When the U.S. electronic signature law took effect a year ago, supporters anticipated a new burst of e-commerce momentum.
By Jeffrey Kutler
October 2001
Institutional Investor Magazine
The law gave online transactions and documents the same legal validity as those executed on paper, and that should have been a boon to the e-signature technology designed to make those communications secure from interception or tampering.
Those expectations have since gone the way of other Internet-generated excitement. The tepid response has nearly bankrupted one vendor of digital certification technology, Dublin-based Baltimore Technologies. Plano, Texas-based competitor Entrust, its stock price having plummeted from $130 to $4 over the past 19 months, has been scrambling to restructure.
The U.S. financial services industry has indeed been more deliberate with e-signatures than its support of the 2000 legislation suggested. Still, it’s not a total bust.
“How important are e-signatures? It depends on your point of view,” says Virginia Gobats, the resident expert on the subject at Andover, Massachusetts-based consulting firm NewRiver, which advises major banks, brokerages and asset management firms.
Gobats notes, for example, that several million individual investors have granted the legally required “informed consent” to receive prospectuses and other disclosures electronically, typically by e-mail. Those clients had to provide a valid proof of identity, that is, a signature. Usually, that was no more complicated than providing personal identification numbers and passwords - an elementary approach to security, but within the bounds of the Electronic Signatures in Global and National Commerce Act.
Firms such as American Century Investments, E*Trade Group, Invesco Funds Group and Wells Fargo & Co. have opted for PIN-password simplicity to open accounts, deliver statements and validate other online interactions in compliance with the law. “They have decided that PINs and passwords are enough to know who their customers are,” says Gobats.
That amounts to a setback for higher-grade authentication technologies like those marketed by Baltimore Technologies and Entrust. Known as PKIs, or public key encryption infrastructures, these systems put an added layer of security - a digital code, or certificate, possessed by the client - on top of a memorized password. Because the certificates have to be actively managed, monitored and at times revoked, PKIs have proved too unwieldy for mass-market rollouts. They show more promise for wholesale banking or business-to-business commerce, where more dollars may be at risk - yet even there acceptance is limited.
“If you’re a bank managing peer-to-peer relationships, which are mostly B2B today, you don’t need digital certificates [to validate identities],” says Stijn Bijnens, CEO of Ubizen, a Leuven, Belgium-based provider of data security systems to major banks. “That might change by 2003 or 2004, and we’ll be ready.”
Hopes for widespread PKI use spring eternal; many bankers pin theirs on Identrus, a global, 51-bank consortium focused on B2B. June Felix, CEO of New York-based CertCo, a technology ally of Identrus, sees it as an eventual catalyst for business-to-consumer security as well. “We see some banks taking digital signing into the high-net-worth franchise. The key is to make it simple,” says Felix.
Adds James Smith, senior vice president of consumer Internet services at San Francisco-based Wells Fargo: “Large companies will be more ready for this than the average customer. We’re at early stages, and we still need a lot of customer education and infrastructure in place.”
David Ryan, CEO of Vordel, an Irish data security vendor, perceives growing international demand for e-signatures - initially institutional, which implies PKI. “A balance has to be struck between security and ease of use. And security is definitely a problem,” says Ryan.
In view of the World Trade Center tragedy, nobody’s arguing. But are they buying?
