Authorised signatory mandates across the globe: A compliance roadmap

As the digital frontier expands, the need for rigorous oversight of who has the authority to sign off on corporate actions has never been more critical. From the GDPR's strict personal data handling in Europe to the Sarbanes-Oxley Act's demand for financial integrity in the US, and Hong Kong's new SFC rules, this article ventures into the complex world of authorised signatory mandates that form the backbone of global business governance and trust.


In today’s complex world of corporate governance and regulatory compliance, authorisation takes a central place. Ensuring that only designated individuals have the authority to make certain decisions or act on behalf of their organisation is fundamental to ethical, sustainable and compliant business operations. One key aspect of this is the management of authorised signatory lists. In this post, we look at the regulations and mandates that require such lists to be maintained across Europe, Asia and the United States.

Authorised signatory mandates in Europe

GDPR (General Data Protection Regulation)

The EU’s GDPR applies to any business, organisation or professional that processes personal data in the course of an economic activity. It does not name signatory lists as such, but it requires that anyone acting under a controller’s or processor’s authority processes personal data only on documented instructions (Article 29), and that appropriate technical and organisational measures, including access controls, protect that data (Article 32). A maintained list of who may authorise processing decisions, contracts and data-sharing agreements is one of the organisational controls that evidences compliance with these obligations.

eIDAS (electronic IDentification, Authentication, and trust Services)

The eIDAS Regulation (EU) No 910/2014 was adopted in 2014, applied from 2016 and was substantially amended in 2024 by the "eIDAS 2.0" Regulation (EU) 2024/1183. It standardises electronic identification and trust services across the EU and distinguishes three levels of electronic signature, each with different requirements for validation: simple, advanced and qualified.

A Simple Electronic Signature (SES) is any data in electronic form that is attached to or logically associated with other data and used by the signatory to sign, for example a typed name or a ticked box. It cannot be denied legal effect solely because it is electronic, but it carries no built-in proof of who signed or of whether the document has since changed, so the signer’s identity and intent have to be established by surrounding evidence.

An Advanced Electronic Signature (AES) must be uniquely linked to and capable of identifying the signatory, be created with signature-creation data under the signatory’s sole control, and be linked to the signed data so that any subsequent change is detectable. The tamper detection comes from the cryptographic signature itself; the identification property is where an authorised signatory list does its work, because it records which keys or certificates belong to which person and whether that person is still entitled to sign.

The highest tier, the Qualified Electronic Signature (QES), has the same legal effect as a handwritten signature throughout the EU. It is an AES created with a qualified signature creation device (QSCD) and backed by a qualified certificate issued by a Qualified Trust Service Provider (QTSP) on the EU trusted list. The private key is held on the QSCD, which may be a smart card, a USB token or a remote (cloud) signing service operated by the QTSP.
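As an added illustration (not part of the original article and not Cygnetise’s code), the following Go program shows how the two AES properties, identification of the signatory and detection of later changes, combine with an authorised signatory list: the cryptographic signature handles integrity and binding to a key, while the register decides whether the holder of that key is currently entitled to sign. Ed25519 stands in for the certificate-based signatures eIDAS trust services actually use, and the signatory names, register and payment instruction are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Signatory is one entry in a constructed, illustrative authorised-signatory
// register: a named person bound to the public half of their signing key.
type Signatory struct {
	Name   string
	Public ed25519.PublicKey
}

// Register is the authorised-signatory list, keyed by the raw public key bytes.
type Register map[string]Signatory

// Add enrols a signatory; Remove revokes their authority, which is how the
// list is kept up to date when someone leaves or changes role.
func (r Register) Add(s Signatory)              { r[string(s.Public)] = s }
func (r Register) Remove(pub ed25519.PublicKey) { delete(r, string(pub)) }

var (
	ErrNotAuthorised = errors.New("signer is not on the authorised signatory list")
	ErrBadSignature  = errors.New("signature does not verify: document altered or signed with a different key")
)

// Sign produces the signature a signatory attaches to a document.
func Sign(priv ed25519.PrivateKey, doc []byte) []byte {
	return ed25519.Sign(priv, doc)
}

// Verify accepts a signed document only if (1) the signing key belongs to a
// currently authorised signatory and (2) the signature still verifies over the
// exact bytes presented, so any later alteration is detected. It returns the
// signatory's name on success.
func Verify(r Register, doc, sig []byte, pub ed25519.PublicKey) (string, error) {
	s, ok := r[string(pub)]
	if !ok {
		return "", ErrNotAuthorised
	}
	if !ed25519.Verify(pub, doc, sig) {
		return "", ErrBadSignature
	}
	return s.Name, nil
}

func main() {
	// Constructed example data: one authorised signatory and one outsider.
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	mallPub, mallPriv, _ := ed25519.GenerateKey(rand.Reader)

	reg := Register{}
	reg.Add(Signatory{Name: "A. Example (CFO)", Public: alicePub})

	doc := []byte("Payment instruction: transfer 10,000 EUR to account 1234")
	sig := Sign(alicePriv, doc)

	report := func(label string, d, s []byte, p ed25519.PublicKey) {
		name, err := Verify(reg, d, s, p)
		if err != nil {
			fmt.Printf("%-20s rejected: %v\n", label, err)
			return
		}
		fmt.Printf("%-20s accepted, signed by %s\n", label, name)
	}

	report("genuine", doc, sig, alicePub)
	report("amount altered", []byte("Payment instruction: transfer 90,000 EUR to account 1234"), sig, alicePub)
	report("unauthorised signer", doc, Sign(mallPriv, doc), mallPub)

	reg.Remove(alicePub) // signatory leaves the firm; the list is updated
	report("signer removed", doc, sig, alicePub)
}
```

The last case is the one a stale list gets wrong: the signature over the document is still mathematically valid, but the person is no longer entitled to sign, and only a current register catches that.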

Thus eIDAS, together with the GDPR and the NIS Directive (now NIS2, Directive (EU) 2022/2555, which sets a common baseline for the security of network and information systems), forms the framework for securing digital transactions and establishing "a single European digital market".

MiFID II (Markets in Financial Instruments Directive II)

MiFID II, the EU legislation aimed at greater transparency in financial trading, requires investment firms to identify in their transaction reports the person or algorithm that made the investment decision and the one that executed the trade. A firm therefore has to keep an accurate, current record of everyone authorised to trade on its behalf and their identifiers; in practice this register of authorised traders is also shared with counterparties and brokers, who use it to check that instructions come from an authorised individual.

MiFID II also requires the buyer and seller of a financial instrument to be identified individually: legal entities by their Legal Entity Identifier (LEI) and natural persons by a national identifier, which again places authorised individuals at the centre of the trading process.

Authorised signatory mandates in Asia

SFC Banks Mandate Regime (Hong Kong)

On 3 January 2022, Hong Kong’s Securities and Futures Commission (SFC) introduced new regulatory requirements for Licensed Corporations (LCs) to improve control over the management and operation of their bank accounts. Applicable to LCs’ house and client bank accounts, the mandate’s main objective is to safeguard client funds and ensure the prompt discharge of liabilities, while fully complying with the financial resources requirements under the Securities and Futures (Financial Resources) Rules (FRR).

The governance measures emphasise senior management’s key responsibilities in developing and implementing all necessary internal policies and controls to maintain compliance, including the maintenance of an accurate and up-to-date list of authorised signatories for bank operations.

Authorised signatory mandates in the US

Sarbanes-Oxley Act (SOX)

The Sarbanes-Oxley Act, passed by the US Congress in 2002 and named for its sponsors, Senator Paul Sarbanes and Representative Michael Oxley, was intended to bolster corporate governance and accountability in the wake of the accounting scandals of the preceding years. At its core, SOX requires public companies to certify the accuracy of their financial reports (Section 302) and to assess, and have independently audited, their internal controls over financial reporting every year (Section 404). Because financial records are electronic, this reaches into IT and shapes how corporate records are created, changed, stored and accessed.

A central SOX requirement is therefore a set of internal controls that includes robust data security practices and a full audit trail of who interacted with financial records and when. In IT, SOX controls should cover the whole IT organisation, in particular security, access control, data backup and change management, and should ensure that only authorised individuals, including authorised signers, can access or approve sensitive financial information. Non-compliance can lead to heavy fines and, for officers who knowingly certify false reports, imprisonment.

T+1 Regulations

On 15 February 2023, the US Securities and Exchange Commission (SEC) adopted amendments shortening the standard settlement cycle for most broker-dealer securities transactions from "T+2" to "T+1". The rules took effect 60 days after publication in the Federal Register, with a compliance date of 28 May 2024.

The change aims to reduce credit, market and liquidity risk by shortening the time between trade execution and settlement, thereby reducing the volume of unsettled trades exposed to price movements. Broker-dealers must also have written agreements or policies ensuring the prompt completion of allocations, confirmations and affirmations, and registered investment advisers must keep records of these for certain transactions.

The amendment also requires central matching service providers to facilitate straight-through processing. Since the compressed timeline leaves little room to chase confirmations or approvals, an accurate, current list of who is authorised to sign or approve instructions becomes an operational necessity under T+1.

FBAR Regulations

The Bank Secrecy Act requires certain "U.S. persons", individual citizens and residents as well as corporations, partnerships, trusts, LLCs and other entities, that have a financial interest in or signature authority over foreign financial accounts whose aggregate value exceeded $10,000 at any time during the calendar year to report those accounts annually on the FBAR (Report of Foreign Bank and Financial Accounts, FinCEN Form 114).

Signature authority means the authority of an individual, alone or together with others, to control the disposition of assets held in the account by direct communication with the financial institution, whether in writing or otherwise. An organisation therefore needs an up-to-date record of who holds signature authority over each foreign account, both to file accurately and so that those individuals can meet their own reporting obligations.

The FBAR is not a tax return but an information report filed with FinCEN, intended to deter tax evasion alongside other reporting regimes such as the Foreign Account Tax Compliance Act (FATCA), which the IRS administers.

Penalties for non-compliance are stringent and are assessed separately for non-wilful and wilful violations. Non-wilful violations attract a civil penalty (a statutory $10,000 per report, adjusted for inflation); wilful violations can attract a penalty equal to the greater of $100,000 or 50% of the account balance at the time of the violation (likewise inflation-adjusted), in addition to possible criminal sanctions.

ESIGN Act

The US counterpart to eIDAS is the federal Electronic Signatures in Global and National Commerce Act (ESIGN Act) of 2000, complemented at state level by the Uniform Electronic Transactions Act (UETA). ESIGN gives electronic signatures and records the same legal validity as their paper equivalents in interstate and foreign commerce.

Unlike eIDAS, ESIGN is technology-neutral and defines no signature tiers, so the burden of showing who signed, that they intended to sign, that any consumer consented to do business electronically and that records were retained accurately falls on the organisation’s own processes. An up-to-date authorised signatory list supports each of these: it ties a signature to a named, entitled individual and gives the audit trail a reference point.

Conclusion

The regulatory odyssey of authorised signatory mandates across the world is a testament to the evolving nature of global business operations. It underscores the importance of a well-charted compliance strategy, ensuring organisations not only meet the legal mandates but also instil trust amongst stakeholders. It's not merely about compliance; it's about building a robust foundation for trust, accountability, and ultimately, sustainable business operations and growth.  

At Cygnetise, we have developed an application that solves the pain of managing authorised signatory lists, digitising the process and making it more secure and efficient. Our technology enables users to update their lists in real time and has a variety of sharing mechanisms so that the counterpart can always have access to the most up-to-date information, eliminating the need to recompile and redistribute data. Organisations can now save over 90% of their admin costs and time, whilst mitigating the risk of fraud for the organisation.

Here are 5 ways Cygnetise can enhance your compliance with global regulatory signatory mandates:

  • Manage, share and update signatory data in real time

  • Maintain a single source of truth

  • Have instant, remote access to the latest signatory data entry

  • Keep a historical record of any signatory data changes

  • Develop a sufficiently standardised process across all your functions/entities

Want to learn more about Cygnetise? Request a free demo below and one of our team will get in touch with you right away!

Category: Regulation. By Stephen Pomfret.