Investment in Evernym An Equity Opportunity

This Document is Confidential

The information provided by Evernym is subject to the terms and conditions of a confidentiality

and non-disclosure agreement. The information should not be shared with anyone or used for

any purpose other than determining whether the Mountain West Credit Union Association or

its subsidiary, Strategic Partners, will make an investment in Evernym.

Background and Rationale

For the past 14 months, we have been researching distributed ledger technology. The potential

is extremely exciting. We have continued to pursue this initiative because we firmly believe

that it could make a huge difference for the credit union movement. In May, the National

Credit Union Roundtable chose to engage in this pursuit as well. This move created an

opportunity for the Credit Union National Association (CUNA) to assume a leadership role.

Since May we have been meeting with senior staff at CUNA on a regular basis.

In a Credit Union Times article this week, CUNA’s Chief of Staff/COO Rich Meade said, “This

could be a real game changer,” speaking of this initiative, “This technology could be the next

email, the next internet, the next big thing, so we’re really excited about doing that.”

Is there risk in this venture, absolutely. However, Mark Zuckerberg, founder of Facebook, said,

“The biggest risk is not taking any risk... In a world that’s changing really quickly, the only

strategy that is guaranteed to fail is not taking risks.”

Our recommendation, as management, is that we make an investment in Evernym. As many of

you will recall, we received an email from Steve Kelly, CEO of Metrum Credit Union telling us his

board had made the decision to disaffiliate from the Association. While this email was

disheartening, Steve made a point that resonates. He wrote, “Maybe it is time to use the

capital built,” referring the capital in the Association and Service Corporation, “to once again

provide business solutions internally, which can be provided to credit unions at a reduced rate

over the for-profit business sector.”

There is no question this is a big leap and we could lose our investment. However, we have

done our due diligence, which is contained in this packet, and feel like the potential upside can

really be a “game changer” for credit unions.

We selected two firms for review of Evernym. The first is SDR Ventures, a Denver-based

mergers, acquisitions and capital advisory services firm. We felt SDR’s private capital-market

experience would help us get a solid picture on the strength of an investment in Evernym. As a

supplement to the SDR report, we also engaged Best Innovations Group (BIG) to review the

market and the applicability of Evernym offerings in the credit union space. John Best, BIG’s

CEO, has been working with us since January. He has a strong knowledge of the credit union

landscape and what the potential for this type of technology would mean for credit unions.

Our strategic plan lists innovation as one of the five key elements of our mission. It says, “We

will lead and help credit unions be competitive in an ever-changing marketplace.”

This is an opportunity to lead.

Summary Information

Evernym’s initial Capital Investment Opportunity

The Association has been presented with an opportunity to make a significant investment in

Evernym in exchange for company equity.

As background, there are two separate tracks being pursued by the CU industry. The

Association is supporting both initiatives.

Track one is CULedger. CULedger is assembling a consortia of credit unions and CUSOs to

initially push a “research to action” initiative resulting in the build-out of a private permissioned

ledger network. This network could be operated by a national CUSO dedicated to the needs of

credit unions. The initiative will prototype new applications for the network as well as re-launch

existing products and services. Additionally, new monetization concepts will also be developed

by the CULedger initiative.

Track two is a direct equity investment in Evernym. Sovrin, developed by Evernym, is a public permissioned ledger network designed exclusively for self-sovereign identity. A person or business or a credit union with a Sovrin identity may use it with any site, app, or system in the world that recognizes Sovrin identities—including other distributed ledgers like CULedger. It is important to note there are two specific points of synergy between the CULedger network and the Evernym Sovrin network:

1. The CULedger network may use the Sovrin network for identity (and credit unions that are part of the CULedger network can also run nodes on the Sovrin network).

2. The CULedger network may use the same underlying distributed ledger technology (DLT) that Sovrin uses (called Plenum, a DLT optimized for high performance, high reliability permissioned ledgers). However this is not yet determined—the ultimate choice of DLT will be made by the CULedger governing body.

The legal structure of the CULedger governing body is still being determined by the CULedger organizing group, which is raising funds from credit unions and CUSOs to pay for research and development for CULedger. This group is spearheaded by CUNA, the National Credit Union Roundtable, Best Innovation Group and us. Recent additions to CULedger participating organizations include CO-OP, PSCU, CSCU, and CUNA Mutual Group. There are multiple credit unions also playing a key role. Further, as additional background, the Evernym Sovrin network will be governed by the international non-profit Sovrin Foundation. This non-profit is currently being set up by the Sovrin Foundation Organizing Committee, chaired by Phil Windley, Enterprise Architect of Brigham Young University. The Association is a member of the Sovrin Foundation Organizing

Committee. The Sovrin Foundation Board of Trustees will consist of representatives of trusted institutions from around the world, including credit unions and USAA. Desert Schools is an initial member of The Sovrin Foundation Board of Trustees. Lastly, Evernym is the Utah-based startup that developed the Plenum DLT and conceived of building the Sovrin public permissioned ledger for self-sovereign identity. Evernym is doing a funding round that is entirely separate from the funding being raised for CULedger research and development. As management, we are recommending a capital investment of $1 Million in Evernym, referred to as Track two in this document. The recommended investment would be evenly split between Strategic Partners and the Association. At our joint board meeting on August 11, the leadership of Evernym will attend, do an investor

presentation and be available to respond to questions.

Frequently Asked Questions

Below are a series of links for your consideration and review prior to the upcoming joint board

meeting on August 11. All of the information is important background but please review in

detail the section below titled “Evernym Investor FAQs”.

Who is Evernym?

Executive Summary

What is the nature of the investment?

Investor Summary

Why is MWCUA considering an investment in Evernym?

Use Cases for Self-Sovereign Identity

How does the credit union movement benefit from an investment in Evernym?

How Credit Unions Can Win Universal Identity,

and Why They Should

Focus Presentation: Valuation

Big Dot Flyer

Does Evernym have the technical skills needed for the investment to pay-off?

Evernym technology has been presented to many of the top credit union support organizations and some of the largest credit unions including: Boeing Employees Credit Union (BECU), Desert Schools Federal Credit Union, Suncoast Credit Union, Ent Credit Union, Public Service Credit Union, CFE Credit Union, CO-OP, CUNA Mutual Group, CU Direct, CUDC, CUSN, CUNA, and now Canadian credit unions as well. Outside our industry, USAA is a potential lead investor and values the ties to the credit union movement. They have been involved in over 24 hours of meetings with the Evernym team and are considering a significant series A investment. Microsoft has also expressed interested in using the Sovrin platform for their Azure cloud based platform as well as Active Directory worldwide.

Evernym Investor FAQ

Third Party Reviews

The following pages contain the reports, first, from SDR Ventures and second, from Best Innovations Group. Please let us know if there are any questions we can answer or track down prior to Thursday.

EVERNYM REPORTAUGUST 4, 2016

CONFIDENTIAL

Disclosure

This report (the “Report”) has been prepared by SDR Ventures, Inc. (“SDR”) solely for informational

purposes, based upon information supplied by the Mountain West Credit Union Association and

(“MWCUA) and Evernym (the “Company”). The information contained herein has been prepared by SDR

to assist the MWCUA in making their own evaluation of the Company and does not purport to be all-

inclusive or to contain all of the information a prospective investor may desire. In all cases, interested

persons should conduct their own investigation and analysis of the Company and the data set forth in

this Report.

SDR makes no representation or warranty as to the accuracy or completeness of this Report, and shall

not have any liability for any representations (expressed or implied) regarding information contained in,

or for any omissions from, this Report or any other written or oral communications transmitted to the

recipient in the course of its evaluation of the Company. No person has been authorized in connection

with this Report to give any information or make any representations other than those contained herein

and, if given or made, must not be relied upon as having been authorized. Only those representations

and warranties, if any, which may be made to an investor in a definitive written agreement, when, as

and if executed, and subject to such limitations and restrictions as may be specified therein, will have any

legal effect.

The analysis contained herein is based on SDR’s assessment of the Company’s information. No assurance

can be given that any of the assumptions on which the information is based will prove to be correct or

that projected figures will be attained. Actual results will vary from the projections, and the variations

may be both material and adverse. The projected financial statements have not been examined,

reviewed or compiled by independent accountants and, accordingly, they have expressed no opinion or

any other form of assurance thereon.

This Report is not, and should not be construed as, an offer to sell or a solicitation of an offer to buy

securities of the Company.

By accepting this Report, recipient acknowledges the information contained herein is confidential and

proprietary and agrees not to make copies hereof or disclose any of this information without the

permission of the MWCUA and to take reasonable steps to prevent inadvertent disclosures to any other

party.

Confidential 1

EXECUTIVE SUMMARY

Distributed ledger initiatives are quickly gaining momentum and attention throughout the world. This

technology appears to have numerous useful applications for meeting the challenges of personal

identity authentication and secure financial transactions. It is clear that over the next five to ten years,

national and even global adoption for distributed ledger technology will continue to accelerate into a

growth phase, ultimately reaching maturity within the technology sector in ten to fifteen years.i It

remains uncertain which organization, network or platform will prove dominant in what will become the

“new normal” for transaction, identity and digital security protocols.

Evernym, Inc. (aka “Evernym” or “the Company”) was created to harness the potential of this

technology. Evernym is an early stage technology company that is building Sovrin, an identity network,

using highly modified distributed ledger technology. The Company intends to provide a universal “self-

sovereign” identity available to everyone (a permanent, private, secure digital identity that cannot be

taken away by a company or government).

Evernym has raised a $1.5 million seed round and is seeking a $1 million bridge to a $20-$25 million

series A. It is our understanding that the investor syndicate will likely be comprised of strategic

investors, including several potential Sovrin partners/adopters, including the Mountain West Credit

Union Association (MWCUA). According to the Company’s business plan, the proceeds of the equity

round will be used for the development of the Sovrin network, building out messaging and payments

capabilities, as well as marketing and business development.

The company is implementing an “adoption first, monetize later” go-to-market strategy. That is to say,

the Company will not generate profits from the adoption of Sovrin. Identities will be free to users.

However, as the originator of the platform, Evernym believes it will be well positioned to offer a suite of

services to consumers and partners once a critical mass of participants is achieved.

We believe Evernym has identified and squarely placed itself at the intersection of a key market

problem and opportunity. It has also built and continues to expand on a solid business plan which

outlines a credible financing and operating path for executing on the opportunity. In the evolving

landscape of digital identity and security, what makes Evernym’s model unique and informs our view of

its likely success are two key factors: a scalable technology platform and a scalable adoption model.

THE EVERNYM INITIATIVE AND THE TARGET MARKET

Evernym is working to develop the world’s most advanced identity solution. The Company’s initiative is

extremely broad reaching, with potential use by entities both large and small, from governments and

world health organizations, to credit unions, small businesses and even peer-to-peer transactions.

Evernym is a first-mover in the market to create universal identity through a permissioned distributed

ledger system.

Confidential 2

The Company seeks to deploy a B2B2C business model, by working with commercial partners and

creating solutions that serve their interests along with their client’s needs. The Company’s value

propositions for Sovrin users and partners are as follows:

Consumers: Enhanced convenience, greater security, and increased control over transactions

within a trusted platform.

Commercial and Industry Partners: Reducing the costs and burden associated with managing

highly sensitive user data. Building trust and loyalty with customers, employees, and

commercial partners.

There are over 1,000 distributed ledger start-ups across the world according to a detailed report written

recently by Outlier Venturesii. The majority of the companies are focused on providing products and

services that require identity, but are not focused on identity specifically (financial services, sharing

economy, infrastructure, etc.). Yet, in addition to Evernym, there are a number of companies taking

different approaches to decentralizing identity. Examples include:

Blockstack: Is one of the earliest to offer personal identities backed by a permissionless

blockchain. They have grown their user base to more than 50,000 registered identities.

ShoCard: Has built a blockchain-backed digital identity platform that protects consumer privacy,

optimized for mobile. They have successfully tested a prototype for air traveler identification.

Airbitz: Has pivoted from offering a Bitcoin wallet to a full security platform, encrypting data all

the way from the end user while making it available as needed.

uPort: Is a ConsenSys platform, which has recently partnered with Microsoft to build an open

source, self-sovereign, blockchain-based identity system.

In terms of venture investing, the distributed ledger industry as a whole has seen over $1 billion in

venture capital investments made through Q1 2016iii. In addition, more than 50 “traditional institutions”

(includes governments, central banks, financial institutions and other large strategic investors)

announced investments in blockchain start-ups in Q1 2016, up from 34 in Q4 2015iv. Looking at the

trends in dollars invested and the number of start-ups in the blockchain distributed ledger space, there

is clearly evidence of the belief that there are benefits the technology can provide on a social and

economic level.

The main industry question at this early stage is adoption. Despite the growth in venture and early-stage

activity in the distributed ledger world, rapid adoption remains to be seen. At this stage it is unknown

when the technology will mature, generating widespread adoption. Adoption is also the key to

Evernym’s success. However, as discussed in the business plan below, this does not appear to be an “all

or nothing” metric (in other words, the Company can still be successful with other distributed ledger

systems existing in the market).

Confidential 3

The Company’s adoption approach for deploying their identity solution is through strategic partnerships

with member-based institutions (vertical adoption) as well as inbound opportunistic opportunities that

support growth on a large scale through social and government organizations (horizontal adoption). The

combination of vertical and horizontal partnerships seems to support the roll-out of the Company’s

sovereign-identity initiative on a large scale.

The Company appears to be on the leading edge of a technological movement and forming solutions for

global identity problems. Although Evernym’s initiative is ambitious (to solve the world’s identity

problems), major companies and industry groups have publicized their interest and investments in

distributed ledger technologies (e.g. R3, clearXchange for financial institutions and Microsoft’s

Blockchain as a service platform). Governments and international bodies are also discussing the

implications of distributed ledgers on local and global economies.

Although the majority of the buzz is around financial services, there are potentially more robust

applications of the technology that go well beyond this sector. From identity, to intellectual property, to

smart contracts, there are competitive advantages that distributed ledgers providev.

Undoubtedly, there are strong market tailwinds supporting Evernym’s initiative for creating a universal

identity solution. Although the industry is in its infancy, the market is ripe for disruption. The Company is

engaging specific strategic initiatives that could support widespread market adoption. Partnerships with

organizations such as credit unions, USAA, Microsoft, etc. should enhance Evernym’s first-mover

advantage in the distributed ledger identity market.

BUSINESS PLAN ANALYSIS

Go-To -Market Strategy

Evernym’s go-to-market strategy is three fold: Stand-alone applications, Acceptors First, and Entire

Ecosystems. Evernym is building stand-alone applications on top of Sovrin to provide clear benefits to

members and partners (Enterprise messaging, password-less authentication, applicant vetting, etc.).

These stand-alone applications are intended to have a viral impact, creating a network effect. The

Company is also pushing vertical adoption through early acceptors like the credit unions, Microsoft and

USAA. By launching through these strategic partners in different industries, Evernym is positioning

Sovrin for widespread adoption. Finally, adoption by entire ecosystems could include universities and

entire countries. In this case, adoption is mandatory for individuals within each system (active

discussions include BYU and the country of Myanmar).

Perhaps the greatest risk to the go-to-market strategy would be a lack of focus on execution of the

primary pillars of the plan. Evernym is receiving interest from potential “Horizontal” partners that could

be distractions from the business plan’s core initiatives. These potential distractions may also consume

valuable time and resources.

Evernym’s management team seems to recognize this risk and appears to be mitigating by prioritizing

the vertical partnerships (e.g. USAA and Credit Unions) critical to widespread adoption and

Confidential 4

monetization. The Company’s partnerships with USAA and the Credit Unions could lead to momentum

in the marketplace. Evernym is also discussing a partnership with Microsoft, which will make Sovrin

identity attributes globally accessible through the Azure API. This could lead to easier integration into

large corporate identity environments.

Competitive Landscape

From a competitive standpoint, Evernym does have direct competition in the identity space. The top

two appear to be Blockstack whose product focuses on the Bitcoin blockchain and Consensys’ Uport

identity wallet which uses the Ethereum blockchain. The primary difference between Evernym and these

two competitors is the permissioned distributed ledger system vs. the permissionless systems designed

by Blockstack and Consensys. The Company believes that the distributed governance of a permissioned

system will increase trust and drive participation in highly regulated industries, which will likely play a

critical role in adoption and eventual monetization. The research seems to suggest that there is solid

reason for this view.vi There are also a number of indirect competitors that are either (i) not focused on

self-sovereign identity and/or (ii) do not use distributed ledger technology.

A risk to Evernym’s plan is the ability to differentiate itself within this expanding and competitive

landscape. A key assumption of the forecast and Series A investment size revolves around the

assumption that adoption rates will reflect those of the OTT messaging industry, with more than 500

million Sovrin users by FY2021.

Evernym appears to be leading the way as a first mover in the universal self-sovereign identity space

applying permissioned distributed ledger technology. The Company also seems to be separating itself

by focusing on identity first and building the Sovrin system around solving identity related problems that

have global application. This could prove valuable to both vertical and horizontal partners. Additionally,

given the diffused nature of this emerging market, Evernym’s strategy has the potential to be executed

on less than a global scale. By providing tangible benefits to strategic partners, the Company will likely

have opportunities to build simultaneous user communities.

Overall, Evernym’s approach to focusing solely on universal self-sovereign identity using permissioned

distributed ledger technology does appear to be unique in the market.

Monetization

Evernym will not make money off of the adoption of Sovrin itself, but by building layers on top of the

identity platform (Evernym’s “Sovrin Stack”), offering a software-as-a-service (SaaS) platform to Sovrin

nodes and layering products and services on top of the SaaS platform. Monetization under this platform

is scheduled to begin in Q1 2017. According to the forecast, the Company becomes profitable in mid-

2019, at which time active users exceed 100 million.

As seen in the Company’s financial forecast for FY2016 to FY2021, the near term revenues are driven

largely by the SaaS menu offered to partner institutions (i.e. registration, authentication, authorization,

Confidential 5

reputation, messaging, data sharing, key sharing). Over time, the Company anticipates being able to

build on the additional products.

A hurdle to successful monetization will be Evernym’s ability to create commercial opportunities on the

Sovrin platform. Evernym’s monetization plan is predicated on layering products on top of a massive

adoption footprint. This would provide a vast and captive user base for rolling out applications. Support

for this effort comes from Sovrin’s focus on large market opportunities that rely on identity at their core.

These include P2P messaging and payments as well as enterprise messaging.

For example, the P2P payments industry was $16 billion in the U.S. in 2015 and is forecasted to grow to

$86 billion by 2018 according to a recent report by Goldman Sachsvii. In the same year, close to 113

million mobile phone users in the United States accessed OTT messaging apps to communicate. This

figure is projected to grow to 173.2 million users by 2020viii.

Additionally, the market for secure enterprise mobile messaging is growing rapidly as people look to

replace email with more secure and productive ways of communicating/collaborating at work. In other

words, the market for enterprise messaging could be as large as the market for email. Slack, the leader

in the enterprise messaging space, latest reported stats, from August 2015, revealed that 1.25 million

people use the service each day, and 370,000 have paid accountsix.

BUSINESS AND MARKET RISKS

Even with the significant groundwork established and the thoughtful approached utilized by Evernym to

date, it will not be immune to the business and market risks of any new venture, business model or

major innovation.

As it continues to roll out its solution to this large market, Evernym, and its partners, will encounter

three risk factors in establishing itself as a successful option in growing market of identity based

solutions:

Will the solution and model adequately address the current challenge/opportunity?

Is there real market potential and is there a clear path to adoption?

What are the regulatory barriers and limitations?

Will the solution model adequately address the current challenge/opportunity?

This question gets to both the technology question and delivery model. In the current digital economy,

identity threats increasingly account for major economic loss, major organizational costs, and personal

disruption. A model seeking to address these challenges with a new, disruptive, platform will need to

build a solution with a technology structure solid enough to serve as a foundation but flexible enough

for collaboration and widespread use.

Evernym’s effort to address these challenges and opportunity is to reshape the landscape with a new,

universal identify solution. At the heart of Sovrin’s technology is Plenum, the Evernym developed

Confidential 6

advanced algorithm that provides cutting-edge encryption protocols. Plenum exhibits low latency

characteristics which addresses one of the key technical challenges for a distributed ledger based

solution. Plenum was created to be an open source technology making it more likely that collaboration

and further development will take place. The Company has developed defensible IP, consisting of

patents (granted and pending) around creating a system that is an attribute-based, sovereign identity

graph platform on an advanced, dedicated permissioned distributed ledger (aka Sovrin).

The attributes-based nature of the Sovrin platform has been created for an individual identity holder on

the Sovrin network to reveal only the attributes (Social Security number, date of birth, address, etc.)

relevant to the transaction or desired purpose. These attributes are controlled and owned by the

identity holder and can only be authorized for sharing by the identity holder.

In our view, a major sign of business maturity and one of Evernym’s efforts to mitigate risk in its model is

the merger with Respect Network. Evernym’s merger with Respect Network has accelerated its

capability and understanding of the business rules that have to sit on top of the technology platform

itself. According to a research director at Caribou Digital, a top research firm focused on the digital

economy, none of the other players in this space have spent as much time working through the business

values that will sit on top of the platform to make their technology work.x Additional third party

validators such as Microsoft have confirmed the advanced and stable nature of the technology platform

by allowing it to integrate into their product set.

Finally, Evernym holds patents on the important components of the Sovrin platform which mitigates

significant risk to early investors or partners. A would-be competitor would need to work around the

unique features of Sovrin, or choose to collaborate thereby increasing adoption of the core platform.

Is there real market potential and a clear path to adoption?

Most, if not all, of the developing identity based technology platforms have the same inherent risk

factor that will determine their success: adoption. It is difficult to overstate how important the

adoption case and challenge is.

Early traction in adoption is a critical success factor on the road to broad based adoption. On that front,

Evernym’s approach in early partnerships with financial institutions and education organizations gives it

a head start among other identity solutions. In the open and permissioned platforms, Evernym is well

ahead in its ability to successfully correlate use cases with adoption partners.xi Specifically, partnerships

with USAA and Credit Unions would create a competitive advantage in this race for adoption.

Partnerships between these organizations creates a foundation layer for use cases that will infuse the

adoption momentum with insights that are critical to the success of building the Sovrin adoption

footprint.

One of the possible accelerants to Evernym’s success is that the characteristics of the Sovrin identity are

built to actually be sovereign – meaning the individual owns it and is in control of it. Privacy and security

breaches continue to cast doubt about the identity protection and verification of large internet

platforms such as Facebook and Google. These players pose a significant risk to firms such as Evernym

Confidential 7

seeking to build new platforms for secure and trusted identify. However, it appears these large internet

companies are not inclined to trade short term economic gains in order to move towards creating more

open, collaborative and user owned identity platforms. If this trend continues, they will continue to lose

the trust of its users. This clearly creates a window of opportunity for platforms such as Sovrin to gain

adoption traction as a “trust worthy platform” in what experts are calling the new “Trust Protocol” for

the exchange of information, goods and services.xii

True global reach and adoption would include credentials used by and/or issued by governments. This is

a complicated and often perilous area of identity adoption and it is extremely unlikely that government

authorities will give up control in maintaining a verification system for its citizens (Social Security

number, national ID, etc.). However, a government identity system could conceivably sit within a

broader identity platform such as Sovrin. There is a business case that can be made for governments

exiting the platform and infrastructure business entirely and instead issuing credentials that would

reside in a permissioned and open identity platform such as Sovrin.

Universal adoption is the overarching goal for the Sovrin identity platform. Yet, competitive pressures,

regulatory requirements, and technology advancements could make a multi- platform scenario a real

possibility. In the long term, the industry landscape might include several relevant platforms adding

value in identity, authentication, and security for various sectors of the economy and society as a whole.

In this scenario, Sovrin may be one of several platforms and/or Evernym may be one of various firms

building products for the Sovrin platform. This outcome could lead to a significant win for Evernym and

its partners both in terms of direct internal use and economic benefit.

Finally, it is clear that private capital investors and the largest strategic players such as Google,

Facebook, Microsoft and others will continue to invest in the expanding identity and distribute ledger

technology. An open question for big technology incumbents is if they are prepared to pivot from their

current model to successfully incorporate the requirements of trusted, secure, sovereign, universal

identity. A likely scenario is that these players will acquire companies with the ability to monetize

products and services on top of developing identity platforms. This could be a real outcome for Evernym

which could also generate meaningful returns for its stakeholders.

What are the regulatory barriers and limitations?

As the Credit Union community is very familiar with, financial transactions have emerged as the largest

focus and most often sited use case for identify and authentication technology solutions. This sector is

experiencing arguably the greatest security and monetary impact in our society. Given the incredible toll

security breaches and identity theft are taking on society, governments are continuing to step up policy

efforts to more effectively address these growing threats. It is clear that there are strong regulatory

tailwinds in this industry.

Still, distributed ledgers raise a number of questions for policy makers at the national and international

level. As with any new technology, new regulatory policies will need to be developed. The timing and

reach of regulatory framework is unclear at this point in time.

Confidential 8

There are numerous initiatives by government organizations supporting the growth and adoption of

distributed ledger technologies to address commercial and social issues. U.S. Federal Reserve system

officials have highlighted distributed Ledger potential, recognizing the benefits and potential

applications in the financial communityxiii. Similarly, the U.S. Commodity Futures Trading Commissioner

calls for “examination of rules that may inhibit Distributed Ledger technology innovation”xiv. The UK

government’s Chief Scientific advisor recently released a report recommending pursuit and adoption of

blockchain technologiesxv.

In the U.S., the government has created a contest called “Blockchain and Its Emerging Role in Healthcare

and Health-related Research” with the goal of having participants create white papers on the topic of

blockchain technology and its use cases within the healthcare industry. Perhaps most importantly,

governments and Central Banks are directly funding distributed ledger research. For example, the

Department of Homeland Security recently announced grants to six companies working with distributed

ledger technologies for Identification Services (Including Evernym via Respect Network).

The risk for companies working within such a nascent industry is that despite government’s strong

encouragement to solve the stated problem, regulator’s “preferred” methods and processes frequently

remain elusive. A key regulatory burden that must be met is one of enforceability and the finality of a

given transaction. A company undertaking such a large task will face the potential risk of building a

solution that fails to meet the regulatory approval necessary for achieving broad based adoption and

certainty of the transactions flowing through its platform.

As it seeks to scale across geographic markets, what may help Evernym avoid these hurdles is its

permissioned and transparent identity model. Sovrin can also accommodate numerous and diverse

credentials while permitting only authorized nodes, or screened and approved participants in the

platform, to verify identity protocols. This is vital component to broad based regulatory approval.xvi

Building on the momentum around standardization for identity, Sorvin’s permissioned protocol,

advanced cryptography, and open structure appears to position Evernym to successfully address the

competing questions around real universality and high security protocol standards. Obtaining regulatory

acceptance for use in financial transactions, educational institutions, healthcare records, and

government systems is a high bar that Evernym seems to be uniquely prepared to meet.

CONCLUSION

Security threats and regulatory requirements will undoubtedly continue to create tremendous business

challenges for financial institutions like the Credit Unions. There appears to be a similar accumulation of

risk in not being deeply involved in the expanding area of digital identity technology. Financial services

firms or any organization that manages sensitive customer data cannot afford to stand on the sidelines

as advances in customer identity, security and engagement take hold. Organizations who fail to adopt a

plan for incorporating advanced identity and digital security technologies for their internal systems,

customers and members will more than likely find themselves requesting permission to participate in

someone else’s. Doing so may come at a great economic and reputational cost. As such, perhaps the

Confidential 9

ultimate question facing a financial services organization considering investing in and/or adopting

advanced identity verification and distributed ledger technology is not if, but when.

Sovrin and the Evernym model are built on an infrastructure platform that is open. As the industry

experts repeatedly remind us, any identity solution is only as good as the number of people who will

trust it and use it. The Sovrin platform is built so that that other ecosystem participants can build on top

of it. Evernym’s merger with Respect Network has accelerated its capability and understanding of the

business rules that have to sit on top of the technology platform itself. This key differentiator from

other solutions positions Everynym to succeed in the large task of building a scalable technology

platform with broad based adoption.

Although the buzz and excitement around this fast moving technology may create uncertainty around

which path to move down, the MWCUA has carved out an advantageous position in its discussions with

Evernym. In addition to the relevant use cases explored as well as the work being developed with

CULedger, the direct Evernym investment may fortify the MWCUA’s position even further. An

investment in Evernym could very well create the path for a Credit Union industry-wide framework for

establishing the necessary elements that build a technology foundation and a collaborative ecosystem in

which multiple value streams are explored, nourished and implemented. More specifically, the

partnership with Evernym has three complimentary value proposition for the MWCUA:

Access to the core technology and platform of the Sovrin network.

Continuous innovation of products for direct beneficial use within the Credit Union community

and by its members.

Commercial returns from Evernym products built on the Sovrin platform.

We believe the MWCUA should strongly consider utilizing this partnership with Evernym as an

opportunity to advance its position with its members and within the broader financial services market

landscape. Working alongside an organization with the technical and industry validation advantages of

Evernym has the potential to generate both near-term and long-term benefit for MWCUA members. At

the same time, it may greatly reduce the looming and eventual costs and risks associated with a

prolonged evaluation of the many options for engaging in the digital identity and security arena.

A strong partnership or investment with Evernym would plant the flag and create a clear direction for

successfully navigating a digital identify based future for the MWCUA. It will not be perfect, and many

pivots will necessarily take place to respond to the evolving technological, regulatory, and global

adoption challenges. However, having an internal, front row seat will allow the MWCUA and its

member organizations to adapt and respond with more useful assets and knowledge. Business

scenarios where partners with different core missions provide tangible, mutual, and long-term value

creation are rare. We believe this could be one of those scenarios.

Confidential 10

Sources:

i https://www.accenture.com/t00010101T000000__w__/au-en/_acnmedia/PDF-6/Accenture-Blockchain-Enabled-Distributed-Ledgers.pdf. ii Lundy, Lawrence 5 Things We learned From Analyzing The Location of 950+ Blockchain Startups (July 9, 2016) iii Hileman, Garrick State of Blockchain Q1 2016: Blockchain Funding Overtakes Bitcoin (May 11, 2016) iv Hileman, Garrick State of Blockchain Q1 2016: Blockchain Funding Overtakes Bitcoin (May 11, 2016) v McLean, Sue and Deane-Johns, Simon Demystifying Blockchain and Distributed Ledger Technology (April 5, 2016) vi http://www.ofnumbers.com/wp-content/uploads/2015/04/Permissioned-distributed-ledgers.pdf vii Goldman Sachs, The Future of Finance 2015, pg. 51 (March 2015) viii eMarketer, eMarketer.com (June 2016) ix Captain, Sean The Messaging Apps Gunning for Slack, Fast Company (October 21, 2015) x Pon, Bryan (Caribou Digital Research Director). Phone interview. August 2, 2016. xi Pon, Bryan (Caribou Digital Research Director). Phone interview. August 2, 2016. xii Don and Alex Tapscott, Blockchain Revolution (New York: Penguin, 2016). xiii Coindesk, State of Blockchain Q1 2016 (May 11, 2016) xiv Coindesk, State of Blockchain Q1 2016 (May 11, 2016) xv Palmer, Daniel 5 Must Read Excerpts From the UK Governments Blockchain Report (January 24, 2016) xvi http://www.ofnumbers.com/wp-content/uploads/2015/04/Permissioned-distributed-ledgers.pdf.

Identity Research Findings, 08/04/2016

Best Innovation Group

Executive Summary

This document is intended to provide a summary of the research conducted by Best Innovation Group (BIG) into the identity space with regards to Credit Union opportunities, technology, security ,feasibility and monetization. The document will describe the process of review and the documented outcomes as well as a final recommendation. Market Analysis

Research Team An Identity research team was created consisting that consisted of team members from BIG was created:

● John Best (CEO) ● Ed Gonzalez (President/COO) ● Tom Stacy (CTO) ● Elliot Cotto (CCO)

Each interview was open to all members of the Identity research team. Interviewees As part of the identity market analysis, BIG interviewed identity experts in the field to determine the current state of the identity industry. The following industry experts were interviewed. Andrew Tobin

○ Tech Strategy Advisor, Telesign ○ Specialties: digital identity, mobile fintech, NFC, digital ID, retail payments, m-Commerce,

infrastructure virtualisation, app development, real-time transaction processing. Bryan Pon

○ Director of research at Caribou Digital ○ Senior researcher and analyst for mobile and energy sectors, especially in emerging markets.

Tim Swanson

○ Director of Market Research at R3 ○ Distributed ledger technology and design expert

Doc and Joyce Searls

○ Director of ProjectVRM ○ Fostered pioneering development of VRM (Vendor Relationship Management) tools and services

Phil Windley

○ Enterprise Architect, Brigham Young University ○ Board Chair, XDI.ORG

Approach The following questions were asked of each interviewee.

● What is the current state of identity in the industry ? ● What has changed in this space that has moved the identity industry forward ? ● What is the minimum viable network necessary to make a identity (or any blockchain related network)

functional ? ● How will adoption play out? ● Who in your estimation is leading the identity industry?

Summary of Findings All interviewees, with the exception of Tim Swanson (who abstained from giving an opinion), stated that the concept of sovereign identity was the most important feature of a new Identity system. All interviewees stated that Distributed Ledger technology has been the catalyst for the recent advancements in the Identity movement. The minimum viable network question had a range of answers, but the numbers were smaller than expected for a true network. The lowest number given was 5 nodes and the highest number was 150 nodes. BIG believes that the answer is a mixed node selection based on large validator nodes as well as observer nodes or examiner nodes. Adoption was split between two ideologies:

1. A grassroots adoption method whereby adoption slowly gains ground.

2. The U.S. government will get behind a identity platform and as a result adoption will move more quickly.

Many of the respondees mentioned evernym by name, Tim Swanson had a notable response in that he declined to provide a response. He did mention that they had spoken to many of the platforms that are available and that there was a internal opinion at R3. BIG believes that this response denotes the importance of identity based on R3’s clients and position relative to the financial industry.

Competition

As part of the analysis, vendors were invited to demonstrate their products. Each product was reviewed and analyzed as to where it fit in the credit union solutions.

Overall breakdown by feature

Company Feature Integration Competitor Analysis

Evernym Public Permissioned Identity platform based on distributed ledger

Private and certified API integration based on Semantic WEB

Base platform Supports other competitors

Trunomi On boarding and checking credentials via EU GDPR, PDS2 regulatory compliant certificates for all data interactions

Highly mature API. Compliments the evernym sovrin identity platform by providing an on- boarding identity verification process.

Shocard Provides digitized versions of plastic cards

API Could benefit from using the sovrin platform , today it operates on bitcoin.

ShoCard

● Co-Founder and CEO: Armin Abrahimi ● Co-founder: Jeff Weitzman ● Founded: February 2015 ● Location: Palo Alto, CA ● Annual Revenue: $.06M[1] ● Employees: 1-10 [2]

Business Model ● B2B: CEO Ebrahimi says ShoCard is targeting card issuers and will verify the identity of cardholders

during mobile transactions.[3] ● First clients will be credit and debit issuing banks that issue nearly a billion cards.

Brand ● ShoCard is a digital identity that protects consumer privacy and is as easy to understand and use as

showing a driver’s license. It’s optimized for mobile and so secure that a bank can rely on it. ● Easy To Use. Bank-Level Security. ● Identity for a Mobile World ● It's the one identity verification system that works the way consumers and businesses need it to for

security, privacy, and always-on fraud protection

Products

ShoCard is a digital identity card used through a mobile app (ShoCard Mobile App). The company meets the needs:

● Trustless and decentralized. Your Identity is not under the control of any institution (either Government or commercial).

● Immutable. Nobody can change a record; they can only append a new record.[4] ShoCard wants to use the blockchain to authenticate identification. Rather than an individual providing personal–and financial, details every time during the e-commerce checkout process, customers can store their information securely with ShoCard and enter it on request. Additionally, ShoCard could also be used for other financial systems, such as storing your online banking login details. The main benefit of ShoCard is that it can only be modified by the consumer.

Technology ShoCard is explicitly built for mobile, and also utilizes TouchID. ShoCard protects and verifies identity using strong public/private key encryption with multiple keys, data hashing, out-of-band communication, data matching, and two-factor authentication. A ShoCard is basically a tiny file that only the owner can manipulate. When a ShoCard is created by a user, they first scan their identity document (e.g., Drivers License) and sign it. Then, the mobile app will generate a private and public key to seal that record. It is encrypted, hashed and sent to the network of communicating nodes running bitcoin software for later use. After this initial creation process, it is accessed by the user via the ShoCard’s mobile app where they can retrieve their information.[5] Users are able to, in effect, give financial institutions temporary access to the private side of this blockchain record in order to verify identity. Once that is done, the bank creates its own record that can be consulted in the future to determine that Joe Smith is really Joe Smith.

Funding

Figure 1 ShoCard's $1.5M Seed Investors [6]

Traction According to Mattermark, the company has an estimate 198 unique monthly visits (though it is important to note that the company is a Mobile App based product).

Figure 2 ShoCard Web Traffic [7]

Figure 3 ShoCard's Mobile App–Available on iTunes–No users logged NOTE: It is important to note that neither ShoCard nor Trunomi have their own Blockchain–a fact highlighted indirectly by the companies–where users feel assured that no one has control over, or owns his online identification except himself. (i.e., Trustless and decentralized–an identity is not under the control of any institution (either Government or commercial).

References ● [1] http://www.hoovers.com/company-information/company-search.html?term=shocard ● [2] https://www.linkedin.com/company/shocard-inc- ● [3]

http://bankinnovation.net/2015/05/shocard-will-help-banks-authenticate-users-with-the-blockchain/ ● [4]

http://bankinnovation.net/2015/05/blockchain-based-digital-identity-will-disrupt-commerce-and-government/

● [5] http://techcrunch.com/2015/05/05/shocard-is-a-digital-identity-card-on-the-blockchain/ ● [6] https://www.crunchbase.com/organization/shocard-inc#/entity ● [7] https://mattermark.com/companies/shocard.com

Trunomi

● Founder and CEO: Stuart Lacey ● Founded: October 2013 ● Location: HQ San Jose, CA (Offices in Bermuda and London) ● Annual Revenue: $.37M[1] ● Employees: 11-50[2] (12)[3]

Business Model B2B: Based on the premise that regulatory evolution, political will, customer choice, and data security risks will push financial institutions to adopt “informed consent” for customer data usage: Trunomi delivers end-to-end solutions that integrate with financial institutions’ existing technology, from digital customer interfaces through to our powerful API platform. Institutions are enabled to offer fully digital customer onboarding and customer data management. We streamline business processes and deliver amazing and seamless customer experiences. Solutions include mobile account opening, know your customer (KYC), data personalization and the delivery of new value-added services that all rely on the access to and analysis of Customer Personal Information. The proprietary Trunomi platform accelerates, simplifies and secures the data collection and sharing process, with a powerful combination of enterprise compliance solutions and mobile technology. This approach enables institutions and their customers to easily create auditable, digitized sets of customer identification data and then simply manage and securely share them anytime, anywhere; in full compliance with international privacy and regulatory requirements.[5] A primary selling point according to Trunomi is that once a customers verified data is collected, the bank can create its own record that can be consulted in the future to determine not only that Joe Smith is really Joe Smith, but also to customize offerings to that customer base on their data.

Brand ● Revolutionizing the way that financial institutions create, manage, and interact with customer data. ● Trunomi provides Know Your Customer (KYC) compliance technologies for regulated entities (RE)

through a platform that accelerates, simplifies and secures the customer on-boarding process. The company offers B2Me solutions (i.e., marketing to an individual based on the desires of that individual) that enable REs and their customers to easily create auditable “Golden Source” digitized sets of customer identification data and then simply and securely share them anytime, anywhere; in full compliance with global privacy and regulatory requirements.

● Our customers are financial institutions and our products create new revenue streams and eliminate inefficiencies. Financial institutions are more than happy to pay our user-based fees, which are less than 10% of their current KYC expenses.[4]

Products ● TruMobile is a mobile app that empowers financial institutions’ customers to control and share their

personal identification data. ● TruHub is an enterprise-class KYC on-boarding system. ● TruLink is a data sharing solution that replaces call centers and solves customer-not-present card

and transaction verification.

Technology

Figure 1 The Trunomi Platform[6]

Figure 2 Company Description: Distributed, Consent-based data sharing platform. Open API framework with a single point of integration.

● The company is a decentralized and distributed data solution[7] and does not keep copies of customer data.

● The company supports the open API standard, welcoming third party applications and services to integrate with our platform.

● Working with Trunomi, eID&V providers can benefit from easy access to international financial institutions that rely on the highest levels of customer data checking.[8]

Funding ● Funding: $5.3M ($3M Venture, $2.3M Angel)

Figure 3 Trunomi Investors [9]

Traction

Trunomi does not talk about their numbers which indicates that they are still rather small (Estimated total monthly unique visits to the website–743[10]).

Figure 4 Trunomi Website Traffic and Trends. [11]

References ● [1] http://www.hoovers.com/company-information/company-search.html?term=trunomi ● [2] https://www.linkedin.com/company/trunomi ● [3] https://mattermark.com/companies/trunomi.com ● [4] http://www.verdictfinancial.com/finovate-interview-trunomi/ ● [5]

http://www.businesswire.com/news/home/20150908005955/en/Trunomi-Completes-3-Million-Capital-Raise

● [6] http://www.trunomi.com/our-platform/ ● [7] http://www.trunomi.com/our-platform/ ● [8] http://www.trunomi.com/about-us/#collaborate ● [9] https://www.crunchbase.com/organization/trunomi/investors ● [10] As ohttps://mattermark.com/companies/trunomi.com ● [11] https://mattermark.com/companies/trunomi.com

Evernym, Inc.

● Co-founder and CEO: Timothy Ruff (Also an investor–amount unavailable) ● Co-founder, CTO, Chairman: Jason Law ● Founded: April 12, 2014 ● Location: Herriman, UT, 84096 United States ● Annual Revenue: .16M [1] ● Employees: 15 [2]

Business Model

Gateway platform dedicated to and engineered for universal, private, non-tracked, easy-to-use, self-sovereign identity. Supports the entire continuum of the identity graph, from anonymity to pseudonymity to strongly-proven full legal identity. The company differentiates itself based on a distributed blockchain technology as opposed to a decentralized model based on the work of Tim Swanson of Rev C3.[3] (Specifically see Consensus-as-a-service: a brief report on the emergence of permissioned, distributed ledger systems.)

Brand ● We’re building an open-source sovereign identity platform on a permissioned blockchain, and ● we’re giving it away. ● This ain’t your daddy’s blockchain. It’s a high-speed permissioned distributed ledger that’s engineered

and dedicated solely for identity. ● Identity is a mess. Help us clean it up. ● We all have too many accounts, usernames, and passwords, too much identity theft and fraud, too

many data breaches, too little control, too little privacy, and an unacceptable 3 billion people “unbanked.”

Products ● Distributed-ledger-based Evernym Identity Platform, a highly advanced, “sovereign” solution to the

global identity problem that restores privacy and control where it belongs: you. ● A high-speed permissioned distributed ledger that’s engineered and dedicated solely for identity. ● Sovrin: a universal, private, non-tracked, easy-to-use, self-sovereign identity that supports the entire

continuum of the identity graph, from anonymity to pseudonymity to strongly proven full legal identity.

Technology

● Apache2/Open Source ● Online platform ● Permissioned distributed ledger ● OASIS XDI (Extensible Data Interchange) protocol

Funding ● Ron Hammond–Advisor, Investor, Board member (Also an investor–“significant funding”– amount

unavailable)[4]

Traction

● Unavailable, but see website traction ● Estimate monthly unique: 20 [5]

Figure 1: Evernym Website Traffic and Trends from Mattermark [6]

Figure 2 Evernym Patent Applications [7]

References ● [1] http://www.hoovers.com/company-information/company-search.html?term=evernym%20inc ● [2] https://gust.com/companies/evernym_inc ● [3] http://evernym.com/technology/#permissioned-section ● [4] https://angel.co/evernym/jobs ● [5] https://mattermark.com/companies/evernym.com ● [6] https://mattermark.com/companies/evernym.com ● [7] http://www.faqs.org/patents/assignee/evernym-inc/

FInal Recommendation

Overview After many interviews and technology research that included prototyping a blockchain platform on several different operating systems. BIG recommends that if a investment were to be made in the identity industry, Evernym should be considered for the following reasons.

1. All the other identity platforms relied on either BITCOIN or Ethereum, both of which are public permissioned networks. Evernym’s Sovrin platform is the only purpose-built distributed ledger technology that BIG can find on the market.

2. The marriage of respect.network and Evernym is particularly important because of the XDI layer, a

standard that will allow multiple entities to connect directly on a decentralized network . Drummond Reed is one of the foremost authorities in the world on the semantic web - this will be the secret of Sovrin’s success. The other solutions don’t have this and didn’t exhibit the ability to adopt this technology. It is our belief that XDI is as important as Sovrin, if not more so.

3. None of the three companies reviewed (Trunomi, ShoCard, and Evernym) are able to function as a

standalone unit at this time; each brings a different piece of the puzzle to the table. However, the base for everything is clearly the Sovrin platform. In that regard, Sovrin is the most significant of the solutions we have seen as it will likely serve as the foundation for the integration of many platforms/products. This is because Sovrin is the only true public permissioned distributed ledger that is purpose-built for identity.

4. Security and encryption is strong in the Sovrin platform because of Jason Law’s work with Dimitri

Khovratovich (https://www.cryptolux.org/index.php/Dmitry_Khovratovich). Both are well-respected and bring a high level of world-class expertise in cryptology.

5. The overall business case on fraud alone is compelling. If this was a product related only to

reducing fraud, it would be best in class - the monetary losses in fraud alone would pay for any Credit Union to implement the platform. Another important consideration is the the loss of trust in the Credit Union experienced by the member when their account is compromised. That loss cannot always quantified or restored.

6. The Department of HomeLand service SBIR for research is an important aspect of the identity

implementation as it brings a reason for people to use the identity platform. A government relationship or mandate for sovereign identities would bring instant credibility to the platform as well as expedite adoption.

7. While this document has focused on fraud and security as the overarching reason to invest in

identity solution. There are many other use cases that will bring value to the credit union community. Expediting filling out forms, creating smart contracts around identity solutions, and new payment paradigms are among the most compelling use cases. However for purposes of this research BIG chose to focus on the fraud and technology aspects as the use cases are not completely worked out and it would be difficult to quantify the value without speculating.

Areas of Focus

1. Sovrin has yet to crack the issue of Key management , in fact none of the solutions really showed any of their key management tools , In this regard all solutions are really behind. The key management issue will be the most difficult to tackle and has the most potential to slow down adoption. Sovrin needs to make a substantial investment in Key management for the nodes as well as for the users.

2. Execution and adoption will continue to be a issue without a world class project plan as well as a killer application as its first product. Identity alone is difficult to sell. Improved security is a much easier sell , and a new product that takes advantage of the selling points of the Sovrin Platform is even better.

Strategy and Implementation Evernym spent much of 2016 introducing Sovrin at various identity conferences around the world and credit union events in the U.S. It is critical for Evernym to focus very carefully on the most strategic opportunities to gain traction in the market and establish its platform as the defacto industry standard. The Public permissioned ledger space is likely to be very exclusive and as a result players will need to stake out their place early. Evernym has stated they have selected the following market focus areas, in order of priority:

1. Member-driven financial institutions in the U.S. This category encompasses USAA, with over 14M members, and the U.S. credit union (CU) industry, which has over 100M members.

a. BIG believes this should be top priority as it makes the most sense to use Financial institutions as the initial claims providers for identity.

2. Government-sponsored healthcare ID projects in Indonesia and Myanmar. The Indonesian project

encompasses 230M citizens; the Myanmar project 68M citizens. a. BIG has some concern that this approach while important because it establishes sovrin as

world wide could distract Evernym from the financial institutions. BIG recommends a tiered approach or perhaps a separation of the international investments.

3. The Doctor's Link physician credentialing project in the U.K. Although this project does not involve a

large population of users (<100K doctors in the U.K.), it is a highly strategic illustration of how Sovrin identity and credential verification can solve a high-value trust problem in healthcare spanning the UK General Medical Council and leading UK hospitals.

a. This seems like a better use case to achieve international acceptance. In BIG’s investigations BIG uncovered the fact that the U.K is clearly ahead in the identity market. BIG would recommend this be prioritized ahead of indonesia and Myanmar

For the first opportunity, Evernym and its implementation partners have stated they will be focused on four initial products:

1. Passwordless biometric authentication. For USAA, this already a market-leading feature—what Sovrin and the Evernym Sovrin SaaS platform will do is enable USAA to offer this feature to sites outside of USAA. For U.S. credit unions, it will allow them to establish Sovrin login as an industry standard not only among their own sites, but at the sites their members frequent.

a. This of course depends on scale , the potential is clearly here based on the 114 million consumers , however this assumes that the entire CU market will use the product. This is not likely, so it is important to understand that even a smaller scale could move the needle for identity. The key value for this will be the quality of the Credit Unions that are early adopters.

2. Credit card anti-fraud protection. Sovrin-secured push notifications and one-touch biometric authentication will provide a simple, strong, standard mechanism for CU members to prevent account takeover and authorize significant purchases, stopping fraud before it can happen.

a. Evernym has been exploring a relationship with PSCU who owns a patent on the credit card lock process that Discover and others use. This process combined with a sovereign identity platform could re-invigorate the card control market and create a new paradigm at the register.

3. KYC/AML. Sovrin identity authentication and credential verification can dramatically lower the cost for CUs to comply with KYC/AML regulation while at the same time reducing friction for consumers.

a. There are key products such as switch kits and member on boarding that a product like sovrin can enable. These are however going to take time and adoption to achieve scale. While this is a compelling product , fraud reduction is the most profitable and easy business case to make.

4. Portable reputation. Sovrin credential verification can include reputation statements from USAA or

CUs that will enable their members to assert their financial reputation at other sites, providing a significant new source of value.

a. Claims or attestations will likely become a marketplace. With providers selling their attestations. Which means that Credit Unions could lead in this market. An attestation or claim from a Credit Union would be worth more than a attestation from a social provider.

Because these relationships and projects are already substantially in place, implementing the products in these focus areas will require only a small increase in Evernym's current business development and sales resources (3 additional headcount). So the balance of resources required are all in product development, design, and engineering. In these areas Evernym plans to grow headcount from 12 to approximately 40 employees and contractors by the end of 2017. Evernym will also focus on building key integrator relationships in its target markets: Best Innovation Group in the member-driven financial institution industry; iRespond and Microsoft Asia in the Indonesia and Myanmar projects; and Ctrl-Shift and Capgemini for Doctor's Link. Execution in this area is critical and needs to be continuously monitored if a investment is made. It is important to embrace an agile project management approach and include the Credit Union’s in the use cases. This will allow the investors to monitor the growth and gain.

Acquisitions Evernym's acquisition of Respect Network includes Respect Network's Small Business Innovation Research grant from the U.S. Department of Homeland Security to research and design a privacy-respecting identity management system based on blockchain technology. Respect Network received this contract shortly before Evernym came out of stealth last March with its announcement of Sovrin. Sovrin's public permissioned architecture for a distributed ledger for self-sovereign identity met all the requirements Respect Network had identified in its DHS SBIR application. Respect Network is currently at the mid-point of its R&D work under the SBIR grant, nearing completion of the second phase (design and architecture). In the third phase, it will implement a POC of the design using Sovrin and DID (decentralized identifier) objects. This will prove DHS thesis that blockchain identity can provide both the strongest (from a security standpoint) and most private (from a decentralization and user-control standpoint) solution for Internet-scale identity management. DHS has already confirmed that this will satisfy immediate and strong demands from it's customers, including TSA, and will enable the U.S. government to address persistent data security and privacy problems such as the OPM data breach.

Based on the DHS relationship, Respect Network has also submitted a DARPA SBIR grant application for blockchain-based secure messaging based on Sovrin. Regulatory drivers

Privacy is gaining ground in europe, specifically to personal identity information (PII). An example of this in the united states would be the Credit Card FACT act. (Fair and Accurate Transactions) which in part was designed to reduce identity theft. The ACLU has been actively pursuing similar legislation in the U.S. Bills that are being introduced revolve around personal privacy , location tracking and student data privacy. 16 states have adopted some form of these bills (https://www.aclu.org/map/takectrl-nationwide-privacy-push). The Evernym Sovrin platform represents an elegant solution to the privacy problem and it would be wise to consider the effect and value of these privacy laws to the membership. Credit Unions have traditionally been hesitant to share private data for profit , this position could allow them to push past the banks by providing an advanced privacy solution. Also it appears that privacy can be monetized and would be a possible new source of income. The information and policies below represents the latest global thinking in privacy.

GDPR The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a Regulation by which the European Commission intends to strengthen and unify data protection for individuals within the European Union (EU). It also addresses export of personal data outside the EU. The Commission's primary objectives of the GDPR are to give citizens back the control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.[1] When the GDPR takes effect it will replace the data protection directive (officially Directive 95/46/EC) [2] from 1995. Perhaps confusingly for some, there is a new directive as well as a new regulation; it will apply to police procedures, which will continue to vary from one Member State to the other.[3]

The regulation was adopted on 27 April 2016. It enters into application 25 May 2018 after a two-year transition period and, unlike a Directive it does not require any enabling legislation to be passed by governments.[4]

PDS2

The revised Payment Services Directive (PSD2) was proposed by the European Commission in 2013, and the objective was to create a level playing field by:

● Standardising, integrating and improving payment efficiency in the European Union ● Offering better consumer protection ● Promoting innovation in the payments space and reducing costs ● Incorporating and providing clarity on the use of emerging payment methods such as mobile

payments and online payments ● Create a equal playing field for payment service providers - enabling new companies to get into the

payments space ● Harmonise pricing and improve security of payment processing across the European Union ● Incorporate new and emerging payment services into the regulation

Source : http://www.sepaforcorporates.com/single-euro-payments-area/5-things-need-know-psd2-payment-services-directive/

StateECPA

● Student Information Systems Privacy: Requires express and specific parental or student permission before student data is used for a non-educational purpose by a third party

● “1-to-1 Device” Privacy: On computing devices that are loaned to students, limits the ability of schools and third parties to access, track, and utilize information about student behavior and communications made.

● Student Personal Technology on Campus: Ensures that the same warrant protections that apply to students’ personal electronic devices away from school apply when students are on campus.

● Student Social Media Privacy: Prohibits educational institutions from demanding access to students’ social media accounts, except under specific, limited circumstances.

● Employee Social Media Privacy: Prohibits companies from demanding access to current or prospective employees’ social media accounts, except under specific, limited circumstances.

● State Electronic Communications Privacy (StateECPA): Prohibits the government from reading the contents of electronic communications without a warrant, and, in some cases, applies the same standard to location tracking. Builds on the recent bipartisan passage of the nation’s strongest digital privacy law enacted to date, the California Electronic Communications Privacy Act (CalECPA)

● Cell Site Simulators (a.k.a. Stingrays): Requires a warrant for the government to use cell site simulators to track a person’s location as well as rapid deletion of data inadvertently collected about people who are not suspected of any wrongdoing.

● Automatic License Plate Readers (ALPRs): Requires rapid deletion of ALPR-collected data about persons who are not suspected of any wrongdoing.

Source : https://www.aclu.org/news/16-states-dc-introduce-legislation-limit-surveillance-and-protect-student-and-employee-privacy

Security Traditional infrastructure security relies on firewalls, secure key management, and other best practices. If a database server is hacked, data could be exposed. The Evernym blockchain is protected by a "distributed consensus" pool of servers leveraging "Byzantine Agreement." to ensure security. If one or more servers were to be compromised for any reason, and malicious code installed, other servers in the pool would detect the unpredictable behavior and logically sequester that particular server. Servers participating in the consensus pool are called "nodes," and are physically and logically separate servers owned and operated by vetted entities such as financial institutions. There will eventually be hundreds or even thousands of nodes in the pool. Byzantine Fault Tolerance is built on a premise that we don't take for granted that every server is benevolent. In fact, there is distrust of any information not verified through consensus. Constant, mutual monitoring and redundant replicas ensure detection of non‐performant or suspicious behavior. To compromise the system, a hacker must hack into one‐third of all of the nodes, and even then the data is fully encrypted. All data on the blockchain is protected with digital signatures and encryption using Elliptic Curve Cryptography, symmetric encryption using the AES‐256 algorithm, and cryptographically secure hashing using the likes of the SHA 2 algorithm. This ensures that sensitive information cannot be accessed even if every single server in the consensus pool were to be compromised. This in no way alleviates the requirement that we, and other participating entities who host nodes, employ the very best traditional security practices. To maximize availability and minimize the chance of an exposure due to a common security misconfiguration, we will host our own nodes at multiple physical locations in at least three cloud computing providers, Amazon's AWS, Google's Cloud Engine, and Microsoft's Azure. If Credit Union adoption is achieved it will also bring more diversity to the network and allow the Credit Unions to further leverage their security services. User experience

Evernym plans on monetizing its platform by building applications on top of the Sovrin Global Public utility. The stack that they will build upon consists a public, private and product layer. Because everything revolves around the Sovrin global public layer, it is of critical importance that the process to onboard new members be seamless and intuitive. Evernym has discussed investing in a firm that specializes in user experience. BIG recommends that this be a contractual obligation as part of the investment. To date the registration process has not been disclosed. Other features of the product such as passwordless login and the identity dashboard are well-designed despite the absence of a designer. One can conclude they have the capability of delivering top-notch user experiences in house. However, the Sovrin member registration process is so vital to the product that BIG suggests outsourcing the work in addition to leveraging the in-house resources.

Evernym technology stack

Fraud Reduction Identity-related losses have cost the industry $10,900,000 in phishing, vishing, smishing financial loss and mitigation costs as it relates to card , prepaid and debit fraud alone. [1] The annual cost to the average credit union can be as much as $2,348,432.

● $1,897,087 in contact center costs ● $451,345 in direct account takeover costs.

Contact Center Costs ● A contact center person handles about 50 calls per day

● The average cost of an inbound call is about $4.50

● Between 10 - 30% (5 to 15) of these calls are about account access problems. The range depends

on the strength of the security processes: more complex processes result in more difficulty for the member and therefore more calls.

Therefore:

● Cost of account access in the contact center is somewhere in the $22.50 to $67.50 per day per contact center employee.

● With 77 agents in the average contact center, the costs are between $634,602 and $1,897,087

annually. According to Javelin’s 2016 identity fraud survey, customer service-oriented call centers are serious contributors to the problem of account takeovers: To accomplish account takeover, fraudsters will frequently target customer service representatives as the weakest link in the account access process.

Recognizing this problem, 41% of issuers indicate that successful social engineering of customer service staff is either the most or second most difficult challenge in mitigating account takeover

Losses Related to Account Take Over for Banks and Credit Unions ATO fraud is about a $5 billion annual cost to financial institutions. Most of the consumer costs are borne by financial institutions due to Regulation E. Liability for business accounts is less clear and subject to litigation. ATO fraud represents about 40% of all fraud claims; and biggest source of ATO is data breach. Cyber criminals load stolen credentials into bots that ping thousands of commercial websites looking to get in. Since 58% of consumers reuse the same credentials, this is low hanging fruit. In fact, 1 in 3 of the folks that receive a breach notice become victims of cybercrime. The criminals buy prepaid cards and other services for small amounts to remain undetected and fly under the radar of “shifting risk of loss” action by financial institutions, who just eat the costs under a certain level. Average costs per financial institution calculated as follows:

$5B in annual costs divided by 11,078 financial institutions in the US = $451,345 . The deployment of EMV chips has doubled new account fraud – In 2015 the U.S. switched to EMV, which is designed to reduce in-person fraud and the profitability of counterfeit card operations. Fraudsters have reacted by moving away from existing card fraud to focus on new account fraud. This drove a 113 percent increase in incidence of new account fraud, which now accounts for 20 percent of all fraud losses.

Figure 1: Javelin Strategy & Research, Identity Fraud Study [2]

Losses Related to Phishing, Smishing, and Vishing

According to the latest Ponemon research report [3], the average business can expect 66.78 successful attacks a year due to phishing (and other forms of social engineering). Those attacks result in about an average of $5.7M costs annually.

● Phishing is the gateway to other cybercrime, including ATO mentioned above and data breach. Recent tests as outlined in the 2016 Verizon Data Breach Investigations Report showed that 25% of all people opened a phishing email in 1 minute and 40 seconds. 13% clicked on the infected link in under 4 minutes.

Every day - 156 million phishing emails are sent, 16 million make it through spam filters, 8 million are opened, 800,000 links are clicked, and 80,000 give their credentials to the bad guys.

● Vishing is an attack used to gain access to a user’s system to install malware that allows free access to valuable assets within the business.

4.6 million vishing calls are launched every year, many launched at small to medium sized businesses like community banks and CUs.

● Smishing is spam texting. This is less prevalent as the costs associated with messaging do not lend itself to the mass attack methods used in email. However, it is effective in spear phishing type attacks, where the texter is known to the receiver.

Figure 2: Javelin Strategy & Research, Identity Fraud Study [4]

Sources

● [1] https://www.lexisnexis.com/risk/downloads/whitepaper/card-issuer-fraud-study-2016.pdf ● [2]

https://www.javelinstrategy.com/press-release/javelin-reveals-2016-consumer-identity-safety-leaders-credit-cards-issuers

● [3] http://www.ponemon.org/local/upload/file/NokNokWP_FINAL_3.pdf ● [4] https://www.javelinstrategy.com/coverage-area/2016-identity-fraud-fraud-hits-inflection-point

Sovrin Glossary

Trustee A member of the Sovrin Foundation Board of Trustees

Steward An organization permissioned by the Sovrin Foundation to operate Sovrin ledger node (e.g., a credit union, university, a hospital, etc.)

Sponsor An organization that has permission to register new identities on the Sovrin ledger

Agent A legal entity that hosts and provides services for Sovrin member nodes (e.g., Evernym and its competitors)

Member A person or organization (of any kind) that has a Sovrin identity

Validator Node A Sovrin ledger node that validates and writes new transactions

Observer Node A read-only version of a Sovrin ledger node (to support scale)

Member Node A P2P network endpoint representing a Sovrin member

Sovrin

Validator Pool

Sovrin

Observer Pool

Edge Devices and Client Apps

Sovrin

Member Nodes

App App

AppApp

CU

CULedger

Network

The Relationship of CULedger and Sovrin

Sovrin

Network

• Private permissioned ledger• CUs and CUSOs only• Financial services only• Governed by CULedger Body

• Public permissioned ledger• Trusted institutions only• Self-sovereign identity only• Governed by Sovrin Foundation

CU

CUSO

CU

CU

Univ

Bank

Gov

Hospital

Hospital Bank

Gov

Univ

NGO

CU

CU

CUSO

CUSOCU

CU

CU

CUSO

CU

CU

The Relationship of CULedger and Sovrin

CULedger

Sovrin

Plenum Distributed Ledger Technology

App #1 App #2 App #3 App #4