Supporting Statement 0596 Revised

Supporting Statement for

Request for Internet Services & 800# Automated Telephone Services

Knowledge-Based Authentication (RISA)

20 CFR 401.45 OMB No. 0960-0596

A. Justification

1. The Social Security Administration (SSA) collects this information by authority of the Privacy Act of 1974 at 5 U.S.C. Sub-section 552A (e)(10) which requires agencies to establish appropriate administrative, technical, and physical safeguards to insure the security and confidentiality of records. Also in the same Sub-section, (f)(2)&(3) requires agencies to establish requirements for identifying an individual who requests a record or information pertaining to that individual and to establish procedures for disclosure of personal information. SSA promulgated Privacy Act rules in the Code of Federal Regulations, Subpart B. Procedures for verifying identity are at 20 CFR 401.45. Authority to collect this information is also contained in Section 205(a) of the Social Security Act.

2. Electronic and automated telephone applications allow the public to establish their identity with SSA prior to allowing them access to personal information through screens over the Internet and through automated voice responses over the telephone. SSA must verify the requester’s identity by obtaining name, Social Security Number (SSN) and usually Date of Birth (DOB). We also may request mother’s maiden name, place of birth, gender, and other last name (if any). Depending on the individual’s current status in SSA’s records, we may also ask for the amount of the last payment, or the month of the last monthly payment. Answers to these questions are compared information contained in our records.

With the exception of the gender field, SSA uses the information collected exclusively to verify the identity of the requester. For most of these applications, the field for other last names is optional and SSA uses this information to match the person in cases where the person has changed their name (e.g., marriage) and not notified Social Security. Information on gender is collected for management information purposes and is optional.

SSA has established a process for verifying the identity of individuals who use the Internet to request information from SSA records, to make changes to SSA records, or to register with SSA in order to participate in SSA’s online business services. Successful verification of the individual may give him or her access to services such as:

• Change of Address and Telephone Number

• Benefit Verification (Proof of Income – POI Letter)

• Medicare Replacement Card

• Replacement Benefit Statements (SSA-1099/1042S)

• Social Security Statement

• Retirement Estimator (previously ARPI)

• Registration of Appointed Representatives

• Activation Process for the Federated ID

Respondents are current Social Security beneficiaries, individuals who are registering for SSA’s online business services, or the general public.

SSA has established a process for verifying the identity of individuals who use the 800# automated telephone services or speak to an agent to request information from SSA records or to make changes to SSA records, such as:

• Change of Address (TKCOA)

• Start or Change Direct Deposit (TKDD)

• Benefit Verification (Proof of Income – POI Letter)

• Request a Medicare Replacement Card (TKMRC)

• Replacement Benefit Statements (SSA-1099/1042S)

• Screen Splash Verification System (TKSS)

• SSI Monthly Wage Reporting

Respondents are current Social Security beneficiaries.

3. The Internet version of this collection is an automated process. The requester keys in identifying information, transmits it over the Internet to SSA, and the system compares the information to existing electronic records in real time. If the information keyed matches with SSA records, the requester will have access to proceed to additional screens to make his/her specific request.

The automated telephone version of this collection is also an automated process, which follows a similar process to the Internet version. However, in cases where the requestor wishes to speak with an agent, a new verification program called Screen Splash (TKSS) is used which requests specific information from the requestor (name, SSN, DOB, mother’s maiden name and place of birth) to verify their identities before they speak with the agent. Splash (TKSS) automatically displays this information on the computer screen of the agent prior to taking the requestor’s call.

Federated ID Pilot

SSA is currently engaging in a pilot to test the Federated ID eAuthentication Architecture with the SSA, the General Services Administration (GSA), and the Financial Services Technology Consortium (FSTC). This Federated ID Pilot entails integrating, in phases, SSA's internet applications into the eAuthentication's federated environment. In this environment, SSA's electronic applications are, and will be, accessible via SSA's Access Control Utility (ACU). Individuals will authenticate using a valid, approved, third-party credential (User ID and Password) before gaining access to SSA's internet applications through the ACU.

When an authenticated individual comes to SSA using a particular approved third-party credential for the first time, SSA needs to bind that combination of person and credential to the appropriate SSA record. This is a one-time process called Activation which within the ACU. As soon as the individual comes to the SSA site, we will ask for the first five numbers of his/her SSN. Using the SSN, we will compare the name and date of birth provided from Credential Service Provider via a Secure Access Markup Language (SAML) assertion to the Numerical Identification System (NUMIDENT) using tolerances. The tolerances used in the activation process are different from the tolerances used for authentication. If the information we receive is a match, the ACU activates the individual to use that credential for authentication and access to appropriate level SSA applications.

We expect this pilot to terminate in mid fiscal year 2009.

4. The information collected through these electronic processes has already been collected and posted to SSA’s master electronic records, however; we ask for the information again for comparison and verification. There currently is no existing alternative means of SSA’s verifying identity when the request is user-initiated over the Internet or the telephone.

5. This collection does not affect small businesses or other small businesses entities.

6. If SSA is unable to verify the requester’s identity, we would not be able to respond to the requests. In addition, since SSA collects this information on an as needed basis, we cannot collect it less frequently. There are no technical or legal obstacles that prevent burden reduction.

7. There are no special circumstances that would cause SSA to conduct this information collection in a manner inconsistent with 5 CFR 1320.5.

8. The 60-day advance Federal Register Notice published on March 23, 2009, at 74 FR 12170, and SSA received no public comments. The second Notice published on June 25, 2009, at 74 FR 30353. SSA did not consult members of the public in the development of this form.

9. SSA does not provide payment or gifts to the respondents.

10. SSA protects and holds confidential the information it collects in accordance with 42 U.S.C. 1306, 20 CFR 401 and 402, 5 U.S.C. 552 (Freedom of Information Act), 5 U.S.C. 552a (Privacy Act of 1974), and OMB Circular No. A-130.

11. The information collection does not contain any questions of a sensitive nature.

12. We estimate that 3,357,503 requestors annually will use the Internet screens to submit identification/verification information and that it will take 1 ½ minutes to answer the questions, resulting in an annual reporting burden of 83,938 hours. We estimate that it will take 24,171,867 requestors 1 ½ minutes to answer the questions via the Telephone verification, resulting in an annual reporting burden of 604,297 hours. The total annual burden hours for both the Internet and the telephone versions are 688,235.

Forms	Number of Respondents	Frequency of Response	Average Burden Per Response	Burden Hours
Internet Requestors	3,357,503	1	1 ½ Minutes	83,938
Telephone Requestors	24,171,867	1	1 ½ Minutes	604,297
Totals:	27,529,370			688,235

This clearance request covers questions asked to authenticate the identity of users performing the following tasks.

• Request for a Social Security Statement (0960-0466)

• Request for Electronic Benefit Verification via Proof of Income Letter

(0960-0595)

• Request for a Replacement SSA-1099/SSA-1042S Social Security Benefits Statement (0960-0583)

• Change of Address and Telephone Number

• Request for a Medicare Replacement Card

• Access to Retirement Estimator

• Registration of Appointed Representatives

• Start or Change Direct Deposit

• SSI Monthly Wage Reporting (covered under a separate OMB Clearance 0960-0618, but is part of ACU)

• Responding to Screen Splash Questions

• Activation Process for the Federated ID

The burden to answer the authentication questions for the Social Security Statement, the Proof of Income Letter, and the SSI Monthly Wage Reporting information collections is included in separate OMB clearance numbers (shown above). The burden to answer the authentication questions for the Internet version of the Replacement 1099 information collection is included under a separate OMB clearance; however, we do count respondents for the Telephone version. Although these applications do use Knowledge-Based Authentication, we have not included the burden hours for these collections in this request. Thus, we are not duplicating Respondent counts.

13. There is no known cost burden to the respondents.

14. The annual cost to the Federal Government is approximately $152,000. This estimate is a projection of the costs for collecting the information, and the costs for updating and maintaining the systems.

15. The large increase in the number of respondents and burden hours is due to the increased usage of the SSA website www.ssa.gov by the public and the addition of the 800# automated telephone services, including the Screen Splash verification system for requestors who wish to speak with agents. The increase in number of respondents and burden hours may due to the addition of two new internet processes, the Retirement Estimator and Registration of Appointed Representatives.

16. SSA will not publish the results of the information collection.

17. OMB exempted SSA from the requirement to print the OMB approval expiration date on its program forms. SSA produces millions of public-use forms, many of which have a life cycle longer than that of an OMB approval. SSA does not periodically revise and reprint its public-use forms (e.g., on an annual basis). OMB granted this exemption so the agency would not have to discontinue using otherwise useable editions of forms with outdated expiration dates. In addition, SSA avoids Government waste, because we will not have to destroy and reprint stocks of forms.

18. SSA is not requesting an exception to the certification requirements at 5 CFR 1320.9 and related provisions at 5 CFR 1320.8(b)(3).

B. Collection of Information Employing Statistical Methods

SSA is not using statistical methods for this information collection.