input data requirements to a minimum and removing data duplication simplifies company registration. A good strategy to achieve this goal is to allow a single online point of contact that initiates, processes, and completes the company registration. In this way all information is gathered and managed at the same place, simplifying the procedures. For instance, in the case of Greece, implementation of an electronic one-stop shop (e-OSS) for business registration allows real-time registration of businesses.

Another key aspect to simplify procedures is to allow articles of incorporation with minimum content.
For instance, in the case of the Danish Business Authority (DBA), registration is performed directly by saving the input forms’ information as structured data in a database, thus removing the necessity of an article of incorporation. In the case of Greece, however, the articles of incorporation were simplified, with minimum content, and an online form is used that creates the articles using the data entries. In both cases, the simplified procedures allowed real-time business registration.

A well-established framework for digital identification is also a crucial aspect of data-driven business registration. Allowing electronic signatures for digital identification promotes the use of digital means over traditional paper-based applications. Facilitating access to digital IDs with a single sign-on system accessible to everybody, including foreigners, eases wider use of the digital administration. For instance, the DBA implemented a system for foreigners that allows them to access the digital ID by applying computer vision technology using their passports. This facilitates business creation for foreigners, thus promoting foreign investment.

Unifying payments of different taxes associated with business registration into one centralized digital payment is critical to simplifying the process. A central authority may be in charge of orchestrating the payments to the different public bodies into a process transparent to the user, who will only have to pay a single, integrated administrative fee. Later, the authority in charge of orchestrating payments may distribute the integrated fee to the different administrations involved.

Reducing the constraints on business naming is another basic policy that facilitates and simplifies business registration. Complex rules for naming and prevention of trademark infringement may be out of the scope of the business register, instead requiring solution in court through litigation.
Removing these requirements from business registration simplifies the process. For instance, in the case of the Danish Business Authority, the identifier of a business is not its name, but a machine-generated identifier. In the case of Greece, a complex digital system was developed to automate validation of company names.

Starting a public-private dialogue about digital transformation is essential before taking any action. The company registries should establish working groups with leaders from the various actors and organize public consultations before drafting the Law's revisions. A good collaboration between the different actors affected is decisive in preventing strong interest group opposition that could impede the changes.

Table 2. Summary of key regulatory policies for a data-driven company registry

| Key policy | Description |
|---|---|
| 1. Mandate interoperability and data sharing between involved stakeholders | Data quality relies on data sharing between involved stakeholders in the company registration procedure. |
| 2. Authorize a single authority for initiating, processing, and completing the company registration | A single authority must be designated as the single point of contact and the authority responsible for deciding on the company registration and managing the integrated company register. |
| 3. Unify payments of administrative fees into one centralized payment | A single authority should be designated to receive a single digital and integrated payment of fees related to the company registration. |
| 4. Define minimum data requirements for the company register | All input and shared data in a company register must be clearly defined, including mandatory and optional input data, and data should be shared between the stakeholders. |
| 5. Allow free public access to company register data | The company register data should be published online and allow free searching and browsing of individual company data. |
| 6. Simplify requirements for articles of incorporation | Articles of incorporation can be standardized by defining a minimum content that will allow automated validation of data entries and avoid any attachments to applications for initial company registration or registration of changes. |
| 7. Establish an easy but secure framework for a digital ID | Lowering the requirements for digital signature and defining a single sign-on digital ID facilitates public access to the online services of a company registry. |
| 8. Implement a unique business identifier | A unique business identifier should be assigned at the initial company registration and shared across the government to facilitate interoperability and business data sharing. It allows the government and businesses to uniquely identify legal entities in various transactions and regulatory interactions.7 |
| 9. Reduce constraints for company naming at registration | Clear rules regarding company names should be defined that allow in most cases automated name validation without human intervention. Alternatively, removing complex rules for naming and prevention of trademark infringement at registration facilitates and simplifies the company registration process, i.e., only a unique identifier is assigned to newly registered companies, while the validation of the company name is not a matter for company registration. |
| 10. Initiate a mandatory process of public-private dialogue and collaboration | When drafting the Law’s revisions and developing digital systems, involve the different actors through public consultations or encourage public groups to contribute or comment to prevent future opposition to the changes. |

Key Functionalities

Standard functionalities of company registry digital platforms involve a public portal, backend processing automation, and integration interfaces for data sharing.
The public portal allows access to information on company registration regulations and procedures, online searches of the company register, and completion of digital transactional services (Figure 2). The prerequisite e-Government shared services involve an e-Payment service for digital payment of registration fees; cloud hosting; and an interoperability system for data exchange with stakeholders, such as tax authorities and social security agencies. A preferred option for digital ID is the use of e-Government single sign-on and digital signatures; however, jurisdictions also allow use of alternative digital identity mechanisms to improve accessibility and enable cross-border digital identification. These mechanisms are further explored in the case studies described in Appendix 1.

7. World Bank Group (2016), Implementing a Unique Business Identifier in Government, https://documents1.worldbank.org/curated/en/471531468196759403/pdf/103570-REVISED-Implementing-a-unique-business-identifier-in-government.pdf.

More advanced functionalities involve an integrated company data warehouse or data lake, real-time company registration, and advanced data analytics for fraud prevention. The implementation of these advanced functionalities requires high-quality company register data, data standardization and integrated data management, and use of emerging technologies, such as AI/machine learning. Using company register data alone does not allow implementing advanced functionalities. Also required is integrating internal and external registers and databases through data exchange, such as ownership data, and transforming the data to allow advanced analytics. More details about the functionalities of data-driven company registry digital platforms appear in Appendix 2.

Figure 2. High-level decomposition of functionalities of e-Company Register
Source: The authors.
Transformational Roadmap

Recent developments show that the digital transformation of company registries is best accomplished using an agile approach. The agile approach is mandatory when designing and applying emerging technologies for company registry processes, such as AI/machine learning to validate company names or supervise fraud prevention activities. It allows learning and experimentation through trial and error, reducing risks and complexity. Agility is also necessary for large transformations, such as the complete overhaul of company registry systems undertaken in Greece and Denmark. The agile approach ensures flexibility in uncertain environments, keeps legal and software developments moving in tandem, and supports faster launch of new digital platforms and services, thus maintaining momentum for the transformation.

Comprehensive transformations of the company registry require significant coordination among legal, institutional, and digital developments. Necessary legal developments typically involve a company’s act and a framework law or implementing regulations on company and business registration to define procedural aspects. The legislation must be designed with awareness of the possibilities for data management and the use of emerging technologies. Identification of key stakeholders and ensuring commitment are key in the analysis stage. In the case of large transformations, high-level political support must be incorporated from the onset, along with the budgetary resources.

The high-level design and technical blueprint must allow an agile approach to implementation. Compared to a traditional waterfall or Rational Unified Processes (RUPs),8 in which the technical blueprints include detailed descriptions of functional and other requirements and implementation plans, in the agile approach, requirements focus more on the scope and the outcome and less on how the outcome will be achieved.
This approach allows more flexibility in designing and implementing iterations (“sprints”) that follow the priorities and advancements of other transformational activities, such as legal and institutional capacity developments. At the same time, the approach requires strengthening project governance by forming a strong core team at the outset and consistently applying agile project management.9

Data management is a key development for digital transformations of company registries. The main product of a company registry is data. The data is the “fuel” for the sustainable functioning of a company registry and for the registry to fulfill its role of providing reliable company registry data. The application of emerging technologies, such as AI/machine learning for fraud detection in Denmark or automated business name validation in Greece, required most of the resources available, first to develop the data necessary to feed into the AI algorithms, and second to develop the AI algorithms themselves.

Large-scale transformations of company registries invest significant resources into the data consolidation of those registries. Recent experience in Greece, which undertook data consolidation through interoperability and by combining business data from several sources, such as the taxpayer’s registry and the social security database, demonstrates this. In another example, Bosnia and Herzegovina undertook massive digitization of the paper archives, metadata recording, and ex-officio deregistration to consolidate its company registry data and remove dormant companies.

8. Per Wikipedia, Rational Unified Process is an iterative software development process framework created by the Rational Software Corporation, a division of IBM since 2003.
9. The agile approach offers iterative flexibility, with small parts of projects being built and tested simultaneously. See Tom Relihan (2018), “Agile, at Scale, Explained” (MIT Sloan School of Management, Cambridge, MA), https://mitsloan.mit.edu/ideas-made-to-matter/agile-scale-explained.

Figure 3. Digital company registry implementation roadmap
Source: The authors.

The importance of selecting and procuring the digital technology platform or components should not be underestimated. Success of the transformation largely depends on the capability of involved parties, software packages, and previous experience implementing similar transformations. Selecting the right software package for a certain transformational challenge is critical. This was clearly shown in the case of the Danish Business Authority and its selection of the graph theory and packages for large data transformations (Apache Kafka)10 to deal with the fraud prevention challenge.

For large-scale digital transformations, the decision will be between off-the-shelf, highly configurable software packages versus custom software development. Often the advantage is with the former. The market provides off-the-shelf solutions, both as open-source software and commercial software packages.11 Use of highly configurable off-the-shelf packages can speed implementation and adoption of good practices and reduce software shortcomings and cybersecurity vulnerabilities. At the same time, use of off-the-shelf products leaves the company registry dependent on the software package developer. This dependence requires long-term commitments for sustainability that should be adequately addressed in the agreements, such as the license or software assurance agreement.12

10. As noted in Wikipedia, Apache Kafka is a distributed event storage and stream-processing platform. It is an open-source system developed by the Apache Software Foundation and written in Java and Scala. The project aims to provide a unified, high-throughput, low-latency platform for handling real-time data feeds.
11. The UNCTAD Business Facilitation Program offers an open-source package that is highly configurable for data, forms, and workflow management, and it is already deployed by several company registries. For more information, see “UNCTAD’s Digital Government Platform for Investment Facilitation,” available at https://businessfacilitation.org/.
12. Software assurance provides a level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at anytime during its life cycle, and that the software functions in the intended manner (Committee on National Security Systems 2010).

For large-scale digital transformations of a company registry, agile implementation and rollout are organized according to the legal entity type. In Greece, the rollout was phased by digitalizing first the procedures for single-member and multi-member private companies, followed by general and limited partnerships, and finally by procedures for limited and joint stock companies. The initial stage is to design the company registry data, including mandatory data requirements and the data validation rules. This task also involves the design of the application and document forms, including forms for the initial registration and registration changes and the form for standard articles of incorporation.

Internal and external communication is key for change management. Internal communication is required to develop staff awareness and capacity concerning new procedures and digital systems. External communication and outreach must be organized to inform businesses and citizens about the company digital platform's new procedures and online services. For example, in Greece, G.E.MI. invested significant effort from the outset in communication activities around the transformation.
The new digital platform (e-OSS) was even published for three months during the testing stage to capture feedback from businesses and citizens that was then incorporated into the final improvements made before the official launch.

Appendix 1. Case Studies

Denmark

The Danish Business Authority (DBA) conducted a deep transformation of its business registration process that took advantage of digitalization and emerging machine learning technologies. In 2009, the DBA was paper-based, and it took up to two years to register a company. Business owners needed to hire lawyers to guide the process. Today, all processes have been digitized, and business owners can register their companies easily online in less than 24 hours.

Digitalization of the business registry makes it possible to gather structured data, which is key for using machine learning technologies. The registration service is available 24/365 and is fully automated. The machine learning system looks for suspicious cases and refers them for later review by human experts. Manually reviewing all the cases would be impossible, due to the large number of business registration applications. By using machine learning technologies, however, the complex models developed by the DBA can assess hundreds of variables and determine which cases present the highest risk of being fraudulent. Furthermore, the system pinpoints why the cases should be looked at more closely. The machine learning system provides key points for further examination, significantly reducing the time human employees must spend reviewing each suspect case and thus increasing DBA staff productivity.

The advantages of this are twofold: on one hand, legitimate businesses get easier and faster registrations, while on the other, suspicious businesses are manually reviewed in a guided way.
Furthermore, the cases with higher probability of being fraudulent are prioritized, and only a manageable number of cases are referred to the available human employees, thus maximizing DBA staff productivity.

Key Policies

The machine learning system uses a high number of different variables that are gathered from different governmental sources, such as the tax authority, the civil register, and bank information. Data sharing between different governmental sources is necessary to highlight relevant information that could indicate fraudulent activity. Furthermore, the DBA is legally entitled to gather information from both public and private bodies for fraud detection purposes.

Digitalizing and implementing the machine learning system has required DBA to reconsider and transform its business registration processes at a deep level. Before this change, the registry used a very complex process that was driven by lawyers, and it took up to two years to complete a registration; currently, the business owner can submit the application on his or her own. The change from paper-based application to online forms containing the information required by the business registry authority has been key to the transition. The system compares the information on the forms with information gathered by other governmental sources and uses machine learning to verify whether any risk of fraudulent activity is associated with the company. If it detects some risk, the system will raise an alert and the case will be handled manually; if not, the business will automatically be registered.

The system automatically generates a unique business identifier, and the business registry does not validate a company name. This simplifies the process of business registration because the business register does not look into possible name coincidences or intellectual property issues that might require a separate process involving litigation.
The registration consists of a set of structured data in a database. The application does not produce any final document to be signed or published. The registration consists of a set of structured data in a database that can be publicly accessed for consultation. This simplifies the process, as the documents do not need to be double-checked, and the only source of truth is the database containing the information the business owner has entered into the system when registering the company.

Denmark's second-generation national eID (NemID), introduced in 2010, made the shift to digital-first possible. Legal requirements imposed between 2012 and 2015 made it mandatory for Danish citizens to use digital self-service options. The eID serves as a shared login for online banking and public and private self-service applications. The third-generation eID, known as MitID in Denmark, was released in 2022 as a result of a long-standing partnership between the public sector and the banks. MitID is now used by organizations, individuals, and government agencies. The MitID partnership was established out of a strong desire to develop a single, appealing national eID solution that could be applied to both public and private services and thus provide coherence for end users. With MitID, brokers serve as a gateway between service providers and the MitID solution. Also, MitID allows service providers to authenticate their users, and only a few brokers are certified. One of the main brokers, NemLog-in, provides a single log-on solution giving access to the public authority self-service solutions in municipalities, regions, and the national government.

Figure 4. MitID solution architecture
Source: Agency for Digital Government, Danish Ministry of Finance.

The MitID system allows foreigners to identify themselves through automatic passport validation.
National citizens can migrate directly from the old NemID, but foreigners can obtain credentials on the MitID system only using their passports. The application uses computer vision technology to verify the individual’s identity and validate their passport. With this information, the system readily identifies the foreigner.

All required transformations were made at the national level. This facilitates the changes and transformations, because all the various local and other government administrations apply the same changes at the same time.

The system is under continuous development, and different machine learning models are trained and improved using new data obtained from new applications. Furthermore, new models are constantly developed. Continuous improvements produce large and profound transformations if maintained over long periods of time.

Implementation Considerations

Developing the machine learning models requires close collaboration between in-house data scientists and legal experts. It is important to use in-house data scientists and not external consultants because these experts work at the core of the business register authority. Furthermore, close collaboration between data scientists and legal advisors is key. This is because data scientists have the technical expertise to develop the machine learning models, but very little knowledge about legal matters, while the legal advisors typically have no expertise in machine learning methodologies. High-quality machine learning models can thus only emerge from this close collaboration.

The cloud provides elastic infrastructure on demand to deploy machine learning systems. The elasticity of cloud services is very convenient for deploying and training the machine learning systems. However, use of cloud service providers also brings legal challenges in terms of data protection and data privacy.
If the cloud service providers are third-party private corporations located overseas, the registry has no control over the protected data.

The DBA has more than 26 machine learning models in production. Some models can forecast with high accuracy when in the ensuing 24 months a company will commit a crime. This is a sensitive area, and model explainability is consequently important: it is important to know why a model reaches every decision it makes. For instance, if a model detects some fraudulent activity, staff must be able to determine why the model considers the company to have exhibited suspicious behavior. At DBA, all the models provide explanations, and their decisions are fully traceable. In addition, the machine learning models do not have the last word. Because machine learning models have a high rate of false positive cases, they provide humans with insights into which cases should be reviewed. All final decisions are made by human experts.

The machine learning models learn their own criteria for detecting suspicious behaviors based on training examples of fraudulent businesses. This is one main advantage of these systems; instead of a human defining criteria for what is or is not suspicious, the algorithm learns about suspicious activity criteria from the examples given. Because machines can handle many millions of cases with hundreds of variables at a time, they can learn to sort cases for potential fraud much more efficiently than humans.

Machine learning is a powerful tool that should be used only within certain ethical limits. The main ethical principle considered by the DBA is that the technology and information are only used for specific and well-defined purposes. It is important that all machine learning models have a purpose and that all data be used only with a clear purpose. This main principle ensures the accountability of DBA operations. Other ethical rules include not storing lists of people.
If some person has been detected to have performed some fraudulent or suspicious behavior in the past, the system will not take that into consideration in future predictions, because it would be discriminatory.

Structured data gathered from the applications is stored in a graph database. The graph database helps to trace the relationships between different data nodes. Metadata is also produced from original data points and stored in the database. For instance, it is possible to produce a time series from data for different fiscal years or to merge information from different sources to increase the amount of information available for the machine learning process. Furthermore, the related data points in the database are grouped. Finally, some machine learning models produce metadata for other machine learning models.

A platform has been developed to train and deploy the ML models. These models are periodically revised, and a human is always in the loop to guarantee that the models are working properly and do not produce incorrect answers. All models are trained and deployed on the cloud. From DBA experience, with the developed platform now in place, it is possible to develop, train, test, and deploy new models within 16 weeks. Development is typically done by an internal team of experts; for example, the module for fraud detection was developed by a team of 15 DBA experts.[13]

A new agile methodology was implemented for the models, leading to continuous and iterative development. Before agile development was introduced, the DBA used a traditional waterfall planning approach that was slow and resistant to change. With the introduction of the agile methodology, continuing development can be more flexible to change, as the agile methodology is based on sprints and continuous development. This is more user friendly as well, since the changes are gradual.
Gradual implementation provides users time to adapt to changes and makes it easier to detect possible errors and resolve any bad decisions.

13. A video illustrating fraud detection with graphs at Danish Business Authority is available on YouTube at https://www.youtube.com/watch?v=FAJaWAUTGOI.

Figure 5. Agile principles were established in DBA and used in training the organization in the new approach and to become a true learning organization.
Source: Danish Business Authority.

Benefits Realized

As a result of these changes, the number of limited liability companies (LLCs) and the level of new business density[14] have undergone dramatic change since 2014 when the new systems were deployed. Figure 6 demonstrates the great increase in new LLCs and of new business density from 2006 to 2018.[15]

Figure 6. Number of limited liability companies (LLC) and the new business density from 2008 to 2018 in Denmark
Source: World Bank Group.

14. The new business density measures new registrations per 1,000 people ages 15-64.

15. The increase in business activity is also driven by overall economic activity.

Greece

The Greek Commercial Registry (G.E.MI.) was challenged by the private sector for its inefficiency and lack of online services for company registration. The Law on Simplification of Business Start-Up Procedures,[16] adopted in 2016, allowed G.E.MI. to implement digital and paperless company registration. G.E.MI. realized that such advancements require significant improvement in the quality and management of company registry data. An earlier case study presented the entire 15-year journey to reform company registration in Greece,[17] but the focus in this guidance note is on the policies pursued and developments achieved between 2016 and 2020 that enabled data-driven, fully automated real-time company registration.

The following figure
shows the number of registrations processed through digital means — paperless and contactless — versus those done through in-person visits to the OSS office before May 2022. Most of the registrations for all legal entity types are now done digitally through the e-OSS digital platform (https://www.businessportal.gr/) without in-person interactions, paper forms, or documents.

Figure 7. Digital (e-OSS) vs. in-person (OSS) applications for business registration by May 2022
Private Companies: e-OSS 100%, OSS 0%
General Partnerships: e-OSS 88%, OSS 12%
Limited Partnerships: e-OSS 90%, OSS 10%
Limited Companies: e-OSS 62%, OSS 38%
Joint Stock Companies: e-OSS 77%, OSS 23%
Source: Gerasimos Georgopoulos, Head of Company Law & Greek Business Register (G.E.MI.), Building an Efficient e-OSS: The Greek Paradigm.

16. The Law on Simplification of Business Start-Up Procedures, Removal of Regulatory Barriers to Competition and Other Provisions 4441/2016, https://www.kodiko.gr/nomothesia/document/245220/nomos-4441-2016.

17. World Bank Group (2021), “Reforming Business Registration in Greece,” https://openknowledge.worldbank.org/handle/10986/36259.

The G.E.MI. is one of the few company registries that has succeeded in implementing a fully automated, real-time company registration. The online service is available 24/7, and most cases do not require any human intervention from the G.E.MI. staff to process the registration application. That means that the applications for both an initial company registration and any registration changes are processed automatically by the digital platform without any back-office human intervention. Implementing such an advanced level of automation required significant improvement in the data quality in the company registry database.
The process before the transformation relied on scanned paper documents, without recording the data in a structured format, which in turn required significant efforts to improve the existing register’s data. G.E.MI. pursued other developments as well to achieve this advanced level of digital automation, including digital payment of administrative fees, digital signature, company name validation, and process orchestration among all involved stakeholders, including the Tax Authority and Social Security.

G.E.MI. designed regulatory policies to overcome these challenges and to allow digitalization of the company registration. For instance, a regulatory policy on interoperability of digital systems for data sharing was crucial to improving the quality of data in the company registry database and implementing real-time validation of input data entries. Another important regulatory policy lowered requirements for using digital signatures in online applications for company registration. The key policies for achieving digital, real-time company registration in Greece are described further in the following section.

Key Policies

Enabling interoperability for data sharing between involved stakeholders in the company registration procedure was the key policy for improving data quality. The process for improving data quality involved the existing G.E.MI. registry data, as well as data from other business-related databases, including the taxpayer’s registry managed by the Tax Authority (IAPR), the database of the Social Security Organization (EFKA), and the Citizen Database (ERMIS). G.E.MI. first designed the company registry database by identifying mandatory data items and then conducted a one-off exercise to incorporate the business data from external business data sources to improve the registry’s data quality. In tandem, interoperability was implemented to validate real-time data entries from online applications for company registration.
For example, entry of the founder’s name is automatically validated against the Citizen Database; similarly, the address of the company headquarters is validated against electric power company databases. The latter provides a good example of using private sector data to improve the efficiency of public service delivery.

Authorizing G.E.MI. to initiate, process, and complete the business registration enabled a single online point of contact for Greece’s company registry. G.E.MI. was identified as an owner of the digital platform for company registration (e-OSS). Through e-OSS, G.E.MI. implemented an integrated process, including a single application form for company registration and a single administrative fee. Assigning authority to G.E.MI. to decide on company registration cases removed duplicate data entries and processes for completing the procedure, such as with the Tax Authority and Social Security Organization. The process is completely orchestrated through the e-OSS digital platform, with data provided once only by an applicant and shared automatically with all involved authorities. Through initial registration in e-OSS, the G.E.MI. assigns a unique business identifier (G.E.MI. number) to the newly established entity, as well as the Tax Identification Number (TIN) through the data exchange with the Tax Authority. All other relevant authorities are internally notified through digital data exchange about the company’s initial registration or registration changes. A final decision on business registration is issued by G.E.MI., delivered in a digital form to an applicant and published on the e-OSS online portal.

The policy on standard articles of incorporation enabled real-time business registration. The Law on Simplification of Business Start-Up Procedures defined standard articles of incorporation with minimum content that may be used to establish limited, joint-stock, and private companies. These legal provisions enabled G.E.MI.
to integrate an online form for standard articles of incorporation within the e-OSS digital platform. G.E.MI. also implemented automated validation of input data entries, allowing creation of articles of incorporation using only the structured data inputs to the e-OSS without requesting any additional document. This approach made it possible not only to remove the need for any scanned documents from the registration process but also to fully automate real-time company registration without any backend intervention by the registrar. If real-time validation of data entries can be done using existing registry data or shared data from other relevant authorities, the registration is processed automatically by the e-OSS algorithm, including issuing the digital decision on company registration. The processing requires the registrar's intervention only in specific cases when the data cannot be validated or an applicant chooses to use customized articles of incorporation. Following this approach, the role of the G.E.MI. registrar shifted from processing individual company registrations to improving data management, algorithm design, and overall supervision and operation of the digital platform.

The Law defined clear rules for company names that allowed fully automated company name validation. These legally defined rules allowed G.E.MI. to develop a digital algorithm to fully automate the validation of desired company names. The developed algorithm compares proposed names to the registry; suggests company names in Greek, Latin, and English; captures punctuation marks (dots, commas, and other symbols); and rejects inappropriate terms using the internal and shared data. G.E.MI. developed comprehensive dictionaries to prevent use of inappropriate terms. If the desired company name cannot be automatically validated, the algorithm requests human intervention. G.E.MI.
uses these cases, as well as the annual analysis, to update the developed dictionary databases and improve the algorithm.

A policy was adopted to lower the requirements for digital signatures in company registry transactions. The EU eIDAS regulation[18] defines three levels of digital signature: simple, advanced, and qualified. While advanced and qualified digital signatures, according to eIDAS, require the use of public key infrastructure (PKI) to generate a digital signature, a simple digital signature can be any data in electronic form that can be attached to the other data and serve as a method of authentication. Use of a simple digital signature for company registration in Greece is authorized under the Law on Simplification of Business Start-Up Procedures. G.E.MI. implemented the Tax Authority single sign-on (TAXISnet SSO) user authentication that, along with e-OSS, allows a paperless process using simple digital signatures. Introducing standard articles of incorporation supported this approach by eliminating the need to upload an article of incorporation document. User authentication is done through the TAXISnet SSO, while the e-OSS authorizes the founders to create and confirm the articles of incorporation. Lowering requirements for digital signatures allowed quick uptake of the company registry online services, as Greek citizens are allowed to use their existing TAXISnet SSO without obtaining an advanced or qualified digital signature as a prerequisite to access the online services. Still, cross-border digital identity has not been implemented in Greece, so in practice foreign founders must authorize a representative in Greece who then conducts company registry transactions on their behalf.

18. Regulation (EU) No 910/2014 of the European Parliament and of the Council, of July 23, 2014, on electronic identification and trust services for electronic transactions in the internal market.

Table 3.
Summary of key regulatory policies for the data-driven company registry in Greece

Key policy: Description
1. Enable interoperability for data sharing between involved stakeholders: Improved interoperability and data governance made it possible to enhance and maintain data quality in the company registry. Interoperability uses the G.E.MI. unique identifier[19] and TIN to facilitate data sharing.
2. Authorize single authority for initiating, processing, and completing the company registration: A single authority (G.E.MI.) was designated as the single point of contact and the authority deciding on company registration in Greece. The policy defines G.E.MI. as an owner of the e-OSS.
3. Define standard articles of incorporation: A standard article of incorporation with minimum content allows the implementation of fully automated real-time company registration.
4. Introduce clear rules for a business name and business registration processing: Clear rules allow automated company name validation without human intervention in most cases.
5. Lower the requirements for digital signatures: Lower requirements for digital signatures allow use of TAXISnet SSO and e-OSS as a simple digital signature for company registration.

Implementation Considerations

These legal, institutional, and digital developments took place over the course of five years (between 2016 and 2020). This was the third modernization cycle for Greece’s company registry. The roll-out was organized in phases, first with single-member and multi-member private companies (July and September 2018), followed by general and limited partnerships (January and April 2019), and finally by limited and joint stock companies (June and November 2019). Three months before the new e-OSS became available, a testing digital platform was published online that allowed anyone to comment before G.E.MI. made its final improvements before the official launch.

G.E.MI.
engaged in public-private dialogue from the onset of the digital transformation. It created collaboration groups with staff from the different actors and organized public consultations to draft changes to be introduced into the Law on Simplification of Business Start-Up Procedures. This approach helped limit any strong interest group opposition to the transformation, such as from lawyers and notaries. Intense communication efforts allowed all actors to be well-informed on how the process would work and when the changes would be introduced. G.E.MI. developed a calendar of changes, providing detailed information and promoting the new systems and online services for companies and other interested parties.

19. A World Bank Group guidance note, Implementing Unique Business Identifiers, published in 2016, provided practical considerations and a roadmap for implementing a unique business identifier for use in company and business registries to facilitate business data sharing; see https://documents1.worldbank.org/curated/en/471531468196759403/pdf/103570-REVISED-Implementing-a-unique-business-identifier-in-government.pdf. A 2021 blog post examines more recent considerations, focusing on the use of decentralized identifiers applying blockchain and other distributed databases; see “Is the Self-Sovereign Digital Identity the Future Digital Business Registry?” at https://blogs.worldbank.org/psd/self-sovereign-digital-identity-future-digital-business-registry.

The transformation to real-time company registration required a new company register and a new digital solution for the company registration process (e-OSS). G.E.MI. developed two integrated digital subsystems from scratch: the company register database and the digital processing platform, mainly relying on in-house software development (only the algorithm for validating desired company names was outsourced to an external vendor).
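
The company-name validation described under Key Policies (compare the proposed name with the registry, capture punctuation, reject dictionary terms, hand the case to a registrar when automation cannot decide) is illustrated by the following added example, which is not G.E.MI.'s or its vendor's algorithm. The sample registry, the restricted-term list, the 0.90 similarity threshold, and the rule that sends words mixing Greek and Latin letters to manual review are assumptions made for illustration.

```python
from __future__ import annotations

import re
import unicodedata
from dataclasses import dataclass
from difflib import SequenceMatcher

APPROVE, REJECT, MANUAL_REVIEW = "approve", "reject", "manual_review"

# Constructed sample data, not taken from any real registry.
REGISTERED_NAMES = ["Θάλασσα Δέλτα Ι.Κ.Ε.", "Blue Olive Trading", "ALPHA-NET"]
RESTRICTED_TERMS = ["ministry", "police", "υπουργείο"]  # hypothetical dictionary
NEAR_MATCH_THRESHOLD = 0.90  # assumption: at or above this, a registrar decides


@dataclass(frozen=True)
class Decision:
    outcome: str
    reason: str


def fold(text: str) -> str:
    """Accent- and case-insensitive form: NFKD, drop combining marks, casefold."""
    decomposed = unicodedata.normalize("NFKD", text)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return stripped.casefold()


def tokens(name: str) -> list[str]:
    """Words of the name; dots, commas, hyphens and other symbols act as separators."""
    return [t for t in re.split(r"[\W_]+", fold(name)) if t]


def comparison_key(name: str) -> str:
    """Key under which 'A.B. Co', 'AB-CO' and 'ab co' are the same name."""
    return "".join(tokens(name))


def mixed_script_word(name: str) -> bool:
    """True when one word mixes Greek and Latin letters (look-alike risk)."""
    for word in tokens(name):
        scripts = {unicodedata.name(ch, "").split(" ")[0] for ch in word if ch.isalpha()}
        if {"GREEK", "LATIN"} <= scripts:
            return True
    return False


def validate_name(proposed: str, registry=REGISTERED_NAMES,
                  restricted=RESTRICTED_TERMS) -> Decision:
    """Return approve / reject / manual_review for a proposed company name."""
    key = comparison_key(proposed)
    if not key:
        return Decision(REJECT, "name contains no letters or digits")

    banned = {fold(term) for term in restricted}
    hit = banned.intersection(tokens(proposed))
    if hit:
        return Decision(REJECT, f"restricted term: {sorted(hit)[0]}")

    # Assumption: automation does not decide on mixed-script words.
    if mixed_script_word(proposed):
        return Decision(MANUAL_REVIEW, "word mixes Greek and Latin letters")

    best_name, best_ratio = None, 0.0
    for existing in registry:
        existing_key = comparison_key(existing)
        if existing_key == key:
            return Decision(REJECT, f"already registered as: {existing}")
        ratio = SequenceMatcher(None, key, existing_key).ratio()
        if ratio > best_ratio:
            best_name, best_ratio = existing, ratio

    if best_ratio >= NEAR_MATCH_THRESHOLD:
        return Decision(MANUAL_REVIEW, f"close to registered name: {best_name}")
    return Decision(APPROVE, "no conflict found")


if __name__ == "__main__":
    for candidate in ["Alpha, Net.", "Blue Olive Tradings", "Quantum Harbor Logistics"]:
        print(candidate, "->", validate_name(candidate))
```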
Benefits Realized

Greece ranked sixth worldwide and first in the EU for the Starting a Business regulatory area, according to the IMD World Digital Competitiveness Index.[20] Greece implemented an advanced digital platform for its company registry, instituted a significant number of online services, and shared an enormous amount of data with partner institutions. This effort is very effective in helping the economy. Many companies in Greece today were registered in real-time using the e-OSS algorithm, even if their applications arrived outside G.E.MI.’s working hours.

These and other advancements of company registration allowed a significant positive increase in new business density and overall new businesses registered, from fewer than 6,000 newly registered LLCs in 2016 to 12,000 new LLCs registered in 2020 (Figure 8). Both new businesses and business density show an exponential increase in Greece from 2016 to 2020.[21] The country achieved ranges comparable to other countries in the region that had implemented company registry reforms and digital company registries (e.g., Albania and Serbia). The annual revenue G.E.MI. generates by providing company registry services reached €60 million, ensuring the return on investment of the digital transformation, as well as covering future investments and expenses for the e-OSS for business continuity and sustainability.

20. World Digital Competitiveness Rankings 2021, https://www.imd.org/centers/world-competitiveness-center/rankings/world-digital-competitiveness/.

21. World Bank Group, Entrepreneurship Database, https://www.worldbank.org/en/programs/entrepreneurship.

Figure 8.
New business registered and new business density in Albania, Greece, and Serbia
[Two chart panels: number of new LLCs; new business density (new registrations per 1,000 people ages 15–64).]
Source: World Bank’s Entrepreneurship Database.

Appendix 2. Data-Driven Company Registry Functionalities

The following table lists functionalities of data-driven company registry digital platforms. It was developed based on the analyzed case studies and the authors’ experience in other projects to modernize national company registry frameworks and systems.

Table 4. Functionality checklist for data-driven company registry digital platforms

#. Functionality: Description

Public Portal
1. Online information on entity types and company registration requirements: The online portal of the digital company registry (or e-Government portal) shall publish the information on the legal entity types, their specifics, and the requirements of the company registration procedure for easy navigation by business applicants.
2. Online company registry search: The online company registry search shall be available free of charge with public access without requiring a prior user authentication.
3. Reservation of company name: The company name reservation shall be offered as an optional online service. Business applicants can apply for initial company registration without the reserved company name.
4. Online preparation of articles of incorporation: The online service for preparing articles of incorporation with minimum content shall allow the development of the articles using the data and real-time data validation. Using standard articles of incorporation allows a significant level of automation of the registration procedure and opens avenues to reduce requirements for the use of digital signatures.
The applicants should also be allowed to use custom articles of incorporation and attach the digitally signed articles’ document to the application form for company registration.
5. Single application form for initial company registration: An online single application form for company registration shall be designed with mandatory and optional data elements. The form shall allow an integrated registration procedure with all involved “public” institutions, including the registrar, tax authority, and social security. The form shall include all data items required to complete the registration process with all involved public institutions.
6. Online payment of company registration administrative fee: The administrative fee payment for company registration shall be made through integration with the e-Payment platform. The e-Payment platform shall provide a digital receipt for the payment, automatically eliminating a request for such information from a business applicant. In case the administrative fee combines fees for several beneficiaries, the e-Payment platform shall distribute automatically the single payment made by the applicant to those beneficiaries. The e-Payment platform shall support various digital payment means, such as credit and debit cards, digital wallets, and online banking.
7. Online submission of the company registration application: The platform shall support online submission of the company registration application and automatic receipts with the date and time of the submission.
8. Information about the status of the business registration process: The platform shall provide an applicant with constant updates about the application’s progress, notify the applicant about any additional information required, and allow the online submission of any additional information.
9. Receiving business registration certificate: The platform shall automate issuing a digital company registration certificate and its delivery to an applicant.
Some jurisdictions have implemented QR codes on the company registration certificates that allow easy online validity verification. 10. Opening bank account The platform shall support the selection of the commercial bank and an automated procedure for opening a bank account through interoperability 26 # Functionality Description and data exchange. The selected bank shall receive all information from the digital company registry, and additional visits should not be required to finalize the bank account opening procedure. 11. Submit business registration The platform shall digitalize all registration change transactions. All “public” application for changes (e.g., change of institutions shall be automatically notified about changes in the company address, authorized persons, and registry data. similar interest/share allocation, founders’ names) 12. Submission of annual and financial Good practice shows that the integration of annual and financial reports reports supports keeping company registry data updated and contributes to the overall sustainability. Backend processing 13. Receiving business registration The platform shall allow receiving online applications for company application and attachments registrations by the Registrar and forming the case files. 14. Validating and approving the The platform shall implement a completely automated algorithm to validate requested business name the company name. 15. Internal processing of a business The platform shall support an integrated procedure for processing the case registration case file with all involved public institutions. The process must be fully orchestrated by the platform, the deadlines must be tracked, and the information on the processing status must be published to an applicant. 16. Access to the business registration The platform shall have a complete digital archive linked with the company archive to process the registration registry database. 
All documents in the archive must be digitally signed with changes metadata to allow the document search. 17. Assigning a unique business identifier Every registered company shall be assigned a unique business identifier (UBI). The UBI must be implemented in all public institution databases to enable interoperability and data sharing on businesses. 18. Publishing information on business The platform shall enable the publishing of the registration certificates and registration decisions on registration online for public access. The online publications of registration certificates and decisions shall fully replace publication in the official gazette. 19. Providing data from the company The platform shall enable automated data sharing of company registry data registry for the needs of other public institutions (such as the statistical office) or to the private sector according to the commercial terms (such as bulk data on businesses, data from annual and financial reports, etc.). 20. Processing business closure (i.e., The platform shall fully digitalize the voluntary liquidation procedure. The business exit) platform shall implement an integrated procedure and allow the publishing of information for creditors. For insolvency liquidation, the platform can implement the content management functionalities (i.e., document and status management) without a process orchestration. 21. Receiving information from other The digital platform shall support receiving notifications from other agencies agencies on potential changes not that may require registry data updates. The Registrar shall process these registered or court rulings for ex-officio notifications or court rulings according to the registration procedures. changes (e.g., from business licensing or inspection agencies) Data Intelligence 22. 
Integrated company data Advanced data intelligence in the company registry domain requires warehouse/data lake combining general company register data with financial accounts and ownership data. Also, such data intelligence requires transformation for the application of advanced data analytics (such as graph databases). The management of large amounts of data and processing capacity requirements necessitate establishing data warehouses or data lakes. Good practice from the analyzed cases is to use cloud hosting for the data warehouse/data lake. 27 # Functionality Description 23. Data validation and real-time company Advanced data integration and sharing allows implementation of real-time registration data validation in application forms and standardized articles of incorporation for a real-time company registration. If the data entries can be validated automatically, the digital algorithm processes the company registration without need for human interaction. If the validation cannot be done, the human intervention by registrar staff is required. In all cases, the digital platform and algorithms are supervised by company registry experts. 24. Advanced data analytics for fraud The advanced data analytics for fraud prevention use a combination of various prevention data on companies to indicate potential fraud behavior and request human intervention to process the company registration. The Danish Business Authority applied graph databases and AI/machine learning for fraud prevention. 25. Predictive modeling for forecasting The integrated company registry and business data allows forecasting, such as forecasting of company’s life expectancy, as considered by the Estonian Commercial Register (RIK). Integration Interfaces 26. Integration of e-Government services The data-driven company registry digital platform must be developed using the horizontal e-Government shared services as a foundation. 
That means that the company registry digital platform must be integrated with the horizontal digital ID, signature, and e-Payment platform and must use the e- Government cloud hosting and interoperability system (like Estonian X-Road) for data exchange and sharing. 27. Integration of other involved agencies Data exchange and sharing with other agencies involved with company (tax, social security) registration must enable a fully integrated and orchestrated initial company registration and registration of changes without requesting duplicate information provision from applicants. The implemented data sharing shall only ask the applicant once for information, and the information will be shared with all relevant stakeholders involved in the process. 28. Data sharing with external consumers Data sharing with external customers includes commercial banks for opening transactional company bank accounts, as well as with the private sector digital platform based on commercial agreements. Configuration 29. Configuration of workflows The digital platform must allow the configuration of workflows following business process management (BPM) principles. The processes must be configurable through the system management console without a need to update software source code and should enable a continuous optimization of registration processes. 30. Configuration of register data The platform must allow configuration of registers and data items without software coding. It should allow adding new registers, data fields, and data validation rules through the system management console. 31. Forms configuration The digital platform must allow adding and changing the configuration of the forms and linking the forms to the register data items. Forms management should be integrated into the system management console, allowing changes in the data inputs and layout of the forms without software coding. 32. 
User accounts and roles The module for management of user accounts and roles must allow authorized access to the protected resources, including functionalities and data. The user permission managed through user roles defines the access level to the protected resources in the digital platform. 28