National banks have been launched into deep cyberspace. On Jan. 12, the Office of the Comptroller of the Currency approved the operating subsidiary application of Zions First National Bank to establish Digital Signature Trust Co. as a certification authority to issue digital certificates for electronic authentication.
Electronic authentication is a prerequisite for binding Internet transactions and payments, as well as for electronic documents that will hold up in court. Digital Signature Trust will also operate an accessible data base for storing, retrieving, and verifying the current validity of a digital certificate known as a key repository; and will also provide escrow services for cryptographic keys used for encryption rather than authentication.
The OCC's sweeping legal analysis found that acting as a certification authority, as well as engaging in the intertwined function of key repository, is part of the business of banking regardless of whether bank- issued digital certificates are used for financial transactions.
This conclusion was reached on the basis that certification authority activities are the functional equivalent of notary services long offered by banks and a logical outgrowth of bank identification and verification skills, and that they also respond to bank customer needs and involve risks similar in nature to those already assumed by banks. Key escrow was approved on the basis of being the functional equivalent of traditional bank safekeeping services.
These are momentous precedents. In the information age, banks may be able to employ their core competencies in security, data management, and telecommunications in a broad range of activities beyond the bounds of traditional banking.
The approval letter reveals that OCC examiners worked closely with Zions National Bank as it planned its certification authority activities, and that they will engage in close supervision of its operations.
The OCC's bank technology policy and operations staff is developing a supervisory issuance on national bank certification authority activities and will monitor general certification authority industry developments on an ongoing basis. OCC will exert a tight rein over these activities, including subjecting third-party software and vendor service providers to its examination and regulatory authority.
The crucial role of a certification authority is to prevent identity theft. Initially, Digital Signature Trust will issue only fairly high level certificates to persons who physically present themselves at a designated registration office and provide a reliable photo ID and other indicia of identity; certificate cost will necessarily reflect these procedures.
Though it will issue certificates to Utah residents, it will primarily interact with wholesale customers, both within and outside the state, and provide certificates for use within closed systems where preexisting contractual relationships bind the relying parties. A bank card authorization system is an example of a closed system governed by contractual arrangements, and the SET security protocol being developed by VISA and MasterCard makes extensive use of digital certificates.
Digital Signature Trust's subscription contracts will be governed by Utah's 1995 Digital Signature Act. Utah enacted it in the apparent hope that it could become for certification authority establishment what Delaware is for incorporations.
The Utah law seeks to attract certification authorities by providing them with significant insulation from legal liability, and by shifting certain legal burdens away from certification authority and onto their subscribers in the event that a digital "signing" is disputed.
Some legal commentators have been critical of the Utah statute as placing excessive potential legal liability on private key subscribers, particularly consumers. It obliges them to exercise reasonable care in controlling their private keys, and to indemnify certification authorities for misuse.
Utah's statute not only places more potential liability on key subscribers but is also less flexible and more restrictive than other state laws-as well as the model Uniform Electronic Transactions Act now being drafted by the National Conference of Commissioners on Uniform State Laws- in that it does not encompass electronic authentication methodologies other than dual key cryptography.
California law, for example, also recognizes a biometric reading of a handwritten signature as providing equivalent authentication.
This far-reaching OCC approval seems bound to have political ramifications. Last fall, nonbank financial and technology firms successfully engaged in behind-the-scenes lobbying against introduction of a bank-drafted bill that would have authorized banking organizations to employ electronic authentication exempt from state laws and subject solely to private contractual rules. They may now charge that the OCC has achieved nearly the same result by regulatory fiat, but that is not what has happened here. The OCC has just authorized a national bank to offer services in accordance with one state's existing law.
Banks' capital strength, fiduciary tradition, and long involvement with electronic services and data base management create a natural affinity for providing electronic authentication services. It is those characteristics, rather than any administrative order, which will make banks serious contenders in this field.
The OCC has not given national banks any leg up on the competition. In particular, reading between the lines of its letter makes clear that the enforceability of Utah law against key subscribers residing beyond its borders is uncertain, particularly if they are individual consumers or where the relevant transaction is governed by public law rather than private system rules.
Ironically, to the extent that the OCC's approval spurs the entry of national banks into this new role facilitating electronic commerce, it may hasten congressional consideration of uniform federal rules for electronic authentication.
These could govern privacy, legal presumptions, liability, warranties and disclosure, as well as determine the ultimate allocation of regulatory oversight and supervisory responsibilities for certification authorities regardless of their business form.
