E-Signature Webcast for Financial Services Legal Counsel (Slides)


Slides from the October 20, 2011 Silanis Webcast "E-Signature Webcast for Financial Services Legal Counsel"



  1. E-Signatures for Financial Services: Legal & Regulatory Update. Thursday, October 20, 2011. © Silanis Technology Inc., 2011 All Rights Reserved
  2. Welcome
     Teleconference: Toll Free 888-600-4866, Toll 913-312-9303. Teleconference passcode: 939743. Live Meeting technical support: 1-866-493-2825 #1.
     Speakers: Margo Tank, Partner, BuckleySandler LLP; R. David Whitaker, Sr. Company Counsel, Wells Fargo; Michael Laurie, Vice President Strategic Development, Silanis Technology.
  3. Key Drivers for E-Signatures within Banks
     Customer Experience:
     – “The big banks’ investments in 2Q10 in online banking ideally will position them to better offer their customers more personalization capabilities.” – Gartner, October
     – “Banks IT spending research indicates an emphasis on retail customer-oriented investments.” – Gartner, October
     Reducing Operational Risk:
     – “Robo-signing could ultimately invalidate tens of thousands of home ownership documents, say legal experts. Analysts say it could top $20 billion.” – September, Huffington Post
     – “High street banks were under intense pressure to give up their fight against paying out claims for mis-selling payment protection insurance, after Lloyd’s Banking Group’s surprise £3.2bn provision to cover claims by millions of customers.” – May, The Guardian
     Cost and Transformation Efficiency:
     – “Banks’ interest in adopting e-signatures has skyrocketed in the past 12 to 24 months… thinner profit margins, and the need to cut costs internally, has sparked the financial services industry to adopt an electronic strategy that embraces efficient, straight through processing.” – Forrester, January
  4. E-Signature Benefits – Risk Reduction
     – “Key CFPB regulations to define terms such as ‘excessive’ and ‘abusive’ are forthcoming. However, it is important to recognize right away that violations of these provisions will be costly, and risk mitigation activities should commence.” – August 2010, PWC, A Closer Look: Dodd-Frank
     – “New consumer credit rules require lenders to make sure borrowers understand the details of a loan and carry out thorough checks on any borrowers, so you can be confident that what you receive is suitable for your circumstances.” – February 2011, The Guardian
     – “Judges have ruled that foreclosing based on flawed or missing evidence violates longstanding laws meant to protect all Americans’ property rights.” – July 2011, Reuters
  5. Online Business Transactions – Challenges
     Diagram of the challenge areas – People: Clients, Agents. Business: Products, Channels. Documents: Documents, Disclosures, etc. Compliance: Laws & Regulations, Rules. Systems: E-commerce, 3rd Party, Process, Parameters.
  6. The E-Signature Advantage
     • More control – Enforce required compliance processes and rules
     • More visibility – Monitor transactions and receive notifications in real-time
     • More evidence – How transaction documents were viewed and signed
     • More flexibility – Automate efficiency for branch, online, mobile and partners
     • Less risk – Reduce compliance and legal risk with better processes
  7. Overview
     Federal and State Law Validate Use of Electronic Signatures
     – Federal E-SIGN Act since 2000
     – UETA adopted in 49 jurisdictions
     For over a decade, government/industry have relied on ESIGN/UETA’s fundamental premise: electronic records and signatures cannot be denied solely because of their electronic form.
     Overarching focus in 2011 is moving from understanding the legal framework to implementation.
     Questions become:
     – How reliable are electronic signatures and records?
     – How do I authenticate individuals?
     – How can I minimize transaction and compliance risk?
     – Are contested electronic records and signatures admissible and enforceable?
     – Will subsequent transaction parties or the government accept electronic signatures and records?
  8. Legal Framework for eSignatures and eRecords
     ESIGN and UETA enable the presentation of information (e.g., disclosures) and electronically signed agreements where ink and paper would have been required.
     Designing systems to sign/store electronic records requires a firm grasp of:
     – Interaction between the electronic processes used to sign and store electronic records
     – E-SIGN/UETA requirements
     – Underlying substantive law (e.g., TILA, GLBA, state disclosure & record retention laws)
     – Regulator acceptance
     – Judicial precedent
  9. ESIGN and UETA Basics
     Basic rules:
     – A record or signature may not be denied legal effect or enforceability because it is in electronic form.
     – A contract may not be denied legal effect or enforceability solely because an electronic record was used in its formation.
     – Any law that requires “a writing” will be satisfied by an electronic record.
     – Any “signature” requirement in the law will be met if there is an electronic signature.
     Electronic Record: A record created, generated, sent, communicated, received or stored by electronic means and retrievable in perceivable form. An electronic record includes a transferable record.
     Electronic Signature:
     – Any sound, symbol or process;
     – Attached to or logically associated with an electronic record; and
     – Executed or adopted with the intent to sign the electronic record.
     – May be accomplished through technology, through processes and procedures, or through a combination of both.
  10. ESIGN and UETA Basics
     ESIGN and UETA:
     – Both laws act as overlay statutes;
     – Both laws will likely apply to the transaction;
     – Both laws recognize electronic signatures – any kind;
     – Both laws recognize electronic records – disclosures and agreements;
  11. ESIGN and UETA Basics
     – Both laws require transaction party consent;
     – Both laws accept electronic records for the retention/admission process. The record holder must be prepared to demonstrate that the electronic record:
       – Accurately reflects the information contained in the record at the time it was signed or delivered;
       – Is accessible to anyone entitled to access the record holder’s copy of the record under an applicable rule of law or agreement;
       – Can be accurately reproduced for later reference; and
       – Is capable of being retained (in some cases at the time the record is provided) by transaction participants to whom it has been made available for review or signature.
  12. ESIGN and UETA Basics
     – Both laws exclude:
       • Wills, codicils and testamentary trusts;
       • Funds transfers (covered by UCC Article 4A);
       • Letters of credit (covered by revised UCC Article 5);
       • Securities (covered by UCC Revised Article 8);
       • Security interests in goods and intangibles (covered by UCC Revised Article 9);
       • Software licensing laws (if the state has adopted UCITA);
       • Most laws concerning checks.
  13. ESIGN and UETA Basics
     – Both apply to:
       • Consumer protection laws;
       • Negotiable instrument equivalents (transferable records);
       • Laws governing real estate transactions (subject to special rules concerning documents to be filed of record);
       • Laws of agency;
       • Laws covering powers of attorney;
       • Laws requiring notarization of documents;
       • Laws governing trusts (except testamentary trusts);
       • Laws concerning the submission of documents to, or issuance of documents by, government authorities (subject to special rules).
  14. Creating a Reliable Electronic Record
     Creating reliable electronic signatures and records is critical for a number of reasons:
     – Comply with state or federal “writing,” “signing” and “original” requirements
     – Meet state or federal record retention requirements
     – Obtain admission of electronic records into evidence in the event of a dispute (the mere fact that information has been created and stored within a computer system does not make that information reliable or authentic).
  15. Identifying Risks
     Authentication Risk:
     – The risk is that the signer says “that is not my signature;”
     – Is the signer:
       » who they say they are
       » do they have the authority to bind
     – The company relying on the signature has to bear the burden of proof.
     Compliance Risk:
     – The risk is that the rules and regulations that govern the transaction are not met.
     – For example: a disclosure was not provided in the right format or at the right time in the transaction (possible statutory penalties).
     – For example: ESIGN & UETA requirements are not met (consequences may include statutory penalties based on the conclusion that a required disclosure was not provided because ESIGN/UETA consent was not obtained).
  16. Identifying Risks
     Repudiation Risk:
     – The risk is that the signer says “that is not the record that I signed or the disclosure that I received.”
     Admissibility Risk:
     – The risk is that the electronic record is not admissible into evidence or for regulatory purposes.
     – Introduction into evidence will require proof of integrity:
       – Identification to the original transaction
       – Freedom from alteration
  17. Regulatory Activity
     – FRB – Electronic communication rules for consumer protection statutes (e.g., Reg Z, Reg D, Reg E)
     – OCC – Bulletins on consumer consent and record retention
     – HUD/FHA – Mortgagee Letter on purchase and sale contracts
     – FFIEC – Authentication in an Online Banking Environment; 2011 Supplement: periodic risk assessment, minimum controls, layered security
     – States – Disclosures, record retention, mail requirements
  18. Emerging Principles/Significant Cases Involving Electronic Records
     Authentication and Authority
     – The Prudential Ins. Co. of America v. Dukoff, No. 07-1080, 674 F.Supp.2d 401 (E.D.N.Y. Dec. 18, 2009) (materially false statements made by reasonably authenticated insurance applicants may be used to challenge the validity of the application); National Auto Lenders, Inc. v. SysLOCATE, Inc., No. 09-21765, 686 F.Supp.2d 1318 (S.D. Fla. Feb. 10, 2010) (online agreement held unenforceable where the website operator knew the persons accepting the agreement lacked actual or apparent authority).
     Electronic Signatures meet Statute of Frauds Writing Requirements
     – Shattuck v. Klotzbach, 14 Mass. L. Rptr. 360 (Super. Ct., Mass., December 11, 2001) (signed emails could be used to prove the existence of a real estate sale contract); but see Rosenfeld v. Zerneck, 4 Misc. 3d 193, 776 N.Y.S.2d 458 (Sup. Ct., Kings Co. 2004); Vista Developers Corp. v. VFP Realty LLC, 17 Misc. 3d 914, 847 N.Y.S.2d 416 (Sup. Ct., Queens Co. 2007) (no agreement reached on essential terms of the transaction).
  19. Emerging Principles/Significant Cases Involving Electronic Records
     Clearly Presented Agreements and Disclosures will be Enforced Unless Unconscionable, No Opportunity to View Terms, or for Reasons other than being Solely in Electronic Form
     – Evans v. Linden Research, 763 F. Supp. 2d 735 (E.D. Pa. 2011) (mandatory forum selection clause contained in terms of service for on-line life community not unconscionable under California law where users had to check a box to agree to terms each time there was a change); Berry v. Webloyalty.com, 2011 U.S. Dist. Lexis 39581 (S.D. Cal. April 11, 2011) (disclosures made on online club enrollment page “sufficient to place reasonable consumers on notice” and sufficiently “clear and readily understandable” to satisfy the Federal Reserve Board’s standard for electronic signatures); Fusha v. Delta Airlines, Inc., 2011 U.S. Dist. Lexis 97295 (D. Md. Aug. 30, 2011) (customer bound by forum selection clause contained in terms of use, even where she did not remember reading the terms); but see Koch Industries v. John Does, 2011 U.S. Dist. Lexis 49529 (May 9, 2011) (terms of use unenforceable where available only through a link at the bottom of with no prominent notice that a user would be bound by them); Schnabel v. Trilegiant Corp., 2011 U.S. Dist. LEXIS 18132 (D. Conn. Feb. 24, 2011) (court refused to enforce arbitration clause in website agreement where plaintiffs were not presented with a chance to view terms before acceptance).
  20. Emerging Principles/Significant Cases Involving Electronic Records
     Preserving evidence of data integrity, screen shots and process flows is essential
     – Judge Grimm in Lorraine v. Markel American Ins. Co., 241 F.R.D. 534, 538 (D.Md. 2007): “[C]onsidering the significant costs associated with discovery of ESI, it makes little sense to go to all the bother and expense to get electronic information only to have it excluded from evidence or rejected from consideration during summary judgment because the proponent cannot lay a sufficient foundation to get it admitted.”
     – In re Vee Vinhnee, 336 B.R. 437 (9th Cir. BAP (Cal.) 2005) – Court refused to admit electronic credit card transaction records due to inadequate authentication.
     11-Factor Foundation for Electronic Records:
     – The business uses a computer.
     – The computer is reliable.
     – The business has developed a procedure for inserting data into the computer.
     – The procedure has built-in safeguards to ensure accuracy and identify errors.
     – The business keeps the computer in a good state of repair.
     – The witness had the computer read out certain data.
     – The witness used the proper procedures to obtain the readout.
     – The computer was in working order at the time the witness obtained the readout.
     – The witness recognizes the exhibit as the readout.
     – The witness explains how he or she recognizes the readout.
     – If the readout contains strange symbols or terms, the witness explains the meaning of the symbols or terms for the trier of fact.
     Id. at 14 (citing Edward J. Imwinkelried, Evidentiary Foundations 4.03[2] (5th ed. 2002)).
  21. Emerging Principles/Significant Cases Involving Electronic Records
     The primary authenticity issue as identified by the court in In re Vee Vinhnee, 336 B.R. 437 (9th Cir. BAP (Cal.) 2005), focuses on:
     – “. . . what has, or may have, happened to the record in the interval between when it was placed in the files and the time of trial. In other words, the record being proffered must be shown to continue to be an accurate representation of the record that originally was created . . . . Hence, the focus is not on the circumstances of the creation of the record, but rather on the circumstances of the preservation of the record during the time it is in the file so as to assure that the document being proffered is the same as the document that was originally created.”
     The court focused on the 4th factor and noted that for electronically stored information:
     – “[t]he logical questions extend beyond the identification of the particular computer equipment and programs used. The entity’s policies and procedures for the use of the equipment, database, and programs are important. How access to the pertinent database is controlled and, separately, how access to the specific program is controlled are important questions. How changes in the database are logged or recorded, as well as the structure and implementation of backup systems and audit procedures for assuring the continuing integrity of the database, are pertinent to the question of whether the records have been changed since their creation.”
  22. Emerging Principles/Significant Cases Involving Electronic Records
     Americans with Disabilities Act and the Internet
     – Earll v. eBay, Inc., No. 5:11-cv-00262-JF (N.D. Cal. Sept. 7, 2011) (class action alleges eBay’s identity verification policy violates the ADA); National Federation of the Blind v. Target Corp., 582 F.Supp.2d 1185 (N.D. Cal. 2007).
  23. ESIGN and UETA – An Analytical Model
     – Look to the UETA Official Comments, and the Congressional Record at the time of ESIGN adoption in the House and Senate, for interpretive rules.
     – When interpreting ambiguous provisions, ask if the interpretation serves the purpose of the statute and meets the “common sense” test.
     – What would I do with a paper document?
  24. Analyzing Systems for Creating, Storing and Retrieving Binding Agreements – A Provisional Checklist
     Agreement to Electronic Transaction
     – Identify parties who must agree
       • Direct participants
       • Vendors and service providers
       • Indirect stakeholders
     – Establish manner of agreement
       • B2B
       • Consumer (special ESIGN rules for consent)
     – Agreement to system rules
  25. Analyzing Systems for Creating, Storing and Retrieving Binding Agreements – A Provisional Checklist
     Execution
     – Signature
       • Authority to sign
       • Evidence of intent
       • Intent to sign
       • Purpose of signature
     – Per document basis
     – Logically associated with record
     – Process
     – Attribution
  26. Analyzing Systems for Creating, Storing and Retrieving Binding Agreements – A Provisional Checklist
     Document Format and Delivery
     – Compliance with existing formatting rules
     – Standards for document formats
       • Non-proprietary
       • Self-contained
     – Delivery methods
       • Mailing or hand delivery currently required
       • Mailing or hand delivery not currently required
  27. Analyzing Systems for Creating, Storing and Retrieving Binding Agreements – A Provisional Checklist
     Record Integrity:
     – Tracking alterations or versions
     – Preventing alteration of executed documents
     – Associating records
     – Replacing records
     – Identifying authoritative copies
     – Encryption of executed documents to prevent undetected alteration
     – Use of hash algorithms and date and time stamp technology
     Record Management Controls:
     – Control of access to databases
     – Recording and logging of changes
     – Backup practices
     – Audit procedures
  28. Analyzing Systems for Creating, Storing and Retrieving Binding Agreements – A Provisional Checklist
     Document Access
     – Access based on role in transaction
     – Access levels
     – Methods of access
     – Person responsible for providing and maintaining access
       • Principal
       • Custodian
       • Subcontractors
     – Timeframe for access
     – Data survivability/migration
  29. Controlling Risks with SPeRS (Standards and Procedures for Electronic Records and Signatures)
     – A cross-industry initiative to establish commonly understood “rules of the road” available to all parties seeking to take advantage of the powers conferred by ESIGN and UETA;
     – Helps create the implementation guidance not present in ESIGN and UETA;
     – Initially published 2003; update coming in November 2011;
     – Founded on the proposition that much of the time and effort being invested by companies “re-inventing the wheel” could be avoided if cross-industry standards for these elements of electronic transactions could be established;
     – Focused on the behavioral and legal aspects of the interaction between parties to the transaction, not on technology. SPeRS is intended to be technology neutral;
     – Standards are not necessarily legal minimums, but implementing the standards should enhance reliability and sufficiency.
  30. The SPeRS Structure
     SPeRS is divided into five sections:
     – Authentication
     – Consent
     – Agreements, notices and disclosures
     – Electronic signatures
     – Record retention
     Each section provides 5 to 10 high-level standards to guide systems designers in developing processes that will meet the new legal requirements.
     Each standard is supported by:
     – Plain-English discussions of the underlying issues,
     – Checklists outlining specific strategies and options for implementing the standards,
     – Examples and illustrations, and
     – Legal commentary to assist in-house counsel.
  31. Industry Adoption
     – Mortgage: http://www.mersinc.org/MersProducts/index.aspx?mpid=19; https://www.efanniemae.com/sf/guides/ssg/relatedsellinginfo/emtg/pdf/emtgguide.pdf; http://www.freddiemac.com/singlefamily/elm/pdf/eMortgage_Guide.pdf
     – Student Lending: http://ifap.ed.gov/dpcletters/attachments/gen0106Arevised.pdf
     – Variable Annuities: http://www.irionline.org/standards
     – Electronic Chattel Paper: http://www.standardandpoors.com/prot/ratings/articles/en/us/?assetID=1245199808682
     – Online Banking: http://www.ffiec.gov/pdf/authentication_guidance.pdf
     – SPeRS: http://www.spers.org/spers/index.htm
  32. Questions?
     Margo H. K. Tank, Buckley Kolar LLP, 1250 24th Street, NW, Suite 700, Washington, DC 20037. D: 202.349.8050 E: mtank@buckleykolar.com F: 202.349.8080 www.buckleykolar.com
  33. Agenda
     – Delivering Disclosures, Agreements and Notices
     – Electronic Signatures – Attribution, Authority and Intent
     – Introducing Electronic Records into Evidence
     © 2011 R. David Whitaker. All rights reserved. No copyright claimed on images licensed from others. No part of this document may be reproduced or transmitted in any form, by any means (electronic, photocopying, recording or otherwise) without the express prior signed permission of the author. This presentation is for purposes of education and discussion. It is intended to be informational only and does not constitute legal advice regarding any specific situation, product or service.
  34. Delivering Disclosures, Agreements and Notices – The Record Management Cycle
     Diagram of the record life cycle: Generate (create data record) → Deliver (track audit trails) → Store (active data index) → Manage (propagate data processes; versions & reports) → Destroy (extract & audit trails).
     Primary record categories: transaction-specific docs; screen shots; boilerplate docs for enrollment, delivery/signing; docs & process flows.
     Key systems issues: secure and consistent record management controls; quality & integrity controls; search and report capabilities; record destruction; business continuity; access controls.
     Cross-cutting elements: record management responsibility; secure communication; record management audit trails & reports; company policies and guidelines.
  35. Delivering Disclosures, Agreements and Notices – Regulatory Guidance for Record Management
     – GLBA Information Security Guidelines
     – FFIEC Authentication Guidance
     – Identity Theft Red Flags Regulation and Guidelines
     – FFIEC Information Security Booklet
     – FFIEC E-Banking Booklet
     – FFIEC Supervision of TSPs Booklet
     – FFIEC Outsourcing Technology Services Booklet
     – FFIEC Development & Acquisition Booklet
     – FIL-44-2008, Managing Third Party Risk
  36. Delivering Disclosures, Agreements and Notices – Key Requirements from ESIGN and UETA
     Key Requirements
     – Consent is required if the law otherwise requires the information to be delivered in writing
       • ESIGN Consumer Consent Process
       • B-to-B Consent
     – UETA delivery provisions not preempted by ESIGN
       • Need agreement (express or implied) on delivery method
       • Need to deal with bouncebacks in many cases
     – Popular Delivery Options
       • Display as part of an interactive session,
       • Delivery in the body of an email or as an email attachment, or
       • Delivery of an email or other electronic notice that has a URL embedded in it that the consumer may activate to review the information.
  37. Delivering Disclosures, Agreements and Notices – Key Requirements from ESIGN and UETA
     More Key Requirements
     – Electronic records are not enforceable against a recipient if the sender inhibits the recipient’s ability to print or retain a copy
     – Customer must be able to retain a copy for later reference
     – Electronic records retained by the sender must be accurate and remain accessible for later reference
     – All formatting, timing and display requirements must be observed. “Timing” includes:
       • Proper sequence within the transaction
       • Any time frames or deadlines for delivery
       • Length of time the information/document remains accessible
  38. Delivering Disclosures, Agreements and Notices – General Delivery/Signature Strategy
     Flow: Get Consent → Draw Attention → Present Document → Obtain Signature.
     – Clear call to action
     – Prompt for retention / offer a retention-friendly version
     – Presented in a scroll box, PDF or behind a clearly-labeled hyperlink
     – Key information/document above or to the left of the call to action
  39. Delivering Disclosures, Agreements and Notices – The Design Process
     Delivery Design Choices:
     – Secure or unsecure?
     – Push out in email/SMS, or send “ready notice” and pull behind firewall?
     – Embedded hyperlinks in “ready notice” email?
     – Permit target to set delivery preferences?
     – Permit target to designate multiple recipients?
     – Forced review or bypassable?
     Key considerations: Will the records contain sensitive information? Will the records contain required disclosures or notices? Are multiple delivery methods possible/desirable? Are there “phishing” or “pharming” issues to address? Need to maintain control over display and audit trails? Need to obtain ESIGN Consumer Consent?
     Design Execution:
     – Enrollment / consent process
     – Audit trails and reporting
     – Transmittal message contents
     – Authentication process for access to secure data (if applicable)
     – Record generation and posting to delivery system
     – Message or notice generation/transmission
     – Record retention/destruction process
     – Record generation/posting
     Key considerations: 2-factor authentication required? How will cross-system compatibility/communication issues be addressed? How much of the design will be automated or manual? Is the system intended for use with targets without a prior electronic relationship with the sender? Regulatory requirements for timing, delivery, proximity, conspicuousness, forced review?
     Delivery steps (third column):
     – Establish agreement on delivery
     – When deemed delivered
     – Delivery address
     – Obligation to update address
     – Obtain ESIGN consent
     – Generate records
     – Send notice or attachments
     – Provide opportunity to retain
     – Generate audit trail
     – Handle “bouncebacks”
     – Handle withdrawal of consent
     Key considerations: Addressing electronic delivery channels; agreement on what constitutes “sending” and “receipt” (note some state UETAs limit variation by agreement); agreement on the obligation to update electronic addresses; managing bouncebacks and withdrawal of consent.
  40. 40. Electronic Signatures –Key Elements Electronic Signature Key Elements Definition of signature -- “Electronic  ESIGN and UETA require that: Signature” means an electronic identifying sound, symbol, or process attached to or – The signature be attributable to logically connected with an electronic the signer and associated with record and executed or adopted by a the records person with present intention to authenticate a record. th ti t d – The signing party have authority This definition includes (for example): to sign – Typed names, – The signing party must have the – A click-through on a software intent to affix a signature to the program’s dialog box combined with record some other identification procedure,  ESIGN and UETA do not require – Personal identification numbers, that: – Biometric measurements, – A digitized picture of a handwritten – The signature process itself signature, provide proof of identity – Use of SecureID™ or Defender™ – The signature process itself number generators, and protect the record from – A complex, encrypted authentication alteration without detection system. Note that a click-through probably does not satisfy the requirements for an electronic signature under Article 9 of the UCC. 7
  41. 41. Electronic Signatures –Attribution Attribution basics Attribution in the electronic world Legal sufficiency vs. attribution -  In an electronic environment, - UETA and ESIGN’s signature attribution is often proven by f rules: associating the signature with use – Answer the question “is it a of a “credential.” A credential is a g signature?” method for establishing the – Do NOT answer the question identity of the signer, and may “is it your signature?” involve use of a password, employment of a token (such as a Attribution must be proven: random number generator), g ), – Attribution may be proven by biometrics, or demonstration of any means, including knowledge of a “shared secret,” or surrounding circumstances or some combination of the above (or efficacy of agreed-upon similar devices/approaches). Use security procedure of the credential gives the person – The burden of proof is usually receiving the signed record a on the person seeking to reasonable basis to believe that the enforce signature signature was created by the intended signer. 8
  42. 42. Electronic Signatures –Attribution Creating a Credential Notes on credentials A credential may be:  Note that the effectiveness of the credential for • Assigned to the signer directly by attribution depends on the integrity and the intended recipient of the signed reliability of the p y process for first creating and g record, either in advance or at the assigning the credential to the individual. time of signing. • So, if it is easy to get a credential under false • Assigned to the signer indirectly, pretenses, then the value of the credential for through a hierarchical model, where attribution is diluted. the intended recipient gave a “root” • But, if the process for first issuing the or “master” credential to a person credential to the correct person is who is then authorized to provide demonstrably reliable, then the later use of derivative credentials to others the credential will usually constitute strong (e.g. (e g Recipient gives a master User evidence of attribution. attribution ID and password for its Treasury  In more sophisticated applications the customer Services website to an executive at may be given multiple credentials to permit two Company X and the executive then or three-factor authentication, depending on the establishes passwords for other p risk level of the specific requested transaction. Company X employees). So, for example, a banking customer may be able • Created spontaneously (often to access general online banking services using through the use of biometrics or a a User ID and Password, but then be required to “shared secret”) at the time it is also provide a one-time password or PIN from a needed for the signing. random-number generator before completing a funds transfer during the online session. 9
  43. 43. Electronic Signatures –Attribution Common Strategies for Credential Creation/Distribution – Customer-initiated online/mobile • Validated used existing shared information, or • Self-asserted (usually just for initial contact/applications) – Delivered • May be persistent or one-time (OTP, random number generator) M b i t t ti (OTP d b t ) • Sent to known address (email or postal) or phone number (sms or voice) • May be further validated on first use or each use y  Use of dedicated hyperlink contained in message to access platform  Confirmation using shared information – Self-assigned • Response t invitation R to i it ti  Use of dedicated hyperlink contained in message to access platform  Created on platform  Sometimes -- Confirmation using shared information • Assigned via heirarchical model (more later) 10
  44. Electronic Signatures – Authority
      ESIGN and UETA incorporate the existing common law rule requiring that the signing party have the authority to sign.
      – Individuals – identity, age, capacity. Capacity is usually taken for granted with any person over the age of 18, unless there are indications to the contrary.
      – Representatives – identity, age, capacity, and authorization to take the contemplated action on behalf of the represented party. The authority to act is not automatic just because a person is an appointed representative (e.g. an agent or employee). Authority must be either expressly or implicitly conferred by the represented person.
  45. Electronic Signatures – Authority for Representatives
      “Hail Mary” – Very often used with small companies. It presumes that in a small company anyone taking action with respect to bank services must have authority to do so because unauthorized activity is so difficult to conceal. This involves a “cost/benefit” risk analysis, since historically small business employees have proven quite adept at using bank accounts and banking relationships to commit fraud under the noses of their co-employees and owners.
      Certificate of Authority – In the most formal of situations, a certificate is required from the company’s owners or controlling body (Board of Directors, General Partners, Members, etc.) confirming the authority of a particular person to sign as a representative of the company. In some cases, confirmation of authority is incorporated into an opinion letter from outside counsel, creating a potential claim against outside counsel in case of a later dispute.
      Situational “actual” or “apparent” authority – Where authority is not formally established, it may alternatively be established by circumstance. Job titles and/or known supervision and review of the proposed agreement by senior management may establish either actual or apparent authority to act.
      The Hierarchical Model – In this model, the potential recipient of the signed records (e.g. the bank) assigns a master credential, through a highly reliable and carefully controlled process, to a company representative (e.g. the Senior Vice President for Treasury Management Services) whose authority to establish the initial relationship is beyond question (either because of certification or situational verification). In turn, the recipient’s system of record permits the trusted company representative to create lower-level credentials for other company employees. These credentials come with assigned rights, which may include the right to enter into additional agreements with the recipient. Presumably, the master agreement between the recipient and the company establishes the recipient’s right to rely on the “hierarchical model” to establish the authority of the lower-level employees to sign.
  46. Electronic Signatures – Intent to Sign
      Elements of Intent
      The signer’s intent is composed of two elements:
      – The intent to sign
      – The purpose of the signature
      The intent to sign may be established by the surrounding circumstances. In an electronic environment, the easiest way to establish an intent to sign is to advise the signer that the action he or she is about to take (click through, entrance of PIN, typing of name, etc.) will constitute a signature.
      Purpose of signature
      – There are four basic purposes a signature may serve with respect to a record:
        1. I agree to it
        2. It came from me
        3. I’ve seen it
        4. I got it
      – Which of these purposes is applicable to a particular signature may be established by surrounding circumstances or may be specifically stated as part of the signature process. In many cases the signature serves more than one of these purposes.
      The signer’s intent must be established separately in some manner for each signature that is applied to the record.
      Samples of Notices to Establish Intent
       …By clicking "I Accept" at the end of this Agreement, you agree that you have read and understand this Agreement and that you will be bound by and comply with all of its terms…
       …by typing your name in the signature box on the account signup page, you are signing and agreeing to the terms and conditions of this Agreement…
       BY CLICKING ON THE “SIGN NOW” BUTTON BELOW, YOU ARE SIGNING THIS AGREEMENT. CLICKING ON THE “SIGN NOW” BUTTON WILL RESULT IN AN ENFORCEABLE LEGAL CONTRACT, JUST AS IF YOU HAD SIGNED YOUR NAME TO AN AGREEMENT ON PAPER.
  47. Electronic Signatures – Selecting a Process
      Three primary criteria
      – Boilerplate Document vs. Transaction-Specific Document
      – Size of transaction or liability exposure
      – Extent to which transaction “self-validates”
        • Physical presence at signing
        • Services are personal to signer (e.g. medical, legal)
        • Physical product being shipped
        • Product or service is customized to individual
  48. Electronic Signatures – Selecting a Process: Boilerplate Click-Through
      – Per transaction: Capture Audit Trail
      – Preserve Process Flows
      – Preserve Template Document
      – Preserve Generic Screen Shots
      Process flow: Establish Identity → Present Record → Obtain Click-through → Prompt Retention
  49. Electronic Signatures – Selecting a Process: Transaction-Specific Signatures
      – Capture Audit Trail
      – Anticipate Obsolescence
      – Generally, Retain a Copy of the Dynamic Signed Record, Not Just a Flat File
      – Document, Once Signed, Should Be Protected Against Undetected Alteration
      Process flow: Establish Identity → Present Record → Obtain Signature → Prompt Retention
  50. Introducing Electronic Records into Evidence – Basis for Admission
      The Federal Rules of Evidence and the Uniform Rules of Evidence contain identical provisions that, taken together, address the admissibility of electronic business records:
       The “Business Record” Rule, and
       The “Best Evidence” Rule.
  51. Introducing Electronic Records into Evidence – Basis for Admission
      The Business Record rule permits the introduction into evidence of business records of regularly conducted business activity. A business record will be admissible:
       If it is a record, in any form, of acts, events, conditions, opinions, or diagnoses, made at or near the time by, or from information transmitted by, a person with knowledge, and if:
         The record is kept in the course of a regularly conducted business activity, and
         It was a regular practice of that business activity to make the memorandum, report, record or data compilation, all as shown by the testimony of the custodian or other qualified witness, or by certification that complies with the Rules of Evidence,
       Unless the source of information or the method or circumstances of preparation indicate the record is not trustworthy.
      People v. Huehn, 53 P.3d 733 (Colo. App. 2002)
  52. Introducing Electronic Records into Evidence – Basis for Admission
      Even though a record is admissible under the business records exception to the hearsay rule, it must also satisfy the Best Evidence Rule.
       The Best Evidence Rule, sometimes called the “Original Writing Rule,” provides that in order to “… prove the content of a writing, recording, or photograph, the original writing, recording, or photograph is required, except as otherwise provided in these rules or by Act of Congress.”
       An “original” is defined as: [T]he writing or recording itself or any counterpart intended to have the same effect by a person executing or issuing it. … If data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an “original.”
      People v. McFarlan, 744 N.Y.S.2d 287 (N.Y. Sup. 2002)
  53. Introducing Electronic Records into Evidence – Basis for Admission
      The UETA and ESIGN extend the existing principles of the “Best Evidence” rule, providing:
       Any requirement to preserve or produce an “original” record is satisfied by an electronic record of the information in the record to be produced, so long as the electronic record:
         Accurately reflects the information in the record to be produced after it was first generated in its final form, and
         Remains accessible for later reference.
       Evidence of a record may not be excluded solely because it is in electronic form.
  54. Introducing Electronic Records into Evidence – Proof of Document Integrity
      Introduction into evidence will require proof of integrity:
       Identification to original transaction
       Freedom from alteration
  55. Introducing Electronic Records into Evidence – Proof of Document Integrity
      Courts evaluating the integrity of an electronic record may be expected to focus on systemic protections:
       division of labor
       complexity of systems
       encryption of executed documents to prevent undetected alteration
       activity logs
       security of copies stored offsite to verify content
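As an added illustration (not code from the slides or from Silanis), the integrity elements of slides 49, 54 and 55 in Python: the signing record binds the document hash, the attribution factors, the intent notice and the per-transaction audit trail into one sealed unit, so that later alteration of either the document or the record is detectable. The sealing key, the signer and the sample transaction are constructed assumptions; the seal is a shared-secret HMAC standing in for whatever digital signature or hardware-backed key a production system would use.

```python
import hashlib
import hmac
import json

# Constructed sealing key standing in for the platform's protected record-sealing
# secret (an assumption of this example, not part of the slides).
SEALING_KEY = b"constructed-demo-sealing-key"

def _canonical(record: dict) -> bytes:
    # Deterministic serialisation so the seal covers exactly the stored fields
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def seal_signing_record(document: bytes, signer_id: str, factors: list,
                        intent_notice: str, audit_trail: list) -> dict:
    """Bind document hash, attribution evidence, intent notice and audit
    trail into one record, then seal it so later alteration is detectable."""
    record = {
        "document_sha256": hashlib.sha256(document).hexdigest(),
        "signer_id": signer_id,
        "credential_factors": factors,      # evidence of attribution (slide 42)
        "intent_notice": intent_notice,     # evidence of intent (slide 46)
        "audit_trail": audit_trail,         # captured per transaction (slide 49)
    }
    seal = hmac.new(SEALING_KEY, _canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "seal": seal}

def verify_signed_record(sealed: dict, document: bytes) -> dict:
    """Check the two integrity elements of slide 54: freedom from alteration
    (seal still valid) and identification to the original transaction
    (the produced document hashes to the value sealed at signing time)."""
    expected = hmac.new(SEALING_KEY, _canonical(sealed["record"]), hashlib.sha256).hexdigest()
    doc_hash = hashlib.sha256(document).hexdigest()
    return {
        "record_intact": hmac.compare_digest(expected, sealed["seal"]),
        "document_matches": hmac.compare_digest(doc_hash, sealed["record"]["document_sha256"]),
    }

def build_sample_transaction() -> tuple:
    """Constructed sample: a funds-transfer agreement signed after step-up
    authentication, with the process flow of slide 49 as the audit trail."""
    document = b"Transfer Agreement: pay USD 1,000 to account ending 4321 (constructed)"
    audit_trail = [
        {"step": "establish_identity", "factors": ["user_id_password", "otp"]},
        {"step": "present_record", "pages_viewed": 3},
        {"step": "obtain_signature", "action": "clicked SIGN NOW"},
        {"step": "prompt_retention", "copy_offered": True},
    ]
    notice = "BY CLICKING ON THE SIGN NOW BUTTON BELOW, YOU ARE SIGNING THIS AGREEMENT."
    return seal_signing_record(document, "cust-0001", ["user_id_password", "otp"], notice, audit_trail), document
```

Running verify_signed_record on the sample returns both checks True; altering the amount in the document fails document_matches, and editing any field of the stored record (signer, factors, audit trail) fails record_intact.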
  56. Some Additional Resources
      – Standards and Procedures for electronic Records and Signatures – available for purchase at www.spers.org
      – FFIEC Information Technology Examination Handbook – available at http://ithandbook.ffiec.gov/
      – FFIEC Guidance On Electronic Financial Services And Consumer Compliance – available at www.ffiec.gov/PDF/EFS.pdf
      – FTC Guidance on Dot Com Disclosures – available at http://business.ftc.gov/documents/bus41-dot-com-disclosures-information-about-online-advertising
      – FTC Staff Report on Improving Consumer Mortgage Disclosures – available at www.ftc.gov/opa/2007/06/mortgage.shtm
      – AIIM Recommended Practice Report on Electronic Document Management Systems (AIIM ARP1-2006) – available at www.aiim.org/documents/standards/arp1-2006.pdf
      – Lorraine v. Markel American Insurance Co., 241 F.R.D. 534 (D. Md. May 4, 2007) – available at http://www.mdd.uscourts.gov/Opinions/Opinions/Lorraine%20v.%20Markel%20-%20ESIADMISSIBILITY%20OPINION.pdf
  57. UPCOMING CONFERENCE
      Electronic Signature & Records Association Annual Conference, November 9 & 10, 2011, Washington, DC – http://esignrecords.org/events/
  58. QUESTIONS?