Vaultie

Virtual commissioning in Ontario, can it be trusted?

Ontario’s virtual commissioning regulations came into effect on August 1, 2020. However, there’s one key fact that’s been lost in the shuffle amid the excitement of taking this big step forward (and it is big): the regulations are porous when defending against identity theft and fraud. 

Misaligned with other heavily researched and already established digital identity practices in Canada, the new regulations aren’t up to par with jurisdictions that have already implemented this change (in the US either). That makes our virtual commissioned documents both untrustworthy and risky for third parties.

The core issue is that the regulations for virtually commissioned documents do not satisfy the main purpose of a commissioned document: to facilitate trust between all parties involved in the transaction. The declarant/deponent, the commissioner, and the third-party all need to be able to verify the legitimacy of these documents. 

Further, there is no obligation in the regulations for anyone to accept a virtually commissioned document. Without some alignment on digital identity standards and fraud prevention, it’s not clear how any third-party verifiers could. 

There are three key areas where these regulations don’t meet the grade.

1. Identity Verification

What does the regulation say?

The person administering the oath or declaration confirms the identity of the deponent or declarant.

Why this is an issue?

Confirming an identity is very open ended in this case. 

There are two issues with the wide array of acceptable methods for confirming identity for virtual commissioning in Ontario. The first is the potential for fraud, where falsified IDs, documents, or even discussion through the video chat can be used to fool an untrained eye. The facilitation of trust is also broken since the third-party verifier has no way to ascertain whether a commissioner’s confirmation of identity matches their own requirements or even a way to verify the identity on their own.

Two existing standards illustrate this wide disparity.

The Law Society of Ontario’s Best Practices for Remote Commissioning, published in relation to the new regulations, set out its best practice for identify verification:

22. Request that the deponent show the front and back of their current government-issued photo identification.

23. Compare the video image of the deponent and the image and information in the deponent's government-issued photo identity document to reasonably satisfy yourself that it is the same
person and that the document is valid and current.

Well established and heavily researched digital identity standards are already used in Canada for financial transactions and were produced by The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) as a method of preventing fraud. Here is a direct excerpt from its Methods to verify the identity of an individual and confirm the existence of a corporation or an entity other than a corporation:

It is not enough to just view a person and their government-issued photo identification document online through a video conference or any other type of virtual application. You must use a software or some type of technology that would be able to authenticate the government-issued photo identification document. You must also verify that the name and image match that of the individual on the authentic government-issued photo identification document.

That means the best practices from the Law Society don’t even stand up to lowest acceptable standard in digital identity when it comes to financial transactions and reporting. There is simply no way to determine the authenticity of an ID without specific expertise or the aid of software capable of ascertaining this. 

How is a third-party verifier supposed to trust a commissioning when they can’t even verify the declarant, or trust that a verification was performed correctly?

What can be done?

Regulations should adopt standards consistent with best practices in digital identity. Nearly all of the 22 U.S. states that implemented virtual commissioning pre-COVID through remote online notary laws had language demanding verification of identities or identity proofing, both involving the use of software to authenticate an ID. The way this software works is the user takes a photo of their ID, which is tested for authenticity, then takes a live selfie, which the software compares to the ID using (ethical) facial recognition. This confirms that the user is precisely who they claim to be.

2. We can’t trust the integrity of a commissioned document

What does the regulation say?

Not much.  There is a requirement to keep a record of the transaction.

Why is this an issue? 

There is no requirement for any form of tamper evident technology. Without this, any virtually commissioned document can be easily edited, altered, hacked, or otherwise compromised.

Altering a document without tamper evident technology can be as easy as uploading it to any PDF editor. A shadow attack, which can fundamentally change a document without affecting the signature, is but one of many other well documented attacks. A declarant could simply add or subtract three zeroes to their net worth without detection, having a dangerous impact on statutory declarations of possessions, child support, and applications for mortgages, among other things. 

That means that from the moment a commissioning event is completed, the document is suspect. How can a third party trust a document if they can’t even be sure that it’s the same document that was signed during the event?

What can be done?

Place requirements on the technology used in virtual commissioning to include both independent verification, and tamper evident. All but one U.S. state (again, Pre-COVID) that has implemented virtual commissioning require that a document be independently verifiable and tamper evident.  This means that the verifier has the ability to prove whether or not a document has been altered. While this limits the technologies that can be used to perform a commissioning, most states give guidance on acceptable software providers that can deliver this when performing a signature for a commissioning. Few digital signature providers meet these standards, and most traditional e-signatures do not.

3. Verifying a commissioner

What does the regulation say?

The regulations do not address this issue

Why is this an issue? 

Within the current regulations, there provides no ability to prove the credibility of a commissioner in the first place. without the ability to verify the status of a commissioner, a third party can’t prove that any commissioned document has indeed been commissioned properly by a valid commissioner. This opens the door to fraudsters either pretending to be a commissioner, or fabricating a commissioned document from scratch without detection.

Transparency and verifiability are crucial to facilitating the trust needed to get a commissioned document accepted. 

What can be done? 

Distribute verifiable digital credentials for remote commissioners. Arizona, like many states, issues digital certificates to commissioners or notaries who perform virtual commissionings. These certificates can be uploaded to the software approved to commission or notarize to documents. The software then processes these certificates and pulls the relevant information into a seal that guarantees the status of a commissioner. These seals expire when the certificate expires, or can be renewed with a new or updated certificate.

Verification is the only transparent way to facilitate trust between all parties

Verification is mandated in nearly all jurisdictions where virtual commissioning and remote notary has been established for some time.

A system that facilitates trust needs to verify that:

  • the identity of the deponent or declarant has been verified according to a consistent set of standards
  • the document is authentic and hasn’t been tampered with
  • the commissioner is valid.

None of these standards are met by the current regulations or best practices in Ontario.

It’s worth noting that verifying legal documents is different and more complicated than verifying financial transactions.  

Legal document verification is multi-lateral instead of bilateral. In a financial transaction, only the financial institution needs to verify the client. A commissioning event has several more steps: the commissioner verifies the client, a third party verifies the commissioned document, as well as the credentials certifying that the declarant/deponent and the commissioner are capable of executing the document. These events often take place at different times in different locations, which means the verifiability of the document must travel with the document as opposed to the stationary verification in financial transactions.

Without regulation that mandates these transparencies and verifications, we have a system that can be easily defrauded and lacks the trust needed to perform this core service. Virtual commissioning has the potential to transform how the legal community operates—providing more support to access to justice initiatives and facilitating transactions across large geographical regions, among other things. 

We need a process that protects everyone involved.