We have received an interagency discussion draft of new regulations on encryption export. These interim regulations are intended to amend the first interim regulations that were published on December 30 of last year. The new draft takes into account some of the public comments received, and makes a number of changes to the current regulations.

As we have previously reported, Commerce Department officials have stated that the first interim regulations will likely be amended in three stages. The first stage is to involve the "easy" changes, such as the reinstatement of practices that were clearly established at State but were inadvertently left out of the Commerce regulations and clarifying some aspects of the regulations that are unclear. The next set of changes will be those that involve more difficult issues that will require more work and/or may require some policy determinations. The last set of changes will be those that involve the most difficult issues.

This new draft primarily represents the first stage - the "easy" changes. There are also, however, some changes that reflect significant policy determinations that have been made since the beginning of the year. Moreover, although these may be characterized as the least controversial of the proposed changes, some will have significant impacts on exporters of encryption.

If adopted in its current form, this new interim rule would make the following changes:

INTERNET DOWNLOADS - Section 734.3 is amended to clarify that downloading or causing the downloading of encryption source code and object code in Canada is not controlled and does not require a license. However, the new section states that the methods used as precautions to prevent the unauthorized transfer of such code outside the United States or Canada must be approved in writing by BXA before they are relied upon. This would be a new requirement, and it is not clear whether companies that are already relying on prior BXA guidance, or on written approval from the State Department, would be required to submit their procedures for formal BXA approval.

56-BIT NON-RECOVERY ITEMS AFTER THE TWO-YEAR WINDOW - Section 740.8 is amended to state that exporters of 56-bit non-recovery encryption items under License Exception KMI (i.e. those exports permitted in exchange for a key recovery commitment plan) may continue to service and support existing customers of those products after the two-year transition period. "Service and support" includes maintenance or replacement of products to correct defects or maintain existing functionality. It also includes upgrades that do not increase the strength of the encryption in the product. This section is also amended by adding a paragraph to authorize exporters of non-recovery encryption products under License Exception KMI to export additional quantities of such products to existing customers under a license after the two-year transition period.

FINANCIAL-SPECIFIC ENCRYPTION ITEMS - Section 740.8 is also amended by adding a new paragraph to authorize, after a one-time review, exports and re-exports under License Exception KMI of non-key recovery financial-specific encryption items of any key length that are restricted by design (e.g., highly field-formatted with validation procedures, and not easily diverted to other end-uses) for financial applications to secure financial transactions, for end-uses such as intra or inter-banking transfers and home banking. No business and marketing plan to develop, produce, and/or market similar encryption items with recoverable features is required, and no reporting requirements will be imposed. Conforming changes are also made in Section 742.15.

GENERAL PURPOSE ENCRYPTION ITEMS USED BY FINANCIAL INSTITUTIONS - Section 742.15 is amended by adding a new paragraph that allows manufacturers to export under an Encryption Licensing Arrangement ("ELA") general purpose non-key recovery, non-voice encryption items of any key length for use by financial institutions (such as banks) in all destinations except Cuba, Iran, Iraq, Libya, North Korea, Syria and Sudan. However, applications will be reviewed on a case-by-case basis, and must be supported by a satisfactory business and marketing plan which explains in detail the steps the applicant will take during the two-year transition period beginning January 1, 1997 to develop, produce, and/or market similar encryption items with recoverable features. This would be a new requirement. Currently, a key recovery commitment plan is not required for the approval of such exports.

NEW DEFINITION OF "FINANCIAL INSTITUTION" - Part 772 adds a detailed definition of "financial institution." The full definition is included at the end of this summary. While we understand that the definition that will actually be adopted is still the subject of much debate within the Administration, this draft language may give us an insight into the thinking of at least some of the agencies involved.

PERSONAL USE EXEMPTION - Sections 740.9 and 740.14 are amended to clarify that controlled encryption software may be pre-loaded on a laptop and temporarily exported under the tools of trade provisions of License Exception TMP or License Exception BAG to all destinations except Cuba, Iraq, Iran, Libya, North Korea, Sudan and Syria. As you may recall, as currently drafted, License Exception TMP does not allow exports to a rather significant list of countries, including all the former Soviet states.

AMENDMENTS TO ENCRYPTION LICENSE ARRANGEMENTS - Section 750.7(c)(2) is amended to state that certain changes to Encryption Licensing Arrangements may be requested by letter. Such changes include additional sales territory or country of destination, additional quantity, and additional products. Currently, such changes to an ELA are normally handled through the submission of a new application.

RESTORING CERTAIN EXEMPTIONS THAT EXISTED AT STATE - ECCN 5A002 is revised to authorize exports of components and spare parts under License Exception LVS, provided the value of each order does not exceed $500. Also restored is the language exempting equipment specially designed or modified for the encryption of interbanking transactions.

OTHER MINOR CHANGES - There are several additional changes in the draft regulations that address procedural issues, clarify ambiguities, or bring the regulations in line with established practices. These include:

  • clarifying that 40-bit DES is eligible for 15-day review and mass market treatment;
  • clarifying the key recovery product criteria to eliminate ambiguities concerning the frequency with which the output must identify the key recovery agent and what information is required to decrypt the ciphertext, and stating that the government must be able to obtain the keys or other information needed to decrypt the data, but without restricting the means by which key recovery products allow this;
  • eliminating the test-vector requirement for 7-day mass-market classification requests and replacing it with a requirement to provide a copy of the encryption subsystem source code;
  • clarifying that certain support documentation is not required for license applications for technology, software, or any encryption items controlled under ECCNs 5A002, 5B002, 5D002 and 5E002;
  • clarifying that encryption items controlled for EI reasons are not eligible for a Special Comprehensive License;
  • adding new definitions for "effective control," "encryption licensing arrangement," "financial institution" (addressed above), and "recovery encryption products"; and
  • revising the phrase "up to 56-bit key length DES" where it appears to read "up to or equal to 56-bit key length DES", and making other editorial changes.

Banks and Financial Institutions.

For purposes of this part, "banks and financial institutions" means:

a) a bank or savings association, as defined in section 3 of the Federal Deposit Insurance Act (12 U.S.C. 1813(a) or (b)); a credit union, as defined in section 101 of the Federal Credit Union Act (12 U.S.C. 1752);

b) a subsidiary, holding company, branch located outside the United States, of the entities described in paragraph (a);

c) a bank service company as defined in section 1 of the Bank Service Company Act (12 U.S.C. 1861); or a service corporation under section 5 of the Home Owners' Loan Act (12 U.S.C. 1464(c)(4)(B)); a corporation chartered under section 25A of the Federal Reserve Act (12 U.S.C. 611), including any branch thereof, or a corporation having an agreement or undertaking with the Board of Governors of the Federal Reserve System under section 25 of the Federal Reserve Act (12 U.S.C. 611), including any branch or subsidiary thereof;

d) a company organized under the laws of a foreign country which engages in the business of banking, including, without limitation, foreign commercial banks, foreign merchant banks and other foreign institutions that engage in banking activities usual in connection with the business of banking in the countries where such foreign institutions are organized or operating, including any branch or subsidiary thereof;

e) an interbank clearing system that is, or whose members are subject to state or national regulation or supervision;

f) a broker or dealer in securities registered with the Securities and Exchange Commission; a foreign broker or dealer in securities subject to governmental supervision or regulation by a foreign securities authority; an investment company, registered with the Securities and Exchange Commission; an investment adviser, as defined in 2(20) of the Investment Company Act of 1970 (15 U.S.C. 80a-2), that is registered with the Securities and Exchange Commission and is engaged solely in the business of advising one or more investment companies, a foreign investment company; or a securities, commodity, futures, or option exchange or other financial market that is subject to governmental supervision or regulation;

g) an issuer of a general purpose charge, credit or debit card; or

h) a company engaged in the electronic transmission of money, credit or financial instruments between a financial institution (as defined in this section) and a customer or other financial institutions.

For further information please contact L. Benjamin Ederington on Tel: + 202-429-6411, Fax: 202-429-3902 or E-mail: bedering@steptoe.com