29 January 1998
Source: http://www.senate.gov/~banking/97_10hrg/102897/witness/pollard.htm

Senate Banking, Housing and Urban Affairs Committee

Subcommittee on Financial Services and Technology

Hearing on Electronic Authentication and Digital Signature

Prepared Testimony of Mr. Alfred M. Pollard
Senior Director for Legislative Affairs
The Bankers Roundtable

10:30 a.m., Tuesday, October 28 1997

Summary of Testimony

Electronic Authentication

The Bankers Roundtable supports federal legislation that would provide validity and certainty for private sector contracts relating to electronic authentication.

Electronic authentication provides a critical element for electronic commerce, particularly its role in verifying the identity of parties in financial transactions.

State laws on digital signatures and electronic authentication represented the first efforts to provide a solid foundation for electronic commerce within state borders. The interstate and international nature of electronic commerce requires electronic authenication devices that are valid regardless of location. The policy of supporting private sector initiative and not favoring one technology over another applies to electronic authentication.

Internationally, other countries and the European Community are considering actions to provide certainty and uniformity for electronic authentication.

Precedents exist for limited federal action to provide validity and certainty for private sector contracts for electronic authentication.

Federal action would support private contracts for electronic authentication and would provide certainty for these contracts in the face of differing state laws.

The time for federal legislation has arrived as electronic commerce faces the need for strong authentication arrangements before a truly open system of operation may be realized for users. Federal action would resolve domestic issues and would create a strong foundation for United States actions in the international community.

Full Text of Testimony

Electronic Authentication


Mr. Chairman and members of the Subcommittee, my name is Alfred Pollard and I serve as Senior Director for Legislative Affairs at The Bankers Roundtable. The Roundtable represents the nation's major banking organizations, with a membership open to the 125 largest institutions. Roundtable member companies range in size from $800 million to over $300 billion in assets, represent some two thirds of all domestic banking assets and provide services in nearly every city and town in the United States and in countries around the world. The Roundtable appreciates the opportunity to address the Subcommittee on the important topic of new technology that affects the banking industry.

The Roundtable has been active for some time in the area of technology. Long before current interest in new retail delivery mechanisms, the Roundtable provided a major forum for discussion and industry policy making on the payments system.

Today, the Roundtable continues its efforts through its Technology and Payments Committee and addresses such diverse issues as regulation of delivery vehicles, encryption, privacy and security of new technologies, authentication, international technology issues and related topics. In 1996, the Roundtable issued a set of industry principles as guidance to the banking industry on technology issues entitled Banking and Technology: Statement of Industry Principles. This year the Roundtable spearheaded an effort to join industry groups in a common position on privacy in electronic media and on September 18th produced a joint release on Privacy Principles to benefit bank customers.

The Roundtable has taken a more targetted action in creating the Banking Industry Technology Secretariat or BITS. BITS aims to foster growth and development of electronic banking and commerce in an open environment that will encourage greater choice in banking software, access devices and the development of more efficient processing capabilities for the benefit of bank customers. BITS focuses on the business side of technology issues for the banking industry and has on its board not only Roundtable member companies, but as well members of the American Bankers Association and the Independent Bankers Association of America.

Electronic Authentication

The Roundtable welcomes the opportunity to provide comments on the need for federal action on electronic authentication. For banking, a business founded on customer trust, operational security and privacy, certainty in authentication processes represents a key element of moving forward with new electronic commerce that will occur in an "open" marketplace. Old fashioned "know your customer" concepts remain just as valid in this new electronic age.

Defined. Electronic authentication refers to the use of various technologies that validate the identity of a party or device and, as well, may validate the transaction itself in electronic systems. In other words, electronic authentication verifies that a message was sent by a party and that the message has not been altered, thus proving the origin of information and its integrity. Authentication may come in the form of familiar PIN numbers or passwords or new biometric devices-- thumbprints or retinal scans-- or cryptographic measures such as digital signatures which involve mathematical formulas.

Electronic authentication does not relate to encryption or confidentiality of the message or information, only to the identity of the party and that the message is indeed the one sent by the party. None of the issues relating to law enforcement concerns with encryption or access to information arise here. Authentication, indeed, meets a key goal of the private sector and law enforcement-- assisting in the avoidance of fraud and the maintenance of system integrity and confidence.

Today, the private sector has acted to add this essential component to electronic commerce-- developing, refining and deploying authentication techniques. This means better protection for consumers and for financial institutions and greater utility for electronic commerce. At a recent forum on digital signatures, Department of Commerce General Counsel Andrew J. Pincus indicated that digital signatures are a "critical ingredient" for public and private sector confidence in electronic commerce.

Just as we do not know the exact direction technology and electronic commerce will take in the future and we do not want to impair its development, the future of electronic authentication should continue to evolve and is expected to add more value to electronic commerce, if its development is unimpaired.

Simply put, electronic authentication's role in electronic commerce begins when private parties negotiate agreements, for example to accept credit cards over the Internet, in which provisions exist for electronic authentication. These agreements serve the same function as existing arrangements among parties for retail and wholesale banking products, again such as PIN numbers for credit cards.

State Regulation. State governments have recognized the need for certainty and clarity in agreements between parties to employ electronic authentication. States have enacted laws that would create support for electronic authentication within their borders and for other purposes, such as legal validity and certificate authorities.

As an industry, banking supports a dual banking system and state banking regulation. Many of the nation's top banking firms operate under state charters and state regulation, including some of the nation's largest banks. The banking industry takes state initiatives seriously.

In the instance of authentication, a need exists for federal action in a "narrow band" to create a national approach that facilitates the creation of authentication agreements. State laws, that conflict with one another as enacted or that may conflict later under regulatory and judicial interpretation, run counter to the critical need for certainty in the authentication process.

Need for Federal Action

Before specifics on authentication, a threshold issue must be addressed. Most parties to electronic commerce and the federal government's policies support development of technology and electronic services free from government intervention that would either hinder development of technology or steer it in one direction or another. Why would private sector parties, therefore, indicate that a need exists for federal action to provide certainty for electronic authentication?

Two fundamental reasons exist. First, government action has occurred at the state level and that action hinders development of electronic commerce; federal action would restore open marketplace operation by validating contracts between private parties. Second, evidence exists that as digital signature technology comes on line, there is reluctance to make major investments and deployment with legal uncertainty from differing state rules. In short, federal action is needed to restore private sector development.

Domestic. At the domestic level, electronic commerce would operate under extreme disadvantage and development would be hindered if state laws subjected a device intended to provide customer security and system integrity to uneven and conflicting enforcement. As new electronic commerce opportunities come on line, authentication must be there to assure that parties may identify one another and know that their actions and requests have been heard.

Simply put, why would we want different routing numbers on our checks, those band of numbers that are read electronically and help direct the payments process. Those numbers identify parties to the transaction, but no one wants to have fifty different rules on those simple identifying marks. In another example, VISA has asked the question of whether its hologram, an identifying safety device, needs to be produced in 50 different forms. Yet that is what differing state laws on digital signatures and electronic authentication would create.

Ironically, state banks may be disadvantaged by differing state laws. For the most part and with significant exceptions, state banks are smaller institutions. In a world where the costs are higher to conduct electronic business in a multistate environment, interstate activities for smaller institutions could be severely impacted. Larger institutions would be more likely to bear the extraordinary and unnecessary costs than smaller, primarily state chartered institutions.

Obviously, this subject has critical importance for financial services. Almost every electronic transaction involves the payment of funds. The identity of parties where financial transactions occur is fundamental to electronic commerce.

Simply put, in this narrow area of authentication, agreements signed by parties should be enforced as negotiated. They should be viewed as valid and should not be subject to different interpretation.

In the context of a "narrow band," such a policy affects only the authentication mechanism. If a violation of some other state law occurs, then that law applies to the overall transaction. If fraud, duress, impossibility or any other law violation occurs, a transaction would be subject to that law.

As Commerce Department General Counsel Pincus stated, not only domestic but as well international consensus is needed on digital signatures, because "...fragmentation is the great enemy here." He also supported technology neutrality by government and the need for private sector leadership.

In short, the need is for a federal statement that authentication and identification agreements are valid between the parties and that local laws will not upset this expectation of validity.

International. As transactions in this open marketplace move to an international level, the need for global recognition of identification that permits this one element of the process to proceed smoothly will press upon us.

Internationally, Japan, Denmark, Germany, Italy and the European Union are working to provide legal recognition for electronic authentication agreements. The United Nations has indicated interest in exploring the need for an international law on electronic authentication.

The European Union has published a paper entitled Towards a European Framework for Digital Signatures and Encryption, COM(97)503 released October 8, 1997. The paper highlights the significance of establishing a community-wide approach to electronic authentication in Europe in order to permit electronic commerce to advance. The paper sets forth a number of questions that need answers across national lines. Perhaps of most significance, the paper calls for European action with a common legal framework by the year 2000.

[Of note, the EU Commission paper indicated that key escrow of private keys would endanger the presumption that a document has been signed by the person whose public key corresponds to the private key used to create the digital signature.]

Precedents for Federal Action

Federal action has been taken on a number of occasions to address issues that have an impact on financial service providers at the federal level and at the state level. While not routine, separate approaches have been taken for financial institutions.

At the federal level, banks have differing treatment under securities, merger and bankruptcy laws. Banks, in certain instances, face regulation under differing legal regimes due to the unique role of depository institutions. This has been the basis in many cases for such separation of legal treatment. It must be remembered that banks are key participants in the Federal Reserve's payment system.

Federal law has determined in limited occasions that state laws should not interfere with the operation of financial businesses across state lines. Since 1864, federal law has governed the charging of interest by national banks and has led to banks charging interest rates across state lines in accordance with limitations set forth in federal law, despite state usury laws; 12 USC 85.

Perhaps, the most pertinent and relevant example of a limited action that assured the validity of contracts, critical to commerce, came with congressional action on bilateral netting arrangements. In 1991 as part of the Federal Deposit Insurance Corporation Improvement Act, PL 102-242, a section of the law addressed reducing risk in the payment system.

Congress noted in Section 401 of the law, that financial institutions participate in thousands of transactions daily, that processing those transaction is essential to a "smoothly functioning economy" and that "such transactions can be processed most efficiently if, consistent with applicable contractual terms, obligations among financial institutions are netted." Finally, Congress noted that "the effectiveness of such netting procedures can be assured only if they are recognized as valid and legally binding..."

To that end, Congress provided that such contracts "notwithstanding any other provision of law...shall be netted in accordance with, and subject to the conditions of, the terms of any applicable netting contract." Section 403. [Text of Sections 401-407 is attached.]

Here Congress acted on a key element of commerce, upholding the validity of contracts in one area-- netting-- and not otherwise interfering with state laws.


Limited action now by the federal government would have major benefits for all parties involved in the future of electronic commerce. A measure that provides validity to contracts between parties and provides such valid contracts should not be affected by other laws would provide a clear signal from the United States on its intentions on an international level. Such a measure would provide certainty in the United States without interfering with fundamental commercial laws, most of which emanate from the states. In the end, what should result is a system of business dealings through new technologies in which customer security is increased and the integrity of our payment system is enhanced.


Federal Deposit Insurance Corporation Improvement Act of 1991, PL 104-242 (1991), Sections 401-407


Subtitle A--Payment System Risk Reduction


The Congress finds that--

(1) many financial institutions engage daily in thousands of transactions with other financial institutions directly and through clearing organizations;

(2) the efficient processing of such transactions is essential to a smoothly functioning economy;

(3) such transactions can be processed most efficiently if, consistent with applicable contractual terms, obligations among financial institutions are netted;

(4) such netting procedures would reduce the systemic risk within the banking system and financial markets; and

(5) the effectiveness of such netting procedures can be assured only if they are recognized as valid and legally binding in the event of the closing of a financial institution participating in the netting procedures.


For purposes of this subtitle--

(1) BROKER OR DEALER.-- The term broker or dealer' means--




No stay, injunction, avoidance, moratorium. or similar proceeding or order. whether issued or granted by a court, administrative agency, or otherwise, shall limit or delay application of otherwise enforceable netting contracts in accordance with sections 403 and 404.


This subtitle shall have no effect by implication or otherwise on the validity or legal enforceability of a netting arrangement of any payment system which is not subject to this subtitle.


The provisions of this subtitle may not be construed to limit the authority of the President under the Trading With the Enemy Act (50 U.S.C. App. 1 et seq.) or the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.).