Can CRA Forms Be Electronically Signed?

By L.Kenway BComm CPB Retired

Updated February 22, 2024 | Edited April 8, 2024



Find out the steps you need to follow for CRA to accept an electronically signed tax form.

The tax preparer must verify the identity of the taxpayer prior to accepting an electronically signed tax form.
HIGHLIGHTS OF THIS POST

  • What is an electronic signature?
  • Can CRA forms be electronically signed?
  • What procedures do you need to follow when applying e-signatures to tax forms?
  • What forms does the CRA accept e-signatures on?
  • Data storage considerations when selecting third party service providers
  • CRA data residency requirements
  • Common SaaS platform data storage locations 
  • Legislation governing Canada's electronic signatures 
    • The European Union's eIDAS (Electronic Identification Authentication And Trust Services)
    • Differences between Canada's PIPEDA and UECA vs. the EU's eIDAS
    • PIPEDA (Personal Information Protection and Electronic Documents Act)
    • UECA (Uniform Electronic Commerce Act)
    • Identity Assurance Levels (IALs) for digital identities


What is an electronic signature?

To help business owners understand the legal framework around, "Can CRA forms be electronically signed?", we need to look at Canadian legislation and regulations around electronic signatures.


An electronic signature (also referred to as e-signature) is an effective and legal way to get electronic documents signed quickly as part of a paperless process. An electronic signature is really just a rendering of your signature in electronic form. E-signatures can replace handwritten signatures in many, but not all, Canadian business affairs. The electronic signing should be able to clearly link the document to the signer.

In Canada, standard electronic signatures are distinguished from secure electronic signatures.

Secure electronic signatures (also called "verified" e-signatures or digital signatures) hold more weight and are generally only required in specific circumstances outlined in provincial and federal legislation. They must include a digital signature certificate.

Digital signatures are encrypted, based on PKI (public key infrastructure), to lock the content with a stamp of authentication about the information being signed. They embed details like email addresses, serial numbers and identifying details of the device used to sign the document, creating a "fingerprint". Unlike a standard electronic signature, a digital signature used with an e-signing app confirms that the information originated from the signer and has not been altered after signing.

As a business owner, you may want to use secure electronic signatures to ensure added security and enforceability even if not required by law. 




Can CRA Forms Be Electronically Signed?

During the pandemic as a temporary measure, CRA began allowing electronic signatures on forms such as the T183 Information Return for Electronic Filing of an Individual's Income Tax and Benefit Return and T183CORP Information Return for Corporations Filing Electronically as "having met the signature requirements of the Income Tax Act (ITA)".

Allowing e-signatures reduced the "necessity for taxpayers and tax preparers to meet in person ... during this difficult". As of 2024, this measure is no longer temporary.

It seems the CRA had to ensure that electronic signatures were compliant not only with PIPEDA and UECA but also with the ITA. (Wow, that is a lot of acronyms!) Can CRA forms be electronically signed? The answer going forward now is yes.

The signed forms must be retained by both the tax preparer and the taxpayer for at least six years when a tax preparer has electronically filed the tax return on the taxpayer’s behalf.




What Procedures Do You Have to Follow When Applying e-Signatures To Forms?


Can CRA forms be electronically signed? Yes if you follow these steps:

  1. The identity of the taxpayer has been identified by the tax preparer.

  2. Methods used must respect the safety and security of personal and tax information of the taxpayer.

  3. When generating or displaying the form in paper format or electronically, it is highly recommended the first 5 digits of the social insurance number (SIN) be masked.

  4. If the electronic signature is applied to the form in person by the individual using methods such as a stylus or finger on a tablet, it is applied in the presence of the other party.

  5. If the electronic signature is not applied to the form in person by the individual, it is either (a) applied to the form that is then sent to the other party using the electronic address most recently provided to the other party for that purpose; or (b) applied to the form that is then sent to the other party through an access controlled, secured electronic location, such as a secure website, that is accessible to the individual only because the other party has made that location known and granted access to the individual.

  6. A date and time stamp must be displayed on the electronically signed form. The CRA will accept a date and time stamp that has been automatically populated by the software or manually entered by the taxpayer or tax preparer. Preferable format is year/month/day and hour/minute/second.

  7. Electronic filers should retain the third party certificate of completion for the electronic signature as the CRA may request them as part of their monitoring program.
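
As an added illustration of steps 1 and 3 to 7 above (not CRA or vendor code), the Python below masks the first five digits of any SIN in a form's text and reviews a signing record against the checklist. The record field names, the channel labels and the exact `YYYY/MM/DD HH:MM:SS` rendering are assumptions, and the sample records are constructed.

```python
import re
from datetime import datetime

# Nine digits, optionally grouped 3-3-3 with spaces or hyphens.
SIN_RE = re.compile(r"(?<!\d)(\d{3})([ -]?)(\d{3})([ -]?)(\d{3})(?!\d)")
TS_FORMAT = "%Y/%m/%d %H:%M:%S"                       # assumed rendering of step 6
REMOTE_CHANNELS = {"email_on_file", "secure_portal"}  # assumed labels for 5(a), 5(b)


def luhn_ok(digits):
    """Canadian SINs carry a Luhn check digit; use it to cut false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_sins(text, luhn_only=True):
    """Mask the first 5 digits of each SIN, keeping separators and last 4.

    luhn_only=False masks every 9-digit group, which also catches a
    mistyped SIN at the cost of masking unrelated reference numbers.
    """
    def repl(m):
        a, sep1, b, sep2, c = m.groups()
        if luhn_only and not luhn_ok(a + b + c):
            return m.group(0)
        return "XXX" + sep1 + "XX" + b[2] + sep2 + c
    return SIN_RE.sub(repl, text)


def review_signing_record(rec):
    """Return a list of findings; an empty list means no step was missed."""
    findings = []
    form_text = rec.get("form_text", "")
    if not rec.get("identity_verified"):
        findings.append("step 1: taxpayer identity not verified by the preparer")
    if mask_sins(form_text) != form_text:
        findings.append("step 3: form displays an unmasked SIN")
    if rec.get("signed_in_person"):
        if not rec.get("other_party_present"):
            findings.append("step 4: in-person signature not applied in the other party's presence")
    elif rec.get("delivery") not in REMOTE_CHANNELS:
        findings.append("step 5: remote signature sent over an unapproved channel")
    try:
        datetime.strptime(str(rec.get("signed_at", "")), TS_FORMAT)
    except ValueError:
        findings.append("step 6: date and time stamp missing or not Y/M/D H:M:S")
    if not rec.get("certificate_of_completion"):
        findings.append("step 7: certificate of completion not retained")
    return findings


# Constructed sample records (not real taxpayer data).
GOOD = {
    "identity_verified": True,
    "form_text": "T183 SIN: XXX XX4 286",
    "signed_in_person": False,
    "delivery": "secure_portal",
    "signed_at": "2024/02/22 10:15:30",
    "certificate_of_completion": "cert-0001.pdf",
}
BAD = {
    "identity_verified": True,
    "form_text": "T183 SIN: 046 454 286",
    "signed_in_person": False,
    "delivery": "forwarded_from_unknown_address",
    "signed_at": "22-02-2024 10:15",
    "certificate_of_completion": None,
}

if __name__ == "__main__":
    print(mask_sins(BAD["form_text"]))
    for finding in review_signing_record(BAD):
        print(finding)
```
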




What Tax Forms Are Accepted With e-Signatures?

Can CRA forms be electronically signed? Yes. CRA has approved the following forms for electronic signatures:

  • T183, Information Return for Electronic Filing of an Individual’s Income Tax and Benefit Return
  • T183CORP, Information Return for Corporations Filing Electronically
  • T183TRUST, Information Return for the Electronic Filing of a Trust Return
  • T2183, Information Return for Electronic Filing of Special Elections
  • T2200, Declaration of Conditions of Employment
  • T1223, Clergy Residence Deduction
  • RC71, Statement of Discounting Transaction (2023 tax year forward)
  • RC72, Notice of the Actual Amount of the Refund of Tax (2023 tax year forward)




Data Storage Considerations

ITSM.50.030 Cyber security considerations for consumers of managed services talks about why you would want your data stored in Canada. This may be an important factor for your business when choosing a third party electronic signing provider. Just like cloud service providers, you need to consider whether they can be trusted with confidential information.

Data stored outside Canada is subject to different privacy, security, and data ownership laws which may take precedence over Canadian laws. For instance, Canadian Lawyer (see references) explains  "the U.S. Patriot Act gives American authorities permission to access and seize data stored on American soil without your knowledge or consent. This is important to keep in mind as many of the popular cloud providers, including Dropbox, iCloud, and Google Cloud, are not hosted on Canadian soil. Cloud service providers that store data on Canadian soil are not subject to the Patriot Act, as long as the data remains stored on Canadian soil."

In addition, Canada's PIPEDA, like the European Union's (EU) GDPR (General Data Protection Regulation), requires organizations to ask individuals for permission to collect their personal data. The individuals also have the right to be forgotten. Other countries may view privacy differently or not comply with PIPEDA or GDPR privacy laws, which can interfere with the confidentiality of your organization’s data.



Good Compliance Habit


CRA Data Residency Requirements

The CRA requires you keep records at your place of business or your residence in Canada, unless they give you written permission to keep them elsewhere. For CRA purposes, records kept outside of Canada and accessed electronically from Canada are not considered to be records kept in Canada. [CRA last modified 2023-11-30]


AUDIT READY

It is always a wise policy to keep a CSV file or PDF reports of your financial statements, secondary supporting reports, and general ledger at each month-end, quarter-end, and year-end to meet the data residency requirements if you use SaaS (Software as a Service) for your record keeping.


BACKUP OF RECORDS

CRA guidance on backing up your records can be found under Managing Books and Records (February 2022), as well as Electronic Record Keeping (June 2010) and Computerized Records (June 2005), which state under the section titled Location of Records:

  • " ... Where records are maintained electronically in a location outside Canada, the CRA may accept a copy of these records, provided the copy of the records is made available in Canada to the CRA officers in an electronically readable and useable format and contains adequate details to enable the determination of the person’s tax liabilities and obligations, or the amount of any rebate or refund to which the person is entitled. 
  • ... Normally back-up copies of electronic records are stored at a site other than the business location for security and precautionary purposes (i.e., in case of fire, flood, theft or other cause). The CRA encourages this business practice and recommends that these back-up copies be maintained at a location within Canada.
  • ... Persons with businesses that operate via the Internet and that are hosted on a server located outside Canada should be cognizant of their responsibility of maintaining their records within Canada."




Common SaaS Platform Data Storage Locations

I did a quick search to see where some popular online accounting, tax, and cloud storage platforms store customer data.

  • Intuit QuickBooks website states, "We store data on Intuit-managed systems. These are in your home country to satisfy data residency laws. Data is stored in the cloud on Amazon Web Services (AWS)."
  • Xero website says "Similar to many software-as-a-service providers, we use Amazon Web Services (AWS), a top-tier, third-party data hosting provider with servers located in the US to host our online and mobile services. Xero has no short-term plans to store data in the EU [and presumably Canada]. Xero makes sure it complies with EU data export restrictions when it exports data outside of the EU."
  • Sage Intacct  launched Sage Intacct data centre in Montreal, Canada on May 25, 2021 leveraging AWS.  The in-country presence will help Sage Intacct customers scale and accelerate their digital transformation strategy, while complying with federal and provincial privacy legislation. 
  • Sage Accounting website says data is stored at AWS, us-east-1 – N. Virginia and Canada (ca-central-1) so it's not clear if your data is stored in Canada. However, "[2018] uses Amazon Web Services. We have ensured that all Canadian Sage data is redundant on AWS servers in Canada. ... although it is not a requirement of CRA to ensure the data is here in Canada ... [CRA encourages this business practice and recommends that these back-up copies be maintained at a location within Canada.] ... [CRA's] wording focuses less on requiring the data to be in a specific location (Canada) and more on the ACCESS to the data, regardless of where the data is stored."
  • TaxCycle (owned by Xero) states "Our main repository for and storage of customer data (including personal information) is on servers located in the Canadian region provided by third-party cloud-hosted services such as Microsoft Azure and Amazon Web Services. However, data may be transferred between locations and jurisdictions as part of service provision and third-party service providers described in this privacy policy, which provide services to us under contract, are based in other countries or may host data worldwide and accordingly your personal information may be available to governments worldwide under a lawful order, irrespective of the safeguards we have put in place for the protection of your personal information." [Effective 07-01-2022]
  • ProFile Connect (owned by Intuit) states "your data is stored in two secure Intuit servers in Canada".
  • Amazon Web Services (AWS) has 2 regions in Canada. Canada Central region is located in Montreal, Quebec and Canada West region is located in Calgary, Alberta. It wasn't clear what data is stored on Canadian servers.
  • Microsoft Azure has in-country data residency with data centres in Toronto, Ontario and Quebec City, Quebec as well as data replication in two locations within Canada.
  • OneDrive data is stored on servers within Canada.
  • iCloud servers are located in five data centres in the United States. They also utilize Google Cloud for some data storage.
  • Google Cloud operates data centres in Montreal, Quebec and Toronto, Ontario but it wasn't clear if ordinary Canadian residents' data is stored on Canadian servers.
  • IBM Cloud MZR (Multizone Region), announced April 8, 2024, will expand its cloud operations in Canada and open in Montreal, Quebec. The IBM Cloud MZR will be designed to meet the needs of even the most regulated industries, prioritizing resiliency, performance and scalability, security and compliance. It will help Canadian enterprises leverage generative AI and address data sovereignty requirements. Innovative capabilities and services will be available to clients throughout Canada, including access to IBM Power Virtual Server, VMware as a Service, SAP, and HPC as a Service.




Canada's Governing Legislation for Electronic Signatures

As pictures are oftentimes easier to understand, following is a diagram of the province of BC's identity assurance framework.

[Diagram: Identity Assurance Levels]

The European Union's 2016 Electronic Identification Authentication And Trust Services

I am going to look at the European Union's eIDAS (Electronic Identification Authentication and Trust Services) standards before I review Canada's regulations, as I found them easier to understand from a layman's perspective. If you do business in Europe, you will need to be aware of eIDAS.

Though similar, Canadian law is different from the European Union's regulations which are governed by eIDAS.

The European Union's eIDAS regulations clearly lay out the governance of secure cross-border transactions. Examples of eIDAS's different standards of electronic signatures follow.

  1. Simple electronic signatures (SES) - the taxpayer downloads a PDF of the tax form, makes a copy, signs it, and sends it back by email. It is the easiest method but provides the least validation. It would normally be used if you don't have to verify the person's identity and where you believe the signature is authentic.

  2. Advanced electronic signatures (AES) - this is the most commonly used e-signature. The tax preparer uses an electronic registered delivery service provider to create an audit trail with evidence of the transaction or signing event. The service provides authenticity, identity verification, authentication and integrity. It utilizes PKI technology. 

  3. Qualified electronic signatures (QES) - this signing method provides the highest level of assurance but may be burdensome to use. It requires identification using a certified authority, in-person validation or video as well as a PKI certificate issued with the appropriate technology. In Europe, the signature holds the same legal power as a traditional signature (often referred to as a wet signature).

HR Insider (see references) explains that the European Union’s Directive on Electronic Signatures imposes no general requirement of reliability but leaves proof to the parties. If the validity of the signature is questioned, the party wanting to enforce the signature must prove it is valid.

HR Insider further explains that the EU Directive "ensures that electronic signatures can be valid despite their electronic form and despite not meeting the more demanding standards described in the rest of the Directive. It goes on to prescribe in considerable detail a regime for “advanced electronic signatures” created by a “secure-signature-creation device” and supported by “qualified certificates”". 

With regard to evidence, HR Insider states that the EU Directive "provides that qualified electronic signatures must be admissible in evidence, and that other electronic signatures may not be denied admissibility on grounds of their electronic form or because they are not qualified in one element or another".


Differences Between Canada And The European Union

As discussed, Advanced Electronic Signatures (AES) and Qualified Electronic Signatures (QES) are types of electronic signatures that are classified under the eIDAS regulation of the European Union. The United States also follows similar definitions under the federal ESIGN Act and UETA law.

However, these specific terminologies - AES, QES, or Simple Electronic Signatures (SES) - are not typically used in the context of Canadian law, which has its own regulations regarding electronic signatures.

Canada has generally used a minimalist response to determine the certainty about the legal status of electronic communications and electronic signatures. That is, legislation indicates only the general nature of the results to be achieved. The context is that the basic function of a signature is to link a person with a text or document.

In Canada, electronic signatures are recognized and governed by two primary pieces of legislation:

(1) PIPEDA (Personal Information Protection and Electronic Documents Act)

PIPEDA recognizes the use of electronic signatures. It doesn't detail levels of electronic signatures in the legislation, but instead, it states that a generic electronic signature is "a signature that consists of one or more letters, characters, numbers or other symbols in digital form incorporated in, attached to or associated with an electronic document".

Secure Electronic Signature Regulations outline the requirements for secure electronic signatures. They are appended to PIPEDA and the Canada Evidence Act. It includes instances when secure electronic signatures must be used.

(2) UECA (Uniform Electronic Commerce Act) 

UECA provides non-binding model legislation for each province and territory. Each province has its own laws and regulations. Quebec adopted its own legislation not based on UECA. Legislators wanted to create certainty that e-signatures would be accepted.

Adobe (see references) explains that "where a given ‎statute or regulation is silent on the method of execution, electronic signatures are generally acceptable and enforceable in court". Provincial and federal legislation may require the use of secured electronic signatures in specific circumstances. 


Also thrown into the mix is the Government of Canada's own internal guidance on electronic signatures: Government of Canada Guidance on Using Electronic Signatures. It does not replace or override existing legislation or government policy but acts as a guide for the use of electronic signatures for day-to-day business activities.

As noted earlier, while Canadian law accepts electronic signatures, the terms AES, QES, or SES aren't explicitly used or defined by PIPEDA. I found this disappointing as the European Union's 2016 eIDAS was easy to understand for a layman.

The enforcement and acceptance of electronic signatures can vary based on the specific requirements of different legal contexts. However in the broadest of definitions, Canadian laws seem to be analogous to SES standards except when secured electronic signatures are a legal requirement.


2000 PIPEDA (Personal Information Protection And Electronic Documents Act)

The first piece of legislation that governs Canadian electronic signatures is PIPEDA (Canadian federal law), which endorses the use of e-signatures and outlines explicit requirements for an electronic signature to be secure. According to PIPEDA, a secure electronic signature should be:

  • Unique and distinctive
  • Created under the signer’s sole control
  • Can confirm the identity of the signatory
  • Protected by the technology that can detect any subsequent changes in the document

PandaDoc (see references) explains this means that you can’t just draw an “X” or another kind of icon to sign your document. Online marks like these can’t be identified as unique and can’t prove your identity.

The Canadian government has established certain technologies and processes that it recognizes as providing a secure electronic signature. This includes digital signatures secured by a Public Key Infrastructure (PKI), among others.

If a document requires a secure electronic signature, then only a technology or process recognized by the Canadian government as providing a secure electronic signature would suffice if you do business with the government.

It's important to note the validity of an electronic signature can depend on its use. Some transactions or documents may require a traditional ink (or wet) signature or additional steps beyond just a secure electronic signature.

PIPEDA secure electronic signature criteria seem to have the same requirements as a DES signature and possibly AES. While the SES standard appears to be the equivalent to Canadian law, to be sure your document is provable or enforceable in court, it seems it would be safer to use an e-signature service provider that meets at a minimum the AES standard even though Canadian law doesn't require it. This usually means the service provides enhanced options including multi-factor authentication, audit trails, and other security measures.

Canadian legislation and regulations are scattered over various acts (or government frameworks) which are similar, yet each one is different as well as more vague than eIDAS. Adobe explains this is because PIPEDA does not apply to all federal laws but only to specific federal statute provisions. This left gaps. The gaps were filled through many federal statutes and regulations incorporating language about electronic documents and signatures.

Canadian 2000 UECA (Uniform Electronic Commerce Act)

The second piece of legislation that governs Canadian electronic signatures is UECA.  UETA (Uniform Electronic Transactions Act) is a similar piece of legislation for the United States. 

UECA is a uniform act in Canada, developed by the Uniform Law Conference of Canada. It's aimed at facilitating electronic commerce in Canada by providing a set of rules that ensure the legal validity of electronic documents. Similar to UETA, it does not make electronic documents or signatures more valid than their paper counterparts; it simply balances the playing field. 

Under Canadian common law, an electronic signature is binding. UECA leaves open the means of achieving the appropriate degrees of assurance. It is also silent on evidence, however "many of the uses of secure electronic signatures in Canadian federal legislation support an evidentiary use".

UECA does set out certain requirements for an e-signature to be considered valid and enforceable:

  • Consent: Both parties involved must have agreed to conduct transactions and business electronically. Consent may not necessarily be explicit and can be inferred from the context and surrounding circumstances of the transactions in which they are engaged.

  • Intent to Sign: Both parties involved in the contract must show clear intent that they meant to sign. The signer can show intent by actively attaching a digital signature for electronic document signing.

  • Association of Signature with the Record: There needs to be evidence that a signature is linked or connected to the document being signed. The e-signature needs to be attributable to the signatory subject to the context and circumstances surrounding the signing process. This could be in the form of an IP address, date/time stamp, or any other relevant metadata.

  • Record retention: The electronic record can be reproduced for all parties involved and can be retained and accurately reproduced for later reference. It also needs to maintain an accurate audit trail of all actions taken at every stage of the workflow. The signed document must be tamper-evident, meaning any alterations made post-signature can be detected.
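
The last two requirements above, as an added Python example that is not taken from UECA or any e-signing product: each audit-trail entry records signer metadata and the document's SHA-256 digest and is chained to the previous entry's hash, so an edited entry or a document changed after signing is detectable. The field names, the sample addresses and the practice of keeping the final hash outside the log (for example on the certificate of completion) are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" used for the first entry


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def entry_hash(prev_hash, event):
    """Hash of one entry: binds the event to everything recorded before it."""
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return sha256_hex((prev_hash + payload).encode("utf-8"))


def append_event(trail, action, actor, ip, at, doc_bytes):
    """Record one workflow step together with the document's digest."""
    event = {"action": action, "actor": actor, "ip": ip, "at": at,
             "doc_sha256": sha256_hex(doc_bytes)}
    prev = trail[-1]["hash"] if trail else GENESIS
    trail.append({"event": event, "prev": prev, "hash": entry_hash(prev, event)})
    return trail


def verify_trail(trail, doc_bytes, expected_head):
    """Return a list of problems; an empty list means nothing was altered."""
    if not trail:
        return ["trail is empty"]
    problems = []
    prev = GENESIS
    for i, entry in enumerate(trail):
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["event"]):
            problems.append(f"entry {i}: hash chain broken")
            break
        prev = entry["hash"]
    # The head hash must come from outside the log being checked.
    if trail[-1]["hash"] != expected_head:
        problems.append("head hash does not match the value recorded out of band")
    signed = [e["event"] for e in trail if e["event"]["action"] == "signed"]
    if not signed:
        problems.append("no signing event recorded")
    elif signed[-1]["doc_sha256"] != sha256_hex(doc_bytes):
        problems.append("document differs from the version that was signed")
    return problems


# Constructed sample data: form bytes and a three-step signing workflow.
SAMPLE_FORM = b"T183 for tax year 2023, SIN XXX XX4 286, signed electronically"


def build_sample_trail(doc_bytes):
    trail = []
    append_event(trail, "sent", "preparer@example.com", "192.0.2.10",
                 "2024/02/22 09:00:05", doc_bytes)
    append_event(trail, "viewed", "taxpayer@example.com", "198.51.100.7",
                 "2024/02/22 09:41:12", doc_bytes)
    append_event(trail, "signed", "taxpayer@example.com", "198.51.100.7",
                 "2024/02/22 09:43:50", doc_bytes)
    return trail


if __name__ == "__main__":
    trail = build_sample_trail(SAMPLE_FORM)
    head = trail[-1]["hash"]
    print(verify_trail(trail, SAMPLE_FORM, head))
    print(verify_trail(trail, SAMPLE_FORM + b" (edited)", head))
```

A hash chain only exposes edits if the head hash is kept somewhere the log's editor cannot also rewrite, which is why `verify_trail` takes `expected_head` as a separate argument.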

It's worth noting that UECA is technology-neutral and considers an e-signature to be "electronic information that a person creates or adopts in order to sign a document and that is in, attached to or associated with the document".  

The purpose of UECA defining electronic signatures is to make clear that the electronic version does not have to look like a handwritten signature when it is displayed. This leaves some room for interpretation and can potentially include typed names, electronic images of a handwritten signature, and more. For example, many Canadian banks have you sign electronically by paging to the end of the document online and typing in your name as your signature on the form before you hit the submit button. If you do not type in your name, the submit button fails to work.


Identity Assurance Levels (IALs) For Digital Identities

The Canadian Government's Guideline on Identity Assurance provides a risk assessment process for determining the ability to rely on the digital identity of a party. It is what gives Canadians a secure and convenient way to sign into government services.

The Government of Canada's Guidance on Using Electronic Signatures gives guidance on the type of electronic signature required. The decision is informed by legal advice, assurance level assessment, and the Government of Canada electronic signature guidance.

When making an assessment of assurance levels, the impact of threats should be considered.  Some threats to consider are:

  • impersonation (the signer is not who they claim to be)
  • repudiation (the signer attempts to deny that they originated an e-signature)
  • loss of data integrity (the electronic data has been altered since it was signed)
  • exceeding authority (the signer is not authorized to sign the associated electronic data)

Once the Identity Assurance Levels (IALs) assessment requirements for digital identities have been completed, authentication options need to be determined. Information Technology Security Guidelines (ITSG) are relied upon to determine the appropriate use of cyber authentication services. ITSG-31 User Authentication Guidance for IT Systems assists with credential assurance level requirements while ITSG-33 IT Security Risk Management: A Lifecycle Approach assists with authentication requirements.

IALs for the electronic signing process seem to be the closest thing to eIDAS:

  • IAL1: Little confidence that an individual is who they claim to be. Any type of e-signature is acceptable. Supporting information should include the e-signature and the signed electronic document. I think this is the equivalent to SES. Compromise could reasonably be expected to cause nil to minimal harm.

  • IAL2: Some confidence that an individual is who they claim to be. Any type of e-signature can be used in conjunction with the authentication requirements for Assurance Level 2 or higher. Supporting information should include the authentication method, the e-signature, the signed electronic document, a time-stamp based on standard local system time that indicates the time the document was signed. This level of assurance is likely still classified as SES as it does not seem to involve encryption. Compromise could reasonably be expected to cause minimal to moderate harm.

  • IAL3: High confidence that an individual is who they claim to be. Two options here.

    (1) A non-cryptographic e-signature may be used in conjunction with acceptable two-factor authentication. Supporting information for a non-cryptographically based e-signature should include the same information as for Assurance Level 2.

    (2) A digital signature or secure e-signature may be preferred in some circumstances, depending on the target environment and the security controls that are in place. Supporting information for digital signatures or secure e-signatures should include the verification certificate, the certification path, the associated revocation information or status at the time the electronic document was signed.

    Level 3 is possibly classified as AES but maybe not if the non-cryptographic option is used as PIPEDA (through required government processes) and AES require PKI which is asymmetric cryptography. Compromise at this level could reasonably be expected to cause moderate to serious harm.

  • IAL4: Very high confidence that an individual is who they claim to be. The signer's identity was confirmed using a multi-factor cryptographic SSCD hardware device like a smart card, biometric identifier like a fingerprint, or a secure one-time password.

    Supporting information for level 4 assurance should include the same information as for Assurance Level 3 digital signatures plus a secure time-stamp. I'm going to guess this would be the equivalent of QES if it includes verification by a certified authority. Compromise at this level could reasonably be expected to cause serious to catastrophic harm.

According to PandaDoc, Canadian law doesn’t recognize advanced or qualified electronic signatures like the higher levels of assurance often classified in other countries. Canada only has a standard electronic signature (SES) as defined by UECA.

Examples of identity information are name, date of birth, and sex, for individuals; business registration numbers for organizations; and serial numbers and network identifiers for telecommunications and computing devices. Email addresses as well as user names and passwords can also be a part of verifying an identity. On their own they would only provide a low level of assurance. Layering methods of verifying a digital identity provides greater assurance.

Some examples of online identity verification methods are biometrics, knowledge-based authentication (KBA), two-factor verification, personal identifying information (PII), or geo-location.

The laws and regulations around electronic signatures in Canada are confusing. I guess all that is important is that the answer to, "Can CRA forms be electronically signed?" is yes if you are trying to be tax compliant and paperless in your business!




References used in writing this article: CRA Website Forms and Publications; CRA Campaigns, Government of Canada Guidance on Using Electronic Signatures, Guideline on Identity Assurance, BC Office of the Chief Information Officer Identity Assurance Standard version 1 April 2010, Adobe Electronic Signature Laws & Regulations - Canada, PandaDoc Overview of electronic signature law and legality in Canada, Signiflow Electronic Signatures in Canada, PandaDoc What are types of electronic signatures and which one should you use?, eZsign What is Assurance Level 4 for e-signatures?, OneSpan Digital Signatures: A Comprehensive Guide and Are e-signatures legal, admissible, and enforceable in Canada?, HR Insider Canadian and American Legislation on Electronic Signatures with reflections on the European Union Directive, Canadian Lawyer Saving your files: cloud or network?.