Electronic signatures are core requirements for new account opening for financial services products. I certainly do not claim to be an expert in this area so I’m hoping to use this as a starting point, by laying out some of the issues that need to be addressed, and laying out a little of what I know as background.
What is a signature?
In simple terms, a signature is either a proof of identity or a representation of informed consent. Signing a document or contract is surrounded by a certain ceremony to reinforce the ‘will’ of the agreement – a signature is really not enforceable if the signing process was disguised or the agreement terms were hidden.
Wikipedia has some background on the meanings and traditions surrounding signatures.
A use case
Imagine that I go to Fidelity’s web site to apply for a new account. As a customer without a history with the institution there are various challenges to me opening a new account and signing an agreement as to my rights and obligations for running it.
Fidelity needs to enforce several steps:
- Create a reusable identity for me
- Ensure that I am who I say I am, and live where I say I live
- Create a customer profile to enforce risk and Anti-Money Laundering controls
- Gain and prove my acceptance of their agreement terms
In this online world they need to do all of this without ever seeing me in person, or seeing any physical evidence of who I claim to be. In the future, ensuring that I cannot deny ownership of the account or agreement with its terms is essential to the institution. Unfortunately non-repudiation is hard to achieve when an institution doesn’t already have a relationship with me. In this case a signature without a valid and verifiable profile is worthless, in either the manual or the online world.
Creating and confirming identity
The first step when setting up a relationship with a new customer is for the financial institution to create and confirm the customer’s identity. In its most basic form this is a set of uniquely identifying information about the customer: name, date of birth, residential address, social security number, etc. This provides a base identity for the person. A signature is then assigned so that, in future, the customer can confirm they are who they say they are for contracts and transactions, without having to re-examine their details in more depth.
In the paper application world, I would walk into a branch of Bank of America, fill in a form, present three forms of identification to the customer services rep and sign a ‘signature card’. The signature card provides a record of the customer’s signature for future reference if ever required to confirm the customer’s identity. In the
In the online world things work slightly differently, but the principles are the same. In this world I’ll go back to the Fidelity web site. I fill in a series of personal details that enables them to uniquely identify me. This enables Fidelity to pull my credit report from Equifax. Here I am presented with a series of questions to confirm the providers of certain services listed on my report over the last few years. The combination of correct answers to these questions enables Fidelity to be reasonably sure that I am who I say I am, especially as the credit report is tied to my social security number and mailing address. After filling in some more information I have to select a username and password for access to my new online account. For low value or low risk accounts (standard brokerage accounts being one), this is considered enough identification to authenticate my agreements and transactions, with the username / password combination acting as my signature.
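To make concrete how the profile details, the credit-report questions and the username / password login combine into something the institution can rely on later, here is an added Python sketch (my own illustration, not Fidelity’s, Equifax’s or any vendor’s code). It scores constructed knowledge-based questions, then produces a signature record that binds the proofed profile to a hash of the exact agreement terms shown, protected by an assumed server-side HMAC key; the question set, pass threshold and key are all assumptions.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed stand-in for the credit-report questions; in practice they come
# from the bureau, and a real system would never hold the answer key like this.
KBA_ANSWER_KEY = {
    "Which lender holds your auto loan?": "Example Auto Finance",
    "Which bank issued your oldest credit card?": "Example Bank",
    "What street did you live on in 2019?": "Maple Avenue",
}
KBA_REQUIRED_CORRECT = 3  # assumed policy: every question must be answered correctly


def _norm(s):
    return " ".join(s.strip().lower().split())


def kba_verify(answers):
    """Score the applicant's answers; returns (passed, number_correct)."""
    correct = sum(1 for q, a in KBA_ANSWER_KEY.items()
                  if _norm(answers.get(q, "")) == _norm(a))
    return correct >= KBA_REQUIRED_CORRECT, correct


def sign_agreement(profile, agreement_text, kba_passed, credential_ok, record_key):
    """Build the signature record only when identity proofing and the login
    both succeeded; a signature without a verified profile is worthless."""
    if not (kba_passed and credential_ok):
        raise PermissionError("identity not proofed or credential not verified")
    record = {
        "profile": profile,  # the verified base identity the signature is bound to
        "agreement_sha256": hashlib.sha256(agreement_text.encode()).hexdigest(),
        "proofing_method": "kba-credit-report",
        "auth_method": "username-password",
        "signed_at": datetime.now(timezone.utc).isoformat(),
    }
    canonical = json.dumps(record, sort_keys=True).encode()
    record["mac"] = hmac.new(record_key, canonical, hashlib.sha256).hexdigest()
    return record


def verify_record(record, agreement_text, record_key):
    """Later check: the record is intact and refers to exactly the terms shown."""
    body = {k: v for k, v in record.items() if k != "mac"}
    expected = hmac.new(record_key, json.dumps(body, sort_keys=True).encode(),
                        hashlib.sha256).hexdigest()
    terms_hash = hashlib.sha256(agreement_text.encode()).hexdigest()
    return hmac.compare_digest(expected, record["mac"]) and body["agreement_sha256"] == terms_hash
```

The record ties three things together that the post treats separately: who was proofed, how they authenticated, and which terms they saw; changing any of them invalidates it.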
For commercial consumer transactions, and especially financial services transactions, there are two key laws addressing the issue of electronic signatures.
The Uniform Electronic Transactions Act (UETA) provides a uniform state legal framework for electronic transactions. This gives them the same legal weight as equivalent paper based processes and wet signatures.
The Electronic Signatures in Global and National Commerce Act (E-SIGN) provides a federal backdrop for electronic signatures, governing situations where there is an absence of state law, or states make changes to UETA.
Special provisions have been put in place to protect consumers, controlling when organizations can demand the use of electronic transactions and documents and how organizations ensure that customers have the facilities to accept electronic delivery of documents.
The financial services industry has looked at providing best practices and rules that cover both electronic records and electronic signature issues. This is the Standards and Procedures for Electronic Records and Signatures (SPeRS).
Wikipedia refers to additional laws.
As you can see, many of the issues in financial services related to signatures are tightly coupled with validating, managing and authenticating the identity of an individual. The approaches that organizations take to perform this in an online world mirror what is required in a paper world. For higher value and higher risk products the current online model is considered insufficient, and much work is needed to strengthen both the signature and the general identity management issues.
More to come
In the next post I will address some of the deeper issues around electronic signatures as they relate to higher value or higher risk accounts, as well as the hot topic of biometrics.