eIDAS: Striking A Balance Between Security & Customer Experience
As European organizations seek to deliver business via online and mobile channels, the need to balance security with improvements to the customer experience is key. One of the technologies that does both – electronic signatures – is underpinning the digital revolution so much so that there is a new regulation called eIDAS meant to facilitate ease of transacting electronically across EU member state borders.
eIDAS provides clear guidance for the use of e-signatures, along with three categories of e-signature to satisfy the varying levels of risk associated with digital transactions. These categories are meant to enforce security measures to protect company and customer data while ensuring compliance with regulations. The challenge then lies in enabling a seamless user experience to attract more customers, but to do so in a manner that ensures that digital transactions are legal and secure at all times.
Not all E-Signatures are the Same
The eIDAS Regulation defines three categories of e-signature – Basic, Advanced and Qualified – which can all be legally effective. Prior to eIDAS, many believed that national laws mandated the use of the Qualified E-Signature in order for an e-signature to be legally effective, which simply wasn’t the case. Still today, however, the Qualified E-Signature is perceived to be the best option because it offers the highest levels of security and assurance.
The Qualified E-Signature signing process is based on the use of a personal digital certificate, known as a qualified certificate under eIDAS, which is assigned to an individual person and obtained from a Trust Service Provider (TSP). The certificate is typically stored on a device such as a smart card or USB token and used with a computer system to sign documents, making the process highly secure. In practice, this could be a government-issued electronic identity (eID) card such as the national Belgium eID, or a smart card issued by a qualified TSP to sign documents.
Today, we see the use of the Qualified E-Signature in sectors such as government, military and financial services for digital transactions associated with high value and high risk because it enforces an extra security step before the e-signature is applied to the document. In this scenario, however, the user’s experience tends to be cumbersome because the process requires a smart card reader that keeps the user tethered to a computer. This can create a major roadblock in deploying e-signatures across business-to-employee, business-to-business, and business-to-consumer processes and in some cases, negatively impact adoption rates because of extra hardware and steps required to complete the e-signing process.
eIDAS: Balancing Security & Customer Experience for Adoption
A December 2014 report by Forrester Research, "E-Signatures – A Few Simple Best Practices Drive Adoption," explains that complex processes lower adoption significantly and advocates designing the signing experience to be as easy or as detailed as is needed to manage risk in order to ensure high adoption of the technology.
While many organizations in Europe are poised to leverage e-signature technology now that eIDAS is in full effect, they may be tempted to default to the Qualified E-Signature. This is because it offers the highest security and requires the least amount of evidence to reassure a court that the signature is genuine and intentionally applied to the particular document. The challenge however is that cost and effort of implementing the Qualified E-Signature may outweigh the potential benefits if the process is cumbersome and no one is interested in using it.
Advanced E-Signature vs. Qualified E-Signature and What to Look for
When evaluating an e-signature solution and choosing the optimal e-signature type, it’s important to take the time to look at your business processes and determine the level of risk.
For some high risk, high-value transactions such as money transfers, it may make sense to implement the Qualified E-Signature. Look for a solution that uses standards-based digital signatures and can support X.509 certificates issued by any qualified TSP – not all solutions can do so and if not, they can’t be used immediately without some hard coding (read: delays and IT costs). Out-of-the-box readiness is one of the 'must-haves' that will ensure you can implement e-signatures today rather than waiting for the vendor to deliver on future development plans.
For more routine and common signing use cases, such as contracts, agreements and onboarding documents, the Advanced E-Signature may be the appropriate choice. If you decide to go with the latter, be sure to evaluate whether the vendor’s solution provides detailed audit trails to support you in the event of a legal dispute. Some solutions in the market skimp on the details so do your due diligence and ensure your legal and compliance teams are part of the evaluation and selection process.
Whatever e-signature option you choose, it’s important to strike a fine balance between customer experience and security, and determine whether your original objectives for implementing e-signatures can be met.
This article was originally published in Innovation Enterprise.