CPA Compliance Review and Report

Electronic Consent Based Social Security Number Verification

eCBSV Webpage Content

CPA Compliance Review and Report

OMB: 0960-0817

Document [pdf]
Download: pdf | pdf
Social Security

electronic Consent Based Social Security Number Verification (eCBSV) Service
eCBSV Home

Information About eCBSV

Eligibility

Section 215 of the Economic Growth, Regulatory Relief, and Consumer Protection Act, Public Law
(PL)115- 174, directs Social Security to modify or develop a database for accepting and comparing fraud
protection data provided electronically by a permitted entity. In response to this statutory directive,
Social Security is creating eCBSV, a fee-based Social Security number (SSN) verification service.

Fees
Enrollment
Technical Information
FAQs
Archive
Get Page Updates

eCBSV will allow permitted entities to verify if an individual’s SSN, name, and date of birth combination
matches Social Security records. Social Security needs the number holder’s written consent with a wet or
electronic signature in order to disclose the SSN verification.
eCBSV returns a match verification of “Yes” or “No.” If our records show that the SSN holder is deceased,
eCBSV returns a death indicator. eCBSV does not verify an individual’s identity.
Social Security will roll out the service to a limited number of permitted entities in June 2020, and plans
on expanding the number of permitted entities within six months of the initial rollout.
For more information, refer to FRN.

/

Social Security

eCBSV Eligibility
eCBSV Home
Eligibility
Fees
Enrollment

Qualified enrollees must be permitted entities, as defined in PL115-174,, and must possess an employer
identification number (EIN). Each permitted entity will be required to submit a certification in
accordance with the Banking Bill.
Permitted Entity – A financial institution, as defined in as defined section 509 of the Gramm-LeachBliley Act (15 U.S.C. 6809), or service provider, subsidiary, affiliate, agent, subcontractor, or assignee
of a financial institution Pub. L. No. 115-174.

Technical Information

EIN - An EIN, also known as a Employer Identification Number, identifies a business entity. If you
need an EIN, contact the IRS.

FAQs

Certification Statement – A signed declaration the permitted entity provides to Social Security at
least every two years that includes the following four declarations:

Archive
Get Page Updates

The entity is a permitted entity.
The entity is in compliance with the Banking Bill.
The entity is, and will remain, in compliance with its privacy and data security requirements, as
described in Title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.), with respect to
information the entity receives from the Commissioner pursuant to this section.
The Entity will retain sufficient records to demonstrate its compliance with its certification and
this section for a period of not less than two years.

/

Social Security

eCBSV Fees
eCBSV Home
Eligibility
Fees
Enrollment
Technical Information
FAQs
Archive
Get Page Updates

Program Startup Costs for the Initial Rollout
Social Security is required to collect 50 percent of the program startup costs prior to developing the
SSN verification system for the electronic Consent Based Social Security Number Verification (eCBSV)
service.
Once selected and notified by SSA, permitted entities will receive a reimbursable package to
complete within two weeks of selection. Once Social Security receives the completed package, the
selected permitted entity will receive a bill to pay their prorated portion of the 50 percent of the
estimated program startup costs and an initial administrative fee of $3,693 within three business
days, through Pay.gov.
Prior to rollout in June 2020, the permitted entity will be required to submit the annual subscription
fee (see below) for their transaction tier selected plus administrative fees as necessary, if greater than
their initial 50 percent program startup costs contribution.
A permitted entity’s initial 50 percent program startup cost will be credited to future year’s fees until
they are exhausted. Therefore, if the permitted entity’s initial 50 percent program startup
contribution is greater than their first annual tier based transaction charge (see below) for their
selected tier level, no additional payment will be necessary prior to the initial rollout.
The prorated portion is dependent on the number of permitted entities selected, the estimated
annual transaction volumes, and the associated costs. These will be finalized once enrollment ends,
and will be provided to the selected permitted entities.
The chart below depicts the expected contribution of 50 percent program startup costs dependent
on annual transaction volume. These are subject to change and will be finalized prior to billing.

/

Annual # of Transactions

Charge (subject to change)

1 – 5,000

$3,000 – $5,000

5,001 – 50,000

$8,000 – $15,000

50,001 – 1,000,000

$50,000 – $75,000

1,000,001 – 500,000,000

$2.5 million – $3 million

500,000,001 – 2 billion

$3.5 million – $5 million

Annual Tier Based Subscription Fee Model
Social Security will use a tier based subscription fee model to collect the full cost of eCBSV services.
Social Security will collect the remaining 50 percent program startup costs plus other costs the
agency will incur for eCBSV services through the annual tier based subscription fee from all users
during the first three years of eCBSV.
The subscription fees will be announced in a Federal Register Notice this fall. The Notice will explain
the fees in detail.

/

Social Security

eCBSV Enrollment
eCBSV Home
Eligibility
Fees
Enrollment
Technical Information
FAQs
Archive
Get Page Updates

Enrollment Period
Enrollment is now closed.
The enrollment period for permitted entities to apply for access to the electronic Consent Based
Social Security Number Verification (eCBSV) service was July 17, 2019, at 6:00 a.m. EST, through July
31, 2019, at 6:00 p.m. EST as provided in the Federal Register Notice (FRN). Applications received
outside of the stated enrollment period were not considered.

Initial Rollout
Social Security is preparing to implement an initial rollout to a limited number of permitted entities
in June 2020.
In accordance with statutory requirements, permitted entities were required to provide payment to
build the new eCBSV system.
Social Security notified the first potential group of permitted entities selected for the initial rollout of
eCBSV on Friday, September 6, 2019. See the Press Release and FAQs for more information.
As of October 25, 2019, the following are the 10 selected permitted entities:
Financial Institutions:
Low Volume
Navy Federal Credit Union
University Bank*
High Volume
/

Discover Financial Services
Synchrony Financial
Service Providers, Subsidiaries, Affiliates, Agents, Subcontractors, or Assignees of Financial
Institutions:
Low Volume
SentiLink Corp.
ID Analytics, LLC
Computer Information Development, LLC
Medium Volume
Early Warning Services, LLC
Capital One Services, LLC
High Volume
Experian Information Solutions, Inc.
* Since the initial selection one company, American Express Travel Related Services has been replaced with University Bank, the next in
line by date and time, with a completed application, and in the same category.

The initial rollout is designed to support the development of eCBSV business processes and systems
requirements, and to provide for testing of the system performance and capacity. As a result, we can
only support a limited number of companies until the expanded rollout. As indicated in the FRN, SSA
selected companies based upon the earliest date and time of the receipt of a completed application.
Selected permitted entities will be required to sign a user agreement closer to the June 2020 rollout.

Expanded Rollout
Social Security is planning an expanded rollout to all permitted entities that applied for the initial
rollout but were not selected within six months following the initial rollout.
/

Any permitted entity that submitted a valid application prior to close of the stated July 31, 2019
deadline but was not selected for the initial rollout will have an opportunity to resubmit a full
application and user agreement for the later expanded rollout.
However, any permitted entity that did not submit a valid application before the close of the stated
July 31, 2019 deadline will not have the opportunity to apply for the expanded rollout in late 2020,
and must wait until the next open enrollment for which there could be as long as a two-year wait.

/

Social Security

eCBSV Technical Information
eCBSV Home

eCBSV Technical Information

Eligibility

The Banking Bill requires SSA to collect 50 percent of the program startup costs prior to developing the
eCBSV system. Therefore, we are unable to provide specific technical details about the system at this

Fees

time. We plan to update this page to share technical details, including the Technical Guide referenced and
linked to in the User Agreement, as the eCBSV system development progresses. In the meantime, below
you will find draft high-level information about the anticipated eCBSV Service. If you have any specific
questions, please email them to [email protected].   

Enrollment
Technical Information

SSN Verifications

FAQs
Archive
Get Page Updates

In June 2020, SSA will implement the new eCBSV service to allow the selected permitted entities to
verify an individual's SSN based on the SSN holder's signed consent to disclose the SSN Verification.
SSN Verifications will be provided via an application programming interface (API).
The Verification API will verify that the number holder’s SSN, name, and date of birth matches or does
not match the data in the Social Security Administration’s records.
The Verification API will return a match verification of “yes” or “no.” If our records show that the SSN
holder is deceased, the API will return a death indicator.
Permitted entities will have the ability to submit one or many verification requests to the Verification
API for real-time results.
The Verification API will return various error codes if the service is unavailable or the transaction
cannot be processed.
The Verification API will provide various alerts to avoid interruptions to service (e.g. agreements
expiring or transaction balance is low)
/

eCBSV services are not available if your company does not stay within your selected tier level and
have a current/valid signed agreement.
eCBSV services will not be provided without successful authentication and authorization.
Access to eCBSV
SSA will not issue end-user credentials and will not manage end-user identities or permissions. Rather,
SSA will provide an OpenID Connect and OAuth 2.0 solution for authentication and authorization to
SSA’s Verification API.
Therefore, in order to access eCBSV, permitted entities must:
Implement the required OpenID Connect/OAuth 2.0 configurations.
Assign and manage all end-user permissions, which will be provided as attributes in the OpenID
Connect assertion.
Obtain API keys from SSA according to industry best practices.
System Availability:
As we build the system, we will define the availability. We anticipate providing eCBSV with the same
availability or better of the existing CBSV application, which is as follows:
Day

Time

Monday – Friday     

5:00 AM to 1:00 AM Eastern Standard Time

Saturday

5:00 AM to 11:00 PM Eastern Standard Time

Sunday

8:00 AM to 11:30 PM Eastern Standard Time

/

Social Security

eCBSV Frequently Asked Questions
eCBSV Home
Eligibility
Fees

Thank you for your interest in the electronic Consent Based Social Security Number Verification (eCBSV)
service.  We are reviewing questions received and will be posting responses here periodically.  Please
check this page frequently for updates.  You may submit questions to [email protected].
1. Agreements

Enrollment

1.01 Will a draft User Agreement be available for review?

Technical Information
No. The eCBSV User Agreement will be available in Spring 2020.

FAQs
Archive
Get Page Updates

1.02 The Reimbursable Memorandum of Understanding’s period of performance is August 1,
2019 through September 30, 2019. Is the expectation that participating firms will integrate to
the eCBSV service and submit production transactions during the course of this 2-month
period?
No. The period of performance for the Reimbursable Memorandum of Understanding represents the
remaining portion of the fiscal year during which SSA will collect each participating permitted entity’s
50 percent program startup costs. SSA will not begin providing eCBSV transactions until the June
2020 initial rollout.

1.03 The Reimbursable Memorandum of Understanding (MOU) shows a beginning period of
August 1, 2019; however, the enrollment period ends on July 31, 2019. That does not appear to
give sufficient time for SSA to notify selected permitted entities. When will entities be notified
and how will that impact the MOU?

/

SSA will notify selected permitted entities immediately upon their selection around the close of the
enrollment period. Individual MOU effective dates will follow shortly after the parties execute the
MOU.

2. Application
Content archived. See Archive, Enrollment FAQ.

3. Consent
3.01 Can any detail be provided regarding how the consent from the consumer needs to be
presented, captured, stored, and presented as evidence?
Consent must be captured in accordance with the requirements SSA will set forth in the User
Agreement. SSA will require consent be captured (1) on a properly-signed SSA-89, Authorization for
SSA to Release SSN Verification in either paper format, fillable-PDF or other electronic format, or (2)
in some other electronic process consistent with the permitted entity’s existing business process and
SSA’s Privacy Act-compliant template language, provided in the eCBSV User Agreement. Moreover,
SSA’s signature – including electronic signature requirements will be set forth on SSA’s website and
incorporated by reference into the User Agreement.
The eCBSV user must retain the signed consent for a period of five (5) years from the date of the
verification request in its original format.

3.02 Can the electronic signature piece of the eCBSV consent process fit into existing E-Sign Act
practices?

/

Yes, SSA designed its electronic signature requirements in accordance with the E-Sign Act.

4. Costs - UPDATED
4.01 Are volume estimates for the initial rollout period, or for a forward-looking year when
eCBSV is fully operational?
Permitted entities will select an estimated annual transaction volume for a full year (365-day period)
regardless of whether they participate in the initial or expanded rollout.

4.02 If an entity is selected for the initial rollout, pays the startup costs, but then decides to
withdraw, what is the off-ramp and refund process.
Once the permitted entity signs the Reimbursable MOU and remits payment, no refunds can be
issued. SSA is required to collect 50 percent of the program startup costs in accordance with P.L.
115-174, before we can build the verification system. Once funds are collected and we begin building
the system, we cannot issue refunds.

4.03 When will more accurate startup cost details be provided to the initial rollout selected
permitted entities?
When a permitted entity is notified of their selection for the initial rollout around the close of the
enrollment period, SSA will include the amount of their 50 percent program startup costs for
payment with their notification.

/

4.04 Can SSA estimate what it will charge permitted entities for each validation/ping, based on
provided numbers, once the system is built?
Not at this time. It is too early to provide the exact costs; however, estimates will be available in the
October/November 2019 timeframe. In addition, SSA will not charge users on a per transaction basis,
instead users will select an annual tier-based transaction level with one cost regardless of the
number of transactions submitted by the permitted entity within that tier level.

4.05 Will SSA provide regular updates on startup costs incurred as compared to the estimates?
SSA will review actual costs annually as compared to estimates, and will adjust tier level charges
appropriately to ensure we are only recovering actual costs.

4.06 What additional costs will the selected permitted entities for the initial rollout be required
to pay?
Every permitted entity selected will pay a portion of the 50 percent of the program startup costs, and
an initial administrative fee of $3,693. SSA will apply all program startup costs collected to each
permitted entity’s annual tier-based subscription fee each year until recouped by the permitted
entity.
The permitted entities participating in the initial rollout may be charged additional costs at rollout, if
their initial contribution was not sufficient to cover their selected tier-based transactions charge.
Again, this is dependent upon the number of permitted entities selected, the estimated annual
transaction volumes, and the associated costs at the time of rollout.

UPDATED 4.07 What are the total estimated program startup costs for the initial rollout in June
2020?
/

SSA estimates program startup costs for the initial rollout in June 2020 of $18.47 million; therefore,
the 50 percent program startup cost that must be collected is $9.2 million.

4.08 What does the startup contribution guarantee?
If you are selected as a participant in the small rollout during the initial enrollment period, you will
be charged a prorated portion of the estimated 50 percent startup costs based on your estimated
volume of transactions for an annual agreement period.  Your initial contribution will be credited to
your future years’ subscription and administrative fees.  If you are required to contribute more than
the cost for one year, it will be credited towards future years.  SSA will draw down from your initial
contribution for as many years necessary to diminish all the initial contribution funds.

4.09 Will permitted entities selected for the small rollout be required to pay the remaining 50
percent startup costs?
Permitted entities selected for the small rollout will be required to submit their prorated portion of
the estimated 50 percent startup costs once they are notified by SSA.  Prior to rollout in June 2020,
the permitted entity will be required to submit the annual subscription fee for their transaction tier
selected plus administrative fees as necessary, if greater than their initial 50 percent program startup
costs contribution (see previous FAQ).
The annual subscription fee includes the remaining 50 percent startup costs plus other costs the
agency will incur for eCBSV services.  The permitted entity will not be expected to submit any other
fees beyond these noted here for their first year of enrollment. 

UPDATED 4.10 Do you have an estimate of the tier level subscriptions fees SSA will charge
permitted entities for the small and expanded rollouts?
/

The subscription fees will be announced in a Federal Register Notice this fall. The Notice will explain
the fees in detail.

4.11 If a permitted entity in the initial rollout finds over that period that its volume estimates
were too high, can the permitted entity drop to a lower volume tier? If so, how? Same question
for the expanded rollout.
Once a permitted entity selects a tier level in either the initial or expanded rollout, executes a
reimbursable agreement, and pays the tier level fee, no refunds will be provided. Therefore, they
cannot drop to a lower volume tier during any 365-day period. They can move up a tier level by
starting a new agreement with a new 365-day period. They can also select a lower tier in the
following year.

4.12 Do you have any general information on using pay.gov? We’re looking to see if we would
use a credit card or ACH and if there is a fee involved for using the system. Any information you
can offer is greatly appreciated.
General information on pay.gov can be found on their website at https://www.pay.gov/public/home.
If you are selected as an initial rollout participant, SSA will connect to Pay.gov to generate a bill for
you from Pay.gov. It will provide specific instructions. Credit cards will be accepted for up to
$24,999.99, and ACH can be accepted for any dollar amount. There are no fees associated with using
Pay.gov.

4.13 The FRN gives ranges of costs based on estimated volume tiers. Are those fee ranges for
the entire transaction band or is it consistent with the transaction volume?
/

The estimated fee range is for the entire “transaction band”. In other words, once we finalize the fees,
there will be one fee for each transaction range to include any volume within that range.

5. Current CBSV Customers
5.01 As a current CBSV enrolled company and a company who qualifies as a permitted entity,
may we begin to accept electronic signatures now?
No, as a currently enrolled company in CBSV, you are not enrolled in eCBSV and are not permitted to
accept electronically signed consents at this time. You must continue to adhere to all requirements in
the CBSV User Agreement.

5.02 As a current CBSV enrolled company and a company who qualifies as a permitted entity,
does our enrollment in the current CBSV program affect our application for eCBSV?
No, your status as a CBSV company and a company who qualifies as a permitted entity, does not
affect your application for eCBSV.  SSA will consider all permitted entities for eCBSV enrollment in
accordance with the process set forth in the Federal Register Notice.  You must follow the
instructions as provided in the Federal Register Notice to apply for eCBSV during the upcoming
enrollment period.  Companies that do not qualify as permitted entities cannot currently enroll for
eCBSV. 

5.03 As a current CBSV enrolled company, what happens to our status as a CBSV enrolled
company, if we are selected for the initial rollout of eCBSV in June 2020?

/

If you are an individual permitted entity selected for the eCBSV initial rollout in June 2020, we will
terminate your CBSV User Agreement as of that date and you will no longer be a CBSV customer. 
We will provide you a refund of unused CBSV funds at that time.
If you are a service provider permitted entity selected for the eCBSV initial rollout in June 2020, you
may remain enrolled in CBSV to service non-permitted entities or during the initial rollout, other
permitted entities beyond the 20 limited in the initial rollout.
If you are not selected for the eCBSV initial rollout, you will continue as a CBSV customer and must
adhere to all requirements in the CBSV User Agreement.

5.04 We are a service provider for a handful of customers that provide SSA verifications today.
Could you explain to me the difference between this new service and the existing service that
we use today? Today it's an API where we pass the SSN, DOB, and name and get a
yes/no/deceased response which seems to be identical to this new system. Is this new system a
replacement for the one we are currently using or is there some other feature that i'm not
seeing? I did not see on the site where this new service differs in any way except for new
security measures.
The substantial difference between CBSV and eCBSV is that the Economic Growth, Regulatory Relief,
and Consumer Protection Act, Section 215, Reducing Identity Fraud, requires SSA to confirm (or not
confirm) to a "permitted entity" the validity of fraud protection data (specific information about an
individual, including SSN verification) based on the individual's written consent, including by
electronic signature.  An SSN verification is verification that a name, SSN, and date of birth
combination matches (or does not match) our records.  The legislation requires SSA to improve our
current verification system to accommodate the much larger anticipated volume of users and
verifications as a result of now allowing consumer consent to be received electronically.  In addition,
the Act defines permitted entities use of eCBSV for specific uses as outlined in the Act.  Therefore, for

/

entities that do not qualify as a permitted entity, or entities who use the SSN verification for
purposes outside of the Act will continue to obtain a number holder’s wet signature on the consent
forms and use the current CBSV at this time.

6. Enrollment
6.01 Can you give a better sense of how many participants you expect to be in the first small
group for the initial rollout?
SSA’s goal is to provide equal opportunity for any type and size of permitted entity to participate in
the initial rollout, while providing the ability to test our system’s capacity and performance under
controlled circumstances.  The number of permitted entities selected for the initial rollout will
depend on how many permitted entities apply and their anticipated volumes.

6.02 When will SSA notify firms that are selected for the expanded rollout?
Upon completion of selection of the initial rollout group, all other permitted entities who submitted
a complete application during the enrollment period will be notified of their non-selection for the
initial rollout. We are anticipating that all permitted entities who submitted a complete application
during the enrollment period will be invited to participate in the expanded rollout. Those permitted
entities will receive an invitation in the summer of 2020 to complete their application for the
expanded rollout.

6.03 Will permitted entities be selected on a first come/first served basis or are there other
criteria for selection into the initial rollout?
/

Selections are determined based on the earliest date and time of receipt by SSA of a fully completed
application from a permitted entity based on the five categories identified in the FRN. SSA will select
the first permitted entities that apply in each category and that meet all requirements up to the
number of entities needed in each category to provide 50 percent of the program startup costs.

6.04 If SSA chooses a permitted entity to participate in the initial rollout, but the permitted
entity declines, can that permitted entity still participate in the expanded rollout?
Yes, if SSA selects a permitted entity for the initial rollout, but the permitted entity declines
participation, the permitted entity will be added to the list of permitted entities invited for the
expanded rollout.

6.05 For financial institutions with subsidiaries, will SSA allow different subsidiaries to apply
individually or does a subsidiary need to apply at the higher financial institution level?
Financial institutions’ subsidiaries are, by definition, permitted entities under the law. Permitted
entities must provide an EIN with their application. Only one application will be accepted per EIN. So
if a financial institution has the same EIN as its subsidiaries, the subsidiaries must apply at the
financial institution level.

6.06 Some permitted entities are both a financial institution and a service provider to financial
institutions. Would SSA require that each permitted entity submit separate applications for its
activities as a financial institution and as a service provider to the financial institution, or would
that permitted entity be able to serve in both capacities under the single application?
A financial institution’s service provider should only submit one application. Each SSN verification
request submitted by a service provider must include an identifier, so that SSA can identify
transactions by each financial institution the service provider services, and to identify the service
/

provider for their own permitted entity transactions. Remember, a service provider can only accept
electronic signatures on consents for transactions when servicing a financial institution.

6.07 Who decides the amount of queries for each permitted entity in the initial rollout? SSA or
the permitted entity? How are the queries prorated?
Permitted entities will select an estimated annual transaction volume. For the initial period and until
the expanded rollout, permitted entity’s volumes will be limited to a quarterly (1/4) prorated amount
of their estimated annual transaction volume.

6.08 Once fully implemented, is a permitted entity restricted to the amount of queries used
during the initial rollout phase?
Permitted entities will enroll and sign a User Agreement for a 365-day period, which specifies their
estimated annual transaction volume, whether they begin in the initial rollout or the expanded
rollout. Permitted entities must stay within their assigned tier level based on the estimated volume. If
a permitted entity reaches the maximum volume of their tier level, no further transactions will be
processed unless the permitted entity enters into a new User Agreement with a new 365-day period
and a higher tier level.

6.09 What happens if the number of queries exceed the specified limits established for any
given permitted entity? How will limits be calculated/enforced? Will it be daily, weekly, monthly,
or some other specified time horizon?
The eCBSV system will monitor transactions in real time, and provide an alert when a permitted
entity nears their tier level transaction limit. If no action is taken by the permitted entity to establish a
new tier level and user agreement, no transactions will be processed over their tier level.

/

6.10 If I am a company that supports financial institutions with decision management solutions,
that includes the opening of new accounts, and determine that I qualify as a permitted entity,
do I need to apply for eCBSV? Do I need to apply if I am not requesting the SSN verification
directly from SSA?
You should apply for eCBSV if you wish to obtain SSN verifications directly from SSA.  Each SSN
verification request submitted to SSA must be supported by an individual consent, including
electronic consent.  If you are supporting financial institutions by obtaining information from another
service provider who is already an eCBSV customer, please be aware that the other service provider
may not share with you the results of its SSN verification request.

7. Initial Rollout (NEW)
7.01 Is this the final list of those selected for the initial rollout? I wasn’t on the list of companies
selected. Does that mean that I am not selected for the initial rollout?
SSA has made selections for the initial rollout of eCBSV. Each company selected must complete a
reimbursable agreement and pay their portion of the 50 percent program startup costs to be fully
enrolled. If any company selected opts not to complete the agreement and payment, SSA will select
another company to replace them in the initial rollout. Therefore, we must wait until all selected
companies finalize their enrollment before we can notify you of your status. We anticipate
completing the enrollments by November 2019, at such time we will send you an individual
notification if you are ultimately not selected.
If you are not selected and you have received notification from us of your complete application, you
will be invited to participate in the expanded rollout approximately 6 months following the initial
rollout. We thank you for your continued interest.

/

8. Other
8.01 Is there a process or timeline available?
Yes, see below.  Please note, these are estimated dates and are subject to change.  SSA will provide
selected permitted entities with the most up-to-date information.
June 7, 2019: Federal Register Notice published
July 17 – July 31, 2019: Initial enrollment period and 50 percent cost collection
August 2019: Industry Day including high-level draft technical requirements
April 2020: User agreement and eSignature requirements posted
May 2020: Selected permitted entities receive agreement package to submit to SSA
June 2020: Implementation for selected permitted entities
September 2020: Notification of expanded rollout
October – December 2020: Expanded rollout implementation

8.02 If a consumer disputes SSA’s verification response, what action should he or she take?
If the eCBSV User ensures that the data submitted to SSA matches the information provided by the
consumer on the consent form, and the consumer verifies the accuracy of the consent data
provided, then the eCBSV User can direct the consumer to his or her local SSA Field Office to
determine the nature of the problem.

8.03 Will financial institutions’ service providers, subsidiaries, affiliates, agents,
subcontractors, or assignees be able to pool and/or allocate queries across multiple financial
institutions they service?
/

Yes, financial institutions’ service providers, subsidiaries, affiliates, agents, subcontractors, or
assignees may allocate transactions any way they like. SSA will only track the number of
transactions at the eCBSV User (who enters into the User Agreement with SSA) level.

8.04 Who determines if I am a permitted entity?
You must determine if you are a permitted entity.  Review all of the requirements as provided in PL
115-174, 215(b)(4), and provide a certification statement to SSA at least every two years as
required by PL 115-174.  See the Eligibility tab for more details.

8.05 As a permitted entity service provider, will we be allowed to provide the eCBSV to all of
our clients or just the financial institutions?
As a permitted entity, you may only use eCBSV with electronically signed consents for your
approved activities as a permitted entity and for other permitted entities approved activities under
PL 115-174.  You may not submit verification requests for entities that are not permitted under the
definition.

8.06 Can permitted entities change their annual transaction estimates from one year to the
next, or do they have to stay in the same tier or higher forever?
A permitted entity should estimate their annual transactions based on how many they anticipate
requesting in the first year (365 day usage).  Every year after that, the permitted entity has the
option to stay at the same tier, or go up or down in tier levels.  The only limitation imposed on a
permitted entity tier level is when an entity exhausts all transactions within their year (365-day
period).  In that situation, SSA requires that the permitted entity move to the next higher tier level
and sign a new user agreement to continue enrollment.
/

8.07 Can you clarify what the "annual number of transactions" is based on? Some of us in the
bank believe that it may be implying projected use of this service (number of inquiries) while
others believe that it may be implying all banking activities such as deposits, withdrawals, and
others.
The annual number of transactions refers to the number of requests for verification that a
permitted entity plans to send to SSA annually.

8.08 What is the difference between the services provided by the eCBSV and the TIN
matching program provided by the IRS? The IRS TIN matching program as outlined in
Publication 2108A seems to provide similar services for TIN matching, so I am trying to
determine what differences (if any) exist between the SSA and IRS services.
SSA is unable to provide you with any information regarding the IRS TIN Matching program. We
can tell you that SSA is the authoritative source for the Social Security Number (SSN). eCBSV will
provide SSN verifications to enrolled permitted entities. An SSN verification is verification that a
name, SSN, and date of birth combination matches (or does not match) our records.

9. Technical
9.01 Is SSA planning to present information on the eCBSV system at any upcoming
conferences or events?
SSA will not be presenting at any upcoming conferences or events.   However, SSA is planning an
“eCBSV Industry Day” to share high-level draft technical requirements.  We anticipate holding this
event in August 2019.
/

9.02 What sort of service level agreement does SSA envision? Will the system be available
24/7/365, or only for a certain number of hours each day?
Since we have not yet built the verification system, we cannot provide service level details at this
time.  However, we anticipate providing eCBSV with the same availability or better of the existing
CBSV application, which is as follows:
Day

Time

Monday – Friday     

5:00 AM to 1:00 AM Eastern Standard Time

Saturday

5:00 AM to 11:00 PM Eastern Standard Time

Sunday

8:00 AM to 11:30 PM Eastern Standard Time

9.03 How long will it take to get a response from the system; will it be in real-time or near
real-time?
The verification system will provide a real-time response. We do not distinguish between real-time
or near real-time.

9.04 How will SSN and other information be submitted for verification; will it be a website or
another type of interface?
For the initial rollout in June 2020, participants will send requests via an Application Programming
Interface (API).  More details regarding the API will be provided with the technical requirements. 
For the expanded rollout, participants will be able to submit requests through a user interface or
the API.

9.05 What data is available to set expectations around the performance of the service with
respect to successfully confirming good identities and successfully refuting
/

fraudulent/misused data?
A. SSA’s verification of an SSN does not authenticate the identity of the individual or conclusively
prove that the individual submitting the information is who he or she claims to be. SSA’s
positive response on the name, date of birth, and SSN of an SSN verification only establishes
that the submitted information matches the information contained in SSA’s records. The CBSV
User Agreement specifically states:

“
SSA’s verification of an SSN does not provide proof or confirmation of identity….CBSV does
not verify employment eligibility, nor does it interface with the Department of Homeland
Security’s (DHS) verification system, and it will not satisfy DHS’s I-9 requirements.

SSA cannot speak to CBSV user recipients’ experience in “confirming good identities.” SSA does
not collect feedback from CBSV user recipients about their success or fallout from verifying
SSNs through CBSV.

9.06 Will SSA create a capability for permitted entities to test the interface to the eCBSV
service in advance of the service going live?
Yes, permitted entities will have the ability to test the eCBSV interface. More details will be
provided once we build the system.

/

Social Security

eCBSV Archive
This is an archival or historical document and may not reflect current policies or procedures.
eCBSV Home

October 10, 2019 - eCBSV Industry Call Script

Eligibility

SSA conducted an eCBSV Industry Call on Thursday, July 11, 2019, to share information about the current
enrollment process. The script for that call can be found here

.

Fees
October 10, 2019 - eCBSV Enrollment period (July 17, 2019 to July 31, 2019)
Enrollment
Technical Information
FAQs
Archive
Get Page Updates

Permitted entities that wish to enroll must:
Complete form SSA-157
(OMB No. 0960-0802), Data Exchange Request Form (DXRF) with
additional Forms SSA-157
for any permitted entities you will service.
Follow instructions for completing Form SSA-157
application.

, including the certification statement within the

Submit the completed document beginning July 17, 2019, at 6:00 a.m. EST to [email protected], but no
later than July 31, 2019, at 6:00 p.m. EST.
Following the enrollment period, Social Security will select and notify the selected permitted entities
and provide the necessary instructions to complete enrollment, including billing information.
Selected permitted entities will be required to complete and sign a reimbursable memorandum of
understanding
with payment. Refer to the “Fees” tab on the left for further information.
Selected permitted entities will be required to sign a user agreement closer to June 2020 rollout.
October 10, 2019 - eCBSV Enrollment FAQ
2. Application

/

2.01 Question two in the SSA-157 application indicates applicants should mark “commercial
entity” and to indicate whether the entity is a financial institution. Please confirm how an entity
can enter both pieces of information.
Permitted entities can check the commercial entity box, then indicate in the blank space of the box
that they are a financial institution in accordance with P.L. 115-174.

2.02 The SSA-157 application question three states, “Briefly state the purpose for requesting this
information and tell us how your organization will use the data.” Is SSA’s intent that firms
should list every possible FCRA-covered product or service that a given firm may use eCBSV for,
or is “banking service” sufficiently broad to cover everything? Also, can multiple purposes can
be stated?
Permitted entities may select multiple purposes as appropriate for any anticipated use of eCBSV that
is in accordance with P.L. 115-174. “Banking service” is too broad to identify the specific purpose.

2.03 For the SSA-157 application question 12, can general descriptions of positions be listed and
can this information be amended closer to the initial rollout?
Yes, general descriptions may be provided and may be amended later if necessary. More importantly,
permitted entities who are financial institutions’ service providers, subsidiaries, affiliates, agents,
subcontractors, or assignees must also provide the list of each financial institution and EIN that they
will service.

2.04 Do the SSA-157 instructions only apply to financial institutions’ service providers,
subsidiaries, affiliates, agents, subcontractors, or assignees?

/

No. The instructions are to provide additional information to assist the applicant with completing the
application, and do not limit who may apply.

2.05 Since question 12 of the SSA-157 requires financial institutions’ service providers,
subsidiaries, affiliates, agents, subcontractors, or assignees to provide a list of up to 20 financial
institutions that they will service during the initial rollout and those entities must also submit an
application, does that mean that the 20 financial institutions must be selected by SSA for the
initial rollout?
No. Only the eCBSV User entering into a User Agreement with SSA will be “selected” for the initial
rollout. The eCBSV User must meet the definition of a permitted entity in accordance with P.L. 115174. Applications submitted by financial institutions – who are permitted entities - that will be
serviced by a service provider, subsidiary, affiliate, agent, subcontractor, or assignee – who are also
permitted entities - will only be considered in conjunction with the service provider, subsidiary,
affiliate, agent, subcontractor, or assignee’s application. SSA will link the financial institutions’ EIN on
their application with the list of EINs provided on the service provider, subsidiary, affiliate, agent,
subcontractor, or assignee’s application in question 12. The eCBSV User/ service provider, subsidiary,
affiliate, agent, subcontractor, or assignee may update or alter the list of financial institutions prior to
rollout; however, any new financial institution added will be required to submit an SSA-157 prior to
rollout.

2.06 Regarding question 14 in the SSA-157, can you confirm that “daily” should be the answer
given as a real-time, as-needed service?
The answer is dependent upon each permitted entity’s business process. While it is a real-time
service, not all permitted entities may intend to submit transactions on a daily basis; therefore, they
should select the most appropriate answer based on their anticipated business needs.

/

2.07 Regarding question 15 in the SSA-157 application, what is the starting point of the annual
estimate?
Permitted entities should estimate the number of transactions they will perform on an annual basis
for their 365-day agreement period; therefore, the starting point is the beginning of their agreement
period.

2.08 Regarding question 15 in the SSA-157 application, it is likely that at least some permitted
entities participating in the initial rollout will only do so for some – but not all – of their
products and services; meaning their estimated volume for the initial rollout will be smaller than
their volume in the expanded rollout. How should permitted entities account for this difference?
Permitted entities selected for the initial rollout will begin transactions in June 2020 and continue
through for a 365-day period. Their transactions will be limited to a quarterly (1/4) prorated amount
until the expanded rollout. Once the expanded rollout begins, their transactions will no longer be
limited to quarterly amounts and will continue for the full 365-day period. Therefore, permitted
entities enrolling in the initial rollout should estimate their annual transaction volume based on their
anticipated use for the entire year.

2.09 Regarding question 16 in the SSA-157 application, some larger permitted entities have
multiple subsidiaries, some of which may want to access eCBSV differently than others. Can a
financial institution apply to have direct access to eCBSV in the initial phase and subsequently
decide to buy some or all of its access from a service provider, subsidiary, affiliate, agent,
subcontractor, or assignee, who meets the definition of permitted entity?
Yes, financial institutions may apply for direct access to eCBSV, and also request transactions through
a service provider, subsidiary, affiliate, agent, subcontractor, or assignee, who will meet the definition
of permitted entity; however, their estimated annual volume of transactions and tier-based payment
level will only apply to their direct access. Any funds provided in the initial rollout to cover the
program startup costs can only be applied to the direct access account for which they were provided.

/

Any transactions requested on their behalf by a service provider, subsidiary, affiliate, agent,
subcontractor, or assignee are attributable only to the service provider, subsidiary, affiliate, agent,
subcontractor, or assignee and are subject to any charges the service provider, subsidiary, affiliate,
agent, subcontractor, or assignee imposes on the financial institution.

2.10 Along with our application listing the Financial Institutions that we will service as a
subcontractor, is each of those institutions also required to submit an application as well?
Yes, every permitted entity must submit an application.  SSA will correlate their individual application
using their EIN to their service provider’s application list of permitted entities they will service, to
identify all permitted entities.  Also, SSA is required to receive a permitted entity certification (see
Eligibility tab for more details) from every permitted entity regardless of whether they apply directly
or through a service provider.

2.11 Should the response to question 12 of the SSA-157 include BOTH the service provider’s
organization and job functions that will have access to SSA-provided information AND the
names and EIN’s of the permitted entities to be serviced?
Yes.

2.12 Entities such as credit reporting agencies are considered a financial institution for GLBA
purposes. Please confirm that credit reporting agencies should apply as a service provider.
If the credit reporting agency as defined as a financial institution is only submitting transactions for
themselves, then they should apply as a financial institution. If the credit reporting agency is
servicing other permitted entities, or both performing transactions for themselves and servicing
other permitted entities, then they should apply as a service provider.

/

2.13 For fintech companies that plan to use the eCBSV service to augment verification and fraud
products for financial institutions, is it a requirement to list the financial institution clients if the
financial institutions will not receive the raw responses from eCBSV? If the answer is yes it is
unclear if the financial institutions must apply at the same time as the fintech company in the
July 17 – July 31 window. Does the fintech company need to coordinate with the financial
institutions and all apply at the same time? If the volume for the Financial Institutions is then
zero, because it will all go through the fintech company, must they still pay the application fee?
A qualified enrollee of the eCBSV service must be a permitted entity as defined by section 509 of the
Gramm-Leach-Bliley Act. 42 USCA 405b(b)(4), Pub. L. No. 115-174, Title II, §215(b)(4). If a fintech
company determines that they meet the definition of a permitted entity as a service provider,
subsidiary, affiliate, agency, subcontractor, or assignee of a financial institution, then they must
identify the financial institution they are servicing in order to qualify regardless of how they share the
verification results.
To apply, the fintech company as a service provider must complete the SSA-157 identifying all of the
permitted entities’ EINs that they will service during the initial enrollment period, up to 20. Each
permitted entity they will service must also complete the SSA-157 form to include the permitted
entity certification, and submit it during the enrollment period; however, SSA will accept changes if
needed prior to the initial rollout. No fees are charged for submitting an application. The service
provider may choose to consolidate all SSA-157s for each of the permitted entities they will service
with their own SSA-157 application to submit in one email to SSA.

2.14 If a service provider were to append applications for only 19 of the 20 financial institutions
listed on that service providers own application for eCBSV, could that final Financial Institution
submit its application separately within the application period in July? Would that damage the
chances of the service provider to be selected for the pilot? Additionally, if that last Financial
Institution fails to submit their application in the enrollment period, would the service provider
be required to update their application to remove that particular financial institution?
/

Yes, we would accept the 20th application later during the enrollment period, and we will also accept
changes to the 20 approved financial institutions - permitted entities at any time leading up to the
initial rollout in June 2020 with no adverse impact on the service provider’s – permitted entity’s initial
application or potential selection. The service provider would be required to provide us with those
changes via a corrected SSA-157 with the financial institution - permitted entity EIN listed and we
would have to receive an SSA-157 from any added financial institution - permitted entities before we
would begin providing transactions to that permitted entity.

2.15 For a bank that has two legal entities, do we have to submit a separate application (SSA157) for each entity or can we submit one that includes both and list them in field 12? If we have
to submit separate applications for each legal entity, would we have to estimate annual volumes
for each legal entity and pay accordingly for each legal entity according to your fee tables?
Every individual entity with a unique EIN must be separately identified as a permitted entity. So, if
two legal entities have two separate EINs, then you must submit an application for each entity. Each
would be entirely separate entities, user agreements, volume estimates, and tier level fees, etc.

2.16 If fields in the sample application provided for the SSA-157 instructions have "N/A" in
several of the fields (e.g. fields 6, 7, 8, 9, 11, 17). Does the "N/A" mean that you are not
requesting nor requiring an answer for those fields?
Correct. If N/A is provided, you do not need to answer those questions.

2.17 Does the "No" in field 13 of the sample application provided for the SSA-157 instructions
imply that the only answer for that question can be "No"?
/

It means that we have determined that all applicants for eCBSV must answer “no” to this question,
and you cannot share the data with anyone other than those listed in question 12.

2.18 Does the "No" in field 20 of the sample application provided for the SSA-157 instructions
imply that the only answer for that question can be "No" thereby meaning we cannot use an
external commercial cloud service provider to store or process the SSA information?
SSA has determined that eCBSV permitted entities may not store the actual verification response that
SSA provides in any format or location; therefore, you must annotate “No” to this question. You will
be authorized to use the verification response only for the purpose stated on the consumer consent,
may record the fact of the verification, but may not make any further use or disclosure of the verified
SSN.

2.19 Can a service provider that services multiple permitted entities (financial institutions) share
the results of a SSN verification obtained on behalf of one permitted entity with another
permitted entity, provided both permitted entities met all the other requirements for eCBSV
participation?
No. Each verification request must be supported by an individual signed consumer consent for one
specified purpose authorizing the disclosure to the specific permitted entity for which the verification
is provided. Also, keep in mind, each service provider is a “permitted entity” for purposes of Section
215 of the Economic Growth, Regulatory Relief, and Consumer Protection Act, Public Law (PL)115174.

2.20 The instructions provided by SSA labels question 6 as N/A. For companies that currently
validate SSN, Name and DOB combinations using SSA-89, should this be stated in our answer to
/

question 6, or is question 6 specific to eCBSV? This then brings us to question 23. SSA
instructions state that we should indicate whether or not we are a current CBSV user. We’d like
to confirm or deny that our usage of SSA-89 makes us a current CBSV user.
Regarding question 6 on the SSA-157, SSA annotated on the instructions that you may mark this
response as N/A. You do not need to respond to that question. For question 23, if you are a current
CBSV user with a formal, executed CBSV User Agreement, then you are a CBSV User, and should
identify yourself as such in this question.

2.21 SSA instructions on question 18, label this question as “No.” However we are not a federal
agency and would like to confirm this question should be answered as “Non Applicable – NonFederal Agency” and then provide an answer to question 19.
For question 18, you should appropriately mark “Not Applicable – Non-Federal Agency” and respond
to question 19.

2.22 How are permitted entities supposed to list the 20 FIs they plan on servicing through
eCBSV on the SSA-157? Do we fill box 12 and then use box 36 as an overflow or should we
attach the list in some other fashion?
You may enter the list of EINs in box 12 or box 36, or submit a separate list.

2.23 Will SSA provide confirmation of receipt of a submitted application, and will such
confirmation include a time stamp of receipt?
Yes, we will provide a confirmation and it will include the time stamp of receipt.
/

2.24 If a financial institution submits a single application indicating its intent to run all of its
volume through a single service provider, and then that service provider is not selected by SSA,
what options does the financial institution have?
None, unless they apply independently.

2.25 For the SSA-157 application question 12, you mention in other FAQs that SSA will associate
all financial institution applications with service providers based upon the lists they provide. Is
there anywhere for the financial institution to indicate the service provider they will be using?
No, not specifically on the SSA-157. SSA will associate the EIN on the financial institution’s
application with the list on the service provider’s application. The service provider may also gather all
financial institutions’ SSA-157s and submit them together in one application email to SSA. Or the
financial institution may indicate its intent in the financial institution’s own application email to SSA.

2.26 For the SSA-157 application question 12, it is mentioned in other FAQs that the list of
financial institutions being serviced can be adjusted prior to rollout. Can we just supply a list at
a later date since we are a year away? Do any and all financial institutions have to have the
application in by the end of the month or we cannot then service them?
No, as the service provider you must provide at least an initial list now; however, we will accept
changes before the initial rollout in June 2020. And, no, as previously stated, you can make changes
to your list of financial institutions up to the initial rollout date in June 2020; therefore, the financial
institutions you want to service may submit their application for being serviced by you later as well.
Please note, if the financial institutions intend to participate in eCBSV directly with SSA, not through
anyone as a service provider, their application must be received during the enrollment period to be
considered for both the initial and the expanded rollouts.
/

2.27 I read that we must provide a signed permitted entity certification. The directions state to
have information about this input into the Additional Comments section. There is no space on
the form requiring a signature. Do we need to sign a separate document?
There is no need to sign the SSA-157 or permitted entity certification at this time. Permitted entities
will be required to sign a certification at the time of selection for the initial rollout. SSA is building
the new eCBSV service to include the capability to provide an electronic signature on the certification
for those enrolled later.

2.28 Is there any potential conflict in us submitting an SSA-157 on our own and also allowing a
different provider to submit an SSA-157 naming us as a client in their application?
No, the SSA-157 may be submitted both ways.

2.29 For question 11, are you able to provide examples of the legal authority that organizations
usually use in order to access this information for fraud/identity theft prevention purposes? Is
this covered under the FCRA?
You do not need to respond to Question 11. It is indicated as not applicable (N/A) on the SSA-157
instructions.

2.30 For question 12, since we must provide the permitted entities names and EINs, is the SSA
willing to sign a Mutual Non-Disclosure Agreement (MNDA)?
No.

/

 

/


File Typeapplication/pdf
File Modified2020-03-03
File Created2020-03-03

© 2024 OMB.report | Privacy Policy