E-Sign Compliance

Posted By: mzachau, CRCM

E-Sign Compliance - 08/04/10 04:14 PM

I know there are a lot of threads out here covering E-Sign, but I wanted to bounce something off of other compliance professionals.

We are in the development stage for offering online deposit account opening. We are posting the electronic consent agreement in PDF format. Our e-statements are also PDF formatted and are housed on our server (pull system). By the consumer providing a "yes I Agree" to the terms and read the agreement, do we still have to obtain proof the consumer can or has opened the agreement?

I have reviewed other Banking sites and noticed that all I have had to do for e-statement authorization is check a box or click "I agree" without opening the agreement.
Posted By: Richard Insley

Re: E-Sign Compliance - 08/05/10 03:54 PM

Let's step through this so you can identify and explain the risks--most of which arise from uncertainty. Your business managers already understand the rewards of swapping electrons for trees and postage.

1. The use of electronic documents is optional.
2. Most of the regulations that govern day-to-day banking operations (Regs E, DD, and CC for example) require disclosures, and in most cases these disclosures must be "written", "in writing", "in a form the consumer may keep", or otherwise capable of retention for the consumer's later reference.
3. If you fail to provide these "written" disclosures in proper form, you may be exposed to civil liability--it's just like you didn't give the disclosures at all! In cases like Reg. E's periodic disclosures, systemic violations would quickly multiply into a staggering aggregate civil liability.
4. Paper documents always satisfy "in writing" requirements.
5. Electronic documents can satisfy "in writing" requirements--but only if you follow ESIGN's opt-in procedures.
6. ESIGN has no implementing regulations. That means you must read, interpret, and implement the law without guidance from your regulator. It's a performance without a net. The only "guidance" will come from the rulings of federal courts if/when litigation involves ESIGN compliance. I don't remember hearing about anything important, but Andy and John are experts in this area & they may be aware of something that alters or interprets the language of the ESIGN statute.
7. In order to obtain the "ESIGN seal of approval", you must get the customer's consent by following the steps spelled out in Section 101(c)(1). Let's study them (I removed certain details in order to provide clarity.)

(1) CONSENT TO ELECTRONIC RECORDS.—...if a statute, regulation, or other rule of law requires that information relating to a transaction or transactions in or affecting interstate or foreign commerce be provided or made available to a consumer in writing [Regs. B, E, M, Z, and DD, for example], the use of an electronic record to provide or make available (whichever is required) such information satisfies the requirement that such information be in writing if—
(A) the consumer has affirmatively consented to such
(B) the consumer, prior to consenting, is provided with [how-e-delivery-works disclosures]...and;
(C) the consumer—...
(ii) consents electronically, or confirms his or her consent electronically, in a manner that reasonably demonstrates that the consumer can access information in the electronic form that will be used to provide the information that is the subject of the consent

Affirmative consent (green) is pretty straightforward. A simple "I do" covers it.

"How e-delivery works" disclosures (blue) must cover all the points in paragraph B (not shown, but basic stuff). Note that these are not boilerplate disclosures. They must explain the system you will actually use to accomplish e-deliveries.

The rub always comes in Section 101(c)(1)(C)(ii) (red). What does the term "demonstrates" mean? If Congress considered it sufficient to provide a "click here to consent" button, the word "declares" would have sufficed. To me (and possibly a federal judge), a "demonstration" is a test drive with a pass/fail score at the end. In order to pass, customers must be able to prove that they have the hardware, software, and savvy to navigate to, open, and read a test e-document. Think of this process like a credit application. Applicants must submit evidence that they are creditworthy before credit can be approved.

Are all those other banks wrong if they simply provide a "click here to consent" button? I don't consider a button to be a demonstration & would vote "no", but the only vote that matters is a judge's ruling. Potential class action Reg. E liability would land you in a position somewhat like that of Dirty Harry's collar:
I know what you're thinking — "Did he fire six shots or only five?" Well, to tell you the truth, in all this excitement, I've kinda lost track myself. But being as this is a .44 Magnum, the most powerful handgun in the world and would blow your head clean off, you've got to ask yourself one question: "Do I feel lucky?" Well, do ya, punk?
Posted By: mzachau, CRCM

Re: E-Sign Compliance - 08/05/10 05:07 PM

Thank you for the information Richard. We have been offering electronic statements for a couple years and our current process is to have the consumer open a sample PDF document which contains a specific "code". Before E-Statements may be accessed or "consented" to, the consumer must provide us with the specific code to "demonstrate" they can access and view the statements.

We are getting resistance by project management and upper management as we develop online deposit account opening because they have not had to perform these steps where they hold bank accounts and have electronic statements and are questioning why we require this step? I understand the legal ramifications if we don't comply with the demonstrable consent requirements, especially dealing with regulation Z rescission timelines and regulation E dispute timelines, both being extended if we do not follow the rule appropriately.

Again, thank you for your insight into this question.
Posted By: Richard Insley

Re: E-Sign Compliance - 08/05/10 06:43 PM

It sounds like you have an excellent grasp of the situation and are doing your best to minimize risk.

Maybe you could improve the way you explain the test drive to your customers and get a bit more customer relations benefit out of it? After all, it's in the customers' benefit to confirm that they can handle e-documents.

Those who remember the ancient banking history of ATM introduction will recall slow adoption rates until CSRs recognized the need to walk outside with certain customers and give one-on-one lessons in using the machines. Once these hesitant customers could see that it would work for them, they became happy ATM users.
Posted By: Andy_Z

Re: E-Sign Compliance - 08/05/10 10:12 PM

Demonstrable consent is a huge step. And you would be surprised at the number of people who give you a bad email address. That is one reason this is necessary. Second, fraud prevention.

Can you say how you'll CIP these new online accounts?
Posted By: mzachau, CRCM

Re: E-Sign Compliance - 08/06/10 07:56 PM

Online account opening customers will be required to provide personal information (name, SSN, address, occupation, phone number, DL#, etc) as they complete the application process. We then use third party software which performs an ID verification and authentication process that utilizes numerous government records to validate information being provided. The ID Authentication process requires the consumer to answer questions about themselves, for example: you have a mortgage loan through such and such Bank. If information provided does not match exactly to what has been reviewed the application is flagged and our internal staff are required to follow-up prior to opening the account. We usually only see discrepancies surrounding address information because information is not updated too frequently.
Posted By: mzachau, CRCM

Re: E-Sign Compliance - 08/06/10 08:00 PM

The purpose of providing online account opening services for us is to expand our footprint and grow our customer base, specifically the electronic age customer. They don't want to enter a bank, they want to sit at home and open accounts electronically and quickly. I agree with you Richard, it is always important to inform customers that practices are put in place to protect them and their investments.

For me, it is difficult to defend our current E-Sign Act practices when other institutions are not going the extra step to demonstrate consent, at least on the face we don't see them doing it and I always stress that we do not know what type of programming they may have on the back end to show demonstrable consent.

Thank you both for the discussion. Any additional guidance would be greatly appreciated.
Posted By: Richard Insley

Re: E-Sign Compliance - 08/07/10 02:09 PM

Originally Posted By: mzachau
it is difficult to defend our current E-Sign Act practices when other institutions are not going the extra step to demonstrate consent....

Your practices are based on a clear understanding of the law and a healthy fear of the consequences of non-compliance. Whether they're smart enough to realize it or not, your competitors are cutting corners and are flirting with disaster. Imagine what would happen if a federal judge determined that your ESIGN opt-in procedure was inadequate. That would mean that NONE of your e-documents EVER satisfied the delivery requirements of Reg. E. Instantly, the error resolution window would reopen for every e-statement you have sent. Also, you would face class action penalty exposure for "failure to provide required disclosures"--it can't get much worse than that. While these horrors are not likely to occur, you must decide whether you could stand the consequences. This problem is like Section 8--probability of detection and penalty is very low, but consequences are unacceptably high.
Posted By: mzachau, CRCM

Re: E-Sign Compliance - 08/10/10 06:48 PM

Again, thank you Richard!!
Posted By: Derwood

Re: E-Sign Compliance - 01/13/11 07:55 PM

We are getting ready to offer e-statements in the same manner as mzachau described above. The customer must log into online banking and then open a pdf document. We will be sending the customer a notification via email that their current statement is available, but the email is in no way necessary in order for the customer to view the statement. In order to enroll the consumer must log into online banking, agree to the terms and conditions by checking an accept box, and provide a confirmation code they will obtain by opening a pdf located on the terms and conditions page. I believe this satisfies the "demonstrable consent" requirement, but at no point is there any verification of the email provided that the notification email will go to. Does anyone see this as an issue? The following verbiage is contained in the agreement - You understand that if you do not receive an email notification, it does not release you from the responsibility to review your electronic statement promptly and notify the bank of any errors within 30 days of the statement date.

Given the customer can access their available statements at any time once they have logged into online banking regardless of their receipt of the notification leads me to believe this is a non-issue, but I would feel better hearing what some others think.
Posted By: John Burnett

Re: E-Sign Compliance - 01/13/11 09:43 PM

I think you are OK. There is no requirement that you notify the customer of the availability of his statement. Be careful, however, because you may find that tying things up with an email address may pay dividends later, if you want the demonstrable consent to include things like change in terms notices, annual or periodic error resolution notices, any new notices that you might be required to provide, etc.
Posted By: Ronnoc

Re: E-Sign Compliance - 01/14/11 08:35 PM

Does all this apply to tax documents, such as 1099s, or is that a separate matter or regulation? If it is, what would that be?
Posted By: Richard Insley

Re: E-Sign Compliance - 01/14/11 09:04 PM

There are a few exclusions from ESIGN, but the only ones that come to mind are eviction and foreclosure notices. Maybe someone else has looked at this lately(?)

Unless a type of communication is excluded, the ESIGN "seal of approval" allows you and consumers to communicate anything you agree "in writing" with electrons.
Posted By: John Burnett

Re: E-Sign Compliance - 01/14/11 09:09 PM

Anyone who has a savings account with ING Direct will be pulling down an e-version of a 1099-INT during the next couple of months.
Posted By: A_G

Re: E-Sign Compliance - 01/14/11 09:50 PM

I got an e-version of my 1098-E (student loan interest statement) this year.
Posted By: rlcarey

Re: E-Sign Compliance - 01/14/11 10:01 PM

See: http://www.irs.gov/pub/irs-pdf/i1099gi.pdf

Page 10: Electronic recipient statements.
Posted By: morirse de risa

Re: E-Sign Compliance - 07/14/11 05:00 PM

We are in the process of updating our e-sign process to ensure compliance. We will be emailing a test document that includes a PIN/code. The customer will then need to email this code to us.

We are wondering if we need to retain this email or can we log info from this email into a spreadsheet and retain the info that way? We are concerned with the burden of retaining tons of emails.

I understand we need to retain evidence of compliance with ESIGN and want to make sure we do it right. Suggestions?
Posted By: Richard Insley

Re: E-Sign Compliance - 07/15/11 10:25 AM

If you're pushing e-statements (or other documents), then the email/test doc/PIN/reply process sounds good. ESIGN is silent about evidence of compliance, but if consent is challenged I'd sure want a copy of the customer's reply message or at least the header from the message.

If your e-delivery system is anything other than email-push, then this reconfirmation should match the method you're actually using.

Expect low response rates. There's so much bogus stuff floating around out there that your customers may trash any message they did not expect. In order to improve the likelihood of a response, I'd place a notice in a normal e-statement or two before sending out the new test message. Also, you might place an info page somewhere in your home banking system.
Posted By: Libby P.

Re: E-Sign Compliance - 08/23/11 01:20 PM

Richard, we are going to offer eStatements but not account opening online. Is there anything we need to do as far as Reg E is concerned if we gave the customer our written on paper disclosure at account opening?

Also, on some thread that I have read in the last couple of days there was a discussion about adding information to the TISA stating that we offer eStatements. Is that necessary? If so, why?
Posted By: Richard Insley

Re: E-Sign Compliance - 08/24/11 02:15 AM

Originally Posted By: ilovebulldogs!
Richard, we are going to offer eStatements but not account opening online. Is there anything we need to do as far as Reg E is concerned if we gave the customer our written on paper disclosure at account opening?

You're free to use paper to deliver the account opening disclosures, but in order to switch to e-delivery of the periodic disclosures, you must obtain each customer's consent. Consent will not be valid unless you follow the entire ESIGN process.
Posted By: ahkcompliance

Re: E-Sign Compliance - 08/25/11 08:40 PM

I think the demonstrable consent is the hardest to obtain. Before my time here at my current bank, their process for estatement enrollment was having the customer sign a piece of paper detailing the terms & conditions. When I took my position, I quickly changed this. We now have all customers enroll through online banking. They must open a pdf document which is the terms and conditions and then after they open, click the box agreeing to receive statements online. The box does not appear until they actually open the pdf.
Posted By: KTW327

Re: E-Sign Compliance - 08/25/11 09:07 PM

Can the initial e-sign acknowledgement for account opening apply to the statements as well, or should that be a separate disclosure?
Posted By: ahkcompliance

Re: E-Sign Compliance - 08/25/11 09:24 PM

I think in the agreement you need to specify what kind of notices, statements will be included. We do not deliver account opening disclosure electronically but in our notice we state, you agree to receive all periodic statements, notices, privacy notices, etc electronically.

I think if you obtained consent at account opening, you need to specify what will be sent electronically.
Posted By: Andy_Z

Re: E-Sign Compliance - 09/01/11 07:38 PM

Originally Posted By: KTW327
Can the initial e-sign acknowledgement for account opening apply to the statements as well, or should that be a separate disclosure?

Disclosures at opening are fine, fees, alternatives, cancellation, etc. That isn't demonstrable consent, but you do have to make the disclosures anyway. There is no requirement that they be separate, that is your choice.
Posted By: mmumm

Re: E-Sign Compliance - 11/09/11 10:37 PM

We have received questions from lending staff in regards to providing loan applications via email, and also receiving completed applications back from the customer via email.

Also, we've received questions from operations staff regarding signing up a customer for e-statements at the same time as when they come in and open a new account at the desk with the new accounts person. Currently the customer has to enroll for online banking, and then enroll for e-statements through OLB.

In the loan app case, as far as receiving completed apps back via email, what are the requirements on us having a "wet signature" on file, versus if we were to print out the app attached in an email?

In the e-statement case, don't they need to demonstrate that they can receive the e-statement, which is something they do when they enroll via OLB. If we sign them up at new account opening (by checking a box for e-statements in our system), that doesn't appear to satisfy the requirement that the customer can actually receive and view the e-statement...?
Posted By: Richard Insley

Re: E-Sign Compliance - 11/09/11 11:43 PM

How will loan applicants secure their information before sending it through the internet?

The e-statement sign-up process you described will not comply with ESIGN. You can provide the preconsent disclosures on paper at the time you open a new account, but the customer's consent must be electronic and it must be handled in a manner that proves the customer has the necessary hardware, software, and technical capability.
Posted By: mmumm

Re: E-Sign Compliance - 11/15/11 12:21 AM

We would have them password protect it and send it back. Or, they could print it and provide it to us that way.

For providing a loan application to them via email, do they need to first demonstrate that they can receive it?
Posted By: Richard Insley

Re: E-Sign Compliance - 11/15/11 01:37 AM

Demonstration only comes into play if you are using ESIGN, and you only need to use ESIGN if federal law requires you to deliver a document "in writing."

See Section 202.4 (c) and (d) of Reg. B for general rules concerning applications, including specific exclusions from ESIGN. If Reg. Z requires time-of-application disclosures for the type(s) of credit you're offering with e-applications, then you must review those rules to determine what must be "in writing", how it must be delivered, when, and how ESIGN applies.
Posted By: mmumm

Re: E-Sign Compliance - 12/20/11 05:46 PM

We do commercial/commercial construction loans, SBA/B&I/FSA loans, and the only consumer loans we do are HELOC's/LOC's.

Should we be worried about complying with E-SIGN for sending loan app's via email for the above loans?
Posted By: Richard Insley

Re: E-Sign Compliance - 12/21/11 01:47 PM

With a few exceptions, electronic transmissions are a legal alternative to paper documents for all transactions - both commercial and consumer. ESIGN applicability can only be determined on a document-by-document basis.

Your question covers a wide range of transactions and related documents. Some of these documents are required by state or federal law and others are not. Unless a document is required by law, is necessary to document your compliance with a law, or is necessary to support a contract with your customer, you are free to handle it any way you wish. Considering that not all customers care to use electronics for some or all of their communications with your company, it's always a good business practice to provide alternate means of document delivery.

Since contract documents fall under state laws and will be judged in a California court, these items must conform to state laws for content, timing, and method of delivery. Although these documents can be handled in electronic form, delivery must conform with either ESIGN or California's UETA. Disclosures (if any) required by state law are handled the same way.

Federal consumer disclosures can also be handled electronically, but they fall into three delivery categories. Most demanding are "written" communications. If a federal law or regulation says you must deliver something "in writing", then you must use paper or ESIGN-enabled electronic communication. A few federal items must comply with standards specified in a particular law, but need not follow the full ESIGN regimen. Remaining federal items can be handled any way you want. Keep in mind, however, that investor rules will apply to any loan destined for the secondary market.

So how do you sort all of this out? Document by document. A complete ESIGN/UETA analysis matrix would list (column 1) all documents you plan to deliver in electronic form. Column 2 would list the specific (cite the law/reg and section) legal requirement (if any) satisfied by each document. Column 3 would be an indication of the delivery method ("written", regulated, or unrestricted) required by the law or reg shown in Column 2.
Posted By: Red Raiders

Re: E-Sign Compliance - 01/16/14 09:53 PM

We are kicking around online account opening. Our provider has a process to do CIP and OFAC to verify the customer and will provide the disclosures on the screen through the opening process (applicant will have to check box that they reviewed to continue). Do we have to go through the E-Sign hoops (mainly demonstrable consent) and if so, how do most banks do this for online account opening?
Posted By: Richard Insley

Re: E-Sign Compliance - 01/17/14 12:15 AM

How about moving this over to a new thread. This one is already a monster.