The E-SIGN Act has been around since June 2000. That means its 18th birthday is coming up. As banking regulations go, this isn’t exactly new. 18 years is plenty of time for the novelty to wear off and for it to become a commonplace part of your compliance routine. However, that doesn’t mean compliance is always straightforward and simple, especially now that the demand for electronic products and services, including mobile banking, remote deposit transfers, e-statements, and online banking, is at an all-time high. Technological changes and advances are forcing the industry to find new ways of achieving compliance in a cost-effective manner, which almost always involves the use of electronic signatures or providing important documents electronically. For example, the Right to an Appraisal changes made to Regulation B have forced lenders who do a lot of mortgage loans to provide large numbers of appraisals economically and, consequently, electronically.
If it’s been a while since you last took a look at E-SIGN requirements, it’s a good idea to go back and refresh your memory. Also, while it seems fairly straightforward, we still receive a lot of questions about E-SIGN compliance. So here’s a brief review of the regulation and the answers to some of the most common E-SIGN compliance questions.
The Electronic Signatures in Global and National Commerce Act was signed into law on June 30, 2000 by President Clinton. The E-SIGN Act established the legitimacy of electronic documents and signatures in interstate or foreign commerce. It also made electronic documents acceptable to satisfy any statute, regulation or rule of law requiring that such information be provided in writing, if the consumer has affirmatively consented to such use and demonstrated the ability to access the documents.
- We do not open online accounts but offer paperless statements. Is E-SIGN required?
Yes, E-SIGN is applicable. This is a good example of where affirmative consent is needed. You must provide consumers with the E-SIGN notice (about 3 paragraphs explaining the consumer’s rights to withdraw consent and receive paper statements, how to do so, and the software/hardware requirements needed to receive disclosures electronically). This may already be written into your e-statements agreement. This can be a blanket consent for all electronic documents or consent just for this product.
- Can we decline a deposit account if the consumer declines to receive electronic statements?
You cannot require consumers to use electronic records. E-SIGN gives the consumer a right to request and receive paper records. However, you are permitted to charge a reasonable fee for photocopying or hardcopy records.
- Do we have to notify the customer every time there is a change in our hardware or software requirements?
The act requires that if, after consent is provided, a change is made in the hardware or software requirements needed to access or retain the electronic disclosures, and the change creates a material risk that the consumer will not be able to access or retain an electronic disclosure that was the subject of the prior consent, the consumer must be provided with an appropriate notice of the change and must re-consent electronically in a manner that reasonably demonstrates the consumer’s ability to access the electronic notice or disclosure.
- If the ECOA appraisal regulation applies to certain business loans, we do not need to follow the E-SIGN requirements per my understanding. Can we just email the business the appraisal or is there a more acceptable practice?
The first part of E-SIGN establishes the validity of electronic records and signatures for all commerce or trade. This is true for everyone, but the consumer protection requirements (the E-SIGN notice, the right to opt out, affirmative consent) are just for individual consumers, not for businesses. You may provide business appraisals however you choose, so email is acceptable. You must ensure that the electronic document (appraisal) is accurate, can be reproduced by the recipient, and is provided in a secure or safe manner for all customers, business or consumer.
- When a person signs up for e-statements, does the institution have an obligation to verify that the customer is able to view their statement and the ability to prove the customer has viewed it? For instance, once the customer accepts receiving e-statements, do we need to send the customer a sample e-statement and have the customer verify that they can read the statement?
E-SIGN requires that the consumer consent “in a manner that reasonably demonstrates that the consumer can access information in the electronic form that will be used to provide the information that is the subject of the consent.” This can be accomplished in various ways, including test documents, PIN codes, and clicking links. You are not obligated to confirm that the consumer is opening or reading the electronic documents, only that they can if they so choose.
Here we’ll turn our attention to similar recurring questions centered around one somewhat simple phrase in the regulation: “reasonably demonstrate.”
In context, the regulation states that the institution should obtain consumer consent “in a manner that reasonably demonstrates that the consumer can access information in the electronic form that will be used to provide the information that is the subject of the consent.” The point of that statement was to ensure that novice computer users were able to access their disclosures and electronic documents. This is a legitimate concern, because spam filters, pop-up blockers or changes in browser configurations could prevent electronic records from being received or opened.
Here are some common questions we’re hearing about demonstrative consent:
- When statements and disclosures are provided via a PDF, what method do you recommend to “reasonably demonstrate” access, and what evidence should we retain to prove it? Our core processor’s system does not include any kind of method to force the user to “reasonably demonstrate” access, so it appears not all institutions are doing this.
- Can you provide some examples of what actions would be considered acceptable to meet the requirement to “reasonably demonstrate” consumers can access information in electronic form?
- We have been cited twice by examiners who say that it is not satisfactory just for the consumer to acknowledge electronically that they have the appropriate software to read the e-statement, but that they must also demonstrate this ability. However, our core system provider does not have a “bounce back” system to identify that the consumer has demonstrated the ability to read the e-statement. What should we do?
- What if a consumer “demonstrates consent” initially, but when the disclosures are emailed later, they are returned as undeliverable?
As you can see, there is a great deal of frustration about the demonstrative consent provision of E-SIGN. Unfortunately, the regulation is rather vague about the nature and timing of the “demonstrate” requirement. As the OCC indicated in Advisory Letter AL 2004-11, “the E-SIGN act is not clear on precisely when the ‘reasonable demonstration’ must occur in time relative to the consumer’s expression of consent.” You know what this means: when there is an absence of guidance on an issue, then the interpretation of “reasonable demonstration” can vary from regulator to regulator.
Demonstrative consent means that the consumer has shown the ability to receive and read the documents in the format that your institution plans to use. There are many ways to accomplish this depending on the format, but the consumer should always provide your institution with some evidence of access.
For example, you can do a “test drive” to verify the consumer’s ability. To do so, you would need to create a “test” disclosure/document and require the consumer to pick up and return a PIN or code to you. That will confirm that the consumer can in fact navigate your system and has the capacity to retrieve and respond to electronic records and disclosures. So, if you want to send e-statements in a PDF file, you will have the consumer open a test PDF and return some PIN or code to you. Many e-statement systems are set up in this fashion. If you plan to send an appraisal via e-mail with a link to an HTML web page, you can send a sample e-mail with a link to click on to confirm access. This sort of test process will eliminate any doubt about whether a consumer can access electronic information. Many institutions retain both the copy of the consent and the email string verifying consent/ability.
On to the question of “What if emails start coming back as undeliverable after access was demonstrated?” Under the law, the bank or credit union is not responsible to monitor whether the customer has opened his email or visited document sites set up for disclosures. But, if you know that emails are coming back undeliverable, your institution does have a good faith responsibility to investigate. You may wish to consider the E-SIGN consent to have been withdrawn if the customer is unresponsive and you know that important federal disclosures or electronic records are not being received.
These are just several of the dozens of questions about E-SIGN. For a three-page regulation, it sure generates a lot of questions, and that is due in part to its increasing importance in this technological era.