Bill Text: FL S1870 | 2020 | Regular Session | Comm Sub

NOTE: There are more recent revisions of this legislation. Read Latest Draft
Bill Title: Technology Innovation

Spectrum: Bipartisan Bill

Status: (Introduced) 2020-03-09 - Laid on Table, refer to CS/CS/CS/HB 1391 [S1870 Detail]

Download: Florida-2020-S1870-Comm_Sub.html
       Florida Senate - 2020                             CS for SB 1870
       
       
        
       By the Committee on Innovation, Industry, and Technology; and
       Senator Hutson
       
       
       
       
       580-03376-20                                          20201870c1
    1                        A bill to be entitled                      
    2         An act relating to technology innovation; amending s.
    3         20.22, F.S.; renaming the Division of State Technology
    4         within the Department of Management Services as the
    5         Division of Telecommunications; deleting provisions
    6         relating to the appointment of the Division of State
    7         Technology’s director and qualifications for the state
    8         chief information officer; adding the Florida Digital
    9         Service to the department; amending s. 282.0041, F.S.;
   10         defining terms; amending s. 282.0051, F.S.;
   11         establishing the Florida Digital Service within the
   12         department; transferring specified powers, duties, and
   13         functions of the department to the Florida Digital
   14         Service and revising such powers, duties, and
   15         functions; providing for appointments of a state chief
   16         information officer and a chief data officer and
   17         specifying their duties; requiring the Florida Digital
   18         Service to develop a comprehensive enterprise
   19         architecture; providing requirements for the
   20         enterprise architecture; specifying duties of, and
   21         authorized actions by, the Florida Digital Service;
   22         providing duties of, and authorized actions by, the
   23         department; authorizing the Florida Digital Service to
   24         adopt rules; amending s. 282.00515, F.S.; establishing
   25         the Enterprise Architecture Advisory Council;
   26         requiring the council to comply with specified
   27         requirements; specifying the composition of the
   28         council; providing membership and meeting requirements
   29         and duties of the council; deleting provisions
   30         relating to specified duties and powers of the
   31         Department of Legal Affairs, the Department of
   32         Financial Services, and the Department of Agriculture
   33         and Consumer Services; amending ss. 282.318, 287.0591,
   34         365.171, 365.172, 365.173, and 943.0415, F.S.;
   35         conforming provisions to changes made by the act;
   36         creating s. 559.952, F.S.; providing a short title;
   37         creating the Financial Technology Sandbox within the
   38         Office of Financial Regulation; defining terms;
   39         authorizing the office to grant waivers of specified
   40         financial regulatory requirements to certain
   41         applicants offering certain financial products or
   42         services during a sandbox period; authorizing certain
   43         persons to seek a declaratory statement before filing
   44         an application for the Financial Technology Sandbox;
   45         specifying requirements and procedures for an
   46         application to enter the Financial Technology Sandbox;
   47         specifying requirements and procedures for the office
   48         in reviewing applications; specifying authorized
   49         actions of, limitations on, and disclosure
   50         requirements for persons making financial products or
   51         services available during a sandbox period;
   52         authorizing the office to enter into agreement with
   53         certain regulatory agencies for specified purposes;
   54         providing recordkeeping requirements; authorizing the
   55         office to examine specified records; providing
   56         requirements and procedures for applying for
   57         extensions and concluding sandbox periods; requiring
   58         written notification to consumers at the end of an
   59         extension or conclusion of the sandbox period;
   60         providing acts that persons who make innovative
   61         financial products or services available to consumers
   62         may and may not engage in at the end of an extension
   63         or conclusion of the sandbox period; specifying state
   64         financial regulatory laws that the office may grant
   65         exceptions to; specifying reporting requirements to
   66         the office; providing construction; providing that
   67         such persons are not immune from civil damages and are
   68         subject to certain laws; providing penalties;
   69         providing for service of process; requiring the
   70         Financial Services Commission to adopt rules;
   71         authorizing the office to issue orders and enforce
   72         them through administrative or judicial process;
   73         authorizing the office to issue and enforce orders for
   74         payment of restitution; providing effective dates.
   75          
   76  Be It Enacted by the Legislature of the State of Florida:
   77  
   78         Section 1. Subsection (2) of section 20.22, Florida
   79  Statutes, is amended to read:
   80         20.22 Department of Management Services.—There is created a
   81  Department of Management Services.
   82         (2) The following divisions and programs within the
   83  Department of Management Services shall consist of the following
   84  are established:
   85         (a) The Facilities Program.
   86         (b) The Division of Telecommunications State Technology,
   87  the director of which is appointed by the secretary of the
   88  department and shall serve as the state chief information
   89  officer. The state chief information officer must be a proven,
   90  effective administrator who must have at least 10 years of
   91  executive-level experience in the public or private sector,
   92  preferably with experience in the development of information
   93  technology strategic planning and the development and
   94  implementation of fiscal and substantive information technology
   95  policy and standards.
   96         (c) The Workforce Program.
   97         (d)1. The Support Program.
   98         2. The Federal Property Assistance Program.
   99         (e) The Administration Program.
  100         (f) The Division of Administrative Hearings.
  101         (g) The Division of Retirement.
  102         (h) The Division of State Group Insurance.
  103         (i)The Florida Digital Service.
  104         Section 2. Section 282.0041, Florida Statutes, is amended
  105  to read:
  106         282.0041 Definitions.—As used in this chapter, the term:
  107         (1) “Agency assessment” means the amount each customer
  108  entity must pay annually for services from the Department of
  109  Management Services and includes administrative and data center
  110  services costs.
  111         (2) “Agency data center” means agency space containing 10
  112  or more physical or logical servers.
  113         (3) “Breach” has the same meaning as provided in s.
  114  501.171.
  115         (4) “Business continuity plan” means a collection of
  116  procedures and information designed to keep an agency’s critical
  117  operations running during a period of displacement or
  118  interruption of normal operations.
  119         (5) “Cloud computing” has the same meaning as provided in
  120  Special Publication 800-145 issued by the National Institute of
  121  Standards and Technology.
  122         (6) “Computing facility” or “agency computing facility”
  123  means agency space containing fewer than a total of 10 physical
  124  or logical servers, but excluding single, logical-server
  125  installations that exclusively perform a utility function such
  126  as file and print servers.
  127         (7) “Credential service provider” means a provider
  128  competitively procured by the department to supply secure
  129  identity management and verification services based on open
  130  standards to qualified entities.
  131         (8) “Customer entity” means an entity that obtains services
  132  from the Department of Management Services.
  133         (9)(8) “Data” means a subset of structured information in a
  134  format that allows such information to be electronically
  135  retrieved and transmitted.
  136         (10)“Data-call” means an electronic transaction with the
  137  credential service provider that verifies the authenticity of a
  138  digital identity by querying enterprise data.
  139         (11)(9) “Department” means the Department of Management
  140  Services.
  141         (12)(10) “Disaster recovery” means the process, policies,
  142  procedures, and infrastructure related to preparing for and
  143  implementing recovery or continuation of an agency’s vital
  144  technology infrastructure after a natural or human-induced
  145  disaster.
  146         (13)“Electronic” means technology having electrical,
  147  digital, magnetic, wireless, optical, electromagnetic, or
  148  similar capabilities.
  149         (14)“Electronic credential” means a digital asset that
  150  verifies the identity of a person, organization, application, or
  151  device.
  152         (15)“Enterprise” means the collection of state agencies.
  153  The term includes the Department of Legal Affairs, the
  154  Department of Agriculture and Consumer Services, the Department
  155  of Financial Services, and the judicial branch.
  156         (16)“Enterprise architecture” means a comprehensive
  157  operational framework that contemplates the needs and assets of
  158  the enterprise to support interoperability across state
  159  government.
  160         (17)(11) “Enterprise information technology service” means
  161  an information technology service that is used in all agencies
  162  or a subset of agencies and is established in law to be
  163  designed, delivered, and managed at the enterprise level.
  164         (18)(12) “Event” means an observable occurrence in a system
  165  or network.
  166         (19)(13) “Incident” means a violation or imminent threat of
  167  violation, whether such violation is accidental or deliberate,
  168  of information technology resources, security, policies, or
  169  practices. An imminent threat of violation refers to a situation
  170  in which the state agency has a factual basis for believing that
  171  a specific incident is about to occur.
  172         (20)(14) “Information technology” means equipment,
  173  hardware, software, firmware, programs, systems, networks,
  174  infrastructure, media, and related material used to
  175  automatically, electronically, and wirelessly collect, receive,
  176  access, transmit, display, store, record, retrieve, analyze,
  177  evaluate, process, classify, manipulate, manage, assimilate,
  178  control, communicate, exchange, convert, converge, interface,
  179  switch, or disseminate information of any kind or form.
  180         (21)(15) “Information technology policy” means a definite
  181  course or method of action selected from among one or more
  182  alternatives that guide and determine present and future
  183  decisions.
  184         (22)(16) “Information technology resources” has the same
  185  meaning as provided in s. 119.011.
  186         (23)(17) “Information technology security” means the
  187  protection afforded to an automated information system in order
  188  to attain the applicable objectives of preserving the integrity,
  189  availability, and confidentiality of data, information, and
  190  information technology resources.
  191         (24)“Interoperability” means the technical ability to
  192  share and use data across and throughout the enterprise.
  193         (25)(18) “Open data” means data collected or created by a
  194  state agency and structured in a way that enables the data to be
  195  fully discoverable and usable by the public. The term does not
  196  include data that are restricted from public distribution based
  197  on federal or state privacy, confidentiality, and security laws
  198  and regulations or data for which a state agency is statutorily
  199  authorized to assess a fee for its distribution.
  200         (26)(19) “Performance metrics” means the measures of an
  201  organization’s activities and performance.
  202         (27)(20) “Project” means an endeavor that has a defined
  203  start and end point; is undertaken to create or modify a unique
  204  product, service, or result; and has specific objectives that,
  205  when attained, signify completion.
  206         (28)(21) “Project oversight” means an independent review
  207  and analysis of an information technology project that provides
  208  information on the project’s scope, completion timeframes, and
  209  budget and that identifies and quantifies issues or risks
  210  affecting the successful and timely completion of the project.
  211         (29)“Qualified entity” means a public or private entity or
  212  individual that enters into a binding agreement with the
  213  department, meets usage criteria, agrees to terms and
  214  conditions, and is subsequently and prescriptively authorized by
  215  the department to access data under the terms of that agreement.
  216         (30)(22) “Risk assessment” means the process of identifying
  217  security risks, determining their magnitude, and identifying
  218  areas needing safeguards.
  219         (31)(23) “Service level” means the key performance
  220  indicators (KPI) of an organization or service which must be
  221  regularly performed, monitored, and achieved.
  222         (32)(24) “Service-level agreement” means a written contract
  223  between the Department of Management Services and a customer
  224  entity which specifies the scope of services provided, service
  225  level, the duration of the agreement, the responsible parties,
  226  and service costs. A service-level agreement is not a rule
  227  pursuant to chapter 120.
  228         (33)(25) “Stakeholder” means a person, group, organization,
  229  or state agency involved in or affected by a course of action.
  230         (34)(26) “Standards” means required practices, controls,
  231  components, or configurations established by an authority.
  232         (35)(27) “State agency” means any official, officer,
  233  commission, board, authority, council, committee, or department
  234  of the executive branch of state government; the Justice
  235  Administrative Commission; and the Public Service Commission.
  236  The term does not include university boards of trustees or state
  237  universities. As used in part I of this chapter, except as
  238  otherwise specifically provided, the term does not include the
  239  Department of Legal Affairs, the Department of Agriculture and
  240  Consumer Services, or the Department of Financial Services.
  241         (36)(28) “SUNCOM Network” means the state enterprise
  242  telecommunications system that provides all methods of
  243  electronic or optical telecommunications beyond a single
  244  building or contiguous building complex and used by entities
  245  authorized as network users under this part.
  246         (37)(29) “Telecommunications” means the science and
  247  technology of communication at a distance, including electronic
  248  systems used in the transmission or reception of information.
  249         (38)(30) “Threat” means any circumstance or event that has
  250  the potential to adversely impact a state agency’s operations or
  251  assets through an information system via unauthorized access,
  252  destruction, disclosure, or modification of information or
  253  denial of service.
  254         (39)(31) “Variance” means a calculated value that
  255  illustrates how far positive or negative a projection has
  256  deviated when measured against documented estimates within a
  257  project plan.
  258         Section 3. Section 282.0051, Florida Statutes, is amended
  259  to read:
  260         282.0051 Florida Digital Service Department of Management
  261  Services; powers, duties, and functions.—There is established
  262  the Florida Digital Service within the department to create
  263  innovative solutions that securely modernize state government,
  264  achieve value through digital transformation and
  265  interoperability, and fully support the cloud-first policy as
  266  specified in s. 282.206.
  267         (1) The Florida Digital Service department shall have the
  268  following powers, duties, and functions:
  269         (a)(1) Develop and publish information technology policy
  270  for the management of the state’s information technology
  271  resources.
  272         (b)(2) Establish and publish information technology
  273  architecture standards to provide for the most efficient use of
  274  the state’s information technology resources and to ensure
  275  compatibility and alignment with the needs of state agencies.
  276  The Florida Digital Service department shall assist state
  277  agencies in complying with the standards.
  278         (c)(3) Establish project management and oversight standards
  279  with which state agencies must comply when implementing projects
  280  that have an information technology component projects. The
  281  Florida Digital Service department shall provide training
  282  opportunities to state agencies to assist in the adoption of the
  283  project management and oversight standards. To support data
  284  driven decisionmaking, the standards must include, but are not
  285  limited to:
  286         1.(a) Performance measurements and metrics that objectively
  287  reflect the status of a project with an information technology
  288  component project based on a defined and documented project
  289  scope, cost, and schedule.
  290         2.(b) Methodologies for calculating acceptable variances in
  291  the projected versus actual scope, schedule, or cost of a
  292  project with an information technology component project.
  293         3.(c) Reporting requirements, including requirements
  294  designed to alert all defined stakeholders that a project with
  295  an information technology component project has exceeded
  296  acceptable variances defined and documented in a project plan.
  297         4.(d) Content, format, and frequency of project updates.
  298         (d)(4) Perform project oversight on all state agency
  299  information technology projects that have an information
  300  technology component with a total project cost costs of $10
  301  million or more and that are funded in the General
  302  Appropriations Act or any other law. The Florida Digital Service
  303  department shall report at least quarterly to the Executive
  304  Office of the Governor, the President of the Senate, and the
  305  Speaker of the House of Representatives on any project with an
  306  information technology component project that the Florida
  307  Digital Service department identifies as high-risk due to the
  308  project exceeding acceptable variance ranges defined and
  309  documented in a project plan. The report must include a risk
  310  assessment, including fiscal risks, associated with proceeding
  311  to the next stage of the project, and a recommendation for
  312  corrective actions required, including suspension or termination
  313  of the project. The Florida Digital Service shall establish a
  314  process for state agencies to apply for an exception to the
  315  requirements of this paragraph for a specific project with an
  316  information technology component.
  317         (e)(5) Identify opportunities for standardization and
  318  consolidation of information technology services that support
  319  interoperability and the cloud-first policy as specified in s.
  320  282.206, business functions and operations, including
  321  administrative functions such as purchasing, accounting and
  322  reporting, cash management, and personnel, and that are common
  323  across state agencies. The Florida Digital Service department
  324  shall biennially on April 1 provide recommendations for
  325  standardization and consolidation to the Executive Office of the
  326  Governor, the President of the Senate, and the Speaker of the
  327  House of Representatives.
  328         (f)(6) Establish best practices for the procurement of
  329  information technology products and cloud-computing services in
  330  order to reduce costs, increase the quality of data center
  331  services, or improve government services.
  332         (g)(7) Develop standards for information technology reports
  333  and updates, including, but not limited to, operational work
  334  plans, project spend plans, and project status reports, for use
  335  by state agencies.
  336         (h)(8) Upon request, assist state agencies in the
  337  development of information technology-related legislative budget
  338  requests.
  339         (i)(9) Conduct annual assessments of state agencies to
  340  determine compliance with all information technology standards
  341  and guidelines developed and published by the Florida Digital
  342  Service department and provide results of the assessments to the
  343  Executive Office of the Governor, the President of the Senate,
  344  and the Speaker of the House of Representatives.
  345         (j)(10) Provide operational management and oversight of the
  346  state data center established pursuant to s. 282.201, which
  347  includes:
  348         1.(a) Implementing industry standards and best practices
  349  for the state data center’s facilities, operations, maintenance,
  350  planning, and management processes.
  351         2.(b) Developing and implementing cost-recovery or other
  352  payment mechanisms that recover the full direct and indirect
  353  cost of services through charges to applicable customer
  354  entities. Such cost-recovery or other payment mechanisms must
  355  comply with applicable state and federal regulations concerning
  356  distribution and use of funds and must ensure that, for any
  357  fiscal year, no service or customer entity subsidizes another
  358  service or customer entity.
  359         3.(c) Developing and implementing appropriate operating
  360  guidelines and procedures necessary for the state data center to
  361  perform its duties pursuant to s. 282.201. The guidelines and
  362  procedures must comply with applicable state and federal laws,
  363  regulations, and policies and conform to generally accepted
  364  governmental accounting and auditing standards. The guidelines
  365  and procedures must include, but need not be limited to:
  366         a.1. Implementing a consolidated administrative support
  367  structure responsible for providing financial management,
  368  procurement, transactions involving real or personal property,
  369  human resources, and operational support.
  370         b.2. Implementing an annual reconciliation process to
  371  ensure that each customer entity is paying for the full direct
  372  and indirect cost of each service as determined by the customer
  373  entity’s use of each service.
  374         c.3. Providing rebates that may be credited against future
  375  billings to customer entities when revenues exceed costs.
  376         d.4. Requiring customer entities to validate that
  377  sufficient funds exist in the appropriate data processing
  378  appropriation category or will be transferred into the
  379  appropriate data processing appropriation category before
  380  implementation of a customer entity’s request for a change in
  381  the type or level of service provided, if such change results in
  382  a net increase to the customer entity’s cost for that fiscal
  383  year.
  384         e.5. By November 15 of each year, providing to the Office
  385  of Policy and Budget in the Executive Office of the Governor and
  386  to the chairs of the legislative appropriations committees the
  387  projected costs of providing data center services for the
  388  following fiscal year.
  389         f.6. Providing a plan for consideration by the Legislative
  390  Budget Commission if the cost of a service is increased for a
  391  reason other than a customer entity’s request made pursuant to
  392  sub-subparagraph d. subparagraph 4. Such a plan is required only
  393  if the service cost increase results in a net increase to a
  394  customer entity for that fiscal year.
  395         g.7. Standardizing and consolidating procurement and
  396  contracting practices.
  397         4.(d) In collaboration with the Department of Law
  398  Enforcement, developing and implementing a process for
  399  detecting, reporting, and responding to information technology
  400  security incidents, breaches, and threats.
  401         5.(e) Adopting rules relating to the operation of the state
  402  data center, including, but not limited to, budgeting and
  403  accounting procedures, cost-recovery or other payment
  404  methodologies, and operating procedures.
  405         (f) Conducting an annual market analysis to determine
  406  whether the state’s approach to the provision of data center
  407  services is the most effective and cost-efficient manner by
  408  which its customer entities can acquire such services, based on
  409  federal, state, and local government trends; best practices in
  410  service provision; and the acquisition of new and emerging
  411  technologies. The results of the market analysis shall assist
  412  the state data center in making adjustments to its data center
  413  service offerings.
  414         (k)(11) Recommend other information technology services
  415  that should be designed, delivered, and managed as enterprise
  416  information technology services. Recommendations must include
  417  the identification of existing information technology resources
  418  associated with the services, if existing services must be
  419  transferred as a result of being delivered and managed as
  420  enterprise information technology services.
  421         (l)(12) In consultation with state agencies, propose a
  422  methodology and approach for identifying and collecting both
  423  current and planned information technology expenditure data at
  424  the state agency level.
  425         (m)1.(13)(a) Notwithstanding any other law, provide project
  426  oversight on any project with an information technology
  427  component project of the Department of Financial Services, the
  428  Department of Legal Affairs, and the Department of Agriculture
  429  and Consumer Services which has a total project cost of $25
  430  million or more and which impacts one or more other agencies.
  431  Such projects with an information technology component projects
  432  must also comply with the applicable information technology
  433  architecture, project management and oversight, and reporting
  434  standards established by the Florida Digital Service department.
  435  The Florida Digital Service shall establish a process for the
  436  Department of Financial Services, the Department of Legal
  437  Affairs, and the Department of Agriculture and Consumer Services
  438  to apply for an exception to the requirements of this paragraph
  439  for a specific project with an information technology component.
  440         2.(b) When performing the project oversight function
  441  specified in subparagraph 1. paragraph (a), report at least
  442  quarterly to the Executive Office of the Governor, the President
  443  of the Senate, and the Speaker of the House of Representatives
  444  on any project with an information technology component project
  445  that the Florida Digital Service department identifies as high
  446  risk due to the project exceeding acceptable variance ranges
  447  defined and documented in the project plan. The report shall
  448  include a risk assessment, including fiscal risks, associated
  449  with proceeding to the next stage of the project and a
  450  recommendation for corrective actions required, including
  451  suspension or termination of the project.
  452         (n)(14) If a project with an information technology
  453  component project implemented by a state agency must be
  454  connected to or otherwise accommodated by an information
  455  technology system administered by the Department of Financial
  456  Services, the Department of Legal Affairs, or the Department of
  457  Agriculture and Consumer Services, consult with these
  458  departments regarding the risks and other effects of such
  459  projects on their information technology systems and work
  460  cooperatively with these departments regarding the connections,
  461  interfaces, timing, or accommodations required to implement such
  462  projects.
  463         (o)(15) If adherence to standards or policies adopted by or
  464  established pursuant to this section causes conflict with
  465  federal regulations or requirements imposed on a state agency
  466  and results in adverse action against the state agency or
  467  federal funding, work with the state agency to provide
  468  alternative standards, policies, or requirements that do not
  469  conflict with the federal regulation or requirement. The Florida
  470  Digital Service department shall annually report such
  471  alternative standards to the Governor, the President of the
  472  Senate, and the Speaker of the House of Representatives.
  473         (p)1.(16)(a) Establish an information technology policy for
  474  all information technology-related state contracts, including
  475  state term contracts for information technology commodities,
  476  consultant services, and staff augmentation services. The
  477  information technology policy must include:
  478         a.1. Identification of the information technology product
  479  and service categories to be included in state term contracts.
  480         b.2. Requirements to be included in solicitations for state
  481  term contracts.
  482         c.3. Evaluation criteria for the award of information
  483  technology-related state term contracts.
  484         d.4. The term of each information technology-related state
  485  term contract.
  486         e.5. The maximum number of vendors authorized on each state
  487  term contract.
  488         2.(b) Evaluate vendor responses for information technology
  489  related state term contract solicitations and invitations to
  490  negotiate.
  491         3.(c) Answer vendor questions on information technology
  492  related state term contract solicitations.
  493         4.(d) Ensure that the information technology policy
  494  established pursuant to subparagraph 1. paragraph (a) is
  495  included in all solicitations and contracts that are
  496  administratively executed by the department.
  497         (q)(17) Recommend potential methods for standardizing data
  498  across state agencies which will promote interoperability and
  499  reduce the collection of duplicative data.
  500         (r)(18) Recommend open data technical standards and
  501  terminologies for use by state agencies.
  502         (2)(a)The Secretary of Management Services shall appoint a
  503  state chief information officer, who shall administer the
  504  Florida Digital Service and is included in the Senior Management
  505  Service.
  506         (b)The state chief information officer shall appoint a
  507  chief data officer, who shall report to the state chief
  508  information officer and is included in the Senior Management
  509  Service.
  510         (3)The Florida Digital Service shall develop a
  511  comprehensive enterprise architecture that:
  512         (a)Recognizes the unique needs of those included within
  513  the enterprise that results in the publication of standards,
  514  terminologies, and procurement guidelines to facilitate digital
  515  interoperability.
  516         (b)Supports the cloud-first policy as specified in s.
  517  282.206.
  518         (c)Addresses how information technology infrastructure may
  519  be modernized to achieve cloud-first objectives.
  520         (4)The Florida Digital Service shall, pursuant to
  521  legislative appropriation:
  522         (a)Create and maintain a comprehensive indexed data
  523  catalog that lists what data elements are housed within the
  524  enterprise and in which legacy system or application these data
  525  elements are located.
  526         (b)Develop and publish, in collaboration with the
  527  enterprise, a data dictionary for each agency that reflects the
  528  nomenclature in the comprehensive indexed data catalog.
  529         (c)Review and document use cases across the enterprise
  530  architecture.
  531         (d)Develop and publish standards that support the creation
  532  and deployment of application programming interfaces to
  533  facilitate integration throughout the enterprise.
  534         (e)Facilitate collaborative analysis of enterprise
  535  architecture data to improve service delivery.
  536         (f)Develop plans to provide a testing environment in which
  537  any newly developed solution can be tested for compliance within
  538  the enterprise architecture and for functionality assurance
  539  before deployment.
  540         (g)Publish standards necessary to facilitate a secure
  541  ecosystem of data interoperability that is compliant with the
  542  enterprise architecture and allows for a qualified entity to
  543  access the enterprise’s data under the terms of the agreements
  544  with the department.
  545         (h)Publish standards that facilitate the deployment of
  546  applications or solutions to existing enterprise obligations in
  547  a controlled and phased approach, including, but not limited to:
  548         1.Electronic credentials, including digital licenses as
  549  referenced in s. 322.032.
  550         2.Interoperability that enables supervisors of elections
  551  to authenticate voter eligibility in real time at the point of
  552  service.
  553         3.The criminal justice database.
  554         4.Motor vehicle insurance cancellation integration between
  555  insurers and the Department of Highway Safety and Motor
  556  Vehicles.
  557         5.Interoperability solutions between agencies, including,
  558  but not limited to, the Department of Health, the Agency for
  559  Health Care Administration, the Agency for Persons with
  560  Disabilities, the Department of Education, the Department of
  561  Elderly Affairs, and the Department of Children and Families.
  562         6.Interoperability solutions to support military members,
  563  veterans, and their families.
  564         (5) Pursuant to legislative authorization and subject to
  565  appropriation:
  566         (a) The department may procure a credential service
  567  provider through a competitive process pursuant to s. 287.057.
  568  The terms of the contract developed from such procurement must
  569  pay for the value on a per-data-call or subscription basis, and
  570  there shall be no cost to the enterprise or law enforcement for
  571  using the services provided by the credential service provider.
  572         (b) The department may enter into agreements with qualified
  573  entities that have the technological capabilities necessary to
  574  integrate with the credential service provider; ensure secure
  575  validation and authentication of data; meet usage criteria; and
  576  agree to terms and conditions, privacy policies, and uniform
  577  remittance terms relating to the consumption of enterprise data.
  578  These agreements must include clear, enforceable, and
  579  significant penalties for violations of the agreements.
  580         (c) The department may enter into agreements with qualified
  581  entities that meet usage criteria and agree to the enterprise
  582  architecture terms of service and privacy policies. These
  583  agreements must include clear, enforceable, and significant
  584  penalties for violations of the agreements.
  585         (d) The terms of the agreements between the department, the
  586  credential service provider, and the qualified entities shall be
  587  based on the per-data-call or subscription charges to validate
  588  and authenticate and allow the department to recover any state
  589  costs for implementing and administering a solution. Credential
  590  service provider and qualifying entity revenues may not be
  591  derived from any other transactions that generate revenue for
  592  the enterprise outside of the per-data-call or subscription
  593  charges.
  594         (e) All revenues generated from the agreements with the
  595  credential service provider and qualified entities shall be
  596  remitted to the department, and the department shall deposit
  597  these revenues into the Department of Management Services
  598  Operating Trust Fund for distribution pursuant to a legislative
  599  appropriation and department agreements with the credential
  600  service provider and qualified entities.
  601         (f) Upon the signing of the agreement and the enterprise
  602  architecture terms of service and privacy policies with a
  603  qualified entity, the department shall provide to the qualified
  604  entity, as applicable, appropriate access to enterprise data to
  605  facilitate authorized integrations to collaboratively solve
  606  enterprise use cases.
  607         (6)The Florida Digital Service may develop a process to:
  608         (a)Receive written notice from the state agencies within
  609  the enterprise of any planned or existing procurement of an
  610  information technology project that is subject to governance by
  611  the enterprise architecture.
  612         (b)Intervene in any planned procurement by a state agency
  613  so that the procurement complies with the enterprise
  614  architecture.
  615         (c)Report to the Governor, the President of the Senate,
  616  and the Speaker of the House of Representatives on any
  617  information technology project within the judicial branch that
  618  does not comply with the enterprise architecture.
  619         (7)(19)The Florida Digital Service may adopt rules to
  620  administer this section.
  621         Section 4. Section 282.00515, Florida Statutes, is amended
  622  to read:
  623         282.00515 Enterprise Architecture Advisory Council Duties
  624  of Cabinet agencies.—
  625         (1)(a)The Enterprise Architecture Advisory Council, an
  626  advisory council as defined in s. 20.03(7), is established
  627  within the Department of Management Services. The council shall
  628  comply with the requirements of s. 20.052 except as otherwise
  629  provided in this section.
  630         (b)The council shall consist of the following members:
  631         1.Four members appointed by the Governor.
  632         2. One member appointed by the President of the Senate.
  633         3. One member appointed by the Speaker of the House of
  634  Representatives.
  635         4. One member appointed by the Chief Justice of the Supreme
  636  Court.
  637         5.The director of the Office of Policy and Budget in the
  638  Executive Office of the Governor, or the person acting in the
  639  director’s capacity should the position be vacant.
  640         6.The Secretary of Management Services, or the person
  641  acting in the secretary’s capacity should the position be
  642  vacant.
  643         7.The state chief information officer, or the person
  644  acting in the state chief information officer’s capacity should
  645  the position be vacant.
  646         8.The chief information officer of the Department of
  647  Financial Services, or the person acting in the chief
  648  information officer’s capacity should the position be vacant.
  649         9.The chief information officer of the Department of Legal
  650  Affairs, or the person acting in the chief information officer’s
  651  capacity should the position be vacant.
  652         10.The chief information officer of the Department of
  653  Agriculture and Consumer Services, or the person acting in the
  654  chief information officer’s capacity should the position be
  655  vacant.
  656         (2)(a)The appointments made by the Governor, the President
  657  of the Senate, the Speaker of the House of Representatives, and
  658  the Chief Justice of the Supreme Court are for terms of 4 years.
  659  However, for the purpose of providing staggered terms:
  660         1. The appointments made by the Governor, the President of
  661  the Senate, and the Speaker of the House of Representatives are
  662  for initial terms of 2 years.
  663         2. The appointment made by the Chief Justice is for an
  664  initial term of 3 years.
  665         (b) A vacancy on the council among members appointed under
  666  subparagraph (1)(b)1., subparagraph (1)(b)2., subparagraph
  667  (1)(b)3., or subparagraph (1)(b)4. shall be filled in the same
  668  manner as the original appointment for the remainder of the
  669  unexpired term.
  670         (c) The council shall elect a chair from among its members.
  671         (d) The council shall meet at least semiannually, beginning
  672  October 1, 2020, to discuss implementation, management, and
  673  coordination of the enterprise architecture as defined in s.
  674  282.0041; identify potential issues and threats with specific
  675  use cases; and recommend proactive solutions. The council may
  676  conduct its meetings through teleconferences or other similar
  677  means The Department of Legal Affairs, the Department of
  678  Financial Services, and the Department of Agriculture and
  679  Consumer Services shall adopt the standards established in s.
  680  282.0051(2), (3), and (7) or adopt alternative standards based
  681  on best practices and industry standards, and may contract with
  682  the department to provide or perform any of the services and
  683  functions described in s. 282.0051 for the Department of Legal
  684  Affairs, the Department of Financial Services, or the Department
  685  of Agriculture and Consumer Services.
  686         Section 5. Paragraph (a) of subsection (3) of section
  687  282.318, Florida Statutes, is amended to read:
  688         282.318 Security of data and information technology.—
  689         (3) The department is responsible for establishing
  690  standards and processes consistent with generally accepted best
  691  practices for information technology security, to include
  692  cybersecurity, and adopting rules that safeguard an agency’s
  693  data, information, and information technology resources to
  694  ensure availability, confidentiality, and integrity and to
  695  mitigate risks. The department shall also:
  696         (a) Designate a state chief information security officer
  697  who shall be appointed by and report to the state chief
  698  information officer of the Florida Digital Service and is in the
  699  Senior Management Service. The state chief information security
  700  officer must have experience and expertise in security and risk
  701  management for communications and information technology
  702  resources.
  703         Section 6. Subsection (4) of section 287.0591, Florida
  704  Statutes, is amended to read:
  705         287.0591 Information technology.—
  706         (4) If the department issues a competitive solicitation for
  707  information technology commodities, consultant services, or
  708  staff augmentation contractual services, the Florida Digital
  709  Service Division of State Technology within the department shall
  710  participate in such solicitations.
  711         Section 7. Paragraph (a) of subsection (3) of section
  712  365.171, Florida Statutes, is amended to read:
  713         365.171 Emergency communications number E911 state plan.—
  714         (3) DEFINITIONS.—As used in this section, the term:
  715         (a) “Office” means the Division of Telecommunications State
  716  Technology within the Department of Management Services, as
  717  designated by the secretary of the department.
  718         Section 8. Paragraph (s) of subsection (3) of section
  719  365.172, Florida Statutes, is amended to read:
  720         365.172 Emergency communications number “E911.”—
  721         (3) DEFINITIONS.—Only as used in this section and ss.
  722  365.171, 365.173, 365.174, and 365.177, the term:
  723         (s) “Office” means the Division of Telecommunications State
  724  Technology within the Department of Management Services, as
  725  designated by the secretary of the department.
  726         Section 9. Paragraph (a) of subsection (1) of section
  727  365.173, Florida Statutes, is amended to read:
  728         365.173 Communications Number E911 System Fund.—
  729         (1) REVENUES.—
  730         (a) Revenues derived from the fee levied on subscribers
  731  under s. 365.172(8) must be paid by the board into the State
  732  Treasury on or before the 15th day of each month. Such moneys
  733  must be accounted for in a special fund to be designated as the
  734  Emergency Communications Number E911 System Fund, a fund created
  735  in the Division of Telecommunications State Technology, or other
  736  office as designated by the Secretary of Management Services.
  737         Section 10. Subsection (5) of section 943.0415, Florida
  738  Statutes, is amended to read:
  739         943.0415 Cybercrime Office.—There is created within the
  740  Department of Law Enforcement the Cybercrime Office. The office
  741  may:
  742         (5) Consult with the Florida Digital Service Division of
  743  State Technology within the Department of Management Services in
  744  the adoption of rules relating to the information technology
  745  security provisions in s. 282.318.
  746         Section 11. Effective January 1, 2021, section 559.952,
  747  Florida Statutes, is created to read:
  748         559.952 Financial Technology Sandbox.—
  749         (1)SHORT TITLE.—This section may be cited as the
  750  “Financial Technology Sandbox.”
  751         (2)CREATION OF THE FINANCIAL TECHNOLOGY SANDBOX.—There is
  752  created the Financial Technology Sandbox within the Office of
  753  Financial Regulation to allow financial technology innovators to
  754  test new products and services in a supervised, flexible
  755  regulatory sandbox using exceptions to specified general law and
  756  waivers of the corresponding rule requirements under defined
  757  conditions. The creation of a supervised, flexible regulatory
  758  sandbox provides a welcoming business environment for technology
  759  innovators and may lead to significant business growth.
  760         (3)DEFINITIONS.—As used in this section, the term:
  761         (a)“Commission” means the Financial Services Commission.
  762         (b)“Consumer” means a person in this state, whether a
  763  natural person or a business entity, who purchases, uses,
  764  receives, or enters into an agreement to purchase, use, or
  765  receive an innovative financial product or service made
  766  available through the Financial Technology Sandbox.
  767         (c)“Financial product or service” means a product or
  768  service related to finance, including securities, consumer
  769  credit, or money transmission, which is traditionally subject to
  770  general law or rule requirements in the provisions enumerated in
  771  paragraph (7)(a) and which is under the jurisdiction of the
  772  office.
  773         (d)“Financial Technology Sandbox” means the program
  774  created in this section which allows a person to make an
  775  innovative financial product or service available to consumers
  776  through the provisions enumerated in paragraph (7)(a) during a
  777  sandbox period through an exception to general laws or a waiver
  778  of rule requirements, or portions thereof, as specified in this
  779  section.
  780         (e)“Innovative” means new or emerging technology, or new
  781  uses of existing technology, which provides a product, service,
  782  business model, or delivery mechanism to the public.
  783         (f)“Office” means, unless the context clearly indicates
  784  otherwise, the Office of Financial Regulation.
  785         (g)“Sandbox period” means the period, initially not longer
  786  than 24 months, in which the office has:
  787         1.Authorized an innovative financial product or service to
  788  be made available to consumers.
  789         2.Granted the person who makes the innovative financial
  790  product or service available an exception to general law or a
  791  waiver of the corresponding rule requirements, as determined by
  792  the office, so that the authorization under subparagraph 1. is
  793  possible.
  794         (4)FINANCIAL TECHNOLOGY SANDBOX APPLICATION; STANDARDS FOR
  795  APPROVAL.
  796         (a)Before filing an application to enter the Financial
  797  Technology Sandbox, a substantially affected person may seek a
  798  declaratory statement pursuant to s. 120.565 regarding the
  799  applicability of a statute, rule, or agency order to the
  800  petitioner’s particular set of circumstances.
  801         (b)Before making an innovative financial product or
  802  service available to consumers in the Financial Technology
  803  Sandbox, a person must file an application with the office. The
  804  commission shall prescribe by rule the form and manner of the
  805  application.
  806         1.In the application, the person must specify the general
  807  law or rule requirements for which an exception or a waiver is
  808  sought and the reasons why these requirements prevent the
  809  innovative financial product or service from being made
  810  available to consumers.
  811         2.The application must also contain the information
  812  specified in paragraph (e).
  813         (c)A business entity filing an application under this
  814  section must be a domestic corporation or other organized
  815  domestic entity with a physical presence, other than that of a
  816  registered office or agent or virtual mailbox, in this state.
  817         (d)Before a person applies on behalf of a business entity
  818  intending to make an innovative financial product or service
  819  available to consumers, the person must obtain the consent of
  820  the business entity.
  821         (e)The office shall approve or deny in writing a Financial
  822  Technology Sandbox application within 60 days after receiving
  823  the completed application. The office and the applicant may
  824  jointly agree to extend the time beyond 60 days. Consistent with
  825  this section, the office may impose conditions on any approval.
  826  In deciding to approve or deny an application, the office must
  827  consider each of the following:
  828         1.The nature of the innovative financial product or
  829  service proposed to be made available to consumers in the
  830  Financial Technology Sandbox, including all relevant technical
  831  details.
  832         2.The potential risk to consumers and the methods that
  833  will be used to protect consumers and resolve complaints during
  834  the sandbox period.
  835         3.The business plan proposed by the applicant, including a
  836  statement regarding the applicant’s current and proposed
  837  capitalization.
  838         4.Whether the applicant has the necessary personnel,
  839  adequate financial and technical expertise, and a sufficient
  840  plan to test, monitor, and assess the innovative financial
  841  product or service.
  842         5.If any person substantially involved in the development,
  843  operation, or management of the applicant’s innovative financial
  844  product or service has pled no contest to, has been convicted or
  845  found guilty of, or is currently under investigation for, fraud,
  846  a state or federal securities violation, any property-based
  847  offense, or any crime involving moral turpitude or dishonest
  848  dealing, their application to the Financial Technology Sandbox
  849  will be denied. A plea of no contest, a conviction, or a finding
  850  of guilt must be reported under this subparagraph regardless of
  851  adjudication.
  852         6.A copy of the disclosures that will be provided to
  853  consumers under paragraph (6)(c).
  854         7.The financial responsibility of any person substantially
  855  involved in the development, operation, or management of the
  856  applicant’s innovative financial product or service.
  857         8.Any other factor that the office determines to be
  858  relevant.
  859         (f)The office may not approve an application if:
  860         1.The applicant had a prior Financial Technology Sandbox
  861  application that was approved and that related to a
  862  substantially similar financial product or service; or
  863         2.Any person substantially involved in the development,
  864  operation, or management of the applicant’s innovative financial
  865  product or service was substantially involved with another
  866  Financial Technology Sandbox applicant whose application was
  867  approved and whose application related to a substantially
  868  similar financial product or service.
  869         (g)Upon approval of an application, the office shall
  870  specify the general law or rule requirements, or portions
  871  thereof, for which an exception or rule waiver is granted during
  872  the sandbox period and the length of the initial sandbox period,
  873  not to exceed 24 months. The office shall post on its website
  874  notice of the approval of the application, a summary of the
  875  innovative financial product or service, and the contact
  876  information of the person making the financial product or
  877  service available.
  878         (5)OPERATION OF THE FINANCIAL TECHNOLOGY SANDBOX.
  879         (a)A person whose Financial Technology Sandbox application
  880  is approved may make an innovative financial product or service
  881  available to consumers during the sandbox period.
  882         (b)The office may, on a case-by-case basis and after
  883  consultation with the person who makes the financial product or
  884  service available to consumers, specify the maximum number of
  885  consumers authorized to receive an innovative financial product
  886  or service. The office may not authorize more than 15,000
  887  consumers to receive the financial product or service until the
  888  person who makes the financial product or service available to
  889  consumers has filed the first report required under subsection
  890  (8). After the filing of the report, if the person demonstrates
  891  adequate financial capitalization, risk management process, and
  892  management oversight, the office may authorize up to 25,000
  893  consumers to receive the financial product or service.
  894         (c)1.Before a consumer purchases, uses, receives, or
  895  enters into an agreement to purchase, use, or receive an
  896  innovative financial product or service through the Financial
  897  Technology Sandbox, the person making the financial product or
  898  service available must provide a written statement of all of the
  899  following to the consumer:
  900         a.The name and contact information of the person making
  901  the financial product or service available to consumers.
  902         b.That the financial product or service has been
  903  authorized to be made available to consumers for a temporary
  904  period by the office, under the laws of this state.
  905         c.That this state does not endorse the financial product
  906  or service.
  907         d.That the financial product or service is undergoing
  908  testing, may not function as intended, and may entail financial
  909  risk.
  910         e.That the person making the financial product or service
  911  available to consumers is not immune from civil liability for
  912  any losses or damages caused by the financial product or
  913  service.
  914         f.The expected end date of the sandbox period.
  915         g.The contact information for the office, and notification
  916  that suspected legal violations, complaints, or other comments
  917  related to the financial product or service may be submitted to
  918  the office.
  919         h.Any other statements or disclosures required by rule of
  920  the commission which are necessary to further the purposes of
  921  this section.
  922         2.The written statement must contain an acknowledgment
  923  from the consumer, which must be retained for the duration of
  924  the sandbox period by the person making the financial product or
  925  service available.
  926         (d)The office may enter into an agreement with a state,
  927  federal, or foreign regulatory agency to allow persons:
  928         1.Who make an innovative financial product or service
  929  available in this state through the Financial Technology Sandbox
  930  to make their products or services available in other
  931  jurisdictions.
  932         2.Who operate in similar financial technology sandboxes in
  933  other jurisdictions to make innovative financial products and
  934  services available in this state under the standards of this
  935  section.
  936         (e)1.A person whose Financial Technology Sandbox
  937  application is approved by the office shall maintain
  938  comprehensive records relating to the innovative financial
  939  product or service. The person shall keep these records for at
  940  least 5 years after the conclusion of the sandbox period. The
  941  commission may specify by rule additional records requirements.
  942         2.The office may examine the records maintained under
  943  subparagraph 1. at any time, with or without notice.
  944         (6)EXTENSIONS AND CONCLUSION OF SANDBOX PERIOD.
  945         (a)A person who is authorized to make an innovative
  946  financial product or service available to consumers may apply
  947  for an extension of the initial sandbox period for up to 12
  948  additional months for a purpose specified in subparagraph (b)1.
  949  or subparagraph (b)2. A complete application for an extension
  950  must be filed with the office at least 90 days before the
  951  conclusion of the initial sandbox period. The office shall
  952  approve or deny the application for extension in writing at
  953  least 35 days before the conclusion of the initial sandbox
  954  period. In deciding to approve or deny an application for
  955  extension of the sandbox period, the office must, at a minimum,
  956  consider the current status of the factors previously considered
  957  under paragraph (4)(e).
  958         (b)An application for an extension under paragraph (a)
  959  must cite one of the following reasons as the basis for the
  960  application and must provide all relevant supporting information
  961  that:
  962         1.Amendments to general law or rules are necessary to
  963  offer the innovative financial product or service in this state
  964  permanently.
  965         2.An application for a license that is required in order
  966  to offer the innovative financial product or service in this
  967  state permanently has been filed with the office, and approval
  968  is pending.
  969         (c)At least 30 days before the conclusion of the initial
  970  sandbox period or the extension, whichever is later, a person
  971  who makes an innovative financial product or service available
  972  shall provide written notification to consumers regarding the
  973  conclusion of the initial sandbox period or the extension and
  974  may not make the financial product or service available to any
  975  new consumers after the conclusion of the initial sandbox period
  976  or the extension, whichever is later, until legal authority
  977  outside of the Financial Technology Sandbox exists to make the
  978  financial product or service available to consumers. After the
  979  conclusion of the sandbox period or the extension, whichever is
  980  later, the person who makes the innovative financial product or
  981  service available may:
  982         1.Collect and receive money owed to the person or pay
  983  money owed by the person, based on agreements with consumers
  984  made before the conclusion of the sandbox period or the
  985  extension.
  986         2.Take necessary legal action.
  987         3.Take other actions authorized by commission rule which
  988  are not inconsistent with this subsection.
  989         (7)EXCEPTIONS TO GENERAL LAW AND WAIVERS OF RULE
  990  REQUIREMENTS.
  991         (a) Notwithstanding any other provision of law, upon
  992  approval of a Financial Technology Sandbox application, the
  993  office may grant an applicant a waiver of a requirement, or a
  994  portion thereof, which is imposed by rule as authorized by any
  995  of the following provisions of general law, if all of the
  996  conditions in paragraph (b) are met. If the application is
  997  approved for a person who otherwise would be subject to the
  998  provisions of chapter 560, chapter 516, chapter 517, chapter
  999  520, or chapter 537, the following provisions shall not be
 1000  applicable to the approved sandbox participant:
 1001         1. Section 560.1105.
 1002         2. Section 560.118.
 1003         3. Section 560.125, except for s. 560.125(2).
 1004         4. Section 560.128.
 1005         5. Section 560.1401, except for s. 560.1401(2)-(4).
 1006         6. Section 560.141, except for s. 560.141(1)(b)-(d).
 1007         7. Section 560.142, except that the office may prorate the
 1008  license renewal fees provided in ss. 560.142 and 560.143 for an
 1009  extension granted under subsection (6).
 1010         8. Section 560.143(2), to the extent necessary for
 1011  proration of the renewal fee under subparagraph 7.
 1012         9. Section 560.205, except for s. 560.205(1) and (3).
 1013         10. Section 560.208, except for s. 560.208(3)-(6).
 1014         11. Section 560.209, except that the office may modify the
 1015  net worth, corporate surety bond, and collateral deposit amounts
 1016  required under s. 560.209. The modified amounts must be in such
 1017  lower amounts that the office determines to be commensurate with
 1018  the considerations under paragraph (4)(e) and the maximum number
 1019  of consumers authorized to receive the financial product or
 1020  service under this section.
 1021         12. Section 516.03, except for the license and
 1022  investigation fee. The office may prorate the license renewal
 1023  fees for an extension granted under subsection (6). The office
 1024  may not waive the evidence of liquid assets of at least $25,000.
 1025         13. Section 516.05, except that the office may make an
 1026  investigation of the facts concerning the applicant’s
 1027  background.
 1028         14. Section 516.12.
 1029         15. Section 516.19.
 1030         16. Section 517.07.
 1031         17. Section 517.12.
 1032         18. Section 517.121.
 1033         19. Section 520.03, except for the application fee. The
 1034  office may prorate the license renewal fees for an extension
 1035  granted under subsection (6).
 1036         20. Section 520.12.
 1037         21. Section 520.25.
 1038         22. Section 520.32, except for the application fee. The
 1039  office may prorate the license renewal fees for an extension
 1040  granted under subsection (6).
 1041         23. Section 520.39.
 1042         24. Section 520.52, except for the application fee. The
 1043  office may prorate the license renewal fees for an extension
 1044  granted under subsection (6).
 1045         25. Section 520.57.
 1046         26. Section 520.63, except for the application fee. The
 1047  office may prorate the license renewal fees for an extension
 1048  granted under subsection (6).
 1049         27. Section 520.997.
 1050         28. Section 520.98.
 1051         29. Section 537.004, except for s. 537.004(2) and (5). The
 1052  office may prorate the license renewal fees for an extension
 1053  granted under subsection (6).
 1054         30. Section 537.005, except that the office may modify the
 1055  corporate surety bond amount required by s. 537.005. The
 1056  modified amount must be in such lower amount that the office
 1057  determines to be commensurate with the considerations under
 1058  paragraph (4)(e) and the maximum number of consumers authorized
 1059  to receive the product or service under this section.
 1060         31. Section 537.007.
 1061         32. Section 537.009.
 1062         33. Section 537.015.
 1063         (b) During a sandbox period, the exceptions granted in
 1064  paragraph (a) are applicable if all of the following conditions
 1065  are met:
 1066         1. The general law or corresponding rule currently prevents
 1067  the innovative financial product or service to be made available
 1068  to consumers.
 1069         2. The exceptions or rule waivers are not broader than
 1070  necessary to accomplish the purposes and standards specified in
 1071  this section, as determined by the office.
 1072         3. No provision relating to the liability of an
 1073  incorporator, director, or officer of the applicant is eligible
 1074  for a waiver.
 1075         4. The other requirements of this section are met.
 1076         (8)REPORT.A person authorized to make an innovative
 1077  financial product or service available to consumers under this
 1078  section shall submit a report to the office twice a year as
 1079  prescribed by commission rule. The report must, at a minimum,
 1080  include financial reports and the number of consumers who have
 1081  received the financial product or service.
 1082         (9)CONSTRUCTION.—A person whose Financial Technology
 1083  Sandbox application is approved shall be deemed licensed under
 1084  the applicable exceptions to general law or waiver of the rule
 1085  requirements specified under subsection (7), unless the person’s
 1086  authorization to make the financial product or service available
 1087  to consumers under this section has been revoked or suspended.
 1088         (10)VIOLATIONS AND PENALTIES.—
 1089         (a)A person who makes an innovative financial product or
 1090  service available to consumers in the Financial Technology
 1091  Sandbox is:
 1092         1.Not immune from civil damages for acts and omissions
 1093  relating to this section.
 1094         2.Subject to all criminal statutes and any other statute
 1095  not specifically excepted under subsection (7).
 1096         (b)1.The office may, by order, revoke or suspend
 1097  authorization granted to a person to make an innovative
 1098  financial product or service available to consumers if:
 1099         a.The person has violated or refused to comply with this
 1100  section, a rule of the commission, an order of the office, or a
 1101  condition placed by the office on the approval of the person’s
 1102  Financial Technology Sandbox application;
 1103         b.A fact or condition exists that, if it had existed or
 1104  become known at the time that the Financial Technology Sandbox
 1105  application was pending, would have warranted denial of the
 1106  application or the imposition of material conditions;
 1107         c.A material error, false statement, misrepresentation, or
 1108  material omission was made in the Financial Technology Sandbox
 1109  application; or
 1110         d.After consultation with the person, continued testing of
 1111  the innovative financial product or service would:
 1112         (I)Be likely to harm consumers; or
 1113         (II)No longer serve the purposes of this section because
 1114  of the financial or operational failure of the financial product
 1115  or service.
 1116         2.Written notice of a revocation or suspension order made
 1117  under subparagraph 1. must be served using any means authorized
 1118  by law. If the notice relates to a suspension, the notice must
 1119  include any condition or remedial action that the person must
 1120  complete before the office lifts the suspension.
 1121         (c)The office may refer any suspected violation of law to
 1122  an appropriate state or federal agency for investigation,
 1123  prosecution, civil penalties, and other appropriate enforcement
 1124  actions.
 1125         (d)If service of process on a person making an innovative
 1126  financial product or service available to consumers in the
 1127  Financial Technology Sandbox is not feasible, service on the
 1128  office shall be deemed service on such person.
 1129         (11)RULES AND ORDERS.—
 1130         (a)The commission shall adopt rules to administer this
 1131  section.
 1132         (b)The office may issue all necessary orders to enforce
 1133  this section and may enforce the orders in accordance with
 1134  chapter 120 or in any court of competent jurisdiction. These
 1135  orders include, but are not limited to, orders for payment of
 1136  restitution for harm suffered by consumers as a result of an
 1137  innovative financial product or service.
 1138         Section 12. Except as otherwise expressly provided in this
 1139  act, this act shall take effect July 1, 2020.

feedback