Despite the fact that the idea of digitizing documents and their electronic signing is far from new, in a certain way we bring fundamental changes to companies and their years of established processes. Every change brings with it worries, resistance, and all sorts of excuses such as: it sounds really great, surely in a few months (or years) we will all conclude contracts electronically, but now it’s not for us yet. Since founding Signi 6 months ago, we have heard many different opinions, excuses, and recommendations; so many that we could publish another article just about them.
Today we will focus on such concerns, which we can divide into 2 groups.
- How does Signi make sure my documents are still here in 10 years?
- What if the other signatory says – I didn’t sign it?
The first group concerns the long-term storage and accessibility of your data. This is technologically and procedurally well solved and this issue is described in detail and enshrined in our and European laws. You may have heard the English term “durable medium”, which defines how information must be delivered and stored to ensure its availability over time and, in particular, its immutability. One of the formats that undoubtedly meets the definition of durable medium is the PDF format, which we use to store all electronic documents. We discuss more about this topic in another article.
The “I did not sign it” concern can be further divided into two variants.
The first is that the other signatory does not dispute that it has entered into a contract with you or that it has a business relationship with you and that its electronic signature is on the contract. However, they may question the content of the document and dispute the fact that it did not sign the specific text. In this case, we can assure you that Signi is designed so that there is not the slightest doubt as to who signed which document as well as what made up the content of the document received by the other party that they subsequently signed and delivered back to you. It’s called a “chain” or “document integrity” and you can rest assured that we’ve spent countless hours absolutely ensuring and securing this area.
Yes, I agree that in the digital world, there is a widespread belief that whoever has Admin rights can do almost anything. In practice, however, this is not the case. Especially since any such intervention, if at all possible, bears huge costs.
If you want to change the past in a blockchain environment and go back a few minutes or hours, you have to expend so much energy that you think twice about whether it pays off. It is basically impossible to turn back time and cancel or change a transaction that happened yesterday. If we wanted to turn back time in Signi, we would have to disaffirm several emails and SMS messages; decrypt, change, and re-encrypt half of the database; and if the client uses timestamps, hack the timestamp publisher’s server. We are not saying that this is completely impossible, but the costs are really enormous. In comparison, you can absolutely believe that forging a signature on paper, on the other hand, is much easier and cheaper.
Moreover, the ancillary costs of such an intervention would be much greater. If such an intervention were to happen, one side will tell the truth and one will inevitably lie. The mere implication of doubt for a trust service, like Signi, is a death knell marking the beginning of their bankruptcy. Such services never regain their lost reputation and simply enter a death spiral of apologizing and explaining until their inevitable end.
The second option is that the counterparty questions the fact that they ever entered into the contract and that it must have been someone else. We agree, this would be a problem. However, this is not a problem that belongs just to electronic signatures. The same problem can just as easily occur with paper contracts. However, electronic ones are simply more discussed. Additionally, this issue really concerns signatory identification concerns.
As of now, it is not possible without prior personal identification to determine with certainty whether the person on the other side is really the person they claim to be. No matter what anyone says otherwise.
There are services that know a lot about you, they know your daily program in detail, how you like your steak, and where you will be going over the weekend. But they don’t know how old you are, where you really live, what you really look like, and if it is you or your virtual double pretending to be you the entire time. Such doppelgangers may be like you, behave like you, but do not have the legal authority to sign contracts on your behalf.
At the same time, the solution is relatively easy… Unlike other problems regarding integrity, security, and availability, this seems trivial. There must have been a moment in your life when you heard the question: please show me your ID card. This is exactly the moment when you are no longer an anonymous, virtual character without a unique identity. At this moment, it is YOU. So why not record this fact, anchor it in time, issue you a resulting confirmation, number it, and make this number available to others and make money doing so? And who has identified you like this at least once in the past? That’s right, your bank.
And thus we have bank identity
We enthusiastically arranged meetings with five banks and, in their gleaming meeting rooms, we told them how we would be able to safely sign documents using bank identities. They didn’t seem to understand, so we repeated it a few more times to be sure: you have identified clients, we have partners who want to conclude tens of thousands of contracts without having to meet with your clients, and they are willing to pay for it. The answer was something like this:
That’s great, but we can’t give you such a service, we can’t give it to anyone. The fact that we do it here and there is made possible by a loophole in today’s laws and we’re acting in the gray zone.
We don’t like to lose, we would even say that we hate to lose, so we didn’t give up and asked further:
Why can’t you provide us with such a service? Dictate the conditions that we, as a company and as a service, must meet. Do you require certification, audits, the appointment of a person to supervise everything?
This is not the case either, you are not an entity required by AML (note: the abbreviation AML means anti-money laundering), we can provide bank identity only to those who are legally required to have it under AML.
Great, that covers a lot of companies that close a lot of documents: investment advisers, financial advisors, real estate agents, and others. So can we provide this service for them?
Unfortunately, this is not possible, because we have to pass the identity directly to the person / company required by AML. Signi cannot figure in that relationship.
And if Signi becomes an entity required by AML, can you provide us with the client’s bank identity?
Yes we can.
Great, so we will verify the client, store the information securely, and as soon as our partner wants to identify this client and conclude a contract with them, they will be verified with us and everything will be simple.
That would not work…. Firstly, you would be taking our business and, secondly, your idea would involve a chain of identities, meaning that the identity provided by you to your partner would no longer valid according to AML.
Ah, so Signi, respectively Digital factory s.r.o., which operates this service, must not figure in any way in the bank-partner relationship. Our partner will have a contract directly with the bank and we will only supply them with an application license.
Yes, that would be possible.
However, this means that Signi must not store such an identity, i.e. each identification = a new requirement for the bank’s API, which at the price of “higher single digit to lower double digit figures of EUR” essentially excludes a reasonable business model except for online betting and gambling.
Yes, that’s right. And you still need to ensure that only the person required by AML and no other partner of yours can access the bank’s API. We also need to point out that this method has no precedent and it is possible that once you implement it, it will end up not passing through our risk and compliance department. Moreover, we also need to inform you that this service, provided in this way, is likely to end in a year.
Simply put: this was a dead end. Even if we closed our eyes to the high costs of developing and modifying the application and if clients accept a high price for one contract concluded in this way and the risk and compliance departments would approve this service, it would already be summer, or probably, autumn 2020. But mainly, why would we provide a service, that through us, without us, our partners conclude contracts?
Then Bank ID was born
At each of those meetings, however, there was a mention of a project being prepared that would exactly fulfill what we would need at Signi. That is, the bank would be able to provide us with verified bank identities for our clients, which we could use and store securely.
At the same time, it will provide the option of logging in to Signi using the same login details as it uses for internet banking. Not only can we identify Signi users and guarantee our partners that the user is really who they claim to be, but will be able to sign documents using their bank identity (aka BankID). No more personal certificates on USB disks, no keychains, or HW keys will be needed, just one recognized, qualified identity will suffice for everything.
In October 2019, it was written…
Since then, we have come a long way in this area, actively cooperating with several banks to bring you the best possible service both for identification via BankID and, especially, for signing documents via Signi. We will have the first real access in Q1, 2020, so we look forward to being able to share all we learn with you. BankID will be a reality in 2021 at the earliest, so we believe that we will be able to manage everything by then.
Finally, we would like to reiterate that the problem of identification is not a problem of electronic signatures and it does not reduce their validity or effectiveness in any way. Just as we would not recommend that you conclude a paper contract without any identification, we do not recommend it to you when using electronic signatures. But if you know, for example, the email or phone number from which you communicated with the other party, we think you have won 95%.