Today, the U.S. Department of Commerce’s National Technical Information Service (NTIS) put into effect a certification program required for any person or entity seeking to access information during the three-year period following an individual’s death on the Social Security Death Master File (DMF) (recent DMF data), as required by Section 203 of the Bipartisan Budget Act of 2013 (Act). By publishing an Interim Final Rule (IFR) today, without formal notice and comment, together with a certification form and subscriber and licensing agreements that carry significant penalties if willfully false, NTIS has created uncertainty among entities that use the DMF for legitimate anti-fraud and other business purposes.
The IFR sets forth temporary requirements to become a certified person, provides that certified persons will be subject to periodic and unscheduled audits, and provides for the imposition of penalties upon any person who discloses or uses DMF information in a manner not in accordance with the Act. In addition, fees will be charge for the certification program.
To become certified, an entity must:
- Have a legitimate fraud prevention or business purpose pursuant to a law, government rule, regulation or fiduciary duty for accessing recent DMF data and state the specific basis on the certification form. In the IFR, NTIS clarified that use of the DMF by life insurers to ensure payment of valid death claims to proper beneficiaries is a certifiable purpose;
- Have systems, facilities and procedures in place to safeguard DMF information, and have experience in maintaining the confidentiality, security and appropriate use of such information, pursuant to requirements similar to section 6103(p)(4) of the Internal Revenue Code of 1986 (IRC) and agree to satisfy the requirements of IRC 6103(p)(4) “as if such section applied to” that person. IRC 6103(p)(4) is a principles-based regulation designed to ensure the confidentiality of IRS information provided to federal, state and local agencies, their agents and contractors in the private sector, and requires entities to design systems “to the satisfaction of the” IRS Commissioner. Previously most DMF users, including the life insurance industry, have not been required to address compliance with IRC 6103(p)(4). Primary guidance on the application of IRC 6103(p)(4) to the private sector is found in a 159-page Publication 1075 issued by the IRS in January 2014 that contains detailed provisions applicable to the protection of tax information. How the NTIS will interpret this guidance, including its penalty provisions, and apply it to users of the DMF is unclear;
- Agree to inform NTIS of all subsequent value-added products that are created using recent DMF data; and
- Agree not to make recent DMF data in any form available to any person who does not meet the requirements to be a certified person in the IFR at 15 CFR § 1110.102.
The issuance of the IFR will be followed this weekend by the first meeting of the Unclaimed Life Insurance Benefits (A) Working Group of the National Association of Insurance Commissioners (NAIC) – a long overdue response by state insurance regulators to the industry’s request for guidance on the required use of the DMF in processing claims and unclaimed property practices. How the NAIC will respond to the DMF certification process remains to be seen.
In a subsequent Legal Alert, Sutherland will present any significant developments from the NAIC Unclaimed Life Insurance Benefits (A) Working Group meeting.