At Penneo, ensuring legality and lawfulness of our services is a must

Shed light on all your doubts regarding the legal value of e-signatures, the cross-border admissibility of eIDs, and their combined use to meet KYC requirements.

Legality

In the digital age we live in, old-fashioned solutions don’t meet our modern needs. Technological advancements gain speed year after year, increasing the demand for fast and globally available services. Signing documents and contracts with pen and paper is nowadays a time-consuming and inefficient burden that no company should bear.

Today’s fast-paced business world demands a more flexible and responsive solution to stay competitive and relevant in a hyperconnected and digitized marketplace. And this is where digital signatures join the game.

Investing in digital solutions allows companies to take full advantage of these changes. Paperless processes bring unprecedented convenience and capability to keep up with an evolving market and save time and resources. What’s more, the legal landscape is on our side as well. Digital signatures are legal, trusted, and enforceable in the European Union and nearly every industrialized nation worldwide.

Digital signatures are just as valid as handwritten signatures and enable the same traditional functions through a completely paperless process that can be performed wherever you are and whenever you want.

The use of this powerful business tool is constantly growing as a means for optimizing efficiency and more secure authentication that cannot be easily forged or compromised while still protecting the privacy of the subjects involved. Being a faster, safer, and cheaper alternative to their aged counterpart, digital signatures raise productivity while helping reduce the impact on the environment and implement sustainable business practices within the organization.

To facilitate and encourage ever more widespread adoption, EU and UN political initiatives are increasingly promoting and incentivizing digitization in both governments and businesses as part of a broader plan to create a modern digital market that allows Europe to keep up with and compete against the rest of the world.

in the EU and around the world

The expression e-signature refers broadly to any electronic process or technique that indicates acceptance of an agreement or a record. The concept includes the objective element, which basically consists of the signing method, and the subjective element, that is the intent to sign.

The generic term e-signature is used in an all-encompassing sense to embrace all signing methods - including digital signatures. However, e-signature and digital signature are two distinct concepts and cannot be used interchangeably.

Not all data attached to an electronic document and used by the signatory to sign provides the same legal standing as a handwritten signature. To have the same value as a traditional signature placed with ink on paper, the e-signature needs to adhere to the requirements of the specific regulation it was created under, so that it can be identified as a so-called digital signature.

Digital signatures, also known as advanced or qualified e-signatures, are cryptographic implementations of electronic signatures based on asymmetric (public-key) cryptography. The European Telecommunications Standards Institute (ETSI) defines a digital signature as data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and to protect against forgery, e.g. by the recipient. The digital signature is the signing method that ensures with the most certainty both the identity of the signer and the integrity of the message.

Digital signatures are legal, trusted, and enforceable in nearly every industrialized nation around the globe and actively in use in Europe. Being the most advanced and secure type of e-signature, a digital signature is as legally binding and valid as a traditional signature placed with ink on paper.

Legally binding e-signature

A simple e-signature is data in electronic form, which is attached to or logically associated with other data in electronic form and used by the signatory to sign. In its most basic configuration, the e-signature can be as simple as a name entered in an electronic document and used by the signatory to sign.

An advanced e-signature is defined in the EU as an e-signature that meets the requirements listed in art. 26 of the eIDAS Regulation (and the same requirements are materialized in similar form in other e-signature legislations). For an e-signature to be classified as advanced (and therefore compliant and valid), it must be:

- uniquely linked to the signatory and capable of providing distinctive information that identifies the signatory and confirms that they are who they claim to be.

- created using electronic signature creation data that the signatory can, with a high level of confidence, use under their sole control; this can be done with a certificate for electronic signature, i.e. electronic proof that confirms the identity of the signatory and links the electronic signature validation data to that person.

- linked to the data signed therewith in such a way that any subsequent change in the data is detectable (if the data is altered afterwards, the signature is flagged as invalid because of tampering).

A qualified e-signature is an advanced e-signature that provides even higher probative value, as it is created using a certificate-based digital ID issued by a Qualified Trust Service Provider. The certificate authenticates the signer's identity and demonstrates proof of signing by cryptographically binding the signature to the document. The resulting upgraded advanced signature then carries the same legal value as a handwritten signature in the EU (and around the world). However, the qualified e-signature is only regulated in the European Union (and, similarly, through ZertES in Switzerland); it is not defined in the U.S., where the requirements e-signatures must meet to be legally valid are simpler and less strict.

Member States remain free to decide on the type of electronic signatures (hence, the level of security) required for a given online public service or transaction.

Therefore, it is up to the individual national legislation to establish the cases in which a simple electronic signature is sufficient and those where a digital signature (advanced or qualified) is required - in any case, without prejudice to the ban on discrimination, under which a document cannot be denied legal effect and admissibility as evidence in legal proceedings solely because it is digitally signed (art. 25 eIDAS Regulation).

In addition, each State can decide to require a traditional ink-signature for specific cases.

In Denmark, e-signatures (in the simple, advanced, or qualified form) are allowed for almost all cases. There are, however, a few exceptions:

- Notarial wills and witnessed wills, for which handwritten signatures or a formal notarial process are explicitly required (sec. 63, 64, and 66 of the Danish Inheritance Act - Arveloven).

- Signatures on the lease agreement and other agreements on the leased property must be drawn up in writing when one of the parties so requires (section 4), and the landlord’s notification of the rental agreement’s termination (pursuant to sections 87 and 93.2) cannot be submitted as digital documents (Danish Rent Act - Lejeloven).

DISCLAIMER: The content provided on this website is intended to help understand the legal framework of e-signatures and not to serve as legal advice. As laws and regulations may change often, we cannot guarantee the accuracy of the information presented, as it may not be up to date with the most recent legal developments. Penneo disclaims all liability with respect to this material, expressed or implied, to the maximum extent permitted by law. We suggest consulting a licensed attorney in your area for advice on specific legal issues and jurisdictions. If you have specific legal questions about any of the information on this site, you should consult with a licensed attorney in your area (Last updated: November, 2020)

How Penneo works

Penneo supports certificate-based eID signatures, therefore it enables the creation of digital signatures with the highest level of security. Penneo complies with all the legal and technical standards established worldwide for advanced e-signatures and meets the eIDAS requirements for qualified e-signatures.

Penneo digital signatures

The Penneo signature can be used as proof of trustworthiness in terms of authenticity, content integrity, and non-repudiation of the transaction the parties agreed upon, as it gives grounds to trust that:

the signature was created by a known sender - the identity of the signer is verified;

the digitally signed document was not altered in transit - the integrity of data is ensured;

the signer was aware of what they were agreeing to, and their consent and signature are time-stamped and embedded in the document - the intent of signing is captured.

To create a digital signature via eID, Penneo uniquely identifies signers by using Digital IDs issued by Trust Service Providers (TSPs) or Certificate Authorities (CAs) that are included in the EU Trusted List. This authentication method provides assurance of the signer's identity and enables anyone to verify who the author of the signature actually is. It is electronic proof that indisputably confirms the identity of the signatory and links the electronic signature validation data to that person.

Penneo offers three different signing methods: Touch signature, OpenID via your Google account, and digital signature via eID. All the options can be used to create e-signatures, but not all of them provide the same security level.

To be more specific, three different levels of security can be identified - from the lowest to the highest:

A touch signature registers both the signer's IP address and the date and time of the signature, which are embedded in the final digital document. Consequently, the integrity of the content is still ensured, as any subsequent alteration can be detected. However, it is not as secure as a signature made with an eID, nor does it meet all the eIDAS Regulation requirements, because no specific authentication measures are in place when a touch signature is created. Therefore, we only recommend using it as a last resort, and for the cases where a simple e-signature is sufficient.

An OpenID signature created via a Google account attaches several pieces of identifying information to the document, such as the signer's full name, IP address, and public certificate. Moreover, it is safer than a touch signature because Two-factor Authentication is required, so an additional layer of security confirms that the signatory is who he or she claims to be. As a result, this signing method enables the creation of advanced e-signatures (according to the nomenclature used in the EU), which are generally recognized around the world as having a legal value equal to that of handwritten signatures. Nonetheless, this signing method may prove vulnerable to phishing, identity theft, and other cyber attacks; moreover, it involves a lack of privacy, and it may be difficult to establish the authenticity of the binding between a public key and its owner. To these security issues are added those that can derive from errors in typing the recipient's email address, changes in the ownership of the account, and so on. For all the above reasons, an e-signature made via Google is not as safe as one made via eID. Thus, we suggest using it only when employing an eID is not possible.

The eID, on the other hand, provides absolute certainty about the signer’s identity and fully complies with all eIDAS requirements, as users can only log in and sign through a certificate-based digital ID issued by a Qualified Trust Service Provider (e.g. NemID, BankID, Itsme, and so on). In addition to securing the integrity of the content of the digitally signed document and preventing its repudiation, the signature via eID certificate assures the safest authentication possible, as it is tied to a social security number or similar public identification number. Accordingly, the resulting upgraded advanced signature can be identified as a qualified e-signature in the EU (from now on, digital signature), and carries the same legal value as a handwritten signature in the EU and around the world.

Penneo validation result

The digital version of the documents signed via Penneo embeds technical evidence that certifies who signed the agreement, what was agreed on, and when this happened. Our files have very specific characteristics that are clear and visible in the digital version. Their presence provides assurance that the content and the signature have not been forged or compromised. Therefore, the final document is indisputable proof of the authenticity of the signature and the non-tampering of the content, and the parties involved cannot deny having signed it.

With our Validator, you can always verify and confirm your documents' technical (and legal) validity. All you need to do is upload your PDF, and you will get a full overview - including:

- document key algorithm

- timestamp

- eID authentication

- confirmation of the validity of the signatures

- proof of non-alteration of the document.
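The art. 26 properties listed earlier (unique link to the signatory, a signing key under the signer's sole control, detectability of any later change) and the checks the Validator reports (key algorithm, time-stamp, signer authentication, signature validity, non-alteration) can be shown working together in code. The following Go program is an added example, not Penneo's code: it uses Ed25519 in place of a QTSP-issued certificate, and a constructed map of trusted public keys stands in for the EU Trusted List binding a signer's name to their key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Verification failures are kept separate so a validator can report which
// property (signer binding, signature validity, non-alteration) failed.
var (
	ErrUnknownSigner = errors.New("public key is not bound to this signer by a trusted issuer")
	ErrBadSignature  = errors.New("signature does not verify over the signing record")
	ErrAltered       = errors.New("document content differs from what was signed")
)

// SignatureRecord is the evidence embedded beside a signed document: who signed,
// with which algorithm, when, the digest of the content, and the signature that
// binds all of it together.
type SignatureRecord struct {
	SignerID  string            // identity asserted by the signer's certificate (constructed label)
	Algorithm string            // the "document key algorithm" a validator reports
	SignedAt  time.Time         // time-stamp captured at signing
	DocSHA256 [32]byte          // digest of the document bytes that were signed
	PublicKey ed25519.PublicKey // public half of the key under the signer's sole control
	Signature []byte
}

// canonical is the exact byte string the signature covers: signer, time-stamp and
// document digest, so none of them can be changed afterwards without detection.
func canonical(signerID string, signedAt time.Time, docHash [32]byte) []byte {
	return []byte(signerID + "|" + signedAt.UTC().Format(time.RFC3339) + "|" + hex.EncodeToString(docHash[:]))
}

// Sign hashes the document and signs the canonical record with the signer's private key.
func Sign(priv ed25519.PrivateKey, signerID string, doc []byte, signedAt time.Time) SignatureRecord {
	h := sha256.Sum256(doc)
	return SignatureRecord{
		SignerID:  signerID,
		Algorithm: "Ed25519",
		SignedAt:  signedAt,
		DocSHA256: h,
		PublicKey: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, canonical(signerID, signedAt, h)),
	}
}

// Verify runs the checks in the order a validator reports them:
//  1. the key is the one a trusted issuer binds to the signer (stands in for the QTSP certificate);
//  2. the signature verifies over the record (signer, time-stamp, digest);
//  3. the document bytes still hash to the signed digest (non-alteration).
func Verify(rec SignatureRecord, doc []byte, trusted map[string]ed25519.PublicKey) error {
	pub, ok := trusted[rec.SignerID]
	if !ok || !bytes.Equal(pub, rec.PublicKey) {
		return ErrUnknownSigner
	}
	if !ed25519.Verify(pub, canonical(rec.SignerID, rec.SignedAt, rec.DocSHA256), rec.Signature) {
		return ErrBadSignature
	}
	if sha256.Sum256(doc) != rec.DocSHA256 {
		return ErrAltered
	}
	return nil
}

func main() {
	// Constructed signer: in production the key pair lives on the signer's eID and
	// the binding to "Jane Doe" comes from the QTSP certificate, not from this map.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	trusted := map[string]ed25519.PublicKey{"Jane Doe": pub}

	doc := []byte("Lease agreement: rent 8000 DKK per month") // constructed document
	rec := Sign(priv, "Jane Doe", doc, time.Now())
	fmt.Println("original document: ", Verify(rec, doc, trusted))

	// Any subsequent change to the content is detected (art. 26, third requirement).
	altered := []byte("Lease agreement: rent 9000 DKK per month")
	fmt.Println("altered document:  ", Verify(rec, altered, trusted))

	// Changing the record itself (here the time-stamp) breaks the signature.
	rec2 := rec
	rec2.SignedAt = rec.SignedAt.Add(24 * time.Hour)
	fmt.Println("altered time-stamp:", Verify(rec2, doc, trusted))

	// A key no trusted issuer binds to the signer is rejected before the signature is checked.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := Sign(otherPriv, "Jane Doe", doc, time.Now())
	fmt.Println("untrusted key:     ", Verify(forged, doc, trusted))
}
```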

Current global landscape of e-signature laws:

How to use electronic signatures internationally

As we further integrate technology into our lives, e-commerce has become the basis of every daily activity. Business processes have gradually migrated to the online world, transforming computers, smartphones, and the Internet from auxiliary means into the central core of the workplace. That is due to the gains society has obtained from digitization, which is now spreading across all industries, turning from an efficiency booster into a necessary tool for today’s companies.

To get the most out of this modern digital economy, however, the need for confidence in online trades has to be always prioritized and addressed. In the event of a legal dispute, we need to be sure with a high level of certainty about who we were contracting with and what exactly was the content of the signed agreement. It's the other side of the coin of non-face-to-face business relationships: we want to be able to do long-distance business, but at the same time, we must ensure the legality of our cross-border interactions. To this end, legislation is a necessary framework to build on and a key condition for success.

Policymakers and regulators at an international level have acknowledged the demand for a predictable (and harmonized) regulatory landscape to mitigate potential risks and strengthen trust and confidence in the digital environment. In consequence, all countries have gradually laid down ad hoc legislation, setting forth rules and requirements for safe and compliant use of digital identification and signing mechanisms.

Electronic identification methods have been identified as an effective solution to meet current security needs and are today the key to trustworthy international mutual recognition of electronic interactions. Likewise, e-signature laws have established a comprehensive cross-border and cross-sector framework for secure and trustworthy online transactions by enabling the replacement of handwritten signatures with their digital equivalent. Digital signatures make it easy to prove who signed the document and when this happened. Therefore, they can today be exploited as valuable evidence, being legally equal to witnessed signatures.

European Union: eIDAS Regulation

The demand for an updated institutional framework for electronic commerce has been satisfied in the European Union with the eIDAS Regulation (electronic Identification, Authentication, and trust Services EU Regulation n. 910/2014) that took effect in July 2016. Being a regulation and not a directive, it has binding legal force throughout each of the 28 Member States and did not need to be transposed into national laws to enter into force.

eIDAS provides an appropriate and coherent regulatory environment to enable secure access to services and safe online transactions between people, companies, and public administrations. Moreover, the regulation spreads better public perception and acceptance around digital transactions and represents a significant step towards developing a frictionless digital market that improves the European alignment and competitiveness with the rest of the world.

Overseeing electronic identification and trust services in the European Union's internal market, the eIDAS regulates electronic signatures, electronic transactions, involved bodies, and their embedding processes to provide a safe way for users to conduct business online. E-signatures and e-identity authentication mechanisms that meet the rules and requirements established by eIDAS have the same legal standing as the corresponding manual transactions.

The eIDAS regulation aims to create a pan-European e-identity authentication system, which is basically a European eID interoperability platform where people and businesses can use their own national electronic identification schemes to access public services in other EU countries.

To this purpose, the Regulation established that citizens and entities could use eIDs supplied by Trust Service Providers (TSPs) to safely and compliantly authenticate themselves online just as they would do by physically handing over their passport in an in-person meeting.

The Trust Service Provider is a natural or a legal person who provides one or more trust services, such as electronic signatures, seals or timestamps, delivery services, and website authentication. eIDAS regulated the TSPs and laid down the requirements that they must meet to be considered "Qualified" and included in the EU Trusted list.

To create an eIDAS-compliant digital signature, Penneo allows the signers to authenticate themselves and prove their identity by using Digital IDs issued by Qualified Trust Service Providers (TSPs), whose qualified status is granted by the supervisory body designated by a Member State to carry out eIDAS audits.

At the moment, the eID solutions are nationally developed and adopted (while ensuring compliance with eIDAS). Two fundamental provisions of the regulation must be highlighted here:

• eIDAS states that each Member State must establish, maintain and publish trusted lists of qualified trust service providers, together with information related to the qualified trust services provided by them (Art. 22).

• all organizations delivering public digital services in an EU member state must recognize electronic identification from all EU member states from September 2018.

Loosely speaking, since the end of 2018, all public services in the European Union are obliged to accept the eIDs of other member states, which, in turn, must equip themselves with lists of qualified trust service providers. This is how the European Union can proceed in the planned path towards creating an interoperable European platform for electronic European ID.

Through eIDAS, the EU has created a single digitized European market whose benefits all businesses should take advantage of. On our side, we are eager to help your company achieve digital transformation in compliance with regional and industry regulatory requirements.

US e-Sign Act & UETA Act

In the United States, the validity and enforceability of electronic signatures are granted by the e-Sign Act (Electronic Signatures in Global and National Commerce Act, a federal law passed in 2000) and the UETA Act (Uniform Electronic Transactions Act, adopted in 1999).

These two laws give electronic signatures the same legal status as traditional handwritten signatures in the U.S. Both the e-Sign Act and the UETA Act:

establish that any signature required by law can be made digitally

allow electronically executed agreements to be presented as evidence in court

prevent denial of validity or enforceability of an electronically signed document solely because it is in an electronic form (ban of discrimination).

Meeting and exceeding standards worldwide is our most important objective. To this end, Penneo ensures all compliance requirements are well-met. We don't transfer documents or data outside the EU. Still, our users are free to do so, and in that case, the digital signatures created via Penneo will be equally legally binding in the United States.

What about the rest of the world?

At Penneo, being compliant with legal requirements is a must. Our digital signatures support the rules of all major e-signature global standards and regulations. Although e-signature laws vary from country to country, you can entrust Penneo to develop a corporate e-signature policy that works worldwide. Three different types of legislative approaches can generally be identified in the e-signature regulatory environment:

Being diametrically opposite to the minimalist laws, this restrictive approach only admits the probative status of digital signatures, based on the specific technique used to build them. Therefore, cryptographic digital signatures are the only method approved to replace traditional signatures in the digital environment.

Prescriptive e-signature laws lay down precise and strict requirements that an e-signature must meet to acquire legally binding value. Sometimes these legislations do not even consider or mention simple electronic signatures, or explicitly state that no legal value can be recognized for them. The digital signature approach has only been enacted by a few countries, including Brazil, Israel, Indonesia, Peru, the Russian Federation, and Turkey.

AML laws and KYC requirements

for a digital and compliant client onboarding

In the past, most businesses were local businesses, so it wasn’t that difficult to get to know your customers. In today’s global, internet-based economy, though, companies are under growing pressure to verify the identity of their clients, along with their potential risk factors or illegal intentions.

While performing cross-border high-value business transactions, there is no guarantee that the person who approaches your business is who they say they are - nor could you know what they might be involved with. Therefore, it's crucial to perform thorough identity checks on the parties involved to discover suspicious elements early on.

Besides, the increasing frequency and severity of corruption, terrorist financing, and money laundering have made the need for Know-Your-Customer (KYC) policies increasingly urgent. That is why identification procedures are now not only a business need but also mandatory activities required by Anti Money Laundering (AML) regulations.

Today not only banks and credit or insurance agencies put in place a policy framework to know their customers. More and more online businesses of all sizes are implementing this process, demanding that customers provide detailed due diligence information to assess their suitability as clients and minimize the risk of fraud.

In this context, electronic identification methods have been identified as an effective solution to meet current security needs: e-identity schemes are not only essential in the modern client-business relationship lifecycle, they are also the key to trustworthy cross-border mutual recognition of electronic interactions. Know-your-customer processes have thus been evolving globally and today represent a fundamental phase in the client onboarding process.

KYC process

Know-Your-Customer (KYC) refers to the steps taken by companies to identify their clients. This assessment allows organizations to protect themselves by ensuring that they are doing business legally and with trustworthy and legitimate entities, and it also protects the individuals who might otherwise be harmed by financial crime. The procedure is equally needed during client or corporate onboarding, user registration, processing of high-profile transactions, re-verifying existing users, and ensuring regulatory compliance.

The identification process is called Customer Due Diligence (CDD) and involves background checks run according to the client's level of risk.

If the client has a higher risk profile - being, for instance, a Politically Exposed Person (PEP, meaning a person who is or has been entrusted with prominent public functions) - particularly rigorous CDD is required, the so-called Enhanced Due Diligence (EDD).

Sometimes it might be relevant to carry out KYC procedures on the clients of the potential client as well. KYCC (Know Your Customer's Customer) is a process that determines the nature and activities of a client’s clients by identifying those people and assessing their associated risk levels. This derivative of the standard KYC process was necessitated by the growing risk of fraud originating from fraudulent individuals or companies that might otherwise be hiding in second-tier business relationships.

Companies that offer their services to other companies (B2B) need to verify the identity of the real person they are doing business with, that is, the natural person who ultimately owns or controls the legal entity customer on whose behalf a transaction is being conducted, also known as the Ultimate Beneficial Owner(s) (UBOs). Know Your Business (KYB), also known as Corporate KYC, is the same identification process applied to businesses instead of individual consumers.

KYC rules are dictated by AML regulations, therefore abiding by them is mandatory for the obliged entities these laws apply to. Although their scope includes most businesses, today not only formally obliged organizations put in place a KYC policy framework. Any company needs to make sure a potential client is truthful and legitimate, so KYC compliance is rapidly becoming the norm on the international business stage for all the industries.

The European regulatory landscape has changed over the past few years. Two main factors led to new legislation:

On one side, the growing frequency and gravity of cases of bribery and money laundering have made the need for adequate KYC policies increasingly evident.

On the other side, the EU's political initiatives have been openly promoting digitization in KYC practices as a part of the broader plan of creating a modern digital market that allows Europe to boost economic and social development and keep up and compete with the rest of the world.

AML framework

The first anti-money laundering Directive was adopted by the EU in 1990 to prevent the misuse of the financial system. It required obliged entities to perform customer due diligence when entering into a business relationship, i.e., identifying new clients, verifying their identity, monitoring transactions, and reporting suspicious activities. The legislation has been constantly revised to mitigate emerging risks and adapt to the modern environment. Several regulatory bodies contributed to the creation of the current framework:

the Financial Action Task Force (FATF) Recommendations - measures recognized as the global AML and CFT standard - first encouraged the use of electronic identity verification, while suitably mitigating the ML/TF risks, back in 2012;

the Markets in Financial Instruments Directive (MiFID II, EU Directive 2014/65) recommended the employment of new technology solutions that enable more transparent and effective protection of the growing amount of data collected and PII involved;

the Payments Services Directive (PSD2, EU Directive 2015/2366) required the identity verification through 2FA – the so-called Strong Customer Authentication (SCA) - for payment transactions processed within the EU, with clear implications for the KYC process and its digitization;

the Financial Crimes Enforcement Network (FinCEN) “Customer Due Diligence Requirements for Financial Institutions” (the CDD Rule) first introduced the definition of the Ultimate Beneficial Owner, along with the requirement of verifying their identity (as similarly established by all subsequent legislation);

the 4th Anti-Money Laundering Directive (4AMLD, EU Directive 2015/849) instituted a central registry for beneficial owners, enforced a risk-based approach with different rules and procedures for low and high-risk customers (i.e. simplified and enhanced due diligence frameworks), and allowed businesses to employ e-IDs and e-KYC procedures to verify customers' identities remotely.

The latest EU legislative update on the subject, namely the 5th Anti-Money Laundering Directive (5AMLD, EU Directive 2018/843), takes into account the new means of digital identification as set out in the EU eIDAS Regulation of 2014, particularly in regard to notified electronic identification schemes and ways of ensuring cross-border legal recognition.

The Directive explicitly promoted and encouraged the use of electronic signature and digital identification means as standardized by eIDAS to carry out the verification of customers’ identity. To be more specific, art. 13 states that the customer due diligence measures must include: identifying the customer and verifying the customer’s identity on the basis of documents, data or information obtained from a reliable and independent source, including, where available, electronic identification means, relevant trust services as set out in Regulation (EU) No 910/2014 of the European Parliament and the Council (eIDAS Regulation) or any other secure, remote or electronic identification process regulated, recognized, approved or accepted by the relevant national authorities.

KYC practices

KYC rules are dictated by AML laws and their application is, therefore, mandatory for the obliged entities these laws apply to, which include:

financial services institutions, i.e. credit institutions, banks, insurance companies, and investment firms

auditors, external accountants, and tax advisers

independent legal professionals who participate in any financial or real estate transaction

trust or company service providers

estate agents

gambling services providers

other persons trading in goods over €10.000

However, even if your business does not seem to fall into any of these categories, the implementation of security procedures in the client onboarding process is always highly recommended.

The documents and data collected during client onboarding have to be stored for prevention and detection purposes, as they need to be available for investigations of potential money laundering or terrorist financing issued by EU Financial Intelligence Units (FIUs) or other competent authorities. Therefore, the following documents and information must be retained:

a copy of the documents and information which are necessary to comply with the customer due diligence requirements, including, where available, information obtained through electronic identification means, relevant trust services as set out in the EU eIDAS Regulation or any other secure, remote or electronic identification process regulated, recognized, approved or accepted by the relevant national authorities, for a period of five years after the end of the business relationship with their customer or after the date of an occasional transaction;

the supporting evidence and records of transactions, consisting of the original documents or copies admissible in judicial proceedings under the applicable national law, which are necessary to identify transactions, for a period of five years after the end of a business relationship with their customer or after the date of an occasional transaction.

How can Penneo help you?

Establishing the identity of customers is a regular but important step for businesses. Many companies still rely on scanned copies of paper IDs to manually collect KYC data. Therefore, they require the physical presence of the customer or the sharing of such sensitive information via traditional email. Such work habits are cumbersome, time-consuming, and insecure, both for the company and the customers.

The paper-based onboarding process affects business efficiency and provides an unpleasant customer experience. Manual data collection is hardly reliable: when processes are not standardized or automated, the KYC documentation obtained can be fragmented, duplicated, and inconsistent, thereby limiting a company’s ability to meet compliance requirements. What's more, relying on physical documents puts your organization at risk, as it makes it more difficult to comply with the retention requirements, both from a practical perspective (paper documents can easily get misplaced and lost) and from a legal point of view, as it is harder to ensure adequate protection of the privacy of the subjects involved (and to satisfy GDPR standards).

To solve all these security issues and make the workflow faster, smoother, and more cost-efficient, Penneo created a user-friendly solution based on identity validation through eID. It is also possible to use the Penneo KYC form without eID; however, Penneo does not recommend this where high security is required.

Our KYC process lets your customers handle everything using their national digital IDs directly from their computer or smartphone, in full compliance with AML rules. Moreover, you can set up regular and automatic data backups to make sure all your documents are retrievable if needed, and use our encryption capabilities to keep them safe and confidential.

Please check our KYC Guide for more information.

Traditional paper-based KYC process
Digital KYC process

Get started with Penneo today!

Try it now and get your first signatures for FREE
