Digital Signatures: Industry Likes E-Signatures, But Unsure on Infrastructure

Starting Sunday, applications for loans and new accounts, as well as other documents that financial institutions deal with on a daily basis, will be legal whether they carry a handwritten signature or one that exists only in cyberspace.

American Banker gathered industry experts to discuss implications for the financial services industry of the new E-Sign law. Among their views: Financial institutions are best positioned to fully exploit the new law, but mass deployment of the technology to support digital signatures has yet to be proven.

At American Banker's New York office were Stephen Schutze, director of e-strategies at the American Bankers Association; Terry Leahy, vice president of the cryptography services division at Wells Fargo & Co.; and June Felix, chief executive officer of Certco, a New York provider of digital certificates for use in business-to-business transactions.

Participating by conference call were Thomas Crocker, a partner at the Atlanta law firm of Alston & Bird; Stephen Mitchell, senior vice president of customer marketing and development at Fidelity Investments; and Alexander Gavis, assistant general counsel at Fidelity.

What are the implications of the new digital signature law on financial services?

STEPHEN MITCHELL: The conversion to technology and the new law really makes it possible for financial services firms to provide an increased level of convenience for our customers. It enables them to take advantage of our services in a much more streamlined, user-friendly way. And for financial services firms, the plus side is it makes it easier for us to offer those services more efficiently and in real time.

THOMAS CROCKER: To take but one example, if you open an account with an online broker, while much of it under current law can be done electronically, one would still have to download and print and manually sign the agreement with the broker. Now under E-Sign, that step potentially is removed and can be done electronically without a paper signature. And that type of facilitation of electronic commerce will have benefits both for the consumer and for the industry.

STEPHEN SCHUTZE: To take it a little bit further than that … if the financial institutions are supplying the digital certificates and the digital signatures that go along with them, then you really put the financial institutions in the middle of the whole e-commerce area.

ALEXANDER GAVIS: In addition to consumer benefits, which I think will be great, there are also business-to-business benefits. There may be the use of electronic contracting in the future.

JUNE FELIX: The law can have really global implications. Part of the mandate is that there is a need to come back within 180 days of the signing with some specific initiatives that will homogenize or help encourage the adoption of similar types of activity on a global basis, even though there are different types of approaches between countries. I think that's going to help pave the way over the long term for many of these international business-to-business transactions to be facilitated.


It's intriguing that there was no mention made in the law of the level of security that is required with these electronic signatures. Could you comment on whether that was a good way to go about it?

CROCKER: Because levels of security are a constantly moving target, it was thought that it would be impossible to mandate any specific level of security, because you'd be out of date by the time the act was enacted. And also, it's really almost impossible to mandate a global level of security, because there are different levels that might appropriately apply for different types of transactions and different types of players. And it's really a matter for the marketplace to decide.

One of the philosophies that underlay this act was that it was a market-oriented act and to leave maximum flexibility to the parties, so-called party autonomy, to set the standards for their transactions themselves.


The Secure Electronic Transaction standard for securing credit card transactions has been said to be too cumbersome to work, and it has not been implemented widely. Do digital signatures or certificates face the same fate?

SCHUTZE: The operation of a digital certificate, because I have it on my PC, doesn't slow it down. You don't even know it's happening when you go to sign something - it's that fast. So I don't think that we're looking at an SET [situation].

This technology's going to constantly evolve, and we're going to get faster. But I don't think we're going to go down the same road [as SET].

TERRY LEAHY: My experience is that massive deployment is yet to be proven. The problem with SET is that it requires a lot of changes on the back-end application. And actually, PKI [private-key infrastructure] also requires back-end applications to be PKI-enabled. And most of the legacy applications don't really know what to do with the certificate once it gets there. So there's a lot of stuff that yet needs to be worked out.

SCHUTZE: I agree with you. Once you start handling, as an industry, 35 to 40 million of these certificates, we don't know what we're in for yet.


Which business lines will deploy digital certificates first?

LEAHY: We are going to deploy in the commercial wholesale area. At this point it really makes more sense to deploy those applications that are high-dollar transactions. And in most cases, the wholesale applications are more suitable - not high volume, but high asset value.

CROCKER: I think it's important to bear in mind that, as important as the electronic signature element of the act is, the act also covers electronic contracts and electronic records, which are vastly important.

MITCHELL: On the retail side is where the big initial opportunity is for us. One example might be for an existing customer who is accessing their account via the Internet, and wants to change their address. If they log on using their password and PIN, we will allow them to do that transaction on the Web.

That's a great convenience for the customer, it's a significant cost saving for us, and it's immediate, so there are lots of benefits there.

A simpler example even might be the click-through, where we might provide a particular piece of information or an investment tool of some sort on our Web site. And there are certain legal disclosures that are important for the customer to understand and agree to in using that tool, to protect the customer and protect Fidelity.

The fact that they view that disclosure statement and click on a button that says "I agree" gives us comfort that they were not able to use that tool without having agreed to the terms.

So that's a level of authentication that's sort of matched to the use and to what the customer's trying to do. It wasn't a monetary transaction, but they were getting information. And this allows us to feel comfortable that the customer obtained that information with full disclosure.

And then there are other levels of authentication that, in opening a brokerage account, we need to do regardless of whether that account is opened electronically or opened via paper. It might be an additional step, to verify credit history, for example.

LEAHY: When you are deploying the PKI infrastructure, whether it's internally or externally to your customer, there are "certificate practice statements" and "certificate policies" that need to be established. And those are the rules, if you will, to guide how your organization will do business in the digital certificate arena.

Within Wells, we have a PKI board, composed of various people and parties within the bank. And those practice rules have to be agreed by all of those members. The policies call for certain authentication requirements.

SCHUTZE: The ABA is trying to establish the policies and the rules and the guidelines and the liability for the financial industry. As this industry evolves, these policies will evolve. And we're hoping that as the ABA, as a sort of a third party, an independent party - that we can establish these for financial industries so you get cross-verification between different certificates.


What liabilities do banks have as they issue digital certificates?

SCHUTZE: If I'm a financial institution and I issue a certificate to you, and you do business as X and someone else relies on it and you're really Y, then they will probably want to come and talk to me. Or their lawyers would want to come and talk to me.

CROCKER: The E-Sign act is not addressing any liability issues. They deliberately forbore from doing that. This is a matter of contract between the certificate authority and its customer.

FELIX: But any time there's risk, there's also opportunity. And there's new ways in which to make money. Banks are in the best position to really understand that link between the identity and that certificate. So there are new services that you can create that are linked off of your ability to warrant that people are who they say they are.

GAVIS: How will digital signatures work when consumers have multiple relationships among banks and institutions? Are they going to use the same signature?

FELIX: You could go one of two ways. One is that it could be like a passport. Or alternatively, it could be like your credit card, where you have numerous memberships and you use them for different places. In either case, being able to cross-certify is going to be key.

SCHUTZE: What you're talking about is what we call the portable certificate. You have the financial area, you may have the medical area with its certificates, and then you have the government issuing certificates. Whether you can have one certificate that will satisfy all three areas, or if you have to have three or you have to have six, is a question.

LEAHY: One of the things that you have to look at is ease of use for the end-user. So, by definition, you can't give them so many digital certificates for all these purposes that they will not know which one to use for what. On the other hand, I don't see that consumers will have one certificate that allows them to do everything either. I would say that you will need less than 10, but something that is manageable for various purposes.

MITCHELL: Has anyone projected what the cost of providing digital certificates might be? Would we charge a customer a one-time fee? A per-use fee? What's the business model there? And what do we think consumer acceptance would be?

SCHUTZE: I think it will range from free to one-time costs to annual fee to all of the above, or some combination thereof. In other words, it will be everything.

FELIX: I think it's going to be bundled into what you value that customer at. For example, you're going to have some high-value private clients that are going to do big-value transactions. And you're also going to have to compare the risk of the trade going wrong to the costs of putting in the system, versus the competitive cost of not having that capability.

MITCHELL: If you look at it truly from the consumer perspective, not requiring digital signatures or digital certificates might be a competitive advantage, because a customer might find it easier to do business. If you piece together a lot of the things that were just said, it seems like the market's trying to find the right equilibrium.


It sounds like there might be a lot of consumer marketing and consumer education issues to deal with.

SCHUTZE: There's also a lot of education that needs to go on in the financial industries themselves. There are thousands of banks out there that aren't quite sure what a digital certificate or signature would mean to them. And so there's a tremendous amount of education we have to do.


To pick up on that point, is there a difference between a digital signature and a digital certificate?

LEAHY: Yes, there is. The certificate includes a number of things. It includes your name and whatever information is unique to you. It also includes a key PIN, which is uniquely generated by a vehicle that only you have the unique key for. And it could include how long that certificate is, what it is going to be used for, and other information like the issuing CA (certificate authority). So that whole data string is the certificate.

Now you take that certificate and go into some hashing algorithm and come out with the digital signature. And the Certificate Authority will validate that.

SCHUTZE: From a certificate, you generate a digital signature.

LEAHY: You need both.

SCHUTZE: You use one to do the other.


What are the differences between the state laws and the federal laws with respect to digital signatures, and how will that affect banks trying to get into the business?

CROCKER: One of the impetuses behind the bill was the numerous state laws dealing with electronic authentication, and the fact that no two of them were precisely alike. Some were technology neutral, others weren't, etc. And there was a feeling that this potentially inhibited electronic commerce growth in the United States. So therefore, the E-Sign act preempts state laws, but with a couple of exceptions.

SCHUTZE: From a business standpoint, what's important about that is that now businesses can go forward and conduct commerce across the United States, not worrying about state boundaries.


What will be the biggest challenge to actually implementing and using digital certificates?

SCHUTZE: An analogy is probably credit cards when they first came out. You had two haberdashers in Northern California who said, "We'll take credit cards." And you had one bank in Florida that said, "We'll issue them." Then they both looked and said, "Where is the other side?"

And I think we're right there, especially on the consumer side. Until you get some very large parties saying, "We want to use them," it's going to be a hard sell for a lot of banks to start issuing them, especially on the consumer side. I think the business side will go faster.

LEAHY: The biggest challenge is the support, the infrastructure. Because this is something new and the mass market doesn't know how to use it. To us, the technology is only 20% of the success. The rest of it is all the infrastructure. For example, you need a help desk for users who forget their keys. And how do you verify they are who they are? That sort of thing all needs to be worked out. So I would say that the supporting infrastructure is going to be the biggest challenge.

CROCKER: There are some details to be worked out and questions to be answered from a legal point of view. There are elements of the bill dealing with consumer consents. The industry will have to look at those requirements closely to see how they implement them and if they can do so on a cost-effective basis.

MITCHELL: I think the biggest challenges will be looking at the various technologies and methods of authentication and so forth, and matching the appropriate ones to the customer needs and our willingness to do business in that manner with the level of risk that we are absorbing as a firm. I'm not sure where the technology's going to go, but I think if we follow it and listen to our customers along the way, we'll get to the right answer.

FELIX: I think the only challenge is, frankly, when it strikes, the resources won't probably be sufficient for the demand. This is going to be explosive growth.
