eSignature Legality Guide

OneSpan's Perspective

The information provided in this section is prepared by OneSpan. It summarizes best practices for legal compliance when implementing e-signatures and explains how OneSpan Sign is designed to meet the e-signature requirements in countries that have enacted electronic signature laws. 

OneSpan has been actively engaged with a number of governing bodies to help advance e-signature adoption around the world. OneSpan also participates in outreach activities, including workshops and conferences, to help organizations that are adapting to global e-signature laws and regulations.

E-Signature Compliance

The ability to execute binding agreements online has compelling benefits, including an improved customer experience, a stronger legal and compliance position, increased staff productivity, and greater operational efficiency. Although e-signatures offer many advantages over ink signatures, questions still arise regarding e-signature compliance.

There generally are three forms of e-signature recognized around the world: Simple, Advanced, and Qualified.

  • Simple e-signature (SES): any data in electronic form that a natural person attaches to, or logically associates with, other electronic data in order to sign (a typed name, an email signature block, and so on).
  • Advanced e-signature (AES): an electronic signature uniquely linked to, and capable of identifying, the signer, created using signature creation data under the signer's sole control, and linked to the signed data in such a way that any subsequent change to that data is detectable.
  • Qualified e-signature (QES): an advanced e-signature created by a qualified electronic signature creation device and backed by a qualified certificate issued by a qualified trust service provider. A QES has the same legal effect as a handwritten signature.

Simple e-signatures carry the lowest signer identity-proofing requirements, while qualified e-signatures carry the highest and are the legal equivalent of a handwritten signature. Different use cases and transactions require different forms of e-signature, as determined by local regulations.

OneSpan Sign is designed to meet the requirements for all three forms of e-signature and supports a wide range of business use cases, ranging from simple internal and B2B signing processes to more complex consumer-facing transactions.

 

OneSpan Sign:

  • Captures the signing act or process and stores that information both in the e-signature block and in the audit trail embedded in the signed document file;
  • Applies a digital signature that cryptographically binds the e-signature block to the e-signed document, so that the block cannot be altered or transplanted into another document without invalidating the signature;
  • Provides multiple authentication approaches to identify the signer and attribute the electronic signature to that person;
  • Captures the signature by having the signer click-to-sign or draw their signature on a device. Either approach is triggered by clicking a button placed in the document where the signature would normally appear, which establishes the signer's intent in the same way a wet-ink signature does.

Trust Service Providers (TSPs) 

OneSpan Sign provides a choice of native and third-party identity management services through integrations with Trust Service Providers (TSPs) around the world. TSPs specialize in electronic ID and trust services to deliver both advanced and qualified e-signatures through OneSpan Sign. Our TSP partners are on the EU Trusted List, enabling cross-border recognition of electronic signatures in all EU member states.

Our global TSP partners include:

  • Asseco
  • Firmaprofesional
  • Aruba IT
  • Uanataca
  • TrustPro
  • Itsme
  • Swisscom

Local and Remote Digital Certificates

A digital certificate is an electronic document issued by a Trust Service Provider (TSP) or Certificate Authority (CA). It contains the public key used to verify a digital signature, specifies the identity associated with that key (such as the name of an individual or organization), and is itself digitally signed by the issuer. A relying party that trusts the issuer can therefore use the certificate to confirm that the public key belongs to the named individual or organization.

OneSpan Sign supports a broad range of local and server-side digital certificates that adhere to global standards. This includes out-of-the-box interoperability with X.509 certificates issued by TSPs and CAs, and with digital certificates stored on U.S. government Common Access Cards (CAC) and Personal Identity Verification (PIV) cards. The result is a tamper-evident e-signed PDF with a detailed audit trail embedded directly in the document.
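How a relying party uses a certificate to confirm that a public key belongs to a named person, as an added example (not OneSpan's code and not a description of how OneSpan Sign is implemented): a constructed TSP root CA issues a signer certificate for "Jane Doe"; chain validation against the trusted root succeeds and yields the identity the CA bound to the key, while validation against an unrelated root, or after the certificate has expired, fails. The CA and signer names, validity periods and serial numbers are all constructed for the example. In practice the root comes from a trust store such as the EU Trusted List rather than being generated in the same program, and a production verifier also checks revocation (CRL/OCSP), which Go's x509.Verify does not do.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a key pair and a certificate for tmpl signed by parentKey; with a nil
// parent the certificate is self-signed (a root). Constructed for this example only.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// ChainResult is what a relying party learns: the identity the CA bound to the key,
// or the reason the chain could not be trusted.
type ChainResult struct {
	Subject string
	Err     error
}

// VerifySigner validates leaf against the trusted roots as of time at. x509.Verify checks
// signatures, names, validity and basic constraints; revocation (CRL/OCSP) is not included.
func VerifySigner(leaf *x509.Certificate, roots *x509.CertPool, at time.Time) ChainResult {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return ChainResult{Subject: leaf.Subject.CommonName, Err: err}
}

// Demo issues a signer certificate under a constructed TSP root, then verifies it
// against that root, against an unrelated root, and after its expiry.
func Demo() (trusted, wrongRoot, expired ChainResult, err error) {
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example TSP Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	ca, caKey, err := issue(caTmpl, nil, nil)
	if err != nil {
		return
	}
	otherTmpl := *caTmpl
	otherTmpl.Subject = pkix.Name{CommonName: "Unrelated Root CA"}
	other, _, err := issue(&otherTmpl, nil, nil)
	if err != nil {
		return
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "Jane Doe", Organization: []string{"Example Corp"}},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment,
	}
	leaf, _, err := issue(leafTmpl, ca, caKey)
	if err != nil {
		return
	}
	good, bad := x509.NewCertPool(), x509.NewCertPool()
	good.AddCert(ca)
	bad.AddCert(other)
	trusted = VerifySigner(leaf, good, now)
	wrongRoot = VerifySigner(leaf, bad, now)
	expired = VerifySigner(leaf, good, now.Add(48*time.Hour))
	return
}

func main() {
	trusted, wrongRoot, expired, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("trusted root: %q (%v)\nunrelated root: %v\nafter expiry: %v\n",
		trusted.Subject, trusted.Err, wrongRoot.Err, expired.Err)
}
```

The first case reports the subject "Jane Doe" with a nil error, the second fails with an unknown-authority error, and the third with an expiry error. The identity a verifier may rely on is the one in the validated chain, not a name typed into the document: if the chain does not reach a root the verifier trusts, the subject field is unverified data.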

Local Digital Certificates

E-signing with a local signing certificate can be completed by following these steps:

  • Insert your smart card into your laptop, mobile device, or smart card reader.
  • Open the document that requires your e-signature.
  • When the document is displayed and ready to be signed, click the signature block, then confirm your signature.
  • Select the appropriate certificate from the list. If prompted, enter the PIN code associated with the selected certificate. Once the PIN is confirmed, OneSpan Sign generates a hash of your information at the time of signing (e.g., name, date, time, IP address, and certificate used to sign the document), along with a unique hash of the document itself. With a smart card the private key never leaves the card: the signing operation is performed on the card after PIN entry, which is what makes the resulting signature attributable to the cardholder.


Remote Digital Certificates

E-signing with cloud-based certificates issued by our TSP partners can be completed by following these steps:

  • Create an e-signature transaction in OneSpan Sign and select TSP as the signing method.
  • Signers access the document via an embedded web or mobile experience or via an email link.
  • Once the signer's identity has been verified, the signer is prompted to consent to sign, and OneSpan Sign sends a one-time passcode (OTP) to the signer by text message.
  • Once signed, OneSpan Sign generates a hash of the signer's information at the time of signing (e.g., name, date, time, IP address, and certificate used to sign the document), along with a unique hash of the document itself.

Here’s a sample workflow for both known signers (e.g., existing customers to whom your organization has already issued credentials) and unknown signers (e.g., new applicants whose identity has not been verified and who do not yet have credentials) in OneSpan Sign:

[Figure: Signer-Workflow-EN, sample signer workflow for known and unknown signers]

Qualified Timestamping

Electronically signed documents include details such as the signer's digital certificate (i.e., a local or server-side signing certificate), a timestamp, and the signer's information (e.g., email address and IP address). Most e-signature solutions apply a standard timestamp, taken from the signing system's own clock, to record the date and time of the signing process. In some scenarios (e.g., high-risk, high-value transactions) organizations may instead want a "qualified timestamp": a timestamp issued for each signing event by a trusted third party, the time-stamping authority of a qualified trust service provider.

OneSpan Sign supports this by connecting to a qualified timestamp server, binding the e-signature data to a trusted timestamp that independently proves when a particular transaction took place. Because the timestamp authority signs over the signature data, the timestamp also demonstrates that the signature already existed at that moment, which matters if the signer's certificate later expires or is revoked.

Identity Assurance

Identity assurance is a measure of certainty (or a degree of confidence) that an individual is who they claim to be. Identity assurance is used to answer the question, "How sure are you that you have the right individual in an e-signature transaction?” Different identity assurance levels allow businesses and government services to carry out transactions aligned with the level of risk. For some services, the level of risk is low (LoA1, or Level of Assurance 1); for others, it is higher (LoA4, or Level of Assurance 4). 

NIST's Digital Identity Guidelines (SP 800-63) define these assurance levels and the requirements for meeting them. Note that the current revision (SP 800-63-3) replaces the single LoA1 to LoA4 scale with separate levels for identity proofing (IAL), authentication (AAL), and federation (FAL); consult the guidelines for details.

A critical component of an e-signature transaction is the way businesses identify signers. OneSpan Sign offers a number of identity verification and authentication methods to verify the signer’s identity – whether they are known or unknown to the business. We don’t dictate the option used; we adapt to the model that works best for our customers and their use cases. 

Options include:

  • OneSpan Sign’s identity verification capabilities enable businesses to automatically verify the authenticity of a signer’s government-issued ID. When paired with facial biometric comparison and liveness detection, businesses can establish that the signer is the person they claim to be with a high degree of assurance. Visit our identity verification coverage map to see the types of identity documents we support by country.
  • Local- and remote-signing certificates (see above)
  • One-time passcode (SMS)
  • Shared secret (Q&A)
  • Knowledge-based authentication (KBA)
  • U.S. government-issued Common Access Cards (CAC) and Personal Identity Verification (PIV) cards
  • Signer attachments, which require the signer to upload a piece of official ID (e.g., driver's license or passport) for verification before signing
  • OneSpan Sign API, which allows for custom ID verification integration

Retention and Validity

With OneSpan Sign, e-signed PDF documents are made available for download to all e-signature transaction participants. Businesses do not have to store the e-signed record in OneSpan Sign. Because the signatures and audit trail are embedded in the PDF itself, the record can travel through any email, storage, or archiving system (e.g., SharePoint, eOriginal, CDC Arkhineo, Box, Laserfiche) and still be verified, without additional programming. The e-signed documents can be indexed, stored, and retrieved in the system of record of choice. Our customers determine their account's retention policies, including the option to purge e-signature transactions. This provides the flexibility needed to manage e-signed records in a manner that meets long-term records retention policies.

The validity of e-signed PDF documents is assured by applying a digital signature to the document with each electronic signature. Digital signatures are a public-key cryptographic mechanism that protects the integrity of the data stored in the document file: the signature is computed over a hash of the document with the signer's private key, so any change to the document data after signing causes verification with the corresponding public key to fail and invalidates the electronic signature(s). The electronic and digital signature data are both stored in the PDF file so that the document's integrity can be verified from anywhere, at any time.

To verify document integrity, OneSpan Sign offers one-click signature and document verification. If the verification process is cumbersome, participants may wrongly assume that the document and signatures are valid without actually checking. When verifying a document e-signed with OneSpan Sign, participants click the signature block. This opens the audit trail and automatically verifies both signer authentication and document integrity. If a document signed with OneSpan Sign is modified or tampered with in any way, the digital signature no longer verifies and a signature-aware PDF reader flags the document as invalid, typically with a red "X" indicating that the document should not be trusted. Detailed audit trails accompany every e-signature transaction.
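The mechanics behind the Qualified Timestamping and Retention and Validity sections above, as an added example that is not OneSpan's code and does not describe how OneSpan Sign is implemented: the signer's key signs a digest that binds the signer's details to the document hash, a separate time-stamping authority (TSA) countersigns that signature together with its own clock reading, and verification recomputes everything from the document as presented. The Evidence structure and field layout, the two-second TSA clock offset, the signer name and the loan-agreement text are constructed for illustration, and freshly generated ECDSA P-256 keys stand in for the TSP-issued certificates a deployment would use; a real PDF signature uses the CMS/PAdES formats and an RFC 3161 timestamp token rather than this ad hoc layout.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Evidence models the signature block stored with the signed file: signer details, the
// document hash, the signer's signature binding them, and a TSA token over that signature.
type Evidence struct {
	SignerName string
	SignedAt   time.Time
	DocHash    [32]byte
	Signature  []byte
	TSTime     time.Time
	TSSig      []byte
}

// NewKey generates a P-256 key pair; a stand-in for the TSP-issued keys a deployment uses.
func NewKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// digest hashes fixed-width fields first so the variable-length field placed last cannot be confused with a neighbour.
func digest(parts ...[]byte) []byte {
	h := sha256.New()
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}

func signerDigest(ev *Evidence) []byte {
	return digest([]byte(ev.SignedAt.UTC().Format(time.RFC3339)), ev.DocHash[:], []byte(ev.SignerName))
}

func tsDigest(ev *Evidence) []byte {
	return digest([]byte(ev.TSTime.UTC().Format(time.RFC3339)), ev.Signature)
}

// Sign hashes the document, signs signer info + hash with the signer's key, then has the
// TSA sign the resulting signature together with the TSA's own clock reading.
func Sign(doc []byte, name string, signerKey, tsaKey *ecdsa.PrivateKey, now time.Time) (*Evidence, error) {
	ev := &Evidence{SignerName: name, SignedAt: now, DocHash: sha256.Sum256(doc)}
	sig, err := ecdsa.SignASN1(rand.Reader, signerKey, signerDigest(ev))
	if err != nil {
		return nil, err
	}
	ev.Signature = sig
	ev.TSTime = now.Add(2 * time.Second) // constructed: the TSA's clock, read just after signing
	ev.TSSig, err = ecdsa.SignASN1(rand.Reader, tsaKey, tsDigest(ev))
	return ev, err
}

// Verify recomputes the document hash from the file as presented and checks both signatures;
// any byte changed in doc or in the evidence makes it fail. Public keys are passed in here.
func Verify(doc []byte, ev *Evidence, signerPub, tsaPub *ecdsa.PublicKey) error {
	if sha256.Sum256(doc) != ev.DocHash {
		return errors.New("document hash does not match the signed hash")
	}
	if !ecdsa.VerifyASN1(signerPub, signerDigest(ev), ev.Signature) {
		return errors.New("signer signature invalid")
	}
	if !ecdsa.VerifyASN1(tsaPub, tsDigest(ev), ev.TSSig) {
		return errors.New("timestamp signature invalid")
	}
	return nil
}

// Demo signs a constructed document, verifies it, alters one figure, and verifies again.
func Demo() (origOK, tamperedOK bool, err error) {
	signerKey, err := NewKey()
	if err != nil {
		return false, false, err
	}
	tsaKey, err := NewKey()
	if err != nil {
		return false, false, err
	}
	doc := []byte("Loan agreement: principal 10,000 repayable in 12 installments.") // constructed
	ev, err := Sign(doc, "Example Signer", signerKey, tsaKey, time.Now())
	if err != nil {
		return false, false, err
	}
	origOK = Verify(doc, ev, &signerKey.PublicKey, &tsaKey.PublicKey) == nil
	tampered := bytes.Replace(doc, []byte("10,000"), []byte("90,000"), 1)
	tamperedOK = Verify(tampered, ev, &signerKey.PublicKey, &tsaKey.PublicKey) == nil
	return origOK, tamperedOK, nil
}

func main() {
	fmt.Println(Demo()) // prints: true false <nil>
}
```

The original verifies and the altered copy does not, even though only one figure changed. Changing any Evidence field has the same effect: a different SignerName or SignedAt breaks the signer's signature, and a different TSTime breaks the TSA countersignature, which is the property that lets the audit trail attribute a signature to a person and a moment in time.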


A one-click process such as this simplifies the user experience, giving participants confidence in the e-signature process and the reassurance that any alteration of the signed document, accidental or fraudulent, will be detected.

Audit Trails

E-signature audit trails are digital records that identify when a document was sent, opened, and signed, along with the names, email addresses, IP addresses, and unique signing identifiers of the signers. Audit trails have proven very effective in authenticating an electronic record and demonstrating that the e-signature is that of the signer.

Audit trails help answer questions such as:

  • Did the signer pass the required identity verification and/or authentication steps?
  • Was the signer presented with the required disclosures? 
  • Did they sign in all the required locations on the document(s) to properly indicate intent?
  • Were the proper procedures followed at every stage of the process?

OneSpan Sign offers a single audit trail of the entire agreement process that captures all e-signature actions (what was signed, when, and where), as well as the identity verification and authentication events showing how the signer was identified. The audit trail is embedded in the e-signed document and is also available as a detailed Evidence Summary Report, which can be downloaded and viewed at any time. It is available to all transaction participants, both as an individual download and as part of the completed transaction.

Data Residency

As cloud adoption continues to grow, there is a need to ensure that data is protected and complies with an organization’s local data residency and data protection laws. Regulated and compliance-driven industries such as banking, insurance, government, and healthcare often require transparency and control over where personal data resides.

Currently, OneSpan maintains four instances of its e-signature service – one each in the U.S., Canada, the EU (Ireland, Germany), and Australia. When OneSpan provisions a customer’s account, customers may select their desired region. This determines where their e-signed documents will be processed and stored. 

By leveraging the global data center networks of our technology partners (Amazon Web Services, IBM Cloud, and Microsoft Azure), OneSpan offers both SaaS and private cloud deployment options for OneSpan Sign. OneSpan Sign's ability to meet data residency requirements extends to the third-party apps it integrates with. For example, OneSpan Sign for Salesforce lets organizations connect to any global instance of OneSpan Sign.

OneSpan Sign also became the first e-signature solution to receive an Authorization to Operate (ATO) under the U.S. Federal Risk and Authorization Management Program (FedRAMP), in 2016. U.S. government organizations looking to implement e-signatures have access to a FedRAMP-authorized cloud hosted on Microsoft's Azure infrastructure.

Visit the OneSpan Sign Trust Center for more information on the safeguards we have in place to meet and exceed the security control and compliance requirements of our customers around the world.

For businesses that are looking for maximum control, OneSpan Sign can be deployed and managed on-premises behind an organization’s own firewall and infrastructure.

Get started with electronic signatures

Try a quick demo to see what the e-signing experience looks like.