Privacy and Digital Signatures

1
Privacy and Digital Signatures
  • Presented by
  • Tom Levandowski
  • Educaid

2
Consumer Privacy Rights
  • Federal Laws Protecting Privacy Rights - A
    partial list
  • Gramm-Leach Bliley Act. (Summary to follow)
  • The Fair Credit Reporting Act. (Places
    conditions on sharing consumer report information
    between affiliates)
  • The Child Online Protection Act (Imposes notice
    and consent rules on websites directed to
    children that collect personal information or
    websites where the owner has actual knowledge
    that personal information is collected from
    children)
  • FTC Act - Violating one's privacy policy may
    qualify as a deceptive trade practice under the
    FTC Act. Not clear whether collecting data
    without having a privacy policy can be a
    deceptive trade practice under the FTC Act.

3
Consumer Privacy Rights
  • State Laws Protecting Privacy Rights - The real
    wild-card.
  • Gramm-Leach-Bliley only preempts state privacy
    laws that are inconsistent with GLB
    requirements. States may enact legislation or
    rules providing greater protection than that
    afforded by the GLB rules (i.e., a state law is
    not inconsistent if it provides greater privacy
    protections).
  • Closely watch state law developments regarding
    consumer privacy!!!!!

4
Privacy Provisions of Gramm-Leach-Bliley Act
  • Law: Gramm-Leach-Bliley Act signed into law in
    November 1999.
  • Agency Rules: Federal banking agencies (OCC,
    Federal Reserve, FDIC and OTS), the Federal Trade
    Commission, and the Securities and Exchange
    Commission each passed regulations implementing
    the privacy provisions of GLB. Regulations
    largely identical.
  • Require financial institutions to provide notice
    to customers about their privacy policies and
    practices
  • Describe conditions under which financial
    institutions may disclose nonpublic personal
    information about consumers to nonaffiliated 3rd
    parties
  • Provide consumers the opportunity to prevent
    disclosures to most nonaffiliated 3rd parties by
    opting-out (subject to extensive list of
    exceptions)
  • Effective Date: The regulations issued by the
    federal agencies take effect on July 1, 2001.

5
Gramm-Leach-Bliley Privacy Rules
  • Scope: Regulates the sharing of (1) nonpublic
    personal information about individuals (2) who
    obtain financial products or services (3) from
    financial institutions primarily for personal,
    family or household purposes. Restricts
    financial institutions from disclosing NPI with
    most nonaffiliates without disclosure and choice.
  • NPI is collected to make education loans (NPI
    information collected on Loan App)
  • Education Loan (e.g. FFELP, Perkins, Private):
    financial product under the GLB Act
  • Under the GLB privacy rules, schools, lenders,
    guarantors, 3rd-party servicers,
    origination/disbursement subcontractors,
    secondary markets, and collection agencies are
    financial institutions by virtue of their
    typical activities in offering, processing or
    administering education loans. Even includes DOE
    as DL lender (or when DOE takes assignment of
    FFELP loans).

6
Gramm-Leach-Bliley Privacy Rules
  • Social Policy
  • Place information about the privacy policies and
    practices of financial institutions in the hands
    of consumers so consumers can use that
    information to select the financial
    institutions they want to receive financial
    products and services from.
  • Give consumers control - - via opt-out right - -
    over how financial institutions use and share the
    consumers' nonpublic personal information.

7
Gramm-Leach-Bliley Privacy Rules
  • Consumer vs. Customer - The obligations imposed
    on financial institutions by the GLB privacy
    rules vary depending on whether the information
    being shared pertains to a consumer or a
    customer.
  • What's the difference?
  • Consumer: an individual who obtains a financial
    product/service.
  • Student who applies for, but does not receive, a
    loan is a consumer
  • Loan application denied or withdrawn
  • Includes individuals who submit preapproval
    request but are not preapproved
  • Individual who uses an ATM machine from an
    institution that the individual does not bank
    with is a consumer
  • Isolated transactions only give rise to a
    consumer relationship
  • Customer: a consumer who establishes continuing
    relationship with a financial institution.
  • Student or parent who receives a loan is a customer

8
Gramm-Leach-Bliley Privacy Rules
  • Special Rule for Loans: Only one customer
    relationship attaches to an education loan. A
    loan transaction gives rise to only one customer
    relationship.
  • Many entities touch an education (FFELP or
    Private) loan
  • Lender, School
  • Guarantor/Insurer
  • Disbursement/Origination Agent, 3rd Party
    Servicer
  • DOE (Title IV Loans only)
  • Collection Firm
  • Billing Service subcontractor (e.g. Perkins Loan)
  • Who has the customer relationship??

9
GLB Privacy Rules - Who has the Customer
Relationship?
  • At the time an education loan is disbursed, the
    lender that funds the loan has the customer
    relationship (e.g. bank on a FFELP Loan or the
    school on a Perkins Loan). The lender is the
    entity providing the financial product or
    service.
  • Just to be clear:
  • Although a school establishes the initial
    customer relationship with respect to a Perkins
    Loan, a school does not establish a customer
    relationship by certifying a student's
    eligibility for a FFELP loan
  • A guarantor/insurer does not establish a customer
    relationship by issuing to the lender its
    guarantee/insurance on the FFELP Loan or private
    student loan.
  • An origination/disbursement agent does not
    establish a customer relationship by performing
    loan origination and/or disbursement functions on
    the lender's behalf.
  • A billing service or collection firm does not
    establish a customer relationship by performing
    services on a school's behalf (e.g. Perkins)
    pursuant to a services contract.

10
GLB Privacy Rules - Transferring the Customer
Relationship
  • Does the entity that establishes a customer
    relationship always keep the customer
    relationship?
  • Customer Relationship Transfer Events
  • Loan Sales. When a holder of a student loan
    sells the whole loan to a purchasing party, the
    customer relationship transfers to the loan
    purchaser.
  • Whole loan: the loan asset and the right to
    service the loan asset (servicing rights)
  • Examples of loan sales
  • Secondary market transactions - Sales of loan
    portfolios
  • Assignment of FFELP or Perkins Loan to the DOE
  • Recourse events, e.g.
  • Payment of default claim on a FFELP Loan to
    lender by Guarantor
  • Servicer purchase obligation for servicing errors
  • Repurchase obligation by Seller (prior holder)
    with respect to a Loan

11
GLB Privacy Rules - Transferring the Customer
Relationship
  • Customer Relationship Transfer Events (cont.)
  • Sale of Servicing Rights. The customer
    relationship transfers from bank (FFELP) or
    school (Perkins) to entity that purchases the
    servicing rights to the loan (i.e. regardless of
    whether the purchasing party purchases the loan
    itself).
  • Sale of servicing rights apart from sale of
    loan asset not a typical event in education loan
    industry.
  • Lender that hires a 3rd party to perform loan
    servicing under a fee for service contractual
    arrangement, or a guarantor that contracts with a
    collection firm to perform debt collection, does
    not sell servicing rights to the 3rd party
    servicer or collection firm.
  • Unless the contract describes a sale of the
    servicing rights, or effectively gives the
    subcontractor ownership of servicing rights, the
    lender or the guarantor retains the customer
    relationship. Servicing contracts typically

12
GLB Privacy Rules - Chief Obligations of
Financial Institutions
thomas paul levandowski Financial Institutions
subject to GLB who are not schools and can't
claim FERPA exemption
  • Chief Obligation 1: Privacy Notices. A
    financial institution must provide customers a
    (1) clear and conspicuous notice that accurately
    reflects its privacy policies and practices, and
    (2) when applicable, a reasonable opportunity to
    opt-out.
  • Existing Customer Notice - Notice must be sent so
    all existing customers have reasonable time to
    opt-out prior to 7/1/01.
  • New Customer Notice - Notice must be sent for all
    new customer relationships established on or
    after 7/1/01.
  • Initial Notice (at time customer relationship is
    established)
  • paper process - at time other federally mandated
    disclosures are provided
  • electronic process - at time of on-line
    transaction. The customer must consent to receive
    notice electronically, and the notice must then
    be provided to customer as a necessary step in
    completing the on-line transaction.

13
GLB Privacy Rules - Chief Obligations of
Financial Institutions
  • New Product Notice (when additional
    products/services are provided)
  • Timing is the same as for Initial notice above
  • Only needed if prior privacy notice received in
    connection with other products/services is not
    accurate with respect to the new product
  • E.g. A financial institution is not required to
    send another notice with each loan made under an
    MPN if the notice provided with the first loan
    remains accurate with respect to each subsequent
    loan.
  • Annual Customer Notice
  • Must provide recurring annual notice of privacy
    policies and practices during the continuation of
    the customer relationship.
  • Notice must be provided on a 12-month consistent
    basis

14
GLB Privacy Rules - Chief Obligations of
Financial Institutions
  • Annual Notice (cont.)
  • No need to provide annual notice to former
    customers
  • e.g. Customer who has paid-off all loans held by
    a financial institution or customer whose loan(s)
    are sold to another entity
  • Any use of NPI of former customer must comply
    with notice previously given to such former
    customer
  • Paper vs. Electronic Delivery
  • Revised Customer Notice - A financial institution
    must provide a new notice to all existing
    customers if the institution changes its privacy
    policies/practices in a way that makes the prior
    notice no longer accurate.

15
GLB Privacy Rules - Chief Obligations of
Financial Institutions
  • Notices on Joint Accounts. The basics
  • Parties to a Joint Account
  • the parent and endorser on an endorsed PLUS Loan
  • the primary borrower (e.g. student) and cosigner
    (e.g. parent) on an alternative student loan
    product
  • spouses on a spousal FFELP Consolidation Loan
  • When notices are required, a financial
    institution has the option of providing only one
    notice per loan account, even if two or more
    customers are jointly obligated on the loan
    account.

16
GLB Privacy Rules - Chief Obligations of
Financial Institutions
  • Notices on Joint Accounts (cont.)
  • A single opt-out notice on a joint account must
    state whether an opt-out election by one of the
    joint parties will automatically apply to all
    joint parties or whether each joint party can
    opt-out separately. If the notice describes
    separate opt-outs, the financial institution must
    still allow one of the joint parties to opt-out
    on behalf of all of the holders.
  • If a single notice is provided to one of the
    joint parties and the notice does not address the
    opt-out rights of other joint parties, the
    financial institution must still allow any other
    joint party to opt-out.

17
GLB Privacy Rules - Chief Obligations of
Financial Institutions
  • FYI - A bankruptcy condition does not excuse
    required GLB notices. A GLB Notice is not an
    attempt to collect a debt, and so does not
    violate an automatic stay.
  • Notices to Consumers -
  • No notices required unless and until the
    consumer's NPI will actually be shared. Notice,
    and a reasonable opportunity to opt-out (when
    required), must be provided to consumer prior to
    sharing of consumer's NPI.
  • E.g. Student dependent on a PLUS Loan is a
    consumer, not a customer.
  • E.g. Student or parent who applies for but does
    not receive a loan is a consumer, not a
    customer (unless the financial institution holds
    other prior loans for the student/parent).

18
GLB Privacy Rules - Chief Obligations of
Financial Institutions
  • Content of Privacy Notices. The principal
    information required in the initial, annual and
    revised privacy notices includes, as applicable:
  • The categories of NPI collected
  • The categories of NPI disclosed to others
  • The categories of affiliates and nonaffiliated
    3rd parties to whom such information is disclosed
    (other than those parties who receive information
    under an exception)
  • The categories of NPI disclosed about former
    customers and the categories of parties to whom
    such disclosures are made (other than those
    parties who receive information under an
    exception)
  • Any Fair Credit Reporting Act disclosures
  • An explanation of the consumer's opt-out rights,
    and
  • The policies and practices for protecting the
    confidentiality and security of NPI.

19
GLB Privacy Rules - Chief Obligations of
Financial Institutions
  • Good News: The gathering and sharing of
    consumer/customer information that is critical to
    the bread and butter business of education
    lending falls under numerous exceptions to the
    notice and opt-out requirements.
  • Result: Customer opt-out does not apply to the
    customary sharing of NPI that is undertaken to
    certify, process, make, guarantee, administer or
    service an education loan.
  • Result: Streamlined notice content requirements
  • Not required to provide detailed description of
    sharing that falls within an exception (it is
    sufficient to say "we share your customer
    information with third party companies as
    permitted by law")
  • No need to describe an opt-out with respect to
    nonaffiliate-sharing that falls within an
    exception
  • Reminder: Even if customer NPI is only shared
    under one or more of the exceptions, a financial
    institution must still provide an Initial Notice
    to customers. However, the notice does not need
    to describe NPI-sharing that falls within an
    exception in any detail or to provide an opt-out
    from such sharing.

20
GLB Privacy Rules - Chief Obligations of
Financial Institutions
  • Good News (cont.)
  • Some of the Applicable Exceptions: Customer
    notice does not need to describe, or provide an
    opt-out, for NPI-sharing that falls under the
    following categories:
  • Processing transactions at consumer's request.
    Disclosures made
  • As necessary to effect, administer, or enforce a
    student loan that a student loan consumer
    requests or authorizes or
  • In connection with
  • Servicing or processing a student loan product
    or service that a consumer requests or
    authorizes
  • Maintaining or servicing the student loan
    customer's account with the financial institution
  • A proposed or actual securitization, secondary
    market sale, or similar transaction related to
    customer's student loan.
  • Legal requirements, judicial process, or
    regulatory compliance. Disclosures to comply with
    federal, state, or local laws, rules and other
    applicable legal requirements.

21
GLB Privacy Rules - Chief Obligations of
Financial Institutions
  • Applicable Exceptions (cont.)
  • Consent. Disclosures made with the consent or at
    the direction of consumer.
  • Rating or Guaranty agencies. Disclosures to
    provide information to rating agencies, insurance
    rate advisory organizations, guaranty funds or
    agencies, and persons assessing the financial
    institution's compliance with industry standards.
  • Credit bureaus. Disclosures to a consumer
    reporting agency in accordance with the Fair
    Credit Reporting Act, or from a consumer report
    reported by a consumer reporting agency.
  • Sale or merger. Disclosures made in connection
    with a proposed or actual sale or merger of all
    or a portion of a business or operating unit of
    the financial institution, or in connection with
    a loan sale, if the disclosure of the NPI
    concerns solely consumers of such business or
    unit or attached to the portfolio for sale.
  • Antifraud. Disclosures to protect against or
    prevent actual or potential fraud, unauthorized
    transactions, claims, or other liability. E.g.
    Skip-tracing.

22
GLB Privacy Rules - Chief Obligations of
Financial Institutions
  • Chief Obligation 2 - Reuse/Redisclosure.
  • Applies to all entities who receive NPI of
    education loan borrowers but who do not have the
    customer relationship
  • E.g. Guarantor/Insurer, Origination/Disbursement
    Agent, or 3rd party servicer who receives NPI
    from a Lender
  • School reuse/redisclosure obligations related to
    the loan information determined by FERPA.
  • When a nonaffiliated 3rd party receives NPI
    pursuant to one of the exceptions, the 3rd
    party may disclose and use such NPI only as
    follows
  • The 3rd party may disclose the information to the
    financial institution's affiliates
  • The 3rd party may disclose the information to the
    3rd party's affiliates, but its affiliates may,
    in turn, disclose and use the information only to
    the extent that the 3rd party may disclose and
    use the information and

23
GLB Privacy Rules - Chief Obligations of
Financial Institutions
  • Chief Obligation 2 - Reuse/Redisclosure (cont.)
  • The 3rd party may disclose and use the
    information pursuant to one of the exceptions
    in the ordinary course of business in order to
    carry out the activity covered by the exception
    under which it received the information.
  • Parties who receive NPI from a School must comply
    with FERPA's reuse/redisclosure requirements and
    stand in school's shoes.
  • Financial Institutions are not required to
    monitor the use of NPI by nonaffiliated 3rd
    parties to whom it properly (in accordance with
    notice and applicable opt-out requirements)
    discloses such information.

24
GLB Privacy Rules - Chief Obligations of
Financial Institutions
  • Chief Obligation 3 - Establish Information
    Security Program for customer records and
    information. Banking Agencies only at this point
    (not FTC).
  • The Program must establish appropriate
    administrative, technical, and physical
    safeguards appropriate to the size and complexity
    of the institution and the nature and scope of
    its activities.
  • The "what" Requirement: The Program must (1)
    ensure the security and confidentiality of
    customer information; (2) protect against any
    anticipated threats or hazards to the security or
    integrity of such information; and (3) protect
    against unauthorized access to or use of such
    information that could result in substantial harm
    or inconvenience to any customer or risk to the
    safety and soundness of the financial institution.

25
GLB Privacy Rules - Chief Obligations of
Financial Institutions
  • Chief Obligation 3 - (cont.)
  • The "how" Requirement. Financial Institutions
    must (1) identify and assess the risks that may
    threaten customer information; (2) develop a
    written plan containing policies and procedures
    to manage and control these risks; (3) implement
    and test the plan; and (4) adjust the plan on a
    continuing basis to account for changes in
    technology, the sensitivity of customer
    information, and internal or external threats to
    information security.
  • Duty to Monitor 3rd parties. The financial
    institution remains responsible for safeguarding
    customer information even when it gives a service
    provider, agent or subcontractor access to that
    information.
  • It must use due diligence to manage and monitor
    its outsourcing arrangements to confirm that its
    service providers, agents, subcontractors have
    implemented an effective information security
    program to protect customer information and
    customer information systems consistent with the
    joint banking agencies' guidelines.

26
GLB Privacy Rules - Perform a Self-Assessment
  • Determine if other non-loan customer
    relationships exist
  • Lenders, servicers, guarantors, collection firms,
    origination agents, secondary markets, schools,
    marketing firms should take an inventory of all
    products and services offered to students (e.g.
    default aversion workshops, credit counseling,
    online pre-loan services) and determine whether
    such activities establish an independent customer
    relationship with a consumer and trigger GLB
    notice and opt-out compliance.
  • An inventory of such activities should examine
    whether
  • the consumer of any such product/service is the
    student or the school (GLB requirements do not
    apply to products/services offered to schools,
    corporations, commercial partners),
  • the product/service falls under the GLB
    definition of a financial product or service.
    An evaluation of this item should examine whether
    the activity is a distinct product/service
    separate from the borrower's loan (remember the
    loan gives rise to only 1 customer relationship),

27
GLB Privacy Rules - Perform a Self-Assessment
  • Inventory (cont.)
  • the product/service constitutes an isolated
    transaction as described in the definition of
    customer relationship (per an isolated
    transaction gives rise to a consumer
    relationship and not a customer relationship),
    and
  • NPI of the consumer is collected and/or retained
    as part of the activity (if no consumer NPI is
    collected/retained, then sharing of NPI cannot
    occur).

28
GLB Privacy Rules - Grey-Areas
  • Privacy Rule Applicability to States, State
    Instrumentalities (e.g. state Guarantors)
  • Whether GLB privacy rules apply hinges not on
    what you are, but rather on what you do. Unless
    an explicit "entity-type" carve-out applies, the
    privacy rules require you to look at what you do
    and to determine whether you engage in activities
    that are financial in nature or incidental to
    such financial activities as described in the
    Bank Holding Company Act.
  • The FTC and the OCC have both stated publicly
    that guaranty agencies are financial
    institutions, and that a guarantor establishes a
    customer relationship in connection with a FFELP
    Loan when it pays an insurance claim on the loan.

29
GLB Privacy Rules - Grey-Areas
  • Privacy Rule Applicability to States (cont.)
  • The DOE's comments to the proposed FTC rule
    stipulate that guarantors (as well as lenders,
    servicers and ED itself) are subject to GLB in
    the performance of their guaranty agency
    functions.
  • What about other state entity functions?
  • State scholarship or grant programs - - with or
    without potential repayment components?
  • prepaid tuition programs?
  • Securitizations - Does the customer relationship
    transfer to the securitization trust?

30
GLB Privacy Rules - Watch Issues
  • Use of Social Security Numbers/Account Numbers
  • Account numbers may not be shared to
    nonaffiliated 3rd parties for marketing purposes
    (i.e., telemarketing, direct mail marketing, or
    other marketing). If account numbers are not
    disclosed for such marketing purposes, then
    disclosure of account numbers is not subject to
    this limitation.
  • A financial institution typically provides
    account numbers (e.g. social security numbers) to
    nonaffiliated 3rd parties - - for FFELP loans and
    private loans - - as part of providing NPI
    under one of the numerous exceptions. As long
    as student loan account numbers are shared with
    nonaffiliated 3rd parties for one of the
    exceptions, the sharing is not subject to the
    account number disclosure limitations.
  • Watch for federal or state legislation seeking to
    eliminate use of SSN for account identifier
    purposes.

31
GLB Privacy Rules - Watch Issues
  • Closely watch state law developments regarding
    consumer privacy. For example, states are
    expected to pursue an opt-in prerequisite to any
    sharing and also restrictions on the ability to
    share information with affiliates.
  • Financial Institutions who conduct business in
    multiple states will need to comply with the
    privacy laws of each such state (per GLB gives
    states the right to enact greater protections
    than that afforded by GLB).

32
GLB Privacy Rules
  • Questions??

33
State/Federal Laws - Electronic Signatures
Records
  • State Uniform Electronic Transactions Act
    (UETA).
  • UETA sets forth requirements concerning
    electronic contracts, signatures and records.
  • Enacted as is by 22 states; 7 states have
    introduced legislation based on UETA.
  • Certain states, like California, have adopted
    UETA and included additional consumer protections
    that could affect a transaction.

34
State/Federal Laws - Electronic Signatures
Records
  • Federal: The Electronic Signatures in Global and
    National Commerce Act (E-Sign)
  • E-Sign Effective Dates
  • enacted 6/30/00
  • generally effective 10/1/01; delayed until 3/1/01
    for state or federal record retention
    requirements.
  • Consumer consent provisions effective for FFELP,
    Perkins and DL 6/30/01.

35
State/Federal Laws - Electronic Signatures
Records
  • Federal (cont.)
  • E-Sign Preemption
  • Preempts state laws that interfere with
    electronic commerce, except that
  • The state UETA will apply instead of E-Sign if
    the state adopted UETA as is (corollary: state
    modifications to UETA that are inconsistent with
    E-Sign are preempted)
  • State law will apply if it (1) specifies
    alternative procedures or requirements for using
    electronic signatures that are consistent with
    E-Sign, (2) is technology-neutral, and (3) is
    enacted after the 6/30/00 E-Sign effective date.

36
E-Sign General Principles
  • Electronic signatures and contracts are valid
    (i.e., a contract cannot be denied legal effect
    because it is signed electronically)
  • Any legal requirement to give information in
    writing to a consumer, is satisfied if given in
    electronic form.
  • Electronic record retention is valid

37
E-Sign - Electronic Signatures
  • General Rule: A signature can't be denied legal
    effect solely because it is in electronic form.
  • What is an electronic signature?
  • An electronic sound, symbol or process
  • Attached to or logically associated with a
    contract or other record
  • Executed or adopted by a person with the intent
    to sign the record
  • Note: E-Sign does not require consumers to use
    electronic signatures.

38
E-Sign - Electronic Signatures
  • E-Sign does not (1) require the use of any
    particular technology, or (2) specify what makes
    an electronic signature enforceable.
  • Types of E-signature technologies
  • Password
  • "I agree" button
  • Digitized image of signature
  • PIN number
  • Digital signature (Public Key Infrastructure -
    PKI)
  • Biometrics
  • Smart Card

39
E-Sign - Electronic Signatures
  • Although not detailed by E-Sign, all types of
    electronic signatures should provide certain
    safeguards, as appropriate for the document being
    signed, in order to withstand legal challenge.

40
E-Sign - Electronic Signatures
  • Electronic signatures, regardless of technology,
    should assure
  • Data Integrity - How does the lender know that
    the borrower has signed the document the lender
    provided?
  • Attribution - How does the lender know that the
    borrower, as opposed to a 3rd party, actually
    signed the document?
  • Non-repudiation - How does the lender refute a
    borrower's claim that he/she didn't sign the
    document?
  • Reliability - How do the lender and borrower
    prove that neither has altered the document after
    execution?
  • There is a greater burden on electronically
    signed p.notes to meet these assurances than
    other documents

41
E-Sign - Electronic Signatures
  • SFA PIN Process
  • Getting the PIN
  • 1. Borrower requests SFA PIN at the SFA Website.
    SFA matches borrower name, SSN and DOB with SSA
    database.
  • 2. SSA authenticates data to SFA.
  • 3. SFA issues PIN to Borrower (PIN is mailed and
    includes name, SSN, and DOB).
  • Using the PIN in FFELP
  • 1. School sends electronic certification to
    Lender
  • 2. Borrower completes on-line app/note at
    Lender's website. At an appropriate point in the
    on-line transaction, the lender's website
    displays the SFA PIN web pages

42
E-Sign - Electronic Signatures
  • Using the PIN (cont.)
  • (actually transfers the borrower to the SFA
    website without losing the look and feel of the
    lender's site) and the borrower signs the
    app/note by providing his/her SFA PIN.
  • 3. SFA Website processes PIN through separate PIN
    Database and sends a confirmation of the validity
    of the Borrower's PIN to Lender.
  • 4. Record of Transaction is generated and
    retained (including corroborating evidence such
    as the origination record, disbursement, etc.)
  • SSA has indicated it's okay for DOE to share SFA
    PIN (which includes Borrower SSN) with all Title
    IV trading partners. DOE apparently pushing to
    allow SFA PIN use for other state-based grant
    programs involving Title IV funds (e.g. SSIG)

43
E-Sign - Electronic Notices
  • General Rule: Any legal requirement to give
    information in writing to a consumer is satisfied
    if given in electronic form, provided 3 basic
    conditions are met:
  • 1. Consumer Consent - The consumer has
    affirmatively consented to the use of
    electronic communications and has not withdrawn
    such consent
  • 2. Informed Consent - Prior to consent, the
    consumer is provided a clear and conspicuous
    statement which
  • describes the categories of records covered by
    the consent
  • explains the right to have the record provided in
    writing (and how to obtain the paper copy), and
  • explains the right to withdraw consent, the
    procedures for withdrawing consent, and the
    conditions that apply if consent is withdrawn

44
E-Sign - Electronic Notices
  • Consumer consent conditions (cont.)
  • 3. Hardware and software requirements - Prior to
    consent, the consumer is given a statement of the
    hardware and software requirements for accessing
    and retaining electronic records. The consumer
    must then give or confirm consent electronically
    in a manner that reasonably demonstrates the
    consumer can access electronic records. (Duty to
    provide revised requirements also.)
  • If these requirements are met, an electronic
    record (e.g. e-mail or web-posting) can be
    substituted for a consumer notice required to be
    in writing.

45
E-Sign - Electronic Notices
  • Consumer consent conditions (cont.)
  • What kinds of written consumer notices can be
    provided electronically? Truth-in-Lending
    disclosures. FFELP due diligence notices and
    other documents that FFELP requires to be
    provided in writing to borrowers.
  • Important Points
  • These consumer consent provisions apply only to
    electronic delivery of certain consumer notices,
    i.e., those required by law to be in writing, and
    not to the formation of consumer contracts using
    electronic signatures. So, the consumer consent
    conditions do not apply to electronically signed
    education loan promissory notes.
  • All consumers who consented to receive
    electronic notices prior to 10/1/00 can continue
    to receive electronic notices (no need to comply
    with E-Sign consent provisions in these cases).

46
E-Sign - Electronic Retention of Contracts and
Records
  • In addition to facilitating electronically signed
    contracts, E-Sign also encourages electronic
    record retention.
  • General Rule: If an existing statute or
    regulation requires contracts or records to be
    retained, that requirement is met by retaining an
    electronic record of the information, provided
    that the electronic record
  • accurately reflects the information set forth in
    the contract or record,
  • remains accessible in a form capable of being
    accurately reproduced for later reference by all
    parties who are entitled to retain the contract
    or other record,
  • is retained for the required time period

47
E-Sign - Electronic Retention of Contracts and
Records
  • E-Sign also supersedes laws or regulations
    requiring that a contract or record be kept in
    writing or in its original form to be
    enforceable.
  • Before replacing paper records with electronic
    records, determine whether adequate safeguards
    (technological, procedural or administrative) are
    in place to assure that the electronic records
  • are an accurate reproduction of the paper
    records, and
  • have not been tampered with.
  • E-Sign electronic record retention should apply
    broadly to any FFELP regulation requiring
    retention of a document in writing or in its
    original form.
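
One way to check the two safeguards listed on this slide, and the data integrity and reliability questions from slide 40, is shown below as an added example; it is not part of the original presentation. The key, record fields, signer IDs and note text are constructed assumptions, and because the keyed hash (HMAC) uses a key held by the record keeper, it shows tampering after execution but does not provide non-repudiation, which needs an asymmetric (PKI) digital signature.

```python
import hashlib
import hmac
import json

# Constructed sample values; none of these come from the presentation.
RETENTION_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # prev_mac value used by the first record in a chain


def _canonical(fields: dict) -> bytes:
    # Stable serialization so the same fields always produce the same MAC.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def seal_record(document: bytes, signer_id: str, signed_at: str,
                prev_mac: str, key: bytes) -> dict:
    """Build a retention record bound to the exact document bytes."""
    fields = {
        "doc_sha256": hashlib.sha256(document).hexdigest(),
        "signer_id": signer_id,
        "signed_at": signed_at,
        "prev_mac": prev_mac,
    }
    mac = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "mac": mac}


def verify_record(record: dict, document: bytes, key: bytes) -> list:
    """Return a list of problems; an empty list means the record checks out."""
    problems = []
    fields = {k: v for k, v in record.items() if k != "mac"}
    expected = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record.get("mac", "")):
        problems.append("record fields altered after sealing")
    if hashlib.sha256(document).hexdigest() != record.get("doc_sha256"):
        problems.append("document differs from the one that was signed")
    return problems


def verify_chain(records: list, documents: list, key: bytes) -> list:
    """Check each record and the links between them (removal or reordering)."""
    problems = []
    prev = GENESIS
    for i, (rec, doc) in enumerate(zip(records, documents)):
        for p in verify_record(rec, doc, key):
            problems.append(f"record {i}: {p}")
        if rec.get("prev_mac") != prev:
            problems.append(f"record {i}: chain link broken")
        prev = rec.get("mac", "")
    return problems


def demo() -> dict:
    # Two constructed promissory notes and their sealed retention records.
    note_a = b"Promissory note A: borrower agrees to repay 5000 USD."
    note_b = b"Promissory note B: borrower agrees to repay 2500 USD."
    r1 = seal_record(note_a, "borrower-001", "2001-07-01T10:00:00Z",
                     GENESIS, RETENTION_KEY)
    r2 = seal_record(note_b, "borrower-002", "2001-07-01T11:00:00Z",
                     r1["mac"], RETENTION_KEY)
    altered_note = note_a.replace(b"5000", b"9000")
    forged = dict(r1, signer_id="borrower-999")
    return {
        "clean": verify_chain([r1, r2], [note_a, note_b], RETENTION_KEY),
        "altered_document": verify_record(r1, altered_note, RETENTION_KEY),
        "altered_record": verify_record(forged, note_a, RETENTION_KEY),
        "dropped_record": verify_chain([r2], [note_b], RETENTION_KEY),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result or "ok")
```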

48
E-Sign - Electronic Signature Records
  • What is the DOE's response to E-Sign?
  • The DOE is making the SFA PIN process available.
  • The DOE is drafting standards for
  • electronic signatures
  • electronic notices
  • electronic record retention

49
E-Sign - Electronic Signature Records
  • DOE guidance is not required to take advantage of
    electronic signatures under E-Sign. However, the
    industry is pushing for high-level standards that
    provide a safe harbor for keeping insurance,
    reinsurance and other FFELP benefits intact.
  • The DOE is drafting a detailed document based on
    Freddie Mac (mortgage industry) standards,
    resulting in proposed standards that are largely
    inappropriate or unnecessary within Title IV
    lending.

50
E-Sign - Benefits of Electronic Signature
Records
  • Convenience: with valid electronic signatures,
    parties to a contract do not need to exchange
    physical copies of the contract to have a valid,
    binding agreement. All required disclosures can
    be provided on line.
  • Time savings: transactions can be closed
    instantly, speeding up the business cycle.
  • Enhanced security: depending on the technology
    used, an encrypted digital signature can
    establish a tamper-proof electronic record.
  • Cost savings: it is much more efficient and
    cost-effective to generate and retain electronic
    records than paper records.

51
Issues
  • Student loan specific technology probably not
    cost effective
  • Need for acceptance of interoperable multi-use
    technology