Lesson 5: System Requirements for Receiving e-Signatures
This lesson has already described the requirements for acceptable e-document receiving systems, per § 3.2000(b) of CROMERR. § 3.2000 also stipulates that systems receiving e-documents with e-signatures must also demonstrate certain functionality requirements. An approvable system must be able to provide proof of the following requirements.
- Signature valid at time of signing
- Document cannot be altered without detection after signing
- Opportunity to review content
- Opportunity to review certification statement
- Receipt acknowledgement
- E-signature agreements
- Identity Proofing with Legal Certainty
Review each requirement for more information.
Signature valid at time of signing
The system must be able to prove that the e-signature is valid at the time of signing.
When the document is signed, the e-signature must meet the requirements of a valid e-signature, as previously described in this lesson.
Note: This requirement must be met at the time the signature is executed.
Document cannot be altered without detection after signing
The system must be able to prove the e-document cannot be altered without detection after signing.
E-documents with e-signatures cannot be altered at any time—during or after transmission—after signing without detection. A system must be able to prove that the document content is the same as the content at the time of signing. Currently, this generally involves some sort of encryption software.
Note: This requirement must be met at the time the signature is executed.
Opportunity to review content
The system must be able to prove signatories have had the opportunity to review content.
Before actually signing, signatories must have an opportunity to review the content for which their signature is being requested.
Note: This requirement must be met at the time the signature is executed.
Opportunity to review certification statement
The system must be able to prove signatories reviewed the certification statement.
Before actually signing, signatories must have an opportunity to review certification statements, including warnings that false certification carries criminal penalties, to establish that they understood the implications of their signature and meant to sign. This is important should someone ever be prosecuted for criminal fraud.
Note: This requirement must be met at the time the signature is executed.
Receipt acknowledgement
The system must be able to prove an acknowledgement of receipt.
The system automatically sends an acknowledgment As defined in § 3.3 of CROMERR, a confirmation of electronic document receipt. of receipt of the document to an "out-of-band" address. This is usually paper mail or an email address that does not share the same controls as those used to access the online submission account. This ensures that if, by chance, the signature device was compromised, the owner of the device will be notified outside of the system that someone made submissions in their name. This is a common practice used by online shopping sites—after making a purchase on a site, you are notified that the purchase was made with a confirmation in a separate email system.
Note: This requirement must be met at the time of signatory registration.
E-signature agreements
The system must be able to prove signatories have signed e-signature agreements.
Signatories have executed e-signature agreements related to using their signature devices. The e-signature agreement can be done electronically, but can also be done on paper.
The agreement must include the following:
- The signatory agrees to protect their signature device, such as a password or hardware token, from compromise In relationship to an , refers to when the device's code or mechanism is available for use by any other person.;
- The signatory agrees to report any evidence of compromise; and
- The signatory understands that the signature they submit electronically with the device carries the same legal force and obligation as a hand written signature.
Usually, signatories execute this agreement when they register with the system to receive their electronic signature device As defined in § 3.3 of CROMERR, a code or other mechanism that is used to create electronic signatures. Where the device is used to create an individual's electronic signature, then the code or mechanism must be unique to that individual at the time the signature is created and he or she must be uniquely entitled to use it. The device is compromised if the code or mechanism is available for use by any other person..
Note: This requirement must be met at the time of signatory registration.
Identity Proofing with Legal Certainty
The system must be able to prove identities with legal certainty.
This is a requirement that serves to establish the identity of an individual who is issued (or registers) an electronic signature device with enough evidence that it will hold up in a court of law. This is the one instance in all these requirements in which CROMERR is tiered in terms of priority and non-priority reports As defined in § 3.3 of CROMERR, the reports listed in Appendix 1 to part 3..
- For Non-Priority Reports, the requirement does not specify how identity proofing is to be carried out.
- For Priority Reports, the identity proofing must be done prior to signature execution, and must be done with one of two specified methods.
Priority reports and their associated identity proofing requirements will be discussed in more detail later in this lesson.
Note: This requirement must be met at the time of signatory registration.