Digital document ~~security~~ insecurity
Following on from my outline of the problem of digital document insecurity, I’m exploring how we can all improve this so we’re protecting clients and not unwittingly propagating fraud.
Tuesday, April 16th 2024, 8:25AM
by Jon-Paul Hale
The challenge until recently has been finding good, easily accessible tools that provide security for the digital signing process. Today, I think most of these have come of age, but the providers have yet to catch up.
We need a coherent industry approach to digital sign-off, which is made somewhat more challenging with AIA, Southern Cross and others not needing signatures for applications as they have done in the past.
This lack of signatures makes changing things later in the contract life harder to do because ID signatures don't match the current signatures the clients are using. I had one client where I provided eight different documents with eight different signatures to prove their signature changes every single time!
On the subject of industry communication so far, Partners Life clearly states the digital providers they accept, AIA states the process around this, and Asteron Life has also got something in this space. None of them is a complete and coherent approach to this issue.
What I have seen, and also been told by other advisers, is that even with this limited communication on digital systems, the provider staff often get it wrong and either kick stuff back that the provider defines as acceptable, or worse, they accept stuff that clearly should not be.
I recently reached out to all providers on this subject, with copies of what we do have to date, asking for clarity around this so that we have a better framework to work in and improve our protection of client contracts because it's a bloody mess!
The response so far, from the few I have talked to since, is that the providers' approach is to balk and look at this as them developing internal systems for digital engagement. Nope, that's not what this is about.
We will have direct digital engagement systems from providers; many already have these facilities.
This subject is about how paper-based processes made digital are to be handled because paper-based processes are not going away and presently are not secure enough.
However, the digital signing systems we have, while pretty robust, still have flaws.
The big one is who can access and control a client's email account.
The next one, how do you get two, or more, people to sign when they share an email account?
That second one, you don't. At the same time, this is an issue for those over age 55 where they don't have work email addresses and only have a "home" email address. They're still sharing a Facebook account too!
After sitting across this area for nearly 30 years, the external digital systems are excellent. Still, they all have the above fundamental flaw on account control. In the same way that my commercial manager had with fax authority, there's a connection to the signer issue in the process.
Let's be clear here: The issues discovered over the years have not been significant. If they were, providers would have moved much sooner on this subject. At the same time, we have likely missed thousands of examples where these issues were not picked up, and this becomes an issue of perception rather than volume to act upon.
What is the solution?
There are a few.
* 2Shakes out of Wellington has a biometric identification tool that uses a webcam to compare the client's biometrics against the DIA passport database. It is only effective for NZ passports; the client must have one.
* Other digital signing providers have similar options.
* RealMe, where the RealMe system is integrated into signing systems. RealMe is a government digital ID that is verified with a photo ID at a post shop.
  * But it still suffers from the flaw of passwords being shared. ACC's use of this for their online system has resulted in accounting firms sharing the principal's RealMe account details around the office!
* One-time email/links sent to mobile devices, where the number and person have been verified as connected and secure. This is an external third-party connection. This needs more work as this is managed at the adviser level, and the provider needs to have faith in the adviser business to get this right.
The recent ComCom draft report released about financial services highlights the challenges of digital documentation and ID verification as a barrier to accessing financial services, so this subject is on legislators' minds.
The fundamental issue in play, as it has been from the 1990s, is the integrity of the resulting signature.
* Was it signed by the person?
* Do we know it wasn't a drag-and-drop by someone else?
* Do we know that the email account was secure and no one else had access?
Digital systems from providers will play a part in managing this in the future; at the same time, they will also have the same "who's doing what?" issues that I have outlined here.
As advisers, we are the gatekeepers on what happens and how this is managed with our clients.
Providers need to define their operating parameters and processes better so we can be as effective in this as possible.
Providers also need to train staff on these processes so that we don't end up with a back-and-forth issue of what is or is not acceptable.
And providers need to stop accepting italicised signed documents just because they came from the email address they think the client has, because that process has zero security or integrity.
Clearly, this is an issue for all professions across the spectrum. At the same time, financial services need to lead this to ensure the integrity of the market and market confidence.
Maybe this is an FMA issue to tackle?
One thing is clear: adviser firms aren't the ones making the decisions around this, but we will have to work within any resulting framework, and that means we need to make ourselves heard so we have a workable solution for everyone.