[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]

REGULATORY DIVERGENCE: FAILURE OF THE ADMINISTRATIVE STATE

=======================================================================

HEARING

BEFORE THE

SUBCOMMITTEE ON INTERGOVERNMENTAL AFFAIRS

OF THE

COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

HOUSE OF REPRESENTATIVES

ONE HUNDRED FIFTEENTH CONGRESS

SECOND SESSION

JULY 18, 2018

Serial No. 115-92

Printed for the use of the Committee on Oversight and Government Reform

Available via the World Wide Web: http://www.fdsys.gov
http://oversight.house.gov

U.S. GOVERNMENT PUBLISHING OFFICE
31-369 PDF WASHINGTON: 2018

Committee on Oversight and Government Reform

Trey Gowdy, South Carolina, Chairman

John J. Duncan, Jr., Tennessee       Elijah E. Cummings, Maryland,
Darrell E. Issa, California            Ranking Minority Member
Jim Jordan, Ohio                     Carolyn B. Maloney, New York
Mark Sanford, South Carolina         Eleanor Holmes Norton, District of
Justin Amash, Michigan                 Columbia
Paul A. Gosar, Arizona               Wm. Lacy Clay, Missouri
Scott DesJarlais, Tennessee          Stephen F. Lynch, Massachusetts
Virginia Foxx, North Carolina        Jim Cooper, Tennessee
Thomas Massie, Kentucky              Gerald E. Connolly, Virginia
Mark Meadows, North Carolina         Robin L. Kelly, Illinois
Ron DeSantis, Florida                Brenda L. Lawrence, Michigan
Dennis A. Ross, Florida              Bonnie Watson Coleman, New Jersey
Mark Walker, North Carolina          Raja Krishnamoorthi, Illinois
Rod Blum, Iowa                       Jamie Raskin, Maryland
Jody B. Hice, Georgia                Jimmy Gomez, Maryland
Steve Russell, Oklahoma              Peter Welch, Vermont
Glenn Grothman, Wisconsin            Matt Cartwright, Pennsylvania
Will Hurd, Texas                     Mark DeSaulnier, California
Gary J. Palmer, Alabama              Stacey E. Plaskett, Virgin Islands
James Comer, Kentucky                John P. Sarbanes, Maryland
Paul Mitchell, Michigan
Greg Gianforte, Montana
Michael Cloud, Texas

Sheria Clarke, Staff Director
William McKenna, General Counsel
Kelsey Wall, Professional Staff Member
Katy Rother, Intergovernmental Affairs Subcommittee Staff Director
Sharon Casey, Deputy Chief Clerk
David Rapallo, Minority Staff Director

------

Subcommittee on Intergovernmental Affairs

Gary Palmer, Alabama, Chairman

Glenn Grothman, Wisconsin, Vice      Jamie Raskin, Maryland, Ranking
  Chair                                Minority Member
John J. Duncan, Jr., Tennessee       Mark DeSaulnier, California
Virginia Foxx, North Carolina        Matt Cartwright, Pennsylvania
Thomas Massie, Kentucky              Wm. Lacy Clay, Missouri
Mark Walker, North Carolina          (Vacancy)
Mark Sanford, South Carolina

C O N T E N T S

----------

Hearing held on July 18, 2018

WITNESSES

Mr. James ``Bo'' Reese, President, National Association of State Chief Information Officers; Chief Information Officer, Office of Management and Enterprise Services, State of Oklahoma
    Oral Statement
    Written Statement

Mr. John Riggi, Senior Advisor for Cybersecurity and Risk, American Hospital Association
    Oral Statement
    Written Statement

Mr. Robert Weissman, President, Public Citizen
    Oral Statement
    Written Statement

Mr. Christopher Feeney, Executive Vice President, Bank Policy Institute
    Oral Statement
    Written Statement

Mr. Oliver Sherouse, Policy Analytics Lead, Program for Economic Research on Regulation, Mercatus Center
    Oral Statement
    Written Statement

REGULATORY DIVERGENCE: FAILURE OF THE ADMINISTRATIVE STATE

----------

Wednesday, July 18, 2018

House of Representatives,
Subcommittee on Intergovernmental Affairs,
Committee on Oversight and Government Reform,
Washington, D.C.

The subcommittee met, pursuant to call, at 2:08 p.m., in Room 2154, Rayburn House Office Building, Hon. Gary J. Palmer [chairman of the subcommittee] presiding.

Present: Representatives Palmer and Raskin.

Mr. Palmer. The Subcommittee on Intergovernmental Affairs will come to order. Without objection, the presiding member is authorized to declare a recess at any time.

The Federal Government has long been associated with entrenched bureaucracy, separated by agencies and ignorant of the realities of the average American's life. Federal agencies impose regulatory requirements under a siloed organizational structure that is program by program, department by department, with very little interagency coordination.

This committee is well aware of the impact of Federal agencies' failure to coordinate between themselves and non-Federal stakeholders. For the last 8 years, the Government Accountability Office has issued an annual report on overlapping, duplicative, and otherwise wasteful Federal programs. And to date, addressing the problems that GAO highlights in these reports has saved over $175 billion. Addressing the remaining could save tens of billions of dollars more. And I might even argue, in some cases hundreds of billions of dollars more. In other words, the failure of Federal agencies to coordinate has wasted hundreds of billions of dollars of taxpayer money over the last decade.

But the impact of the failure of the administrative state doesn't stop there. The lack of interagency coordination has led to a steady accumulation of divergent regulatory mandates on States and the private sector.
Despite often seeking similar results, Federal agencies impose conflicting regulations that force the regulated entities, like State agencies and private sector businesses, to focus heavily on compliance rather than improved outcomes.

Although the panel comes from different sectors, missions, and backgrounds, there is remarkable consistency in their testimony about the burdensome effects of a divergent regulatory regime. Today Federal regulations touch nearly every aspect of daily life, and those regulations have become so complex that even the regulators can't agree what the requirements are or how to comply with them. As a result, these divergent regulations drastically increase the overall cost of the intended operations and deviate from the intended purpose of the regulations themselves.

According to the Competitive Enterprise Institute, Federal regulations cost the economy nearly $2 trillion annually. And what I like to point out, I have some colleagues who identify that as a hidden tax. It really isn't. At least a tax goes to build a road or a bridge or has some good purpose in many cases. A regulatory cost is just a hidden cost that weighs disproportionately heavily upon low-income families. I think that averages almost $15,000 per household.

Likewise, State governments also experience a drain on resources and State autonomy due to regulatory divergence. State officials from the National Association of State Chief Information Officers have shared multiple accounts with the committee on duplicative and inconsistent audit requirements imposing significant burdens on States without any substantive benefit. One State's chief information security officer reported that an audit of the same data security enterprise yielded inconsistent results across multiple Federal agencies. Unfortunately, this has become a regular feature of the State partnership with the Federal Government.
It is our duty to the American people to explore opportunities to harmonize our current regulatory standards. To do this, Federal agencies, along with State governments and the private sector, need to come together to develop means of communication and cooperation to mitigate future duplicative, inconsistent, and obsolete regulations.

We are fortunate today to have with us a panel that can help us better understand the challenges imposed by these Federal regulatory standards. I thank the witnesses for being here today. And at this point, I would like to yield to my friend and colleague from Maryland, the ranking member, Mr. Raskin, for his opening statement.

Mr. Raskin. Mr. Chairman, thank you. It's always a pleasure to be with you, Chairman Palmer.

I'm planning to surprise everyone by becoming the first American politician in history to defend regulation in its entirety: the notice and comment period, the hearing process, regulatory enforcement, the whole kit and caboodle.

Let's start with terminology. A regulation is just a fancy name for a rule, and we all live according to rules. Every family has rules, every household, every sport, every school, every road, every highway, every institution, every economy, every government, every nation, every corporation, every State, county, city, and town. And, indeed, Congress itself and every committee has rules. I get 5 minutes to do my opening presentation no matter how brilliant it is, not 6 minutes, not 4 minutes, but we've got a rule about it. The rule gives us a fair allotment of time and makes each of us free to use it. We will probably invoke dozens of rules as we go about our business in the House today.

But the rules targeted for criticism in this hearing are the rules that Federal agencies adopt to enforce the laws that we pass in Congress. The laws and the rules reflect the values of the people and implement our social priorities. Look at what agency rules do.
The Department of Labor's overtime rule says that hourly wage workers must be paid time and a half when their bosses ask them to work more than 40 hours a week. That's a rule which gives dignity and fairness to workers. The Federal Aviation Administration's 24-hour rule says passengers forced to cancel airline ticket reservations within 24 hours of purchase must get a full refund. Another FAA rule says that passengers who miss their flight must be given standby access if they arrive within 2 hours of the missed flight on the next flight.

A lot of Federal rules save human lives and protect public health. The National Highway Transportation Safety Administration's Gulbransen rule requires dramatically improved rear visibility in new cars, which is why so many people in this room and in our country have backup cameras on their dashboards now. Although President Bush signed it into law in 2008, the rule was unnecessarily delayed and went into effect in 2018. Named for 2-year-old Cameron Gulbransen, who was killed when a car accidentally backed up over him, this rule has already begun to significantly lower the number of deaths and injuries, roughly 250 deaths and more than 12,000 injuries a year that were occurring from accidents caused by vehicles in reverse. The rule compels use of a technology that had been available for a decade but was opposed by the auto industry, which tried to keep it as an optional luxury add-on item.

Everyone knows that the seatbelt rule has saved tens or even hundreds of thousands of lives since it was adopted in 1983 despite vehement protests that this was overregulation or hyper-regulation when it was first adopted.

Like these, most Federal rules are commonsense protections of vital freedoms that we cherish as Americans. Freedom from air pollution and water pollution. Freedom from dangerous consumer appliances. Freedom from workplace discrimination and exploitation. Freedom from predatory business practices and monopolies.
Moreover, rules have made our people freer and our country safer, healthier, cleaner, more just, more equitable, and more secure. Yet President Trump and my GOP colleagues in the House have made destroying government rules one of their top priorities, and they have made of deregulation a mindless political fetish. But they target only certain kinds of rules. The administration hates rules that get in the way of corporate power. They want to get rid of rules that restrict Wall Street and the finance industry. They want to scrap rules that enforce the Clean Water Act and the Clean Air Act and rules that restrict the freedom of polluters. They love other kinds of rules. They want rules that interfere with women's rights to make their own healthcare decisions and decisions about birth control and reproduction. Just this past May, the administration issued a gag rule that blocks recipients of Federal family planning funds from counseling or advising women about abortions, and also compelling expensive physical, financial, and programmatic segregation between units that provide such counseling and those that do not. They pile rule upon rule in the SNAP program to impose a kind of bureaucratic extremism which makes it impossible for people to access nutritional benefits that they need. So regulations, like statutes or ordinances or constitutions, are just forms of law. They can be good, they can be bad. They can be efficient, they can be inefficient, fair or not. But my colleagues invite us to believe that Federal regulation is, in general, categorically burdensome and costly. That's false, and we've got a way to show it. The Office of Management and Budget annually issues a congressionally mandated report that identifies the costs of government rules on the private sector and the estimated financial benefits produced for the American people. Every year this report shows objectively that the economic benefits of Federal rules far outweigh the cost. 
Quite shockingly, the administration tried to bury this year's report, releasing it 2 months late, almost certainly because its findings undercut everything the President has stated about government rules. The report found that last year Federal rules imposed around $5 billion in costs on businesses. At the same time, they resulted in more than $27 billion in benefits to the public. The regulatory benefits to taxpayers are more than five times the cost of these rules.

The costs of an America without any Federal rules are not hard to imagine, but they are impossible to accept. Cars without backup cameras or seatbelts. Peanut butter made in unsanitary conditions. Banks and hedge funds freed from rules of prudential lending. Coal mines that poison coal miners and collapse on human beings with impunity. Predatory payday lenders operating without a CFPB checking them. Out-of-control data breaches. And so on.

This deregulatory project in our economy and environment is risky and dangerous. We cannot risk American lives and our environment because the President wants to reward large campaign donors while using the regulatory bogeyman to try to destroy democratically chosen rules.

Let's think pragmatically and not ideologically. Let's remember that Federal rules are just America's rules. And when it comes to building a strong democracy, laissez isn't fair.

Thank you very much, Mr. Chairman.

Mr. Palmer. I thank the gentleman.

I'm pleased to introduce our witnesses. Mr. James ``Bo'' Reese, president of the National Association of State Chief Information Officers, and Chief Information Officer, Office of Management and Enterprise Services, State of Oklahoma. Mr. John Riggi, senior advisor for cybersecurity and risk for the American Hospital Association. Mr. Robert Weissman, president of Public Citizen. Mr. Christopher Feeney, executive vice president of the Bank Policy Institute. And Mr. Oliver Sherouse, policy analytics lead for the Program for Economic Research on Regulation at the Mercatus Center.

Welcome to you all.

Pursuant to committee rules, all witnesses will be sworn in before they testify. Please stand and raise your right hand.

Do you solemnly swear or affirm the testimony you're about to give is the truth, the whole truth, and nothing but the truth, so help you God?

The record will reflect that all witnesses answered in the affirmative.

Please be seated.

In order to allow time for discussion, please limit your testimony to 5 minutes. And your entire written statement will be made part of the record.

As a reminder, the clock in front of you shows the remaining time during your opening statement. The light will turn yellow when you have 30 seconds left and red when your time is up. Please also remember to press the button to turn your microphones on before speaking.

The chair now recognizes the gentleman, Mr. Reese, for 5 minutes.

WITNESS STATEMENTS

STATEMENT OF JAMES ``BO'' REESE

Mr. Reese. Thank you, Chairman Palmer and Ranking Member Raskin and members of the subcommittee. Thank you for inviting me to testify before you today on the burden of Federal regulations and their impact to State governments.

My name is Bo Reese, and I serve as the chief information officer, or CIO, for the State of Oklahoma. I also serve as the president of the National Association of State Chief Information Officers, or NASCIO. All 50 States and three territories are members of NASCIO, and we represent the interests of government-appointed State CIOs who acted as the top IT officials for State government.

Today I would like to provide the subcommittee an overview of how Federal regulations hamper the ability of State CIOs to offer effective and efficient technology and IT services.
I will also touch upon how the complex Federal regulatory environment is duplicative in nature, contributes to inconsistent Federal audits, and drives cybersecurity investments based on compliance and not risk, which is the more secure approach. State CIOs act as the technology and IT provider for State agencies. State agencies administer Federal programs, like Medicaid, SNAP, unemployment insurance, and in so doing exchange data with Federal agencies. Because of this intergovernmental relationship, Federal agencies impose rules on State agencies and all their requirements in audits which then flow to State CIOs who provide IT services to State agencies. Compliance with the multitude of Federal regulations is burdensome on States, especially those like Oklahoma that have consolidated or unified our IT service delivery. IT unification has resulted in $372 million in cost savings and avoidance for Oklahoma. Before IT unification, Oklahoma was supporting 129 email servers in State government, 76 different financial systems, 22 time and attendance systems, and 30 data center locations. After the 5-year IT unification process, we were able to reduce redundancies and leverage economies of scale, further enabling the hundreds of millions in savings and cost avoidance. The biggest hurdle we faced in achieving IT consolidation was compliance with Federal regulations. Our Federal agency partners are regulating the States not in a streamlined fashion, similar to the way we now operate, but in a siloed way that impedes our ability to operate effectively. States must comb through thousands of pages of Federal regulations to ensure that they are in compliance while administering Federal programs. And even though many Federal regulations are similar in nature, they each have minor differences, which then requires one-off adjustments for each Federal regulation. This obscures the goal of IT consolidation, which ultimately produces savings for taxpayers. 
We certainly understand the importance of regulations and are not advocating their wholesale elimination. The problem is not that there is regulation, but that Federal requirements are organized by Federal individual program and do not follow the industry-recommended approach, which would regulate cyber threats by their risk. The siloed Federal regulatory approach is carried forward in the Federal audit process. Audits are conducted program by program and not holistically. This means that my office responds to the same audit questions multiple times, again and again, year after year. For example, in Oklahoma, the IRS audited one State agency multiple times because it viewed different programs as distinct and separate entities. My office had to answer hundreds of questions, attend multiple audit meetings, and deliver additional explanatory material multiple times for one State agency. This wasteful and inefficient process is repeated time and time again across many different State agencies for each Federal regulatory entity, not to mention the fact that several auditors had different results even though they examined the same audit environment. A great example of this inefficiency is, in 2016, the State of Oklahoma performed 14 audits over 8 months on the same IT environment. In 2017, we had 11 audits that took us 7 months and all of our resources to perform. Ultimately, we believe that there is a more efficient and holistic way of ensuring data security and allowing States to implement IT consolidation plans that have proven to generate cost savings. We would like your assistance in getting Federal regulators to the table with the State CIOs so that we can harmonize regulatory environments and streamline the audit process together. To this end, NASCIO members have already started the process of identifying the differences with two major regulations. And I have a great example of what we've performed already today. 
The IRS Publication 1075 and the FBI-CJIS are the two that we compared. We hope to engage with our Federal partners further and appreciate the subcommittee's support in reducing the regulatory burden on States.

In closing, I would like to thank the subcommittee for the opportunity to testify on this important issue, and also like to express our gratitude to Chairman Gowdy for initiating the GAO study on the State impact of Federal regulations in October of last year.

I look forward to your questions, and thank you.

[Prepared statement of Mr. Reese follows:]

Mr. Palmer. I thank the gentleman.

The chair now recognizes Mr. Riggi for his testimony.

STATEMENT OF JOHN RIGGI

Mr. Riggi. Good afternoon. My name is John Riggi, and I appreciate the opportunity to testify on behalf of the American Hospital Association today.

Every day hospitals and health systems confront the daunting task of complying with a growing number of Federal regulations. While Federal regulation is necessary to ensure that healthcare patients receive safe, high quality care, in recent years, clinical staff--doctors, nurses, and caregivers--find themselves devoting more time to regulatory compliance, taking them away from patient care. Some of these rules do not improve care, and all of them raise costs.

Last fall, the AHA issued a report entitled ``Regulatory Overload,'' and I appreciate the opportunity today to discuss the findings. The major findings include that health systems, hospitals, and post-acute care providers must comply with 629 discrete regulatory requirements across nine domains. The four agencies that promulgated these requirements--the Centers for Medicare and Medicaid Services, CMS; the Office of the Inspector General, Office for Civil Rights, OIG OCR; and the Office of the National Coordinator for Health Information Technology, ONC--are the primary drivers of Federal regulation impacting these providers.
However, providers also are subject to regulation from other Federal and State entities which are not accounted for in this report. Health systems, hospitals, and post-acute care providers spend nearly $39 billion a year solely on the administrative activities related to regulatory compliance in the nine domains discussed in the report. An average-sized community hospital of 161 beds spends nearly $7.6 million annually on administrative activities to support compliance with the reviewed Federal regulations. That figure rises to $9 million for those hospitals with post-acute care beds. Nationally, this equates to $38.6 billion each year to comply with the administrative aspects of regulatory compliance in just these nine domains. Looked at in another way, regulatory burden costs $1,200 every time a patient is admitted to a hospital. An average-sized hospital dedicates 59 full-time equivalent employees to regulatory compliance, over one-quarter of which are doctors, nurses, and pulling clinical staff away from patient care responsibilities. The frequency and pace of regulatory change make compliance challenging and often results in duplication of efforts in substantial amounts of clinician time away from patient care. As new or updated regulations are issued, a provider must quickly mobilize clinical and nonclinical resources to decipher the regulations and then redesign, test, implement, and communicate new processes throughout the organization. Providers dedicate the largest proportion of resources to documenting conditions of participation, CoPs, adherence, billing and coverage verification processes. Meaningful use has spurred provider investment in IT systems, but exorbitant costs and ongoing interoperability issues remain. Quality reporting requirements are often duplicative and have inefficient reporting processes, particularly for providers participating in value-based purchasing models. 
Again, this creates inefficiency and consumes significant financial resources and clinician staff.

Fraud and abuse laws are outdated and have not evolved to support new models of care. The Stark Law and the Anti-Kickback Statute, AKS, can be impediments to transforming care delivery. While CMS has waived certain fraud and abuse laws for providers participating in various demonstration projects, those who receive a waiver generally cannot apply it beyond the specific demonstration or model. The lack of protections extending care innovations to other Medicare or Medicaid patients and commercially insured beneficiaries minimize efficiencies and cost savings realized through these types of models and demonstration projects.

A reduction in administrative burden would enable providers to focus on patients, not paperwork, and reinvest resources in improving care, improving health, and reducing costs.

We have several general recommendations to reduce administrative requirements without compromising patient outcomes:

Regulatory requirements should be better aligned and consistently applied within and across Federal agencies and programs and subject to routine review for effectiveness to ensure the benefit for the public good outweigh additional compliance burdens;

Regulators should provide clear, concise guidance and reasonable timelines for the implementation of new rules;

Conditions of participation should be evidence-based, aligned with other laws, industry standards, and flexible in order to support different patient populations and communities;

Federal agencies should accelerate the transition to automation of administrative transactions, such as prior authorization;

Meaningful use requirements should be streamlined and should be increasingly focused on interoperability and cybersecurity risk considerations without holding providers responsible for the action of others;

Quality reporting requirements should be thoroughly evaluated across all programs to better determine what measures provide meaningful and actionable information for patients and providers and regulators;

Post-acute care rules should be reviewed and simplified to remove or update antiquated, redundant, and unnecessary rules;

With new delivery system and payment reforms emerging, Congress, CMS, and the OIG should revisit the Stark Law and AKS to ensure that statutes provide the flexibility necessary to support the provision of high quality care.

Thank you for the opportunity to provide an overview of AHA's view on regulatory burden. We appreciate the committee's focus on this topic. And I look forward to your questions.

[Prepared statement of Mr. Riggi follows:]

Mr. Palmer. I thank the gentleman.

The chair now recognizes Mr. Weissman for his testimony.

STATEMENT OF ROBERT WEISSMAN

Mr. Weissman. Mr. Palmer and Mr. Raskin, thank you very much for the opportunity to speak today. I wanted to make three general points and, assuming I talk fast enough, add a footnote in.

The American regulatory system has made our country stronger, better, safer, cleaner, healthier, more fair, and more just. It's something we should be celebrating, trying to improve, but not attacking with evidence-free allegations.

As Mr. Raskin pointed out, the benefits of regulation, Federal regulation, even monetized and corporate-friendly accounting systems, vastly exceed the costs. We know that because of the OMB reviews of the costs and benefits of significant regulations issued each year. Every single year since the agency started conducting that study in 2001, benefits have vastly exceeded costs at minimum of a range of 2 to 1 and typically up to 12 to 1.

Critics of regulation too often focus on costs to the exclusion of talking about the benefits. No agency adopts a rule for the simple purpose of imposing costs. There's always a rationale and reason, and the benefits have to be taken into account.
The $2 trillion figure that is routinely cited is not based on careful analysis, as my testimony describes in some detail. It's worth focusing also for a moment on the American Hospital Association study, which fell into this same problem of focusing exclusively on the cost of regulation without talking about the benefit. It acknowledges that there may be some patient benefits, but doesn't actually try to monetize those costs. The study does not show that there are duplicative regulations. The study does not acknowledge the benefits in monetary terms to patients. The study does not disclose its methodology or how its survey was calculated. So there's every reason to assume that the cost estimates are inflated. Most importantly, what the study fails to do is acknowledge why it is that the government imposes a host of regulations on the healthcare sector. It's primarily to deal with two overarching problems: poor quality of care and massive fraud. 250,000 people die every single year in this country from medical malpractice, making it the third highest single cause of death in this country. By any metric, we perform at often the worst of all rich countries in quality of care. Quality of care regulations are aimed at trying to improve that situation. Fraud consumes 3 to 10 percent of all healthcare spending in the United States, according to the FBI. At the low end, $80 billion a year. Those regulations are designed to cut down on rampant fraud. They have a purpose. They are inadequate. They're obviously not doing the job. It would be much worse off if those rules, by and large, were not in place. The second point I wanted to make was about the issue of regulatory duplication. I think it is the case that much of what's complained about in the area of duplication is really a disguised complaint about regulation itself. That said, there are obviously, in a complicated bureaucracy, in a complicated economy, overlapping rules and regulations and massive regulatory gaps. 
So for sure better coordination is desirable. It doesn't really make sense to blame that problem on the administrative state, though.

Let's talk for a moment about cybersecurity. It is the case that there are massive gaps in cybersecurity and privacy protections in this country. That's because there is no overarching American cybersecurity framework or privacy protection law. We absolutely need that. I detail some components of what would be desirable in such a framework. That may not cure all the problems that are being discussed today by area specialists, but it would for sure deal with many of them.

The third thing I wanted to highlight is that, although there has been a very partisan discussion about regulation in the Congress for now going on almost a decade, there is a shared agenda that's available if members are eager to pick it up. I think the key elements of reform packages that would have bipartisan support would focus on transparency, limiting regulatory delay, enhancing regulatory enforcement without regard to adopting new rules but making sure everyone plays by the same rules, and focusing on the revolving door of people leaving from regulatory agencies and going into regulated industry, and back and forth.

Finally, my footnote. Yesterday my organization, along with 100 other organizations, petitioned OSHA to adopt a heat standard to protect indoor and outdoor workers from extreme heat. More than 1,000 people die every year in this country from extreme heat. Many of them are workers, especially agricultural workers. Supporting our petition was Raudel Felix Garcia, the brother of Audon Felix Garcia, a California farmworker who died from excessive heat in the fields. Raudel told the story of his brother's death yesterday in a teleconference we had in wrenching detail and pleaded with Federal regulators to take steps to make sure that no one else died such a needless death.
It was a crucial reminder both in that particular area, but more generally, that life and death is at stake in regulation, that real people are affected and protected and need strong regulatory protections. And I hope this Congress can ensure that that is delivered to them. Thank you very much.
[Prepared statement of Mr. Weissman follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Palmer. I thank the gentleman. The chair now recognizes Mr. Feeney for his testimony.
STATEMENT OF CHRISTOPHER FEENEY
Mr. Feeney. Chairman Palmer, Ranking Member Raskin, and members of the subcommittee, thank you for inviting me to testify today. My name is Chris Feeney. I'm the executive vice president of the Bank Policy Institute and president of our Technology Policy Division, BITS. Cybersecurity is a top-of-mind issue for every one of our CEOs, and the industry has been and remains committed to making the investments necessary to protect our critical infrastructure broadly. We embrace the trust that our customers confer in us and take the job of protecting customers and their data seriously, including valuing their privacy. Our industry is heavily regulated. In the U.S. alone, we have 9 independent Federal regulators, 3 self-regulatory organizations, and 50 State banking, securities, and insurance agencies. Regulations include extensive cybersecurity oversight and comprehensive data protection standards, such as those in the 1999 Gramm-Leach-Bliley Act. The cybersecurity requirements across the industry are very diverse in terms of size, type of business, and geographic footprint. Yet we have validated that over 80 percent of the cyber issuances are common across all regulators. For the financial sector, it becomes a tangible problem when those tasked with creating cybersecurity rules approach regulations with their own variations, addressing the same cyber requirements with different approaches and language.
To analogize this, think of the impact on your safety if air traffic controllers didn't use English as a common language and instead pilots were required to use their native language for every airspace they pass through. This would be challenging at best, require extensive training, and introduce unneeded risk. This is the dilemma we face today with variations on cyber standards, requirements, and expectations without any appreciable benefit to security. These requirements lead to misuse of scarce cybersecurity experts' time, taking them away from protecting our technology and the customers who count on us daily to access ATMs, to write checks, and to pay mortgages. When a chief information security officer at one of our largest firms estimates that 40 percent of their time is spent trying to unravel the web of cybersecurity regulation rather than focusing on protecting systems, that's a serious problem. We face similar complexity in the area of data breach, which has no uniform standard, and we are seemingly entering into a complex environment of conflicting requirements related to privacy as regulation develops around international requirements, emerging State requirements, and potentially local requirements, such as those being discussed in Chicago. For technology and cybersecurity experts, consistency, repeatability, and improved security require a common technical and operating architecture, a common language, and a common framework to achieve the highest degree of protection. In a 2017 Financial Stability Board publication, U.S. member agencies self-reported that 10 different Federal schemes of cyber regulation were in place and that 43 different publicly available cybersecurity issuances were about to be offered. We want to be clear. The financial industry supports the need for cyber regulation and the industry's multi-billion-dollar investments here to improve our capabilities and satisfy our regulations.
These investments have contributed to developing the highest standards for cybersecurity, data security, and customer expectation. Individually these regulations have merit. However, when one regulation is laid over another and another, it saps both the time and focus from executive leadership and those whose time and job it is to defend and operate our businesses. And more specifically, firms are already burdened by a shortfall of skilled cyber professionals and they must take resources away from protecting their platforms to interpret the language of divergent regulation. Ultimately, we hold ourselves accountable for protecting customers, our systems, and for compliance with the regulatory process. You might be surprised to hear me say that the solution is not fewer regulations but instead rationalized and harmonized regulation around a common approach and a shared language. BITS and our industry partners have developed a model cyber framework. The foundation of this effort centers on the NIST Cybersecurity Framework which is used across multiple industries, Federal and State government, and with support from both the Obama and the Trump administration. The financial sector used this standard to develop a sector profile. And importantly, we developed a solution by working with our regulators, gathering their input, incorporating their diagnostic statements, and tailoring the solution so that we don't force a one-size-fits-all approach to managing cyber risk. There are clear benefits of this approach for the regulatory agencies, such as examinations that can be tailored to institutional complexity, and for financial firms, such as optimizing the use of cybersecurity professionals' time and also enabling more effective use of fintech innovators who can meet requirements and expectations more efficiently. 
Congress has been vocal in encouraging regulators to pause any additional cyber regulation, and we ask that Congress now support and encourage the use of the sector profile. In the spirit of this committee's broad remit, we also ask that Congress work to develop uniform Federal standards for data breach notification and a common privacy standard before we enter into a 50-State and 50-variation environment similar to what we face today in cyber. We must ensure these issues do not fall prey to jurisdictional battles, and we need to work together to maintain the cyber integrity of the U.S. financial system. Thank you, Mr. Chairman, and I look forward to your questions.
[Prepared statement of Mr. Feeney follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Palmer. I thank the gentleman. The chair now recognizes Mr. Sherouse.
STATEMENT OF OLIVER SHEROUSE
Mr. Sherouse. Chairman Palmer, Ranking Member Raskin, and members of the subcommittee, thank you for the chance to speak to you today about the important and often overlooked problem of duplicative regulations and regulatory standards. My testimony today will focus on one cause of regulatory duplication, the incomprehensible scale of the administrative state. And I will also present two ways my colleagues and I are working to reduce that problem. First, through the application of text analysis and machine learning in our QuantGov project; and second by developing an open, machine-readable, and data-first standard for rulemaking documents called XRRL. Now, my job is policy analytics, and what that means is that I teach computers to read policy documents, and especially regulation. We have to use computers because the administrative state has grown to an incomprehensible size. And I mean that literally. There are simply too many rules for any one person to understand. So using text analysis and machine learning, my colleagues and I have created a dataset called RegData to quantify Federal regulation.
Now, RegData tells us that today there are more than 103 million words in the Code of Federal Regulations, including 1.08 million individual regulatory restrictions, so that's words and phrases like ``shall'' and ``must'' that indicate a particular mandated or prohibited activity. That means that if you were to read the Code as your full-time job, it would take you 3 years, 111 days, and a bit past lunchtime the next day. By the time you'd finished, of course, you would need to immediately start figuring out what had changed since you started. And that's no easy task since the Code increases by an average of more than 1.4 million words every year. So since reading the Code is impossible, data tools like those we have produced for the QuantGov project can help us begin to make better sense of the administrative state. RegData, in fact, does more than count total words and restrictions. It attributes them to the individual agencies that write them and predicts which industries will be affected by them. All of our data is freely available, and our website features a daily updated interactive tracker of Federal regulation which users can break down by industry and by agency. And we do the same thing for regulation currently being developed with our RegPulse dataset, which examines rules as they are published in the Federal Register. And as with RegData, we have built a daily updated interactive tool that allows users to see which industries have more or fewer relevant rules coming into effect over the next several years and what those rules are. With QuantGov we are producing these kinds of data and interactive tools for a growing set of jurisdictions and policy documents. The software we used to produce QuantGov is also open source and freely available for anyone to use or build on. For a more comprehensive understanding of the administrative state, however, we should reexamine the medium by which regulations are made.
The current process is made for paper, paper rules and analyses published in a paper Federal Register and compiled into a paper Code of Federal regulations. Even the electronic versions of these documents essentially mimic the paper-based system in use since the Administrative Procedure Act of 1946. Seventy years later, it is time for an upgrade to an open, machine-readable, and data-first standard format for regulatory documents. A standard format could liberate the information that's currently trapped in pretty dense prose about who regulations will affect and how and transform that information into accessible data. That data can be used by Congress to ensure effective oversight. It can be used by regulators to avoid duplication across agencies and potentially even across jurisdictions. It could facilitate the review of regulatory programs to fix those that are broken and to recognize those that are successful. And it can be used by businesses and individuals to ensure that they know what the law is and how to follow it. My colleagues and I are currently developing such a standard, the eXtensible Regulatory Reporting Language, or XRRL. Our role with this project is to build an open and nonproprietary standard incorporating insights from the academy, government, and industry that can be adapted to any level of government, including the U.S. Federal Government. So in conclusion, duplication in regulation is a side effect of an administrative state grown too large to manage effectively, and tools like the ones we have built with QuantGov are a step towards making an incomprehensible collection of rules somewhat less so. But the implementation of an open, data-first standard format, such as XRRL for rulemaking, would be an even more powerful way to render the administrative state more manageable while also providing benefits to both those writing rules and those subject to them. 
I thank you again for the opportunity to testify, and I look forward to answering your questions.
[Prepared statement of Mr. Sherouse follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Palmer. I thank the gentleman for his testimony. I think we'll go ahead and begin with our questions. We anticipate that they will call votes at any time. In the event that occurs, I will order a recess and reconvene. And I normally, as chairman, wait until other members have asked their questions. And being that there is only one, I am at this point going to yield to the ranking member, Mr. Raskin, for questions.
Mr. Raskin. Mr. Chairman, you're a true gentleman. Thank you very much for doing that. Mr. Reese, let me start with you. I was very interested in your testimony. And thanks for coming all the way from Oklahoma. One of the things that cheered me about it was that you were not engaged in any kind of broadbrush attack on regulation. You were giving very specific examples of conflicts that just make your life difficult. The specific example that you raised in your testimony, or at least your written testimony, was if you're handling sensitive data in the State, like Social Security data, IRS data, how many unsuccessful attempts of somebody trying to get into the computer must there be before you're required to shut it down and to close people out? And you sort of set up a little graph where you showed that the IRS requirement was, if there are three attempts, I think the one from DOJ was perhaps no more than five attempts, and the Social Security agency was a recommendation of no less than three, no more than five. Okay. And I did the little SAT question analysis and figured, okay, well, you could just set it at three. You would meet the IRS. You would also meet Department of Justice, because it would be not more than five. And the third one was just a recommendation. So it's not that big a deal.
On the other hand, why should it be so difficult for the Federal Government on something like that to come up with one governing principle? And I wonder if you've attempted to get the relevant agencies to come around on one coordinated, harmonized approach on that.
Mr. Reese. Thank you, Ranking Member Raskin, for your question. So absolutely that is our goal. Our goal is seeking that partnership with our Federal partners. And, again, as a State agency, I absolutely view our Federal agencies as partners. We are all trying to do the same thing, and that is best use our citizen tax dollars to serve the needs of the citizens. And so our goal in making sure that we are being fiscally responsible is where we get into challenges like this where we've got multiple different regulations that are imposed upon us and trying to find, in some cases, the most restrictive that applies. And, of course, in the example we talk about IRS and SSA and FBI.
Mr. Raskin. Did you do anything to see if they would coordinate or harmonize?
Mr. Reese. So working through NASCIO, our national association, we have significant outreach where we come together and have had several opportunities now to come together with the SSA and the FBI and the IRS who come speak to us. In fact, our last meeting that we had here in Washington at the Hall of States, I believe we actually had in excess of, I think, 40 CIOs from other States that participated, if not all. And those entities came and they spoke to us. And we actually get to talk about it. And they're there to answer our questions. And so there's outreach. There's ongoing opportunities. But in typical State and government fashion, it's slow going. We're seeking support to continue those actions.
Mr. Raskin. Gotcha. Let me quickly come to you, Mr. Feeney. You mentioned NIST, which is actually in my district, so that piqued my curiosity, and I was thinking like an example that Mr. Reese gave.
Does NIST or can NIST play a role in just harmonizing and reconciling these things? It doesn't strike me as a really big deal except that we've got a big country with a lot of States, we have a lot of Federal agencies, and somebody needs to pull it together. But does NIST play that function?
Mr. Feeney. NIST doesn't play that function exactly. But we coordinate and partner with NIST quite actively. So we took the NIST framework, which was a standard that had multi-stakeholder input, and we actually designed it specifically for the financial industry with NIST's both endorsement. And also NIST held two large conferences for us with the industry, with regulators and member firms, to really help develop that. So they've been supportive of the work we're doing. They actually like it. They'd like to use it as a model for some other industries. And we are actively working with them. We added two components to the NIST framework, because we thought they were very important to surface actively. One is governance and the second is third-party or dependency management. So we also have taken the NIST framework and extended it for the attributes of our industry, so we're working very collaboratively with them.
Mr. Raskin. Thank you much. Mr. Weissman, let me come to you. There have been some good points raised on specific issues like this on the need for harmonization and reconciliation of different Federal mandates for the States. How can we distinguish those kinds of criticisms or points from a broadbrush attack on regulation itself and the system of rulemaking?
Mr. Weissman. Well, I think, as you're pointing out, these are pretty particular issues. And it's not obvious that they broadly say anything about the administrative state. I think in the cyber area the big problem is that there is no overarching legal framework. And although the executive could come up with one, Congress has actually failed on this. We do have a crying need for, as Mr. Feeney was saying, really for an overarching cyber protection framework as well as a privacy protection one. I agree with much of what he said. I disagree with his idea that we should preempt State law. I think it would be very important to protect overall for States in this. But there does need to be a unified approach on that. Beyond that, I'm not sure there is a massive problem of coordination. There may be issues in particular sectors. In many cases, the downside of lack of coordination is insufficient regulation rather than too much regulation.
Mr. Raskin. Thank you. I yield back, Mr. Chairman.
Mr. Palmer. I thank the gentleman. I now recognize myself for questions. Mr. Reese, how does having to comply with disparate Federal regulations impact the States? What kind of burden does that impose on the States?
Mr. Reese. So as you can imagine, in most areas of State government we have to be very cautious with the money that we have and how we spend it and what we do with it. And the challenge that we have is with these resources that we have to dedicate to compliance and in cybersecurity. We're finding that we're having to put, as someone else here, I believe, pointed out, we know that about 40 percent of our resources within our compliance in cybersecurity are being utilized to our Federal compliance where, again, we're all for Federal compliance. We absolutely want to be following the laws because we need structure. But our challenge is, is that we're having to spend so much time and so much duplicative time because of the multiple audits, again, when we're having the same audits over and over again. And the fact that there's some differences that we have to go out and try to map as we had showed before, we've got to determine what the least common denominator is across those, the time constraints are just enormous. The amount of time that we spend, the thousands of hours we know.
We spoke with some of our other States, and we were able to log that in a single year Oklahoma spent over 10,000 hours in regulatory compliance, Maine spent over 11,000 hours, and Kansas over 14,000 hours just in our compliance and audits. Colorado itself had nearly 3,000 hours. And so all of that is time and resources. And those resources, especially in days like we have today with cybersecurity being really a number one challenge for all of us, we'd rather be spending our time and efforts updating legacy systems and trying to enhance our security posture rather than trying to meet some of these, in many cases, outdated regulatory compliances.
Mr. Palmer. I ran a State-based think tank for 24 years and worked very closely with State legislators and administration officials across, I think, four or five governors. And I am very aware of the cost imposed on the States and the inefficiencies from duplicate regulations, obsolete regulations, extremely overly complex regulations. It wasn't that the States weren't interested in complying. It was in many cases they didn't know what complying meant. And we spent an enormous amount of money. Mr. Riggi, it's interesting, in your testimony you talk about what's going on in healthcare and how the patient-physician relationship is impacted by overregulation. One example, that would be ICD 10, where basically you've got doctors that are compromising time with patients--or their time with patients is compromised because now they've become data entry people. Would you like to comment on that?
Mr. Riggi. Well, again--well, first, I'd just also like to clarify for the record that the AHA does understand the necessity of regulations to provide safety and high quality care for patients. Again, the implementation of ICD 10 does require a significant amount of physician time. And I think for us to make sure we give you the most accurate response, it would be better for me to provide you a written response on that one, sir.
Mr. Palmer. That would be fine with me. I introduced a bill to postpone the implementation of ICD 10 primarily because I grew up in a rural area. I grew up dirt poor basically in a house that had cardboard between the two by fours. And at the time I grew up, we did have a little doctor in a town that didn't even have a traffic light. You won't find that anymore. And one of the things that I saw happening with ICD 10 was--and even made rural healthcare even harder to provide, literally, doctors were selling their practices or they were just flat out retiring, shutting the door. And that's an example of how overregulating can have a very negative impact, particularly in these rural healthcare settings where they're already undercapitalized. It's also impacted wait times, and like I said, the amount of time that a doctor's able to spend with a patient. And if you want to see what overregulation of a healthcare system looks like, take a look at Canada. The Fraser Institute published a report, the Huffington Post commented on this, that showed that between 1993 and 2009 there were between 25,000 and 63,000 women died on waiting lists waiting for treatment. The wait times have increased that much. They just called votes. I'm going to go ahead and ask a couple other questions here before we recess. But I want to go back to Mr. Reese and ask you, how do the Federal regulations keep pace with the evolving technology in the business models across State governments?
Mr. Reese. They do not.
Mr. Palmer. That is what I thought you'd say.
Mr. Reese. Our challenge is we find ourselves in a lot of cases when we're dealing with our regulatory compliance, we're actually dealing with third-party auditors. And the third-party auditors are coming in and doing different audits, getting different results on the same regulations, on the same systems. And the technologies that they're auditing us on are not consistent.
Their understanding of the technologies are not consistent with the technologies that we're using today. And in some cases, they're limiting our ability to use what we believe would be more cost-effective, efficient, and possibly even more secure technologies because we can't check the box with the auditor. So we have to go back and spend more money, using older technologies, costing the State more dollars, than if we could actually make good business decisions. And a lot of this has to do with that those Federal regulations need to be able to keep up. We need to figure out how we can harmonize and be involved in those discussions and decisions, and how we can do it quicker so that we can keep up with the evolving technology. But your point is absolutely spot on.
Mr. Palmer. What I found, again, working with the think tank, is that the people who are responsible for regulating are not people who are trying to mess things up. They're trying to do a good job. But they're as frustrated as everybody else because you call one regulator and get an answer, and 2 or 3 weeks later you call another regulator and you get a different answer. And it's frustrating them, because they want to do a good job. Mr. Feeney, I'm going to ask this question, then we're going to take a recess to go vote. How much does it cost the financial institutions to apply with disparate regulations? And I'm interested in this because this additional cost gets passed on to the consumers, and I think it has a disproportionate impact on older customers and lower-income customers.
Mr. Feeney. Right. So I can't speak to the specific aspect of that. I can tell you in 2016 the industry spent $9.5 billion on regulation, $1.5 billion of that was spent by the largest firms.
Mr. Palmer. Wait a minute. Wait a minute. According to the report that Mr. Raskin said came from OMB, I think you said that the regulatory cost was only $5 billion, but you say the regulatory cost on the financial institution was $9 billion?
Mr. Feeney. I think quite a bit in the industry, across the industry, and that was a single-year review.
Mr. Palmer. Thank you.
Mr. Feeney. The challenge is more, and I think Mr. Reese had referenced it, is that our industry, they are trying to keep up with the changes in technology, but you can't. It's just too fast paced, too hard. We were able to use that sector profile, for instance, and take the question set down to about 400 from thousands. And what that does is provide you some latitude in simplifying the diagnostic statements that auditors or examiners would use. And there are ways to actually apply these types of tools to help the regulators, help the industries, I say that plurally, to really minimize the cost. And I think there are a number of things we can do in that arena.
Mr. Palmer. Okay. Hold on. I'm going to suspend for just a minute.
Mr. Raskin. Mr. Chairman, with your permission, I'd like to submit for the record the OMB report from which I drew the figure, about $4.9 billion. Thanks.
Mr. Palmer. Okay. This is going to be a long vote series, so in consultation with the ranking member, what I'm going to do is I'm just going to make a couple other points here. Any additional questions will be submitted in writing. Because one thing that the ranking member and I do have a constitutional responsibility to do, and that is vote, and a political responsibility as well. I do want to make some points that were in the OMB report, and these are quotes from the report, that it was a perspective analysis that they say may overestimate or underestimate both benefits and costs. Retrospective analysis can be important as a collective mechanism. And that this was not an actual analysis of actual cost and benefits and that it only applied to about 1.6 percent of all the regulations.
So I tend to be somewhat dismissive of the OMB report, because my experience, again, working with the think tanks and being focused on trying to come up with sensible regulations. This idea that those of us on the Republican side of the aisle are for getting rid of all the regulations is just political nonsense. What we want are sensible regulations. Regulations have improved the quality of life in our country. They've protected consumers. They've in some respects protected the relationship between the State and Federal Government. What we want to do is get rid of the obsolete, the duplications, and the contradictions, and get it down to regulations that businesses can comply with, that they understand. And one of the reasons that this is important is that in I think it was 2014--2015--the Gallup organization put out a report entitled basically--I think that the working title was ``Is Entrepreneurism Dead in America?'' Prior to 2008, according to the Gallup study, there were 100,000 more businesses that started up than closed. But by 2014, there was 70,000 more businesses closed than started up. And according to the report, the primary reason for that was regulations. I've tried to point out to people that businesses are not anti-regulation. They're anti-uncertainty. They're anti-complexity. And what we want to try to do in working to reform regulations is as much as possible reduce the uncertainty and the complexity, so that some person who has some capital to invest can make a sensible investment, whether it's starting a business or expanding a business or hiring more people. With that, if there are no further questions--let me find my script. Okay. The ranking member would like to make a closing comment. I yield to him.
Mr. Raskin. Mr. Chairman, thank you very much.
And I want to just start my closing statement by saying how much I agreed with what you just said, that we're not opposed to rules which have, indeed, advanced the public interest, but obsolete rules or duplicate rules or contradictory rules, and I think we can all agree to that. You know, nobody is in love with regulation, and the biggest tax is on people's time. And that might be one thing for big businesses, which often support a lot of regulation, but for small businesses it's very tough. But I think about the 2010 BP oil spill, which was one of the worst environmental catastrophes in our history, which caused 11 deaths, immediately the deaths of more than a million coastal seabirds and other animals, and 5 million barrels of oil poisoning the whole Gulf of Mexico ecosystem. That was a failure of regulatory enforcement just like the same year the collapse of the coal mines in Mexico, which led to dozens of deaths and a real calamity in that country. So we need regulation. We need strong regulation. But I agree with you, we should be doing whatever we can to get rid of the duplicative, unnecessary, and obsolete regulation. I yield back, Mr. Chairman.
Mr. Palmer. I thank the gentleman. I thank our witnesses again for appearing before us today. The hearing record will remain open for 2 weeks for any member to submit a written opening statement or questions for the record. If there is no further business, without objection, the subcommittee stands adjourned.
[Whereupon, at 3:08 p.m., the subcommittee was adjourned.]