E-SIGN BASICS:
Scope
E-SIGN only affects laws which impose a writing or signing
requirement. E-SIGN does not affect substantive protections
of consumer protection laws or the content or timing of disclosures that are required by law. E-SIGN also does not affect
any requirement by a regulatory body that records must be
filed in a specific manner.
Note, the Federal Reserve Board implemented Final Rules under
E-SIGN on November 9, 2007 (which were inherited by the CFPB
under Dodd-Frank.) These rules set forth uniform standards for
electronic delivery of disclosures for the following regulations:
■ ■ ■ Regulation B: Equal Credit Opportunity
■ ■ ■ Regulation E: Electronic Fund Transfers
■ ■ ■ Regulation M: Consumer Leasing
■ ■ ■ Regulation Z: Truth in Lending
■ ■ ■ Regulation DD: Truth in Savings
Delivering Disclosures or
Other Required Notices Electronically
In order to be able to deliver disclosures or other regulatory or
legal documents electronically, you must follow specific rules
first, discussed in E-SIGN §101(c). These are:
Pre-Consent Consumer E-SIGN Disclosure:
Before providing consent to accept items electronically, the consumer must receive a clear and conspicuous disclosure, which
they must be able to retain a copy of or access at a later time. The
notice must contain the following:
■ ■ ■ Any right or option of the consumer to have the record provided
or made available in paper form;
■ ■ ■ The right of the consumer to withdraw consent and any conditions or consequences (including termination of the parties’
relationship) of such a withdrawal (including any fees);
■ ■ ■ Whether the consent applies only to a single transaction or
the entire relationship between the parties;
■ ■ ■ The procedures the consumer must use to withdraw consent
and to update his or her contact information;
■ ■ ■ How the consumer may obtain a paper copy of the electronic
record and whether any fee will be charged for such a copy
(Note—the Consumer Financial Protection Bureau (CFPB)
takes the position that you should not charge for a copy); and
■ ■ ■ The hardware and software requirements for access to, and
retention of, the electronic records.
Affirmative Consent:
After receiving that notice, the consumer must “affirmatively
consent” to receive the information electronically.
An “affirmative consent” means the consumer has to DO something—check a box, click through, enter a code, etc. As an example,
you might see language like: “By clicking the box labeled ‘Accept’
below, you agree to the terms and conditions of this Agreement
and acknowledge that you have read and understand the disclosure
provided above…” where the disclosure that is required is on that
page, above the item they are asked to “click.”
Reasonably Demonstrate Ability to Access the
Information:
Finally, the consumer must “reasonably demonstrate” that they
can access information in the electronic form that will be used to
provide the information that is the subject of the consent. This is
the most debated and violated part of this rule.
“Reasonably demonstrate” means they must show that they are
able to access the disclosure on a device that they have regular access to, such as their own computer or mobile device. Allowing the
consumer to see the information on a screen within the institution
(unless it is owned by the consumer) is not sufficient. For example,
using an institution’s tablet for account opening and going through the
process for E-SIGN on that tablet does not show that the consumer is
able to access the same information on their own device. You could
have the customer sign in to their own email, using a readily available
internet browser, and that may possibly suffice—although examiners
seem split on whether this works. You at least have a valid argument
if you use this method that the consumer accessed their own email.
How do you prove the “reasonably demonstrate” part of this?
There is no proscribed method, however some systems do it via
sending the consumer an email with a code to enter back on the
main website, or with a link in an email to follow that then proves
they can access the information. Be careful here that you verify
the ability to receive the information using the same technology.
For example, don’t send a text message to prove they can receive
an email. And, don’t send an email to prove they can receive
something through an app.
A best practice would be not only to follow this step, but have
a system capable of following a strict workflow that is:
■ ■ ■ Incapable of employee access after the fact;
■ ■ ■ Including actions time-stamped;
■ ■ ■ Documents are unalterable by anyone after execution or delivery; and
■ ■ ■ Produces an audit trail to show when consumers received items,
took actions, etc.
This principle is illustrated further in some of the cases discussed below.
Most importantly—all the steps above must occur before you
deliver a required a notice or disclosure electronically! Some
institutions deliver the disclosure in the same email that they
send, to “reasonably demonstrate” access. This is not technically
correct, because you have not closed the E-SIGN loop yet. You
have to confirm they can access the material and then send any
information to them electronically.
Once E-SIGN was law, where something
that a statute, regulation, or law requires to
be provided “in writing,” or “signed,”
an electronic record (as defined) will suffice
instead of paper delivery or “wet”
signature, with exceptions.
