eSignatures and the Americans with Disabilities Act

The Americans with Disabilities Act is a landmark civil rights law that continues to have repercussions across the United States, nearly thirty years after it was first passed in 1990. A panel discussion at the annual ESRA conference eSignRecords2017 covered the current state of digital accessibility when it comes to serving people with disabilities under the ADA. Getting businesses into compliance also received significant coverage.

The participants were:

  • Margo Tank, partner at DLA Piper
  • Ryan Diehl, Sr. Director of Sales, Level Access

An introduction to digital accessibility

Diehl started by referencing Stevie Wonder presenting at the Grammy Awards and saying, “There will be a time when all things will be accessible to all people.”

“That’s what we’re talking about here,” Diehl said.

He continued: “When you think about digital systems, think about apps, websites, operating systems, Microsoft and Adobe products, and things like that, including hardware. The first question I usually get when I tell people what I do is, ‘How do disabled people use the web?’

“The answer is, software, which is referred to as ‘assistive technologies,’ such as screen readers or screen magnifiers or voice dictation, that allow people to interact with digital systems.

“The problem is that everything in this area is always changing. For example, smart watches and other wearable technologies, as well as the introduction of Alexa and Google Home help people interact with these things. Laws, and the lack of laws, can be confusing, and standards can be complex. It can be hard to know if something you’re developing meets certain requirements.

“One of the main problems is a lack of knowledge. We’re seeing recent college grads, for example, who don’t know what digital accessibility is.”

Diehl then outlined four reasons why people should care:

  • Legal risk
  • Market risk
  • User benefits
  • Brand risk: how the public perceives a brand (“The mantra that ‘there’s no such thing as bad press’ isn’t true when it comes to inaccessible content,” Diehl said.)

Why people should care: legal risk

Tank then went into the legal background of the subject. She said: “In recent years, one of the Department of Justice’s main focuses has been ensuring that businesses are meeting their obligation to provide accessible facilities. Under Title 3 of the ADA, public accommodations are prohibited from discriminating against people with disabilities. Compliance with Title 3 is enforced by the DoJ and has several options for relief, including monetary penalties, which aren’t that high, but they’re not what tends to worry people.

“Title 3 can also be enforced by private plaintiffs with lawsuits seeking injunctive relief. So even though the ADA doesn’t explicitly mention access to digital platforms, the DoJ has said it does. In 2010, the DoJ issued a notice that said the ADA applied to websites and other digital applications and sought feedback for appropriate standards. One of the options they came out with was a set of guidelines for website access.

“The DoJ then began pursuing enforcement actions. In 2014, there was an interesting one with H&R Block that was contested. They settled and the corrective action and injunctive relief that was entered was more about the brand image and the future cost the company might face if they didn’t come into compliance, even though technically the rules weren’t finalized.”

Tank noted that the settlements reached since 2010 have typically included the following:

  • Conducting annual accessibility testing with an independent consultant to audit the website
  • Developing accessibility policies
  • Providing employees with training
  • Obtaining commitments from vendors
  • Designating an employee as an accessibility coordinator
  • Reporting to the DoJ in detail on compliance

“The cost associated with not complying is the cost to settle and then the cost of remaining in compliance, along with the not-intangible reputational risks,” Tank said. “In addition, one of the possibilities under the ADA is that private litigants can sue, which is an ongoing thing. In 2016, there were 244 lawsuits. So far in 2017, they’ve increased to 432, so it’s happening.

“Another step along the way is the demand letter. There’s a group of plaintiff attorneys who send letters to businesses to assess non-compliance, and businesses are agreeing and paying attorneys’ fees. The Trump administration has sent notice to every agency and said that if they want to issue new regulations, they have to be important to the administration’s policies. They had a list of what was okay and what wasn’t, and the ADA has been on the ‘no go’ list, but private litigation has still increased.

“The courts have been a bit schizophrenic, but most of them are following the DoJ. But some are starting to question what a public accommodation is and whether it’s due process to have a proposed rule from 2010 be a compliance standard.”

Why people should care: market risk

Diehl then took the reins of the discussion and noted: “Litigation has skyrocketed because private plaintiffs have decided that they will handle this on their own. The challenge absent regulations is that there’s no safe harbor, since there’s no definition of what accessible means from a legal perspective.

“There’s also an idea that there’s market risk from inaccessible content. There are regulations that say you have to provide accessibility in certain places. A good example is Section 508, which says that the government must buy the most accessible product to fit their needs. The FCC has its own accessibility guidelines for broadcast content, as do the DoT, airlines and health care.

“What we’re seeing in the private space is third party vendors having the inability to participate in procurement cycles. If you sell to industries that are high risk, such as retail, and you sell something on a retailer’s website that’s inaccessible, it will cause a problem. We’re also seeing a trend where they’re pushing out RFPs and saying, ‘You have to fix this.’

“It’s an international thing, too. Regulations say that something must be accessible and the standards say how you should do it. There’s an international standard for websites. There are three levels of it – they build off each other. I haven’t seen anybody strive for the AAA level, since it requires a lot of resources.”

Why people should care: user benefits

Diehl noted: “27% of adults in the US have a disability that inhibits their daily function. One of the questions I get is, how is that number so high? It’s so high because it doesn’t just cover severe disabilities, such as deafness or blindness. It covers things like: limited sight, hard of hearing, cognitive disabilities like ADHD, and so forth.

“That percentage will only go up as the population gets older overall. I often ask audiences how many of them have increased text size on their laptop screen. That’s a good example of digital accessibility.

“When I got into this space, there was this idea that companies were losing revenue if they didn’t address accessibility, but there wasn’t a lot of data around that. A recent study showed that 71% of disabled people will click away from your website if it doesn’t accommodate them, which is pretty significant. We’re also seeing that 93% of them don’t call a number for help with a website if it’s provided.

“The problems encountered by disabled people were covered in the survey too. They included crowded pages, poor legibility, poor link information, distracting images, and so forth. Good accessibility tends to be good usability for everyone.”

Diehl then asked: “So how do you do this? There are two paths people tend to take. The cheaper way to do it is to incorporate accessibility practices early in the design process and do plenty of testing along the way.

“The other path, which is 95% of the people I deal with, covers things already out there. We’ve broken that down into three phases: discovery, retrofitting, and standardization. That means: test it, fix it, and make sure you don’t break it again.

“In the discovery phase, you want to see how compliant you are and where you’re starting from. One key thing is determining what is actually out there in the wild right now. Then prioritize what to fix first and figure out if there’s governance in place to guide the process.”

Tank noted that from a legal perspective, “We’re always asked, ‘What do we do today?’ We break it down into short-, medium-, and long-term plans. It’s crucial to make everyone up the chain aware of the situation and place an accessibility phone number on the website, even if they won’t call it, because the DoJ requires that. Then do an audit and start exploring the next phase.”

Diehl continued: “In the next step, it’s important to ensure you’re testing things properly and you understand full compliance. There are two types of testing: the technical side, which means, is the code written in compliance with the standards; and the usability side, which means, is it actually usable by disabled people.

“You can lean on software that can scan your site and look for problems. The challenge there is that machine learning can’t uncover everything, so you need a human to look at the code too. One example is alternate text (alt-text) for images – software can say if it’s there or not, but it can’t see if the text is right for the image.

“The last part of testing is functional. Employ people with disabilities to use your site and give you feedback. You could technically be compliant but not be 100% usable. At some point you hit a level of technical compliance where you have complete usability.

“We see three levels of accessibility with E-SIGN. There’s the ‘check the box if you agree’ type of stuff, which you can make accessible to people with disabilities and ensure that terms and conditions are readable, such as with headings and sub-headings.

“The next is software, such as uploading a document to be signed. Consider that in two parts: Is the document you’re uploading in an accessible format, such as a PDF or a Microsoft Office file, and is it usable? Can people do what they need to do?

“The last part is hardware accessibility, which is the most challenging. What type of OS are you running on it, for example? If it’s Windows, you’re good, because it has good options for that, but if it’s homegrown, you need to look further. And then what kind of content are you running on it? A good example of that is in the airline space: kiosks need to be accessible – third parties tend to build them and the airlines provide the software, so they need to work together.”
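The alt-text point above, as an added example that is not part of the original panel summary or any vendor's product: a small Python scanner that reports only the `<img>` defects a tool can actually assert (attribute missing, stock placeholder words, alt text that is just the file name) and queues every other image for a human reviewer, since whether a non-empty alt really describes the picture is a judgement no scanner can make. The sample HTML and the placeholder-word list are constructed for the demo.

```python
"""Automated image alt-text scan with a human-review queue.

Added example (not from the panel or any vendor's product).  It shows the
kind of check an automated accessibility scanner can do for <img> alt text,
and where that check stops: structural defects are asserted, everything
else goes to a "review" bucket for a person to judge.
"""
from html.parser import HTMLParser
import os

# Constructed sample page, not from the original article.
SAMPLE_HTML = """
<html><body>
  <img src="/img/logo.png" alt="Acme Bank logo">
  <img src="/img/hero-2017.jpg">
  <img src="/img/sign-here.png" alt="">
  <img src="/img/DSC_0042.jpg" alt="DSC_0042.jpg">
  <img src="/img/divider.gif" alt="" role="presentation">
  <img src="/img/chart.png" alt="image">
</body></html>
"""

# alt values that are present but carry no information (constructed list)
PLACEHOLDER_ALT = {"image", "img", "picture", "photo", "graphic", "spacer"}


class ImgCollector(HTMLParser):
    """Collect every <img> tag with its attributes, in document order."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))


def classify_img(attrs):
    """Return ("defect" | "review" | "ok", reason) for one <img> attribute dict.

    The tool can assert only structural facts: the attribute is missing,
    empty without a decorative marker, equal to the file name, or a stock
    placeholder word.  Whether a non-empty alt actually describes the image
    is a judgement a person has to make, so those go to the review queue.
    """
    src = attrs.get("src", "")
    alt = attrs.get("alt")
    if alt is None:
        return "defect", f"{src}: alt attribute missing"
    alt_stripped = alt.strip()
    if alt_stripped == "":
        # alt="" is the accepted way to mark a decorative image; without a
        # decorative hint the scanner can't tell intent from omission.
        if attrs.get("role") == "presentation":
            return "ok", f'{src}: decorative image (alt="" with role=presentation)'
        return "review", f"{src}: empty alt; decorative or forgotten?"
    if alt_stripped.lower() in PLACEHOLDER_ALT:
        return "defect", f"{src}: placeholder alt text {alt!r}"
    if alt_stripped == os.path.basename(src):
        return "defect", f"{src}: alt text is just the file name"
    return "review", f"{src}: alt={alt!r} present; check that it fits the image"


def scan_html(html):
    """Scan a document and bucket every image by what the tool can decide."""
    parser = ImgCollector()
    parser.feed(html)
    report = {"defect": [], "review": [], "ok": []}
    for attrs in parser.images:
        bucket, reason = classify_img(attrs)
        report[bucket].append(reason)
    return report


if __name__ == "__main__":
    result = scan_html(SAMPLE_HTML)
    for bucket in ("defect", "review", "ok"):
        print(f"== {bucket} ==")
        for line in result[bucket]:
            print("  " + line)
```

On the constructed page the scanner asserts three defects (the missing attribute, the file-name alt and the word "image"), accepts the one image explicitly marked decorative, and leaves two images for a reviewer: the logo, whose text may or may not be right, and the empty alt with no decorative marker, which is exactly the case a tool cannot decide.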

Diehl continued: “So, you know what’s wrong and you get good information together. Then you move into the fixing, or retrofitting phase. Fix the easy things first. You don’t want to get into a lawsuit over something simple, such as an alt-text problem. Then fix things that are harder within release cycles. Don’t stall new features – plan out your development so you can work the changes into your release cycle.

“Then consider provisioning development teams to address issues in the long term. Get good knowledge and be forward-thinking about site redesigns and so forth.

“Finally, you reach the ‘How do I not break it again?’ phase. The key is self-enablement. Refine processes, build out corporate governance, policies, and so forth, and do tooling you can do internally, and eventually you move into the easier method, where you’re considering compliance during the design phase.

“You should also make sure you schedule an annual audit and get good documentation out of that – don’t self-certify and instead hire an outside vendor to do it. Good defensibility involves good documentation that shows the strides you’ve made with accessibility.”

Diehl concluded: “Finally, questions to ask yourself: What’s your risk pool? (It’s larger if you sell to individuals.) Are you providing solutions to businesses in an at-risk industry, such as retail? (Retailers get sued all the time.) Do you have pending litigation? Do you have outside vendors? Has your organization been asked to provide proof of accessibility? And are you building new stuff today? If so, incorporate accessibility from the beginning.”

Q&A

One participant asked about the current situation with the Trump administration’s requirement about regulations, which was covered during the presentation. Diehl noted: “The DoJ didn’t throw rule-making away. It’s stuck on the inactive list and they’re waiting for the next administration to pick it up and run with it.”

Tank added: “People are wondering if it will be more onerous next time and Congress is talking about possibly providing a safe harbor time where businesses can come into compliance.”

The Digital ID Revolution – as told from the front lines

At a recent ESRA event, we convened a panel discussion to navigate the digital identity revolution and the challenges it presents. Important topics, including “Who are the parties involved?” and “How do you enforce the transaction?” were addressed by a leading group of experts.

John Gunn, VASCO’s Chief Marketing Officer, moderated the discussion. The participants were:

  • John Fraser, an independent consultant at Core
  • Sarah Clark, Senior VP of Global Product Management at Mitek
  • Anatoly Kvitnitsky, VP of Growth at Trulioo

How do companies address this issue on a global scale?

“Identity verification during onboarding is a huge challenge today,” Clark said. “There’s a perfect storm with this challenge. The first is everything being digital and heightened user experience expectations. You have to be able to onboard people in real time.

“The second is that we have measured rises in fraud with new accounts. It’s a well-recognized rise in fraud. There were 80 million attacks on financial institutions by fraudulent accounts in 2015, and it’s estimated that 3% of all new accounts are fraudulent. That has doubled over the past two years.

“The third challenge is increased regulations, especially for industries like financial services. The good news is that adjacent to the challenges is the rise of new technology that can combat those issues. The first thing I would point to is that because of the rapid rise in data breaches, fraud has risen because data is lost all the time – 5.2 million records are lost or stolen, on average, every day.

“So it’s imperative to embrace new technology that goes beyond asking for your name, Social Security number, and birth date. So utilizing new methods that go beyond that, such as embracing who you are or what you have. One of the areas I have a lot of experience with involves scanning documents through a mobile device. That type of technology leverages advances in machine learning, AI, and computer vision. It’s very mature. You can have an end user scan a document with the camera on their mobile device and authenticate their identity in real time.

“You can layer that with other ‘What you have’ factors, such as device ownership. So you know they own a specific device and they have their ID on hand. These types of solutions can be inclusive. In the US, we have lots of credit data that the rest of the world doesn’t, so that can be a challenge in the rest of the world.”

What about beyond the US? 

Kvitnitsky explained: “The general data providers, such as the credit bureaus, only cover about 30% of the world’s population. How do you address the rest of them? You have to look elsewhere, such as governments. Many people are surprised when they find out that China often performs better than all parts of Europe because the Chinese database covers 95% of their population. Same with India.

“In other places, mobile carrier data provides a solution, such as places in Africa, where a lot of data exists on paper in filing cabinets. But they usually have mobile phones, or the government knows exactly who they are and where they live. That actually makes the emerging markets perform very well.

“We’ve seen a lot of our traditional financial institutions use those databases in those markets. India, for example, got rid of all hard currency about a year ago, so all payments are digital there now. In China, every phone provider, every app provider, starts with the government.”

Credit bureau data has been devalued because of recent breaches. What else can companies do to establish trust and identity?

“I would say that trust starts with three core tenets,” Fraser replied. “It starts with allowing them to use their own device, which seems safe and secure because it has a password, fingerprint technology, and face recognition. In comparison, an ATM could be compromised.

“The other one is having a familiar process. As I work with companies, I dislike it when the user experience team wants to build a set of requirements around an e-sign process without consideration for the major players. That could be a two-month process. That pales in comparison to the billions or trillions of transactions that have gone through the major e-sign players out there. There’s no need to reinvent the wheel. A financial transaction should feel the same as one with your cable provider.

“The last one is to make it feel secure for the end user. If you’re authenticating someone with a shared email that multiple people have access to, that’s not good enough. If they can find a loophole in the process, they won’t trust you.”

Fraud is still increasing. Banks and others are spending more and more to combat it. Next year, losses will be $2.2 billion. What do organizations stop spending on and start spending on to offset those losses? 

Clark commented, “Digital account opening fraud is rising. It’s a result of EMV pushing fraud from point-of-sale to other techniques, such as better synthetic IDs. It’s imperative to have a stronger front door, so if you create an identity verification process today, it would be different from five years ago.

“What you wouldn’t spend more money on is knowledge-based identity authentication questions. They’ve diminished in effectiveness quite severely. No financial institution believes it works, but it hasn’t changed as quickly as it should. It shouldn’t be a cornerstone of a process.

“You also wouldn’t invest in manual processes because they’re not fast enough nor reliable enough. You want a layered approach that combines what works with what you have and who you are factors, such as collecting data off an ID document and corroborating it with various sources. Even things like carrier data or taking a selfie and comparing it to the ID photo.”

Businesses have a trade-off between stopping fraud losses and serving customers. How do they strike a balance? 

Fraser responded: “I look at it from an end user’s perspective first and from the back end second. If someone is opening a bank account with $100 in it, you probably don’t need a blood sample. I always like to encourage my partners to tell me what they did in the paper process. They will literally be okay with a printed document mailed to a printed address, get back a scribbled piece of ink, and they’ll give you a $100,000 line of credit on it.

“And then with a digital transaction, you know what device they have, you have the location services on the device to know where they are, they knew the PIN number to authenticate themselves, and then the client says that’s not good enough.

“Then also look at the risk of the transaction. If somebody is depositing a check into an account that’s $2,000, that’s very different from someone wiring $12,000 to some place in West Africa. So look at the transaction and balance providing a sufficient user experience so you don’t have the drop-off rates because the 1% or 2% fraud rate might be worth it so you don’t have 10%, 20%, or 30% drop-off in the new account opening process.”

So what tools are used to do that? 

Fraser responded, “A lot of the tools that Clark mentioned. You can use knowledge-based authentication. You can leverage the device itself, there’s retinal scanning on some phones, there are different ways to authenticate and collect evidence that you can use later to verify people. So if someone says it wasn’t them, you can look at the photo they provided.

“There’s a car insurance company that uses photos to keep people from suing them over liability coverage. So it’s about using the right tools, assessing the risk of the transaction, and erring on the side of the customer experience.”

What are the best practices for identity verification? 

Kvitnitsky said: “I agree that it’s a risk-based approach. You can either not onboard anyone via mobile devices and be completely risk-averse, such as half of the top ten banks in the US, or do nothing and let everyone in. A lot of start-ups say they don’t worry about risk or compliance because they’re too small, for example. And then there’s everyone in the middle.

“To open a cryptocurrency account, you have to hold up your passport next to your face to verify who you are. That’s not a great onboarding experience because it can be difficult to get a clean photo. But there are a lot of flags you can track. For example, last year there was a woman who was the queen of tax fraud, and she had about 1,000 tax returns sent to the same address, so the velocity of that data helped catch her.

“You can start on one end of the spectrum with a simple check, such as document verification, and then you can add in things like a text message to verify that they’re there and put a timer on it. Or you could do a selfie check, like Mitek does. Knowledge-based authentication isn’t very effective, and I would argue that the bad guys are better at it. I can’t remember all the addresses I’ve lived at in the last ten years, versus a bad guy who has my data, thanks to Equifax.

“If it’s a financial transaction, you have to verify the person, regardless of the amount. This is public information: In 2012, PayPal missed about $30,000 in transactions and were fined $7 million because they didn’t verify those people. That can take many companies underwater very quickly.”

How will mobile platforms evolve the ability to verify people?

Clark said: “Mobile in the world of identity is becoming synonymous with your identity, in many ways. It’s become sophisticated in terms of fingerprinting the device, its reputation, and so forth. And it will become more sophisticated in the future. If done right, mobile should be your main channel for initial and ongoing verification processes.

“Selfie capture is one example. If you’re capturing a selfie, as part of that experience, because of the richness of the stream, there’s a way to tell that that’s a live user. It makes mobile an amazing channel for all kinds of transactions. If you don’t have a way to use mobile, that’s something you should seriously look at because it’s a good way to onboard the most end users and verify them.”

How does mobile verification apply to the world of financial institutions? 

Fraser said: “I agree with Clark that mobile is more secure. Right now you can’t use Snapchat or Instagram on your computer. Outside of financial services and healthcare, the rest of the world has adopted this. It’s time to stop being 10-20 years behind the rest of the world and adopt these new technologies. The fact that 50% of the top ten financial institutions don’t allow new account openings on mobile is shameful. The other FIs, along with credit unions and smaller FIs, will catch up to them.”

In an environment where the biggest demand is from young users who don’t have long credit histories and may have just gotten their mobile devices, how do you address that?

Kvitnitsky responded: “I’ll use Canada as an example. In that country, a law was just passed that said if a credit file isn’t at least three years old, you can’t use it. If you’re not in your mid-20s, you’re off the map for getting a new account.

“So it becomes about using alternative data, such as carrier data. In the US, they allow their data to be used for a lot of things. Governments, especially in southeast Asia, are a good place to start.

“With a mobile device, you can track where the person is coming from. If they say they’re in San Francisco but the IP address is in Russia, that’s a red flag. Risk isn’t created equal among all countries. Our clients worry about Asia Pacific and eastern Europe because that’s where a lot of fraud comes from. On mobile, you can send them a text message or ask for a fingerprint or a selfie.”
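The risk signals described above (many applications sharing one address, a claimed location that doesn't match the IP's country, the size of the transaction, and whether the ID document checked out), combined into one triage routine as an added Python example that is not the panel's or any vendor's code. The IP-to-country table stands in for a real geolocation service, and the applications, weights and thresholds are all constructed assumptions for the demo.

```python
"""Risk-based onboarding triage: velocity, geolocation mismatch, amount.

Added example (not the panel's code or any vendor's product).  It scores
constructed account-opening records with the signals the panelists
describe and holds high-scoring cases for review instead of rejecting
them outright, so a low-value application with one weak signal still
gets through.  Every weight and threshold here is an assumption.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical IP-to-country lookup standing in for a real geolocation
# service; addresses are from documentation ranges and countries are made up.
IP_COUNTRY = {
    "203.0.113.10": "US",
    "203.0.113.11": "US",
    "198.51.100.7": "RU",
    "192.0.2.44": "US",
}

# Assumed thresholds and weights for the demo
VELOCITY_WINDOW = timedelta(days=7)
VELOCITY_LIMIT = 3           # applications per address per window before it's a flag
HIGH_VALUE_AMOUNT = 10_000   # first-transaction amount that adds risk
REVIEW_SCORE = 50            # score at or above which the case is held


@dataclass
class Application:
    app_id: str
    submitted: datetime
    mailing_address: str
    claimed_country: str
    ip: str
    doc_verified: bool         # outcome of an ID-document scan
    first_txn_amount: float


def velocity_by_address(apps, window=VELOCITY_WINDOW):
    """Count, per application, how many applications share its mailing
    address inside the window ending at its own submission time.

    This is the 'same address over and over' signal: the count grows with
    each repeat, so the Nth application on an address is the one flagged.
    """
    by_addr = {}
    for a in apps:
        by_addr.setdefault(a.mailing_address, []).append(a)
    counts = {}
    for a in apps:
        peers = by_addr[a.mailing_address]
        counts[a.app_id] = sum(
            1 for p in peers if a.submitted - window <= p.submitted <= a.submitted
        )
    return counts


def score_application(app, velocity_count):
    """Combine the signals into a score and a list of human-readable reasons."""
    score = 0
    reasons = []
    if velocity_count > VELOCITY_LIMIT:
        score += 50
        reasons.append(f"{velocity_count} applications share this address in the window")
    ip_country = IP_COUNTRY.get(app.ip, "unknown")
    if ip_country != app.claimed_country:
        score += 30
        reasons.append(f"claimed {app.claimed_country}, IP resolves to {ip_country}")
    if not app.doc_verified:
        score += 30
        reasons.append("ID document not verified")
    if app.first_txn_amount >= HIGH_VALUE_AMOUNT:
        score += 20
        reasons.append(f"first transaction {app.first_txn_amount:.0f} at or above threshold")
    return score, reasons


def triage(apps):
    """Return {app_id: (decision, score, reasons)} for a batch of applications."""
    counts = velocity_by_address(apps)
    out = {}
    for a in apps:
        score, reasons = score_application(a, counts[a.app_id])
        decision = "hold_for_review" if score >= REVIEW_SCORE else "auto_approve"
        out[a.app_id] = (decision, score, reasons)
    return out


# Constructed sample batch: one clean case, one geo mismatch on a large
# first transaction, four applications to the same address in four days,
# and a fifth to that address weeks later, outside the velocity window.
_T0 = datetime(2017, 11, 1, 9, 0)
_SHARED = "77 Shared Ave, Anytown"
SAMPLE_APPS = [
    Application("A1", _T0, "1 Market St, San Francisco", "US", "203.0.113.10", True, 100.0),
    Application("A2", _T0 + timedelta(hours=1), "9 Pine St, San Francisco", "US", "198.51.100.7", True, 12_000.0),
    Application("A3", _T0 + timedelta(days=1), _SHARED, "US", "192.0.2.44", True, 250.0),
    Application("A4", _T0 + timedelta(days=2), _SHARED, "US", "192.0.2.44", True, 250.0),
    Application("A5", _T0 + timedelta(days=3), _SHARED, "US", "192.0.2.44", True, 250.0),
    Application("A6", _T0 + timedelta(days=4), _SHARED, "US", "192.0.2.44", True, 250.0),
    Application("A7", _T0 + timedelta(days=20), _SHARED, "US", "203.0.113.11", True, 250.0),
]

if __name__ == "__main__":
    for app_id, (decision, score, reasons) in triage(SAMPLE_APPS).items():
        print(f"{app_id}: {decision} (score {score}) {'; '.join(reasons)}")
```

Two design points worth noting: the velocity count only looks backward in time, so the first three applications on the shared address pass and only the fourth trips the limit, and a hold is a review queue rather than a denial, which is what lets the amount and the other signals be weighed against the drop-off cost the panel describes.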

What are your thoughts on the regulatory environment and how it will impact identity verification in the next one to two years?

Clark said: “The European regulations tend to be ahead of the US, but these things normalize over time. The European regs are a sign of what’s to come in the US. The main ones are the anti-money laundering regulations which require knowing your customer. In Europe, they have the AML-4 directive, with the AML-5 directive soon to follow, and without going into the weeds on this, the story is that more and more transactions are requiring customer due diligence.

“There are good reasons for that. Even though it’s about anti-money laundering, it’s based mainly on counter-terrorism efforts. For example, the Paris bombings were funded by prepaid cards, so guess what’s in the new European regulations? You must do identity verification for people buying prepaid cards. More and more transactions are coming into the fold, including cryptocurrency and others.

“We expect those due diligence trends to happen in the US too. It’s in the best interest of your organization to have a strong front door and use the right technology for that.”

Fraser added: “I agree with the front door piece, but I don’t think Europe is ahead of the US. I would argue that the amount of regulation needed makes me think about the future and look toward the technology that could solve this, rather than constantly chase. I’m looking for a future where we’re not constantly implementing regulation but getting ahead of it with technology that will stop it.”

Kvitnitsky concluded: “Governments don’t agree on a lot of things, but they do agree that money laundering is bad. About 2% of the global GDP is laundered, which is $1-2 trillion a year that results in missing tax revenue. I think a lot of regulations are good, and the US is way behind. There’s nowhere else in the world where you can Google someone’s name and find out where they live, find their date of birth, their family history, and so forth.

“Our company took the approach of meeting the strictest regulations in the world. It’s our opinion that Australia and other parts of Asia Pacific are the strictest. So when a lot of laws in Europe came through, that was great for us. People have a right to their data and how it’s used in Europe.

“There was a single woman in Europe who asked Tinder for all the data they had on her. They gave her a 200-page report, including food preferences, the men she liked, and so forth. A lot of people say they care about data, but it’s probably scary when they get it. I’d like to see the US catch up on that.”

Q&A 

An audience member asked: “One of my pet peeves about identity and authentication. When it comes to banking, it’s annoying that the level of security needed to get into my online accounts is really not good enough. I’ve asked banks to implement two-factor authentication. With everything going on in fraud, what’s holding back North American banks and financial institutions from using this kind of technology?”

Clark responded: “Complexity is quite severe, between legacy platforms and the disconnectedness of their user information and their internal processes. In general, a lot of banks and financial institutions have a layered approach to authentication that’s not visible to a lot of people. You might think they just want a password, but there are multiple passive layers that underlie it, such as behavioral biometrics, the device fingerprint, and so forth.

“Just about every financial institution is doing a lot with biometrics in some form of a pilot, as well as two-factor authentication. It’s common to have a single gate to get in and look at your money, but if you want to transfer anything, it’s common to have a two-factor solution. But that needs to happen much more quickly. By 2020, biometrics will be the pervasive means for authenticating account access because it’s more secure.”

There were no other questions, so Gunn asked about a final topic.

Some US states are testing mobile driver’s licenses. How will that change how identity is verified?

Clark replied: “They’ll be used as part of the process. Some European countries are ahead of that, such as the Netherlands, where you need an e-ID to get some government services. It’s just another way for a bank or someone else to get your identity by tapping into those repositories, but it will take a long time because of privacy considerations, fragmented data, and so forth. Physical IDs will be relevant for many years to come, but e-IDs will be a great resource eventually.”

How will e-ID use be implemented?

“I expect it will be an opt-in process,” Fraser said. “As long as they put it in the end user’s hands, I’m excited about that kind of technology because it puts the customer at the center of it and gives them some comfort.”

Kvitnitsky added: “I think what will slow it down is that DMVs have their own IDs. It’s like dealing with different countries. We deal with about 30 state DMVs, and the other 20 aren’t even digital yet. We are far away from a digital driver’s license in the US because only a few states are close to ready for it.”