Compliance with the Electronic Signatures in Global and National Commerce Act (ESIGN) has become critical in recent years as the usage of electronic service offerings has exploded. In the current environment, regulators have taken a much closer look at institution’s ESIGN compliance efforts. Institutions must be careful to ensure that their product structures and controls are sufficient to certify compliance. This article will explore the key consumer consent requirements, pitfalls to avoid, and best practices for institutions to follow.
Originally signed into law in 2000, the intent of the ESIGN act is to facilitate the usage of electronic signatures and records in global and inter-state commerce. With the possibility that existing laws and regulations could create a barrier to providing services or performing transactions in an electronic manner, ESIGN breaks down such barriers by providing the same legal authority to electronic signatures as paper or “wet” signatures, and by permitting the usage of electronic records in place of paper ones. At a state level, 47 out of 50 states have signed into law the Uniform Electronic Transactions Act (UETA), which provides similar protections. The remaining three states—New York, Illinois, and Washington—have issued their own laws regarding electronic signatures and records.
As more institutions offer electronic products and services, the importance of ESIGN increases. Electronic statements have historically been the most common banking service offered in electronic form. Many institutions offer consumers the ability to apply for loans online through their website, and provide various key disclosures as part of the origination process, such as the loan estimate and other documents, in electronic fashion. Consumers often have the ability to perform the entire deposit account-opening process online. At times, this is with the intent that the account will be used exclusively online and that the consumer will not perform any transactions in the branch, or receive any material throughout the life of the account in paper form. Many other products and services can be offered exclusively via electronic means such as online banking, online bill pay, mobile banking, and person-to-person transfer services. Before offering any of these services, institutions will need to ensure compliance with the ESIGN requirements and the consumer consent provisions.
WHAT IS ESIGN COMPLIANCE?
ESIGN compliance is critical, as the failure to comply could not only result in a technical violation of law, but also other major issues. Numerous laws and regulations require the providing of disclosures to the consumer. If ESIGN compliance is not met, it is as though the institution never provided those disclosures. Imagine needing to trace back the assessment of fees and provide refunds to hundreds, if not thousands, of your customers because the institution did not get ESIGN consent before providing a fee schedule. Under Regulation E, the consumer has the obligation to notify the institution within 60 days of a periodic statement being sent containing any unauthorized electronic transactions or errors on the statement. However, if the institution did not properly obtain ESIGN consent, then the statement was effectively never provided, extending the period of time during which the consumer may report an error. Due to chargeback deadlines, the institution may have no option other than to refund the customer and accept a loss.
Possibly the greatest area of liability is lending. The failure to properly obtain consent before providing critical disclosures such as the loan estimate or closing disclosure could result in the institution needing to reimburse thousands of dollars in settlement charges for just a single loan. In addition, the clock for rescission does not start until the consumer has received certain documents, including the rescission notice and the closing disclosure. If ESIGN consent was not properly provided for such documents, then the rescission clock has not truly started, and the consumer may be able to rescind the loan for an extended period of time.
ESIGN’s consumer consent provisions require a multi-step process prior to providing the consumer with electronic documents. First, the consumer must be provided with a statement that offers details on the consumer’s rights with respect to electronic documents, known as the ESIGN Disclosure. Among other things, the ESIGN Disclosure requires statements such as the scope of what documents will be provided electronically, the ability to withdraw electronic consent, how to receive paper copies of documents, the hardware/software requirements to access the electronic documents, and other matters. Once the consumer has received the disclosure, the individual must consent to receive electronic documents in a manner that demonstrates to the institution that they can access the electronic documents in the required format. Once this step is fulfilled, the institution is permitted to provide electronic documents subject to the scope of the consent until the consumer has withdrawn their consent. If the hardware/software requirements change, the institution must obtain ESIGN consent again.
This “demonstration” part of the process is the most critical, and the area where institutions tend to make mistakes. Lawmakers designed ESIGN safeguards whereby the institution must obtain some sort of evidence that the consumer can access the electronic documents. For example, if the institution provides the consumer documents in PDF format, the consumer has to demonstrate to the institution the ability to access and open PDF documents.
Some common pitfalls that institutions should avoid with respect to the consumer consent process include:
- The institution should ensure that the vendor being utilized has the ability to go back, locate, and provide evidence that the consumer has performed the demonstration step. If there isn’t a proper audit trail, auditors and examiners may not consider any consent obtained to be valid.
- Any consent that is obtained verbally, in person, or via wet signature is not valid as it provides no demonstration that the consumer can access electronic documents. The institution will need to ensure that the consumer consents in electronic fashion.
- Consent obtained via an institution-owned device is not valid as the consumer will not be using that device to remotely access electronic documents in the future. At most, the institution can consider this an entry point to the consent process, but must still require the consumer consent on one’s own device.
- Institutions should avoid obtaining consent in a different manner than the format in which documents are going to be subsequently provided. One example becoming more common in the industry is the usage of web portals to provide electronic documents to the consumer during the loan origination process. Institutions have been criticized by regulators for evidencing that the consumer could access the web portal, but not demonstrating that the consumer could access and download from the portal to view.
- Institutions should avoid the mindset that simply because the consumer has sent an email or has asked to be sent something via email that these actions constitute ESIGN consent. The institution will have to follow the ESIGN consent process before proceeding.
- Institutions should make sure that the consumer does not have the ability to bypass the ESIGN disclosure without opening it. Many vendors have a pop up window appear or use another mechanism that blocks the ability of the consumer to proceed without opening the document.
- Institutions should avoid ignoring the ESIGN implications when hardware/software requirements change. Institutions continue to change applicable software systems often, whether changing core service providers or simply the account opening vendor. If this action creates a material risk that the consumer will no longer be able to access the documents electronically, then consumer consent must be obtained again.
- Institutions should avoid consolidating the ESIGN disclosure and other documents. An institution cannot begin providing documents electronically until the ESIGN consent has been provided and accepted, and the ESIGN Disclosure must be provided before the consumer consents. As such, there should be no circumstance whereby the institution provides the ESIGN disclosure and the electronic documents subject to the consent all at the same time or within the same document.
ESIGN Compliance Checklist
- As with any new product or service, involving the compliance team in the process from start to finish is critical. The ESIGN consent process should be a core part of the design of any electronic product or service. In addition to providing direction to the business line during development, compliance personnel should also review the final product prior to launch to ensure the ESIGN consent process is operating appropriately.
- Make sure that there are proper controls and road blocks during the process. Institutions should consider including steps that prohibit a consumer from moving forward or obtaining the applicable electronic disclosures until the ESIGN disclosure has been provided and the consumer has given their consent.
- Consider simplifying the format through which electronic documents are provided. For example, some institutions provide all disclosures in web page format. For situations where consumers are going to the website to consent, the act of doing so should demonstrate to the institution that they can access the electronic documents in the webpage format.
- Many institutions have started using an entry code. For example, an institution that will provide documents in PDF format will, prior to consent, provide the consumer with a PDF document that includes an entry code. The consumer will be required to type in the entry code when they consent, thereby evidencing that they can access documents in the PDF format.
- Establish a clear timeline for when consent will be obtained and electronic documents will be provided. While it may be popular to consolidate processes and make the online account opening process as brief as possible for the consumer, as a best practice, institutions should consider having the ESIGN disclosure and the consent itself on separate screens, and ensure that the applicable disclosures are not provided until later in the process.
- Institutions should have good change management processes in place and be careful any time a vendor upgrades or changes systems. For example, we have seen instances where the vendor upgraded the system and this inadvertently caused certain electronic disclosures to no longer be provided. Institutions will want to validate that everything is still working as intended.
The usage of electronic products and services will continue to be a big part of the industry, assisting institutions in expanding their service offerings and keeping pace with their competitors. Many consumers have a base expectation that documents relating to their account are going to be provided electronically. With the increased demand for electronic services and rising regulatory scrutiny, ESIGN and UETA compliance is more important than ever. By having an appropriate ESIGN strategy, institutions will be able to keep pace with technology and avoid costly mistakes.