
SIGNiX Insurance Industry

The Association for Cooperative Operations Research and Development, commonly known as ACORD, has released an informative document detailing federal and state electronic signature laws and providing guidelines and recommendations for the insurance industry on implementing electronic signature solutions. You can download the ACORD document by clicking here.

The document, written by well-known attorneys in the e-signature space, starts by analyzing the federal ESIGN and state-implemented UETA laws and their interactions with one another.  It also describes in some detail the delivery of electronic documents and disclosures, with special attention paid to particular classes of documents.  The Guidelines paper then concludes by discussing specific recommendations for choosing an e-signature solution. 

We thought it would be interesting to see how SIGNiX matches up to the guidelines and best practices described in the ACORD document.

Authentication

Authenticating users of an e-signature service through passwords, shared secrets, or other methods provides assurances as to who signed the document.  The Guidelines document suggests that companies:

“match the Authentication steps according to the risk of forgery to the type of transaction.  Neither ESIGN or UETA specify methods of authentication.  Nevertheless, we consider applying the appropriate level of Authentication as a Legal Requirement, not just Best Practices.”

The SIGNiX digital signature service provides users with a wide variety of authentication methods to choose from. Low-risk transactions authenticate users by their access to a specific email address, while higher-risk transactions can take advantage of our seamless integration with SMS text messaging and top-of-the-line knowledge-based authentication (KBA), which requires users to answer specific questions pulled from 30 years of public data.

Repudiation

A critical aspect of any signature process is its ability to prevent repudiation, that is, a signer claiming that he or she did not sign the document in the first place. The Guidelines document specifies that:

“an Electronic Signature process should include an Audit Trail in the process [and] a technology to apply the Tamper Seal to Electronic Records signed using an Electronic Signature.  [Both features] will improve the likelihood of Electronic Records with Electronic Signatures being admitted into court and will improve their persuasiveness to prove what the person actually signed.”

At SIGNiX, we generate a highly detailed audit trail that can track when a transaction started, who received the document, when they came to the site to view it, if they successfully authenticated, the signer’s consent to eSignature, as well as the time and date of each signature and initial.

SIGNiX also uses standards-based PDF digital signatures for every signature and initial on a document…not just a final cover signature after everyone’s ‘signed.’  With this, documents are independently verifiable, future-proof, and can even show what each individual signer was seeing at the time of signature.  Organizations need not check back with SIGNiX simply to validate the signatures on a document and the overall integrity of the executed document.  These signatures also clearly demonstrate tamper-evidence by changes to validity icons at the top of the screen in free, standards-based PDF viewers.

Admissibility Requirements

As we’ve suggested in this blog before, getting the document into court is just the first step.  Organizations may need to defend the lifecycle of the electronic document and the signature process as well.  For this, it’s important that:

“…the company seeking to enforce terms and conditions in a record (such as a false statement in an application for life insurance or an election to waive uninsured motorist coverage) must have a person (referred to as the Records Custodian) with first-hand knowledge of the Electronic Signature process at the time the consumer is said to have signed the document.”

The Custodian must be able to describe these aspects of the system:

  • “How the Electronic Signature process worked at the time the document was signed…”

The SIGNiX audit log provides clear evidence of each step of the transaction, and SIGNiX provides a variety of documentation and educational materials to explain our technology and these events in even more detail.

  • “…the basis for concluding that the record offered into evidence is a true and accurate copy of what was signed or acknowledged…”

The SIGNiX audit log as well as server records can be used to track the submission of the document into the system.  The fingerprint (hash) of the document is also included in the audit trail.  Finally, digital signatures used to represent each signer’s signature and initial provide easily explainable evidence as to the document’s integrity throughout the signature process.

  • “…the information captured by the Audit Trail…”

Each event in the SIGNiX audit trail is timestamped and includes a specific transaction ID.  Moreover, all of the digital signature details (certificate information, document hash, etc.) are included in that audit trail as well.

  • “…how the Tamper Seals on the Electronic Records works[sic] and show lack of tampering with the Electronic Records.”

As explained above, SIGNiX uses a fully standards-compliant PDF digital signature for each signature and initial event on each document.  This means that Custodians can directly refer to published standards such as ISO 32000-1 (PDF), as well as RSA, DSA, SHA, and other public key cryptography-related standards, when describing how every signature was applied, how they assure the integrity of the document, how they can be validated even without reference to SIGNiX, and finally how they clearly show any tampering with a document.

Specific Best Practices

The Guidelines document recommends that rather than delivering sensitive documents via email, users should be sent emails with a link to a “secure website to retrieve such Electronic Records, which the Audit Trail captures.”  SIGNiX follows this best practice and goes further by requiring signers to create a Signing PIN, which not only provides additional evidence as to their signatures and consents but also restricts access to sensitive documents once they are completed.

The document also stipulates that consumer consent to sign be electronically captured and that identity be authenticated at the same time.  As described above, SIGNiX meets these requirements with our detailed consent procedures as well as our seamless and scalable authentication capabilities.

Other best practices mentioned include selecting a tamper sealing mechanism as well as how to make sure the consumer is clearly aware of the legal significance of the process.  SIGNiX’s patented process allows organizations to choose the assurance provided by digital signatures minus the traditional worries associated with them (provisioning, cost, complexity) as users simply follow a wizard to prepare and sign documents…and SIGNiX handles the rest.

Technology Trusted by the Insurance and Annuity Space

SIGNiX’s ability to consistently exceed these guidelines and best practices is part and parcel of our DNA.  We built security in early on because we know that high-value documents, especially those in markets like insurance, need to be trusted and verifiable into the future…not just signed off for expedience by any e-signature service.

In fact, SIGNiX is the only solution certified by the annuity industry through IRI, the Insured Retirement Institute, as compliant with the rigorous standards adopted by the leading investment and insurance firms that comprise its membership.
