E-Statements, E-SIGN, and demonstable consent

Posted By: Anonymous

E-Statements, E-SIGN, and demonstable consent - 05/06/05 08:34 PM

We have introduced a new internet banking add on that allows our customers to opt-in, online, to receipt of an electronic statement. This is via the "pull" method (they will receive an e-mail notifying them that their statement is available).

In order to opt-in, the customer must access our website, click to indicate that they want to opt-in, access the page with our e-sign disclosures, and click "accept". Obviously, to do all this, they have to be able to read output in html format. The statement is in this same format.

Is this demonstrable consent?
Posted By: Andy_Z

Re: E-Statements, E-SIGN, and demonstable consent - 05/06/05 11:31 PM

If it is a matter of "if they can do this, they can see the statement", then I'd agree it is demonstrable consent. They got the message, read it, followed it to the site and saw the contents just as they would had it been their statement.
Posted By: Richard Insley

Re: E-Statements, E-SIGN, and demonstable consent - 05/07/05 02:38 AM

Sounds like you're almost there. How do you test the "alert message?"
Posted By: Anonymous

Re: E-Statements, E-SIGN, and demonstable consent - 05/08/05 01:46 AM

Related subject, if you are actually turning the paper off, (it depends on your compliance group) but I think you also need to make sure that if the e-mail bounces back to you, you have a means of identifying it and turning the paper back on to send to your customers.
Posted By: Anonymous

Re: E-Statements, E-SIGN, and demonstable consent - 05/09/05 02:05 PM

Quote:

Sounds like you're almost there. How do you test the "alert message?"



Quote:

Related subject, if you are actually turning the paper off, (it depends on your compliance group) but I think you also need to make sure that if the e-mail bounces back to you, you have a means of identifying it and turning the paper back on to send to your customers.




Original poster here. Richard, when you refer to testing the "alert message," are you talking about the same thing the 2nd anon is referring to?

We will receive notifications of rejected e-mails and I believe the plan is to contact the customer by phone, and if we are unable to resolve it then we will be going back to paper statements.
Posted By: Anonymous

Re: E-Statements, E-SIGN, and demonstable consent - 05/09/05 02:06 PM

BTW, thanks Andy, Richard, anon.
Posted By: Richard Insley

Re: E-Statements, E-SIGN, and demonstable consent - 05/09/05 07:11 PM

Quote:

Richard, when you refer to testing the "alert message," are you talking about the same thing the 2nd anon is referring to?



No. In your set up steps I don't see a test to be sure the customer has given you a working EMA and that the customer can navigate to the e-disclosure upon receipt of the email message.
Posted By: Anonymous

Re: E-Statements, E-SIGN, and demonstable consent - 05/09/05 07:52 PM

Quote:

In your set up steps I don't see a test to be sure the customer has given you a working EMA and that the customer can navigate to the e-disclosure upon receipt of the email message.




Ok, well that is kind of the crux of my question. My understanding is that E-SIGN requires some form of demonstrable consent (consent handshake, whatever), that shows the customer is able to receive the disclosures in whatever particular format we provide them.

Ours will be provided in HTML. To sign up for our statement, the customer has to have internet access, a browser, and be able to reach our website. Those are the same requirements to be able to receive their statements in this format.

Does sign up, therefore, equal demonstrable consent?
Posted By: Richard Insley

Re: E-Statements, E-SIGN, and demonstable consent - 05/09/05 08:40 PM

Ordinary email "alert messages" are a necessary component of any e-delivery system that complies with Sec. 230.10(d) of Reg. DD and the similar provision in Reg. E. If you have to do it to comply with Regs DD and E, then ESIGN requires you to test it during the test drive.
Posted By: Anonymous

Re: E-Statements, E-SIGN, and demonstable consent - 05/09/05 08:57 PM

Ok. If a test e-mail is sent, is there a requirement that it be responded to? Or is the fact that it isn't rejected sufficient?

This is so much fun.
Posted By: Richard Insley

Re: E-Statements, E-SIGN, and demonstable consent - 05/10/05 11:39 AM

Now you're back to ESIGN, which says that your e-delivery: "...satisfies the requirement that such information be in writing if the consumer consents electronically, or confirms his or her consent electronically, in a manner that reasonably demonstrates that the consumer can access information in the electronic form that will be used to provide the information that is the subject of the consent."

To me, a "demonstration" of successful access includes every step the consumer will be required to take in order to receive live statements when the time comes. How will the consumer know that a statement has been rendered unless your alert message reaches him/her?

There are no ESIGN regulations, no agency was appointed to interpret ESIGN, and the courts have not yet interpreted ESIGN through rulings. This is a classic Dirty Harry situation. What is an adequate "demonstration?" If you guess wrong, all of your ensuing periodic disclosures will be void, Reg E liability will never end, and you may face an ugly and expensive enforcement action by your regulator.

"...you've got to ask yourself a question: Do I feel lucky? Well, do ya, punk?"
Harry Callahan
Posted By: Andy_Z

Re: E-Statements, E-SIGN, and demonstable consent - 05/11/05 12:00 AM

I agree with Richard. While you are most of the way there, the customer must have a way to know a "pull" statement is available. 205.17(c)(2)(i) describes sending an email or postal notification. The latter sort of defeats the purpose here and is moreso the backup.
Posted By: Anonymous

Re: E-Statements, E-SIGN, and demonstable consent - 05/11/05 10:12 PM

guys are we missing the point here? the customer does not receive his statement via email? do any banks send the customer a letter in the mail to tell them that they've sent the monthly statement via US postal service.

The reg E site mentioned by Andy is still just an interim rule and its not even mandatory. If a customer is accustomed to receiving their statement around the 20th, they don't need email access to login and review their statements.
Posted By: Anonymous

Re: E-Statements, E-SIGN, and demonstable consent - 05/11/05 10:27 PM

how does a customer know a statement has been rendered when its sent by US mail?
Posted By: Andy_Z

Re: E-Statements, E-SIGN, and demonstable consent - 05/11/05 11:32 PM

Sending the customer an email to pull them in for statements is a good rule. Yes, it is interim final rule and not mandatory. It is also the best guidance we have. If you don't do that, you have increased your risks. I don't believe the average customer knows the date of their statement. This is new technology and there are extra steps to go through. It does have faults. The chance that a consumers email box is full and email is returned is MUCH greater than the USPO returning the statement because his home mailbox was stuffed.
Posted By: Richard Insley

Re: E-Statements, E-SIGN, and demonstable consent - 05/12/05 03:17 AM

The e-Regs are a safe harbor. If you comply with them you will not be liable for delivery violations of Regs E and DD. If you attempt a do-it-yourself approach, you're taking an unnecessary risk. If the Fed finally makes the e-Regs permanent (as it promised in 2001), you will be forced to conform to the current rule.
Posted By: Kathleen O. Blanchard

Re: E-Statements, E-SIGN, and demonstable consent - 05/12/05 03:35 AM

Everyone I receive an e-statement or e-bill from sends me an email that it is ready.
Posted By: Anonymous

Re: E-Statements, E-SIGN, and demonstable consent - 05/12/05 06:41 AM

I think most people would agree that an email alert notice is appropriate in some form or fashion (I would actually prefer notice through a closed system, but that's another topic!)

Just a few other issues to consider:


Here's what E-Sign actually says regarding consent.

(C) the consumer -* * *(ii) consents electronically, or confirms his or her consent electronically, in a manner that reasonably demonstrates that the consumer can access information in the electronic form that will be used to provide the information that is the subject of the consent.

What's considered "reasonable" is still subject to interpretation. Based upon plain reading of the law, I think the important issues for demonstrable access are electronic consent and the format of the information subject to the consent (in this case the periodic statements.)

If the statement was actually delivered as an email attachment in PDF format, then I would agree with Andy, Richard that the user would definitely need to demonstrate the ability to access PDF documents through email. (My ISP blocks virtually all attachments, including PDFs)

If the user disputed receipt of an electronic statement and alert notice, and if the bank can prove the customer has actually logged in and viewed the statement page, wouldn't that be more relevant than proving receipt of alert notice?

Does your system provide a confirmation email notice after receipt of an enrollment form?

If yes, and if that confirmation email notice bounced, that would be a clue not to turn off the paper statements until a valid email address is confirmed.

If no, then could the bank establish internal procedures to send out email notices to confirm: the email address, receipt of the e-statement enrollment and request that the user respond affirmatively by email before turning off paper statements?

One other issue to consider - state UETA laws.. in some states, the consumer protection measures are not as onerous as the E-Sign Act.

just additional thoughts
Posted By: Richard Insley

Re: E-Statements, E-SIGN, and demonstable consent - 05/12/05 10:48 AM

Quote:

What's considered "reasonable" is still subject to interpretation.



Agreed--and that's what makes this a risk management issue rather than a cut-and-dried compliance check list. No one has the legal authority to interpret ESIGN except the federal courts. Based solely on the merits of a particular case, a federal judge is free to declare what is reasonable and what is not.

Quote:

Based upon plain reading of the law, I think the important issues for demonstrable access are electronic consent and the format of the information subject to the consent (in this case the periodic statements.)



Your plain reading ignores the central issue - what does an adequate demonstration include?

Quote:

If the user disputed receipt of an electronic statement and alert notice, and if the bank can prove the customer has actually logged in and viewed the statement page, wouldn't that be more relevant than proving receipt of alert notice?



You are not required to prove receipt of e-deliveries or alert messages, only the test message. From that point on, ESIGN "blesses" all e-deliveries by the tested & proven system.

Quote:

Does your system provide a confirmation email notice after receipt of an enrollment form?

If yes, and if that confirmation email notice bounced, that would be a clue not to turn off the paper statements until a valid email address is confirmed.

If no, then could the bank establish internal procedures to send out email notices to confirm: the email address, receipt of the e-statement enrollment and request that the user respond affirmatively by email before turning off paper statements?



Your customer must demonstrate (electronically) receipt of the test message in an affirmative manner. If I understand the preceeding comment, you would consider the message delivered unless you get a bounce-back. That would be a bad assumption because POP servers are not always programmed to bounce back undeliverable messages. If you send a message and the server vaporizes it because the address does not exist, you will never know that the message was not delivered.

Quote:

One other issue to consider - state UETA laws.. in some states, the consumer protection measures are not as onerous as the E-Sign Act.



UETAs have no effect on delivery of federal disclosures. They are state laws. Both Regs E and DD make exclusive reference to ESIGN as the first step in using electronic communication, and Fed staffers have (verbally) confirmed that ESIGN is your exclusive choice when dealing with e-delivery of TIS & Reg. E disclosures (periodic statements.)
Posted By: Anonymous

Re: E-Statements, E-SIGN, and demonstable consent - 05/12/05 08:48 PM

In response to your comments regarding UETAs - I have no argument regarding its effect on the "delivery" of federal disclosures. Its the "demonstrable consent issue" that differs in UETA. If the state has adopted a uniform version of UETA, then it may not be pre-empted.

In response to your comment, "
Your plain reading ignores the central issue - what does an adequate demonstration include?" I believe you're taking a very narrow position. Many will agree with you and some won't. Again its up for the courts to decide.

Again focus on the actual wording in the statue:

*(ii) consents electronically, or confirms his or her consent electronically, in a manner that reasonably demonstrates that the consumer can access information in the electronic form that will be used to provide the information that is the subject of the consent.

As mentioned above couldn't a bank establish their own internal procedures sending out email notices to confirm: the customer's email address, receipt of the e-statement enrollment and request that the user respond affirmatively by email before turning off paper statements?

Doesn't this address this issue?

Has anyone seen a company or bank that tests only the email alert notice? Examples would be most helpful.

If I'm not mistaken the courts look at industry standards when trying to evaluate reasonableness.

I haven't done the legislative homework to review comments from legislators when drafting this provision, but I think that would also be relevant.

It would be most interesting to hear what an attorney or examiner thinks on this issue as that will probably guide most risk management practices.
Posted By: Richard Insley

Re: E-Statements, E-SIGN, and demonstable consent - 05/12/05 10:14 PM

Quote:

If the state has adopted a uniform version of UETA, then it may not be pre-empted.



Section 102 of ESIGN permits UETAs to modify, limit, or supersede ESIGN's consent provisions with respect to State law, only. This variance applies only if your state's UETA meets several standards. If it does not meet these standards then it is preempted by ESIGN.

Quote:

I believe you're taking a very narrow position. Many will agree with you and some won't. Again its up for the courts to decide.



I am taking a safe position. Why would you want to ignore a safe harbor (the e-Regs' delivery system) and take the risk that every e-statement you have ever sent could be ruled NOT to be a valid for Reg E and Reg DD purposes? You would open your bank to substantial retroactive penalties and cost.

Quote:

As mentioned above couldn't a bank establish their own internal procedures sending out email notices to confirm: the customer's email address, receipt of the e-statement enrollment and request that the user respond affirmatively by email before turning off paper statements?

Doesn't this address this issue?



ESIGN does not specify each step you must take or that you must take them in a particular sequence. If you have confirmed separately that your messages are reaching the email address, and that the consumer knows where the e-statements will be located, how to download them, and how to open, print or save the content, then you have probably touched all the bases.

Quote:

Has anyone seen a company or bank that tests only the email alert notice?



This would never be sufficient without also testing the customer's ability to obtain, open, and use a test document.

Quote:

If I'm not mistaken the courts look at industry standards when trying to evaluate reasonableness.



Yes, that's right, provided the standards are consistent with the requirements of the law.

Quote:

I haven't done the legislative homework to review comments from legislators when drafting this provision, but I think that would also be relevant.



The legislative history includes strong objections from consumer advocates to UETA-like opt-in systems that may impose e-delivery on unsophisticated consumers. These groups lobbied for confirmation of receipt of each e-document before it would be recognized as a legal alternative to paper. Businesses objected strenuously, indicating that such a burden would make the service impractical. The compromise was the informed consent system found in Section 101(c)(1)(C)(ii) of ESIGN--one successful test drive of the system before the e-documents would be treated as legal.
Posted By: Anonymous

Re: E-Statements, E-SIGN, and demonstable consent - 05/19/05 06:52 PM

I am taking a safe position. Why would you want to ignore a safe harbor (the e-Regs' delivery system) and take the risk that every e-statement you have ever sent could be ruled NOT to be a valid for Reg E and Reg DD purposes? You would open your bank to substantial retroactive penalties and cost.

******************************************
Sorry, but I think the issue in debate is demonstrable consent and neither Reg E or DD cover this issue. In the situation described by the anonymous user..they are sending the email.so they are not ignoring what you perceive as a safe-harbor. E-Sign and UETA would cover this issue at debate. Take note of this provision in the E-Sign Act; if it also applies to statements, then it seems logical that the statements themselves would not be invalidated simiply because a bank failed to test an alert email notice that statement was available.

Just my thoughts..I think we'll just have to agree to disagree on this. Personally I think its best to seek an attorney's opinion on these types of issues.

"

(3) EFFECT OF FAILURE TO OBTAIN ELECTRONIC CONSENT
OR CONFIRMATION OF CONSENT.—The legal effectiveness,
validity, or enforceability of any contract executed by a consumer shall not be denied solely because of the failure toobtain electronic consent or confirmation of consent by that consumer in accordance with paragraph (1)(C)(ii)."
Posted By: Richard Insley

Re: E-Statements, E-SIGN, and demonstable consent - 05/20/05 03:08 AM

I give up. Since virtually everyone posting to this thread is anonymous, I have no idea how many different sets of facts and positions are being debated.
Posted By: Andy_Z

Re: E-Statements, E-SIGN, and demonstable consent - 05/20/05 06:00 AM

The reason many were skeptical of UETA was because the siding salesman could take his laptop into granny's home and have her agree to e-documents and then leave with his laptop. That same premise holds here. They may have accessed your web site and viewed the test statement. But the bank hasn't tested any notices to the consumer. Not doing so would be dangerous in my mind. Yes, most who access the web have email. But I'd want to go through the demonstrable consent hoops. If we agree to disagree, so be it.
Posted By: ecompliance

Re: E-Statements, E-SIGN, and demonstable consent - 01/17/06 04:13 PM

Hi, everyone..interesting thread. There must be many companies that are not complying with Richard's interpretation. From personal experience, I've found that many of the larger cc companies (e.g. american express) do NOT test drive the email alert system as part of the consent process, nor do they test the ability to access PDF documents.
Posted By: mrbsaaml

Re: E-Statements, E-SIGN, and demonstable consent - 03/01/06 06:56 PM

My company requires customers, when activating their account via IVR or on our website, to agree to electronic (website/email)delivery of statements and disclosures and confirm that they have the means to access this information. We believe we are ok as far as those who access the website; and while we have records of the acknowledgements received via ivr, they haven't actually "demonstrated" the ability to access our website. Note: all customers receive a hard copy of our t&cs when they submit their account application. Thoughts