The legal frameworks that govern e-signatures

Two frameworks govern the legal validity of electronic signatures in the US:

The E-SIGN Act (federal, 2000)

The Electronic Signatures in Global and National Commerce Act establishes that electronic signatures and records are legally valid for most contracts and documents in interstate commerce. It preempts state law except where states have enacted UETA.

UETA (state level)

The Uniform Electronic Transactions Act has been adopted by 49 US states. It provides the same effect as E-SIGN — electronic signatures are valid for most contracts — and sets ground rules for electronic records in state transactions.

Industry-specific compliance requirements

Beyond the baseline frameworks, some industries have sector-specific requirements:

Financial services

FINRA and SEC guidance permits e-signatures for most client documents. Key requirements: clear disclosure that the client is signing electronically, an opportunity to receive a paper copy, a record of consent, and the ability to retain the signed document. FINRA Rule 4511 requires electronic records to be retained in a non-rewriteable, non-erasable format — a tamper-evident PDF with a trusted timestamp satisfies this.

Healthcare (HIPAA)

HIPAA doesn't prohibit e-signatures — it requires that the mechanism used to sign adequately protects the integrity of the document and the identity of the signer. An email OTP-verified signature with a full audit trail meets this bar for HIPAA consent forms, authorization for release of information, and similar documents.

Insurance

The NAIC (National Association of Insurance Commissioners) Electronic Transactions Model Act aligns with E-SIGN and UETA. Most states require that the applicant's intent to sign is demonstrated and that the signed record is retained. E-signatures are valid for most policy applications, beneficiary designations, and disclosure acknowledgements.

Legal documents

Engagement letters, retainer agreements, authorization forms, and most intake documents can be signed electronically in all US jurisdictions. Wills, codicils, and powers of attorney have jurisdiction-specific rules — check the applicable state statute before using e-signatures for these.

What makes an e-signature compliant

• Signer identification — verify who signed (email OTP is sufficient for most documents)
• Intent to sign — a clear signing action, not just clicking through
• Document integrity — a SHA-256 hash or equivalent tamper detection
• Audit trail — timestamped record of verification and signing events
• Record retention — ability to retrieve the signed record at any point
• Disclosure — signer was informed they were signing electronically (typically in the interview UI)

Common compliance mistakes

• Assuming any click counts as a signature — lacking identity verification
• Not retaining the audit trail alongside the signed document
• Using e-signatures for document types that require wet signatures in the applicable jurisdiction
• No trusted timestamp — leaving the signing time disputed
• Sending documents for signature via email attachment (no audit trail)

Document types that remain wet-signature only

• Wills and testamentary documents (most US states require wet signatures and witnesses)
• Codicils to wills
• Notarized documents (unless remote online notarization is explicitly permitted in the jurisdiction)
• Certain real estate conveyances (state-dependent)