E-Signature Webcast for Financial Services Legal Counsel (Slides)

E-Signatures for Financial
Services
Legal & Regulatory Update
Thursday, October 20, 2011
© Silanis Technology Inc., 2011 All Rights Reserved

Welcome
TELECONFERENCE
Toll Free 888-600-4866
Toll: 913-312-9303
TELECONFERENCE PASSCODE
939743
LIVE MEETING TECHNICAL SUPPORT
1-866-493-2825 #1

Margo Tank R David Whitaker Michael Laurie
Partner Sr. Company Counsel Vice President Strategic Development
BuckleySandler
B kl S dl LLP Wells Fargo
W ll F Silanis Technology


Key Drivers for E-Signatures within Banks

CUSTOMER REDUCING COST
EXPERIENCE OPERATIONAL AND
TRANSFORMATION RISK EFFICIENCY
“The big banks’ investments in “Robo-signing could ultimately
2Q10 in online banking ideally invalidate tens of thousands of “Banks’ interest in adopting
will position them to better home ownership documents
documents, e-signatures
e signatures has skyrocketed
offer their customers more say legal experts. Analysts say in the past 12 to 24 months…
personalization capabilities.” it could top $20 billion” thinner profit margins, and the
need to cut costs internally,
– Gartner, October – September, Huffington Post has sparked the financial
services industry to adopt
“High street banks were under
an electronic strategy that
intense pressure to give up
embraces efficient, straight
their fight against paying out
“Banks IT spending research through processing.”
claims for mis-selling payment
indicates
i di t an emphasis on
h i protection insurance, after – Forrester, January
retail customer-oriented Lloyd’s Banking Group’s
investments.” surprise £3.2bn provision to
cover claims by millions of
– Gartner, October
customers.
– May, The Guardian


E-Signature Benefits Risk Reduction

“Key CFPB regulations to define terms such as ‘excessive’ and ‘abusive’ are
forthcoming. However, it is important to recognize right away that violations of
these provisions will be costly, and risk mitigation activities should commence”
– August 2010, PWC, A Closer Look Dodd-Frank

“New consumer credit rules require lenders to make sure borrowers understand
the details of a loan and carry out thorough checks on any borrowers, so you can
be confident that what you receive is suitable for your circumstances.”
– February 2011, The Guardian

“Judges have ruled that foreclosing based on flawed or missing evidence
violates longstanding laws meant to protect all Americans' property rights.”
- July 2011, Reuters


Online Business Transactions - Challenges
People
P l Business
B i
Clients, Agents Products, Channels

Documents Compliance
Documents, Disclosures, etc. Laws & Regulations

Systems Rules
E commerce 3rd Party
E-commerce, Process, Parameters
P P


The E-Signature Advantage

• More control
• Enforce required compliance p
q p processes and rules
• More visibility
• Monitor transactions and receive notifications in real-time
• More evidence
• How transaction documents were viewed and signed
• More flexibility
• Automate efficiency for branch, online, mobile and partners
• Less Risk
• Reduce compliance and legal risk with better processes


Overview

 Federal d State L
F d l and St t Law Validate U of El t i Si
V lid t Use f Electronic Signatures
t
– Federal E-SIGN Act since 2000
– UETA Adopted in 49 jurisdictions

 For over a decade, government/industry have relied on ESIGN/UETA’s
decade ESIGN/UETA s
fundamental premise: electronic records and signatures cannot be denied
solely because of their electronic form
 Overarching focus in 2011 is moving from understanding legal framework to
implementation
i l t ti
 Questions Become:
– How reliable are electronic signatures and records?
– How do authenticate individuals?
– How can I minimize transaction and compliance risk?
– Are contested electronic records and signatures admissible and enforceable?
– Will subsequent transaction parties or the government accept electronic signatures and
records?

1

Legal Framework
for eSignatures and eRecords

 ESIGN and UETA:
 Enable the Presentation of Information (e.g., Disclosures) and Electronically
Signed Agreements Where Ink and Paper Would Have Been Required

 Designing Systems to Sign/Store Electronic Records
Requires Firm Grasp Of:
 Interaction Between the Electronic Processes Used to Sign and Store
Electronic Records
 E-SIGN/UETA R
E SIGN/UETA Requirements
i t
 Underlying Substantive Law (e.g., TILA, GLBA, State Disclosure & Record
Retention Laws)
 Regulator Acceptance
 Judicial Precedent

2

ESIGN and UETA Basics

 Basic Rules:

– A record or signature may not be denied legal effect or enforceability because it is in
electronic form.
– A contract may not be denied legal effect or enforceability solely because an electronic
record was used in its formation.
– Any law th t requires “ writing” will b satisfied b an electronic record.
A l that i “a iti ” ill be ti fi d by l t i d
– Any “signature” requirement in the law will be met if there is an electronic signature.

 Electronic Record: A record, created, generated, sent, communicated, received or
stored by electronic means and is retrievable in perceivable form An electronic
form.
record includes a transferable record.

 Electronic Signature:
– Any sound, symbol or process;
– Attached to or logically associated with an electronic record; and
– Executed or adopted with the intent to sign the electronic record.
– May be accomplished through technology, through processes and procedures, or through a
combination of both.

3


 ESIGN and UETA:

– Both laws act as overlay statutes;

– Both laws will likely apply to the transaction;

– Both laws recognize electronic signatures – any kind;

– Both laws recognize electronic records – disclosures
and agreements;

4


– Both laws require transaction p y consent;
q party ;

– Both laws accept electronic records for
retention/admission process. The record holder must
be prepared to demonstrate that the electronic record:
– Accurately reflects the information contained in the record at the time it
was signed or delivered;
– Is accessible to anyone entitled to access the record holder’s copy of
the Record under an applicable rule of law or agreement;
– C b accurately reproduced f l t reference; and
Can be t l d d for later f d
– Is capable of being retained (in some cases at the time the record is
provided) by transaction participants to whom it has been made
available for review or signature.

5


– Both laws exclude:

 Wills, codicils and testamentary trusts;
 Funds transfers (covered by UCC Article 4A);
 Letters of Credit (covered by revised UCC Article 5);
 Securities (covered by UCC Revised Article 8);
 Security interests in goods and intangibles (
y g g (covered by UCC Revised Article
y
9);
 Software licensing laws (if State has adopted UCITA);
 Most laws concerning checks.

6


– Both apply to:
pp y

 Consumer protection laws;
 Negotiable instrument equivalents (transferable records);
 Laws governing real estate transactions (subject to special rules concerning
documents to be filed of record);
 Laws of agency;
 Laws covering powers of attorney;
 Laws requiring notarization of documents;
 Laws governing trusts (except testamentary trusts);
 Laws concerning th submission of d
L i the b i i f documents t or i
t to, issuance of d f documents
t
by, government authorities (subject to special rules ).

7

Creating a Reliable Electronic Record

 Creating reliable electronic signatures and records are
g g
critical for a number of reasons:

– Comply with state or federal “writing,” “signing” and “original” requirements
– Meet state or federal record retention requirements
– Obtain admission of electronic records into evidence in the event of a dispute
(t e e e act that o at o as been created a d sto ed t
(the mere fact t at information has bee c eated and stored within a co pute
computer
system does not make that information reliable or authentic).

8

Identifying Risks

 Authentication Risk:
 The risk is that the signer says “that is not my signature;”
– Is the signer:
» who they say they are
» d th h
do they have th authority t bi d
the th it to bind
 Company relying on the signature has to bear the burden of proof.

 Compliance Risk:
 The risk is that the rules and regulations that govern the transaction are not
met.
 For example: Disclosure was not provided in the right format or at the right
time in the transaction (possible statutory penalties).
 For example: ESIGN & UETA requirements are not met (consequence may
include statutory penalties based on conclusion that required disclosure was
not provided because ESIGN/UETA consent was not obtained)
obtained).

9

Identifying Risks

 Repudiation Risk:
p
– The risk is that the signer says “that is not the record that I signed or the
disclosure that I received.”

 Admissibility Risk:
– The risk is that the electronic record is not admissible into evidence or for
regulatory purposes.
 Introduction into evidence will require proof of integrity:

– Identification to original transaction
– Freedom from alteration

10

Regulatory Activity

 FRB - Electronic Communication Rules for Consumer protection
statutes (
(e.g., R Z R D R E)
Reg Z, Reg D, Reg

 OCC – Bulletins on Consumer Consent and Record Retention

 HUD/FHA – Mortgagee Letter on Purchase and Sale Contracts

 FFIEC – Authentication in an Online Banking Environment

 2011 Supplement: periodic risk assessment, minimum controls, layered
security
it

 States – Disclosures, Record Retention, Mail Requirements

11

Emerging Principles/Significant Cases Involving
Electronic Records

 Authentication and Authority
– The Prudential Ins. Co. of America v. Dukoff, No. 07-1080, 674 F.Supp. 2d 401
(E.D.N.Y. Dec. 18, 2009) (materially false statements made by reasonably
authenticated insurance applicants may be used to challenge the validity of the
application); National Auto Lenders, Inc. v. SysLOCATE, Inc., No. 09-21765, 686
F.Supp.
F Supp 2d 1318 (S.D. Fla Feb 10 2010) (Online agreement held
(S D Fla. Feb. 10,
unenforceable where website operator knew the persons accepting the
agreement lacked actual or apparent authority).

 Electronic Signat res meet Stat te of
Signatures Statute
Frauds Writing Requirements
– Shattuck v. Klotzbach, 14 Mass. L. Rptr. 360 (Super. Ct., Mass., December 11,
2001); (Signed emails could be used to prove the existence of a real estate sale
) ( g
contract); but see Rosenfeld v. Zerneck, 4 Misc. 3d 193, 776 N.Y.S.2d 458 (Sup.
Ct., Kings Co. 2004); Vista Developers Corp. v. VFP Realty LLC, 17 Misc. 3d
914, 847 N.Y.S.2d 416 (Sup. Ct., Queens Co. 2007)(no agreement reached on
essential terms of transaction).

12

Electronic Records

 Clearly Presented Agreements and Disclosures will
be Enforced Unless Unconscionable, No Opportunity to View
Terms, or for Reasons other than being Solely in Electronic Form
– Evans v. Linden Research, 763 F. Supp. 2d 735 (E.D. Pa. 2011) (mandatory forum selection
clause contained in terms of service for on line life community not unconscionable under
on-line
California law where users had to check box to agree to terms each time there was a
change); Berry v. Webloyalty.com, 2011 U.S. Dist. Lexis 39581 (S.D. Cal. April 11, 2011)
(disclosures made on online club enrollment page “sufficient to place reasonable consumers
on notice” and sufficiently “clear and readily understandable” to satisfy the Federal Reserve
Board’s standard for electronic signatures); Fusha v. Delta Airlines, Inc., 2011 U.S. Dist.
Lexis 97295 (D. Md. Aug. 30, 2011) (customer bound by forum selection clause contained in
terms of use, even where she did not remember reading the terms); but see Koch Industries
v. John Does, 2011 U.S. Dist. Lexis 49529 (May 9, 2011) (terms of use unenforceable where
available only through a link at the bottom of with no prominent notice that a user would be
bound by them); Schnabel v. Trilegiant Corp., 2011 U.S. Dist. LEXIS 18132 (D. Conn.
Feb. 24,. 2011) (court refused to enforce arbitration clause in website agreement where
plaintiffs were not presented with chance to view terms before acceptance)

13

Electronic Records

 Preserving evidence of data integrity, screen shots and process flows is
essential

– Lorraine v. Markel American Ins. Co., 241 F.R.D. 534, 538 (D.Md. 2007). Judge Grimm in Lorraine v. Markel
American Ins. Co., 241 F.R.D. 534, 538 (D.Md. 2007): [C]onsidering the significant costs associated with
discovery of ESI, it makes little sense to go to all the bother and expense to get electronic information only to
have it excluded from evidence or rejected from consideration during summary judgment because the
proponent cannot lay a sufficient foundation to get it admitted.

– In Re Vee Vinhnee, 336 B.R. 437 (9th Cir. BAP (Cal.) 2005) – Court refused to admit electronic credit card
transaction records due to inadequate authentication.
 11-Factor Foundation For Electronic Records:
– The business uses a computer.
– The computer is reliable
reliable.
– The business has developed a procedure for inserting data into the computer.
– The procedure has built-in safeguards to ensure accuracy and identify errors.
– The business keeps the computer in a good state of repair.
– The witness had the computer readout certain data.
– The witness used the proper p
p p procedures to obtain the readout.
– The computer was in working order at the time the witness obtained the readout.
– The witness recognizes the exhibit as the readout.
– The witness explains how he or she recognizes the readout.
– If the readout contains strange symbols or terms, the witness explains the meaning of the
symbols or terms for the trier of fact. Id. at 14 (citing Edward J. Imwinkelried, Evidentiary
Foundations 4.03[2]
4 03[2] (5th ed 2002))
ed. 2002)).

14

Electronic Records

 The primary authenticity issue as identified by the court in In Re Vee
Vinhnee,
Vinhnee 336 B.R. 437 (9th Cir BAP (Cal ) 2005), focuses on:
BR Cir. (Cal.) 2005)
– . . . what has, or may have, happened to the record in the interval between when it was
placed in the files and the time of trial. In other words, the record being proffered must be
shown to continue to be an accurate representation of the records that originally was created
. . . . Hence, the focus is not on the circumstances of the creation of the record, but rather on
the circumstances of the preservation of the record during the time it is in the file so as to
assure that the document being proffered is the same as the document that was originally
created.
 The court focused on the 4th factor and noted that for electronically
stored information:
– [t]he logical questions extend beyond the identification of the particular computer equipment
and programs used. The entity’s policies and procedures for the use of the equipment,
database, and programs are important. How access to the pertinent database is controlled
and, separately, how access to the specific program is controlled are important questions.
How changes i th d t b
H h in the database are l
logged or recorded, as well as th structure and
d d d ll the t t d
implementation of backup systems and audit procedures for assuring the continuing integrity
of the database, are pertinent to the question of whether the records have been changed
since their creation.

15

Electronic Records

 American with Disabilities Act and the Internet
– Earll v. eBay, Inc., No. 5:11-cv-00262-JF (N.D. Cal. Sept. 7, 2011)(Class Action
Alleges eBay's Identity Verification Policy Violates the ADA); National Federation
of Blind v. Target Corp., 582 F.Supp.2d 1185, N.D.Cal., 2007.

16

ESIGN and UETA – An Analytical Model

 Look to UETA Official Comments, and Congressional
, g
Record at time of ESIGN adoption in House and Senate,
for interpretive rules
 When interpreting ambiguous provisions, ask: if
Wh i t ti bi i i k
interpretation serves purpose of statute and meets
“common sense” test
 What would I do with a paper document?

17

Analyzing Systems for Creating, Storing and Retrieving
Binding Agreements – A Provisional Checklist

 Agreement to Electronic Transaction
g
– Identify parties who must agree
 Direct participants
 Vendors and service providers
 Indirect stakeholders
– Establish manner of agreement
 B2B
 C
Consumer ( (special ESIGN rules f consent)
i l l for t)
– Agreement to system rules

18


 Execution
– Signature
 Authority to sign
 Evidence of intent
 Intent to sign
 Purpose of signature
– Per document basis
– Logically
L i ll associated with record
i t d ith d
– Process
– Attribution

19


 Document Format and Delivery
y
– Compliance with existing formatting rules
– Standards for document formats
 Non-proprietary
 Self-contained
– Delivery methods
 Mailing or hand delivery currently required
 M ili
Mailing or h d d li
hand delivery not currently required
t tl i d

20


 Record Integrity:
g y
– Tracking alterations or versions
– Preventing alteration of executed documents
– Associating records
– Replacing records
– Identifying authoritative copies
– Encryption of executed documents to prevent undetected alteration
– Use f h h l ith
U of hash algorithms and d t and ti
d date d time stamp t h l
t technology
 Record Management Controls:
– Control of access to databases
– Recording and logging of changes
– Backup practices
– Audit procedures

21


 Document Access
– Access based on role in transaction
– Access levels
– Methods of access
– Person responsible for providing and maintaining access
 Principal
 Custodian
 S b
Subcontractors
t t
– Timeframe for access
– Data Survivability/Migration

22

Controlling Risks with SPeRS (Standards and
Procedure for Electronic Records and Signatures)
g )

 A cross-industry initiative to establish commonly understood “rules
rules
of the road” available to all parties seeking to take advantage of the
powers conferred by ESIGN and UETA;
 Helps create the implementation guidance not present in ESIGN and
UETA
 Initially published 2003; update coming in November 2011;
 Founded on the proposition that much of the time and effort being
invested by companies “re-inventing the wheel” could be avoided if
re inventing wheel
cross-industry standards for these elements of electronic
transactions could be established;
 Focused on the behavioral and legal aspects of the interaction
between parties to the transaction not on technology SPeRS is
transaction, technology.
intended to be technology neutral;
 Standards are not necessarily legal minimums, but implementing the
standards should enhance reliability and sufficiency.

23

The SPeRS Structure

 SPeRS is divided into five sections:
– A h
Authentication
i i
– Consent
– Agreements, notices and disclosures
– Electronic signatures
– Record retention
 Each section provides 5 to 10 high-level standards to guide systems
designers in developing p
g p g processes that will meet the new legal
g
requirements.
 Each Standard is supported by:
– Plain-English discussions of the underlying issues,
– Ch kli t outlining specific strategies and options f
Checklists tli i ifi t t i d ti for
implementing the standards,
– Examples and illustrations, and
– Legal commentary to assist in-house counsel
in house counsel.

24

Industry Adoption

– Mortgage
(http://www.mersinc.org/MersProducts/index.aspx?mpid=19)
– https://www.efanniemae.com/sf/guides/ssg/relatedsellinginfo/emt
g/pdf/emtgguide.pdf
http://www.freddiemac.com/singlefamily/elm/pdf/eMortgage_Gui
de.pdf
– Student Lending
(http://ifap.ed.gov/dpcletters/attachments/gen0106Arevised.pdf)
– Variable Annuities (http://www.irionline.org/standards)
– Electronic Chattel Paper
p
(http://www.standardandpoors.com/prot/ratings/articles/en/us/?a
ssetID=1245199808682)
– Online Banking g
(http://www.ffiec.gov/pdf/authentication_guidance.pdf)
– SPeRS (http://www.spers.org/spers/index.htm)
25

Questions?

Margo H K Tank
H. K.
Buckley Kolar LLP
1250 24th Street, NW
Suite
S ite 700
Washington, DC 20037
D: 202.349.8050
E: t k@b kl k l
E mtank@bucklekolar.com
F: 202.349.8080
www.buckleykolar.com

26

Agenda

 Delivering Disclosures, Agreements and Notices
 Electronic S
l Signatures– Attribution, Authority and
b h d
Intent
 I t d i
Introducing El t
Electronic R
i Records i t E id
d into Evidence

© 2011 R. David Whitaker. All rights reserved. No copyright claimed on images licensed from others. No
part of this document may be reproduced or transmitted in any form, by any means (electronic,
photocopying,
photocopying recording or otherwise) without the express prior signed permission of the author This
author.
presentation is for purposes of education and discussion. It is intended to be informational only and does not
constitute legal advice regarding any specific situation, product or service.

0

Delivering Disclosures, Agreements and Notices –
The Record Management Cycle
Record
Life Generate Deliver Store Manage Destroy
Cycle

Track Create
Active Propagate Extract &
Data Record Audit Trails
Data Index Data
Processes Versions & Reports

Audit Trails
Primary Transaction-specific Screen Shots
Record Boilerplate Docs for Enrollment,
Docs & Process Flows
Categories Delivery/Signing
Secure and Consistent Record Management
Quality & Search and Record Business
Key Access
Systems
S t
Integrity Report Destruction Continuity
Controls
C t l
Issues Controls Capabilities
Record Management Responsibility
Secure Communication
Record Management Audit Trails & Reports
Company Policies and Guidelines

1

Regulatory Guidance for Record Management

– GLBA Information Security Guidelines
– FFIEC Authentication Guidance
– Identity Theft Red Flags Regulation and
Guidelines
– FFIEC Information Security Booklet
– FFIEC E-Banking Booklet
– FFIEC Supervision of TSPs Booklet
– FFIEC Outsourcing Technology Services Booklet
– FFIEC Development & Acquisition Booklet
– FIL-44-2008, Managing Third Party Risk
2

Key Requirements from ESIGN and UETA
 Key Requirements
– Consent is required if law otherwise requires info delivered
eq i ed la othe ise eq i es deli e ed
in writing
• ESIGN Consumer Consent Process
• B-to-B Consent
– UETA delivery provisions not preempted by ESIGN
• Need Agreement (express or implied) on Delivery Method
• Need to deal with bouncebacks in many cases
– Popular Delivery Options
• Display as part of an interactive session,
• Delivery in the body of an email or as an email attachment, or
• Delivery of an email or other electronic notice that has a URL
e bedded
embedded in it t at the consumer may activate to review the
t that t e co su e ay act ate e e t e
information.

3

Key Requirements from ESIGN and UETA
 More Key Requirements
– Elect onic records a e not enfo ceable against a recipient if
Electronic eco ds are enforceable ecipient
the sender inhibits the recipient’s ability to print or retain a
copy
– Customer must be able to retain a copy for later reference
– Electronic Records retained by sender must be accurate,
remain accessible for later reference
– All formatting, timing and display requirements must be
observed. “Timing” includes:
• Proper sequence within transaction
• Any time frames or deadlines for delivery
• Length of time the information/document remains accessible

4

General Delivery/Signature Strategy
Clear
Call
to Action

Prompt for Retention/

Offer Retention-Friendly Version

Presented in Scroll Box, PDF or Behind
Clearly-Labeled Hyperlink

Key Information/Document Above or to the Left of Call to Action

Obtain
Obt i
Get Consent Draw Attention Present Document
Signature

5

The Design Process

Delivery Design Choices Design Execution

– Secure or Unsecure? – Enrollment / consent process – Establish agreement on delivery
– Audit trails and reporting –When deemed delivered
– Push out in email/SMS, or send
– Transmittal message contents –Delivery address
“ready notice” and pull behind
– Authentication process for access
p –Obligation to update address
g p
firewall?
fi ll?
to secure data (if applicable) – Obtain ESIGN Consent
– Embedded hyperlinks in “ready – Record generation and posting to – Generate records
notice” email? delivery system – Send notice or attachments
– Permit target to set delivery – Message or notice – Provide opportunity to retain
preferences? generation/transmission – Generate audit trail
– Permit target to designate multiple – Record retention/destruction process – Handle “bouncebacks”
recipients? – Record generation/posting – Handle withdrawal of consent
– Forced review or bypassable?
Key C id
K Considerations
i
Key Considerations − 2 Factor Authentication required? Key Considerations
- Will the records contain sensitive information? − How will cross-system compatibility/communication − Addressing electronic delivery channels
issues be addressed? − Agreement on what constitutes “sending” and
- Will the records contain required disclosures or notices?
− How much of design will be automated or manual? “receipt” (Note some state UETAs limit variation
- Are multiple delivery methods possible/desirable? − Is system intended for use with targets without prior by agreement)
- Are there “phishing” or “pharming” issues to address?
phishing pharming electronic relationship with sender?
l t i l ti hi ith d ? − Agreement on obligation t update electronic
A t bli ti to d t l t i
- Need to maintain control over display and audit trails? − Regulatory requirements for timing, delivery, addresses
- Need to obtain ESIGN Consumer Consent? proximity, conspicuousness, forced review? − Managing bouncebacks and withdrawal of
consent

6

Electronic Signatures –
Key Elements
Electronic Signature Key Elements

 Definition of signature -- “Electronic
 ESIGN and UETA require that:
Signature” means an electronic identifying
sound, symbol, or process attached to or – The signature be attributable to
logically connected with an electronic the signer and associated with
record and executed or adopted by a the records
person with present intention to
authenticate a record.
th ti t d – The signing party have authority
 This definition includes (for example): to sign
– Typed names, – The signing party must have the
– A click-through on a software intent to affix a signature to the
program’s dialog box combined with record
some other identification procedure,
 ESIGN and UETA do not require
– Personal identification numbers,
that:
– Biometric measurements,
– A digitized picture of a handwritten – The signature process itself
signature, provide proof of identity
– Use of SecureID™ or Defender™ – The signature process itself
number generators, and protect the record from
– A complex, encrypted authentication
alteration without detection
system.
 Note that a click-through probably does
not satisfy the requirements for an
electronic signature under Article 9 of the
UCC.

7

Attribution
Attribution basics Attribution in the electronic world
 Legal sufficiency vs. attribution -  In an electronic environment,
- UETA and ESIGN’s signature attribution is often proven by
f
rules: associating the signature with use
– Answer the question “is it a of a “credential.” A credential is a
g
signature?” method for establishing the
– Do NOT answer the question identity of the signer, and may
“is it your signature?” involve use of a password,
employment of a token (such as a
 Attribution must be proven:
random number generator),
g ),
– Attribution may be proven by biometrics, or demonstration of
any means, including knowledge of a “shared secret,” or
surrounding circumstances or some combination of the above (or
efficacy of agreed-upon similar devices/approaches). Use
security procedure of the credential gives the person
– The burden of proof is usually receiving the signed record a
on the person seeking to reasonable basis to believe that the
enforce signature signature was created by the
intended signer.

8

Attribution
Creating a Credential Notes on credentials
 A credential may be:  Note that the effectiveness of the credential for
• Assigned to the signer directly by attribution depends on the integrity and
the intended recipient of the signed reliability of the p
y process for first creating and
g
record, either in advance or at the assigning the credential to the individual.
time of signing. • So, if it is easy to get a credential under false
• Assigned to the signer indirectly, pretenses, then the value of the credential for
through a hierarchical model, where attribution is diluted.
the intended recipient gave a “root” • But, if the process for first issuing the
or “master” credential to a person credential to the correct person is
who is then authorized to provide demonstrably reliable, then the later use of
derivative credentials to others the credential will usually constitute strong
(e.g.
(e g Recipient gives a master User evidence of attribution.
attribution
ID and password for its Treasury  In more sophisticated applications the customer
Services website to an executive at may be given multiple credentials to permit two
Company X and the executive then or three-factor authentication, depending on the
establishes passwords for other
p risk level of the specific requested transaction.
Company X employees). So, for example, a banking customer may be able
• Created spontaneously (often to access general online banking services using
through the use of biometrics or a a User ID and Password, but then be required to
“shared secret”) at the time it is also provide a one-time password or PIN from a
needed for the signing. random-number generator before completing a
funds transfer during the online session.

9

Attribution
 Common Strategies for Credential Creation/Distribution
– Customer-initiated online/mobile
• Validated used existing shared information, or
• Self-asserted (usually just for initial contact/applications)
– Delivered
• May be persistent or one-time (OTP, random number generator)
M b i t t ti (OTP d b t )
• Sent to known address (email or postal) or phone number (sms or
voice)
• May be further validated on first use or each use
y
 Use of dedicated hyperlink contained in message to access platform
 Confirmation using shared information
– Self-assigned
• Response t invitation
R to i it ti
 Use of dedicated hyperlink contained in message to access platform
 Created on platform
 Sometimes -- Confirmation using shared information
• Assigned via heirarchical model (more later)

10

Authority
 ESIGN and UETA incorporate the existing common
law rule requiring that the signing party have the
q g g gp y
authority to sign.
– Individuals – identity, age, capacity – capacity is
usually taken for granted with any person over the
y g yp
age of 18, unless there are indications to the
contrary
– Representatives – identity, age, capacity, and
authorization to take the contemplated action on
h i i k h l d i
behalf of the represented party. The authority to
act is not automatic just because a person is an
appointed representative (e.g. an agent or
(e g
employee). Authority must be either expressly or
implicitly conferred by the represented person.

11

Authority for Representatives
y p
Very often used with small companies. It presumes that in a small company anyone taking action
with respect to bank services must have authority to do so because unauthorized activity is so
difficult to conceal. This involves a “cost/benefit” risk analysis, since historically small business
“Hail Mary” employees have proven quite adept at using bank accounts and banking relationships to commit
fraud under the noses of their co-employees and owners.

In the most formal of situations, a certificate is required from the company’s owners or controlling
body (Board of Directors, General Partners, Members, etc.) confirming the authority of a particular
Certificate of person to sign as a representative of the company. In some cases confirmation of authority is
company cases,
Authority incorporated into an opinion letter from outside counsel, creating a potential claim against outside
counsel in case of a later dispute.

Situational Where authority is not formally established, it may alternatively be established by circumstance.
“actual” or Job titles and/or known supervision and review of the proposed agreement by senior management
“apparent” may establish either actual or apparent authority to act.

y
authority

In this model, the potential recipient of the signed records (e.g. the bank) assigns a master
credential,
credential through a highly reliable and carefully controlled process to a company representative
process,
(e.g. the Senior Vice President for Treasury Management Services) whose authority to establish
The the initial relationship is beyond question (either because of certification or situational
Hierarchical verification). In turn, the recipient’s system of record permits the trusted company representative
Model to create lower-level credentials for other company employees. These credentials come with
assigned rights, which may include the right to enter into additional agreements with the recipient.
Presumably,
Presumably the master agreement between the recipient and the company establishes the
recipient’s right to rely on the “hierarchical model” to establish the authority of the lower-level
employees to sign.

12

Intent to Sign
Elements of Intent Samples of Notices to Establish Intent

 The signer’s intent is composed of two
elements:
 …By clicking "I Accept" at the end
By I Accept
– The intent to sign of this Agreement, you agree that
– The purpose of the signature you have read and understand this
 The intent to sign may be established by the Agreement and that you will be
surrounding circumstances. In an electronic
bound by and comply with all of its
environment,
environment the easiest way to establish an
intent to sign is to advise the signer that the terms…
action he or she is about to take (click through,
 …by typing your name in the
entrance of PIN, typing of name, etc.) will
constitute a signature. signature box on the account
 Purpose of signature signup page, you are signing and
– There are four basic purposes a signature agreeing to the terms and
i t th t d
may serve with respect to a record:
conditions of this Agreement…
1. I agree to it
2. It came from me
 BY CLICKING ON THE “SIGN NOW”
3. I’ve seen it BUTTON BELOW, YOU ARE SIGNING
4.
4 I got it THIS AGREEMENT CLICKING ON
AGREEMENT.
– Which of these purposes is applicable to a THE “SIGN NOW” BUTTON WILL
particular signature may be established by
RESULT IN AN ENFORCEABLE
surrounding circumstances or may be
specifically stated as part of the signature LEGAL CONTRACT, JUST AS IF YOU
process. In many cases the signature HAD SIGNED YOUR NAME TO AN
serves more than one of these purposes.
h f h
AGREEMENT ON PAPER.
 The signer’s intent must be established
separately in some manner for each signature
that is applied to the record.

13

Selecting a Process

 Three primary criteria
– Boilerplate Document vs. Transaction-
Specific Document
– Size of transaction or liability exposure
– Extent to which transaction “self-validates”
• Physical presence at signing
• Services are personal to signer (e.g. medical, legal)
• Physical product being shipped
• Product or service is customized to individual

14

Selecting a Process
Boilerplate
Per Transaction
Click-Through Capture
Audit Trail
A dit T il

Preserve Process Flows

Preserve Template Document

Preserve Generic Screen Shots

Obtain
Obt i
Establish Identity Present Record Prompt Retention
Click-through

15

Selecting a Process
Transaction-
Specific Signatures Capture
Audit Trail
A dit T il

Anticipate
Obsolescence

Generally, Retain A Copy of the
Dynamic Signed Record, Not
g
Just a Flat File

Document, Once Signed, Should Be Protected
Against Undetected Alt
A i t U d t t d Alteration
ti

Establish Identity Present Record Obtain Signature Prompt Retention

16

Introducing Electronic Records into Evidence --
Basis for Admission

 The Federal Rules of Evidence and the Uniform Rules of
Evidence contain identical provisions that taken
that,
together, address the admissibility of electronic business
records:
 The “Business Record” Rule, and
 The “Best Evidence” Rule.

17

Basis for Admission
 The Business Record rule permits the introduction into evidence of
business records of regularly conducted business activity. A business
record will be admissible:

 If it is a record, in any form, of acts, events, conditions, opinions, or
diagnoses, made at or near the time by, or from information
transmitted by, a person with knowledge, and if:
 Th record is kept in the course of a regularly conducted
The di k i h f l l d d
business activity, and
 It was a regular practice of that business activity to make the
memorandum, report, record or data compilation, all as shown
by the testimony of the custodian or other qualified witness, or
y y q ,
by certification that complies with the Rules of Evidence,
 Unless the source of information or the method or circumstances of
preparation indicate the record is not trustworthy.

People v. Huehn, 53 P 3d 733 (Colo.App. 2002)
P l H h P.3d (C l A

18

Basis for Admission
 Even though a record is admissible under the business records
exception to the hearsay rule, it must also satisfy the Best Evidence
Rule.

 The Best Evidence Rule, sometimes called the “Original Writing
Rule,” provides that in order to “… prove the content of a writing,
recording, or photograph, the original writing, recording, or
photograph is required except as otherwise provided in these rules
required,
or by Act of Congress.”
 An “original” is defined as: [T]he writing or recording itself or any
counterpart intended to have the same effect by a person executing
or issuing it. … If data are stored in a computer or similar device,
any printout or other output readable by sight, shown to reflect the
i t t th t t d bl b i ht h t fl t th
data accurately, is an “original.”

People v. McFarlan, 744 N.Y.S.2d 287, (N.Y. Sup. 2002)

19

Basis for Admission
 The UETA and ESIGN extend the existing principles of the “Best
Evidence” rule, providing:
 A
Any requirement t preserve or produce an “original” record is
i t to d “ i i l” di
satisfied by an electronic record of the information in the record to
be produced, so long as the electronic record:
 Accurately reflects the information in the record to be produced
after it was first generated in its final form and
form,
 Remains accessible for later reference.
 Evidence of a record may not be excluded solely because it is in
electronic form.

20

Proof of Document Integrity

 Introduction into evidence will require proof of integrity
 Id tifi ti
Identification to original transaction
t i i lt ti
 Freedom from alteration

21

Proof of Document Integrity

 Courts evaluating the integrity of an electronic record
may be expected to focus on systemic protections --
y p y p
 division of labor
 complexity of systems
 Encryption of executed documents to p
yp prevent
undetected alteration
 activity logs
 security of copies stored offsite to verify content

22

Some Additional Resources

 – Standards and Procedures for electronic Records and
Signatures – available for purchase at www.spers.org
 FFIEC Information Technology Examination Handbook – available at
http://ithandbook.ffiec.gov/
 FFIEC Guidance On Electronic Financial Services And Consumer
Compliance – available at www.ffiec.gov/PDF/EFS.pdf
 FTC Guidance on Dot Com Disclosures – available at
http://business.ftc.gov/documents/bus41-dot-com-disclosures-
information-about-online-advertising
g
 FTC Staff Report on Improving Consumer Mortgage Disclosures –
available at www.ftc.gov/opa/2007/06/mortgage.shtm
 AIIM Recommended Practice Report on Electronic Document
Management Systems (AIIM ARP1 2006) – available at
M S ARP1-2006) il bl
www.aiim.org/documents/standards/arp1-2006.pdf
 Lorraine v. Markel American Insurance Co., 241 F.R.D. 534 (D. Md.
May 4, 2007) – available at
y , )
http://www.mdd.uscourts.gov/Opinions/Opinions/Lorraine%20v.%20
Markel%20-%20ESIADMISSIBILITY%20OPINION.pdf

23

UPCOMING CONFERENCE

Electronic Signature & Records
Association Annual Conference
November 9 & 10, 2011
Washington, DC

http://esignrecords.org/events/


QUESTIONS?


E-Signature Webcast for Financial Services Legal Counsel (Slides)

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (6)

Similar to E-Signature Webcast for Financial Services Legal Counsel (Slides)

Similar to E-Signature Webcast for Financial Services Legal Counsel (Slides) (20)

More from eSignLive by VASCO

More from eSignLive by VASCO (9)

Recently uploaded

Recently uploaded (20)

E-Signature Webcast for Financial Services Legal Counsel (Slides)