Bill Amendment: FL S1870 | 2020 | Regular Session
NOTE: For additional amemendments please see the Bill Drafting List
Bill Title: Technology Innovation
Status: 2020-03-09 - Laid on Table, refer to CS/CS/CS/HB 1391 [S1870 Detail]
Download: Florida-2020-S1870-Senate_Committee_Amendment_427788.html
Bill Title: Technology Innovation
Status: 2020-03-09 - Laid on Table, refer to CS/CS/CS/HB 1391 [S1870 Detail]
Download: Florida-2020-S1870-Senate_Committee_Amendment_427788.html
Florida Senate - 2020 COMMITTEE AMENDMENT Bill No. SB 1870 Ì427788fÎ427788 LEGISLATIVE ACTION Senate . House . . . . . ————————————————————————————————————————————————————————————————— ————————————————————————————————————————————————————————————————— The Committee on Innovation, Industry, and Technology (Hutson) recommended the following: 1 Senate Amendment (with title amendment) 2 3 Delete everything after the enacting clause 4 and insert: 5 Section 1. Subsection (2) of section 20.22, Florida 6 Statutes, is amended to read: 7 20.22 Department of Management Services.—There is created a 8 Department of Management Services. 9 (2) Thefollowing divisions and programs within the10 Department of Management Services shall consist of the following 11are established: 12 (a) The Facilities Program. 13 (b) The Division of TelecommunicationsState Technology,14the director of which is appointed by the secretary of the15department and shall serve as the state chief information16officer. The state chief information officer must be a proven,17effective administrator who must have at least 10 years of18executive-level experience in the public or private sector,19preferably with experience in the development of information20technology strategic planning and the development and21implementation of fiscal and substantive information technology22policy and standards. 23 (c) The Workforce Program. 24 (d)1. The Support Program. 25 2. The Federal Property Assistance Program. 26 (e) The Administration Program. 27 (f) The Division of Administrative Hearings. 28 (g) The Division of Retirement. 29 (h) The Division of State Group Insurance. 30 (i) The Florida Digital Service. 31 Section 2. Section 282.0051, Florida Statutes, is amended 32 to read: 33 282.0051 Florida Digital ServiceDepartment of Management34Services; powers, duties, and functions.—There is established 35 the Florida Digital Service within the department to create 36 innovative solutions that securely modernize state government 37 and achieve value through digital transformation and 38 interoperability. 39 (1) As used in this section, the term: 40 (a) “Credential service provider” means a provider 41 competitively procured by the department to supply secure 42 identity management and verification services based on open 43 standards to qualified entities. 44 (b) “Data call” means an electronic transaction with the 45 credential service provider which verifies the authenticity of a 46 digital identity by querying enterprise data. 47 (c) “Electronic” means technology having electrical, 48 digital, magnetic, wireless, optical, electromagnetic, or 49 similar capabilities. 50 (d) “Electronic credential” means an electronic 51 representation of a physical driver license or identification 52 card which is viewable in an electronic format and is capable of 53 being verified and authenticated. 54 (e) “Electronic credential provider” means a qualified 55 entity contracted with the department to provide electronic 56 credentials to eligible driver license or identification card 57 holders. 58 (f) “Enterprise” means the collection of state agencies as 59 defined in s. 282.0041, except that the term includes the 60 Department of Legal Affairs, the Department of Agriculture and 61 Consumer Services, the Department of Financial Services, and the 62 judicial branch. 63 (g) “Enterprise architecture” means a comprehensive 64 operational framework that contemplates the needs and assets of 65 the enterprise to support interoperability across state 66 government. 67 (h) “Interoperability” means the technical ability to share 68 and use data across and throughout the enterprise. 69 (i) “Qualified entity” means a public or private entity or 70 individual that enters into a binding agreement with the 71 department, meets usage criteria, agrees to terms and 72 conditions, and is subsequently and prescriptively authorized by 73 the department to access data under the terms of that agreement. 74 (2) The Florida Digital Servicedepartmentshall have the 75 following powers, duties, and functions in full support of the 76 cloud-first policy as described in s. 282.206: 77 (a)(1)Develop and publish information technology policy 78 for the management of the state’s information technology 79 resources. 80 (b)(2)Establish and publish information technology 81 architecture standards to provide for the most efficient use of 82the state’sinformation technology resources and to ensure 83 compatibility and alignment with the needs of state agencies. 84 The Florida Digital Servicedepartmentshall assist state 85 agencies in complying with the standards. 86 (c)(3)Establish project management and oversight standards 87 with which state agencies must comply when implementing projects 88 that have an information technology componentprojects. The 89 Florida Digital Servicedepartmentshall provide training 90 opportunities to state agencies to assist in the adoption of the 91 project management and oversight standards. To support data 92 driven decisionmaking, the standards must include, but are not 93 limited to: 94 1.(a)Performance measurements and metrics that objectively 95 reflect the status of a project with an information technology 96 componentprojectbased on a defined and documented project 97 scope, cost, and schedule. 98 2.(b)Methodologies for calculating acceptable variances in 99 the projected versus actual scope, schedule, or cost of a 100 project with an information technology componentproject. 101 3.(c)Reporting requirements, including requirements 102 designed to alert all defined stakeholders that a project with 103 an information technology componentprojecthas exceeded 104 acceptable variances defined and documented in a project plan. 105 4.(d)Content, format, and frequency of project updates. 106 (d)(4)Perform project oversight on all state agency 107information technologyprojects that have an information 108 technology component and a total project costcostsof $10 109 million or more and that are funded in the General 110 Appropriations Act or any other law. The Florida Digital Service 111departmentshall report at least quarterly to the Executive 112 Office of the Governor, the President of the Senate, and the 113 Speaker of the House of Representatives on any project with an 114 information technology component whichproject thatthe Florida 115 Digital Servicedepartmentidentifies as high-risk due to the 116 project exceeding acceptable variance ranges defined and 117 documented in a project plan. The report must include a risk 118 assessment, including fiscal risks, associated with proceeding 119 to the next stage of the project, and a recommendation for 120 corrective actions required, including suspension or termination 121 of the project. The Florida Digital Service may establish a 122 process for state agencies to apply for an exception to the 123 requirements of this paragraph. 124 (e)(5)Identify opportunities for standardization and 125 consolidation of information technology services that support 126 interoperability and the cloud-first policy as described in s. 127 282.206, business functions and operations, including 128 administrative functions such as purchasing, accounting and 129 reporting, cash management, and personnel, and that are common 130 across state agencies. The Florida Digital Servicedepartment131 shall biennially on April 1 provide recommendations for 132 standardization and consolidation to the Executive Office of the 133 Governor, the President of the Senate, and the Speaker of the 134 House of Representatives. 135 (f)(6)Establish best practices for the procurement of 136 information technology products and cloud-computing services in 137 order to reduce costs, increase the quality of data center 138 services, or improve government services. 139 (g)(7)Develop standards for information technology reports 140 and updates, including, but not limited to, operational work 141 plans, project spend plans, and project status reports, for use 142 by state agencies. 143 (h)(8)Upon request, assist state agencies in the 144 development of information technology-related legislative budget 145 requests. 146 (i)(9)Conduct annual assessments of state agencies to 147 determine compliance with all information technology standards 148 and guidelines developed and published by the Florida Digital 149 Servicedepartmentand provide results of the assessments to the 150 Executive Office of the Governor, the President of the Senate, 151 and the Speaker of the House of Representatives. 152 (j)(10)Provide operational management and oversight of the 153 state data center established pursuant to s. 282.201, which 154 includes: 155 1.(a)Implementing industry standards and best practices 156 for the state data center’s facilities, operations, maintenance, 157 planning, and management processes. 158 2.(b)Developing and implementing cost-recovery or other 159 payment mechanisms that recover the full direct and indirect 160 cost of services through charges to applicable customer 161 entities. Such cost-recovery or other payment mechanisms must 162 comply with applicable state and federal regulations concerning 163 distribution and use of funds and must ensure that, for any 164 fiscal year, no service or customer entity subsidizes another 165 service or customer entity. 166 3.(c)Developing and implementing appropriate operating 167 guidelines and procedures necessary for the state data center to 168 perform its duties pursuant to s. 282.201. The guidelines and 169 procedures must comply with applicable state and federal laws, 170 regulations, and policies and conform to generally accepted 171 governmental accounting and auditing standards. The guidelines 172 and procedures must include, but need not be limited to: 173 a.1.Implementing a consolidated administrative support 174 structure responsible for providing financial management, 175 procurement, transactions involving real or personal property, 176 human resources, and operational support. 177 b.2.Implementing an annual reconciliation process to 178 ensure that each customer entity is paying for the full direct 179 and indirect cost of each service as determined by the customer 180 entity’s use of each service. 181 c.3.Providing rebates that may be credited against future 182 billings to customer entities when revenues exceed costs. 183 d.4.Requiring customer entities to validate that 184 sufficient funds exist in the appropriate data processing 185 appropriation category or will be transferred into the 186 appropriate data processing appropriation category before 187 implementation of a customer entity’s request for a change in 188 the type or level of service provided, if such change results in 189 a net increase to the customer entity’s cost for that fiscal 190 year. 191 e.5.By November 15 of each year, providing to the Office 192 of Policy and Budget in the Executive Office of the Governor and 193 to the chairs of the legislative appropriations committees the 194 projected costs of providing data center services for the 195 following fiscal year. 196 f.6.Providing a plan for consideration by the Legislative 197 Budget Commission if the cost of a service is increased for a 198 reason other than a customer entity’s request made pursuant to 199 sub-subparagraph d.subparagraph 4.Such a plan is required only 200 if the service cost increase results in a net increase to a 201 customer entity for that fiscal year. 202 g.7.Standardizing and consolidating procurement and 203 contracting practices. 204 4.(d)In collaboration with the Department of Law 205 Enforcement, developing and implementing a process for 206 detecting, reporting, and responding to information technology 207 security incidents, breaches, and threats. 208 5.(e)Adopting rules relating to the operation of the state 209 data center, including, but not limited to, budgeting and 210 accounting procedures, cost-recovery or other payment 211 methodologies, and operating procedures. 212(f) Conducting an annual market analysis to determine213whether the state’s approach to the provision of data center214services is the most effective and cost-efficient manner by215which its customer entities can acquire such services, based on216federal, state, and local government trends; best practices in217service provision; and the acquisition of new and emerging218technologies. The results of the market analysis shall assist219the state data center in making adjustments to its data center220service offerings.221 (k)(11)Recommend other information technology services 222 that should be designed, delivered, and managed as enterprise 223 information technology services. Recommendations must include 224 the identification of existing information technology resources 225 associated with the services, if existing services must be 226 transferred as a result of being delivered and managed as 227 enterprise information technology services. 228 (l)(12)In consultation with state agencies, propose a 229 methodology and approach for identifying and collecting both 230 current and planned information technology expenditure data at 231 the state agency level. 232 (m)1.(13)(a)Notwithstanding any other law, provide project 233 oversight on any project with an information technology 234 componentprojectof the Department of Financial Services, the 235 Department of Legal Affairs, and the Department of Agriculture 236 and Consumer Services which has a total project cost of $25 237 million or more and which impacts one or more other agencies. 238 Such projects with an information technology componentprojects239 must also comply with the applicable information technology 240 architecture, project management and oversight, and reporting 241 standards established by the Florida Digital Servicedepartment. 242 The Florida Digital Service may establish a process for state 243 agencies to apply for an exception to the requirements of this 244 subparagraph. 245 2.(b)When performing the project oversight function 246 specified in subparagraph 1.paragraph (a), report at least 247 quarterly to the Executive Office of the Governor, the President 248 of the Senate, and the Speaker of the House of Representatives 249 on any project with an information technology componentproject250 that the Florida Digital Servicedepartmentidentifies as high 251 risk due to the project exceeding acceptable variance ranges 252 defined and documented in the project plan. The report shall 253 include a risk assessment, including fiscal risks, associated 254 with proceeding to the next stage of the project and a 255 recommendation for corrective actions required, including 256 suspension or termination of the project. 257 (n)(14)If a project with an information technology 258 componentprojectimplemented by a state agency must be 259 connected to or otherwise accommodated by an information 260 technology system administered by the Department of Financial 261 Services, the Department of Legal Affairs, or the Department of 262 Agriculture and Consumer Services, consult with these 263 departments regarding the risks and other effects of such 264 projects on their information technology systems and work 265 cooperatively with these departments regarding the connections, 266 interfaces, timing, or accommodations required to implement such 267 projects. 268 (o)(15)If adherence to standards or policies adopted by or 269 established pursuant to this section causes conflict with 270 federal regulations or requirements imposed on a state agency 271 and results in adverse action against the state agency or 272 federal funding, work with the state agency to provide 273 alternative standards, policies, or requirements that do not 274 conflict with the federal regulation or requirement. The Florida 275 Digital Servicedepartmentshall annually report such 276 alternative standards to the Governor, the President of the 277 Senate, and the Speaker of the House of Representatives. 278 (p)1.(16)(a)Establish an information technology policy for 279 all information technology-related state contracts, including 280 state term contracts for information technology commodities, 281 consultant services, and staff augmentation services. The 282 information technology policy must include: 283 a.1.Identification of the information technology product 284 and service categories to be included in state term contracts. 285 b.2.Requirements to be included in solicitations for state 286 term contracts. 287 c.3.Evaluation criteria for the award of information 288 technology-related state term contracts. 289 d.4.The term of each information technology-related state 290 term contract. 291 e.5.The maximum number of vendors authorized on each state 292 term contract. 293 2.(b)Evaluate vendor responses for information technology 294 related state term contract solicitations and invitations to 295 negotiate. 296 3.(c)Answer vendor questions on information technology 297 related state term contract solicitations. 298 4.(d)Ensure that the information technology policy 299 established pursuant to subparagraph 1.paragraph (a)is 300 included in all solicitations and contracts that are 301 administratively executed by the department. 302 (q)(17)Recommend potential methods for standardizing data 303 across state agencies which will promote interoperability and 304 reduce the collection of duplicative data. 305 (r)(18)Recommend open data technical standards and 306 terminologies for use by state agencies. 307 (3)(a) The Secretary of Management Services shall appoint a 308 state chief information officer, who shall administer the 309 Florida Digital Service and is included in the Senior Management 310 Service. 311 (b) The state chief information officer shall appoint a 312 chief data officer, who shall report to the state chief 313 information officer and is included in the Senior Management 314 Service. 315 (4) The Florida Digital Service shall develop a 316 comprehensive enterprise architecture that: 317 (a) Recognizes the unique needs of those included within 318 the enterprise and that results in the publication of standards, 319 terminologies, and procurement guidelines to facilitate digital 320 interoperability. 321 (b) Supports the cloud-first policy as described in s. 322 282.206. 323 (c) Addresses how information technology infrastructure may 324 be modernized to achieve current and future cloud-first 325 objectives. 326 (5) The Florida Digital Service shall: 327 (a) Upon the receipt of an appropriation or approval of a 328 budget amendment, create and maintain a comprehensive indexed 329 data catalog that lists what data elements are housed within the 330 enterprise and in which legacy system or application these data 331 elements are located. 332 (b) Upon the receipt of an appropriation or approval of a 333 budget amendment, develop and publish, in collaboration with the 334 enterprise, a data dictionary for each agency which reflects the 335 nomenclature in the comprehensive indexed data catalog. 336 (c) Review and document use cases across the enterprise 337 architecture. 338 (d) Develop solutions for authorized or mandated use cases 339 in collaboration with the enterprise. 340 (e) Upon the receipt of an appropriation or approval of a 341 budget amendment, develop, publish, and manage an application 342 programming interface to facilitate integration throughout the 343 enterprise. 344 (f) Facilitate collaborative analysis of enterprise 345 architecture data to improve service delivery. 346 (g) Upon the receipt of an appropriation or approval of a 347 budget amendment, provide a testing environment in which any 348 newly developed solution can be tested for compliance within the 349 enterprise architecture and for functionality assurance before 350 deployment. 351 (h) Create the functionality necessary for a secure 352 ecosystem of data interoperability which is compliant with the 353 enterprise architecture and allows for a qualified entity to 354 access the stored data under the terms of the agreement with the 355 department. 356 (i)1. By utilizing existing resources or through the 357 approval of an appropriation or budget amendment, procure a 358 credential service provider through a competitive process 359 pursuant to s. 287.057. The terms of the contract developed from 360 such procurement shall pay for the value on a per-data call or 361 subscription basis, and there shall be no cost to the department 362 or law enforcement for using the services provided by the 363 credential service provider. 364 a. The department shall enter into agreements with 365 electronic credential providers that have the technological 366 capabilities necessary to integrate with the credential service 367 provider; ensure secure validation and authentication of data; 368 meet usage criteria; agree to terms and conditions, privacy 369 policies, and uniform remittance terms relating to the 370 consumption of an electronic credential; and include clear, 371 enforceable, and significant penalties for violations of the 372 agreements. 373 b. Revenue generated must be collected by the department 374 and deposited into the operating trust fund within the 375 department for distribution pursuant to a legislative 376 appropriation and department agreements with the credential 377 service provider, the electronic credential providers, and the 378 qualified entities. The terms of the agreements between the 379 department and the credential service provider, the electronic 380 credential providers, and the qualified entities must be based 381 on the per-data call or subscription charges to validate and 382 authenticate an electronic credential and allow the department 383 to recover any state costs for implementing and administering an 384 electronic credential solution. Provider revenues may not be 385 derived from any other transactions that generate revenue for 386 the department outside of the per-data call or subscription 387 charges. Nothing herein shall be construed as a restriction on a 388 provider’s ability to generate additional revenues from third 389 parties outside of the terms of the agreement. 390 2. Upon the signing of the enterprise architecture terms of 391 service and privacy policies, provide to qualified entities and 392 electronic credential providers appropriate access to the stored 393 data to facilitate authorized integrations to collaboratively 394 and less expensively, or at no taxpayer cost, solve enterprise 395 use cases. 396 (j) Architect and deploy applications or solutions to 397 existing enterprise obligations in a controlled and phased 398 approach, including, but not limited to: 399 1. Digital licenses, including full identification 400 management. 401 2. Upon the receipt of an appropriation or approval of a 402 budget amendment, interoperability that enables supervisors of 403 elections to authenticate voter eligibility in real time at the 404 point of service. 405 3. The criminal justice database. 406 4. Motor vehicle insurance cancellation integration between 407 insurers and the Department of Highway Safety and Motor 408 Vehicles. 409 5. Upon the receipt of an appropriation or approval of a 410 budget amendment, interoperability solutions between agencies, 411 including, but not limited to, the Department of Health, the 412 Agency for Health Care Administration, the Agency for Persons 413 with Disabilities, the Department of Education, the Department 414 of Elderly Affairs, and the Department of Children and Families. 415 6. Interoperability solutions to support military members, 416 veterans, and their families. 417 (6) The Florida Digital Service may develop a process to: 418 (a) Upon the request of funds in a legislative budget 419 request, receive written notice from state agencies within the 420 enterprise of any planned or existing procurement of an 421 information technology project that is subject to governance by 422 the enterprise architecture. 423 (b) Intervene in any planned procurement by a state agency 424 so that it complies with the enterprise architecture. 425 (c) Report to the legislative branch on any project within 426 the judicial branch which does not comply with the enterprise 427 architecture, while understanding the separation of powers. 428 (7)(19)The Florida Digital Service may adopt rules to 429 administer this section. 430 Section 3. Section 282.00515, Florida Statutes, is amended 431 to read: 432 282.00515 Enterprise Architecture Advisory CouncilDuties433of Cabinet agencies.— 434 (1)(a) The Enterprise Architecture Advisory Council, an 435 advisory council as defined in s. 20.03(7), is established 436 within the Department of Management Services. The council shall 437 comply with the requirements of s. 20.052 except as otherwise 438 provided in this section. 439 (b) The council shall consist of: 440 1. The Governor or his or her designee. 441 2. Three members appointed by the Governor. 442 3. The director of the Office of Policy and Budget in the 443 Executive Office of the Governor, or his or her designee. 444 4. The Secretary of Management Services or his or her 445 designee. 446 5. The state chief information officer or his or her 447 designee. 448 6. The Chief Justice of the Supreme Court or his or her 449 designee. 450 7. The President of the Senate or his or her designee. 451 8. The Speaker of the House of Representatives or his or 452 her designee. 453 9. The chief information officer of the Department of 454 Financial Services or his or her designee. 455 10. The chief information officer of the Department of 456 Legal Affairs or his or her designee. 457 11. The chief information officer of the Department of 458 Agriculture and Consumer Services or his or her designee. 459 (2)(a) The members appointed in this section shall be 460 appointed to terms of 4 years. However, for the purpose of 461 providing staggered terms: 462 1. The appointments by the Governor and the director of the 463 Office of Policy and Budget in the Executive Office of the 464 Governor are for initial terms of 2 years. 465 2. The appointments by the Secretary of Management Services 466 and the state chief information officer are for initial terms of 467 4 years. 468 3. The appointment by the Chief Justice is for an initial 469 term of 3 years. 470 4. The appointments by the President of the Senate and the 471 Speaker of the House of Representatives are for initial terms of 472 2 years. 473 5. The appointments by the chief information officers of 474 the Department of Financial Services, the Department of Legal 475 Affairs, and the Department of Agriculture and Consumer Services 476 are for initial terms of 2 years. 477 (b) A vacancy on the council shall be filled in the same 478 manner as the original appointment for the unexpired term. 479 (c) The council shall meet semiannually, beginning October 480 1, 2020, to discuss implementation, management, and coordination 481 of the enterprise architecture as defined in s. 282.0051(1); 482 identify potential issues and threats with specific use cases; 483 and develop proactive solutionsThe Department of Legal Affairs,484the Department of Financial Services, and the Department of485Agriculture and Consumer Services shall adopt the standards486established in s. 282.0051(2), (3), and (7) or adopt alternative487standards based on best practices and industry standards, and488may contract with the department to provide or perform any of489the services and functions described in s. 282.0051 for the490Department of Legal Affairs, the Department of Financial491Services, or the Department of Agriculture and Consumer492Services. 493 Section 4. Paragraph (a) of subsection (3) of section 494 282.318, Florida Statutes, is amended to read: 495 282.318 Security of data and information technology.— 496 (3) The department is responsible for establishing 497 standards and processes consistent with generally accepted best 498 practices for information technology security, to include 499 cybersecurity, and adopting rules that safeguard an agency’s 500 data, information, and information technology resources to 501 ensure availability, confidentiality, and integrity and to 502 mitigate risks. The department shall also: 503 (a) Designate a state chief information security officer, 504 who shall be appointed by and report to the state chief 505 information officer of the Florida Digital Service, and who is 506 in the Senior Management Service. The state chief information 507 security officer must have experience and expertise in security 508 and risk management for communications and information 509 technology resources. 510 Section 5. Subsection (4) of section 287.0591, Florida 511 Statutes, is amended to read: 512 287.0591 Information technology.— 513 (4) If the department issues a competitive solicitation for 514 information technology commodities, consultant services, or 515 staff augmentation contractual services, the Florida Digital 516 ServiceDivision of State Technologywithin the department shall 517 participate in such solicitations. 518 Section 6. Paragraph (a) of subsection (3) of section 519 365.171, Florida Statutes, is amended to read: 520 365.171 Emergency communications number E911 state plan.— 521 (3) DEFINITIONS.—As used in this section, the term: 522 (a) “Office” means the Division of TelecommunicationsState523Technologywithin the Department of Management Services, as 524 designated by the secretary of the department. 525 Section 7. Paragraph (s) of subsection (3) of section 526 365.172, Florida Statutes, is amended to read: 527 365.172 Emergency communications number “E911.”— 528 (3) DEFINITIONS.—Only as used in this section and ss. 529 365.171, 365.173, 365.174, and 365.177, the term: 530 (s) “Office” means the Division of TelecommunicationsState531Technologywithin the Department of Management Services, as 532 designated by the secretary of the department. 533 Section 8. Paragraph (a) of subsection (1) of section 534 365.173, Florida Statutes, is amended to read: 535 365.173 Communications Number E911 System Fund.— 536 (1) REVENUES.— 537 (a) Revenues derived from the fee levied on subscribers 538 under s. 365.172(8) must be paid by the board into the State 539 Treasury on or before the 15th day of each month. Such moneys 540 must be accounted for in a special fund to be designated as the 541 Emergency Communications Number E911 System Fund, a fund created 542 in the Division of TelecommunicationsState Technology, or other 543 office as designated by the Secretary of Management Services. 544 Section 9. Subsection (5) of section 943.0415, Florida 545 Statutes, is amended to read: 546 943.0415 Cybercrime Office.—There is created within the 547 Department of Law Enforcement the Cybercrime Office. The office 548 may: 549 (5) Consult with the Florida Digital ServiceDivision of550State Technologywithin the Department of Management Services in 551 the adoption of rules relating to the information technology 552 security provisions in s. 282.318. 553 Section 10. Effective January 1, 2021, section 559.952, 554 Florida Statutes, is created to read: 555 559.952 Financial Technology Sandbox.— 556 (1) SHORT TITLE.—This section may be cited as the 557 “Financial Technology Sandbox.” 558 (2) CREATION OF THE FINANCIAL TECHNOLOGY SANDBOX.—There is 559 created the Financial Technology Sandbox within the Office of 560 Financial Regulation to allow financial technology innovators to 561 test new products and services in a supervised, flexible 562 regulatory sandbox using waivers of specified general law and 563 corresponding rule requirements under defined conditions. The 564 creation of a supervised, flexible regulatory sandbox provides a 565 welcoming business environment for technology innovators and may 566 lead to significant business growth. 567 (3) DEFINITIONS.—As used in this section, the term: 568 (a) “Commission” means the Financial Services Commission. 569 (b) “Consumer” means a person in this state, whether a 570 natural person or a business entity, who purchases, uses, 571 receives, or enters into an agreement to purchase, use, or 572 receive an innovative financial product or service made 573 available through the Financial Technology Sandbox. 574 (c) “Financial product or service” means a product or 575 service related to finance, including securities, consumer 576 credit, or money transmission, which is traditionally subject to 577 general law or rule requirements in the provisions enumerated in 578 paragraph (4)(a) and which is under the jurisdiction of the 579 office. 580 (d) “Financial Technology Sandbox” means the program 581 created in this section which allows a person to make an 582 innovative financial product or service available to consumers 583 through waiver of the provisions enumerated in paragraph (4)(a) 584 during a sandbox period through a waiver of general laws or rule 585 requirements, or portions thereof, as specified in this section. 586 (e) “Innovative” means new or emerging technology, or new 587 uses of existing technology, which provides a product, service, 588 business model, or delivery mechanism to the public. 589 (f) “Office” means, unless the context clearly indicates 590 otherwise, the Office of Financial Regulation. 591 (g) “Sandbox period” means the period, initially not longer 592 than 24 months, in which the office has: 593 1. Authorized an innovative financial product or service to 594 be made available to consumers. 595 2. Granted the person who makes the innovative financial 596 product or service available a waiver of general law or 597 corresponding rule requirements, as determined by the office, so 598 that the authorization under subparagraph 1. is possible. 599 (4) WAIVERS OF GENERAL LAW AND RULE REQUIREMENTS.— 600 (a) Upon approval of a Financial Technology Sandbox 601 application, the office may grant an applicant a waiver of a 602 requirement, or a portion thereof, which is imposed by a general 603 law or corresponding rule in any of the following provisions, if 604 all of the conditions in paragraph (b) are met: 605 1. Section 560.1105. 606 2. Section 560.118. 607 3. Section 560.125, except for s. 560.125(2). 608 4. Section 560.128. 609 5. Section 560.1401, except for s. 560.1401(2)-(4). 610 6. Section 560.141, except for s. 560.141(1)(b)-(d). 611 7. Section 560.142, except that the office may prorate, but 612 may not entirely waive, the license renewal fees provided in ss. 613 560.142 and 560.143 for an extension granted under subsection 614 (7). 615 8. Section 560.143(2) to the extent necessary for proration 616 of the renewal fee under subparagraph 7. 617 9. Section 560.205, except for s. 560.205(1) and (3). 618 10. Section 560.208, except for s. 560.208(3)-(6). 619 11. Section 560.209, except that the office may modify, but 620 may not entirely waive, the net worth, corporate surety bond, 621 and collateral deposit amounts required under s. 560.209. The 622 modified amounts must be in such lower amounts that the office 623 determines to be commensurate with the considerations under 624 paragraph (5)(e) and the maximum number of consumers authorized 625 to receive the financial product or service under this section. 626 12. Section 516.03, except for the license and 627 investigation fee. The office may prorate, but not entirely 628 waive, the license renewal fees for an extension granted under 629 subsection (7). The office may not waive the evidence of liquid 630 assets of at least $25,000. 631 13. Section 516.05, except that the office may make an 632 investigation of the facts concerning the applicant’s 633 background. 634 14. Section 516.12. 635 15. Section 516.19. 636 16. Section 517.07. 637 17. Section 517.12. 638 18. Section 517.121. 639 19. Section 520.03, except for the application fee. The 640 office may prorate, but not entirely waive, the license renewal 641 fees for an extension granted under subsection (7). 642 20. Section 520.12. 643 21. Section 520.25. 644 22. Section 520.32, except for the application fee. The 645 office may prorate, but not entirely waive, the license renewal 646 fees for an extension granted under subsection (7). 647 23. Section 520.39. 648 24. Section 520.52, except for the application fee. The 649 office may prorate, but not entirely waive, the license renewal 650 fees for an extension granted under subsection (7). 651 25. Section 520.57. 652 26. Section 520.63, except for the application fee. The 653 office may prorate, but not entirely waive, the license renewal 654 fees for an extension granted under subsection (7). 655 27. Section 520.997. 656 28. Section 520.98. 657 29. Section 537.004, except for s. 537.004(2) and (5). The 658 office may prorate, but not entirely waive, the license renewal 659 fees for an extension granted under subsection (7). 660 30. Section 537.005, except that the office may modify, but 661 not entirely waive, the corporate surety bond amount required by 662 s. 537.005. The modified amount must be in such lower amount 663 that the office determines to be commensurate with the 664 considerations under paragraph (5)(e) and the maximum number of 665 consumers authorized to receive the product or service under 666 this section. 667 31. Section 537.007. 668 32. Section 537.009. 669 33. Section 537.015. 670 (b) During a sandbox period, the office may grant a waiver 671 of a requirement, or a portion thereof, imposed by a general law 672 or corresponding rule in any provision enumerated in paragraph 673 (a) if all of the following conditions are met: 674 1. The general law or corresponding rule currently prevents 675 the innovative financial product or service to be made available 676 to consumers. 677 2. The waiver is not broader than necessary to accomplish 678 the purposes and standards specified in this section, as 679 determined by the office. 680 3. No provision relating to the liability of an 681 incorporator, director, or officer of the applicant is eligible 682 for a waiver. 683 4. The other requirements of this section are met. 684 (5) FINANCIAL TECHNOLOGY SANDBOX APPLICATION; STANDARDS FOR 685 APPROVAL.— 686 (a) Before filing an application to enter the Financial 687 Technology Sandbox, a substantially affected person may seek a 688 declaratory statement pursuant to s. 120.565 regarding the 689 applicability of a statute, rule, or agency order to the 690 petitioner’s particular set of circumstances. 691 (b) Before making an innovative financial product or 692 service available to consumers in the Financial Technology 693 Sandbox, a person must file an application with the office. The 694 commission shall prescribe by rule the form and manner of the 695 application. 696 1. In the application, the person must specify the general 697 law or rule requirements for which a waiver is sought and the 698 reasons why these requirements prevent the innovative financial 699 product or service from being made available to consumers. 700 2. The application must also contain the information 701 specified in paragraph (e). 702 (c) A business entity filing an application under this 703 section must be a domestic corporation or other organized 704 domestic entity with a physical presence, other than that of a 705 registered office or agent or virtual mailbox, in this state. 706 (d) Before a person applies on behalf of a business entity 707 intending to make an innovative financial product or service 708 available to consumers, the person must obtain the consent of 709 the business entity. 710 (e) The office shall approve or deny in writing a Financial 711 Technology Sandbox application within 60 days after receiving 712 the completed application. The office and the applicant may 713 jointly agree to extend the time beyond 60 days. Consistent with 714 this section, the office may impose conditions on any approval. 715 In deciding to approve or deny an application, the office must 716 consider each of the following: 717 1. The nature of the innovative financial product or 718 service proposed to be made available to consumers in the 719 Financial Technology Sandbox, including all relevant technical 720 details. 721 2. The potential risk to consumers and the methods that 722 will be used to protect consumers and resolve complaints during 723 the sandbox period. 724 3. The business plan proposed by the applicant, including a 725 statement regarding the applicant’s current and proposed 726 capitalization. 727 4. Whether the applicant has the necessary personnel, 728 adequate financial and technical expertise, and a sufficient 729 plan to test, monitor, and assess the innovative financial 730 product or service. 731 5. Whether any person substantially involved in the 732 development, operation, or management of the applicant’s 733 innovative financial product or service has pled no contest to, 734 has been convicted or found guilty of, or is currently under 735 investigation for, fraud, a state or federal securities 736 violation, any property-based offense, or any crime involving 737 moral turpitude or dishonest dealing. A plea of no contest, a 738 conviction, or a finding of guilt must be reported under this 739 subparagraph regardless of adjudication. 740 6. A copy of the disclosures that will be provided to 741 consumers under paragraph (6)(c). 742 7. The financial responsibility of any person substantially 743 involved in the development, operation, or management of the 744 applicant’s innovative financial product or service. 745 8. Any other factor that the office determines to be 746 relevant. 747 (f) The office may not approve an application if: 748 1. The applicant had a prior Financial Technology Sandbox 749 application that was approved and that related to a 750 substantially similar financial product or service; or 751 2. Any person substantially involved in the development, 752 operation, or management of the applicant’s innovative financial 753 product or service was substantially involved with another 754 Financial Technology Sandbox applicant whose application was 755 approved and whose application related to a substantially 756 similar financial product or service. 757 (g) Upon approval of an application, the office shall 758 specify the general law or rule requirements, or portions 759 thereof, for which a waiver is granted during the sandbox period 760 and the length of the initial sandbox period, not to exceed 24 761 months. The office shall post on its website notice of the 762 approval of the application, a summary of the innovative 763 financial product or service, and the contact information of the 764 person making the financial product or service available. 765 (6) OPERATION OF THE FINANCIAL TECHNOLOGY SANDBOX.— 766 (a) A person whose Financial Technology Sandbox application 767 is approved may make an innovative financial product or service 768 available to consumers during the sandbox period. 769 (b) The office may, on a case-by-case basis and after 770 consultation with the person who makes the financial product or 771 service available to consumers, specify the maximum number of 772 consumers authorized to receive an innovative financial product 773 or service. The office may not authorize more than 15,000 774 consumers to receive the financial product or service until the 775 person who makes the financial product or service available to 776 consumers has filed the first report required under subsection 777 (8). After the filing of the report, if the person demonstrates 778 adequate financial capitalization, risk management process, and 779 management oversight, the office may authorize up to 25,000 780 consumers to receive the financial product or service. 781 (c)1. Before a consumer purchases, uses, receives, or 782 enters into an agreement to purchase, use, or receive an 783 innovative financial product or service through the Financial 784 Technology Sandbox, the person making the financial product or 785 service available must provide a written statement of all of the 786 following to the consumer: 787 a. The name and contact information of the person making 788 the financial product or service available to consumers. 789 b. That the financial product or service has been 790 authorized to be made available to consumers for a temporary 791 period by the office, under the laws of this state. 792 c. That this state does not endorse the financial product 793 or service. 794 d. That the financial product or service is undergoing 795 testing, may not function as intended, and may entail financial 796 risk. 797 e. That the person making the financial product or service 798 available to consumers is not immune from civil liability for 799 any losses or damages caused by the financial product or 800 service. 801 f. The expected end date of the sandbox period. 802 g. The contact information for the office, and notification 803 that suspected legal violations, complaints, or other comments 804 related to the financial product or service may be submitted to 805 the office. 806 h. Any other statements or disclosures required by rule of 807 the commission which are necessary to further the purposes of 808 this section. 809 2. The written statement must contain an acknowledgment 810 from the consumer, which must be retained for the duration of 811 the sandbox period by the person making the financial product or 812 service available. 813 (d) The office may enter into an agreement with a state, 814 federal, or foreign regulatory agency to allow persons: 815 1. Who make an innovative financial product or service 816 available in this state through the Financial Technology Sandbox 817 to make their products or services available in other 818 jurisdictions. 819 2. Who operate in similar financial technology sandboxes in 820 other jurisdictions to make innovative financial products and 821 services available in this state under the standards of this 822 section. 823 (e)1. A person whose Financial Technology Sandbox 824 application is approved by the office shall maintain 825 comprehensive records relating to the innovative financial 826 product or service. The person shall keep these records for at 827 least 5 years after the conclusion of the sandbox period. The 828 commission may specify by rule additional records requirements. 829 2. The office may examine the records maintained under 830 subparagraph 1. at any time, with or without notice. 831 (7) EXTENSIONS AND CONCLUSION OF SANDBOX PERIOD.— 832 (a) A person who is authorized to make an innovative 833 financial product or service available to consumers may apply 834 for an extension of the initial sandbox period for up to 12 835 additional months for a purpose specified in subparagraph (b)1. 836 or subparagraph (b)2. A complete application for an extension 837 must be filed with the office at least 90 days before the 838 conclusion of the initial sandbox period. The office shall 839 approve or deny the application for extension in writing at 840 least 35 days before the conclusion of the initial sandbox 841 period. In deciding to approve or deny an application for 842 extension of the sandbox period, the office must, at a minimum, 843 consider the current status of the factors previously considered 844 under paragraph (5)(e). 845 (b) An application for an extension under paragraph (a) 846 must cite one of the following reasons as the basis for the 847 application and must provide all relevant supporting information 848 that: 849 1. Amendments to general law or rules are necessary to 850 offer the innovative financial product or service in this state 851 permanently. 852 2. An application for a license that is required in order 853 to offer the innovative financial product or service in this 854 state permanently has been filed with the office, and approval 855 is pending. 856 (c) At least 30 days before the conclusion of the initial 857 sandbox period or the extension, whichever is later, a person 858 who makes an innovative financial product or service available 859 shall provide written notification to consumers regarding the 860 conclusion of the initial sandbox period or the extension and 861 may not make the financial product or service available to any 862 new consumers after the conclusion of the initial sandbox period 863 or the extension, whichever is later, until legal authority 864 outside of the Financial Technology Sandbox exists to make the 865 financial product or service available to consumers. After the 866 conclusion of the sandbox period or the extension, whichever is 867 later, the person who makes the innovative financial product or 868 service available may: 869 1. Collect and receive money owed to the person or pay 870 money owed by the person, based on agreements with consumers 871 made before the conclusion of the sandbox period or the 872 extension. 873 2. Take necessary legal action. 874 3. Take other actions authorized by commission rule which 875 are not inconsistent with this subsection. 876 (8) REPORT.—A person authorized to make an innovative 877 financial product or service available to consumers under this 878 section shall submit a report to the office twice a year as 879 prescribed by commission rule. The report must, at a minimum, 880 include financial reports and the number of consumers who have 881 received the financial product or service. 882 (9) CONSTRUCTION.—A person whose Financial Technology 883 Sandbox application is approved shall be deemed licensed under 884 part II of chapter 560 unless the person’s authorization to make 885 the financial product or service available to consumers under 886 this section has been revoked or suspended. 887 (10) VIOLATIONS AND PENALTIES.— 888 (a) A person who makes an innovative financial product or 889 service available to consumers in the Financial Technology 890 Sandbox is: 891 1. Not immune from civil damages for acts and omissions 892 relating to this section. 893 2. Subject to all criminal and consumer protection laws. 894 (b)1. The office may, by order, revoke or suspend 895 authorization granted to a person to make an innovative 896 financial product or service available to consumers if: 897 a. The person has violated or refused to comply with this 898 section, a rule of the commission, an order of the office, or a 899 condition placed by the office on the approval of the person’s 900 Financial Technology Sandbox application; 901 b. A fact or condition exists that, if it had existed or 902 become known at the time that the Financial Technology Sandbox 903 application was pending, would have warranted denial of the 904 application or the imposition of material conditions; 905 c. A material error, false statement, misrepresentation, or 906 material omission was made in the Financial Technology Sandbox 907 application; or 908 d. After consultation with the person, continued testing of 909 the innovative financial product or service would: 910 (I) Be likely to harm consumers; or 911 (II) No longer serve the purposes of this section because 912 of the financial or operational failure of the financial product 913 or service. 914 2. Written notice of a revocation or suspension order made 915 under subparagraph 1. must be served using any means authorized 916 by law. If the notice relates to a suspension, the notice must 917 include any condition or remedial action that the person must 918 complete before the office lifts the suspension. 919 (c) The office may refer any suspected violation of law to 920 an appropriate state or federal agency for investigation, 921 prosecution, civil penalties, and other appropriate enforcement 922 actions. 923 (d) If service of process on a person making an innovative 924 financial product or service available to consumers in the 925 Financial Technology Sandbox is not feasible, service on the 926 office shall be deemed service on such person. 927 (11) RULES AND ORDERS.— 928 (a) The commission shall adopt rules to administer this 929 section. 930 (b) The office may issue all necessary orders to enforce 931 this section and may enforce the orders in accordance with 932 chapter 120 or in any court of competent jurisdiction. These 933 orders include, but are not limited to, orders for payment of 934 restitution for harm suffered by consumers as a result of an 935 innovative financial product or service. 936 Section 11. Except as otherwise expressly provided in this 937 act, this act shall take effect July 1, 2020. 938 939 ================= T I T L E A M E N D M E N T ================ 940 And the title is amended as follows: 941 Delete everything before the enacting clause 942 and insert: 943 A bill to be entitled 944 An act relating to technology innovation; amending s. 945 20.22, F.S.; renaming the Division of State Technology 946 within the Department of Management Services as the 947 Division of Telecommunications; deleting provisions 948 relating to the appointment of the Division of State 949 Technology’s director and qualifications for the state 950 chief information officer; adding the Florida Digital 951 Service to the department; amending s. 282.0051, F.S.; 952 establishing the Florida Digital Service within the 953 department; defining terms; transferring specified 954 powers, duties, and functions of the department to the 955 Florida Digital Service and revising such powers, 956 duties, and functions; providing for appointments of a 957 state chief information officer and a chief data 958 officer and specifying their duties; requiring the 959 Florida Digital Service to develop a comprehensive 960 enterprise architecture; providing requirements for 961 the enterprise architecture; specifying duties of and 962 authorized actions by the Florida Digital Service; 963 providing duties of the department; authorizing the 964 Florida Digital Service to adopt rules; amending s. 965 282.00515, F.S.; establishing the Enterprise 966 Architecture Advisory Council; requiring the council 967 to comply with specified requirements; providing 968 membership and meeting requirements and duties of the 969 council; deleting provisions relating to specified 970 duties and powers of the Department of Legal Affairs, 971 the Department of Financial Services, and the 972 Department of Agriculture and Consumer Services; 973 amending ss. 282.318, 287.0591, 365.171, 365.172, 974 365.173, and 943.0415, F.S.; conforming provisions to 975 changes made by the act; creating s. 559.952, F.S.; 976 providing a short title; creating the Financial 977 Technology Sandbox within the Office of Financial 978 Regulation; defining terms; authorizing the office to 979 grant waivers of specified financial regulatory 980 requirements to certain applicants offering certain 981 financial products or services during a sandbox 982 period; specifying criteria for granting a waiver; 983 requiring an application for the program for persons 984 who want to make innovative financial products or 985 services available to consumers; providing application 986 requirements and procedures; providing standards for 987 application approval or denial; requiring the office 988 to perform certain actions upon approval of an 989 application; specifying authorized actions of, 990 limitations on, and disclosure requirements for 991 persons making financial products or services 992 available during a sandbox period; authorizing the 993 office to enter into agreement with certain regulatory 994 agencies for specified purposes; providing 995 recordkeeping requirements; authorizing the office to 996 examine specified records; providing requirements and 997 procedures for applying for extensions and concluding 998 sandbox periods; requiring written notification to 999 consumers at the end of an extension or conclusion of 1000 the sandbox period; providing acts that persons who 1001 make innovative financial products or services 1002 available to consumers may and may not engage in at 1003 the end of an extension or conclusion of the sandbox 1004 period; specifying reporting requirements to the 1005 office; providing construction; providing that such 1006 persons are not immune from civil damages and are 1007 subject to criminal and consumer protection laws; 1008 providing penalties; providing for service of process; 1009 requiring the Financial Services Commission to adopt 1010 rules; authorizing the office to issue orders and 1011 enforce such orders through administrative or judicial 1012 process; authorizing the office to issue and enforce 1013 orders for payment of restitution; providing effective 1014 dates.