Home > Regulation & Examinations > Bank Examinations > Bulletin on Digital Signatures
Bulletin on Digital Signatures
|TO:||Chief Executive Officers of All FDIC Insured Banks|
|SUBJECT:||Digital Signature Deployment Issues|
The future is increasingly pointing to the use of digital documents and digital signatures. The speed with which a bank adopts new technology is not as important as the quality of the solution that a bank adopts. Banks should thoughtfully consider the attributes of a new or augmented information system to be certain it will interoperate with their existing systems, and the solution vendor is capable of withstanding a changing marketplace.
The growth of e-commerce and the recent enactment of the Electronic Signatures in Global and National Commerce Act (E-Sign Act) have presented banks with a new set of technology-related issues to consider. The E-Sign Act provides for the legal validity of "electronic signatures"1 on such documents as checks, loan applications and contracts. The term "electronic signature" encompasses a number of different technologies, including "digital signature" technology.
Digital signature technology is the electronic equivalent of a written signature on written documents. The e-commerce marketplace is generally focusing on digital signatures2 as an essential component. This is, in large part, due to digital signatures addressing the issues of authentication, non-repudiation and message integrity.
Forecasted growth of online lending alone indicates that e-commerce and digital signatures are an area that many banks may explore. However, due to the complexities of digital signature technology, it is imperative that banks research the area and engage in careful planning before deployment.
This technology bulletin is informational in nature and outlines four of the most critical issues for financial institutions to consider when deploying digital signature technology
Banks considering deploying these technologies should exercise caution in selecting a vendor and adopting its solutions.
A number of new vendors have emerged as a result of the increased demand for digital signature technology. Unfortunately, a given vendor may be marketing a proprietary solution that may not be compatible with the bank's other systems. Interoperability, now and in the future, should be a primary consideration.
The lack of interoperability and too few standards may result in ultimate failure of the system purchased. According to the consulting firm GartnerGroup, "…30% to 40% of public key infrastructure deployments will fail within two years of launching because they fail to demonstrate value." This means banks that engage certificate authority (CA)3 start-up organizations may find themselves using digital signatures that are unverifiable4 or information systems that have no technical support. While standards and best-use policies5 are being developed and integrated into information system products, banks should perform a thorough due diligence on any vendor marketing a digital signature solution.
Implementing the use of digital signatures requires adopting a new or augmented set of technologies, services and bank policies.
When a bank decides to implement digital signatures, the bank must also implement digital documents6 and the associated requirements for, among other things, document management, storage, access security, periodic hardware upgrades, and disaster recovery facilities. Further, the implementing bank could incur additional expenses as a result of the need for more staff in the form of new technology-management positions.
If digital documents are used, customers will need reasonable access to those documents. Additionally, if a bank chooses to implement remote access to digital documents, the bank may need to establish a secure information area that allows customers access.
A bank can operate a CA service for its customers. However, becoming a CA may require different technical skills and may impose liabilities.
There are advantages and disadvantages associated with a bank becoming a CA (see box). A thoughtful review of these items should be included in a bank's decision-making effort.
Operating a CA requires additional facilities for hardware, specific operational policies and procedures, disaster recovery systems, and diligent attention to security for managing revocation lists and monitoring for unauthorized access.
Liability could arise from a variety of scenarios. For example, consider a bank customer using a bank-issued digital certificate to authenticate a digital signature for contracts or other digital documents that are external7 to the bank. If the bank's CA service issues incorrect certificate types or revokes a certificate erroneously and a customer is unable to use its digital signature, legal exposure could result.
Hardware and software in support of digital signatures and digital documents will become obsolete and require replacement. Conversion of the digital signature and digital document to newer, more capable platforms will likely result in some loss of data.
Hardware and software will inevitably become obsolete. The usable life of computer hardware is approximately three to five years. The functional life of software is shorter, often only six months to a year. If a bank does not upgrade and replace older equipment, the bank could operate at a disadvantage.
Questions or comments regarding the contents of this bulletin should be directed to the Bank Technology Group by email: firstname.lastname@example.org.
Christie A. Sciacca
Director, Bank Technology Group
1In the E-Sign Act, the term "electronic signature" is defined broadly as follows: "The term 'electronic signature' means an electronic sound, symbol, or process attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record." Section 106(5).
2A digital signature is a unique sequence of data that is split into two parts that together form a complete encryption key. One part is publicly shared and the other part is kept private - known only by the owner.
3A certificate authority is an organization responsible for issuing and verifying digital certificates used, in part, for digital signatures.
4An unverifiable certificate is a certificate whose issuer cannot be verified - a fictitious certificate.
5Best-use policies are those policies adopted by the industry to cope with real or perceived shortcomings in a technology or hardware/software product.
6Digital documents are those documents that exist in electronic form and not on paper. Digitally signed documents are digital documents. The document cannot be separated from the digital signature.
7External transactions are those transactions to which the bank is not a party.
|Last Updated email@example.com|