Regs don't require e-signatures, so why is the payments industry pushing them?
You may not realize it, but there is no need for electronic invoices within the U.S. and Europe to have an electronic signature.
This has actually been the case since January 2013, and yet, so much of the payments industry is still beating the drum for the need to use electronic signatures.
Why is this and what impact is it having on the industry? Well, I believe some players within the industry are actively hampering the adoption of e-invoicing by propagating this myth.
So, to "bust" the myth, I thought I would examine the relevant regulations and consider how perceived ambiguity within the legislation is enabling those with vested interests in the use of electronic signatures to restrict the choices organizations make when implementing e-invoicing and, as a result, is limiting the potential growth of the e-invoicing industry.
Before we start, let’s be clear what exactly we are talking about. An electronic invoice is any invoice that has been issued and received in any electronic format. This includes both structured documents (e.g. XML) and unstructured (e.g. PDF).
What is an electronic signature? An electronic signature is data in electronic form that is attached to, or logically associated with, other electronic data and that serves as a method of authentication. There are various forms this can take; relevant to our subject, however, is the "qualified electronic signature," which is "an advanced signature with a digital certificate encrypted by a secure creation device e.g. smart card."
It has been widely believed that the adoption of e-invoicing across the U.S. has been hampered by the requirement to electronically sign e-invoices. The technological infrastructure required to adopt specific electronic signature technology has been a barrier to potential adopters who are looking to e-invoicing as a way to reduce costs and processing burdens.
As a result, the Electronic Signatures in Global and National Commerce Act (ESIGN) and a new EU Directive (2010/45/EU) were issued. ESIGN was adopted by the federal government in 2000. The regulations set out clearly that electronic signatures are not required on e-invoices. The regulations instead set out the need to ensure three key things when using e-invoicing: Authenticity, integrity and legibility.
The regulations are specific that the way a user ensures authenticity and integrity is for the user to decide, and there is no requirement to use one method of e-invoicing to ensure compliance. An electronic signature is but one way to ensure authenticity and integrity; it is not the only way.
Whilst this has clearly removed the requirement of an electronic signature, a criticism was that it did not specifically outline how to ensure authenticity and integrity without one. The European Committee for Standardization (CEN) subsequently produced compliance guidelines to reduce the confusion and ambiguity that surrounded the original directive. All U.S. states have laws permitting, but not mandating, the use of electronic signatures, importantly insisting that prior consent of all parties is obtained before use.
The EU CEN gives three examples of approaches that can be used to ensure compliance: Electronic data interchange (EDI); qualified electronic signature; and business controls, which create a reliable audit trail between an invoice and a supply of goods or services.
EDI, with or without qualified electronic signatures, is already established as an accepted method of compliance, so let’s examine in more detail the area of business controls to establish authenticity and integrity. It is important to note that EDI and e-signatures are not synonymous. There are many EDI implementations that use e-signatures, but there are also many that do not.
Most organizations will be operating two- or three-way matching as part of their standard business processes. These existing checks, usually run through an ERP system, create an audit trail linking invoices and supplies, and are often sufficient to ensure authenticity and integrity.
Information that must legally be included on an invoice (name, address, tax registration, invoice number, taxable/gross amounts, etc.) helps an organization to establish the authenticity and integrity of the invoice. Requesting that suppliers send invoices containing the relevant purchase order (PO) number is another way that organizations can support integration with their audit trail, and is something we would recommend establishing with your trading partners during the onboarding process.
One note of caution, provided by the guidelines, when using the audit trail as a method of compliance is to consider acceptable tolerance levels, that is, the acceptable difference between values on documents being matched. If tolerances are set too high, it will reduce the reliability of the matching process and therefore reduce the ability of the audit trail to verify authenticity and integrity. This is something businesses need to consider during their setup phase.
So, there are regulations clearly stating that there is no requirement for e-signatures to be used, and further guidance to provide clear explanations as to how compliance can be ensured without the use of such technology; and yet there is still so much confusion surrounding e-invoicing and the need for electronic signatures. Why?
The regulations themselves, which sought to simplify e-invoicing to enhance adoption rates, have caused uncertainty. They clearly set out that there are multiple methodologies and technologies that can be used compliantly for e-invoicing, and yet they are not abundantly clear on how to do this outside of EDI or electronic signature options.
The subsequent CEN guidelines were issued to clear up this ambiguity, but some within the industry are still selling the EDI and e-signature methods as the only way to definitively guarantee compliance. Perhaps not surprisingly, this message is the one being communicated by some service providers who just happen to provide technology based on EDI and/or e-signatures. But even some auditors are giving incorrect information, creating uncertainty, which leads to fear, which leads to another company potentially being unable to utilize e-invoicing to its fullest.
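The matching control and the tolerance caution above can be illustrated with a short added example (not from the original article or from any ERP product). The record fields, function name and sample values are all constructed for illustration; it runs a three-way match and shows the same overbilled invoice failing at a 1% tolerance and passing at 10%.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class PurchaseOrder:
    po_number: str
    supplier_tax_id: str
    unit_price: Decimal

@dataclass(frozen=True)
class GoodsReceipt:
    po_number: str
    quantity_received: int

@dataclass(frozen=True)
class Invoice:
    invoice_number: str
    po_number: str
    supplier_tax_id: str
    quantity: int
    net_amount: Decimal

def three_way_match(po, receipt, inv, tolerance_pct):
    """Return (matched, audit_trail); the trail records every check and its outcome."""
    expected = po.unit_price * receipt.quantity_received
    # No goods received means nothing may be billed: treat deviation as infinite.
    deviation = abs(inv.net_amount - expected) / expected * 100 if expected else Decimal("Infinity")
    checks = [
        ("invoice and receipt cite the PO", inv.po_number == po.po_number == receipt.po_number),
        ("supplier tax ID equals PO supplier", inv.supplier_tax_id == po.supplier_tax_id),
        ("quantity billed <= quantity received", inv.quantity <= receipt.quantity_received),
        (f"amount deviation {deviation:.2f}% <= {tolerance_pct}%", deviation <= tolerance_pct),
    ]
    trail = [f"{inv.invoice_number}: {name}: {'PASS' if ok else 'FAIL'}" for name, ok in checks]
    return all(ok for _, ok in checks), trail

# Constructed sample documents: 100 units ordered and received at 12.50 each.
PO = PurchaseOrder("PO-1001", "TAX-EXAMPLE-01", Decimal("12.50"))
RECEIPT = GoodsReceipt("PO-1001", 100)
GOOD = Invoice("INV-1", "PO-1001", "TAX-EXAMPLE-01", 100, Decimal("1250.00"))
INFLATED = Invoice("INV-2", "PO-1001", "TAX-EXAMPLE-01", 100, Decimal("1360.00"))  # 8.8% over
WRONG_SUPPLIER = Invoice("INV-3", "PO-1001", "TAX-EXAMPLE-99", 100, Decimal("1250.00"))

if __name__ == "__main__":
    for inv, tol in [(GOOD, "1"), (INFLATED, "1"), (INFLATED, "10"), (WRONG_SUPPLIER, "1")]:
        ok, trail = three_way_match(PO, RECEIPT, inv, Decimal(tol))
        print("MATCHED" if ok else "REJECTED", *trail, sep="\n  ")
```

The retained trail lines are what links each invoice to a supply; the 10% run shows how a loose tolerance turns an 8.8% discrepancy into a recorded "PASS".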