R. David Whitaker - PowerPoint PPT Presentation

1 / 17
About This Presentation
Title:

R. David Whitaker

Description:

R. David Whitaker. Senior Company Counsel. Strategy & Operational Risk Group. Wells Fargo Bank, N.A. 'So You Want To Take Your Business Electronic' -- The Sequel ... – PowerPoint PPT presentation

Number of Views:74
Avg rating:3.0/5.0
Slides: 18
Provided by: davidwh
Category:
Tags: david | fargo | wells | whitaker

less

Transcript and Presenter's Notes

Title: R. David Whitaker


1
So You Want To Take Your Business Electronic --
The Sequel Implementing electronic records and
signatures across a corporate platform -- A
round-up of pivotal issues
  • R. David Whitaker
  • Senior Company Counsel
  • Strategy Operational Risk Group
  • Wells Fargo Bank, N.A.

2
Agenda
  • When last we left our heroes
  • A review of key points from last years program
  • Aim low, boys, theyre ridin Shetland ponies
  • The small wins strategy
  • Howdy, stranger
  • Addressing attribution and authority to sign
  • Them varmints have cut the telegraph wires!
  • Dealing with notice and delivery issues
  • Showdown at the OK Corral
  • Managing electronic records
  • Riding off into the sunset
  • With apologies to Lewis Grizzard

3
When Last We Left Our Heroes -- Paving the Cow
Path Vs. Blazing a Trail
Replacing writings with electronic signatures and
records in an existing process
Building new processes and systems to take
advantage of electronic signatures and records
  • Advantages
  • Relatively easy numerous third-party solutions
    exist that will fit with existing systems
  • Tends to be less expensive and faster to
    implement
  • Preserves existing roles and functions for
    employees
  • When it makes sense
  • For repetitive documents that need to be
    completed, signed, transmitted and stored, but
    are not (or dont have to be) part of a larger
    process flow
  • For taking in information or agreements online
    that would otherwise come in through the mail or
    by facsimile, but not further processed (license
    agreements, contracts to use online services,
    etc.)
  • As a first step to blazing a trail
  • Be aware of
  • Managing the files after they are created
  • Dependence on vendor solutions
  • Advantages
  • Offers significant efficiency and cost savings
    over time
  • Improves quality control
  • May improve and automate records management
    functions
  • When it makes sense
  • For transactions where information has to be
    promulgated across multiple systems
  • For transactions with manual steps that can be
    automated if key data is machine-readable
  • When your company is performing well and can
    absorb the cost
  • Watch for
  • Internal resistance
  • Underestimating complexity
  • Unrealistic time frames
  • Leaving out key stakeholders
  • Cost overruns
  • Ignoring mundane design issues
  • Ignoring long-term quality control and risk
    management issues

4
When Last We Left Our Heroes -- Hired Hands v.
Hired Guns?
  • Tend to have a better grasp of business needs
  • Less likely to have labor-based cost overruns
  • Build off existing relationships
  • Solid understanding of existing systems

Using in-house resources
  • Better grasp of industry standards/practices
    (sometimes)
  • Experience with other implementations often can
    suggest innovative problem-solving strategies
  • May have turn-key solutions for portions of the
    project
  • More likely to introduce, or be open to, new
    approaches

Using outside vendors
5
When Last We Left Our Heroes -- Are The Hired
Guns Sharpshooters, or Shooting Blanks?
Watch for
Be sure your contract covers
  • PowerPoint Products
  • Scalability
  • Licensing dependencies
  • Solvency
  • Lack of knowledge of your specific industry and
    applicable standards
  • In the contract
  • Unrealistic liability limitations
  • Warranty disclaimers that contradict promises
    made
  • A detailed description of services and products
  • Clear handling of intellectual property issues
  • Warranties reflecting promises made
  • For ASPs Warranties reflecting the business
    model
  • For ASPs Service standards
  • Exit strategies for
  • Inadequate service
  • Breach of warranty
  • Merger or acquisition
  • Insolvency
  • Loss of key license
  • Realistic time frames for exit
  • Realistic liability and indemnity
  • Protection against self-help remedies (beware MD
    and VA)
  • Protection against future price-gouging

6
When Last We Left Our Heroes -- Herding Cats
  • Blazing a trail often means leaving comfortable
    roles behind
  • Internal resistance and roadblocks may come from
  • Those who see their role/importance diminished
  • Those who see their role eliminated
  • Those who will be required to learn new skills
  • Those who will be required to revise system
    designs/infrastructure
  • Those who will be asked to take responsibility

7
When Last We Left Our Heroes How to Prevent a
Range War
  • Attempts to foster/exaggerate third party
    objections
  • Refusal to recognize a change in roles
  • Unwillingness to modify existing infrastructure
    designs
  • The dreaded phrase Out of Scope
  • Assertions of legal/compliance uncertainty

Watch for
  • Lead from the top down
  • Directly explore/confirm third party objections
  • Incent/enforce necessary changes in roles
  • Support and fund the necessary infrastructure
    changes
  • Seek outside advice to supplement internal sources

Be prepared to
8
Aim Low, Boys, Theyre Ridin Shetland Ponies --
The Small Wins Strategy
Execute
Qapla!
Desirable Enhancements
Start Here
Priority Value-Added Features or Services
Foundational Infrastructure Development
Access Authenticate
Send Receive Docs / other communication
Manifestation of Assent
Records and Data Management
9
Howdy, Stranger -- Addressing Attribution and
Authority to Sign
Electronic Signature
Key Elements
  • Definition of signature -- Electronic Signature
    means an electronic identifying sound, symbol, or
    process attached to or logically connected with
    an electronic record and executed or adopted by a
    person with present intention to authenticate a
    record.
  • This definition includes (for example)
  • Typed names,
  • A click-through on a software programs dialog
    box combined with some other identification
    procedure,
  • Personal identification numbers,
  • Biometric measurements,
  • A digitized picture of a handwritten signature,
  • Use of SecureID or Defender number generators,
    and
  • A complex, encrypted authentication system.
  • Note that a click-through probably does not
    satisfy the requirements for an electronic
    signature under Article 9 of the UCC.
  • ESIGN and UETA require that
  • The signature be attributable to the signer and
    associated with the records
  • The signing party have authority to sign
  • The signing party must have the intent to affix a
    signature to the record
  • ESIGN and UETA do not require that
  • The signature process itself provide proof of
    identity
  • The signature process itself protect the record
    from alteration without detection

10
Howdy, Stranger -- Addressing Attribution and
Authority to Sign
Attribution basics
Attribution in the electronic world
  • Legal sufficiency vs. attribution -- UETA and
    ESIGNs signature rules
  • Answer the question is it a signature?
  • Do NOT answer the question is it your
    signature?
  • Attribution must be proven
  • Attribution may be proven by any means, including
    surrounding circumstances or efficacy of
    agreed-upon security procedure
  • The burden of proof is usually on the person
    seeking to enforce signature
  • In an electronic environment, attribution is
    often proven by associating the signature with
    use of a credential. A credential is a method
    for establishing the identity of the signer, and
    may involve use of a password, employment of a
    token (such as a random number generator),
    biometrics, or demonstration of knowledge of a
    shared secret, or some combination of the above
    (or similar devices/approaches). Use of the
    credential gives the person receiving the signed
    record a reasonable basis to believe that the
    signature was created by the intended signer.

11
Howdy, Stranger -- Addressing Attribution and
Authority to Sign
Creating a Credential
Notes on credentials
  • A credential may be
  • Assigned to the signer directly by the intended
    recipient of the signed record, either in advance
    or at the time of signing.
  • Assigned to the signer indirectly, through a
    hierarchical model, where the intended recipient
    gave a root or master credential to a person
    who is then authorized to provide derivative
    credentials to others (e.g. Recipient gives a
    master User ID and password for its Treasury
    Services website to an executive at Company X and
    the executive then establishes passwords for
    other Company X employees).
  • Created spontaneously (often through the use of
    biometrics or a shared secret) at the time it
    is needed for the signing.
  • Note that the effectiveness of the credential for
    attribution depends on the integrity and
    reliability of the process for first creating and
    assigning the credential to the individual.
  • So, if it is easy to get a credential under false
    pretenses, then the value of the credential for
    attribution is diluted.
  • But, if the process for first issuing the
    credential to the correct person is demonstrably
    reliable, then the later use of the credential
    will usually constitute strong evidence of
    attribution.
  • In more sophisticated applications the customer
    may be given multiple credentials to permit two
    or three-factor authentication, depending on the
    risk level of the specific requested transaction.
    So, for example, a banking customer may be able
    to access general online banking services using a
    User ID and Password, but then be required to
    also provide a one-time password or PIN from a
    random-number generator before completing a funds
    transfer during the online session.

12
Howdy, Stranger -- Addressing Attribution and
Authority to Sign
  • ESIGN and UETA incorporate the existing common
    law rule requiring that the signing party have
    the authority to sign.
  • Individuals identity, age, capacity capacity
    is usually taken for granted with any person over
    the age of 18, unless there are indications to
    the contrary
  • Representatives identity, age, capacity, and
    authorization to take the contemplated action on
    behalf of the represented party. The authority
    to act is not automatic just because a person is
    an appointed representative (e.g. an agent or
    employee). Authority must be either expressly or
    implicitly conferred by the represented person.

13
Howdy, Stranger -- Addressing Attribution and
Authority to Sign
Hail Mary
Very often used with small companies. It
presumes that in a small company anyone taking
action with respect to bank services must have
authority to do so because unauthorized activity
is so difficult to conceal. This involves a
cost/benefit risk analysis, since historically
small business employees have proven quite adept
at using bank accounts and banking relationships
to commit fraud under the noses of their
co-employees and owners.
Certificate of Authority
In the most formal of situations, a certificate
is required from the companys owners or
controlling body (Board of Directors, General
Partners, Members, etc.) confirming the authority
of a particular person to sign as a
representative of the company. In some cases,
confirmation of authority is incorporated into an
opinion letter from outside counsel, creating a
potential claim against outside counsel in case
of a later dispute.
Situational actual or apparent authority
Where authority is not formally established, it
may alternatively be established by circumstance.
Job titles and/or known supervision and review
of the proposed agreement by senior management
may establish either actual or apparent authority
to act.
The Hierarchical Model
In this model, the potential recipient of the
signed records (e.g. the bank) assigns a master
credential, through a highly reliable and
carefully controlled process, to a company
representative (e.g. the Senior Vice President
for Treasury Management Services) whose authority
to establish the initial relationship is beyond
question (either because of certification or
situational verification). In turn, the
recipients system of record permits the trusted
company representative to create lower-level
credentials for other company employees. These
credentials come with assigned rights, which may
include the right to enter into additional
agreements with the recipient. Presumably, the
master agreement between the recipient and the
company establishes the recipients right to rely
on the hierarchical model to establish the
authority of the lower-level employees to sign.
14
Them varmints have cut the telegraph wires! --
Dealing with Notice and Delivery Issues
Delivery Design Choices
Execution
Design
  • Enrollment / consent process
  • Audit trails and reporting
  • Transmittal message contents
  • Authentication process for access to secure data
    (if applicable)
  • Record generation and posting to delivery system
  • Message or notice generation/transmission
  • Record retention/destruction process
  • Record generation/posting
  • Establish agreement on delivery
  • When deemed delivered
  • Delivery address
  • Obligation to update address
  • Obtain ESIGN Consent
  • Generate records
  • Send notice or attachments
  • Provide opportunity to retain
  • Generate audit trail
  • Handle bouncebacks
  • Handle withdrawal of consent
  • Secure or Unsecure?
  • Push out in email/SMS, or send ready notice and
    pull behind firewall?
  • Embedded hyperlinks in ready notice email?
  • Permit target to set delivery preferences?
  • Permit target to designate multiple recipients?
  • Forced review or bypassable?
  • Key Considerations
  • 2 Factor Authentication required?
  • How will cross-system compatibility/communicatio
    n issues be addressed?
  • How much of design will be automated or manual?
  • Is system intended for use with targets without
    prior electronic relationship with sender?
  • Regulatory requirements for timing, delivery,
    proximity, conspicuousness, forced review?
  • Key Considerations
  • Will the records contain sensitive information?
  • Will the records contain required disclosures or
    notices?
  • Are multiple delivery methods possible/desirable?
  • Are there phishing or pharming issues to
    address?
  • Need to maintain control over display and audit
    trails?
  • Need to obtain ESIGN Consumer Consent?
  • Key Considerations
  • Addressing electronic delivery channels
  • Agreement on what constitutes sending and
    receipt (Note some state UETAs limit variation
    by agreement)
  • Agreement on obligation to update electronic
    addresses
  • Managing bouncebacks and withdrawal of consent

15
Showdown at the OK Corral -- Managing Electronic
Records
Record Life Cycle
Destroy
Generate
Deliver
Store
Manage
Create Audit Trails Reports
Propagate Data
Track Record Versions
Extract Index Data
Active Data Processes
Boilerplate Docs
Transaction-specific Docs
Audit Trails for Enrollment, Delivery/Signing
Screen Shots Process Flows
Primary Record Categories
Secure and Consistent Record Management
Access Controls
Quality Integrity Controls
Record Destruction
Business Continuity
Search and Report Capabilities
Key Systems Issues
Record Management Responsibility
Secure Communication
Record Management Audit Trails Reports
Company Policies and Guidelines
16
Who was that masked man?
17
Some Additional Resources
  • SM Standards and Procedures for
    electronic Records and Signatures available for
    purchase at www.spers.org
  • FFIEC Information Technology Examination Handbook
    available at www.ffiec.gov/ffiecinfobase/html_pa
    ges/it_01.html
  • FFIEC Guidance On Electronic Financial Services
    And Consumer Compliance available at
    www.ffiec.gov/PDF/EFS.pdf
  • FTC Guidance on Dot Com Disclosures available
    at www.ftc.gov/bcp/conline/pubs/buspubs/dotcom/ind
    ex.html
  • FTC Staff Report on Improving Consumer Mortgage
    Disclosures available at www.ftc.gov/opa/2007/06
    /mortgage.shtm
  • AIIM Recommended Practice Report on Electronic
    Document Management Systems (AIIM ARP1-2006)
    available at www.aiim.org/documents/standards/arp1
    -2006.pdf
Write a Comment
User Comments (0)
About PowerShow.com