In a world in which all communication is moving toward digital formats, why are signatures still largely paper-based? There are software solutions that make electronic signatures legal and doable, and, more than most other industries, financial services could benefit.
It is important to distinguish between secure electronic signatures and simple reproductions of paper-based signatures. “If you’ve ever received a fax with someone’s signature on it, that’s an electronic signature,” says Don Johnston, president of the Canadian IT Law Association. But it isn’t a secure signature.
A scanned or faxed reproduction of a manual signature doesn’t lend it any security. In many ways, such signatures are even less secure than an original signature on a piece of paper, because it would be easy to paste an electronic signature into any electronic document and then change the document’s contents.
Secure electronic signatures work differently. They generally don’t look like a handwritten signature at all; instead, they consist of a long string of encoded data. Such signatures are based on a concept called a “public key infrastructure” and are created using a digital certificate, obtained from a trusted third party offering PKI services. This third party — a certificate authority — validates an individual’s identity before providing the certificate. When an individual sends a document using the certificate, software combines the document and the certificate to create a unique signature.
Because the signature is partly based on the message, software on the recipient’s computer can match up the signature and the message to ensure that nothing has changed, says Scott Vanstone, executive vice president of strategic technology and founder of Mississauga, Ont.-based encryption software company Certicom Corp. “Your electronic signature is a function of any electronic bit in the message. If you change any bit, the signature will not verify,” he adds.
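The difference between a pasted scan and a signature computed from the message can be shown in a few lines. This is an added example, not code from the article or from any vendor it names: it uses the Lamport one-time signature scheme (built only on SHA-256) in place of the certificate-based products described, and the documents and function names are constructed for illustration.

```python
import hashlib
import os

BITS = 256  # one pair of secrets per bit of the SHA-256 digest


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _digest_bits(document: bytes):
    digest = int.from_bytes(_h(document), "big")
    return [(digest >> i) & 1 for i in range(BITS)]


def keygen():
    """Private key: 256 pairs of random secrets. Public key: their hashes."""
    private = [(os.urandom(32), os.urandom(32)) for _ in range(BITS)]
    return private, [(_h(a), _h(b)) for a, b in private]


def sign(private, document: bytes):
    """Reveal one secret per digest bit, so every document bit affects the result."""
    return [private[i][bit] for i, bit in enumerate(_digest_bits(document))]


def verify(public, document: bytes, signature) -> bool:
    bits = _digest_bits(document)
    return len(signature) == BITS and all(
        _h(s) == public[i][bits[i]] for i, s in enumerate(signature))


def demo():
    private, public = keygen()
    original = b"Redeem 100 units of Fund A for account 0001"  # constructed sample
    altered = bytes([original[0] ^ 1]) + original[1:]          # one bit flipped
    signature = sign(private, original)  # a Lamport key must sign only one document
    scan = b"[scanned handwritten signature]"  # constructed stand-in for an image
    has_scan = lambda doc: doc.endswith(scan)  # all a pasted image can "prove"
    return {
        "original_verifies": verify(public, original, signature),
        "altered_verifies": verify(public, altered, signature),
        "scan_accepts_altered": has_scan(altered + scan),
    }


if __name__ == "__main__":
    print(demo())
```

The pasted scan is accepted on the altered document because it never depended on the contents, while the computed signature stops verifying after a single flipped bit.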
An unchanged secure electronic signature leads to authentication of the user’s identity. “With a digital signature, we’re sending along a certificate with the transaction, saying that this document hasn’t been altered in any way, and that it is coming from the person that it says it’s coming from,” explains James Quin, a senior research analyst at London, Ont.-based Info-Tech Research Group.
There are large swaths of the financial services industry that secure electronic signature technology has not touched. The system for electronic document analysis and retrieval — SEDAR — does not require a secure electronic signature, as defined by Johnston, as part of its electronic filing requirements.
“In general, the SEDAR rules provide that a signature to or within any electronic filing on SEDAR shall be presented in typed form rather than manual form,” says Carolyn Shaw-Rimmington, manager of public affairs at the Ontario Securities Commission. Certain documents, such as prospectuses or takeover bid circulars, require a paper copy of a “certificate of authentication” that has been manually signed by the relevant people before an electronic typed signature can be filed.
Toronto-based Investment Counsel Association of Canada, likewise, is not using secure signatures to their full potential. “With our members and in dealing with their clients, electronic communication is used, but not specifically in terms of trade instructions,” explains Katie Walmsley, president of the ICAC.
Why isn’t the financial services industry making more use of electronic signatures? “The financial community moves very slowly, and members have lots of legacy equipment. It takes a long time to change,” says Vanstone.
Part of the problem may be the challenge of deploying certificates in software. Companies can make themselves into certificate authorities by creating their own certificates, and can issue these certificates to both employees and clients. However, it may be difficult to ensure that clients have the necessary software to manage and use digital certificates, especially if they are not adept technologically.
“The final frontier has been getting that two-way digital signature transaction model flowing in a widespread way, not only from the business to the consumer but from the other direction,” says Eric Skinner, vice president of product management for digital certificate company Entrust, based in Kanata, Ont.
“It’s also a risk acceptance thing,” says Quin. “Is an organization willing to accept the risk of not using the certificate, or is it burying its head in the sand?”
He calls for the introduction of mandatory secure electronic signatures using regulation to reduce fraud.
Ironically, Canada is one of the few countries that has legislated electronic signatures as legally admissible. The Uniform Electronic Commerce Act, designed to be implemented at a provincial level, allows for the use of electronic signatures and requires only that, when used, they be a reliable means of identifying a person. The Investment Dealers Association of Canada member regulation notice MR0177 essentially follows this law, allowing the use of electronic signatures but pointing to provincial legislation for final guidelines.
One company that has chosen to use digital certificates is Toronto-based FundServ Inc. The company, which provides business-to-business trading services for mutual funds, has been using PKI technology since 1999, and acts as its own certificate authority. Its staff use digital certificates to help automate internal processes such as human resources and the use of purchase orders in finance, explains Amir Jafri, vice president of technology.
“There is reduced risk because of the audit trails that the products give you,” he explains, adding that FundServ obtains substantial productivity savings through electronic signing. The No. 1 benefit is the ability to avoid lost documents.
Although FundServ uses digital signatures internally, it hasn’t yet enabled its clientele to exchange electronically signed documents with it. “We haven’t been approached by customers yet,” says Jafri, adding that the market hasn’t yet recognized the value of the technology. “The solution is there, and we need to keep our eye open for a mission-critical application that can take advantage of this.”
Sign electronically on the dotted line for security
- By: Danny Bradbury
- January 3, 2007
- 11:15