www.XBRL.se

Authenticity of Electronic Records in XBRL

Lucas Cardholm, LL.M., Working Group Authenticity and Security, XBRL Sweden

lucas.cardholm@se.ey.com

Post on 05-Jan-2016


Background

XBRL Sweden's objective is to create a Swedish XBRL taxonomy applicable to companies reporting under Swedish GAAP as well as IFRS

Non-profit organisation

Lucas is IT lawyer in WG ”Authenticity and Security”

Ernst & Young, Technology & Security Risk Services

Project Background

[Diagram: Company, Auditor, Book-keeping, Sw. Companies Reg. Office, Market, Public Authorities; labels: Signature (authenticity), Confidentiality]

The annual report

Auditor's endorsement

Members of the board, Managing Director

Data integrity

Initials, members of the board and Auditor(s)

Proof of adoption resolution, member of the board

One Signature – a variety of intentions

Paper World

Signer's intention is defined by the nature of the document and years of practice, legal effect by the court of law.

Identify

Assure Authenticity • Integrity • Non-repudiation

Legal Effect

Declaration of Commitment

Warning

Electronic/Digital World

Signer's intention is often not defined when the signature is created.

?

The need for Declaration of Commitment

”Figures are correct”

No commitment, but intention ”No pages are (ex)changed”

”I agree that the report is correct”

”I have audited and produced an audit report…”

”I certify that the shareholder meeting has adopted the annual report”

Proposed solution

Definition of four levels of liability

Recommendations on what to include within the signature and how to attach the commitment of the signature

Focus on the XBRL annual report and audit report for them to have legal validity

Signature Liability Levels

High Liability: Electronic Record signed by Legal Person

Personal Liability: Electronic Record signed by Natural Person

Low Liability: Electronic Record signed by Legal Person

No Liability: Authenticated Electronic Record

Without contractual relationship

With or without prior contractual relationship

Not denied legal effect

Must not give any legal effect!

Legally binding signature for legal person

Legally binding signature for natural person

The need for Liability levels

Low Liability?

No Liability

Personal Liability

Personal Liability or High Liability

Personal Liability

Current activities

Discussion paper delivered to XBRL in Europe and XBRL International

Discussions with vendors regarding pilot implementations and adoption of signatures

www.XBRL.se

Brief drill-down

Fredrik Hertz, MSc, CISSP, Head of Working Group Authenticity and Security, XBRL Sweden

fredrik.hertz@se.ey.com

Matrix overview

Column headings: Electronic Record, Application, External Dependencies; Warning¹ (No DC, DC), Authenticity Level, Declaration of Commitment, Unique Identification, Record, Signer, Legal Effect

Personal Liability | SHOULD | MUST | MUST | MUST | Yes | Yes | Yes

High Liability | SHOULD | SHOULD | MUST | MUST | Yes | Yes | Yes

Low Liability | MAY | MAY | SHOULD | SHOULD | Yes | By contract | Not Denied

No Liability | SHOULD | SHOULD NOT | SHOULD NOT | MAY | Data integrity only | No | No Liability

¹ “No DC” denotes No Declaration of Commitment present in signature, while “DC” denotes Declaration of Commitment present in signature.

Implementation

<SignedDataObjectProperties> (CommitmentTypeIndication)

<SignedSignatureProperties> (SignatureLiability)

Specification of when the application should present a warning
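Added example, not part of the original slides or the XBRL Sweden proposal: how a relying application could read the Declaration of Commitment and the liability level from a XAdES signature, accepting them only when the enclosing SignedProperties element is referenced from SignedInfo and is therefore covered by the signature. The `sl` namespace, the value `PersonalLiability` and the sample document are assumptions constructed for illustration; the check is meant to run after normal XML Signature validation and does not replace it.

```python
import xml.etree.ElementTree as ET  # for untrusted input use a hardened parser such as defusedxml

DS = "http://www.w3.org/2000/09/xmldsig#"
XADES = "http://uri.etsi.org/01903/v1.3.2#"
SL = "urn:example:signature-liability"  # hypothetical namespace for the proposed element
NS = {"ds": DS, "xades": XADES, "sl": SL}
SP_TYPE = "http://uri.etsi.org/01903#SignedProperties"

# Constructed sample; digests, keys and SignatureValue are omitted.
SAMPLE = f"""<ds:Signature xmlns:ds="{DS}" xmlns:xades="{XADES}" xmlns:sl="{SL}">
 <ds:SignedInfo>
  <ds:Reference Id="r-report" URI="annual-report.xbrl"/>
  <ds:Reference Type="{SP_TYPE}" URI="#sp-1"/>
 </ds:SignedInfo>
 <ds:Object><xades:QualifyingProperties><xades:SignedProperties Id="sp-1">
  <xades:SignedSignatureProperties>
   <sl:SignatureLiability>PersonalLiability</sl:SignatureLiability>
  </xades:SignedSignatureProperties>
  <xades:SignedDataObjectProperties><xades:CommitmentTypeIndication>
   <xades:CommitmentTypeId>
    <xades:Identifier>http://uri.etsi.org/01903/v1.2.2#ProofOfApproval</xades:Identifier>
   </xades:CommitmentTypeId>
   <xades:ObjectReference>#r-report</xades:ObjectReference>
  </xades:CommitmentTypeIndication></xades:SignedDataObjectProperties>
 </xades:SignedProperties></xades:QualifyingProperties></ds:Object>
</ds:Signature>"""

def declared_intent(signature_xml):
    """Read commitment and liability level, trusting only signed properties."""
    sig = ET.fromstring(signature_xml)
    # Ids of SignedProperties elements that SignedInfo references, i.e. that are signed.
    covered = {r.get("URI", "")[1:] for r in sig.findall("ds:SignedInfo/ds:Reference", NS)
               if r.get("Type") == SP_TYPE and r.get("URI", "").startswith("#")}
    out = {"commitments": [], "liability": None, "findings": []}
    for sp in sig.iter(f"{{{XADES}}}SignedProperties"):
        if sp.get("Id") not in covered:
            out["findings"].append("SignedProperties not referenced from SignedInfo; ignored")
            continue
        out["commitments"] += [e.text.strip() for e in sp.findall(
            "xades:SignedDataObjectProperties/xades:CommitmentTypeIndication"
            "/xades:CommitmentTypeId/xades:Identifier", NS) if e.text]
        level = sp.find("xades:SignedSignatureProperties/sl:SignatureLiability", NS)
        if level is not None and level.text:
            out["liability"] = level.text.strip()
    if not out["commitments"]:
        out["findings"].append("no Declaration of Commitment in signed properties")
    if out["liability"] is None:
        out["findings"].append("no liability level in signed properties")
    return out
```

Whether a finding becomes a user-facing warning is decided by the liability level, as laid out in the matrix overview.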

Useful in this context

Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures

IETF RFC 3275: “XML-Signature Syntax and Processing”

ETSI TS 101 903: “XML Advanced Electronic Signatures (XAdES)”
