By: Timothy A. Raty, Sr. Regulatory Compliance Specialist
“Doveryai, no proveryai.” (Russian Proverb)
“Trust, but verify.” (Ronald Reagan)
The Economic Growth, Regulatory Reform, and Consumer Protection Act (132 Stat. 1296 [2018]; “EGRRCPA”) established new 42 U.S.C.A. § 405b, which permits the Social Security Administration (“SSA”) to accept the consent of a consumer to verify their Social Security Number (“SSN”), when such consent is submitted electronically.
Prior to this enactment, consumers could consent, but only through a tangible copy of Form SSA-89 which is “inked-signed.” A financial institution could then verify the consumer’s information through the SSA’s “Consent Based Social Security Number Verification” (“CBSV”) system.
Due to EGRRCPA, the SSA is now in the process of establishing a new electronic verification system (“eCBSV”) and they have published webpages providing details about it (https://www.ssa.gov/dataexchange/eCBSV/). On a basic level, a financial institution (or an entity acting on their behalf, which is known as a “permitted entity”) obtains a consumer’s consent to verify their information (SSN, date of birth, and name) with the SSA. Once the consent is received (either electronically or manually), the financial institution or permitted entity enters the consumer’s information into the eCBSV system, which will verify whether this information matches their records or not (albeit the eCBSV cannot be used to verify the identification of the consumer; only whether the information provided matches the SSA’s records).
Of particular interest to First American Docutech are the ways a consumer can electronically consent. Most of the details can be found in the “eCBSV User Agreement” (https://www.ssa.gov/dataexchange/eCBSV/user_agreement.html), but basically there are three different types of consent that the SSA will recognize:
- A completed, tangible copy Form SSA-89 which is “ink-signed”;
- A “PDF fillable” copy of Form SSA-89 which is electronically completed and signed; or
- An electronic form of consent, based on one of two options outlined in Exhibit C of the User Agreement, when incorporated into a financial institution’s (or a permitted entity’s) existing electronic business process. (see eCBSV User Agreement Section IV.A..1.c)
Currently, the eCBSV is in its first testing stage (“initial rollout”), with an expanded rollout slated to occur between October and December of this year. No date (tentative or otherwise) has been set as to when the eCBSV will be fully functional and when enrollment will be open to all qualified institutions. Until it is fully functional, only institutions who have been accepted into the “rollout periods” may use an electronic copy of Form SSA-89.
Changes to Form SSA-89
In addition to the fact that Form SSA-89 may eventually be used electronically, the form itself is being revised (a copy of the new form may be found in Exhibit B of the eCBSV User Agreement). The SSA had hoped that this version would be approved by the OMB by the time of the initial rollout in June, but it is still pending approval.
While there are subtle changes to the form, a major one is to the section in which the consumer indicates the reasons for using the CBSV (or eCBSV) system. Here is a comparison between the current and the new reasons:
Besides semantics, this change will also require separate copies of Form SSA-89 to print for each reason selected (as opposed to the current version of the form, in which multiple reasons can be selected). This is explained by the SSA in their “eCBSV Addendum – 30-Day FRN Comments and Responses” document:
“Comment #2: . . . The form included in the eCBSV User Agreement has a comment for the consumer to just select one purpose ‘(please select one).’ However, the form on the web site includes a reference ‘(Please select all that apply).’ In cases when the consumer applies for two separate products at the same time, should we tell banks to display or allow consumer to select multiple purposes or just one?
SSA Response #2b: Consistent with the fillable SSA-89 that we expect will be the official Form SSA-89 in June 2020, consumers will need to complete an SSA-89 for each permissible purpose.”
In response to comments, the SSA also confirmed that, even though an electronic copy of Form SSA-89 in “PDF fillable” format is an acceptable form of consent, a pre-populated, electronic version of the Form may also acceptable, under certain conditions:
“Comment #9: A commenter asked can a document vendor create an electronic copy of Form SSA-89, pre-populate the fillable parts of the form using data imported from a mortgage lender’s loan origination system, and have the SSN holder electronically sign such copy (which can be saved into PDF format)? Or must Form SSN-89 always be provided to an SSN holder in ‘pdf fillable’ form to be filled out manually by the SSN holder?
SSA Response #9: Yes, a document vendor may create an electronic copy of Form SSA-89, pre-populate the fillable parts of the form using data imported from a mortgage lender’s loan origination system, and have the SSN holder electronically sign such copy, as long as the form is not altered in any way and the SSN holder has an opportunity to review/correct any ‘auto-populated’ information prior to signing the SSA-89.
The document vendor must replicate the SSA-89 in its entirety so as not to alter the purpose of the form.”
Despite the restrictions on altering the form, the SSA does confirm that some changes may be made:
“Comment #10: A commenter asked can Form SSA-89 be marked in ways traditionally applied to electronically generated mortgage loan documents or must it be maintained in its exact original form?
For example, for tracking purposes, most copies of forms generated electronically contain barcodes, so that mortgage companies can easily identify which loan file the form belongs in. Other markings include an identification box surrounding an electronic signature, which certifies the SSN holder’s signature and when it was electronically signed. If these (and other necessary) markings appeared on a copy of Form SSA-89, would it still be considered a form of ‘valid Written Consent’?
SSA Response #10: Section III.A.11 of the eCBSV Use Agreement indicates that the Permitted Entity must not alter the Written Consent either before or after the SSN holder signs the Written Consent. However, this section also states that, ‘Alterations do not include fax date/time stamps, barcodes, quick response codes or tracking/loan numbers added to the margin of a form.’ In addition, SSA does not consider the identification box surrounding an electronic signature to be an alteration, because this is a part of the electronic signing process being applied by the SSN holder during signing and should be included as part of a valid Written Consent.”
A Third Way
Even though the SSA will accept both tangible and electronic copies of Form SSA-89 as valid forms of written consent, it will also permit a third option, described as follows:
“An electronic form of consent that incorporates one of the two options provided in Exhibit C, SSA Written Consent Template, into the Permitted Entity’s or Financial Institution’s existing electronic business process. As shown in Exhibit C, SSA Written Consent Template, the title of SSA’s Written Consent must be in ‘bold’ font followed directly by the SSA-provided language. See SSA’s Written Consent Template, attached and incorporated into this user agreement as Exhibit C.” (eCBSV User Agreement Section IV.A.1.c)
There are two versions of the “SSA Written Consent Template”. One simply states that the consumer is authorizing verification “for the purpose of this transaction” (“static purpose”), while the other permits the consumer to insert a specific purpose into the form (“dynamic purpose”). Even though the “static purpose” document only provides a vague purpose for the verification, a financial institution (or permitted entity) must still “maintain documentation of the specific purpose in accordance with sections III, IV, and VIII of the user agreement” (Ibid. Section IV.A.2).
Please note that this Written Consent Template is not a separate document, per se. Rather, it is to be incorporated into the financial institution’s “existing electronic business process,” such as including it as an additional screen in an online application process or documents portal.
Recordkeeping
It is easy to assume that the consumer’s consent must be submitted to the SSA through the eCBSV system, but this would be the wrong conclusion. As summarized by the SSA:
“Under eCBSV, the permitted entity does not submit the number holder’s consent documents to SSA. SSA requires each permitted entity to retain a valid consent for each SSN verification request for a period of five years from the date of receipt of the consent form. . . .” (85 FR 13968 [2020])
The retention requirements are promulgated in detail in Subsection IV.B of the eCBSV User Agreement. Of particular note is the fact that if the consent is obtained in paper format, it may be retained in either paper or electronic format. If the consent is obtained electronically, it must be stored electronically.
As part of the User Agreement, financial institutions and permitted entities permit the SSA to perform onsite inspections, to ensure that the consumer’s written consent has been properly obtained and that the records of such have been properly maintained.
Where We’re At (as of October 8, 2020)
For First American Docutech, we are monitoring the approval process of Form SSA-89 and will proceed to modify our generic copies of it as soon as permitted. However, as mentioned earlier, only those entities which have been approved for the eCBSV rollout phases may use an electronic copy of Form SSA-89 and have it electronically signed. Thus, we will continue to keep our copies of Form SSA-89 “inked-signed” only, except for clients who utilize the eCBSV system.
Because the SSA only permits an electronic, pre-populated copy of Form SSA-89 to be used if the consumer has the ability to change the pre-populated data, we have completed system changes to permit consumers to change the data in the form during the eSign process (once the form is set to be eSigned).
Finally, because either a tangible or electronic version of Form SSA-89 is an acceptable form of consent, we are not planning to incorporate the SSA Written Consent Template into our eSign process, since it would be superfluous to have the consumer sign this and complete Form SSA-89 during the same process.
We are still several months away from the eCBSV system being fully operational and the SSA may change some requirements in the interim, based on their findings during their rollout periods. However, we are working diligently to ensure that we will be ready to support our clients once they start using this system.