Lesson 5: System Requirements for Receiving e-Signatures

The system must be able to prove that the e-signature is valid at the time of signing.

When the document is signed, the e-signature must meet the requirements of a valid e-signature, as previously described in this lesson.

Note: This requirement must be met at the time the signature is executed.

The system must be able to prove the e-document cannot be altered without detection after signing.

E-documents with e-signatures cannot be altered at any time—during or after transmission—after signing without detection. A system must be able to prove that the document content is the same as the content at the time of signing. Currently, this generally involves some sort of encryption software.

Note: This requirement must be met at the time the signature is executed.

The system must be able to prove signatories have had the opportunity to review content.

Before actually signing, signatories must have an opportunity to review the content for which their signature is being requested.

Note: This requirement must be met at the time the signature is executed.

The system must be able to prove signatories reviewed the certification statement.

Before actually signing, signatories must have an opportunity to review certification statements, including warnings that false certification carries criminal penalties, to establish that they understood the implications of their signature and meant to sign. This is important should someone ever be prosecuted for criminal fraud.

Note: This requirement must be met at the time the signature is executed.

The system must be able to prove an acknowledgement of receipt.

The system automatically sends an acknowledgment of receipt of the document to an "out-of-band" address. This is usually paper mail or an email address that does not share the same controls as those used to access the online submission account. This ensures that if, by chance, the signature device was compromised, the owner of the device will be notified outside of the system that someone made submissions in their name. This is a common practice used by online shopping sites—after making a purchase on a site, you are notified that the purchase was made with a confirmation in a separate email system.

Note: This requirement must be met at the time of signatory registration.

The system must be able to prove signatories have signed e-signature agreements.

Signatories have executed e-signature agreements related to using their signature devices. The e-signature agreement can be done electronically, but can also be done on paper.

The agreement must include the following:

• The signatory agrees to protect their signature device, such as a password or hardware token, from compromise;
• The signatory agrees to report any evidence of compromise; and
• The signatory understands that the signature they submit electronically with the device carries the same legal force and obligation as a hand written signature.

Usually, signatories execute this agreement when they register with the system to receive their electronic signature device.

Note: This requirement must be met at the time of signatory registration.

The system must be able to prove identities with legal certainty.

This is a requirement that serves to establish the identity of an individual who is issued (or registers) an electronic signature device with enough evidence that it will hold up in a court of law. This is the one instance in all these requirements in which CROMERR is tiered in terms of priority and non-priority reports.

• For Non-Priority Reports, the requirement does not specify how identity proofing is to be carried out.
• For Priority Reports, the identity proofing must be done prior to signature execution, and must be done with one of two specified methods.

Priority reports and their associated identity proofing requirements will be discussed in more detail later in this lesson.

Note: This requirement must be met at the time of signatory registration.