Publication Date: July 2001
Author: PPI | Program Policy Initiatives
Summary: Revisions to Section 3.5 of the Standards for Electronic Signatures
The link to the Standards for Electronic Signatures in Electronic Loan Transactions listed below was revised on August 17, 2001.
This announcement revises Section 3.5 of the Standards for Electronic Signatures in Electronic Loan Transactions (Dear Partner Letter GEN-01-06). Under this section, a lender or holder could deliver a shared secret or other credential to a borrower in only one way - by mailing it via the U.S. Postal Service. To provide more flexibility to lenders and holders in delivering shared secrets or credentials to borrowers whose identity has been authenticated, Section 3.5 is revised to read (revisions in Bold text):
3.5 Authenticating the Borrower's Identity Before a lender or holder issues a shared secret or other credential that may be used by a borrower as part of a process to sign electronically a record for a covered transaction, the lender or holder must confirm the identity of the borrower by authenticating data provided by the borrower with data maintained by an independent source (e.g., by conducting data matches). Independent sources include, but are not limited to:
(a) National commercial credit bureaus;
(b) Commercially available data sources or services;
(c) State motor vehicle agencies;
(d) Government databases.
School databases are not independent sources.
At a minimum, the lender or holder must verify a borrower's name, social security number or driver's license number, and date of birth.
After the lender or holder completes the required data matches verifying the borrower's identity, it must provide the shared secret or other credential to the borrower via the U.S. Postal Service, as part of a secure online session, or in some other secure way. Unencrypted e-mail, by itself, is not considered secure enough for direct delivery of the secret or credential but may be used as part of a multi-step delivery of the secret or credential. For example, unencrypted e-mail may be used by the lender or holder to deliver a private key or a Web (URL) address to the borrower. The borrower could then use this private key or Web address to obtain from the lender (over a session-encrypted link) the shared secret or credential that will be used to sign electronic documents.
Alternatively, the lender or holder may issue the shared secret or other credential to a borrower without conducting the data matches if the lender or holder has previously authenticated the borrower's identify in a manner that satisfies the requirements of this Section. For example, the lender or holder used information on paper documents (social security card) and/or photographic identification (driver's license) presented by the borrower to confirm his or her identity.
Because the shared secret or credential would be delivered in a secure way, we believe these revisions promote faster, more efficient electronic processing without compromising the integrity of the authentication process.
The complete Standards for Electronic Signatures in Electronic Loan Transactions documen t, including the change noted in this announcement, can be accessed at on IFAP.