Florida Senate - 2020 COMMITTEE AMENDMENT
Bill No. SB 1870
LEGISLATIVE ACTION
Senate . House
Comm: RS .
02/12/2020 .
—————————————————————————————————————————————————————————————————
The Committee on Innovation, Industry, and Technology (Hutson)
recommended the following:
1 Senate Amendment (with title amendment)
2
3 Delete everything after the enacting clause
4 and insert:
5 Section 1. Subsection (2) of section 20.22, Florida
6 Statutes, is amended to read:
7 20.22 Department of Management Services.—There is created a
8 Department of Management Services.
9 (2) The following divisions and programs within the
10 Department of Management Services shall consist of the following
11 are established:
12 (a) The Facilities Program.
13 (b) The Division of Telecommunications State Technology,
14 the director of which is appointed by the secretary of the
15 department and shall serve as the state chief information
16 officer. The state chief information officer must be a proven,
17 effective administrator who must have at least 10 years of
18 executive-level experience in the public or private sector,
19 preferably with experience in the development of information
20 technology strategic planning and the development and
21 implementation of fiscal and substantive information technology
22 policy and standards.
23 (c) The Workforce Program.
24 (d)1. The Support Program.
25 2. The Federal Property Assistance Program.
26 (e) The Administration Program.
27 (f) The Division of Administrative Hearings.
28 (g) The Division of Retirement.
29 (h) The Division of State Group Insurance.
30 (i) The Florida Digital Service.
31 Section 2. Section 282.0051, Florida Statutes, is amended
32 to read:
33 282.0051 Florida Digital Service Department of Management
34 Services; powers, duties, and functions.—There is established
35 the Florida Digital Service within the department to create
36 innovative solutions that securely modernize state government
37 and achieve value through digital transformation and
38 interoperability.
39 (1) As used in this section, the term:
40 (a) “Credential service provider” means a provider
41 competitively procured by the department to supply secure
42 identity management and verification services based on open
43 standards to qualified entities.
44 (b) “Data call” means an electronic transaction with the
45 credential service provider which verifies the authenticity of a
46 digital identity by querying enterprise data.
47 (c) “Electronic” means technology having electrical,
48 digital, magnetic, wireless, optical, electromagnetic, or
49 similar capabilities.
50 (d) “Electronic credential” means an electronic
51 representation of a physical driver license or identification
52 card which is viewable in an electronic format and is capable of
53 being verified and authenticated.
54 (e) “Electronic credential provider” means a qualified
55 entity contracted with the department to provide electronic
56 credentials to eligible driver license or identification card
57 holders.
58 (f) “Enterprise” means the collection of state agencies as
59 defined in s. 282.0041, except that the term includes the
60 Department of Legal Affairs, the Department of Agriculture and
61 Consumer Services, the Department of Financial Services, and the
62 judicial branch.
63 (g) “Enterprise architecture” means a comprehensive
64 operational framework that contemplates the needs and assets of
65 the enterprise to support interoperability across state
66 government.
67 (h) “Interoperability” means the technical ability to share
68 and use data across and throughout the enterprise.
69 (i) “Qualified entity” means a public or private entity or
70 individual that enters into a binding agreement with the
71 department, meets usage criteria, agrees to terms and
72 conditions, and is subsequently and prescriptively authorized by
73 the department to access data under the terms of that agreement.
74 (2) The Florida Digital Service department shall have the
75 following powers, duties, and functions in full support of the
76 cloud-first policy as described in s. 282.206:
77 (a)(1) Develop and publish information technology policy
78 for the management of the state’s information technology
79 resources.
80 (b)(2) Establish and publish information technology
81 architecture standards to provide for the most efficient use of
82 the state’s information technology resources and to ensure
83 compatibility and alignment with the needs of state agencies.
84 The Florida Digital Service department shall assist state
85 agencies in complying with the standards.
86 (c)(3) Establish project management and oversight standards
87 with which state agencies must comply when implementing projects
88 that have an information technology component projects. The
89 Florida Digital Service department shall provide training
90 opportunities to state agencies to assist in the adoption of the
91 project management and oversight standards. To support data-
92 driven decisionmaking, the standards must include, but are not
93 limited to:
94 1.(a) Performance measurements and metrics that objectively
95 reflect the status of a project with an information technology
96 component project based on a defined and documented project
97 scope, cost, and schedule.
98 2.(b) Methodologies for calculating acceptable variances in
99 the projected versus actual scope, schedule, or cost of a
100 project with an information technology component project.
101 3.(c) Reporting requirements, including requirements
102 designed to alert all defined stakeholders that a project with
103 an information technology component project has exceeded
104 acceptable variances defined and documented in a project plan.
105 4.(d) Content, format, and frequency of project updates.
106 (d)(4) Perform project oversight on all state agency
107 information technology projects that have an information
108 technology component and a total project cost costs of $10
109 million or more and that are funded in the General
110 Appropriations Act or any other law. The Florida Digital Service
111 department shall report at least quarterly to the Executive
112 Office of the Governor, the President of the Senate, and the
113 Speaker of the House of Representatives on any project with an
114 information technology component which project that the Florida
115 Digital Service department identifies as high-risk due to the
116 project exceeding acceptable variance ranges defined and
117 documented in a project plan. The report must include a risk
118 assessment, including fiscal risks, associated with proceeding
119 to the next stage of the project, and a recommendation for
120 corrective actions required, including suspension or termination
121 of the project. The Florida Digital Service may establish a
122 process for state agencies to apply for an exception to the
123 requirements of this paragraph.
124 (e)(5) Identify opportunities for standardization and
125 consolidation of information technology services that support
126 interoperability and the cloud-first policy as described in s.
127 282.206, business functions and operations, including
128 administrative functions such as purchasing, accounting and
129 reporting, cash management, and personnel, and that are common
130 across state agencies. The Florida Digital Service department
131 shall biennially on April 1 provide recommendations for
132 standardization and consolidation to the Executive Office of the
133 Governor, the President of the Senate, and the Speaker of the
134 House of Representatives.
135 (f)(6) Establish best practices for the procurement of
136 information technology products and cloud-computing services in
137 order to reduce costs, increase the quality of data center
138 services, or improve government services.
139 (g)(7) Develop standards for information technology reports
140 and updates, including, but not limited to, operational work
141 plans, project spend plans, and project status reports, for use
142 by state agencies.
143 (h)(8) Upon request, assist state agencies in the
144 development of information technology-related legislative budget
145 requests.
146 (i)(9) Conduct annual assessments of state agencies to
147 determine compliance with all information technology standards
148 and guidelines developed and published by the Florida Digital
149 Service department and provide results of the assessments to the
150 Executive Office of the Governor, the President of the Senate,
151 and the Speaker of the House of Representatives.
152 (j)(10) Provide operational management and oversight of the
153 state data center established pursuant to s. 282.201, which
154 includes:
155 1.(a) Implementing industry standards and best practices
156 for the state data center’s facilities, operations, maintenance,
157 planning, and management processes.
158 2.(b) Developing and implementing cost-recovery or other
159 payment mechanisms that recover the full direct and indirect
160 cost of services through charges to applicable customer
161 entities. Such cost-recovery or other payment mechanisms must
162 comply with applicable state and federal regulations concerning
163 distribution and use of funds and must ensure that, for any
164 fiscal year, no service or customer entity subsidizes another
165 service or customer entity.
166 3.(c) Developing and implementing appropriate operating
167 guidelines and procedures necessary for the state data center to
168 perform its duties pursuant to s. 282.201. The guidelines and
169 procedures must comply with applicable state and federal laws,
170 regulations, and policies and conform to generally accepted
171 governmental accounting and auditing standards. The guidelines
172 and procedures must include, but need not be limited to:
173 a.1. Implementing a consolidated administrative support
174 structure responsible for providing financial management,
175 procurement, transactions involving real or personal property,
176 human resources, and operational support.
177 b.2. Implementing an annual reconciliation process to
178 ensure that each customer entity is paying for the full direct
179 and indirect cost of each service as determined by the customer
180 entity’s use of each service.
181 c.3. Providing rebates that may be credited against future
182 billings to customer entities when revenues exceed costs.
183 d.4. Requiring customer entities to validate that
184 sufficient funds exist in the appropriate data processing
185 appropriation category or will be transferred into the
186 appropriate data processing appropriation category before
187 implementation of a customer entity’s request for a change in
188 the type or level of service provided, if such change results in
189 a net increase to the customer entity’s cost for that fiscal
190 year.
191 e.5. By November 15 of each year, providing to the Office
192 of Policy and Budget in the Executive Office of the Governor and
193 to the chairs of the legislative appropriations committees the
194 projected costs of providing data center services for the
195 following fiscal year.
196 f.6. Providing a plan for consideration by the Legislative
197 Budget Commission if the cost of a service is increased for a
198 reason other than a customer entity’s request made pursuant to
199 sub-subparagraph d. subparagraph 4. Such a plan is required only
200 if the service cost increase results in a net increase to a
201 customer entity for that fiscal year.
202 g.7. Standardizing and consolidating procurement and
203 contracting practices.
204 4.(d) In collaboration with the Department of Law
205 Enforcement, developing and implementing a process for
206 detecting, reporting, and responding to information technology
207 security incidents, breaches, and threats.
208 5.(e) Adopting rules relating to the operation of the state
209 data center, including, but not limited to, budgeting and
210 accounting procedures, cost-recovery or other payment
211 methodologies, and operating procedures.
212 (f) Conducting an annual market analysis to determine
213 whether the state’s approach to the provision of data center
214 services is the most effective and cost-efficient manner by
215 which its customer entities can acquire such services, based on
216 federal, state, and local government trends; best practices in
217 service provision; and the acquisition of new and emerging
218 technologies. The results of the market analysis shall assist
219 the state data center in making adjustments to its data center
220 service offerings.
221 (k)(11) Recommend other information technology services
222 that should be designed, delivered, and managed as enterprise
223 information technology services. Recommendations must include
224 the identification of existing information technology resources
225 associated with the services, if existing services must be
226 transferred as a result of being delivered and managed as
227 enterprise information technology services.
228 (l)(12) In consultation with state agencies, propose a
229 methodology and approach for identifying and collecting both
230 current and planned information technology expenditure data at
231 the state agency level.
232 (m)1.(13)(a) Notwithstanding any other law, provide project
233 oversight on any project with an information technology
234 component project of the Department of Financial Services, the
235 Department of Legal Affairs, and the Department of Agriculture
236 and Consumer Services which has a total project cost of $25
237 million or more and which impacts one or more other agencies.
238 Such projects with an information technology component projects
239 must also comply with the applicable information technology
240 architecture, project management and oversight, and reporting
241 standards established by the Florida Digital Service department.
242 The Florida Digital Service may establish a process for state
243 agencies to apply for an exception to the requirements of this
244 subparagraph.
245 2.(b) When performing the project oversight function
246 specified in subparagraph 1. paragraph (a), report at least
247 quarterly to the Executive Office of the Governor, the President
248 of the Senate, and the Speaker of the House of Representatives
249 on any project with an information technology component project
250 that the Florida Digital Service department identifies as high-
251 risk due to the project exceeding acceptable variance ranges
252 defined and documented in the project plan. The report shall
253 include a risk assessment, including fiscal risks, associated
254 with proceeding to the next stage of the project and a
255 recommendation for corrective actions required, including
256 suspension or termination of the project.
257 (n)(14) If a project with an information technology
258 component project implemented by a state agency must be
259 connected to or otherwise accommodated by an information
260 technology system administered by the Department of Financial
261 Services, the Department of Legal Affairs, or the Department of
262 Agriculture and Consumer Services, consult with these
263 departments regarding the risks and other effects of such
264 projects on their information technology systems and work
265 cooperatively with these departments regarding the connections,
266 interfaces, timing, or accommodations required to implement such
267 projects.
268 (o)(15) If adherence to standards or policies adopted by or
269 established pursuant to this section causes conflict with
270 federal regulations or requirements imposed on a state agency
271 and results in adverse action against the state agency or
272 federal funding, work with the state agency to provide
273 alternative standards, policies, or requirements that do not
274 conflict with the federal regulation or requirement. The Florida
275 Digital Service department shall annually report such
276 alternative standards to the Governor, the President of the
277 Senate, and the Speaker of the House of Representatives.
278 (p)1.(16)(a) Establish an information technology policy for
279 all information technology-related state contracts, including
280 state term contracts for information technology commodities,
281 consultant services, and staff augmentation services. The
282 information technology policy must include:
283 a.1. Identification of the information technology product
284 and service categories to be included in state term contracts.
285 b.2. Requirements to be included in solicitations for state
286 term contracts.
287 c.3. Evaluation criteria for the award of information
288 technology-related state term contracts.
289 d.4. The term of each information technology-related state
290 term contract.
291 e.5. The maximum number of vendors authorized on each state
292 term contract.
293 2.(b) Evaluate vendor responses for information technology-
294 related state term contract solicitations and invitations to
295 negotiate.
296 3.(c) Answer vendor questions on information technology-
297 related state term contract solicitations.
298 4.(d) Ensure that the information technology policy
299 established pursuant to subparagraph 1. paragraph (a) is
300 included in all solicitations and contracts that are
301 administratively executed by the department.
302 (q)(17) Recommend potential methods for standardizing data
303 across state agencies which will promote interoperability and
304 reduce the collection of duplicative data.
305 (r)(18) Recommend open data technical standards and
306 terminologies for use by state agencies.
307 (3)(a) The Secretary of Management Services shall appoint a
308 state chief information officer, who shall administer the
309 Florida Digital Service and is included in the Senior Management
310 Service.
311 (b) The state chief information officer shall appoint a
312 chief data officer, who shall report to the state chief
313 information officer and is included in the Senior Management
314 Service.
315 (4) The Florida Digital Service shall develop a
316 comprehensive enterprise architecture that:
317 (a) Recognizes the unique needs of those included within
318 the enterprise and that results in the publication of standards,
319 terminologies, and procurement guidelines to facilitate digital
320 interoperability.
321 (b) Supports the cloud-first policy as described in s.
322 282.206.
323 (c) Addresses how information technology infrastructure may
324 be modernized to achieve current and future cloud-first
325 objectives.
326 (5) The Florida Digital Service shall:
327 (a) Upon the receipt of an appropriation or approval of a
328 budget amendment, create and maintain a comprehensive indexed
329 data catalog that lists what data elements are housed within the
330 enterprise and in which legacy system or application these data
331 elements are located.
332 (b) Upon the receipt of an appropriation or approval of a
333 budget amendment, develop and publish, in collaboration with the
334 enterprise, a data dictionary for each agency which reflects the
335 nomenclature in the comprehensive indexed data catalog.
336 (c) Review and document use cases across the enterprise
337 architecture.
338 (d) Develop solutions for authorized or mandated use cases
339 in collaboration with the enterprise.
340 (e) Upon the receipt of an appropriation or approval of a
341 budget amendment, develop, publish, and manage an application
342 programming interface to facilitate integration throughout the
343 enterprise.
344 (f) Facilitate collaborative analysis of enterprise
345 architecture data to improve service delivery.
346 (g) Upon the receipt of an appropriation or approval of a
347 budget amendment, provide a testing environment in which any
348 newly developed solution can be tested for compliance within the
349 enterprise architecture and for functionality assurance before
350 deployment.
351 (h) Create the functionality necessary for a secure
352 ecosystem of data interoperability which is compliant with the
353 enterprise architecture and allows for a qualified entity to
354 access the stored data under the terms of the agreement with the
355 department.
356 (i)1. By utilizing existing resources or through the
357 approval of an appropriation or budget amendment, procure a
358 credential service provider through a competitive process
359 pursuant to s. 287.057. The terms of the contract developed from
360 such procurement shall pay for the value on a per-data call or
361 subscription basis, and there shall be no cost to the department
362 or law enforcement for using the services provided by the
363 credential service provider.
364 a. The department shall enter into agreements with
365 electronic credential providers that have the technological
366 capabilities necessary to integrate with the credential service
367 provider; ensure secure validation and authentication of data;
368 meet usage criteria; agree to terms and conditions, privacy
369 policies, and uniform remittance terms relating to the
370 consumption of an electronic credential; and include clear,
371 enforceable, and significant penalties for violations of the
372 agreements.
373 b. Revenue generated must be collected by the department
374 and deposited into the operating trust fund within the
375 department for distribution pursuant to a legislative
376 appropriation and department agreements with the credential
377 service provider, the electronic credential providers, and the
378 qualified entities. The terms of the agreements between the
379 department and the credential service provider, the electronic
380 credential providers, and the qualified entities must be based
381 on the per-data call or subscription charges to validate and
382 authenticate an electronic credential and allow the department
383 to recover any state costs for implementing and administering an
384 electronic credential solution. Provider revenues may not be
385 derived from any other transactions that generate revenue for
386 the department outside of the per-data call or subscription
387 charges. Nothing herein shall be construed as a restriction on a
388 provider’s ability to generate additional revenues from third
389 parties outside of the terms of the agreement.
390 2. Upon the signing of the enterprise architecture terms of
391 service and privacy policies, provide to qualified entities and
392 electronic credential providers appropriate access to the stored
393 data to facilitate authorized integrations to collaboratively
394 and less expensively, or at no taxpayer cost, solve enterprise
395 use cases.
396 (j) Architect and deploy applications or solutions to
397 existing enterprise obligations in a controlled and phased
398 approach, including, but not limited to:
399 1. Digital licenses, including full identification
400 management.
401 2. Upon the receipt of an appropriation or approval of a
402 budget amendment, interoperability that enables supervisors of
403 elections to authenticate voter eligibility in real time at the
404 point of service.
405 3. The criminal justice database.
406 4. Motor vehicle insurance cancellation integration between
407 insurers and the Department of Highway Safety and Motor
408 Vehicles.
409 5. Upon the receipt of an appropriation or approval of a
410 budget amendment, interoperability solutions between agencies,
411 including, but not limited to, the Department of Health, the
412 Agency for Health Care Administration, the Agency for Persons
413 with Disabilities, the Department of Education, the Department
414 of Elderly Affairs, and the Department of Children and Families.
415 6. Interoperability solutions to support military members,
416 veterans, and their families.
417 (6) The Florida Digital Service may develop a process to:
418 (a) Upon the request of funds in a legislative budget
419 request, receive written notice from state agencies within the
420 enterprise of any planned or existing procurement of an
421 information technology project that is subject to governance by
422 the enterprise architecture.
423 (b) Intervene in any planned procurement by a state agency
424 so that it complies with the enterprise architecture.
425 (c) Report to the legislative branch on any project within
426 the judicial branch which does not comply with the enterprise
427 architecture, while understanding the separation of powers.
428 (7)(19) The Florida Digital Service may adopt rules to
429 administer this section.
430 Section 3. Section 282.00515, Florida Statutes, is amended
431 to read:
432 282.00515 Enterprise Architecture Advisory Council Duties
433 of Cabinet agencies.—
434 (1)(a) The Enterprise Architecture Advisory Council, an
435 advisory council as defined in s. 20.03(7), is established
436 within the Department of Management Services. The council shall
437 comply with the requirements of s. 20.052 except as otherwise
438 provided in this section.
439 (b) The council shall consist of:
440 1. The Governor or his or her designee.
441 2. Three members appointed by the Governor.
442 3. The director of the Office of Policy and Budget in the
443 Executive Office of the Governor, or his or her designee.
444 4. The Secretary of Management Services or his or her
445 designee.
446 5. The state chief information officer or his or her
447 designee.
448 6. The Chief Justice of the Supreme Court or his or her
449 designee.
450 7. The President of the Senate or his or her designee.
451 8. The Speaker of the House of Representatives or his or
452 her designee.
453 9. The chief information officer of the Department of
454 Financial Services or his or her designee.
455 10. The chief information officer of the Department of
456 Legal Affairs or his or her designee.
457 11. The chief information officer of the Department of
458 Agriculture and Consumer Services or his or her designee.
459 (2)(a) The members appointed in this section shall be
460 appointed to terms of 4 years. However, for the purpose of
461 providing staggered terms:
462 1. The appointments by the Governor and the director of the
463 Office of Policy and Budget in the Executive Office of the
464 Governor are for initial terms of 2 years.
465 2. The appointments by the Secretary of Management Services
466 and the state chief information officer are for initial terms of
467 4 years.
468 3. The appointment by the Chief Justice is for an initial
469 term of 3 years.
470 4. The appointments by the President of the Senate and the
471 Speaker of the House of Representatives are for initial terms of
472 2 years.
473 5. The appointments by the chief information officers of
474 the Department of Financial Services, the Department of Legal
475 Affairs, and the Department of Agriculture and Consumer Services
476 are for initial terms of 2 years.
477 (b) A vacancy on the council shall be filled in the same
478 manner as the original appointment for the unexpired term.
479 (c) The council shall meet semiannually, beginning October
480 1, 2020, to discuss implementation, management, and coordination
481 of the enterprise architecture as defined in s. 282.0051(1);
482 identify potential issues and threats with specific use cases;
483 and develop proactive solutions The Department of Legal Affairs,
484 the Department of Financial Services, and the Department of
485 Agriculture and Consumer Services shall adopt the standards
486 established in s. 282.0051(2), (3), and (7) or adopt alternative
487 standards based on best practices and industry standards, and
488 may contract with the department to provide or perform any of
489 the services and functions described in s. 282.0051 for the
490 Department of Legal Affairs, the Department of Financial
491 Services, or the Department of Agriculture and Consumer
492 Services.
493 Section 4. Paragraph (a) of subsection (3) of section
494 282.318, Florida Statutes, is amended to read:
495 282.318 Security of data and information technology.—
496 (3) The department is responsible for establishing
497 standards and processes consistent with generally accepted best
498 practices for information technology security, to include
499 cybersecurity, and adopting rules that safeguard an agency’s
500 data, information, and information technology resources to
501 ensure availability, confidentiality, and integrity and to
502 mitigate risks. The department shall also:
503 (a) Designate a state chief information security officer,
504 who shall be appointed by and report to the state chief
505 information officer of the Florida Digital Service, and who is
506 in the Senior Management Service. The state chief information
507 security officer must have experience and expertise in security
508 and risk management for communications and information
509 technology resources.
510 Section 5. Subsection (4) of section 287.0591, Florida
511 Statutes, is amended to read:
512 287.0591 Information technology.—
513 (4) If the department issues a competitive solicitation for
514 information technology commodities, consultant services, or
515 staff augmentation contractual services, the Florida Digital
516 Service Division of State Technology within the department shall
517 participate in such solicitations.
518 Section 6. Paragraph (a) of subsection (3) of section
519 365.171, Florida Statutes, is amended to read:
520 365.171 Emergency communications number E911 state plan.—
521 (3) DEFINITIONS.—As used in this section, the term:
522 (a) “Office” means the Division of Telecommunications State
523 Technology within the Department of Management Services, as
524 designated by the secretary of the department.
525 Section 7. Paragraph (s) of subsection (3) of section
526 365.172, Florida Statutes, is amended to read:
527 365.172 Emergency communications number “E911.”—
528 (3) DEFINITIONS.—Only as used in this section and ss.
529 365.171, 365.173, 365.174, and 365.177, the term:
530 (s) “Office” means the Division of Telecommunications State
531 Technology within the Department of Management Services, as
532 designated by the secretary of the department.
533 Section 8. Paragraph (a) of subsection (1) of section
534 365.173, Florida Statutes, is amended to read:
535 365.173 Communications Number E911 System Fund.—
536 (1) REVENUES.—
537 (a) Revenues derived from the fee levied on subscribers
538 under s. 365.172(8) must be paid by the board into the State
539 Treasury on or before the 15th day of each month. Such moneys
540 must be accounted for in a special fund to be designated as the
541 Emergency Communications Number E911 System Fund, a fund created
542 in the Division of Telecommunications State Technology, or other
543 office as designated by the Secretary of Management Services.
544 Section 9. Subsection (5) of section 943.0415, Florida
545 Statutes, is amended to read:
546 943.0415 Cybercrime Office.—There is created within the
547 Department of Law Enforcement the Cybercrime Office. The office
548 may:
549 (5) Consult with the Florida Digital Service Division of
550 State Technology within the Department of Management Services in
551 the adoption of rules relating to the information technology
552 security provisions in s. 282.318.
553 Section 10. Effective January 1, 2021, section 559.952,
554 Florida Statutes, is created to read:
555 559.952 Financial Technology Sandbox.—
556 (1) SHORT TITLE.—This section may be cited as the
557 “Financial Technology Sandbox.”
558 (2) CREATION OF THE FINANCIAL TECHNOLOGY SANDBOX.—There is
559 created the Financial Technology Sandbox within the Office of
560 Financial Regulation to allow financial technology innovators to
561 test new products and services in a supervised, flexible
562 regulatory sandbox using waivers of specified general law and
563 corresponding rule requirements under defined conditions. The
564 creation of a supervised, flexible regulatory sandbox provides a
565 welcoming business environment for technology innovators and may
566 lead to significant business growth.
567 (3) DEFINITIONS.—As used in this section, the term:
568 (a) “Commission” means the Financial Services Commission.
569 (b) “Consumer” means a person in this state, whether a
570 natural person or a business entity, who purchases, uses,
571 receives, or enters into an agreement to purchase, use, or
572 receive an innovative financial product or service made
573 available through the Financial Technology Sandbox.
574 (c) “Financial product or service” means a product or
575 service related to finance, including securities, consumer
576 credit, or money transmission, which is traditionally subject to
577 general law or rule requirements in the provisions enumerated in
578 paragraph (4)(a) and which is under the jurisdiction of the
579 office.
580 (d) “Financial Technology Sandbox” means the program
581 created in this section which allows a person to make an
582 innovative financial product or service available to consumers
583 through waiver of the provisions enumerated in paragraph (4)(a)
584 during a sandbox period through a waiver of general laws or rule
585 requirements, or portions thereof, as specified in this section.
586 (e) “Innovative” means new or emerging technology, or new
587 uses of existing technology, which provides a product, service,
588 business model, or delivery mechanism to the public.
589 (f) “Office” means, unless the context clearly indicates
590 otherwise, the Office of Financial Regulation.
591 (g) “Sandbox period” means the period, initially not longer
592 than 24 months, in which the office has:
593 1. Authorized an innovative financial product or service to
594 be made available to consumers.
595 2. Granted the person who makes the innovative financial
596 product or service available a waiver of general law or
597 corresponding rule requirements, as determined by the office, so
598 that the authorization under subparagraph 1. is possible.
599 (4) WAIVERS OF GENERAL LAW AND RULE REQUIREMENTS.—
600 (a) Upon approval of a Financial Technology Sandbox
601 application, the office may grant an applicant a waiver of a
602 requirement, or a portion thereof, which is imposed by a general
603 law or corresponding rule in any of the following provisions, if
604 all of the conditions in paragraph (b) are met:
605 1. Section 560.1105.
606 2. Section 560.118.
607 3. Section 560.125, except for s. 560.125(2).
608 4. Section 560.128.
609 5. Section 560.1401, except for s. 560.1401(2)-(4).
610 6. Section 560.141, except for s. 560.141(1)(b)-(d).
611 7. Section 560.142, except that the office may prorate, but
612 may not entirely waive, the license renewal fees provided in ss.
613 560.142 and 560.143 for an extension granted under subsection
614 (7).
615 8. Section 560.143(2) to the extent necessary for proration
616 of the renewal fee under subparagraph 7.
617 9. Section 560.205, except for s. 560.205(1) and (3).
618 10. Section 560.208, except for s. 560.208(3)-(6).
619 11. Section 560.209, except that the office may modify, but
620 may not entirely waive, the net worth, corporate surety bond,
621 and collateral deposit amounts required under s. 560.209. The
622 modified amounts must be in such lower amounts that the office
623 determines to be commensurate with the considerations under
624 paragraph (5)(e) and the maximum number of consumers authorized
625 to receive the financial product or service under this section.
626 12. Section 516.03, except for the license and
627 investigation fee. The office may prorate, but not entirely
628 waive, the license renewal fees for an extension granted under
629 subsection (7). The office may not waive the evidence of liquid
630 assets of at least $25,000.
631 13. Section 516.05, except that the office may make an
632 investigation of the facts concerning the applicant’s
633 background.
634 14. Section 516.12.
635 15. Section 516.19.
636 16. Section 517.07.
637 17. Section 517.12.
638 18. Section 517.121.
639 19. Section 520.03, except for the application fee. The
640 office may prorate, but not entirely waive, the license renewal
641 fees for an extension granted under subsection (7).
642 20. Section 520.12.
643 21. Section 520.25.
644 22. Section 520.32, except for the application fee. The
645 office may prorate, but not entirely waive, the license renewal
646 fees for an extension granted under subsection (7).
647 23. Section 520.39.
648 24. Section 520.52, except for the application fee. The
649 office may prorate, but not entirely waive, the license renewal
650 fees for an extension granted under subsection (7).
651 25. Section 520.57.
652 26. Section 520.63, except for the application fee. The
653 office may prorate, but not entirely waive, the license renewal
654 fees for an extension granted under subsection (7).
655 27. Section 520.997.
656 28. Section 520.98.
657 29. Section 537.004, except for s. 537.004(2) and (5). The
658 office may prorate, but not entirely waive, the license renewal
659 fees for an extension granted under subsection (7).
660 30. Section 537.005, except that the office may modify, but
661 not entirely waive, the corporate surety bond amount required by
662 s. 537.005. The modified amount must be in such lower amount
663 that the office determines to be commensurate with the
664 considerations under paragraph (5)(e) and the maximum number of
665 consumers authorized to receive the product or service under
666 this section.
667 31. Section 537.007.
668 32. Section 537.009.
669 33. Section 537.015.
670 (b) During a sandbox period, the office may grant a waiver
671 of a requirement, or a portion thereof, imposed by a general law
672 or corresponding rule in any provision enumerated in paragraph
673 (a) if all of the following conditions are met:
674 1. The general law or corresponding rule currently prevents
675 the innovative financial product or service to be made available
676 to consumers.
677 2. The waiver is not broader than necessary to accomplish
678 the purposes and standards specified in this section, as
679 determined by the office.
680 3. No provision relating to the liability of an
681 incorporator, director, or officer of the applicant is eligible
682 for a waiver.
683 4. The other requirements of this section are met.
684 (5) FINANCIAL TECHNOLOGY SANDBOX APPLICATION; STANDARDS FOR
685 APPROVAL.—
686 (a) Before filing an application to enter the Financial
687 Technology Sandbox, a substantially affected person may seek a
688 declaratory statement pursuant to s. 120.565 regarding the
689 applicability of a statute, rule, or agency order to the
690 petitioner’s particular set of circumstances.
691 (b) Before making an innovative financial product or
692 service available to consumers in the Financial Technology
693 Sandbox, a person must file an application with the office. The
694 commission shall prescribe by rule the form and manner of the
695 application.
696 1. In the application, the person must specify the general
697 law or rule requirements for which a waiver is sought and the
698 reasons why these requirements prevent the innovative financial
699 product or service from being made available to consumers.
700 2. The application must also contain the information
701 specified in paragraph (e).
702 (c) A business entity filing an application under this
703 section must be a domestic corporation or other organized
704 domestic entity with a physical presence, other than that of a
705 registered office or agent or virtual mailbox, in this state.
706 (d) Before a person applies on behalf of a business entity
707 intending to make an innovative financial product or service
708 available to consumers, the person must obtain the consent of
709 the business entity.
710 (e) The office shall approve or deny in writing a Financial
711 Technology Sandbox application within 60 days after receiving
712 the completed application. The office and the applicant may
713 jointly agree to extend the time beyond 60 days. Consistent with
714 this section, the office may impose conditions on any approval.
715 In deciding to approve or deny an application, the office must
716 consider each of the following:
717 1. The nature of the innovative financial product or
718 service proposed to be made available to consumers in the
719 Financial Technology Sandbox, including all relevant technical
720 details.
721 2. The potential risk to consumers and the methods that
722 will be used to protect consumers and resolve complaints during
723 the sandbox period.
724 3. The business plan proposed by the applicant, including a
725 statement regarding the applicant’s current and proposed
726 capitalization.
727 4. Whether the applicant has the necessary personnel,
728 adequate financial and technical expertise, and a sufficient
729 plan to test, monitor, and assess the innovative financial
730 product or service.
731 5. Whether any person substantially involved in the
732 development, operation, or management of the applicant’s
733 innovative financial product or service has pled no contest to,
734 has been convicted or found guilty of, or is currently under
735 investigation for, fraud, a state or federal securities
736 violation, any property-based offense, or any crime involving
737 moral turpitude or dishonest dealing. A plea of no contest, a
738 conviction, or a finding of guilt must be reported under this
739 subparagraph regardless of adjudication.
740 6. A copy of the disclosures that will be provided to
741 consumers under paragraph (6)(c).
742 7. The financial responsibility of any person substantially
743 involved in the development, operation, or management of the
744 applicant’s innovative financial product or service.
745 8. Any other factor that the office determines to be
746 relevant.
747 (f) The office may not approve an application if:
748 1. The applicant had a prior Financial Technology Sandbox
749 application that was approved and that related to a
750 substantially similar financial product or service; or
751 2. Any person substantially involved in the development,
752 operation, or management of the applicant’s innovative financial
753 product or service was substantially involved with another
754 Financial Technology Sandbox applicant whose application was
755 approved and whose application related to a substantially
756 similar financial product or service.
757 (g) Upon approval of an application, the office shall
758 specify the general law or rule requirements, or portions
759 thereof, for which a waiver is granted during the sandbox period
760 and the length of the initial sandbox period, not to exceed 24
761 months. The office shall post on its website notice of the
762 approval of the application, a summary of the innovative
763 financial product or service, and the contact information of the
764 person making the financial product or service available.
765 (6) OPERATION OF THE FINANCIAL TECHNOLOGY SANDBOX.—
766 (a) A person whose Financial Technology Sandbox application
767 is approved may make an innovative financial product or service
768 available to consumers during the sandbox period.
769 (b) The office may, on a case-by-case basis and after
770 consultation with the person who makes the financial product or
771 service available to consumers, specify the maximum number of
772 consumers authorized to receive an innovative financial product
773 or service. The office may not authorize more than 15,000
774 consumers to receive the financial product or service until the
775 person who makes the financial product or service available to
776 consumers has filed the first report required under subsection
777 (8). After the filing of the report, if the person demonstrates
778 adequate financial capitalization, risk management process, and
779 management oversight, the office may authorize up to 25,000
780 consumers to receive the financial product or service.
781 (c)1. Before a consumer purchases, uses, receives, or
782 enters into an agreement to purchase, use, or receive an
783 innovative financial product or service through the Financial
784 Technology Sandbox, the person making the financial product or
785 service available must provide a written statement of all of the
786 following to the consumer:
787 a. The name and contact information of the person making
788 the financial product or service available to consumers.
789 b. That the financial product or service has been
790 authorized to be made available to consumers for a temporary
791 period by the office, under the laws of this state.
792 c. That this state does not endorse the financial product
793 or service.
794 d. That the financial product or service is undergoing
795 testing, may not function as intended, and may entail financial
796 risk.
797 e. That the person making the financial product or service
798 available to consumers is not immune from civil liability for
799 any losses or damages caused by the financial product or
800 service.
801 f. The expected end date of the sandbox period.
802 g. The contact information for the office, and notification
803 that suspected legal violations, complaints, or other comments
804 related to the financial product or service may be submitted to
805 the office.
806 h. Any other statements or disclosures required by rule of
807 the commission which are necessary to further the purposes of
808 this section.
809 2. The written statement must contain an acknowledgment
810 from the consumer, which must be retained for the duration of
811 the sandbox period by the person making the financial product or
812 service available.
813 (d) The office may enter into an agreement with a state,
814 federal, or foreign regulatory agency to allow persons:
815 1. Who make an innovative financial product or service
816 available in this state through the Financial Technology Sandbox
817 to make their products or services available in other
818 jurisdictions.
819 2. Who operate in similar financial technology sandboxes in
820 other jurisdictions to make innovative financial products and
821 services available in this state under the standards of this
822 section.
823 (e)1. A person whose Financial Technology Sandbox
824 application is approved by the office shall maintain
825 comprehensive records relating to the innovative financial
826 product or service. The person shall keep these records for at
827 least 5 years after the conclusion of the sandbox period. The
828 commission may specify by rule additional records requirements.
829 2. The office may examine the records maintained under
830 subparagraph 1. at any time, with or without notice.
831 (7) EXTENSIONS AND CONCLUSION OF SANDBOX PERIOD.—
832 (a) A person who is authorized to make an innovative
833 financial product or service available to consumers may apply
834 for an extension of the initial sandbox period for up to 12
835 additional months for a purpose specified in subparagraph (b)1.
836 or subparagraph (b)2. A complete application for an extension
837 must be filed with the office at least 90 days before the
838 conclusion of the initial sandbox period. The office shall
839 approve or deny the application for extension in writing at
840 least 35 days before the conclusion of the initial sandbox
841 period. In deciding to approve or deny an application for
842 extension of the sandbox period, the office must, at a minimum,
843 consider the current status of the factors previously considered
844 under paragraph (5)(e).
845 (b) An application for an extension under paragraph (a)
846 must cite one of the following reasons as the basis for the
847 application and must provide all relevant supporting information
848 that:
849 1. Amendments to general law or rules are necessary to
850 offer the innovative financial product or service in this state
851 permanently.
852 2. An application for a license that is required in order
853 to offer the innovative financial product or service in this
854 state permanently has been filed with the office, and approval
855 is pending.
856 (c) At least 30 days before the conclusion of the initial
857 sandbox period or the extension, whichever is later, a person
858 who makes an innovative financial product or service available
859 shall provide written notification to consumers regarding the
860 conclusion of the initial sandbox period or the extension and
861 may not make the financial product or service available to any
862 new consumers after the conclusion of the initial sandbox period
863 or the extension, whichever is later, until legal authority
864 outside of the Financial Technology Sandbox exists to make the
865 financial product or service available to consumers. After the
866 conclusion of the sandbox period or the extension, whichever is
867 later, the person who makes the innovative financial product or
868 service available may:
869 1. Collect and receive money owed to the person or pay
870 money owed by the person, based on agreements with consumers
871 made before the conclusion of the sandbox period or the
872 extension.
873 2. Take necessary legal action.
874 3. Take other actions authorized by commission rule which
875 are not inconsistent with this subsection.
876 (8) REPORT.—A person authorized to make an innovative
877 financial product or service available to consumers under this
878 section shall submit a report to the office twice a year as
879 prescribed by commission rule. The report must, at a minimum,
880 include financial reports and the number of consumers who have
881 received the financial product or service.
882 (9) CONSTRUCTION.—A person whose Financial Technology
883 Sandbox application is approved shall be deemed licensed under
884 part II of chapter 560 unless the person’s authorization to make
885 the financial product or service available to consumers under
886 this section has been revoked or suspended.
887 (10) VIOLATIONS AND PENALTIES.—
888 (a) A person who makes an innovative financial product or
889 service available to consumers in the Financial Technology
890 Sandbox is:
891 1. Not immune from civil damages for acts and omissions
892 relating to this section.
893 2. Subject to all criminal and consumer protection laws.
894 (b)1. The office may, by order, revoke or suspend
895 authorization granted to a person to make an innovative
896 financial product or service available to consumers if:
897 a. The person has violated or refused to comply with this
898 section, a rule of the commission, an order of the office, or a
899 condition placed by the office on the approval of the person’s
900 Financial Technology Sandbox application;
901 b. A fact or condition exists that, if it had existed or
902 become known at the time that the Financial Technology Sandbox
903 application was pending, would have warranted denial of the
904 application or the imposition of material conditions;
905 c. A material error, false statement, misrepresentation, or
906 material omission was made in the Financial Technology Sandbox
907 application; or
908 d. After consultation with the person, continued testing of
909 the innovative financial product or service would:
910 (I) Be likely to harm consumers; or
911 (II) No longer serve the purposes of this section because
912 of the financial or operational failure of the financial product
913 or service.
914 2. Written notice of a revocation or suspension order made
915 under subparagraph 1. must be served using any means authorized
916 by law. If the notice relates to a suspension, the notice must
917 include any condition or remedial action that the person must
918 complete before the office lifts the suspension.
919 (c) The office may refer any suspected violation of law to
920 an appropriate state or federal agency for investigation,
921 prosecution, civil penalties, and other appropriate enforcement
922 actions.
923 (d) If service of process on a person making an innovative
924 financial product or service available to consumers in the
925 Financial Technology Sandbox is not feasible, service on the
926 office shall be deemed service on such person.
927 (11) RULES AND ORDERS.—
928 (a) The commission shall adopt rules to administer this
929 section.
930 (b) The office may issue all necessary orders to enforce
931 this section and may enforce the orders in accordance with
932 chapter 120 or in any court of competent jurisdiction. These
933 orders include, but are not limited to, orders for payment of
934 restitution for harm suffered by consumers as a result of an
935 innovative financial product or service.
936 Section 11. Except as otherwise expressly provided in this
937 act, this act shall take effect July 1, 2020.
938
939 ================= TITLE AMENDMENT ================
940 And the title is amended as follows:
941 Delete everything before the enacting clause
942 and insert:
943 A bill to be entitled
944 An act relating to technology innovation; amending s.
945 20.22, F.S.; renaming the Division of State Technology
946 within the Department of Management Services as the
947 Division of Telecommunications; deleting provisions
948 relating to the appointment of the Division of State
949 Technology’s director and qualifications for the state
950 chief information officer; adding the Florida Digital
951 Service to the department; amending s. 282.0051, F.S.;
952 establishing the Florida Digital Service within the
953 department; defining terms; transferring specified
954 powers, duties, and functions of the department to the
955 Florida Digital Service and revising such powers,
956 duties, and functions; providing for appointments of a
957 state chief information officer and a chief data
958 officer and specifying their duties; requiring the
959 Florida Digital Service to develop a comprehensive
960 enterprise architecture; providing requirements for
961 the enterprise architecture; specifying duties of and
962 authorized actions by the Florida Digital Service;
963 providing duties of the department; authorizing the
964 Florida Digital Service to adopt rules; amending s.
965 282.00515, F.S.; establishing the Enterprise
966 Architecture Advisory Council; requiring the council
967 to comply with specified requirements; providing
968 membership and meeting requirements and duties of the
969 council; deleting provisions relating to specified
970 duties and powers of the Department of Legal Affairs,
971 the Department of Financial Services, and the
972 Department of Agriculture and Consumer Services;
973 amending ss. 282.318, 287.0591, 365.171, 365.172,
974 365.173, and 943.0415, F.S.; conforming provisions to
975 changes made by the act; creating s. 559.952, F.S.;
976 providing a short title; creating the Financial
977 Technology Sandbox within the Office of Financial
978 Regulation; defining terms; authorizing the office to
979 grant waivers of specified financial regulatory
980 requirements to certain applicants offering certain
981 financial products or services during a sandbox
982 period; specifying criteria for granting a waiver;
983 requiring an application for the program for persons
984 who want to make innovative financial products or
985 services available to consumers; providing application
986 requirements and procedures; providing standards for
987 application approval or denial; requiring the office
988 to perform certain actions upon approval of an
989 application; specifying authorized actions of,
990 limitations on, and disclosure requirements for
991 persons making financial products or services
992 available during a sandbox period; authorizing the
993 office to enter into agreement with certain regulatory
994 agencies for specified purposes; providing
995 recordkeeping requirements; authorizing the office to
996 examine specified records; providing requirements and
997 procedures for applying for extensions and concluding
998 sandbox periods; requiring written notification to
999 consumers at the end of an extension or conclusion of
1000 the sandbox period; providing acts that persons who
1001 make innovative financial products or services
1002 available to consumers may and may not engage in at
1003 the end of an extension or conclusion of the sandbox
1004 period; specifying reporting requirements to the
1005 office; providing construction; providing that such
1006 persons are not immune from civil damages and are
1007 subject to criminal and consumer protection laws;
1008 providing penalties; providing for service of process;
1009 requiring the Financial Services Commission to adopt
1010 rules; authorizing the office to issue orders and
1011 enforce such orders through administrative or judicial
1012 process; authorizing the office to issue and enforce
1013 orders for payment of restitution; providing effective
1014 dates.