Standards and Procedures For Electronic Records and Signatures
ELECTRONIC RECORDS AND SIGNATURES -- CHALLENGE AND OPPORTUNITY
New eCommerce laws make possible the widespread replacement of paper documents with electronic records. They also enable the broad use of electronic signatures. Many businesses have begun converting their operations to avail themselves of the enormous advantages offered by electronic records systems.
While the new eCommerce laws permit the use of electronic records and signatures, they also require that electronic systems and processes meet specific standards for:
- Obtaining consent to use electronic records and signatures,
- Presentation of information,
- Execution of signatures and creation of agreements,
- Record retention,
- Printing, and
- Delivery.
SPeRS APPENDIX B – SUMMARY OF SPeRS PRINCIPLES
http://esignrecords.files.wordpress.com/2009/03/spers-summary1.pdf
SPeRS APPENDIX B – SUMMARY OF SPeRS PRINCIPLES
Appendix B - 1
Section 1 Summary Statement of Standards to Guide Systems Design Teams
STANDARD 1-1. IDENTIFYING AND EVALUATING THE APPROPRIATE
AUTHENTICATION STRATEGY – CREATING THE RELATIONSHIP
SPERS STANDARD 1-1
The System Design Team should determine the appropriate Authentication Process for
establishing a Relationship with each Transaction Participant. The assessment and selection
Process should include:
• Assessing the legal liability and Transaction risk associated with failing to correctly
identify the Transaction Participant,
• Assessing the practical and system considerations that may affect the choice of an
Authentication Process,
• Determining whether the Authentication Process for the Transaction must comply with
specific legal or regulatory requirements,
• Selecting an Authentication strategy that provides an appropriate level of security and
certainty, based on the preceding considerations, and
• Determining what information will be required in order to implement the selected
Authentication strategy.
STANDARD 1-2. IDENTIFYING AND EVALUATING THE APPROPRIATE
AUTHENTICATION STRATEGY – CREDENTIALS
SPERS STANDARD 1-2
The System Design Team should determine the appropriate Credential for a Participant
conducting a Transaction as part of an established Relationship. The process for selecting a
Credential should include:
• Assessing the risks associated with unauthorized access to conduct the Transaction,
• Determining whether there are specific legal or regulatory requirements for a Credential
associated with the Transaction;
• Determining the types of Credentials appropriate to the Transaction based on the risk
assessment and any applicable legal or regulatory requirements,
• Determining the cost of establishing and using a particular Credential,
• Assessing the relative speed with which the Credential may be established and used,
• Assessing any specific hardware or software requirements to use a particular Credential
and whether such requirements are appropriate to the Transaction, and
• Evaluating the information that needs to be obtained from, and provided to, the
Transaction Participant to implement and maintain a particular Credential.SPeRS APPENDIX B – SUMMARY OF SPeRS PRINCIPLES
Appendix B - 2
STANDARD 1-3. PROVIDING CONSUMERS INFORMATION CONCERNING THE
DISTRIBUTION OF RISK OF UNAUTHORIZED TRANSACTIONS
SPERS STANDARD 1-3
Where appropriate, and particularly in Consumer Transactions, the System Design Team should
consider providing a Transaction Participant with an opportunity to obtain information
concerning the risks associated with unauthorized Transactions, including:
• The Transaction Participant’s responsibilities with respect to protecting Credentials,
• The potential consequences of unauthorized use of Credentials, and
• The procedure for giving notice that a Credential has been stolen or compromised.
STANDARD 1-4. ESTABLISHING THE AUTHORITY OF REPRESENTATIVES
SPERS STANDARD 1-4
Where appropriate, the System Design Team should consult with legal counsel or compliance
personnel to determine whether it is likely that individuals will be representing Transaction
Participants (either individuals or legal entities such as corporations or trusts) other than
themselves, and if so:
• Determine whether it is advisable to obtain some representation or evidence of the
individual’s authority to act as a representative, and
• Establish appropriate methods for obtaining representations or evidence of the
representative’s authority.SPeRS APPENDIX B – SUMMARY OF SPeRS PRINCIPLES
Appendix B - 3
Section 2 Summary of Statement of Standards
STANDARD 2-1. GENERAL AGREEMENT TO USE ELECTRONIC RECORDS AND
SIGNATURES
SPERS STANDARD 2-1
Systems should be designed to obtain either:
• The Transaction Participants’ express Agreement to use Electronic Records and
Signatures; or
• The Transaction Participants’ implied Agreement in a fashion that allows a reasonable
inference that Transaction Participants have assented to use Electronic Records and
Signatures.
STANDARD 2-2. APPLICABILITY OF THE ESIGN CONSUMER CONSENT PROCESS
SPERS STANDARD 2-2
With respect to business to-Consumer Transactions, the System Design Team should consult
with legal counsel or a compliance officer concerning application of the ESIGN Consumer
Consent Process. The ESIGN Consumer Consent Process should be used if:
• The Consent Process is required by any Rule of Law, or
• The System Design Team determines that its voluntary use would be beneficial and its
use would not hamper, confuse or unduly complicate the Transaction.
1
STANDARD 2-3. THE ESIGN CONSUMER CONSENT DISCLOSURES
SPERS STANDARD 2-3
When the System Design Team has determined that the ESIGN Consumer Consent Process
should be employed, it should implement the Consent Process:
• In compliance with the requirements of the ESIGN Consumer Consent Disclosures; and
• With the goal of providing the Consumer with information designed to assist the
Consumer in making an informed choice with respect to the use of Electronic Records
and Signatures.
1
“Voluntary use” refers to the use of all, or part of the ESIGN Consumer Consent Process.SPeRS APPENDIX B – SUMMARY OF SPeRS PRINCIPLES
Appendix B - 4
STANDARD 2-4. THE ESIGN CONSUMER CONSENT DISCLOSURES – FORMAT
AND TIMING
SPERS STANDARD 2-4
When presenting the ESIGN Consumer Consent Disclosures to the Consumer they must be
provided:
• In a clear and conspicuous format;
• At a meaningful time in the Transaction; and
• Prior to the Consumer providing his or her affirmative consent to engage in business
electronically.
2
STANDARD 2-5. OBTAINING THE CONSUMER’S AFFIRMATIVE CONSENT -
METHODS AND TIMING
SPERS STANDARD 2-5
When employing the Consumer Consent Process systems will need to be designed to obtain the
Consumer’s affirmative consent to access Required Consumer Information.
Providers should obtain the Consumer’s affirmative consent either::
• Prior to, or at the time Required Consumer Information is presented, or
• After Required Consumer Information is presented but before the time when the
Consumer becomes obligated on the Transaction.
STANDARD 2-6. REASONABLE DEMONSTRATION OF ACCESS
SPERS STANDARD 2-6
If the ESIGN Consumer Consent Process will be employed, the System Design Team should
create a mechanism, method of process that enables a Consumer’s provision of consent to
Reasonably Demonstrate that the Consumer can access the electronic method(s) and format(s)
the system will use to provide or make available Electronic Records such as notices, disclosures,
and agreements over the course of the Transaction.
2
The methods for, and the timing of obtaining the Consumer’s affirmative consent are discussed in SPeRS
Standard 2-5.SPeRS APPENDIX B – SUMMARY OF SPeRS PRINCIPLES
Appendix B - 5
Section 3 Summary Statement of Standards
STANDARD 3-1. GENERAL PRINCIPLES FOR DISPLAY AND PRESENTATION OF
INFORMATION
SPERS STANDARD 3-1
The System should be designed to display and present information efficiently and effectively.
Absent special circumstances, the System Design Team should provide a reasonable opportunity
to access information, whether it is part of an agreement, Notice or Disclosure, so that:
• The information is displayed or made available in a manner and/or format that complies
with any applicable Rule of Law.
• The opportunity to access the information occurs:
• At the point in the Transaction required by an applicable Rule of Law, or
• If there is no applicable Rule of Law, at or before the point in the Transaction where
having access to the information is appropriate for the recipient, but not later than the
point at which the recipient is asked to indicate agreement with, or acknowledge
access to, the information.
• During the course of the Transaction, the information may be retained by the recipient, or
accessed by the recipient at a later time, consistent with the purpose of the Transaction, the
nature of the information and applicable Rule of Law (See SPeRS Section 5).SPeRS APPENDIX B – SUMMARY OF SPeRS PRINCIPLES
Appendix B - 6
STANDARD 3-2. DELIVERING AND DISPLAYING RECORDS AND INFORMATION
SPERS STANDARD 3-2
When developing a process that includes the electronic display and delivery of Agreements,
Notices or Disclosures, the System Design Team should:
• Identify the Records and information that will be delivered electronically to each
Transaction Participant in the course of the Transaction;
• Consult with legal counsel or compliance personnel to determine whether any of the
Records or information to be provided are subject to any specific delivery requirements
under an applicable Rule of Law;
• Accomplish delivery by providing access or the opportunity to access the Record, as
applicable;
• Determine the appropriate method(s) for providing access to the Records and
information, taking into account:
• The nature of the Transaction and the intended audience,
• Whether the Records and information will be provided or made available as part of an
interactive session with the recipient, as part of a unilateral transmission to the
recipient, some combination of the two, or through other means,
• Whether the Records and information to be provided or made available include
sensitive or confidential information,
• The time period for which the Records and information should remain available for
access by the recipient during the course of the Transaction, and
• Whether the recipient should be required to access any of the Records and
information in order to proceed with the Transaction.
STANDARD 3-3. DELIVERING AND DISPLAYING RECORDS AND INFORMATION –
RETENTION OF RECORDS BY OTHER TRANSACTION PARTICIPANTS
SPERS STANDARD 3-3
For Electronic Records that must be signed, or that contain Required Information, the System
Design Team:
• Should provide the Transaction Participant signing or accessing an Electronic Record
with:
• An explanation of the options that the Transaction Participant will have during the
Transaction to retain a copy of the Record, including any Disclosure or explanation
required by the ESIGN Consumer Consent Process (See SPeRS Standard 2-2), and
• A reasonable opportunity to retain a copy of the Record for later reference.
• May wish to provide the Transaction Participant with an opportunity to agree to the
methods being provided for retaining a copy of the Record.SPeRS APPENDIX B – SUMMARY OF SPeRS PRINCIPLES
Appendix B - 7
STANDARD 3-4. INDICATING AGREEMENT
SPERS STANDARD 3-4
When developing a process that includes the electronic delivery or display of agreements to
Transaction Participants, the System Design Team should:
• Consult with legal counsel or compliance personnel to determine:
• Which Records or information being delivered or displayed require some indication
of agreement by a Transaction Participant
• The level of formality or ceremony required for each indication of agreement
• Implement a process design which, in the context of the Transaction and the particular
information or Record in question:
• Offers the Transaction Participant:
• A clear choice to either agree or decline to agree, and
• A clear method to express agreement or decline to agree
• Provides an explanation of the consequences are inherently obvious in the context of
the Transaction, and
• When appropriate, offers the Transaction Participant an opportunity to correct an
election to assent or refuse assent made in error except when impractical or
unnecessary.
SECTION 3-5: ACKNOWLEDGING ACCESS OR DELIVERY
SPERS STANDARD 3-5
When developing a process that includes the electronic display and of and opportunity to access
Disclosures and Notices to Transaction Parties, the System Design Team should:
• Consult with legal counsel or compliance personnel to determine:
• Which Records or information being displayed or provided require some
acknowledgement of access or opportunity to access by a Transaction Participant, and
• The level of formality or ceremony required for each acknowledgement of access or
opportunity to access.
• For Records that require acknowledgement of access or delivery, implement a process
design which, in the context of the Transaction and the particular information or Record
in question, offers the Transaction Participant a clear method to acknowledge access or
opportunity to access.SPeRS APPENDIX B – SUMMARY OF SPeRS PRINCIPLES
Appendix B - 8
STANDARD 3-6. CLEAR AND CONSPICUOUS DISCLOSURE
SPERS STANDARD 3-6
When developing a process that includes the electronic display of or access to agreements,
Notices or Disclosures to Transaction Parties, the System Design Team should:
• Consult with legal counsel or compliance personnel to determine whether any of the
Records or information to be provided are subject to “conspicuous disclosure”
requirements under an applicable Rule of Law, and
• If “conspicuous disclosure” is required:
• Implement a process design which, in the context of the Transaction and the
particular information or Record in question, delivers the required Record or
information in a form which is:
• Reasonably understandable, and
• Designed to call attention to the information that must be disclosed.
• Employ electronic tools and display techniques so as to effectively convey the
information.
STANDARD 3-7. USING HYPERLINKS AND OTHER NAVIGATIONAL CUES
SPERS STANDARD 3-7
When displaying information electronically, the System Design Team should consider using
navigational cues in order to better organize, enhance or protect the presentation of information.
When using a navigational cue, the System Design Team should label or title the navigational
cue, or provide explanatory information for use of the navigational cue, reasonably sufficient to
permit the Transaction Participant to understand the general nature of the Records or information
associated with the navigational cue.SPeRS APPENDIX B – SUMMARY OF SPeRS PRINCIPLES
Appendix B - 9
Section 4 Summary Statement of Standards
STANDARD 4-1. SELECTING A SIGNATURE PROCESS
SPERS STANDARD 4-1
The selection of an appropriate signature technology for a particular application should be based
on a determination of the relevant factors and circumstances, including:
• Applicable hardware and software requirements
• Any Rule of Law limiting the type of Electronic Signature that may be used
• Characteristics of the signer
• Susceptibility of the technology to repudiation
• Ability of the signature to protect the Record from undetected alteration after signing
• Portability of the signature process
• Suitability of the signature for:
• non-repetitive in-person Transactions
• repetitive in-person Transactions
• non-repetitive remote Transactions
• repetitive remote Transactions
• Ease of use for multiple signatures by same signer in one Record
• Ease of use for multiple signers in one Record
STANDARD 4-2. PROVIDING INFORMATION ON THE SIGNING PROCESS
SPERS STANDARD 4-2
The execution of an Electronic Signature should be preceded by an opportunity for the signer to
review:
• A description and explanation of the procedure used to create the Electronic Signature,
and
• A description of the sequence of events that will result in the signature becoming final
and effective.
Provided, however, that the signature process may be sufficiently familiar or self-explanatory
that a description is superfluous or would be repetitive.SPeRS APPENDIX B – SUMMARY OF SPeRS PRINCIPLES
Appendix B - 10
STANDARD 4-3. ESTABLISHING THE INTENT TO SIGN
SPERS STANDARD 4-3
The process used to create an Electronic Signature should be designed so that:
• It is clear that the signer intended to create a signature, and
• When not reasonably apparent under the circumstances, the signer is advised that the
signature fulfills one or more purposes:
• Affirming the accuracy of information in the record
• Affirming assent or agreement with the information in the Record
• Affirming the signer’s opportunity to become familiar with information in the
Record,
• Affirming the source of the information in the record, or
• Other specified purposes.
STANDARD 4-4. ASSOCIATING A ELECTRONIC SIGNATURE WITH A RECORD
SPERS STANDARD 4-4
A process for signing records should be designed so that:
• The Record is presented for signature before the signature becomes effective, and
• The signature is attached to, or logically associated with, the Record presented.
STANDARD 4-5. ATTRIBUTING A SIGNATURE
SPERS STANDARD 4-5
A process for signing Records should be designed so that either:
• The signature itself provides evidence of the signer’s identity, or
• The process surrounding creation or affirmation of the signature:
• provides evidence of the signer’s identity, and
• is in some manner preserved, evidenced, or capable of recall or recreation during the
life of the Transaction.SPeRS APPENDIX B – SUMMARY OF SPeRS PRINCIPLES
Appendix B - 11
STANDARD 4-6. ELECTRONIC AGENTS
SPERS STANDARD 4-6
A system designed to implement an agreement and signature by an Electronic Agent:
• Should require a clear and detailed definition of the parameters of the electronic agent’s
authority to form an agreement and sign on behalf of the represented Participant, and
• May either reflect the use of an electronic agent in the signature information provided as
part of the signed Record, or present the signature as the act of the represented Participant
without reference to the use of an electronic agent.SPeRS APPENDIX B – SUMMARY OF SPeRS PRINCIPLES
Appendix B - 12
Section 5 Summary Statement of Standards
STANDARD 5-1. MEETING ACCURACY, ACCESSIBILITY AND RETENTION
REQUIREMENTS
SPERS STANDARD 5-1
Electronic Record retention systems should be designed to ensure the information contained in
the Electronic Records remain:
• Protected from undetected and unauthorized alteration, and
• Accessible to the Record Holder and others entitled by Rule of Law or Agreement to
access, or obtain a copy of, the Record Holder’s copy of the Record
See also SPeRS Standard 3-3 for the Record Provider’s obligation to provide access or copies of
Records to other Transaction Participants (e.g., Consumers).
STANDARD 5-2. VERIFYING THE INTEGRITY AND ACCURACY OF ELECTRONIC
RECORDS/THE PHYSICAL AND LOGICAL ENVIRONMENT
SPeRS STANDARD 5-2
As part of the infrastructure necessary to protect the integrity of Electronic Records, the System
Design Team should establish a commercially reasonable design for:
• The physical environment in which the records are maintained that takes into account:
• The types of transactions evidenced by the Electronic Records,
• The value of the transactions evidenced by the Electronic Records,
• The value or confidentiality of the information contained in the Electronic Records,
including whether the record is subject to state or federal privacy laws, and
• The impact of loss, destruction or theft of the Electronic Records on the operations of
the Record Holder.
• The technical environment in which the records are maintained that takes into account:
• · Network controls,
• · Hardware controls, and
• · Software controls.SPeRS APPENDIX B – SUMMARY OF SPeRS PRINCIPLES
Appendix B - 13
STANDARD 5-3. VERIFYING THE CONSISTENCY AND INTEGRITY OF
ELECTRONIC RECORDS
SPERS STANDARD 5-3
When appropriate, the System Design Team should consider including in the process for
creating, delivering and submitting Electronic Records commercially reasonable checks to
confirm that:
• The Record:
• Contains information that is both internally consistent and consistent with other
Transaction Records;
• For signed Electronic Records, the Record appears to have been electronically signed
by each of the targeted signers before being accepted as final and complete;
• Has not been altered without authorization once it is effective; and
• Is retrievable in a form perceivable by an individual.
• Any set of Transaction documents intended to be reviewed, completed, and/or signed as a
group is complete and that all necessary tasks have been performed before being
submitted and/or accepted in final form.
STANDARD 5-4. DOCUMENT CONVERSION
SPERS STANDARD 5-4
System design teams should develop guidelines and procedures for the preservation and
conversion of paper to electronic documents to meet the following objectives:
• Promote cost and organizational efficiency;
• Ensure safekeeping of documents;
• Ensure compliance with state and federal requirements regarding Record retention,
access to Records, and document destruction;
• Maintain secure, reliable, long-term access to Records; and
• Establish data integrity to satisfy the Rules of Evidence.SPeRS APPENDIX B – SUMMARY OF SPeRS PRINCIPLES
Appendix B - 14
STANDARD 5-5. VENDOR RELATIONSHIPS
SPERS STANDARD 5-5
When using third party vendors to perform Record retention functions, Providers should adopt a
risk management process that includes:
• Proper due diligence to identify and select a third-party provider;
• Contracts that outline duties, obligations, and responsibilities of the parties involved; and
• Ongoing oversight of the third parties and third-party activities.
STANDARD 5-6. INTERACTION WITH GOVERNMENTAL AGENCIES
SPERS STANDARD 5-6
The System Design Team should consult with legal counsel or compliance personnel to
determine whether there are any state or federal regulatory requirements that may affect the for
or methods used to create, file or maintain the Records.
STANDARD 5-7. TRANSFERABLE RECORDS AND ELECTRONIC CHATTEL PAPER
SPERS STANDARD 5-7
If the system is intended to manage the creation, execution, transfer and/or storage of electronic
equivalents of negotiable promissory notes, bills of lading, warehouse receipts, retail installments
sales contracts, debt obligations secured by personal property, or leases of tangible personal
property, the System Design Team should consult with legal counsel or compliance personnel to
determine the special requirements for:
• Controlling the transfer of ownership of the Electronic Record
No comments:
Post a Comment