…and How to Address Them
Moving business processes online without introducing new risks is not a simple task. The fraud, repudiation, admissibility and compliance risks are challenging enough to address when executing transactions on paper. If not done properly in the electronic world, these risks can be far greater. This paper discusses how a well-designed process, supported by new-generation electronic signature technology, can actually reduce risk and increase the enforceability of e-transactions compared to paper processes.
While the E-SIGN Act was passed nearly ten years ago, giving electronically signed records the same legal validity as their pen and paper counterparts, it does not guarantee that e-records will be admitted into court as evidence, nor does it provide an adequate defense to ensure a positive outcome in the event of a dispute. Moreover, meeting the basic requirements of the E-SIGN Act does not mitigate several other important risks associated with bringing high-value consumer transactions online.
A new generation of electronic signature technology has emerged in response to evolving market demands for a more comprehensive solution that provides better compliance and control of highly regulated transactions. This new technology, known as E-Signature Process Management, goes beyond simple signature capture to control the execution of transactions electronically from start to finish, reducing risk and producing better legal evidence than with paper.
This article explains how E-Signature Process Management addresses the top six risks of bringing processes online, as identified by Locke Lord Bissell & Liddell, a leading e-commerce law firm that has guided Fortune 500 companies in the design and implementation of electronic signature processes.
1. USER AUTHENTICATION RISK: “This Isn’t My Signature”
While the vast majority of legal disputes challenge the terms and conditions of a signed document, not whether a signature belongs to a person, user authentication is still a risk organizations must address, especially when doing business with new and unknown customers over the web.
Locke Lord Bissell & Liddell defines the user authentication issue as the risk that a document is signed by someone other than who the person actually signing claims to be, and therefore, a forger. The risk, according to Locke Lord Bissell & Liddell, is that a company will not be able to enforce the document against the person with whom the company thought it was contracting because the person claims, “That is not my signature!”
It is important to note, however, that a signer’s identity is rarely authenticated in one instance or based on a single point technology, regardless of whether transactions take place over the web or in a customer-facing, retail environment. Normally, a combination of events and evidence is used to establish the identity of a party to a transaction including conversations with agents or representatives, the provision of personal information, and signatures.
E-Signature Process Management combined with a solid business process can mitigate user authentication risk with a number of identity and credential verification techniques.
A well-designed, e-signature process management solution supports a wide variety of methods of identification and credential verification, including knowledge-based authentication, user ID and password, and smart cards. This enables organizations to leverage existing user authentication systems and to calibrate the level of authentication to the risk associated with each process. In some instances, the customer will already have been identified and issued a credential such as a user ID and password that can be leveraged in a current transaction.
In the event that a person denies having signed a record, one point to consider in determining the legitimacy of the claim is whether the person, subsequent to the transaction, made a payment to obtain the product or service. Further, what would motivate the person to make a fraud claim, knowing that without the existence of a valid contract, the relationship would be rendered null and void and the claim would be moot?
2. REPUDIATION RISK: “That’s Not What I Signed”
Locke Lord Bissell & Liddell defines the second risk, repudiation, as the risk that a person claims the document was altered after he or she signed it. “The risk is that a company relying on an applicant’s electronic signature seeks to enforce the terms of the signed document bearing the applicant’s signature and the applicant claims, ‘Yes, that is my signature, but the terms and conditions of what I signed are different than that document!’”
Repudiation generally occurs when a customer has provided false information in a document or now disagrees with terms and conditions to which they had originally agreed. The customer therefore asserts that, although they did sign a document, either the document or their signature has been altered.
E-Signature Process Management can mitigate repudiation risk by ensuring that a person’s signature is permanently bound to the exact contents of the record at the time of signing.
A secure, e-signature process management solution uses digital signature cryptography to create a link between the electronic record, the user authentication data and any additional evidence related to the transaction. A digital ‘fingerprint’ of the record is taken at the time of signing using industry-standard hashing algorithms. This fingerprint can then be used to detect even the smallest change to the signed document. A person cannot, therefore, claim that someone tampered with the e-signed record, nor can the person claim that his or her signature was fraudulently added to another document because the solution would visibly invalidate the electronic signature.
3. ADMISSIBILITY RISK: “Objection, Your Honor”
Locke Lord Bissell & Liddell defines the risk of admissibility as the risk that an e-contract cannot be enforced because it does not provide strong enough evidence and, therefore, is not admissible in court. Laying the proper foundation, according to Locke Lord Bissell & Liddell, is critical.
Producing reliable and persuasive electronic evidence, however, can be challenging, especially when processes take place over the web. Web interfaces and processes change frequently in response to compliance requirements and usability feedback, making it difficult for webmasters to recreate a customer experience that occurred months or years past. Even if historical Web interface information is retained, it is likely stored in a number of separate databases and content management systems, making it difficult to retrieve and reproduce in a reliable manner. This information is then available to a company’s records custodian to help in laying the foundation for the reliability, and therefore admissibility, of such records.
E-Signature Process Management mitigates admissibility risk by enabling organizations to capture and reproduce every step that occurred during the transaction execution.
An e-signature process management solution captures evidence of the entire e-transaction from beginning to end. This offers organizations better visibility into processes and stronger evidence than possible with paper. Organizations can then accurately and reliably reproduce the entire e-transaction for litigation, regulatory and internal control purposes. This includes the signing act itself, as well as all web pages viewed; all legal disclosures and documents presented for review, acceptance and signing; all actions taken by signers; and the delivery of e-signed copies to all parties and systems. The web pages and process information are stored in a database and a secure link is created between the process evidence and the corresponding e-signed records.
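The following is an added example, not code from the original paper or from any vendor's product. It sketches the fingerprint binding described under repudiation risk and the link between process evidence and the signed record described above. HMAC-SHA256 stands in for the asymmetric digital signature so that it runs on the Python standard library; the key, field names and sample transaction are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC-SHA256 stands in for the asymmetric digital
# signature the paper describes; a real deployment would use a signer's key.
SIGNING_KEY = b"constructed-demo-key-not-for-production"

def fingerprint(data: bytes) -> str:
    """SHA-256 digest used as the record's digital fingerprint."""
    return hashlib.sha256(data).hexdigest()

def canonical(obj) -> bytes:
    """Deterministic JSON encoding so equal content always hashes equally."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign_record(document: bytes, auth_data: dict, evidence: list) -> dict:
    """Bind document, authentication data and process evidence under one seal."""
    envelope = {
        "document_sha256": fingerprint(document),
        "auth_sha256": fingerprint(canonical(auth_data)),
        "evidence_sha256": fingerprint(canonical(evidence)),
    }
    seal = hmac.new(SIGNING_KEY, canonical(envelope), hashlib.sha256).hexdigest()
    return {"envelope": envelope, "seal": seal}

def verify_record(signed: dict, document: bytes, auth_data: dict, evidence: list) -> list:
    """Return the list of failed checks; an empty list means nothing changed."""
    failures = []
    env = signed["envelope"]
    expected = hmac.new(SIGNING_KEY, canonical(env), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["seal"]):
        failures.append("seal")  # envelope was edited or seal moved to another record
    if env["document_sha256"] != fingerprint(document):
        failures.append("document")
    if env["auth_sha256"] != fingerprint(canonical(auth_data)):
        failures.append("auth_data")
    if env["evidence_sha256"] != fingerprint(canonical(evidence)):
        failures.append("evidence")
    return failures

# Constructed sample transaction.
DOC = b"Loan agreement: principal 10,000 USD, APR 7.5%"
AUTH = {"method": "user-id-password", "user": "applicant-001"}
EVIDENCE = [{"step": 1, "action": "esign-consent-accepted"},
            {"step": 2, "action": "disclosure-viewed"},
            {"step": 3, "action": "click-to-sign"}]
SIGNED = sign_record(DOC, AUTH, EVIDENCE)
```

Calling `verify_record` with an altered document, or with a step removed from the evidence list, names the component that no longer matches; copying the seal onto an envelope for a different document fails the seal check.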
4. COMPLIANCE RISK: “I Never Saw That”
In addition to the E-SIGN Act, organizations must comply with rules and regulations for presenting documents, disclosures and other information at specific stages during a transaction. Failure to comply can cost organizations dearly, including possibly rendering the signed document null and void. Locke Lord Bissell & Liddell explains that organizations can be sanctioned by regulatory authorities and the other party involved in the transaction may be permitted to avoid its obligations under the documents signed. Further, depending on the industry, organizations may be subjected to hefty fines, lose accreditation status or compromise brand equity.
E-Signature Process Management can mitigate compliance risk by enforcing regulatory requirements and proving that compliant processes were followed throughout a transaction.
A well-designed e-signature process enables organizations to configure the business logic needed to control the execution of transactions so that compliant processes are followed throughout. This includes ensuring that ESIGN consent is obtained; that all required documents, disclosures and information are presented in the correct format, sequence and timeframe; that no signatures are missing; and that all parties receive a copy of the final records. Moreover, because the transaction remains electronic, there is no need to re-key data and potentially introduce errors.
5. ADOPTION RISK: “Am I Done Yet?”
While user adoption is not a legal risk per se, it is important to consider in the context of this discussion. Organizations often look to adopt more rigorous security systems and settings in an attempt to address legal or compliance risk. This approach is not recommended, however, because security and usability are almost always in conflict, and adopting excessive security measures can negatively impact return on investment. Locke Lord Bissell & Liddell defines adoption risk as “the risk that the e-process takes longer than the traditional process or is not as convenient as the traditional process and consequently, adoption of the process is slow. The risk is that a company invests considerable resources to design an e-process only to find that there is little use of the e-process.”
In an effort to address the user authentication and admissibility risk, organizations often inadvertently make the electronic process more complex and difficult to use because they set a higher standard for security than is normally required. It is important to remember that the primary reason for moving transactions online is to make them more efficient and convenient for all parties involved. If e-transactions become too complex, users will simply abandon the process and an organization will not realize the full potential of its investment.
E-Signature Process Management can mitigate adoption risk by offering flexible options for e-signing, security and authentication, to accommodate the unique requirements of each process.
A flexible e-signature process management solution provides organizations with numerous options for authenticating customers, presenting documents and applying electronic signatures to ensure high adoption and the optimal user experience across all channels and processes. For instance, organizations can use knowledge-based authentication, backed by usernames and passwords, to authenticate unknown, online applicants. In point-of-sale environments, documents can be presented to customers in paper format for review, and customers can add their signature to records by hand-signing on an electronic pad. For Web processes, customers “click-to-sign” documents directly within their web browser, thereby eliminating the need to download and install special software. These options mean organizations do not have to compromise on requirements and can achieve the optimal balance between security and usability.
6. RELATIVE RISK: “How Does It Compare to the Traditional Way?”
Locke Lord Bissell & Liddell defines relative risk as the risk the e-process poses compared to traditional processes: “There are authentication risks, repudiation risks and compliance risks with the traditional process of using wet ink and hard copy paper to complete transactions. Many companies have not examined such risks until they begin developing an e-process. For most electronic signature and e-discovery processes, the goal will be to have the transaction, on the whole, be no riskier than the current processes.”
E-Signature Process Management decreases overall risk compared to paper by providing greater control and visibility into processes.
When processes fall to paper, organizations not only decrease their operational efficiency and incur unnecessary costs, they lose control and visibility into their processes. The only evidence that a business agreement or transaction took place is the resulting document or contract. While this paper evidence captures signing intent, it does not reproduce all events leading up to the act of signing which may render a document ineffective or unenforceable. Further, paper documents are more easily lost and destroyed, and may be archived in a manner that makes them difficult and time-consuming to retrieve for litigation, regulatory and internal control purposes.
When processes remain electronic, organizations gain unprecedented control and visibility into their business. E-Signature process management fully executes and captures e-signing processes electronically from start to finish to enforce business, legal and regulatory requirements and enables organizations to reliably reproduce all events and actions. And because processes remain electronic, they can be monitored for anomalies and security breaches, and system administrators can be alerted.
The ESIGN team at Locke Lord Bissell & Liddell has concluded that a reasonably well designed process, which includes making sure the correct version of the mandated forms and state versions are used, supported by technology such as the Silanis (ApproveIt Web Server 3.0) solution, can reduce the authentication, repudiation, admissibility and compliance risk below the levels of traditional paper and wet ink process where there is not a reliable record of the entire transaction.