R. David Whitaker
Senior Company Counsel
Strategy & Operational Risk Group
Wells Fargo Bank, N.A.

“So You Want To Take Your Business Electronic” -- The Sequel
Implementing electronic records and signatures across a corporate platform -- A round-up of pivotal issues

Post on 20-Dec-2015



Agenda

“When last we left our heroes…” -- A review of key points from last year’s program

“Aim low, boys, they’re ridin’ Shetland ponies”* -- The “small wins” strategy

“Howdy, stranger” -- Addressing attribution and authority to sign

“Them varmints have cut the telegraph wires!” -- Dealing with notice and delivery issues

“Showdown at the OK Corral” -- Managing electronic records

“Riding off into the sunset”

*With apologies to Lewis Grizzard

When Last We Left Our Heroes -- Paving the Cow Path Vs. Blazing a Trail

Replacing writings with electronic signatures and records in an existing process

Advantages:
• Relatively easy – numerous third-party solutions exist that will fit with existing systems
• Tends to be less expensive and faster to implement
• Preserves existing roles and functions for employees

When it makes sense:
• For repetitive documents that need to be completed, signed, transmitted and stored, but are not (or don’t have to be) part of a larger process flow
• For taking in information or agreements online that would otherwise come in through the mail or by facsimile, but not further processed (license agreements, contracts to use online services, etc.)
• As a first step to blazing a trail

Be aware of…
• Managing the files after they are created
• Dependence on vendor solutions

Building new processes and systems to take advantage of electronic signatures and records

Advantages:
• Offers significant efficiency and cost savings over time
• Improves quality control
• May improve and automate records management functions

When it makes sense:
• For transactions where information has to be promulgated across multiple systems
• For transactions with manual steps that can be automated if key data is machine-readable
• When your company is performing well and can absorb the cost

Watch for…
• Internal resistance
• Underestimating complexity
• Unrealistic time frames
• Leaving out key stakeholders
• Cost overruns
• Ignoring mundane design issues
• Ignoring long-term quality control and risk management issues

When Last We Left Our Heroes -- Hired Hands v. Hired Guns?

Using in-house resources:
• Tend to have a better grasp of business needs
• Less likely to have labor-based cost overruns
• Build off existing relationships
• Solid understanding of existing systems

Using outside vendors:
• Better grasp of industry standards/practices (sometimes)
• Experience with other implementations – often can suggest innovative problem-solving strategies
• May have turn-key solutions for portions of the project
• More likely to introduce, or be open to, new approaches

When Last We Left Our Heroes -- Are The Hired Guns Sharpshooters, or Shooting Blanks?

Watch for…
• “PowerPoint Products”
• Scalability
• Licensing dependencies
• Solvency
• Lack of knowledge of your specific industry and applicable standards
• In the contract – unrealistic liability limitations; warranty disclaimers that contradict promises made

Be sure your contract covers…
• A detailed description of services and products
• Clear handling of intellectual property issues
• Warranties reflecting promises made
• For ASPs – warranties reflecting the business model
• For ASPs – service standards
• Exit strategies for: inadequate service; breach of warranty; merger or acquisition; insolvency; loss of key license
• Realistic time frames for exit
• Realistic liability and indemnity
• Protection against self-help remedies (beware MD and VA)
• Protection against future price-gouging

When Last We Left Our Heroes -- Herding Cats

Blazing a trail often means leaving comfortable roles behind.

Internal resistance and roadblocks may come from:
• Those who see their role/importance diminished
• Those who see their role eliminated
• Those who will be required to learn new skills
• Those who will be required to revise system designs/infrastructure
• Those who will be asked to take responsibility

When Last We Left Our Heroes – How to Prevent a Range War

Watch for…
• Attempts to foster/exaggerate third party objections
• Refusal to recognize a change in roles
• Unwillingness to modify existing infrastructure designs
• The dreaded phrase “Out of Scope…”
• Assertions of legal/compliance uncertainty

Be prepared to…
• Lead from the top down
• Directly explore/confirm third party objections
• Incent/enforce necessary changes in roles
• Support and fund the necessary infrastructure changes
• Seek outside advice to supplement internal sources

Aim Low, Boys, They’re Ridin’ Shetland Ponies -- The “Small Wins” Strategy

[Figure: a staged build-out diagram running from “Start Here” to “Qapla!”. Stages: Foundational Infrastructure Development → Priority Value-Added Features or Services → Desirable Enhancements. Capabilities labelled along the path: Access & Authenticate; Send & Receive Docs / other communication; Manifestation of Assent; Records and Data Management; Execute.]

Howdy, Stranger -- Addressing Attribution and Authority to Sign

Electronic Signature

Definition of signature -- “Electronic Signature” means an electronic identifying sound, symbol, or process attached to or logically connected with an electronic record and executed or adopted by a person with present intention to authenticate a record.

This definition includes (for example):
• Typed names,
• A click-through on a software program’s dialog box combined with some other identification procedure,
• Personal identification numbers,
• Biometric measurements,
• A digitized picture of a handwritten signature,
• Use of SecureID™ or Defender™ number generators, and
• A complex, encrypted authentication system.

Note that a click-through probably does not satisfy the requirements for an electronic signature under Article 9 of the UCC.

Key Elements

ESIGN and UETA require that:
• The signature be attributable to the signer and associated with the records
• The signing party have authority to sign
• The signing party have the intent to affix a signature to the record

ESIGN and UETA do not require that:
• The signature process itself provide proof of identity
• The signature process itself protect the record from alteration without detection

Howdy, Stranger -- Addressing Attribution and Authority to Sign

Attribution basics

Legal sufficiency vs. attribution -- UETA and ESIGN’s signature rules:
• Answer the question “is it a signature?”
• Do NOT answer the question “is it your signature?”

Attribution must be proven:
• Attribution may be proven by any means, including surrounding circumstances or efficacy of agreed-upon security procedure
• The burden of proof is usually on the person seeking to enforce signature

Attribution in the electronic world

In an electronic environment, attribution is often proven by associating the signature with use of a “credential.” A credential is a method for establishing the identity of the signer, and may involve use of a password, employment of a token (such as a random number generator), biometrics, or demonstration of knowledge of a “shared secret,” or some combination of the above (or similar devices/approaches). Use of the credential gives the person receiving the signed record a reasonable basis to believe that the signature was created by the intended signer.
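As an added example (not part of the presentation), the following shows one way a signing system can preserve the association the slides describe: an append-only, hash-chained signing log in which every entry binds the SHA-256 of the record as signed, the identifier of the credential used, the authentication factors that were satisfied, the assent statement the signer acted on (evidence of intent) and a timestamp. Because each entry also commits to the hash of the previous one, later alteration of the trail, or of the record, is detectable, which is the kind of evidence the party seeking to enforce the signature will need to carry its burden of proof. The record bytes, credential identifiers, factor names and timestamps are constructed for the example.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value used for the first entry in the chain


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so the same entry always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class SigningLog:
    """Append-only log of signing events, each hash-chained to its predecessor."""

    def __init__(self):
        self.entries = []

    def record_signature(self, record: bytes, credential_id: str, factors,
                         assent_text: str, ts: int) -> dict:
        """Log that `credential_id`, after proving `factors`, adopted `assent_text`
        for the record whose exact bytes are `record`, at Unix time `ts`."""
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "ts": ts,
            "record_sha256": sha256_hex(record),  # ties the event to exact record content
            "credential_id": credential_id,       # whose credential was used
            "factors": sorted(factors),           # how that credential was verified
            "assent_text": assent_text,           # what the signer intended to adopt
            "prev": prev,                         # link to the previous entry
        }
        entry = dict(body, entry_hash=sha256_hex(canonical(body)))
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return None if every entry is intact and correctly chained,
        otherwise the index of the first entry that fails."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body.get("seq") != i or body.get("prev") != prev:
                return i
            if sha256_hex(canonical(body)) != entry["entry_hash"]:
                return i
            prev = entry["entry_hash"]
        return None

    def evidence_for(self, record: bytes) -> list:
        """All logged signing events for a record with exactly these bytes."""
        digest = sha256_hex(record)
        return [e for e in self.entries if e["record_sha256"] == digest]


def demo() -> dict:
    """Constructed scenario: two records signed, one later altered by someone."""
    log = SigningLog()
    agreement = b"Treasury Services Agreement v3 (constructed sample text)"
    log.record_signature(agreement, "cred-ex-0001", {"password", "otp_token"},
                         "I agree to the Treasury Services Agreement", 1450000000)
    log.record_signature(b"Wire transfer instruction #42 (constructed)", "cred-ex-0002",
                         {"password"}, "Submit wire", 1450000120)
    altered = agreement + b" plus a clause nobody signed"
    return {
        "intact": log.verify() is None,
        "evidence_original": len(log.evidence_for(agreement)),
        "evidence_altered": len(log.evidence_for(altered)),
    }
```

`verify()` is what an examiner runs over the exported trail; an altered record simply has no entry, and an edited entry (or a deleted one) breaks the chain at the first affected index.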

Howdy, Stranger -- Addressing Attribution and Authority to Sign

Creating a Credential

A credential may be:
• Assigned to the signer directly by the intended recipient of the signed record, either in advance or at the time of signing.
• Assigned to the signer indirectly, through a hierarchical model, where the intended recipient gave a “root” or “master” credential to a person who is then authorized to provide derivative credentials to others (e.g. Recipient gives a master User ID and password for its Treasury Services website to an executive at Company X and the executive then establishes passwords for other Company X employees).
• Created spontaneously (often through the use of biometrics or a “shared secret”) at the time it is needed for the signing.

Notes on credentials

Note that the effectiveness of the credential for attribution depends on the integrity and reliability of the process for first creating and assigning the credential to the individual.
• So, if it is easy to get a credential under false pretenses, then the value of the credential for attribution is diluted.
• But, if the process for first issuing the credential to the correct person is demonstrably reliable, then the later use of the credential will usually constitute strong evidence of attribution.

In more sophisticated applications the customer may be given multiple credentials to permit two or three-factor authentication, depending on the risk level of the specific requested transaction. So, for example, a banking customer may be able to access general online banking services using a User ID and Password, but then be required to also provide a one-time password or PIN from a random-number generator before completing a funds transfer during the online session.
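The risk-tiered step-up described above, as an added example that is not code from the presentation: each operation is classified into a risk tier, each tier names the factors that must have been proven in the session, and high-risk operations additionally require that the one-time code was entered recently, so a code typed at login does not silently cover a transfer an hour later. The tier names, the operation classification and the 120-second freshness window are assumptions made for the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class Factor(Enum):
    PASSWORD = "password"      # something you know (User ID + password)
    OTP_TOKEN = "otp_token"    # something you have (one-time code from a number generator)
    BIOMETRIC = "biometric"    # something you are


class RiskTier(Enum):
    LOW = 1      # e.g. viewing balances
    MEDIUM = 2   # e.g. changing contact details
    HIGH = 3     # e.g. moving money or signing agreements


# Policy (assumed): factor -> maximum age in seconds, or None when any earlier
# proof in the same session suffices.  HIGH-tier actions demand a fresh code.
REQUIREMENTS = {
    RiskTier.LOW: {Factor.PASSWORD: None},
    RiskTier.MEDIUM: {Factor.PASSWORD: None, Factor.OTP_TOKEN: None},
    RiskTier.HIGH: {Factor.PASSWORD: None, Factor.OTP_TOKEN: 120},
}

# Constructed classification of operations into risk tiers.
OPERATION_RISK = {
    "view_balance": RiskTier.LOW,
    "download_statement": RiskTier.LOW,
    "update_email": RiskTier.MEDIUM,
    "funds_transfer": RiskTier.HIGH,
    "sign_agreement": RiskTier.HIGH,
}


@dataclass
class Session:
    user_id: str
    proven: dict = field(default_factory=dict)  # Factor -> time (seconds) it was last verified

    def prove(self, factor: Factor, now: int) -> None:
        """Record a factor only after the credential verifier has accepted it."""
        self.proven[factor] = now


@dataclass
class Decision:
    allowed: bool
    tier: RiskTier
    missing: set  # factors the step-up prompt must collect; empty when allowed


def authorize(session: Session, operation: str, now: int) -> Decision:
    """Fail closed: unclassified operations are refused, stale factors count as missing."""
    if operation not in OPERATION_RISK:
        raise ValueError(f"unclassified operation: {operation}")
    tier = OPERATION_RISK[operation]
    missing = set()
    for factor, max_age in REQUIREMENTS[tier].items():
        when = session.proven.get(factor)
        if when is None or (max_age is not None and now - when > max_age):
            missing.add(factor)
    return Decision(allowed=not missing, tier=tier, missing=missing)


def demo() -> list:
    """The slides' scenario: password login, then a transfer that needs a code."""
    s = Session("customer-example")  # constructed user id
    s.prove(Factor.PASSWORD, now=0)
    out = [("view_balance", authorize(s, "view_balance", 5).allowed),
           ("funds_transfer", authorize(s, "funds_transfer", 10).allowed)]
    s.prove(Factor.OTP_TOKEN, now=12)  # customer enters the one-time code
    out.append(("funds_transfer", authorize(s, "funds_transfer", 15).allowed))
    out.append(("funds_transfer", authorize(s, "funds_transfer", 900).allowed))  # code too old
    out.append(("update_email", authorize(s, "update_email", 900).allowed))     # older code ok
    return out
```

The `missing` set in the decision is what drives the step-up prompt: the application asks for exactly those factors and nothing else, then re-runs `authorize` rather than trusting the prompt's own result.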

Howdy, Stranger -- Addressing Attribution and Authority to Sign

ESIGN and UETA incorporate the existing common law rule requiring that the signing party have the authority to sign.

• Individuals – identity, age, capacity – capacity is usually taken for granted with any person over the age of 18, unless there are indications to the contrary
• Representatives – identity, age, capacity, and authorization to take the contemplated action on behalf of the represented party. The authority to act is not automatic just because a person is an appointed representative (e.g. an agent or employee). Authority must be either expressly or implicitly conferred by the represented person.

“Hail Mary” – Very often used with small companies. It presumes that in a small company anyone taking action with respect to bank services must have authority to do so because unauthorized activity is so difficult to conceal. This involves a “cost/benefit” risk analysis, since historically small business employees have proven quite adept at using bank accounts and banking relationships to commit fraud under the noses of their co-employees and owners.

Certificate of Authority – In the most formal of situations, a certificate is required from the company’s owners or controlling body (Board of Directors, General Partners, Members, etc.) confirming the authority of a particular person to sign as a representative of the company. In some cases, confirmation of authority is incorporated into an opinion letter from outside counsel, creating a potential claim against outside counsel in case of a later dispute.

Situational “actual” or “apparent” authority – Where authority is not formally established, it may alternatively be established by circumstance. Job titles and/or known supervision and review of the proposed agreement by senior management may establish either actual or apparent authority to act.

Howdy, Stranger -- Addressing Attribution and Authority to Sign

The Hierarchical Model

In this model, the potential recipient of the signed records (e.g. the bank) assigns a master credential, through a highly reliable and carefully controlled process, to a company representative (e.g. the Senior Vice President for Treasury Management Services) whose authority to establish the initial relationship is beyond question (either because of certification or situational verification). In turn, the recipient’s system of record permits the trusted company representative to create lower-level credentials for other company employees. These credentials come with assigned rights, which may include the right to enter into additional agreements with the recipient. Presumably, the master agreement between the recipient and the company establishes the recipient’s right to rely on the “hierarchical model” to establish the authority of the lower-level employees to sign.
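The following is an added example, not the presentation's or any bank's code, of the rules a recipient's system of record has to enforce for the hierarchical model to be worth relying on: a derivative credential can carry only rights its issuer holds (so a subordinate can never be granted more than the master-credential holder was certified for), a signing action is attributed to the company only if the chain of issuance leads back unbroken to a master credential, and revoking a credential revokes everything issued under it. Credential ids, right names, the holder titles and "Company X" are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

DELEGATE = "delegate"  # right that permits creating derivative credentials for others


@dataclass
class Credential:
    cred_id: str
    holder: str               # person the credential was issued to
    company: str              # represented party
    rights: frozenset         # what the holder may do with the recipient (bank)
    issued_by: Optional[str]  # cred_id of the issuing credential; None for a master
    revoked: bool = False


class CredentialRegistry:
    """The recipient's system of record for master and derivative credentials."""

    def __init__(self):
        self._creds: dict = {}

    def issue_master(self, cred_id, holder, company, rights) -> Credential:
        """Done by the recipient itself, after verifying the holder's authority
        out of band (certificate of authority or situational verification)."""
        if cred_id in self._creds:
            raise ValueError("credential id already exists")
        cred = Credential(cred_id, holder, company, frozenset(rights) | {DELEGATE}, None)
        self._creds[cred_id] = cred
        return cred

    def issue_derivative(self, issuer_id, cred_id, holder, rights) -> Credential:
        """A holder with the delegate right creates a credential for a colleague.
        The new credential may carry only rights the issuer itself holds."""
        issuer = self._creds[issuer_id]
        if issuer.revoked or DELEGATE not in issuer.rights:
            raise PermissionError("issuer may not delegate")
        rights = frozenset(rights)
        if not rights <= issuer.rights:
            raise PermissionError(f"cannot delegate rights the issuer lacks: {sorted(rights - issuer.rights)}")
        if cred_id in self._creds:
            raise ValueError("credential id already exists")
        cred = Credential(cred_id, holder, issuer.company, rights, issuer_id)
        self._creds[cred_id] = cred
        return cred

    def revoke(self, cred_id) -> None:
        """Revocation cascades to everything issued under the revoked credential."""
        self._creds[cred_id].revoked = True
        for cred in self._creds.values():
            if cred.issued_by == cred_id and not cred.revoked:
                self.revoke(cred.cred_id)

    def chain(self, cred_id) -> list:
        """Credentials from cred_id up to the master that anchors it."""
        links = []
        cur = self._creds.get(cred_id)
        while cur is not None:
            links.append(cur)
            cur = self._creds.get(cur.issued_by) if cur.issued_by else None
        return links

    def can_sign(self, cred_id, right) -> bool:
        """Attribute a signing action to the company only if the credential holds
        the right and its whole issuance chain is unrevoked and ends at a master."""
        links = self.chain(cred_id)
        if not links or right not in links[0].rights:
            return False
        if any(c.revoked for c in links):
            return False
        return links[-1].issued_by is None


def demo() -> dict:
    """Constructed scenario: bank -> SVP (master) -> treasury analyst (derivative)."""
    reg = CredentialRegistry()
    reg.issue_master("master-ex-1", "SVP Treasury (constructed)", "Company X",
                     {"sign_treasury_agreement", "initiate_wire"})
    reg.issue_derivative("master-ex-1", "deriv-ex-1", "Analyst (constructed)", {"initiate_wire"})
    result = {
        "analyst_wire": reg.can_sign("deriv-ex-1", "initiate_wire"),
        "analyst_agreement": reg.can_sign("deriv-ex-1", "sign_treasury_agreement"),
    }
    try:  # the analyst was not given the delegate right, so this must fail
        reg.issue_derivative("deriv-ex-1", "deriv-ex-2", "Intern (constructed)", {"initiate_wire"})
        result["analyst_can_delegate"] = True
    except PermissionError:
        result["analyst_can_delegate"] = False
    reg.revoke("master-ex-1")  # SVP leaves; everything under the master dies with it
    result["analyst_wire_after_revoke"] = reg.can_sign("deriv-ex-1", "initiate_wire")
    return result
```

The `chain()` output is also the attribution record for a dispute: it names every person through whom the signer's authority flowed back to the representative the recipient verified directly.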

Them varmints have cut the telegraph wires! -- Dealing with Notice and Delivery Issues

Key Considerations
- Will the records contain sensitive information?
- Will the records contain required disclosures or notices?
- Are multiple delivery methods possible/desirable?
- Are there “phishing” or “pharming” issues to address?
- Need to maintain control over display and audit trails?
- Need to obtain ESIGN Consumer Consent?
- 2 Factor Authentication required?
- How will cross-system compatibility/communication issues be addressed?
- How much of design will be automated or manual?
- Is system intended for use with targets without prior electronic relationship with sender?
- Regulatory requirements for timing, delivery, proximity, conspicuousness, forced review?
- Addressing electronic delivery channels
- Agreement on what constitutes “sending” and “receipt” (Note some state UETAs limit variation by agreement)
- Agreement on obligation to update electronic addresses
- Managing bouncebacks and withdrawal of consent

[Figure: three columns, Design → Delivery Design Choices → Execution, with Secure Communication and Record Management Responsibility as the two cross-cutting rows. Labels recovered from the slide:]

Design – Establish agreement on delivery:
• When deemed delivered
• Delivery address
• Obligation to update address

Delivery Design Choices (Secure Communication):
• Secure or Unsecure?
• Push out in email/SMS, or send “ready notice” and pull behind firewall?
• Embedded hyperlinks in “ready notice” email?
• Permit target to set delivery preferences?
• Permit target to designate multiple recipients?
• Forced review or bypassable?

Execution:
• Obtain ESIGN Consent
• Generate records
• Send notice or attachments
• Provide opportunity to retain
• Generate audit trail
• Handle “bouncebacks”
• Handle withdrawal of consent

Record Management Responsibility:
• Enrollment / consent process
• Audit trails and reporting
• Transmittal message contents
• Authentication process for access to secure data (if applicable)
• Record generation and posting to delivery system
• Message or notice generation/transmission
• Record retention/destruction process
• Record generation/posting

Showdown at the OK Corral -- Managing Electronic Records

[Figure: record life cycle and management overview. Labels recovered from the slide:]

Record Life Cycle: Generate → Deliver → Store → Manage → Destroy

Secure and Consistent Record Management:
• Propagate Data
• Track Record Versions
• Extract & Index Data
• Create Audit Trails & Reports

Key Systems Issues:
• Active Data Processes
• Access Controls
• Quality & Integrity Controls
• Record Destruction
• Business Continuity

Primary Record Categories:
• Boilerplate Docs
• Transaction-specific Docs
• Audit Trails for Enrollment, Delivery/Signing
• Screen Shots & Process Flows

Also on the slide: Search and Report Capabilities; Company Policies and Guidelines; Record Management Audit Trails & Reports.

Who was that masked man? -- Some Additional Resources

• SPeRS (Standards and Procedures for electronic Records and Signatures) – available for purchase at www.spers.org
• FFIEC Information Technology Examination Handbook – available at www.ffiec.gov/ffiecinfobase/html_pages/it_01.html
• FFIEC Guidance On Electronic Financial Services And Consumer Compliance – available at www.ffiec.gov/PDF/EFS.pdf
• FTC Guidance on Dot Com Disclosures – available at www.ftc.gov/bcp/conline/pubs/buspubs/dotcom/index.html
• FTC Staff Report on Improving Consumer Mortgage Disclosures – available at www.ftc.gov/opa/2007/06/mortgage.shtm
• AIIM Recommended Practice Report on Electronic Document Management Systems (AIIM ARP1-2006) – available at www.aiim.org/documents/standards/arp1-2006.pdf
