There's no ESIGN regulatory requirement (because ESIGN prohibits implementing regulations) and the ESIGN Act is silent about record retention. That's never given me any comfort. How would you defend against consumer "I never consented to tree-free delivery of my Reg. E disclosures" claims?
Section 205.13(b) of Reg. E states that "Any person subject to the act and this part shall retain evidence of compliance with the requirements imposed by the act and this part for a period of not less than two years from the date disclosures are required to be made or action is required to be taken."
Section 205.4(a)(1) states that "Disclosures required under this part shall be clear and readily understandable, in writing, and in a form the consumer may keep. The disclosures required by this part may be provided to the consumer in electronic form, subject to compliance with the consumer consent and other applicable provisions of the Electronic Signatures in Global and National Commerce Act (E-Sign Act)."
Taken together, these provisions of Reg. E clearly require you to maintain evidence that you have provided all Reg. E disclosures "in writing." ESIGN outlines the procedure you must follow in order for your e-delivered documents to have the same legal effect as documents printed on paper.
You can easily show a sample of the pre-consent disclosures (hardware, software, how-it-works, etc.), but what kind of evidence will prove that each e-delivery customer took and passed your opt-in "test"?
There's not much you can capture and retain, but I'd feel more comfortable if I had:
1. screenshots of all the steps in your disclosure/consent process.
2. date and time each e-deliveree opted in.
3. email address provided by the customer.
4. PIN or other key the consumer used to demonstrate technological capability to use your system. If your "test" involves unique opt-in PINs, this creates better evidence than a one-size-fits-all code word or number.