e-signature webcast for financial services legal counsel (slides)


Upload: silanis

Post on 21-Jan-2015


DESCRIPTION

Slides from the October 20, 2011 Silanis Webcast "E-Signature Webcast for Financial Services Legal Counsel" http://www.silanis.com/resource-center/webcasts/2011/e-signature-webcast-for-financial-services-legal-counsel.html

TRANSCRIPT

Page 1: E-Signature Webcast for Financial Services Legal Counsel (Slides)

E-Signatures for Financial Services

© Silanis Technology Inc., 2011 All Rights Reserved

Legal & Regulatory Update

Thursday, October 20, 2011

Page 2: E-Signature Webcast for Financial Services Legal Counsel (Slides)

Welcome

TELECONFERENCE

Toll Free 888-600-4866

Toll: 913-312-9303

TELECONFERENCE PASSCODE

939743

LIVE MEETING TECHNICAL SUPPORT

1-866-493-2825 #1

Margo Tank, Partner, BuckleySandler LLP

Michael Laurie, Vice President Strategic Development, Silanis Technology

R David Whitaker, Sr. Company Counsel, Wells Fargo

Page 3: E-Signature Webcast for Financial Services Legal Counsel (Slides)

Key Drivers for E-Signatures within Banks

CUSTOMER EXPERIENCE TRANSFORMATION

REDUCING OPERATIONAL COST AND EFFICIENCY

RISK

“The big banks’ investments in 2Q10 in online banking ideally will position them to better offer their customers more personalization capabilities.”

– Gartner, October

“Banks IT spending research indicates an emphasis on retail customer-oriented investments.”

– Gartner, October

“Banks’ interest in adopting e-signatures has skyrocketed in the past 12 to 24 months… thinner profit margins, and the need to cut costs internally, has sparked the financial services industry to adopt an electronic strategy that embraces efficient, straight through processing.”

– Forrester, January

“Robo-signing could ultimately invalidate tens of thousands of home ownership documents, say legal experts. Analysts say it could top $20 billion”

– September, Huffington Post

“High street banks were under intense pressure to give up their fight against paying out claims for mis-selling payment protection insurance, after Lloyd’s Banking Group’s surprise £3.2bn provision to cover claims by millions of customers.

– May, The Guardian

Page 4: E-Signature Webcast for Financial Services Legal Counsel (Slides)

E-Signature Benefits Risk Reduction

“Key CFPB regulations to define terms such as ‘excessive’ and ‘abusive’ are forthcoming. However, it is important to recognize right away that violations of these provisions will be costly, and risk mitigation activities should commence”

– August 2010, PWC, A Closer Look Dodd-Frank

“New consumer credit rules require lenders to make sure borrowers understand the details of a loan and carry out thorough checks on any borrowers, so you can be confident that what you receive is suitable for your circumstances.”

– February 2011, The Guardian

“Judges have ruled that foreclosing based on flawed or missing evidence violates longstanding laws meant to protect all Americans' property rights.”

- July 2011, Reuters

Page 5: E-Signature Webcast for Financial Services Legal Counsel (Slides)

Online Business Transactions - Challenges

Business: Products, Channels

People: Clients, Agents

Compliance: Laws & Regulations

Documents: Documents, Disclosures, etc.

Rules: Process, Parameters

Systems: E-commerce, 3rd Party

Page 6: E-Signature Webcast for Financial Services Legal Counsel (Slides)

The E-Signature Advantage

• More control

• Enforce required compliance processes and rules

• More visibility

• Monitor transactions and receive notifications in real-time

• More evidence

• How transaction documents were viewed and signed

• More flexibility

• Automate efficiency for branch, online, mobile and partners

• Less Risk

• Reduce compliance and legal risk with better processes


Page 7: E-Signature Webcast for Financial Services Legal Counsel (Slides)

Overview

Federal and State Law Validate Use of Electronic Signatures
– Federal E-SIGN Act since 2000
– UETA Adopted in 49 jurisdictions

For over a decade, government/industry have relied on ESIGN/UETA’s fundamental premise: electronic records and signatures cannot be denied solely because of their electronic form

Overarching focus in 2011 is moving from understanding legal framework to implementation

Questions Become:
– How reliable are electronic signatures and records?
– How do I authenticate individuals?
– How can I minimize transaction and compliance risk?
– Are contested electronic records and signatures admissible and enforceable?
– Will subsequent transaction parties or the government accept electronic signatures and records?

Page 8: E-Signature Webcast for Financial Services Legal Counsel (Slides)

Legal Framework for eSignatures and eRecords

ESIGN and UETA: Enable the Presentation of Information (e.g., Disclosures) and Electronically Signed Agreements Where Ink and Paper Would Have Been Required

Designing Systems to Sign/Store Electronic Records Requires Firm Grasp Of:
– Interaction Between the Electronic Processes Used to Sign and Store Electronic Records
– E-SIGN/UETA Requirements
– Underlying Substantive Law (e.g., TILA, GLBA, State Disclosure & Record Retention Laws)
– Regulator Acceptance
– Judicial Precedent

Page 9: E-Signature Webcast for Financial Services Legal Counsel (Slides)

ESIGN and UETA Basics

Basic Rules:

– A record or signature may not be denied legal effect or enforceability because it is in electronic form.
– A contract may not be denied legal effect or enforceability solely because an electronic record was used in its formation.
– Any law that requires “a writing” will be satisfied by an electronic record.
– Any “signature” requirement in the law will be met if there is an electronic signature.

Electronic Record: A record, created, generated, sent, communicated, received or stored by electronic means and is retrievable in perceivable form. An electronic record includes a transferable record.

Electronic Signature:
– Any sound, symbol or process;
– Attached to or logically associated with an electronic record; and
– Executed or adopted with the intent to sign the electronic record.
– May be accomplished through technology, through processes and procedures, or through a combination of both.

Page 10: E-Signature Webcast for Financial Services Legal Counsel (Slides)

ESIGN and UETA Basics

ESIGN and UETA:

– Both laws act as overlay statutes;

– Both laws will likely apply to the transaction;

– Both laws recognize electronic signatures – any kind;

– Both laws recognize electronic records – disclosures and agreements;


Page 11: E-Signature Webcast for Financial Services Legal Counsel (Slides)

ESIGN and UETA Basics

– Both laws require transaction party consent;

– Both laws accept electronic records for retention/admission process. The record holder must be prepared to demonstrate that the electronic record:
  – Accurately reflects the information contained in the record at the time it was signed or delivered;
  – Is accessible to anyone entitled to access the record holder’s copy of the Record under an applicable rule of law or agreement;
  – Can be accurately reproduced for later reference; and
  – Is capable of being retained (in some cases at the time the record is provided) by transaction participants to whom it has been made available for review or signature.

Page 12: E-Signature Webcast for Financial Services Legal Counsel (Slides)

ESIGN and UETA Basics

– Both laws exclude:

  » Wills, codicils and testamentary trusts;
  » Funds transfers (covered by UCC Article 4A);
  » Letters of Credit (covered by revised UCC Article 5);
  » Securities (covered by UCC Revised Article 8);
  » Security interests in goods and intangibles (covered by UCC Revised Article 9);
  » Software licensing laws (if State has adopted UCITA);
  » Most laws concerning checks.

Page 13: E-Signature Webcast for Financial Services Legal Counsel (Slides)

ESIGN and UETA Basics

– Both apply to:
  » Consumer protection laws;
  » Negotiable instrument equivalents (transferable records);
  » Laws governing real estate transactions (subject to special rules concerning documents to be filed of record);
  » Laws of agency;
  » Laws covering powers of attorney;
  » Laws requiring notarization of documents;
  » Laws governing trusts (except testamentary trusts);
  » Laws concerning the submission of documents to, or issuance of documents by, government authorities (subject to special rules).

Page 14: E-Signature Webcast for Financial Services Legal Counsel (Slides)

Creating a Reliable Electronic Record

Creating reliable electronic signatures and records is critical for a number of reasons:
– Comply with state or federal “writing,” “signing” and “original” requirements
– Meet state or federal record retention requirements
– Obtain admission of electronic records into evidence in the event of a dispute (the mere fact that information has been created and stored within a computer system does not make that information reliable or authentic).

Page 15: E-Signature Webcast for Financial Services Legal Counsel (Slides)

Identifying Risks

Authentication Risk: The risk is that the signer says “that is not my signature;”
– Is the signer:
  » who they say they are
  » do they have the authority to bind
– Company relying on the signature has to bear the burden of proof.

Compliance Risk: The risk is that the rules and regulations that govern the transaction are not met.
– For example: Disclosure was not provided in the right format or at the right time in the transaction (possible statutory penalties).
– For example: ESIGN & UETA requirements are not met (consequence may include statutory penalties based on conclusion that required disclosure was not provided because ESIGN/UETA consent was not obtained).

Page 16: E-Signature Webcast for Financial Services Legal Counsel (Slides)

Identifying Risks

Repudiation Risk:
– The risk is that the signer says “that is not the record that I signed or the disclosure that I received.”

Admissibility Risk:
– The risk is that the electronic record is not admissible into evidence or for regulatory purposes.

Introduction into evidence will require proof of integrity:
– Identification to original transaction
– Freedom from alteration

Page 17: E-Signature Webcast for Financial Services Legal Counsel (Slides)

Regulatory Activity

FRB - Electronic Communication Rules for Consumer protection statutes (e.g., Reg Z, Reg D, Reg E)

OCC – Bulletins on Consumer Consent and Record Retention

HUD/FHA – Mortgagee Letter on Purchase and Sale Contracts

FFIEC – Authentication in an Online Banking Environment

2011 Supplement: periodic risk assessment, minimum controls, layered security

States – Disclosures, Record Retention, Mail Requirements

Page 18: E-Signature Webcast for Financial Services Legal Counsel (Slides)

Emerging Principles/Significant Cases Involving Electronic Records

Authentication and Authority

– The Prudential Ins. Co. of America v. Dukoff, No. 07-1080, 674 F.Supp. 2d 401 (E.D.N.Y. Dec. 18, 2009) (materially false statements made by reasonably authenticated insurance applicants may be used to challenge the validity of the application); National Auto Lenders, Inc. v. SysLOCATE, Inc., No. 09-21765, 686 F.Supp. 2d 1318 (S.D. Fla. Feb. 10, 2010) (Online agreement held unenforceable where website operator knew the persons accepting the agreement lacked actual or apparent authority).

Electronic Signatures meet Statute of Frauds Writing Requirements

– Shattuck v. Klotzbach, 14 Mass. L. Rptr. 360 (Super. Ct., Mass., December 11, 2001); (Signed emails could be used to prove the existence of a real estate sale contract); but see Rosenfeld v. Zerneck, 4 Misc. 3d 193, 776 N.Y.S.2d 458 (Sup. Ct., Kings Co. 2004); Vista Developers Corp. v. VFP Realty LLC, 17 Misc. 3d 914, 847 N.Y.S.2d 416 (Sup. Ct., Queens Co. 2007) (no agreement reached on essential terms of transaction).

Page 19: E-Signature Webcast for Financial Services Legal Counsel (Slides)

Emerging Principles/Significant Cases Involving Electronic Records

Clearly Presented Agreements and Disclosures will be Enforced Unless Unconscionable, No Opportunity to View Terms, or for Reasons other than being Solely in Electronic Form

– Evans v. Linden Research, 763 F. Supp. 2d 735 (E.D. Pa. 2011) (mandatory forum selection clause contained in terms of service for on-line life community not unconscionable under California law where users had to check box to agree to terms each time there was a change); Berry v. Webloyalty.com, 2011 U.S. Dist. Lexis 39581 (S.D. Cal. April 11, 2011) (disclosures made on online club enrollment page “sufficient to place reasonable consumers on notice” and sufficiently “clear and readily understandable” to satisfy the Federal Reserve Board’s standard for electronic signatures); Fusha v. Delta Airlines, Inc., 2011 U.S. Dist. Lexis 97295 (D. Md. Aug. 30, 2011) (customer bound by forum selection clause contained in terms of use, even where she did not remember reading the terms); but see Koch Industries v. John Does, 2011 U.S. Dist. Lexis 49529 (May 9, 2011) (terms of use unenforceable where available only through a link at the bottom of with no prominent notice that a user would be bound by them); Schnabel v. Trilegiant Corp., 2011 U.S. Dist. LEXIS 18132 (D. Conn. Feb. 24, 2011) (court refused to enforce arbitration clause in website agreement where plaintiffs were not presented with chance to view terms before acceptance)

Page 20: E-Signature Webcast for Financial Services Legal Counsel (Slides)

Emerging Principles/Significant Cases Involving Electronic Records

Preserving evidence of data integrity, screen shots and process flows is essential

– Lorraine v. Markel American Ins. Co., 241 F.R.D. 534, 538 (D.Md. 2007). Judge Grimm in Lorraine v. Markel American Ins. Co., 241 F.R.D. 534, 538 (D.Md. 2007): [C]onsidering the significant costs associated with discovery of ESI, it makes little sense to go to all the bother and expense to get electronic information only to have it excluded from evidence or rejected from consideration during summary judgment because the proponent cannot lay a sufficient foundation to get it admitted.

– In Re Vee Vinhnee, 336 B.R. 437 (9th Cir. BAP (Cal.) 2005) – Court refused to admit electronic credit card transaction records due to inadequate authentication. 11-Factor Foundation For Electronic Records:

1. The business uses a computer.
2. The computer is reliable.
3. The business has developed a procedure for inserting data into the computer.
4. The procedure has built-in safeguards to ensure accuracy and identify errors.
5. The business keeps the computer in a good state of repair.
6. The witness had the computer readout certain data.
7. The witness used the proper procedures to obtain the readout.
8. The computer was in working order at the time the witness obtained the readout.
9. The witness recognizes the exhibit as the readout.
10. The witness explains how he or she recognizes the readout.
11. If the readout contains strange symbols or terms, the witness explains the meaning of the symbols or terms for the trier of fact.

Id. at 14 (citing Edward J. Imwinkelried, Evidentiary Foundations § 4.03[2] (5th ed. 2002)).

Page 21: E-Signature Webcast for Financial Services Legal Counsel (Slides)

Emerging Principles/Significant Cases Involving Electronic Records

The primary authenticity issue as identified by the court in In Re Vee Vinhnee, 336 B.R. 437 (9th Cir. BAP (Cal.) 2005), focuses on:

– . . . what has, or may have, happened to the record in the interval between when it was placed in the files and the time of trial. In other words, the record being proffered must be shown to continue to be an accurate representation of the records that originally was created . . . . Hence, the focus is not on the circumstances of the creation of the record, but rather on the circumstances of the preservation of the record during the time it is in the file so as to assure that the document being proffered is the same as the document that was originally created.

The court focused on the 4th factor and noted that for electronically stored information:

– [t]he logical questions extend beyond the identification of the particular computer equipment and programs used. The entity’s policies and procedures for the use of the equipment, database, and programs are important. How access to the pertinent database is controlled and, separately, how access to the specific program is controlled are important questions. How changes in the database are logged or recorded, as well as the structure and implementation of backup systems and audit procedures for assuring the continuing integrity of the database, are pertinent to the question of whether the records have been changed since their creation.

Page 22: E-Signature Webcast for Financial Services Legal Counsel (Slides)

Emerging Principles/Significant Cases Involving Electronic Records

Americans with Disabilities Act and the Internet

– Earll v. eBay, Inc., No. 5:11-cv-00262-JF (N.D. Cal. Sept. 7, 2011) (Class Action Alleges eBay's Identity Verification Policy Violates the ADA); National Federation of Blind v. Target Corp., 582 F.Supp.2d 1185, N.D.Cal., 2007.

Page 23: E-Signature Webcast for Financial Services Legal Counsel (Slides)

ESIGN and UETA – An Analytical Model

Look to UETA Official Comments, and Congressional Record at time of ESIGN adoption in House and Senate, for interpretive rules

When interpreting ambiguous provisions, ask: if interpretation serves purpose of statute and meets “common sense” test

What would I do with a paper document?

Page 24: E-Signature Webcast for Financial Services Legal Counsel (Slides)

Analyzing Systems for Creating, Storing and Retrieving Binding Agreements – A Provisional Checklist

Agreement to Electronic Transaction
– Identify parties who must agree
  » Direct participants
  » Vendors and service providers
  » Indirect stakeholders
– Establish manner of agreement
  » B2B
  » Consumer (special ESIGN rules for consent)
– Agreement to system rules

Page 25: E-Signature Webcast for Financial Services Legal Counsel (Slides)

Analyzing Systems for Creating, Storing and Retrieving Binding Agreements – A Provisional Checklist

Execution
– Signature
  » Authority to sign
  » Evidence of intent
  » Intent to sign
  » Purpose of signature
– Per document basis
– Logically associated with record
– Process
– Attribution

Page 26: E-Signature Webcast for Financial Services Legal Counsel (Slides)

Analyzing Systems for Creating, Storing and Retrieving Binding Agreements – A Provisional Checklist

Document Format and Delivery
– Compliance with existing formatting rules
– Standards for document formats
  » Non-proprietary
  » Self-contained
– Delivery methods
  » Mailing or hand delivery currently required
  » Mailing or hand delivery not currently required

Page 27: E-Signature Webcast for Financial Services Legal Counsel (Slides)

Analyzing Systems for Creating, Storing and Retrieving Binding Agreements – A Provisional Checklist

Record Integrity:
– Tracking alterations or versions
– Preventing alteration of executed documents
– Associating records
– Replacing records
– Identifying authoritative copies
– Encryption of executed documents to prevent undetected alteration
– Use of hash algorithms and date and time stamp technology

Record Management Controls:
– Control of access to databases
– Recording and logging of changes
– Backup practices
– Audit procedures
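
One way to apply the record-integrity items above (hash algorithms, date and time stamps, logging of changes), as an added example that is not part of the original slides: each audit-trail entry carries the SHA-256 digest of the executed document and the hash of the previous entry, so a later change to the document or to the trail is detectable. The field names, event names, sample document and timestamps are constructed for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # assumed placeholder "previous hash" for the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_digest(body: dict) -> str:
    # Canonical JSON so the same fields always hash to the same value.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return sha256_hex(canonical.encode("utf-8"))


def append_event(trail: list, action: str, actor: str,
                 timestamp: str, document: bytes) -> dict:
    """Append a time-stamped event that is bound to the document and to
    the previous entry (hash chain)."""
    body = {
        "seq": len(trail),
        "action": action,
        "actor": actor,
        "timestamp": timestamp,  # caller-supplied here; use a trusted clock
        "doc_sha256": sha256_hex(document),
        "prev_hash": trail[-1]["entry_hash"] if trail else GENESIS,
    }
    entry = dict(body, entry_hash=entry_digest(body))
    trail.append(entry)
    return entry


def verify_trail(trail: list, document: bytes) -> list:
    """Return a list of findings; an empty list means the trail is
    internally consistent and the document matches what was signed."""
    findings = []
    prev = GENESIS
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        stored = str(entry.get("entry_hash", ""))
        if body.get("seq") != i:
            findings.append(f"entry {i}: out of sequence")
        if body.get("prev_hash") != prev:
            findings.append(f"entry {i}: broken link to previous entry")
        if not hmac.compare_digest(entry_digest(body), stored):
            findings.append(f"entry {i}: contents altered after logging")
        prev = stored
    signed = [e for e in trail if e.get("action") == "signed"]
    if not signed:
        findings.append("no signing event recorded")
    elif signed[-1].get("doc_sha256") != sha256_hex(document):
        findings.append("document differs from the version that was signed")
    return findings


# Constructed sample data (not from the slides).
SAMPLE_DOCUMENT = b"Loan agreement EXAMPLE-001: borrower accepts the disclosed terms.\n"


def build_sample_trail() -> list:
    trail = []
    signer = "signer@example.test"
    append_event(trail, "consent_given", signer, "2011-10-20T14:00:05Z", SAMPLE_DOCUMENT)
    append_event(trail, "document_presented", signer, "2011-10-20T14:01:12Z", SAMPLE_DOCUMENT)
    append_event(trail, "signed", signer, "2011-10-20T14:03:40Z", SAMPLE_DOCUMENT)
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    print("untouched record:", verify_trail(trail, SAMPLE_DOCUMENT))
    print("altered document:", verify_trail(trail, SAMPLE_DOCUMENT + b"x"))
    trail[1]["timestamp"] = "2011-10-21T09:00:00Z"  # simulated edit of the log
    print("altered trail:   ", verify_trail(trail, SAMPLE_DOCUMENT))
```

An unkeyed chain only shows internal consistency: a custodian able to rewrite the whole trail can recompute every hash, so the latest `entry_hash` has to be anchored outside the system (for example with an independent time-stamping service) and combined with the access-control, logging, backup and audit controls the checklist names.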


Page 28: E-Signature Webcast for Financial Services Legal Counsel (Slides)

Analyzing Systems for Creating, Storing and Retrieving Binding Agreements – A Provisional Checklist

Document Access
– Access based on role in transaction
– Access levels
– Methods of access
– Person responsible for providing and maintaining access
  » Principal Custodian
  » Subcontractors
– Timeframe for access
– Data Survivability/Migration

Page 29: E-Signature Webcast for Financial Services Legal Counsel (Slides)

Controlling Risks with SPeRS (Standards and Procedure for Electronic Records and Signatures)

A cross-industry initiative to establish commonly understood “rules of the road” available to all parties seeking to take advantage of the powers conferred by ESIGN and UETA;

Helps create the implementation guidance not present in ESIGN and UETA

Initially published 2003; update coming in November 2011;

Founded on the proposition that much of the time and effort being invested by companies “re-inventing the wheel” could be avoided if cross-industry standards for these elements of electronic transactions could be established;

Focused on the behavioral and legal aspects of the interaction between parties to the transaction, not on technology. SPeRS is intended to be technology neutral;

Standards are not necessarily legal minimums, but implementing the standards should enhance reliability and sufficiency.

Page 30: E-Signature Webcast for Financial Services Legal Counsel (Slides)

The SPeRS Structure

SPeRS is divided into five sections:
– Authentication
– Consent
– Agreements, notices and disclosures
– Electronic signatures
– Record retention

Each section provides 5 to 10 high-level standards to guide systems designers in developing processes that will meet the new legal requirements.

Each Standard is supported by:
– Plain-English discussions of the underlying issues,
– Checklists outlining specific strategies and options for implementing the standards,
– Examples and illustrations, and
– Legal commentary to assist in-house counsel.

Page 31: E-Signature Webcast for Financial Services Legal Counsel (Slides)

Industry Adoption

– Mortgage (http://www.mersinc.org/MersProducts/index.aspx?mpid=19)
– https://www.efanniemae.com/sf/guides/ssg/relatedsellinginfo/emtg/pdf/emtgguide.pdf
– http://www.freddiemac.com/singlefamily/elm/pdf/eMortgage_Guide.pdf
– Student Lending (http://ifap.ed.gov/dpcletters/attachments/gen0106Arevised.pdf)
– Variable Annuities (http://www.irionline.org/standards)
– Electronic Chattel Paper (http://www.standardandpoors.com/prot/ratings/articles/en/us/?assetID=1245199808682)
– Online Banking (http://www.ffiec.gov/pdf/authentication_guidance.pdf)
– SPeRS (http://www.spers.org/spers/index.htm)

Page 32: E-Signature Webcast for Financial Services Legal Counsel (Slides)

Questions?

Margo H. K. Tank

Buckley Kolar LLP

1250 24th Street, NW

Suite 700

Washington, DC 20037

D: 202.349.8050

E: [email protected]

202.349.8080

www.buckleykolar.com

Page 33: E-Signature Webcast for Financial Services Legal Counsel (Slides)

Agenda

Delivering Disclosures, Agreements and Notices

Electronic Signatures – Attribution, Authority and Intent

Introducing Electronic Records into Evidence

© 2011 R. David Whitaker. All rights reserved. No copyright claimed on images licensed from others. No part of this document may be reproduced or transmitted in any form, by any means (electronic, photocopying, recording or otherwise) without the express prior signed permission of the author. This presentation is for purposes of education and discussion. It is intended to be informational only and does not constitute legal advice regarding any specific situation, product or service.

Page 34: E-Signature Webcast for Financial Services Legal Counsel (Slides)

Delivering Disclosures, Agreements and Notices – The Record Management Cycle

[Diagram: Record Life Cycle (Generate, Deliver, Store, Manage, Destroy); Active Data Processes (Propagate Data, Track Record Versions, Extract & Index Data, Create Audit Trails & Reports); Primary Record Categories (Boilerplate Docs, Transaction-specific Docs, Audit Trails for Enrollment, Delivery/Signing, Screen Shots & Process Flows); Key Systems Issues under Secure and Consistent Record Management (Access Controls, Quality & Integrity Controls, Record Destruction, Business Continuity, Search and Report Capabilities, Secure Communication); Record Management Responsibility, Company Policies and Guidelines, Record Management Audit Trails & Reports.]

Page 35: E-Signature Webcast for Financial Services Legal Counsel (Slides)

Delivering Disclosures, Agreements and Notices – Regulatory Guidance for Record Management

– GLBA Information Security Guidelines
– FFIEC Authentication Guidance
– Identity Theft Red Flags Regulation and Guidelines
– FFIEC Information Security Booklet
– FFIEC E-Banking Booklet
– FFIEC Supervision of TSPs Booklet
– FFIEC Outsourcing Technology Services Booklet
– FFIEC Development & Acquisition Booklet
– FIL-44-2008, Managing Third Party Risk

Page 36: E-Signature Webcast for Financial Services Legal Counsel (Slides)

Delivering Disclosures, Agreements and Notices – Key Requirements from ESIGN and UETA

Key Requirements
– Consent is required if law otherwise requires info delivered in writing
  • ESIGN Consumer Consent Process
  • B-to-B Consent
– UETA delivery provisions not preempted by ESIGN
  • Need Agreement (express or implied) on Delivery Method
  • Need to deal with bouncebacks in many cases
– Popular Delivery Options
  • Display as part of an interactive session,
  • Delivery in the body of an email or as an email attachment, or
  • Delivery of an email or other electronic notice that has a URL embedded in it that the consumer may activate to review the information.

Page 37: E-Signature Webcast for Financial Services Legal Counsel (Slides)

Delivering Disclosures, Agreements and Notices – Key Requirements from ESIGN and UETA

More Key Requirements
– Electronic records are not enforceable against a recipient if the sender inhibits the recipient’s ability to print or retain a copy
– Customer must be able to retain a copy for later reference
– Electronic Records retained by sender must be accurate, remain accessible for later reference
– All formatting, timing and display requirements must be observed. “Timing” includes:
  • Proper sequence within transaction
  • Any time frames or deadlines for delivery
  • Length of time the information/document remains accessible

Page 38: E-Signature Webcast for Financial Services Legal Counsel (Slides)

Delivering Disclosures, Agreements and Notices – General Delivery/Signature Strategy

[Diagram: four-step flow: Get Consent, Draw Attention, Present Document, Obtain Signature. Callouts: Clear Call to Action; Key Information/Document Above or to the Left of Call to Action; Presented in Scroll Box, PDF or Behind Clearly-Labeled Hyperlink; Prompt for Retention / Offer Retention-Friendly Version.]

Page 39: E-Signature Webcast for Financial Services Legal Counsel (Slides)

Delivering Disclosures, Agreements and Notices – The Design Process

Delivery Design Choices
– Secure or Unsecure?
– Push out in email/SMS, or send “ready notice” and pull behind firewall?
– Embedded hyperlinks in “ready notice” email?
– Permit target to set delivery preferences?
– Permit target to designate multiple recipients?
– Forced review or bypassable?

Key Considerations
- Will the records contain sensitive information?
- Will the records contain required disclosures or notices?
- Are multiple delivery methods possible/desirable?
- Are there “phishing” or “pharming” issues to address?
- Need to maintain control over display and audit trails?
- Need to obtain ESIGN Consumer Consent?

Design
– Enrollment / consent process
– Audit trails and reporting
– Transmittal message contents
– Authentication process for access to secure data (if applicable)
– Record generation and posting to delivery system
– Message or notice generation/transmission
– Record retention/destruction process
– Record generation/posting

Key Considerations
− 2 Factor Authentication required?
− How will cross-system compatibility/communication issues be addressed?
− How much of design will be automated or manual?
− Is system intended for use with targets without prior electronic relationship with sender?
− Regulatory requirements for timing, delivery, proximity, conspicuousness, forced review?

Execution
– Establish agreement on delivery
  – When deemed delivered
  – Delivery address
  – Obligation to update address
– Obtain ESIGN Consent
– Generate records
– Send notice or attachments
– Provide opportunity to retain
– Generate audit trail
– Handle “bouncebacks”
– Handle withdrawal of consent

Key Considerations
− Addressing electronic delivery channels
− Agreement on what constitutes “sending” and “receipt” (Note some state UETAs limit variation by agreement)
− Agreement on obligation to update electronic addresses
− Managing bouncebacks and withdrawal of consent

Page 40: E-Signature Webcast for Financial Services Legal Counsel (Slides)

Electronic Signatures – Key Elements

Electronic Signature

Definition of signature -- “Electronic Signature” means an electronic identifying sound, symbol, or process attached to or logically connected with an electronic record and executed or adopted by a person with present intention to authenticate a record. This definition includes (for example):
– Typed names,
– A click-through on a software program’s dialog box combined with some other identification procedure,
– Personal identification numbers,
– Biometric measurements,
– A digitized picture of a handwritten signature,
– Use of SecureID™ or Defender™ number generators, and
– A complex, encrypted authentication system.

Note that a click-through probably does not satisfy the requirements for an electronic signature under Article 9 of the UCC.

Key Elements

ESIGN and UETA require that:
– The signature be attributable to the signer and associated with the records
– The signing party have authority to sign
– The signing party must have the intent to affix a signature to the record

ESIGN and UETA do not require that:
– The signature process itself provide proof of identity
– The signature process itself protect the record from alteration without detection

Page 41: E-Signature Webcast for Financial Services Legal Counsel (Slides)

Electronic Signatures – Attribution

Attribution basics

Legal sufficiency vs. attribution - UETA and ESIGN’s signature rules:

– Answer the question “is it a signature?”
– Do NOT answer the question “is it your signature?”

Attribution must be proven:

– Attribution may be proven by any means, including surrounding circumstances or efficacy of agreed-upon security procedure
– The burden of proof is usually on the person seeking to enforce signature

Attribution in the electronic world

In an electronic environment, attribution is often proven by associating the signature with use of a “credential.” A credential is a method for establishing the identity of the signer, and may involve use of a password, employment of a token (such as a random number generator), biometrics, or demonstration of knowledge of a “shared secret,” or some combination of the above (or similar devices/approaches). Use of the credential gives the person receiving the signed record a reasonable basis to believe that the signature was created by the intended signer.

Page 42: E-Signature Webcast for Financial Services Legal Counsel (Slides)

Electronic Signatures – Attribution

Creating a Credential

A credential may be:

• Assigned to the signer directly by the intended recipient of the signed record, either in advance or at the time of signing.
• Assigned to the signer indirectly, through a hierarchical model, where the intended recipient gave a “root” or “master” credential to a person who is then authorized to provide derivative credentials to others (e.g. Recipient gives a master User ID and password for its Treasury Services website to an executive at Company X and the executive then establishes passwords for other Company X employees).
• Created spontaneously (often through the use of biometrics or a “shared secret”) at the time it is needed for the signing.

Notes on credentials

Note that the effectiveness of the credential for attribution depends on the integrity and reliability of the process for first creating and assigning the credential to the individual.

• So, if it is easy to get a credential under false pretenses, then the value of the credential for attribution is diluted.
• But, if the process for first issuing the credential to the correct person is demonstrably reliable, then the later use of the credential will usually constitute strong evidence of attribution.

In more sophisticated applications the customer may be given multiple credentials to permit two or three-factor authentication, depending on the risk level of the specific requested transaction. So, for example, a banking customer may be able to access general online banking services using a User ID and Password, but then be required to also provide a one-time password or PIN from a random-number generator before completing a funds transfer during the online session.

Page 43: E-Signature Webcast for Financial Services Legal Counsel (Slides)

Electronic Signatures – Attribution

Common Strategies for Credential Creation/Distribution

– Customer-initiated online/mobile
  • Validated using existing shared information, or
  • Self-asserted (usually just for initial contact/applications)

– Delivered
  • May be persistent or one-time (OTP, random number generator)
  • Sent to known address (email or postal) or phone number (SMS or voice)
  • May be further validated on first use or each use
    - Use of dedicated hyperlink contained in message to access platform
    - Confirmation using shared information

– Self-assigned
  • Response to invitation
    - Use of dedicated hyperlink contained in message to access platform
    - Created on platform
    - Sometimes -- Confirmation using shared information
  • Assigned via hierarchical model (more later)

Page 44: E-Signature Webcast for Financial Services Legal Counsel (Slides)

Electronic Signatures – Authority

ESIGN and UETA incorporate the existing common law rule requiring that the signing party have the authority to sign.

– Individuals – identity, age, capacity – capacity is usually taken for granted with any person over the age of 18, unless there are indications to the contrary

– Representatives – identity, age, capacity, and authorization to take the contemplated action on behalf of the represented party. The authority to act is not automatic just because a person is an appointed representative (e.g. an agent or employee). Authority must be either expressly or implicitly conferred by the represented person.

Page 45: E-Signature Webcast for Financial Services Legal Counsel (Slides)

Electronic Signatures – Authority for Representatives

“Hail Mary”

Very often used with small companies. It presumes that in a small company anyone taking action with respect to bank services must have authority to do so because unauthorized activity is so difficult to conceal. This involves a “cost/benefit” risk analysis, since historically small business employees have proven quite adept at using bank accounts and banking relationships to commit fraud under the noses of their co-employees and owners.

Certificate of Authority

In the most formal of situations, a certificate is required from the company’s owners or controlling body (Board of Directors, General Partners, Members, etc.) confirming the authority of a particular person to sign as a representative of the company. In some cases, confirmation of authority is incorporated into an opinion letter from outside counsel, creating a potential claim against outside counsel in case of a later dispute.

Situational “actual” or “apparent” authority

Where authority is not formally established, it may alternatively be established by circumstance. Job titles and/or known supervision and review of the proposed agreement by senior management may establish either actual or apparent authority to act.

The Hierarchical Model

In this model, the potential recipient of the signed records (e.g. the bank) assigns a master credential, through a highly reliable and carefully controlled process, to a company representative (e.g. the Senior Vice President for Treasury Management Services) whose authority to establish the initial relationship is beyond question (either because of certification or situational verification). In turn, the recipient’s system of record permits the trusted company representative to create lower-level credentials for other company employees. These credentials come with assigned rights, which may include the right to enter into additional agreements with the recipient. Presumably, the master agreement between the recipient and the company establishes the recipient’s right to rely on the “hierarchical model” to establish the authority of the lower-level employees to sign.
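The hierarchical model described above, sketched as an added example (not code from the webcast or from any vendor's product): the recipient's system of record issues a master credential, lets its holder create lower-level credentials with assigned rights, and establishes authority to sign by walking the chain back to the master. The class, method and right names, the `delegate` right, the rule that derivative rights cannot exceed the issuer's, and revocation are assumptions made for illustration.

```python
class CredentialRegistry:
    """Recipient-side system of record for the hierarchical model (illustrative)."""

    def __init__(self):
        self._creds = {}   # credential id -> record
        self.audit = []    # issuance trail: (issuer id, new credential id, rights)

    def _store(self, cred_id, holder, rights, issuer_id):
        if cred_id in self._creds:
            raise ValueError(f"credential {cred_id} already exists")
        self._creds[cred_id] = {"holder": holder, "rights": frozenset(rights),
                                "issuer": issuer_id, "revoked": False}
        self.audit.append((issuer_id or "recipient", cred_id, sorted(rights)))

    def issue_master(self, cred_id, holder, rights):
        """Recipient assigns the master credential after verifying authority
        out of band (certificate of authority or situational verification)."""
        self._store(cred_id, holder, rights, None)

    def delegate(self, issuer_id, cred_id, holder, rights):
        """A credential holder creates a lower-level credential.
        Assumed rules: the issuer needs the 'delegate' right and cannot hand
        out rights it does not hold itself."""
        issuer = self._creds[issuer_id]
        if issuer["revoked"] or "delegate" not in issuer["rights"]:
            raise PermissionError(f"{issuer_id} may not create credentials")
        if not frozenset(rights) <= issuer["rights"]:
            raise PermissionError("derivative rights exceed the issuer's rights")
        self._store(cred_id, holder, rights, issuer_id)

    def revoke(self, cred_id):
        self._creds[cred_id]["revoked"] = True

    def authority_chain(self, cred_id, right):
        """Return the credential chain up to the master if every link is
        unrevoked and holds `right`; otherwise None (no authority shown)."""
        chain, current = [], cred_id
        while current is not None:
            cred = self._creds.get(current)
            if cred is None or cred["revoked"] or right not in cred["rights"]:
                return None
            chain.append(current)
            current = cred["issuer"]
        return chain


if __name__ == "__main__":
    reg = CredentialRegistry()
    # Constructed sample data
    reg.issue_master("svp-treasury", "SVP Treasury Mgmt",
                     {"delegate", "sign_agreement", "initiate_wire"})
    reg.delegate("svp-treasury", "clerk-7", "Clerk", {"initiate_wire"})
    print(reg.authority_chain("clerk-7", "initiate_wire"))
    print(reg.authority_chain("clerk-7", "sign_agreement"))
```

The issuance trail in `audit` is what lets the recipient later show who created each lower-level credential and with which rights.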

Page 46: E-Signature Webcast for Financial Services Legal Counsel (Slides)

Electronic Signatures – Intent to Sign

Elements of Intent

The signer’s intent is composed of two elements:

– The intent to sign
– The purpose of the signature

The intent to sign may be established by the surrounding circumstances. In an electronic environment, the easiest way to establish an intent to sign is to advise the signer that the action he or she is about to take (click through, entrance of PIN, typing of name, etc.) will constitute a signature.

Purpose of signature

– There are four basic purposes a signature may serve with respect to a record:
  1. I agree to it
  2. It came from me
  3. I’ve seen it
  4. I got it

– Which of these purposes is applicable to a particular signature may be established by surrounding circumstances or may be specifically stated as part of the signature process. In many cases the signature serves more than one of these purposes.

The signer’s intent must be established separately in some manner for each signature that is applied to the record.

Samples of Notices to Establish Intent

…By clicking "I Accept" at the end of this Agreement, you agree that you have read and understand this Agreement and that you will be bound by and comply with all of its terms…

…by typing your name in the signature box on the account signup page, you are signing and agreeing to the terms and conditions of this Agreement…

BY CLICKING ON THE “SIGN NOW” BUTTON BELOW, YOU ARE SIGNING THIS AGREEMENT. CLICKING ON THE “SIGN NOW” BUTTON WILL RESULT IN AN ENFORCEABLE LEGAL CONTRACT, JUST AS IF YOU HAD SIGNED YOUR NAME TO AN AGREEMENT ON PAPER.

Page 47: E-Signature Webcast for Financial Services Legal Counsel (Slides)

Electronic Signatures – Selecting a Process

Three primary criteria

– Boilerplate Document vs. Transaction-Specific Document
– Size of transaction or liability exposure
– Extent to which transaction “self-validates”
  • Physical presence at signing
  • Services are personal to signer (e.g. medical, legal)
  • Physical product being shipped
  • Product or service is customized to individual

Page 48: E-Signature Webcast for Financial Services Legal Counsel (Slides)

Electronic Signatures – Selecting a Process

Boilerplate Click-Through

– Per Transaction
– Capture Audit Trail
– Preserve Process Flows
– Preserve Template Document
– Preserve Generic Screen Shots

Process steps shown: Establish Identity; Present Record; Prompt Retention; Obtain Click-through

Page 49: E-Signature Webcast for Financial Services Legal Counsel (Slides)

Electronic Signatures – Selecting a Process

Transaction-Specific Signatures

– Capture Audit Trail
– Anticipate Obsolescence
– Generally, Retain A Copy of the Dynamic Signed Record, Not Just a Flat File
– Document, Once Signed, Should Be Protected Against Undetected Alteration

Process steps shown: Establish Identity; Present Record; Obtain Signature; Prompt Retention

Page 50: E-Signature Webcast for Financial Services Legal Counsel (Slides)

Introducing Electronic Records into Evidence -- Basis for Admission

The Federal Rules of Evidence and the Uniform Rules of Evidence contain identical provisions that, taken together, address the admissibility of electronic business records:

– The “Business Record” Rule, and
– The “Best Evidence” Rule.

Page 51: E-Signature Webcast for Financial Services Legal Counsel (Slides)

Introducing Electronic Records into Evidence -- Basis for Admission

The Business Record rule permits the introduction into evidence of business records of regularly conducted business activity. A business record will be admissible:

If it is a record, in any form, of acts, events, conditions, opinions, or diagnoses, made at or near the time by, or from information transmitted by, a person with knowledge, and if:

– The record is kept in the course of a regularly conducted business activity, and
– It was a regular practice of that business activity to make the memorandum, report, record or data compilation, all as shown by the testimony of the custodian or other qualified witness, or by certification that complies with the Rules of Evidence,

Unless the source of information or the method or circumstances of preparation indicate the record is not trustworthy.

People v. Huehn, 53 P.3d 733 (Colo.App. 2002)

Page 52: E-Signature Webcast for Financial Services Legal Counsel (Slides)

Introducing Electronic Records into Evidence -- Basis for Admission

Even though a record is admissible under the business records exception to the hearsay rule, it must also satisfy the Best Evidence Rule.

The Best Evidence Rule, sometimes called the “Original Writing Rule,” provides that in order to “… prove the content of a writing, recording, or photograph, the original writing, recording, or photograph is required, except as otherwise provided in these rules or by Act of Congress.”

An “original” is defined as: [T]he writing or recording itself or any counterpart intended to have the same effect by a person executing or issuing it. … If data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an “original.”

People v. McFarlan, 744 N.Y.S.2d 287, (N.Y. Sup. 2002)

Page 53: E-Signature Webcast for Financial Services Legal Counsel (Slides)

Introducing Electronic Records into Evidence -- Basis for Admission

The UETA and ESIGN extend the existing principles of the “Best Evidence” rule, providing:

Any requirement to preserve or produce an “original” record is satisfied by an electronic record of the information in the record to be produced, so long as the electronic record:

– Accurately reflects the information in the record to be produced after it was first generated in its final form, and
– Remains accessible for later reference.

Evidence of a record may not be excluded solely because it is in electronic form.

Page 54: E-Signature Webcast for Financial Services Legal Counsel (Slides)

Introducing Electronic Records into Evidence -- Proof of Document Integrity

Introduction into evidence will require proof of integrity

– Identification to original transaction
– Freedom from alteration

Page 55: E-Signature Webcast for Financial Services Legal Counsel (Slides)

Introducing Electronic Records into Evidence -- Proof of Document Integrity

Courts evaluating the integrity of an electronic record may be expected to focus on systemic protections --

– division of labor
– complexity of systems
– Encryption of executed documents to prevent undetected alteration
– activity logs
– security of copies stored offsite to verify content
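Three of the systemic protections listed above, as an added example (not part of the original slides): a keyed digest seals the executed record, a hash-chained activity log makes later edits detectable, and values held with the offsite copy are used to verify content. HMAC-SHA256 is used here in place of the slide's "encryption", since a keyed digest is what detects alteration; the key, function names and sample events are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real system would hold it in an HSM or key vault.
SEAL_KEY = b"constructed-demo-key"
GENESIS = "0" * 64


def seal_record(record: bytes) -> str:
    """Keyed digest (HMAC-SHA256) of the executed record in its final form."""
    return hmac.new(SEAL_KEY, record, hashlib.sha256).hexdigest()


def _entry_hash(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_event(log: list, actor: str, action: str, seal: str) -> str:
    """Append an activity-log entry chained to the previous one; return its hash."""
    body = {"seq": len(log), "actor": actor, "action": action, "seal": seal,
            "prev": log[-1]["hash"] if log else GENESIS}
    log.append(dict(body, hash=_entry_hash(body)))
    return log[-1]["hash"]


def verify_log(log: list, offsite_head: str) -> int:
    """Return -1 if the chain is intact and ends at the head hash kept offsite,
    the index of the first altered entry, or len(log) if entries were
    truncated or the whole chain was rebuilt."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if (body.get("seq") != i or body.get("prev") != prev
                or _entry_hash(body) != entry.get("hash")):
            return i
        prev = entry["hash"]
    return -1 if hmac.compare_digest(prev, offsite_head) else len(log)


def verify_record(record: bytes, offsite_seal: str) -> bool:
    """Check the production copy against the seal stored with the offsite copy."""
    return hmac.compare_digest(seal_record(record), offsite_seal)


if __name__ == "__main__":
    signed = b"Loan agreement, signed by J. Doe (constructed sample)"
    seal = seal_record(signed)
    log = []
    for actor, action in [("jdoe", "identity_established"),
                          ("jdoe", "record_presented"),
                          ("jdoe", "signature_obtained")]:
        head = append_event(log, actor, action, seal)
    print(verify_record(signed, seal), verify_log(log, head))
    log[1]["action"] = "record_skipped"   # simulated alteration of the log
    print(verify_record(signed + b" ", seal), verify_log(log, head))
```

Keeping the seal and the head hash with the offsite copy matters because anyone who can rewrite the production log can also recompute an unkeyed chain from the altered entry onward.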

Page 56: E-Signature Webcast for Financial Services Legal Counsel (Slides)

Some Additional Resources

– Standards and Procedures for electronic Records and Signatures – available for purchase at www.spers.org

– FFIEC Information Technology Examination Handbook – available at http://ithandbook.ffiec.gov/

– FFIEC Guidance On Electronic Financial Services And Consumer Compliance – available at www.ffiec.gov/PDF/EFS.pdf

– FTC Guidance on Dot Com Disclosures – available at http://business.ftc.gov/documents/bus41-dot-com-disclosures-information-about-online-advertising

– FTC Staff Report on Improving Consumer Mortgage Disclosures – available at www.ftc.gov/opa/2007/06/mortgage.shtm

– AIIM Recommended Practice Report on Electronic Document Management Systems (AIIM ARP1-2006) – available at www.aiim.org/documents/standards/arp1-2006.pdf

– Lorraine v. Markel American Insurance Co., 241 F.R.D. 534 (D. Md. May 4, 2007) – available at http://www.mdd.uscourts.gov/Opinions/Opinions/Lorraine%20v.%20Markel%20-%20ESIADMISSIBILITY%20OPINION.pdf

Page 57: E-Signature Webcast for Financial Services Legal Counsel (Slides)

UPCOMING CONFERENCE

Electronic Signature & Records Association Annual Conference
November 9 & 10, 2011, Washington, DC

http://esignrecords.org/events/


Page 58: E-Signature Webcast for Financial Services Legal Counsel (Slides)

QUESTIONS?


Page 59: E-Signature Webcast for Financial Services Legal Counsel (Slides)
