r. david whitaker senior company counsel strategy & operational risk group wells fargo bank,...
Post on 20-Dec-2015
219 views
TRANSCRIPT
R. David Whitaker
Senior Company Counsel
Strategy & Operational Risk Group
Wells Fargo Bank, N.A.
R. David Whitaker
Senior Company Counsel
Strategy & Operational Risk Group
Wells Fargo Bank, N.A.
““So You Want To Take Your Business So You Want To Take Your Business Electronic” -- The SequelElectronic” -- The SequelImplementing electronic records and signatures across a Implementing electronic records and signatures across a corporate platform -- A round-up of pivotal issuescorporate platform -- A round-up of pivotal issues
AgendaAgenda “When last we left our heroes…”
A review of key points from last year’s program “Aim low, boys, they’re ridin’ Shetland ponies”*
The “small wins” strategy “Howdy, stranger”
Addressing attribution and authority to sign “Them varmints have cut the telegraph wires!”
Dealing with notice and delivery issues “Showdown at the OK Corral”
Managing electronic records “Riding off into the sunset”
*With apologies to Lewis Grizzard
“When last we left our heroes…” A review of key points from last year’s program
“Aim low, boys, they’re ridin’ Shetland ponies”* The “small wins” strategy
“Howdy, stranger” Addressing attribution and authority to sign
“Them varmints have cut the telegraph wires!” Dealing with notice and delivery issues
“Showdown at the OK Corral” Managing electronic records
“Riding off into the sunset”
*With apologies to Lewis Grizzard
When Last We Left Our Heroes -- Paving the Cow Path Vs. Blazing a TrailWhen Last We Left Our Heroes -- Paving the Cow Path Vs. Blazing a Trail
Replacing writings with electronic signatures and records in an existing process
Replacing writings with electronic signatures and records in an existing process
Advantages Relatively easy – numerous third-party
solutions exist that will fit with existing systems
Tends to be less expensive and faster to implement
Preserves existing roles and functions for employees
When it makes sense For repetitive documents that need to
be completed, signed, transmitted and stored, but are not (or don’t have to be) part of a larger process flow
For taking in information or agreements online that would otherwise come in through the mail or by facsimile, but not further processed (license agreements, contracts to use online services, etc.)
As a first step to blazing a trail
Be aware of… Managing the files after they are created Dependence on vendor solutions
Advantages Relatively easy – numerous third-party
solutions exist that will fit with existing systems
Tends to be less expensive and faster to implement
Preserves existing roles and functions for employees
When it makes sense For repetitive documents that need to
be completed, signed, transmitted and stored, but are not (or don’t have to be) part of a larger process flow
For taking in information or agreements online that would otherwise come in through the mail or by facsimile, but not further processed (license agreements, contracts to use online services, etc.)
As a first step to blazing a trail
Be aware of… Managing the files after they are created Dependence on vendor solutions
Building new processes and systems to take advantage of electronic signatures and recordsBuilding new processes and systems to take
advantage of electronic signatures and records
Advantages Offers significant efficiency and cost
savings over time Improves quality control May improve and automate records
management functions
When it makes sense For transactions where information has to
be promulgated across multiple systems For transactions with manual steps that
can be automated if key data is machine-readable
When your company is performing well and can absorb the cost
Watch for… Internal resistance Underestimating complexity Unrealistic time frames Leaving out key stakeholders Cost overruns Ignoring mundane design issues Ignoring long-term quality control and risk
management issues
Advantages Offers significant efficiency and cost
savings over time Improves quality control May improve and automate records
management functions
When it makes sense For transactions where information has to
be promulgated across multiple systems For transactions with manual steps that
can be automated if key data is machine-readable
When your company is performing well and can absorb the cost
Watch for… Internal resistance Underestimating complexity Unrealistic time frames Leaving out key stakeholders Cost overruns Ignoring mundane design issues Ignoring long-term quality control and risk
management issues
Using in-house
resources
Using in-house
resources
Using outside vendors
Using outside vendors
Tend to have a better grasp of business needs Less likely to have labor-based cost overruns Build off existing relationships Solid understanding of existing systems
Better grasp of industry standards/practices (sometimes) Experience with other implementations – often can
suggest innovative problem-solving strategies May have turn-key solutions for portions of the project More likely to introduce, or be open to, new approaches
When Last We Left Our Heroes -- Hired Hands v. Hired Guns?When Last We Left Our Heroes -- Hired Hands v. Hired Guns?
Watch for…Watch for…
“PowerPoint Products” Scalability Licensing dependencies Solvency Lack of knowledge of
your specific industry and applicable standards
In the contract – Unrealistic liability
limitations Warranty disclaimers
that contradict promises made
Be sure your contract covers…Be sure your contract covers…
A detailed description of services and products
Clear handling of intellectual property issues
Warranties reflecting promises made For ASPs – Warranties reflecting the
business model For ASPs – Service standards Exit strategies for
Inadequate service Breach of warranty Merger or acquisition Insolvency Loss of key license
Realistic time frames for exit Realistic liability and indemnity Protection against self-help remedies
(beware MD and VA) Protection against future price-
gouging
When Last We Left Our Heroes -- When Last We Left Our Heroes -- Are The Hired Guns Sharpshooters, or Shooting Blanks?Are The Hired Guns Sharpshooters, or Shooting Blanks?
When Last We Left Our Heroes -- Herding CatsWhen Last We Left Our Heroes -- Herding Cats
Blazing a trail often means leaving comfortable roles behind
Internal resistance and roadblocks may come from: Those who see their role/importance diminished Those who see their role eliminated Those who will be required to learn new skills Those who will be required to revise system
designs/infrastructure Those who will be asked to take responsibility
Blazing a trail often means leaving comfortable roles behind
Internal resistance and roadblocks may come from: Those who see their role/importance diminished Those who see their role eliminated Those who will be required to learn new skills Those who will be required to revise system
designs/infrastructure Those who will be asked to take responsibility
Watch for…
Watch for…
Be prepared
to…
Be prepared
to…
Attempts to foster/exaggerate third party objections Refusal to recognize a change in roles Unwillingness to modify existing infrastructure designs The dreaded phrase “Out of Scope…” Assertions of legal/compliance uncertainty
Lead from the top down Directly explore/confirm third party objections Incent/enforce necessary changes in roles Support and fund the necessary infrastructure changes Seek outside advice to supplement internal sources
When Last We Left Our Heroes – How to Prevent a Range WarWhen Last We Left Our Heroes – How to Prevent a Range War
Aim Low, Boys, They’re Ridin’ Shetland Ponies -- The “Small Wins” StrategyAim Low, Boys, They’re Ridin’ Shetland Ponies -- The “Small Wins” Strategy
Qapla!
Foundational Infrastructure Development
Priority Value-Added Features or Services
Desirable Enhancements
Access &Authenticate
Send & Receive Docs / other
communicationManifestation of Assent
Records and Data Management
Execute
Start Here
Howdy, Stranger -- Addressing Attribution and Authority to Sign Howdy, Stranger -- Addressing Attribution and Authority to Sign
Electronic SignatureElectronic Signature
Definition of signature -- “Electronic Signature” means an electronic identifying sound, symbol, or process attached to or logically connected with an electronic record and executed or adopted by a person with present intention to authenticate a record.
This definition includes (for example): Typed names, A click-through on a software
program’s dialog box combined with some other identification procedure,
Personal identification numbers, Biometric measurements, A digitized picture of a handwritten
signature, Use of SecureID™ or Defender™
number generators, and A complex, encrypted
authentication system. Note that a click-through probably does
not satisfy the requirements for an electronic signature under Article 9 of the UCC.
Key ElementsKey Elements
ESIGN and UETA require that: The signature be attributable to
the signer and associated with the records
The signing party have authority to sign
The signing party must have the intent to affix a signature to the record
ESIGN and UETA do not require that: The signature process itself
provide proof of identity The signature process itself
protect the record from alteration without detection
Howdy, Stranger -- Addressing Attribution and Authority to SignHowdy, Stranger -- Addressing Attribution and Authority to Sign
Attribution basicsAttribution basics
Legal sufficiency vs. attribution -- UETA and ESIGN’s signature rules: Answer the question “is it a
signature?” Do NOT answer the question
“is it your signature?” Attribution must be proven:
Attribution may be proven by any means, including surrounding circumstances or efficacy of agreed-upon security procedure
The burden of proof is usually on the person seeking to enforce signature
Legal sufficiency vs. attribution -- UETA and ESIGN’s signature rules: Answer the question “is it a
signature?” Do NOT answer the question
“is it your signature?” Attribution must be proven:
Attribution may be proven by any means, including surrounding circumstances or efficacy of agreed-upon security procedure
The burden of proof is usually on the person seeking to enforce signature
Attribution in the electronic worldAttribution in the electronic world
In an electronic environment, attribution is often proven by associating the signature with use of a “credential.” A credential is a method for establishing the identity of the signer, and may involve use of a password, employment of a token (such as a random number generator), biometrics, or demonstration of knowledge of a “shared secret,” or some combination of the above (or similar devices/approaches). Use of the credential gives the person receiving the signed record a reasonable basis to believe that the signature was created by the intended signer.
In an electronic environment, attribution is often proven by associating the signature with use of a “credential.” A credential is a method for establishing the identity of the signer, and may involve use of a password, employment of a token (such as a random number generator), biometrics, or demonstration of knowledge of a “shared secret,” or some combination of the above (or similar devices/approaches). Use of the credential gives the person receiving the signed record a reasonable basis to believe that the signature was created by the intended signer.
Howdy, Stranger -- Addressing Attribution and Authority to SignHowdy, Stranger -- Addressing Attribution and Authority to Sign
Creating a CredentialCreating a Credential
A credential may be:• Assigned to the signer directly by
the intended recipient of the signed record, either in advance or at the time of signing.
• Assigned to the signer indirectly, through a hierarchical model, where the intended recipient gave a “root” or “master” credential to a person who is then authorized to provide derivative credentials to others (e.g. Recipient gives a master User ID and password for its Treasury Services website to an executive at Company X and the executive then establishes passwords for other Company X employees).
• Created spontaneously (often through the use of biometrics or a “shared secret”) at the time it is needed for the signing.
A credential may be:• Assigned to the signer directly by
the intended recipient of the signed record, either in advance or at the time of signing.
• Assigned to the signer indirectly, through a hierarchical model, where the intended recipient gave a “root” or “master” credential to a person who is then authorized to provide derivative credentials to others (e.g. Recipient gives a master User ID and password for its Treasury Services website to an executive at Company X and the executive then establishes passwords for other Company X employees).
• Created spontaneously (often through the use of biometrics or a “shared secret”) at the time it is needed for the signing.
Notes on credentialsNotes on credentials Note that the effectiveness of the credential
for attribution depends on the integrity and reliability of the process for first creating and assigning the credential to the individual. • So, if it is easy to get a credential under
false pretenses, then the value of the credential for attribution is diluted.
• But, if the process for first issuing the credential to the correct person is demonstrably reliable, then the later use of the credential will usually constitute strong evidence of attribution.
In more sophisticated applications the customer may be given multiple credentials to permit two or three-factor authentication, depending on the risk level of the specific requested transaction. So, for example, a banking customer may be able to access general online banking services using a User ID and Password, but then be required to also provide a one-time password or PIN from a random-number generator before completing a funds transfer during the online session.
Note that the effectiveness of the credential for attribution depends on the integrity and reliability of the process for first creating and assigning the credential to the individual. • So, if it is easy to get a credential under
false pretenses, then the value of the credential for attribution is diluted.
• But, if the process for first issuing the credential to the correct person is demonstrably reliable, then the later use of the credential will usually constitute strong evidence of attribution.
In more sophisticated applications the customer may be given multiple credentials to permit two or three-factor authentication, depending on the risk level of the specific requested transaction. So, for example, a banking customer may be able to access general online banking services using a User ID and Password, but then be required to also provide a one-time password or PIN from a random-number generator before completing a funds transfer during the online session.
Howdy, Stranger -- Addressing Attribution and Authority to SignHowdy, Stranger -- Addressing Attribution and Authority to Sign
ESIGN and UETA incorporate the existing common law rule requiring that the signing party have the authority to sign.
Individuals – identity, age, capacity – capacity is usually taken for granted with any person over the age of 18, unless there are indications to the contrary
Representatives – identity, age, capacity, and authorization to take the contemplated action on behalf of the represented party. The authority to act is not automatic just because a person is an appointed representative (e.g. an agent or employee). Authority must be either expressly or implicitly conferred by the represented person.
ESIGN and UETA incorporate the existing common law rule requiring that the signing party have the authority to sign.
Individuals – identity, age, capacity – capacity is usually taken for granted with any person over the age of 18, unless there are indications to the contrary
Representatives – identity, age, capacity, and authorization to take the contemplated action on behalf of the represented party. The authority to act is not automatic just because a person is an appointed representative (e.g. an agent or employee). Authority must be either expressly or implicitly conferred by the represented person.
“Hail Mary” “Hail Mary”
Situational “actual” or “apparent” authority
Situational “actual” or “apparent” authority
Certificate of Authority
Certificate of Authority
Very often used with small companies. It presumes that in a small company anyone taking action with respect to bank services must have authority to do so because unauthorized activity is so difficult to conceal. This involves a “cost/benefit” risk analysis, since historically small business employees have proven quite adept at using bank accounts and banking relationships to commit fraud under the noses of their co-employees and owners.
In the most formal of situations, a certificate is required from the company’s owners or controlling body (Board of Directors, General Partners, Members, etc.) confirming the authority of a particular person to sign as a representative of the company. In some cases, confirmation of authority is incorporated into an opinion letter from outside counsel, creating a potential claim against outside counsel in case of a later dispute.
Where authority is not formally established, it may alternatively be established by circumstance. Job titles and/or known supervision and review of the proposed agreement by senior management may establish either actual or apparent authority to act.
Howdy, Stranger -- Addressing Attribution and Authority to Sign
The Hierarchical Model
The Hierarchical Model
In this model, the potential recipient of the signed records (e.g. the bank) assigns a master credential, through a highly reliable and carefully controlled process, to a company representative (e.g. the Senior Vice President for Treasury Management Services) whose authority to establish the initial relationship is beyond question (either because of certification or situational verification). In turn, the recipient’s system of record permits the trusted company representative to create lower-level credentials for other company employees. These credentials come with assigned rights, which may include the right to enter into additional agreements with the recipient. Presumably, the master agreement between the recipient and the company establishes the recipient’s right to rely on the “hierarchical model” to establish the authority of the lower-level employees to sign.
Them varmints have cut the telegraph wires! -- Dealing with Notice and Delivery IssuesThem varmints have cut the telegraph wires! -- Dealing with Notice and Delivery Issues
Key Considerations- Will the records contain sensitive information?- Will the records contain required disclosures or notices?- Are multiple delivery methods possible/desirable?- Are there “phishing” or “pharming” issues to address?- Need to maintain control over display and audit trails?- Need to obtain ESIGN Consumer Consent?
Key Considerations− 2 Factor Authentication required?− How will cross-system compatibility/communication
issues be addressed?− How much of design will be automated or manual?− Is system intended for use with targets without prior
electronic relationship with sender?− Regulatory requirements for timing, delivery,
proximity, conspicuousness, forced review?
Key Considerations− Addressing electronic delivery channels− Agreement on what constitutes “sending”
and “receipt” (Note some state UETAs limit variation by agreement)
− Agreement on obligation to update electronic addresses
− Managing bouncebacks and withdrawal of consent
• Secure or Unsecure? • Push out in email/SMS, or send
“ready notice” and pull behind firewall?
• Embedded hyperlinks in “ready notice” email?
• Permit target to set delivery preferences?
• Permit target to designate multiple recipients?
• Forced review or bypassable?
• Enrollment / consent process• Audit trails and reporting• Transmittal message contents• Authentication process for access to
secure data (if applicable)• Record generation and posting to
delivery system• Message or notice
generation/transmission• Record retention/destruction
process• Record generation/posting
• Establish agreement on delivery•When deemed delivered•Delivery address•Obligation to update address
• Obtain ESIGN Consent• Generate records• Send notice or attachments• Provide opportunity to retain• Generate audit trail• Handle “bouncebacks”• Handle withdrawal of consent
DesignDelivery Design Choices Execution
Secure CommunicationRecord Management Responsibility
Showdown at the OK Corral -- Managing Electronic RecordsShowdown at the OK Corral -- Managing Electronic Records
Generate Deliver Store Manage DestroyRecord
Life Cycle
Propagate Data
TrackRecord
Versions
Extract & Index Data
Create Audit Trails & Reports
Secure and Consistent Record Management
ActiveData
Processes
Access Controls
Quality & IntegrityControls
Record Destruction
Business Continuity
Key Systems
Issues
Boilerplate DocsTransaction-specific
Docs
Audit Trails for Enrollment, Delivery/Signing
Screen Shots & Process Flows
Primary Record
Categories
Search and Report
Capabilities
Company Policies and Guidelines
Record Management Audit Trails & Reports
Some Additional ResourcesSome Additional Resources
SM
– Standards and Procedures for electronic Records and Signatures – available for purchase at www.spers.org
FFIEC Information Technology Examination Handbook – available at www.ffiec.gov/ffiecinfobase/html_pages/it_01.html
FFIEC Guidance On Electronic Financial Services And Consumer Compliance – available at www.ffiec.gov/PDF/EFS.pdf
FTC Guidance on Dot Com Disclosures – available at www.ftc.gov/bcp/conline/pubs/buspubs/dotcom/index.html
FTC Staff Report on Improving Consumer Mortgage Disclosures – available at www.ftc.gov/opa/2007/06/mortgage.shtm
AIIM Recommended Practice Report on Electronic Document Management Systems (AIIM ARP1-2006) – available at www.aiim.org/documents/standards/arp1-2006.pdf
SM
– Standards and Procedures for electronic Records and Signatures – available for purchase at www.spers.org
FFIEC Information Technology Examination Handbook – available at www.ffiec.gov/ffiecinfobase/html_pages/it_01.html
FFIEC Guidance On Electronic Financial Services And Consumer Compliance – available at www.ffiec.gov/PDF/EFS.pdf
FTC Guidance on Dot Com Disclosures – available at www.ftc.gov/bcp/conline/pubs/buspubs/dotcom/index.html
FTC Staff Report on Improving Consumer Mortgage Disclosures – available at www.ftc.gov/opa/2007/06/mortgage.shtm
AIIM Recommended Practice Report on Electronic Document Management Systems (AIIM ARP1-2006) – available at www.aiim.org/documents/standards/arp1-2006.pdf