A. Justification
Introduction/Authoring Laws and Regulations
Section 215 of S. 2155, the Economic Growth, Regulatory Relief, and Consumer Protection Act of 2018 (Banking Bill; Pub. L. No. 115-174) directs SSA to modify or develop a database for accepting and comparing fraud protection data provided electronically by a permitted entity. The Banking Bill defines ‘‘Fraud Protection
Data’’ to mean a combination of an individual’s name (including the first name and any family forename or surname), SSN, and date of birth (including month, day, and year).
Permitted entities, such as a financial institution as defined by Section 509 of the Gramm-Leach-Bliley Act, or a service provider, subsidiary, affiliate, agent, subcontractor, or assignee of a financial institution, present the Social Security Administration (SSA) with requests for Social Security number (SSN) verifications. To facilitate processing these requests, SSA developed the electronic Consent Based Social Security Number Verification (eCBSV) process. Section 1106 of the Social Security Act (Act);Section 20 CFR 401.100 of the Code of Federal Regulations; 5 USC 552a (b) of the Privacy Act; Section 1106 of the Act, codified at 42 USC 1306; 20 CFR 401.100 of the Code of Federal Regulations provide the authority for SSA to provide verification of SSNs.
Description of Collection
The eCBSV process is a fee-based SSN verification service that will allow permitted entities to verify an individual’s SSN based on the SSN holder’s signed, including electronic, consent in connection with a credit transaction or any circumstance described in Section 604 of the Fair Credit Reporting Act (15 USC 1681b).
Background
We are creating this system due to the Banking Bill. Permitted entities will be able to submit an SSN, name, and date of birth (DOB) to SSA for verification via an application programming interface. The purpose of the information collection is for SSA to verify for the permitted entity that the submitted name, DOB, and SSN matches, or does not match, the data contained in our records. After completing the enrollment process; paying for services; and obtaining SSN holder consent, the permitted entity submits to the eCBSV service the names, DOBs, and SSNs of number holders who gave valid consents. SSA matches the information against our Master File, using SSN, name, and DOB. The eCBSV Service will respond in real time with a match/no match indicator (and an indicator if our records show that the SSN Holder died). SSA does not provide specific information on what data elements did not match, nor does SSA provide any SSNs or other identifying information. In addition, the verification does not authenticate the identity of individuals, or conclusively prove the individuals we verify are who they claim to be. The service simply accomplishes in real time and electronically what our existing CBSV service does manually – verify that the name and SSN submitted by the entity match to a name and associated SSN in our records.
Consent Requirements
Under eCBSV, SSA requires each permitted entity to obtain and retain a valid consent for each SSN verification request for a period of five years from the date of receipt of the consent form. The consent form may vary by institution, but it must contain certain common elements prescribed by SSA in the User Agreement we developed [and are clearing with this Information Collection Request (ICR)]. These forms of consent include an SSA‑89 with the SSN holder’s wet signature, an SSA-89 in a “pdf fillable” form, signed electronically by the SSN holder, with an Electronic Signature that meets the requirements set forth in section IV.E of the User Agreement, or an electronic form of consent, which can be incorporated into the Permitted Entity’s or Financial Institution’s electronic workflow or business process, and which includes SSA’s requirements for a valid Written Consent, signed electronically by the SSN holder with an Electronic Signature that meets all requirements set forth in section IV.E of the User Agreement. For additional information, templates, and specific elements, please see the User Agreement consent section.
The Banking Bill permits a Financial Institution’s service provider, subsidiary, affiliate, agent, subcontractor, or assignee to seek verification of the SSN Holder’s SSN on behalf of a financial institution pursuant to the terms of the SSN Holder’s consent, limited to the purposes set forth in the Banking Bill. In this case, the permitted entity shall ensure that the Financial Institution use the verification only for the purposes stated in the consent, and make no further use or disclosure of the verified SSN. The relationship will be subject to the contractual obligations as specified in the User Agreement that the permitted entity signs
As is the case for standard CBSV, the permitted entity does not submit the number holder’s consent documents to SSA. Instead, the permitted entity is required to retain the consent for audit purposes.
Compliance Review
SSA requires each permitted entity to undergo compliance reviews to ensure the permitted entities have obtained and are retaining valid consent from SSN number holders. An SSA approved certified public accountant (CPA) firm will conduct the compliance reviews. The reviews will ensure the permitted entities meet all terms and conditions of the User Agreement. The eCBSV fee will include all compliance review costs. In general, all eCBSV users will be subject to an audit within the first three years after they begin using the system, with subsequent additional reviews periodically as necessary. The CPA follows review standards established by the American Institute of Certified Public Accountants and contained in the Generally Accepted Government Audit Standards (GAGAS). At any time, SSA may conduct onsite inspections of the requester’s site, including a systems review, to ensure they adhered to the applicable requirements associated with collection and maintenance of consent forms, and to assess security of systems maintaining the Written Consents or SSN Verifications overall.
The respondents to the eCBSV collection are the permitted entities; members of the public who consent to the disclosure of SSN verifications; and CPAs who provide compliance review services.
Use of Information Technology to Collect the Information
In accordance with the Banking Bill, SSA is creating the eCBSV application under the agency’s Government Paperwork Elimination Act (GPEA) plan. Once we complete both phase rollouts for eCBSV, we will collect this information 100 percent electronically. In addition, the consent forms may not be entirely electronic, but the permitted entities will need to submit that information to us electronically to prove consent if requested.
Why We Cannot Use Duplicate Information
The nature of the information we collect and the manner in which we collect it precludes duplication. SSA does use Forms SSA-88 & SSA-89 (OMB No. 0960‑0760) to collect similar information. However, we are creating eCBSV to collect this information electronically, so this creates a different modality of information collection rather than a duplicate one.
Minimizing Burden on Small Respondents
For initial implementation, this collection does not affect small businesses or other small entities. SSA will update this section, if we include any permitted entities who are small businesses.
6. Consequence of Not Collecting Information or Collecting it Less Frequently If we did not collect this information, permitted entities would not have the ability to obtain the SSN verification they need for business purposes Since we only collect the information once per permitted entity’s submission, we cannot collect it less frequently. There are no technical or legal obstacles that prevent burden reduction.
7. Special Circumstances
Consent Form Retention Requirement – SSA requires participating permitted entities to retain the signed consent of the individual who is the subject of the verification request for five years. They do not submit the consent form to SSA. Our primary purpose for requiring permitted entities to retain consent forms for five years is due to SSA’s need to ensure that we can obtain a copy of the consent to defend against, or prosecute, alleged violations of civil and criminal law. The agency permits permitted entities to retain copies of the consent in an electronic format. Because the Privacy Act establishes a 2-year statute of limitations that begins when the individual discovers a potential violation of the Act (5 USC 552a(g)(5)), SSA must require no less than a 3‑year consent retention period to ensure we can obtain a copy of the consent from the permitted entity to defend against any alleged Privacy Act cause of action.
In addition, other statutes of limitations applicable to criminal actions that might arise from consent based disclosures to third parties counsel in favor of a 5-year retention period. For example, in the event an employee of a permitted entity provides fraudulent consents to the agency, or a permitted entity misrepresents the validity of a consent, Federal statutes exist in aiding investigations of fraud against the Government, including 18 USC 371 (conspiracy to defraud the Government) and 18 USC 1001 (false statements). Accordingly, SSA is requiring a 5-year consent retention period in order to prosecute alleged violations of criminal law. A 5-year retention period serves to reinforce the need for third parties to provide SSA with accurate and valid consent as a critical requirement.
There are no other special circumstances that would cause SSA to conduct this information collection in a manner inconsistent with 5 CFR 1320.5.
Solicitation of Public Comment and Other Consultations with the Public
The 60-day advance Federal Register Notice published on December 5, 2019, at
84 FR 66704. The 30-day FRN published on March 10, 2020 at 85 FR 13967. If we receive any comments in response to this Notice, we will forward them to OMB.
Payment or Gifts to Respondents
SSA does not provide payment or gifts to the respondents.
Assurances of Confidentiality
SSA protects and holds confidential the information it collects in accordance with 42 U.S.C. 1306, 20 CFR 401 and 402, 5 U.S.C. 552 (Freedom of Information Act), 5 U.S.C. 552a (Privacy Act of 1974), and OMB Circular No. A-130.
Justification for Sensitive Questions
The information collection does not contain any questions of a sensitive nature.
Estimates of Public Reporting Burden
Requirement |
Number of Respondents |
Frequency of Response |
Average Burden per Response (minutes) |
Estimated Total Annual Burden (hours) |
Average Theoretical Hourly Cost Amount (dollars)* |
Total Annual Opportunity Cost (dollars)** |
a) Complete eCBSV enrollment process*** |
10 |
1 |
120 |
20 |
$36.98* |
$740** |
a) Configure customer system for ability to send in verification requests |
10 |
1 |
2,400 |
400 |
$36.98* |
$14,792** |
a) People whose SSNs SSA will verify - Reading and Signing |
307,000,000 |
1 |
3 |
15,350,000 |
$10.22* |
$156,877,000** |
a) Sending in the verification request, calling our system, getting a response |
307,000,000 |
1 |
1 |
5,116,667 |
$36.98* |
$189,214,346** |
b) Follow SSA requirements to configure application program interface |
10 |
1 |
4,800 |
800 |
$36.98* |
$29,584** |
c) CPA Compliance Review and Report**** |
10 |
1 |
4,800 |
800 |
$33.89* |
$27,112** |
Totals |
614,000,040 |
|
|
20,468,687 |
|
$346,163,574** |
* We based these figures on average Business and Financial operations occupations and Certified Public Accountants’ hourly salaries, as reported by Bureau of Labor Statistics data; and per average Disability Insurance (DI) payments, as reported in SSA’s DI payment data.
** This figure does not represent actual costs that SSA is imposing on recipients of Social Security payments to complete this application; rather, these are theoretical opportunity costs for the additional time respondents will spend to complete the application. There is no actual charge to respondents to complete the application.
***The enrollment process entails reviewing and completing eCBSV User Agreement and financial requirements package; visiting the Department of the Treasury’s Pay.gov to make payment for services; and submitting a permitted entity certification via email.
**** There will be one CPA respondent (an SSA-approved contractor) to conduct compliance reviews and prepare written reports of findings on the 10 permitted entities.
The total burden for this ICR is 20,468,687 burden hours (reflecting SSA management information data), which results in an associated theoretical (not actual) opportunity cost financial burden of $346,163,574. SSA does not charge respondents to complete our applications.
13. Annual Cost to the Respondents (Other)
Although respondents will pay fees as a part of participating in and using eCBSV, because these fees are in alignment with the costs to government for providing this service, for the purposes of the supporting statement these fees are considered ‘transfers’ between the public and government and not a ‘cost.’ As such, they are discussed in full in Question 14, Annual Cost to the Government.
The agency acknowledges that building both the front-end and back-end systems necessary to operate eCBSV will involve both upfront and on-going capital and operations and maintenance costs that there are currently unquantified.
Annual Cost To Federal Government
Section (h) of the Banking Bill requires SSA to collect 50 percent of the program startup costs prior to developing the eCBSV system. Therefore, once selected and notified by SSA, permitted entities will receive a bill to pay their prorated portion of 50 percent of the estimated program startup costs within 2 weeks of selection through Pay.gov. These funds will be credited to future transactions. Before work begins on reimbursable projects requested by non‑Federal organizations, we require advance payment. OMB Circular A-11 (Preparation, Submission, and Execution of the Budget) stipulates that budgetary resources for reimbursable work with non-Federal organizations, including State and local governments, are not available for obligation until receiving advance payments. OMB designed this policy to prevent unintentional violations of the Anti-Deficiency Act. In addition, advance payment covers the start-up costs if potential permitted entities cancel the User Agreement; it protects SSA against any uncollectible debts; and prevents SSA’s Limitation on Administrative Expense Account from having to absorb the cost. Accordingly, non-Federal requesters must pay 100 percent of SSA’s estimated costs in advance.
The public cost burden depends upon the number of permitted entities and annual transaction volume. In FY 2019, 10 companies enrolled out of 123 applications received to participate in eCBSV. We based the cost estimates below on 10 participating permitted entities in FY 2020 submitting an anticipated volume of 307,000,000 transactions. The Banking Bill requires that we collect at least 50 percent of the start-up costs (i.e., that we collect $9.2 million) before we may begin development of the eCBSV verification system. SSA will recover the remaining development costs over three years using the below tier fee schedule.
Total eCBSV Cost Burden
Administrative Fee $3,693 x 10 companies = $36,930
Tier Fee Tier cost for 10 companies = $9,233,040
Total eCBSV Cost Burden - $9,269,970 **
* The 10 selected permitted entities estimated total annual volume at 614 million (M). Since the expanded rollout will occur within 6 months of the initial rollout, we estimated volume at 50% of 614M = 307M.
eCBSV Tier Fee Schedule
Tier |
Annual Transaction Threshold |
Annual Fee |
1 |
1 - 1,000 |
$400 |
2 |
1,001 - 10,000 |
$3,030 |
3 |
10,001 - 200,000 |
$14,300 |
4 |
200,001 - 50 million |
$276,500 |
5 |
50,000,001 - 2 billion |
$860,000 |
SSA will require each enrolled permitted entity to remit the above tier based subscription fee for the 365-day agreement period and the appropriate administrative fee. We will charge newly enrolled entities a startup administrative fee of $3,693. After the initial year, we will charge the entities a renewal administrative fee of $1,691 each time the agreement is renewed or amended. We calculate the fees based on forecasted systems and operational expenses; agency oversight, overhead and CPA audit contract costs.
In addition, SSA will periodically recalculate costs to provide eCBSV services and adjust the fees charged as needed. We notify companies of a fee adjustment at the renewal of the eCBSV User Agreement and via notice in the Federal Register; companies have the opportunity to cancel the agreement or continue service using the new fee.
15. Program Changes or Adjustments to the Information Collection Request
eCBSV is a new application that increases the public reporting burden. The reporting burden for eCBSV is 20,468,687 hours. See #12 above for the burden chart.
16. Plans for Publication Information Collection Results
SSA will not publish the results of the information collection.
17. Displaying the OMB Approval Expiration Date
SSA is not requesting an exception to the requirement to display the OMB approval expiration date.
Exceptions to Certification Statement
SSA is not requesting an exception to the certification requirements at 5 CFR 1320.9 and related provisions at 5 CFR 1320.8(b)(3).
B. Collections of Information Employing Statistical Methods
SSA does not use statistical methods for this information collection.
| File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
| File Modified | 0000-00-00 |
| File Created | 2021-01-22 |