Appendix C

CBSV Addendum C.doc

Consent-Based Social Security Number Verification Service (CBSV), 20 CFR 401.100


OMB: 0960-0760


Consent Based Social Security Number Verification (CBSV)

Addendum C: Response to Public Comments


SSA is pleased to note that virtually every entity that submitted comments on the CBSV system voiced support (and often strong support) for the Agency’s efforts to create an on-line system that allows verification of Social Security Numbers (SSN). None of the comments received opposed the creation of such a system.


  1. Estimated number of users, who can use the system, and method of enrolling users


Estimated Number of Users


In its December 30, 2005 Federal Register Notice (FRN), SSA estimated that 150 companies would use the CBSV system in the first year of operation. Each company would be limited to 5,000 SSN verifications per calendar day. An on-line response would be available within 2-3 business days following submission of the request. This daily volume limitation and inability to receive real-time replies was a cause for concern expressed by some large potential users. One commenter suggested that SSA is significantly underestimating the number of potential first year users of the CBSV system, while another suggested that the estimate is too high. Another believes that SSA should not allow 150 companies to participate in CBSV in the first year.


SSA has revised its estimate for participants in the initial year to 90 enrolled companies and has eliminated the cap on daily submissions. Furthermore, enrolled companies will be able to submit files either in batch mode or by individual record request over an internet application or via a compatible web service application. SSA will provide real-time response to individual record requests submitted via the internet application and via the web service.


Who Can Use CBSV


One commenter suggested restricting use of this service to state or federally regulated entities and requiring background checks of all CBSV users. Another suggested SSA establish an appropriate vetting mechanism to distinguish between legitimate and illegitimate users of the service. Another suggested SSA evaluate each prospective company’s systems security (including technology to be used, internal controls, etc.) and then determine which companies can or cannot be users of CBSV. Since SSA is verifying specific data elements with the express written consent of the number holder, SSA does not believe that it should restrict the use of CBSV in any of the suggested ways. SSA believes that it should provide these verification services as required by the number holder. CBSV is the most efficient way for the Agency to handle these types of high volume requests for SSN verification. CBSV’s audit procedures will ensure that users have valid consent forms for each SSN verification request submitted to CBSV, thus distinguishing between legitimate and illegitimate users of the service.


Two commenters suggested that SSA allow access to CBSV by third party providers such as data verification agencies. The CBSV User Agreement allows for the use of third party providers as suggested by the commenters. The third party provider must sign a User Agreement with SSA to gain access to the CBSV system. The financial institution that is using the third party provider is referred to in the User Agreement as the “principal.” When the financial institution obtains the signed consent of the number holder, the consent form must show the financial institution’s name under “Company Name” and the third party provider’s name under “Company’s Agent.” The consent forms must be given to the third party providers. See Section IV., Consent. See also Section III., SSN Verification and Use, which discusses re-use and re-disclosure of the verification in these cases, and other sections of the User Agreement that refer to the requirements placed on third party providers as regards principals.


Method of enrolling company employees as users of CBSV and file retrieval rights


The CBSV User Agreement requires each company to complete a Form SSA-88, Pre-Approval Form For Consent Based Social Security Number Verification, for each employee that the company desires to have access to CBSV. Form SSA-88 provides SSA with the name and SSN of the employee who is being authorized access to CBSV by the company.


One commenter found this system overly burdensome and inefficient. The commenter suggested that SSA give certain company employees the ability to provide access for all company employees including registration and de-activation of such employees. SSA does not believe that this suggestion is prudent. SSA’s system assigns a Personal Identification Number (PIN) credential to each individual user of CBSV. The PIN/Password provides an audit trail back to an individual user for each name-SSN combination submitted to SSA.


Since publishing the FRN in December 2005, SSA has added an additional precautionary step to the access control process to authenticate that the person to whom SSA is giving access is actually an employee of a company authorized to use CBSV. After the employee has registered online and has been issued a PIN and selected a password, SSA will mail a “positive confirmation” letter with a unique access code to the designated company official who will provide it to the authorized employee. Once the authorized employee activates the service, the user will have access to the CBSV system.


CBSV is using SSA’s existing systems and business processes which place a strong emphasis on safeguarding the public’s information. SSA’s process will also provide the ability to detect misuse of the system and the ability to trace misuse to particular individuals. SSA believes that this is the proper level of security for a system dealing with name and SSN combinations.


2. Cost burden sharing, fee structure and Form SSA-1235, Agreement Covering Reimbursable Services


One-Time Initial Fee


In the initial FRN, SSA estimated that each company that requested to be a user of CBSV would be required to pay an initial one-time fee of approximately $40,000 to recover SSA’s cost for development of the system, SSA customer support services, and SSA’s other estimated staff support requirements. The one-time fee was based on an estimated first-year cost to the Agency of approximately $6 million for CBSV divided by the estimated 150 companies expected to register as CBSV users in the first year.


One commenter suggested that there is a significant public interest in setting the initial fee at $10,000 or less to encourage maximum participation in the system.


Section 1106 (c) of the Social Security Act authorizes the Commissioner to require a requester to pay the full cost of providing non-program related information. Full cost includes direct and indirect costs to SSA of providing information and related services. SSA intends to recoup all of its costs of creating and maintaining this system; however, SSA will not make any profit from the process. SSA will charge companies only the amount required to recover our costs.


While the earlier proposed fee model would have allowed SSA to recoup development costs within the first year of operating the CBSV system, the Agency has decided to restructure its fee schedule to recover systems development costs over the depreciable life of the system based on a fee per transaction model. Each company will pay a non-refundable one-time registration fee of $5,000 which will be applied to future transaction fees. An estimated transaction fee will be charged for each transaction processed and companies will provide an advance payment based on estimated annual usage.


One commenter mentioned the original 2002 SSA pilot program for fee based SSN verifications and the current IVP. The commenter suggested that only those who became users of this SSA service after December 2004 should have to pay the approximately $40,000 CBSV initial fee. This would allow the commenter, who happened to have participated in SSA’s very limited pilot program of SSN verifications in 2002, to be exempt from paying the CBSV initial fee. The commenter erroneously believes that it paid $38,885 as an initial fee to become an IVP user. However, the $38,885 that was paid upon becoming an IVP user was actually advance payment of record processing fees for its first fiscal year use of the IVP. SSA has compared the limited 2002 pilot system to the proposed CBSV system and has concluded that the CBSV system is a sufficiently different system so as to require equal sharing among all CBSV users of the cost burden of development of the system, customer support services, and SSA’s other estimated staff support requirements. This includes those few who used the 2002 pilot system.


Fees


One commenter believes that it will be problematic for CBSV users to estimate and pay in advance for their system usage for the year. The commenter believes that companies may be required to pay millions of dollars in advance based upon a guess (of their system usage) and that the price per inquiry should be below $1.00.


While CBSV users must submit in advance the record transaction fees for the estimated number of files the user expects to submit for the entire fiscal year, SSA will offset the actual costs incurred by each user quarterly against advances received. At the end of each fiscal year/start of a new fiscal year, any remaining funds to the user’s credit are returned to the user or can be applied to the next fiscal year’s account. The requirement for advance payment from non-federal organizations is published in OMB Circular A-11 (Preparation, Submission and Execution of the Budget). SSA will recoup all of its costs for creating and maintaining this system. However, SSA will not make any profit from the process. SSA will charge companies only the amount required to recover SSA’s costs.


Regarding recoupment of costs, as stated above, Section 1106 (c) of the Social Security Act authorizes the Commissioner to require a requester to pay the full cost of providing non-program related information. Full cost includes direct and indirect costs to SSA of providing information and related services. See 20 C.F.R. 402.175 for a list of the direct and indirect actual costs that can be charged. This provision also precludes profit making because profits are, by definition, above and beyond actual costs.

Form SSA-1235, Agreement Covering Reimbursable Services


One commenter suggests eliminating the form SSA-1235 and reconciling the perceived discrepancies between the SSA-1235 and the CBSV User Agreement. SSA receives from Congress annual appropriations which expire at the end of each fiscal year. Pursuant to the Anti-Deficiency Act, SSA may not obligate funds before an appropriation is made. Therefore, the Agency may incur obligations by performing services under the CBSV User Agreement only on a fiscal year basis. Since the CBSV User Agreement spans fiscal years, the Form SSA-1235, Agreement Covering Reimbursable Services, must be executed at the beginning of each fiscal year, thus providing authorization for SSA to perform reimbursable work for that fiscal year.


The Form SSA-1235 is an agency multi-use financial form. This form has been revised since the FRN was published, eliminating the “Conditions of Agreement” part of the form. The CBSV User Agreement enumerates all the terms of the agreement.

  3. Consent and Other Disclosure-Related Comments


Requirement for SSA-89 Consent Form and Retention


Several commenters suggested that the Social Security Administration (SSA) accept consents that are incorporated into existing documents in the loan application package rather than require a standalone form, SSA-89, which the individual signs to authorize the disclosure of their SSN verification. In support of this suggestion, two commenters noted that state laws for consent retention requirements typically exceed SSA retention requirements. Thus, these commenters contend that incorporating the consent form language into the loan application process could easily be accomplished and not impact this particular aspect of the consent requirements. SSA also received a comment indicating that the six year retention period for consent forms will be unduly burdensome to business requesters.


One commenter also noted that SSA should consider other means for accepting consent, such as through electronic transactions and e-signatures. Commenters assert that allowing entities to use other consent forms and means for accepting consent that are more conducive to existing business processes would provide substantial savings to the business requesters and to consumers and eliminate excessive paperwork.


The Privacy Act of 1974 requires federal agencies to establish administrative, technical and physical safeguards to ensure the confidentiality and appropriate disclosure of their record information. In addition, SSA regulations at 20 C.F.R. § 401.100 state that SSA will disclose an individual’s records to a third party based on written consent if the consent specifies to whom the records should be disclosed, which records should be disclosed, and during which time frame the records may be disclosed. Thus, SSA has determined that requiring a standalone SSA consent form meets our legal and regulatory obligations.


The CBSV process is a new method for providing SSN verifications in high volume to third party requesters based on consent. SSA has determined that requiring a separate consent form will also ensure the authorizing individual has provided informed consent and that business requesters are held to uniform standards for consent compliance. A standalone SSA consent form also facilitates the audit process and related requirements for the reviewing auditor since the auditors should not have to review multiple versions of the consent form.


SSA does not consider longer timeframes for retention requirements under state law to justify assimilating the form into the loan process. As explained above, SSA has valid reasons for requiring a standalone consent form in the CBSV process. In the event that litigation occurs as a result of inappropriate disclosures related to this process, SSA has determined that an adequate and reasonable timeframe for consent form retention is seven years. [SSA changed the retention period from six years stated in the first FRN to seven years to be consistent with other centralized disclosure processes concurrently being developed.] Finally, SSA has not developed a technical methodology to accept real-time consent, nor has it assessed whether it is even possible to accept electronic consents in light of particular Privacy Act requirements.


Timeframe in which Consent is Valid


Two commenters requested clarification concerning the requirements related to the timeframe the consent form is valid. They note that the User Agreement indicates the consent form may not be modified by the requesting party, yet the consent form language notes that the defined duration of the consent form may be modified by the SSN holder.


These are not inconsistent requirements. SSA’s policy allows the SSN holder to determine the particular timeframe that a consent form is valid. Because the requesting business party is not the SSN holder, it is not authorized to change the duration of the timeframe for consent.


Liability Concerns


Two commenters are concerned about companies’ liability if an applicant provides a consent to verify an SSN that is not his or her own.


SSA cannot provide companies with legal advice with regard to liability under the CBSV program. We suggest that companies review the Privacy Act of 1974, 5 U.S.C. § 552a, section 1106 of the Social Security Act, 42 U.S.C. § 1306, and other relevant Federal and state laws to determine liability issues.


Deemed Consent


Another commenter suggests that SSA should deem that an individual has provided the required consent for SSA to verify their SSN in situations in which an individual is opening a new account with a financial institution. The commenter contends that the Customer Identification Program rules associated with the Patriot Act as well as the Gramm-Leach-Bliley Act requirements for notice practices concerning disclosure are such that financial institutions should be deemed to have provided the required consent for SSA to verify the individual’s SSN.


SSA does not deem the notice requirements of these statutes as sufficient for SSA to meet its obligations under the Privacy Act, Social Security Act and SSA’s disclosure regulations. The Privacy Act requires federal agencies to obtain individuals’ consent when third parties such as those requesting the CBSV services request disclosures of record information. The statutes the commenter cites for financial institutions’ compliance with customer identification requirements and related notice practices are not relevant to the individual’s authorization to SSA for disclosure of a particular record protected by the Privacy Act.


Audit Requirements


One commenter expressed concern about the audit requirements including re-contact with some individuals who signed consents and the potential for fraud, especially of the elderly. Another commenter suggests that SSA audits may not be necessary since the consent process will be part of any financial institution’s requirements under the Patriot Act Section 326 procedures.


The reviewing auditor will not be contacting groups of individuals in person. SSA currently envisions that only a small percentage of individuals who sign the consents may be contacted as part of the audit review. Individuals will not be asked identifying information such as the SSN, but will be asked only to confirm that they did sign a consent authorizing SSA to disclose the SSN verification to the company named on the consent form.


Although some financial institutions’ audit practices may suffice to ensure the integrity of the consent process, some of the requesting parties are not explicitly financial institutions under the Patriot Act provisions or subject to the Section 326 requirements. Additionally, under the Privacy Act, SSA must continue to ensure the appropriate protection and disclosure of its record information, independent of a private entity’s similar practices vis-à-vis the requirements of the Patriot Act or similar legislation.


Comprehensive Comparison to the SSN Master File


One commenter noted that SSA should make the SSN Master File available since the Death Master File is also available for fraud verification purposes.


The Death Master File is publicly available because privacy rights end at death. However, the SSN Master File contains information about living individuals and thus requires consent prior to disclosure. Accordingly, SSA is unable to make the SSN Master File available without obtaining individuals’ consents.


Flexibility in the Assignment of Agents


One commenter requests that SSA not require an agent to be named on the consent form since some organizations may be working with various agents or elect to use other agents at any given time.


Under SSA’s regulatory consent requirements, the disclosure is made at the request of the record holder. Thus, any third party, including the agent that will receive the SSN verification response, must be named on the consent form. Additionally, the agent is the party with whom SSA has entered into the agreement outlining the particular requirements and obligations associated with participating in the CBSV process.


Other Issues


One commenter notes that SSA should consult with financial institutions, the Treasury and federal banking agencies to ensure the CBSV process is consistent with other federal efforts to counter ID theft and other fraud.


Although the CBSV process may be helpful to financial institutions in their compliance with the Patriot Act requirements for customer identification, CBSV may also be used by other third party requesters who may not necessarily be defined as a financial institution subject to these particular provisions of the statute. Additionally, CBSV may be one means to assist in requesting parties’ efforts to ensure identity, but SSA has been clear that CBSV is not an identity check or proof of identity. Through CBSV, SSA can only provide information indicating that the name and SSN presented are or are not a match to the information in the Agency’s records. CBSV does not prove that the individual providing the name and SSN is in fact the individual to whom the data actually belongs.


  4. System capabilities and requirements


Information on Types of Mismatches


The CBSV system will use an existing SSA system to process name-SSN combination files and create a results file. The current system requires the user to submit a last name and first name with middle name/initial optional. SSA provides instructions in its CBSV User’s Guide to delete all hyphens, apostrophes, blank spaces, periods and suffixes (e.g., Jr., III) from the last name field. One commenter asked for detailed information about the matching logic incorporated into the CBSV system. The examples given by the commenter all pertain to input requirements for the “name” fields. All of the examples are covered in the CBSV User’s Guide instructions under the heading “Input File Specifications.” Therefore, SSA assumes that this commenter’s request is satisfied by the CBSV User’s Guide.


SSA has revised its CBSV User’s Guide since the first Federal Register Notice. Information about tolerances for verification of SSN information, such as name and date of birth, is private and sensitive information (i.e., proprietary information). SSA will not make the process for SSN verification tolerances publicly accessible because knowledge of our process could aid someone in committing fraud and identity theft.

The CBSV system returns to the user a simple match/no match response. Two commenters requested that SSA provide specific information related to the data points where mismatches of the verification occur. One also suggests that the data SSA provides back to participating companies include mailing address to strengthen the matching process.


The consent form authorizes SSA to verify only whether the individual’s name and SSN match or do not match SSA records. The consent form does not authorize the disclosure from SSA’s records of any other information and SSA would violate the Privacy Act if it disclosed additional information without the individual’s consent. However, the Privacy Act does not apply to individuals once deceased. If SSA’s records indicate that the SSN submitted was issued to an individual now deceased, our reply to the requester will include this additional data.

SSA notes that if the Agency provides additional information on the specifics of the mismatch it may inadvertently make SSA vulnerable to requesters intent on “fishing” for identity data by using a process of elimination to get the correct information.
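The last-name clean-up rules and the “fishing” concern described above can be combined into one audit check. The following is an added example, not SSA’s code or the CBSV matching logic: it normalizes last names as the User’s Guide instructions are described on this page, then flags users who probe one SSN with many names or one name with many SSNs. The audit record layout, PINs, SSNs, suffix list, upper-casing and threshold are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed suffix list; the page names only "Jr." and "III" as examples.
SUFFIXES = {"JR", "SR", "II", "III", "IV"}


def normalize_last_name(raw):
    """Clean a last name the way the page describes the User's Guide rules:
    drop a trailing suffix, then delete hyphens, apostrophes, blank spaces
    and periods. Upper-casing is an assumption made only for comparison."""
    tokens = [t for t in re.split(r"[\s,]+", raw.strip().upper()) if t]
    if len(tokens) > 1 and tokens[-1].replace(".", "") in SUFFIXES:
        tokens = tokens[:-1]
    return re.sub(r"[-'\u2019 .]", "", "".join(tokens))


def find_fishing(records, threshold=3):
    """Flag process-of-elimination patterns in per-user audit records.

    records: iterable of (pin, ssn, last_name, first_name) tuples
             (hypothetical layout; the page only says each submission is
             traceable to an individual PIN).
    Returns a sorted list of (pin, pattern, fixed_value, distinct_count).
    """
    names_per_ssn = defaultdict(set)  # (pin, ssn)  -> distinct normalized names
    ssns_per_name = defaultdict(set)  # (pin, name) -> distinct SSNs
    for pin, ssn, last, first in records:
        name = (normalize_last_name(last), first.strip().upper())
        names_per_ssn[(pin, ssn)].add(name)
        ssns_per_name[(pin, name)].add(ssn)

    findings = []
    for (pin, ssn), names in names_per_ssn.items():
        if len(names) >= threshold:
            findings.append((pin, "names-per-ssn", ssn, len(names)))
    for (pin, name), ssns in ssns_per_name.items():
        if len(ssns) >= threshold:
            findings.append((pin, "ssns-per-name", ",".join(name), len(ssns)))
    return sorted(findings)


# Constructed sample audit trail. SSNs use the never-issued 000 area number.
SAMPLE_AUDIT = [
    # Same person re-keyed with cosmetic differences: one name after clean-up.
    ("U1001", "000-00-0001", "O'Brien", "Pat"),
    ("U1001", "000-00-0001", "OBrien", "Pat"),
    ("U1001", "000-00-0001", "O Brien Jr.", "Pat"),
    # One SSN tried against four genuinely different last names.
    ("U2002", "000-00-0002", "Smith", "Ann"),
    ("U2002", "000-00-0002", "Smyth", "Ann"),
    ("U2002", "000-00-0002", "Smithe", "Ann"),
    ("U2002", "000-00-0002", "Schmidt", "Ann"),
    # One name tried against three different SSNs.
    ("U3003", "000-00-0003", "Lee", "Sam"),
    ("U3003", "000-00-0004", "Lee", "Sam"),
    ("U3003", "000-00-0005", "Lee", "Sam"),
]

if __name__ == "__main__":
    for finding in find_fishing(SAMPLE_AUDIT):
        print(finding)
```

Normalizing before counting keeps ordinary re-keying of the same name (user U1001 in the sample) from being reported as guessing.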


SSA maintains mailing addresses only on current claimants and beneficiaries of Social Security programs. SSA does not permanently maintain mailing addresses on the general public prior to their application for benefits since the Agency has no program need to do so.


Nickname Field


One commenter suggested that SSA revise its system to add a nickname field, suggesting that this would increase the rate of name-SSN matches with a single submission. SSA assumes that the requester means that if the first name submitted on the CBSV input file does not match the first name in SSA’s records, SSA would then look to the CBSV input file “nickname” field to see if the entry there matched the first name in SSA’s records. SSA has a low rate of mismatches for all name-SSN matching routines that provide a simple “match/no match” type of response. In addition, the CBSV matching routine has certain name tolerances that should take care of the concerns expressed by the commenter. SSA does not believe that adding a nickname field would improve the mismatch rate.

System Security


CBSV will be a new addition to SSA’s Business Services Online (BSO) webpage. Users can access BSO at http://www.ba.ssa.gov/bso/bsowelcome.htm. The requests for Record Information sent to SSA must be encrypted using either the Advanced Encryption Standard (AES) or triple DES (DES3) methods to secure the data. SSA will return the information via the same encrypted method. Transmission of data will be accomplished using the TLS protocol (TLS 1.0) as specified in NIST Special Publication 800-52. Transmission of data using the web service will have equivalent safeguards.


Multiple Request Sequence Number Field


The CBSV User’s Guide includes detailed instructions for creating the input (or submission) file to be sent to SSA to verify the name-SSN combinations. The last 3 positions of the submission file are for a “Multiple Request Sequence Number.” While this field does not apply to CBSV, it does/may apply to numerous other applications that use this same submission file format. SSA has revised the CBSV User’s Guide as follows: 1) the name of this field is now “Multiple Request Indicator,” and 2) the user is now instructed to fill the field with three zeros.


In addition, SSA has revised its CBSV User Agreement and User’s Guide to delete any restrictions to the number of files that may be submitted per day. The User Agreement and User’s Guide that were made available with the first Federal Register Notice permitted companies to submit only one file per day.


  5. First Year Time and Cost Burdens to the Public


One commenter believes that SSA’s cost estimate burden may be too low given the programs and procedures the participating companies will be required to establish in order to use the CBSV service.


SSA has examined the initial cost estimate and considers it a reasonable reflection of the first year cost for participating companies to set up and use the CBSV application. Systems infrastructure costs will be minimal for companies choosing to submit SSN verification requests via SSA’s BSO internet portal. Companies who prefer to access data using the web service will need to build a compatible web service application. SSA does not believe that companies will bear any considerable cost to conduct extensive employee training or respond to an inordinate amount of customer inquiries about the consent form.


SSA has also taken steps to mitigate questions from the public concerning the consent form by providing a notice to the number holder on the SSA-89 (consent form). This form provides the number holder with a brief explanation about the disclosure and a website for further information.


As SSA gains more experience with the CBSV collection system we will be reevaluating our cost and time estimates and, if necessary, revising them to assure they accurately reflect the collection’s time and cost burdens.


One commenter may have misunderstood SSA’s estimated first year time burden and cost burden figures. These estimates are the time and cost burdens to various members of the public as a result of the use of the new CBSV system. These figures are in no way related to the activities required of SSA to create and maintain the CBSV system.









2/5/2021

File Type: application/msword
File Title: Consent Based Social Security Number Verification (CBSV)
Author: Faye
Last Modified By: Faye
File Modified: 2007-08-09
File Created: 2007-08-09
