Navigating Loan Doc E-Signatures Under The CARES Act

By Alan Wingfield, Troy Jenkins and Nicholas Ramos
Law360 is providing free access to its coronavirus coverage to make sure all members of the legal community have accurate information in this time of uncertainty and change. Use the form below to sign up for any of our weekly newsletters. Signing up for any of our section newsletters will opt you in to the weekly Coronavirus briefing.

Sign up for our Banking newsletter

You must correct or enter the following before you can sign up:

Select more newsletters to receive for free [+] Show less [-]

Thank You!



Law360 (May 12, 2020, 5:32 PM EDT) --
Alan Wingfield
Alan Wingfield
Troy Jenkins
Troy Jenkins
Nicholas Ramos
Nicholas Ramos
The Coronavirus Aid, Relief and Economic Security, or CARES, Act expanded the Small Business Administration's section 7(a) loan program,[1] the primary means by which the SBA provides financial assistance to small businesses, by creating the Paycheck Protection Program.

As social distancing policies and stay-at-home orders continue to prevent people from physically meeting, lenders, banks, credit unions and small business borrowers need to understand electronic signature requirements that may be necessary to take advantage of the relief offered by the CARES Act.

This article analyzes the SBA's electronic signature requirements in light of the CARES Act, focusing on the E-Sign Act,[2] SBA's standard operating procedure for the relevant loan programs,[3] and recent SBA guidance issued in light of COVID-19.

The E-Sign Act grants electronic signatures the same legal validity and enforceability as wet ink signatures. Generally, the E-Sign Act establishes three requirements to have an enforceable electronic signature: (1) an electronic signature; (2) intent to sign; and (3) logical association.

However, the E-Sign Act grants agencies (e.g., the SBA) the ability to specify additional standards. The SBA establishes four requirements to create legally enforceable, electronic loan agreements for 7(a) loans, several of which are already required by the E-Sign Act: (1) an electronic signature; (2) intent to sign; (3) logical association; and (4) identification and authentication.

If lenders create electronic loan documents to be electronically signed, then lenders must ensure that all of the aforementioned requirements are met to create a valid, and enforceable electronic loan agreement.

SBA Electronic Signature Requirements

Before analyzing the electronic signature requirements for SBA 7(a) loans, it is important to note that the SBA recently issued guidance allowing SBA 7(a) lenders to accept scanned copies of signed loan applications and other documents "where electronic signatures are not feasible."[4]

In instances where obtaining an electronic signature is not feasible, a scanned copy of the signed application and loan documents are permitted so long as the SBA lender also obtains: (1) a copy of the borrower's driver's license or other valid form of identification (front and back); and (2) a valid original signature on the applicable document within six months of the date on the note.

Failure to obtain the original signature may allow the SBA to deny liability on the guaranty. This guidance document is effective from March 24 through Sept. 30.

Electronic Signature

The E-Sign Act defines "electronic signature" as "an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record."[5] The electronic signature can be almost anything that indicates a borrower is binding itself to the electronic agreement, such as a typed name (e.g., /s/ John Doe); a scanned image of a handwritten signature; or a digital signature.

While the E-Sign Act permits a voice or audio electronic signature, the SBA will not accept an electronic signature that is solely voice or audio. This is an important distinction between the E-Sign Act and the SBA's electronic signature requirements.

Intent to Sign

The electronic signature must also evidence the borrower's intent to sign the agreement. The SBA outlines two requirements to show the signors intent: (1) clear identification of the reason for signing; and (2) clear specification that the required conduct indicates the borrower's intent to sign, illustrating concurrence with that reason.

There are several methods lenders may use to establish intent, which include: creating online dialog boxes advising borrowers they have created an electronic signature and providing them with an opportunity to confirm or cancel the signature; click-through agreements; and alerts advising borrowers that continuing a certain electronic process will result in an electronic signature.

Lenders may also create an online dialog box with a disclosure statement that appears immediately before the electronic signature that "by [insert electronic signature], I agree to be bound by the terms of the attached agreement."

Logical Association

The SBA requires lenders to ensure that (1) electronic loan documents are presented to the borrower before the borrower may electronically sign the document, and (2) that the borrower's electronic signature is attached to, or logically associated with, the signed documents.

The process of reviewing and signing the electronic loan documents should be presented in such a manner that indicates the borrower's electronic signature is connected to the entire electronic loan agreement that he or she is signing. This is typically where placement of the electronic signature is important.

Electronic loan documents must be presented to the borrower before the borrower electronically signs the document. While there may be electronic signatures throughout the electronic loan document, it is important to include the borrower's electronic signature at the end of the electronic loan agreement because, at that point, the borrower has been presented with all terms and conditions of the agreement, and the borrower is expressing his or her consent to all terms and conditions of the electronic loan agreement.

To establish logical association, lenders must ensure the electronic loan documents are properly titled and referenced. By titling the electronic loan documents, the lender is able to refer to the specific document by name in the entire package and associate the borrower's signature with the specified document. This allows the borrower to know exactly to which document the signature relates.

A lender may also consider including a clear and conspicuous disclosure statement directly above or below the space where the borrower electronically signs the documents.

The disclosure may state, "By [typing my name / typing my initials / clicking the check box, etc.] above / below, I agree that I have read and consent to be bound by the terms and conditions of this [title of electronic agreement]."

By including the disclosure directly above or below the borrower's electronic signature space in a clear and conspicuous manner, the borrower's electronic signature is "attached to or logically associated with" the electronic loan documents because the disclosure states exactly what the borrower's electronic signature represents.

Referring to the documents by title brings it full circle because it tells the borrower the name of the agreement to which the signature is associated.

Including a disclosure also provides evidence of the borrower's intent to sign the electronic loan agreement because the borrower is affirming that his or her electronic signature represents that he or she has read the agreement in its entirety, and agrees to be bound by the terms and conditions of the electronic loan agreement.

Identification and Authentication

There are several requirements that lenders must follow to identify and authenticate borrower signatures: initial establishment and verification; separate action for each signature or initial; attribution; and authentication.

Initial Establishment and Verification

Lenders are required to establish and verify a borrower's identity the first time the borrower requests credentials (i.e., an object or data structure that, when possessed or controlled by the borrower, confirms the borrower's identity) to sign a document.

The SBA requires compliance with Level 3 assurance standards in National Institute of Standards and Technology, or NIST, Special Publication 800-63-3. The NIST standards provide two bases for issuing credentials — in-person and remote. For purposes of this article, we focus on remote verification.

For remote verification, the borrower must provide a valid government ID number and a financial or utility account number. Then, a registered agent or credential service provider, or CSP, must verify the information provided by the borrower through record checks with the relevant government agency, credit bureaus, or similar databases.

A registered agent is "a trusted entity that establishes and vouches for the identity or attributes of a subscriber to a CSP." The registered agent "may be an integral part of a CSP, or it may be independent of a CSP, but it has a relationship to the CSP." A CSP is "a trusted entity that issues or registers Subscriber tokens and issues electronic credentials to subscribers."

A CSP may be an independent third party, or may issue credentials for its own use.

Separate Action for Each Signature or Initial

The SBA requires lenders to ensure signers perform a separate action in each location of an electronic loan document in which a signature or initials are required. For example, a borrower may need to check a box or physically type in his or her name in each location a signature or initialing is required.

Attribution

Attribution is the process of ensuring the identity of the individual signing on behalf of a borrower matches with his or her signature. Lenders must perform attribution in accordance with the Level 3 assurance standards described above and maintain sufficient evidence to show that the individual's electronic signature can be attributed to the person that signed the document(s).

There are multiple methods in which lenders may establish attribution, which include:

  • Assigning, or allowing selection of, an individual PIN, password or other shared secret that the borrower may use as part of the electronic signature process;

  • Delivering a credential to the borrower by a trusted third party, which is then used to allow the borrower to electronically sign the document(s) or prevent undetected alteration after the borrower electronically signs the document(s); or

  • "Out of band/wallet" information (i.e., two-factor authentication).

Authentication

Authentication refers to the process by which lenders confirm the borrower's identity. Using Level 3 assurance standards, the lender must provide a two-factor remote network authentication. The first factor may include approved authentication mechanisms, such as: one-time passwords sent to the borrower via email, text message or voicemail; in-person authentication; electronic notary; or out of band/wallet information (i.e., two-factor authentication).

The second factor involves knowledge-based authentication, which involves verification of identifying materials and information using SBA-approved sources. Some of these sources may include national commercial credit bureaus, commercially available data sources or services, or government agencies or databases.

The SBA outlines several knowledge-based authentication requirements, such as:

  • The system must use static date of birth information, at a minimum, but it should use static and dynamic account balance verification.

  • The lender must verify the borrower's name, date of birth, and either its Social Security number or driver's license number.

  • The system must use multiple versions of the same question and randomly order questions to protect against scripts and hacking.

  • Failed attempts must be documented and reported to the lender.

Additional Requirements

Lenders must abide by record integrity and retention, vendor and technology selection, and credential loss management requirements.

Record Integrity and Retention

The E-Sign Act requires electronic records to be in a form that is capable of being retained and accurately reproduced for later reference by all parties or persons who are entitled to retain the contract or other record. Audit trails, computer systems, controls, and documentation must be readily available and subject to SBA inspection for the same time periods as documents signed in wet ink.

Lenders must also ensure that signed electronic loan documents cannot be altered without authorization. The electronic loan documents must be tamper-sealed and lenders must use industry standard encryption to protect signatures and documents.

If a lender authorizes changes to electronic loan documents, the process must be designed to provide an audit trail of the changes. In addition, the system must be designed in a manner that designates the signed electronic loan documents as the authoritative copy.

A best business practice is to store the electronic documents in an eVault, which has the technology capabilities to (1) ensure that electronic documents are not changed without specific authorization, and (2) create an audit trail of users that access the document.

Finally, the SBA requires electronic signatures have a record or certificate that tracks:

  • Certificate of completion status;

  • The signer's identity or a link to the identifying information's source (i.e., validated user ID, digital certificate, biometric database);

  • Signature date and time;

  • Method used to sign the record; and

  • The reason for signing and/or events associated with the signature.

Vendor and Technology Selection Requirements

When choosing compliant vendors and technology, lenders must ensure several things. First, lenders must ensure vendors comply with the E-Sign Act by including express provisions stating such in vendor agreements, and those agreements must also include language ensuring vendor representatives will be available to testify in litigation arising from disputes over electronic signature data.

Lenders must also ensure vendors have the experience, capabilities, and longevity to meet all the requirements discussed above. Finally, lenders must ensure the technology solution meets disaster recovery and archiving requirements, and that it contains adequate quality control processes.

Credential Loss Management

Lenders are required to have a system that ensures the security of codes or credentials. The SBA outlines several management controls that would be acceptable within such a system, including:

  • Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password;

  • Ensuring that identification code and password issuances are periodically checked, recalled, or revised; and

  • Following loss management procedures to electronically de-authorize lost, stolen, missing, or otherwise compromised identification code or password information, and issue temporary or permanent replacements using suitable, rigorous controls.

Conclusion

In sum, there are four requirements to create an enforceable electronic loan agreement with an electronic signature: (1) a valid electronic signature; (2) the signature must evidence the borrower's intent to sign; (3) logical association between the electronic signature and electronic agreement; and (4) authentication and identification of the borrower.

Failure to follow the electronic signature, record-keeping, vendor selection, or credential loss management requirements, or SBA's temporary guidance easing these requirements in instances where obtaining an electronic signature is not feasible, may open up lenders to unwanted regulatory scrutiny or inquiries, and/or cause SBA to deny its loan guaranties.

While COVID-19 and the CARES Act have highlighted the need to review the SBA's electronic signature requirements, keep in mind that the electronic signature requirements do not only apply during the pandemic.

While the SBA released guidance easing electronic signature requirements in instances where obtaining an electronic signature is not feasible, the electronic signature requirements will continue to exist post-pandemic. Thus, it is important to have compliance policies and procedures in place in order to mitigate future risk.



Alan Wingfield is a partner, and Troy Jenkins and Nicholas Ramos are associates, at Troutman Sanders LLP

The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.

[1] 15 U.S.C. § 636(a).

[2] 15 U.S.C. § 7001, et seq.

[3] SBA, Lender and Development Company Loan Programs, Standard Operating Procedure 50 10 5(K), Appendix 8 (Apr. 1, 2019).

[4] SBA Procedural Notice, Guidance on Acceptable Signatures for Applications and Loan Documents in the 7(a) and 504 Business Loan Programs, Control No. 5000-20009 (Mar. 24, 2020). This guidance document also applies to SBA 504 Business Loan Programs.

[5] 15 U.S.C. § 7006.

For a reprint of this article, please contact reprints@law360.com.

Hello! I'm Law360's automated support bot.

How can I help you today?

For example, you can type:
  • I forgot my password
  • I took a free trial but didn't get a verification email
  • How do I sign up for a newsletter?
Ask a question!