Capital Markets Insights

Canada’s Guide to ESignatures - 12 Must Knows for Investment Firms

Digital transformation is rapidly changing the way the investment industry does business and interfaces with their customers. Among the highest priorities for leading firms is the adoption of electronic or digital signatures rather than “wet” signatures. By introducing electronic signatures, the firm can move away from manual and paper-based, ad hoc processes that are plagued with deficiencies, compliance risks, and frustrations by all those involved.

Ensuring compliance with a change to electronic signatures is critical and in Canada there are two different areas of guidance that must be adhered to, particularly for IIROC members: 

  A) Legal Requirements - Provincial and national legislation, including the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Uniform Electronic Commerce Act (UECA).
  B) Industry Requirements - Guidance from the Investment Industry Regulatory Organization of Canada (IIROC).

The purpose of this overview is to provide an understanding of the requirements and always consult your legal counsel for clarity and confirmation.

Part 1 - E-Signatures Legal Requirements

Electronic Signature Legislation

The Uniform Electronic Commerce Act (UECA) was adopted by the Uniform Law Conference of Canada in 1999, and subsequently enacted (with some modifications) in every province but Quebec, which has its own legislation permitting electronic signatures, and in the Nunavut and Yukon territories. The main principle of the UECA, and of Quebec’s Act to Establish a Legal Framework for Information Technology, CQLR c C-1.1, is “functional equivalence,” establishing that electronic signatures and documents have the same legal weight as their paper equivalents.

At the federal level, the Canadian Parliament included provisions permitting electronic signatures in the Personal Information Protection and Electronic Documents Act (PIPEDA), enacted in 2000.

Electronic Evidence

Electronic documents may be admitted as evidence in Canadian legal proceedings, subject to the applicable rules of evidence. A Uniform Electronic Evidence Act was promulgated in 1998, and was the basis for amendments to the Canadian Evidence Act and to the provincial evidence acts in a majority of the provinces.

There is no restriction on Canadian companies using cloud solutions that are based in the United States. PIPEDA makes it clear that organizations that are otherwise compliant with the law may freely move personal information across the border if it makes business sense to do so. Canadian companies, including financial institutions, may transfer data to the U.S. without obtaining any additional consent from customers, so long as they provide notice to customers about their information practices, and keep the information secure. 

PIPEDA requires Canadian organizations to use appropriate security safeguards with respect to customer information.

Personal Information Protection and Electronic Documents Act (PIPEDA)

The requirements for an electronic signature according to PIPEDA are as follows:

  1. Unique and Distinctive
    The ideal way to achieve this is to let investors create their signature in one of two ways: either the investor draws their signature on a signature pad, or the signer chooses the style in which their name will be displayed. At Katipult our solution allows investors to customize the way that both their signature and initials are displayed.
  2. Created Under Signer’s Sole Discretion
    Signatures should only be created by the investor who is asked to sign the document. For example, the investor is invited to sign the document by receiving an email at their private email address. The investor is then asked to input a PIN code (optional) that was given to them by their representative at the firm through which they are making the investment. The investor is then asked to sign, and does so through an interface where they can see what they are signing and where there is a clear indication that they are signing a document.
  3. Can Confirm the Identity of the Signer
    A great way to achieve this is to require that a PIN Code be entered by the Investor before they are able to sign; a log of the entry of this PIN Code then appears on the signature certificate. 
    Screenshot from Katipult software providing verification code capability for e-signatures
  4. Protected by the Technology that can Detect any Subsequent Changes to the Document

Each document that has taken an electronic signature should have a calculated hash stored in the database for the document; the stored hash should also be available on the signature certificate for the document. The hash could be calculated as follows: sha3(investor’s ip address + investor’s user agent + investor’s name + investor’s email + time signed + signed document hash) 

Uniform Electronic Commerce Act (UECA)

The requirements for an electronic signature according to the Uniform Electronic Commerce Act are as follows:

  • Reliable for the Purpose of Identifying the Person
    Again, requiring that a PIN Code be entered by the Investor before they are able to sign; a log of the entry of this PIN Code then appears on the signature certificate. 
  • Relevant to the Agreement at the Time the Agreement was Made
    The agreement that is signed using an electronic signature should be attached to the signature certificate for the document once executed. In addition, the secure hash on the certificate is computed over, among other inputs, a hash of the signed document. This means that the hash can only be reproduced from a copy of the hashed document; in other words, an external party can validate that the attached document is the one associated with the certificate.

Part 2 - E-Signatures Financial Industry Requirements

On March 26th, 2019, the Investment Industry Regulatory Organization of Canada issued IIROC Rule Notice/Guidance Note 19-005 on E-Signatures, reaffirming its permission for investment dealers to use them. This Guidance replaced Member Regulation Notice MR0177 – Electronic Signatures, dated November 18, 2002, effective immediately.

There are a number of key areas to focus on in these notices, including the following:

  • The electronic signature workflow requires, among other things, that the capabilities of the technology guarantee non-repudiation. This entails the inability of the signer to repudiate his or her signature on or association with the document. It does not specify the digital signature technology that must be applied. 
  • Consent is required from the investor prior to the use of an electronic signature. While the notice does not define the method of consent, it does provide for implied consent. It generally states that consent may be inferred from a person’s conduct if there are reasonable grounds to believe that the consent is genuine and is relevant to the information or document. 
  • Electronic signatures do not have to look like a “physical” signature in order to be valid and binding. For example, the signature can be a code, sound or symbol of any kind and could be part of or separate from the document it signs, as long as the association with the document is clear. 
  • There are no restrictions or limitations on the use of electronic signatures in relation to the formation or operation of electronic contracts; as long as the association of the electronic signature with the person and the document is established and the intent to sign is demonstrated, an electronic signature will be valid. 

The requirements for an electronic signature according to the two IIROC notices are as follows:

  • A document or information in electronic form must be accessible by the other person so as to be usable for subsequent reference
  • A document or information in electronic form must be capable of being retained by the other person
  • A document or information in electronic form must be organized in the same or substantially the same way as the specific non-electronic form 
  • The electronic signature is reliable for the purpose of identifying the person
  • The association of the electronic signature with the relevant electronic document is reliable. 
  • The member firm must obtain a reliable legal opinion that confirms the system satisfies the requirements

Members are also reminded of MR Notice 008 Guidelines for the Electronic Delivery of Documents, issued on February 15, 2000. Members are advised to refer to that Notice in conjunction with the implementation of the use of electronic signatures. 

IIROC E-Signatures Requirements

  • A document or information in electronic form must be accessible by the other person so as to be usable for subsequent reference
    Investors need to be emailed a link to their signed document once the document has been completed by all parties. The link in their email is a secure link which when accessed allows the investor to download a copy of their signed document. 
  • A document or information in electronic form must be capable of being retained by the other person
    Again, Investors are emailed a link to their signed document once the document has been completed by all parties. The link in their email allows them to download and retain a copy of the document that was signed.
  • A document or information in electronic form must be organized in the same or substantially the same way as the specified non-electronic form
    Documents prepared for electronic signature should be digital copies of the documents that would have been signed in non-electronic form. Digital copies means that the PDF that would have been printed for the investor to sign is instead uploaded, then prepared for text entry (or automated merging of fields) signature and initial placements, and then sent to the investor for signing.
  • The electronic signature is reliable for the purpose of identifying the person
    When the investor receives the link to sign a document, they can be first taken to a page where they must enter their PIN number. The PIN number must be provided to them only after having a phone conversation with the Investment Advisor. In this way, the Investment Advisor is ensuring, over the phone, that this person is their customer.

Screenshot from Katipult software providing verification code capability for e-signatures

  • The association of the electronic signature with the relevant electronic document is reliable

To each electronic document, after signing, a signature certificate needs to be created. The signature certificate contains a field called the “Multi-factor Digital Fingerprint Checksum”. The Multi-factor Digital Fingerprint Checksum is calculated as follows:

sha3(investor’s ip address + investor’s user agent + investor’s name + investor’s email + time signed + signed document hash)

The sha3 function is a cryptographic hash function; this means that, given a certain output of the function, it is computationally infeasible to manufacture an input that will produce that output within a reasonable time frame (thousands of years). 
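The following is an added example, not Katipult code, showing how the document hash and the Multi-factor Digital Fingerprint Checksum described here (and as PIPEDA requirement 4 in Part 1) can be computed and later verified by an external party. It uses SHA3-256 and length-prefixes each field before hashing, a design choice of this example rather than something the article specifies, so that plain string concatenation cannot make two different field sets hash identically; all sample values are constructed.

```python
import hashlib
import hmac

# Constructed sample inputs; none of these values come from a real signing session.
SAMPLE_DOCUMENT = b"%PDF-1.7 subscription agreement (constructed placeholder)"
SAMPLE_CERT_FIELDS = {
    "ip": "198.51.100.23",
    "user_agent": "Mozilla/5.0 (constructed)",
    "name": "Jane Investor",
    "email": "jane@example.com",
    "time_signed": "2019-04-01T15:04:05Z",
}

def document_hash(document: bytes) -> str:
    """SHA3-256 of the exact bytes of the signed document, as hex."""
    return hashlib.sha3_256(document).hexdigest()

def fingerprint(fields: dict, doc_hash: str) -> str:
    """Multi-factor fingerprint checksum: sha3 over the certificate fields plus the
    document hash. Each field is length-prefixed (an added design choice, not stated
    in the article) so that "ab"+"c" and "a"+"bc" cannot produce the same digest."""
    h = hashlib.sha3_256()
    for value in (fields["ip"], fields["user_agent"], fields["name"],
                  fields["email"], fields["time_signed"], doc_hash):
        encoded = value.encode("utf-8")
        h.update(len(encoded).to_bytes(4, "big"))
        h.update(encoded)
    return h.hexdigest()

def issue_certificate(fields: dict, document: bytes) -> dict:
    """Build the signature certificate stored alongside the signed document."""
    doc_hash = document_hash(document)
    return {**fields, "document_hash": doc_hash,
            "fingerprint": fingerprint(fields, doc_hash)}

def verify_certificate(cert: dict, document: bytes) -> bool:
    """External check: does this document belong to this certificate? The stored
    document hash and the recomputed fingerprint must both match. Note that this
    only detects tampering if the certificate itself is kept in trusted storage."""
    doc_hash = document_hash(document)
    if not hmac.compare_digest(doc_hash, cert["document_hash"]):
        return False
    return hmac.compare_digest(fingerprint(cert, doc_hash), cert["fingerprint"])

def demo() -> tuple:
    """Returns (original verifies, tampered copy verifies)."""
    cert = issue_certificate(SAMPLE_CERT_FIELDS, SAMPLE_DOCUMENT)
    tampered = SAMPLE_DOCUMENT.replace(b"agreement", b"Agreement")
    return verify_certificate(cert, SAMPLE_DOCUMENT), verify_certificate(cert, tampered)

if __name__ == "__main__":
    print(demo())  # (True, False)
```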


  • The member firm must obtain a reliable legal opinion that confirms the system satisfies the requirements
    Firms will require Members to obtain a reliable legal opinion that confirms that the Member’s digital signature technology and system satisfies the legislative requirements in the jurisdictions in which it is intended to be applied. A Member may supply its own legal opinion or one from a certification authority.
