Legal Implications of Offering On-line Financial Services

Doing Business On-line - Business as Usual or a Brave New World?

Introduction

At a recent conference at which I spoke, I was called on to provide a general description of the term "electronic commerce". My description of the term went something like this:

"Electronic commerce means the use of electronic communications technology (instead of paper, telephone or face to face meetings) for business purposes."

So if e-commerce is essentially the conduct of business by electronic means, then is it business as usual when it comes to using your existing legal compliance processes?

One would be tempted to say, yes. Most of the core laws that regulate the conduct of business here in New Zealand are not technology specific.

For example:

  • the Fair Trading Act's prohibition against misleading and deceptive conduct in trade is as relevant to the conduct of business in cyberspace as it is to trading undertaken in the physical world;

  • securities offered to the public must still be accompanied by an investment statement whether offered on-line or by more conventional means;

  • on-line credit contracts will still be unenforceable in the same way as paper loan agreements if the Credit Contract Act's disclosure rules are not followed.

But it would be naïve to assume that legal compliance issues remain the same simply because business is now also conducted by electronic means. There are things that are different about offering financial services on-line, which mean that only some of the answers can be determined by using existing compliance processes.

How is On-Line Business Different?

First of all the medium is simply new - there are lots of things about doing business on-line which we are all still coming to grips with. On the legal side, there are such basic questions as:

  • are contracts done on-line enforceable; or
  • are statutory requirements for writing satisfied by electronic messaging.

I for one, have always thought (perhaps because I am a lawyer) that the law is not so much of an ass as to have any real difficulty with these questions. However, we are due to have an Electronic Transactions Act in place later this year which is supposed to put to rest many of the residual doubts about these basic issues. I will come back to the proposed legislation later in this talk.

Then there is the fact that e-commerce very often means that dealings occur between parties on a remote basis without the benefit of pre-existing contractual arrangements setting out the rules that are to operate between them. There are basic questions concerning the identity of the other party, where they are located and who they are. For example, there have been many reports coming out of the US about situations where minors have obtained services and products on the net on the basis of contracts that cannot be enforced against them.

There is also the fact that the internet now makes information much more accessible, collectable and malleable. The application of some of these enhanced capabilities provides examples of how existing legal issues become more notorious in cyberspace.

  • Privacy concerns and the application of privacy laws are, for example, given much more prominence in relation to dealings on the net;

  • Copyright protection and copyright infringement become much more of a trap in everyday business now that cut and paste technology is available to almost everyone with a PC and a modem;

  • New features of business introduced by internet technology raise novel legal questions such as whether different types of hyperlinking and the use of metatags are permissible.

The nature of the medium also means that communications are more ephemeral and, more often than not, changeable in comparison to paper-based dealings between people in the physical world. This opens up electronic business to greater risks of fraud. A recent Gartner Group survey found that the amount of credit card fraud is 12 times higher on-line than it is in the physical retailing world. There is also the question of whether electronic records are admissible in court litigation and if so, how much weight should be given to these kinds of documents.

Finally, there is the plain fact that doing business on-line is by its very nature a vehicle for doing business on a global basis. Unless clearly stated otherwise, on-line financial services offered on the net are potentially capable of acceptance by anyone similarly connected anywhere in the world. This means that service providers and other traders are for the first time having to grapple with a whole series of new questions. For example, if I find I am in dispute with a customer resident in Malaysia, will New Zealand law still apply? Will a case filed against me in Malaysia be taken on by the Malaysian courts? Will there be things that I have done or not done which will get me into trouble because I have not taken some mandatory Malaysian law into account?

Conclusion

All of these issues mean that e-commerce on the internet can be a bit like a chameleon. It looks like we are doing business as we have always done business, except that it is being done via an electronic medium. It follows, therefore, that the laws we have taken into account in the past should continue to be relevant and to work for legal compliance programmes. But when you look closer at the beast, the colours start to change. Some of the issues raised by the technology are completely new. The medium now provides capabilities that may involve compliance with foreign laws and international standards having to be taken into account for the first time. Other existing compliance issues become more important simply because they are encountered more often and can have far more reaching effects. And sometimes existing laws that anticipate paper-based dealings simply need to be applied or interpreted in new untested ways in an effort to ensure that they make sense when doing business in cyberspace.

The current state of play

What then is the current state of play here in New Zealand? Things are starting to move, but only slowly.

The Ministry of Economic Development's Discussion Paper

The Government recently issued a discussion paper in relation to a proposed Electronic Transactions Bill. The Bill is supposed to provide a legal and regulatory framework for electronic commerce and is likely to closely follow the Australian equivalent which was passed at the Commonwealth level during the course of last year. The Bill is mostly about providing legal recognition to writings, signatures, the production of documents and the retention of records in electronic form, where there are statutory requirements for these kinds of things.

Other Initiatives

There are also a number of other miscellaneous initiatives underway:

  • by the Justice Department to:
    • amend the Crimes Act so as to create new offences relating to computer misuse, including hacking;

    • revamp the Evidence Act so as to make it easier to use electronic records as evidence in court litigation;

  • by the Securities Commission to clarify that the Securities Act will also apply in certain respects to offers made from New Zealand to investors in other countries;

  • by the Privacy Commissioner, to align the Privacy Act in a number of different ways to meet the requirements of the European Union's privacy laws on transborder data flows;

  • by the Ministry of Consumer Affairs on a model code for consumer protection for electronic commerce;

  • by the Ministry of Economic Development, who are undertaking policy work on the implications of digital, internet and related technologies for New Zealand copyright law;

  • by the IRD who, with other revenue authorities overseas, are trying to grapple with the impact of electronic commerce on the revenue base for government, a revenue base which has traditionally targeted taxation on the basis of residence, the movement of physical goods and the conduct of activities in the physical world.

The Emergence of E-Government

Finally, there is Labour's e-government initiative which is only starting to get underway under the auspices of the State Services Commission. Government has finally realised that it cannot participate effectively in the new medium unless it takes a "whole of government" approach. This initiative is likely to be important if only because in the course of establishing a platform for e-government, the public sector is likely to establish standards relating to interoperability, metadata, encryption and rules acceptable to government relating to certification authorities (such as the PKI infrastructures that are being developed overseas).

International Initiatives

Internationally there are a lot of other things going on. The push is on for some standardisation of rules. This is why the Ministry of Consumer Affairs' proposed code for consumer protection in e-commerce is based on the OECD model that was issued some time in 1998. Then there is the work of the United Nations UNCITRAL Working Group on electronic signatures. This work is now almost completed and we can now see what is proposed for "reliable" electronic signatures, being electronic signatures that are meant to be given greater legal weight than electronic signatures that do not meet the specified criteria.

Adapting your compliance programme for on-line business

Introduction

A compliance programme is a set of documented rules internal to a business organisation which:

  • allows that business to know what laws it has to comply with in the course of its everyday activities;

  • sets out a set of procedures meant to ensure that legal compliance becomes part of that business' normal management processes.

An organisation normally institutes and maintains a compliance programme as a preventative measure to minimise its legal exposure and to reduce the risk of loss if a legal claim should be brought against it.

A legal compliance programme that operates in a transparent manner can also be used as a marketing tool to differentiate one business from another and the levels of service that that business is willing to provide relative to those of its competitors.

The proposed Electronic Transactions Bill

As already mentioned, specific legislation that provides formal legal recognition to electronic transactions is now finally emerging. The Electronic Transactions Bill has not yet been drafted but the Ministry's discussion paper provides a reasonable indication of what is likely to be covered. The Bill is likely to include the following new rules.

Electronic Communications

Where a law requires a communication to be made in writing, that communication may be made electronically so long as:

  • those electronic communications are readily accessible so as to be useable for subsequent reference; and

  • the person to whom the communication is to be sent consents to it being given electronically.

Electronic Signatures

Where a law requires that a document be signed by a person, the document may be signed electronically so long as:

  • a method is used to identify the person and to indicate that person's approval to the information set out in the document;

  • the method used was as reliable as was appropriate for the purposes for which the information was communicated;

  • the person to whom the signature is required to be given, consents to that requirement being met by way of the use of the electronic signature method proposed by the sender.

Production and Retention of Electronic Documents

Laws requiring that a document be produced or that a record be retained, may be satisfied by the use of electronic means so long as:

  • the method of generating the electronic form of record or document provided a reliable means of assuring maintenance of the integrity of the information set out in that document or record; and

  • it was reasonable to expect that the information contained in the electronic form of document or record would be readily accessible so as to be useable for subsequent reference.

Implications of the Bill

The first thing to note is that under the proposed legislation consent is required before electronic communications will be recognised to satisfy the relevant legal requirements. Therefore it may be necessary for changes to be made to your existing processes in order to obtain that kind of consent up front, at least where some of the electronic communications that are to follow are required by law to be in writing or to be signed.

Another issue to consider is the requirement that electronic documents or records be readily accessible for subsequent reference. This rule will apply to both communications that the law requires to be made in writing and to records and documents that are required to be produced or retained under different statutes. For example the Credit Contracts Act says that credit information that is required to be disclosed to borrowers in accordance with the Act, is to consist of one or more legible documents. Presumably on-line credit contract disclosure will be able to be effected with the assurance of legal recognition, so long as those communications can be said to be readily accessible for subsequent reference.

Under the Securities Act, prospectuses are required to be signed by each director of the issuer of public securities. Share transfers are also to be signed by the transferee where the shares are to be purchased on a partly paid basis. In both cases the proposed Electronic Transactions Bill would enable these documents to be signed on-line by way of an electronic signature, so long as the relevant requirements of the legislation are met.

Further Rules for Electronic Signatures?

The Ministry's discussion paper proposes a number of guidelines which if satisfied, would mean that the method used to sign a document electronically would be presumed to be valid. These guidelines may be summarised as follows:

  • the electronic signature must be linked to the signatory and to no other person;

  • the means of creating the signature is under the control of the signatory and no other person;

  • any alteration in the electronic signature or in any information contained in the signed document is detectable.

These guidelines appear to us to demand the adoption of very sophisticated authentication and security systems and therefore may in the end result in impeding rather than facilitating the growth of on-line business. This approach should be contrasted with that taken by legislation recently passed in the US. Electronic signatures in that country are now legally recognised as being equivalent to manual signatures. There are no special conditions that apply. The new US rules have been interpreted as recognising any form of assent undertaken electronically, whether by way of the use of a PIN number, digital signature or the click of a "submit" button.

Possible Exemptions

Finally it should be noted the Ministry anticipates that there will be certain business and non-business activities which will not be covered by the Bill. For example it is not planned to give legal recognition to any system involving the use of electronic instruments intended to perform functions equivalent to those currently performed by cheques, bills of lading or bills of exchange.

Developments in consumer protection

While there are no legislative initiatives in the field of consumer protection that have been announced, the Ministry of Consumer Affairs has issued a proposed code for the conduct of on-line business with consumers.

The code is meant to apply to the provision of goods and services ordinarily acquired by individuals for personal, domestic or household use or consumption. This would cover most forms of banking service and many services provided by on-line sharebroking operators.

The code restates many of the rules that apply equally to the conduct of consumer business in the physical world and in cyberspace. However a number of other standards are specified, some of which are only included because of the special issues that are raised by the conduct of on-line business.

For instance a business is required to provide details about itself including:

  • its trading name;
  • its physical address;
  • its email address and telephone number.

Furthermore an organisation must present its terms and conditions of business to consumers in a way that:

  • enables the consumer to review and accept or reject those terms before entering the transaction;

  • makes it possible for consumers to access and maintain an adequate record of those terms;

  • details all the costs associated with the transaction including costs of delivery, handling and insurance;

  • sets out any restrictions, limitations or conditions of purchase such as geographic limitations or parental approval requirements for minors;

  • specifies conditions relating to termination, return, exchange, cancellation and refund together with details of any applicable cooling off period or right of withdrawal.

In addition businesses should:

  • ensure consumers are given information which enables them to assess the level of risk involved in relying on the security and authentication systems used by the business;

  • make payment mechanisms available which are easy to use and which offer a level of security that is appropriate to the method of payment;

  • establish fair and effective internal procedures to address and respond to consumer complaints in a reasonable time, in a reasonable manner, and without prejudice to the customer's legal rights.

Our impression is that many on-line financial service providers already adopt practices which satisfy most of the code's requirements. However we have noted some web sites do not require the customer to go through a web page setting out the terms of supply before moving on to another web page that enables the customer to apply for the product or service on offer. There is a real question as to whether a mere hyperlink to a terms and conditions page constitutes sufficient notice of those terms so as to establish customer acceptance before the transaction is consummated.

Privacy Laws and Current Developments

The use and abuse of personal information is one of the major issues identified internationally as constituting an impediment to the development of e-commerce.

In New Zealand, we have had a Privacy Act for some years. The Act applies equally to the public or private sector and is generally technology neutral.

Most local providers of on-line financial services appear to have set up systems which comply with the basic requirements of New Zealand's legislation. For instance most sites now display privacy policies which:

  • specify the purposes for which the personal information is being collected;

  • identify the organisation that will hold or receive the information;

  • detail the organisation or class of organisation from which personal information about the individual may be collected or to whom that personal information may be disclosed;

  • notify the individual of the right to access and to correct their personal information.

However it now also appears to be common practice to include reference to the use of "cookies" in privacy statements. We presume the reason for this is that it is not possible for a customer to make full use of certain features of a web site if the customer has their browser set to reject cookies. It is certainly not a legal requirement to disclose the methods by which personal information may be collected, whether by way of cookies or otherwise.

Specific Banking and Securities Law Issues

Identification Issues

Under the Code of Banking Practice, banks undertake to satisfy themselves as to the identity of their customers. This self-imposed rule is at least in part driven by the requirements imposed on banks and other financial institutions by the Financial Transactions Reporting Act 1996.

The Financial Transactions Reporting Act aims to prevent and detect money laundering by imposing obligations on financial institutions to verify the identity of persons conducting transactions and to report suspicious transactions.

The term "financial institution" is defined widely so as to include not only banks, but anyone whose principal business is to provide financial services that involve the transfer or exchange of funds.

Doing business on-line by definition involves the conduct of commercial activity with a customer on a remote basis. Verifying the identity of the new customer in a face-to-face encounter is relatively less complicated and risky than trying to do the same as part of the preliminaries for undertaking on-line financial transactions.

In theory it might be possible to do identity checks on a new customer remotely. Guidance notes issued for the equivalent UK legislation recommend that checks on the name and address of the new customer be made against the electoral roll or through a telephone directory. Additional inquiries ought to also be made by way of telephone contact with the person concerned or by confirming the details given with the individual's employer.

Of course, all of this takes time and is not conducive to a quick and automated process.

It also involves procedures that are less certain than actual sighting of a copy of an individual's passport, driver's licence or birth certificate. It is presumably for this reason that at least one well known New Zealand on-line securities broker still requires information of this type to be provided in physical form before opening an account for a new customer.

All this means that the Financial Transactions Reporting Act is and is likely to remain, at least for the time being, an impediment to the conduct of on-line financial business, at least until some form of system for certifying on-line identity is widely adopted.

Security Offerings and On-line Compliance

The Securities Act 1978 sets out a detailed set of requirements that are to apply when first offering securities to the public in New Zealand.

In 1996 a number of significant changes were made to the Act. These included the insertion of new definitions of "writing", "document", "distribution", and "receive", the effect of which is to give legal recognition to the electronic distribution of statutorily required materials.

Offers to the Public

Issuers can now use web pages to automate most of the offering process. However, there are a number of things that have to be kept in mind:

  • You need to ensure that the site is architected in a way to ensure that the investment statement which describes the offering in accordance with the Act's requirements, is received by the potential investor before the application for the shares is made;

  • It is important as a first step to ensure that the potential investor provides not only a full name and other contact details, but also his or her email address.

  • Under the proposed Electronic Transactions Bill a document such as an investment statement, will be confirmed as being received by the potential investor, once the statement is received by the investor's information system, so long as that information system has been designated by the investor for the purpose.

  • The application form itself should require the investor to identify him or herself as a New Zealand resident and there should be warnings that no applications are to be made by anyone who is not resident in New Zealand. These precautions are intended to avoid the offer being unintentionally the subject of foreign securities laws which are likely to impose different, and in some cases more onerous, legal requirements than those that apply in New Zealand.

Private Placements

The remote nature of internet communications raises special problems for securities which are intended to be offered on-line to habitual investors by way of private placement. There is a risk that where an offer of securities is made on the net, this will be construed as a "virtual" invitation to subscribe for the securities by anyone who accesses the site.

Issuers of securities that are privately placed will typically wish to first satisfy themselves that those responding to the offer are indeed New Zealand residents and are also habitual investors. The risks of non-compliance with the Securities Act may be minimised by requiring the potential investor to complete an on-line questionnaire designed to confirm the investor's habitual investor status, as well as their New Zealand residency. These measures can be reinforced by the inclusion of a statement of selling restrictions set out in the information memorandum. It is also worth considering allocating a password to those persons who have completed the questionnaire and who have been determined to be habitual investors. The intention would be that the subsequent application process would be only accessible to those who have pre-qualified for the offer as habitual investors.

Prospectuses

One aspect of the process may not lend itself to full automation. While investment statements are now the principal vehicle for disclosure under the Securities Act, the potential investor is also entitled to request a copy of the prospectus. This copy is required to be identical to the hard copy version registered at the Companies Office. The hard copy lodged is required to have endorsed or attached to it, various specified documents. This suggests that a copy of the registered prospectus sent to an investor who has requested it may still have to be sent by post rather than delivered to the investor on-line.

Cross-border issues - some observations

Introduction

At the beginning of this talk I mentioned the risk to which on-line operators are exposed when offering services to persons outside the jurisdiction in which they normally do business.

There are over 180 countries in the world, each of which has its own set of laws. Plainly, it would be impracticable for providers of on-line financial services to absorb and take into account all the different laws that might apply to the audience that they may reach.

Reducing Your Risks

The first objective is to set out in your contract the terms which assert that your local law applies and that your local courts have jurisdiction to hear any dispute arising out of the on-line business you undertake.

You should also ensure that your web site is architected so that the services you provide are made available on an "invitation to treat" basis. An invitation to treat is not an offer. Rather it is a request for an offer from a potential customer to avail themselves of your services. In other words, it is the customer who makes the offer to buy your service and you may or may not decide to accept that offer.

There are a number of reasons to invite offers rather than to make offers yourself. In this context the issue is important because at least under New Zealand law one of the arguments that can be made for asserting local jurisdiction is that the relevant contract in dispute has been made in New Zealand. A contract is made when it is accepted.

Other Countries' Rules

However, the fact is that each country has its own different rules which are used to determine whether or not local law should apply and whether or not the local courts should have jurisdiction.

For instance, we understand that new rules are being introduced in the European Union which will mandate that any dispute involving a consumer should be governed by the laws of the country in which the consumer resides and by the courts of that country.

It is beyond the scope of this paper to go into any great detail about the different rules that might apply internationally for the assertion of jurisdiction in foreign courts. Some general trends are, however, emerging which can provide some guidance.

  • First of all the emerging consensus is that you are unlikely to subject yourself to foreign laws merely by operating a passive web site that simply provides information.

  • Secondly, the risks increase when your site is used for interactive dealings with individuals and organisations residing offshore. This is even more the case when you are involved in business to consumer e-commerce as opposed to merely business to business dealings on-line.

  • Thirdly, there is a trend in the US to assert jurisdiction in circumstances where it is determined that the foreign on-line service provider has targeted that jurisdiction in the conduct of its on-line business. What factors constitute "targeting" is still somewhat of an open question, but they appear to be of a fairly general nature. They can involve the past supply of services within the relevant jurisdiction or even the acceptance of payment in the relevant foreign currency. It all depends on the level of interactivity undertaken in the past and the commercial nature of the exchange of information that occurs on the web site.

Proceed with care

Therefore, as a general rule, care needs to be taken as to the way in which you operate a web site. If you wish to extend your reach to certain markets overseas, make sure that your processes and contractual terms take full account of the relevant foreign laws that apply. If you want to limit the reach of the services you provide to local residents, then it is important to clearly specify this on your web site. This, however, may not be sufficient by itself. You may also wish to consider requiring visitors to the site to fill out a registration form asking them to identify their location. Thereafter you can use such information to impose restrictions on the use of your web site by visitors who are based overseas. An alternative would be to restrict access to certain blocks of internet protocol numbers that are identified with your local jurisdiction.

Conclusion

To sum up, the conduct of business on-line does not mean that you have to trash your existing legal compliance manuals. Business is business and the law is the law whether done in cyberspace or in the physical world.

However, things are also different for all the reasons already discussed today. The trick is to recognise the features of the new environment in which you are operating and make adjustments to your legal compliance processes where appropriate.

The chameleon is still the animal it always was, but it is still necessary to keep track of all the colours as they change.


Disclaimer

This publication is necessarily brief and general in nature. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.