eCBSV Addendum - 30-Day FRN Comments and Responses (Final)

eCBSV Addendum - 30-Day FRN Comments and Responses (Final).docx

Electronic Consent Based Social Security Number Verification

eCBSV Addendum - 30-Day FRN Comments and Responses (Final)

OMB: 0960-0817

Document [docx]
Download: docx | pdf

Addendum to Supporting Statement for

Electronic Consent Based Social Security Number Verification

20 CFR 401.100

OMB No. 0960-NEW


Section A: Public Comments

We published the 30-day advance Federal Register Notice on March 10, 2020, at 85 FR 13967, and we received the following public comments:


  • Comment #1: Several banks want to rollout verification through eCBSV for their tele-sales. In that case, applicants apply for new deposit accounts or credit card accounts over the voice/phone:

  1. Consumer information (SSN, Name, Date of Birth, Address, Phone….) is provided by the consumer over the phone;

  2. SSA’s consumer consent (as well as other consents) are being read by the bank agent to the consumer (over the phone) and an explicit approval is obtained from the consumer (verbal confirmation “I agree”);

  3. The entire phone conversation is recorded and stored for at least 5 years for evidence purposes.

Can you please confirm that this process is in compliance with your requirements and expectations? Processing new applications over the phone/verbally is very important for our banks for two main reason:

  1. To assist customers that are unable to come to the branch (elderly people, people outside major cities, with physical challenges (handicapped customers)).

  2. Have standardized process of validating SSNs/Name/DoB across all the channels (Online/Branch/Mail/Over the Phone) to make sure that one particular channel is not exploited by fraudsters. As we all know, fraudsters will find a weakest link and exploit it if banks don’t put appropriate measures in place.

    • SSA Response #1: This question appears to align with Question #54 in the first addendum to the 60-day Paperwork Reduction Act package. The eCBSV User Agreement identifies that “a sound recording of a person’s voice expressing consent” is an acceptable form of electronic signature and is consistent with section 7006 of the E-SIGN Act so long as all other related requirements in the eCBSV User Agreement are satisfied – see the eCBSV User Agreement, section IV. Consent and Exhibit C for SSA’s Written Consent Template.  Permitted Entities using voice consent will need to incorporate our consent requirements into a script to read to the consumer.  For the recording of an individual expressing consent to a Permitted Entity over the telephone to be considered sufficient for evidence purposes from an electronic signature standpoint: the person being recorded must clearly show intent to “sign,” such recording must be attached to or logically associated with the Written Consent, the recording and Written Consent must be retained in a manner that preserves its integrity for the period of time specified in the eCBSV User Agreement for auditing purposes, and the recording must meet federal or state laws regarding recording consumers.


  • Comment #2: We were told that permissible purposes listed on the SSA-89 form will need to be used by the banks when requesting an explicit, electronic consent from the consumer. Attached are 2 separate SSA-89 forms. One is currently available on your web site and the other one is currently located in the eCBSV User Agreement sent by the SSA to the Permitted Entities. The first form has 6 permitted purposes and the second form has 8 permitted purposes. Questions:


  1. Which list of permitted purposes should banks integrate into the consumer consent language for June 2020 release?

    • SSA Response #2a:

    • The current Form SSA-89 includes six permitted purposes.  The Office of Management and Budget (OMB) is currently reviewing the updated fillable SSA‑89 that is Exhibit A to the User Agreement, and which has eight permissible purposes.  Once OMB clears the updated fillable SSA-89, Permitted Entities will be required to use that form.  We expect OMB to clear the updated form in time for the June 2020 rollout.


  1. The form included in the eCBSV User Agreement has a comment for the consumer to just select one purpose “(please select one).” However, the form on the web site includes a reference “(Please select all that apply).” In cases when the consumer applies for 2 separate product at the same time, should we tell banks to display or allow consumer to select multiple purposes or just one?


    • SSA Response #2b: Consistent with the fillable SSA-89 that we expect will be the official Form SSA-89 in June 2020, consumers will need to complete an SSA‑89 for each permissible purpose.


  1. Are the following acceptable permissible purposes for obtaining consumer consent to use the eCBSV service:

    1. To Apply or to maintain a Mortgage Account

    2. To Apply or to maintain a Bank Account

    3. To Apply or to maintain a Credit Card Account

    4. To Apply or to maintain a Loan

    5. To open or maintain a Retirement Account

    6. To Apply for a Job

    7. To meet Licensing Requirements

    8. Other: To file for taxes

    9. Other: To open or maintain an Insurance Account


    • SSA Response #2c: We want to clarify that the agency requires a consumer to consent to SSA disclosing the SSN verification to the consumer’s Permitted Entity. This is separate from any consumer consent the Permitted Entity requires for its purposes. 


Section 215(f)(1)(B) of the Economic Growth, Regulatory Relief, and Consumer Protection Act (Banking Bill) states that a Permitted Entity may submit a request to SSA in connection with a credit transaction or any circumstance described in section 604 of the Fair Credit Reporting Act (15 U.S.C. 1681b). Therefore, permissible purposes are limited to a credit transaction or any circumstance described in section 604 of the Fair Credit Reporting Act.

  • Comment #3: Your User Agreement already dictates the permissible purposes (FCRA permissible purposes). Can you please elaborate why Financial Institutions need to develop dynamic consumer consent if the permissible purpose is already governed by the User Agreement?

    • SSA Response #3: The eCBSV User Agreement is between SSA and the Permitted Entity and sets forth the terms of conditions the Permitted Entity must agree to before using the eCBSV service. In accordance with the Privacy Act, Social Security Act, and SSA’s regulations, the number holder must also give informed consent to SSA to disclose the number holder’s SSN Verification to the Financial Institution.  SSA reads the Banking Bill in conjunction with other authorities that govern the agency’s ability to disclose information (e.g., the Privacy Act, the Social Security Act, the agency’s implementing regulations, and long adhered to agency disclosure policy).  Therefore, SSA must continue to adhere to other authorities that mandate specific consent requirements, which exist to prevent unauthorized disclosure of agency information.


Please see SSA Response #8 for additional information about the updated eCBSV User Agreement.


  • Comment #4: Is SSA seriously thinking about requiring an image of the electronic application (application screen) with the actual consumer information (SSN, Name, DOB…) and the consumer’s consent. I talked to several banks and engineers have major issues with this:


  1. They don’t know how to capture that evidence automatically;

  2. They are concerned that even if they find a way it will substantially affect their cost of storage (storing images for 5 years of the application screen);

  3. They are afraid of the security issues because of images will be stored with exposed PII data (potentially millions of images every month for 5 years).

    • SSA Response #4: No, SSA will not require an image of the electronic application and the consumer’s consent. In accordance with the eCBSV User Agreement, Permitted Entities must have a means to retrieve and reproduce legible, accurate, and readable hard or electronic copies of the Written Consent reflecting all Electronic Signature requirements in this section for auditing and monitoring purposes under the Banking Bill and the Privacy Act of 1974, as amended.

  • Comment #5: Can a Consumer Reporting Agency (CRA), third party background screening company qualify as a Permitted Entity, who is a service provider, subsidiary, affiliate, agent, subcontractor, or assignee of the Financial Institution?

    • SSA Response #5: SSA can generally comment that a CRA - a third party background screening company - that is a service provider, subsidiary, affiliate, agent, subcontractor, or assignee of a financial institution, may qualify as a Permitted Entity, if the CRA meets all of the requirements in the Banking Bill. SSA refers the commenter to the following provisions of the Banking Bill to consider as part of the determination:

      • Section 215(b)(2) (definition of “financial institution” as further defined in Section 509 of the Gramm-Leach-Bliley Act (15 U.S.C. 6809(3));

      • Section 215(b)(4) (definition of “permitted entity”);

      • Section 215(e) (certificate required, certifying as to status and compliance with title V of the Gramm-Leach Bliley Act);

      • Section 215(f)(1)(B) (requirement that all requests must be in connection with a credit transaction or any circumstance in section 604 of the Fair Credit Reporting Act); and

      • Section 215(g)(2) (enforcement provisions).

We further note that, in accordance with the Banking Bill, only the SSN verification requests submitted by the CRA for the financial institution it services would fall under the Banking Bill. If the CRA also conducts other SSN verification business for other non-financial institutions, those SSN verification requests would fall outside of the Banking Bill.


  • Comment #6: The Gramm-Leach-Bliley Act section 509 defines Financial Institution, non-affiliate but not service provider, agent, subcontractor or assignee. If the Financial Institution contracts with a CRA to conduct background checks and verifications on their behalf, will they qualify to apply and be approved to conduct eCBSV?

    • SSA Response #6: Please see the response for #5 above. In addition, SSA acknowledges that the Banking Bill does not define the terms service provider, subsidiary, affiliate, agent, subcontractor, or assignee. Therefore, they would generally have their common meaning. 


  • Comment #7: Are there any CRAs now that have applied? Have any been approved?

    • SSA Response #7: Yes, CRAs have applied and have been approved.

  • Comment #8: A commenter stated that after the first PRA package, the electronic consent requirements – arguably the most critical element of the eCBSV User Agreement and, in fact, the essential core of the Banking Bill – remain considerably problematic.  The commenter recognized that use of eCBSV will require adapting to an electronic consent process specific to that system.  The commenter is further concerned that SSA’s proposed electronic consent requirements present significant operational burdens and are incongruous with modern informed consent practices, adding friction to financial services processes that puts at risk the effectiveness of eCBSV as a tool to protect consumers.  The commenter offered two alternatives for recommended consent language and proposed to work with SSA to perfect this language in a way that is amenable to the Agency and also addresses the operational challenges previously expressed.

    • SSA Response #8: We understand the concerns.  We revised SSA’s Written Consent template (Exhibit C to the eCBSV User Agreement) and made changes to the eCBSV User Agreement consistent with the updated Written Consent template.  The updated Written Consent template and eCBSV User Agreement uphold the agency’s existing consent policies, but also address the commenter’s outstanding concerns and gives greater flexibility to Permitted Entities.  The updated Written Consent template is similar to the commenter’s second alternative recommended consent language.  We also streamlined the language in the “intent to sign” example in the eCBSV User Agreement, which will more clearly tie the electronic signature to the SSN holder’s consent in the event the two appear on different screens during the signing process.

  • Comment #9: A commenter asked can a document vendor create an electronic copy of Form SSA-89, pre-populate the fillable parts of the form using data imported from a mortgage lender’s loan origination system, and have the SSN holder electronically sign such copy (which can be saved into PDF format)? Or must Form SSN-89 always be provided to an SSN holder in ‘pdf fillable’ form to be filled out manually by the SSN holder?

    • SSA Response #9: Yes, a document vendor may create an electronic copy of Form SSA-89, pre-populate the fillable parts of the form using data imported from a mortgage lender’s loan origination system, and have the SSN holder electronically sign such copy, as long as the form is not altered in any way and the SSN holder has an opportunity to review/correct any “auto-populated” information prior to signing the SSA-89.


The document vendor must replicate the SSA-89 in its entirety so as not to alter the purpose of the form.


  • Comment #10: A commenter asked can Form SSA-89 be marked in ways traditionally applied to electronically generated mortgage loan documents or must it be maintained in its exact original form?

    For example, for tracking purposes, most copies of forms generated electronically contain barcodes, so that mortgage companies can easily identify which loan file the form belongs in. Other markings include an identification box surrounding an electronic signature, which certifies the SSN holder’s signature and when it was electronically signed. If these (and other necessary) markings appeared on a copy of Form SSA-89, would it still be considered a form of “valid Written Consent”?


    • SSA Response #10: Section III.A.11 of the eCBSV User Agreement indicates that the Permitted Entity must not alter the Written Consent either before or after the SSN holder signs the Written Consent. However, this section also states that, “Alterations do not include fax date/time stamps, barcodes, quick response codes or tracking/loan numbers added to the margin of a form.” In addition, SSA does not consider the identification box surrounding an electronic signature to be an alteration, because this is a part of the electronic signing process being applied by the SSN holder during signing and should be included as part of a valid Written Consent.


  • Comment #11: A commenter outlined portions of section IV. Consent as follows:

Subsection IV.A.1.c of the Agreement holds that the following is considered a valid form of consent:


An electronic form of consent, which can be incorporated into the Permitted Entity’s or Financial Institution’s electronic workflow or business process, and which includes SSA’s requirements for a valid Written Consent, signed electronically by the SSN holder with an Electronic Signature as part of an electronic signing process that meets all requirements set forth in section IV.E. See SSA’s Written Consent Template, attached and incorporated into this user agreement as Exhibit C.”


Subsection IV.A.2 outlines how to complete this form electronically.


Subsection IV.B, however, goes into details about how to retain a copy of the form physically:


If the Permitted Entity or Financial Institution obtaining the Written Consent in paper format and chooses to retain the Written Consent in paper format, that entity must store the Written Consent in a locked, fireproof and waterproof storage receptacle.


If the Permitted Entity or Financial Institution obtains Written Consents electronically, or chooses to convert original paper copies of Written Consents to electronic versions, the

Permitted Entity and any Financial Institution it services, if any, must retain the Written Consents in a way that accounts for integrity of the Written Consents . . .


When storing a Written Consent electronically, the Permitted Entity must destroy any original Written Consent in paper form.”


These provisions make references to “original” paper copies of the Written Consent. However, the criteria for a valid form of consent only permits the Written Consent to be executed electronically.


The commenter asked ‘[c]an a Written Consent be executed with ink on paper, as well as electronically, and still be considered a valid form of consent?”

    • SSA Response #11: There are three ways by which an SSN holder can consent to SSA disclosing the SSN verification to a Permitted Entity:

      • Form SSA‑89 (Exhibit A, Authorization for SSA to Release SSN Verification) with a wet signature,

      • Form SSA-89 in “pdf fillable” form with an Electronic Signature, or

      • Electronically with SSA’s consent language as provided in section IV, which is incorporated into the Financial Institution’s or Permitted Entity’s business process.

See the eCBSV User Agreement, section I.B. Written Consent and section IV.A.1.a.


Section IV.A.1.c. applies only when a Permitted Entity integrates SSA’s Electronic Signature requirements into its own electronic business process. Section IV.B Retention describes how a Permitted Entity must retain all forms of Written Consent.


Please note, we have updated the eCBSV User Agreement section IV. Consent. This update does not change the types of consent listed in section IV.A.1 or the retention requirements listed in section IV.B. However, because we deleted the section enumerated at IV.A.2 in the eCBSV User Agreement that was part of the previous PRA package, the subsequent subsection numbers in IV.A. changed in the updated eCBSV User Agreement (i.e., IV.A.3 became IV.A.2 and so forth).


Section B: Changes to the Collection Instruments:


  • Change #1:  We revised the Written Consent template language in Exhibit C.


Justification #1In response to Comment #8 above, we updated SSA’s Written Consent Template in Exhibit C to uphold the agency’s existing consent policies, but also to address the commenter’s outstanding concerns and give greater flexibility to Permitted Entities.

  • Change #2: We added language in Section IV.A.1.c of the eCBSV User Agreement, and renumbered subsection numbers.

    Justification #2: In response to Comment #8 above and because we updated SSA’s Written Consent Template in Exhibit C, we updated Section IV.A.1.c of the eCBSV User Agreement Consent section. Because of these updates, we removed Section IV.A.2 and renumbered the subsequent subsections accordingly.

  • Change #3: In Section IV.E.2.i, we deleted some language in the “intent to sign” example.


Justification #3: We updated this section to streamline language and more clearly tie the electronic signature to the Written Consent in the event it is on a different screen.

  • Change #4: In Sections IV.E.2, IV.E.2.i, and IV.E.3, we inserted the word “consent” in the place of “document.”

    Justification #4: We made this change for clarification purposes.


Section C: Next Steps


We will implement Phase 1 of eCBSV collection upon OMB approval.


Future Plans: Approximately 6 months after the initial rollout of eCBSV to the 10 permitted entities, SSA will conduct an expanded rollout open to any qualified Permitted Entity that submitted a complete application during the open enrollment period in July 2019. We will seek OMB approval under a separate Paperwork Reduction Act cycle for that expansion of the user base, which will involve additional new Information Collection instruments.

eCBSV Addendum

Page 6


File Typeapplication/vnd.openxmlformats-officedocument.wordprocessingml.document
AuthorCurt Miller
File Modified0000-00-00
File Created2021-01-22

© 2023 OMB.report | Privacy Policy