HUD Updates Guidance on Electronic Signatures and File Storage
On November 6, 2020, HUD published Notice H 2020-10. In this notice, HUD provides clarification to the Electronic Signatures and Electronic File Storage guidance previously published on May 26, 2020, Notice H 2020-04. You can read my article about the original notice from June 1, 2020, by clicking here.
Notice H 2020-4 permits IPAs (Independent Public Auditors) to access the owner/agent’s electronic files when conducting HUD financial audits. However, the notice did not expressly state that this access did not apply to EIV Data.
HUD Notice H 2020-10 clarified that access is not permitted if the electronic files contain EIV data. IPAs are only permitted to access EIV income information within hard copy files and only within the owner or management-agent offices.
Data Security Requirements on Electronic Signatures
In this notice, there is an explanation of the security standards for electronic signatures.
…Industry partners likely use computer systems or applications that contain digital signatures. For these digital signatures to be considered a legal form of electronic signature, the system or application must conform to the National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) Digital Signature Standard 186-4 and other Federal Government digital signature regulations and guidance. Compliant software programs will contain a security feature that ensures that the digital signature is unique and protected and that only the “owner” of the signature maintains control of its use.
Any company seeking to utilize electronic signatures should clarify their software’s capability with this security requirement. Additionally, beyond the technical requirements for e-signatures, there are additional requirements for how signatures are captured.
The usability, admissibility, and provability of a signed electronic record requires that procedures be undertaken to ensure the continuing integrity of both the electronic record and its electronic signature, following completion of the signing process. It is a matter of providing appropriate data security for both the record and the signature…. Industry partners utilizing e-signatures must ensure that documents signed electronically cannot be altered. If changes to the document are made, the electronic process must be designed to provide an “audit trail”, showing all alterations, the date and time they were made, and the identity of the person who made them.