Ensuring the legality of digital signatures and KYC processes is a must

We shed light on your questions about the legality of e-signatures, the cross-border admissibility of eIDs, and their combined use to meet KYC requirements.

Legality

 

The legal value of digital signatures in the EU and around the world

 

What is an electronic signature? Is it legal to sign via e-signature?

An electronic signature is a legal way to sign documents and contracts in electronic format. The art. 25 of the eIDAS Regulation contains a decisive ban on discrimination against agreements concluded digitally, establishing that "an electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form". In other words, it is contrary to the law if any enterprise or authority refuses to accept or recognize contractual documents solely because they are digitally signed. This prevailing principle of non-discrimination is similarly prescribed in almost all other e-signature laws around the world, firmly stating that the legal value of signatures cannot be exclusively based on whether they are on paper or in electronic form. Therefore, e-signatures are legally binding and valid.

 

What is the difference between an e-signature and a digital signature?

Digital signatures are the most secure type of electronic signatures. While all digital signatures are also electronic signatures, not all electronic signatures qualify as digital signatures.

 

Are digital signatures legally binding?

Digital signatures are legal, trusted, and enforceable in nearly every industrialized nation around the globe and actively in use in Europe. Being the most advanced and secure type of e-signature, a digital signature is as legally binding and valid as a traditional signature placed with ink on paper.

 

What is meant by simple, advanced, and qualified e-signature?

A simple e-signature is data in electronic form, which is attached to or logically associated with other data in electronic form and used by the signatory to sign. In its most basic configuration, the e-signature can be as simple as a name entered in an electronic document and used by the signatory to sign.

An advanced e-signature is defined in the EU as an e-signature that meets the requirements listed in art. 26 of eIDAS Regulation (and the same requirements are similarly materialized in other e-signature legislations). For an e-signature to be classified as advanced (and therefore compliant and valid), it must be:

- uniquely linked to the signatory and capable of providing distinctive information that identifies the signatory and confirms that they are who they claim to be.

- created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control; this can be done with a certificate for electronic signature, electronic proof that confirms the identity of the signatory and links the electronic signature validation data to that person.

- linked to the data signed therewith in such a way that any subsequent change in the data is detectable (in case of following alteration, the signature is marked invalid for tampering).

A qualified e-signature is an advanced e-signature that provides even higher probative value as it is created by using a certificate-based digital ID issued by a Qualified Trust Service Provider. The said certificate authenticates the signer's identity and demonstrates proof of signing by binding the signature to the document with encryption. The resulting upgraded advanced signature then carries the same legal value as a handwritten signature in the EU (and around the world).

However, this is only regulated in the European Union and similarly through ZertES in Switzerland, but a qualified electronic signature is not defined in the U.S. (where the requirements e-signatures must meet to be legally valid are simpler and less strict).

 

Can Member States (and countries where EU law applies by virtue of public international law) provide exceptions? Are there use cases in which it is not appropriate to use an e-signature, and a handwritten signature is required?

Member States remain free to decide on the type of electronic signatures (hence, the level of security) required for a given online public service or transaction.

Therefore, it is up to the individual national legislation to establish the cases in which a simple electronic signature is sufficient and those where a digital signature (advanced or qualified) is required - in any case, without prejudice on the ban on discrimination for which a document cannot be denied legal effect and admissibility as evidence in legal proceedings solely because it is digitally signed (art. 25 eIDAS Regulation).

In addition, each State can decide to require a traditional ink-signature for specific cases.

In Denmark, e-signatures (in the simple, advanced, or qualified form) are allowed for almost all cases. There are, however, a few exceptions:

Notarial will and witness testament, for which handwritten signatures or formal notarial process are explicitly required (sec. 63, 64, and 66 of the Danish Inheritance Act - Arveloven).

Signatures on the lease agreement and other agreements on the leased property must be drawn up in writing when one of the parties so requires (section 4), and the landlord’s notification of rental agreement’s termination (pursuant to sections 87 and 93.2) cannot be submitted as digital documents (Danish Rent Act - Lejeloven)

DISCLAIMER: The content provided on this website is intended to help understand the legal framework of e-signatures and not to serve as legal advice. As laws and regulations may change often, we cannot guarantee the accuracy of the information presented, as it may not be up to date with the most recent legal developments. Penneo disclaims all liability with respect to this material, expressed or implied, to the maximum extent permitted by law. We suggest consulting a licensed attorney in your area for advice on specific legal issues and jurisdictions. If you have specific legal questions about any of the information on this site, you should consult with a licensed attorney in your area (Last updated: November, 2020)

 

Which category does Penneo fall into?

Penneo supports certificate-based eID signatures, therefore it enables the creation of digital signatures surrounded with the highest level of security. Penneo complies with all the legal and technical standards established worldwide for advanced e-signatures.

The Penneo signature can be used as a proof of trustworthiness in terms of authenticity, content integrity, and non-repudiation of the transaction the parties agreed upon, as it allows to believe that:

the signature was created by a known sender - the identity of the signer is verified;

the digitally signed document was not altered in transit - the integrity of data is ensured;

the signer was aware of what was agreeing to, and their consent and signature are time-stamped and embedded in the document - the intent of signing is captured.

To create a digital signature via eID, Penneo uniquely identifies signers by using Digital IDs issued by Trusted Service Providers (TSPs) or Certificate Authorities (CAs) that are included in the EU Trusted List. This authentication method provides security on the signers' identity and enables anyone to verify who is actually the author of the signature. It is an electronic proof that undisputedly confirms the identity of the signatory and links the electronic signature validation data to that person.

 

Does Penneo offer any signing methods other than digital ID signature?

Penneo offers two different signing methods: digital signature via eID and Touch signature. Both options can be used to create e-signatures, but not all e-signatures provide the same security level.

 

How can I verify the validity of a document digitally signed via Penneo?

The digital version of the documents signed via Penneo embeds technical evidence that certifies who signed the agreement, what was agreed on, and when this happened. Our files have very specific characteristics that are clear and visible in the digital version. Their presence provides assurance that the content and the signature have not been forged or compromised. Therefore, the final document is indisputable proof of authenticity of the signature and non-tempering of the content, and the parties involved cannot deny having signed it.

With our Validator, you can always verify and confirm your documents' technical (and legal) validity. All you need to do is upload your PDF, and you will get a full overview - including:

- document key algorithm

- timestamp

- eID authentication

- confirmation of the validity of the signatures

- proof of non-alteration of the document.

 

Global landscape of e-signature laws: How to use e-signatures internationally

As we further integrate technology into our lives, e-commerce has become the basis of every daily activity. Business processes have gradually migrated to the online world, transforming computers, smartphones, and the Internet from auxiliary means to the central core of the workplace. That's due to all the gains that the society has gotten from digitization, that is now spreading in all industries - turning from an efficiency booster to a necessary tool for today’s companies.

To get the most out of this modern digital economy, however, the need for confidence in online trades has to be always prioritized and addressed. In the event of a legal dispute, we need to be sure with a high level of certainty about who we were contracting with and what exactly was the content of the signed agreement. It's the other side of the coin of non-face-to-face business relationships: we want to be able to do long-distance business, but at the same time, we must ensure the legality of our cross-border interactions. To this end, legislation is a necessary framework to build on and a key condition for success.

Policymakers and regulators at an international level have acknowledged the demand for a predictable (and harmonized) regulatory landscape to mitigate potential risks and strengthen trust and confidence in the digital environment. In consequence, all countries have gradually laid down ad hoc legislation, setting forth rules and requirements for safe and compliant use of digital identification and signing mechanisms.

Electronic identification methods have been identified as an effective solution to meet current security needs and are today the key to trustworthy international mutual recognition of electronic interactions. Likewise, e-signature laws have established a comprehensive cross-border and cross-sector framework for secure and trustworthy online transactions by enabling the replacement of handwritten signatures with their digital equivalent. Digital signatures make it easy to prove who signed the document and when this happened. Therefore, they can today be exploited as valuable evidence, being legally equal to witnessed signatures.

 

European Union: eIDAS Regulation

The demand for an updated institutional framework for electronic commerce has been satisfied in the European Union with the eIDAS Regulation (Electronic Identification, Authentication, and trust Services EU Regulation n. 910/2014) that took effect in July 2016. Being a regulation and not a directive, it has binding legal force throughout each of the 27 Member States and did not need to be transposed into national laws to enter into force.

eIDAS provides an appropriate and coherent regulatory environment to enable secure access to services and safe online transactions between people, companies, and public administrations. Moreover, the regulation spreads better public perception and acceptance around digital transactions and represents a significant step towards developing a frictionless digital market that improves the European alignment and competitiveness with the rest of the world.

 

What is it about?

Overseeing electronic identification and trust services in the European Union's internal market, the eIDAS regulates electronic signatures, electronic transactions, involved bodies, and their embedding processes to provide a safe way for users to conduct business online. E-signatures and e-identity authentication mechanisms that meet the rules and requirements established by eIDAS have the same legal standing as the corresponding manual transactions.

 

What does eIDAS establish on electronic identification and authentication mechanisms?

The eIDAS regulation aims to create a pan-European e-identity authentication system, which is basically a European eID interoperability platform where people and businesses can use their own national electronic identification schemes to access public services in other EU countries.

To this purpose, the Regulation established that citizens and entities could use eIDs supplied by Trust Service Providers (TSPs) to safely and compliantly authenticate themselves online just as they would do by physically handing over their passport in an in-person meeting.

 

What is a Trust Service Provider (TSP)?

A Trust Service Provider is a natural or a legal person who provides one or more trust services, such as electronic signatures, seals or timestamps, delivery services, and website authentication. eIDAS regulated the TSPs and laid down the requirements that they must meet to be considered "qualified" and included in the EU Trusted list.

To create an eIDAS-compliant digital signature, Penneo allows the signers to authenticate themselves and prove their identity by using Digital IDs issued by Qualified Trusted Service Providers (TSPs), whose qualified status is granted by the supervisory body designated by a Member State to carry out eIDAS audits.

 

Is there a different eID in every EU country? What if another Member State does not accept my eID?

At the moment, the eID solutions are nationally developed and adopted (while ensuring compliance with eIDAS). Two fundamental provisions of the regulation must be highlighted here:

• the eIDAS states that each Member State must establish, maintain and publish trusted lists of qualified trust service providers, together with information related to the qualified trust services provided by them (Art. 22).

• all organizations delivering public digital services in an EU member state must recognize electronic identification from all EU member states from September 2018.

Loosely speaking, since the end of 2018, all public services in the European Union are obliged to accept the eIDs of other member states, which, in turn, must equip themselves with lists of qualified trust service providers. This is how the European Union can proceed in the planned path towards creating an interoperable European platform for electronic European ID.

Through the eIDAS, the EU has created a single digitized European market whose benefits all businesses should take advantage of. On our side, we are eager to help your company achieve digital transformation compliance with regional and industry regulatory requirements.

 

US e-Sign Act & UETA Act

In the United States, the validity and enforceability of electronic signatures are granted by the e-Sign Act (Electronic Signatures in Global and National Commerce Act, a federal law passed in 2000) and the UETA Act (Uniform Electronic Transactions Act, adopted in 1999).

These two main Regulations provide electronic signatures with the same legal status as traditional handwritten signatures in the U.S. Both the e-Sign Act and the UETA Act:

establish that any signature required by law can be made digitally

allow electronically executed agreements to be presented as evidence in court

prevent denial of validity or enforceability of an electronically signed document solely because it is in an electronic form (ban of discrimination).

Meeting and exceeding standards worldwide is our most important objective. To this end, Penneo ensures all compliance requirements are well-met. We don't transfer documents or data outside the EU. Still, our users are free to do so, and in that case, the digital signatures created via Penneo will be equally legally binding in the United States.

 

What about the rest of the world?

At Penneo, being compliant with legal requirements is a must. Our digital signatures support the rules of all major e-signature global standards and regulations. Although e-signature laws vary from country to country, you can entrust Penneo to develop a corporate e-signature policy that works worldwide. Three different types of legislative approaches can generally be identified in the e-signature regulatory environment.

 

1. Permissive or minimalist: all e-signatures are legal and enforceable

Also called the functionalist approach because of its focus on the relevant functions of signatures, it refers to a technology-neutral approach that considers all types of virtual signatures (both electronic and digital) as legal and binding as manuscript signatures. There are no specific technical requirements or different reliability levels concerning the purposes the signatures are used for (with some exceptions).

The only prescription is that both parties must agree to the use of electronic signatures. Allowing the broad enforceability of e-signatures for all uses, minimalist legislations provide the widest protection and validity for e-signatures. Regions and countries that have adopted multi-tier laws include United States, Canada, Australia, New Zealand, and Thailand.

 

2. Prescriptive or digital signature: only digital signatures are legally binding

Being diametrically opposite to the minimalist laws, this restrictive approach only admits the probative status of digital signatures, based on the specific technique used to build them. Therefore, encryption through digital signatures is the only method approved in order to replace traditional signatures in the digital environment.

Prescriptive e-signature laws lie down precise and strict requirements that an e-signature must meet to acquire legally binding value. Sometimes these legislations do not even consider or do not mention simple electronic signatures or explicitly state that no legal value can be recognized by them. The digital signature approach has only been enacted by a few countries, including Brazil, Israel, Indonesia, Peru, Russian Federation, and Turkey.

 

3. Two or multi-pronged approach: e-signatures are legal, but only digital signatures have the same legal standing of handwritten signatures

Some countries adopt a hybrid way of dealing with electronic authentication, consisting of a middle ground between the minimalist and the prescriptive approaches. These legislations choose to assign a certain minimum legal status to some electronic signing methods while reserving greater legal effect on others. This level of difference can change from one country to another.

This approach is likely more time-resistant, leaving room for new technological developments. Jurisdictions adopting two-tier laws usually recognize only digital signatures as carrying the same legal status as handwritten signatures. Simple e-signatures are legal and enforceable as well (unless stated otherwise), and it is usually prescribed the prevailing principle of non-discrimination on them. However, they are not granted the same evidentiary weight as advanced e-signatures (digital signatures).

It's up to the parties' freedom of contract to decide what type of signature they prefer. However, the use of a digital signature is recommended when deals and documents are particularly sensitive. The application of the two-pronged approach involves European Union and other European countries such as Norway, the U.K., Switzerland, as well as Argentina, Bermuda, Chile, Colombia, Mexico, Taiwan, China, South Korea, Singapore, Hong Kong, Japan, India, Malaysia, and South Africa.

 

Overview of AML laws and KYC requirements for digital client onboarding

In the past, most businesses were local businesses, so it wasn’t that difficult to get to know your customers. In today’s global, internet-based economy, though, companies are under growing pressure to verify their clients’ identity, along with their potential risk factors or suspicious intentions.

While performing cross-border high-value business transactions, there is no guarantee that the person who approaches your business is who they say they are - nor could you know what they might be involved with. Therefore, it's crucial to perform thorough identity checks to discover suspicious elements early on.

Besides, the increasing frequency and severity of corruption, terrorist financing, and economic crimes have made more and more urgent the need for Know-Your-Customer (KYC) policies. That is why identification procedures are not just a business need but also mandatory activities required by Anti Money Laundering (AML) regulations.

Today, banks and credit or insurance agencies are not the only organizations that put a policy framework in place to know their customers. More and more businesses of all sizes are implementing this process, demanding customers to provide detailed due diligence information to assess their suitability as clients and minimize the risk of fraud.

In this context, electronic identification methods have been identified as an effective solution to meet current security needs. E-identity schemes are essential in the modern client-business relationship lifecycle. And they are also the key to trustworthy cross-border mutual recognition of electronic interactions.

Know-your-customer processes have thus been evolving globally and today represent a fundamental phase in the client onboarding process.

 

What is meant by KYC, CDD, EDD, PEP, and KYB?

Know-Your-Customer (KYC) refers to the steps taken by companies to identify their clients. This assessment allows organizations to protect themselves by ensuring that they are doing business legally and with trustworthy and legitimate entities, and it also protects the individuals who might otherwise be harmed by financial crime.

The procedure is equally needed during client or corporate onboarding, user registration, processing of high-profile transactions, re-verifying existing users, and ensuring regulatory compliance. The identification process must be performed following the Customer Due Diligence (CDD) measures, as laid down in AML laws.

Such measures vary according to the client's level of risk. If the client has a higher risk profile - being, for instance, a Politically Exposed Person (PEP, meaning a person who is or has been entrusted with prominent public functions) - particularly rigorous CDD is required, the so-called Enhanced Due Diligence (EDD).

Sometimes it might be relevant to carry out KYC procedures on the clients of the potential client as well. The KYCC (Know Your Customer's Customer) is a process that detects a client’s client's nature and activities by identifying those people and assessing their associated risk levels. This derivative of the standard KYC process was necessitated from the growing risk of fraud originating from fraudulent individuals or companies that might otherwise be hiding in second-tier business relationships.

Companies that offer their services to other companies (B2B) need to verify the identity of the real person they are doing business with, that is the natural person who ultimately owns or controls the legal entity customer on whose behalf a transaction is being conducted - also known as Ultimate Beneficial Owner/s (UBOs). Know-your-Business (KYB), also known as corporate KYC, concerns, indeed, the same identification process when this applies to businesses, instead of individual consumers.

 

AML Framework - How KYC went digital

The EU has shown a positive attitude towards innovative technology, trusting digitization as a tool for improving and securing financial services and client onboarding. EU's political initiatives have been openly promoting eKYC practices as a part of the broader plan of creating a modern digital market to boost economic and social development and keep up and compete with the rest of the world.

After the first EU AML Directive adopted in 1990, the legislation has been constantly revised to mitigate emerging risks and adapt to the modern environment. Several regulatory bodies contributed to the creation of the current framework:

The Financial Action Task Force (FATF) Recommendations – measures recognized as the global AML and CFT standard - encouraged the use of electronic identity verification whereas suitably mitigating the ML/TF risks, back in 2012.

The Markets in Financial Instruments Directive (MiFID II, EU Directive 2014/65) recommended the employment of new technology solutions that enable more transparent and successful protection of the greater amount of data collected and PII involved.

The Payments Services Directive (PSD2, EU Directive 2015/2366) required the identity verification through 2FA – the so-called Strong Customer Authentication (SCA) - for payment transactions processed within the EU, with clear implications for the KYC process and its digitization.

The Financial Crimes Enforcement Network (FinCEN) “Customer Due Diligence Requirements for Financial Institutions” (the CDD Rule) first introduced the definition of the Ultimate Beneficial Owner, along with the requirement of verifying their identity (as similarly established by all subsequent legislation).

The 4th Anti-Money Laundering Directive (4AMLD, EU Directive 2015/849) instituted a central registry for beneficial owners, enforced a risk-based approach with different rules and procedures for low and high-risk customers (i.e., simplified and enhanced due diligence frameworks). Additionally, the Directive encouraged businesses to employ e-IDs and e-KYC methods to verify customers' identities remotely.

The 5th Anti-Money Laundering Directive (5AMLD, EU Directive 2018/843) extended the scope of the 4th AMLD and explicitly promoted the use of electronic signature and digital identification means as standardized by the eIDAS Regulation (910/2014) to carry out the verification of the customer’s identity. The main points of the 5th AML Directive are:

It extended the scope of obliged entities (including the cryptocurrency sector at a cross-national level).

It required more Customer Due Diligence (CDD) checks and raised the bar in terms of Enhanced Due Diligence (EDD).

It regulated domestic PEPs (Politically Exposed Persons).

It improved the central registrars of beneficial ownership to facilitate the identification of UBOs (Ultimate Beneficial Owners).

It extended AML checks to majority-owned subsidiaries outside the European Union.

 

eKYC in compliance with eIDAS and GDPR

Today, in the RegTech era, eKYC is being used in its most effective form. eKYC refers to the digital conversion of the KYC process to perform the identity verification online, remotely, and paperless - minimizing time and costs, cutting bureaucracy, improving user experience, and ensuring regulatory compliance.

The 5AMLD (art. 13) states that the "customer due diligence measures must include: identifying the customer and verifying the customer’s identity on the basis of documents, data or information obtained from a reliable and independent source, including, where available, electronic identification means, relevant trust services as set out in EU Regulation 910/2014 (eIDAS) or any other secure, remote or electronic identification process regulated, recognized, approved or accepted by the relevant national authorities".

The eKYC process via digital IDs provides the highest level of certainty on the clients’ identity and makes it easier to collect and process their personal information according to GDPR.

 

6th AML Directive: major takeaways for businesses

Although the previous framework had already been amended several times, the measures were apparently not effective enough to prevent money laundering. A number of international investigations in the past few years resulted in scandals implicating major European banks and exposed an outstanding increase in financial crimes. The 6AMLD is meant to strengthen the effectiveness of the legal landscape.

How? By assigning companies a more significant role in the fight against fraud and stronger incentives for meeting AML requirements.

The main highlights for firms operating in the European Union are:

Harmonization of the list of predicate money laundering offenses across the EU: businesses need to ensure that their AML programs can deal with the new risk environment and cyber-threats.

Expansion of criminal liability even to those who have only had an “enabling” role: EU firms should now make sure they can spot and prevent atypical “enabling” activities.

Extension of criminal liability to businesses due to lack of supervision, control, and compliance: the civil punishments range from a temporary ban on operations, judicial supervision, or exclusion from accessing public funding to permanent shut-down.

Harsher penalties, both for individuals and legal entities: increase of prison sentence term to four years, which may be supplemented with fines up to €5M, disqualification from commercial activities, etc.

Member-state and companies cooperation: where a financial crime occurs across two different countries or businesses, they are required to join efforts to identify and prosecute the offender.

 

How can Penneo help you?

To solve all the security issues and make the workflow faster, smoother, and more cost-efficient, Penneo created a user-friendly solution based on identity validation through eID. It is also possible to utilize the Penneo KYC form without eID - however, this is not something Penneo recommends if you wish for high security.

Furthermore, our solution for fully AML-compliant client onboarding lets your customers handle everything using their digital IDs directly from their computer or smartphone, in abidance with CDD measures.

Moreover, you can set up regular and automatic data backups to ensure all your documents are retrievable if needed and exploit our encryption capabilities to keep them safe and confidential.

Capterra logo
G2 logo

Find the package that fits your needs