CBA Comment Letter re Agency Information Collection Activities
Dear Mr. Lowman:
The undersigned associations appreciate the opportunity to comment on the Social Security Administration’s (“SSA”) proposed amendments to the User Agreement and Technical Specifications and Systems Security documents for participants in the SSA’s electronic Consent Based Social Security Number (“SSN”) Verification (“eCBSV”) Service, as well as the document titled “Addendum to the Supporting Statement for Electronic Consent Based Social Security Number Verification, 20 CFR 401.100 OMB No. 0960-0817 (“the Addendum”), issued for notice and comment under the Paperwork Reduction Act (“PRA”). We appreciate the SSA’s willingness to engage with us and our member firms as it develops the system and implements Section 215 of the Economic Growth, Regulatory Relief, and Consumer Protection Act of 2018 (the “Banking Bill”).
We strongly oppose approval of the amendments to the eCBSV User Agreement contained in this proposed collection request. As currently drafted, the proposed amendments would (1) disenfranchise many American citizens traveling or living outside of the jurisdiction of the United States, including deployed servicemembers; (2) inappropriately and unnecessarily expand SSA’s regulatory authority; and (3) impose excessive burdens on users of the system. Collectively, these proposals represent a significant regression in the progress SSA has made to date with eCBSV and undermine the intent of the eCBSV as a tool to prevent fraud. Further, SSA has not provided a clear articulation of its basis for these amendments, and very little explanation or justification. As such, SSA cannot demonstrate that the elements of its proposed information collection are “necessary for the proper performance of the functions of the agency,”3 or that they provide “utility” to the federal government or the public, as SSA is required to demonstrate under the PRA.4
Critically, it is important to highlight the impact these proposed changes are likely to have on fraud in the United States. Today, a portion of identity fraud affecting Americans originates outside the United States. The proposed changes would make it impossible to protect against that. Were these changes to take effect, we would expect to see a dramatic spike in synthetic identity fraud attempts against Americans originating outside our borders as fraudsters realize that an IP address traced by a bank to just outside the U.S. border with Mexico or Canada means the eCBSV will not be available to screen those applications for fraud.
In this letter, we provide analysis and recommendations for the four issues we have identified that, if addressed, will ensure the ongoing development of the eCBSV is not compromised and that the proposed changes meet the requirements of the PRA.
1) Restrictions on the “transferring” and “processing” of SSN Verifications or Written Consents will harm Americans abroad, including servicemembers, and perpetuate fraud from outside the jurisdiction of the United States.
In exchanges with SSA prior to publication of this collection request, we understood the genesis of the proposed changes to be a concern within SSA over the storage of SSA’s data, and in particular, where it would be physically stored by Permitted Entities. This idea is corroborated in the Addendum to this proposed collection request when SSA states as justification “We are including this language to make it clear that the Permitted Entities must ensure the security and confidentiality of SSN Verifications and Written Consent which they store.” (Emphasis added). We do not disagree with amendments to the User Agreement intended to help ensure the security and confidentiality of SSA-owned data, so long as those amendments adhere to SSA’s statutory authority under the Banking Bill and other federal agency guidelines.
However, the proposed changes to the User Agreement and technical documentation go beyond restricting how SSA data is stored to include restrictions on the “transferring” and “processing” of SSN Verifications and Written Consents. In attempting to regulate how Permitted Entities process and transfer information from eCBSV, SSA is putting restrictions not just on the location of the data at rest, but also is imposing restrictions based on the physical location of where the consumer is applying for the financial product.