[Congressional Bills 105th Congress]
[From the U.S. Government Publishing Office]
[H.R. 2937 Introduced in House (IH)]







105th CONGRESS
  1st Session
                                H. R. 2937

     To provide for the recognition of digital and other forms of 
 authentication as an alternative to existing paper-based methods, to 
 improve efficiency and soundness of the Nation's capital markets and 
the payment system, and to define and harmonize the practices, customs, 
 and uses applicable to the conduct of electronic authentication, and 
                          for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                            November 8, 1997

 Mr. Baker (for himself and Mr. Dreier) introduced the following bill; 
which was referred to the Committee on Commerce, and in addition to the 
Committees on Government Reform and Oversight, the Judiciary, Science, 
  and Banking and Financial Services, for a period to be subsequently 
   determined by the Speaker, in each case for consideration of such 
 provisions as fall within the jurisdiction of the committee concerned

_______________________________________________________________________

                                 A BILL


 

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Electronic Financial Services 
Efficiency Act of 1997''.

SEC. 2. FINDINGS AND PURPOSE.

    (a) Findings.--The Congress finds the following:
            (1) In recent years, new technological applications have 
        had a significant impact on bank capital markets and the manner 
        in which business enterprises and financial institutions 
        conduct their activities and operations.
            (2) Financial and consumer transactions and communications 
        are being conducted in digital electronic formats because of 
        the adoption of new technological applications which allow for 
        the instantaneous retrieval and transmission of information and 
        the electronic consummation of business and personal 
        transactions.
            (3) These changes relate not only to the creation, 
        retention, and delivery of documentation and other data, but 
        also to the purchase and sale of goods and services, the 
        receipt and payment of funds, and other aspects of commerce and 
        finance.
            (4) These developments have allowed for the emergence of a 
        new electronic commerce infrastructure for consumer and 
        financial communications and transactions, and the concomitant 
        emergence of electronic authentication methodologies.
            (5) These new technologies have impacted, and will continue 
        to impact, the national payment system, our financial services 
        industry, and our Nation's capital markets.
            (6) Parties to consumer and financial transactions have 
        heretofore entered into agreements, consistent with paper-based 
        authentication methodologies.
            (7) Thus, where the formation of agreements are otherwise 
        valid and effective under applicable law, the parties should be 
        able to use electronic authentication methodologies of equal or 
        greater reliability.
            (8) Given the size and importance of our domestic economy 
        and the fact that electronic commerce is not limited by 
        geographical or national boundaries and will have a significant 
        impact on international finance, the United States should be 
        actively involved in the development of uniform global 
        standards for electronic authentication.
            (9) There are many industries that have the technical 
        expertise, can meet proposed national standards, and have the 
        desire to offer electronic authentication services. Therefore, 
        it is important not to prematurely limit market access and 
        stifle growth by narrowly defining industries that may provide 
        electronic authentication services.
            (10) As a result, it is appropriate for Congress to enable 
        a framework whereby government, business enterprises, financial 
        institutions, and consumers can participate in electronic 
        commerce in a viable, safe, efficient, and consistent manner.
    (b) Purpose.--The purpose of this Act is to provide for the 
recognition of digital and other forms of authentication as an 
alternative to existing paper-based methods, to improve efficiency and 
soundness of the Nation's capital markets and payment system, and to 
define and harmonize the practices, customs, and uses applicable to the 
conduct of electronic authentication.

SEC. 3. DEFINITIONS.

    For purposes of this Act, the following definitions shall apply:
            (1) Electronic commerce.--The term ``electronic commerce'' 
        means the transaction or conduct of business in whole or part 
        by electronic means.
            (2) Electronic means.--The term ``electronic means'' 
        includes all forms of electronic communication mediated by 
        computer, including telephonic communications, facsimile, 
        electronic mail, electronic data exchanges, satellite, cable, 
        and fiber optic communications.
            (3) Electronic authentication.--The term ``electronic 
        authentication'' means any methodology, technology, or 
        technique intended to--
                    (A) establish the identity of the maker, sender, or 
                originator of a document or communication in electronic 
                commerce; and
                    (B) establish the fact that the document or 
                communication has not been altered.
            (4) Digital signature.--The term ``digital signature'' 
        means any electronic symbol or series of symbols, created, or 
        processed by a computer, intended by the party using it (or 
        authorizing its use) to have the same legal force and effect as 
        a manual signature.
            (5) Certification authority.--The term ``certification 
        authority'' means any private or public entity which provides 
        assurance that a particular digital signature, or other form of 
        electronic authentication, is tied to the identity of an 
        individual or legal entity, or attests to the current validity 
        of such a signature.
            (6) Trusted third party.--The term ``trusted third party'' 
        means a certification authority who is known to 2 transacting 
        parties and whose certificate is relied upon by those parties.
            (7) Certificate.--The term ``certificate'' is an electronic 
        message the contents of which enable the recipient to determine 
        the attestation made regarding the certificate holder by the 
        certification authority.
            (8) State.--The term ``State'' has the meaning given to 
        such term in section 3 of the Federal Deposit Insurance Act.
            (9) Affiliate.--The term ``affiliate'' means any person 
        that controls, is controlled by, or is under common control 
        with another person.

SEC. 4. COMMUNICATIONS WITH FEDERAL GOVERNMENTAL AGENCIES.

    In any written communication with an agency, department, or 
instrumentality of the United States Government, or with any court of 
the United States, in which a signature is required or used, any party 
to the communication may affix a signature by use of a digital 
signature with a certificate issued by a trusted third party.

SEC. 5. VALIDITY OF ELECTRONIC AUTHENTICATION.

    (a) Validity of Electronic Communications with Agencies, Courts, 
and Instrumentalities of the United States.--All forms of electronic 
authentication that comport with standards as described in subsections 
(a) and (b) of section 6 of this Act shall have standing equal to 
paper-based, written signatures, such that, with respect to any 
communications with Federal administrative agencies, Federal courts and 
other instrumentalities of the United States government--
            (1) any rule of law which requires a record to be in 
        writing shall be deemed satisfied; and
            (2) any rule of law which requires a signature shall be 
        deemed satisfied.
    (b) Validity of Electronic Communications in General.--Unless 
otherwise expressly prohibited by the laws of any State, all forms of 
electronic authentication that comport with the standards as described 
in subsections (a) and (b) of section 6 shall have standing equal to 
paper-based, written signatures, such that--
            (1) any rule of law which requires a record to be in 
        writing shall be deemed satisfied; and
            (2) any rule of law which requires a signature shall be 
        deemed satisfied.

SEC. 6. CRITERIA FOR ELIGIBILITY.

    (a) Electronic Authentication.--Electronic authentication 
technology shall be deemed valid hereunder if such technology--
            (1) reliably establishes the identity of the maker, sender, 
        or originator of a document or communication in electronic 
        commerce; and
            (2) reliably establishes the fact that the document or 
        communication has not been altered.
    (b) Emerging Technologies.--2 currently acknowledged signature 
technologies are public key cryptography and signature dynamics 
technology. In contemplation of acceptance of other technological 
applications, the following criteria shall be applied in the 
determination of their validity for purposes of this Act:
            (1) The identification methodology shall be unique to the 
        person making, sending, originating a document or 
        communication.
            (2) The identification technology shall be capable of 
        verification.
            (3) The identification method or device shall be under the 
        sole control of the person using it.
            (4) The identification technology or device shall be linked 
        to data or communication transmitted in such a manner that if 
        such data or communication has been altered, the authentication 
        becomes invalid.

SEC. 7. NATIONAL ASSOCIATION OF CERTIFICATION AUTHORITIES.

    (a) In General.--There is hereby established the National 
Association of Certification Authorities (hereafter in this section 
referred to as the ``Association'').
    (b) Registration.--Any person or group wishing to provide 
electronic authentication services in the United States shall be a 
registered member of the Association.
    (c) Denial of Membership.--
            (1) Decertification.--The Association may deny membership 
        to any person or group (or any affiliate of such person or 
        group) who has been decertified pursuant to subsection 
        (e)(5)(D)(iii).
            (2) Failure to comply with code of conduct.--The 
        Association may deny membership to any provider of electronic 
        authentication services who fails to comply with any 
        guidelines, standards, or codes of conduct regarding the use of 
        electronic authentication established by the Electronic 
        Authentications Standards Review Committee pursuant to 
        subsection (e)(2).
            (3) Failure to meet standards.--The Association may deny 
        membership to any provider of electronic authentication 
        services to any person or group that is unable to meet 
        standards established pursuant to subsections (a) and (b) of 
        section 6.
            (4) Practices inconsistent with this act.--The Association 
        may bar an individual from becoming affiliated with a member of 
        the Association if such individual has engaged in acts or 
        practices inconsistent with this Act and rules established by 
        the Association.
            (5) Lack of cooperation.--The Association may bar any 
        person or group from becoming affiliated with a member if such 
        person or group does not agree--
                    (A) to supply the Association with such information 
                with respect to the relationship and dealings of such 
                person or group with the member as may be specified in 
                the rules of the Association; and
                    (B) to permit examination of the books and records 
                of such person or group to verify the accuracy of any 
                information so supplied.
    (d) Dues.--The rules of the Association shall provide for the 
equitable allocation of reasonable dues, fees, and other charges among 
members and other persons applying for membership or using any facility 
or system which the Association operates or controls.
    (e) Standards Review Committee.--
            (1) In general.--The Association shall establish the 
        Electronic Authentications Standards Review Committee 
        (hereafter in this subsection referred to as the ``Standards 
        Review Committee'') which shall establish, develop, and refine 
        criteria to be applied to the emerging electronic 
        authentication industry, including--
                    (A) the roles and responsibilities of the parties 
                involved in electronic authentication;
                    (B) the application of the standards described in 
                section 6(b) to emerging electronic authentication;
                    (C) recognition of foreign legal and regulatory 
                standards; and
                    (D) transparency requirements, licensing, and 
                registration of certification authorities.
            (2) Rulemaking.--With the approval of the Secretary of the 
        Treasury, the Standards Review Committee shall establish and 
        adopt such guidelines, standards, and codes of conduct 
        regarding the use of electronic authentication by members of 
        the Association, including the rights and responsibilities of 
        certification authorities in matters involving notification, 
        disclosure requirements, liability of consumers and 
        certification authorities, and hearing procedures regarding 
        disciplinary actions taken by the Standards Review Committee in 
        furtherance of the purposes of this Act.
            (3) Enforcement.--The Standards Review Committee shall have 
        enforcement powers to ensure minimum standards and protections 
        for consumers and shall establish and adopt disciplinary 
        procedures and policies in furtherance of the purposes of this 
        Act.
            (4) Disciplinary actions.--The Standards Review Committee 
        shall organize in a manner such that disciplinary actions 
        against members shall be heard fairly and in a timely fashion 
        and afford due process.
            (5) Notification.--
                    (A) In general.--If, in the opinion of the 
                Standards Review Committee, any certification authority 
                is engaging or has engaged in conduct in contravention 
                of any guideline, standard, or code of conduct 
                prescribed in accordance with paragraph (3), the 
                Standards Review Committee shall notify such 
                certification authority.
                    (B) Statement of facts.--The notification shall 
                contain a statement of the facts constituting the 
                violation.
                    (C) Period for response.--The certification 
                authority shall respond to such notification within 15 
                days.
                    (D) Sanctions.--Based upon the response of the 
                certification authority, if the Standards Review 
                Committee determines that the certification authority 
                has violated any such guideline, standard, or code of 
                conduct, the committee may take any of the following 
                actions:
                            (i) Censure.--Publicly censure the 
                        certification authority.
                            (ii) Suspension.--Prohibit the 
                        certification authority from providing 
                        electronic authentication services in the 
                        United States for such period of time as the 
                        committee may determine to be appropriate.
                            (iii) Decertification.--Prohibit the 
                        certification authority from providing 
                        electronic authentication services in the 
                        United States.
                            (iv) Civil penalty.--Impose monetary 
                        penalties on the certification authority.
            (6) Judicial review.--Any party aggrieved by an order of 
        the Standards Review Committee under this Act may obtain a 
        review of such order in the United States Court of Appeals 
        within any circuit wherein such party has its principal place 
        of business or in the court of Appeals in the District of 
        Columbia, by filing in the court, within 30 days after the 
        entry of the Standards Review Committee order, a petition 
        praying that the order of the Standards Review Committee be set 
        aside. A copy of such petition shall be forthwith transmitted 
        to the Standards Review Committee by the clerk of the court, 
        and thereupon the Standards Review Committee shall file in the 
        court the record made before the Standards Review Committee. 
        Upon the filing of such petition the court shall have the 
        jurisdiction to affirm, set aside, or modify the order of the 
        Standards Review Committee and to require the Standards Review 
        Committee to take such action with regard to the matter under 
        review as the court deems proper. The findings of the Standards 
        Review Committee as to the facts, if supported by substantial 
        evidence, shall be conclusive.
            (7) Report to secretary of the treasury.--The Standards 
        Review Committee shall transmit to the Secretary of the 
        Treasury, not later than February 20 and July 20 of each year, 
        complete reports of the activities of the committee undertaken 
        in furtherance of the purposes of this Act, including a 
        statement of the committee's objectives and plans for the next 
        semiannual reporting period.
            (8) Studies and recommendations.--The Standards Review 
        Committee may conduct studies to carry out the purposes of this 
        Act. On the basis of such studies the Committee may make 
        recommendations to the Secretary of the Treasury concerning the 
        implementation of this Act and such legislative and 
        administrative action as the committee may determine to be 
        necessary to promote the recognition of electronic 
        authentication as an alternative to paper-based methods of 
        verification.

SEC. 8. OVERSIGHT.

    The Secretary of the Treasury shall provide effective oversight and 
shall review the activities of the Electronic Authentication Standards 
Review Committee on a semiannual basis, providing a venue for the 
discussion and airing of all activity, standards and other material 
issues which may have arisen during that time period.

SEC. 9. CONSUMER PROTECTION.

    (a) In General.--No provision of this Act shall be construed as 
impairing any right afforded a consumer under the provisions of any law 
applicable to an underlying transaction or communication that is 
authenticated by digital signature or other form of electronic 
authentication that comports with the standards as described in 
subsections (a) and (b) of section 6.
    (b) Notification.--Any transaction or communication involving a 
consumer that is authenticated by digital signature or other form of 
electronic authentication that comports with the standards as described 
in subsections (a) and (b) of section 6 shall contain a notification of 
the fact that such transaction or communication has been authenticated. 
Such notification shall be in such form as prescribed by the Electronic 
Authentication Standards Review Committee.
    (c) Definitions.--For purposes of this section, the following 
definitions shall apply:
            (1) Consumer.--The term ``consumer'' means an individual.
            (2) Transaction.--The term ``transaction'' refers only to 
        transactions for personal, family, or household purposes.
            (3) Communication.--The term ``communication'' means a 
        communication pertaining only to personal, family, or household 
        purposes.