KYC CDD Checklist: All You Need For AML Compliance

01 August 2021

Once you make the decision to accept non-traditional handwritten signatures for your business documents, there is still some research to undertake. For a start, do you understand the finer points of the digital vs electronic signatures debate? This is a common problem for those who are just beginning to work with online signing and it is difficult to find a clear answer. 

This article is here to let you know the difference between the two and how you can use these signatures to save time and money. You will also learn how to create an easy-to0retrieve audit trail that ensures you remain compliant with the eIDAS Regulation and European Union law at all times. Keep reading to find out everything you need to know about digital and electronic signatures. 

What is a Digital Signature?

Neither the EU’s eIDAS Regulation nor the ESIGN Act in the US, two major pieces of legislation regarding electronic signing, make any use of the term ‘digital signature’ at all. This is due to the fact that a digital signature is not a legal term, but rather a technical one. A digital signature is the mathematical algorithm that provides the digital thumbprint to identify the signer, whereas the actual signature itself is an electronic signature. 

That being said, many people use ‘digital signature’ and ‘electronic signature’ interchangeably, which is where some of the confusion lies. 

Difference Between Digital Signatures and Electronic Signatures

The Uniform Electronic Transactions Act (UETA) in the United States refers to a digital signature as one that uses “using public key encryption technology” to be able to identify the signer. That is the equivalent of an Advanced Electronic Signature (AES) or Qualified Electronic Signature (QES) as defined in eIDAS in the EU. The real difference is geography in this case. 

The European Union Agency For Network And Information Security (ENISA) explains its definitions of the two terms when it says 

“QES are implemented by means of asymmetric cryptography. With this technology, each signatory owns a key pair made of a private and a public key (the technology is called the public key cryptography) and the so produced electronic signatures are called digital signatures.”

Essentially, when we talk about companies in European Union member states using online tools to verify documents, we should use the phrase ‘electronic signature’ as that provides the more accurate description of what we are trying to achieve. 

What are Electronic Signatures Used For?

You can use electronic signatures for different types of document, dependent on the level of security you require. Here is a guide to potential uses of Simple Electronic Signatures (SES), AES and QES.

Type of Signature	Possible Uses
SES – Any form of electronic mark with no need to verify the identity of the signer	Parcel delivery person’s terminal An ‘I Agree’ button on an app’s terms and conditions Typing your name at the bottom of an email
AES – Higher level of signer identification and ensuring the document can’t be changed after signing	Sending a One-Time Password (OTP)  via SMS or email to verify login.  Employment contracts Banking documents
QES – Highest form of signer identification, backed by a certificate issued by a qualified trust service provider	Large commercial agreements Major sales agreements Mortgage documents

Key Features of an Electronic Signature

The key features of an electronic signature depend on the type of signature in question. 

 

Type of Signature	Key Features
SES (Sometimes known as a Basic Electronic Signature or BES)	Any kind of digital mark to indicate acceptance. This could be a scan of a wet signature, a recreation of a handwritten signature created on a computer program, an X typed in a box, your name typed out or anything else that serves to identify you.
AES	To be seen as Advanced, the signature must have the following features:  You must be able to uniquely identify the signer through the signature and it should be linked to them The signer must be in total control over the data used in creating the signature It must be possible to identify whether anyone has changed the document following the signature. If it has been changed, the signature is invalidated.
QES	To be seen as Qualified, the signature must have all features of an Advanced signature and: It should be created using a Qualified Signature Creation Device (QSCD) The signer must be verified by a face-to-face meeting or equivalent process, such as a video call Multi-factor authentication is required to ensure its validity.

How Does it Work?

A QES works in this manner:

• A qualified trust service provider (TSP) creates a qualified digital certificate that ensures the signature can be used only by the signer. 
• The Qualified Signature Creation Device creates a private key and a public key that ensure the signature is unique to the signer and cannot be forged. 
• The signatory uses the private key to sign the document. 
• The recipient uses the public key to verify the signer’s identity. 

What is a Certificate Authority? 

TSPs are also known as certificate authorities (CA) and must be recognised and qualified by their country’s government if they want to be included on that nation’s, and the EU’s, trusted list. 

How Do You Digitally Sign a Document?

To ensure a compliant electronic signature for your documents, you should use an online digital signing solution such as Signhost by Evidos. This is how it works: 

1. The signer identifies themselves through a method such as a passport selfie or their government ID, using one of a host of identification methods approved in the EU member states.
2. When you send a document to sign, the signer must verify their identity.
3. Then, they sign the document and confirm their signature. 
4. You receive a transaction receipt to show that the signer was identified and verified, and has signed the document. 

FAQ

Does a digital signature replace a handwritten one? 

A QES has the same legal status as a handwritten signature on documents within the EU. The level of security is such that, if the signatory disputes the fact that it is their signature on the document, the burden of proof is on them to show that they did not, rather than on the party that instigated the document. 

In addition, the eIDAS Regulation states that “an electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures.” 

If both parties agree that an SES or AES will suffice for the purposes of an agreement between them, it can form an acceptable agreement. However, the issuer must consider that in a dispute they would need to prove the identity of the party who signed the document.

What makes certificate-based digital signatures so secure?

With a certificate-based digital signature like a QES, the certificate acts as a digital fingerprint to identify the signer as being the only person to have marked the document. They must verify themselves and then revalidate as they sign the document using the Public Key Infrastructure (PKI). This is why the EU bestows the same level of authority to a QES as a handwritten signature. 

Conclusion

In terms of digital vs electronic signature, it is possible to see that a digital signature is essentially the technical term for the virtual fingerprint the signer leaves when they sign the document. If you are a business looking to use online technology to improve and streamline your processes, an electronic signature describes what you require. Signhost allows you to accept electronic signatures with ease and adheres to the identification methods favoured in all major EU markets. Try out Signhost for free here. 

References and Further Reading

• E-signature compliance
• Signing methods across major markets
• EU Trusted Lists
• EU e-signature guidance
• Digital Signatures Post-COVID

---

Back to overview