Though electronic signatures have been legal since the passing of the ESIGN Act in 2000, many business owners are still unsure how to use e-sign tools properly to best protect themselves. In today’s world, where meeting in person for a signature is becoming less and less common amidst social distancing requirements, it is more important than ever to know how to accept e-signatures safely. According to CPA Practice Advisor, there are six questions you should ask yourself regarding your electronic signature process.
The Six Questions
Signer Authentication - Do you know who signed the document? You can use an IP address to verify the identity of a signer.
Affirmative Act - Do you know they meant to sign the document?
Compliance - Has proper disclosure and consent been given? Sending a consent form can help to verify that the signature is both compliant and an affirmative act.
Document Authentication - Has the document been changed? Digital hashing, encryption, and public key infrastructure are all effective ways to make it impossible for anyone to alter a document without it being noticed.
Access - Can everyone who e-signed access the document? Provide a digital copy of the document or continuous access to it through an online portal.
Evidence - Can I prove compliance with all of the above?
Being able to prove that you are complying with rules involving signer authentication, affirmative act, compliance, document authentication, access, and evidence is the most important part of making sure that your company is protected when you accept e-signatures. You can keep an audit trail of the document including details such as time, date, IP address, and computer used to make each change to the document. This will help you verify the non-repudiation of the signature. According to CPA Practice Advisor, you should create this trail in a “write once, read many” format to ensure that it can’t be altered or deleted. This format provides the most protection to the document and complies with SEC and FINRA standards.
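As an added example (not from CPA Practice Advisor or any e-signature product), the Python below shows one way to make the audit trail described above tamper-evident: each entry records the time, IP address, device and a SHA-256 hash of the document, and is chained to the hash of the previous entry. The function names, field names and sample values are assumptions constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" used by the first entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def hash_entry(body: dict) -> str:
    # Canonical JSON so the same entry always hashes to the same value.
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())

def append_event(trail, document, action, timestamp, ip, device):
    """Record one event, bound to the document bytes and the previous entry."""
    body = {"timestamp": timestamp, "ip": ip, "device": device, "action": action,
            "doc_sha256": sha256_hex(document),
            "prev_hash": trail[-1]["entry_hash"] if trail else GENESIS}
    trail.append(dict(body, entry_hash=hash_entry(body)))

def verify_trail(trail, final_document):
    """Return a list of problems; an empty list means nothing was altered."""
    problems, prev = [], GENESIS
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev_hash"] != prev:
            problems.append(f"entry {i}: broken link to previous entry")
        if hash_entry(body) != entry["entry_hash"]:
            problems.append(f"entry {i}: contents altered")
        prev = entry["entry_hash"]
    if trail and trail[-1]["doc_sha256"] != sha256_hex(final_document):
        problems.append("document differs from last recorded version")
    return problems

def demo():
    """Constructed sample data; IP addresses are from documentation ranges."""
    contract = b"Engagement letter v1"
    signed = contract + b"\n/s/ Jane Doe"
    trail = []
    append_event(trail, contract, "sent", "2024-01-05T14:00:00Z", "192.0.2.10", "Firefox/Windows")
    append_event(trail, signed, "signed", "2024-01-05T14:07:31Z", "198.51.100.7", "Safari/iOS")
    intact = verify_trail(trail, signed)
    altered_doc = verify_trail(trail, signed + b" amended")  # document changed after signing
    trail[1]["ip"] = "203.0.113.99"                          # log entry edited afterwards
    return intact, altered_doc, verify_trail(trail, signed)

if __name__ == "__main__":
    print(demo())
```

Hash chaining only makes edits detectable. The most recent entry hash still has to be kept somewhere an editor cannot rewrite, which is the job of the write-once storage described above.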
Some parties, including the IRS, go even further and take additional security measures when accepting e-signatures. One way to do this is to enable multi-factor authentication and/or One-Time Passcodes that are sent to the user’s mobile device. Yet another is to use Knowledge-Based Authentication, wherein third-party software verifies a signer’s identity by asking them verifiable personal questions. The answers to these questions are pulled from public databases, and can include things like previous addresses or the signer’s high school mascot.
Depending on your industry, there may be additional compliance requirements associated with accepting electronic signatures. This is particularly true if you are handling client financial information. Regardless of your industry, though, you should always make sure that you are tracking your compliance and creating an audit trail that will enable you to verify the legitimacy of any e-signatures you collect.