
Strategy for recording tax form signatures #7220

Closed
Tracked by #7216
Betree opened this issue Jan 12, 2024 · 3 comments
api Issues that require some work on the API (https://github.com/opencollective/opencollective-api) frontend needs specs This task needs additional specifications. Feel free to comment to ask for details.

Comments

@Betree
Member

Betree commented Jan 12, 2024

Part of #7216

With the tax forms collection moving to our own system, we should look into the best practices for recording online signatures.

  • Do we need to collect and store the associated IP?
  • Do we need additional KYC?
  • Should we sign the PDF with something auto-generated from the name, with a canvas that lets the user draw their signature, or with an uploaded file? Does it matter?

Resources

@Betree Betree added api Issues that require some work on the API (https://github.com/opencollective/opencollective-api) frontend needs specs This task needs additional specifications. Feel free to comment to ask for details. labels Jan 12, 2024
@Betree Betree changed the title Define a strategy for recording tax form signatures Strategy for recording tax form signatures Jan 12, 2024
@Betree
Member Author

Betree commented Jan 16, 2024

After reading through some resources (see above), here's my understanding.

The ESIGN act

The ESIGN act is the law that allows electronic signatures to be legally binding in the US. This law does not require a specific technology to be used (e.g., DocuSign), but it does require that the signature is:

  • Immutable: The documents must be generated in a way that can't be tampered with. I assume that by uploading the PDF to S3, the "Last Modification Date" can serve as a certification since it can't be edited.
  • Identifiable: The signer must be identifiable. The level of identification is not clearly defined; it goes from the basics of requiring a password/2FA to more advanced methods like using a government-issued ID. The level of verification to apply depends on what the agencies (i.e., the IRS) we're dealing with require and the level of trust we want to have. It is important to note that the service we've been using so far, Dropbox Forms, does not do any identity verification; it only verifies the email.
  • Auditable: Though the law doesn't specify what needs to be recorded, most of the services for electronic signatures provide an audit trail where, at each step, they log some metadata: timestamps, IP address, browser/device, etc.

The IRS

Some government agencies still require a third-party service like DocuSign to act as a neutral 3rd party. The IRS is not one of them. The IRS allows you to use your own system as long as it respects the ESIGN Act along with some rules about how the signature should be done:

Electronic Submission of Forms W-9

Requesters may establish a system for payees and payees' agents to submit Forms W-9 electronically, including by fax. A requester is anyone required to file an information return. A payee is anyone required to provide a taxpayer identification number (TIN) to the requester.

Payee's agent.

A payee's agent can be an investment advisor (corporation, partnership, or individual) or an introducing broker. An investment advisor must be registered with the Securities and Exchange Commission (SEC) under the Investment Advisers Act of 1940. The introducing broker is a broker-dealer that is regulated by the SEC and the National Association of Securities Dealers, Inc., and that is not a payer. Except for a broker who acts as a payee's agent for "readily tradable instruments," the advisor or broker must show in writing to the payer that the payee authorized the advisor or broker to transmit the Form W-9 to the payer.

Electronic system.

Generally, the electronic system must:

  • Ensure the information received is the information sent, and document all occasions of user access that result in the submission;
  • Make reasonably certain that the person accessing the system and submitting the form is the person identified on Form W-9, the investment advisor, or the introducing broker;
  • Provide the same information as the paper Form W-9;
  • Be able to supply a hard copy of the electronic Form W-9 if the Internal Revenue Service requests it; and
  • Require as the final entry in the submission an electronic signature by the payee whose name is on Form W-9 that authenticates and verifies the submission. The electronic signature must be under penalties of perjury and the perjury statement must contain the language of the paper Form W-9.

On top of that, the IRS defines some general rules about electronic signatures:

The IRS will accept a wide range of electronic signatures. An electronic signature is a way to get approval on electronic documents. It can be in many forms and created by many technologies. Acceptable electronic signature methods include:

  1. A typed name typed on a signature block
  2. A scanned or digitized image of a handwritten signature that's attached to an electronic record
  3. A handwritten signature input onto an electronic signature pad
  4. A handwritten signature, mark or command input on a display screen with a stylus device
  5. A signature created by a third-party software

The IRS doesn't specify what technology a taxpayer must use to capture an electronic signature. The IRS will accept images of signatures (scanned or photographed) including common file types supported by Microsoft 365 such as tiff, jpg, jpeg, pdf, Microsoft Office suite or Zip.

Conclusion

In the context of W9/W8 forms, it looks like nothing is preventing us from collecting the signature ourselves as long as we respect the rules about identifiability, immutability, and auditability mentioned above. We should especially ensure that:

  1. The language used on the form matches the document. This should be the case if we replicate the Dropbox Form template we already have.
  2. We record some metadata when signing the form: browser/os, IP address, and any uniquely identifiable information.
  3. We ensure the user is identified (if set up, a 2FA confirmation would be nice).
  4. We add an input that clearly mentions that it's a signature. This input can be any text field where you type your name, a canvas to draw your signature, or an image upload field.
  5. We add a policy to our S3 bucket that prevents existing files from being edited.

In the future, we may have to look into 3rd party solutions if we ever start collecting legal documents for different agencies, especially in Europe, where some government agencies require more complex regulations (Regulation 2014/910/EU, eIDAS, PADES, CADES, XADES) that would be difficult to implement and maintain internally.

@Betree
Member Author

Betree commented Jan 17, 2024

  • For Auditability, it would be interesting to record the payment information we have in the audit log (name, address)
  • We may want to have stricter enforcement between the name on the tax form and the payee's name
  • We do not want to store real users' signatures as they're sensitive info, so we'll go with an auto-generated solution
  • We need to make sure that the user has control over the auto-generated signature before submitting
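As an added illustration of the points in the conclusion above and in this follow-up (a typed-name signature with no stored image, identity and 2FA checks, an audit record carrying IP/user agent, and a name match against the payee), here is example code that is not part of the Open Collective project. It seals each signing record with an HMAC over the canonical JSON plus the SHA-256 of the generated PDF, so later edits to either the stored form or the audit entry are detectable; the PDF bytes, the user/request dicts and `AUDIT_KEY` are constructed placeholders.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample standing in for the generated tax-form PDF; not a real form.
SAMPLE_PDF = b"%PDF-1.4\n% constructed sample W-9 with perjury statement\n"
# Hypothetical server-side secret used to seal audit records (assumed, not from the project).
AUDIT_KEY = b"example-audit-key-replace-in-production"


def _canonical(record):
    # Stable serialisation so the HMAC does not depend on key order or whitespace.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _normalize_name(name):
    return " ".join(name.split()).casefold()


def build_signature_record(pdf_bytes, typed_name, payee_name, user, request, key=AUDIT_KEY):
    """Audit-trail entry for one signing event: document digest, signer identity, request metadata."""
    if not user.get("authenticated"):
        raise ValueError("signer must be logged in")
    if user.get("has_2fa") and not user.get("twofa_confirmed"):
        raise ValueError("2FA confirmation required before signing")
    # Enforce that the typed signature matches the payee name on the form.
    if _normalize_name(typed_name) != _normalize_name(payee_name):
        raise ValueError("typed name does not match payee name")
    record = {
        "document_sha256": hashlib.sha256(pdf_bytes).hexdigest(),  # ties the record to this exact PDF
        "signature": {"method": "typed_name", "value": typed_name},  # no drawn/uploaded image stored
        "signer": {"user_id": user["id"], "email": user["email"],
                   "twofa_confirmed": bool(user.get("twofa_confirmed"))},
        "request": {"ip": request["ip"], "user_agent": request["user_agent"]},
        "signed_at": datetime.now(timezone.utc).isoformat(),
        "perjury_statement_accepted": True,
    }
    record["record_hmac"] = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return record


def verify_signature_record(record, pdf_bytes, key=AUDIT_KEY):
    """True only if the stored record is unmodified and still matches the stored PDF."""
    body = {k: v for k, v in record.items() if k != "record_hmac"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    record_ok = hmac.compare_digest(expected, record.get("record_hmac", ""))
    doc_ok = hmac.compare_digest(hashlib.sha256(pdf_bytes).hexdigest(), body["document_sha256"])
    return record_ok and doc_ok
```

Run `verify_signature_record` whenever a form is retrieved for the IRS or an internal review; a false result means either the PDF in storage or its audit entry no longer matches what was signed.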

@Betree
Member Author

Betree commented Apr 12, 2024

These specifications have been implemented in opencollective/opencollective-frontend#9906 + opencollective/opencollective-api#9988.

@Betree Betree closed this as completed Apr 12, 2024