ESIGN or UETA?

Posted By: Richard Insley

ESIGN or UETA? - 03/25/02 01:08 PM

We've had 18 months to study the federal ESIGN Act, compare & contrast it with any state UETA law that may have been enacted in our state(s), and consider how and when ESIGN's preemption applies. Most online info about ESIGN vs. UETA focusses on basic, introductory coverage of these laws.

I'm still unsure if ESIGN is the final authority on the all-important matter of "consent." ESIGN's tricky system of disclosure and opt-in has stymied developers' efforts to automate the delivery of "written" disclosures--like periodic statements for credit cards, HELOCs, and deposit accounts.

One authority recommended in a Dec. 2001 seminar that we should "adopt the ESIGN Act as the baseline, and assume that all ESIGN restrictions and exclusions will apply, even in UETA jurisdictions."

What other opinions and recommendations are you hearing? Have you seen a detailed analysis online or in print? Have you discussed this issue with regulators or received anything in writing from them?

Posted By: Andy_Z

Re: ESIGN or UETA? - 03/25/02 04:56 PM

My limited discussions with regulators indicate that they are becoming familiar with e-sign but have limited knowledge of UETA. If a bank opts to adopt some of the less stringent UETA requirements, they need to be prepared to discuss it with their regulators before an exam.

I'm not sure if banks are slow to adopt this new delivery medium because it is difficult, untested, an unknown or just not a priority at this time.
Posted By: Richard Insley

Re: ESIGN or UETA? - 03/25/02 06:53 PM

I don't see that ESIGN allows you to opt for "less stringent UETA requirements." In fact, UETA is preempted ENTIRELY if it is in any way inconsistent with ESIGN. When it comes to the all-important consent provision (Section 101(c)(1)(C)(ii) of ESIGN), does UETA even have a comparable provision? (It would have been much better if Congress had appointed a rulewriter.)
Posted By: Andy_Z

Re: ESIGN or UETA? - 03/25/02 07:29 PM

Versions of UETA that are defined as "conforming" and may therefore be used in place of E-sign's 101, have fewer control requirements.

One criticism I have read about UETA is that the proverbial traveling salesman can take a laptop into a consumer's home and have them agree to an e-contract, and walk out with the laptop. Obviously this would be an abusive practice if it would in fact "pass the test", and some attorneys thought it could.

What I have read on UETA is that it is much simpler to comply with from the business owner's perspective.
Posted By: Terry

Re: ESIGN or UETA? - 03/26/02 09:01 PM

I read a good analysis of ESIGN requirements stating that UETA eliminates the need to comply with ESIGN 101(c) but only with respect to disclosures required by state regulation. If the disclosure is also required by federal regulation then ESIGN applies. Similar to Richard's comment, it referred to ESIGN as the "lowest common denominator" for such things and granting consumer credit online. The focus of the article was on credit, but presumably the same could be said of deposit activity.
Posted By: Richard Insley

Re: ESIGN or UETA? - 03/27/02 01:14 AM

This is a critical question. If we mistakenly rely on UETA when Sec 101(c) of ESIGN applies, then we get the rug pulled out from under us. End result--disclosures you thought you gave don't count!!

It would be very helpful if the regulators studied this from a safety & soundness perspective and issued some guidance while the questions are still hypothetical. Imagine the penalties that could result if a court decided that all of a bank's e-disclosures didn't count because the consent was improper!!!
Posted By: Andy_Z

Re: ESIGN or UETA? - 03/27/02 03:06 AM

E-Sign specifically says a conforming version of UETA will prevail. I have never heard that there would be one standard for state and another for Federal requirements.

Why would there have been issues raised about UETA if E-Sign was the lowest common denominator?

I will verify my position again, but I did this once with a senior FDIC regulator. They had not studied these issues and he initially believed E-Sign was "it". When we talked about it again, he indicated that UETA could prevail and that it would be best to indicate this to your regulators when they come in.

Obviously this is new to all of us. Perhaps this helps to answer the original question of why banks are not adopting this.
Posted By: Richard Insley

Re: ESIGN or UETA? - 03/27/02 01:37 PM

Good points, Andy. Many bankers are still at the head-scratching stage, too. It's worse for the vendors who have to provide for states with (a) conforming UETAs, (b) non-conforming UETAs, or (c) no UETA. No one's likely to start investing development dollars until the necessary consent mechanism can be defined to the degree where the risks are understood and acceptable.

I've had conversations with regulators, too. They're a mixed bag of "don't get it", "don't see the big deal", "don't have time to worry about it", and "don't see it as part of my job--it's a technology issue." It could be years before we see the test case that makes some poor business the "ESIGN disaster poster child" whose disclosures and contracts are judged inadequate. Look at how long mortgage lenders merrily charged courier fees before the Rodash case hit the fan.
Posted By: Andy_Z

Re: ESIGN or UETA? - 03/27/02 03:54 PM

An attorney who does a lot of well respected work here in Texas replied to me. I didn't ask permission for a quote so I won't provide a name. But this is the response to my question of which prevails.

Actually, I served on the State Bar Committee that proposed UETA, so I have some familiarity with this!

You are right!

E-SIGN was thrown together in a hurry and mimics a lot of UETA--which was developed by the conference on uniform laws. E-SIGN and UETA both have sections of law (like wills) that are not preempted. But generally, as between the two, UETA prevails. And UETA does not have the same cumbersome requirements that are found in E-SIGN. This leaves us with an interesting dilemma if a party is doing business over the internet or in multiple jurisdictions. In that situation, I would prefer to comply with E-SIGN and get clear consumer consent before engaging in an electronic transaction. But under UETA, entering into the transaction can itself signify consent to engage in electronic transactions!
Posted By: Terry

Re: ESIGN or UETA? - 03/27/02 05:28 PM

This sure seems to conflict with what I read. I noted something earlier and never quite knew what to make of it, but Section 101(a) of ESIGN says that it is "with respect to any transaction in or affecting interstate or foreign commerce". Does this mean that it only applies to transactions that cross state lines? Or do all of our transactions become "interstate" because we must comply with federal regulations? This would be a significant point for smaller banks that only have physical branches in one state and only plan to accept applications from within that state.
Posted By: Richard Insley

Re: ESIGN or UETA? - 03/27/02 07:37 PM

Has ABA counsel offered any guidance to banks that are trying to sort this out? Obviously, the major players will probably implement the ESIGN 101(c) consent mechanism because it will be required in at least some of their states. Smaller banks may have to decide which law applies to their Internet banking activities.
Posted By: Terry

Re: ESIGN or UETA? - 03/27/02 07:45 PM

I haven't contacted the ABA, but I did contact the Fed Board. I asked about UETA vs ESIGN plus a whole load of questions relating to the ones we kicked around in the thread just before this one about opening a deposit account online. I hope to hear back this week.
Posted By: Richard Insley

Re: ESIGN or UETA? - 03/27/02 09:47 PM

Good luck with the Fed. Any guidance would be helpful & I hope you can share what you get.
Posted By: Terry

Re: ESIGN or UETA? - 03/27/02 10:42 PM

I'll be sure to let you know.

If we eventually are told that ESIGN prevails, what do you all think will be the risks for the banks that didn't live up to ESIGN consent requirements? It seems that a number of the banks currently opening accounts online still require a manual (pen and paper) signature, but they don't seem to meet the consent requirements of ESIGN. I have read that failure to obtain proper consent will not invalidate the contract, but in my view the bank could still be cited for a pattern & practice of violations for Reg DD, E, CC, etc.
Posted By: Richard Insley

Re: ESIGN or UETA? - 03/28/02 03:09 PM

Yes, I share that fear. The courts would be handing out very bitter punishment if whole portfolios were destroyed due to a technicality. On the other hand regulators may not hesitate to declare violations of disclosure rules, order corrective action, and possibly impose CMP in extreme cases--especially repeat offenders.
Posted By: Terry

Re: ESIGN or UETA? - 03/28/02 03:28 PM

Geez, did you have to say that? I was hoping for something just a little more reassuring.
Posted By: Richard Insley

Re: ESIGN or UETA? - 03/28/02 03:51 PM

Sorry if I sound like a gloom & doomer. I'm always uneasy when dealing with a rule that's untested, isn't clear and could produce unpleasant consequences. Any misunderstanding about when and how ESIGN or UETA apply would result in a pattern of violations.
Posted By: Andy_Z

Re: ESIGN or UETA? - 03/29/02 02:28 PM

I believe a lot of banks are still gathering some information over the Web and then providing disclosures as though the request was via snail mail. They make paper disclosures and send a signature card for execution and Notary. They are slow to adopt the newer technology that could speed the process and automate it.

One question is, even if we clear up some of these issues how many are ready to adopt the technology, or is it still not a priority?

This thread is dominated by the posts of 3 people. Is no one else interested? If not, that will be one reason rulings and guidance will be slow to come. We don't know if this is the chicken or the egg.
Posted By: Richard Insley

Re: ESIGN or UETA? - 03/29/02 03:07 PM

Excellent point, Andy. We've been going at this topic all week, so thousands of BOLers have seen the discussion & appear to have no interest. I'd be interested in hearing from those of you who are sitting on the sidelines--
Don't your banks want to save postage costs by offering e-statements?
Are your service bureaus & other support vendors supporting e-delivery of required disclosures?
Do you have e-delivery on your long range plans?
Have you heard anything on this topic from your regulators, trade assns, others?
Posted By: Colleen

Re: ESIGN or UETA? - 03/29/02 03:54 PM

It's not that I'm not interested. I've been reading this with GREAT INTEREST. We are starting the due diligence process to get on-line banking started. So my interest is great but I don't feel I have the know-how that you three have to make a knowledgeable contribution. I've gained a lot since signing on to bankers threads. It's always nice to get info from people in the trenches (those that actually have to apply the regulations).
Posted By: RVFlyboy

Re: ESIGN or UETA? - 03/29/02 05:50 PM

Richard, I agree with Colleen. It's not that we're not interested, just that we don't have anything more profound to add to the conversation. To answer your questions:

Yes, we want to save postage costs.
Our support vendors are starting to come online with support for e-delivery, but nobody's all the way there yet.
We do have e-delivery on our long range plans.
We haven't heard much from regulators and trade associations. Probably heard more in this thread than from all of them combined.
Posted By: Richard Insley

Re: ESIGN or UETA? - 03/29/02 06:28 PM

Someone mentioned the "chicken vs. egg" problem earlier in this thread & that's the frustrating part of this. We're not going to get to the answers until a good number of banks start implementing e-delivery and coming up with the tough questions. Meanwhile, banks seem to be sitting on the bench waiting for the answers before committing implementation resources.

The least risky approach is to assume you must implement whichever is the more demanding standard. Since UETA has no consent mechanism like ESIGN's Section 101(c), then you'd simply implement this part of ESIGN as an abundance of caution. Of course this approach will also cost the most in the short run.
Posted By: John Burnett

Re: ESIGN or UETA? - 03/29/02 08:27 PM

Both of my good friends Andy and Richard have mentioned the "chicken and egg" problem. I'd like to suggest that many of us fellow bankers might be seeing the "chicken and egg" from a different perspective.

Perhaps some of us are chicken, because we don't want egg on our faces when the regulators finally figure this thing out!

Speaking of eggs, where is that Cadbury bunny when you need him?
Posted By: Anonymous

Re: ESIGN or UETA? - 03/29/02 09:31 PM

Maybe more like sitting ducks. And by-the-way, the Cadbury Bunny has been sighted in Birmingham today! (Just kidding)
Posted By: Andy_Z

Re: ESIGN or UETA? - 03/29/02 09:39 PM

I like that bunny, and bunny wannabes.

Another issue is that the compliance officer should have input and assist in providing direction. But we don't make the final decisions or create the priority list for IT or product development.

What we need to do is educate ourselves as much as possible and wave this flag, citing the savings and improvements possible which Richard cited above, plus others applicable. That would have the additional benefit of compliance contributing to the net instead of being a cost center.
Posted By: Rubaiyat

Re: ESIGN or UETA? - 03/29/02 09:48 PM

I hadn't responded to this thread because this is just too close to home for me at the moment. We have had internet banking and bill pay services for some time but have required the customer come into the bank to set them up. However, we are almost ready to roll out e-statements with online registration and here is the issue. I approached this completely from the e-sign perspective and prepared all disclosures that way. The problem came in the requirement that the customer acknowledge that they can receive the e-information in the form in which it is available. I believe this requirement was written with the concept of using email as the delivery method. You send a test email of some kind, the customer responds and you are in business. Since the e-statement is being offered through the internet (using an ID and password) the dilemma was how we could document that the customer was able to receive the information using this method. We consulted with our regulator, the OCC, and the question finally ended up with their legal counsel in D.C. They finally decided that if the process required them to change their password the first time they entered the product, this would be our documentation that this piece of e-sign had been covered.

I figure (hope!) that if we conform to esign now, we'll be ahead of the game once all the dust settles. But, I've been wrong before!
Posted By: Andy_Z

Re: ESIGN or UETA? - 03/29/02 10:06 PM

So your delivery method will be to leave it on a server that the customer accesses with a user name and ID.

I'm not sure I'd make them change their password, but that is a good practice periodically. If they will download a file containing the statement, you could add a test message in there. The customer responds to a URL or e-mail address with the contents of the downloaded file and that would produce demonstrable consent.

If they see the sample message online, they could do the same. I think this would work.

In any case it sounds like you are over a hurdle. Save the messages the OCC sent you. If you are very cautious, you could also verify their opinion with counsel specializing in this. That would provide regulatory and litigation assurances.

I believe e-statements is a fairly low-risk e-venture. And with postage going up the returns will be seen quickly.

Good luck.
Posted By: Richard Insley

Re: ESIGN or UETA? - 03/29/02 11:43 PM

cwilliams- The obligation to use ordinary e-mail comes from the Fed's "e-Regs" (the March/April 2001 amendments to Regs B, E, M, Z, and DD). ESIGN doesn't care how you and the customer agree to handle the e-delivery, but the Fed does! If you're e-delivering disclosures under any of these regs, you get to choose between:
1) on or attached to an ordinary e-mail message, or
2) at a WWW address that is communicated to the e-delivery customer by ordinary e-mail message.

You got an uninspired answer from OCC. There are much easier ways to get the customer to demonstrate success with the e-delivery medium. My favorite is the PIN system--during the consent ritual, consumer is sent a test message of the type that you'll use for the real disclosures. Inside is a code of some kind and a link to the final consent page. When the customer clicks into the final consent page and enters the PIN on a form, your server adds that customer to the e-delivery list.
Posted By: Tina A Sweet

Re: ESIGN or UETA? - 04/04/02 07:21 PM

I agree with those who have posted and do not feel they have enough knowledge on this subject. We do not do on line disclosures and I do not have enough experience in this matter to contribute. I have, however, learned a great deal from all of you and look forward to absorbing more knowledge in this area.

Posted By: Richard Insley

Re: ESIGN or UETA? - 04/04/02 08:40 PM

Tina- Is your bank planning to begin e-delivery? Do you rely on vendors for the needed processing support? Have those vendors announced what solutions are now or will be available to support e-delivery?
Posted By: Anonymous

Re: ESIGN or UETA? - 04/08/02 05:47 PM

This has been an excellent discussion. We are just breaths away from e-statements and still haven't won the battle of e-sign. We have a Nationwide credit card operation so we will be much safer with e-sign than UETA. Like the earlier posts our struggles are with the customer's demonstration. Our customers must sign up online (after entering their user id and password). This is step 1 of making sure that the customer demonstrates their ability to get their statement. If they can sign up, in essence they can get their statement. Step 2: Our e-statement will be provided by a third-party vendor. The vendor reportedly will track the e-mail sent to the customer. The vendor states that they will be able to tell us that the e-mail has actually been read. When read by the customer, a flag is tripped on the vendor's system indicating that the customer is good to go for e-sign. The e-mail provides the customer with a url to come back to our site and view their statement. At which time they will enter their ID and password. Just like the process they went through when they signed up for e-statements. I'm anxious to see if the OCC will buy off on this process. Disclosures are following very close behind e-statements.
Posted By: Terry

Re: ESIGN or UETA? - 04/08/02 09:11 PM

Hi everyone. I have been out all last week. I haven't heard back from the Fed yet, but I'll let you know when I do.

In the meantime, regarding cwilliams' statements - Richard pointed out that even though you are providing monthly statements on your website rather than by e-mail, you'll still need to send your consumers an e-mail each month letting them know that their new statement is available. So, under ESIGN it seems to me that you will need two different versions of consent from each consumer. As you mentioned, you'll need consent in a form that demonstrates the consumer's ability to access the statement at the website, plus you'll also need a second consent in a form that demonstrates that the consumer can receive the monthly e-mail messages too.
Posted By: Rubaiyat

Re: ESIGN or UETA? - 04/08/02 09:58 PM

I believe Terry is right. This is the easier part for us though, because we will be sending information and instructions with the first email, which the customer needs in order to get to the server location. We are not allowing "instant" access to the e-statement system. We are allowing the customer to sign-up online, but we are performing our authentication, at least for now, manually. After the authentication has been completed, we send the email with further instructions. Yes, it is cumbersome for now. But our vendor doesn't provide the level of authentication we felt was necessary in order to feel comfortable with complete online sign-up.
Posted By: Richard Insley

Re: ESIGN or UETA? - 04/09/02 12:30 PM

The methods you are describing sound promising. Do they accomplish the consent handshake before the date the first statement is to be rendered? It would seem to be a problem if the customer's demonstration took the form of receiving the first live statement. Those who can't complete the handshake for some reason will never get the first statement, or it will be late if you have to revert to paper.
Posted By: Terry

Re: ESIGN or UETA? - 04/09/02 03:03 PM

I think that as long as you require them to change the password (or some similar demonstration of consent) in a manner that they cannot bypass before you let them access their statement you should be okay with that version of consent. My concern would be whether you could obtain consent for e-mail notices in the same e-mail message that provides additional information as cwilliams mentioned. In doing it that way aren't you providing information before obtaining consent to do so? Maybe consent is not needed for that type of "welcome package" information as long as it is not "consumer disclosure" information required by a regulation.
Posted By: Andy_Z

Re: ESIGN or UETA? - 04/09/02 03:44 PM

Demonstrable consents could be "chained" together much as the transactions will occur. I see no reason that would invalidate this. But I think it is important to note that this is a test and is not the actual delivery, or at least not the only means of delivery, for that periodic statement.
Posted By: Rubaiyat

Re: ESIGN or UETA? - 04/09/02 04:05 PM

In our case, all consumer disclosures and consent, including e-sign, are received at the time of online sign-up through the "I Agree" button before they ever have access to their statement. The subsequent e-mail we send is just a confirmation "Welcome" type of correspondence with information regarding how to get to the site and the fact that a password change will be required when they get there. So, the consent has been given before the customer has any access to the e-statement. I feel like we have covered all the bases to the point of being cumbersome, but better safe than sorry!
Posted By: Harvey

Re: ESIGN or UETA? - 04/09/02 04:21 PM

Would someone direct me to reading on this topic so I can begin to educate myself? I need to start with E-SIGN/UETA 101.
Posted By: Rubaiyat

Re: ESIGN or UETA? - 04/09/02 05:41 PM

Here is a link to the e-sign law as well as a couple of articles. There is lots of information out there. I also looked at some large bank websites just to get a feel for how they look in "real life". Don't presume these are right, just use them to give you a guide on what to research. Also, Richard may not want to toot his own horn, but he does a very nice seminar called "Wired For Compliance" which I found very informative and helpful.

http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=106_cong_public_laws&docid=f:publ229.106.pdf
http://www.bankerssystems.com/compliance/article13.html
http://www.complianceheadquarters.com/Deposit/deposit_elec/deposit_elec.html


Posted By: Andy_Z

Re: ESIGN or UETA? - 04/09/02 06:25 PM

Don't confuse "consent" as in "I Will" with "demonstrable consent" which is "proof that I can".

They have to agree and they have to prove they can do it, under E-Sign.
Posted By: Richard Insley

Re: ESIGN or UETA? - 04/09/02 06:53 PM

Yes, Andy, I share your concern with any system that doesn't complete the ESIGN handshake BEFORE sending the first live e-delivery. As Terry observes, you must put the customer through an exercise that tests both the e-mail "alert message" delivery capability and also the WWW statement presentation. Unless both are working, live disclosures will not reach the customer.
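
The "PIN system" described earlier in the thread, combined with the point in the post above that both the e-mail alert and the WWW statement presentation must be tested before the first live e-delivery, can be sketched as a small server-side handshake. This is an added example, not code from any poster, bank or vendor; the channel names, class name and method names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumed channel names: the e-mail "alert message" and the web statement view.
REQUIRED_CHANNELS = ("email_alert", "web_statement")


class ConsentHandshake:
    """Tracks which delivery channels each customer has demonstrably used.

    A one-time code is embedded in a test message sent over the same channel
    and in the same format as the real disclosures. Entering that code on the
    final consent page is the evidence that the customer could receive, open
    and read it. Enrollment requires every channel to be demonstrated.
    """

    def __init__(self, ttl_seconds=72 * 3600, max_attempts=5, clock=time.time):
        self._key = secrets.token_bytes(32)   # server-side key for code digests
        self._ttl = ttl_seconds
        self._max_attempts = max_attempts
        self._clock = clock
        self._pending = {}        # (customer, channel) -> digest/expiry/attempts
        self._demonstrated = {}   # customer -> {channel: timestamp}
        self.audit = []           # evidence trail to retain for examiners

    def _digest(self, customer_id, channel, code):
        # Bind the code to customer and channel so it cannot be replayed elsewhere.
        msg = f"{customer_id}|{channel}|{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def _log(self, customer_id, channel, event):
        self.audit.append((self._clock(), customer_id, channel, event))

    def issue_code(self, customer_id, channel):
        """Return a fresh code to embed in the test message for this channel."""
        if channel not in REQUIRED_CHANNELS:
            raise ValueError(f"unknown channel: {channel}")
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[(customer_id, channel)] = {
            "digest": self._digest(customer_id, channel, code),
            "expires": self._clock() + self._ttl,
            "attempts": 0,
        }
        self._log(customer_id, channel, "issued")
        return code

    def confirm(self, customer_id, channel, submitted):
        """Check the code typed into the final consent page."""
        key = (customer_id, channel)
        entry = self._pending.get(key)
        if entry is None:
            self._log(customer_id, channel, "rejected:no-pending-code")
            return False
        if self._clock() > entry["expires"]:
            del self._pending[key]
            self._log(customer_id, channel, "rejected:expired")
            return False
        entry["attempts"] += 1
        candidate = self._digest(customer_id, channel, submitted.strip())
        if hmac.compare_digest(entry["digest"], candidate):
            del self._pending[key]            # single use
            self._demonstrated.setdefault(customer_id, {})[channel] = self._clock()
            self._log(customer_id, channel, "demonstrated")
            return True
        if entry["attempts"] >= self._max_attempts:
            del self._pending[key]            # stop guessing of a 6-digit code
            self._log(customer_id, channel, "rejected:locked-out")
        else:
            self._log(customer_id, channel, "rejected:wrong-code")
        return False

    def is_enrolled(self, customer_id):
        """True only when every required channel has been demonstrated."""
        done = self._demonstrated.get(customer_id, {})
        return all(ch in done for ch in REQUIRED_CHANNELS)


if __name__ == "__main__":
    hs = ConsentHandshake()
    for ch in REQUIRED_CHANNELS:
        code = hs.issue_code("cust-1", ch)    # constructed customer id
        hs.confirm("cust-1", ch, code)
    print("enrolled:", hs.is_enrolled("cust-1"))
    for row in hs.audit:
        print(row)
```

Until `is_enrolled` returns true the customer stays on paper delivery, so a failed or abandoned handshake never costs them the first statement.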
Posted By: Richard Insley

Re: ESIGN or UETA? - 12/10/02 01:10 PM

Now that we're seeing the first examples of banks violating both ESIGN and UETA, I'd like to reactivate this thread for further discussion of this still-murky topic.

We've had references to these laws in a number of other threads, but little if any new information. What have you seen in print about ESIGN and UETA since March?

Reviewing the old discussions, I think Terry hit the central issue we need to resolve--can any state law (UETA, in this case) dictate how federal disclosures must be given? Although UETA may govern the contracts and signatures (always controlled by state law) necessary to open an account, I have a hard time ignoring a federal law (ESIGN) that outlines specific steps that must be taken to obtain consumer consent for electronic delivery of federal disclosures--especially when Regs. B, E, M, Z, and DD reference ESIGN exclusively.

A few more open-ended questions:
1. What further communications have the regulators issued during the year?
2. Have regulators addressed the difference between authority to contract electronically vs. authority to disclose electronically?
3. Has anyone taken a hit during an exam dealing with e-delivery & how did you and the regulator agree that your practices should be revised?
4. Has anyone heard of that all-important first test case involving ESIGN?
5. Have any of the State Bankers Associations issued briefs or guidance on this matter?
6. What are you hearing from the vendor community?
Posted By: RebekahL CRCM

Re: ESIGN or UETA? - 02/28/03 05:19 PM

BUMP! (Ouch, I think I just stubbed my toe trying to get this behemoth thread kicked back up to the top of the pile!)

I have been reading this thread with a growing level of anxiety. My bank is wanting to roll out e-statements, and after reading the different threads about it, I can safely say that I've had the bejeebers scared out of me.

Nonetheless, marketing and IT want to proceed with great gusto. I'd like to petition some of the previous posters from this thread to report in with some status updates from the front line. How has your e-statement delivery project come along? Do you have any pearls of wisdom to pass along?

My bank is looking at delivering statements (for free) via e-mail in a "push" fashion (with encryption). The customer would open the statement up with Adobe Acrobat, and the “back page” stuff - error resolution and billing rights summary, would be included. They would not receive a paper statement once they are successfully receiving e-statements.

I know that the customer has to agree to receive the statements this way, but would the second issue -demonstrable consent- be achieved by them next responding to a test e-mail? Or do we need to show that they not only get mail, but they ALSO are able to open the statement in Adobe? If so, how in the world could we do that? Also, say they request an additional e-mailed statement to an accountant. Would demonstrable consent from the accountant be required too??

Those are my main issues, but I have some more questions I’d love some advice on...

- We currently allow the customer to see previous statements through internet banking (which is only accessed through a login ID and password.) However, there are not any disclosures included, just the statement activity. Should we be doing this? The customer still receives paper statements (with disclosures), and the online statement viewing is for convenience only.

- We are also considering implementing CD Rom delivery of statements for our large corporate customers (McDonalds, for example) for a fee. This would replace their thick paper statements, with the benefit of providing extended details about the account (like the checks making up a deposit), and offer some convenience for them when tax time rolls around. Do any of you know about compliance issues for this? Would the same ESIGN rules apply? How could demonstrable consent be achieved here?

Whew! Thanks so much, folks. Any feedback you could provide would be greatly appreciated!!
Posted By: Andy_Z

Re: ESIGN or UETA? - 02/28/03 06:10 PM

Quote:

I know that the customer has to agree to receive the statements this way, but would the second issue -demonstrable consent- be achieved by them next responding to a test e-mail? Or do we need to show that they not only get mail, but they ALSO are able to open the statement in Adobe? If so, how in the world could we do that? Also, say they request an additional e-mailed statement to an accountant. Would demonstrable consent from the accountant be required too??

Those are my main issues, but I have some more questions I’d love some advice on...

- We currently allow the customer to see previous statements through internet banking (which is only accessed through a login ID and password.) However, there are not any disclosures included, just the statement activity. Should we be doing this? The customer still receives paper statements (with disclosures), and the online statement viewing is for convenience only.

- We are also considering implementing CD Rom delivery of statements for our large corporate customers (McDonalds, for example) for a fee. This would replace their thick paper statements, with the benefit of providing extended details about the account (like the checks making up a deposit), and offer some convenience for them when tax time rolls around. Do any of you know about compliance issues for this? Would the same ESIGN rules apply? How could demonstrable consent be achieved here?




Demonstrable consent would include opening and reading the attachment. Otherwise, you only confirmed a working address that can receive an attachment.

The test record could include a number to call, an address to respond to and for example, a code word if you wanted. Any or all of these would demonstrate that they received, opened and read the message.

I do not believe you have an obligation of demonstrable consent with the accountant receiving a courtesy copy. They are not your customer/consumer. But doing so will ensure they too can read it. Why wouldn't you want this?

Online statements are fine. You are offering that as historical information, not statement delivery, change notices or to comply with "DD" or "E".

As to the CD ROM version of the statement, E-Sign is a consumer regulation. You'd be looking at commercial aspects which are more broad and less stringent. If you did this with consumers, I believe at first blush E-Sign would apply.
Posted By: RebekahL CRCM

Re: ESIGN or UETA? - 02/28/03 11:03 PM

Many thanks, Andy - your info was just what I needed!
Posted By: Richard Insley

Re: ESIGN or UETA? - 02/28/03 11:07 PM

I agree with Andy. You have to test the whole delivery system to be sure the customer has what it takes to receive, open and read a sample of the disclosures you want to send electronically.
Posted By: RebekahL CRCM

Re: ESIGN or UETA? - 03/03/03 06:38 PM

OK, here I go again, thinking too much (or too little??)...

Since E-SIGN is a consumer regulation, would e-statements going only to commercial customers need to jump through all the same hoops (specifically demonstrable consent) as consumer customers?

I personally think that it is a good practice to keep the same protocol for ALL customers, consumer and commercial, but I can already hear my IT department wanting to exclude businesses, to make their duties less cumbersome.
Posted By: Richard Insley

Re: ESIGN or UETA? - 03/03/03 06:46 PM

You do not have to go through the ESIGN disclosure & opt-in drill for commercial customers.
Posted By: Angel Eyes

Re: ESIGN or UETA? - 05/14/03 02:29 PM

Hello! The boss wants e-stmts out and he wants them out yesterday of course! My problem has been with the E-sign requirements that the customer demonstrate that they can use the system. Earlier in this thread CWilliams stated that the OCC stated that requiring the customer to change their password the first time demonstrated the ability to access the system.

We already have internet banking out there, which requires our customers to change their password the first time and our customers have to have internet banking to get e-statements. Here is the question we have been debating...does the fact that the customer changed their password six months ago before signing up for e-statements demonstrate their ability to access the system for E-sign?

Thanks for the input!
Posted By: Andy_Z

Re: ESIGN or UETA? - 05/14/03 02:37 PM

If the e-statements are delivered through your Internet banking system, possibly yes. How do they download the statement, is there any encryption, is it in PDF and have they been exposed to PDFs in the past? Ask these types of questions as you talk about demonstrable consent.

If the statement is just on the system and there is nothing unique to them separate from the banking side which has already been tested and accepted, you should be OK.

Sending (pushing) encrypted statements would be a separate matter. That is what we do and it is separately distinct from the banking side.
Posted By: Richard Insley

Re: ESIGN or UETA? - 05/14/03 02:51 PM

I don't necessarily agree that previously demonstrated capability satisfies the ESIGN requirement that the customer must "consent electronically, or confirms his or her consent electronically, in a manner that reasonably demonstrates that the consumer can access information in the electronic form that will be used to provide the information that is the subject of the consent."

"Consent" is used exclusively in the present tense. What manner of consent do you use? How does this act demonstrate success with the medium? Do you test both the statement delivery system and also the "alert message" that must be sent by ordinary email?
Posted By: Lawrence T. Levine

Re: ESIGN or UETA? - 05/14/03 05:33 PM

Regarding the encryption side of things -

I would think that the normal 128-bit SSL encryption (DO NOT ALLOW users to use 40-bit!) used in the web session for download would be enough. I think sending an actual document (rather than just getting people to a 128-bit SSL website) would be a mistake on several fronts.

Also - as a matter of principle and because I always feel like ranting - there are MANY good companies that will sell you SSL certificates. I personally like Thawte but there are a bunch of good ones. If you decide to use Verisign's I'd be very careful about knowing what you are buying and what you need. For example on their website they charge a $400-500 price difference for a 40-bit vs 128-bit cert. In reality if you dig deep enough you learn that for domestic purposes the cheaper one does do 128-bit. I'd disable 40-bit on any servers as a matter of principle (since it's compromised). Which leads me to some useful advice at the end of the rant - Just because something is 'encrypted' doesn't mean that it's encrypted well. There could be ramifications to using 'weak' cryptography - that's why the ATM networks are being upgraded... ok... I'm rambling.. back to work!
Posted By: Lawrence T. Levine

Re: ESIGN or UETA? - 05/14/03 06:19 PM

Ok.. so I'm not done!

Regarding the delivery side of things.

1) Use a web-based delivery with email notification. I don't believe consumers or banks are served well by using email attachments. The cryptographic side of things is historically weak and it adds complexity.
2) Be very careful about the look and feel of the email. A large bank (with ~10% of the US depository - go figure that one out) got hit by criminals who emailed their customers with something that looked like email from them... It's incredibly easy to send email that is from someone other than the apparent sender. The email pushed them to a website that 'looked' like the bank. The users then logged in and were 'pushed' to the 'real' bank site. With their login information captured in the process.

Dangerous stuff...

I'd be very careful about keeping emails you send them uncluttered and clear as to their origination and where you are linking them to. A link to www.yourbank.com is much less likely to be easily confused than a link to http://www.notreallyyourbank.com/blah/blah/yourbank/%blah/%blah/%%%Imtryingtohackyou.html
see what I mean.

On the same note - the same institution I referenced above sent out emails of a marketing nature but used a 3rd party. The emails went out from: Bank Name <BankName#1.8722.92873456173829.1@email.bankname1.com>

Not very clear is it? This is BAD FORM. Not only was it very unclear as to who the email was really from, but the domain name wasn't even that of the bank's. In short - the bank didn't learn the lessons of the activity that took place earlier in the year. They were (are) TEACHING their customers not to pay attention.
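
Added example, not part of the original post or thread: a pre-send check a bank could run on its own statement-notification emails to enforce the two points above (sender under the bank's own domain, links short and pointing only at the bank's own host over HTTPS). `BANK_DOMAIN`, `ALLOWED_LINK_HOSTS`, `lint_notification` and both sample messages are assumptions constructed for illustration, reusing the sender format and URL quoted in the post.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumptions: placeholder values taken from the post's "www.yourbank.com" example.
BANK_DOMAIN = "yourbank.com"
ALLOWED_LINK_HOSTS = {"www.yourbank.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def lint_notification(raw):
    """Return a list of findings for one outbound plain-text notification."""
    msg = message_from_string(raw)
    findings = []
    _, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.rpartition("@")
    domain = domain.lower()
    # Compare on a dot boundary: "notreallyyourbank.com" must not pass.
    if domain != BANK_DOMAIN and not domain.endswith("." + BANK_DOMAIN):
        findings.append(f"From domain {domain!r} is not under {BANK_DOMAIN}")
    if re.search(r"\d{6,}", local):
        findings.append("From local part looks machine-generated")
    for url in URL_RE.findall(msg.get_payload()):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme.lower() != "https":
            findings.append(f"link is not https: {url}")
        if host not in ALLOWED_LINK_HOSTS:
            findings.append(f"link host {host!r} is not an approved bank host")
        if "%" in parts.path or parts.path.count("/") > 2:
            findings.append(f"link path is cluttered: {parts.path}")
    return findings

# Constructed samples. The second reuses the sender format and URL quoted in the post.
GOOD = (
    "From: Your Bank <statements@yourbank.com>\n"
    "Subject: Your statement is ready\n\n"
    "Your statement is available. Log in at https://www.yourbank.com/login\n"
)
BAD = (
    "From: Bank Name <BankName#1.8722.92873456173829.1@email.bankname1.com>\n"
    "Subject: Your statement is ready\n\n"
    "View it at http://www.notreallyyourbank.com/blah/blah/yourbank/"
    "%blah/%blah/%%%Imtryingtohackyou.html\n"
)

if __name__ == "__main__":
    for name, raw in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_notification(raw))
```

The exact-host allow list matters: a substring or plain suffix test on "yourbank.com" would accept the look-alike host from the post.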
Posted By: etm614

Re: ESIGN or UETA? - 05/14/03 07:51 PM

Okay - I have a dumb question. How would I know if my state adopted a "conforming" UETA?
Posted By: Andy_Z

Re: ESIGN or UETA? - 05/14/03 07:56 PM

Call one of your state banking associations. They should know if you don't find the answer here.
Posted By: Angel Eyes

Re: ESIGN or UETA? - 05/15/03 04:05 PM

Our E-Stmts are going to be a part of our Internet Banking. We will not be pushing encrypted statements but rather sending a link to our log in screen letting them know that the statement is available for them to view.

I understand that we will have to have some sort of e-mail regarding disclosures and consent. My main point of concern is ensuring that they have demonstrated that they can use the system. It seems that the OCC feels that requiring them to change their password demonstrates their ability to use the system. However, I must say that I am not confident that changing a password six months ago demonstrates the ability to use the system. Just wanted to see what other thoughts were out there.

Thanks for the input!
Posted By: Andy_Z

Re: ESIGN or UETA? - 05/15/03 05:56 PM

If they will download the statement, I would see that as a separate act than just entering the system and changing a password.
Posted By: Richard Insley

Re: ESIGN or UETA? - 05/15/03 06:56 PM

You need to get "affirmative consent" PRIOR to making the switch to e-delivery, and the consent must be given in a manner that demonstrates success with the medium to be used for e-delivery. Changing a password 6 months ago might be acceptable, but if you guess wrong and a court or OCC later concludes that you have not done enough, then your permission to substitute electrons for paper vaporizes, retroactively. Do you want to run the risk that you will be liable for months of "failure to provide disclosures" violations? Imagine the penalties under Regs. Z or E--not to mention the reopened error resolution time window!
Posted By: Angel Eyes

Re: ESIGN or UETA? - 05/16/03 02:42 PM

Thanks for the help! I appreciate all the guidance.