In the previous blogs we have explored the history of e-Signatures, how they work, and their legal standing. The focus of this blog is to understand the trends behind the recent widespread uptake of e-Signing – after years of relatively little use despite the fact that the supporting technology and first legal directives date back to the early 2000s. What is different now is that the requirements for the adoption of e-Signing are all coming together through greater accessibility, use cases, and a profound business need to fully digitalise processes. This combination is bringing us to the frontline of the e-Signing revolution.
At Deloitte we see four trends as core enablers, driving e-Signature capabilities in the next decade: the next wave in digitisation, access to verified digital identities, a growing risk-based approach towards Advanced e-Signatures (AES), and greater solution maturity.
- Fully digital processes require end-to-end solutions
Most articles on e-Signature trends revolve around technological or legal advancements. While they are important enablers, the key driver for progress is a real need from businesses and their users. Customers’ digital expectations have risen with the rapid adoption of new technology, a trend further accelerated by the COVID-19 pandemic. Customers now expect to be able to complete most processes digitally. In banking, for example, if prospects can initiate the process of opening an account online but still have to sign papers and confirm their identity at a branch, the process will be considered by many to be an offline experience and will not meet their digital expectations.
This push for digitalisation of processes by organisations has in turn driven the development of supporting capabilities, many of which are technology-enabled. This includes the e-Signing capability, the focus of this blog series, but also many more, one example being auto-identification, often used in combination with e-Signing. Auto-identification solutions effectively allow a client or prospect to identify him or herself autonomously through the use of different technologies (e.g. digital identities, biometric passport data extraction, facial recognition), providing cost-efficient, high-quality and secure identification services to organisations for a wide array of processes (e.g. onboarding, electronic portal login, product acquisition).
Governments, companies and other organisations are moving fast towards paperless offices and fully digital customer experiences. A good example of this is Estonia, where 99% of state services can be completed online. In the private sector, neo-banks such as Monzo, N26 and Revolut are challenging traditional banks with their fully digital proposition, including advanced automation, e-Signing, and auto-identification capabilities.
- The rise of verified digital identity enables user-friendly remote signing
One of the most critical enablers for e-Signatures is the availability of verified digital identities which enable the identification and authentication process to be decoupled from the signing. In a previous blog, we saw that users need a “signing” certificate containing their private key. Until recently, the digital key would be stored locally, for example on smartcards, which brought obvious disadvantages. Users needed to carry issued physical smartcards with them to sign, and often needed to install expensive software to facilitate the process. e-Signing was therefore often limited to enterprise environments.
The European eIDAS regulation covers the concept of “remote” or “server-side” signing. Server-side signing relies on a Trust Service Provider (TSP) to remotely generate and manage the signing keys on the signatory’s behalf. This makes it easier for users to securely manage their own keys and, more importantly, makes the process more user-friendly by making it fully digital. A prerequisite is that the user authenticates strongly with their electronic identity. This is another challenge the eIDAS Regulation has addressed, by setting standards for electronic identity (e-ID). Today, more and more users have a trusted e-ID at their disposal. In the Nordics and in Estonia the market penetration of e-ID is well above 70%. Other examples are Belgium and Germany where citizens are issued e-Signature certificates on their national e-ID cards.
In practice this means that users can log in to online signing platforms with their trusted identity, and place an e-Signature managed by the signing provider, making for a more user-friendly, scalable, and efficient solution. In parallel, the growth of federated authentication, allowing users to log in with their preferred and accepted means (rather than a means issued by an unproven service provider), has further increased trust in the technology.
For users and established service providers it is easier to rely on proven, regulatorily compliant identities with a high level of assurance than to issue and manage identities with a lower level of assurance. Identity brokers can help connect identity providers and signing platforms, allowing them to accept as many identities as possible through a single connection. In short, e-Signatures based on strong e-IDs are a game changer for market participants.
- Growing risk-based approach towards AES drives accessible use
As we explained in our previous blog on the legal perspectives of e-Signing, there are different types of e-Signatures and acceptance is often locally determined. Qualified e-Signatures (QES) offer the highest level of protection. Strong assurance requires very secure and expensive safeguards, often implemented with strict and rigorous control systems. In practice, we find that QES is most used in countries where a strong and well-adopted e-ID solution is in place. On the other hand, QES often proves too expensive to implement in countries where no e-ID infrastructure can be leveraged. AES appears to offer a simpler and more affordable alternative, and presents a case for a risk-based approach.
In practice the authenticity of a signature is not based entirely on technological validation but is also determined by the context of the signing process and its environment. For example, a typical court reasoning would first seek to assess how probable it is that the e-Signature was added by the signatory to whom the signature was attributed (think of verified e-ID). Secondly, the court would consider whether the signing process was designed in such a way that the signatory was aware of the content he or she was signing and its potential consequences. Lastly, it would also evaluate whether a reliable time indication was used at the moment of signing, such as a time stamp. Simply put, it is the full picture that matters and there are many measures an organisation can take to increase the level of assurance.
Combining the above considerations with the accessibility, cost, and user experience advantages of AES over QES, one can understand why there is a structural shift towards AES adoption. At Deloitte we have seen a number of clients moving in this direction, often using AES in combination with (strong) remote identification. AES is often used as a pragmatic solution for contracts where there are no formal requirements. It still offers a good level of trust in the authenticity and integrity of the signature and related documents.
- Solution maturity sells itself
Solution providers leverage the above enablers to offer more competitive and comprehensive product offerings. In the next blog we will look at the ecosystem of solution providers, which is becoming more defined and mature. This includes vendors proposing Software as a Service offerings for signing, but also technology providers such as identity brokers and (managed) PKI providers.
What matters for buyers, of course, is the package e-Signature platforms offer. Increasingly, platforms offer functionalities to support the full business process, including (bulk) signing, workflows, audit trails, and archiving. An interesting development is the use of Artificial Intelligence (AI) to automatically prepare documents for signing, based on a template library. AI configures the template, chooses the right signature method for the type of document, and routes the document for signing. Vendors include DocuSign, Connective, Adobe Sign, OneSpan, Evidos, Signicat, SigningHub, Cryptomathic, among many others.