Effective digitalisation is the foundation of any advanced, forward-thinking business. The proliferation of software in our work life has led some of our basic elements of conducting business to transform into ground-breaking nuances in our corporate life. Everything is moving on the web,and so should our signatures. The breakthrough that our signatures have received, liberated our businesses from inefficient and obsolete administration and imperatives of manually written 'wet' signatures.
The concept of the signature has been one of the most enduring components of the decade which has been acting as a foundation of legally-binding negotiations, closing several deals since a long time now.
However, the role of technology in shaping the world, and more specifically in business practices, has led to the adoption of e-signature software. Even though the meaning in its entirety has remained largely the same, the structure has taken on a more prominent significance in the recent times.
What is electronic signature?
Electronic Signature or eSign are the counterparts of the traditional handwritten signatures in the offline world. An electronic signature is not only a digitised version of our handwritten signature. They are 100% legally binding and admissible in court, referring to the signer’s intent to consent to the substance of a report or information to which the signature relates.
The alarming rates at which cyber crimes are increasing, there have been certain strict compliance regulations that are to be followed before choosing an e-sign vendor, to avoid any kind of exposure to mishaps. It is critical to know the vendor’s data security and privacy procedures to mitigate the risks involved in taking the signing process over the web. It is the vendor's responsibility to safeguard all the documents and data from unnoticed contract changes, stolen information and fraudulent signatures.
In this article, we look into the esign security checklist and the necessary compliance rules that one should follow to avoid any exposure to mishaps. Let's have a look at the features of an efficient eSignature software.
Features of eSignature solution:
Ease of Use
Simplicity is the key, yet, it is not a simple thing to offer. The best eSign service delights you with its ease of use. Ideally, the new user must be able to adapt with complete confidence in the process.
The eSignature is more secure than the physical signature for a particular reason – Each Aadhaar based eSignature is validated by an Audit Trail which records the signature and the signer’s identity. The eSignature can never be tampered or accessed by the unauthorized. Most providers offer such basic assurance. However, financial or government organizations may have specific needs.
A good service provider never hides any charges. One could do well to compare the pricing of different providers.Sometimes, the eSignature that carries an added value like a personalized document or an extended security may have a relatively higher price.
Receptive To Multiple Applications
A physical signature can be made on any paper/document. The Aadhaar based electronic signature must provide the same flexibility too.One should be able to eSign on any virtual document, be it an MS Word, ERP, Adobe Acrobat, Auto CAD, well, just anything.
The Aadhaar based eSign and the Dongle based Digital Signature Certificate are the only valid types of eSignatures in India according to the Information Technology Act of 2000. In essence, the eSignature must comply with the regulations of your country. The regulations are also to be in sync with your industry standards.
Imagine, you eSign the documents and send it to the other party – now, it shouldn’t be a gobbledygook of a problem for the other signer. He/She must be able to easily understand the process and do it with confidence, ideally, without seeking help from Google
The main purpose of the Aadhaar based eSignature is to provide convenience to the signer. The service must be easily available on the web as well as the phone. It must be adaptive to all browsers at any given point of time and in any part of the world.
An agreement always has two parties – one who makes an offer and the one who agrees for the same. Hence, multiple parties should be able to make an eSignature on the document. The process involves a simple Aadhaar based authentication for all parties involved.
List of eSignature compliance rules
Currently, lenders can utilize e-signature technology for documents like loan applications, disclosure packets, letters of explanation and conditional approvals. However, for these documents to be considered valid, the e-signature process must meet compliance standards set forth in the E-Sign Act.
Intent to sign - Like traditional signatures, e-signatures are only valid if all parties intend to sign.
Consent to do business electronically - All parties must agree for the document to be signed in this manner. The E-Sign Act dictates that, before acquiring consent from a client, an institution must:
Inform the client they have a right to paper copies of the document.
Identify whether the consent applies only to a transaction or to ongoing transactions.
Inform the client they have the right to withdraw from consent, of the consequences of withdrawing consent, and of any fees imposed in case of withdrawal.
Provide the procedures for withdrawing consent and updating contact information.
Obtain client consent electronically in a manner that reasonably demonstrates the client’s ability to access information electronically.
Association of signature with the record - The system used to capture the transaction must keep an associated record that reflects the process by which the signature was created or by creating a graphic or textual statement to be added to the signed record.
Record retention- Electronic signature records must be capable of retaining and accurately reproducing for reference by all parties permitted to retain the document.
Keep in mind that, as with paper versions of these documents, there is a delivery timing requirement. Closing disclosures must be sent out at least 72 hours before the signing of a loan application to meet compliance standards.
List of E-signature security rules
In order to avoid the e-signature security issues, it is important to understand the e-signature security checklists and rules properly. So, the following discussion would take a look at some of the important e-signature security rules. In addition, the discussion would also focus on a security checklist for electronic signatures. Let's have a look:
The first rule for secure electronic signature is to comply with eIDAS, UETA and ESIGN definitions of electronic signature. If these precedents are not applicable, then the e-signature should comply with other national/local regulations. For example, you have the Information Technology Act in India. When you select an e-signature solution in the US, make sure that it complies with the requirements of UETA, ESIGN, and GPEA. It is very important to measure the eligibility of e-signatures for additional requirements that make it legally defensible. Most important of all, you should ensure that high-risk transactions do not use e-signature technologies for low-risk transactions.
The second e-signature security rule refers to the use of the same e-signature technology for all signatures on a document. If this condition is not fulfilled, then successive signatures should not destroy the evidence about previous signatures. On the other hand, if a document needs signatures from multiple signatories, then the same signature technology should be used. As a result, the intent, information, and integrity of the signature tend to remain unharmed. This is one of the most important precedents for e-signature security.
The third rule in e-signature security implies capturing the intent to sign at each instance of the signature. A person having the intent to sign an electronic record should adopt an electronic form of signature. The intent specifies the approval for information in a document by the concerned individual. The intent capture should be done for each signature as well as at the time of each signature. The intent should form a part of granular evidence within the audit trail of the e-signature. In addition, the intent should also represent the desire to sign for the signing process. Representation of the intent to sign should also be included as granular evidence in the audit trail of the e-signature. Failing to produce the evidence can render the e-signature invalid.
Now, we move towards our next rule for e-signature security by taking a hint from the previous rule discussed above. Every signed document should have an audit trail that includes the intent to sign for each signature. In addition, the audit trail should include consistent, timestamped, and granular evidence as we might have learned till now. Every e-signature should track and record all the steps in the signature process so that users could track a document. Users could observe different states of a document in a particular transaction through the audit trail.
The fifth rule of e-signature security refers to attaching an electronic signature to the electronic record being signed. Also, every signature should follow the established standards. The independent verification of the signature should not depend on the electronic signature service or website for validation. Another important concern related to e-signature is that association and integrity are not related together. Therefore, secure e-signature solutions should always ensure integrity as well as association. A reliable e-signature solution should prove the integrity of an e-signature alongside proving the association of the signature with a document. Proprietary means are ideal for achieving association that follows international standards for electronic signatures.
The sixth rule for security in electronic signature refers to multi-factor authentication. However, you can limit two-factor authentications in this case. The two-factor authentication would involve an email password or an OTP and a mobile device for accessing the password. According to the level of risk, some forms and documents may need higher levels of authentication.
The final rule for e-signature security refers to an instrument for preserving the integrity of a signed record. The signed record should be portable, tamper-evident, granular and independently verifiable. In addition, the record should also qualify for verification in the long-term. Therefore, integrity is highly crucial in order to prevent any tampering with electronic documents. Organizations should define the application of integrity to an electronic document. A standards-based e-signature is ideal in such cases. The governance of e-signatures depends on international standards. Furthermore, you could be at risk if the vendor does not have specific standards or they just provide password protection. Therefore, you have to focus on four core issues for ensuring the verification and integrity of signatures. The first aspect refers to portability or independent verification. The other aspects include tamper-evidence, long-term verification, and granularity.
eSign security checklist
Now let's talk about the most important concern that is the e-signature security checklist. The security checklist is basically a tool to verify all the precedents of security for e-signature. You should always have the security checklist handy for determining the reliability of an e-signature solution. It also ensures that the integrity of the e-signature is always intact. So, let’s have a look at the e-signature security checklist.
The first aspect that is included in the checklist for e-signature security refers to user authentication. In this aspect, you should ensure the authentication of users before e-signing and integrate the authentication with the e-signature and record. The different factors that you should focus on in this aspect refer to a solution for supporting multiple authentication methods.
In addition, the solution should have capabilities for configuring different authentication methods in the same transaction. The solution shall provide flexibility for adapting authentication methods to the risk profile of an organization alongside automation of each process. The solution should also give flexible alternatives for attributing in-person signatures such as SMS password and affidavits.
Audit Trail of the Signature
The next important factor in the e-signature security checklist is the audit trail. The audit trail provides additional security for an e-signature. esign documents online that can have independent verification and archive have an additional layer of security. Vendor independence is possible only if the solutions can embed e-signatures, audit trail, and timestamp directly in the e-signed document.
Therefore, you need to have a self-contained, portable record that can act as evidence. In this case, you need to look out specifically for two factors. The first factor implies the abilities for independent verification of document authenticity. The second factor refers to the capability for indexing, storing and retrieving the e-signed document in the preferred system of record.
Securing the Document as well as a Signature
The aspect of document and signature security should also be one of the important agendas for e-signature security. The e-signature solution should ensure security at the signature level as well as the document level. The important aspects that you should look out for are highly important for safeguarding sensitive information. You should verify that each document and signature have security for e-signature.
Furthermore, you should have a comprehensive audit trail showing the date and time of each signature. The audit trail should also provide secure embedding in the document and proper link with each signature. You should also check for the facility of one-click signature and document verification. The ability for verification of signed record validity offline is also crucial in this aspect. Another important factor is that the document should remain accessible to all parties in the transaction.
Audit Trail of the Signing Process and Compliance Programs
You should also note the audit trail of the signing process for checking the security of e-signatures. It makes sure that the audit trail contains the IP address, date, and timestamp of all events and others. The other factors include the length of time for reviewing each document and all the web pages, disclosures, and documents presented. In addition, the audit trail should also represent intent and other actions taken during the transaction. Finally, you should ensure that the e-signature vendor has appropriate compliance programs in place to deal with data breaches. The recommended compliance program is SOC2 while the other two are SSAE 16/SOC 1 and ISO 27001.
We recommend capturing a comprehensive audit trail of the signing process, because it enables you to demonstrate exactly how a customer completed a transaction on the web or through a mobile device. Most e-signature solutions in the market fall short when proving compliance, because they don’t have the ability to capture a full record of the signer’s actions.
In addition to the criteria listed above, look at the protocols an e-signature vendor has in place to identify and prevent data breaches. It’s important to understand the vendor’s security practices, certifications, track record, and the frequency of their security audits. Performing due diligence around a vendor’s security practices and infrastructure could expose past privacy breaches, incidents of data loss/leakage, or other risks such as insufficient cloud security expertise. In addition to leveraging cloud service providers that follow compliance programs and frameworks for security and data protection at the data centre level, partner with a vendor that meets additional security control and compliance requirements at the application layer. This ensures that the e-signature solution is secure and customer data is protected.
In this discussion, we were able to learn the importance of rules for e-signature security. The most important part of the discussion was dealing with the rules only. The most crucial rule for the security of e-signature among all the e-signature rules primarily refers to the integrity and association. You should always ensure the facility of an audit trail to track the e-signing process. Always remember that security is always the best policy so understand the e-signature security checklist and rules first before using electronic signatures for your business!