On 23 October 2023, the Financial Services Commission of Mauritius (FSC) issued guidelines on the use of digital signature (‘Digital Signature Guidelines’). One of the avowed aims of the Digital Signature Guidelines is to establish a high level of certainty regarding the use of digital signatures and to ensure that they are legally valid and enforceable in line with the Electronic Transactions Act 2000.
In his keynote address at the launch of the framework for the use of digital signatures on 23 October 2023, Honourable Mahen K. Seeruttun, Minister of Financial Services Good Governance stated that ‘Government considers it as its responsibility to create the right environment for individuals and companies to access markets and to have the support that would be beneficial to them.”
In this regard, the Digital Signature Guidelines regulate the following:
- the requirements to be met by applicants and licensees when submitting digital signatures both for pre-licensing and post-licensing applications to the FSC through the FSC One Platform;
- inspections by the FSC during which licensees must provide demonstrations of pdf documents which include digital signatures; and
- submissions of other digitally signed PDF documents as may be determined by the FSC.
The FSC has laid down the following requirements in order that a digital signature is accepted failing which the FSC will turn down a document bearing a digital signature:
(i) the signatory shall be a natural person;
(ii) the document bearing the digital signature shall be in the PDF format;
(iii) the digital certificate used to sign the document shall have been issued by a Certificate Authority listed on the Adobe Approved Trust List;
(iv) the digital signature shall meet the PAdES LTV standard which is the electronic signature design for PDF Advanced Electronic Signatures;
(v) the validity of the digital signature shall be automatically verifiable within Adobe Reader/ Adobe Acrobat;
(vi) the security level of the digital signature must either meet with or exceed the security level required by the eIDAS regulation for Advanced Electronic Signatures. The minimum requirement for a digital signature is that it must contain unique signer identity, strong authentication, data integrity and non-repudiation;
(vii) a Certificate of Completion shall be generated and retained by the digital signature software for every digitally signed document; and
(viii) the signed document shall include an embedded timestamp as proof of the exact time when the signature was created.
The FSC has not identified any list of specific vendors. Instead, the FSC has adopted a vendor- neutral approach on the choice of software to be used for digital signatures. Nevertheless, what is clear is that it is imperative that the software supports the level of security and safety functionalities required under Item (vi) above, together with a strong audit trail that shows an intention to sign by the signatories.
In particular, the digital signature software must enable signing parties to download/retain executed documents with the signing platform clearly identifying the ‘shell life’ of documents and their audit trails in order to enable an informed choice by the signatories. Importantly, the digital signature software or service provider must at least be ISO 27001 and SOC 2 TYPE 2 certified. By way of indication, the levels of security and safety functionalities of the digital signature platform shall not fall below that of DocuSign’s EU Advanced Signature.
CONCLUSION
The Digital Signature Guidelines signals a new era in our international financial centre and shows the commitment of the FSC to continue to make of our international financial centre one of choice by being in line with the practices of the international business community whilst ensuring investor protection with the increased use of digital technology spearheaded by the COVID-19 pandemic.