eCBSV Archive | Data Exchange

October 29, 2020 - Conference Call

SSA issued a Press Release on Thursday, October 29, 2020, to provide the status of the eCBSV Initial Rollout.

May 28, 2020 - Conference Call

SSA conducted a brief conference call on Thursday, May 28, 2020, to provide general information about eCBSV.

October 10, 2019 - eCBSV Industry Call Script

SSA conducted an eCBSV Industry Call on Thursday, July 11, 2019, to share information about the current enrollment process. The script for that call can be found here.

October 10, 2019 - eCBSV Enrollment period (July 17, 2019 to July 31, 2019)

Permitted entities that wish to enroll must:

Complete form SSA-157 (OMB No. 0960-0802), Data Exchange Request Form (DXRF) with additional Forms SSA-157 for any permitted entities you will service.
Follow instructions for completing Form SSA-157, including the certification statement within the application.
Submit the completed document beginning July 17, 2019, at 6:00 a.m. EST to ecbsv@ssa.gov, but no later than July 31, 2019, at 6:00 p.m. EST.
Following the enrollment period, Social Security will select and notify the selected permitted entities and provide the necessary instructions to complete enrollment, including billing information.
Selected permitted entities will be required to complete and sign a reimbursable memorandum of understanding with payment. Refer to the “Fees” tab on the left for further information.
Selected permitted entities will be required to sign a user agreement closer to June 2020 rollout.

October 10, 2019 - eCBSV Enrollment FAQ

2. Application

2.01 Question two in the SSA-157 application indicates applicants should mark “commercial entity” and to indicate whether the entity is a financial institution. Please confirm how an entity can enter both pieces of information.

Permitted entities can check the commercial entity box, then indicate in the blank space of the box that they are a financial institution in accordance with P.L. 115-174.

2.02 The SSA-157 application question three states, “Briefly state the purpose for requesting this information and tell us how your organization will use the data.” Is SSA’s intent that firms should list every possible FCRA-covered product or service that a given firm may use eCBSV for, or is “banking service” sufficiently broad to cover everything? Also, can multiple purposes can be stated?

Permitted entities may select multiple purposes as appropriate for any anticipated use of eCBSV that is in accordance with P.L. 115-174. “Banking service” is too broad to identify the specific purpose.

2.03 For the SSA-157 application question 12, can general descriptions of positions be listed and can this information be amended closer to the initial rollout?

Yes, general descriptions may be provided and may be amended later if necessary. More importantly, permitted entities who are financial institutions’ service providers, subsidiaries, affiliates, agents, subcontractors, or assignees must also provide the list of each financial institution and EIN that they will service.

2.04 Do the SSA-157 instructions only apply to financial institutions’ service providers, subsidiaries, affiliates, agents, subcontractors, or assignees?

No. The instructions are to provide additional information to assist the applicant with completing the application, and do not limit who may apply.

2.05 Since question 12 of the SSA-157 requires financial institutions’ service providers, subsidiaries, affiliates, agents, subcontractors, or assignees to provide a list of up to 20 financial institutions that they will service during the initial rollout and those entities must also submit an application, does that mean that the 20 financial institutions must be selected by SSA for the initial rollout?

No. Only the eCBSV User entering into a User Agreement with SSA will be “selected” for the initial rollout. The eCBSV User must meet the definition of a permitted entity in accordance with P.L. 115-174. Applications submitted by financial institutions – who are permitted entities - that will be serviced by a service provider, subsidiary, affiliate, agent, subcontractor, or assignee – who are also permitted entities - will only be considered in conjunction with the service provider, subsidiary, affiliate, agent, subcontractor, or assignee’s application. SSA will link the financial institutions’ EIN on their application with the list of EINs provided on the service provider, subsidiary, affiliate, agent, subcontractor, or assignee’s application in question 12. The eCBSV User/ service provider, subsidiary, affiliate, agent, subcontractor, or assignee may update or alter the list of financial institutions prior to rollout; however, any new financial institution added will be required to submit an SSA-157 prior to rollout.

2.06 Regarding question 14 in the SSA-157, can you confirm that “daily” should be the answer given as a real-time, as-needed service?

The answer is dependent upon each permitted entity’s business process. While it is a real-time service, not all permitted entities may intend to submit transactions on a daily basis; therefore, they should select the most appropriate answer based on their anticipated business needs.

2.07 Regarding question 15 in the SSA-157 application, what is the starting point of the annual estimate?

Permitted entities should estimate the number of transactions they will perform on an annual basis for their 365-day agreement period; therefore, the starting point is the beginning of their agreement period.

2.08 Regarding question 15 in the SSA-157 application, it is likely that at least some permitted entities participating in the initial rollout will only do so for some – but not all – of their products and services; meaning their estimated volume for the initial rollout will be smaller than their volume in the expanded rollout. How should permitted entities account for this difference?

Permitted entities selected for the initial rollout will begin transactions in June 2020 and continue through for a 365-day period. Their transactions will be limited to a quarterly (1/4) prorated amount until the expanded rollout. Once the expanded rollout begins, their transactions will no longer be limited to quarterly amounts and will continue for the full 365-day period. Therefore, permitted entities enrolling in the initial rollout should estimate their annual transaction volume based on their anticipated use for the entire year.

2.09 Regarding question 16 in the SSA-157 application, some larger permitted entities have multiple subsidiaries, some of which may want to access eCBSV differently than others. Can a financial institution apply to have direct access to eCBSV in the initial phase and subsequently decide to buy some or all of its access from a service provider, subsidiary, affiliate, agent, subcontractor, or assignee, who meets the definition of permitted entity?

Yes, financial institutions may apply for direct access to eCBSV, and also request transactions through a service provider, subsidiary, affiliate, agent, subcontractor, or assignee, who will meet the definition of permitted entity; however, their estimated annual volume of transactions and tier-based payment level will only apply to their direct access. Any funds provided in the initial rollout to cover the program startup costs can only be applied to the direct access account for which they were provided. Any transactions requested on their behalf by a service provider, subsidiary, affiliate, agent, subcontractor, or assignee are attributable only to the service provider, subsidiary, affiliate, agent, subcontractor, or assignee and are subject to any charges the service provider, subsidiary, affiliate, agent, subcontractor, or assignee imposes on the financial institution.

2.10 Along with our application listing the Financial Institutions that we will service as a subcontractor, is each of those institutions also required to submit an application as well?

Yes, every permitted entity must submit an application. SSA will correlate their individual application using their EIN to their service provider’s application list of permitted entities they will service, to identify all permitted entities. Also, SSA is required to receive a permitted entity certification (see Eligibility tab for more details) from every permitted entity regardless of whether they apply directly or through a service provider.

2.11 Should the response to question 12 of the SSA-157 include BOTH the service provider’s organization and job functions that will have access to SSA-provided information AND the names and EIN’s of the permitted entities to be serviced?

Yes.

2.12 Entities such as credit reporting agencies are considered a financial institution for GLBA purposes. Please confirm that credit reporting agencies should apply as a service provider.

If the credit reporting agency as defined as a financial institution is only submitting transactions for themselves, then they should apply as a financial institution. If the credit reporting agency is servicing other permitted entities, or both performing transactions for themselves and servicing other permitted entities, then they should apply as a service provider.

2.13 For fintech companies that plan to use the eCBSV service to augment verification and fraud products for financial institutions, is it a requirement to list the financial institution clients if the financial institutions will not receive the raw responses from eCBSV? If the answer is yes it is unclear if the financial institutions must apply at the same time as the fintech company in the July 17 – July 31 window. Does the fintech company need to coordinate with the financial institutions and all apply at the same time? If the volume for the Financial Institutions is then zero, because it will all go through the fintech company, must they still pay the application fee?

A qualified enrollee of the eCBSV service must be a permitted entity as defined by section 509 of the Gramm-Leach-Bliley Act. 42 USCA 405b(b)(4), Pub. L. No. 115-174, Title II, §215(b)(4). If a fintech company determines that they meet the definition of a permitted entity as a service provider, subsidiary, affiliate, agency, subcontractor, or assignee of a financial institution, then they must identify the financial institution they are servicing in order to qualify regardless of how they share the verification results.

To apply, the fintech company as a service provider must complete the SSA-157 identifying all of the permitted entities’ EINs that they will service during the initial enrollment period, up to 20. Each permitted entity they will service must also complete the SSA-157 form to include the permitted entity certification, and submit it during the enrollment period; however, SSA will accept changes if needed prior to the initial rollout. No fees are charged for submitting an application. The service provider may choose to consolidate all SSA-157s for each of the permitted entities they will service with their own SSA-157 application to submit in one email to SSA.

2.14 If a service provider were to append applications for only 19 of the 20 financial institutions listed on that service providers own application for eCBSV, could that final Financial Institution submit its application separately within the application period in July? Would that damage the chances of the service provider to be selected for the pilot? Additionally, if that last Financial Institution fails to submit their application in the enrollment period, would the service provider be required to update their application to remove that particular financial institution?

Yes, we would accept the 20th application later during the enrollment period, and we will also accept changes to the 20 approved financial institutions - permitted entities at any time leading up to the initial rollout in June 2020 with no adverse impact on the service provider’s – permitted entity’s initial application or potential selection. The service provider would be required to provide us with those changes via a corrected SSA-157 with the financial institution - permitted entity EIN listed and we would have to receive an SSA-157 from any added financial institution - permitted entities before we would begin providing transactions to that permitted entity.

2.15 For a bank that has two legal entities, do we have to submit a separate application (SSA-157) for each entity or can we submit one that includes both and list them in field 12? If we have to submit separate applications for each legal entity, would we have to estimate annual volumes for each legal entity and pay accordingly for each legal entity according to your fee tables?

Every individual entity with a unique EIN must be separately identified as a permitted entity. So, if two legal entities have two separate EINs, then you must submit an application for each entity. Each would be entirely separate entities, user agreements, volume estimates, and tier level fees, etc.

2.16 If fields in the sample application provided for the SSA-157 instructions have "N/A" in several of the fields (e.g. fields 6, 7, 8, 9, 11, 17). Does the "N/A" mean that you are not requesting nor requiring an answer for those fields?

Correct. If N/A is provided, you do not need to answer those questions.

2.17 Does the "No" in field 13 of the sample application provided for the SSA-157 instructions imply that the only answer for that question can be "No"?

It means that we have determined that all applicants for eCBSV must answer “no” to this question, and you cannot share the data with anyone other than those listed in question 12.

2.18 Does the "No" in field 20 of the sample application provided for the SSA-157 instructions imply that the only answer for that question can be "No" thereby meaning we cannot use an external commercial cloud service provider to store or process the SSA information?

SSA has determined that eCBSV permitted entities may not store the actual verification response that SSA provides in any format or location; therefore, you must annotate “No” to this question. You will be authorized to use the verification response only for the purpose stated on the consumer consent, may record the fact of the verification, but may not make any further use or disclosure of the verified SSN.

2.19 Can a service provider that services multiple permitted entities (financial institutions) share the results of a SSN verification obtained on behalf of one permitted entity with another permitted entity, provided both permitted entities met all the other requirements for eCBSV participation?

No. Each verification request must be supported by an individual signed consumer consent for one specified purpose authorizing the disclosure to the specific permitted entity for which the verification is provided. Also, keep in mind, each service provider is a “permitted entity” for purposes of Section 215 of the Economic Growth, Regulatory Relief, and Consumer Protection Act, Public Law (PL)115-174.

2.20 The instructions provided by SSA labels question 6 as N/A. For companies that currently validate SSN, Name and DOB combinations using SSA-89, should this be stated in our answer to question 6, or is question 6 specific to eCBSV? This then brings us to question 23. SSA instructions state that we should indicate whether or not we are a current CBSV user. We’d like to confirm or deny that our usage of SSA-89 makes us a current CBSV user.

Regarding question 6 on the SSA-157, SSA annotated on the instructions that you may mark this response as N/A. You do not need to respond to that question. For question 23, if you are a current CBSV user with a formal, executed CBSV User Agreement, then you are a CBSV User, and should identify yourself as such in this question.

2.21 SSA instructions on question 18, label this question as “No.” However we are not a federal agency and would like to confirm this question should be answered as “Non Applicable – Non-Federal Agency” and then provide an answer to question 19.

For question 18, you should appropriately mark “Not Applicable – Non-Federal Agency” and respond to question 19.

2.22 How are permitted entities supposed to list the 20 FIs they plan on servicing through eCBSV on the SSA-157? Do we fill box 12 and then use box 36 as an overflow or should we attach the list in some other fashion?

You may enter the list of EINs in box 12 or box 36, or submit a separate list.

2.23 Will SSA provide confirmation of receipt of a submitted application, and will such confirmation include a time stamp of receipt?

Yes, we will provide a confirmation and it will include the time stamp of receipt.

2.24 If a financial institution submits a single application indicating its intent to run all of its volume through a single service provider, and then that service provider is not selected by SSA, what options does the financial institution have?

None, unless they apply independently.

2.25 For the SSA-157 application question 12, you mention in other FAQs that SSA will associate all financial institution applications with service providers based upon the lists they provide. Is there anywhere for the financial institution to indicate the service provider they will be using?

No, not specifically on the SSA-157. SSA will associate the EIN on the financial institution’s application with the list on the service provider’s application. The service provider may also gather all financial institutions’ SSA-157s and submit them together in one application email to SSA. Or the financial institution may indicate its intent in the financial institution’s own application email to SSA.

2.26 For the SSA-157 application question 12, it is mentioned in other FAQs that the list of financial institutions being serviced can be adjusted prior to rollout. Can we just supply a list at a later date since we are a year away? Do any and all financial institutions have to have the application in by the end of the month or we cannot then service them?

No, as the service provider you must provide at least an initial list now; however, we will accept changes before the initial rollout in June 2020. And, no, as previously stated, you can make changes to your list of financial institutions up to the initial rollout date in June 2020; therefore, the financial institutions you want to service may submit their application for being serviced by you later as well. Please note, if the financial institutions intend to participate in eCBSV directly with SSA, not through anyone as a service provider, their application must be received during the enrollment period to be considered for both the initial and the expanded rollouts.

2.27 I read that we must provide a signed permitted entity certification. The directions state to have information about this input into the Additional Comments section. There is no space on the form requiring a signature. Do we need to sign a separate document?

There is no need to sign the SSA-157 or permitted entity certification at this time. Permitted entities will be required to sign a certification at the time of selection for the initial rollout. SSA is building the new eCBSV service to include the capability to provide an electronic signature on the certification for those enrolled later.

2.28 Is there any potential conflict in us submitting an SSA-157 on our own and also allowing a different provider to submit an SSA-157 naming us as a client in their application?

No, the SSA-157 may be submitted both ways.

2.29 For question 11, are you able to provide examples of the legal authority that organizations usually use in order to access this information for fraud/identity theft prevention purposes? Is this covered under the FCRA?

You do not need to respond to Question 11. It is indicated as not applicable (N/A) on the SSA-157 instructions.

2.30 For question 12, since we must provide the permitted entities names and EINs, is the SSA willing to sign a Mutual Non-Disclosure Agreement (MNDA)?

No.