Senate Banking, Housing and Urban Affairs Committee

Subcommittee on Financial Services and Technology

Hearing on Electronic Authentication and Digital Signature

Mr. Chairman and members of the Subcommittee, my name is Mike Nugent. I am General Counsel for Technology and Intellectual Property at Citibank. I welcome this opportunity to offer my views on electronic authentication. I commend you and your colleagues for exploring this important issue.

Citibank has joined with a number of other banking and nonbanking financial institutions and trade associations in organizing a group called the Ad-Hoc Committee for Electronic Authentication. The goal of this group is to establish national uniformity in legal and regulatory regimes governing electronic authentication. Citibank has taken on this task because it has great interest in using electronic authentication in its electronic commerce and Internet products and because it does business all over the United States and in some 98 foreign countries and territories. Indeed, in our view uniformity is essential to the successful development of this important new tool for financial institutions.

Why is this important? Because the business of banking is being transformed by technology. Electronic commerce has the potential to change the way every American does business. According to one recent study, the number of on-line banking users in the United States will more than double by the year 2000 -- just two years away -- to 2.1 million. Worldwide, the figure is expected to quadruple by that date from 10 million to 40 million. Some analysts predict that electronic commerce will be a $300 billion a year business by the year 2000. While no one knows for sure whether these predictions are reliable, it is increasingly evident that the global use of electronic commerce will change commerce as we know it.

From Citibank's point of view, the key issue is whether financial institutions will play an important role in these new forms of commerce. Citibank believes that unless there is federal legislation that facilitates a uniform legal structure in this country, they may not.

In the world of electronic commerce, parties transact business over large, open networks like the Internet. In order to transact business over the Internet parties must find a way to authenticate -- that is, to identify -- each other and to ensure that the messages sent were not tampered with during the transmission. The technique known as electronic authentication meets these goals.

As we have heard, electronic authentication is a cryptographic technique that allows the user to (i) authenticate the identity of or information associated with a sender of a document, (ii) determine that a document was not altered, changed or modified during the transmission to a recipient and/or (iii) verify that a document received was sent by the identified party claiming to be the sender.

These are simple and necessary attributes. They are a useful tool that allows certainty and knowledge about customers and transactions.

Why is legislation necessary or desirable? Financial institutions put priority on a governance regime for electronic authentication that is consistent from state to state. This goal is threatened by a burst of state legislation that is producing a patchwork quilt of conflicting and inconsistent state laws. While the states should be commended for stepping into the breach and considering and enacting regimes for the licensing and regulation of electronic authentication, the resulting disparate state statutory regimes concern financial institutions seeking to offer nationwide electronic banking and commerce services over the Internet and other open networks. I think all of us can agree that the Internet, and commerce conducted over the Internet, transcends state boundaries. As a result, anything short of uniformity will hinder the ability of financial institutions to provide these products and services.

What are the states doing? A number of states have enacted or are considering laws dealing with electronic authentication that impact on financial institutions. These states have varying approaches regarding such matters as registration of certificate authorities, the definition of "digital signature" and the minimal content and technological scope of digital certificates. Some states provide that electronic authentication must be accomplished through public key cryptography. Still others maintain that mere "electronic signatures" -- which use any electronic or digital method employed by the parties-- are adequate to establish message and identity authentication. However, these methods will lead to incompatible and non-interoperable authentication systems, as well as less secure, less trustworthy and possibly rogue authentication systems that could undermine the safety and soundness of electronic banking and commerce. This, in turn, could present concerns related to the efficiency and interoperability of the nation's payments systems.

The problem is that if there are 50 state regimes governing electronic authentication, the implementation of secure electronic banking and commerce over the Internet will become costly and inefficient. Fifty differing legal regimes will diminish the likelihood of seamless and uniform electronic banking and commerce which by their very nature are interstate in nature. Fifty different regimes will reduce the incentive for new market entrants to offer electronic commerce and banking products and services. Fifty different regimes will confuse consumers doing business over the Internet and will result in a patchwork quilt of differing legal protections, commercial standards and levels of security.

There is also a foreign competitiveness issue. This is very important. Foreign countries, particularly in the European Union, are allowing electronic authentication without a variety of conflicting intra-country rules and regulations. They thus facilitate commerce and the competitiveness of their financial institutions and companies. For the U.S. financial services industry to compete in the world market it needs uniformity and simplicity at home.

Make no mistake about it. These are compelling issues for financial institutions. The world will not stand still to wait for the crafting of uniform state laws and similar approaches. While we do not oppose such efforts, Internet electronic commerce is moving forward at too fast a pace to rely solely on them. Financial institutions need legislation, and they need it now.

What should or could legislation do? Seven things:

• First, it should allow financial institutions to employ electronic authentication in the conduct of their business.
  
  
• Second, it should be optional. It should allow financial institutions, broadly defined to include a variety of entities involved in the payments system, to elect to be covered. There are those who have criticized this approach as being limited only to financial institutions. Let me make one thing clear: we have no objection if entities other than financial institutions want to opt in to its protections. Thus while there is a compelling need for financial institutions to have this legislation, it is not meant to exclude other entities or industries. We are confident that the appropriate language to accomplish such inclusion can be worked out.
  
  
• Third, it should not purport to allocate obligations and liabilities between users and providers of electronic authentication. It should leave this up to the parties to establish by contract.
  
  
• Fourth, to protect financial institutions and others who elect coverage from competing or conflicting requirements under state law, it should provide federal uniformity as to registration, licensing and regulation of use of electronic authentication by the parties that elect coverage. Importantly, it is not clear that any legislation advocated by other groups here today would accomplish this essential objective of expressly dealing with the problem caused by conflicting state laws.
  
  
• Fifth, it should put the banking agencies in charge of oversight of these activities by financial institutions to ensure the protection of safety and soundness.
  
  
• Sixth, it should not affect existing consumer protections, including the Truth in Lending Act, the Electronic Fund Transfer Act and other similar statutes and regulations or the rules governing the validity of formation of agreements or system rules under the Uniform Commercial Code or uniform state laws dealing with electronic contracting.
  
  
• Seventh, it should require a review by bank regulators of existing banking regulations to see if they make sense as applied to electronic commerce transactions.

These seven attributes reflect a minimalist, market-oriented approach and are consistent with protection of the public. These measures are contained in the legislation which the Ad-Hoc Committee for Electronic Authentication has proposed. Citicorp and the members of the Ad-Hoc Committee for Electronic Authentication strongly endorse this approach and urge you to act promptly on it.

Finally, and quite important in our view, these measures are consistent with the Clinton Administration's policy announced last July on Global Information Infrastructure. The very first principle of the White House's policy is that "The private sector should lead." That is precisely what electronic authentication legislation as we envisage it would help ensure. The second and third principles of the Administration's policy are that "Governments should avoid undue restrictions on electronic commerce" and that "Where government involvement is needed, its aim should be to support and enforce a predictable, minimalist and simple legal environment for commerce." These are exactly the goals of our proposed legislation as we see it.

Thank you.

Home | Menu | Links | Info | Chairman's Page