Solving the ‘no click’ rule for financial services companies in Singapore and the Philippines
Across the globe, phishing and social engineering scams are on the rise. Cyber criminals keep getting craftier, and attacks on companies and individuals hit an all-time high in 2021. With the incidence of scams showing no signs of slowing, governments and institutions are ramping up their efforts to protect people and companies.
One industry is particularly vulnerable: financial services. The growth in digital banking puts customers’ personal funds at risk, which is why some countries have made bold moves to bolster security. In Singapore and the Philippines, financial services institutions must now follow a prescriptive list of measures designed to help prevent and detect scams. One of these measures? Removing clickable links in emails and SMS messages sent to customers. That’s right. No more links in emails.
The move makes sense. After all, scammers excel in replicating a company’s email template so that unwitting customers click through and share their personal details with the wrong people. By removing any links from emails, this risk is removed.
But what does that mean for banks that have invested in solutions like Docusign eSignature? They use eSignature to make it easier for customers to sign forms from wherever they are. But if they can’t click on a ‘sign here’ button, what can they do?
Digital signatures are still possible, no clicks in sight
To remain compliant with the regulatory requirements in Singapore and the Philippines, financial services institutions need to think laterally about how to use Docusign for things like home loan applications and new customer accounts. We’ve done some thinking for them, and have two options for customers to continue using Docusign without clickable links.
The first is by removing links from Docusign’s email notifications; and the second is to integrate the signing experience into the bank’s web portal or app. Let’s take a look at both.
Option 1: Remove clickable links in email notifications
To remove clickable links in Docusign’s email notification, an administrator needs to access the email resource files from the admin panel.
1. Go to Admin
2. In the navigation panel, under the Account heading, click Brands
3. Select the brand for the email profile you want to change. If a brand doesn’t exist, then select ADD BRAND to create one (learn more about adding brands).
4. Click on the Resource Files
5. In the Select Resource File Type dropdown, select Email and then Download Master.
6. After downloading the Email Resource file, open it with a source code editor (i.e. NotePad++) and remove the links within the document.
Note: In this example, we’re showing you how to remove the “Review Document” link. HTML/XML knowledge is recommended before working on this file. If you don’t have a technical resource, get in touch with your Docusign Account Team to get a Professional Service quotation to complete this.
7. After making necessary changes to the resource file, upload it by selecting Upload on Email Resource File.
8. On the Email Notification, you may customise the following:
==Starts here===
Follow the Instructions below to sign the document: </br> </br>
<a href=""><img src="https://i.ibb.co/bX6n5fH/image004.png" alt="image004" border="0"></a> </br>
Security code: [[Data:DocumentCode]]
==End here===
Then, the email that’s sent out to customers looks like this. Signers simply follow the instructions to open the document from the Docusign website, using a security code instead of clicking “Review Documents”.
Option 2: Integrate signing experience on portal or application
The other approach is to integrate the Docusign signing experience into the bank’s portal or app. This uses embedded signing*.
*The animation above illustrates the process of a banking portal where the customer logins to the portal, fills up the mortgage application form and gets directed straight to the Docusign signing page within the bank’s portal for sign off.
Embedded signing enables users to view and sign documents directly through your app or website. This way, users work off only one system and do not have to straddle between your app and emails. It’s a more fluid document transaction, appearing as a seamless extension of the client application.
Given the tight integration with Docusign, there are more technical and functional burdens on the client application – including addressing security, legal, and user experience requirements that are engineered into the Docusign application in the Remote Signer pattern. Embedded signing is implemented only via API and maintains its connection allowing them to visit a one-time secured link.
As per option 1, if your team needs help with embedded signing, we encourage you to contact Docusign.