Malaysia E-Signing: What You Need To Know.
12 May, 2017
With all the technology available to us in today’s globalised world, it is common for parties to transactions to not always be located in the same place. Among the business jetset, there may be a need to sign and send a contract to another geographic location within a short amount of time. A question that might have been asked is whether it would be acceptable to use electronic tools available online (e.g. e-signature product providers, PDF apps etc.) to sign a document remotely?
This article takes a look at whether e-signatures and digital signatures are legally enforceable and valid in Malaysia, the difference between the two, and the practical factors that should be considered.
Electronic signatures on contracts have been legally recognised in Malaysia since 1997 – starting with the enactment of the Digital Signature Act 1997 (“DSA”), followed later by the Electronic Commerce Act 2006 (“ECA”).
The DSA initially provided for legal recognition of a technologically-specific type of electronic signature, known as ‘digital signature’, to be as legally binding as a document signed with a handwritten signature, an affixed thumb-print or any other mark. A ‘digital signature’ under the DSA is limited rather narrowly to a “signature which uses an asymmetric cryptosystem that is verified by reference to the public key listed in a valid certificate issued by a licensed certification authority”.
Subsequently, the ECA provided more broadly for legal recognition of commercial transactions and contracts conducted or concluded by any electronic means. The ECA recognises (i) the legal effect and enforceability of information contained in electronic messages (such as emails and SMS), and (ii) the communication of proposals and formation of legally binding contracts expressed and signed via any electronic format, as long as they meet a broad set of technologically-neutral conditions.
The two separate acts reflect the fact that ‘electronic signatures’ and ‘digital signatures’ are not exactly the same thing, even though many use the two terms interchangeably. Digital signatures embed a unique digital ‘fingerprint’ into documents and the signer is required to possess a certificate-based digital ID (a digital certificate) in order to link the signer and document. Digital signatures also offer tamper evidence and tend to be subject to stricter regulations in many countries around the world. In summary, digital signatures can be understood as a type of electronic signature that offers higher security and protection from fraud than other types of electronic signatures.
The above said, there is nothing in the ECA that contradicts or precludes the DSA with respect to its continued specific regulation of digital signatures. As such, the DSA remains in force notwithstanding the ECA.
This article now turns to the practice of signing of documents electronically, and when it might be appropriate to use digital signatures vs other types of electronic signatures.
An electronic signature is broadly defined under the ECA as “any letter, character, number, sound or any other symbol or any combination thereof created in an electronic form adopted by a person as a signature”.
According to the ECA, if there is a requirement for a signature of a person on an electronic document, this is fulfilled by an electronic signature which:
- (a) is attached to or logically associated with the document;
- (b) adequately identifies the signer and his approval of the information to which the signature relates; and
- (c) is as reliable as is appropriate given the purpose and circumstances for which the signature is required.
To demonstrate fulfilment of the reliability test above, three further conditions need to be met. These are that (i) the means of creating the electronic signature is linked to and under the control of the signer only; (ii) any change to the e-signature post signing is detectable; and (iii) any change to the document post signing is detectable.
The above further conditions regarding detectability of changes post-signing might present a challenge when it comes to simpler e-signature tools, such as those that only provide a PDF image of a signature. It is difficult to see how such tools, without anything further, can convincingly be said to suffice. It appears though that there are some alternative ‘middle ground’ e-signature tools in the market – stopping short of digital signatures – which do offer a built-in tamper evidence function. These would seem to be less risky options for meeting these specific conditions.
There has not been much in the form of case law expanding on the practical meaning of each of the above ECA tests in the event of a dispute. However, the recent case of Yam Kong Seng & Anor v Yee Weng Kai  4 MLRA 316 does illustrate that point (b) above regarding identifying the signer is not necessarily a very difficult threshold to meet. In that case, it was held that even a simple SMS could fulfil the legal requirement for a signature:
ECA legislated that…where any law required a signature of a person on a document, the requirement of the law…by an electronic signature subject to the collective demands of subparagraphs (a) to (c).
For purposes of this appeal, the legal requirement for a signature was fulfilled as, inter alia, the sender was adequately identified…
The telephone number of the respondent from which the SMS was sent confirmed that it came from the respondent as the registered owner of that telephone… There was no probability of successfully rebutting the respondent being the sender as the respondent himself admitted sending the message.
The above case confirms that electronic signatures for purposes of the ECA can be in the form of any mark, created using any electronic technology. The ECA sets out some further points which are important to note. Section 10 states: “where any law requires a seal to be affixed to a document, the requirement of the law is fulfilled (if the document is in the form of an electronic message) by a digital signature as provided under the DSA”.
Some transactions and documents are clearly and expressly exempted from the scope of the ECA. These are:
(i) powers of attorney; (ii) wills and codicils (i.e. an addition/supplement to a will); (iii) trusts; and (iv) negotiable instruments (i.e. documents guaranteeing payment of a specific sum with the payer named such as promissory notes, demand draft and cheques).
For such documents to be valid and enforceable, there might be additional formal requirements under Malaysian law such as notarisation or attestation before a public notary or commissioner of oaths. As such, for these instances, pen might still need to be put to paper and relying solely on electronic messages and signatures would generally not be appropriate.
The full definition of a digital signature under the DSA is “a transformation of a message using an asymmetric cryptosystem such that a person having the initial message and the signer’s public key can accurately determine (a) whether the transformation was created using the private key that corresponds to the signer’s public key and (b) whether the message had been altered since the transformation was made.”
According to the DSA, where a rule of law requires a signature or provides for certain consequences in the absence of a signature, that rule shall be satisfied by a digital signature where:
- that digital signature is verified by reference to the public key listed in a valid certificate issued by a licensed certification authority;
- that digital signature was affixed by the signer with the intention of signing the message; and
- the recipient has no knowledge or notice that the signer has breached a duty as a subscriber; or does not rightfully hold the private key used to affix the digital signature.
The effect of the DSA is that a document signed with a digital signature in accordance with the above conditions is as legally binding as a document signed with a handwritten signature or a thumb-print.
Note that currently there are 3 certification authorities who are licensed in Malaysia to issue legally binding digital certificates – i.e. Pos Digicert Sdn Bhd, MSCTrustgate.com Sdn Bhd and Telekom Applied Business Sdn Bhd. There do not appear to be any recognised foreign certification authorities.
Given the lack of recognised foreign certification authorities under the DSA, foreign persons may wish to weigh up the practicalities of using a ‘digital signature that is in accordance with the DSA’ (e.g. in cases where the document requires a seal under Malaysian law) vs. the traditional physical signature approach.
E-signature or digital signatures
The ECA does not preclude the use of digital signatures (as defined in the DSA) in electronic commercial transactions. As such, parties are free to choose to use a digital signature as an electronic signature in any commercial transaction. When this is the case, the provisions of the DSA shall continue to apply to such use.
As mentioned above however, the inverse is not the case. In cases where a seal is required on a document under Malaysian law, section 10 of the ECA requires nothing less than a digital signature to be used.
More recently, there have been new uncertainties brought about by the introduction of the Malaysia Companies Act 2016 (“CA 2016”). Section 66(4) of the CA 2016 now states that “A document or proceeding requiring authentication by a company may be signed by an authorised officer and need not be made under the common seal”. The scope of section 66 of the CA 2016 is still not entirely clear. However, it appears there is now room for making out an argument that section 10 of the ECA should not apply in instances when s.66 of the CA 2016 allows for a signature as an alternative to a seal. On this argument, it should then follow that, in those instances, it is not mandatory to have to use a digital signature when not using a physical written signature, and any type of electronic signature should suffice. At this point in time however, this is still a novel and untested argument.
Given the above ongoing uncertainties regarding the acceptability of e-signatures in lieu of a seal, parties should – in instances where a document is one where a seal is traditionally required – weigh up the balance between the (i) convenience of signing documents online using e-signature tools, against (ii) legal risks of such e-signatures being challenged for validity or failing to meet the statutory requirements. If using digital signatures in these instances is too cumbersome or logistically difficult, physically signing the document may still be prudent.
Separately, it is also difficult to state definitively that certain documents such as share transfer forms and property transfer forms – even when signed with a digital signature verified by a certificate issued by a Malaysian licensed authority – will, in practice, be recognised and accepted by all relevant local authorities in Malaysia without question. It is in effect an open-ended question as to whether or not all parts of government administration are already familiar with and amenable to the use of digital signatures.
- Be aware of the difference between electronic signatures, and the more specific subset known as digital signatures;
- Be mindful of the legal conditions (such as reliability) that need to be met for e-signatures to be valid under the ECA;
- Using types of e-signatures other than digital signatures may be more open to challenge on legal validity in cases where a seal is traditionally needed. In such instances, physically signing the document may still be prudent – discretion is advised;
- Although using e-signatures (incl. digital signatures) may be more convenient/quicker, there is still some practical uncertainty as to whether this approach on certain documents (e.g. share transfer forms and property transfer forms) will be acceptable to all Malaysian authorities without question.
For further information, please contact:
Donovan Cheah, Partner, Donovan & Ho