GAO Report Highlights Flaws in a System That’s Supposed to Reduce Synthetic Identity Theft: The System Must Be Fixed

    In June 2023, Jason Kratovil of SentiLink and Ryan Metcalf, then of Funding Circle US, published an OpEd, noting that the IRS and the Social Security Administration (SSA) are standing in the way of Congress’ innovative solutions to fight fraud and expand access to capital. One of those innovations came in June 2000 with the SSA’s launch of the electronic Consent Based SSN Verification (eCBSV). It is the eCBSV that is the subject of this blog. I will save the IRS’ IVES system for another day.

    The SSA’s eCBSV program began with a great promise to reduce fraud and speed up consumer transactions. Sadly, the program has withered on the vine, and the industry that wants to use this service has a lot of sour grapes.

    A new report from the GAO, which reviewed SSA’s efforts to implement and recover the cost of eCBSV, adds to the debate. SSA officials told the GAO that the SSA “did not plan to take significant steps to increase use of the service.”[i] If the SSA kept to the statutory vision created by Congress for the eCBSV and leaned into the public-private partnership that Congress envisioned, the program could be a game-changer for consumers and the businesses that serve them. It’s not too late to fix this.

    This blog makes several points. First, I discuss Congressional direction to reduce synthetic identity fraud. Second, I offer a fond recollection of when SSA wanted to partner with the private sector to make eCBSV work. Third, how SSA fumbled that work. Fourth, how eCBSV can still recover to benefit consumers and the businesses that serve them.

    Congressional direction to reduce synthetic identity fraud

    The growing crime of synthetic identity fraud

    Synthetic identity fraud is a significant source of identity crime. It’s a

    “a type of fraud that involves creating a fictional identity by combining real and fake personally identifiable information, such as an SSN, date of birth, and name. This fabricated identity is then used to defraud financial institutions, government agencies, individuals, or other entities. Unlike traditional identity fraud, which uses a real person’s identity, synthetic identity fraud creates a new, fictional identity to commit fraud, such as applying for a credit account or other benefit.”[ii]

    The Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN), financial institutions reported $182 million in suspicious activity associated with synthetic identity fraud in 2021.[iii]

    That number is expected to climb with the rapid advancement of criminal use of technology, including deep fakes and artificial intelligence.

    Don’t trust, verify

    Before opening an account for a consumer, a business needs first to understand who that consumer is and if she is who she claims to be.[iv] To meet legal mandates and business guidelines to verify consumers, “certain financial institutions must collect a customer’s name, date of birth, address, and [SSN]. Financial institutions may use a variety of methods and sources to meet these requirements, including third-party data for certain transactions.”[v]

    In response to the growing threat posed by synthetic identity fraud, Congress passed the Economic Growth, Regulatory Relief, and Consumer Protection Act (EGRRCPA) in 2018.[vi] This law included a section (Sec. 215) “to reduce the prevalence of synthetic identity fraud, which disproportionally affects vulnerable  populations, such as minors and recent immigrants.” Sec. 215(a). Congress directed SSA “to modify or create a database allowing financial institutions and other permitted entities to electronically verify an individual’s Social Security number (SSN), date of birth, and name from SSA in real time.”[vii]

    The SSA Takes Up Congress’ Challenges

    In 2018, SSA began developing the eCBSV service to meet Congressional demands and prevent synthetic identity fraud. This program took a while to develop. At its core, the program

    “is a computer connection system that allows computer systems operated by permitted entities to send verification requests to SSA’s computer systems and receive real-time matching results. Permitted entities must obtain an individual’s written consent, which may be obtained electronically, and use the service for the authorized purposes to verify whether the combination of SSN, date of birth, and name matches SSA records. The results provide a single ‘Yes’ or ‘No’ indicating whether all the data elements match. The results also indicate if the individual is deceased for each requested SSN.”

    Financial institutions can access eCBSV directly by paying a fee to SSA or through a third-party service provider that directly pays SSA for access to the service. For example, a financial institution that issues credit cards may use a service provider that pays for access to eCBSV to check if the identifying information of an applicant matches SSA’s records. The financial institution could then use the results in conjunction with other information to accept or decline the application. [viii]

    Congress required that the eCBSV system cannot be developed or run without the financial support of participating businesses.[ix] This novel approach allowed for businesses and the agency to work together to solve a problem without saddling taxpayers with all the costs. However, somewhere along the way, the SSA lost its way.

    Along with many colleagues, I sat through countless, lengthy, and sometimes massive meetings with SSA staff to help educate the agency on the business community’s needs and how the agency can best protect consumers. At the start, many of these meetings were productive. Businesses have a vested interest in preventing fraud since they often eat the costs of that fraud. It seemed SSA was a willing partner for a time, but things went off track.

    SSA’s Office of Data Exchange and International Agreements began developing a new verification service, known as eCBSV. SSA began accepting applications for a pilot limited to 10 users in July 2019 and launched the service to pilot participants in June 2020. In February 2022, SSA opened enrollment of eCBSV to all permitted entities, which the authorizing legislation defined as financial institutions, service providers, subsidiaries, affiliates, agents, subcontractors, or assignees of a financial institution.

    In July 2019, SSA began accepting applications “for a pilot limited to ten users and launched the service to pilot participants in June 2020. In February 2022, SSA opened enrollment of eCBSV to all permitted entities, which the authorizing legislation defined as financial institutions, service providers, subsidiaries, affiliates, agents, subcontractors, or assignees of a financial institution.”[x]

    The businesses that support the eCBSV and the members of Congress who launched the system into law now question the eCBSV’s financial viability and its effectiveness in reducing synthetic identity fraud.

    The SSA Fumbles Congress’ Challenge

    In testimony before a House Ways and Means Committee hearing in 2023, Katie Wechsler, co-executive director of the Consumer First Coalition, said: “I do not say this lightly: the eCBSV system is at risk of collapse if changes are not made.”[xi]

    Costs are too high and are opaque

    Costs skyrocketed, and business participation dropped. While SSA noted cost overruns, GAO “could not pinpoint specific explanations for overestimates in recent years because SSA’s documentation did not include sufficient detail.” Further, “SSA’s guidance on developing cost estimates for IT investments and reimbursable agreements did not fully incorporate key steps and best practices for developing reliable estimates.”[xii] Sadly, the GAO found limited communication with and transparency for the businesses that want the eCBSV to work and which have invested millions of their own dollars to make the system happen.[xiii]

    We are now stuck in a Catch-22. The Social Security Administration has jacked up costs to cover a flawd service, which drives down participation in the eCBSV system, which means that the SSA needs more revenue to run the system.

    For businesses that need to verify consumers, “eCBSV is a valuable resource because it [and the SSA] is an authoritative source for validating identifying information.” But, fees are high, “nonmatching results that can be challenging to interpret, and…consent requirements…are a disincentive for wider adoption.”[xiv]

    The no-match returns limit usefulness

    The binary yes/no match limits eCBSV’s usefulness. A “No” response could indicate fraud, but it could also be the result of a data entry error or an alternative name or alias that does not match SSA’s records.[xv]

    The consent requirements are nonsensical

    The written consent requirement SSA instituted is difficult or impossible to integrate into a point-of-sale system, especially where the financial institution might not be known at the time of sale, like in an auto transaction. Adding one more form for a consumer injects unnecessary friction and may deter consumers from completing the transaction.[xvi]

    The eCBSV system can be fixed

    The business community wants a fast, efficient eCBSV system, and it is willing to pay for it. However, the eCBSV system needs to be reformed. Congress, which required the system, sees flaws in implementation. In November 2023, the U.S. House Committee on Appropriations issued a report to accompany H.R.5894, the bill to fund the Departments of Labor, Health and Human Services, and Education, and related agencies for FY 2024. Page 230 of the report contains a provision on the SSA’s eCBSV: “The Committee encourages SSA to restructure eCBSV user fees in a manner that does not discourage permitted entities from utilizing the system and in a manner that does not seek to recover costs before such time as required by law.”

    To help reduce synthetic identity theft, changes to the eCBSV system are needed. Most of these changes were laid out nicely by Katie Wechsler in her 2023 Congressional testimony and remain relevant still considering the GAO report.

    • Costs. The SSA must be more transparent in sharing operational information and cost projections. Further, the cost recovery timeframe should be extended for ten years. Spreading out the system’s costs will increase participation.
    • No-match results. “SSA should explore ways to provide further detail on a no-match result. It is impossible to determine, based on that result alone, if there is synthetic identity fraud. Data shows that roughly 40 percent of the no-match results are fraud, while the rest are typos or another benign issue. Enhancements to the technology of the system and additional granularity, all while protecting consumers’ privacy and data, are worth exploring. This could significantly improve the usefulness of the system and attract more users.”
    • Consent. Providing greater flexibility in the consent requirements will increase business use of eCBSV. One way to fix this is to allow financial institutions to include the written consent language in existing credit application terms and conditions.
    • Expanded use of eCBSV. “SSA should consider how else ECBSV could be used. Other entities in both the public and private sector[s] may find this system worthwhile.” Consumers are counting on businesses and their government to help prevent fraud. We all have a vested interest in making sure that eCBSV works. This system can be what Wechsler called “a model of good government and public- private collaboration. If it fails, the only people that benefit are criminals.”

    Synthetic identity theft is bad and getting worse. Too much is at stake to mess this up.

    Eric J. Ellman's avatar

    Eric J. Ellman

    [i] General Accountability Office, Social Security Administration: Actions Needed to Help Ensure Success of Electronic Verification Service, GAO-24-106770 (Sept. 2024), Highlights.

    [ii] Id., 4. See also, What is Synthetic Identity Fraud?, LexisNexis Risk Solutions.

    [iii] U.S. Dep’t. of the Treasury, Financial Crimes Enforcement Network, Financial Trends Analysis, Identity-Related Suspicious Activity: 2021 Threats and Trends (Vienna, VA: Jan. 2024). See also, Fed. Reserve, Synthetic Identity Fraud in the U.S. Payment System A Review of Causes and Contributing Factors (July 2019); Fed. Reserve, Mitigating Synthetic Identity Fraud in the U.S. Payment System (July 2020).

    [iv] ‘If we can’t be sure when interacting that someone is who they purport to be, where are we?’ said James G. Huse Jr., the Social Security Administration’s inspector general [in the wake of the Sept. 11 attacks when hijackers used fake SSNs and other fraudulent IDs].” Robert O’Harrow Jr. and Jonathan Krim, National ID Card Gaining Support, Wash. Post, Dec. 7, 2001, A1 (quoting James Huse, Inspector General of the Social Security Administration).

    [v] GAO-24-106770, 6.

    [vi] Pub. L. 115-174.

    [vii] Id., 1.

    [viii] Id., 7-8.

    [ix] Id., 8 (citing 42 U.S.C. §§  405b(h)(1), 405b(h)(2)).

    [x] Id., 7.

    [xi] Hearing on Social Security Administration’s Role in Combating Identity Fraud before the Subcomm. on Social Security of the H. Comm. on Ways & Means, 118th Cong. (2023) (statement of Katie Wechsler), Serial No. 118–SS02 (May 24, 2023).

    [xii] Id., 12-13.

    [xiii] Id., 28-30.

    [xiv] Id., 30.

    [xv] Id., 32.

    [xvi] Id., 32-35.

    Eric J. Ellman