ESRA IRS Briefing 20150519
TRANSCRIPT
www.eSignRecords.org © ESRA Confidential & Proprietary
Information Session
Online Authentication Principles and Practices
Internal Revenue Service Briefing, May 19, 2015
Agenda
10:00 AM ESRA Overview & Introductions
10:10 AM Electronic Transactions: Today’s IRS Challenge; Electronic Signatures and Records: ESIGN & GPEA; Attribution – How do I know who signed?
10:25 AM Risk Assessment: Classifications of risks associated with online transactions; Risk tolerance; Mitigation
10:35 AM Attribution, Authentication & Identity: Identity Management; Government Assurance Levels; Federated Identity
10:55 AM Use Cases and Best Practices: Private sector examples; Public sector examples (DOD, FDA, HUD-FHA, SBA)
11:10 AM IRS Use Cases and Approach: The PIN; Non-return guidance: ESIGN compliance; 8878/8879 Guidance; Up close: IRS e-Transcript program
11:25 AM Q&A
12:00 PM Close
ESRA: Electronic Signature and Records Association
ESRA is the premier global trade association focused on the advancement of electronic signatures and records
• Technology-neutral forum comprised of both users and providers
• Advocates public policy that promotes the inherent compliance, efficiency and transparency benefits of electronic processes
• Develops thought leadership, events and education around the most pressing legal, regulatory and operational issues associated with e-signed records
ESRA Vision: Positively impact consumers, businesses and government through the promotion of electronic signatures and records
ESRA Mission: Globally, lead endeavors to advocate the use of electronic signatures and records, promote process efficiencies and provide educational resources to the public, businesses and government
ESIGN Act Champions
Electronic Financial Services Council (EFSC)
• National trade association established in the late 1990s by a group of professionals from various industries who realized the need for public policy initiatives and the promotion of electronic signature and records technology
• Promoted legislation and regulation designed to ensure that electronic commerce continued to revolutionize the availability and delivery of financial services
• Advocated positions on public policies affecting the offering of financial products and services, including mortgage loans, insurance products, investment products, consumer loans and online banking, in e-commerce
• Led the charge to make electronic signatures a legally binding way to sign documents
• Instrumental in the passage of the Electronic Signatures in Global and National Commerce Act (E-Sign Act), which became a law on June 30, 2000
ESRA was later established in 2006 to lead efforts that optimize the understanding and encourage further adoption of these practices
Shared Knowledge & Collaboration
Education Events
• Annual Conference - eSignRecords
• Member Newsletters & Bulletins
• Online Resources – Premier Access
• Federal Legislative Developments, Compliance, and Regulatory Updates
Public Policy Advocacy
• Ad-hoc meetings with federal / state level legislators & regulators
• Coordination with other organizations on specific topics of interest
ESRA Meetings
• Bi-annual membership meeting (Winter / Summer)
• Membership Only Legislative and Regulatory Conference Calls
• Regular committee meetings
• Quarterly and special meetings of the Board of Directors
Member Opportunities
• Reduced fees to attend, exhibit, and/or sponsor at ESRA events
• Exposure on website – Member List
• Network with peers at conferences & events
• Thought leadership: media placements and speaking engagements
Maximize the value of membership; volunteer to get involved
ESRA Mission: ...lead endeavors to advocate the use of electronic signatures and records
Public Policy Committee
A Collective Voice: Sample List of Member Organizations
Adobe Systems; AlphaTrust Corporation; AssureSign; BuckleySandler, LLP; California Association of Realtors; Citibank; Communication Intelligence Corporation (CIC); Consumer Financial Protection Bureau (CFPB); Corporation Service Company (CSC); DocMagic; DocuSign; DocuTech; DocVerify; DotLoop; Eastern Funding; Ellie Mae; eOriginal, Inc.; eLynx; Equifax; eSignSystems; Experian; Fidelity National Financial (FNF); GoPaperless Solutions; IMM; iPipeline; Locke Lorde LLP; NotaryCam; Pennsylvania Employee State Credit Union (PESCU); Property Records Industry Association (PRIA); RouteOne; SpringLeaf Finance; Silanis Technology; Simplifile; SIGNiX; TeleTrust - EU IT Security Association; Topaz Systems; USAA; US Bank; Wells Fargo; Wolters Kluwer; William Mills Agency
Sample Public Policy Issues – 2015
• Electronic Notary
• WY: e-Recording
• NE: e-Delivery Regulation
• OH: e-Signed Security Agreements
ESRA Mission: ...promote process efficiencies
ESRA Mission: ...provide educational resources to the public, businesses and government
Electronic Transactions
• IRS Challenge
• Electronic Signatures
• Attribution
Today’s IRS Challenge
Establish a high-assurance, low-friction means of identifying taxpayers and other stakeholders remotely, allowing IRS to deliver services in an online environment without increasing risk.
U.S. Legality of e-Signed Records
The Uniform Electronic Transactions Act (UETA) and the companion federal law, the Electronic Signatures in Global and National Commerce Act (ESIGN), provide assurance that electronic signatures will be granted the same legal authority as traditional ink signatures on paper. If an electronic transaction meets the requirements of the electronic signature laws, the transaction cannot be repudiated based on the fact that the transaction was conducted electronically, rather than on paper.
ESIGN does not give guidance on how to identify and authenticate signatories.
UETA: Establishes the legal equivalence of electronic records and signatures with paper writings and manually-signed signatures, removing barriers to electronic commerce
ESIGN: Confirms that states must allow the use of electronic signatures if the two parties involved agree to this method of signing. ESIGN applies to interstate commerce, foreign commerce, and business transactions with the Federal Government.
GPEA: Requires Federal agencies, by October 21, 2003, to allow individuals or entities that deal with the agencies the option to submit information or transact with the agency electronically, when practicable, and to maintain records electronically, when practicable.
Intent & Authentication
Four Basic Purposes For Signing
• I agree to it
• It came from me
• I’ve seen it
• I got it
Signer must intend to “sign” the document
Purpose of signature derived from surrounding circumstances
Attribution
• Legal sufficiency vs. attribution: ESIGN answers the question “is it a signature?” It does NOT answer the question “is it your signature?”
• Attribution must be proven
• May be proven by any means, including surrounding circumstances or efficacy of agreed-upon security procedure
• Burden of proof is on the person seeking to enforce the signature
• Non-repudiation is a legal condition, not a technology feature
Attribution, Authentication & Identity
• Identity Management
• Federated Credentials
Authentication and Accountability
“Electronic authentication is essential for establishing accountability online.”
Electronic authentication:
• provides a level of assurance as to whether someone is who he claims to be in a digital environment.
• plays a key role in the establishment of trust relationships for electronic commerce, electronic government and many other social interactions.
• is also an essential component of any strategy to protect information systems and networks, financial data, personal information and other assets from unauthorized access or identity theft.
- Organisation for Economic Co-operation and Development (OECD) Recommendation on Electronic Authentication and OECD Guidance for Electronic Authentication, June 2007
Identity Management
Who are you? How can you prove it? What should you be allowed to do?
Verifying the identity of a person or entity that:
o seeks remote access to a corporate system,
o authors an electronic communication, or
o signs an electronic document
Identification
• Answers the question: Who are you?
• Also called “identity proofing” or “enrolment”
• Gathers “attributes”
• One-time event
• Can be done remotely, but often requires physical appearance
Scope: which information is collected, and how much
Accuracy: reliability of the source (see assurance levels)
Identity Management Basics
Identification (scope and accuracy) → Issuance of credential → Authentication → Authorization
Flow: Seek access → Identify (one-time, 1x) → Credential → Authenticate → Authorize
Issuance of Credential
Credential = Identifier (e.g. userid) + Authenticator (token) (e.g. password)
A credential is data that is used to authenticate the claimed digital identity or attributes of a person
Trust in both the PROCESS and the SECURITY of the data is critical
Authentication
Who are you? How can you prove it? What should you be allowed to do?
• Establishing confidence in a person’s claimed identity
• Transaction-specific
• Process always involves cross-checking the claimed identity against one or more authentication “factors”, including: something the person knows; something the person possesses; or something the person is.
Authentication types
• Passwords
• Personal identification numbers (PINs)
• Digital certificates using a public key infrastructure (PKI)
• Physical devices such as smart cards
• One-time passwords
• USB plug-ins or other types of “tokens”
• Transaction profile scripts
• Biometric identification
Authorization
Who are you? How can you prove it? What should you be allowed to do?
• Grant of rights or privileges
• Access control to networks
• Verify identity of the sender of a data message
• Verify identity of the signer of an electronic record
Assurance
Confidence that:
• the identity information being presented actually represents the person named in it, and
• the person identified in the credential is the person who is actually engaging in the electronic transaction
Assurance Level: strength of the identification and authentication processes
Federated Identity Credentials
• Reliance on a 3rd party for identification services.
• Roles, Functions & Duties split between: Subject, Identity Provider, Relying Party
Flow: Seek access → Identify → Credential → Authenticate → Authorize
Trust: Relying party must be able to trust the Identity Provider
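The federated slide says the relying party must be able to trust the identity provider; in practice that trust is a list of concrete checks the relying party performs on every assertion it receives. The following example is added here and is not code from the deck or from ESRA: it models a minimal signed assertion (an HMAC over a JSON claim set, standing in for a SAML or OpenID Connect token) and a relying-party verifier that refuses anything from an untrusted issuer, with a bad signature, for another audience, expired, or below the assurance level the transaction needs. The issuer name, audience, key and subject are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed trust store for the relying party (RP). Assumption: a real
# deployment would hold each IdP's public signing key, not a shared secret.
TRUSTED_IDPS = {
    "idp.example.gov": b"constructed-idp-key-not-for-production",
}
RP_AUDIENCE = "tax-portal.example.gov"  # constructed RP identifier


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_assertion(issuer, key, subject, audience, assurance_level,
                    lifetime=300, now=None):
    """Identity-provider side: state who was authenticated, for whom, at what
    assurance level, and sign the statement. Returns 'body.signature'."""
    now = time.time() if now is None else now
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "ial": assurance_level, "iat": int(now), "exp": int(now) + lifetime}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def verify_assertion(token, required_level, now=None):
    """Relying-party side. Returns (ok, reason, claims); every check must pass
    before the RP treats the subject as authenticated at required_level."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body = _unb64(body_b64)
        claims = json.loads(body)
        sig = _unb64(sig_b64)
    except (ValueError, TypeError):
        return False, "malformed", None
    key = TRUSTED_IDPS.get(claims.get("iss"))
    if key is None:
        return False, "untrusted issuer", claims
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature", claims
    if claims.get("aud") != RP_AUDIENCE:
        return False, "wrong audience", claims      # issued for some other RP
    if now >= claims.get("exp", 0):
        return False, "expired", claims
    if claims.get("ial", 0) < required_level:
        return False, "assurance level too low", claims
    return True, "ok", claims


if __name__ == "__main__":
    key = TRUSTED_IDPS["idp.example.gov"]
    token = issue_assertion("idp.example.gov", key, "taxpayer-123", RP_AUDIENCE, 3)
    print(verify_assertion(token, required_level=3))
    print(verify_assertion(token, required_level=4))
```

The order of the checks matters: issuer lookup and signature come first, so the relying party never acts on claims (audience, expiry, level) it has not yet authenticated.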
Risk
• Identification
• Assessment
• Mitigation
Key E-Signature Risks
• Repudiation Risk
• Compliance Risk
• Admissibility Risk
• Adoption Risk
• Relative Risk
• Authentication Risk
Key Impacts of Authentication Errors (OMB)
• Inconvenience, distress, or damage to standing or reputation
• Financial loss
• Harm to agency programs or public interests
• Privacy
• Personal safety
• Civil or criminal violation
• Unauthorized release of sensitive information
Key Identity Risks
• Technology
• Process
• Performance
• Identification
• Authentication
• Privacy
• Data Security
• Liability
• Enforceability
• Regulatory Compliance
Use Cases
• Agency policies
• Lessons Learned
FHA Single Family Loan Program - 1
ML 2010-14 set e-signature requirements for “third party” documents on FHA Single Family Loans.
Data subjects: individual borrowers
Ecosystem: Open
Paper authentication: None
Risk: Low
Mitigation method: ESIGN compliance (basic)
Result: Risk mitigation methods set by lenders
FHA Single Family Loan Program - 2
ML 2014-3 set e-signature requirements for lender-generated documents for FHA Single Family Loans.
Authentication refers to the process used to confirm an individual’s identity as a party in a transaction.
Attribution is the process of associating the identity of an individual with his or her signature.
Data subjects: individual borrowers
Ecosystem: Open
Paper authentication: None
Risk: Low
Mitigation method: Various
Result: Confusion among lenders
SBA Loan Program guidelines
SBA Procedural Notice 5000-1323 allows 7(a) and 504 lenders to use electronic signatures on SBA documents.
Data subjects: small business entities
Ecosystem: Open
Paper authentication: Low
Risk: Low
Mitigation method: NIST Level 3 (High)
Result: No adoption
Guidance for government agencies
Unique challenges for agencies
Regulators may be faced with electronic records in any or all of these situations:
• Regulating transactions between parties
• Record retention
• Filing requirements
• Government as market participant
• Direct-to-citizen transactions
Risk appetite for government service providers is lower than most private sector levels
Where to start?
• ESIGN
• GPEA
• OMB guidance
• NIST
• Other federal agencies
• Private industry
• eID Initiatives
Statutory framework
ESIGN/UETA
Statutes are consistent in their message: remove barriers to paperless transactions
U.S. Government Assurance Levels
Factors affecting assurance levels:
- Nature of ID process
- Type of authenticator (token) used
- Security of remote authentication mechanism
Level 1: Little or No Confidence
Level 2: Some Confidence
Level 3: High Confidence
Level 4: Very High Confidence
OMB Guidance (M-04-04)
Outlines a 5-step process by which agencies should meet their e-authentication assurance requirements:
1. Conduct a risk assessment of the government system.
2. Map identified risks to the appropriate assurance level.
3. Select technology based on e-authentication technical guidance.
4. Validate that the implemented system has met the required assurance level.
5. Periodically reassess the information system to determine technology refresh requirements.
NIST SP 800-63-2
Guidelines for implementing the third step of the OMB M-04-04 process.
Specific technical requirements for each of the four levels of assurance in the following areas:
• Identity proofing and registration of Applicants
• Tokens (typically a cryptographic key or password) for authentication
• Token and credential management mechanisms used to establish and maintain token and credential information
• Protocols used to support the authentication mechanism between the Claimant and the Verifier
• Assertion mechanisms used to communicate the results of a remote authentication if these results are sent to other parties
U.S. Government Assurance Levels
NIST Special Publication 800-63-2: The NIST recommendation provides technical guidelines to agencies to allow an individual to remotely authenticate his or her identity to a Federal IT system.
OMB M-04-04: Applies to remote authentication of human users of Federal agency IT systems for the purposes of conducting government business electronically (or e-government).
GSA/OMB 2013 e-signature guidelines
Exec Order 13681: By Jan. 2015, agencies to present a plan to ensure use of multi-factor authentication for citizen access to personal data. Implementation required by April 2016.
Other entities – Private & Public Sector
Private industry: SPeRS; FFIEC; independent standards bodies such as ISO
Current initiatives: NSTIC/IDESG; OpenID
SPeRS Standard 1-1
Best Practices for e-Signed Records
“Wet” Ink vs. Electronic: the eProcess should not be riskier or more burdensome than the traditional process of using wet ink and hard copy paper
Identity Validation: validate the identity of the signatory
Signer’s Consent: the individual who will be signing the form must provide their consent to receive and sign documents electronically
E-Process Audit Log: demonstrate that the document has made it into the correct hands; the signature event audit log should remain available with the record in a secure environment and captures acknowledgement
Tamper-Evident Seal: after the electronic signature is collected, the document should be made tamper-evident (as opposed to tamper-proof)
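The two best practices that have a direct technical shape are the audit log and the tamper-evident seal. The following example is added here and is not code from the deck, from ESRA or from any e-signature vendor: it hash-chains the signature-process events (consent, identity validation, signature, delivery) so that editing, dropping or reordering an entry is detectable, and then binds the signed document bytes and the log head under one keyed seal. "Tamper-evident, not tamper-proof" is visible in the verifier: nothing stops a change, but every change produces a failed check. The seal key, document text and events are constructed placeholders, and the HMAC stands in for whatever signature the e-signature system would actually apply.

```python
import hashlib
import hmac
import json

# Constructed placeholder; assumption: the seal key is held by the e-signature
# system, never by a signer, so no party to the transaction can re-seal.
SEAL_KEY = b"constructed-seal-key-not-for-production"
GENESIS = "0" * 64


def _canon(obj) -> bytes:
    """Canonical JSON so the same content always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def append_event(log, event):
    """Chain a signature-process event onto the audit log: each entry commits
    to the previous entry's hash, so deletion or reordering breaks the chain."""
    prev = log[-1]["entry_hash"] if log else GENESIS
    seq = len(log)
    entry = {"seq": seq, "prev": prev, "event": event,
             "entry_hash": _sha256(_canon({"seq": seq, "prev": prev, "event": event}))}
    log.append(entry)
    return entry


def seal_record(document: bytes, log):
    """After signature collection: bind document bytes and the complete audit
    log under one keyed seal and return the sealed package."""
    log_head = log[-1]["entry_hash"] if log else GENESIS
    seal_input = {"doc": _sha256(document), "log_head": log_head, "events": len(log)}
    tag = hmac.new(SEAL_KEY, _canon(seal_input), hashlib.sha256).hexdigest()
    return {"document": document, "audit_log": list(log),
            "seal": dict(seal_input, hmac=tag)}


def verify_record(pkg):
    """Returns (ok, reason). Detects tampering; it cannot prevent it."""
    log = pkg["audit_log"]
    prev = GENESIS
    for i, entry in enumerate(log):           # 1. audit log chain intact?
        expected = _sha256(_canon({"seq": i, "prev": prev, "event": entry.get("event")}))
        if entry.get("seq") != i or entry.get("prev") != prev or entry.get("entry_hash") != expected:
            return False, f"audit log entry {i} altered or chain broken"
        prev = expected
    seal_input = {"doc": _sha256(pkg["document"]), "log_head": prev, "events": len(log)}
    expected_tag = hmac.new(SEAL_KEY, _canon(seal_input), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, pkg["seal"]["hmac"]):   # 2. seal matches?
        return False, "seal mismatch: document or audit log changed after sealing"
    return True, "ok"


def build_sample_package():
    """Constructed end-to-end run: consent, identity validation, signature,
    delivery, then sealing. Used for the demonstration and the checks."""
    document = b"Constructed sample form text: I authorize electronic filing."
    log = []
    for ev in (
        {"type": "consent_to_esign", "actor": "taxpayer-123", "ts": "2015-05-19T10:00:00Z"},
        {"type": "identity_validated", "actor": "taxpayer-123", "method": "kba+otp",
         "ts": "2015-05-19T10:01:00Z"},
        {"type": "signature_applied", "actor": "taxpayer-123",
         "doc_sha256": _sha256(document), "ts": "2015-05-19T10:02:00Z"},
        {"type": "document_delivered", "actor": "system", "ts": "2015-05-19T10:02:05Z"},
    ):
        append_event(log, ev)
    return seal_record(document, log)


if __name__ == "__main__":
    pkg = build_sample_package()
    print(verify_record(pkg))
    pkg["document"] += b" (edited after signing)"
    print(verify_record(pkg))
```

Keeping the seal over the log head rather than over each entry separately is what catches a truncated or extended log: the chain of a shortened log is still internally valid, but its head and event count no longer match what was sealed.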
Resources
• Introduction to Online Identity Management, by Thomas J. Smedinghoff, http://www.uncitral.org/pdf/english/colloquia/EC/Smedinghoff_Paper_-_Introduction_to_Identity_Management.pdf
• Organisation for Economic Co-operation and Development (OECD), Recommendation on Electronic Authentication and OECD Guidance for Electronic Authentication, June 2007, http://www.oecd.org/dataoecd/32/45/38921342.pdf
• Federal Financial Institutions Examination Council (“FFIEC”), “Authentication in an Internet Banking Environment,” October 12, 2005, http://www.ffiec.gov/pdf/authentication_guidance.pdf
• National Institute of Standards and Technology, "Electronic Authentication Guideline," Special Pub. No. 800-63-2 (August, 2013), http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf
• SBA Procedural Notice 5000-1323 (October 21, 2014), https://www.sba.gov/sites/default/files/lender_notices/5000-1323.pdf
Thank you!
1250 24th Street NW, Washington, DC 20037
800-560-ESRA (3772), ESRA@eSignRecords.org
Identity – current practices in a paper world
Individual: reliance on integrity of the post office; in-person identification; signature sample
Representatives: certificates of authority
Identity in remote transactions
• Unique identifier
• Surrounding circumstances
• Third-party tools: credit check, “out of wallet” identification
Verification online
• SSN verification services
• Credit card billing address verification
• Address verification
• Transaction structure – e.g. all credit balances must be sent to the same account that is being debited.