Legality

All you need to know regarding e-signature, digital identification and the legal environment around it

In the digital age we live in, the old-fashioned solutions don't meet our modern needs. The technological advancement gains more speed year after year, increasing the demand of expeditiousness and global availability. Signing documents and contracts with a pen and paper is nowadays a time-consuming and inefficient burden that no company should bear.

 

Today's fast-paced business world demands a more flexible and responsive solution in order to stay competitive and relevant in a hyperconnected and digitized marketplace. Adaptation to this new environment may seem challenging but cannot be considered as an option, it must be recognized as a necessary way to avoid the risk of being left behind in a society moving towards digital technology. Embracing digital processes and investing in digital solutions allow a company to take full advantage of these changes and bring unprecedented convenience and capability in terms of keeping up with an evolving market and saving time and resources. And it's where digital signature joins the game.

Digital signatures are just as valid as handwritten signatures and enable to perform their same traditional functions wherever you are and whenever you want. The use of this powerful business tool is constantly growing as a means for optimizing efficiency and enabling faster and more secure authentication that cannot be easily forged or compromised, while still protecting the privacy of the subjects involved.

This faster, safer and cheaper alternative enables a completely paperless process, raises productivity and efficiency, helps to reduce our impact on the environment and establish a globally uniform digital market. From common citizens to enterprises and all the way up through governments, nobody can deny the importance of relying on electronic signatures to protect their documents and to ensure trust and confidence with their business practices.

An increasing number of companies are undertaking this digital transformation and recognizing the huge benefits it involves. Implementing new technologies improves synergies by streamlining the processes, reducing costs and increasing profits. The transactional process requires customer-focused company-wide changes. The rising of the figure of the digital customer, who requires the availability of the services he needs anywhere and anytime at the click of a button, has likely been the major drive for digital-oriented improvement. Digital solutions allow to meet the needs of customers providing a better and personalized experience and grant more business opportunities. What's more, the legal framework is also on our side. Digital signatures are legal, trusted and enforceable in nearly every industrialized nation worldwide and are actively in use in Europe.

e-Signatures and Digital Signatures

The expression electronic signature refers to data in electronic form which is attached to or logically associated with other data in electronic form. In its most basic form, the e-signature can be as simple as a name entered in an electronic document and which is used by the signatory to sign. The concept includes the objective element, which basically consists of the signing method, and the subjective element, that is the intent to sign. As long as the e-signature adheres to the requirements of the specific regulation it was created under, it provides the same legal standing as a handwritten signature.

The generic term e-signature is often used in a broad sense to embrace all types of methods used to sign electronic documents, including the digital signatures. However, these are two distinct concepts and they cannot be used interchangeably.

The digital signatures are cryptographic implementations of electronic signatures, based on asymmetric or public key cryptography. The definition given by the European Telecommunications Standards Institute (ETSI) is that of "data appended to, or a cryptographic transformation of a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery e.g. by the recipient".

The digital signature is the signing method which ensures with most certainty the identity of the signer as well as the integrity of the message.

How do digital signatures work?

Advanced digital signatures are secure and legally binding means to implement e-signatures through a two-phases process: the creation by the signer with their private key and the verification by the recipient with the signer's public key. The process involves three cryptographic algorithms:

  • the key generating algorithm, that randomly selects a private key and its corresponding public key;
  • the signing algorithm, that produces the digital signature from the message and private key;
  • the signature verifying algorithm, that uses public key message and digital signature to confirm the authenticity of the message.

To better understand how the process works, let's suppose that John wants to sign a document and send it to Mary.

The key generating algorithm randomly selects a private key and its corresponding public key.

John now holds two keys, a public key and a private key. The two keys are presented in the form of random numbers and letters.

The private key is used to digitally sign a message. The private key of the signer shows that the signature belongs to the private key holder because he is the only one with access to the private key.

While the signer's private key should always remain private, the public key must be shared with the recipient in order to allow the verification of the authenticity and integrity of the document. Any person can verify the identity of the author of the signature by means of the signer's public key. However, if the signer wants the document to be confidential, he can encrypt the message with the public key of the recipient, so that only the recipient using their private key can decrypt it. Eventually, the message is digitally signed and confidential.

The creation process:

After John creates a document, its content is processed through a hashing algorithm (in order to obtain a compressed digital representation of the data unit that is to be signed): the size of the document is reduced by means of this algorithm that creates a unique sequence of numbers and letters (hash value) often called "digest" of the document.

John (the signer)'s private key is applied to the digest result to sign it on his behalf.

The final output, the encrypted digest, is the digital signature of the document.

Therefore, a digital signature is a combination of the signed document and the author's private key. Any variation in the content of the document or in the private key used to sign it will create a different digital signature. The calculation of the hash result and application of the private key through the signing algorithm is a single process conducted automatically. The same applies when verifying the digital signature.

John sends the digitally signed document to the recipient, Mary, who will need John's public key to verify the authenticity of the document and the signature. Therefore, John keeps securely his private key and shares with Mary, the recipient, his public key.

The verification process:

When Mary receives them, she needs to verify the identity of the signer/sender (Authenticity) and the integrity of the signed document. To do so, she can reverse the process and verify its legitimacy.

  • Mary applies John's public key to decrypt the digital signature and get the digest. The verification consists of the regeneration of the hash value on the basis of the same document and the same algorithm; this hash value is computed with the public key to produce a checksum, which should be compared with the checksum/signature attached to the document. If the result is identical, it will verify that the signer's private key was used to sign and that the document has not been altered. If Mary cannot decrypt the digital signature, then she knows it did not come from John because only John's public key is able to decrypt the digests generated with his private key. If the signature is untampered, the digests should be exactly the same.
  • Once Mary gets the digest, she will check the integrity of the document. Mary can process the document through the same hashing algorithm that John used previously and she will get a digest. Finally, Mary will have two digests, one based on the digital signature and the other one based on the content of the document: if the document is untampered, the digest should also be exactly the same. Comparing them, if both digests match, then Mary can be confident that John is actually the author and that the document has not changed since he signed it, so the content and the digital signature are verified; if the digests are not equal, this will generate an error message and Mary will know the document has been altered in transit.

A same message will never produce two different hash results, as well as two different messages may not produce the same hash result. This means that, had the message been altered since its signing, the hash result calculated by the recipient would not match the hash result calculated and sent by the sender.

It is in this way that digital signatures are one of the key parts of securing data and guaranteeing immutability.

Are digital signatures legally binding?

Digital signatures are the most advanced and secure type of electronic signature.

At Penneo, being compliant with legal requirements is a must.

Digital signatures are legal, trusted and enforceable in nearly every industrialized nation around the globe and are actively in use in Europe. Penneo supports the vast majority of legal requirements worldwide.

A digital signature is as legally binding and valid as a traditional signature placed with ink on paper.

The eIDAS Regulation Art. 25 contains a decisive ban on discrimination against agreements concluded digitally, establishing that "an electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form". In other words, it is contrary to the law if any enterprises or authorities refuse to accept or recognize contractual documents solely on the grounds that they are digitally signed. This prevailing principle of non-discrimination is similarly prescribed in almost all other digital signature Regulations around the world, firmly stating that the legal value of signatures cannot be exclusively based on whether they are on paper or in electronic form.

As previously mentioned, the generic term electronic signature refers broadly to any electronic process that indicates acceptance of an agreement or a record. However, not every data attached to an electronic document and used by the signatory to sign provide the same legal standing as a manuscript signature. In order to have the same value as a traditional signature placed with ink on paper, the e-signature needs to adhere to the requirements of the specific regulation it was created under, so that it can be identified as an advanced or qualified e-signature.

Digital signatures, also known as advanced or qualified e-signatures, refer to one specific type of electronic signatures. The digital signatures are cryptographic implementations of electronic signatures, based on asymmetric or public key cryptography. This particular technique uses a certificate-based digital ID to authenticate signer identity and demonstrate proof of signing by binding each signature to the document with encryption. The digital signature is the signing method which ensures with most certainty the identity of the signer as well as the integrity of the message.

In fact, in order for a signature to be classified as compliant and valid, art. 26 of the eIDAS lists three basic requirements that should be met (and the same requirements are similarly materialized in each other e-signature legislation). The signature must be:

  • uniquely linked to the signatory and provide distinctive identifying information that confirm that the signatory is who he or she claims to be.
  • created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control; this can be done with a certificate for electronic signature, electronic proof that confirms the identity of the signatory and links the electronic signature validation data to that person.
  • linked to the data signed therewith in such a way that any subsequent change in the data is detectable; the signature must be capable of identifying any subsequent alteration in the data so that the signature is marked invalid in case of tampering.

Penneo signatures can be used as a proof of trustworthiness in terms of identity of the signer, integrity of data and intent of signing, therefore they have the equivalent legal weight of a handwritten signature.

At Penneo, the Signer Authentication requires a certificate-based digital ID, a PIN plus a unique digital certificate to authenticate signer identity and demonstrate proof of signing. To further increase security, a unique PID (Personal Identifier) is also printed on the document, assuring that the signer's certificate is cryptographically bound to the document.

Penneo is designed to keep documents secure and prevent tampering of the document during and after the signing process with a watermark ID on the document and a secured and recorded audit trail. This procedure allows to be sure that the message was not altered in transit and provide proof of Content Integrity. We could say that the digital signature performs the same function as a mail sealed envelope since it ensures that the recipient receives the file in its original format.

Penneo ensures that a party to a contract or a communication cannot deny the authenticity of their signature on a document or sending the communication in the first place. In this context, Non-Repudiation refers to the ability to ensure that a party to a contract or a communication must accept the authenticity of their signature on a document or the sending of a message here. The signer's intent to sign is captured, the parameters of the transaction are communicated and the signer unequivocally intended to undergo the process and method of signing.

What are the benefits of using digital signatures and why our customers choose us?

The adaptation to the modern business is not only an increasing necessity, but also an advantageous investment to fully appreciate the potentiality of the global digital market. The improvement of the efficiency of your company goes hand in hand with the adoption of digital tools. In this context digital signatures, legalized and recognized as being of equal value compared to manuscript signatures, provide even further reliability in terms of security and data protection and enable your company to enjoy lots of benefits, such as reducing waste of resources and time, automating and streamlining workflows, ensuring authenticity of both signatures and documents.

Why should you use digital signatures? What would your company gain from this adoption?

  1. Fast, simple, intuitive, adaptable to your needs, available anytime-anywhere

    In today's fast-paced world every minute counts. Contracts and documents can now be easily and quickly signed by partners and customers spread around the world using digital signatures. It only takes some minutes, and it doesn't matter anymore where you are and what time it is, you only need an internet connection to digitally sign a document or collect signatures remotely. Penneo's configuration is customer built so that each document is different and unique but can be reused for similar cases. Our configuration capabilities include multi-signing, integrations and collaboration features, personalization possibilities and automation functions. Ensuring flexibility and control, Penneo can integrate with your organization's management systems and adapt to its specific processes, technologies and industry requirements.

  2. Automation, tracking, sharing

    With digital signatures delays are minimized since there is no need to wait for mailing documents back and forth by post or for receiving signed documents from the other parties. The automated process of digital signing streamlines workflows by eliminating many sequential steps each time a document needs a signature. Penneo services will help you to simplify your working day and reduce turnaround times.

    The individual archive provides a complete oversight and progress status of all documents — getting a full traceability of documents being sent, opened, activated, completed or signed — while automatic reminders notifies delays of signing. With Penneo you'll have a managerial overview and be able follow the progress of sent out documents easily.

    Documents often need to be shared with colleagues, teammates, or people outside your organization. By using Penneo, you can improve effectiveness on joint tasks by sharing documents, tasks or collaborative workflows and achieve synergetic efficiency.

  3. Authenticity-Data Integrity-Non Repudiation: Probative Value

    People are traditionally used to deal with paper documents and the lack of familiarity with electronic solutions may lead them to be afraid of higher risks in digital transactions. However, from a security point of view, digital signatures are undoubtedly one step ahead than the aged, wet ink signatures. Comparing the different signing methods in terms of security, digital signatures are the safest ones and are labelled as virtually impossible to defraud, while paper documents are easily alterable. Manuscript signatures can be defrauded, changes may be made to the content of the paper document and contractual parties can deny having signed it. A digital signature is able to protect the document in a safer way than its traditional counterpart from a triple perspective:

    • The identification of the signatories: Penneo uniquely identifies signers by using Digital IDs issued by Trusted Service Providers (TSPs) or Certificate Authorities (CAs). This authentication method provides security on the signers' identity and enables anyone to verify who is actually the author of the signature. It's an electronic proof that undisputedly confirms the identity of the signatory and links the electronic signature validation data to that person.
    • The integrity of the content of the document: The information being sent can be, stolen or altered before the intended recipient has received it. While using digital signature, in the event that someone tries to change any part of the document there is proof that this happened. Every step is captured in a secured audit trail and makes it extremely easy to verify if the signed document has been modified since it was signed. If a modification is detected, the document is invalidated. When a document is signed through Penneo, the signers use their private key to cryptographically bound their certificate to the document. This phase allows to carry out a validation process consisting in the application of the signers' public key to both authenticate their identity and the non-alteration of the document. Eventually, you obtain evidence of each signature within the document itself.
    • The impossibility to repudiate both the signature and the document: Alongside the identity of the signers, it is equally important to ensure their intent of sign. When a digital signature needs to be applied to a document through Penneo's signature platform, the user has been informed of the consequences of his actions and has had the opportunity to read that document. It's also worth mentioning that, while signing the document, signers have to accept a statement of declaration and consent which include an overview of the document itself, as well as the signer's role. This statement is stored as part of the signature itself and thus serves as further proof of the validity of the signature. Furthermore, each newly generated digital signature is time-stamped by a time-stamping authority so that the trusted time of signature generation can be identified and used as non- repudiation evidence.

    In paper-based processes, you can only have uncontested certainty of these three main features by availing of the intervention of a notary public. E-signatures which ensure both the identity of the signers and the integrity of the documents, as well as the impossibility to deny the signature, may be compared to notarized signatures. That's why digital signatures actually offer a level of reliability and security that is far higher than those offered by the traditional ones, while allowing the users to save time and money.

  4. Security, data protection, end-to-end encryption

    When using Penneo for documents or signing processes, a high level of security is included. Penneo has implemented rigorous policies to meet the security requirements of some of the most stringent certifications around the world. From authentication to encryption, Penneo protects not only your agreements but also the critical business and personal information. Having a strict focus on IT security, Penneo complies with international legislations, it is certified under ISAE-3000 issued by KPMG and meets the GDPR requirements.

    With Penneo, all data transfers can be end-to-end encrypted so you can safely send cases out, even with private information in the documents. The data deletion requires that data is only collected for specified, explicit and legitimate purposes and Penneo is obliged to delete data if this is no longer the case. Using Penneo, you can create and manage users and groups, and use permissions to allow and deny their access to resources. When you create a case file, you can put validation on the individual case, so that it is the correct signer who signs the document. Penneo's high level of security ensures that no one else can access a signed document and that your documents remain inside your IT domain and are never saved on external, untrusted servers or exposed to the risk of tampering and fraud.

  5. Reduce the use of paper: save time and money while being environmentally friendly

    What do you need to hand-sign your documents? Paper, ink, stationery, printing/scanning tools, mailing/shipping services are just some of the most evident extraneous costs that can be avoided by conveniently replace the old-aged processes and embracing the digital solutions. What matters even more than these cost savings is the possibility to save the most important and invaluable of the resources: time. To carry out a paper-based process, the user first needs to come into possession of the document by receiving a mail or printing an email. Then he/she would physically sign the document and need to send it to its originator or to the other parties who need to sign it; these latter would need to follow the same steps once again and then return the document to the person who started the process, who will need to verify the validity of the document and the signatures in terms of authenticity and integrity. These methods are not always secure or timely. Among the most frequent risks, delays in delivery could occur, signatures could be forged, or the enclosed documents may be altered. What's more, the issues increase as multiple signatures are required from different people who may be located in different locations: the originator/sender would probably need to forward the signed document to the other parties once he collected all the signatures, by making physical copies of the document and sending them by physical mail or scanning them to use email. The sole explanation of these steps points out how this offline traditional paper-based process is cumbersome and time/resources-consuming.

    Penneo provides you with a cost-effective IT management while helping to give a contribution to the protection of the environment. Using digital signatures means adopting an eco-friendly approach in your company by reducing drastically the amount of paper you need and cut down on environmental waste.

    Please visit our Features section to learn more about Penneo's digital signature capabilities and benefits.

Current eSignature laws around the world

Electronic commerce is the basis of every daily activity, today more than ever. In order to fully enjoy the benefits and advantages the digital economy brings, the need for trust and confidence in every form of trade must always be prioritized and satisfied. Building trust and legal certainty in the online environment is key to economic and social development.

For the purpose of addressing these needs in a context of day-to-day practical usage of digital signatures, it is necessary to be able to prove what was signed, and under which circumstances a party entered into the agreement. In the event of a legal dispute concerning an agreement, you need to be sure with a high level of certainty about who you were contracting with and what is the exact content of the signed agreement.

You can exploit the digital signature as valuable evidence, being equal to a witnessed signature, and with the digitally signed document is easy to prove who signed the document and when this happened.

E-signature legislations seek to increase effectiveness in the e-commerce by establishing comprehensive cross-border and cross-sector framework for secure, trustworthy and easy-to-use electronic transactions and enabling the use of electronic equivalent to handwritten signatures in paper-based contracts.

Acknowledging both the ubiquity and the huge benefits involved and the need of a predictable regulatory framework to mitigate potential risks, all the countries have gradually lay down ad hoc legislations setting forth rules and requirements for a safe and compliant use of digital signature.

European Union

eIDAS Regulation:

The demand of an up-to-date legislation that fully serves the needs of business and consumers has been satisfied in the European Union with the eIDAS Regulation.Providing an appropriate and coherent institutional framework for electronic commerce, the eIDAS spreads a better public perception and acceptance and aligns Europe with the rest of the world.

Enforced as of July 2016, the electronic Identification, Authentication and trust Services EU Regulation (n. 910/2014) provides a regulatory environment to enable secure access to services and safe online transactions between people, companies and public administrations.

Being a Regulation and not a directive, it has binding legal force throughout each one of the 28 Member States and does not need to be transposed into national laws in order to enter into force.

What's the difference between the legal concepts of e-signature and digital signature?

The Regulation defines the different types of e-signatures, by distinguishing the electronic signature from the advanced e-signature and the qualified e-signature:

  • "electronic signature" means data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign and accept the agreement or form.
  • 'advanced electronic signature" means an electronic signature which meets the requirements set out in Article 26 and these requirements are that the signature:
    • it is uniquely linked to the signatory;
    • it is capable of identifying the signatory;
    • it is created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control; and
    • it is linked to the data signed therewith in such a way that any subsequent change in the data is detectable.
  • "qualified electronic signature" means an advanced electronic signature that is created by a qualified electronic signature creation device, and which is based on a qualified certificate for electronic signatures. In simple terms, the difference between the advanced electronic signature and the qualified electronic signature is the addition of a qualified certificate that has been encrypted by a secure signature creation device.

Therefore, an advanced electronic signature can be used as a proof of trustworthiness in terms of authenticity, data integrity and non-repudiation of online interactions. The advanced e-signature would reach a higher probative value when enhanced to the level of a qualified electronic signature by adding a digital certificate that has been issued by a qualified trust service provider attesting to the authenticity of the qualified signature; so, the upgraded advanced signature then carries the same legal value as a handwritten signature.

Under eIDAS Regulation (Article 27) Member States are prohibited from requesting for cross-border use in an online service offered by a public sector body signatures of a higher security level than the qualified electronic signature.

Evidentiary value in legal proceedings

Recognizing the legal effects of electronic signature, Article 25 prescribes the non-discrimination principle by firmly stating that the legal value of signatures cannot be exclusively based on whether they are on paper or electronic form or they do not meet the requirements for qualified electronic signatures.

In the same article, the Regulation provides qualified electronic signatures with the equivalent legal effect of handwritten signatures and establishes that a qualified electronic signature based on a qualified certificate issued in one Member State must be recognized as a qualified electronic signature in all other Member States and cannot be dismissed in a court proceeding as evidence.

What about non-EU countries?

The ban on discrimination against agreements concluded digitally is similarly contained in almost all other digital signature legislations around the world.

The distinction between advanced and qualified e-signature is only regulated in the European Union and similarly through ZertES in Switzerland, while qualified electronic signatures are not defined in the U.S.

How to use electronic signatures internationally:

Current landscape of global e-signature laws

Three different types of legislative approaches can generally be identified in e-signature laws worldwide:

  • Permissive or minimalist: all e-signatures are legal and enforceable. Also called functionalist approach because of its focus on the relevant functions of signatures, it refers to a technology-neutral approach that considers all types of "virtual signatures" (electronic, advanced, qualified, digital..) as legal and binding as manuscript signatures. There are no specific technical requirements or different levels of reliability with respect to the purposes the signatures are used (with some exceptions); the only prescription is that both parties must agree to the use of electronic signatures. Allowing the broad enforceability of e-signatures for all uses, minimalist legislations provide the widest protection and validity for e-signatures. Regions and countries that have adopted multi-tier laws include United States, Canada, Australia, New Zealand and Thailand.
  • Two or multi-pronged approach: electronic signatures are legal but only digital signatures have the same legal standing of handwritten signatures. Some countries adopt a hybrid way of dealing with electronic authentication, consisting in a middle ground between the minimalist and the prescriptive approaches. These legislations choose to assign a certain minimum legal status to some electronic signing methods while reserving greater legal effect to others and this level of difference can change from one legislation to another. This approach is likely more time-resistant, leaving room for new technological developments. Jurisdictions adopting this approach usually recognize only digital signatures as carrying the same legal status as handwritten signatures. Electronic signatures are also legal and enforceable (unless stated otherwise), and it is usually prescribed the prevailing principle of non- discrimination on them; however, they are not granted with the same evidentiary weight as digital, advanced, qualified e-signatures. It's up to the parties' freedom of contract to decide what type of signature they prefer; however, businesses should recommend use digital signatures when deals and documents are particularly sensitive. Legislations which follow this approach are usually based on the UNCITRAL MLES (United Nations Commission on International Trade Law - Model Law on Electronic Signatures), that establishes criteria of technical reliability for the equivalence between electronic and hand-written signatures as well as basic rules of conduct for assessing duties and liabilities; it also contains provisions for the recognition of foreign certificates and electronic signatures based on a principle of substantive equivalence that disregards the place of origin of the foreign signature. The application of the two-tier approach involves European Union and other European countries such as Norway, the U.K., Switzerland, as well as Argentina, Bermuda, Chile, Colombia, Mexico, Taiwan, China, South Korea, Singapore, Hong Kong, Japan, India, Malaysia, South Africa.
  • Prescriptive or "digital signature": only digital signatures are legally binding.  Being diametrically opposite to the minimalist laws, this restrictive approach mainly focuses on the probative status of digital signature basing on the specific technique used to build it. Therefore, it regulates encryption by way of digital signatures as the only method approved in order to replace traditional signatures in the digital environment. Prescriptive e-signature laws lie down precise and strict requirements that an e-signature must meet to acquire legally binding value; sometimes these legislations do not even consider simple electronic signatures or explicitly state that no legal value can be recognized to them. The digital signature approach has only been enacted by a few countries, including Brazil, Israel, Indonesia, Peru, Russian Federation, Turkey.

Although e-signature laws vary from country to country, you can develop a corporate e-signature policy that works worldwide. Penneo meets the requirements of all major e-signature and data privacy global standards and regulations and continuously monitors the legal landscape to be sure our services comply with the latest national, EU and international regulations.

Learn more about how Penneo meets or exceeds national and international standards and Regulations.

Digital Identification

In the past few decades, the increasing frequency and severity of issues pertaining to corruption, terrorist financing, and money laundering has made more and more evident and urgent the need of an implementation of KYC policies. What's more, the security of electronic identification schemes is not only essential in the client-business relationship lifecycle; it's also the key to trustworthy cross-border mutual recognition of electronic interactions. Given that, know-your-customer processes have been evolving and expanding globally as an important tool to combat illegal transactions in the international finance field.

All companies need to verify the identity of their clients, either before or during the time that they start doing business with them, along with the potential risk factors or illegal intentions towards the business relationship. To achieve this AML goal and minimize the risk of fraud, it's crucial to be sure that customers are who they say they are and to identify suspicious elements earlier on. To this purpose, traceability of financial information has an important deterrent effect.

Know-Your-Customer (KYC)

The authentication process known as KYC, namely Know Your Customer (or Know Your Client), aims to prevent money laundering, terrorist financing, theft and so on. The expression is also often used to refer to anti-money laundering regulations and regulated bank practices which govern these activities.

Today not only banks and credit or insurance agencies put in place a policy framework to know their customers. More and more online businesses of all sizes are implementing this process, demanding that customers provide detailed due diligence information for the purposes of assessing the suitability of their clients and ensuring they are anti-bribery and AML compliant.

How Penneo can help you

The process of Know-Your-Customer concerns what businesses do in order to verify the identity of their clients. Following this procedure allows companies to protect themselves by ensuring that they are doing business legally and with legitimate entities, and it also protects the individuals who might otherwise be harmed by financial crime.

Getting to know your customer cannot be reduced to the initial identity check to establish an identity. It's important to acquire additional information such as

  • the purpose of the business relationship;
  • if the customer is a company, the customer's business, finance and ownership strictly controlled;
  • representatives must be identified and their right to represent the company must be checked.

Establishing the identity of customers is a regular but important step for businesses. Many companies begin their KYC procedures by simple collecting basic data and information about their customers. Often, company's processes are a bit « old school » by requesting scanned copies of passports, Driving Licenses or similar IDs. This requires that the person needs to be present or those information need to be communicated by email. In any case, it is cumbersome, time consuming and insecure.

To resolve the issues linked with compliance and security, and make the processes smoother, Penneo created a solid solution based on the identity validation through eID. It is also possible to utilize the Penneo KYC form without eID, however, this is not something Penneo recommends if you wish high security.

Penneo's solution lets your customers handle everything using their national digital IDs directly from their computer or smartphone and still comply with Know Your Customer (KYC) and Anti-Money Laundering (AML) regulations.

  • When does the process take place?The KYC verification is equally needed during client, candidate or corporate onboarding, user registration, in case of processing of high-profile transactions, in order to re-verify existing users and ensuring regulatory compliance.
  • What parts is a KYC process made up of?
    KYC policies usually include four key elements:
    • Customer Acceptance Policy, document collection
    • Customer Identification Procedures, data assessment
    • Continuous Monitoring of Transactions
    • Ongoing Risk management and reporting

    Moreover, the KYC process must be relevant and time-bound, scalable and proportionate to the risk and resources, and it must be documented and available for inspection by regulators.

  • What are the typical controls included to ensure AML compliance?
    KYC processes seek to verify and validate the customer's identity with reasonable assurance; to this end:
    • basic Personally Identifiable Information (PII) are collected and analysed;
    • the status of public exposure and adverse media is determined by screening of identity particulars (PII) against global watch-lists;
    • it is also determined the customer's risk in terms of the tendency to commit money laundering, terrorist finance, or identity theft;
    • a 'Customer Profile' is created and assessed on the basis of a customer's transactional behaviour;
    • customer's transactions are monitored against expected behaviour and recorded profile as well as that of the customer's peers.

    Testing the customer's profile, business and account activity, allows to identify relevant adverse information and risk, assess the potential for money laundering and/or terrorist financing and ensure regulatory compliance.

  • What is the Enhanced Due Diligence (EDD)?Enhanced due diligence is a more comprehensive set of procedures for customers with a higher risk profile, either through sources of origin or transactions that exhibit irregular behavior.
  • What is KYCC?
    KYCC stands for Know Your Customer's Customer. It's a process that detects the nature and activities of a client's client by identifying those people and assessing their associated risk levels. This derivative of the standard KYC process was necessitated from the growing risk of fraud originating from fraudulent individual or companies that might otherwise be hiding in second-tier business relationships.

How does it work?

Collect information about your customers and verify their identity to minimize risk and save time in a secure, fast and compliant way.

  1. Create a new verification in Penneo and choose what kind of information you want your customer to validate
  2. Send it to one or multiple customers along with automatic reminders
  3. Once done, your customer gets an email with a link where they can upload the required information
  4. Signed and finalised verification ends up in your chosen folder in the Penneo archive

Penneo KYC process offers many advantages:

  • KYC access control is simple and secure
  • It is possible to pair the form with other documents that need to be send and signed
  • It can be used on the phone and go directly to the camera, no need for a pre scan or anything
  • Forms can be customized, you can even pre-fill a form and share it with a unique link
  • KYC form can also be plugged with the Penneo API for a full integration
  • If your company is subject to AML, KYC is part of the process

EU legal framework on anti-money laundering

The European Union adopted the first anti-money laundering Directive in 1990 in order to prevent the misuse of the financial system for the purpose of money laundering. It established that obliged entities must apply customer due diligence requirements when entering into a business relationship, i.e. identify and verify the identity of clients, monitor transactions and report suspicious transactions.

This legislation has been constantly revised in order to mitigate risks until the EU adopted a modernized regulatory framework in 2015, encompassing:

  • the Directive (EU) 2015/849 on preventing the use of the financial system for money laundering or terrorist financing (4th Anti-Money Laundering Directive)
  • the Regulation (EU) 2015/847 on information on the payer accompanying transfers of funds (that makes fund transfers more transparent, thereby helping law enforcement authorities to track down terrorists and criminals)
  • both instruments take into account the 2012 Recommendations of the Financial Action Task Force (FATF) and go further on a number of issues to promote the highest standards for anti-money laundering and to counter terrorism financing.

The new EU AML Directive

The latest technical developments in the digitalization of transactions and payments enable secure remote or electronic identification and verification of data. The 5th Anti-Money Laundering EU Directive (n. 2018/843), takes into account the new means of identification as set out in EU eIDAS Regulation of 2014 (or regulated, recognized and approved at national level), in particular with regard to notified electronic identification schemes and ways of ensuring cross-border legal recognition.

The 5th AML Directive, which amends the 4th Anti-Money Laundering Directive, was published on 19 June 2018. Setting high standards on customer due diligence in terms of both individuals, businesses and its representatives, the Directive requires Member States to transpose it by 10 January 2020 and implement their national Money Laundering laws and KYC rules.

The amendments introduce substantial improvement to better equip the Union, aiming to:

  • protect the integrity of the EU financial system by strengthening the fight against terrorist financing through more accurate identification and verification of data of natural and legal persons;
  • enhance transparency by setting up publicly available registers for companies, trusts and other legal arrangements;
  • enhance the powers of EU Financial Intelligence Units (FIUs), and provide them with access to broad information for the carrying out of their tasks;
  • set up central bank account registries or retrieval systems in all Member States;
  • enhance vigilance in business relationships and transactions involving greater risk of money laundering or terrorist financing. Although the identity and business profile of all customers should be established, there are cases in which particularly rigorous customer identification and verification procedures are required.

Customer Due Diligence (CDD)

According to art. 13 the EU AML Directive of 2015, as amended by EU AML Directive of 2018, Customer due diligence measures must include:

  • identifying the customer and verifying the customer's identity on the basis of documents, data or information obtained from a reliable and independent source, including, where available, electronic identification means, relevant trust services as set out in Regulation (EU) No 910/2014 of the European Parliament and of the Council (eIDAS Regulation) or any other secure, remote or electronic identification process regulated, recognized, approved or accepted by the relevant national authorities;
  • identifying the beneficial owner and taking reasonable measures to make sure that person's identity so that the obliged entity is satisfied that it knows who the beneficial owner is, including, as regards legal persons, trusts, companies, foundations and similar legal arrangements, taking reasonable measures to understand the ownership and control structure of the customer;
  • when performing the above described measures, obliged entities shall also make sure that any person purporting to act on behalf of the customer is so authorized and verify the identity of that person;
  • assessing and, as appropriate, obtaining information on the purpose and intended nature of the business relationship;
  • conducting ongoing monitoring of the business relationship including scrutiny of transactions undertaken throughout the course of that relationship to ensure that the transactions being conducted are consistent with the obliged entity's knowledge of the customer, the business and risk profile, including where necessary the source of funds and ensuring that the documents, data or information held are kept up-to-date.

The Directive also requires that obliged entities apply the customer due diligence measures not only to all new customers but also at appropriate times to existing customers on a risk-sensitive basis, or when the relevant circumstances of a customer change, or when the obliged entity has any legal duty in the course of the relevant calendar year to contact the customer for the purpose of reviewing any relevant information relating to the beneficial owner(s).

 

Data protection, Record-Retention & Statistical Data

For the purpose of preventing, detecting and investigating, by the EU Financial Intelligence Units (FIUs) or by other competent authorities, possible money laundering or terrorist financing, the following documents and information must be retained:

  • in the case of customer due diligence, a copy of the documents and information which are necessary to comply with the customer due diligence requirements, including, where available, information obtained through electronic identification means, relevant trust services as set out in EU eIDAS Regulation (n. 910/2014) or any other secure, remote or electronic, identification process regulated, recognized, approved or accepted by the relevant national authorities, for a period of five years after the end of the business relationship with their customer or after the date of an occasional transaction;
  • the supporting evidence and records of transactions, consisting of the original documents or copies admissible in judicial proceedings under the applicable national law, which are necessary to identify transactions, for a period of five years after the end of a business relationship with their customer or after the date of an occasional transaction.

Politically Exposed Persons (PEPs)

Although the identity and business profile of all customers should be established, in some situations particularly rigorous customer identification and verification procedures are required. In these cases, business relationships and transactions may involve higher risks of money laundering or terrorist financing; therefore, enhancing the level of vigilance and control is necessary and legally mandatory.

"Politically exposed person" means a person who is or who has been entrusted with prominent public functions. Member States are in charge of issuing and updating national lists that indicate the specific functions which, in accordance with national laws, qualify as prominent public functions.

Obliged entities must have in place appropriate risk management systems, including risk-based procedures, to determine whether the customer or the beneficial owner of the customer is a politically exposed person; in cases of transactions or business relationships with politically exposed persons, organizations must put in place additional measures in addition to the customer due diligence, such as

  • obtain senior management approval for establishing or continuing business relationships with such persons;
  • take adequate measures to establish the source of wealth and source of funds that are involved in business relationships or transactions with such persons;
  • conduct enhanced, ongoing monitoring of those business relationships;
  • where a politically exposed person is no longer entrusted with a prominent public function, take into account the continuing risk posed by that person and apply appropriate and risk-sensitive measures until such time as that person is deemed to pose no further risk specific to politically exposed persons.

These measures also apply to family members or persons known to be close associates of politically exposed persons. The EU Directive specifies that the requirements relating to politically exposed persons are of a preventive and not criminal nature and should not be interpreted as stigmatizing politically exposed persons as being involved in criminal activity.

Get started with Penneo today

Try now and get your first signatures for FREE!