Three core requirements—authenticity, integrity, and legibility—help us to establish a basic global e-billing framework for a compliant legal e-billing system.
No specific mandates, however, exist as to the particular technical solutions. Users and solution providers have the design freedom to develop approaches that fit within the standards and the corresponding local rules. Nonetheless, the EU, as an instructive e-billing region, offers three examples of acceptable approaches:
- Electronic data interchange (EDI)
- Qualified electronic signature
- Any reasonable business controls
An electronic invoicing process does not have to use a single mechanism for all transactions in order to be compliant. For example, a corporate law department may establish a compliant business control mechanism for some firms while using EDI or electronic signatures for others. Likewise, different approaches may be used to prove the essential elements of authenticity and integrity. For example, a digital signature may be used to prove the authenticity of the invoice, while EDI is used to prove its integrity. The ability to use a variety of compliance approaches provides important flexibility to develop e-billing programs that meet the business needs, policies and procedures of the client.
Electronic Data Interchange (EDI)
Historically, legal e-billing systems have typically used either electronic data interchange (EDI) or electronic signatures as the primary means of satisfying the authenticity and integrity requirements. In an EDI-based approach, structured data and secure transport technologies are combined to create a compliant means of transferring data from provider to recipient. The legal industry follows the LEDES standards body (Legal Electronic Data Exchange Standard) as the recognized authority on EDI-applicable data standards. The LEDES community, made up of law departments, law firms and solution providers, has ratified a number of standards. The two standards relevant to most e-billing, international or otherwise, are 98BI and XML 2.0/2.1. From a solutions perspective, both standards have certain advantages and limitations, although general technology trends are moving towards the more flexible XML data format. Some legal e-billing vendors and service providers have introduced tools to convert non-LEDES data into the proper data format. The use of these tools should be evaluated as part of the overall business controls scheme used in the e-billing program. It should be noted that while LEDES is widely used, nothing in EU regulations mandates the LEDES format per se; other data formats are possible provided they meet the regulatory requirements, and many ELM systems offer the ability to upload or create custom invoice formats.
Qualified Electronic Signature
Qualified Electronic Signatures (QES) are explicitly recognized by the EU as means for ensuring the integrity and authenticity of electronic invoices. A QES is an enhanced version of an advanced electronic signature because it uses a qualified certificate (QC) provider and is created by a secure signature-creation device. Non-QC electronic signatures can be used provided that they meet the business control standards for authenticity and integrity.
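The two paragraphs above (the split of authenticity and integrity across different mechanisms, and the signature-based approach) describe the outcome without showing the mechanics. The following is an added example, not code from the original article or from any LEDES or ELM product, of how a recipient can check both properties on a structured invoice. It assumes an in-memory ed25519 key pair in place of a qualified certificate and secure signature-creation device, a constructed invoice record whose field names are only loosely modeled on LEDES, and a SHA-256 digest logged on both sides as the integrity audit artifact.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Invoice is a constructed, simplified structured invoice record. The field
// names are this example's own, not a LEDES field list.
type Invoice struct {
	Fields map[string]string
}

// Modified returns a copy of the invoice with one field changed; used here to
// show what a tampered record looks like to the recipient.
func (inv Invoice) Modified(name, value string) Invoice {
	out := Invoice{Fields: make(map[string]string, len(inv.Fields))}
	for k, v := range inv.Fields {
		out.Fields[k] = v
	}
	out.Fields[name] = value
	return out
}

// Canonical renders the invoice as a deterministic byte string: fields sorted
// by name, one NAME=VALUE pair per line. Sender and recipient must hash and
// sign exactly the same bytes, so the recipient re-derives this form itself
// rather than trusting a pre-serialized blob.
func (inv Invoice) Canonical() []byte {
	keys := make([]string, 0, len(inv.Fields))
	for k := range inv.Fields {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	for _, k := range keys {
		b.WriteString(k + "=" + inv.Fields[k] + "\n")
	}
	return []byte(b.String())
}

// Digest is the integrity artifact: a hex SHA-256 of the canonical form that
// both parties can record in their audit trail (assumed business control).
func Digest(inv Invoice) string {
	sum := sha256.Sum256(inv.Canonical())
	return hex.EncodeToString(sum[:])
}

// Sign is the authenticity artifact. A real QES binds the key to a qualified
// certificate; this example (assumption) uses a plain ed25519 key.
func Sign(priv ed25519.PrivateKey, inv Invoice) []byte {
	return ed25519.Sign(priv, inv.Canonical())
}

var (
	ErrIntegrity    = errors.New("integrity check failed: digest mismatch")
	ErrAuthenticity = errors.New("authenticity check failed: signature invalid")
)

// Verify performs the recipient-side checks: the digest detects any change to
// the content, and the signature ties the content to the expected sender.
func Verify(pub ed25519.PublicKey, inv Invoice, expectedDigest string, sig []byte) error {
	if Digest(inv) != expectedDigest {
		return ErrIntegrity
	}
	if !ed25519.Verify(pub, inv.Canonical(), sig) {
		return ErrAuthenticity
	}
	return nil
}

// sampleInvoice builds a constructed invoice for the demonstration.
func sampleInvoice() Invoice {
	return Invoice{Fields: map[string]string{
		"INVOICE_NUMBER": "INV-2024-0001",
		"INVOICE_DATE":   "20240115",
		"LAW_FIRM_ID":    "FIRM-EXAMPLE",
		"CLIENT_ID":      "CLIENT-EXAMPLE",
		"INVOICE_TOTAL":  "1250.00",
	}}
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	inv := sampleInvoice()
	digest, sig := Digest(inv), Sign(priv, inv)
	fmt.Println("sender digest :", digest)
	fmt.Println("intact invoice:", Verify(pub, inv, digest, sig))
	fmt.Println("altered total :", Verify(pub, inv.Modified("INVOICE_TOTAL", "9999.00"), digest, sig))
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("unknown signer:", Verify(otherPub, inv, digest, sig))
}
```

The two failure paths are deliberately distinct: an altered field fails the digest comparison (integrity), while an intact invoice checked against a key the recipient has not enrolled fails the signature check (authenticity). In an EDI-style deployment the digest side would typically be carried by the transport layer and the signature by a QES, which is the mix of mechanisms the article describes.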
Reasonable Business Controls
In addition to EDI and electronic signatures, there is increased acceptance of the "any business controls" method as a third alternative for EU member states. The business controls standard provides a more flexible protocol; nevertheless, it requires a highly structured and auditable process. Law departments and law firms must thoroughly document their financial and accounting policies and procedures, as well as provide auditable transaction artifacts. The business controls method must still meet the authenticity, integrity and legibility requirements, and it will be subject to review and audit by local tax authorities.
Of particular note is the use of scanned invoices. These include invoices transmitted in an image-based format such as .PDF or .TIFF. While not in and of themselves meeting the standards of the EDI approach, scanned invoices may be acceptable as a component part in an otherwise compliant business controls based approach.
Ultimately, while the European directives are the most prevalent, every step of the e-billing process, regardless of region, must be controlled through a combination of transport-level technologies and process-level controls. Solutions must provide security against data vulnerabilities, including at the boundaries between physical and logical processing steps. Suitable security-related measures, such as firewalls, IDS, encrypted channels (e.g. TLS-based) and malware detection and prevention solutions, should be employed to ensure that trusted processes cannot be compromised through external attacks on processing applications and transmission channels.