The request for a customer's signature at the point of applicationis not a one off event just to confirm agreement with the terms. It is the mechanism that a customer uses to confirm that he is the same 'Mr X' that owns the account (not the other 'Mr X' who could be posing to be him). Signing a document is the ceremony that represents his acceptance of terms or consent to perform a transaction, and may be compared to the original if Mr X ever tries to claim an incorrect or fraudulent transaction.
In an online world it is tough to ensure the security and integrity of electronic signatures. For different scenarios something stronger than username and password is required, since the agreements and transaction consents may high value and high risk to both institution and customer.
Electronic signature approaches
For higher value or higher risk accounts, such as annuities, mutual funds, etc, the identification, profiling and signature requirements for opening the account are greater than those for a simple financial product. The customer needs to provide more profile information to enable product suitability to be assessed and is needs to demonstrate understanding of the product terms more effectively.
From a signature standpoint a simple username and password is not considered strong enough for authentication of identity, so other approaches to collecting signatures are being used or investigated by organizations:
1) Digital pen signature pad
2) Physical token
3) Biometric identification
Digital pen signature pad
The digital pen signature pad enables an institution to use a traditional written signature in an electronic form. It captures not only the signature shape, but also the pressure and velocity of the pen, enabling forensic proof to be applied to signatures if required.
To my mind this type of signature seems hard to validate automatically, although I have not really researched software that has been proven to do this. The limitations of 'sampled validation' performed by organizations with wet signatures may apply, where they only check a sample of set of signatures, since it could be impossible to reasonably check every signature.
The availability of signature pads may also limit its widespread adoption, especially since these devices are unlikely to be easily portable between PCs, limiting the mobility of online transactions, for example where a customer uses a home and office PC for financial matters.
One advantage of this type of signature is that it can be used to record the appearance of a traditional signature, where the institution may need a comparison for a wet signature in the future. An example is where an organization provides checks or plastic cards and needs to keep a 'signature card' for validating signed checks or debit/credit card slips.
The second option, using a physical token, has been deployed in some environments, requiring a customer to hold some type of smart card or electronic tag. The physical possession and use of the token only represents part of the signature, and is completed when combined with a traditional password.
Some tokens are limited by the need to swipe them over a reader, again limiting mobility of the usage to PCs with an appropriate reader. Tokens that provide an updating passcode display enable them to be used without being attached to a PC, promoting mobility. These devices have been trusted for remote administrative access to IT systems for several years and as such should be recognized by an organization's IT/IS group as being reliable.
The effectiveness of this approach as a signature comes from the possession of a token that is unique to the user. It ensures a far greater degree of certainty than a password alone, but must be used in combination with a password, much like you would expect to use a bank card in an ATM with a PIN. Pure possession of the token does not guarantee that the unseen user is the person that really owns the token, due to possible loss or theft.
A drawback of this approach is that it requires the physical distribution of a token by the financial institution, or the requirement that a customer already possess an accepted token from a third party.
Physical distribution (i.e. snail-mail) injects a lag into the account setup process, but also adds the opportunity to confirm the customer’s address is correct, since otherwise the token would be difficult to receive. In some circumstances snail-mail or other trusted delivery (FedEx, UPS) of a token, bank card or PIN is the only way to ensure that the customer's address is what they claimed on the application.
Biometrics are a hot topic at the moment, and devices for reading fingerprints are becoming more common, as PC manufacturers (such as Lenovo) build them in to promote access security. This may be encouraging to financial services firms, since it enables them access to an authentication mechanism that is becoming widespread, and does not carry the distribution lag or cost associated with physical tokens.
In much the same way that a customer could sign up with Fidelity and select a username and password for their online identity, the customer could also just swipe their fingertip over a sensor on their laptop to be recorded on their digital signature card. In future, this fingerprint swipe acts as a signature consenting to a transaction.
Unfortunately, biometrics typically rely on identification markers on a human being that are readily visible, and therefore subject to spoofing. The Electronic Frontier Foundation has raised concerns around the use of biometrics.
When used in combination with a password (an attribute that is not visible), the security of the signature for non-repudiation purposes may be considered sufficient. Financial services institutions should be tracking this technology, and its effectiveness.
Managing identity and recording signature transactions
Special attention will be required to handle the sharing of signatures, signed transactions and documents. This will be maybe the toughest area to solve without standards in place.
In general, I need to do much more research in this area, but hopefully this short introduction provides a placeholder for future analysis. As ever, any feedback from anyone with experience in this area would be appreciated.
Financial service institutions need to be looking both at their own requirements for electronic signatures for high value and high risk accounts, as well as what the marketplace in general is likely to adopt. Widespread adoption of an approach will most likely lead to the most cost-effective and hopefully trusted mechanism for online signatures for authentication and non-repudiation.
There are a range of other issues to be addressed, from the recording of signatures against actions, to digitally signing documents to ensure accuracy, I have not addressed fully. Hopefully I will get round to doing this soon.
As ever, any feedback on the ideas and information I have presented here is welcome.