Companies that use the Income Verification Express Services (IVES), and particularly the IRS forms 4506-T and 4506T-EZ, need to explicitly configure their Adobe Acrobat Sign group or account settings to ensure compliance.
Overview
The core document from the IRS regarding IVES compliance can be found here: https://www.irs.gov/individuals/income-verification-express-services-ives-electronic-signature-requirements
Adobe Acrobat Sign is a fully ESIGN Act compliant solution. All the IRS definitions and ESIGN law requirements are met by the core solution for all agreements sent through the service.
IVES has additional requirements that must be followed to ensure compliance with and participation in using the 4506-T and 4506T-EZ forms.
Below you will find the requirements set forth by the IRS requirements document, and the related Acrobat Sign application configurations that ensure compliance.
Access to the configuration settings below requires an Acrobat Sign business or enterprise level of service.
Authentication
IVES compliance requires two-factor authentication when signing documents. Acrobat Sign delivers all requests for signature as a unique link per signer to an email address. The unique signing URL and access to the email inbox constitute the first-factor authentication. To meet the requirement for the second-factor authentication, the Acrobat Sign account can be configured to require the signer to provide the second level of authentication before being able to sign the document. Acrobat Sign supports three options for the second factor:
- Phone Authentication (SMS)
- Knowledge-Based Authentication (KBA)
- Government ID
It is recommended that the group or account sending a document that requires IVES compliance configure the following settings:
- Identify Authentication Methods – Select one of the above-identified second-factor verification methods and establish that as the default.
- To limit the option for human error, you can disable the option for Senders to change the default verification method.
- If you have transactions that do not require an IVES compliant counter signature, Enable different identity authentication methods for internal recipients.
- Enable different methods for internal signers, and set the default to an internally acceptable standard.
Consent
IVES requires that signers explicitly consent to doing business electronically.
- Explicit consent can be configured with forced review of the Terms of Use and Consumer Disclosure. See here for full details
- The details of the consent are captured in the audit trail for the signature agreement.
Electronic Signature
IVES documents require an electronic signature to be validated against the name on the form.
- All signatures applied by the Acrobat Sign system are fully compliant ESIGN Act signatures.
- The explicit text suggesting the signature be compared to the name on the form suggests that using a font-based signature is superior to a more stylized signature type (e.g.: Biometric or Hanko stamp signatures). Therefore, it is recommended that the signature type be restricted to Typing their name and initials
Tamper Proof Seal
IVES documents must be made tamper-proof after the signatures are applied.
- Acrobat Sign applies tamper-proofing on all completed documents
- The tamper-proof seal is evident when the PDF is opened with Adobe Acrobat or Adobe Reader and appears as a blue bar across the top of the window.
Non-Repudiation / Audit Log
An audit log of the entire signature process must accompany the document. The audit log must contain all the document lifecycle information.
- Every transaction in Acrobat Sign has a fully compliant audit log that can be downloaded from the transaction record (on the Manage page).
- It is recommended that the group or account needing to be IVES compliant have their settings configured to:
i. Attach audit report to completed documents → Always
ii. Send an extra copy of every signed agreement to these email addresses → An internal archival email address
The Audit Trail itself contains all the elements required by IVES:
A. Date and time of creation
B. IP address of the signer
C. Document lifecycle notifications
D. Result of authentication
E. Result of consent
F. Result of each electronic signature
Document Retention
All 4506-T and 4506T-EZ forms, including their audit reports, must be retained for two years.
- Acrobat Sign retains all signed documents and audit logs on our servers throughout the life of the service provided. Only by direct customer action could a document be deleted, and even in that case, the audit log will persist.
- It is recommended that any group or account seeking to be compliant establish an automatic CC to an archival email address (e.g.: AcrobatSignContracts@myDomain.dom)
Quality Review
All participants using an electronic signature solution must use an independent party to audit the signatures annually.
- This requirement falls outside the scope of what Acrobat Sign can provide, as the requirement specifically demands an independent party perform the audit.
Custom Workflows
Enterprise-level customers can create discrete workflows using the workflow designer.
This option allows for a document-specific workflow, including user verification methods and notification processes, without having to employ group or account-wide settings.
Given the IVES requirements are fairly strict and unforgiving of human error, this option is strongly recommended.