Signatures - a representative of authorisation or a hidden flaw?
Have you ever been in a store and had to sign for your purchase? Have you ever had to answer your door and sign for delivery? Did the counterpart check your signature against the one on the back of your card or against the one present on some form of ID? Yes? Great!
In practice, this process seems second nature, but when considered further, would we really want to authorise transactions based on the sole interpretation of an individual? Especially when their judgment could be flawed, their checking process lackluster or their concentration focused elsewhere.
By contrast, why would the person signing the receipt, accepting the parcel, or in more commercial circumstances, authorising a business process, not be authorised to do so? It seems ridiculous that still to this day people wouldn’t accept the signature of an individual, after all, the status quo is that an individual signing their unique scribble is authorised to do such a thing. The confusion arises when you look at exactly what they’re signing for.
In the simplest terms, the use of a signature on some form of official documentation is such a cornerstone of the way transactions and business take place, the signature by itself has become the perfect mechanism to defraud, mislead or innocently make a mistake. This is primarily because we take them at perfect face value. This is not to say that signatures need to be replaced, but they do need some level of support to be used effectively.
In business, particularly in the financial sector, the all-encompassing notion that the signature is a 100% accurate representation of authorisation is an issue. This misconception is that if someone has signed, stamped or printed their name on an official piece of business, they must have been authorised to do so.
Human intuition adds a layer of protection to this practice, whereby individuals — because they may know or be aware of their counterpart and feel the need to validate further — would question that the person(s) signing off on something may not be authorised. However, this has been counterbalanced by the greatest detriment to business security, Time. The savvy individual wanting to run further checks simply doesn’t have the time and must continue to process at an efficient rate or face falling behind in their output. All of this efficiency comes directly as a cost to security.
Authorised Signatory Lists
To increase the confidence of accuracy, the authorised signatory list was brought into practice. These lists, designed to support the validity of signatures and detail what each signatory is authorised to sign off against, enhance the trust element of the process.
Unfortunately, the process by which signatory lists are maintained and distributed brings with it a number of weaknesses, allowing for mistakes to be made, lists to be exploited and fraud to occur. So, where are the holes in this process?
Usage. Whilst lists are exchanged and requested to be used when authorising signatures, there is the issue of human error/ignorance, where we simply do not use them. Commonly, this is a consequence of time and/or the aforementioned presumption that the signature must be valid.
Distribution and audit. A large organisation may interact with hundreds, if not thousands of counterparts, requiring each party involved to have an up-to-date list of the authorised signatories at any given time. If the list is distributed only contains 5 names for example, then the process to recreate an updated version and send it out is time-consuming but not terribly laborious. Should the more common scenario of a list with say 20 or 30 names on it need to be recreated and sent out, the task becomes increasingly labour intensive and vulnerable to mistakes.
Over time, the only practice this kind of distribution is going to support is ignorance. Those responsible for checking signatures will simply use whichever list is closest to hand, be it the most recent version, or as is usually the case, an outdated one. Again, this is because they are acutely aware of the inefficiencies of requesting a new version.
In Summary
This problem is twofold. The first issue is around the limitations and vulnerabilities of the signature as a way of authorising processes. As has been alluded to, these can be resolved with help and support from other resources, such as signatory lists, however, in practice, this has still proven to have its issues.
The second factor is the common issue of misconduct when completing these authorisation processes. The time-consuming nature of auditing and distributing the lists enforces a barrier to comprehensive checks being run on the signatories. Having said that, the problems with not updating lists, not using the most recent distribution, or not requesting a new version are all simple steps that if taken, could greatly improve the level of accuracy around authorisations.
The solution?
As with most operational deficiencies in business today, technology is sought to provide a solution and drive forward innovation. The nature of the authorised signatory lists process and its industry-agnostic application means any technical answers to this problem must be simple, widely applicable, and easy to integrate with legacy systems. Whilst bespoke offerings have been built, there is certainly a market requirement for a widely applicable solution.
This is the area Cygnetise is flourishing in. With marquee clients in the insurance, legal, business services and fund management verticals, Cygnetise has the cross-industry capabilities required to achieve true collaboration, alleviate the pain points and enable improvements in security, authorisation and fraud mitigation.