Electronic signatures are widely accepted in Canada and many other countries. Each Canadian jurisdiction has general electronic commerce statutes that deem electronic signatures acceptable and equivalent to “wet” or handwritten ones, subject to certain exceptions and provided they meet stated requirements. Regulators, other third parties, corporate by-laws and resolutions, and other legislation, for instance, business incorporation statutes, may impose additional restrictions or requirements. IT departments can help business units assess the risks associated with electronic signatures and propose software to mitigate those risks.
An electronic signature involves the use of electronics, for example, computer, digital, wireless, or similar capabilities, to make a signature. An electronic signature may be as simple as a Portable Documents File (PDF) scan of a handwritten signature or typing a name at the bottom of an email. At the other end of the continuum, secure or digital electronic signatures using cryptographic technology provide a high degree of assurance or confidence that an electronic signature is reliable and bona fide.
The decision to use, provide, or accept a simple electronic signature with lower levels of assurance versus a digital or secure electronic signature requires an assessment of risks, including the following:
- Identity theft or impersonation of the person purportedly giving an electronic signature;
- Repudiation, or the signer later denying that they signed the document;
- Unintentionally binding an entity or individual. For example, by exchanging text messages, an employee may unintentionally enter into a contract with a supplier because texts and other electronic communications can create binding agreements;
- Exceeding authority, for instance, not being authorized to sign at all or not getting the required pre-approval before signing;
- Inappropriate choice of an electronic signature when the law, organizational policies and procedures, or a third party requires a wet or handwritten signature, in which case the resulting contract or document may be found invalid; and
- Loss of data integrity or the changing of a document post-signing.
Costly disputes may arise in each of the scenarios above.
Implementing or streamlining electronic signature policies and procedures will benefit from a cross-functional team, including the IT department, that can address legal, compliance, and technology considerations in addition to business processes. With IT’s help, users and their business units can specify the level of assurance or confidence required for different categories of electronically signed documents and select, implement, and maintain appropriate software solutions.
IT departments can assess vendors and software capabilities, including the following:
- Availability of multiple authentication methods, including remote access and dynamic knowledge-based authentication (KBA), which uses challenge questions about past financial transactions or other information that typically changes over a person’s lifetime. The alternative is static KBA, based on demographic information like mother’s maiden name, place of birth, and other information that does not change. Dynamic KBA provides improved authentication;
- Availability of embedded audit trails in electronically signed documents to allow long-term validation of electronic signatures without involving the software provider. If the software provider goes out of business or is otherwise unavailable even decades later, embedded audit trails would remain available to validate an electronic signature;
- Reliable evidence of robust cloud security, privacy controls, and compliance. Evidence may include certification and frequent and current security audits. International Standards Organization (ISO) certification (see the new ISO/IEC 23751 – Information technology — Cloud computing and distributed platforms — Data sharing agreement (DSA) framework), or System and Organization Controls (SOC) 2 or SOC 3 reports are independent sources of evidence; and
- User-friendliness, for instance, a user’s ability to sign with one or few clicks.
Meeting your duty of care: IT departments should be involved in implementing electronic signature policies and practices to ensure compliance with laws, policies and procedures, and other best practices. IT will help users assess the assurance or confidence levels required for various documents, evaluate and source software solutions that meet compliance needs, and provide training and technical support for the solutions implemented.
The upcoming release for First Reference’s Information Technology PolicyPro includes a new policy on electronic signatures.
Policies and procedures are essential, but the work required to create and maintain them can seem daunting. Finance and Accounting PolicyPro, Operations and Marketing PolicyPro, Not-for-Profit PolicyPro, and Information Technology PolicyPro, co-marketed by First Reference and Chartered Professional Accountants Canada (CPA Canada), contain sample policies, procedures, checklists and other tools, plus authoritative commentary to save you time and effort in establishing and updating your internal controls and policies. Not a subscriber? Request free 30-day trials of Finance and Accounting PolicyPro, Operations and Marketing PolicyPro, Not-for-Profit PolicyPro, and Information Technology PolicyPro.