www.eSignRecords.org © ESRA Confidential & Proprietary Information
Session 1: Online Authentication Principles and Practices
Internal Revenue Service Briefing
May 19, 2015
Agenda
10:00 AM  ESRA Overview & Introductions
10:10 AM  Electronic Transactions
  • Today’s IRS Challenge
  • Electronic Signatures and Records: ESIGN & GPEA
  • Attribution – How do I know who signed?
10:25 AM  Risk Assessment
  • Classifications of risks associated with online transactions
  • Risk tolerance
  • Mitigation
10:35 AM  Attribution, Authentication & Identity
  • Identity Management
  • Government Assurance Levels
  • Federated Identity
10:55 AM  Use Cases and Best Practices
  • Private sector examples
  • Public sector examples
    o DOD
    o FDA
    o HUD-FHA
    o SBA
11:10 AM  IRS Use Cases and Approach
  • The PIN
  • Non-return guidance: ESIGN compliance
  • 8878/8879 Guidance
  • Up close: IRS e-Transcript program
11:25 AM  Q&A
12:00 PM  Close
ESRA: Electronic Signature and Records Association
ESRA is the premier global trade association focused on the advancement of electronic signatures and records
• Technology-neutral forum comprised of both users and providers
• Advocates public policy that promotes the inherent compliance, efficiency and transparency benefits of electronic processes
• Develops thought leadership, events and education around the most pressing legal, regulatory and operational issues associated with e-signed records
ESRA Vision: Positively impact consumers, businesses and government through the promotion of electronic signatures and records
ESRA Mission: Globally, lead endeavors to advocate the use of electronic signatures and records, promote process efficiencies and provide educational resources to the public, businesses and government
ESIGN Act Champions
• Electronic Financial Services Council (EFSC)
  o National trade association established in the late 1990s by a group of professionals from various industries who realized the need for public policy initiatives and the promotion of electronic signature and records technology
  o Promoted legislation and regulation designed to ensure that electronic commerce continued to revolutionize the availability and delivery of financial services
  o Advocated positions on public policies affecting the offering of financial products and services, including mortgage loans, insurance products, investment products, consumer loans and online banking, in e-commerce
  o Led the charge to make electronic signatures a legally binding way to sign documents
  o Instrumental in the passage of the Electronic Signatures in Global and National Commerce Act (E-Sign Act), which became a law on June 30, 2000
ESRA was later established in 2006 to lead efforts that optimize the understanding and encourage further adoption of these practices
Shared Knowledge & Collaboration
Education Events
• Annual Conference - eSignRecords
• Member Newsletters & Bulletins
• Online Resources – Premier Access
• Federal Legislative Developments, Compliance, and Regulatory Updates
Public Policy Advocacy
• Ad-hoc meetings with federal / state level legislators & regulators
• Coordination with other organizations on specific topics of interest
ESRA Meetings
• Bi-annual membership meeting (Winter / Summer)
• Membership Only Legislative and Regulatory Conference Calls
• Regular committee meetings
• Quarterly and special meetings of the Board of Directors
Member Opportunities
• Reduced fees to attend, exhibit, and/or sponsor at ESRA events
• Exposure on website – Member List
• Network with peers at conferences & events
• Thought leadership: media placements and speaking engagements
Maximize the value of membership; volunteer to get involved
ESRA Mission: ...lead endeavors to advocate the use of electronic signatures and records
Public Policy Committee
A Collective Voice: Sample List of Member Organizations
Adobe Systems; AlphaTrust Corporation; AssureSign; BuckleySandler, LLP; California Association of Realtors; Citibank; Communication Intelligence Corporation (CIC); Consumer Financial Protection Bureau (CFPB); Corporation Service Company (CSC); DocMagic; DocuSign; DocuTech; DocVerify; DotLoop; Eastern Funding; Ellie Mae; eOriginal, Inc.; eLynx; Equifax; eSignSystems; Experian; Fidelity National Financial (FNF); GoPaperless Solutions; IMM; iPipeline; Locke Lorde LLP; NotaryCam; Pennsylvania Employee State Credit Union (PESCU); Property Records Industry Association (PRIA); RouteOne; SpringLeaf Finance; Silanis Technology; Simplifile; SIGNiX; TeleTrust - EU IT Security Association; Topaz Systems; USAA; US Bank; Wells Fargo; Wolters Kluwer; William Mills Agency
Sample Public Policy Issues – 2015
Electronic Notary
• WY: e-Recording
• NE: e-Delivery Regulation
• OH: e-Signed Security Agreements
Federal Agencies
• SBA e-Signature Acceptance
• IRS Audit Requirements For 4506-T
• e-Signature Acceptance on SSA-89
• Federal Reserve Bank Acceptance
• AICPA Letter to IRS Regarding Authentication
State Law
• CA: Nonconforming UETA
• TX: Department of Information Resources
• VA: State e-ID Bills
• WA: Nonconforming e-Signature Statute
International
• European e-ID regulation (eIDaS)
• European Privacy Legislation
Real Estate / Mortgage
• NASAA Real Estate Investment Trust (REIT) Guidelines
• FHA guidance for Lenders (ML 14-3)
• CFPB e-Closing Pilots
• Federal Home Loan Banks Acceptance
Motor Vehicles
• DMV recognition of Electronic Power Of Attorney
• Federal e-Odometer Law
ESRA Mission: ...promote process efficiencies
ESRA Mission: …provide educational resources to the public, businesses and government
Electronic Transactions
• IRS Challenge
• Electronic Signatures
• Attribution
Today’s IRS Challenge
Establish a high-assurance, low friction means of identifying taxpayers and other stakeholders remotely, allowing IRS to deliver services in an online environment without increasing risk.
U.S. Legality of e-Signed Records
• The Uniform Electronic Transactions Act (UETA) and the companion federal law, Electronic Signatures in Global and National Commerce Act (ESIGN), provide assurance that electronic signatures will be granted the same legal authority as traditional ink signatures on paper.
• If an electronic transaction meets the requirements of the electronic signature laws, the transaction cannot be repudiated based on the fact that the transaction was conducted electronically, rather than on paper.
• ESIGN does not give guidance on how to identify and authenticate signatories.
UETA: Establishes the legal equivalence of electronic records and signatures with paper writings and manually-signed signatures, removing barriers to electronic commerce.
ESIGN: Confirms that states must allow the use of electronic signatures if the two parties involved agree to this method of signing. ESIGN applies to interstate commerce, foreign commerce, and business transactions with the Federal Government.
GPEA: Requires Federal agencies, by October 21, 2003, to allow individuals or entities that deal with the agencies the option to submit information or transact with the agency electronically, when practicable, and to maintain records electronically, when practicable.
Intent & Authentication
Four Basic Purposes For Signing:
• I agree to it
• It came from me
• I’ve seen it
• I got it
• Signer must intend to “sign” the document
• Purpose of signature derived from surrounding circumstances
Attribution
• Legal sufficiency vs. attribution
  o ESIGN answers the question “is it a signature?”
  o Does NOT answer the question “is it your signature?”
• Attribution must be proven
  o May be proven by any means, including surrounding circumstances or efficacy of agreed-upon security procedure
  o Burden of proof is on person seeking to enforce signature
• Non-repudiation is a legal condition, not a technology feature
Attribution, Authentication & Identity
• Identity Management
• Federated Credentials
Authentication and Accountability
“Electronic authentication is essential for establishing accountability on line.”
Electronic authentication
• provides a level of assurance as to whether someone is who he claims to be in a digital environment.
• plays a key role in the establishment of trust relationships for electronic commerce, electronic government and many other social interactions.
• is also an essential component of any strategy to protect information systems and networks, financial data, personal information and other assets from unauthorized access or identity theft.
- Organisation for Economic Co-operation and Development (OECD) Recommendation on Electronic Authentication and OECD Guidance for Electronic Authentication, June 2007
Identity Management
Who are you? How can you prove it? What should you be allowed to do?
Verifying the identity of a person or entity that:
o seeks remote access to a corporate system,
o authors an electronic communication, or
o signs an electronic document
Identification
• Answers question: Who are you?
• Also called “identity proofing” or “enrolment”
• Gathers “attributes”
• One-time event
• Can be done remotely, but often requires physical appearance
• Scope
  o Which information collected
  o How much
• Accuracy
  o Reliability of source
  o See assurance levels
Identity Management Basics
• Identification
  o Scope and Accuracy
  o Issuance of credential
• Authentication
• Authorization
Flow: Seek access → Identify → Credential → Authenticate → Authorize
Issuance of Credential
Identifier (e.g. userid) + Authenticator (token) (e.g. password) = Credential
A credential is data that is used to authenticate the claimed digital identity or attributes of a person.
Trust in both the PROCESS and the SECURITY of the data is critical.
Authentication
Who are you? How can you prove it? What should you be allowed to do?
• Establishing confidence in a person’s claimed identity
• Transaction-specific
• Process always involves cross-checking claimed identity against one or more authentication “factors”, including
  o Something the person knows;
  o Something the person possesses; or
  o Something the person is.
Authentication types
• Passwords
• personal identification numbers (PINs),
• digital certificates using a public key infrastructure (PKI),
• physical devices such as smart cards,
• one-time passwords,
• USB plug-ins or other types of “tokens,”
• transaction profile scripts,
• biometric identification
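The two slides above (credential = identifier + authenticator; authentication = cross-checking a claimed identity against one or more factors) are easy to get wrong in one specific way: counting two authenticators from the same category as "multi-factor". The following is an added example, not code from the ESRA deck or from any IRS system. It classifies the authentication types listed on the slide into the three factor categories (the mapping is this example's assumption), decides whether a set of authenticators is genuinely multi-factor, and then verifies a "knows" factor (PBKDF2 password hash) plus a "possesses" factor (an RFC 4226 HOTP one-time code) for one enrolled subject. The seed and password are constructed demo values.

```python
import hashlib
import hmac
import os
import struct
from enum import Enum


class Factor(Enum):
    """The three authentication factor categories named on the slide."""
    KNOWS = "something the person knows"
    HAS = "something the person possesses"
    IS = "something the person is"


# Authentication types from the slide, mapped to the factor each one exercises
# (assumption: one category per type; a PKI certificate counts as possession of
# its private key). Transaction profile scripts are a risk signal, not a factor.
AUTHENTICATOR_FACTORS = {
    "password": Factor.KNOWS,
    "pin": Factor.KNOWS,
    "pki_certificate": Factor.HAS,
    "smart_card": Factor.HAS,
    "one_time_password": Factor.HAS,
    "usb_token": Factor.HAS,
    "biometric": Factor.IS,
}
SUPPLEMENTARY_SIGNALS = {"transaction_profile"}


def factors_used(authenticators):
    """Distinct factor categories covered by a list of authenticator types.
    Unknown names raise so a typo can never be counted as a factor."""
    found = set()
    for name in authenticators:
        if name in SUPPLEMENTARY_SIGNALS:
            continue
        if name not in AUTHENTICATOR_FACTORS:
            raise ValueError(f"unknown authenticator type: {name}")
        found.add(AUTHENTICATOR_FACTORS[name])
    return found


def is_multi_factor(authenticators):
    """True only when at least two *different* categories are present:
    password + PIN is single-factor, password + one-time password is not."""
    return len(factors_used(authenticators)) >= 2


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def enroll(password, otp_secret, salt=None):
    """Issue the authenticator half of a credential for one subject: a salted
    password hash (KNOWS) and the shared OTP seed (HAS)."""
    salt = salt if salt is not None else os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"salt": salt, "pw_hash": pw_hash,
            "otp_secret": otp_secret, "otp_counter": 0}


def authenticate(record, password, otp_code):
    """Cross-check the claimed identity against both factors and return the set
    that verified. Both checks always run, so a failed password does not leak
    anything about the OTP; the counter advances only on a valid code."""
    verified = set()
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                  record["salt"], 100_000)
    if hmac.compare_digest(pw_hash, record["pw_hash"]):
        verified.add(Factor.KNOWS)
    expected = hotp(record["otp_secret"], record["otp_counter"])
    if hmac.compare_digest(expected.encode(), otp_code.encode()):
        verified.add(Factor.HAS)
        record["otp_counter"] += 1
    return verified


if __name__ == "__main__":
    seed = b"12345678901234567890"   # constructed demo seed (the RFC 4226 test key)
    record = enroll("correct horse battery", seed)
    print(is_multi_factor(["password", "pin"]))
    print(authenticate(record, "correct horse battery", hotp(seed, 0)))
```

The counter-based HOTP is used here because it is fully deterministic; a time-based variant (TOTP) only replaces the counter with a time step, and a production verifier would also accept a small look-ahead window to tolerate skipped codes.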
Authorization
Who are you? How can you prove it? What should you be allowed to do?
• Grant of rights or privileges
• Access control to networks
• Verify identity of the sender of a data message
• Verify identity of the signer of an electronic record
Assurance
Confidence that:
• the identity information being presented actually represents the person named in it, and
• the person identified in the credential is the person who is actually engaging in the electronic transaction
Assurance Level: Strength of identification and authentication processes
Federated Identity Credentials
• Reliance on 3d party for identification services.
• Roles, Functions & Duties split between:
  o Subject
  o Identity Provider
  o Relying Party
Flow: Seek access → Identify → Credential → Authenticate → Authorize
Trust
Relying party must be able to trust Identity Provider
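The federated model on the two slides above splits the work three ways: the Identity Provider proofs the Subject and vouches for that identity, and the Relying Party acts on the vouching without ever seeing the Subject's authenticators. "Trust" then comes down to a concrete list of checks the Relying Party runs on every assertion. The block below is an added example, not part of the ESRA deck or any real federation protocol; it uses an HMAC over a canonical JSON payload as the assertion signature (an assumption standing in for the XML or public-key signatures real federations use), and the issuer names, keys and assurance-level claim (`ial`) are constructed. It shows every reason a Relying Party should refuse an assertion: untrusted issuer, bad signature, wrong audience, expiry, insufficient assurance level, and replay.

```python
import hashlib
import hmac
import json
import secrets


class IdentityProvider:
    """Identity Provider: identified the subject once (out of scope here) and
    now issues signed assertions about that identity on request."""

    def __init__(self, issuer, signing_key):
        self.issuer = issuer
        self.signing_key = signing_key

    def issue_assertion(self, subject, audience, assurance_level, now,
                        ttl=300, nonce=None):
        claims = {
            "iss": self.issuer,
            "sub": subject,
            "aud": audience,            # the single relying party this is for
            "iat": now,
            "exp": now + ttl,
            "ial": assurance_level,     # strength of the IdP's identification
            "nonce": nonce or secrets.token_hex(16),
        }
        payload = json.dumps(claims, sort_keys=True, separators=(",", ":"))
        sig = hmac.new(self.signing_key, payload.encode(),
                       hashlib.sha256).hexdigest()
        return {"payload": payload, "sig": sig}


class RelyingParty:
    """Relying Party: accepts an assertion only when every trust condition
    holds. The issuer claim is used only to pick a verification key; no other
    claim is acted on until the signature verifies."""

    def __init__(self, name, trusted_idps, required_level):
        self.name = name
        self.trusted_idps = trusted_idps        # issuer -> verification key
        self.required_level = required_level
        self.seen_nonces = set()                # replay protection

    def verify(self, assertion, now):
        """Return (accepted, subject) or (False, reason for rejection)."""
        try:
            claims = json.loads(assertion["payload"])
        except (KeyError, TypeError, ValueError):
            return False, "malformed assertion"
        key = self.trusted_idps.get(claims.get("iss"))
        if key is None:
            return False, "untrusted issuer"
        expected = hmac.new(key, assertion["payload"].encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion.get("sig", "")):
            return False, "bad signature"
        if claims.get("aud") != self.name:
            return False, "wrong audience"
        if not (claims["iat"] <= now < claims["exp"]):
            return False, "expired or not yet valid"
        if claims["ial"] < self.required_level:
            return False, "assurance level too low"
        if claims["nonce"] in self.seen_nonces:
            return False, "replayed assertion"
        self.seen_nonces.add(claims["nonce"])
        return True, claims["sub"]


if __name__ == "__main__":
    key = b"constructed-shared-key"
    idp = IdentityProvider("https://idp.example", key)
    rp = RelyingParty("https://rp.example", {"https://idp.example": key}, 2)
    assertion = idp.issue_assertion("taxpayer-123", "https://rp.example", 3, now=1000)
    print(rp.verify(assertion, now=1100))
```

The audience check is the one most often skipped: without it an assertion minted for one relying party can be presented to another, which is exactly the cross-site reuse a federation is supposed to rule out.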
Risk
• Identification
• Assessment
• Mitigation
Key E-Signature Risks
• Repudiation Risk
• Compliance Risk
• Admissibility Risk
• Adoption Risk
• Relative Risk
• Authentication Risk
Key Impacts of Authentication Errors (OMB)
• Inconvenience, distress, or damage to standing or reputation
• Financial loss
• Harm to agency programs or public interests
• Privacy
• Personal safety
• Civil or criminal violation
• Unauthorized release of sensitive information
Key Identity Risks
Identification / Authentication:
• Technology
• Process
• Performance
• Privacy
• Data Security
• Liability
• Enforceability
• Regulatory Compliance
Lessons Learned
• Use Cases
• Agency policies
FHA Single Family Loan Program - 1
ML 2010-14 set e-signature requirements for “third party” documents on FHA Single Family Loans.
• Data subjects: individual borrowers
• Ecosystem: Open
• Paper authentication: None
• Risk: Low
• Mitigation method: ESIGN compliance (basic)
• Result: Risk mitigation methods set by lenders
FHA Single Family Loan Program - 2
ML 2014-3 set e-signature requirements for lender-generated documents for FHA Single Family Loans.
• Authentication refers to the process used to confirm an individual’s identity as a party in a transaction.
• Attribution is the process of associating the identity of an individual with his or her signature.
• Data subjects: individual borrowers
• Ecosystem: Open
• Paper authentication: None
• Risk: Low
• Mitigation method: Various
• Result: Confusion among lenders
SBA Loan Program guidelines
SBA Procedural Notice 5000-1323 allows 7(a) and 504 lenders to use electronic signatures on SBA documents.
• Data subjects: small business entities
• Ecosystem: Open
• Paper authentication: Low
• Risk: Low
• Mitigation method: NIST Level 3 (High)
• Result: No adoption
Guidance for government agencies
Unique challenges for agencies
• Regulators may be faced with electronic records in any or all of these situations:
  o Regulating transactions between parties
  o Record retention
  o Filing requirements
  o Government as market participant
  o Direct-to-citizen transactions
• Risk appetite for government service providers is lower than most private sector levels
Where to start?
• ESIGN
• GPEA
• OMB guidance
• NIST
• Other federal agencies
• Private industry
• eID Initiatives
Statutory framework
• ESIGN/UETA
Statutes are consistent in their message: remove barriers to paperless transactions
U.S. Government Assurance Levels
Level 1: Little or No Confidence
Level 2: Some Confidence
Level 3: High Confidence
Level 4: Very High Confidence
Factors affecting assurance levels:
- Nature of ID process
- Type of authenticator (token) used
- Security of remote authentication mechanism
OMB Guidance (M-04-04)
Outlines a 5-step process by which agencies should meet their e-authentication assurance requirements:
1. Conduct a risk assessment of the government system.
2. Map identified risks to the appropriate assurance level.
3. Select technology based on e-authentication technical guidance.
4. Validate that the implemented system has met the required assurance level.
5. Periodically reassess the information system to determine technology refresh requirements.
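Steps 1, 2, 4 and 5 of the M-04-04 process, together with the impact categories from the "Key Impacts of Authentication Errors (OMB)" slide and the four assurance levels, can be written down as a small decision procedure, which makes the "map risks to a level" step auditable rather than a judgment call made once in a meeting. The block below is an added example, not from the ESRA deck or from OMB. The per-category minimum-level table is constructed for this example: it follows the shape of the M-04-04 impact table (the worst-rated category drives the level) but must be checked against the published table before any real use.

```python
from enum import IntEnum


class Impact(IntEnum):
    """Potential impact of an authentication error in one category."""
    NONE = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3


# Impact categories from the OMB slide. The minimum assurance level for each
# (category, impact) pair is CONSTRUCTED for this example and is not the
# M-04-04 table itself. "Privacy" on the slide is folded into unauthorized
# release of sensitive information here (an assumption).
MIN_LEVEL = {
    "inconvenience_distress_or_reputation":
        {Impact.LOW: 1, Impact.MODERATE: 2, Impact.HIGH: 4},
    "financial_loss":
        {Impact.LOW: 1, Impact.MODERATE: 2, Impact.HIGH: 4},
    "harm_to_agency_programs_or_public_interests":
        {Impact.LOW: 2, Impact.MODERATE: 3, Impact.HIGH: 4},
    "unauthorized_release_of_sensitive_information":
        {Impact.LOW: 2, Impact.MODERATE: 3, Impact.HIGH: 4},
    "personal_safety":
        {Impact.LOW: 3, Impact.MODERATE: 4, Impact.HIGH: 4},
    "civil_or_criminal_violation":
        {Impact.LOW: 2, Impact.MODERATE: 3, Impact.HIGH: 4},
}


def required_assurance_level(profile):
    """Steps 1-2: take the risk assessment (category -> Impact) and return the
    lowest assurance level that covers the worst-rated category. Categories
    not mentioned count as NONE; an unknown category is an error, not a skip."""
    level = 1
    for category, impact in profile.items():
        if category not in MIN_LEVEL:
            raise ValueError(f"unknown impact category: {category}")
        if impact is Impact.NONE:
            continue
        level = max(level, MIN_LEVEL[category][impact])
    return level


def validate_implementation(profile, implemented_level):
    """Step 4: the deployed system passes only if the level it was validated
    at is at least the level the risk profile demands."""
    return implemented_level >= required_assurance_level(profile)


def reassess(profile, updated_ratings, implemented_level):
    """Step 5: merge new findings into the profile and report the new required
    level plus whether the current technology needs a refresh."""
    new_profile = {**profile, **updated_ratings}
    new_level = required_assurance_level(new_profile)
    return new_profile, new_level, implemented_level < new_level


if __name__ == "__main__":
    # Constructed profile for a transcript-style service: moderate financial
    # loss and a low rating for release of sensitive information.
    profile = {"financial_loss": Impact.MODERATE,
               "unauthorized_release_of_sensitive_information": Impact.LOW}
    print(required_assurance_level(profile))
    print(reassess(profile,
                   {"unauthorized_release_of_sensitive_information": Impact.HIGH},
                   implemented_level=3))
```

Two properties are worth keeping when adapting this: the level is a maximum over categories, never an average, so one high-impact category cannot be diluted by several harmless ones; and a category the table does not know raises instead of being ignored, so a renamed category cannot silently drop out of the assessment.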
NIST SP 800-63-2
• Guidelines for implementing the third step of the OMB M-04-04 process.
• Specific technical requirements for each of the four levels of assurance in the following areas:
  o Identity proofing and registration of Applicants,
  o Tokens (typically a cryptographic key or password) for authentication,
  o Token and credential management mechanisms used to establish and maintain token and credential information,
  o Protocols used to support the authentication mechanism between the Claimant and the Verifier,
  o Assertion mechanisms used to communicate the results of a remote authentication if these results are sent to other parties.
U.S. Government Assurance Levels
NIST Special Publication 800-63-2: NIST recommendation provides technical guidelines to agencies to allow an individual to remotely authenticate his or her identity to a Federal IT system.
OMB M-04-04: OMB M-04-04 applies to remote authentication of human users of Federal agency IT systems for the purposes of conducting government business electronically (or e-government).
GSA/OMB 2013 e-signature guidelines
Exec Order 13681: By Jan. 2015, agencies to present plan to ensure use of multi-factor authentication for citizen access to personal data. Implementation required by April 2016.
Other entities – Private & Public Sector
• Private industry
  o SPeRS
  o FFIEC
  o Independent standards bodies such as ISO
• Current initiatives
  o NSTIC/IDESG
  o OpenID
SPeRS Standard 1-1
Best Practices for e-Signed Records
• “Wet” Ink vs. Electronic: eProcess should not be riskier or more burdensome than the traditional process of using wet ink and hard copy paper
• Identity Validation: Validate the identity of the signatory
• Signer’s Consent: The individual who will be signing the form must provide their consent to receive and sign documents electronically
• E-Process: Demonstrate that the document has made it into the correct hands
• Tamper-Evident Seal: After the electronic signature is collected, the document should be made tamper-evident (as opposed to tamper-proof)
• Audit Log: Signature event audit log should remain available with the record in a secure environment; captures acknowledgement
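The last two practices above, a tamper-evident (not tamper-proof) seal and a signature-event audit log kept with the record, fit together naturally: chain the audit events by hash so that no event can be edited or removed unnoticed, then bind the document digest to the head of that chain with a keyed MAC at the moment the signature is collected. The block below is an added example, not from the ESRA deck or any e-signature vendor; the event names, the sample document and the sealing key are constructed. It shows that the seal stops nothing but reports exactly what changed: the document, an individual log entry, or the log's length.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64   # hash the first entry chains to


def _canonical(event):
    return json.dumps(event, sort_keys=True, separators=(",", ":"))


def entry_hash(prev_hash, event):
    """Each entry commits to its predecessor, so editing or deleting any earlier
    event changes every hash after it."""
    return hashlib.sha256((prev_hash + "|" + _canonical(event)).encode()).hexdigest()


class SignatureAuditLog:
    """Hash-chained log of the events in one e-signing session."""

    def __init__(self):
        self.entries = []

    def record(self, event):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"event": event, "hash": entry_hash(prev, event)})

    def head(self):
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify_chain(self):
        """Recompute the chain; (True, -1) if intact, else (False, first bad index)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry_hash(prev, entry["event"]) != entry["hash"]:
                return False, i
            prev = entry["hash"]
        return True, -1


def seal(document, log, key):
    """Tamper-EVIDENT seal: an HMAC binding the document digest to the log head
    at the moment the signature was collected. It prevents nothing; it makes
    any later change detectable by whoever holds the key."""
    digest = hashlib.sha256(document).hexdigest()
    head = log.head()
    mac = hmac.new(key, (digest + "|" + head).encode(), hashlib.sha256).hexdigest()
    return {"document_sha256": digest, "log_head": head, "mac": mac}


def verify_sealed(document, log, seal_record, key):
    """Return (intact, reason), naming the first thing found to have changed."""
    ok, index = log.verify_chain()
    if not ok:
        return False, f"audit log entry {index} altered"
    if hashlib.sha256(document).hexdigest() != seal_record["document_sha256"]:
        return False, "document altered after signing"
    if log.head() != seal_record["log_head"]:
        return False, "audit log extended or truncated after sealing"
    msg = (seal_record["document_sha256"] + "|" + seal_record["log_head"]).encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, seal_record["mac"]):
        return False, "seal invalid"
    return True, "intact"


def demo_session():
    """Constructed signing session following the best-practice steps: consent,
    identity validation, delivery to the right hands, signature, acknowledgement."""
    key = b"constructed-seal-key"
    doc = b"Form 8879 (constructed sample content)"
    log = SignatureAuditLog()
    for event in [
        {"t": 1, "event": "consent_to_esign", "actor": "signer"},
        {"t": 2, "event": "identity_validated", "actor": "verifier", "level": 2},
        {"t": 3, "event": "document_delivered", "actor": "system"},
        {"t": 4, "event": "signature_applied", "actor": "signer"},
        {"t": 5, "event": "acknowledgement_captured", "actor": "signer"},
    ]:
        log.record(event)
    return doc, log, seal(doc, log, key), key


if __name__ == "__main__":
    doc, log, sealed, key = demo_session()
    print(verify_sealed(doc, log, sealed, key))
    print(verify_sealed(doc + b" (edited)", log, sealed, key))
```

Keyed sealing means the check can be run by any party holding the key, including a later auditor; where the record must be verifiable by parties who cannot share a secret, the same structure works with a digital signature over the digest and log head in place of the HMAC.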
Resources
• Introduction to Online Identity Management, by Thomas J. Smedinghoff, http://www.uncitral.org/pdf/english/colloquia/EC/Smedinghoff_Paper_-_Introduction_to_Identity_Management.pdf
• Organisation for Economic Co-operation and Development (OECD), Recommendation on Electronic Authentication and OECD Guidance for Electronic Authentication, June 2007, http://www.oecd.org/dataoecd/32/45/38921342.pdf
• Federal Financial Institutions Examination Council (“FFIEC”), “Authentication in an Internet Banking Environment,” October 12, 2005, http://www.ffiec.gov/pdf/authentication_guidance.pdf
• National Institute of Standards and Technology, "Electronic Authentication Guideline," Special Pub. No. 800-63-2 (August, 2013), http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf
• SBA Procedural Notice 5000-1323 (October 21, 2014), https://www.sba.gov/sites/default/files/lender_notices/5000-1323.pdf
Thank you!
1250 24th Street NW, Washington, DC 20037
800-560-ESRA (3772)
ESRA@eSignRecords.org
Identity – current practices in a paper world
• Individual
  o Reliance on integrity of post office
  o In-person identification
  o Signature sample
• Representatives
  o Certificates of authority
Identity in remote transactions
• Unique identifier
• Surrounding circumstances
• Third-party tools
  o Credit check
  o “out of wallet” identification
Verification online
• SSN verification services
• Credit card billing address verification
• Address verification
• Transaction structure – e.g. all credit balances must be sent to the same account that is being debited.

ESRA IRS Briefing 20150519

  • 1.
    www.eSignRecords.org© ESRA Confidential& Proprietary Information Session 1 Online Authentication Principles and Practices Internal Revenue Service Briefing May 19, 2015
  • 2.
    www.eSignRecords.org© ESRA Confidential& Proprietary 10:00 AM ESRA Overview & Introductions 10:10 AM Electronic Transactions  Today’s IRS Challenge  Electronic Signatures and Records: ESIGN & GPEA  Attribution – How do I know who signed? 10:25 AM Risk Assessment  Classifications of risks associated with online transactions  Risk tolerance  Mitigation 10:35 AM Attribution, Authentication & Identity  Identity Management  Government Assurance Levels  Federated Identity 10:55 AM Use Cases and Best Practices  Private sector examples  Public sector examples  DOD  FDA  HUD-FHA  SBA 11:10 AM IRS Use Cases and Approach  The PIN  Non-return guidance: ESIGN compliance  8878/8879 Guidance  Up close: IRS e-Transcript program 11:25 AM Q&A 12:00 PM Close 2 Agenda
  • 3.
    © ESRA Confidential& Proprietarywww.eSignRecords.org ESRA is the premier global trade association focused on the advancement of electronic signatures and records  Technology-neutral forum comprised of both users and providers  Advocates public policy that promotes the inherent compliance, efficiency and transparency benefits of electronic processes  Develops thought leadership, events and education around the most pressing legal, regulatory and operational issues associated with e-signed records ESRA Vision: Positively impact consumers, businesses and government through the promotion of electronic signatures and records ESRA Mission: Globally, lead endeavors to advocate the use of electronic signatures and records, promote process efficiencies and provide educational resources to the public, businesses and government ESRA Electronic Signature and Records Association 3
  • 4.
    © ESRA Confidential& Proprietarywww.eSignRecords.org  Electronic Financial Services Council (EFSC)  National trade association established in the late 1990s by a group of professionals from various industries who realized the need for public policy initiatives and the promotion of electronic signature and records technology  Promoted legislation and regulation designed to ensure that electronic commerce continued to revolutionize the availability and delivery of financial services  Advocated positions on public policies affecting the offering of financial products and services, including mortgage loans, insurance products, investment products, consumer loans and online banking, in e-commerce  Led the charge to make electronic signatures a legally binding way to sign documents  Instrumental in the passage of the Electronic Signatures in Global and National Commerce Act (E-Sign Act), which became a law on June 30, 2000 ESRA was later established in 2006 to lead efforts that optimize the understanding and encourage further adoption of these practices 4 ESIGN Act Champions
  • 5.
    © ESRA Confidential& Proprietarywww.eSignRecords.org Education Events • Annual Conference - eSignRecords • Member Newsletters & Bulletins • Online Resources – Premier Access • Federal Legislative Developments, Compliance, and Regulatory Updates Public Policy Advocacy • Ad-hoc meetings with federal / state level legislators & regulators • Coordination with other organizations on specific topics of interest ESRA Meetings • Bi-annual membership meeting (Winter / Summer) • Membership Only Legislative and Regulatory Conference Calls • Regular committee meetings • Quarterly and special meetings of the Board of Directors Member Opportunities • Reduced fees to attend, exhibit, and/or sponsor at ESRA events • Exposure on website – Member List • Network with peers at conferences & events • Thought leadership: media placements and speaking engagements 5 Shared Knowledge & Collaboration Maximize the value of membership; volunteer to get involved
  • 6.
    www.eSignRecords.org© ESRA Confidential& Proprietary ESRA Mission Globally, lead endeavors to advocate the use of electronic signatures and records, promote process efficiencies and provide educational resources to the public, businesses and government 6 ...lead endeavors to advocate the use of electronic signatures and records
  • 7.
    © ESRA Confidential& Proprietarywww.eSignRecords.org 7 Public Policy Committee
  • 8.
    © ESRA Confidential& Proprietarywww.eSignRecords.org Adobe Systems AlphaTrust Corporation AssureSign BuckleySandler, LLP California Association of Realtors Citibank Communication Intelligence Corporation (CIC) Consumer Financial Protection Bureau (CFPB) Corporation Service Company (CSC) DocMagic DocuSign DocuTech DocVerify DotLoop Eastern Funding Ellie Mae eOriginal, Inc. eLynx Equifax eSignSystems Experian Fidelity National Financial (FNF) GoPaperless Solutions IMM iPipeline Locke Lorde LLP NotaryCam Pennsylvania Employee State Credit Union (PESCU) Property Records Industry Association (PRIA) RouteOne SpringLeaf Finance Silanis Technology Simplifile SIGNiX TeleTrust - EU IT Security Association Topaz Systems USAA US Bank Wells Fargo Wolters Kluwer William Mills Agency 8 A Collective Voice Sample List of Member Organizations
  • 9.
    © ESRA Confidential& Proprietarywww.eSignRecords.org Electronic Notary WY: e-Recording NE: e-Delivery Regulation OH: e-Signed Security Agreements Federal Agencies SBA e-Signature Acceptance IRS Audit Requirements For 4506-T e-Signature Acceptance on SSA-89 Federal Reserve Bank Acceptance AICPA Letter to IRS Regarding Authentication State Law CA: Nonconforming UETA TX: Department of Information Resources VA: State e-ID Bills WA: Nonconforming e- Signature Statute International European e-ID regulation (eIDaS) European Privacy Legislation Real Estate / Mortgage NASAA Real Estate Investment Trust (REIT) Guidelines FHA guidance for Lenders (ML 14-3) CFPB e-Closing Pilots Federal Home Loan Banks Acceptance Motor Vehicles DMV recognition of Electronic Power Of Attorney Federal e- Odometer Law 9 Sample Public Policy Issues – 2015
  • 10.
    www.eSignRecords.org© ESRA Confidential& Proprietary ESRA Mission Globally, lead endeavors to advocate the use of electronic signatures and records, promote process efficiencies and provide educational resources to the public, businesses and government 10 ...promote process efficiencies
  • 11.
    www.eSignRecords.org© ESRA Confidential& Proprietary ESRA Mission Globally, lead endeavors to advocate the use of electronic signatures and records, promote process efficiencies and provide educational resources to the public, businesses and government 11 …provide educational resources to the public, businesses and government
  • 12.
    www.eSignRecords.org© ESRA Confidential& Proprietary IRS Challenge Electronic Signatures Attribution 12 Electronic Transactions
  • 13.
    © ESRA Confidential& Proprietarywww.eSignRecords.org Establish a high-assurance, low friction means of identifying taxpayers and other stakeholders remotely, allowing IRS to deliver services in an online environment without increasing risk. 13 Today’s IRS Challenge
  • 14.
    © ESRA Confidential& Proprietarywww.eSignRecords.org  The Uniform Electronic Transactions Act (UETA) and the companion federal law, Electronic Signatures in Global and National Commerce Act (ESIGN), provide assurance that electronic signatures will be granted the same legal authority as traditional ink signatures on paper.  If an electronic transaction meets the requirements of the electronic signature laws, the transaction cannot be repudiated based on the fact that the transaction was conducted electronically, rather than on paper.  ESIGN does not give guidance on how to identify and authenticate signatories. 14 U.S. Legality of e-Signed Records Establishes the legal equivalence of electronic records and signatures with paper writings and manually-signed signatures, removing barriers to electronic commerce UETA Confirms that states must allow the use of electronic signatures if the two parties involved agree to this method of signing. ESIGN applies to interstate commerce, foreign commerce, and business transactions with the Federal Government. ESIGN Requires Federal agencies, by October 21, 2003, to allow individuals or entities that deal with the agencies the option to submit information or transact with the agency electronically, when practicable, and to maintain records electronically, when practicable. GPEA
  • 15.
    © ESRA Confidential& Proprietarywww.eSignRecords.org Four Basic Purposes For Signing I agree to it It came from me I’ve seen it I got it  Signer must intend to “sign” the document  Purpose of signature derived from surrounding circumstances 15 Intent & Authentication
  • 16.
    © ESRA Confidential& Proprietarywww.eSignRecords.org Attribution  Legal sufficiency vs. attribution  ESIGN answers the question “is it a signature?”  Does NOT answer the question “is it your signature?”  Attribution must be proven  May be proven by any means, including surrounding circumstances or efficacy of agreed-upon security procedure  Burden of proof is on person seeking to enforce signature  Non-repudiation is a legal condition, not a technology feature
  • 17.
    www.eSignRecords.org© ESRA Confidential& Proprietary Identity Management Federated Credentials 17 Attribution, Authentication & Identity
  • 18.
    © ESRA Confidential& Proprietarywww.eSignRecords.org  “Electronic authentication is essential for establishing accountability on line.”  Electronic authentication  provides a level of assurance as to whether someone is who he claims to be in a digital environment.  plays a key role in the establishment of trust relationships for electronic commerce, electronic government and many other social interactions.  is also an essential component of any strategy to protect information systems and networks, financial data, personal information and other assets from unauthorized access or identity theft. - Organisation for Economic Co-operation and Development (OECD) Recommendation on Electronic Authentication and OECD Guidance for Electronic Authentication, June 2007 18 Authentication and Accountability
  • 19.
    © ESRA Confidential& Proprietarywww.eSignRecords.org Who are you? How can you prove it? What should you be allowed to do? Verifying the identity of a person or entity that: o seeks remote access to a corporate system, o authors an electronic communication, or o signs an electronic document 19 Identity Management
  • 20.
    © ESRA Confidential& Proprietarywww.eSignRecords.org  Answers question: Who are you?  Also called “identity proofing” or “enrolment  Gathers “attributes”  One-time event  Can be done remotely, but often requires physical appearance  Scope Which information collected How much  Accuracy Reliability of source See assurance levels 20 Identification
Slide 21: Identity Management Basics
• Identification (scope and accuracy)
• Issuance of credential
• Authentication
• Authorization
Process flow (figure): Seek access -> Identify -> Credential -> Authenticate -> Authorize
Slide 22: Issuance of Credential
A credential is data that is used to authenticate the claimed digital identity or attributes of a person.
Credential = Identifier (e.g. user ID) + Authenticator/token (e.g. password)
Trust in both the PROCESS and the SECURITY of the data is critical.
Slide 23: Authentication
Who are you? How can you prove it? What should you be allowed to do?
• Establishing confidence in a person's claimed identity
• Transaction-specific
• The process always involves cross-checking the claimed identity against one or more authentication "factors":
  • Something the person knows;
  • Something the person possesses; or
  • Something the person is.
Slide 24: Authentication types
• Passwords
• Personal identification numbers (PINs)
• Digital certificates using a public key infrastructure (PKI)
• Physical devices such as smart cards
• One-time passwords
• USB plug-ins or other types of "tokens"
• Transaction profile scripts
• Biometric identification
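The following is an added example, not material from the ESRA deck, showing how a verifier cross-checks two of the factors from slides 22 to 24 against an issued credential: a password (something the person knows, stored only as a salted PBKDF2 hash) and a time-based one-time password (something the person possesses, RFC 6238 TOTP). The user record, the secrets and the iteration count are assumptions made up for the example; the TOTP secret is the published RFC 6238 test-vector secret so the codes can be checked against the RFC.

```python
"""Added example (not from the ESRA deck): verifying two authentication
factors against a stored credential record.

Factor 1, something the person knows: a password, stored only as a salted
PBKDF2-HMAC-SHA256 hash so a leaked record does not leak the authenticator.
Factor 2, something the person possesses: a time-based one-time password
(RFC 6238 TOTP) derived from a secret shared with the user's device.
All names, the user record and the secrets are constructed for the example.
"""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

PBKDF2_ITERATIONS = 600_000  # assumption: a present-day work factor, tune to your hardware
TOTP_STEP_SECONDS = 30
TOTP_DIGITS = 6


def enroll_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Issue the 'something you know' authenticator: keep salt + hash, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": PBKDF2_ITERATIONS}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the hash and compare in constant time to avoid a timing side channel."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def totp(secret: bytes, unix_time: int, step: int = TOTP_STEP_SECONDS, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP on top of RFC 4226 HOTP: HMAC-SHA1 over the time counter, dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps of clock skew; compare in constant time."""
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * TOTP_STEP_SECONDS)
        if hmac.compare_digest(expected, code):
            return True
    return False


def authenticate(user: dict, password: str, otp: str, unix_time: Optional[int] = None) -> bool:
    """Both factors must pass; both are always evaluated so a failure does not reveal which one failed."""
    unix_time = int(time.time()) if unix_time is None else unix_time
    password_ok = verify_password(user["password"], password)
    otp_ok = verify_totp(user["totp_secret"], otp, unix_time)
    return password_ok and otp_ok


# Constructed enrollment record for the example (fixed salt only so results are reproducible).
USER = {
    "identifier": "taxpayer-0001",
    "password": enroll_password("correct horse battery staple", salt=b"\x00" * 16),
    "totp_secret": b"12345678901234567890",  # the RFC 6238 test-vector secret
}

if __name__ == "__main__":
    now = int(time.time())
    code = totp(USER["totp_secret"], now)  # what the user's device would display
    print("both factors:", authenticate(USER, "correct horse battery staple", code, now))
    print("password only:", authenticate(USER, "correct horse battery staple", "000000", now))
```

The two factors are checked independently and the caller only learns a combined result, which keeps a guessed password from being confirmed by a separate error message. The skew window is the usual trade-off between clock drift on the user's device and the number of codes an attacker can try per step.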
Slide 25: Authorization
Who are you? How can you prove it? What should you be allowed to do?
• Grant of rights or privileges
• Access control to networks
• Verify the identity of the sender of a data message
• Verify the identity of the signer of an electronic record
Slide 26: Assurance
Assurance level: the strength of the identification and authentication processes.
Confidence that:
• the identity information being presented actually represents the person named in it, and
• the person identified in the credential is the person who is actually engaging in the electronic transaction
Slide 27: Federated Identity Credentials
• Reliance on a third party for identification services.
• Roles, functions and duties are split between: Subject, Identity Provider, Relying Party
Process flow (figure): Seek access -> Identify -> Credential -> Authenticate -> Authorize
Slide 28: Trust
The relying party must be able to trust the Identity Provider.
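As an added example that is not part of the ESRA deck, here is the minimum set of checks a relying party makes before it acts on an identity provider's assertion (slides 27 and 28). The assertion format is a constructed stand-in for a SAML or OpenID Connect token: a JSON claim set plus an HMAC-SHA256 tag under a key the relying party has registered for that issuer. Real federations normally verify the provider's public signing key instead of a shared secret; the issuer names, keys, claim names and assurance levels below are all assumptions made for the example.

```python
"""Added example (not from the ESRA deck): what 'the relying party must be
able to trust the identity provider' means in code.

The relying party keeps a registry of trusted issuers. An assertion is accepted
only if it comes from a registered issuer, its signature verifies under that
issuer's key, it was issued for this relying party, it is within its validity
window, its assurance level is acceptable, and it has not been seen before.
Format, keys, issuer names and claims are constructed for the example.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Relying party's trust registry: trusted identity providers, their verification
# key and the highest assurance level the RP will let each one vouch for.
TRUSTED_IDPS = {
    "https://idp.example.gov": {"key": b"idp-example-gov-shared-key", "max_level": 3},
}
RELYING_PARTY = "https://transcripts.example.gov"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(claims: dict, key: bytes) -> str:
    """Identity provider side: canonical JSON body plus HMAC tag, dot-separated."""
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


class SeenAssertions:
    """Replay cache keyed by assertion id (in production, a store shared by all RP nodes)."""

    def __init__(self) -> None:
        self._ids = set()

    def first_use(self, assertion_id: str) -> bool:
        if assertion_id in self._ids:
            return False
        self._ids.add(assertion_id)
        return True


def verify_assertion(token: str, now: int, required_level: int, seen: SeenAssertions) -> Optional[dict]:
    """Relying party side: returns the claims on success, None on any failure.

    Order matters: bind the token to a trusted issuer and check the signature
    before reading any other claim, because unsigned claims cannot be trusted.
    """
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
        claims = json.loads(body)
    except ValueError:
        return None
    if not isinstance(claims, dict):
        return None
    idp = TRUSTED_IDPS.get(claims.get("iss"))
    if idp is None:
        return None  # unknown issuer: no trust relationship exists
    expected = hmac.new(idp["key"], body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # forged or altered assertion
    if claims.get("aud") != RELYING_PARTY:
        return None  # issued for some other relying party
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        return None  # stale or not yet valid
    level = claims.get("assurance_level", 0)
    if level < required_level or level > idp["max_level"]:
        return None  # weaker than this transaction needs, or more than this IdP may vouch for
    jti = claims.get("jti")
    if not jti or not seen.first_use(jti):
        return None  # missing id or replayed assertion
    return claims


# Constructed claim set for the demonstration.
GOOD_CLAIMS = {
    "iss": "https://idp.example.gov", "sub": "subject-4711", "aud": RELYING_PARTY,
    "nbf": 1_700_000_000, "exp": 1_700_000_300, "jti": "a1", "assurance_level": 3,
}


def demo() -> dict:
    """Returns whether each constructed assertion is accepted (True) or rejected (False)."""
    key = TRUSTED_IDPS["https://idp.example.gov"]["key"]
    seen, now = SeenAssertions(), 1_700_000_100
    good = issue_assertion(GOOD_CLAIMS, key)
    other_aud = issue_assertion({**GOOD_CLAIMS, "aud": "https://other.example", "jti": "a2"}, key)
    unknown_idp = issue_assertion({**GOOD_CLAIMS, "iss": "https://rogue.example", "jti": "a3"}, b"rogue-key")
    forged = issue_assertion({**GOOD_CLAIMS, "assurance_level": 4, "jti": "a4"}, b"guessed-key")
    return {
        "valid": verify_assertion(good, now, 2, seen) is not None,
        "replay": verify_assertion(good, now, 2, seen) is not None,
        "wrong_audience": verify_assertion(other_aud, now, 2, seen) is not None,
        "unknown_issuer": verify_assertion(unknown_idp, now, 2, seen) is not None,
        "forged_level": verify_assertion(forged, now, 2, seen) is not None,
        "level_too_low": verify_assertion(good, now, 4, SeenAssertions()) is not None,
        "expired": verify_assertion(good, now + 1000, 2, SeenAssertions()) is not None,
    }
```

The registry is the trust decision the slide is about: an assertion that verifies perfectly under some key is still worthless if the relying party never agreed to rely on that issuer, and the per-issuer ceiling on assurance level keeps a low-assurance provider from asserting Level 3 or 4 identities (slide 42) it never proofed.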
Slide 29: Risk
• Identification
• Assessment
• Mitigation
Slide 30: Key E-Signature Risks
• Repudiation risk
• Compliance risk
• Admissibility risk
• Adoption risk
• Relative risk
• Authentication risk
Slide 31: Key Impacts of Authentication Errors (OMB)
• Inconvenience, distress, or damage to standing or reputation
• Financial loss
• Harm to agency programs or public interests
• Privacy
• Personal safety
• Civil or criminal violation
• Unauthorized release of sensitive information
Slide 32: Key Identity Risks
• Technology
• Process
• Performance
• Identification
• Authentication
• Privacy
• Data security
• Liability
• Enforceability
• Regulatory compliance
Slide 33: Lessons Learned
• Use cases
• Agency policies
Slide 34: FHA Single Family Loan Program - 1
ML 2010-14 set e-signature requirements for "third party" documents on FHA Single Family Loans.
• Data subjects: individual borrowers
• Ecosystem: open
• Paper authentication: none
• Risk: low
• Mitigation method: ESIGN compliance (basic)
• Result: risk mitigation methods set by lenders
Slide 35: FHA Single Family Loan Program - 2
ML 2014-3 set e-signature requirements for lender-generated documents for FHA Single Family Loans.
• Authentication refers to the process used to confirm an individual's identity as a party in a transaction.
• Attribution is the process of associating the identity of an individual with his or her signature.
• Data subjects: individual borrowers
• Ecosystem: open
• Paper authentication: none
• Risk: low
• Mitigation method: various
• Result: confusion among lenders
Slide 36: SBA Loan Program guidelines
SBA Procedural Notice 5000-1323 allows 7(a) and 504 lenders to use electronic signatures on SBA documents.
• Data subjects: small business entities
• Ecosystem: open
• Paper authentication: low
• Risk: low
• Mitigation method: NIST Level 3 (high)
• Result: no adoption
Slide 37: Guidance for government agencies
Slide 38: Unique challenges for agencies
Regulators may be faced with electronic records in any or all of these situations:
• Regulating transactions between parties
• Record retention
• Filing requirements
• Government as market participant
• Direct-to-citizen transactions
Risk appetite for government service providers is lower than most private sector levels.
Slide 39: Where to start?
• ESIGN
• GPEA
• OMB guidance
• NIST
• Other federal agencies
• Private industry
• eID initiatives
Slide 40: Statutory framework
The ESIGN and UETA statutes are consistent in their message: remove barriers to paperless transactions.
Slide 41: U.S. Government Assurance Levels
Factors affecting assurance levels:
• Nature of the ID process
• Type of authenticator (token) used
• Security of the remote authentication mechanism
Level 1: little or no confidence
Level 2: some confidence
Level 3: high confidence
Level 4: very high confidence
Slide 42: OMB Guidance (M-04-04)
Outlines a 5-step process by which agencies should meet their e-authentication assurance requirements:
1. Conduct a risk assessment of the government system.
2. Map identified risks to the appropriate assurance level.
3. Select technology based on e-authentication technical guidance.
4. Validate that the implemented system has met the required assurance level.
5. Periodically reassess the information system to determine technology refresh requirements.
Slide 43: NIST SP 800-63-2
• Guidelines for implementing the third step of the OMB M-04-04 process.
• Specific technical requirements for each of the four levels of assurance in the following areas:
  • Identity proofing and registration of Applicants,
  • Tokens (typically a cryptographic key or password) for authentication,
  • Token and credential management mechanisms used to establish and maintain token and credential information,
  • Protocols used to support the authentication mechanism between the Claimant and the Verifier,
  • Assertion mechanisms used to communicate the results of a remote authentication if these results are sent to other parties.
Slide 44: U.S. Government Assurance Levels
• NIST Special Publication 800-63-2: provides technical guidelines to agencies to allow an individual to remotely authenticate his or her identity to a Federal IT system.
• OMB M-04-04: applies to remote authentication of human users of Federal agency IT systems for the purposes of conducting government business electronically (e-government).
Slide 45: GSA/OMB 2013 e-signature guidelines
Executive Order 13681: by January 2015, agencies were to present a plan to ensure the use of multi-factor authentication for citizen access to personal data. Implementation required by April 2016.
Slide 46: Other entities – Private & Public Sector
• Private industry
  • SPeRS
  • FFIEC
  • Independent standards bodies such as ISO
• Current initiatives
  • NSTIC/IDESG
  • OpenID
Slide 47: SPeRS Standard 1-1
Slide 48: Best Practices for e-Signed Records
• "Wet" ink vs. electronic: the e-process should not be riskier or more burdensome than the traditional process of using wet ink and hard copy paper
• Identity validation: validate the identity of the signatory
• Signer's consent: the individual who will be signing the form must provide their consent to receive and sign documents electronically
• E-process: demonstrate that the document has made it into the correct hands
• Tamper-evident seal: after the electronic signature is collected, the document should be made tamper-evident (as opposed to tamper-proof)
• Audit log: the signature event audit log should remain available with the record in a secure environment; it captures the acknowledgement
Slide 49: Resources
• Thomas J. Smedinghoff, "Introduction to Online Identity Management," http://www.uncitral.org/pdf/english/colloquia/EC/Smedinghoff_Paper_-_Introduction_to_Identity_Management.pdf
• Organisation for Economic Co-operation and Development (OECD), Recommendation on Electronic Authentication and OECD Guidance for Electronic Authentication, June 2007, http://www.oecd.org/dataoecd/32/45/38921342.pdf
• Federal Financial Institutions Examination Council (FFIEC), "Authentication in an Internet Banking Environment," October 12, 2005, http://www.ffiec.gov/pdf/authentication_guidance.pdf
• National Institute of Standards and Technology, "Electronic Authentication Guideline," Special Publication 800-63-2 (August 2013), http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf
• SBA Procedural Notice 5000-1323 (October 21, 2014), https://www.sba.gov/sites/default/files/lender_notices/5000-1323.pdf
Slide 50: Thank you!
ESRA, 1250 24th Street NW, Washington, DC 20037
800-560-ESRA (3772)
ESRA@eSignRecords.org
Slide 51: Identity – current practices in a paper world
• Individual: reliance on the integrity of the post office; in-person identification; signature sample
• Representatives: certificates of authority
Slide 52: Identity in remote transactions
• Unique identifier
• Surrounding circumstances
• Third-party tools
• Credit check
• "Out of wallet" identification
Slide 53: Verification online
• SSN verification services
• Credit card billing address verification
• Address verification
• Transaction structure, e.g. all credit balances must be sent to the same account that is being debited