[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]



       REGULATORY DIVERGENCE: FAILURE OF THE ADMINISTRATIVE STATE

=======================================================================

                                HEARING

                               BEFORE THE

                            SUBCOMMITTEE ON
                       INTERGOVERNMENTAL AFFAIRS

                                 OF THE

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED FIFTEENTH CONGRESS

                             SECOND SESSION

                               __________

                             JULY 18, 2018

                               __________

                           Serial No. 115-92

                               __________

Printed for the use of the Committee on Oversight and Government Reform



              [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


         Available via the World Wide Web: http://www.fdsys.gov
                       http://oversight.house.gov
                       
                                  ________
                                 
                       
                      U.S. GOVERNMENT PUBLISHING OFFICE
                
31-369 PDF                      WASHINGTON: 2018
                        
                       
                       
              Committee on Oversight and Government Reform

                  Trey Gowdy, South Carolina, Chairman
John J. Duncan, Jr., Tennessee       Elijah E. Cummings, Maryland, 
Darrell E. Issa, California              Ranking Minority Member
Jim Jordan, Ohio                     Carolyn B. Maloney, New York
Mark Sanford, South Carolina         Eleanor Holmes Norton, District of 
Justin Amash, Michigan                   Columbia
Paul A. Gosar, Arizona               Wm. Lacy Clay, Missouri
Scott DesJarlais, Tennessee          Stephen F. Lynch, Massachusetts
Virginia Foxx, North Carolina        Jim Cooper, Tennessee
Thomas Massie, Kentucky              Gerald E. Connolly, Virginia
Mark Meadows, North Carolina         Robin L. Kelly, Illinois
Ron DeSantis, Florida                Brenda L. Lawrence, Michigan
Dennis A. Ross, Florida              Bonnie Watson Coleman, New Jersey
Mark Walker, North Carolina          Raja Krishnamoorthi, Illinois
Rod Blum, Iowa                       Jamie Raskin, Maryland
Jody B. Hice, Georgia                Jimmy Gomez, Maryland
Steve Russell, Oklahoma              Peter Welch, Vermont
Glenn Grothman, Wisconsin            Matt Cartwright, Pennsylvania
Will Hurd, Texas                     Mark DeSaulnier, California
Gary J. Palmer, Alabama              Stacey E. Plaskett, Virgin Islands
James Comer, Kentucky                John P. Sarbanes, Maryland
Paul Mitchell, Michigan
Greg Gianforte, Montana
Michael Cloud, Texas

                     Sheria Clarke, Staff Director
                    William McKenna, General Counsel
                 Kelsey Wall, Professional Staff Member
   Katy Rother, Intergovernmental Affairs Subcommittee Staff Director
                    Sharon Casey, Deputy Chief Clerk
                 David Rapallo, Minority Staff Director
                                 ------                                

               Subcommittee on Intergovernmental Affairs

                     Gary Palmer, Alabama, Chairman
Glenn Grothman, Wisconsin, Vice      Jamie Raskin, Maryland, Ranking 
    Chair                                Minority Member
John J. Duncan, Jr., Tennessee       Mark DeSaulnier, California
Virginia Foxx, North Carolina        Matt Cartwright, Pennsylvania
Thomas Massie, Kentucky              Wm. Lacy Clay, Missouri
Mark Walker, North Carolina          (Vacancy)
Mark Sanford, South Carolina




                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on July 18, 2018....................................     1

                               WITNESSES

Mr. James ``Bo'' Reese, President, National Association of State 
  Chief Information Officers; Chief Information Officer, Office 
  of Management and Enterprise Services, State of Oklahoma
    Oral Statement...............................................     5
    Written Statement............................................     8
Mr. John Riggi, Senior Advisor for Cybersecurity and Risk, 
  American Hospital Association
    Oral Statement...............................................    30
    Written Statement............................................    32
Mr. Robert Weissman, President, Public Citizen
    Oral Statement...............................................    38
    Written Statement............................................    40
Mr. Christopher Feeney, Executive Vice President, Bank Policy 
  Institute
    Oral Statement...............................................    71
    Written Statement............................................    73
Mr. Oliver Sherouse, Policy Analytics Lead, Program for Economic 
  Research on Regulation, Mercatus Center
    Oral Statement...............................................    86
    Written Statement............................................    88

 
       REGULATORY DIVERGENCE: FAILURE OF THE ADMINISTRATIVE STATE

                              ----------                              


                        Wednesday, July 18, 2018

                  House of Representatives,
         Subcommittee on Intergovernmental Affairs,
              Committee on Oversight and Government Reform,
                                                   Washington, D.C.
    The subcommittee met, pursuant to call, at 2:08 p.m., in 
Room 2154, Rayburn House Office Building, Hon. Gary J. Palmer 
[chairman of the subcommittee] presiding.
    Present: Representatives Palmer and Raskin.
    Mr. Palmer. The Subcommittee on Intergovernmental Affairs 
will come to order. Without objection, the presiding member is 
authorized to declare a recess at any time.
    The Federal Government has long been associated with 
entrenched bureaucracy, separated by agencies and ignorant of 
the realities of the average American's life. Federal agencies 
impose regulatory requirements under a siloed organizational 
structure that is program by program, department by department, 
with very little interagency coordination. This committee is 
well aware of the impact of Federal agencies' failure to 
coordinate between themselves and non-Federal stakeholders.
    For the last 8 years, the Government Accountability Office 
has issued an annual report on overlapping, duplicative, and 
otherwise wasteful Federal programs. And to date, addressing 
the problems that GAO highlights in these reports has saved 
over $175 billion. Addressing the remaining could save tens of 
billions of dollars more. And I might even argue, in some cases 
hundreds of billions of dollars more.
    In other words, the failure of Federal agencies to 
coordinate has wasted hundreds of billions of dollars of 
taxpayer money over the last decade.
    But the impact of the failure of the administrative state 
doesn't stop there. The lack of interagency coordination has 
led to a steady accumulation of divergent regulatory mandates 
on States and the private sector. Despite often seeking similar 
results, Federal agencies impose conflicting regulations that 
force the regulated entities, like State agencies and private 
sector businesses, to focus heavily on compliance rather than 
improved outcomes.
    Although the panel comes from different sectors, missions, 
and backgrounds, there is remarkable consistency in their 
testimony about the burdensome effects of a divergent 
regulatory regime.
    Today Federal regulations touch nearly every aspect of 
daily life, and those regulations have become so complex that 
even the regulators can't agree what the requirements are or 
how to comply with them.
    As a result, these divergent regulations drastically 
increase the overall cost of the intended operations and 
deviate from the intended purpose of the regulations 
themselves. According to the Competitive Enterprise Institute, 
Federal regulations cost the economy nearly $2 trillion 
annually.
    And what I like to point out, I have some colleagues who 
identify that as a hidden tax. It really isn't. At least a tax 
goes to build a road or a bridge or has some good purpose in 
many cases. A regulatory cost is just a hidden cost that weighs 
disproportionately heavily upon low-income families. I think 
that averages almost $15,000 per household.
    Likewise, State governments also experience a drain on 
resources and State autonomy due to regulatory divergence. 
State officials from the National Association of State Chief 
Information Officers have shared multiple accounts with the 
committee on duplicative and inconsistent audit requirements 
imposing significant burdens on States without any substantive 
benefit.
    One State's chief information security officer reported 
than an audit of the same data security enterprise yielded 
inconsistent results across multiple Federal agencies. 
Unfortunately, this has become a regular feature of the State 
partnership with the Federal Government.
    It is our duty to the American people to explore 
opportunities to harmonize our current regulatory standards. To 
do this, Federal agencies, along with State governments and the 
private sector, need to come together to develop means of 
communication and cooperation to mitigate future duplicative, 
inconsistent, and obsolete regulations.
    We are fortunate today to have with us a panel that can 
help us better understand the challenges imposed by these 
Federal regulatory standards. I thank the witnesses for being 
here today.
    And at this point, I would like to yield to my friend and 
colleague from Maryland, the ranking member, Mr. Raskin, for 
his opening statement.
    Mr. Raskin. Mr. Chairman, thank you. It's always a pleasure 
to be with you, Chairman Palmer.
    I'm planning to surprise everyone by becoming the first 
American politician in history to defend regulation in its 
entirety: the notice and comment period, the hearing process, 
regulatory enforcement, the whole kit and caboodle.
    Let's start with terminology. A regulation is just a fancy 
name for a rule, and we all live according to rules. Every 
family has rules, every household, every sport, every school, 
every road, every highway, every institution, every economy, 
every government, every nation, every corporation, every State, 
county, city, and town.
    And, indeed, Congress itself and every committee has rules. 
I get 5 minutes to do my opening presentation no matter how 
brilliant it is, not 6 minutes, not 4 minutes, but we've got a 
rule about it. The rule gives us a fair allotment of time and 
makes each of us free to use it. We will probably invoke dozens 
of rules as we go about our business in the House today.
    But the rules targeted for criticism in this hearing are 
the rules that Federal agencies adopt to enforce the laws that 
we pass in Congress. The laws and the rules reflect the values 
of the people and implement our social priorities.
    Look at what agency rules do. The Department of Labor's 
overtime rule says that hourly wage workers must be paid time 
and a half when their bosses ask them to work more than 40 
hours a week. That's a rule which gives dignity and fairness to 
workers.
    The Federal Aviation Administration's 24-hour rule says 
passengers forced to cancel airline ticket reservations with 24 
hours of purchase must get a full refund. Another FAA rule says 
that passengers who miss their flight must be given standby 
access if they arrive within 2 hours of the missed flight on 
the next flight.
    A lot of Federal rules save human lives and protect public 
health. The National Highway Transportation Safety 
Administration's Gulbransen rule requires dramatically improved 
rear visibility in new cars, which is why so many people in 
this room and in our country have backup cameras on their 
dashboards now. Although President Bush signed it into law in 
2008, the rule was unnecessarily delayed and went into effect 
in 2018.
    Named for 2-year-old Cameron Gulbransen, who was killed 
when a car accidentally backed up over him, this rule has 
already begun to significantly lower the number of deaths and 
injuries, roughly 250 deaths and more than 12,000 injuries a 
year that were occurring from accidents caused by vehicles in 
reverse. The rule compels use of a technology that had been 
available for a decade but was opposed by the auto industry, 
which tried to keep it as an optional luxury add-on item.
    Everyone knows that the seatbelt rule has saved tens or 
even hundreds of thousands of lives since it was adopted in 
1983 despite vehement protests that this was overregulation or 
hyper-regulation when it was first adopted.
    Like these, most Federal rules are commonsense protections 
of vital freedoms that we cherish as Americans. Freedom from 
air pollution and water pollution. Freedom from dangerous 
consumer appliances. Freedom from workplace discrimination and 
exploitation. Freedom from predatory business practices and 
monopolies.
    Moreover, rules have made our people freer and our country 
safer, healthier, cleaner, more just, more equitable, and more 
secure.
    Yet President Trump and my GOP colleagues in the House have 
made destroying government rules one of their top priorities, 
and they have made of deregulation a mindless political fetish.
    But they target only certain kinds of rules. The 
administration hates rules that get in the way of corporate 
power. They want to get rid of rules that restrict Wall Street 
and the finance industry. They want to scrap rules that enforce 
the Clean Water Act and the Clean Air Act and rules that 
restrict the freedom of polluters.
    They love other kinds of rules. They want rules that 
interfere with women's rights to make their own healthcare 
decisions and decisions about birth control and reproduction. 
Just this past May, the administration issued a gag rule that 
blocks recipients of Federal family planning funds from 
counseling or advising women about abortions, and also 
compelling expensive physical, financial, and programmatic 
segregation between units that provide such counseling and 
those that do not.
    They pile rule upon rule in the SNAP program to impose a 
kind of bureaucratic extremism which makes it impossible for 
people to access nutritional benefits that they need.
    So regulations, like statutes or ordinances or 
constitutions, are just forms of law. They can be good, they 
can be bad. They can be efficient, they can be inefficient, 
fair or not. But my colleagues invite us to believe that 
Federal regulation is, in general, categorically burdensome and 
costly. That's false, and we've got a way to show it.
    The Office of Management and Budget annually issues a 
congressionally mandated report that identifies the costs of 
government rules on the private sector and the estimated 
financial benefits produced for the American people. Every year 
this report shows objectively that the economic benefits of 
Federal rules far outweigh the cost.
    Quite shockingly, the administration tried to bury this 
year's report, releasing it 2 months late, almost certainly 
because its findings undercut everything the President has 
stated about government rules.
    The report found that last year Federal rules imposed 
around $5 billion in costs on businesses. At the same time, 
they resulted in more than $27 billion in benefits to the 
public. The regulatory benefits to taxpayers are more than five 
times the cost of these rules.
    The costs of an America without any Federal rules are not 
hard to imagine, but they are impossible to accept. Cars 
without backup cameras or seatbelts. Peanut butter made in 
unsanitary conditions. Banks and hedge funds freed from rules 
of prudential lending. Coal mines that poison coal miners and 
collapse on human beings with impunity. Predatory payday 
lenders operating without a CFPB checking them. Out-of-control 
data breaches. And so on.
    This deregulatory project in our economy and environment is 
risky and dangerous. We cannot risk American lives and our 
environment because the President wants to reward large 
campaign donors while using the regulatory bogeyman to try to 
destroy democratically chosen rules.
    Let's think pragmatically and not ideologically. Let's 
remember that Federal rules are just America's rules. And when 
it comes to building a strong democracy, laissez isn't fair.
    Thank you very much, Mr. Chairman.
    Mr. Palmer. I thank the gentleman.
    I'm pleased to introduce our witnesses.
    Mr. James ``Bo'' Reese, president of the National 
Association of State Chief Information Officers, and Chief 
Information Officer, Office of Management and Enterprise 
Services, State of Oklahoma.
    Mr. John Riggi, senior advisor for cybersecurity and risk 
for the American Hospital Association.
    Mr. Robert Weissman, president of Public Citizen.
    Mr. Christopher Feeney, executive vice president of the 
Bank Policy Institute.
    And Mr. Oliver Sherouse, policy analytics lead for the 
Program for Economic Research on Regulation at the Mercatus 
Center.
    Welcome to you all.
    Pursuant to committee rules, all witnesses will be sworn in 
before they testify. Please stand and raise your right hand.
    Do you solemnly swear or affirm the testimony you're about 
to give is the truth, the whole truth, and nothing but the 
truth, so help you God?
    The record will reflect that all witnesses answered in the 
affirmative.
    Please be seated.
    In order to allow time for discussion, please limit your 
testimony to 5 minutes. And your entire written statement will 
be made part of the record.
    As a reminder, the clock in front of you shows the 
remaining time during your opening statement. The light will 
turn yellow when you have 30 seconds left and red when your 
time is up. Please also remember to press the button to turn 
your microphones on before speaking.
    The chair now recognizes the gentleman, Mr. Reese, for 5 
minutes.

                       WITNESS STATEMENTS

                STATEMENT OF JAMES ``BO'' REESE

    Mr. Reese. Thank you, Chairman Palmer and Ranking Member 
Raskin and members of the subcommittee. Thank you for inviting 
me to testify before you today on the burden of Federal 
regulations and their impact to State governments.
    My name is Bo Reese, and I serve as the chief information 
officer, or CIO, for the State of Oklahoma. I also serve as the 
president of the National Association of State Chief 
Information Officers, or NASCIO.
    All 50 States and three territories are members of NASCIO, 
and we represent the interests of government-appointed State 
CIOs who acted as the top IT officials for State government.
    Today I would like to provide the subcommittee an overview 
of how Federal regulations hamper the ability of State CIOs to 
offer effective and efficient technology and IT services. I 
will also touch upon how the complex Federal regulatory 
environment is duplicative in nature, contributes to 
inconsistent Federal audits, and drives cybersecurity 
investments based on compliance and not risk, which is the more 
secure approach.
    State CIOs act as the technology and IT provider for State 
agencies. State agencies administer Federal programs, like 
Medicaid, SNAP, unemployment insurance, and in so doing 
exchange data with Federal agencies. Because of this 
intergovernmental relationship, Federal agencies impose rules 
on State agencies and all their requirements in audits which 
then flow to State CIOs who provide IT services to State 
agencies.
    Compliance with the multitude of Federal regulations is 
burdensome on States, especially those like Oklahoma that have 
consolidated or unified our IT service delivery. IT unification 
has resulted in $372 million in cost savings and avoidance for 
Oklahoma.
    Before IT unification, Oklahoma was supporting 129 email 
servers in State government, 76 different financial systems, 22 
time and attendance systems, and 30 data center locations. 
After the 5-year IT unification process, we were able to reduce 
redundancies and leverage economies of scale, further enabling 
the hundreds of millions in savings and cost avoidance.
    The biggest hurdle we faced in achieving IT consolidation 
was compliance with Federal regulations. Our Federal agency 
partners are regulating the States not in a streamlined 
fashion, similar to the way we now operate, but in a siloed way 
that impedes our ability to operate effectively. States must 
comb through thousands of pages of Federal regulations to 
ensure that they are in compliance while administering Federal 
programs.
    And even though many Federal regulations are similar in 
nature, they each have minor differences, which then requires 
one-off adjustments for each Federal regulation. This obscures 
the goal of IT consolidation, which ultimately produces savings 
for taxpayers.
    We certainly understand the importance of regulations and 
are not advocating their wholesale elimination. The problem is 
not that there is regulation, but that Federal requirements are 
organized by Federal individual program and do not follow the 
industry-recommended approach, which would regulate cyber 
threats by their risk.
    The siloed Federal regulatory approach is carried forward 
in the Federal audit process. Audits are conducted program by 
program and not holistically. This means that my office 
responds to the same audit questions multiple times, again and 
again, year after year.
    For example, in Oklahoma, the IRS audited one State agency 
multiple times because it viewed different programs as distinct 
and separate entities. My office had to answer hundreds of 
questions, attend multiple audit meetings, and deliver 
additional explanatory material multiple times for one State 
agency.
    This wasteful and inefficient process is repeated time and 
time again across many different State agencies for each 
Federal regulatory entity, not to mention the fact that several 
auditors had different results even though they examined the 
same audit environment.
    A great example of this inefficiency is, in 2016, the State 
of Oklahoma performed 14 audits over 8 months on the same IT 
environment. In 2017, we had 11 audits that took us 7 months 
and all of our resources to perform.
    Ultimately, we believe that there is a more efficient and 
holistic way of ensuring data security and allowing States to 
implement IT consolidation plans that have proven to generate 
cost savings.
    We would like your assistance in getting Federal regulators 
to the table with the State CIOs so that we can harmonize 
regulatory environments and streamline the audit process 
together.
    To this end, NASCIO members have already started the 
process of identifying the differences with two major 
regulations. And I have a great example of what we've performed 
already today. The IRS Publication 1075 and the FBI-CJIS are 
the two that we compared.
    We hope to engage with our Federal partners further and 
appreciate the subcommittee's support in reducing the 
regulatory burden on States.
    In closing, I would like to thank the subcommittee for the 
opportunity to testify on this important issue, and also like 
to express our gratitude to Chairman Gowdy for initiating the 
GAO study on the State impact of Federal regulations in October 
of last year.
    I look forward to your questions, and thank you.
    [Prepared statement of Mr. Reese follows:]
    
    
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Palmer. I thank the gentleman.
    The chair now recognizes Mr. Riggi for his testimony.

                    STATEMENT OF JOHN RIGGI

    Mr. Riggi. Good afternoon. My name is John Riggi, and I 
appreciate the opportunity to testify on behalf of the American 
Hospital Association today.
    Every day hospitals and health systems confront the 
daunting task of complying with a growing number of Federal 
regulations. While Federal regulation is necessary to ensure 
that healthcare patients receive safe, high quality care, in 
recent years, clinical staff--doctors, nurses, and caregivers--
find themselves devoting more time to regulatory compliance, 
taking them away from patient care. Some of these rules do not 
improve care, and all of them raise costs.
    Last fall, the AHA issued a report entitled ``Regulatory 
Overload,'' and I appreciate the opportunity today to discuss 
the findings. The major findings include that health systems, 
hospitals, and post-acute care providers must comply with 629 
discrete regulatory requirements across nine domains.
    The four agencies that promulgated these requirements--the 
Centers for Medicare and Medicaid Services, CMS; the Office of 
the Inspector General, Office for Civil Rights, OIG OCR; and 
the Office of the National Coordinator for Health Information 
Technology, ONC--are the primary drivers of Federal regulation 
impacting these providers.
    However, providers also are subject to regulation from 
other Federal and State entities which are not accounted for in 
this report.
    Health systems, hospitals, and post-acute care providers 
spend nearly $39 billion a year solely on the administrative 
activities related to regulatory compliance in the nine domains 
discussed in the report.
    An average-sized community hospital of 161 beds spends 
nearly $7.6 million annually on administrative activities to 
support compliance with the reviewed Federal regulations. That 
figure rises to $9 million for those hospitals with post-acute 
care beds.
    Nationally, this equates to $38.6 billion each year to 
comply with the administrative aspects of regulatory compliance 
in just these nine domains.
    Looked at in another way, regulatory burden costs $1,200 
every time a patient is admitted to a hospital.
    An average-sized hospital dedicates 59 full-time equivalent 
employees to regulatory compliance, over one-quarter of which 
are doctors, nurses, and pulling clinical staff away from 
patient care responsibilities.
    The frequency and pace of regulatory change make compliance 
challenging and often results in duplication of efforts in 
substantial amounts of clinician time away from patient care. 
As new or updated regulations are issued, a provider must 
quickly mobilize clinical and nonclinical resources to decipher 
the regulations and then redesign, test, implement, and 
communicate new processes throughout the organization.
    Providers dedicate the largest proportion of resources to 
documenting conditions of participation, CoPs, adherence, 
billing and coverage verification processes. Meaningful use has 
spurred provider investment in IT systems, but exorbitant costs 
and ongoing interoperability issues remain. Quality reporting 
requirements are often duplicative and have inefficient 
reporting processes, particularly for providers participating 
in value-based purchasing models.
    Again, this creates inefficiency and consumes significant 
financial resources and clinician staff.
    Fraud and abuse laws are outdated and have not evolved to 
support new models of care. The Stark Law and the Anti-Kickback 
Statute, AKS, can be impediments to transforming care delivery.
    While CMS has waived certain fraud and abuse laws for 
providers participating in various demonstration projects, 
those who receive a waiver generally cannot apply it beyond the 
specific demonstration or model.
    The lack of protections extending care innovations to other 
Medicare or Medicaid patients and commercially insured 
beneficiaries minimize efficiencies and cost savings realized 
through these types of models and demonstration projects.
    A reduction in administrative burden would enable providers 
to focus on patients, not paperwork, and reinvest resources in 
improving care, improving health, and reducing costs.
    We have several general recommendations to reduce 
administrative requirements without compromising patient 
outcomes:
    Regulatory requirements should be better aligned and 
consistently applied within and across Federal agencies and 
programs and subject to routine review for effectiveness to 
ensure the benefit for the public good outweigh additional 
compliance burdens;
    Regulators should provide clear, concise guidance and 
reasonable timelines for the implementation of new rules;
    Conditions of participation should be evidence-based, 
aligned with other laws, industry standards, and flexible in 
order to support different patient populations and communities;
    Federal agencies should accelerate the transition to 
automation of administrative transactions, such as prior 
authorization;
    Meaningful use requirements should be streamlined and 
should be increasingly focused on interoperability and 
cybersecurity risk considerations without holding providers 
responsible for the action of others;
    Quality reporting requirements should be thoroughly 
evaluated across all programs to better determine what measures 
provide meaningful and actionable information for patients and 
providers and regulators;
    Post-acute care rules should be reviewed and simplified to 
remove or update antiquated, redundant, and unnecessary rules;
    With new deliver system and payment reforms emerging, 
Congress, CMS, and the OIG should revisit the Stark Law and AKS 
to ensure that statutes provide the flexibility necessary to 
support the provision of high quality care.
    Thank you for the opportunity to provide an overview of 
AHA's view on regulatory burden. We appreciate the committee's 
focus on this topic. And I look forward to your questions.
    [Prepared statement of Mr. Riggi follows:]
    
    
   [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Palmer. I thank the gentleman.
    The chair now recognizes Mr. Weissman for his testimony.

                  STATEMENT OF ROBERT WEISSMAN

    Mr. Weissman. Mr. Palmer and Mr. Raskin, thank you very 
much for the opportunity to speak today. I wanted to make three 
general points and, assuming I talk fast enough, add a footnote 
in.
    The American regulatory system has made our country 
stronger, better, safer, cleaner, healthier, more fair, and 
more just. It's something we should be celebrating, trying to 
improve, but not attacking with evidence-free allegations.
    As Mr. Raskin pointed out, the benefits of regulation, 
Federal regulation, even monetized and corporate-friendly 
accounting systems, vastly exceed the costs. We know that 
because of the OMB reviews of the costs and benefits of 
significant regulations issued each year. Every single year 
since the agency started conducting that study in 2001, 
benefits have vastly exceeded costs at minimum of a range of 2 
to 1 and typically up to 12 to 1.
    Critics of regulation too often focus on costs to the 
exclusion of talking about the benefits. No agency adopts a 
rule for the simple purpose of imposing costs. There's always a 
rationale and reason, and the benefits have to be taken into 
account. The $2 trillion figure that is routinely cited is not 
based on careful analysis, as my testimony describes in some 
detail.
    It's worth focusing also for a moment on the American 
Hospital Association study, which fell into this same problem 
of focusing exclusively on the cost of regulation without 
talking about the benefit. It acknowledges that there may be 
some patient benefits, but doesn't actually try to monetize 
those costs.
    The study does not show that there are duplicative 
regulations. The study does not acknowledge the benefits in 
monetary terms to patients. The study does not disclose its 
methodology or how its survey was calculated. So there's every 
reason to assume that the cost estimates are inflated.
    Most importantly, what the study fails to do is acknowledge 
why it is that the government imposes a host of regulations on 
the healthcare sector. It's primarily to deal with two 
overarching problems: poor quality of care and massive fraud.
    250,000 people die every single year in this country from 
medical malpractice, making it the third highest single cause 
of death in this country. By any metric, we perform at often 
the worst of all rich countries in quality of care.
    Quality of care regulations are aimed at trying to improve 
that situation. Fraud consumes 3 to 10 percent of all 
healthcare spending in the United States, according to the FBI. 
At the low end, $80 billion a year.
    Those regulations are designed to cut down on rampant 
fraud. They have a purpose. They are inadequate. They're 
obviously not doing the job. It would be much worse off if 
those rules, by and large, were not in place.
    The second point I wanted to make was about the issue of 
regulatory duplication. I think it is the case that much of 
what's complained about in the area of duplication is really a 
disguised complaint about regulation itself.
    That said, there are obviously, in a complicated 
bureaucracy, in a complicated economy, overlapping rules and 
regulations and massive regulatory gaps. So for sure better 
coordination is desirable. It doesn't really make sense to 
blame that problem on the administrative state, though.
    Let's talk for a moment about cybersecurity. It is the case 
that there are massive gaps in cybersecurity and privacy 
protections in this country. That's because there is no 
overarching American cybersecurity framework or privacy 
protection law.
    We absolutely need that. I detail some components of what 
would be desirable in such a framework. That may not cure all 
the problems that are being discussed today by area 
specialists, but it would for sure deal with many of them.
    The third thing I wanted to highlight is that, although 
there has been a very partisan discussion about regulation in 
the Congress for now going on almost a decade, there is a 
shared agenda that's available if members are eager to pick it 
up.
    I think the key elements of reform packages that would have 
bipartisan support would focus on transparency, limiting 
regulatory delay, enhancing regulatory enforcement without 
regard to adopting new rules but making sure everyone plays by 
the same rules, and focusing on the revolving door of people 
leaving from regulatory agencies and going into regulated 
industry, and back and forth.
    Finally, my footnote. Yesterday my organization, along with 
100 other organizations, petitioned OSHA to adopt a heat 
standard to protect indoor and outdoor workers from extreme 
heat. More than 1,000 people die every near in this country 
from extreme heat. Many of them are workers, especially 
agricultural workers.
    Supporting our petition was Raudel Felix Garcia, the 
brother of Audon Felix Garcia, a California farmworker who died 
from excessive heat in the fields. Raudel told the story of his 
brother's death yesterday in a teleconference we had in 
wrenching detail and pleaded with Federal regulators to take 
steps to make sure that no one else died such a needless death.
    It was a crucial reminder both in that particular area, but 
more generally, that life and death is at stake in regulation, 
that real people are affected and protected and need strong 
regulatory protections. And I hope this Congress can ensure 
that that is delivered to them.
    Thank you very much.
    [Prepared statement of Mr. Weissman follows:]
    
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Palmer. I thank the gentleman.
    The chair now recognizes Mr. Feeney for his testimony.

                STATEMENT OF CHRISTOPHER FEENEY

    Mr. Feeney. Chairman Palmer, Ranking Member Raskin, and 
members of the subcommittee, thank you for inviting me to 
testify today. My name is Chris Feeney. I'm the executive vice 
president of the Bank Policy Institute and president of our 
Technology Policy Division, BITS.
    Cybersecurity is a top-of-mind issue for every one of our 
CEOs, and the industry has been and remains committed to making 
the investments necessary to protect our critical 
infrastructure broadly. We embrace the trust that our customers 
confer in us and take the job of protecting customers and their 
data seriously, including valuing their privacy.
    Our industry is heavily regulated. In the U.S. alone, we 
have 9 independent Federal regulators, 3 self-regulatory 
organizations, and 50 State banking, securities, and insurance 
agencies. Regulations include extensive cybersecurity oversight 
and comprehensive data protection standards, such as those in 
the 1999 Gramm-Leach-Bliley Act.
    The cybersecurity requirements across the industry are very 
diverse in terms of size, type of business, and geographic 
footprint. Yet we have validated that over 80 percent of the 
cyber issuances are common across all regulators.
    For the financial sector, it becomes a tangible problem 
when those tasked with creating cybersecurity rules approach 
regulations with their own variations, addressing the same 
cyber requirements with different approaches and language.
    To analogize this, think of the impact on your safety if 
air traffic controllers didn't use English as a common language 
and instead pilots were required to use their native language 
for every airspace they pass through. This would be challenging 
at best, require extensive training, and introduce unneeded 
risk.
    This is the dilemma we face today with variations on cyber 
standards, requirements, and expectations without any 
appreciable benefit to security. These requirements lead to 
misuse of scarce cybersecurity experts' time, taking them away 
from protecting our technology and the customers who count on 
us daily to access ATMs, to write checks, and to pay mortgages.
    When a chief information security officer at one of our 
largest firms estimates that 40 percent of their time is spent 
trying to unravel the web of cybersecurity regulation rather 
than focusing on protecting systems, that's a serious problem.
    We face similar complexity in the area of data breach, 
which has no uniform standard, and we are seemingly entering 
into a complex environment of conflicting requirements related 
to privacy as regulation develops around international 
requirements, emerging State requirements, and potentially 
local requirements, such as those being discussed in Chicago.
    For technology and cybersecurity experts, consistency, 
repeatability, and improved security require a common technical 
and operating architecture, a common language, and a common 
framework to achieve the highest degree of protection.
    In a 2017 Financial Stability Board publication, U.S. 
member agencies self-reported that 10 different Federal schemes 
of cyber regulation were in place and that 43 different 
publicly available cybersecurity issuances were about to be 
offered.
    We want to be clear. The financial industry supports the 
need for cyber regulation and the industry's multi-billion-
dollar investments here to improve our capabilities and satisfy 
our regulations. These investments have contributed to 
developing the highest standards for cybersecurity, data 
security, and customer expectation.
    Individually these regulations have merit. However, when 
one regulation is laid over another and another, it saps both 
the time and focus from executive leadership and those whose 
time and job it is to defend and operate our businesses. And 
more specifically, firms are already burdened by a shortfall of 
skilled cyber professionals and they must take resources away 
from protecting their platforms to interpret the language of 
divergent regulation.
    Ultimately, we hold ourselves accountable for protecting 
customers, our systems, and for compliance with the regulatory 
process. You might be surprised to hear me say that the 
solution is not fewer regulations but instead rationalized and 
harmonized regulation around a common approach and a shared 
language.
    BITS and our industry partners have developed a model cyber 
framework. The foundation of this effort centers on the NIST 
Cybersecurity Framework which is used across multiple 
industries, Federal and State government, and with support from 
both the Obama and the Trump administration.
    The financial sector used this standard to develop a sector 
profile. And importantly, we developed a solution by working 
with our regulators, gathering their input, incorporating their 
diagnostic statements, and tailoring the solution so that we 
don't force a one-size-fits-all approach to managing cyber 
risk.
    There are clear benefits of this approach for the 
regulatory agencies, such as examinations that can be tailored 
to institutional complexity, and for financial firms, such as 
optimizing the use of cybersecurity professionals' time and 
also enabling more effective use of fintech innovators who can 
meet requirements and expectations more efficiently.
    Congress has been vocal in encouraging regulators to pause 
any additional cyber regulation, and we ask that Congress now 
support and encourage the use of the sector profile.
    In the spirit of this committee's broad remit, we also ask 
that Congress work to develop uniform Federal standards for 
data breach notification and a common privacy standard before 
we enter into a 50-State and 50-variation environment similar 
to what we face today in cyber. We must ensure these issues do 
not fall prey to jurisdictional battles, and we need to work 
together to maintain the cyber integrity of the U.S. financial 
system.
    Thank you, Mr. Chairman, and I look forward to your 
questions.
    [Prepared statement of Mr. Feeney follows:]
    
    
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Palmer. I thank the gentleman.
    The chair now recognizes Mr. Sherouse.

                  STATEMENT OF OLIVER SHEROUSE

    Mr. Sherouse. Chairman Palmer, Ranking Member Raskin, and 
members of the subcommittee, thank you for the chance to speak 
to you today about the important and often overlooked problem 
of duplicative regulations and regulatory standards.
    My testimony today will focus on one cause of regulatory 
duplication, the incomprehensible scale of the administrative 
state. And I will also present two ways my colleagues and I are 
working to reduce that problem. First, through the application 
of text analysis and machine learning in our QuantGov project; 
and second by developing an open, machine-readable, and data-
first standard for rulemaking documents called XRRL.
    Now, my job is policy analytics, and what that means is 
that I teach computers to read policy documents, and especially 
regulation. We have to use computers because the administrative 
state has grown to an incomprehensible size. And I mean that 
literally. There are simply too many rules for any one person 
to understand.
    So using text analysis and machine learning, my colleagues 
and I have created a dataset called RegData to quantify Federal 
regulation.
    Now, RegData tells us that today there are more than 103 
million words in the Code of Federal Regulations, including 
1.08 million individual regulatory restrictions, so that's 
words and phrases like ``shall'' and ``must'' that indicate a 
particular mandated or prohibited activity.
    That means that if you were to read the Code as your full-
time job, it would take you 3 years, 111 days, and a bit past 
lunchtime the next day. By the time you'd finished, of course, 
you would need to immediately start figuring out what had 
changed since you started. And that's no easy task since the 
Code increases by an average of more than 1.4 million words 
every year.
    So since reading the Code is impossible, data tools like 
those we have produced for the QuantGov project can help us 
begin to make better sense of the administrative state. 
RegData, in fact, does more than count total words and 
restrictions. It attributes them to the individual agencies 
that write them and predicts which industries will be affected 
by them.
    All of our data is freely available, and our website 
features a daily updated interactive tracker of Federal 
regulation which users can break down by industry and by 
agency.
    And we do the same thing for regulation currently being 
developed with our RegPulse dataset, which examines rules as 
they are published in the Federal Register. And as with 
RegData, we have built a daily updated interactive tool that 
allows users to see which industries have more or fewer 
relevant rules coming into effect over the next several years 
and what those rules are.
    With QauntGov we are producing these kinds of data and 
interactive tools for a growing set of jurisdictions and policy 
documents. The software we used to produce QuantGov is also 
open source and freely available for anyone to use or build on.
    For a more comprehensive understanding of the 
administrative state, however, we should reexamine the medium 
by which regulations are made. The current process is made for 
paper, paper rules and analyses published in a paper Federal 
Register and compiled into a paper Code of Federal regulations.
    Even the electronic versions of these documents essentially 
mimic the paper-based system in use since the Administrative 
Procedure Act of 1946. Seventy years later, it is time for an 
upgrade to an open, machine-readable, and data-first standard 
format for regulatory documents.
    A standard format could liberate the information that's 
currently trapped in pretty dense prose about who regulations 
will affect and how and transform that information into 
accessible data.
    That data can be used by Congress to ensure effective 
oversight. It can be used by regulators to avoid duplication 
across agencies and potentially even across jurisdictions. It 
could facilitate the review of regulatory programs to fix those 
that are broken and to recognize those that are successful. And 
it can be used by businesses and individuals to ensure that 
they know what the law is and how to follow it.
    My colleagues and I are currently developing such a 
standard, the eXtensible Regulatory Reporting Language, or 
XRRL. Our role with this project is to build an open and 
nonproprietary standard incorporating insights from the 
academy, government, and industry that can be adapted to any 
level of government, including the U.S. Federal Government.
    So in conclusion, duplication in regulation is a side 
effect of an administrative state grown too large to manage 
effectively, and tools like the ones we have built with 
QuantGov are a step towards making an incomprehensible 
collection of rules somewhat less so. But the implementation of 
an open, data-first standard format, such as XRRL for 
rulemaking, would be an even more powerful way to render the 
administrative state more manageable while also providing 
benefits to both those writing rules and those subject to them.
    I thank you again for the opportunity to testify, and I 
look forward to answering your questions.
    [Prepared statement of Mr. Sherouse follows:]
    
    
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Palmer. I thank the gentleman for his testimony.
    I think we'll go ahead and begin with our questions. We 
anticipate that they will call votes at any time. In the event 
that occurs, I will order a recess and reconvene.
    And I normally, as chairman, wait until other members have 
asked their questions. And being that there is only one, I am 
at this point going to yield to the ranking member, Mr. Raskin, 
for questions.
    Mr. Raskin. Mr. Chairman, you're a true gentleman. Thank 
you very much for doing that.
    Mr. Reese, let me start with you. I was very interested in 
your testimony. And thanks for coming all the way from 
Oklahoma. One of the things that cheered me about it was that 
you were not engaged in any kind of broadbrush attack on 
regulation. You were giving very specific examples of conflicts 
that just make your life difficult.
    The specific example that you raised in your testimony, or 
at least your written testimony, was if you're handling 
sensitive data in the State, like Social Security data, IRS 
data, how many unsuccessful attempts of somebody trying to get 
into the computer must there be before you're required to shut 
it down and to close people out?
    And you sort of set up a little graph where you showed that 
the IRS requirement was, if there are three attempts, I think 
the one from DOJ was perhaps no more than five attempts, and 
the Social Security agency was a recommendation of no less than 
three, no more than five. Okay.
    And I did the little SAT question analysis and figured, 
okay, well, you could just set it at three. You would meet the 
IRS. You would also meet Department of Justice, because it 
would be not more than five. And the third one was just a 
recommendation. So it's not that big a deal.
    On the other hand, why should it be so difficult for the 
Federal Government on something like that to come up with one 
governing principle? And I wonder if you've attempted to get 
the relevant agencies to come around on one coordinated, 
harmonized approach on that.
    Mr. Reese. Thank you, Ranking Member Raskin, for your 
question.
    So absolutely that is our goal. Our goal is seeking that 
partnership with our Federal partners. And, again, as a State 
agency, I absolutely view our Federal agencies as partners. We 
are all trying to do the same thing, and that is best use our 
citizen tax dollars to serve the needs of the citizens.
    And so our goal in making sure that we are being fiscally 
responsible is where we get into challenges like this where 
we've got multiple different regulations that are imposed upon 
us and trying to find, in some cases, the most restrictive that 
applies. And, of course, in the example we talk about IRS and 
SSA and FBI.
    Mr. Raskin. Did you do anything to see if they would 
coordinate or harmonize?
    Mr. Reese. So working through NASCIO, our national 
association, we have significant outreach where we come 
together and have had several opportunities now to come 
together with the SSA and the FBI and the IRS who come speak to 
us.
    In fact, our last meeting that we had here in Washington at 
the Hall of States, I believe we actually had in excess of, I 
think, 40 CIOs from other States that participated, if not all.
    And those entities came and they spoke to us. And we 
actually get to talk about it. And they're there to answer our 
questions.
    And so there's outreach. There's ongoing opportunities. But 
in typical State and government fashion, it's slow going. We're 
seeking support to continue those actions.
    Mr. Raskin. Gotcha.
    Let me quickly come to you, Mr. Feeney. You mentioned NIST, 
which is actually in my district, so that piqued my curiosity, 
and I was thinking like an example that Mr. Reese gave.
    Does NIST or can NIST play a role in just harmonizing and 
reconciling these things? It doesn't strike me as a really big 
deal except that we've got a big country with a lot of States, 
we have a lot of Federal agencies, and somebody needs to pull 
it together. But does NIST play that function?
    Mr. Feeney. NIST doesn't play that function exactly. But we 
coordinate and partner with NIST quite actively. So we took the 
NIST framework, which was a standard that had multi-stakeholder 
input, and we actually designed it specifically for the 
financial industry with NIST's both endorsement. And also NIST 
held two large conferences for us with the industry, with 
regulators and member firms, to really help develop that.
    So they've been supportive of the work we're doing. They 
actually like it. They'd like to use it as a model for some 
other industries. And we are actively working with them.
    We added two components to the NIST framework, because we 
thought they were very important to surface actively. One is 
governance and the second is third-party or dependency 
management. So we also have taken the NIST framework and 
extended it for the attributes of our industry, so we're 
working very collaboratively with them.
    Mr. Raskin. Thank you much.
    Mr. Weissman, let me come to you. There have been some good 
points raised on specific issues like this on the need for 
harmonization and reconciliation of different Federal mandates 
for the States.
    How can we distinguish those kinds of criticisms or points 
from a broadbrush attack on regulation itself and the system of 
rulemaking?
    Mr. Weissman. Well, I think, as you're pointing out, these 
are pretty particular issues. And it's not obvious that they 
broadly say anything about the administrative state.
    I think in the cyber area the big problem is that there is 
no overarching legal framework. And although the executive 
could come up with one, Congress has actually failed on this.
    We do have a crying need for, as Mr. Feeney was saying, 
really for an overarching cyber protection framework as well as 
a privacy protection one.
    I agree with much of what he said. I disagree with his idea 
that we should preempt State law. I think it would be very 
important to protect overall for States in this. But there does 
need to be a unified approach on that.
    Beyond that, I'm not sure there is a massive problem of 
coordination. There may be issues in particular sectors. In 
many cases, the downside of lack of coordination is 
insufficient regulation rather than too much regulation.
    Mr. Raskin. Thank you.
    I yield back, Mr. Chairman.
    Mr. Palmer. I thank the gentleman.
    I now recognize myself for questions.
    Mr. Reese, how does having to comply with disparate Federal 
regulations impact the States? What kind of burden does that 
impose on the States?
    Mr. Reese. So as you can imagine, in most areas of State 
government we have to be very cautious with the money that we 
have and how we spend it and what we do with it. And the 
challenge that we have is with these resources that we have to 
dedicate to compliance and in cybersecurity.
    We're finding that we're having to put, as someone else 
here, I believe, pointed out, we know that about 40 percent of 
our resources within our compliance in cybersecurity are being 
utilized to our Federal compliance where, again, we're all for 
Federal compliance. We absolutely want to be following the laws 
because we need structure.
    But our challenge is, is that we're having to spend so much 
time and so much duplicative time because of the multiple 
audits, again, when we're having the same audits over and over 
again.
    And the fact that there's some differences that we have to 
go out and try to map as we had showed before, we've got to 
determine what the least common denominator is across those, 
the time constraints are just enormous. The amount of time that 
we spend, the thousands of hours we know.
    We spoke with some of our other States, and we were able to 
log that in a single year Oklahoma spent over 10,000 hours in 
regulatory compliance, Maine spent over 11,000 hours, and 
Kansas over 14,000 hours just in our compliance and audits. 
Colorado itself had nearly 3,000 hours.
    And so all of that is time and resources. And those 
resources, especially in days like we have today with 
cybersecurity being really a number one challenge for all of 
us, we'd rather be spending our time and efforts updating 
legacy systems and trying to enhance our security posture 
rather than trying to meet some of these, in many cases, 
outdated regulatory compliances.
    Mr. Palmer. I ran a State-based think tank for 24 years and 
worked very closely with State legislators and administration 
official across, I think, four or five governors. And I am very 
aware of the cost imposed on the States and the inefficiencies 
from duplicate regulations, obsolete regulations, extremely 
overly complex regulations. It wasn't that the States weren't 
interested in complying. It was in many cases they didn't know 
what complying meant. And we spent an enormous amount of money.
    Mr. Riggi, it's interesting, in your testimony you talk 
about what's going on in healthcare and how the patient-
physician relationship is impacted by overregulation. One 
example, that would be ICD 10, where basically you've got 
doctors that are compromising time with patients--or their time 
with patients is compromised because now they've become data 
entry people.
    Would you like to comment on that?
    Mr. Riggi. Well, again--well, first, I'd just also like to 
clarify for the record that the AHA does understand the 
necessity of regulations to provide safety and high quality 
care for patients.
    Again, the implementation of ICD 10 does require a 
significant amount of physician time. And I think for us to 
make sure we give you the most accurate response, it would be 
better for me to provide you a written response on that one, 
sir.
    Mr. Palmer. That would be fine with me.
    I introduced a bill to postpone the implementation of ICD 
10 primarily because I grew up in a rural area. I grew up dirt 
poor basically in a house that had cardboard between the two by 
fours. And at the time I grew up, we did have a little doctor 
in a town that didn't even have traffic light.
    You won't find that anymore. And one of things that I saw 
happening with ICD 10 was--and even made rural healthcare even 
harder to provide, literally, doctors were selling their 
practices or they were just flat out retiring, shutting the 
door.
    And that's an example of how overregulating can have a very 
negative impact, particularly in these rural healthcare 
settings where they're already undercapitalized. It's also 
impacted wait times, and like I said, the amount of time that a 
doctor's able to spend with a patient.
    And if you want to see what overregulation of a healthcare 
system looks like, take a look at Canada. The Fraser Institute 
published a report, the Huffington Post commented on this, that 
showed that between 1993 and 2009 there were between 25,000 and 
63,000 women died on waiting lists waiting for treatment. The 
wait times have increased that much.
    They just called votes. I'm going to go ahead and ask a 
couple other questions here before we recess.
    But I want to go back to Mr. Reese and ask you, how do the 
Federal regulations keep pace with the evolving technology in 
the business models across State governments.
    Mr. Reese. They do not.
    Mr. Palmer. That is what I thought you'd say.
    Mr. Reese. Our challenge is we find ourselves in a lot of 
cases when we're dealing with our regulatory compliance, we're 
actually dealing with third-party auditors. And the third-party 
auditors are coming in and doing different audits, getting 
different results on the same regulations, on the same systems.
    And the technologies that they're auditing us on are not 
consistent. Their understanding of the technologies are not 
consistent with the technologies that we're using today. And in 
some cases, they're limiting our ability to use what we believe 
would be more cost-effective, efficient, and possibly even more 
secure technologies because we can't check the box with the 
auditor. So we have to go back and spend more money, using 
older technologies, costing the State more dollars, than if we 
could actually make good business decisions.
    And a lot of this has to do with that those Federal 
regulations need to be able to keep up. We need to figure out 
how we can harmonize and be involved in those discussions and 
decisions, and how we can do it quicker so that we can keep up 
with the evolving technology.
    But your point is absolutely spot on.
    Mr. Palmer. What I found, again, working with the think 
tank, is that the people who are responsible for regulating are 
not people who are trying to mess things up. They're trying to 
do a good job. But they're as frustrated as everybody else 
because you call one regulator and get an answer, and 2 or 3 
weeks later you call another regulator and you get a different 
answer. And it's frustrating them, because they want to do a 
good job.
    Mr. Feeney, I'm going to ask this question, then we're 
going to take a recess to go vote. How much does it cost the 
financial institutions to apply with disparate regulations? And 
I'm interested in this because this additional cost gets passed 
on to the consumers, and I think it has a disproportionate 
impact on older customers and lower-income customers.
    Mr. Feeney. Right. So I can't speak to the specific aspect 
of that. I can tell you in 2016 the industry spent $9.5 billion 
on regulation, $1.5 billion of that was spent by the largest 
firms.
    Mr. Palmer. Wait a minute. Wait a minute. According to the 
report that Mr. Raskin said came from OMB, I think you said 
that the regulatory cost was only $5 billion, but you say the 
regulatory cost on the financial institution was $9 billion?
    Mr. Feeney. I think quite a bit in the industry, across the 
industry, and that was a single-year review.
    Mr. Palmer. Thank you.
    Mr. Feeney. The challenge is more, and I think Mr. Reese 
had referenced it, is that our industry, they are trying to 
keep up with the changes in technology, but you can't. It's 
just too fast paced, too hard.
    We were able to use that sector profile, for instance, and 
take the question set down to about 400 from thousands. And 
what that does is provide you some latitude in simplifying the 
diagnostic statements that auditors or examiners would use. And 
there are ways to actually apply these types of tools to help 
the regulators, help the industries, I say that plurally, to 
really minimize the cost. And I think there are a number of 
things we can do in that arena.
    Mr. Palmer. Okay. Hold on. I'm going to suspend for just a 
minute.
    Mr. Raskin. Mr. Chairman, with your permission, I'd like to 
submit for the record the OMB report from which I drew the 
figure, about $4.9 billion. Thanks.
    Mr. Palmer. Okay. This is going to be a long vote series, 
so in consultation with the ranking member, what I'm going to 
do is I'm just going to make a couple other points here. Any 
additional questions will be submitted in writing. Because one 
thing that the ranking member and I do have a constitutional 
responsibility to do, and that is vote, and a political 
responsibility as well.
    I do want to make some points that were in the OMB report, 
and these are quotes from the report, that it was a perspective 
analysis that they say may overestimate or underestimate both 
benefits and costs. Retrospective analysis can be important as 
a collective mechanism. And that this was not an actual 
analysis of actual cost and benefits and that it only applied 
to about 1.6 percent of all the regulations.
    So I tend to be somewhat dismissive of the OMB report, 
because my experience, again, working with the think tanks and 
being focused on trying to come up with sensible regulations. 
This idea that those of us on the Republican side of the aisle 
are for getting rid of all the regulations is just political 
nonsense. What we want are sensible regulations.
    Regulations have improved the quality of life in our 
country. They've protected consumers. They've in some respects 
protected the relationship between the State and Federal 
Government.
    What we want to do is get rid of the obsolete, the 
duplications, and the contradictions, and get it down to 
regulations that businesses can comply with, that they 
understand.
    And one of the reasons that this is important is that in I 
think it was 2014--2015--the Gallup organization put out a 
report entitled basically--I think that the working title was 
``Is Entrepreneurism Dead in America?''
    Prior to 2008, according to the Gallup study, there were 
100,000 more businesses that started up than closed. But by 
2014, there was 70,000 more businesses closed than started up. 
And according to the report, the primary reason for that was 
regulations.
    I've tried to point out to people that businesses are not 
anti-regulation. They're anti-uncertainty. They're anti-
complexity. And what we want to try to do in working to reform 
regulations is as much as possible reduce the uncertainty and 
the complexity, so that some person who has some capital to 
invest can make a sensible investment, whether it's starting a 
business or expanding a business or hiring more people.
    With that, if there are no further questions--let me find 
my script.
    Okay. The ranking member would like to make a closing 
comment. I yield to him.
    Mr. Raskin. Mr. Chairman, thank you very much.
    And I want to just start my closing statement by saying how 
much I agreed with what you just said, that we're not opposed 
to rules which have, indeed, advanced the public interest, but 
obsolete rules or duplicate rules or contradictory rules, and I 
think we can all agree to that.
    You know, nobody is in love with regulation, and the 
biggest tax is on people's time. And that might be one thing 
for big businesses, which often support a lot of regulation, 
but for small businesses it's very tough.
    But I think about the 2010 BP oil spill, which was one of 
the worst environmental catastrophes in our history, which 
caused 11 deaths, immediately the deaths of more than a million 
coastal seabirds and other animals, and 5 million barrels of 
oil poisoning the whole Gulf of Mexico ecosystem.
    That was a failure of regulatory enforcement just like the 
same year the collapse of the coal mines in Mexico, which led 
to dozens of deaths and a real calamity in that country.
    So we need regulation. We need strong regulation. But I 
agree with you, we should be doing whatever we can to get rid 
of the duplicative, unnecessary, and obsolete regulation.
    I yield back, Mr. Chairman.
    Mr. Palmer. I thank the gentleman.
    I thank our witnesses again for appearing before us today.
    The hearing record will remain open for 2 weeks for any 
member to submit a written opening statement or questions for 
the record.
    If there is no further business, without objection, the 
subcommittee stands adjourned.
    [Whereupon, at 3:08 p.m., the subcommittee was adjourned.]