March 25, 1999

Secretary
Federal Trade Commission
Room H-159
600 Pennsylvania Avenue, NW
Washington, DC 20580

Dear Mr. Secretary:

Enclosed please find an original and five copies of comments from the American Institute of Certified Public Accountants (AICPA), in the above referenced docket.

Respectively submitted,

AICPA

[SIGNED]
Barry C. Melancon, CPA
President and CEO

These comments are submitted on behalf of the American Institute of Certified Public Accountants, the ISO 9001 certified national professional organization of CPAs in the United States with more than 330,000 members in public practice, business and industry, government and education.

Comments

The American Institute of Certified Public Accountants (AICPA) applauds the efforts of the Federal Trade Commission (FTC) to address consumer confidence and trust issues in the evolving area of electronic commerce. By pursuing cases of fraud on the Internet and holding open hearings to solicit input on how to promote confidence in this new and important business medium, the FTC is helping to ensure that global electronic commerce brings the many benefits it promises to businesses and consumers around the world.

Global electronic commerce requires consumer confidence and trust in order to thrive. Consumers engaging in commerce over the Internet need to have assurance before they purchase a good or service online that the website they are conducting business with is reputable, reliable and trustworthy. The best methods of promoting these goals are full and fair disclosure by the business so the public can make informed buying decisions. The remote nature of electronic commerce creates a need for an independent third party to provide assurance to consumers and businesses alike.

AICPA believes that the private sector has a preeminent role to play in assuring consumer confidence and trust. But companies have to do more than just post their policies on their websites in order to earn consumers’ trust. How can the general public believe what is stated on a website, especially if it is not based in the country from which a transaction is initiated?

In response to these fears and concerns and to increase consumer confidence in the new electronic marketplace, the public accounting profession has developed and is promoting a set of principles and criteria for business-to-consumer electronic commerce, referred to as the WebTrust^SM Principles and Criteria , and the related WebTrust seal of assurance, also referred to as CPA WebTrust^SM. The WebTrust Principles and Criteria are intended to address user needs and concerns and are designed to benefit users and providers of electronic commerce services. A copy of the Principles and Criteria are attached to this letter for your review.

Public accounting firms and CPAs, who have a WebTrust business license from the AICPA, can provide assurance services to evaluate and test whether a particular Web site meets these principles and criteria. The WebTrust seal of assurance is a symbolic representation of a CPA’s unqualified report. It also indicates to customers that they need to click to see the practitioner’s report. This seal can be displayed on the entity’s Web site together with links to the practitioner’s report and other relevant information.

In addition, the AICPA has recently expanded the WebTrust program to include the public accounting profession represented by the Canadian Institute of Chartered Accountants, the Institute of Chartered Accountants in England and Wales, the Institute of Chartered Accountants in Scotland and the Institute of Chartered Accountants of Scotland. We expect that the WebTrust program will be expanding into several other countries in Europe and in Australia and New Zealand by mid April 1999.

CPAs are in the business of providing assurance services, the most publicly recognized of which is the audit of financial statements. CPA’s have been providing independent assurance related to the reliability of management assertions over financial reporting for decades. We believe our role in the U.S. capital markets has helped make them the envy of the world. This role is an excellent example of a public/private sector partnership that lets an informed market make better business decisions. Further, an audit opinion signed by a CPA is valued because these professionals are experienced in assurance matters and financial accounting subject matter and are recognized for their independence, integrity, discretion, and objectivity. CPAs also follow comprehensive ethics rules and professional standards in providing their services.

However, financial statement assurance is only one of the many types of assurance services that can be provided by a CPA. CPAs also provide assurance about internal controls and compliance with specified criteria. The business and professional experience, subject matter expertise (electronic commerce information systems security, auditability, and control) and professional characteristics (independence, integrity, discretion, and objectivity) needed for such projects are the same key elements that enable a CPA to comprehensively and objectively assess the risks, controls, and business disclosures associated with electronic commerce.

WebTrust is implemented by CPAs who are specially trained and licensed to issue the WebTrust seal. Because accountants are known for their independence, integrity and competency, the WebTrust seal offers assurance to businesses and consumers that "what you see is what you get".

The WebTrust seal verifies that a website can be trusted based on a thorough review and testing of its:

1) Business Practices and Disclosures: Electronic commerce often involves transactions between strangers. Appearances can be deceiving. How can a consumer know whether an entity that presents a well-constructed Web page will really fill its orders for goods and services as it claims? How can a consumer know whether the entity will allow the return of goods, or whether there are product warranties? The anonymity of electronic commerce and the ease with which the unscrupulous can establish – and abandon – electronic identities make it crucial that people know that those entities with which they are doing business disclose and follow certain business practices. Without such useful information and the assurance that the entity has a history of following such practices, consumers could face an increased risk of loss, fraud, inconvenience, or unsatisfied expectations.

 

2) Transaction Integrity: Without proper internal controls, electronic transactions and documents can be easily changed, lost, duplicated and incorrectly processed. These attributes may cause the integrity of electronic transactions and documents to be questioned, causing disputes regarding the terms of a transaction and the related billing. Potential participants in electronic commerce need assurance that the entity has effective transaction integrity controls and a history of processing its transactions accurately, completely, and promptly, and of billing its customers in accordance with agreed-upon terms.

3) Information Protection and Privacy: It is important for consumers to have confidence that they have reached a properly identified Web site and that the entity takes appropriate steps to protect private customer information. Although it is relatively easy to establish a website on the Internet, the underlying technology can be complex and can entail a multitude of information protection and related security issues. The confidentiality of sensitive information transmitted over the Internet can be compromised. For example, without the use of basic encryption techniques, consumer credit card numbers can be intercepted and stolen during transmission. Without appropriate firewalls and other security practices, private customer information residing on an entity’s electronic commerce computer system can be intentionally or unintentionally provided to third parties not related to the entity’s business. Security breaches may also include unauthorized access to corporate networks, Internet/Web servers, and even access to the consumer’s Internet connection (for example, his or her home computer). Potential participants in electronic commerce need assurance that the entity has effective information protection controls and a history of protecting private customer information.

If a consumer has a problem with a WebTrust site, there are remedial actions that can be taken. AICPA is in the process of developing a third party mediation program to which the users of the seal will agree to abide. These changes will position WebTrust with European Union directives related to privacy and electronic commerce. Should this new third party remediation program not prove satisfactory to a consumer and it is felt that the website has acted in a fraudulent manner based on its representations, there already exists well-developed consumer protection laws in the U.S. and many other countries for the consumer to pursue legal recourse through the courts.

AICPA’s is one of many private sector initiatives seeking to address consumer confidence issues. We believe strongly that the FTC and other government bodies should continue to monitor consumer confidence and trust issues while supporting efforts by the private sector to develop tools such as WebTrust. Through consumer education, government monitoring, and private sector initiatives, consumer confidence and trust in global electronic commerce will continue to mature.

It is AICPA’s hope that through its hearings in June 1999, the FTC will focus on the available private sector-developed tools to protect consumers online in addition to regulatory or legislative solutions. Just as we have developed an extensive and comprehensive means to assure the financial integrity of the nation’s and the world’s businesses, the AICPA and its over 330,000 members are ready to apply its skills and public trust to assuring that consumers feel safe to conduct their business online.

As the FTC moves forward in its exploration of online consumer confidence and trust issues, AICPA encourages the Commission to focus on the following questions:

1) What are the key assurances that consumers require in order to have confidence in online transactions?

2) How can mediation systems address the concerns of consumers without being overly burdensome on either party?

3) How can a consumer be assured that trust seals or similar tools are accurate and up to date?

 

4) How can consumer confidence tools function in an international market?

Please find attached, for your further information, a list of frequently asked questions about the CPA WebTrust program and a chart that highlights the key differences between CPA WebTrust and other seal programs currently offered in the marketplace.

We look forward to the opportunity to discuss CPA WebTrust with you further.