By: Timothy A. Raty, Sr. Regulatory Compliance Specialist
“consent . . . a voluntary yielding to what another proposes or desires;
agreement, approval, or permission regarding some act or purpose, esp.
given voluntarily by a competent person; legally effective assent.”
(CONSENT, Black’s Law Dictionary [11th ed. 2019])
Section 215 of the “Economic Growth, Regulatory Reform, and Consumer Protection Act” (132 Stat. 1296 ) created new 42 U.S.C.A. § 405b, which requires the establishment of a database within the Social Security Administration (“SSA”) which is meant to “effectuate the purpose[s] of this section” (Ibid. § 405b[c]), such purpose “is to reduce the prevalence of synthetic identity fraud, which disproportionately affects vulnerable populations, such as minors and recent immigrants, by facilitating the validation by permitted entities of fraud protection data, pursuant to electronically received consumer consent, through use of a database maintained by the Commissioner.” (Ibid. § 405b[a])
As referenced, this new law allows a “permitted entity” to submit a request to verify the identity of the holder of a Social Security number, but only “pursuant to the written, including electronic, consent received by a permitted entity form the individual who is the subject of the request” and only “in connection with a credit transaction or any circumstance described in section 1681b of Title 15 [dealing with consumer credit reports].” (Ibid. § 405b[f])
At the present time, the SSA is in the final preliminary implementation stages of its “electronic Consent Based Social Security Number Verification” service or “ECBs” (i.e., it is in the final stages before permitting select financial institutions to test run the eCBSV). Through this system, “eCBSV will allow permitted entities to verify if an individual’s SSN, name, and date of birth combination matches Social Security records. Social Security needs the number holder’s written consent with a wet or electronic signature in order to disclose the SSN verification.” (see https://www.ssa.gov/dataexchange/eCBSV/index.html)
In other words, without the individual’s consent, their identity cannot be verified as part of a loan origination process.
Of particular interest to document service providers are the types of written consent that the SSA recognize and which are considered “valid.” Interestingly, “under the eCBSV, the permitted entity does not submit the number holder’s consent documents to SSA. SSA requires each permitted entity to retain a valid consent for each SSN verification request for a period of five years from the date of receipt of the consent form.” (85 FR 13968 ) The “consent documents” are promulgated in a User Agreement between the SSA and the “permitted entity”, a revised draft version of which is located on the SSA’s website linked above.
According to this revised draft, written consent (properly defined) “must be provided by the SSN holder in one of three ways:
- Form SSA-89 (Exhibit A, Authorization for SSA to Release SSN Verification) with a wet signature, or
- Form SSA-89 in “pdf fillable” form with an Electronic Signature, or
- Electronically with SSA’s consent language as provided in section IV, which is incorporated into the Financial Institution’s or Permitted Entity’s business process.” (Revised User Agreement, § I.B “Written Consent”)
Section IV of the Agreement goes into further details about these forms and how they are to be completed. It is interesting to note that while Form SSA-89 may be completed with either an ink or electronic signature, the “Written Consent Template” (attached to the User Agreement as Exhibit C) only forms a valid written consent if it is completed electronically. However, for recordkeeping purposes, a physical copy may be retained:
“The entity – either the Permitted Entity or Financial Institution it services, if any – obtaining the Written Consent must retain the signed Written Consent for a period of five (5) years from the date of the SSN Verification request, either electronically or in paper form. . . .
If the Permitted Entity or Financial Institution obtaining the Written Consent in paper format and chooses to retain the Written Consent in paper format, that entity must store the Written Consent in a locked, fireproof and waterproof storage receptacle.” (Revised User Agreement, § IV.B)
While it is not illogical to permit a physical copy of an electronic record to be retained for recordkeeping purposes, it is odd that only an electronically signed “Written Consent Template” is valid. The reasons for this are not promulgated; an assumption could be made that because Form SSA-89 can be completed physically or electronically, it is not necessary to have the “Written Consent Template” follow suit (but this is only an assumption).
It is also interesting that when Form SSA-89 is completed electronically, it must be done in “pdf fillable” form. While it is typical for copies of electronic forms to be printed into PDF format, they are not in such format (let alone “fillable”, as commonly understood) when they are signed electronically. A technicality, to be sure, but one which raises the question of whether Form SSA-89 must be electronically executed in a format different than those of other documents which are provided in the same electronic package.
Under the ESIGN Act (15 U.S.C.A. §§ 7001 et seq.), creditors are permitted to obtain a consumer’s consent to receiving “information relating to a transaction or transactions in or affecting interstate or foreign commerce” (Ibid. § 7001[c]) and may obtain the consumer’s consent to receiving such information “only to the particular transaction which gave rise to the obligation to provide the record, or . . . to identified categories of records that may be provided or made available during the course of the parties’ relationship.” (Ibid. § 7001[c][B][ii])
Taken together, these provisions permit a creditor to disclose, and obtain the consumer’s singular consent for receiving and electronically signing, multiple, related documents. Without these provisions, a creditor would have to separately disclose and receive consent to every single disclosure provided to the consumer (the arduousness of which makes Hannibal’s crossing of the Alps look like hopscotch in comparison).
Despite this “single consent for multiple documents” approach, however, the SSA has indicated that, when it comes to the consumer’s consent during the eCBSV process, a separate disclosure and consent must be used apart from what is used for other mortgage documents. This is indicated in their “Q&As” to comments submitted during the first comment period for their system and the User Agreement:
“Comment #19: Additional language must be added to clarify that consumer consent for an eCBSV verification does not require its own separate and distinct consent ‘check box.’ A single consent is vastly preferred as it is extremely unlikely that an application would be allowed to go through if a user did not consent to both standard terms and conditions and the eCBSV consent. Stated differently, requiring separate consent or dual consents would frustrate the clear purpose of the Banking Bill. Thus, while the Draft User Agreement states that written, including electronic, consent can be incorporated into existing electronic workflows or business processes, an explicit statement regarding single consent is critical. Therefore, section IV.A.1.c (p. 8) of the User Agreement should be rewritten as follows:
An electronic form of consent, which can be incorporated into the Permitted Entity’s or Financial Institution’s electronic workflow or business process, including any existing process to capture an individual’s consent, signed electronically by the SSN holder with an Electronic Signature. See SSA’s Written Consent Template . . .
SSA Response #19: We understand the industry’s preference that the SSN holder’s consent that SSA verify his or her fraud protection data is included with current consent. However, the industry’s preference heightens the risk that the SSN holder would not provide informed consent for SSA’s SSN Verification. We also have some concerns that one consent checkbox will heighten consumer confusion regarding consent, because the standard terms and conditions for a credit application or other FCRA permissible purpose are not the same as SSA’s requirements for an SSN holder to consent to SSN Verification by SSA. Further, two checkboxes more accurately captures [sic] the SSN holder’s intent to apply his or her binding electronic signature to consent to SSA disclosing the SSN Verification.
Further, our recommendation is consistent with SSA’s best practices in assessing consents submitted for disclosure purposes outside the context of CBSV/e-CBSV process. . . .
Therefore, we considered this comment, but decline to make the recommended changes. The recommended language removes SSA’s consent requirements and replaces them with ‘any existing process to capture an individual’s consent.’ We do not agree with the recommended language because the term ‘any existing processes’ is too vague. There is an unknown number of ‘existing processes’ to capture an individual’s consent for the banking industry, and we are uncertain whether the standards behind those ‘existing processes’ are compatible with SSA’s consent requirements. SSA cannot agree to remove its consent requirements, without assurance that the other ‘existing processes’ meet SSA’s consent requirements and comply with our policies.” (Federal Register Notice Addendum to the Supporting Statement, pg. 10 – 11; emphasis in the original; available at: https://www.ssa.gov/dataexchange/eCBSV/index.html).
This could impact document vendors, who may need to create separate eSign disclosure screens for Form SSA-89 and the “Written Consent Template”. However, a final draft of the User Agreement and final consent rules have yet to be promulgated, so it is not known at this point what specific changes need to be made.
Docutech has submitted some comments on the SSA’s rules during their latest comment period. Our comments can be accessed at: https://www.regulations.gov/document?D=SSA-2020-0011-0004.
As always, we will continue to monitor the SSA’s changes and to adapt our system and documents accordingly. The eCBSV system, short of delays due to a pandemic, is on the horizon of being operational and everyone should begin preparing for it sooner rather than later.