ESRA IRS Briefing 20150519

Uploaded by ken-moyle, posted 26 Jan 2017

Page 1: ESRA IRS Briefing 20150519

www.eSignRecords.org © ESRA Confidential & Proprietary

Information Session
Online Authentication Principles and Practices
Internal Revenue Service Briefing, May 19, 2015

Page 2: ESRA IRS Briefing 20150519

Agenda

10:00 AM  ESRA Overview & Introductions

10:10 AM  Electronic Transactions
  Today's IRS Challenge
  Electronic Signatures and Records: ESIGN & GPEA
  Attribution: How do I know who signed?

10:25 AM  Risk Assessment
  Classifications of risks associated with online transactions
  Risk tolerance
  Mitigation

10:35 AM  Attribution, Authentication & Identity
  Identity Management
  Government Assurance Levels
  Federated Identity

10:55 AM  Use Cases and Best Practices
  Private sector examples
  Public sector examples: DOD, FDA, HUD-FHA, SBA

11:10 AM  IRS Use Cases and Approach
  The PIN
  Non-return guidance: ESIGN compliance
  8878/8879 Guidance
  Up close: IRS e-Transcript program

11:25 AM  Q&A

12:00 PM  Close

Page 3: ESRA IRS Briefing 20150519

ESRA: Electronic Signature and Records Association

ESRA is the premier global trade association focused on the advancement of electronic signatures and records.

Technology-neutral forum comprised of both users and providers
Advocates public policy that promotes the inherent compliance, efficiency and transparency benefits of electronic processes
Develops thought leadership, events and education around the most pressing legal, regulatory and operational issues associated with e-signed records

ESRA Vision: Positively impact consumers, businesses and government through the promotion of electronic signatures and records

ESRA Mission: Globally, lead endeavors to advocate the use of electronic signatures and records, promote process efficiencies and provide educational resources to the public, businesses and government

Page 4: ESRA IRS Briefing 20150519

ESIGN Act Champions

Electronic Financial Services Council (EFSC)
National trade association established in the late 1990s by a group of professionals from various industries who realized the need for public policy initiatives and the promotion of electronic signature and records technology
Promoted legislation and regulation designed to ensure that electronic commerce continued to revolutionize the availability and delivery of financial services
Advocated positions on public policies affecting the offering of financial products and services, including mortgage loans, insurance products, investment products, consumer loans and online banking, in e-commerce
Led the charge to make electronic signatures a legally binding way to sign documents
Instrumental in the passage of the Electronic Signatures in Global and National Commerce Act (E-Sign Act), which became law on June 30, 2000

ESRA was later established in 2006 to lead efforts that optimize the understanding and encourage further adoption of these practices.

Page 5: ESRA IRS Briefing 20150519

Shared Knowledge & Collaboration

Education Events
• Annual Conference - eSignRecords
• Member Newsletters & Bulletins
• Online Resources – Premier Access
• Federal Legislative Developments, Compliance, and Regulatory Updates

Public Policy Advocacy
• Ad-hoc meetings with federal / state level legislators & regulators
• Coordination with other organizations on specific topics of interest

ESRA Meetings
• Bi-annual membership meeting (Winter / Summer)
• Membership Only Legislative and Regulatory Conference Calls
• Regular committee meetings
• Quarterly and special meetings of the Board of Directors

Member Opportunities
• Reduced fees to attend, exhibit, and/or sponsor at ESRA events
• Exposure on website – Member List
• Network with peers at conferences & events
• Thought leadership: media placements and speaking engagements

Maximize the value of membership; volunteer to get involved

Page 6: ESRA IRS Briefing 20150519

ESRA Mission

Globally, lead endeavors to advocate the use of electronic signatures and records, promote process efficiencies and provide educational resources to the public, businesses and government

...lead endeavors to advocate the use of electronic signatures and records

Page 7: ESRA IRS Briefing 20150519

Public Policy Committee

Page 8: ESRA IRS Briefing 20150519

A Collective Voice: Sample List of Member Organizations

Adobe Systems
AlphaTrust Corporation
AssureSign
BuckleySandler, LLP
California Association of Realtors
Citibank
Communication Intelligence Corporation (CIC)
Consumer Financial Protection Bureau (CFPB)
Corporation Service Company (CSC)
DocMagic
DocuSign
DocuTech
DocVerify
DotLoop
Eastern Funding
Ellie Mae
eOriginal, Inc.
eLynx
Equifax
eSignSystems
Experian
Fidelity National Financial (FNF)
GoPaperless Solutions
IMM
iPipeline
Locke Lorde LLP
NotaryCam
Pennsylvania Employee State Credit Union (PESCU)
Property Records Industry Association (PRIA)
RouteOne
SpringLeaf Finance
Silanis Technology
Simplifile
SIGNiX
TeleTrust - EU IT Security Association
Topaz Systems
USAA
US Bank
Wells Fargo
Wolters Kluwer
William Mills Agency

Page 9: ESRA IRS Briefing 20150519

Sample Public Policy Issues – 2015

Electronic Notary
WY: e-Recording
NE: e-Delivery Regulation
OH: e-Signed Security Agreements

Page 10: ESRA IRS Briefing 20150519

ESRA Mission

Globally, lead endeavors to advocate the use of electronic signatures and records, promote process efficiencies and provide educational resources to the public, businesses and government

...promote process efficiencies

Page 11: ESRA IRS Briefing 20150519

ESRA Mission

Globally, lead endeavors to advocate the use of electronic signatures and records, promote process efficiencies and provide educational resources to the public, businesses and government

...provide educational resources to the public, businesses and government

Page 12: ESRA IRS Briefing 20150519

Electronic Transactions

IRS Challenge
Electronic Signatures
Attribution

Page 13: ESRA IRS Briefing 20150519

Today's IRS Challenge

Establish a high-assurance, low friction means of identifying taxpayers and other stakeholders remotely, allowing IRS to deliver services in an online environment without increasing risk.

Page 14: ESRA IRS Briefing 20150519

U.S. Legality of e-Signed Records

The Uniform Electronic Transactions Act (UETA) and the companion federal law, the Electronic Signatures in Global and National Commerce Act (ESIGN), provide assurance that electronic signatures will be granted the same legal authority as traditional ink signatures on paper. If an electronic transaction meets the requirements of the electronic signature laws, the transaction cannot be repudiated based on the fact that the transaction was conducted electronically, rather than on paper.

ESIGN does not give guidance on how to identify and authenticate signatories.

UETA: Establishes the legal equivalence of electronic records and signatures with paper writings and manually-signed signatures, removing barriers to electronic commerce.

ESIGN: Confirms that states must allow the use of electronic signatures if the two parties involved agree to this method of signing. ESIGN applies to interstate commerce, foreign commerce, and business transactions with the Federal Government.

GPEA: Requires Federal agencies, by October 21, 2003, to allow individuals or entities that deal with the agencies the option to submit information or transact with the agency electronically, when practicable, and to maintain records electronically, when practicable.

Page 15: ESRA IRS Briefing 20150519

Intent & Authentication

Four Basic Purposes For Signing
I agree to it
It came from me
I've seen it
I got it

Signer must intend to "sign" the document
Purpose of signature derived from surrounding circumstances

Page 16: ESRA IRS Briefing 20150519

Attribution

Legal sufficiency vs. attribution: ESIGN answers the question "is it a signature?" It does NOT answer the question "is it your signature?"
Attribution must be proven. It may be proven by any means, including surrounding circumstances or the efficacy of an agreed-upon security procedure.
Burden of proof is on the person seeking to enforce the signature.
Non-repudiation is a legal condition, not a technology feature.

Page 17: ESRA IRS Briefing 20150519

Attribution, Authentication & Identity

Identity Management
Federated Credentials

Page 18: ESRA IRS Briefing 20150519

Authentication and Accountability

"Electronic authentication is essential for establishing accountability online."

Electronic authentication:
provides a level of assurance as to whether someone is who he claims to be in a digital environment;
plays a key role in the establishment of trust relationships for electronic commerce, electronic government and many other social interactions;
is also an essential component of any strategy to protect information systems and networks, financial data, personal information and other assets from unauthorized access or identity theft.

- Organisation for Economic Co-operation and Development (OECD) Recommendation on Electronic Authentication and OECD Guidance for Electronic Authentication, June 2007

Page 19: ESRA IRS Briefing 20150519

Identity Management

Who are you? How can you prove it? What should you be allowed to do?

Verifying the identity of a person or entity that:
o seeks remote access to a corporate system,
o authors an electronic communication, or
o signs an electronic document

Page 20: ESRA IRS Briefing 20150519

Identification

Answers the question: Who are you?
Also called "identity proofing" or "enrolment"
Gathers "attributes"
One-time event
Can be done remotely, but often requires physical appearance

Scope: which information is collected, and how much
Accuracy: reliability of the source (see assurance levels)

Page 21: ESRA IRS Briefing 20150519

Identity Management Basics

Seek access → Identify (1x) → Credential → Authenticate → Authorize

Identification: scope and accuracy
Issuance of credential
Authentication
Authorization

Page 22: ESRA IRS Briefing 20150519

Issuance of Credential

Credential = Identifier (e.g. userid) + Authenticator (token) (e.g. password)

A credential is data that is used to authenticate the claimed digital identity or attributes of a person.

Trust in both the PROCESS and the SECURITY of the data is critical.

Page 23: ESRA IRS Briefing 20150519

Authentication

Who are you? How can you prove it? What should you be allowed to do?

Establishing confidence in a person's claimed identity
Transaction-specific
Process always involves cross-checking the claimed identity against one or more authentication "factors", including:
Something the person knows;
Something the person possesses; or
Something the person is.

Page 24: ESRA IRS Briefing 20150519

Authentication types

• Passwords
• personal identification numbers (PINs)
• digital certificates using a public key infrastructure (PKI)
• physical devices such as smart cards
• one-time passwords
• USB plug-ins or other types of "tokens"
• transaction profile scripts
• biometric identification

Page 25: ESRA IRS Briefing 20150519

Authorization

Who are you? How can you prove it? What should you be allowed to do?

Grant of rights or privileges
Access control to networks
Verify the identity of the sender of a data message
Verify the identity of the signer of an electronic record

Page 26: ESRA IRS Briefing 20150519

Assurance

Confidence that:
the identity information being presented actually represents the person named in it, and
the person identified in the credential is the person who is actually engaging in the electronic transaction

Assurance Level: strength of the identification and authentication processes

Page 27: ESRA IRS Briefing 20150519

Federated Identity Credentials

Reliance on a third party for identification services.
Roles, functions and duties split between: Subject, Identity Provider, Relying Party

Seek access → Identify → Credential → Authenticate → Authorize

Page 28: ESRA IRS Briefing 20150519

Trust

Relying party must be able to trust the Identity Provider

Page 29: ESRA IRS Briefing 20150519

Risk

Identification
Assessment
Mitigation

Page 30: ESRA IRS Briefing 20150519

Key E-Signature Risks

Repudiation Risk
Compliance Risk
Admissibility Risk
Adoption Risk
Relative Risk
Authentication Risk

Page 31: ESRA IRS Briefing 20150519

Key Impacts of Authentication Errors (OMB)

Inconvenience, distress, or damage to standing or reputation
Financial loss
Harm to agency programs or public interests
Privacy
Personal safety
Civil or criminal violation
Unauthorized release of sensitive information

Page 32: ESRA IRS Briefing 20150519

Key Identity Risks

Technology, Process, Performance
Identification, Authentication
Privacy
Data Security, Liability, Enforceability, Regulatory Compliance

Page 33: ESRA IRS Briefing 20150519

Use Cases

Agency policies
Lessons Learned

Page 34: ESRA IRS Briefing 20150519

FHA Single Family Loan Program - 1

ML 2010-14 set e-signature requirements for "third party" documents on FHA Single Family Loans.

Data subjects: individual borrowers
Ecosystem: Open
Paper authentication: None
Risk: Low
Mitigation method: ESIGN compliance (basic)
Result: Risk mitigation methods set by lenders

Page 35: ESRA IRS Briefing 20150519

FHA Single Family Loan Program - 2

ML 2014-3 set e-signature requirements for lender-generated documents for FHA Single Family Loans.

Authentication refers to the process used to confirm an individual's identity as a party in a transaction.
Attribution is the process of associating the identity of an individual with his or her signature.

Data subjects: individual borrowers
Ecosystem: Open
Paper authentication: None
Risk: Low
Mitigation method: Various
Result: Confusion among lenders

Page 36: ESRA IRS Briefing 20150519

SBA Loan Program guidelines

SBA Procedural Notice 5000-1323 allows 7(a) and 504 lenders to use electronic signatures on SBA documents.

Data subjects: small business entities
Ecosystem: Open
Paper authentication: Low
Risk: Low
Mitigation method: NIST Level 3 (High)
Result: No adoption

Page 37: ESRA IRS Briefing 20150519

Guidance for government agencies

Page 38: ESRA IRS Briefing 20150519

Unique challenges for agencies

Regulators may be faced with electronic records in any or all of these situations:
Regulating transactions between parties
Record retention
Filing requirements
Government as market participant
Direct-to-citizen transactions

Risk appetite for government service providers is lower than most private sector levels

Page 39: ESRA IRS Briefing 20150519

Where to start?

ESIGN
GPEA
OMB guidance
NIST
Other federal agencies
Private industry
eID Initiatives

Page 40: ESRA IRS Briefing 20150519

Statutory framework

ESIGN/UETA
Statutes are consistent in their message: remove barriers to paperless transactions

Page 41: ESRA IRS Briefing 20150519

U.S. Government Assurance Levels

Level 1: Little or No Confidence
Level 2: Some Confidence
Level 3: High Confidence
Level 4: Very High Confidence

Factors affecting assurance levels:
- Nature of ID process
- Type of authenticator (token) used
- Security of remote authentication mechanism

Page 42: ESRA IRS Briefing 20150519

OMB Guidance (M-04-04)

Outlines a 5-step process by which agencies should meet their e-authentication assurance requirements:
1. Conduct a risk assessment of the government system.
2. Map identified risks to the appropriate assurance level.
3. Select technology based on e-authentication technical guidance.
4. Validate that the implemented system has met the required assurance level.
5. Periodically reassess the information system to determine technology refresh requirements.

Page 43: ESRA IRS Briefing 20150519

NIST SP 800-63-2

Guidelines for implementing the third step of the OMB M-04-04 process.

Specific technical requirements for each of the four levels of assurance in the following areas:
Identity proofing and registration of Applicants,
Tokens (typically a cryptographic key or password) for authentication,
Token and credential management mechanisms used to establish and maintain token and credential information,
Protocols used to support the authentication mechanism between the Claimant and the Verifier,
Assertion mechanisms used to communicate the results of a remote authentication if these results are sent to other parties.

Page 44: ESRA IRS Briefing 20150519

U.S. Government Assurance Levels

NIST Special Publication 800-63-2: the NIST recommendation provides technical guidelines to agencies to allow an individual to remotely authenticate his or her identity to a Federal IT system.

OMB M-04-04: applies to remote authentication of human users of Federal agency IT systems for the purposes of conducting government business electronically (or e-government).

Page 45: ESRA IRS Briefing 20150519

GSA/OMB 2013 e-signature guidelines

Exec Order 13681: By Jan. 2015, agencies to present a plan to ensure use of multi-factor authentication for citizen access to personal data. Implementation required by April 2016.

Page 46: ESRA IRS Briefing 20150519

Other entities – Private & Public Sector

Private industry: SPeRS; FFIEC; independent standards bodies such as ISO
Current initiatives: NSTIC/IDESG; OpenID

Page 47: ESRA IRS Briefing 20150519

SPeRS Standard 1-1

Page 48: ESRA IRS Briefing 20150519

Best Practices for e-Signed Records

"Wet" Ink vs. Electronic: the eProcess should not be riskier or more burdensome than the traditional process of using wet ink and hard copy paper.
Identity Validation: validate the identity of the signatory; demonstrate that the document has made it into the correct hands.
Signer's Consent: the individual who will be signing the form must provide their consent to receive and sign documents electronically.
Tamper-Evident Seal: after the electronic signature is collected, the document should be made tamper-evident (as opposed to tamper-proof).
E-Process Audit Log: the signature event audit log should remain available with the record in a secure environment; it captures acknowledgement.
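The tamper-evident seal and the signature event audit log are the two things a verifier recomputes when a signature is later challenged. The following Python is an added example, not code from the briefing or from any ESRA member's product: it hashes the record, hash-chains the audit events onto that digest, and seals the chain head with an HMAC under a key assumed to be held by the records system. The record text, the event fields and the key are constructed for the example. It is tamper-evident rather than tamper-proof: nothing stops someone altering the record or the log, but verification then fails.

```python
import copy
import hashlib
import hmac
import json

# Constructed sample input (not from the briefing): the e-signed record as
# stored, and the events the signing platform logged while collecting the
# signature. Field names are illustrative.
SAMPLE_RECORD = b"Form 8879 e-file Signature Authorization (sample record text)"
SAMPLE_EVENTS = [
    {"ts": "2015-05-19T10:00:00Z", "event": "consent_to_esign", "signer": "taxpayer-01"},
    {"ts": "2015-05-19T10:01:10Z", "event": "authenticated", "factor": "one-time-password"},
    {"ts": "2015-05-19T10:02:30Z", "event": "signature_applied", "signer": "taxpayer-01"},
]
# Assumed: a seal key held only by the records system. An HMAC is used so the
# example runs with the standard library; a deployment would normally use an
# asymmetric signature or a trusted timestamp so that a third party can verify
# the seal without being given the key.
SEAL_KEY = b"records-system-seal-key-for-demo-only"


def canonical(obj) -> bytes:
    """Deterministic JSON encoding, so the same event always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def chain_audit_log(events, record_digest):
    """Hash-chain the audit events onto the record digest.

    Each entry commits to the previous entry's hash, so editing, deleting or
    reordering any event (not only the last one) changes the chain head."""
    prev = record_digest
    chained = []
    for ev in events:
        entry = dict(ev, prev=prev)
        entry_hash = hashlib.sha256(canonical(entry)).hexdigest()
        chained.append(dict(entry, hash=entry_hash))
        prev = entry_hash
    return chained


def seal(record: bytes, events, key: bytes = SEAL_KEY) -> dict:
    """Produce the tamper-evident seal stored alongside the record."""
    record_digest = hashlib.sha256(record).hexdigest()
    log = chain_audit_log(events, record_digest)
    head = log[-1]["hash"] if log else record_digest
    tag = hmac.new(key, head.encode(), hashlib.sha256).hexdigest()
    return {"record_sha256": record_digest, "audit_log": log, "seal": tag}


def verify(record: bytes, sealed: dict, key: bytes = SEAL_KEY) -> bool:
    """Recompute the digest, the chain and the seal from what is stored.

    Returns False if the record bytes, any event, the event order, or the
    seal itself no longer match. It says nothing about who signed (that is
    attribution); it only shows whether anything changed after sealing."""
    record_digest = hashlib.sha256(record).hexdigest()
    if not hmac.compare_digest(record_digest, sealed["record_sha256"]):
        return False
    stored = sealed["audit_log"]
    # Strip the chain fields and rebuild the chain from the event data alone.
    events = [{k: v for k, v in e.items() if k not in ("prev", "hash")} for e in stored]
    recomputed = chain_audit_log(events, record_digest)
    if recomputed != stored:
        return False
    head = recomputed[-1]["hash"] if recomputed else record_digest
    expected = hmac.new(key, head.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["seal"])


def demo():
    """Seal the sample record, then attempt two post-signature tampers."""
    sealed = seal(SAMPLE_RECORD, SAMPLE_EVENTS)
    intact = verify(SAMPLE_RECORD, sealed)

    # 1. The record text is altered after signing.
    altered_record = SAMPLE_RECORD.replace(b"8879", b"8878")
    record_edit_detected = not verify(altered_record, sealed)

    # 2. An insider without the seal key drops the authentication event and
    #    re-chains the log so that every per-entry hash still checks out.
    forged = copy.deepcopy(sealed)
    forged["audit_log"] = chain_audit_log(
        [SAMPLE_EVENTS[0], SAMPLE_EVENTS[2]], sealed["record_sha256"]
    )
    log_edit_detected = not verify(SAMPLE_RECORD, forged)

    return intact, record_edit_detected, log_edit_detected


if __name__ == "__main__":
    print(demo())
```

The seal binds the record digest and the whole event chain together, so a forged log that is internally consistent still fails because its head no longer matches what was sealed. Note what it does not do: a passing verification shows the record is unchanged since sealing, not that the named signer was the person at the keyboard; that is the attribution question from page 16 and is answered by the authentication factors and surrounding circumstances, not by the seal.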

Page 49: ESRA IRS Briefing 20150519

Resources

Thomas J. Smedinghoff, "Introduction to Online Identity Management," http://www.uncitral.org/pdf/english/colloquia/EC/Smedinghoff_Paper_-_Introduction_to_Identity_Management.pdf

Organisation for Economic Co-operation and Development (OECD), Recommendation on Electronic Authentication and OECD Guidance for Electronic Authentication, June 2007, http://www.oecd.org/dataoecd/32/45/38921342.pdf

Federal Financial Institutions Examination Council (FFIEC), "Authentication in an Internet Banking Environment," October 12, 2005, http://www.ffiec.gov/pdf/authentication_guidance.pdf

National Institute of Standards and Technology, "Electronic Authentication Guideline," Special Publication 800-63-2 (August 2013), http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf

SBA Procedural Notice 5000-1323 (October 21, 2014), https://www.sba.gov/sites/default/files/lender_notices/5000-1323.pdf

Page 50: ESRA IRS Briefing 20150519

Thank you!

1250 24th Street NW, Washington, DC 20037
800-560-ESRA (3772)
ESRA@eSignRecords.org

Page 51: ESRA IRS Briefing 20150519

Identity – current practices in a paper world

Individual: reliance on integrity of the post office; in-person identification; signature sample
Representatives: certificates of authority

Page 52: ESRA IRS Briefing 20150519

Identity in remote transactions

Unique identifier
Surrounding circumstances
Third-party tools: credit check; "out of wallet" identification

Page 53: ESRA IRS Briefing 20150519

Verification online

SSN verification services
Credit card billing address verification
Address verification
Transaction structure – e.g. all credit balances must be sent to the same account that is being debited.