6 February 1998
Source: http://www.access.gpo.gov/su_docs/aces/aaces002.html

----------------------------------------------------------------------

[DOCID: f:h2937ih.txt]

105th CONGRESS
  1st Session
                                H. R. 2937

     To provide for the recognition of digital and other forms of
 authentication as an alternative to existing paper-based methods, to
 improve efficiency and soundness of the Nation's capital markets and
the payment system, and to define and harmonize the practices, customs,
 and uses applicable to the conduct of electronic authentication, and
                          for other purposes.

_______________________________________________________________________

                    IN THE HOUSE OF REPRESENTATIVES

                            November 8, 1997

 Mr. Baker (for himself and Mr. Dreier) introduced the following bill;
which was referred to the Committee on Commerce, and in addition to the
Committees on Government Reform and Oversight, the Judiciary, Science,
  and Banking and Financial Services, for a period to be subsequently
   determined by the Speaker, in each case for consideration of such
 provisions as fall within the jurisdiction of the committee concerned

_______________________________________________________________________

                                 A BILL


     To provide for the recognition of digital and other forms of
 authentication as an alternative to existing paper-based methods, to
 improve efficiency and soundness of the Nation's capital markets and
the payment system, and to define and harmonize the practices, customs,
 and uses applicable to the conduct of electronic authentication, and
                          for other purposes.

    Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Electronic Financial Services
Efficiency Act of 1997''.

SEC. 2. FINDINGS AND PURPOSE.

    (a) Findings.--The Congress finds the following:
            (1) In recent years, new technological applications have
        had a significant impact on bank capital markets and the manner
        in which business enterprises and financial institutions
        conduct their activities and operations.
            (2) Financial and consumer transactions and communications
        are being conducted in digital electronic formats because of
        the adoption of new technological applications which allow for
        the instantaneous retrieval and transmission of information and
        the electronic consummation of business and personal
        transactions.
            (3) These changes relate not only to the creation,
        retention, and delivery of documentation and other data, but
        also to the purchase and sale of goods and services, the
        receipt and payment of funds, and other aspects of commerce and
        finance.
            (4) These developments have allowed for the emergence of a
        new electronic commerce infrastructure for consumer and
        financial communications and transactions, and the concomitant
        emergence of electronic authentication methodologies.
            (5) These new technologies have impacted, and will continue
        to impact, the national payment system, our financial services
        industry, and our Nation's capital markets.
            (6) Parties to consumer and financial transactions have
        heretofore entered into agreements, consistent with paper-based
        authentication methodologies.
            (7) Thus, where the formation of agreements are otherwise
        valid and effective under applicable law, the parties should be
        able to use electronic authentication methodologies of equal or
        greater reliability.
            (8) Given the size and importance of our domestic economy
        and the fact that electronic commerce is not limited by
        geographical or national boundaries and will have a significant
        impact on international finance, the United States should be
        actively involved in the development of uniform global
        standards for electronic authentication.
            (9) There are many industries that have the technical
        expertise, can meet proposed national standards, and have the
        desire to offer electronic authentication services. Therefore,
        it is important not to prematurely limit market access and
        stifle growth by narrowly defining industries that may provide
        electronic authentication services.
            (10) As a result, it is appropriate for Congress to enable
        a framework whereby government, business enterprises, financial
        institutions, and consumers can participate in electronic
        commerce in a viable, safe, efficient, and consistent manner.
    (b) Purpose.--The purpose of this Act is to provide for the
recognition of digital and other forms of authentication as an
alternative to existing paper-based methods, to improve efficiency and
soundness of the Nation's capital markets and payment system, and to
define and harmonize the practices, customs, and uses applicable to the
conduct of electronic authentication.

SEC. 3. DEFINITIONS.

    For purposes of this Act, the following definitions shall apply:
            (1) Electronic commerce.--The term ``electronic commerce''
        means the transaction or conduct of business in whole or part
        by electronic means.
            (2) Electronic means.--The term ``electronic means''
        includes all forms of electronic communication mediated by
        computer, including telephonic communications, facsimile,
        electronic mail, electronic data exchanges, satellite, cable,
        and fiber optic communications.
            (3) Electronic authentication.--The term ``electronic
        authentication'' means any methodology, technology, or
        technique intended to--
                    (A) establish the identity of the maker, sender, or
                originator of a document or communication in electronic
                commerce; and
                    (B) establish the fact that the document or
                communication has not been altered.
            (4) Digital signature.--The term ``digital signature''
        means any electronic symbol or series of symbols, created, or
        processed by a computer, intended by the party using it (or
        authorizing its use) to have the same legal force and effect as
        a manual signature.
            (5) Certification authority.--The term ``certification
        authority'' means any private or public entity which provides
        assurance that a particular digital signature, or other form of
        electronic authentication, is tied to the identity of an
        individual or legal entity, or attests to the current validity
        of such a signature.
            (6) Trusted third party.--The term ``trusted third party''
        means a certification authority who is known to 2 transacting
        parties and whose certificate is relied upon by those parties.
            (7) Certificate.--The term ``certificate'' is an electronic
        message the contents of which enable the recipient to determine
        the attestation made regarding the certificate holder by the
        certification authority.
            (8) State.--The term ``State'' has the meaning given to
        such term in section 3 of the Federal Deposit Insurance Act.
            (9) Affiliate.--The term ``affiliate'' means any person
        that controls, is controlled by, or is under common control
        with another person.

SEC. 4. COMMUNICATIONS WITH FEDERAL GOVERNMENTAL AGENCIES.

    In any written communication with an agency, department, or
instrumentality of the United States Government, or with any court of
the United States, in which a signature is required or used, any party
to the communication may affix a signature by use of a digital
signature with a certificate issued by a trusted third party.

SEC. 5. VALIDITY OF ELECTRONIC AUTHENTICATION.

    (a) Validity of Electronic Communications with Agencies, Courts,
and Instrumentalities of the United States.--All forms of electronic
authentication that comport with standards as described in subsections
(a) and (b) of section 6 of this Act shall have standing equal to
paper-based, written signatures, such that, with respect to any
communications with Federal administrative agencies, Federal courts and
other instrumentalities of the United States government--
            (1) any rule of law which requires a record to be in
        writing shall be deemed satisfied; and
            (2) any rule of law which requires a signature shall be
        deemed satisfied.
    (b) Validity of Electronic Communications in General.--Unless
otherwise expressly prohibited by the laws of any State, all forms of
electronic authentication that comport with the standards as described
in subsections (a) and (b) of section 6 shall have standing equal to
paper-based, written signatures, such that--
            (1) any rule of law which requires a record to be in
        writing shall be deemed satisfied; and
            (2) any rule of law which requires a signature shall be
        deemed satisfied.

SEC. 6. CRITERIA FOR ELIGIBILITY.

    (a) Electronic Authentication.--Electronic authentication
technology shall be deemed valid hereunder if such technology--
            (1) reliably establishes the identity of the maker, sender,
        or originator of a document or communication in electronic
        commerce; and
            (2) reliably establishes the fact that the document or
        communication has not been altered.
    (b) Emerging Technologies.--2 currently acknowledged signature
technologies are public key cryptography and signature dynamics
technology. In contemplation of acceptance of other technological
applications, the following criteria shall be applied in the
determination of their validity for purposes of this Act:
            (1) The identification methodology shall be unique to the
        person making, sending, originating a document or
        communication.
            (2) The identification technology shall be capable of
        verification.
            (3) The identification method or device shall be under the
        sole control of the person using it.
            (4) The identification technology or device shall be linked
        to data or communication transmitted in such a manner that if
        such data or communication has been altered, the authentication
        becomes invalid.

SEC. 7. NATIONAL ASSOCIATION OF CERTIFICATION AUTHORITIES.

    (a) In General.--There is hereby established the National
Association of Certification Authorities (hereafter in this section
referred to as the ``Association'').
    (b) Registration.--Any person or group wishing to provide
electronic authentication services in the United States shall be a
registered member of the Association.
    (c) Denial of Membership.--
            (1) Decertification.--The Association may deny membership
        to any person or group (or any affiliate of such person or
        group) who has been decertified pursuant to subsection
        (e)(5)(D)(iii).
            (2) Failure to comply with code of conduct.--The
        Association may deny membership to any provider of electronic
        authentication services who fails to comply with any
        guidelines, standards, or codes of conduct regarding the use of
        electronic authentication established by the Electronic
        Authentications Standards Review Committee pursuant to
        subsection (e)(2).
            (3) Failure to meet standards.--The Association may deny
        membership to any provider of electronic authentication
        services to any person or group that is unable to meet
        standards established pursuant to subsections (a) and (b) of
        section 6.
            (4) Practices inconsistent with this act.--The Association
        may bar an individual from becoming affiliated with a member of
        the Association if such individual has engaged in acts or
        practices inconsistent with this Act and rules established by
        the Association.
            (5) Lack of cooperation.--The Association may bar any
        person or group from becoming affiliated with a member if such
        person or group does not agree--
                    (A) to supply the Association with such information
                with respect to the relationship and dealings of such
                person or group with the member as may be specified in
                the rules of the Association; and
                    (B) to permit examination of the books and records
                of such person or group to verify the accuracy of any
                information so supplied.
    (d) Dues.--The rules of the Association shall provide for the
equitable allocation of reasonable dues, fees, and other charges among
members and other persons applying for membership or using any facility
or system which the Association operates or controls.
    (e) Standards Review Committee.--
            (1) In general.--The Association shall establish the
        Electronic Authentications Standards Review Committee
        (hereafter in this subsection referred to as the ``Standards
        Review Committee'') which shall establish, develop, and refine
        criteria to be applied to the emerging electronic
        authentication industry, including--
                    (A) the roles and responsibilities of the parties
                involved in electronic authentication;
                    (B) the application of the standards described in
                section 6(b) to emerging electronic authentication;
                    (C) recognition of foreign legal and regulatory
                standards; and
                    (D) transparency requirements, licensing, and
                registration of certification authorities.
            (2) Rulemaking.--With the approval of the Secretary of the
        Treasury, the Standards Review Committee shall establish and
        adopt such guidelines, standards, and codes of conduct
        regarding the use of electronic authentication by members of
        the Association, including the rights and responsibilities of
        certification authorities in matters involving notification,
        disclosure requirements, liability of consumers and
        certification authorities, and hearing procedures regarding
        disciplinary actions taken by the Standards Review Committee in
        furtherance of the purposes of this Act.
            (3) Enforcement.--The Standards Review Committee shall have
        enforcement powers to ensure minimum standards and protections
        for consumers and shall establish and adopt disciplinary
        procedures and policies in furtherance of the purposes of this
        Act.
            (4) Disciplinary actions.--The Standards Review Committee
        shall organize in a manner such that disciplinary actions
        against members shall be heard fairly and in a timely fashion
        and afford due process.
            (5) Notification.--
                    (A) In general.--If, in the opinion of the
                Standards Review Committee, any certification authority
                is engaging or has engaged in conduct in contravention
                of any guideline, standard, or code of conduct
                prescribed in accordance with paragraph (3), the
                Standards Review Committee shall notify such
                certification authority.
                    (B) Statement of facts.--The notification shall
                contain a statement of the facts constituting the
                violation.
                    (C) Period for response.--The certification
                authority shall respond to such notification within 15
                days.
                    (D) Sanctions.--Based upon the response of the
                certification authority, if the Standards Review
                Committee determines that the certification authority
                has violated any such guideline, standard, or code of
                conduct, the committee may take any of the following
                actions:
                            (i) Censure.--Publicly censure the
                        certification authority.
                            (ii) Suspension.--Prohibit the
                        certification authority from providing
                        electronic authentication services in the
                        United States for such period of time as the
                        committee may determine to be appropriate.
                            (iii) Decertification.--Prohibit the
                        certification authority from providing
                        electronic authentication services in the
                        United States.
                            (iv) Civil penalty.--Impose monetary
                        penalties on the certification authority.
            (6) Judicial review.--Any party aggrieved by an order of
        the Standards Review Committee under this Act may obtain a
        review of such order in the United States Court of Appeals
        within any circuit wherein such party has its principal place
        of business or in the court of Appeals in the District of
        Columbia, by filing in the court, within 30 days after the
        entry of the Standards Review Committee order, a petition
        praying that the order of the Standards Review Committee be set
        aside. A copy of such petition shall be forthwith transmitted
        to the Standards Review Committee by the clerk of the court,
        and thereupon the Standards Review Committee shall file in the
        court the record made before the Standards Review Committee.
        Upon the filing of such petition the court shall have the
        jurisdiction to affirm, set aside, or modify the order of the
        Standards Review Committee and to require the Standards Review
        Committee to take such action with regard to the matter under
        review as the court deems proper. The findings of the Standards
        Review Committee as to the facts, if supported by substantial
        evidence, shall be conclusive.
            (7) Report to secretary of the treasury.--The Standards
        Review Committee shall transmit to the Secretary of the
        Treasury, not later than February 20 and July 20 of each year,
        complete reports of the activities of the committee undertaken
        in furtherance of the purposes of this Act, including a
        statement of the committee's objectives and plans for the next
        semiannual reporting period.
            (8) Studies and recommendations.--The Standards Review
        Committee may conduct studies to carry out the purposes of this
        Act. On the basis of such studies the Committee may make
        recommendations to the Secretary of the Treasury concerning the
        implementation of this Act and such legislative and
        administrative action as the committee may determine to be
        necessary to promote the recognition of electronic
        authentication as an alternative to paper-based methods of
        verification.

SEC. 8. OVERSIGHT.

    The Secretary of the Treasury shall provide effective oversight and
shall review the activities of the Electronic Authentication Standards
Review Committee on a semiannual basis, providing a venue for the
discussion and airing of all activity, standards and other material
issues which may have arisen during that time period.

SEC. 9. CONSUMER PROTECTION.

    (a) In General.--No provision of this Act shall be construed as
impairing any right afforded a consumer under the provisions of any law
applicable to an underlying transaction or communication that is
authenticated by digital signature or other form of electronic
authentication that comports with the standards as described in
subsections (a) and (b) of section 6.
    (b) Notification.--Any transaction or communication involving a
consumer that is authenticated by digital signature or other form of
electronic authentication that comports with the standards as described
in subsections (a) and (b) of section 6 shall contain a notification of
the fact that such transaction or communication has been authenticated.
Such notification shall be in such form as prescribed by the Electronic
Authentication Standards Review Committee.
    (c) Definitions.--For purposes of this section, the following
definitions shall apply:
            (1) Consumer.--The term ``consumer'' means an individual.
            (2) Transaction.--The term ``transaction'' refers only to
        transactions for personal, family, or household purposes.
            (3) Communication.--The term ``communication'' means a
        communication pertaining only to personal, family, or household
        purposes.
                                 <all>
