Social Security Death Master File
Preparing and responding to new certification requirements
The current landscape of cybersecurity threats and fraudulent activity has driven the US federal government to place new controls on organizations requiring access to the Limited Access Death Master File (LADMF). The addition of an assessment by an independent third party presents new challenges and possible pitfalls to those entities using the Social Security Death Master File.
Aligning with new requirements
As third-party risk, cybersecurity, and identity fraud dominate the headlines, the US federal government recently enacted a new certification to create additional safeguards for entities requesting access to the Limited Access Death Master File. The LADMF is made available by the US Department of Commerce's National Technical Information Service (NTIS). The list includes all individuals with Social Security numbers whose deaths were reported to the Social Security Administration from 1936 to present. The LADMF has many practical uses that span industries such as insurance, banking, health care, public sector, and investment management.
The LADMF assists entities in assessing mortality to prevent or detect fraud and govern financial and other transactions. On November 28, 2016, the US government enacted rule 15 CFR Part 1110. The new rule requires that entities requesting access to the LADMF be assessed by an independent third party known as an accredited conformity assessment body (ACAB). An ACAB's role is to confirm that the entity has systems, facilities, and procedures in place to safeguard LADMF information. The requirement for an independent assessment of LADMF-related internal controls from a third party is a significant shift from the requirements under the interim rule published in March 2014. It is now imperative that entities requesting the Social Security Death Master Index take the appropriate steps to align with the new requirements.
Death Master File certification timetable
The LADMF underwent a series of revisions over the past several years. Prior to 2014, the LADMF was commercially available for download to any entity that paid the processing fee and demonstrated a legitimate business purpose. With the passage of the Bipartisan Budget Act of 2013, Congress empowered the Department of Commerce to develop a broad certification program to govern the receipt and maintenance of the LADMF. The interim rule established two main requirements: first, entities were required to annually self-certify that they had controls in place for receipt and maintenance of the LADMF; and second, entities were subject to scheduled and unscheduled audits from the NTIS with penalties levied for violation of the rule.
In December 2014, the NTIS published the LADMF Certification Program, which provides a framework and greater clarity regarding the controls on LADMF. On June 1, 2016, the final rule was published with an effective date of November 28, 2016. It maintains all provisions included under the interim rule with one significant addition: an independent assessment by an ACAB, to be performed once every three years. Under the final rule, entities seeking access to the Social Security Death Master File must engage an ACAB every three years to assess the controls they have in place to secure LADMF information.
Failure to comply
In the event entities are unable to fully satisfy the requirements under the new rule, their access to the LADMF will be revoked. This occurrence could have a dramatic impact on operations, including:
- Increased fraudulent transactions
- Inability to maintain accurate customer records
- Challenges identifying overpayments for repetitive payment obligations
- Non-compliance with abandoned property laws
- Failure to meet obligations prescribed by regulators
- Reputational damage
- Financial statement impact
Are you ready?
Given the precise nature of the LADMF control guidelines, organizations will likely identify gaps in their existing controls when compared with those prescribed by the NTIS. To achieve compliance with the new rule, organizations need to prepare by first conducting a readiness assessment. It's critical that any entity requesting access to the LADMF satisfy the requirements of the NTIS certification program. Failure to comply can lead to revocation of access to the LADMF, dramatically impacting an entity's operations by limiting its ability to prevent threats.
To learn more about how this new regulation impacts use of the Social Security Death Master Index, download the full PDF.