A CIO’s Checklist for E-Signatures
Electronic signature technology started out more than 20 years ago as a relatively unknown way to take paper forms out of employees’ and customers’ hands and move them online into a secure, automated process. Today, e-signature solutions are popular with organizations and IT departments looking to bring companies into the digital and mobile business era.
It’s often highly regulated transactions that are first to adopt this technology. Having implemented e-signatures at the enterprise level myself, here are some of the best practices and lessons learned that will help CIOs avoid common missteps.
The online world is synonymous with IT’s least favorite word – risk. It is fairly common to try to over-engineer user authentication in e-signature transactions in an attempt to reduce risk and enforce contracts, despite the fact that most paper processes incur far more risk than electronic ones. The best approach to managing authentication risk is to familiarize yourself with your process, requirements and risk tolerance.
It’s important to think of authentication in terms of risk management but also customer experience. Executed well, authentication builds trust and loyalty. Done poorly, it leads to frustration and abandonment. A flexible e-signature solution is designed to support many authentication options, making it easier to calibrate the level of authentication to each process and balance security with usability.
Look for an e-signature solution that gives you the ability to:
- Use existing credentials;
- Integrate with ID verification services;
- Send a randomly generated PIN code by SMS text;
- Customize the questions, if using secret question challenge;
- Configure different authentication methods within the same transaction;
- Adapt the authentication method to each signer, independently of the others.
While the more robust e-signature solutions use digital signatures to tamper-proof signed documents, there are variations in how the digital signature is applied. Best practice is to lock down the document and each e-signature with a digital signature in a format that can be stored long term (e.g. PDF) to build a full audit trail.
Another consideration is the long-term security of your records. Recommended practice is to store e-signed records independently of the e-signature vendor. If the e-signatures and audit trail are embedded directly in the document, they will travel with the record and document authenticity can be verified outside the e-signature service. Look for an e-signature solution that:
- Embeds the audit trail directly in the signed document;
- Secures the document and each signature with a digital signature;
- Includes the date and time of each signature in the audit trail;
- Provides the ability to verify the integrity of the record offline;
- Enables you to download a verifiable copy of the record;
- Enables documents to be archived in any repository.
Regardless of where the application is hosted, the solution must meet regulatory, industry and corporate data and system security standards including compliance with FFIEC guidance and HIPAA regulations. With a cloud service, look at the protocols the vendor has in place to prevent data breaches, and ask for a Service Organization Control (SOC) 2 attestation.
Build a plan that takes into account long-term e-signature use. That may even mean starting with a SaaS service to gain some experience with e-signatures while a larger integration project is underway. Deployment options include:
- SaaS: An estimated 80 percent of e-signature implementations run on SaaS. SaaS offers immediacy, no integration and a low cost. Resistance to public cloud solutions is more common in highly regulated industries where there are concerns about security and privacy of information but overall, SaaS e-signature solutions are mature and feature-rich.
- Connectors for CRM, ECM and more: Pre-integrated connectors are ideal when completing a transaction as part of an ecosystem. For example, with a connector for Salesforce or Microsoft Dynamics CRM, documents are generated, prepared and sent to signers directly from the CRM.
- Pre-integrated e-signatures from third-party solution providers: Technology providers like IBM, Oracle and HP are making e-signatures a component of their industry frameworks. Likewise, core system providers are building e-signatures into policy administration systems, loan generation systems and more.
- API and SDKs: Custom code allows you to configure all aspects of the e-signature workflow to fit your exact requirements and create a seamless, white labeled process.
- On-premises deployment: For organizations that need total control over data and servers. It also provides the ability to deploy as a shared service across the enterprise.
TOP 5 TAKEAWAYS
- Start small and fast, and then scale. Regardless of the size of the project, start by getting some experience in a line of business and then expand.
- Use what comes out of the box. Try the product as is before asking for customizations – there isn’t much gained from reinventing the wheel on processes that are tried and true.
- Talk with other companies in the same industry who have firsthand experience.
- Find a partner rather than just a vendor.
- Test your e-signature process. Focus groups can help identify areas of improvement.
If you’re interested in learning more, I recently shared E-Signature Strategies for IT Executives on a recorded webcast.