A 4 Year Journey Towards a Smooth and Strong e-Signing Solution in a Multi-National Insurance Company

Okay. Hello, my name is Miha and I'm learn to use this one. I used to work for the National Certification Authority in lava and wearing also the head of product owner for different types and shapes of electronic signatures, which qualified el electronic signatures provided across the country. And this is where I learned a practical part of eSigning.

And, and then later I joined if insurance company, which is the largest Nordic insurance company operating in seven countries in Scandinavia and Baltic countries. And since we're the digital first company, this smooth digital operation is something very critical to us.

And yeah, And in, in, in, if, when I also as, as a product owner, I had like two babies there, which are relevant to the context of this conference. And the first one was like the award-winning mobile application for health insurance back then in 2018. I think we've got this word and, and it has the centralized iden. It had already then the decentralized identity in its core before even all the like discussions appeared here about that. So I can share some experiences, some features later if you're interested.

But then another baby also very important is the corporate electronic signing service. So, which I've got green light for to work upon it from the management back in 2016 actually. And it is important, it was important because we, we often have cross-border and cross-departmental operations and with customers, with partners, with whoever. And first of all, the first thing we did, we wanted to learn the landscape. So what was already there in place because we obviously have seen different like appearances of what people call e-sign.

And we have have identified at least four, but actually more than that, different eSigning solutions used in if in different parts of, if we've been paying for them and each of them solved one specific isolated problem for either department, country or use case. And you know, those all are made, were driven by it. And for it, EIG mainly unfortunately is either black or white. So it's either e-sign or it is not at all.

So, and they don't care about the datas because e-sign solutions are very much different. And the problem, the real problem is that in all those implementations, legal voice was not represented.

So, and that's important point, that's fundamental point here because e-sign is all about like legal, it's all, it's all about collecting and preserving evidence full legal to use later. So we need, with e-sign, we need to ensure sufficient legal protection. So they are the primary customers of this thing. So they must be equipped eventually to, to go to the court and, and, and, and, and, and struggle there.

So, and the, i I can make this strong statement that legal is the only valid reason to have his resigning in place. I can't imagine of any other valid, sufficient reason to have his resigning there. So it's the only, if you don't need it for legal purposes, just skip it's much easier and cheaper.

So, and what we start not started, but what we've, what we've learned, we've learned to ask in order to like to screen out the relevant candidates because there are tens or hundreds of them on the market who can be the supplier of assigning solution and which of them is okay, we've learned to ask five questions, which by accidents relate very much to the requirements of ADAS towards advanced electronic signature, by the way. And this five questions are the first one, how does the signature like identify unique person in the world?

So can you point, when you see the signature, can you point your finger to one person, maybe let's say you in the world and tell, okay, this, the claimed signee is you. So of course obviously usually you use social security numbers or something like that to identify. The next question is, could it be somebody else who pretends to be you then when added this signature? So that's another question and very important one. So how does this signature ensure that it is really you?

Number three is could the change to, so is the document which we get as a sign document, is it the same or is the same as the one which has been originally presented to the signer for signing? So has it changed on the way or while keeping it or, so it's important. So the the outcome is the same as the income to the designer.

And then important question, if we sign some document with you, why should anybody else, like banks or insurance companies, whoever in the world like find our signatures credible enough for them to make their decision based on what we have signed, like in the contract because they need to rely on upon it as well. So what, what is the framework or regulation which makes it trusted for them? And then number five, imagine is that in five, 10, whatever years the signing solution provider, which you used to sign all the documents in your archive suddenly disappears.

Will you lose evidence then are your evidence is done or part of them or not? So are you secure on that side? And that's, these are like five, like I would say screening questions. Of course there are many more detailed questions, but these are five screening questions which we've got. And let me show you a few examples of different classes of signing solutions. There are many of implementation, but the IY will take two classes of them, which we have seen a lot of around. And the one class of signing solution is what we call here finger signing.

This is where you like make your graphical signature with a finger on the screen and the solution on the backend. It tries to collect different facts about who did what you are in the signing. Like IP addresses, email addresses, even the location of the graphical signature on the document and then give it away back to you as a report. So like evidence report that big class of solutions and let's, let's just check, okay, does this solution clearly identify who is the designer? Mm. Will IP address or email address tell you this?

Like clearly I'm not sure because email addresses and IP addresses used to be shared among users, different people the same addresses and, and and also the graphical signature. I'm not sure if you, if I know how your signature looks in the passport, so I don't have it to compare.

So I, so therefore I don't think I can identify you out of the document alone, out of the signature. The same problem is with impersonation impersonation.

Since, since these credentials are shared like IP and email, it can be rather easily impersonated well on detecting changes. There are some measures, it depends on solution, but, but it's not like clearly yes or no. There could be some, some options for that. It's a problem with credibility as well because it's as credible to others as it is to me because they cannot identify IP address doesn't tell anybody to anything to the bank. If you show this signature, okay, is it your IP address or not? So they do not know. And with preserving evidences in long term, it's also like, it depends.

So it could be or could be better or worse. So, but it depends on solution.

Anyway, none of these questions get the clear yes, answer clear like green check mark, check there. So we skip that solution, that class of solutions. Another big, really big and popular class of solution signing solutions, at least in Nordic region. I'm not sure about other parts of the world or Europe, but is are those who like rely upon the existing and like credible identity providers present on market like bank s different types of IDs which are there in the pockets of people around people like those and trust them.

And those signing solution providers, they identify signer and then they present the original document to you and okay, now press the sign button. And when you press the sign button, they use some their own invent and proprietary method of signing, which is not very standardized. And what they do, they immediately start changing the original content of the document. They add like footers, headers, borders, extra pages. They add additional information about who it was, who came us and improved our, our his identity here.

So different disclaimers and transaction IDs, which are meaningless to me. And that's what you get is the signed document, what they call a signed document. So the problem, the first problem here is the original content is gone once you sign. That's the fundamental first fundamental issue.

And, and, and they just, okay, let's keep going next big problem with this type of solutions was you immediately become dependent in long run on them because it's a proprietary method of signing. So you need a proprietary method of verifying the signature. How do you get to that sir?

Okay, they tell you, okay, now use the link, we have a link upload document there and you will get the answer if the signature is okay and they even add some transaction IDs, which only they know what it means. So if they disappear the method, the verification method is done, some of them know it's a problem, it could be a problem. And what they suggest, this is the quote from the official documentation of one of those providers, okay, option one, get the link if the link is not there, build your own verification method. That's simple.

So try to do our job and if you are not capable of that, just the easiest the last resort. Take the hash of the sign document, take the publication from Financial Times, combine those data into the mathematical formula, calculate the verification results, and here we are. So you have verified the doc, the, the signature. That's easy. That's what our lawyers usually do during the morning coffee.

So, and then they can be, can can repeat this exercise in the court easily so judge can understand as well. Yeah. So it's clear no go as well.

But, but even this is not the biggest problem with that type of signing solutions. And the biggest problem from my perspective, from our, that's our subjective judgment. So don't take it as, as, as, as, as a, as a, as, as a, like a full truth. But that's how we judge it.

It, and this is what I call credibility bubble here because what they do with adding all those headers, footers and extra pages, they make you believe, they try to make you believe that the signing secret belongs to the intended signee, but it does not because they instead use their own like certificate or like, which belongs to them and is controlled by them to sign the document to actually seal document. So you don't see the signees name there, where the signature should be. It's their name, it's the company name there usually.

But by, by adding nice logos and everything, they actually steal credibility from bank IDs from all those guys who are really credible on the market. They, they, they, okay, let's call it borrow credibility, not steal, but that's, and it's not even a bubble, it's a foam because you, they use the same, exactly the same secret to sign different documents for different signers.

So it's, it's the same secret used across by them and that's obviously not what we was looking for. And I can also not hear from the stage tete. I can show you how it, how I got the fake document look more authentic than the original one signed with this method on my own like machine with no any special software for that.

So it's, it's, it's, it's incredible. So what we were looking instead was solution, which uses the, the secret of intended signer to sign the document. So it must be protected by that secret. So it's a strong evidence of the signature. That's a legal fact as well. Yeah. And unique secret for each signer, obviously. Yeah. So let's summarize. Do they identify a person?

Yes, they they do they use credible ID provider, but then impersonation, that's exactly what they do. They impersonate, in fact they impersonate that signer with their own identity. The tech changes bad because they do change document immediately straight at the straight at the signing time. You don't get original content anymore. And they try to address the credibility issue for third parties with the credibility bubble. That's what they do. They try to make everybody believe that it was that sign signer who signed the document.

But maybe yes, maybe no, there are no strong evidence of that in the document. That's the fact.

And you, number five, you become immediately dependent on them. Since they use proprietary sign-in methods, you depend on them. So your evidence is like very vulnerable, let's say to their business also if they are present in the business.

So I, I'm now cutting out the long story how we selected what we did. So, and, and, and, but the long story short, that's the target situation. The the actual one. And we have like one big red block in the middle, which is a signing engine which is accessed by different signers. Our employees, employees of our branded businesses, of our partners customers, whoever. They use it via webpage or mobile or API to trigger and sign documents. And the outcome is the signed PDF file, which is easily, can easily be used and opened and reread in the a any acrobat software across the world.

Also signatures can be like validated there in a standard manner. And that's the centralized and unified part of it. The the very local part is here because we also want users to have smooth experience and something which they used to use.

And we, we also rely here on the existing identity providers. That's obviously case and, and and a good idea. But comparing to those mentioned before, we have certification authorities here in the middle and they do important job for us. They create unique signing secrets for those people who prove identities to the certification authorities. And those secrets are used then to sign document and these, these secrets are there inside the final document. So not not secrets, but but the like the, the proofs of them being in possession of those secrets.

So, and that's makes very much difference to the final, to the end result. Obviously it costs much more than that type of solution, but it is a completely different legal story then. So because when we look in the final document, it is their, first of all their original content. What we see here, that's the signed document and we hear, see the, and the signature information is there apart from the content. So it's in a special dedicated area of the PDF file in the metadata area. It lives together, it's connected, but it's not here. It does not corrupt the document.

And we have the real names of the signers there and they are, they have those green bubbles next to the names. So that's important because that means that these inform this information is trusted and verified.

Okay, that can, that can be different levels of how you verify what, but but of actually put it, to put it simple, it is verified and trusted information that the name of the signer is this. So that's what we can rely upon and can easily present to the judge and they can understand it easily eventually.

So, and all these information in evidence is detached from the solution provider. It leaves within the document. So we get it to the archive and it stays there forever. So as long as we keep it and protected, but we are not dependent on the provider anymore, we can switch at any point in time. So we are not attached and it's smooth and it's respects local habits of people.

So, and obviously we get all the green marks here for to as positive answers to all questions. And also it's, it's what actually this a this advanced level is about, I would say. So having all those green marks here, so one short aspect, important aspect I should emphasize.

So how we did it and it was a team and the leadership was here and, and the legal person we put in the middle of the team or, or they, they, they are our customers in this, in this project and, but it's not just as simple as getting any legal person and any IT guy and, and even brilliant legal person and brilliant IT guy, it'll not fly because those legal people must be like it enthusiasts. They must be trying to step into it and understand how it works, why it works like that. And the opposite is also true.

Like it guys must be like law enthusiasts or legal, like legal enthusiasts must want to understand and look into regulation, understand how it works, why it's there. So they must become towards each other in this type of projects.

Then it's, I can't imagine any other setup which will work than for, for this type of, of eSigning projects at least of course business context is there as well. So for smooth journeys and for for making sense to, to have this like paper signed at all. Yeah. And on the journey, it was a long journey and in the middle of it, when we were doing production pilot with the one of the solution candidates, COVID came and suddenly people went back to the north back but went to move to their home offices without any option to sign document, or like to put wet signature on the document.

And suddenly those nice to have things became must have things and, and people, oh they, they enjoyed, okay, that's great. We had this option. It was not ideal option back then it was not good enough. And it all, COVID also was something which helped us to discover more critical business needs and conclude that the original solution provider, which we have picked for the production pilot could not satisfy, could not like meet all the critical business needs for us.

So, and we had to make this hard decision, but in the middle of production pilot or by the end of it we told no, sorry, stop, we should switch. And we started, we actually, we started switching earlier than that even.

But, but by the end of production pilot we have switched to alternative to another provider or even a mix of providers, which is, which was and still is a good fit and can satisfy all the critical needs. And this is where we are now. We are in the approach in the middle of the third year of the like fully featured production mode.

So when we sign more than 30,000 documents annually and one more than one third of our employees are active users of this e-sign solution without having promotion from our side, we of course we provide proper support and maintenance to, to people, but, but we do not like force them to use it. It's just comes naturally. And we have, throughout those years we have discovered several repeating usage patterns which help us now to, to add new use cases quickly.

So, okay, ah, it looks like the same, it is the same thing or similar. So do like this and they can easily jump into the signing within their business processes, within the context of their business. And we also heavily used out of the box automation options. And I can say these, these are like low hanging fruits, which we collected almost most of them now. And we are approaching the next like challenge of, of introducing low code or API based automation to get deeper integration into our business processes. So to integrate the csig deeper than just using Porwal or mobile to sign.

Yeah, so, and believe me, so I've repeated the fundamentals of re-signing so many times throughout these years to different people. So then, then I decided to make a video recordings of my, at least some of explanations and, and posted them on YouTube.

So if, yeah, I just, this is not for business, for any money, just just for better communication and for, for, for educating. So if you just are interested, have a look there.

Yeah, there are a few videos for that. So yeah, that's it. Yeah. So thank you Micah. We have no questions from the audience that is listening online. Do we have any here in the room?

Okay, I'll take a microphone Or walk around. Gimme a second. Thank you Martin. Thank you. Yes.

You, you explained, you identified during COVID with the first solution, you implemented some critical issues or capabilities, missing capabilities just to, to know which type of critical capabilities. We Don't say, oh, one of the critical things was, was actually the ability to use the existing identity providers. So we skip any registration, any like onboarding or ID proofing before the user can sign at least external user. That was a critical one to go like widely around.

And another one was a pure, not purely but legal because those who provided, they didn't clearly understand their role in that service. They, they didn't, they actually issued certificates, but they didn't want to accept their responsibility for issuing certificates like legal because that, that's, that's important point. So like issuing passports, when you issue a passport as a, as a, as a official, you must take responsibility who you do issue it to.

So, and these were like two major critical things, but there were some others as well. Okay, thanks.

Which, which others? Hmm, which others? When you say there were some other major critics, which Others, other, other one was purely about how the signing process goes. Like for example, when you sign, when you triggers document for signing, there are parts of information which you would like to share with your colleagues only. So they like, like management, they don't have to read the whole paper, the whole contract for example.

You provide some summary for them, but you don't want this summary, first of all to become a part of Signable document and then to also to be seen by externals who you, your concert parties. And it was, it could hardly be salt with the original ones. And it was important for us. I think for me there are two aspects of this whole e-signature partner, right? One is your certification, which is certifying a document. And the second part is a whole workflow management. Yeah.

And generally when you look at a big organization, you have got the B2B landscape where you don't need legal documents because internal signatures are sufficient using your active directory. True. But when you go outside, true, you need a legally authorized signature that can be validated, right? And then when you try to combine these different providers, that's where the difficulty is because organization one is using Adobe science organization two is using DocuSign, third one is using something.

So how did you, did you actually have to deal with that, separate them to separate the fact of the signing and the workflow? And did you manage that as a, as an implementation? We have faced a lot of situations. Okay.

Not, not very many, but, but, but several situations where counterparts like, okay, let's use SIG or let's use whatever. And I would say that's still a problem is between those providers of unifying standards because you cannot at the moment take the like partially signed there and partially signed here. So then of course we try to force like what we use and, but, but sometimes it depends on the business, on the risks which are part of the content of the document itself.

So, but, but, but for intern it's, that's, that's, that's, that was not the driver here. So totally. So mainly it's, but for our business it's important. For example, in cases where in competitive situations, even when we like trying to make business with a customer who has our competitor as insurance provider, and now our salespeople can sign during one phone call. So they don't need to play around with like, okay, printing, sending and sending to, they just do everything on the call and strongly. So Phillip, I don't have any further questions from the Audience so far.

I think we are anyway, very close to the end of the time, aren't we? Two minutes. Two minutes. Okay. Any more questions from the audience here in the room? No.

Okay, then we take this one and then we are done, I believe. Thank you.

No, very, very quick question regarding the architecture, because I have seen that in new architecture there are two, there were two certification authority. Yes. So my question is about those certification authority, those ca are they a local ca or are they in some trust list like utl A a tl We actually don't care.

They, they, they can be global unless, unless, yeah. So if they can provide what we need, so because they, that's that all based on ADAS regulation let's say. And it's cross European. So any company, at least from Europe who satisfies the requirements towards this can, can serve. And we in fact have those one from Italy, one from Estonia.

Because, because of the set of ID providers, they can supply to us. Okay. Thank you. Thank you very much for all the insights you've been providing.