The truth about digital signatures

Digital signatures have been around for almost 20 years, yet there’s still confusion about their use in the accounting industry. 

If there’s something more shrouded in mystery in the accounting profession than the legality of digital signatures, we’d need Scooby and the gang on the case.

Time and time again I hear of accountants and bookkeepers unwilling to accept digital signatures from clients. And you know what? I can’t say I blame them. There’s a distinct lack of clarity around digital signatures that is hindering the industry from adopting this efficient, time-saving innovation. It’s a technology that sits at the heart of a connected practice.

Let’s see if we can break down some of the mystery surrounding the legality and use of digital signatures.

READ: State of the Digital Nation – The great digital divide

What are the rules around digital signatures?

Legislation (specifically the Electronic Transactions Act 1999) says this about electronic transactions in its objective:

The object of this Act is to provide a regulatory framework that:

(a) Recognises the importance of the information economy to the future economic and social prosperity of Australia; and

(b) Facilitates the use of electronic transactions; and

(c) Promotes business and community confidence in the use of electronic transactions; and

(d) Enables business and the community to use electronic communications in their dealings with government.

SOURCE: Electronic Transactions Act 1999, Part 1 – Introduction, 3 Object, printed page 1

So we’re agreed that the Act is doing its darnedest to enable electronic transactions.

Let’s get to the simplified outline of what the Act says:

4) Simplified outline

The following is a simplified outline of this Act:

For the purposes of a law of the Commonwealth, a transaction is not invalid because it took place by means of one or more electronic communications.

The following requirements imposed under a law of the Commonwealth can be met in electronic form:

(a) A requirement to give information in writing;

(b) A requirement to provide a signature;

(c) A requirement to produce a document;

(d) A requirement to record information;

(e) A requirement to retain a document.

SOURCE: Electronic Transactions Act 1999, Part 1 – Introduction, 4 Simplified Outline, printed page 1

To me, that says we’re good to go with digital signatures as far as the Federal Government’s Electronic Transactions Act 1999 is concerned.

The ATO’s stance on digital signatures

The ATO’s website mirrors the Act. Specifically, here’s the clearest sign of the ATO approving digital signature usage:

How does my client sign an electronic declaration?

If your client chooses to send their declaration by email, they do not need to include their scanned signature at the end of the email. The action of sending the email and the agent accepting the information and then using that as a basis for lodging the approved form would be sufficient to satisfy the electronic signature provisions set out in section 10 of the Electronic Transactions Act 1999 (ETA).

SOURCE: Client declarations – frequently asked questions and examples

And while it says “email”, the ATO has provided MYOB with an “approval” for our “Electronic Declarations”, which are included at the bottom of every Tax form that we create in any of our Tax products, including our online Tax features (such as Activity Statements, etc).

When your practice sends a Tax form to a client, that form includes an ATO-approved format of declaration. Therefore when the client reviews the form via MYOB Portal, it inherently includes the Electronic Declaration as part of the electronically transmitted document, and then the digital signature technology includes “certificates” and “encrypted security features” that prove the electronic transmission is a true representation of the actual document that the client reviewed.

When the client clicks “Approve” on their mobile phone, they are “signing” the declaration that is part of the form and it states “…this information is true and correct and I authorise accountant X to lodge on my behalf”…

Here’s a specific example from MYOB Portal:

screen-cap

 

So there you go.

ASIC’s stance on digital signatures

There’s loads of confusion about ASIC’s stance on digital signatures, but a quick look at their Electronic Lodgment Protocol reveals that the list of documents that are eligible for submission with digital signatures is extensive – see below.

But first, let’s take a look at what ASIC has to say about their acceptance of digital signatures in their Australian Securities and Investments Commission Electronic Lodgement Protocol (“ELP”):

Electronic signatures and levels of electronic signature

  1. A Document is a form, and, if required, includes any statutory report or attachment required to be lodged with ASIC pursuant to:
    1. the Act, or
    2. the Credit Act
  1. ASIC has determined the following electronic signatures as acceptable for electronic transactions through the delivery modes set out in Table 1 of Schedule 1:
    1. Level 1 – A Digital Signature based on public/private key encryption or AUSkey (depending whether the Document lodged is lodged under Item 1 or Item 2 of Part A of Schedule 1); or
    2. Level 2 – A Personal Identifier will be accepted:
      1. Where it is self-selected and accepted by ASIC, if the particular service provided by ASIC allows for this procedure; or
      2. If it is provided by ASIC.
  1. A person using a Digital Signature to sign a Document must use that method of electronic signature to lodge electronically any type of Document with ASIC as set out in Items 1 or 2 of Part A of Schedule 1.

SOURCE: Australian Securities and Investments Commission Electronic Lodgement Protocol (“ELP”), printed page 5

Aha! “A Digital Signature based on public/private key encryption”. That covers technologies such as MYOB Portal.

In fact ASIC’s business rationale for the use of digital signatures (in the epically titled EDGE Electronic Lodgement System Digital Signature Specification document) says:

To provide an appropriate level of authentication for electronically lodged documents, ASIC will utilise digital signatures generated using the private key associated with an X.509 certificate issued by an approved certification authority.

Digital signatures will be mandated for certain company registration messages.

Digital signatures may optionally be used on other documents, provided that the signatory possesses a suitable X.509 certificate and the agents trading agreement authorises its use.

Okay, so let’s take a look at the documents referred to earlier:

Schedule 1 – Documents

Document is original Document duly signed by approved form of electronic signature Document is “copy” of original Document retained by User or agent of user.
Internet(TCP/IP) electronic signature mandatory electronic signature optional
Internet(ASIC website browser) electronic signature mandatory electronic signature optional

PART A

Documents that may be lodged requiring a Digital Signature as an electronic signature

Item 1 – Documents lodged via Electronic Company Registration (ECR)

Column 1 Column 2 Column 3
Form No Form Description Direct fee payment options available
201 Application for registration as an Australian company Direct debit / Direct credit
410 Application for reservation of a name Direct debit / Direct credit

Item 2 – Documents lodged via SBR enabled software

Column 1 Column 2 Column 3
Form No Form Description Direct fee payment options available
388 Copy of financial statements and reports None
7051 Notification of half yearly reports None
405 Statement to verify financial statements of a foreign company None
406 Annual return of a foreign company None
FS70 Australian financial services profit and loss statement and balance sheet None
FS71 Australian financial services audit report None

And on and on it goes. Start at printed page 23 and move down the full list of approved documents.

Australian Securities and Investments Commission Electronic Lodgement Protocol (“ELP”)

So what’s the problem with digital signatures, then?

Perhaps it’s time to get the legal point of view here.

In 2015, Brisbane law firm HopgoodGanim published its take on the legality of digital signatures. To summarise, the key points are (and I quote):

  • According to Australian and international law, electronic signatures are a valid way of executing agreements.
  • Difficulties with electronic signatures arise when evidence is required confirming the identity of the signor and their intention to be bound by the content of contract.
  • Digital signature tools which incorporate technically accepted identity verification and authentication methods (such as public key cryptography) can mitigate these risks. However there are still important issues to consider.

SOURCE: HG IP&IT Alert: Electronic signatures and their legal validity in Australia – 13 July 2015

Those “important points to consider” are around the integrity of the digital signature product. Specifically, they note:

Because of the rapid nature of technological advance, there is no guarantee that a product that reflects the law currently will still do so in a year’s time. Therefore, a product that is constantly updated to reflect this progress is desirable.

From MYOB’s perspective, MYOB Portal is constantly updated to refine its features, improve its workflow and, importantly, ensure its compatibility with industry body requirements.

An industry view

An example of an industry body getting on the front foot of the digital signature debate is the Institute of Certified Bookkeepers.

I caught up with Executive Director Matthew Addison for the ICB’s view on the legality and use of digital signatures. Matthew’s position is that the adoption of digital signatures is an essential tool for bookkeepers and clients alike. He points out that it is Government policy that electronic transactions are to be considered valid, leading to entities such as Fair Work and the ATO considering digital signatures as valid.

The ICB has produced a number of valuable member resources concerning the topic, including the following guide for members reproduced by permission from the Institute of Certified Bookkeepers:

Obtaining digital signatures from your businesses

The document outlines the ICB’s stance on digital signatures as well as providing a suggested course of action for the workflow.

Parting thoughts

Perhaps the biggest obstacle to widespread adoption (and bear in mind that digital signatures have been a thing for almost two decades already) is the fact that, as far as I’m aware, the use of digital signatures hasn’t been tested in a court of law. So there’s been no challenge to the legality of the Act in the 16-odd years since its passing as law.

Perhaps we need to introduce a system whereby approved solutions are listed so that accountants, bookkeepers and their clients are assured they’re using an approved method of digital form submission.

Would it be so difficult for the Government to test the validity of the various portals and solutions available in the today’s marketplace? It would allow the industry to move on to the next innovation quickly and confidently. After all, the ATO is dead keen to remove red tape. Providing more clarity on this topic would help.

In the meantime, thousands and thousands of documents have been digitally signed via MYOB Portal without a hitch. And by no hitches I mean nothing’s been returned with a note saying, “Sorry, we don’t accept your kind around here.”

What do you think? Have you embraced the technology or are you holding back? Why?

READ: How MYOB helped one busy accounting practice go paperless