The truth about digital signatures

3012413440_14f4b4068b_o

Digital signatures have been around for almost 20 years, yet there’s still confusion about their use in the accounting industry. 

If there’s something more shrouded in mystery in the accounting profession than the legality of digital signatures, we’d need Shaggy and Scooby and the gang on the case.

Time and time again I hear of accountants and bookkeepers unwilling to accept digital signatures from clients. And you know what? I can’t say I blame them. There’s a distinct lack of clarity around digital signatures that is hindering the industry from adopting this efficient, time-saving innovation. It’s a technology that sits at the heart of a connected practice.

Let’s see if we can break down some of the mystery surrounding the legality and use of digital signatures.

What are the rules around digital signatures?

Legislation (specifically the Electronic Transactions Act 1999) says this about electronic transactions in its objective:

The object of this Act is to provide a regulatory framework that:

(a) Recognises the importance of the information economy to the future economic and social prosperity of Australia; and

(b) Facilitates the use of electronic transactions; and

(c) Promotes business and community confidence in the use of electronic transactions; and

(d) Enables business and the community to use electronic communications in their dealings with government.

SOURCE: Electronic Transactions Act 1999, Part 1 – Introduction, 3 Object, printed page 1

So we’re agreed that the Act is doing its darnedest to enable electronic transactions.

Let’s get to the simplified outline of what the Act says:

4) Simplified outline

The following is a simplified outline of this Act:

For the purposes of a law of the Commonwealth, a transaction is not invalid because it took place by means of one or more electronic communications.

The following requirements imposed under a law of the Commonwealth can be met in electronic form:

(a) A requirement to give information in writing;

(b) A requirement to provide a signature;

(c) A requirement to produce a document;

(d) A requirement to record information;

(e) A requirement to retain a document.

SOURCE: Electronic Transactions Act 1999, Part 1 – Introduction, 4 Simplified Outline, printed page 1

To me, that says we’re good to go with digital signatures as far as the Federal Government’s Electronic Transactions Act 1999 is concerned.

The ATO’s stance on digital signatures

The ATO’s website mirrors the Act. Specifically, here’s the clearest sign of the ATO approving digital signature usage:

How does my client sign an electronic declaration?

If your client chooses to send their declaration by email, they do not need to include their scanned signature at the end of the email. The action of sending the email and the agent accepting the information and then using that as a basis for lodging the approved form would be sufficient to satisfy the electronic signature provisions set out in section 10 of the Electronic Transactions Act 1999 (ETA).

SOURCE: Client declarations – frequently asked questions and examples

And while it says “email”, the ATO has provided MYOB with an “approval” for our “Electronic Declarations”, which are included at the bottom of every Tax form that we create in any of our Tax products, including our online Tax features (such as Activity Statements, etc).

When your practice sends a Tax form to a client, that form includes an ATO-approved format of declaration. Therefore when the client reviews the form via MYOB Portal, it inherently includes the Electronic Declaration as part of the electronically transmitted document, and then the digital signature technology includes “certificates” and “encrypted security features” that prove the electronic transmission is a true representation of the actual document that the client reviewed.

When the client clicks “Approve” on their mobile phone, they are “signing” the declaration that is part of the form and it states “…this information is true and correct and I authorise accountant X to lodge on my behalf”…

Here’s a specific example from MYOB Portal:

screen-cap

screen-cap

So there you go.

ASIC’s stance on digital signatures

There’s loads of confusion about ASIC’s stance on digital signatures, but a quick look at their Electronic Lodgment Protocol reveals that the list of documents that are eligible for submission with digital signatures is extensive – see below.

But first, let’s take a look at what ASIC has to say about their acceptance of digital signatures in their Australian Securities and Investments Commission Electronic Lodgement Protocol (“ELP”):

Electronic signatures and levels of electronic signature

  1. A Document is a form, and, if required, includes any statutory report or attachment required to be lodged with ASIC pursuant to:
    1. the Act, or
    2. the Credit Act
  1. ASIC has determined the following electronic signatures as acceptable for electronic transactions through the delivery modes set out in Table 1 of Schedule 1:
    1. Level 1 – A Digital Signature based on public/private key encryption or AUSkey (depending whether the Document lodged is lodged under Item 1 or Item 2 of Part A of Schedule 1); or
    2. Level 2 – A Personal Identifier will be accepted:
      1. Where it is self-selected and accepted by ASIC, if the particular service provided by ASIC allows for this procedure; or
      2. If it is provided by ASIC.
  1. A person using a Digital Signature to sign a Document must use that method of electronic signature to lodge electronically any type of Document with ASIC as set out in Items 1 or 2 of Part A of Schedule 1.

 Etc.

SOURCE: Australian Securities and Investments Commission Electronic Lodgement Protocol (“ELP”), printed page 5

Aha! “A Digital Signature based on public/private key encryption”. That covers technologies such as MYOB Portal.

In fact ASIC’s business rationale for the use of digital signatures (in the epically titled EDGE Electronic Lodgement System Digital Signature Specification document) says:

To provide an appropriate level of authentication for electronically lodged documents, ASIC will utilise digital signatures generated using the private key associated with an X.509 certificate issued by an approved certification authority.

Digital signatures will be mandated for certain company registration messages.

Digital signatures may optionally be used on other documents, provided that the signatory possesses a suitable X.509 certificate and the agents trading agreement authorises its use.

OK. So let’s take a look at the documents referred to earlier:

Schedule 1 – Documents

Document is original Document duly signed by approved form of electronic signature Document is “copy” of original Document retained by User or agent of user.
Internet(TCP/IP) electronic signature mandatory electronic signature optional
Internet(ASIC website browser) electronic signature mandatory electronic signature optional

PART A

Documents that may be lodged requiring a Digital Signature as an electronic signature

Item 1 – Documents lodged via Electronic Company Registration (ECR)

Column 1 Column 2 Column 3
Form No Form Description Direct fee payment options available
201 Application for registration as an Australian company Direct debit / Direct credit
410 Application for reservation of a name Direct debit / Direct credit

Item 2 – Documents lodged via SBR enabled software

Column 1 Column 2 Column 3
Form No Form Description Direct fee payment options available
388 Copy of financial statements and reports None
7051 Notification of half yearly reports None
405 Statement to verify financial statements of a foreign company None
406 Annual return of a foreign company None
FS70 Australian financial services profit and loss statement and balance sheet None
FS71 Australian financial services audit report None

And on and on it goes. Start at printed page 23 and move down the full list of approved documents.

Australian Securities and Investments Commission Electronic Lodgement Protocol (“ELP”)

So what’s the problem with digital signatures, then?

Perhaps it’s time to get the legal point of view here.

In 2015, Brisbane law firm HopgoodGanim published its take on the legality of digital signatures. To summarise, the key points are (and I quote):

  • According to Australian and international law, electronic signatures are a valid way of executing agreements.
  • Difficulties with electronic signatures arise when evidence is required confirming the identity of the signor and their intention to be bound by the content of contract.
  • Digital signature tools which incorporate technically accepted identity verification and authentication methods (such as public key cryptography) can mitigate these risks. However there are still important issues to consider.

SOURCE: HG IP&IT Alert: Electronic signatures and their legal validity in Australia – 13 July 2015

Those “important points to consider” are around the integrity of the digital signature product. Specifically, they note:

Because of the rapid nature of technological advance, there is no guarantee that a product that reflects the law currently will still do so in a year’s time. Therefore, a product that is constantly updated to reflect this progress is desirable.

From MYOB’s perspective, MYOB Portal is constantly updated to refine its features, improve its workflow and, importantly, ensure its compatibility with industry body requirements.

An industry view

An example of an industry body getting on the front foot of the digital signature debate is the Institute of Certified Bookkeepers.

I caught up with Executive Director Matthew Addison for the ICB’s view on the legality and use of digital signatures. Matthew’s position is that the adoption of digital signatures is an essential tool for bookkeepers and clients alike. He points out that it is Government policy that electronic transactions are to be considered valid, leading to entities such as Fair Work and the ATO considering digital signatures as valid.

The ICB has produced a number of valuable member resources concerning the topic, including the following guide for members reproduced by permission from the Institute of Certified Bookkeepers:

Obtaining digital signatures from your businesses

The document outlines the ICB’s stance on digital signatures as well as providing a suggested course of action for the workflow.

Parting thoughts

Perhaps the biggest obstacle to widespread adoption (and bear in mind that digital signatures have been a thing for almost two decades already) is the fact that, as far as I’m aware, the use of digital signatures hasn’t been tested in a court of law. So there’s been no challenge to the legality of the Act in the 16-odd years since its passing as law.

Perhaps we need to introduce a system whereby approved solutions are listed so that accountants, bookkeepers and their clients are assured they’re using an approved method of digital form submission.

Would it be so difficult for the Government to test the validity of the various portals and solutions available in the today’s marketplace? It would allow the industry to move on to the next innovation quickly and confidently. After all, the ATO is dead keen to remove red tape. Providing more clarity on this topic would help.

In the meantime, thousands and thousands of documents have been digitally signed via MYOB Portal without a hitch. And by no hitches I mean nothing’s been returned with a note saying, “Sorry, we don’t accept your kind around here.”

What do you think? Have you embraced the technology or are you holding back? Why?

  • http://www.robertsonhyetts.com.au/ Robert Jennings

    Thanks for putting this article together Alistair. What a mine field! The paperless offices of the near future digital signatures will be the only way to go

    • Alistair Nestor

      Thanks, Robert. It’s one of those roadblocks on the journey we need to work out to ensure we’re moving ahead. I’m sure there’ll be a tipping point soon, where adoption is widespread and we can start enjoying the time savings and convenience – and paperlessness!

  • http://www.cpasmsfauditor.com.au/ Robert Lopez

    You mention the lack of Australian case law when it comes to electronic signatures (ES). It is my understanding that Getup Ltd (Getup) v Electoral Commissioner (2010) is a substantive case on the issue of ES in Australia. I could not agree more in that a lot of accountants, bookkeepers and auditors are reluctant to use ES. For anyone interested in ES I suggest you read Electronic Signatures for B2B Contracts: Evidence from Australia by Dr Aashish Srivastava. Professor Srivastava is a senior lecturer in the Department of Business Law and Taxation at Monash University. His research covers a lot of ground but one key finding he does make is that a lot of professionals presume that ES are not valid because they think they should know what a valid signature is. Most professionals, after all, have been signing documents all their life so it is not surprising they assume they are well informed and know their stuff. In reality, however, many of these professionals have a very poor understanding of the law surrounding ES and as a result refuse to accept them despite the fact that they are perfectly legal and validly applied. There are all sorts of reasons for this but lack of time to read up on and research how ES can be used is a major and understandable factor.

    • Alistair Nestor

      I noticed you mention that book in the Connected Practice LinkedIn group, Robert. Thank you so much for that heads up, as I wasn’t aware of it. Nor the court case. That book would’ve helped immensely with this post’s research, I’m sure.

      What led you to that book, Robert? Was it inquisitiveness to find the answer on signatures? Are you now accepting signatures as a result of your research?

      • http://www.cpasmsfauditor.com.au/ Robert Lopez

        I work in a paperless accounting practice where everything is done electronically; 95% of our compliance work is completed without a single piece of paper being used, printed or created. The productivity that goes with being paperless is really something. Our server is indexed every week so it can be searched like you would use Google. How many times do you hear that accountants should check the trust deed of their clients when doing tax etc? Most find it difficult to do but in our office all you have to do is throw the name of the trust and a few key phrases and 9 times out of 10 the client deed you want will pop up in seconds. You then enter some key words to search the deed for the clause you want; tag that clause with a comment as to why it clears or stops you doing what you want to do etc and move on to the next step in the job. Because everything is paperless the fastest way to do things is apply an electronic or digital signature when we want to sign any outgoing document. Likewise we like our clients using e-signatures for the same reason. Over the past few years we have had more than a few accountants, auditors etc rejecting our e-signatures. To deal with this we did some homework on e-signatures and produced summaries with hyperlinks to online research notes. We then pass these on when someone questions our use of an e-signature. This does help as some people will read, do their own home work and accept the e-signature as valid. The worst culprits are banks – they have some really stupid protocols. Try this one for size – a bank wants you to email them a certified copy of a client trust deed. You tell the bank the deed has been digitised and can you affix a digital signature to the scan and in so doing deliver to the bank an encrypted, hash tagged copy of the trust deed which will give them a traceable signature to my tax agent and CPA registration numbers to support my statement about the validity of the deed. Far too risky says the bank, we know what we are doing, print out the deed. Once it is printed apply a manuscript signature and then scan the deed back into your computer and email it to us. What a joke – the acceptance of e-signatures has a long way to go.

  • http://www.DigitalFirst.com/ Sholto Macpherson

    Hey Alistair – great question, great answer! I like your thinking. How can we encourage greater acceptance of digital signatures by the broader community?
    Off the top of my head, some suggestions.

    1. Start locally. Pick a digital signatures app for your own business. It’s cheaper for me to email a PDF and get them to print, sign, scan, email (cost to me: Free) than to pay a monthly rental to an e-sig app. I need to bite the bullet and practise what I preach. It’s hard to pick an app though, I’ve already tried. Does MYOB only use e-sigs for its own contracts?

    2. Swing the stick internally. Insist on e-signatures for your own stuff. Don’t send out anything that requires a wet signature. Enforce it in your organisation. Easy for me! What would it take for MYOB to do the same? Does it use e-sigs for all software agreements?

    3. … and swing a carrot to suppliers. I wonder whether you could incentivise suppliers to send agreements and contracts via e-sig? Some you could probably insist. I guess if you put your foot down and insist that e-sigs are more secure than wet sigs – which is arguable, given GPS and smartphone tracking – you could refuse to sign anything that wasn’t an e-sig. Would be an interesting move, eh? Done the right way it would definitely publicise e-sigs!

    • Alistair Nestor

      Sorry it’s taken a while to get back to you, Sholto. The reason for my tardiness is that you’ve inspired me to take a look at exactly how MYOB treats digital signatures ourselves. After all, it’s no good me wondering why the industry hasn’t adopted digital signatures en masse if MYOB itself can’t adopt them.

      I’m pleased to report that the previous 24 hours’ worth of research has revealed we ARE accepting digital signatures – at least in the areas I investigated (SME and Practice Solutions sales).

      I’ll be transparent with you – my lofty intention with this post was to attract the attention of those entities that haven’t perhaps provided concrete clarification on their digital signatures stance. The input from you and Robert’s Lopez and Jennings below goes a long way to making that a possibility. Thank you for your thoughts.

      • http://www.DigitalFirst.com/ Sholto Macpherson

        That’s good to know, thanks Alistair.