6 February 1998
Source: http://www.access.gpo.gov/su_docs/aces/aaces002.html

----------------------------------------------------------------------

[DOCID: f:h2937ih.txt]

105th CONGRESS
1st Session
H. R. 2937

To provide for the recognition of digital and other forms of authentication as an alternative to existing paper-based methods, to improve efficiency and soundness of the Nation's capital markets and the payment system, and to define and harmonize the practices, customs, and uses applicable to the conduct of electronic authentication, and for other purposes.

_______________________________________________________________________

IN THE HOUSE OF REPRESENTATIVES
November 8, 1997

Mr. Baker (for himself and Mr. Dreier) introduced the following bill; which was referred to the Committee on Commerce, and in addition to the Committees on Government Reform and Oversight, the Judiciary, Science, and Banking and Financial Services, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned

_______________________________________________________________________

A BILL

To provide for the recognition of digital and other forms of authentication as an alternative to existing paper-based methods, to improve efficiency and soundness of the Nation's capital markets and the payment system, and to define and harmonize the practices, customs, and uses applicable to the conduct of electronic authentication, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.
This Act may be cited as the ``Electronic Financial Services Efficiency Act of 1997''.

SEC. 2. FINDINGS AND PURPOSE.
(a) Findings.--The Congress finds the following:
(1) In recent years, new technological applications have had a significant impact on bank capital markets and the manner in which business enterprises and financial institutions conduct their activities and operations.
(2) Financial and consumer transactions and communications are being conducted in digital electronic formats because of the adoption of new technological applications which allow for the instantaneous retrieval and transmission of information and the electronic consummation of business and personal transactions.
(3) These changes relate not only to the creation, retention, and delivery of documentation and other data, but also to the purchase and sale of goods and services, the receipt and payment of funds, and other aspects of commerce and finance.
(4) These developments have allowed for the emergence of a new electronic commerce infrastructure for consumer and financial communications and transactions, and the concomitant emergence of electronic authentication methodologies.
(5) These new technologies have impacted, and will continue to impact, the national payment system, our financial services industry, and our Nation's capital markets.
(6) Parties to consumer and financial transactions have heretofore entered into agreements, consistent with paper-based authentication methodologies.
(7) Thus, where the formation of agreements are otherwise valid and effective under applicable law, the parties should be able to use electronic authentication methodologies of equal or greater reliability.
(8) Given the size and importance of our domestic economy and the fact that electronic commerce is not limited by geographical or national boundaries and will have a significant impact on international finance, the United States should be actively involved in the development of uniform global standards for electronic authentication.
(9) There are many industries that have the technical expertise, can meet proposed national standards, and have the desire to offer electronic authentication services. Therefore, it is important not to prematurely limit market access and stifle growth by narrowly defining industries that may provide electronic authentication services.
(10) As a result, it is appropriate for Congress to enable a framework whereby government, business enterprises, financial institutions, and consumers can participate in electronic commerce in a viable, safe, efficient, and consistent manner.
(b) Purpose.--The purpose of this Act is to provide for the recognition of digital and other forms of authentication as an alternative to existing paper-based methods, to improve efficiency and soundness of the Nation's capital markets and payment system, and to define and harmonize the practices, customs, and uses applicable to the conduct of electronic authentication.

SEC. 3. DEFINITIONS.
For purposes of this Act, the following definitions shall apply:
(1) Electronic commerce.--The term ``electronic commerce'' means the transaction or conduct of business in whole or part by electronic means.
(2) Electronic means.--The term ``electronic means'' includes all forms of electronic communication mediated by computer, including telephonic communications, facsimile, electronic mail, electronic data exchanges, satellite, cable, and fiber optic communications.
(3) Electronic authentication.--The term ``electronic authentication'' means any methodology, technology, or technique intended to--
(A) establish the identity of the maker, sender, or originator of a document or communication in electronic commerce; and
(B) establish the fact that the document or communication has not been altered.
(4) Digital signature.--The term ``digital signature'' means any electronic symbol or series of symbols, created, or processed by a computer, intended by the party using it (or authorizing its use) to have the same legal force and effect as a manual signature.
(5) Certification authority.--The term ``certification authority'' means any private or public entity which provides assurance that a particular digital signature, or other form of electronic authentication, is tied to the identity of an individual or legal entity, or attests to the current validity of such a signature.
(6) Trusted third party.--The term ``trusted third party'' means a certification authority who is known to 2 transacting parties and whose certificate is relied upon by those parties.
(7) Certificate.--The term ``certificate'' is an electronic message the contents of which enable the recipient to determine the attestation made regarding the certificate holder by the certification authority.
(8) State.--The term ``State'' has the meaning given to such term in section 3 of the Federal Deposit Insurance Act.
(9) Affiliate.--The term ``affiliate'' means any person that controls, is controlled by, or is under common control with another person.

SEC. 4. COMMUNICATIONS WITH FEDERAL GOVERNMENTAL AGENCIES.
In any written communication with an agency, department, or instrumentality of the United States Government, or with any court of the United States, in which a signature is required or used, any party to the communication may affix a signature by use of a digital signature with a certificate issued by a trusted third party.

SEC. 5. VALIDITY OF ELECTRONIC AUTHENTICATION.
(a) Validity of Electronic Communications with Agencies, Courts, and Instrumentalities of the United States.--All forms of electronic authentication that comport with standards as described in subsections (a) and (b) of section 6 of this Act shall have standing equal to paper-based, written signatures, such that, with respect to any communications with Federal administrative agencies, Federal courts and other instrumentalities of the United States government--
(1) any rule of law which requires a record to be in writing shall be deemed satisfied; and
(2) any rule of law which requires a signature shall be deemed satisfied.
(b) Validity of Electronic Communications in General.--Unless otherwise expressly prohibited by the laws of any State, all forms of electronic authentication that comport with the standards as described in subsections (a) and (b) of section 6 shall have standing equal to paper-based, written signatures, such that--
(1) any rule of law which requires a record to be in writing shall be deemed satisfied; and
(2) any rule of law which requires a signature shall be deemed satisfied.

SEC. 6. CRITERIA FOR ELIGIBILITY.
(a) Electronic Authentication.--Electronic authentication technology shall be deemed valid hereunder if such technology--
(1) reliably establishes the identity of the maker, sender, or originator of a document or communication in electronic commerce; and
(2) reliably establishes the fact that the document or communication has not been altered.
(b) Emerging Technologies.--2 currently acknowledged signature technologies are public key cryptography and signature dynamics technology. In contemplation of acceptance of other technological applications, the following criteria shall be applied in the determination of their validity for purposes of this Act:
(1) The identification methodology shall be unique to the person making, sending, originating a document or communication.
(2) The identification technology shall be capable of verification.
(3) The identification method or device shall be under the sole control of the person using it.
(4) The identification technology or device shall be linked to data or communication transmitted in such a manner that if such data or communication has been altered, the authentication becomes invalid.

SEC. 7. NATIONAL ASSOCIATION OF CERTIFICATION AUTHORITIES.
(a) In General.--There is hereby established the National Association of Certification Authorities (hereafter in this section referred to as the ``Association'').
(b) Registration.--Any person or group wishing to provide electronic authentication services in the United States shall be a registered member of the Association.
(c) Denial of Membership.--
(1) Decertification.--The Association may deny membership to any person or group (or any affiliate of such person or group) who has been decertified pursuant to subsection (e)(5)(D)(iii).
(2) Failure to comply with code of conduct.--The Association may deny membership to any provider of electronic authentication services who fails to comply with any guidelines, standards, or codes of conduct regarding the use of electronic authentication established by the Electronic Authentications Standards Review Committee pursuant to subsection (e)(2).
(3) Failure to meet standards.--The Association may deny membership to any provider of electronic authentication services to any person or group that is unable to meet standards established pursuant to subsections (a) and (b) of section 6.
(4) Practices inconsistent with this act.--The Association may bar an individual from becoming affiliated with a member of the Association if such individual has engaged in acts or practices inconsistent with this Act and rules established by the Association.
(5) Lack of cooperation.--The Association may bar any person or group from becoming affiliated with a member if such person or group does not agree--
(A) to supply the Association with such information with respect to the relationship and dealings of such person or group with the member as may be specified in the rules of the Association; and
(B) to permit examination of the books and records of such person or group to verify the accuracy of any information so supplied.
(d) Dues.--The rules of the Association shall provide for the equitable allocation of reasonable dues, fees, and other charges among members and other persons applying for membership or using any facility or system which the Association operates or controls.
(e) Standards Review Committee.--
(1) In general.--The Association shall establish the Electronic Authentications Standards Review Committee (hereafter in this subsection referred to as the ``Standards Review Committee'') which shall establish, develop, and refine criteria to be applied to the emerging electronic authentication industry, including--
(A) the roles and responsibilities of the parties involved in electronic authentication;
(B) the application of the standards described in section 6(b) to emerging electronic authentication;
(C) recognition of foreign legal and regulatory standards; and
(D) transparency requirements, licensing, and registration of certification authorities.
(2) Rulemaking.--With the approval of the Secretary of the Treasury, the Standards Review Committee shall establish and adopt such guidelines, standards, and codes of conduct regarding the use of electronic authentication by members of the Association, including the rights and responsibilities of certification authorities in matters involving notification, disclosure requirements, liability of consumers and certification authorities, and hearing procedures regarding disciplinary actions taken by the Standards Review Committee in furtherance of the purposes of this Act.
(3) Enforcement.--The Standards Review Committee shall have enforcement powers to ensure minimum standards and protections for consumers and shall establish and adopt disciplinary procedures and policies in furtherance of the purposes of this Act.
(4) Disciplinary actions.--The Standards Review Committee shall organize in a manner such that disciplinary actions against members shall be heard fairly and in a timely fashion and afford due process.
(5) Notification.--
(A) In general.--If, in the opinion of the Standards Review Committee, any certification authority is engaging or has engaged in conduct in contravention of any guideline, standard, or code of conduct prescribed in accordance with paragraph (3), the Standards Review Committee shall notify such certification authority.
(B) Statement of facts.--The notification shall contain a statement of the facts constituting the violation.
(C) Period for response.--The certification authority shall respond to such notification within 15 days.
(D) Sanctions.--Based upon the response of the certification authority, if the Standards Review Committee determines that the certification authority has violated any such guideline, standard, or code of conduct, the committee may take any of the following actions:
(i) Censure.--Publicly censure the certification authority.
(ii) Suspension.--Prohibit the certification authority from providing electronic authentication services in the United States for such period of time as the committee may determine to be appropriate.
(iii) Decertification.--Prohibit the certification authority from providing electronic authentication services in the United States.
(iv) Civil penalty.--Impose monetary penalties on the certification authority.
(6) Judicial review.--Any party aggrieved by an order of the Standards Review Committee under this Act may obtain a review of such order in the United States Court of Appeals within any circuit wherein such party has its principal place of business or in the court of Appeals in the District of Columbia, by filing in the court, within 30 days after the entry of the Standards Review Committee order, a petition praying that the order of the Standards Review Committee be set aside. A copy of such petition shall be forthwith transmitted to the Standards Review Committee by the clerk of the court, and thereupon the Standards Review Committee shall file in the court the record made before the Standards Review Committee. Upon the filing of such petition the court shall have the jurisdiction to affirm, set aside, or modify the order of the Standards Review Committee and to require the Standards Review Committee to take such action with regard to the matter under review as the court deems proper. The findings of the Standards Review Committee as to the facts, if supported by substantial evidence, shall be conclusive.
(7) Report to secretary of the treasury.--The Standards Review Committee shall transmit to the Secretary of the Treasury, not later than February 20 and July 20 of each year, complete reports of the activities of the committee undertaken in furtherance of the purposes of this Act, including a statement of the committee's objectives and plans for the next semiannual reporting period.
(8) Studies and recommendations.--The Standards Review Committee may conduct studies to carry out the purposes of this Act. On the basis of such studies the Committee may make recommendations to the Secretary of the Treasury concerning the implementation of this Act and such legislative and administrative action as the committee may determine to be necessary to promote the recognition of electronic authentication as an alternative to paper-based methods of verification.

SEC. 8. OVERSIGHT.
The Secretary of the Treasury shall provide effective oversight and shall review the activities of the Electronic Authentication Standards Review Committee on a semiannual basis, providing a venue for the discussion and airing of all activity, standards and other material issues which may have arisen during that time period.

SEC. 9. CONSUMER PROTECTION.
(a) In General.--No provision of this Act shall be construed as impairing any right afforded a consumer under the provisions of any law applicable to an underlying transaction or communication that is authenticated by digital signature or other form of electronic authentication that comports with the standards as described in subsections (a) and (b) of section 6.
(b) Notification.--Any transaction or communication involving a consumer that is authenticated by digital signature or other form of electronic authentication that comports with the standards as described in subsections (a) and (b) of section 6 shall contain a notification of the fact that such transaction or communication has been authenticated. Such notification shall be in such form as prescribed by the Electronic Authentication Standards Review Committee.
(c) Definitions.--For purposes of this section, the following definitions shall apply:
(1) Consumer.--The term ``consumer'' means an individual.
(2) Transaction.--The term ``transaction'' refers only to transactions for personal, family, or household purposes.
(3) Communication.--The term ``communication'' means a communication pertaining only to personal, family, or household purposes.