Electronic Signatures: Principles
Anyone new to this area can be easily confused about what constitutes an electronic signature and how different types of e-signatures compare in terms of evidential power and legality.
At a basic level any mark on an electronic document can be used to capture the signer’s intent to approve or accept the contents of that document. The form of the “mark” or how it was created is not important. What is important is proving who made the mark and that the document was not changed subsequently.
Three signature types exist:
Basic, Advanced and Qualified Electronic Signatures.
Basic Electronic Signature
Some business applications require users to sign documents immediately, without first registering and having their identity verified with the SignMit system. Typical use cases include a potential customer visiting a bank, office or shop in person and needing to sign some initial paperwork.
Documents signed with a basic e-signature show that the digital e-seal (technically a digital signature) was applied by the organisation.
Advanced Electronic Signature (AES)
An Advanced Electronic Signature is one that is:
- uniquely linked to the signatory;
- capable of identifying the signatory;
- created using means that the signatory can maintain under their sole control; and
- linked to the data to which it relates in such a manner that any subsequent change of the data is detectable.
Signatys implements such signatures using standard PKI cryptography. Each user has a unique PKI signing key and associated digital certificate. The certificate acts as the person’s “digital identity” and is embedded in each signature they create – thereby securely binding the signer’s identity to their signed documents. The signing key which is used to create the signature is private and remains under the sole control of the owner, only accessible after appropriate authentication and authorisation checks.
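The four AES properties above, shown as an added Go example (not SignMit or Signatys code): a per-user key and certificate, the certificate embedded in each signature as the signer's identity, and verification that fails on any later change to the document. Assumptions: the certificate is self-signed as a stand-in for one issued by a (Qualified) CA, the sample document is constructed, and a real deployment would keep the key in an HSM or QSCD and validate the certificate chain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Signature embeds the signer's certificate (their "digital identity") next to the ECDSA signature.
type Signature struct {
	Cert  *x509.Certificate
	Value []byte // ASN.1 ECDSA signature over SHA-256(document)
}

func digest(doc []byte) []byte { d := sha256.Sum256(doc); return d[:] }

// newSigner creates the user's private signing key and a certificate naming them.
// Assumption: self-signed here; an AES/QES deployment has a (Qualified) CA issue it.
func newSigner(name string) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// sign signs the document digest; the private key never leaves the signer.
func sign(key *ecdsa.PrivateKey, cert *x509.Certificate, doc []byte) (Signature, error) {
	v, err := ecdsa.SignASN1(rand.Reader, key, digest(doc))
	return Signature{Cert: cert, Value: v}, err
}

// verify checks the digest with the embedded certificate's public key; any later change to doc makes it false.
func verify(s Signature, doc []byte) bool {
	pub, ok := s.Cert.PublicKey.(*ecdsa.PublicKey)
	return ok && ecdsa.VerifyASN1(pub, digest(doc), s.Value)
}

func main() {
	key, cert, _ := newSigner("Alice Example")
	sig, _ := sign(key, cert, []byte("I agree.")) // constructed sample document
	fmt.Println(sig.Cert.Subject.CommonName, verify(sig, []byte("I agree.")), verify(sig, []byte("I agree!")))
}
```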
Qualified Electronic Signature (QES)
A QES is built on the Advanced Electronic Signature (AES) format, with the additional requirements that:
- the user’s digital certificate is issued by a trusted Qualified CA; and
- the user’s signing key is managed within a trusted Qualified Signature Creation Device (QSCD).
A QES is a more trusted version of an AES. Recognised across borders, a QES requires the highest levels of security for the protection of the user’s signing key, and a formal registration process in which a qualified Certificate Authority verifies the user’s identity. From a legal perspective, a QES can be considered even stronger than a handwritten signature, as the burden of proof shifts to the signer to prove that they did not sign!
Regulation ZertES, eIDAS
What is ZertES?
ZertES is a Swiss Federal law that regulates the conditions under which trust service providers may offer certification services for electronic and digital signatures. Additionally, this law provides a framework that outlines the providers’ obligations and rights as they apply to providing their certification services.
Given Switzerland’s geographical proximity to the European Community, it is not surprising that ZertES is conceived similarly to eIDAS, in particular in its tiered structure and legal value. ZertES has multiple assurance levels, the highest of which is the QES level, which is equivalent to a handwritten signature and mandatory for many official documents.
What is eIDAS?
The eIDAS regulation has been enforceable across the EU since 1 July 2016. eIDAS classifies two types of secure electronic and digital signature standards:
1) the Advanced Signature and
2) the Qualified Signature.
Under eIDAS, citizens and businesses can use their native eIDs when accessing public services in other EU Member States that use eIDs. The regulation defines the conditions under which Member States will recognise users’ electronic identification.
Additionally, this regulation implements standards for digital signatures, time stamps, electronic seals, and other proof of authentication, including digital certification and registered delivery services that give those electronic transactions the same legal status as if they were conducted on paper. Signatys provides remote signing solutions for both types.
Regulation MiFID II
The aim of MiFID II (Markets in Financial Instruments Directive), implemented on 3 January 2018, is to increase the efficiency and transparency of the European financial markets and enhance protection for investors (clients). For many market participants, and especially banks, implementing and executing the obligatory MiFID II suitability and appropriateness assessments in their company processes in a client-oriented and efficient way is a major challenge.
All financial institutions are impacted by MiFID II. Consequently, each investment firm will make strategic choices as to how to stay relevant to their clients in a sustainable (and profitable) way. A sound balance between what is required by legislation and what is feasible in the long run is needed in order to implement MiFID II. Balanced legal requirements and operational implications could translate into competitive advantages.
Obtaining, interpreting, processing and recording information are essential elements of the suitability assessment. The investment firm has the legal obligation to obtain information from the client which is needed within the framework of the ‘Know Your Customer’ principle.
If, in the case of investment advice or portfolio management, the investment firm does not obtain the required information, it will not be able to provide investment services or recommend financial instruments to (potential) clients.
The SignMit solution complies with the MiFID II regulation by collecting reliable information and meeting record-keeping requirements. The following use cases meet these requirements and can be implemented with investment firms and banks:
- MiFID II documentation: risk-profiling questionnaire, the result of the appropriateness assessment, pre-trade suitability report, opt-in/opt-out documentation for customer classification changes, repapering…
- Advisory / warning: to inform clients of insufficient information provided to the investment firm in connection with a transaction, or of an investment that is inadequate with regard to the investor’s profile…