SSA says it will offer data matches to government benefit programs

Douglas Sacha/Getty Images

The Social Security Administration offers data validation services for the financial services sector. It now says it plans to offer similar verification services to government benefit programs.

The Social Security Administration intends to offer social security number verification services to federal benefit programs, the agency’s chief information officer and deputy commissioner for systems Sean Brune told lawmakers during a Wednesday hearing. 

The agency currently does over 2 billion automated verifications annually through more than 3,500 data exchanges via electronic systems, but now the SSA wants to expand the ability of benefit programs to tap into identity validation services, Brune said at a House Ways and Means subcommittee hearing on combating identity fraud.

Data matches that confirm or deny if a given piece of identity information is true are an important part of identity verification processes and efforts to combat synthetic identity fraud. 

These matches have become even more important in the wake of public and private data leaks of identity information like social security numbers, said Brune. 

Now, “we intend to enable federal benefit programs to verify SSN directly or through other federal agencies using real time verification requests,” he said. “We understand the significant challenges associated with identity theft within both government and private sector. As long as the SSN remains key to assessing things about you or of value, the SSN itself will have commercial value and it will continue to be targeted for misuse.”

One major data-matching program at SSA, its electronic Consent Based Social Security Number Verification service, or eCBSV, is only available to financial institutions, for example. Congress directed the agency to create the program in 2018. Those financial institutions can use it to get an answer on whether a submitted name, birthday and social security number match SSA records. 

The move comes as the National Institute of Standards and Technology is working on voluntary guidance for how governments can offer attribute validation services,  a practice that Jeremy Grant — coordinator of the identity-focused trade group, the Better Identity Coalition, and managing director in the Technology and Innovation Group at Venable LLP —  has previously said is currently often confined to narrow, specific use cases.

Although Brune didn’t offer other details about the timeline or specifics of how this will work, Katie Wechsler, co-executive director of the financial services group Consumer First Coalition, did provide ideas for how to improve eCBSV, which she said will be necessary “for the viability of the program.”

Planned fee increases for the system could risk deterring users away, said Wechsler, who noted that SSA is upping feeds to try to meet a cost recovery timeline. She urged Congress and SSA to up that timeline. A notice of the fee increases in the Federal Register cites lower participation in the program than expected. 

Wechsler also said it would be useful for SSA to give more granular information beyond the yes/no answer.

Another thing to watch for: vulnerabilities in SSA’s own systems, said Jeffrey Brown, deputy assistant inspector general at SSA.

During the pandemic, “bad actors exploited some of SSA’s public-facing systems to validate SSNs and potentially use that information to commit identity fraud,” he said in his written testimony. “These incidents underscore the need for SSA to thoroughly evaluate applications for potential vulnerabilities— including the risk the applications could be misused for purposes for which they were not designed.”

Brown also wrote that since the start of fiscal 2021, the watchdog’s office has gotten over 41,000 allegations related to SSA’s eServices, “including fraud schemes that misuse or are facilitated by SSA’s online platforms,” like the agency’s mySocialSecurity hub where individuals can do things like manage benefits.

“It is critical SSA employ effective controls to obtain sufficient assurance users of its online services are who they claim to be,” he wrote.