The core document from the IRS regarding IVES compliance can be found here: https://www.irs.gov/individuals/income-verification-express-services-ives-electronic-signature-requirements
Adobe Sign is a fully ESIGN Act compliant solution. All the IRS definitions and ESIGN law requirements are met by the core solution for all agreements sent through the service.
IVES has additional requirements that must be followed to ensure compliance with and participation in using the 4506-T and 4506T-EZ forms.
Below you will find the requirements set forth by the IRS requirements document, and the related Adobe Sign application configurations that ensure compliance.
Access to the configuration settings below requires an Adobe Sign business or enterprise level of service.
IVES compliance requires two-factor authentication when signing documents. Adobe Sign delivers all requests for signature as a unique link per signer to an email address. The unique signing URL and access to the email inbox constitutes the first factor authentication. To meet the requirement for the second factor authentication, the Adobe Sign account can be configured to require the signer to provide a second level of authentication before being able to sign the document. Adobe Sign supports three options for the second factor:
- Social Authentication (SSO)
- Phone Authentication (SMS)
- Knowledge Based Authentication (KBA) for US based signers only
It is recommended that the group or account sending document that require IVES compliance configure the following settings:
- Identify Authentication Methods – Select one of the above identified second factor verification methods and establish that as the default.
- To limit the option for human error, you can disable the option for Senders to change the default verification method.
- If you have transactions that do not require an IVES compliant counter signature, Enable different identity authentication methods for internal recipients.
- Enable different methods for internal signers, and set the default to an internally acceptable standard.
IVES requires that signers explicitly consent to doing business electronically.
- The details of the consent are captured in the audit trail for the signature agreement.
IVES document require an electronic signature to be validated against the name on the form.
- All signatures applied by the Adobe Sign system are fully compliant ESIGN Act signatures.
- The explicit text suggesting the signature be compared to the name on the form suggests that using a font based signature is superior to a more stylized signature type (e.g.: Biometric or Hanko stamp signatures). Therefore, it is recommended that the signature type be restricted to Typing their name and initials
IVES documents must be made tamper proof after the signatures are applied.
- Adobe Sign fully supports tamer proofing documents, and we recommend that tamper proofing be applied to All recipients
- The tamper proof seal is evident when the PDF is opened with Adobe Acrobat or Adobe Reader and appears as a blue bar across the top of the window.
An audit log of the entire signature process must accompany the document. The audit log must contain all the document lifecycle information.
- Every transaction in Adobe Sign has a fully compliant audit log that can be downloaded from the transaction record (on the Manage page).
- It is recommended that the group or account needing to be IVES compliant have their settings configured to:
i. Attach audit report to completed documents → Always
ii. Send an extra copy of every signed agreement to these email addresses → An internal archival email address
The Audit Trail itself contains all the elements required by IVES:
A. Date and time of creation
B. IP address of the signer
C. Document lifecycle notifications
D. Result of authentication
E. Result of consent
F. Result of each electronic signature
All 4506-T and 4506T-EZ forms, including their audit reports, must be retained for two years.
- Adobe Sign retains all signed documents and audit logs on our servers throughout the life of the service provided. Only by direct customer action could a document be deleted, and even in that case, the audit log will persist.
- It is recommended that any group or account seeking to be compliant establish an automatic CC to an archival email address (e.g.: AdobeSignContracts@myDomain.dom)
All participants using an electronic signature solution must use an independent party to audit the signatures annually.
- This requirement falls outside the scope of what Adobe Sign can provide, as the requirement specifically demands an independent party perform the audit.
Enterprise level customers can create discrete workflows using the workflow designer.
This option allows for a document specific workflow, including user verification methods and notification processes, without having to employ group or account wide settings.
Given the IVES requirements are fairly strict and unforgiving of human error, this option is strongly recommended.