Many tasks are more complex to accomplish when one has to do them remotely. For instance building schemas to explain complex ideas or processes or carry out a brainstorming exercise. Although not alone, there is one that isn’t related to the dynamics of group interactions, the need for signing reports or documents that need legal validity.
All of the actions listed above can be done digitally these days. We couldn’t have written this sentence 20 years ago which have seen countless technology developments that have shaped the world we know. To remotely sign any document, there is such a thing called an electronic signature also known as e-signature.
Before March 2020, a month for posterity, relatively limited attention was paid to e-signatures. Neophobia or the fear of the new wasn’t prompting this situation because the technology dates back to decades ago, even before 1999, when the Electronic Signatures Directive 1999/93/EC was enforced and the ability to embed digital signatures into PDF documents was added. But, for any technology to go mainstream, there are also legal and cultural variables and social circumstances that come into play.
It was only since July 2014, when European co-legislators adopted eIDAS regulation that provides the needed pan-european regulatory environment for secure electronic interactions between citizens, organisations and public authorities.
However, no one could have expected that the imposition of physical distancing measures aimed at limiting the rapid spread of COVID-19 would be the real trigger for the e-signature solution to start going mainstream. Like a side effect of confinement, it has proved to be a real asset for maintaining organisations activities. Home-based workers have also realised the benefits of e-signature .
Luxembourg, naturally, has followed the eIDAS regulation. What is special about the country is its readiness. Making use of people’s digital identity to perform quite a few things online has already been around for a little while. The widely spread LuxTrust-powered token to perform banking transactions online is the most conspicuous example.
Likely, we will see more and more use cases where the validation of operations and transactions will be powered by e-signatures. To dig more into this interesting topic and how it is helping businesses, we had an online talk with several of our professionals working with it. In this article we are summarising the concepts and ideas we discussed with Malik Lekehal, Sébastien Sadzot and Xavier Lisoir. Malik and Sébastien are responsible for PwC Luxembourg’s audit transformation and Xavier works on the deployment of e-signature technology with clients.
What’s an e-signature in simple words
So, what is an electronic signature? You may be asking yourself.
Broadly speaking, it is a way for a user to sign a record or contract electronically, expressing consent towards what is stated in the digital document.
Commonly, e-signatures are associated with a symbol because it is what most of us have in mind when signing a document on paper, however, it can also be a sound or a process. Whichever the method used, the e-signature is attached to, or logically associated with, the contract or record.
Xavier explained to us that there are three types of e-signature according to eIDAS. The simple, advanced and qualified signatures have different uses and answer different needs for legal certainty or risk levels.
A qualified signature is the most suitable for business because it enables the verification of authorship and is considered as equivalent to a manual signature.
To create a qualified e-signature, both a qualified certificate authenticating the signatory and a qualified signature creation device (QSCD) that generates qualified digital certificates are necessary.
Also, for e-signatures to be “qualified”, the entity who signs (the signatory) must have full control over the data used to create the certificate and also have the ability to identify if that information hasn’t been altered or amended after the e-signature was done.
Sébastien made clear that the electronic signature offers more security than a handwritten one because it is the entire document or contract that is signed electronically, not just the last page. Once signed electronically, it is impossible to modify the content without invalidating the signature.
How a business implements e-signature
As mentioned above, businesses need a signing platform to upload the document that will be digitally signed.
To implement such a platform, there are two options. Either a business deploys an existing solution internally and adapts it to its needs—an option that could be more time consuming—or takes advantage of existing software offered by a Qualified Trust Service Provider (QTSP) for which deployment normally takes less time. Opting for one or the other responds to time availability, resources and requirements of the signature mechanism that a business wants to put in place. QTSPs across the European Union and Switzerland follow the eIDAS regulation standards, assuring the integrity of electronic identification for signatories and services.
However, when setting an e-signature mechanism, the onboarding of the e-signature users—the signatories—could be a time consuming step. Depending on who the target population is, individuals may be already equipped with the relevant signature device, a soft token or an mobile-based signature option that meet the legal and technical requirements, for instance.
The trust variable
In support of the qualified digital certificates, there is the trust aspect. In fact, the difference between the simple, advanced and qualified signatures isn’t necessarily technology-related and, in most cases, the technology used may not even change.
This is why the role of the QTSP is so relevant. Apart from overseeing that the electronic signing mechanism meets all the requirements, it also guarantees that the qualified digital certificates will be recognised as valid in the future.
The outcome – the signature – which is the combination of one’s identity and the document by means of a cryptographic function, binds both irreversibly together. And this is the signed document that can be used, for instance, in front of a court or for any other legal needs.
Currently, the guidelines of the iDAS do not include blockchain as an alternative technology but they recommend different cryptographic mechanisms. Blockchain could be added to the list in the future.
When e-signature meets audit
As part of any audit activities, several documents must be issued with a signature. Afterwards, they are shared with various stakeholders (customers, shareholders, regulators, etc.). When signed by hand, a still very common “facon de faire”, the distribution process can be relatively long and very manual.
E-signature makes the signing of audit reports more efficient and dynamic as the constraint of being physically present disappears.
For instance, since last November, we have included qualified e-signatures in our audit reports. This solution allows us to sign documents electronically and securely with the same legal value of a handwritten signature.
Malik commented that the use of e-signatures has proved to be very convenient. Apart from the significant reduction of paper consumption, it ensures better tracking of documents and signatures and speeds up the processing time of files. In addition, the solution integrated into management flows allows better processing and monitoring of files and facilitates digital archiving.
However, he told us, the work to facilitate its adoption was arduous. Our teams had to convince the parties concerned of the merits of the solution and its approach. So far, the feedback has been very positive. Somehow, it is pushing organisations’ digital transformation agenda further.
To do this, we’re collaborating with LuxTrust, supplier of secure digital identity solutions. The role played by LuxTrust is precisely what we explained before. It acts as a trusted digital third party as required by the eIDAS directive.
And what about hierarchy levels?
There is a question on whether e-signature mechanisms are deployable in large organisations considering that hierarchical matters could be a constraint.
Let’s start with the technical part. It’s fully possible to have multiple e-signatures on a single document. The challenge, then, falls on the need for applying business rules, for instance, approval and validation processes. But that has little or nothing to do with the e-signature mechanism in itself and, in fact, it is about business workflows that are likely available within the organisation already. These workflows help to solve “who is entitled to sign what” questions.
Over time, we have learnt to accept as “valid” a scanned document or faxes which could be forged very easily. Now it’s the time for e-signatures to take the podium. They definitely strengthen trust between remote actors and are invaluable assets to support businesses in times of crisis. However, the old ways will be around for quite a good time because they are ingrained in our memory and life practices. And in the practices of regulators and public organisations too. One day, maybe, we’ll find the balance between the analog and digital methods of doing things.
E-signature and its underlying technology guarantee the integrity of an entire document or contract over time. The true challenge is to adapt the mechanism to business processes and to continue its integration once the urgency of the COVID-19 crisis has passed; to move from the “business case” stage to broader redesign of organisational processes.
What we think
E-signatures make our business greener, bring flexibility to the experience of clients and give room for us to focus on sustaining our business and continuing to deliver quality. Technology is the foundation of rethinking our operational processes.
The use of electronic signature will be in a near future, as common as the use of e-mails and will induce new workflows in our organisations, by far much more efficient.