NHTSA odometer disclosure rule might pave way for e-signature authentication

On October 2, 2019, the Department of Transportation’s (DOT) National Highway Traffic Safety Administration (NHTSA), published its Final Rule for Odometer Disclosure Requirement, which would enable states to allow electronic odometer disclosure statements in conjunction with electronic titling systems. This rule, if adopted widely by the states, could hasten the acceptance of e-signatures as a means of authentication.

As part of an overall digital transformation and a move away from paper-based systems, the new requirement amends regulations to permit odometer disclosures to be made 100% electronically or through using paper documents. Those documents are then signed, scanned and converted into electronic form. From there, they are stored in a state data system.

Additionally, NHTSA now permits electronic and paper powers of attorney when a title is unavailable to a transferor due to loss or held by a lienholder.

The opportunity to reduce costs, save trees and streamline processes is significant as NHTSA estimates that there are over 40 million odometer disclosures made every year in the US.  By enabling states to move to an electronic process, it is critical that policies and processes are implemented as to not introduce fraud. Not surprisingly, NHTSA suggests a technology-neutral approach to tackle the issue. 

Verifying identity with electronic signatures

NHTSA’s rule states that identities of all parties must be verified. This paves the way for electronic signatures. Electronic signatures are legally binding and enforceable in countries that have enacted e-signature laws. Many commercially available electronic signature solutions comply with both the US ESIGN Act and Uniform Electronic Transactions Act (UETA).

The Final Rule defines an electronic signature as “an electronic sound, symbol, or process.” It is intended to encompass the full range of methods and technologies that may be employed to electronically sign a disclosure. A signature executed by writing on a pen pad or using a biometric such as a fingerprint or retina scan falls within an “electronic process” as described in the definition.

Electronic signatures offer tremendous value and, because they have become mainstream in recent years, consumer adoption for odometer disclosure should be a non-issue. From a security standpoint, they provide secure, tamper-proof evidence of the signing event with advanced e-signature solutions having the capability to record and play back the signing event, which could be important in cases of a fraudulent odometer disclosure.  

Identity verification technology mandated by the NHTSA

Of all the benefits electronic signature technology offers, the technology cannot verify the identity of the person signing without prior enrollment and identity verification process.  NHTSA realized that and has mandated that identity verification must be performed at NIST’s Identity Assurance Level 2 (IAL2), which requires evidence to support the real-world existence of the claimed identity, either remote or physically present identity proofing.

For remote identity proofing, a compliant approach to identity verification would be to follow what has become a well-adopted process by the banking industry. The process digitally onboards customers using a government-issued identity card, such as a driver’s license, verified with the photo matched to the user via a “selfie” using the latest “match on device” facial recognition biometric technology. 

Avoiding burdensome procedures

In 2017, NIST published updated Digital Identity Guidelines (Special Publication 800-63-3). A key change made was to decouple identity proofing and authentication into separate components, Identity Assurance Level (IAL) and Authentication Assurance Level (AAL). The previous guidance combined the two to determine a Level of Assurance (LoA). 

The challenge is to properly balance security and usability as to avoid introducing burdensome procedures for electronic transactions that would impede adoption. NHTSA originally proposed IAL3 and AAL3 requirements, the highest defined by NIST. However, NHTSA received severe pushback from industry and states during the public comment period noting that this would be expensive, burdensome. It settled on IAL2 and AAL2, which appear to be garnering support from other industries as many banks are supporting IAL2 and AAL2 and healthcare has headed in this direction to access electronic health records.

AAL2 solutions are relatively low cost and commercially available. This, coupled with FIDO2, the newest set of specifications by the Fast Identity Online (FIDO), means that strong authentication is embedded and readily available in all operating systems and the majority of mobile phones being sold today.

Although most odometer disclosures are signed at a dealership, I expect many more to be signed remotely as an added convenience to the seller. Effective Level 2 identity proofing (IAL2) combined with Level 2 authentication (AAL2) shall enhance security and should maintain or elevate consumer trust in the system.

Emerging technologies and 2020

NHTSA intends for this final rule to accommodate emerging technologies such as blockchain, should states wish to use them for recording electronic titles, making odometer disclosures, and authenticating electronic signatures. NHTSA notes that it, “cannot foresee all future security and authentication applications that states may wish to use to facilitate electronic odometer disclosures and title transactions.”

The rule takes effect December 31, 2019, and it remains to be seen how many states embrace it. As consumers have grown accustomed to e-signing documents, they may force states to accelerate adoption.

Disclosure: My employer, OneSpan is a provider of identity verification, authentication, mobile application security and electronic signature solutions. I also serve as co-chair of the FIDO Alliance’s Government Deployment Working Group and represent OneSpan on the board of directors of the Electronic Signature and Records Association.