As we continue to assist Advisors during examinations conducted by the United States Securities and Exchange Commission (the “SEC”), we have noticed questions related to the Advisors’ use of electronic signatures. Earlier this week, we provided guidelines for Advisors using electronic signatures in securities transactions. The legality of electronic signatures in connection with contracts and other records has long been accepted pursuant to the Electronic Signatures in Global and National Commerce Act or “ESIGN” and the Uniform Electronic Transactions Act or “UETA.” Three principles apply to transactions within the scope of ESIGN and the UETA:
- A signature or record in electronic form may not be denied legal effect or enforceability simply because it is in electronic form;
- If a law requires a record to be in writing, an electronic record will satisfy the law; and
- If a law requires a signature, an electronic signature will satisfy the law.[1]
Generally, the SEC has accepted and permitted the use of electronic records and signatures for most transactions in connection with a business, consumer or commercial transaction. A key requirement is properly identifying the parties to a transaction, which may occur when the relationship between Advisor and client first begins and when a transaction occurs within the course of an existing relationship. Authentication refers to the process your firm uses to verify the identity of the client. This may vary from requiring your client to personally appear and present a physical ID and wet ink signature to your client providing a digital signature through a service like DocuSign. When authenticating via a digital signature, the client will receive an access or identification verification device, a “Credential”, which is used to streamline or automate identification in future transactions. A Credential may be a username, password or PIN, a number generated at random, a digital certificate, a biometric measurement (e.g., retina scan, fingerprint matching, or voice recognition), a digitized image of a handwritten signature, a typed name, or a combination of these. The Credential may be used to authenticate an individual before an electronic signature is accepted.
If an Advisor chooses to implement a process for electronic signatures, the Advisor must update its procedures to document its process for accepting electronic signatures, which may include, but is not limited to, the following:
- Implementation of supervisory reviews and testing to ensure compliance with the above requirements.
- Maintaining a record of all documents the Advisor allows to be executed by clients through electronic signature.
- Maintaining a record of documents the Advisor allows to be delivered electronically, specifically those documents included in establishing and maintaining client relationships.
- Maintaining a record of all client documents electronically signed and for each document signed, document:
  - Document Control Number or Unique Identifier;
  - Client Name(s);
  - Account Number(s);
  - Document Type or Name (i.e., account agreement, fund transfer request, etc.);
  - Authentication information for all parties that signed or created the document. Such information should include the client’s email address, username, or other means to authenticate the client’s identity;
  - IP Addresses used by all parties that signed or created the document;
  - Dates and times of all signatures on the document; and
  - Date and time that the document was created.
- If your Firm is using DocuSign or one of the other alternatives, make sure the Firm also complies with the requirements discussed above, including updating its policies and procedures. Using DocuSign alone is not enough to pass SEC scrutiny of the Firm’s use of electronic signatures.
FOOTNOTES
[1] See UETA § 7; ESIGN § 101(a).