XBRLchain = XBRL secured by Blockchain
- Jesus Ruiz, CTO at Alastria Blockchain Ecosystem. firstname.lastname@example.org
- Javier Mora, XBRL senior expert. Javier.Mora@xbrl.org.es
- Ignacio Boixo, Openfiling Association, Founder. email@example.com
Where is the problem to solve?
The key point in regulatory disclosure is that a business report is legally binding for the issuer when that business report is filed by the issuer to the supervisor and, consequently, published by the supervisor. Then the Supervisor is providing the characteristic of non-repudiation (acting as a Notary) to the business report: the issuer cannot deny having sent the business report. The customary approach for secure a business report is simply download it from the supervisor’s website, as exemplified in the cases of CNMV. The consumer is therefore secure that the report is the actual report legally filed by the issuer to the supervisor. However, the business report itself lacks of any security feature. In the case of a non-supervisory searcher, as Arelle Filing Index, the solution is hyperlink by URL to the supervisory webpage SEC .
Why if simply the issuer put its digital signature in the report? For an IT point of view is an optimal solution. BUT (in practical terms) the existing digital signatures depends on Certification Authorities, that unfortunately are far away of establishing enough reciprocal trusted relations, hence lacking of interoperability and extensibility for most consumers. Moreover, the digital signature must be published somewhere, well concatenated to the report or well in an independent file.
Hence, each different consumer must download independently the same report from the supervisor website as security feature, being this download the only proof of integrity (report unmodified) and non-repudiation (the issuer cannot successfully dispute its filing -hence authorship-) of the report.
The supervisor website acts as a Web Notary. But a Supervisory-based notarization leaves out relevant issuers’ non-regulatory reports, hence not published by the Supervisor, as Corporate Social Responsibility, Integrated Reporting, Environmental Impact and so on. Let see the diagram below.
Anna and Bob trust in the public website of their respective national Supervisor or Officially Appointed Mechanism. However, when Carol receives a report from a third party supply chain, she has no other method to check its Integrity and Non-repudiation than compare the report with its original supervisory publication website.
Note the URL of the original supervisory publication is NOT necessarily part of the report. Find a particular report in a foreign supervisor website is not necessarily an easy task. See now the same situation but with a public & indelible ledger based in blockchain:
Carol can now check the report’s Hash code using whatever Check Server she want (or directly if she owns an Observer node). If the hash code is found in the Ledger, Carol can be sure of (a) the Integrity of the report (no modifications) and (b) the Identity of who Notarize the report (such Notary –strongly identified by the blockchain- cannot successfully dispute its Notarization: Non-repudiation).
Note the report do not necessarily must be public. As the hash code is an inherent characteristic of each particular report, having the report derivate its hash code is trivial. However, having a hash code provides no information at all about the original report (this one-way function is known as cryptographic hash function). Made a hash code public do not compromise report’s confidentiality: it is equivalent to get a key but ignore where is the lock.
See below a running Proof of Concept example, with testing credentials for free use.
However, nothing is perfect. When Anna consult the OAM website used by Bob, or Bob consult the Supervisory website used by Anna, or Carol consult whatever the OAM website or the Supervisory website, all the three folks may find difficulties if not fluent on the language or other characteristics of the websites.
This approach is an evolution (currently in PoC development) of the XBRLchain concept, now optionally storing also the stable URL of each report in the blockchain, in addition to the hash code and the Identity of who Notarizes the report. A characteristic of blockchain is that all the nodes have an on-line local copy of the ledger. Therefore, when someone notarizes a report, such notarization is simultaneously updated in all the nodes. A smart contract functionality can be implemented, triggering an event when a new notarization is propagated. A Financial Gateway (currently in PoC development) can immediately read the report from the publication website by using the Notarized URL and including its attributes in an index of reports. See the sequence below:
David can now query the updated Financial Gateway about the reports matching a set of attributes, obtaining a list of URLs as answer. David can then download the selected reports directly from the respective websites. There are other interesting characteristics of this approach, not represented in the diagram for the sake of clarity. The Financial Gateway can also (a) check the hash code of the reports, (b) store the reports in full (e.g. as backup or accelerator of original publishing websites), (c) safely index non-regulatory reports (e.g. environmental, social responsibility, and so on), (d) be a Business Intelligence public server, (e) act as Notary by default if a publication website fails in its Notarization function, among many other functions.
Moreover, there can be several Financial Gateways running independently, without interferences. Note no agreement, communication channel, link, RSS, or any special mechanism is required between the Gateway and the publication nodes: with the Notarization in blockchain is enough. All the information for starting from scratch the index of reports or re-synchronizing it can be obtaining by reading the Notarizations in the local copy of the ledger. As the Notarizations are propagated simultaneously to all the blockchain nodes, and the publication websites are of public access by nature, there are no restrictions for entrepreneurs or public initiatives in building all the Financial Gateways with specific features they want.
This kind of challenge will surely arise in Europe 2020+, when all the listed companies should report in the same European Single Electronic Format (ESEF) but trough near 30 different websites. An initiative affording this challenge is the European Financial Transparency Gateway (EFTG SMART 2016/9488, see video video and presentation), as proposed by the European Commission. Our proposal hereby presented is the use of the XBRLchain concept as EFTG infrastructure layer. At the end of the day, no changes in the current Supervisory/OAM publication websites functionality are required at all. The only new feature is Notarize each report when made it public, and even this function can be requested to be assumed by the EFTG acting as Notary by default.
Blockchain to secure the integrity and non-repudiation of a document, typically an XBRL instance document containing a business report.
How XBRLchain works?
The document is digested in a unique and secure code with a standard hash algorithm, and this code is indelibly written (notarization) by an authorized party in the blockchain ledger. Checking the validity of a document is done calculating again the code and comparing it with the one in the ledger, also retrieving the authorized party identification. The code provides integrity (report unmodified) and the authorized party identification provides non-repudiation (the authorized party cannot successfully dispute its notarization of the report).
Note that several authorized parties (issuer, auditor and supervisor) can sign independently the same document.
Identification of issuer, type of report, period, and so on is already mandatorily included in XBRL instance documents by the XBRL specification. The only requirement in that the XBRL instance document must by self-containing (not dependent of external references). Other information about authorized party additional identification and timestamp is trivial of implement.
How to notarize a document?
The authorized party invokes a notary webserver authorized to writing in the blockchain. The blockchain system must have a secure interface with the server, and a micro smart contract definition interacting with the ledger.
How to check a document?
Each check webserver with read access to the blockchain can retrieve each code written, with the respective authorized party/ies acting as notary/ies for such code. For demo purposes in this proof of concept, the code is a simple CRC32 concatenated as a XML comment at the end of the file.
Testing by yourself?
Go to www.xbrlchain.info and check the following file examples (use userId/Password test/test for Notarize, but once only each 10 minutes).
|File name||TESTING CODE?||Valid hash code?||Registered in blockchain?|
|Example_2.xhtml||Yes (2676830881)||No (must be 2676830882)||N.A.|
The development of this Proof of Concept (PoC) is a webpage with two functions: Notarize and Check.
The web page runs in the website www.xbrlchain.info, created and managed by XBRL Spain on a standard web hosting. This web page is open to the public, with testing credentials for Notarization and free for Checking. The website is a Client that invokes an Observer Node of Alastria.
For Notarizing, the Observer Node starts a transaction with the Validator Nodes using the Ethereum Quorum protocol. The Validator Nodes prepare a block with the ordered list of transactions (if any) received each cycle of one second (or less depending on workload). The block is distributed to all the Nodes (following the blockchain architecture), which execute the Smart Contract, confirm the result and update the local Ledger copy accordingly. See diagram at right. At the end of the cycle, a new block has been added to the local Ledger copy existing in all and each one of the Observer Nodes and Validator Nodes as well.
For Checking, the Observer Node simply returns the required information from its local Ledger copy. Note the Ethereum Quorum throughput for reading is several orders of magnitude better than for writing. See more at Introduction to Quorum: Blockchain for the Financial Sector.
More? See below the minimalistic source code used for:
- ProofOfExistence.sol Smart Contract (Alastria)
- NotarizeServlet.java Notarize (Java XBRL ES)
- CheckServlet.java Check (Java XBRL ES)
- CommonFunctions.java Common (Java XBRL ES)
- poe.py Python interface Java <> Smart Contract
Even more? Consult the authors for further details
Who provides the notary web server/s and the check web server/s?
The market. It would be also an inhouse integration of webserver/local service. In this proof of concept it is used testing webservers developed by the authors (see the code below).
Blockchain technical details?
Each Node belongs to a different permissioned company, running an independent installation of the blockchain software and storing a local copy of the Ledger. By the blockchain architecture, the network remains fully operational and reliable even up to one third on the Validator Nodes are compromised (i.e. ten or more Validator Nodes captured simultaneously by an undetected attacker). This distributed network architecture provides a very high resilience having not a single point of failure, providing a clear advantage over traditional hierarchical approaches in the financial sector.
Why a permissioned Blockchain?
Facilities as accessible & available laboratory in the development of Proof of Concepts for test cases. One of the authors of XBRchain is the Chief Technical Officer of Alastria, the Blockchain Ecosystem (300+ members) running in Spain for the World.
Strong Identity facilities, to be based in the works of the Identity Commission (firstname.lastname@example.org Leader: Carlos Pastor (BME), Sponsor: Moisés Menendez (Everis)) Develop an identity solution inspired by the SSI model and based on uPort. Develop mechanisms that allow for the rapid creation of Alastria identities inter-operating with existing identity mechanisms.
Performance and adequacy. See below a comparison of consensus approaches, (slide 21: IBM, Making Blockchain Real for Business) according to which a permissioned blockchain as Alastria is the optimum solution.
Who is who?
Alastria can be summarized as a semipublic, independent, permissioned and neutral Blockchain/DLT network, designed to be accordant with the existent regulation, that enables the 250 associates to experiment this technologies in a cooperative environment.
XBRL Spain is a non-for-profit association for the diffusion of technological standards, focused in the eXtensible Business Reporting Language
Openfiling is an open community of practice for filing and XBRL with Open Source.
Copyright (mandatory citation).
The design of the XBRLchain concept, the development of the proof of concept, and the publication of the results are an intellectual property of the authors, dated 2018-10-07, and working in most cases out of business hours and in weekends. The authors hereby grant a license Creative Commons BY (Creative Commons Attribution 4.0 International License), hence expressly requesting their attribution, as moral authorship right.