R. David Whitaker

1
So You Want To Take Your Business Electronic --
The Sequel Implementing electronic records and
signatures across a corporate platform -- A
round-up of pivotal issues

• R. David Whitaker
• Senior Company Counsel
• Strategy Operational Risk Group
• Wells Fargo Bank, N.A.

2
Agenda

• When last we left our heroes
• A review of key points from last years program
• Aim low, boys, theyre ridin Shetland ponies
• The small wins strategy
• Howdy, stranger
• Addressing attribution and authority to sign
• Them varmints have cut the telegraph wires!
• Dealing with notice and delivery issues
• Showdown at the OK Corral
• Managing electronic records
• Riding off into the sunset
• With apologies to Lewis Grizzard

3
When Last We Left Our Heroes -- Paving the Cow
Path Vs. Blazing a Trail
Replacing writings with electronic signatures and
records in an existing process
Building new processes and systems to take
advantage of electronic signatures and records

• Advantages
• Relatively easy numerous third-party solutions
  exist that will fit with existing systems
• Tends to be less expensive and faster to
  implement
• Preserves existing roles and functions for
  employees
• When it makes sense
• For repetitive documents that need to be
  completed, signed, transmitted and stored, but
  are not (or dont have to be) part of a larger
  process flow
• For taking in information or agreements online
  that would otherwise come in through the mail or
  by facsimile, but not further processed (license
  agreements, contracts to use online services,
  etc.)
• As a first step to blazing a trail
• Be aware of
• Managing the files after they are created
• Dependence on vendor solutions

• Advantages
• Offers significant efficiency and cost savings
  over time
• Improves quality control
• May improve and automate records management
  functions
• When it makes sense
• For transactions where information has to be
  promulgated across multiple systems
• For transactions with manual steps that can be
  automated if key data is machine-readable
• When your company is performing well and can
  absorb the cost
• Watch for
• Internal resistance
• Underestimating complexity
• Unrealistic time frames
• Leaving out key stakeholders
• Cost overruns
• Ignoring mundane design issues
• Ignoring long-term quality control and risk
  management issues

4
When Last We Left Our Heroes -- Hired Hands v.
Hired Guns?

• Tend to have a better grasp of business needs
• Less likely to have labor-based cost overruns
• Build off existing relationships
• Solid understanding of existing systems

Using in-house resources

• Better grasp of industry standards/practices
  (sometimes)
• Experience with other implementations often can
  suggest innovative problem-solving strategies
• May have turn-key solutions for portions of the
  project
• More likely to introduce, or be open to, new
  approaches

Using outside vendors
5
When Last We Left Our Heroes -- Are The Hired
Guns Sharpshooters, or Shooting Blanks?
Watch for
Be sure your contract covers

• PowerPoint Products
• Scalability
• Licensing dependencies
• Solvency
• Lack of knowledge of your specific industry and
  applicable standards
• In the contract
• Unrealistic liability limitations
• Warranty disclaimers that contradict promises
  made

• A detailed description of services and products
• Clear handling of intellectual property issues
• Warranties reflecting promises made
• For ASPs Warranties reflecting the business
  model
• For ASPs Service standards
• Exit strategies for
• Inadequate service
• Breach of warranty
• Merger or acquisition
• Insolvency
• Loss of key license
• Realistic time frames for exit
• Realistic liability and indemnity
• Protection against self-help remedies (beware MD
  and VA)
• Protection against future price-gouging

6
When Last We Left Our Heroes -- Herding Cats

• Blazing a trail often means leaving comfortable
  roles behind
• Internal resistance and roadblocks may come from
• Those who see their role/importance diminished
• Those who see their role eliminated
• Those who will be required to learn new skills
• Those who will be required to revise system
  designs/infrastructure
• Those who will be asked to take responsibility

7
When Last We Left Our Heroes How to Prevent a
Range War

• Attempts to foster/exaggerate third party
  objections
• Refusal to recognize a change in roles
• Unwillingness to modify existing infrastructure
  designs
• The dreaded phrase Out of Scope
• Assertions of legal/compliance uncertainty

Watch for

• Lead from the top down
• Directly explore/confirm third party objections
• Incent/enforce necessary changes in roles
• Support and fund the necessary infrastructure
  changes
• Seek outside advice to supplement internal sources

Be prepared to
8
Aim Low, Boys, Theyre Ridin Shetland Ponies --
The Small Wins Strategy
Execute
Qapla!
Desirable Enhancements
Start Here
Priority Value-Added Features or Services
Foundational Infrastructure Development
Access Authenticate
Send Receive Docs / other communication
Manifestation of Assent
Records and Data Management
9
Howdy, Stranger -- Addressing Attribution and
Authority to Sign
Electronic Signature
Key Elements

• Definition of signature -- Electronic Signature
  means an electronic identifying sound, symbol, or
  process attached to or logically connected with
  an electronic record and executed or adopted by a
  person with present intention to authenticate a
  record.
• This definition includes (for example)
• Typed names,
• A click-through on a software programs dialog
  box combined with some other identification
  procedure,
• Personal identification numbers,
• Biometric measurements,
• A digitized picture of a handwritten signature,
• Use of SecureID or Defender number generators,
  and
• A complex, encrypted authentication system.
• Note that a click-through probably does not
  satisfy the requirements for an electronic
  signature under Article 9 of the UCC.

• ESIGN and UETA require that
• The signature be attributable to the signer and
  associated with the records
• The signing party have authority to sign
• The signing party must have the intent to affix a
  signature to the record
• ESIGN and UETA do not require that
• The signature process itself provide proof of
  identity
• The signature process itself protect the record
  from alteration without detection

10
Howdy, Stranger -- Addressing Attribution and
Authority to Sign
Attribution basics
Attribution in the electronic world

• Legal sufficiency vs. attribution -- UETA and
  ESIGNs signature rules
• Answer the question is it a signature?
• Do NOT answer the question is it your
  signature?
• Attribution must be proven
• Attribution may be proven by any means, including
  surrounding circumstances or efficacy of
  agreed-upon security procedure
• The burden of proof is usually on the person
  seeking to enforce signature

• In an electronic environment, attribution is
  often proven by associating the signature with
  use of a credential. A credential is a method
  for establishing the identity of the signer, and
  may involve use of a password, employment of a
  token (such as a random number generator),
  biometrics, or demonstration of knowledge of a
  shared secret, or some combination of the above
  (or similar devices/approaches). Use of the
  credential gives the person receiving the signed
  record a reasonable basis to believe that the
  signature was created by the intended signer.

11
Howdy, Stranger -- Addressing Attribution and
Authority to Sign
Creating a Credential
Notes on credentials

• A credential may be
• Assigned to the signer directly by the intended
  recipient of the signed record, either in advance
  or at the time of signing.
• Assigned to the signer indirectly, through a
  hierarchical model, where the intended recipient
  gave a root or master credential to a person
  who is then authorized to provide derivative
  credentials to others (e.g. Recipient gives a
  master User ID and password for its Treasury
  Services website to an executive at Company X and
  the executive then establishes passwords for
  other Company X employees).
• Created spontaneously (often through the use of
  biometrics or a shared secret) at the time it
  is needed for the signing.

• Note that the effectiveness of the credential for
  attribution depends on the integrity and
  reliability of the process for first creating and
  assigning the credential to the individual.
• So, if it is easy to get a credential under false
  pretenses, then the value of the credential for
  attribution is diluted.
• But, if the process for first issuing the
  credential to the correct person is demonstrably
  reliable, then the later use of the credential
  will usually constitute strong evidence of
  attribution.
• In more sophisticated applications the customer
  may be given multiple credentials to permit two
  or three-factor authentication, depending on the
  risk level of the specific requested transaction.
  So, for example, a banking customer may be able
  to access general online banking services using a
  User ID and Password, but then be required to
  also provide a one-time password or PIN from a
  random-number generator before completing a funds
  transfer during the online session.

12
Howdy, Stranger -- Addressing Attribution and
Authority to Sign

• ESIGN and UETA incorporate the existing common
  law rule requiring that the signing party have
  the authority to sign.
• Individuals identity, age, capacity capacity
  is usually taken for granted with any person over
  the age of 18, unless there are indications to
  the contrary
• Representatives identity, age, capacity, and
  authorization to take the contemplated action on
  behalf of the represented party. The authority
  to act is not automatic just because a person is
  an appointed representative (e.g. an agent or
  employee). Authority must be either expressly or
  implicitly conferred by the represented person.

13
Howdy, Stranger -- Addressing Attribution and
Authority to Sign
Hail Mary
Very often used with small companies. It
presumes that in a small company anyone taking
action with respect to bank services must have
authority to do so because unauthorized activity
is so difficult to conceal. This involves a
cost/benefit risk analysis, since historically
small business employees have proven quite adept
at using bank accounts and banking relationships
to commit fraud under the noses of their
co-employees and owners.
Certificate of Authority
In the most formal of situations, a certificate
is required from the companys owners or
controlling body (Board of Directors, General
Partners, Members, etc.) confirming the authority
of a particular person to sign as a
representative of the company. In some cases,
confirmation of authority is incorporated into an
opinion letter from outside counsel, creating a
potential claim against outside counsel in case
of a later dispute.
Situational actual or apparent authority
Where authority is not formally established, it
may alternatively be established by circumstance.
Job titles and/or known supervision and review
of the proposed agreement by senior management
may establish either actual or apparent authority
to act.
The Hierarchical Model
In this model, the potential recipient of the
signed records (e.g. the bank) assigns a master
credential, through a highly reliable and
carefully controlled process, to a company
representative (e.g. the Senior Vice President
for Treasury Management Services) whose authority
to establish the initial relationship is beyond
question (either because of certification or
situational verification). In turn, the
recipients system of record permits the trusted
company representative to create lower-level
credentials for other company employees. These
credentials come with assigned rights, which may
include the right to enter into additional
agreements with the recipient. Presumably, the
master agreement between the recipient and the
company establishes the recipients right to rely
on the hierarchical model to establish the
authority of the lower-level employees to sign.
14
Them varmints have cut the telegraph wires! --
Dealing with Notice and Delivery Issues
Delivery Design Choices
Execution
Design

• Enrollment / consent process
• Audit trails and reporting
• Transmittal message contents
• Authentication process for access to secure data
  (if applicable)
• Record generation and posting to delivery system
• Message or notice generation/transmission
• Record retention/destruction process
• Record generation/posting

• Establish agreement on delivery
• When deemed delivered
• Delivery address
• Obligation to update address
• Obtain ESIGN Consent
• Generate records
• Send notice or attachments
• Provide opportunity to retain
• Generate audit trail
• Handle bouncebacks
• Handle withdrawal of consent

• Secure or Unsecure?
• Push out in email/SMS, or send ready notice and
  pull behind firewall?
• Embedded hyperlinks in ready notice email?
• Permit target to set delivery preferences?
• Permit target to designate multiple recipients?
• Forced review or bypassable?

• Key Considerations
• 2 Factor Authentication required?
• How will cross-system compatibility/communicatio
  n issues be addressed?
• How much of design will be automated or manual?
• Is system intended for use with targets without
  prior electronic relationship with sender?
• Regulatory requirements for timing, delivery,
  proximity, conspicuousness, forced review?

• Key Considerations
• Will the records contain sensitive information?
• Will the records contain required disclosures or
  notices?
• Are multiple delivery methods possible/desirable?
• Are there phishing or pharming issues to
  address?
• Need to maintain control over display and audit
  trails?
• Need to obtain ESIGN Consumer Consent?

• Key Considerations
• Addressing electronic delivery channels
• Agreement on what constitutes sending and
  receipt (Note some state UETAs limit variation
  by agreement)
• Agreement on obligation to update electronic
  addresses
• Managing bouncebacks and withdrawal of consent

15
Showdown at the OK Corral -- Managing Electronic
Records
Record Life Cycle
Destroy
Generate
Deliver
Store
Manage
Create Audit Trails Reports
Propagate Data
Track Record Versions
Extract Index Data
Active Data Processes
Boilerplate Docs
Transaction-specific Docs
Audit Trails for Enrollment, Delivery/Signing
Screen Shots Process Flows
Primary Record Categories
Secure and Consistent Record Management
Access Controls
Quality Integrity Controls
Record Destruction
Business Continuity
Search and Report Capabilities
Key Systems Issues
Record Management Responsibility
Secure Communication
Record Management Audit Trails Reports
Company Policies and Guidelines
16
Who was that masked man?
17
Some Additional Resources

• SM Standards and Procedures for
  electronic Records and Signatures available for
  purchase at www.spers.org
• FFIEC Information Technology Examination Handbook
  available at www.ffiec.gov/ffiecinfobase/html_pa
  ges/it_01.html
• FFIEC Guidance On Electronic Financial Services
  And Consumer Compliance available at
  www.ffiec.gov/PDF/EFS.pdf
• FTC Guidance on Dot Com Disclosures available
  at www.ftc.gov/bcp/conline/pubs/buspubs/dotcom/ind
  ex.html
• FTC Staff Report on Improving Consumer Mortgage
  Disclosures available at www.ftc.gov/opa/2007/06
  /mortgage.shtm
• AIIM Recommended Practice Report on Electronic
  Document Management Systems (AIIM ARP1-2006)
  available at www.aiim.org/documents/standards/arp1
  -2006.pdf