E-signed contracts are great, but how do I know who actually signed it?
While online motor vehicle sales and financing transactions were already prevalent before COVID-19, the pandemic accelerated the growth of that sector. Before the pandemic, consumers, dealers, banks and finance companies all became comfortable with retail transactions that were executed at the dealership by the consumer using electronic records and signatures.
Entirely online transactions, in which the consumer purchased and financed a motor vehicle from their living room, were seen as something of a niche market that might become more mainstream. With COVID-19 making in-person transactions awkward, if not impossible, however, that someday arrived in the spring of 2020.
The industry had already learned the basics of electronic contracting under the federal Electronic Signatures in Global and National Commerce (ESIGN) Act and the Uniform Electronic Transactions Act (UETA) or other state electronic transaction acts. For example, under both federal and state law, an electronic signature is a valid signature on an electronic record.
For an in-person transaction, however, dealers were able to verify that the person who electronically signed a document was really the named signer because the dealers were able to rely on traditional identity verification techniques, such as comparing the picture on a driver’s license with the person present in the dealership.
In a completely online transaction, however, direct identity verification is not possible. And where direct identity verification is not possible, the chance that the transaction may be fraudulent increases. Such fraud can be either impostor fraud, in which a stranger pretends to be the actual customer, or synthetic fraud, in which the fraudster invents a fictional identity and enhances it with information taken from a real person.
The technical term for verifying identity in this instance is “attribution.” According to UETA:
An electronic record or electronic signature is attributable to a person if it was the act of the person. The act of the person may be shown in any manner, including a showing of the efficacy of any security procedure applied to determine the person to which the electronic record or electronic signature was attributable.
The official comment to this section elaborates:
The inclusion of a specific reference to security procedures as a means of proving attribution is [helpful] because of the unique importance of security procedures in the electronic environment. In certain processes, a technical and technological security procedure may be the best way to convince a trier of fact that a particular electronic record or signature was that of a particular person.
In certain circumstances, the use of a security procedure to establish that the record and related signature came from the person’s business might be necessary to overcome a claim that a hacker intervened.
To sum up, even though federal and/or state law may support the enforcement of an electronically signed document, the party enforcing it must still prove that: the party electronically signed and intended to sign that document, and the party who electronically signed the document was the intended signer. This means it is necessary to be able to “authenticate” that the person who executed the document was the intended signer. A well-designed e-signature protocol is the basis for the authentication process.
So, what well-designed protocol is required to authenticate an electronic signature? The answer is multifactor authentication. For example, the electronic contracting system could place a cookie on the customer’s device to confirm that device is associated with that particular consumer. In addition, the contracting system could attempt to verify that the information provided in the online signing session matches information available in various databases. However, much of that information can be found by an impostor with minimal effort.
A stronger authentication factor is the use of what is called “knowledge-based authentication,” or something that the real customer — not a fraudster — would know. A common form of this authentication uses a series of “out of wallet” questions that the lender can easily verify and that do not rely on openly accessible public information. Examples include: Which address have you never lived at? or Where did you go to high school? The answers to these questions are not knowable to someone who has stolen or looked at the customer’s wallet and are therefore more likely to be known only by the actual customer. The use of several factors to authenticate a customer’s identity increases the likelihood that dealers know who really signed the electronic contract.
Arthur Rotatori is a partner in McGlinchey’s Cleveland office. He works with banks, finance businesses, and loan program administrators and marketers across the country on consumer credit and finance issues, with a particular focus on electronic contracts and signatures.
