Addendum to Supporting Statement for
Electronic Consent Based Social Security Number Verification
20 CFR 401.100
OMB No. 0960-NEW
Section A: Public Comments
We published the 30-day advance Federal Register Notice on March 10, 2020, at 85 FR 13967, and we received the following public comments:
Comment #1: Several banks want to roll out verification through eCBSV for their tele-sales. In that case, applicants apply for new deposit accounts or credit card accounts over the voice/phone:
Consumer information (SSN, Name, Date of Birth, Address, Phone….) is provided by the consumer over the phone;
SSA’s consumer consent (as well as other consents) are being read by the bank agent to the consumer (over the phone) and an explicit approval is obtained from the consumer (verbal confirmation “I agree”);
The entire phone conversation is recorded and stored for at least 5 years for evidence purposes.
Can you please confirm that this process is in compliance with your requirements and expectations? Processing new applications over the phone/verbally is very important for our banks for two main reasons:
To assist customers that are unable to come to the branch (elderly people, people outside major cities, with physical challenges (handicapped customers)).
Have a standardized process of validating SSNs/Name/DoB across all the channels (Online/Branch/Mail/Over the Phone) to make sure that one particular channel is not exploited by fraudsters. As we all know, fraudsters will find the weakest link and exploit it if banks don’t put appropriate measures in place.
SSA Response #1: This question appears to align with Question #54 in the first addendum to the 60-day Paperwork Reduction Act package. The eCBSV User Agreement identifies that “a sound recording of a person’s voice expressing consent” is an acceptable form of electronic signature and is consistent with section 7006 of the E-SIGN Act so long as all other related requirements in the eCBSV User Agreement are satisfied – see the eCBSV User Agreement, section IV. Consent and Exhibit C for SSA’s Written Consent Template. Permitted Entities using voice consent will need to incorporate our consent requirements into a script to read to the consumer. For the recording of an individual expressing consent to a Permitted Entity over the telephone to be considered sufficient for evidence purposes from an electronic signature standpoint: the person being recorded must clearly show intent to “sign,” such recording must be attached to or logically associated with the Written Consent, the recording and Written Consent must be retained in a manner that preserves its integrity for the period of time specified in the eCBSV User Agreement for auditing purposes, and the recording must meet federal or state laws regarding recording consumers.
Comment #2: We were told that permissible purposes listed on the SSA-89 form will need to be used by the banks when requesting an explicit, electronic consent from the consumer. Attached are 2 separate SSA-89 forms. One is currently available on your web site and the other one is currently located in the eCBSV User Agreement sent by the SSA to the Permitted Entities. The first form has 6 permitted purposes and the second form has 8 permitted purposes. Questions:
Which list of permitted purposes should banks integrate into the consumer consent language for June 2020 release?
SSA Response #2a: The current Form SSA-89 includes six permitted purposes. The Office of Management and Budget (OMB) is currently reviewing the updated fillable SSA‑89 that is Exhibit A to the User Agreement, and which has eight permissible purposes. Once OMB clears the updated fillable SSA-89, Permitted Entities will be required to use that form. We expect OMB to clear the updated form in time for the June 2020 rollout.
The form included in the eCBSV User Agreement has a comment for the consumer to just select one purpose “(please select one).” However, the form on the web site includes a reference “(Please select all that apply).” In cases when the consumer applies for 2 separate products at the same time, should we tell banks to display or allow consumer to select multiple purposes or just one?
SSA Response #2b: Consistent with the fillable SSA-89 that we expect will be the official Form SSA-89 in June 2020, consumers will need to complete an SSA‑89 for each permissible purpose.
Are the following acceptable permissible purposes for obtaining consumer consent to use the eCBSV service:
To Apply or to maintain a Mortgage Account
To Apply or to maintain a Bank Account
To Apply or to maintain a Credit Card Account
To Apply or to maintain a Loan
To open or maintain a Retirement Account
To Apply for a Job
To meet Licensing Requirements
Other: To file for taxes
Other: To open or maintain an Insurance Account
SSA Response #2c: We want to clarify that the agency requires a consumer to consent to SSA disclosing the SSN verification to the consumer’s Permitted Entity. This is separate from any consumer consent the Permitted Entity requires for its purposes.
Section 215(f)(1)(B) of the Economic Growth, Regulatory Relief, and Consumer Protection Act (Banking Bill) states that a Permitted Entity may submit a request to SSA in connection with a credit transaction or any circumstance described in section 604 of the Fair Credit Reporting Act (15 U.S.C. 1681b). Therefore, permissible purposes are limited to a credit transaction or any circumstance described in section 604 of the Fair Credit Reporting Act.
Comment #3: Your User Agreement already dictates the permissible purposes (FCRA permissible purposes). Can you please elaborate why Financial Institutions need to develop dynamic consumer consent if the permissible purpose is already governed by the User Agreement?
SSA Response #3: The eCBSV User Agreement is between SSA and the Permitted Entity and sets forth the terms and conditions the Permitted Entity must agree to before using the eCBSV service. In accordance with the Privacy Act, Social Security Act, and SSA’s regulations, the number holder must also give informed consent to SSA to disclose the number holder’s SSN Verification to the Financial Institution. SSA reads the Banking Bill in conjunction with other authorities that govern the agency’s ability to disclose information (e.g., the Privacy Act, the Social Security Act, the agency’s implementing regulations, and long adhered to agency disclosure policy). Therefore, SSA must continue to adhere to other authorities that mandate specific consent requirements, which exist to prevent unauthorized disclosure of agency information.
Please see SSA Response #8 for additional information about the updated eCBSV User Agreement.
Comment #4: Is SSA seriously thinking about requiring an image of the electronic application (application screen) with the actual consumer information (SSN, Name, DOB…) and the consumer’s consent? I talked to several banks and engineers have major issues with this:
They don’t know how to capture that evidence automatically;
They are concerned that even if they find a way it will substantially affect their cost of storage (storing images for 5 years of the application screen);
They are afraid of the security issues because images will be stored with exposed PII data (potentially millions of images every month for 5 years).
SSA Response #4: No, SSA will not require an image of the electronic application and the consumer’s consent. In accordance with the eCBSV User Agreement, Permitted Entities must have a means to retrieve and reproduce legible, accurate, and readable hard or electronic copies of the Written Consent reflecting all Electronic Signature requirements in this section for auditing and monitoring purposes under the Banking Bill and the Privacy Act of 1974, as amended.
Comment #5: Can a Consumer Reporting Agency (CRA), third party background screening company qualify as a Permitted Entity, who is a service provider, subsidiary, affiliate, agent, subcontractor, or assignee of the Financial Institution?
SSA Response #5: SSA can generally comment that a CRA - a third party background screening company - that is a service provider, subsidiary, affiliate, agent, subcontractor, or assignee of a financial institution, may qualify as a Permitted Entity, if the CRA meets all of the requirements in the Banking Bill. SSA refers the commenter to the following provisions of the Banking Bill to consider as part of the determination:
Section 215(b)(2) (definition of “financial institution” as further defined in Section 509 of the Gramm-Leach-Bliley Act (15 U.S.C. 6809(3)));
Section 215(b)(4) (definition of “permitted entity”);
Section 215(e) (certificate required, certifying as to status and compliance with title V of the Gramm-Leach-Bliley Act);
Section 215(f)(1)(B) (requirement that all requests must be in connection with a credit transaction or any circumstance in section 604 of the Fair Credit Reporting Act); and
Section 215(g)(2) (enforcement provisions).
We further note that, in accordance with the Banking Bill, only the SSN verification requests submitted by the CRA for the financial institution it services would fall under the Banking Bill. If the CRA also conducts other SSN verification business for other non-financial institutions, those SSN verification requests would fall outside of the Banking Bill.
Comment #6: The Gramm-Leach-Bliley Act section 509 defines Financial Institution, non-affiliate but not service provider, agent, subcontractor or assignee. If the Financial Institution contracts with a CRA to conduct background checks and verifications on their behalf, will they qualify to apply and be approved to conduct eCBSV?
SSA Response #6: Please see the response for #5 above. In addition, SSA acknowledges that the Banking Bill does not define the terms service provider, subsidiary, affiliate, agent, subcontractor, or assignee. Therefore, they would generally have their common meaning.
Comment #7: Are there any CRAs now that have applied? Have any been approved?
SSA Response #7: Yes, CRAs have applied and have been approved.
Comment #8: A commenter stated that after the first PRA package, the electronic consent requirements – arguably the most critical element of the eCBSV User Agreement and, in fact, the essential core of the Banking Bill – remain considerably problematic. The commenter recognized that use of eCBSV will require adapting to an electronic consent process specific to that system. The commenter is further concerned that SSA’s proposed electronic consent requirements present significant operational burdens and are incongruous with modern informed consent practices, adding friction to financial services processes that puts at risk the effectiveness of eCBSV as a tool to protect consumers. The commenter offered two alternatives for recommended consent language and proposed to work with SSA to perfect this language in a way that is amenable to the Agency and also addresses the operational challenges previously expressed.
SSA Response #8: We understand the concerns. We revised SSA’s Written Consent template (Exhibit C to the eCBSV User Agreement) and made changes to the eCBSV User Agreement consistent with the updated Written Consent template. The updated Written Consent template and eCBSV User Agreement uphold the agency’s existing consent policies, but also address the commenter’s outstanding concerns and give greater flexibility to Permitted Entities. The updated Written Consent template is similar to the commenter’s second alternative recommended consent language. We also streamlined the language in the “intent to sign” example in the eCBSV User Agreement, which will more clearly tie the electronic signature to the SSN holder’s consent in the event the two appear on different screens during the signing process.
Comment #9: A commenter asked can a document vendor create an electronic copy of Form SSA-89, pre-populate the fillable parts of the form using data imported from a mortgage lender’s loan origination system, and have the SSN holder electronically sign such copy (which can be saved into PDF format)? Or must Form SSN-89 always be provided to an SSN holder in ‘pdf fillable’ form to be filled out manually by the SSN holder?
SSA Response #9: Yes, a document vendor may create an electronic copy of Form SSA-89, pre-populate the fillable parts of the form using data imported from a mortgage lender’s loan origination system, and have the SSN holder electronically sign such copy, as long as the form is not altered in any way and the SSN holder has an opportunity to review/correct any “auto-populated” information prior to signing the SSA-89.
The document vendor must replicate the SSA-89 in its entirety so as not to alter the purpose of the form.
Comment #10: A commenter asked can Form SSA-89 be marked in ways traditionally applied to electronically generated mortgage loan documents or must it be maintained in its exact original form?
For example, for tracking purposes, most copies of forms generated electronically contain barcodes, so that mortgage companies can easily identify which loan file the form belongs in. Other markings include an identification box surrounding an electronic signature, which certifies the SSN holder’s signature and when it was electronically signed. If these (and other necessary) markings appeared on a copy of Form SSA-89, would it still be considered a form of “valid Written Consent”?
SSA Response #10: Section III.A.11 of the eCBSV User Agreement indicates that the Permitted Entity must not alter the Written Consent either before or after the SSN holder signs the Written Consent. However, this section also states that, “Alterations do not include fax date/time stamps, barcodes, quick response codes or tracking/loan numbers added to the margin of a form.” In addition, SSA does not consider the identification box surrounding an electronic signature to be an alteration, because this is a part of the electronic signing process being applied by the SSN holder during signing and should be included as part of a valid Written Consent.
Comment #11: A commenter outlined portions of section IV. Consent as follows:
Subsection IV.A.1.c of the Agreement holds that the following is considered a valid form of consent:
“An electronic form of consent, which can be incorporated into the Permitted Entity’s or Financial Institution’s electronic workflow or business process, and which includes SSA’s requirements for a valid Written Consent, signed electronically by the SSN holder with an Electronic Signature as part of an electronic signing process that meets all requirements set forth in section IV.E. See SSA’s Written Consent Template, attached and incorporated into this user agreement as Exhibit C.”
Subsection IV.A.2 outlines how to complete this form electronically.
Subsection IV.B, however, goes into details about how to retain a copy of the form physically:
“If the Permitted Entity or Financial Institution obtaining the Written Consent in paper format and chooses to retain the Written Consent in paper format, that entity must store the Written Consent in a locked, fireproof and waterproof storage receptacle.
If the Permitted Entity or Financial Institution obtains Written Consents electronically, or chooses to convert original paper copies of Written Consents to electronic versions, the Permitted Entity and any Financial Institution it services, if any, must retain the Written Consents in a way that accounts for integrity of the Written Consents . . .
When storing a Written Consent electronically, the Permitted Entity must destroy any original Written Consent in paper form.”
These provisions make references to “original” paper copies of the Written Consent. However, the criteria for a valid form of consent only permits the Written Consent to be executed electronically.
The commenter asked “[c]an a Written Consent be executed with ink on paper, as well as electronically, and still be considered a valid form of consent?”
SSA Response #11: There are three ways by which an SSN holder can consent to SSA disclosing the SSN verification to a Permitted Entity:
Form SSA‑89 (Exhibit A, Authorization for SSA to Release SSN Verification) with a wet signature,
Form SSA-89 in “pdf fillable” form with an Electronic Signature, or
Electronically with SSA’s consent language as provided in section IV, which is incorporated into the Financial Institution’s or Permitted Entity’s business process.
See the eCBSV User Agreement, section I.B. Written Consent and section IV.A.1.a.
Section IV.A.1.c. applies only when a Permitted Entity integrates SSA’s Electronic Signature requirements into its own electronic business process. Section IV.B Retention describes how a Permitted Entity must retain all forms of Written Consent.
Please note, we have updated the eCBSV User Agreement section IV. Consent. This update does not change the types of consent listed in section IV.A.1 or the retention requirements listed in section IV.B. However, because we deleted the section enumerated at IV.A.2 in the eCBSV User Agreement that was part of the previous PRA package, the subsequent subsection numbers in IV.A. changed in the updated eCBSV User Agreement (i.e., IV.A.3 became IV.A.2 and so forth).
Section B: Changes to the Collection Instruments:
Change #1: We revised the Written Consent template language in Exhibit C.
Justification #1: In response to Comment #8 above, we updated SSA’s Written Consent Template in Exhibit C to uphold the agency’s existing consent policies, but also to address the commenter’s outstanding concerns and give greater flexibility to Permitted Entities.
Change #2: We added language in Section IV.A.1.c of the eCBSV User Agreement, and renumbered subsection numbers.
Justification #2: In response to Comment #8 above and because we updated SSA’s Written Consent Template in Exhibit C, we updated Section IV.A.1.c of the eCBSV User Agreement Consent section. Because of these updates, we removed Section IV.A.2 and renumbered the subsequent subsections accordingly.
Change #3: In Section IV.E.2.i, we deleted some language in the “intent to sign” example.
Justification #3: We updated this section to streamline language and more clearly tie the electronic signature to the Written Consent in the event it is on a different screen.
Change #4: In Sections IV.E.2, IV.E.2.i, and IV.E.3, we inserted the word “consent” in the place of “document.”
Justification #4: We made this change for clarification purposes.
Section C: Next Steps
We will implement Phase 1 of eCBSV collection upon OMB approval.
Future Plans: Approximately 6 months after the initial rollout of eCBSV to the 10 permitted entities, SSA will conduct an expanded rollout open to any qualified Permitted Entity that submitted a complete application during the open enrollment period in July 2019. We will seek OMB approval under a separate Paperwork Reduction Act cycle for that expansion of the user base, which will involve additional new Information Collection instruments.
File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
Author | Curt Miller |
File Modified | 0000-00-00 |
File Created | 2021-01-22 |