by Chuck Salvia, Computer Information Development (CID)
Currently, a hard-copy wet signature is required by the IRS to process a 4506T Income Tax Return Verification to check an applicant’s income history. Beginning January 7, 2013, use of E-Signature technology will be available for the betterment of the service.
The E-SIGN Act (Electronic Signature in National and Global Commerce Act, Public Law 106-229 June 30, 2000), passed by the U.S. Congress to facilitate the use of electronic records and signatures in interstate and foreign commerce, allows electronic contracts and the use of electronic records relating to such agreements.
E-SIGN provides uniform national standards for the use of electronic signatures. The most promising e-signature technology comes in the form of “digital signatures,” which use public key cryptography: a unique “private key” for the user, which encrypts the information, and a corresponding “public key” which unlocks the information and verifies the user’s identity. Other currently popular types of e-signatures include click-wrap signatures (i.e., an “I accept” button on a website), passwords, and biometric signatures (i.e., voice prints and fingerprints).
The E-SIGN Act states the following:
1) Applies to all transactions if the consumer affirmatively consents to the use of electronic procedures
(Unless the transaction is specifically excluded under the terms of the act itself)
2) Permits the use of an electronic signature in any transaction if both parties consent to the usage
3) Dictates that any document in electronic form or executed with an electronic signature is fully enforceable
4) Sets forth electronic record retention requirements
5) Provides that electronic records are fully admissible in any legal proceeding
E-SIGN Act Requirements which the IRS proposes to implement
1) The signature must be under the sole control of the individual. Password based signatures should be used in conjunction with PKI, signature stamps, electronic seals as well as simple click-wrap.
2) The signature must be verifiable in real time using complex algorithms or through forensic analysis of the signature dynamics or measurements.
3) The signature must be unique to the individual regardless of whether it is a physical measurement like a fingerprint or virtual measurement like the click of a mouse.
4) The signature must establish the individual’s intent to be bound to the transaction and must be fully aware of the purpose for which the signature is being provided, regardless of underlying technology.
5) The signature must be applied in a tamper-evident manner. Industry standard encryption must be used to protect the users’ signatures and the integrity of the documents to which they are affixed.
Participant/Authorized Companies Must Follow IRS Framework for E-Signature Requirements
1) Authentication: Participant/Authorized Company must validate that the signer is who they say they are and that the document has made it into the correct hands. The most common form of authentication is “Two Factor,” referring to something the signer has (i.e., emailed successfully into their in-box) and something the signer knows (e.g., a pass code). Other common authentication options include: Knowledge Based Authentication (KBA) where the signer is presented with multiple choice questions and Single Sign-On (SSO) where “keys” or credentials are passed along from another website.
2) Consent: Authorized Company (Participant) must get consent from signer to receive and sign documents electronically prior to moving forward with the viewing and signing ceremony. This is typically done with a one page consent form presented to the signer after authentication and prior to gathering signatures. Signer must either accept or reject the consent.
3) Electronic Signature: Must be an electronic symbol logically associated with a record and executed or adopted by a person with the intent to sign the record. IRS will require an electronic signature in order to validate the name(s) against the name(s) listed on either the Form 4506-T.
4) Tamper Proof Seal: After the electronic signature is collected, the document must be made tamper proof to ensure its validity.
5) Non-Repudiation: An audit log of the entire electronic signing ceremony must accompany the document for future use as needed for non-repudiation. Data in the log should include: date and time of creation, IP address of the signer, document lifecycle notifications, result of authentication, result of consent, and result of each electronic signature in the document.
6) Retention of Documentation by Participant/Authorized Company: All audit log information as well as the associated Form 4506-T must be retained by the participant Authorized Company for a period of 2 years.
By allowing the use e-signature, the IRS has simplified 4506T income verification for all Credit Union purposes, including Mortgage, other Lending transactions, and in the HR hiring process.
Now Credit Unions have a one-two punch to mitigate fraud and identity theft with two superior governmental services to protect the vital business interests of their institution. The counterpart to the IRS Income Tax Return Verification 4506T, is the SSA Consent Based SSN Verification (CBSV) service. Used together, Credit Unions have the preeminent personal identifier validation methodologies in place to reduce loan losses, net charge-offs, and unauthorized applicants.