The Clinton administration's recent encryption export and key recovery initiative opens a potential opportunity for financial institutions to act as key recovery agents.
On Dec. 30, the Department of Commerce issued an interim rule to implement the administration's long-awaited initiative to authorize export of 56-bit-keylength encryption products. It was open to public comment until Thursday.
Under the interim rule, the administration has relaxed for two years controls that have generally prohibited the export of encryption keys exceeding 40 bits in length. In exchange for granting a license exception that authorizes the export of 56-bit encryption, the administration expects commitments by exporters to develop, subject to explicit "benchmarks and milestones," key recovery arrangements under which law enforcement officials acting under proper authority can obtain access to private keys.
To facilitate development of key recovery, the administration will push legislation in Congress to relieve key recovery agents of liability for properly handled keys.
Without mandating a specific technology, the interim rule spells out detailed requirements applicable to both key recovery products and key recovery agents. In particular, Commerce must evaluate and approve the agent's security policies, key recovery procedures, and "suitability and trustworthiness." These requirements will be a condition of the authorization to export, and the key recovery agent must provide a representation to the Commerce Department that it will comply with these standards on an ongoing basis.
For example, the agent must implement certain specified security policies, failsafe procedures, confidentiality protections, and record-keeping requirements and make recovery available at any time on two hours' notice.
The interim rule does not specify or limit the types of entities that may serve as key recovery agents.
In anticipation of the initiative, a group of 11 major computer producers and users announced last fall the formation of the Key Recovery Alliance to develop key recovery systems.
However, banks also might be well suited to act as key recovery agents, assuming that questions of regulatory authority, economic incentive, and liability can be resolved.
In addition to their experience with trust and fiduciary powers, banks in recent years have developed expertise in safeguarding their own encryption keys and providing them on request to enforcement agencies. Moreover, banks are perhaps uniquely situated in having the credibility and technological expertise to perform this function. The potential for lucrative fee income could be significant.
At a minimum, banks will want to work with the administration and Congress to develop legislation to deal with the liability issues in order to ensure that the option of banks providing key recovery services is kept open. Irrespective of any potential business opportunity, financial institutions will have to comply with the standards and procedures under the interim rule in the management of their own encryption software.
While federal bank regulators have not yet expressly authorized banks to provide key recovery services, they have authorized banks to provide related services, and approval of authority for key recovery services may be a logical next step.
On May 10, the Office of the Comptroller of the Currency confirmed the legality of the acquisition by Bankers Trust Co. of a 5.5% interest in Certco, which designs, develops, markets, and maintains a network for electronic funds transfers and electronic data interchange, including transacting electronic commerce and marketing software products for use on its worldwide electronic commerce network.
The OCC confirmed that these activities are part of the business of banking. Although the OCC did not consider the key recovery issue in the Bankers Trust case, national banks have broad authority to perform fiduciary services as a permissible activity.
Thus, under the National Bank Act, the OCC may authorize a national bank to act in any fiduciary capacity which, among other things, "corporations which come into competition with the national bank may exercise under local law," provided such authorization does not violate local law. Therefore, if a nonbanking company were able to compete as a fiduciary by providing key recovery services under local law, the OCC should be able to authorize a national bank to provide that service and to provide it through electronic means.
In confirming the appropriateness of Certco's activities, the OCC noted that one of its "primary concerns" was that a national bank not be subjected to undue risk. It concluded that the bank must not have open-ended liability for the obligations of the subsidiary. In the case of Certco, the company and the bank were separate corporations, and the bank structured its investment so that its potential loss exposure was limited to the amount of its investment.
Accordingly, any bank contemplating entry into the key recovery business might want to structure its investment through a subsidiary and limit its liability in similar fashion. This concern is particularly relevant because issues of liability of key recovery agents have yet to be worked out.
A second authority potentially relevant to key recovery activities is the Federal Reserve Board's Dec. 2 approval of the application of Royal Bank of Canada, Norwest Corp., and various entities related to ABN Amro Bank NV to acquire control of Integrion Financial Network and thereby engage in data processing and data transmission activities.
Integrion is a joint venture among the applicants, 12 national banks, one savings and loan holding company, and a nonbanking subsidiary of International Business Machines Corp. Integrion will develop and operate a data processing and transmission system through which depository institutions and their affiliates will make available home banking and other financial services to their respective customers. Integrion will not itself provide home banking or other financial services but rather would operate a "gateway" that serves as a switch or interface to connect customers of Integrion's member banks with the banks themselves.
The Fed held that the activities were "data processing and transmission activities" permissible for bank holding companies under the Bank Holding Company Act. Thus key recovery agent activities could be approved on the grounds that the data (that is, keys) to be processed or furnished are "financial, banking, or economic" in nature.
Beyond the regulatory framework, a number of questions remain about the technical and market viability of key recovery arrangements. Although these questions may be answered in time, any bank that seeks to enter the key recovery business should bear in mind that so far there is no technology that has been proven to meet the Commerce Department's criteria (such as the two-hour recovery requirement). In addition, market acceptance and the cost of key recovery are uncertain. Finally, liability issues have not yet been resolved.