eCBSV Guide to eCBSV Written Consent
Permitted Entity Registration Process
Recommended Technical Expertise
To Access Entity Registration and Enrollment
What is Written Consent in the eCBSV Context?
What is an Electronic Signature?
What are Acceptable Forms of Electronic Signatures?
How Do I Attach or Associate the Electronic Signature to the Written Consent?
Written Consent Incorporated into the Financial Institution’s Business Process
Written Consent Template Must Haves
In order to use eCBSV, Permitted Entities must first obtain the Social Security number (SSN) holder’s written consent with a wet or electronic signature. The eCBSV User Agreement provides all of the requirements related to written consent, which are summarized here with examples of valid written consent.
This Guide to eCBSV Written Consent presents the eCBSV User Agreement requirements in a manner that is intended to be useful to Permitted Entities and also includes practical suggestions for how Permitted Entities might choose to go about complying with those requirements. This guide may not address all situations. Where there may be multiple ways to comply with requirements in the User Agreement, a Permitted Entity can make its own business decision regarding which method to use, and this may include a method that is not specifically addressed in the Guide to eCBSV Written Consent. In summary, Permitted Entities are not required to comply with the Guide to eCBSV Written Consent itself. Permitted Entities must comply with the consent requirements in Section IV of the eCBSV User Agreement. In the event of a conflict between this Guide and the User Agreement, the User Agreement is the governing source.
What is Written Consent in the eCBSV Context?
The definition of written consent as provided in the eCBSV User Agreement is, “Written Consent, including electronic, by which the SSN holder gives SSA permission to disclose SSN Verification results to the Permitted Entity or Financial Institution (or both) in connection with a credit transaction or any circumstance described in section 604 of the Fair Credit Reporting Act (15 U.S.C. § 1681b).” Refer to Section I.B. (eCBSV User Agreement, Page 3).
In plain language, written consent is when the SSN holder who is a customer of the Financial Institution, gives his or her permission for SSA to provide a “yes” or “no” response to the Financial Institution or the Permitted Entity (or both) about whether the SSN holder’s name, date of birth, and SSN match SSA’s records. The written consent must be provided in connection with a credit transaction or any circumstance described in section 604 of the Fair Credit Reporting Act (15 U.S.C. § 1681b). Refer to Section III.A.7. (eCBSV User Agreement, Page 5).
The written consent must also meet SSA’s requirements in Section IV of the eCBSV User Agreement (eCBSV User Agreement, Pages 8-13) and SSA’s regulations. Under the agency’s regulations, written consent must clearly specify:
- to whom the information may be disclosed (the Permitted Entity and Financial Institution, if different),
- that the SSN holder permits SSA to disclose the SSN Verification to the Permitted Entity and Financial Institution, if different, and
- where applicable, the timeframe during which SSA may disclose the SSN Verification.
Refer to 20 C.F.R. Part 401.100.
For eCBSV purposes, written consent must be provided by the SSN holder in one of three ways:
- Form SSA-89 (Exhibit A, Authorization for SSA to Release SSN Verification to the eCBSV User Agreement) with a wet signature, or
- Form SSA-89 in “pdf fillable” form with an Electronic Signature (Refer to Sections I.B and IV.E. (eCBSV User Agreement, Pages 2 and 11-12), or
- Electronically with SSA’s written consent language as provided in section IV of the eCBSV User Agreement, which is incorporated into the Financial Institution’s or Permitted Entity’s business process. Refer to Section IV.A.1.Exhibit C Written Consent Template.
Refer to Section IV.A.1. (eCBSV User Agreement, Page 9).
What is an Electronic Signature?
Electronic signature is defined by section 106 of the E-SIGN Act (15 U.S.C. § 7006) as “an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.” Refer to Section I.B. (eCBSV User Agreement, Page 2).
The User Agreement lists the agency’s electronic signature requirements, including but not limited to:
- The Permitted Entity must use a form of electronic signature consistent with E-SIGN;
- The electronic signature must be executed or adopted by a person with the intent to sign; and
- The electronic signature must be attached to or associated with the written consent being signed.
Refer to Section IV.E. (eCBSV User Agreement, Pages 11-12).
What are Acceptable Forms of Electronic Signatures?
The following are non-exclusive examples of forms of electronic signature that are consistent with E‑SIGN:
- A typed name (i.e., typed into a signature block on a website form).
- A digitized image of a handwritten signature that is attached to an electronic record.
- A shared secret (i.e., password or PIN) used by a person to sign the electronic record.
- A sound recording of a person’s voice expressing consent.
- Clicking or checking an on-screen button (i.e., clicking or checking an “I Agree” or “I Consent” button).
The Permitted Entity or Financial Institution obtaining the written consent may incorporate other comparable forms of electronic signature so long as they are otherwise in compliance with section 106 of E-SIGN and the User Agreement.
Refer to Section IV.E.1. (eCBSV User Agreement, Page 11).
What is Intent to Sign?
The Permitted Entity or Financial Institution obtaining the written consent must ensure that the electronic signature is executed or adopted by the SSN holder with his or her intent to sign the written consent.
Clear evidence of intent to sign must be included and demonstrated either in the written consent being signed or in the signing process so that it is clear to the SSN holder that he or she is signing SSA’s written consent.
Examples of ways Permitted Entities or Financial Institutions can satisfy the intent to sign requirement include, but are not limited to:
- Clicking a clearly labeled “Accept” button:
- Example: “By [clicking the [SIGN/OK/I AGREE/I ACCEPT] button], you are signing the consent for SSA to disclose your SSN Verification to [Permitted Entity and/or Financial Institution]. You agree that your electronic signature has the same legal meaning, validity, and effect as your handwritten signature.”); or
- Allowing the signer to opt out of electronically signing the record by providing an option to decline.
Refer to Section IV.E.2. (eCBSV User Agreement, Page 12).
How Do I Attach or Associate the Electronic Signature to the Written Consent?
The SSN holder’s electronic signature must be attached to, or logically associated with, the written consent.
Associating the electronic signature with SSA’s written consent can be accomplished using various approaches. The signature data can be associated with the written consent by a process that permanently appends the signature data to the consent (i.e., the signature data is embedded within, or directly appended to, the written consent). Using this approach, the electronic signature becomes a part of, and is stored with, the electronic record being signed. Alternatively, the electronic signature data can be associated with the written consent by a database-type link between the signature data and the written consent (i.e., the data representing the electronic signature can be stored separately from the document signed, so long as a reliable process is in place to associate the electronic signature with the electronic record so that it can be established that a particular electronic signature was applied to a specific electronic record with an intent to sign that electronic record).
Other approaches are also feasible so long as they can provide evidence that a specific electronic signature was applied to or used in connection with a specific electronic record. Refer to Section IV.E.2. (eCBSV User Agreement, Page 12).
Written Consent Incorporated into the Financial Institution’s Business Process
Permitted Entities or, if applicable, Financial Institutions may elect to use written consent option 3 above: to obtain written consent electronically with SSA’s written consent language as provided in section IV.A.1.c. of the eCBSV User Agreement, which is incorporated into the Financial Institution’s or Permitted Entity’s business process.
When using this option, SSA has provided the consent language in Exhibit C of the eCBSV User Agreement, which includes a purpose statement. Refer to Exhibit C Written Consent Template (eCBSV User Agreement, Page 28). The purpose is the reason the Permitted Entity or, if applicable, the Financial Institution is requesting the SSN verification for an SSN holder. Permitted Entities or, if applicable, Financial Institutions may choose to use either a static or dynamic purpose in the SSA provided consent language.
For static purpose, the Permitted Entity’s or, if applicable, the Financial Institution’s purpose for requesting an SSN verification will not change in their business process. The purpose field will be populated with “this transaction” and it will be the same for each person. Permitted Entities may choose this option in lieu of building a separate “purpose field” that must be populated within the electronic Written Consent with the actual reason for the transaction.
For dynamic purpose, the Permitted Entity’s or, if applicable, the Financial Institution’s purpose for requesting an SSN verification will change based on the SSN holder’s business transaction. In this case, the electronic written consent must include a specific purpose field to be populated with each transaction; therefore, the reason may be different for each person.
When selecting option 3 above to incorporate written consent into the business process, if the Permitted Entity or Financial Institution chooses to incorporate a static purpose statement, it must maintain evidence that documents the specific purpose of the written consent. Refer to Section IV.A.2 and III.A.9. (eCBSV User Agreement, Page 9).
Written Consents with static purpose (rather than building in a dynamic field):
I authorize the Social Security Administration (SSA) to verify and disclose to [Name of Financial Institution] through [Name of Service Provider, (if one), their service provider] for the purpose of this transaction whether the name, Social Security Number (SSN) and date of birth I have submitted matches information in SSA records. My consent is for a one-time validation within the next [number of days].
Written Consents with dynamic purpose in the consent language:
I authorize the Social Security Administration (SSA) to verify and disclose to [Name of Financial Institution] through [Name of Service Provider, (if one), their service provider] for the purpose of opening a new account whether the name, Social Security Number (SSN) and date of birth I have submitted matches information in SSA records. My consent is for a one-time validation within the next [number of days].
Refer to Exhibit C SSA Written Consent Template (eCBSV User Agreement, Page 28).
Written Consent Template Must Haves
The following elements are required for Written Consent when a Permitted Entity or, if applicable, Financial Institution incorporates electronic consent into its business process using SSA’s Written Consent Template. Refer to Section IV.A.1.c, (eCBSV User Agreement, Page 9).
A title or header in bold as shown in Exhibit C of the eCBSV User Agreement. Refer to Section IV.A.1.c, (eCBSV User Agreement, Page 9); see also Exhibit C SSA Written Consent Template (eCBSV User Agreement, Page 28).
“Authorization for the Social Security Administration to Disclose Your Social Security Number Verification”
The following statement authorizing SSA to verify that the SSN holder’s name, date of birth, SSN match SSA records and disclose results to the Permitted Entity and Financial Institution (when applicable) only in connection with a credit transaction or any circumstance described in section 604 of the Fair Credit Reporting Act (15 U.S.C. § 1681b), and the purpose statement (either static or dynamic). Refer to Section III.A.9.a. of the (eCBSV User Agreement, Page 5); see also Exhibit C SSA Written Consent Template (eCBSV User Agreement, Page 28).
“I authorize the Social Security Administration (SSA) to verify and disclose to [Name of Financial Institution] through [Name of Service Provider, (if applicable), their service provider] for the purpose of this transaction whether the name, Social Security Number (SSN) and date of birth I have submitted matches information in SSA records.”
A statement that the consent is for one-time use and the number of days the consent is valid. Refer to Sections IV.A.3 and 7 (eCBSV User Agreement, Page 9):
My consent is for a one-time validation within the next [number of days].
A means for satisfying intent to sign. Refer to Section IV.E.2 (eCBSV User Agreement, Page 12). As a reminder, one way to satisfy this requirement is to include the following statement along with providing an option to decline:
By [clicking the [SIGN/ I AGREE/I ACCEPT] button], you are signing the consent for SSA to disclose your SSN Verification to [Permitted Entity and/or Financial Institution]. You agree that your electronic signature has the same legal meaning, validity, and effect as your handwritten signature.
Putting it All Together – Compliant Examples
Static Consent and Intent to Sign Example
For written consent that includes a static purpose, Permitted Entities or Financial Institutions (when applicable) must satisfy the requirement to provide the purpose. Refer to Section IV.A.2 and III.A.9. (eCBSV User Agreement, Page 9).
Dynamic Consent and Intent to Sign Example
Phone Script with Dynamic Consent Example
Voice Consent Additional Guidance
Section IV.A.1.c. of the User Agreement (eCBSV User Agreement, Page 9), specifically requires the title of SSA’s Written Consent must be followed by the SSA-provided consent language. The Permitted Entity’s or, if applicable, Financial Institution’s agent is required to read aloud the Exhibit C header (that is, the customer rep must say “Authorization for the Social Security Administration to Disclose Your Social Security Number Verification”.
When reciting the Exhibit C consent template over the phone or in-person, a customer service representative can change the consent template from first person to second person.
“YOU authorize the Social Security Administration (SSA) to verify and disclose to [Name of Financial Institution] through [Name of Service Provider, (if one), their service provider] for the purpose of this transaction whether the name, Social Security Number (SSN) and date of birth YOU have submitted matches information in SSA records. YOUR consent is for a one-time validation within the next [number of days].”
The eCBSV User Agreement states Permitted Entities or, if applicable, Financial Institutions must use one of SSA’s forms of consent, but does not expressly prohibit these slight deviations. The Permitted Entity or Financial Institution may ultimately choose to alter the consent in the case of obtaining verbal consents. In an audit, this specific situation, where a customer service representative recites the Exhibit C consent language to a consumer/SSN holder using the second voice could be viewed as incorporating the consent language into the Financial Institutions existing electronic business process.
Putting it All Together – Non-compliant Examples
Missing Intent to Sign Example
The example immediately below uses the SSA Consent Template from Exhibit C of the eCBSV User Agreement but does not satisfy the intent to sign requirements (e.g., it does not have either the intent to sign statement or an option for the SSN holder to decline).
Non-compliant Consent Example
The example below uses a version of SSA’s Consent Template from Exhibit C of the eCBSV User Agreement, satisfies the intent to sign requirements by including the optional statement, and gives the SSN holder the option to decline. The consent language is incorporated into the business process; however, it does not reflect the language in Exhibit C of the User Agreement, and the example associates the request with identify verification. The eCBSV service does not verify or confirm identity (as stated in the header of the mockup), but instead verifies whether an individual’s name, date of birth, and SSN matches SSA’s records. Refer to Section II (eCBSV User Agreement, Page 3); see also Section IV.A.1.c. (eCBSV User Agreement, Page 9) and SSA Written Consent Template (eCBSV User Agreement, Page 28).