Digital Signature Legality for Businesses in Mexico

How to eSign a document: digital signature legality for businesses in Mexico

[Music] now I'd like to uh introduce our panel here um we've got uh Jac Earth from the Netherlands representing NBA which is the Dutch Institute of Chartered accounts and is also chair of X Netherlands um we've got VM Heiden um digital reporting lead at PWC Netherlands and also Vice chair of the corporate reporting policy group at cting se Europe um Jose Moreno from 2 software in Mexico um founder and also uh member of the XL Standards Board and Elena k cantalo sorry uh from xprl Finland also independent xprl consultant so thank you very much um for taking part in this panel um and there's a reason why uh the Netherlands is slightly over represented on this panel and that's because there are jurisdictions where we are already using digital signatures uh in xprl so Jack if I could start with you and pass your microphone so you can answer um and just ask you to explain a bit bit more about who it is who's using digital signatures in the Netherlands with xbrl and what exactly is being done there okay to be honest we were a little bit lucky um we started with a men in 2017 the Mandate for average for average mediumsized companies and the Dutch law states that an an an a Sit company must be ACC computed with an auditor report so there's nothing strange I I guess but another part of the Dutch law states that an auditor report always must be signed and we were there digital of course because the the the the filings were in experi so we had to make a a a a swift from from yeah let's say paper based signing to digital-based signing and and the Auditors the accountants in the Netherlands were the first one they had to deal with that but luckily because that was the same period that ads ad ad was was published in this new form and the ety standards were renewed the year before so we had a very good good starting point and everything was was clear again we had to use the ety standards because we had to add here to ad80 do so we started with that so that is our framework it's it's just uh the the ety standards uh and we using Sardis for for the digital signatures so um and we were the first one uh of course to try it uh we had to event uh everything ourselves for example the the uh signature policy something new let's say text somewhere on the internet in an XML format um yes uh saying what is the legal meaning of of of the signature it it it was not there but we were the first one um to to to create that uh uh thing and everything worked from the start um because we had a mandate in 2017 and and were a lot of worries but at the end everything everything works the whole chain from the uh let's say the company until the the Chamber of Commerce worked um so so and for some of you already know that we have a a system a methodology in the nland called standard business reporting so we want to create one one standard and because the the the the method we used for the accountant was very successful the same method has been copied by the uh uh actuaries and and the um I forgot I forgot uh sorry the housing C housing the appraises that's what I was looking for the appraises yes that was the term I was looking for so now we have the the same solution working for the activar and the appraises besides the uh accountants all based on standards uh U we all support like s ET see so nothing nothing offensive great thank you and um a l of the work that we're doing in the digital Sy working group is trying to learn from this experience and then coming up with a framework that allows us to apply digital signatures to uh XL in a consistent manner um and also um figuring out how we apply digital signatures to inline xprl reports as well as uh xprl reports um but come to you um and um as it stands U many Securities Regulators central banks and other authorities that collect reports um rely on simple username and password for authentication uh when receiving those reports and checking that the person filing the report is who they say they are um can you say a bit about why now might be the time for that to change and why we should move on to something more sophisticated yeah sure Paul um exactly you're saying uh what you just said um many Regulators still rely on Portal um either portals using uh company login uh credentials or personal login credentials but it's just that it's just access to a portal and not link to the individual filing uh but going forward U um well what you see is since digitalization is really taking off and um especially ESF and even more so cfrd um are triggers to uh to reconsider whether the accountability that that we want at company level should also be uh uh pushed forward to the individual U uh directors of the companies because actually they are the legal persons that take ownership of the report and that's in many company laws that is stated uh but right now there's no mechanism for conveying that whilst they do that or they did do that uh on paper the the directors have to sign off on the on the accounts or on the regulatory reports uh there's no equivalent in the digital uh uh Arena so there's a call for more uh at least the opportunity the possibility uh to sign off digitally and uh making the link to uh to SBR um back in 2016 or even 15 we did have a discussion um whether the uh company directors also would have to sign off on the SBR annual statements um not only the auditor uh but we then decided even though technically it would be possible uh we decided against that because of the costs uh for digital certificates which at that point in time were really high and they were considered uh from a political point of view not acceptable but technically we uh already had the discussion and it would have been possible to also have the director sign it uh sign the accounts back then so this is this is this is basically where we're coming from that's very interesting you mentioned the issue of the cost of certificates what what's changed there is that to make them more affordable is that well I well that's a relative term but what you see is now since digitalization has progressed much further than it was in 2015 16 um the let's say the relative importance of the cost of a digital certificate is not perceived as being that much of a burden as as it was back then because now companies have to use um digital certificates for much more purposes I mean uh for example tax de declarations and statistical declarations they also need to be signed sign signed off so if you see the network effects from you know more usage then the relative costs go down so at this point in time if I can speak for the Netherlands the cost of individual certificate are not being seen as a significant hurdle for adoption anymore okay that makes a lot of sense um and I think one other um topic that's come up in the context of digital signatures that know John Turner and I have discussed is the the impact of AI and in particular of responsible AI um and the importance of traceability that that bring with it that when you're looking at a a figure in a in an analyst model the ability to trace where that figure came from um becomes increasingly important and digital cures potentially have a very important role to play there and being able to demonstrate that this this particular figure is not an AI hallucination it really was from a real financial report and it was audited by this entity and created by that entity and signatures give you the ability to verify that um but if I can move on excuse me to uh to Jose um and you've worked very closely with the uh Mexican Stock Exchange and other uh Mexican Regulators um are these kind of issues of trust in reporting also relevant in a Mexican and perhaps more broadly uh Latin America context um and can you see a in which corporate and auditor accountability through digital signatures adds to Market trust um of course um actually right now the mexan stock exchange they offer an API for third party vendors of software that offer editors to create uh the xerial filings to submit the documents and the documents have to be digitally sign uh but they wanted to move forward with also signing digit Al you know maybe parts of the report for the auditor or the whole document for specific officers inside a company but in our case we had we faced an issue where all the Mexican citizens they have a certificate issued by the tax Authority everybody has to have one of those but the foreigners they don't have that certificate so and obviously for an IPO or for a de dist there's frequently foreign involved so that's why they didn't keep pursuing this idea but I think it's something really important because even though as we keep evolving the taxonomies and adding more digitalized information inside these filings in the end we keep attaching a PDF with manually signatures in a in a sheet of paper you know and to me that's ridiculous because even though the government keeps spending on improving and making trying to make more modern systems it's incredible that we are still attaching in the end a copy of a sheet of paper with manual signatures I think that by having this um Innovation from xbrl International and seeing that more countries are adopting digital signatures in a standardized way will help push forward the local regulation in Mexico and also in Latino America to say this is the way that uh everybody's doing it this is the the way forward and I think it's going to be very beneficial uh to have this kind of a standardization around digital signature thank you and I think I think uh you and vill both highlighted common problem with digital signatures which is not necessarily the challenge of actually signing the document although there are challenges there particularly when you get into the topic trying to sign part of a document or signing for purposes but actually the the Big Challenge often is the certificate infrastructure and actually getting the signatures getting the certificates rather to people so they can make them make the signatures and and managing um that side of things but I think it is always interesting to compare uh the digital signature world to the paper world that it's replacing because you know when you look at what we do on paper and what we rely on for a signature and there's actually very little you can do to verify an ink signature um even once it's being copied around it's very little very hard to actually verify that so digital SES are giving us um a lot more in terms of um verifiability than what we had before I'm so Elena um in a number of uh EU jurisdictions the uh the audit profession is very much tied to their um PDF based infrastructure they have little s dongles that they can use to digitally sign U PDFs using uh using that infrastructure and uh I think it's probably going to be very difficult to move them away from that but do you think that sort of digital signature um that we're talking about for inline xbrl would be welcomed on EF reports in in Finland for example yes absolutely and um at the moment in Finland uh we are still in a situation where the ESF filings are not recognized as official financial statements the law is actually written that you need to publish your financial statement but not prepare in SF and thus then everything uh is paper that you sign uh of as an auditor but now uh in the next uh weeks we're actually passing a new or set of new laws that will recognize the SF and other xpl filings as the official ones um and no more mentioning of any paper anywhere the same also for uh auditor statements uh the csrd uh Assurance report has to be in inline xprl so we cannot escape this uh question anymore um but we need Solutions um we are very much looking forward to having a standard uh yeah yes no no we cannot do that so we look towards XI and we look towards the EU uh or or Global solution and uh hope that that will Sol solve the issue for us fast um for the certificates um we do have a national system in place with the ID cards that they have a chip um that acts as a certificate but uh it's difficult to use you need to have a chip reader so I hope there will also be a better way to distribute the certificates thanks thank you and yes and that's um uh emphasize one of one of the things um that we are acknowledging in the in the working group is that yes we need a standard we need consistency between the different jurisdictions but actually lot of jurisdictions there's already some infrastructure in place there's already you know perhaps six C certificate infrastructure in place or in case Netherland is already signing in place and we need to be able to accommodate uh the existing infrastructure but try and make it uh more consistent now you mentioned Solutions um and specifications and standardization is obviously uh one part of problem in terms of solution but then the next part of it is software so Jack if I could ask you um at the moment there's obviously no software out there that allows you to sign an inline exper report either in in the hole okay Sor but either in whole or in part here hear some details in a moment um but do you have a view on what that type of software should look like and what the user experience should be oh that's a very good question um yeah you have u a solution of course at this moment um it's it's but it's not ready for inline XB um um but the open one of the solutions we have is an open source solution um um you can find it at open sb.org um and it explains a lot I guess if you look take a look at it but but I see that solution because that solution is is being reused in a lot of other software Solutions but I see that solution as a Leo uh building structure and I think what we have to do in the Netherlands if we want to support inline exhib well we have to dissemble um that that that structure and and use the same bricks again and to rebuild something and I I think that can be done very very very very quick and it's up to the user what what he wants to see so I'm I'm I'm I'm I'm I'm I'm more the technical guy you know me I'm I'm more the technical guy not not the end user just I I don't mind but but but I I'm certain that um the things we we now offer to to the end us es which is very simple we can also do that with the same building blocks the same legal bricks to the uh for for the new situation so I'm not afraid of that um um um and I really would like to have one European Standard solution and probably there will be some let's say say alterations because of local laws and things like that but a generic solution would be would be very nice um also yeah um to to be honest the creation of the signature that's that's not the difficult creating the hash which is the basis of the yes of the of the signature there there lies the complexity and if we can keep that simple as possible throughout Europe throughout the world then we have an easy adoptable system and that's the experience I have because we we we support everything from PDFs to to other XML files xbrl files the the the the link bases if there was a issues extension all of it but it and and and and every time we only have to adjust the bricks will do you want to add to that sorry as ja made clear that um let's say in the Netherlands I think the experience that we had and the developments that we have uh done basically create the building blocks for a potential European solution but uh we don't our suggestion is not that EU or at EU level we adopt the Dutch approach although we would love that and it would work we think but the point is the point is the the point is we've got all the components in place and based with those components I think uh we we can build a European we come up with a European approach which uh uh does not necessitate real development work it's just agreeing something that could work across EU area um uh I think that's the most important uh aspect but we've proven in the Netherland I think that's the core point that it can work we've got everything in place one thing I want to add to that discussion before we move on to what alen and J said um um the level of assurance that we provide in the Netherlands by using a digital signif is significantly higher than a paper based you know an ink signature because the when the auditor signs his his or her certificate is actually being checked for validity not only whether it is still a valid certificate but also the the qualification of the person so that you're actually also allowed to sign so there's a registry behind that which is being actively managed so you you know when you got a digitally signed Dutch SBR set of financial statements including auditor opinion you know that the auditor was actually the auditor that that signed it we know with threeway um verification but also that that auditor was at that point in time you know authorized to sign and the same infrastructure I think is very important when you want directors of a company to sign and I think in many countries you have a uh a register like in the Netherland we have a register linked to the company's register but I'm not aware that in all other company countries in the European Union such a register exists so that's an important requisite I think for this solution to work yeah absolutely and I think that's that's an important thing that um adopting digital signatures for uh digital reports is not just about moving the status quo from signing paper reports into the digital world it's actually enabling more allowing us to do more with the signatures in terms of their verifiability and their scope and their purpose and their meaning so I think there's it's uh perhaps easy to look at it as a as a problem how do we how do we replicate what we've got but we don't want to replicate we what we've got we want to be able to do everything we can do today and do more um digital signatures um and you mentioned about expanding what's been done in the Netherlands to a european-wide solution obviously we're then looking to have a truly International solution that will work around the world ABS absolutely um and um I think what from what we see inside the working group the difference there is the um what um digital signature Frameworks exist already in in the in the legal context what the legislative framework is for digital signatures and obviously in the EU particular standards on that side that we need to adhere to but that's why we say that the XI solution X International solution digital signatures needs to be technology agnostic on the signature side is because different jurisdictions already have existing different standards there um Jose um and on the top on the topic of software obviously there's a bit of a chicken and egg situation always with these things until there's some software Regulators find it hard to mandate um the use of signature need any any standard and similarly until there's a a mandate from regulator software developers have little incentive to develop Solutions so do you have anything um you can add on in terms of how we can move that forward and indeed what what software should look like for maintaining digital signatures of course I think that uh another important issue when you're dealing with certificates andal signatures is that especially if you we look at the recent past 10 years ago when you were about to sign something digitally you know with with a certificate you usually needed to something in your computer know maybe a plugin but if it is if it comes from java you know the Java bral machine it's at the Trap you know almost any institution would allow the client to download a jnlp plugin if it is a Windows application then you're living out U many any other operating systems you know and when you think about corporate corporations they really have a tight uh it policy you know and it's really complicated to say to tell a bank all your officers that need to sign documents they need to the software you know that immediately would trigger a huge certification process you know that so that's why I think this solution also has to innovate in in how we can digitally sign documents without having to plugins through the use of new technologies like certificate bolts on the cloud or you know having a yeah Cloud signing and not relying on on the client but rather on a on the very self- certificate Authority maybe I think that would that's going to be key to speed up the implementation process so nobody has to anything and that it feels like a breeze to sign a document yeah and I think ease ease of use has been a significant issue with digital signatures and actually cryptography in general over the years the technology for signing emails has existed for pretty much as long as I can remember using emails and things like gpg it's been around for years but it's still not routinely used it's still not routine to sign your email digitally because the user experience has always been um so terrible and so that's obviously something we must overcome in bringing digital signatures to xql Elena is there anything you'd like to add on the topic of software and uh yeah um you mentioned the Chicken and the Egg problem um I actually don't think that it exists I think the once you have the standard and we know how we want to to apply the building blocks as as you said and we have them in place I think the rest will follow quite quickly at least in Finland we're just waiting for there to be something that we can use uh the the Mandate is essentially there uh if if we can apply something so um that that's that should be first um and then yes I I agree what Jos said and also it would be very helpful to have some open source tools we've already done some trials with the open open spr tools that uh the Netherlands have uh created and they work for us too um so something like that would be great and of course Comm commcial tools as well that can then provide better functionalities but with those I think we could get far thank you thank you and I think we do just have uh a couple minutes for questions has anyone got any questions to the panel J yes thank you Paul in fact I would like to to know if you are aware of the initiatives in the different part of the world and especially in Europe and the first question and second if there are um the European commission for instance which is uh having a project on that because it could be interesting to to speak about that to the authorities because we are this is um in my opinion something which we could try to convince the authorities to to be involved in that don't you think for the group um I'm only aware of what GLI is doing at the fible LIE it seems the same that it seems to to have a solution for the same as the same problem but the other part you were telling I was not aware of that that that is was playing in the European Union so if you have some details for me I uh yeah I'm sorry it could be interesting to to for all of us to try to to get some information for first who is who could be dealing with that in the European Commission because I'm sure that someone is dealing with that and second how to involve them in our work or vice versa don't you think okay thank you for the signal I will uh I'm sorry hello I'm aware of some of these uh uh Trends in the European Union and it's also I think the where you see diverging Trend in perhaps the world that where are many parts designing is quite technical with uh it's a hash and a digital signature and it's something that the computer can decrypt and you see the European Trend especially now also moving towards Eid 2.0 where there are intents like with the the the signature policy the expression of will uh the idea of also adding in attributes that I'm signing from a certain role which could be an accountant or managing director or just adding in all kinds of aspects in which add legal value to something which has always been a very technical something like we see a lock in the screen when we visit a uh secure website and we know have a secure connection so I think that one is quite interesting and I think it's also quite interesting to follow all the discussions currently regarding Eis 2.0 because uh European Union wants to push those uh uh Technologies to the end user with the cloud sign uh with the you can set signatures but they also State there must be free tools available for everybody with a very good user interface that they can verify any kind of document uh where what kind of signatures are in there and whether it's useful so I think that Trend would be also want to follow to look for the usability and the acceptance uh uh we we are in the Netherlands yes of course okay funny because one of the initiatives of open SBI just walked inside this this room man can I you saying I think that alludes to um for this community to I think an important uh question that we need to answer ourselves okay where do we want to start with setting our standards because we're not in Reinventing the will we should take what's already there at European level this generic it do 2.0 for example that's something it's a given for us and we want to add on that but the question here for this group I think is how do we apply uh that those generic uh developments in the specific environment of signing structured digital reports you know in reporting change how do we do that and how do we think that could be standardized at EU level which I think is a main driver internationally but if possible globally but I think EU uh drivers are stronger than the international driver but that's my personal opinion please join me in thank you