Thank you for your interest in the electronic Consent Based Social Security Number Verification (eCBSV) service. We are reviewing questions received and will be posting responses here periodically. Please check this page frequently for updates. You may submit questions to eCBSV@ssa.gov.
1.02 The Reimbursable Memorandum of Understanding’s period of performance is August 1, 2019 through September 30, 2019. Is the expectation that participating firms will integrate to the eCBSV service and submit production transactions during the course of this 2-month period?
1.03 The Reimbursable Memorandum of Understanding (MOU) shows a beginning period of August 1, 2019; however, the enrollment period ends on July 31, 2019. That does not appear to give sufficient time for SSA to notify selected permitted entities. When will entities be notified and how will that impact the MOU?
2.01 Question two in the SSA-157 application indicates applicants should mark “commercial entity” and to indicate whether the entity is a financial institution. Please confirm how an entity can enter both pieces of information.
2.02 The SSA-157 application question three states, “Briefly state the purpose for requesting this information and tell us how your organization will use the data.” Is SSA’s intent that firms should list every possible FCRA-covered product or service that a given firm may use eCBSV for, or is “banking service” sufficiently broad to cover everything? Also, can multiple purposes can be stated?
2.05 Since question 12 of the SSA-157 requires financial institutions’ service providers, subsidiaries, affiliates, agents, subcontractors, or assignees to provide a list of up to 20 financial institutions that they will service during the initial rollout and those entities must also submit an application, does that mean that the 20 financial institutions must be selected by SSA for the initial rollout?
2.08 Regarding question 15 in the SSA-157 application, it is likely that at least some permitted entities participating in the initial rollout will only do so for some – but not all – of their products and services; meaning their estimated volume for the initial rollout will be smaller than their volume in the expanded rollout. How should permitted entities account for this difference?
2.09 Regarding question 16 in the SSA-157 application, some larger permitted entities have multiple subsidiaries, some of which may want to access eCBSV differently than others. Can a financial institution apply to have direct access to eCBSV in the initial phase and subsequently decide to buy some or all of its access from a service provider, subsidiary, affiliate, agent, subcontractor, or assignee, who meets the definition of permitted entity?
2.11 Should the response to question 12 of the SSA-157 include BOTH the service provider’s organization and job functions that will have access to SSA-provided information AND the names and EIN’s of the permitted entities to be serviced?
2.13 For fintech companies that plan to use the eCBSV service to augment verification and fraud products for financial institutions, is it a requirement to list the financial institution clients if the financial institutions will not receive the raw responses from eCBSV? If the answer is yes it is unclear if the financial institutions must apply at the same time as the fintech company in the July 17 – July 31 window. Does the fintech company need to coordinate with the financial institutions and all apply at the same time? If the volume for the Financial Institutions is then zero, because it will all go through the fintech company, must they still pay the application fee?
A qualified enrollee of the eCBSV service must be a permitted entity as defined by section 509 of the Gramm-Leach-Bliley Act. 42 USCA 405b(b)(4), Pub. L. No. 115-174, Title II, §215(b)(4). If a fintech company determines that they meet the definition of a permitted entity as a service provider, subsidiary, affiliate, agency, subcontractor, or assignee of a financial institution, then they must identify the financial institution they are servicing in order to qualify regardless of how they share the verification results.
To apply, the fintech company as a service provider must complete the SSA-157 identifying all of the permitted entities’ EINs that they will service during the initial enrollment period, up to 20. Each permitted entity they will service must also complete the SSA-157 form to include the permitted entity certification, and submit it during the enrollment period; however, SSA will accept changes if needed prior to the initial rollout. No fees are charged for submitting an application. The service provider may choose to consolidate all SSA-157s for each of the permitted entities they will service with their own SSA-157 application to submit in one email to SSA.
2.14 If a service provider were to append applications for only 19 of the 20 financial institutions listed on that service providers own application for eCBSV, could that final Financial Institution submit its application separately within the application period in July? Would that damage the chances of the service provider to be selected for the pilot? Additionally, if that last Financial Institution fails to submit their application in the enrollment period, would the service provider be required to update their application to remove that particular financial institution?
Yes, we would accept the 20th application later during the enrollment period, and we will also accept changes to the 20 approved financial institutions - permitted entities at any time leading up to the initial rollout in June 2020 with no adverse impact on the service provider’s – permitted entity’s initial application or potential selection. The service provider would be required to provide us with those changes via a corrected SSA-157 with the financial institution - permitted entity EIN listed and we would have to receive an SSA-157 from any added financial institution - permitted entities before we would begin providing transactions to that permitted entity.
2.15 For a bank that has two legal entities, do we have to submit a separate application (SSA-157) for each entity or can we submit one that includes both and list them in field 12? If we have to submit separate applications for each legal entity, would we have to estimate annual volumes for each legal entity and pay accordingly for each legal entity according to your fee tables?
Every individual entity with a unique EIN must be separately identified as a permitted entity. So, if two legal entities have two separate EINs, then you must submit an application for each entity. Each would be entirely separate entities, user agreements, volume estimates, and tier level fees, etc.
2.16 If fields in the sample application provided for the SSA-157 instructions have "N/A" in several of the fields (e.g. fields 6, 7, 8, 9, 11, 17). Does the "N/A" mean that you are not requesting nor requiring an answer for those fields?
Correct. If N/A is provided, you do not need to answer those questions.
It means that we have determined that all applicants for eCBSV must answer “no” to this question, and you cannot share the data with anyone other than those listed in question 12.
2.18 Does the "No" in field 20 of the sample application provided for the SSA-157 instructions imply that the only answer for that question can be "No" thereby meaning we cannot use an external commercial cloud service provider to store or process the SSA information?
SSA has determined that eCBSV permitted entities may not store the actual verification response that SSA provides in any format or location; therefore, you must annotate “No” to this question. You will be authorized to use the verification response only for the purpose stated on the consumer consent, may record the fact of the verification, but may not make any further use or disclosure of the verified SSN.
2.19 Can a service provider that services multiple permitted entities (financial institutions) share the results of a SSN verification obtained on behalf of one permitted entity with another permitted entity, provided both permitted entities met all the other requirements for eCBSV participation?
No. Each verification request must be supported by an individual signed consumer consent for one specified purpose authorizing the disclosure to the specific permitted entity for which the verification is provided. Also, keep in mind, each service provider is a “permitted entity” for purposes of Section 215 of the Economic Growth, Regulatory Relief, and Consumer Protection Act, Public Law (PL)115-174.
2.20 The instructions provided by SSA labels question 6 as N/A. For companies that currently validate SSN, Name and DOB combinations using SSA-89, should this be stated in our answer to question 6, or is question 6 specific to eCBSV? This then brings us to question 23. SSA instructions state that we should indicate whether or not we are a current CBSV user. We’d like to confirm or deny that our usage of SSA-89 makes us a current CBSV user.
Regarding question 6 on the SSA-157, SSA annotated on the instructions that you may mark this response as N/A. You do not need to respond to that question. For question 23, if you are a current CBSV user with a formal, executed CBSV User Agreement, then you are a CBSV User, and should identify yourself as such in this question.
2.21 SSA instructions on question 18, label this question as “No.” However we are not a federal agency and would like to confirm this question should be answered as “Non Applicable – Non-Federal Agency” and then provide an answer to question 19.
For question 18, you should appropriately mark “Not Applicable – Non-Federal Agency” and respond to question 19.
2.22 How are permitted entities supposed to list the 20 FIs they plan on servicing through eCBSV on the SSA-157? Do we fill box 12 and then use box 36 as an overflow or should we attach the list in some other fashion?
You may enter the list of EINs in box 12 or box 36, or submit a separate list.
Yes, we will provide a confirmation and it will include the time stamp of receipt.
2.24 If a financial institution submits a single application indicating its intent to run all of its volume through a single service provider, and then that service provider is not selected by SSA, what options does the financial institution have?
None, unless they apply independently.
2.25 For the SSA-157 application question 12, you mention in other FAQs that SSA will associate all financial institution applications with service providers based upon the lists they provide. Is there anywhere for the financial institution to indicate the service provider they will be using?
No, not specifically on the SSA-157. SSA will associate the EIN on the financial institution’s application with the list on the service provider’s application. The service provider may also gather all financial institutions’ SSA-157s and submit them together in one application email to SSA. Or the financial institution may indicate its intent in the financial institution’s own application email to SSA.
2.26 For the SSA-157 application question 12, it is mentioned in other FAQs that the list of financial institutions being serviced can be adjusted prior to rollout. Can we just supply a list at a later date since we are a year away? Do any and all financial institutions have to have the application in by the end of the month or we cannot then service them?
No, as the service provider you must provide at least an initial list now; however, we will accept changes before the initial rollout in June 2020. And, no, as previously stated, you can make changes to your list of financial institutions up to the initial rollout date in June 2020; therefore, the financial institutions you want to service may submit their application for being serviced by you later as well. Please note, if the financial institutions intend to participate in eCBSV directly with SSA, not through anyone as a service provider, their application must be received during the enrollment period to be considered for both the initial and the expanded rollouts.
2.27 I read that we must provide a signed permitted entity certification. The directions state to have information about this input into the Additional Comments section. There is no space on the form requiring a signature. Do we need to sign a separate document?
There is no need to sign the SSA-157 or permitted entity certification at this time. Permitted entities will be required to sign a certification at the time of selection for the initial rollout. SSA is building the new eCBSV service to include the capability to provide an electronic signature on the certification for those enrolled later.
No, the SSA-157 may be submitted both ways.
2.29 For question 11, are you able to provide examples of the legal authority that organizations usually use in order to access this information for fraud/identity theft prevention purposes? Is this covered under the FCRA?
You do not need to respond to Question 11. It is indicated as not applicable (N/A) on the SSA-157 instructions.
Consent must be captured in accordance with the requirements SSA will set forth in the User Agreement. SSA will require consent be captured (1) on a properly-signed SSA-89, Authorization for SSA to Release SSN Verification in either paper format, fillable-PDF or other electronic format, or (2) in some other electronic process consistent with the permitted entity’s existing business process and SSA’s Privacy Act-compliant template language, provided in the eCBSV User Agreement. Moreover, SSA’s signature – including electronic signature requirements will be set forth on SSA’s website and incorporated by reference into the User Agreement.
The eCBSV user must retain the signed consent for a period of five (5) years from the date of the verification request in its original format.
Every permitted entity selected will pay a portion of the 50 percent of the program startup costs, and an initial administrative fee of $3,693. SSA will apply all program startup costs collected to each permitted entity’s annual tier-based subscription fee each year until recouped by the permitted entity.
The permitted entities participating in the initial rollout may be charged additional costs at rollout, if their initial contribution was not sufficient to cover their selected tier-based transactions charge. Again, this is dependent upon the number of permitted entities selected, the estimated annual transaction volumes, and the associated costs at the time of rollout.
Permitted entities selected for the small rollout will be required to submit their prorated portion of the estimated 50 percent startup costs once they are notified by SSA. Prior to rollout in June 2020, the permitted entity will be required to submit the annual subscription fee for their transaction tier selected plus administrative fees as necessary, if greater than their initial 50 percent program startup costs contribution (see previous FAQ).
The annual subscription fee includes the remaining 50 percent startup costs plus other costs the agency will incur for eCBSV services. The permitted entity will not be expected to submit any other fees beyond these noted here for their first year of enrollment.
The chart below provides an estimate of the tier levels and their fees based on approximately 100 participating companies in the expanded rollout as identified from applications received in the enrollment period. These fees will be charged for both the initial and expanded rollout. These are only estimates and may change if the volume of companies participating is higher or lower than 100, if their volumes of transactions are not as anticipated, and if costs are higher or lower than estimated.
|eCBSV Subscription Estimate 100 Participating Permitted Entities*|
*This chart provides an example of how we will charge for the eCBSV service. These fees are subject to change and are based on an estimated 100 participating companies the first year of eCBSV services. The tiers are based on volumes we estimated with the data provided to us at this point in time. Both the fee and tiers could change once we have better data during the open enrollment period. Once startup and systems development costs have been fully restored, fees will likely decrease.
4.11 If a permitted entity in the initial rollout finds over that period that its volume estimates were too high, can the permitted entity drop to a lower volume tier? If so, how? Same question for the expanded rollout.
Once a permitted entity selects a tier level in either the initial or expanded rollout, executes a reimbursable agreement, and pays the tier level fee, no refunds will be provided. Therefore, they cannot drop to a lower volume tier during any 365-day period. They can move up a tier level by starting a new agreement with a new 365-day period. They can also select a lower tier in the following year.
4.12 Do you have any general information on using pay.gov? We’re looking to see if we would use a credit card or ACH and if there is a fee involved for using the system. Any information you can offer is greatly appreciated.
General information on pay.gov can be found on their website at https://www.pay.gov/public/home. If you are selected as an initial rollout participant, SSA will connect to Pay.gov to generate a bill for you from Pay.gov. It will provide specific instructions. Credit cards will be accepted for up to $24,999.99, and ACH can be accepted for any dollar amount. There are no fees associated with using Pay.gov.
The estimated fee range is for the entire “transaction band”. In other words, once we finalize the fees, there will be one fee for each transaction range to include any volume within that range.
If you are an individual permitted entity selected for the eCBSV initial rollout in June 2020, we will terminate your CBSV User Agreement as of that date and you will no longer be a CBSV customer. We will provide you a refund of unused CBSV funds at that time.
If you are a service provider permitted entity selected for the eCBSV initial rollout in June 2020, you may remain enrolled in CBSV to service non-permitted entities or during the initial rollout, other permitted entities beyond the 20 limited in the initial rollout.
If you are not selected for the eCBSV initial rollout, you will continue as a CBSV customer and must adhere to all requirements in the CBSV User Agreement.
5.04 We are a service provider for a handful of customers that provide SSA verifications today. Could you explain to me the difference between this new service and the existing service that we use today? Today it's an API where we pass the SSN, DOB, and name and get a yes/no/deceased response which seems to be identical to this new system. Is this new system a replacement for the one we are currently using or is there some other feature that i'm not seeing? I did not see on the site where this new service differs in any way except for new security measures.
The substantial difference between CBSV and eCBSV is that the Economic Growth, Regulatory Relief, and Consumer Protection Act, Section 215, Reducing Identity Fraud, requires SSA to confirm (or not confirm) to a "permitted entity" the validity of fraud protection data (specific information about an individual, including SSN verification) based on the individual's written consent, including by electronic signature. An SSN verification is verification that a name, SSN, and date of birth combination matches (or does not match) our records. The legislation requires SSA to improve our current verification system to accommodate the much larger anticipated volume of users and verifications as a result of now allowing consumer consent to be received electronically. In addition, the Act defines permitted entities use of eCBSV for specific uses as outlined in the Act. Therefore, for entities that do not qualify as a permitted entity, or entities who use the SSN verification for purposes outside of the Act will continue to obtain a number holder’s wet signature on the consent forms and use the current CBSV at this time.
6.06 Some permitted entities are both a financial institution and a service provider to financial institutions. Would SSA require that each permitted entity submit separate applications for its activities as a financial institution and as a service provider to the financial institution, or would that permitted entity be able to serve in both capacities under the single application?
6.09 What happens if the number of queries exceed the specified limits established for any given permitted entity? How will limits be calculated/enforced? Will it be daily, weekly, monthly, or some other specified time horizon?
6.10 If I am a company that supports financial institutions with decision management solutions, that includes the opening of new accounts, and determine that I qualify as a permitted entity, do I need to apply for eCBSV? Do I need to apply if I am not requesting the SSN verification directly from SSA?
- June 7, 2019: Federal Register Notice published
- July 17 – July 31, 2019: Initial enrollment period and 50 percent cost collection
- August 2019: Industry Day including high-level draft technical requirements
- April 2020: User agreement and eSignature requirements posted
- May 2020: Selected permitted entities receive agreement package to submit to SSA
- June 2020: Implementation for selected permitted entities
- September 2020: Notification of expanded rollout
- October – December 2020: Expanded rollout implementation
7.03 Will financial institutions’ service providers, subsidiaries, affiliates, agents, subcontractors, or assignees be able to pool and/or allocate queries across multiple financial institutions they service?
7.07 Can you clarify what the "annual number of transactions" is based on? Some of us in the bank believe that it may be implying projected use of this service (number of inquiries) while others believe that it may be implying all banking activities such as deposits, withdrawals, and others.
The annual number of transactions refers to the number of requests for verification that a permitted entity plans to send to SSA annually.
7.08 What is the difference between the services provided by the eCBSV and the TIN matching program provided by the IRS? The IRS TIN matching program as outlined in Publication 2108A seems to provide similar services for TIN matching, so I am trying to determine what differences (if any) exist between the SSA and IRS services.
SSA is unable to provide you with any information regarding the IRS TIN Matching program. We can tell you that SSA is the authoritative source for the Social Security Number (SSN). eCBSV will provide SSN verifications to enrolled permitted entities. An SSN verification is verification that a name, SSN, and date of birth combination matches (or does not match) our records.
Since we have not yet built the verification system, we cannot provide service level details at this time. However, we anticipate providing eCBSV with the same availability or better of the existing CBSV application, which is as follows:
|Monday – Friday||5:00 AM to 1:00 AM Eastern Standard Time|
|Saturday||5:00 AM to 11:00 PM Eastern Standard Time|
|Sunday||8:00 AM to 11:30 PM Eastern Standard Time|
- SSA’s verification of an SSN does not authenticate the identity of the individual or
conclusively prove that the individual submitting the information is who he or she claims to be.
SSA’s positive response on the name, date of birth, and SSN of an SSN verification only establishes
that the submitted information matches the information contained in SSA’s records.
The CBSV User Agreement specifically states:
SSA’s verification of an SSN does not provide proof or confirmation of identity….CBSV does not verify employment eligibility, nor does it interface with the Department of Homeland Security’s (DHS) verification system, and it will not satisfy DHS’s I-9 requirements.
SSA cannot speak to CBSV user recipients’ experience in “confirming good identities.” SSA does not collect feedback from CBSV user recipients about their success or fallout from verifying SSNs through CBSV.