Mr. Chairman and members of the Subcommittee, my name is Mike Nugent. I am General
Counsel for Technology and Intellectual Property at Citibank. I welcome this opportunity to
offer my views in support of the Digital Signature and Electronic Authentication Law (SEAL) of
1998 (S. 1594).
The Need for the SEAL Act
Citibank has joined with a number of other banking and nonbanking financial institutions and
trade associations in organizing a group called the Ad-Hoc Committee for Electronic
Authentication. The goal of this group is to establish national uniformity in the legal and
regulatory regimes governing electronic authentication.
Why have Citibank and these other institutions done this? Because electronic commerce is
unique. At present, its growth is being driven primarily by the Internet, a worldwide network that
respects no geographic, political or economic boundaries. Electronic commerce is global. It will
not long tolerate roadblocks, including those resulting from a failure to act. It will simply
develop outside of the United States, affecting the competitiveness of U.S. financial institutions
and other domestic institutions and, ultimately, the U.S. economy.
Why is the SEAL Act necessary? Because there is an urgent need for a uniform legal and
regulatory infrastructure in the United States to supply the rules and standards for acceptable
levels of identity and security in the virtual world. Inconsistent legal and regulatory regimes with
differing protections, standards and levels of security prevent the growth of commerce which, by
its very nature, is interstate and even international in scope. Disparate laws hinder the
development and unnecessarily burden the introduction of new electronic commerce
technologies, products and services.
The Problem of Conflicting State Laws
Financial institutions put priority on a governance regime for electronic authentication that is
consistent from state to state. This goal is threatened by a burst of state legislation that is
producing a patchwork quilt of conflicting and inconsistent state laws. While the states should
be commended for stepping into the breach and considering regimes for the licensing and
regulation of electronic authentication, the resulting disparate state statutes concern financial
institutions which seek to offer nationwide electronic banking and commerce services.
No two of these state laws are alike. They range from minimalist enabling legislation to detailed
statutes that contemplate far-reaching regulatory schemes. Some statutes are technology specific,
providing that electronic authentication must be accomplished through public key cryptography
utilizing "digital signatures," with licensed or regulated "certificate authorities." Others are
technology neutral and authorize "electronic signatures" using any electronic or digital means
that is adequate to establish message and identity authentication.
The problem is that if there are 50 state regimes governing electronic authentication, the
implementation of secure electronic banking and commerce over the Internet will become costly
and inefficient. Fifty differing legal regimes will diminish the likelihood of seamless and
uniform electronic banking and commerce which by their very nature are interstate in nature.
Fifty different regimes will reduce the incentive for new market entrants to offer electronic
commerce and banking products and services. Fifty different regimes will confuse consumers
doing business over the Internet and will result in a patchwork quilt of differing legal protections,
commercial standards and levels of security. Although efforts to achieve uniform state
legislation are presently underway, the most optimistic projections estimate that it will be years
before those efforts are completed. This time lag will not do in the world of electronic
commerce. Financial institutions need interim relief, and they need it now.
What the SEAL Act Does
So what does the SEAL Act do to solve this problem? Two main things. First, at its most
elemental level, it gives recognition and effect to the use of electronic authentication by financial
institutions throughout the United States. Second, it provides federal uniformity as to
registration, licensing and regulation of the use of electronic authentication by financial
institutions which elect to be covered by the Act. Two points: recognition and effect and federal
uniformity. It is that simple.
The SEAL Act is minimalist legislation. It does not purport to allocate obligations and liabilities
between users and providers of electronic commerce. The SEAL Act does, however, expressly
preserve existing consumer protections such as the Truth in Lending Act, Electronic Fund
Transfer Act and similar statutes and regulations, as well as the rules that govern the validity of
the formation of agreements or system rules under the Uniform Commercial Code or uniform
state laws dealing with electronic contracting. It places the banking agencies in charge of
oversight of these activities by financial institutions to ensure the protection of safety and
soundness.
Why the SEAL Act Is Directed to Financial Institutions
The SEAL Act is directed to financial institutions -- broadly defined to include credit card issuers
and other affiliates of financial institutions. It does this because financial institutions are
uniquely situated. Financial institutions are accustomed to assuming "trusted third party" roles.
They serve as trustees and offer notary and signature guarantee services. Offering electronic
authentication services is a logical outgrowth and functional equivalent of such traditional bank
activities. Also, financial institutions are highly regulated entities. Both federal and state bank
regulators have experience in supervising trusted third-party activities by financial institutions.
This unique layer of regulation sets financial institutions apart from other providers of electronic
authentication. Application of the Act to financial institutions is particularly appropriate as a
first step or confidence-building measure designed to facilitate the broader and ultimate national
growth of electronic commerce. Finally, many of the transactions which individuals and
businesses will seek to authenticate are likely to be financial transactions. However, the SEAL
Act is not a "monopolistic" bill because it does not set up financial institutions as the only
providers of electronic authentication services.
The SEAL Act helps smaller banks in particular to participate in the promising area of electronic
commerce. Because of their size, smaller banks (many of which are state-chartered) are likely to
find it difficult to comply with up to 50 differing state laws in order to provide electronic
authentication services. By establishing a uniform federal framework, compliance costs for these
banks will be minimized and they can become full participants in this exciting new industry.
Accordingly, the Independent Bankers Association of America, which represents the interests of
many smaller banks, has joined other trade associations in endorsing the bill.
The SEAL Act Abhors Bureaucracies
The SEAL Act is minimalist, free-market legislation. It expressly does not seek to establish new government bureaucracies or self-regulatory organizations with licensing and standards-setting powers. The supporters of the SEAL Act believe that entities from any sector should be able to act as Certificate Authorities and participate in electronic authentication. Market forces should pick winners and losers. This approach distinguishes the SEAL Act from at least one other proposal which would establish exclusionary licensing schemes that would bar from the electronic authentication business any provider of Certificate Authority services that does not play by the rules set by the federal government and/or a small clique of service providers.
Let me say a quick word about self-regulatory organizations or SROs. This is a concept that
seems to be gaining currency in some quarters these days, especially with certain agencies in the
federal government and among some groups that think they are the answer, either to privatize or
preempt government regulation, as the case may be. SROs are simply the latest fad. Let me
assure you that they are no panacea. What's more, they are unnecessary and do not enjoy broad
industry support. We strongly oppose SROs, whether mandatory or "voluntary," in whatever
their form.
I cannot stress enough the minimalist nature of the SEAL Act. It stands in contrast to other
proposals being presented to Congress. The bureaucracies (including SROs) created by other
proposals are unnecessary and will stifle this emerging industry and commercial use of electronic
authentication. These bureaucracies intrude on matters that are more properly left to private
contract or sector-specific operating rules. Moreover, they will delay resolution of issues while
the bodies and processes are set up and argued about. The extended debate surrounding
legislative enactment of the bureaucracies contemplated in these other proposals will deter use
and application of electronic authentication while the rules are slowly being framed under the
prolonged and convoluted processes contemplated by those proposals. This process will thwart
current private sector efforts to set up ground rules via contract and operating systems which
address practical and immediate marketplace needs. Electronic authentication need not be
encumbered by a remote, prolonged, bureaucratic regulatory process, especially where the private
sector is handling these issues -- where they are emerging -- and handling them on a real-time
basis.
Moreover, the enforcement and judicial review elements of those other proposals are overkill.
They attempt to mirror the exhaustive approach of the NASD. Such an approach with strict
enforcement and judicial review provisions is more suitable for a developed industry with well-defined standards, codes of conduct and guidelines which have stood the test of time and
experience.
Those other proposals contemplate advanced regulatory schemes for an industry that is only
beginning to develop and commercialize its products and services. The emerging electronic
authentication industry has no history or pattern of demonstrating need for government oversight.
No case has been made that a regulatory blunderbuss needs to be initiated or that a NASD-like
organizational set-up is necessary for electronic authentication or electronic commerce.
The SEAL Act Approach
Citibank and the Ad Hoc Committee advocate through the SEAL Act a different approach, one
that addresses the only real problem that has emerged on the electronic authentication landscape
to date -- the issue of contrary and inconsistent state laws regarding the registration, licensing and
operation of certificate authorities and issuers of digital signatures. We advocate legislation that
allows financial institutions to employ electronic authentication pursuant to private contract and
operating rules and prohibits the states from acting in the area of registration, licensing and
regulation of use of electronic authentication by financial institutions. It is that simple.
This approach allows private contracts to govern the details and nuances of applied electronic
authentication and precludes the states from requiring registration, licensing and detailed
adherence to technical and operational standards on a state-by-state basis. States may continue to
act and legislate when it comes to the legal efficacy of digital signatures and certificates under
state law. This approach can serve as a model and point of departure for non-regulated
enterprises to establish a minimalist, overarching system of electronic authentication governance
without resorting to the creation of whole new bureaucracies under whatever guise.
I strongly urge you to pass the SEAL Act now.