[Congressional Bills 115th Congress]
[From the U.S. Government Publishing Office]
[H.R. 5192 Referred in Senate (RFS)]

<DOC>
115th CONGRESS
  2d Session
                                H. R. 5192


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             April 18, 2018

     Received; read twice and referred to the Committee on Finance

_______________________________________________________________________

                                 AN ACT


 
      To authorize the Commissioner of Social Security to provide 
 confirmation of fraud protection data to certain permitted entities, 
                        and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Protecting Children from Identity 
Theft Act''.

SEC. 2. REDUCING IDENTITY FRAUD.

    (a) Purpose.--The purpose of this section is to reduce the 
prevalence of synthetic identity fraud, which disproportionally affects 
vulnerable populations, such as minors and recent immigrants, by 
facilitating the validation by permitted entities of fraud protection 
data, pursuant to electronically received consumer consent, through use 
of a database maintained by the Commissioner.
    (b) Definitions.--In this section:
            (1) Commissioner.--The term ``Commissioner'' means the 
        Commissioner of the Social Security Administration.
            (2) Financial institution.--The term ``financial 
        institution'' has the meaning given the term in section 509 of 
        the Gramm-Leach-Bliley Act (15 U.S.C. 6809).
            (3) Fraud protection data.--The term ``fraud protection 
        data'' means a combination of the following information with 
        respect to an individual:
                    (A) The name of the individual (including the first 
                name and any family forename or surname of the 
                individual).
                    (B) The Social Security account number of the 
                individual.
                    (C) The date of birth (including the month, day, 
                and year) of the individual.
            (4) Permitted entity.--The term ``permitted entity'' means 
        a financial institution or a service provider, subsidiary, 
        affiliate, agent, contractor, or assignee of a financial 
        institution.
    (c) Efficiency.--
            (1) Reliance on existing methods.--The Commissioner shall 
        evaluate the feasibility of making modifications to any 
        database that is in existence as of the date of enactment of 
        this Act or a similar resource such that the database or 
        resource--
                    (A) is reasonably designed to effectuate the 
                purpose of this section; and
                    (B) meets the requirements of subsection (d).
            (2) Execution.--The Commissioner shall establish a system 
        to carry out subsection (a), in accordance with section 1106 of 
        the Social Security Act. In doing so, the Commissioner shall 
        make the modifications necessary to any database that is in 
        existence as of the date of enactment of this Act or similar 
        resource, or develop a database or similar resource.
    (d) Protection of Vulnerable Consumers.--The database or similar 
resource described in subsection (c) shall--
            (1) compare fraud protection data provided in an inquiry by 
        a permitted entity against such information maintained by the 
        Commissioner in order to confirm (or not confirm) the validity 
        of the information provided, and in such a manner as to deter 
        fraudulent use of the database or similar resource;
            (2) be scalable and accommodate reasonably anticipated 
        volumes of verification requests from permitted entities with 
        commercially reasonable uptime and availability; and
            (3) allow permitted entities to submit--
                    (A) one or more individual requests electronically 
                for real-time machine-to-machine (or similar 
                functionality) accurate responses; and
                    (B) multiple requests electronically, such as those 
                provided in a batch format, for accurate electronic 
                responses within a reasonable period of time from 
                submission, not to exceed 24 hours.
    (e) Certification Required.--Before providing confirmation of fraud 
protection data to a permitted entity, the Commissioner shall ensure 
that the Commissioner has a certification from the permitted entity 
that is dated not more than 2 years before the date on which that 
confirmation is provided that includes the following declarations:
            (1) The entity is a permitted entity.
            (2) The entity is in compliance with this section.
            (3) The entity is, and will remain, in compliance with its 
        privacy and data security requirements, as described in title V 
        of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.) and as 
        required by the Commissioner, with respect to information the 
        entity receives from the Commissioner pursuant to this section.
            (4) The entity will retain sufficient records to 
        demonstrate its compliance with its certification and this 
        section for a period of not less than 2 years.
    (f) Consumer Consent.--
            (1) In general.--Notwithstanding any other provision of law 
        or regulation, a permitted entity may submit a request to the 
        database or similar resource described in subsection (c) only--
                    (A) pursuant to the written, including electronic, 
                consent received by a permitted entity from the 
                individual who is the subject of the request; and
                    (B) in connection with any circumstance described 
                in section 604 of the Fair Credit Reporting Act (15 
                U.S.C. 1681b).
            (2) Electronic consent requirements.--For a permitted 
        entity to use the consent of an individual received 
        electronically pursuant to paragraph (1)(A), the permitted 
        entity must obtain the individual's electronic signature, as 
        defined in section 106 of the Electronic Signatures in Global 
        and National Commerce Act (15 U.S.C. 7006). Permitted entities 
        must develop and use an electronic signature process in 
        accordance with all Federal laws and requirements as designated 
        by the Commissioner.
            (3) Effectuating electronic consent.--No provision of law 
        or requirement, including section 552a of title 5, United 
        States Code, shall prevent the use of electronic consent for 
        purposes of this subsection or for use in any other consent 
        based verification under the discretion of the Commissioner.
    (g) Compliance and Enforcement.--
            (1) Audits and monitoring.--
                    (A) In general.--The Commissioner--
                            (i) shall conduct audits and monitoring 
                        to--
                                    (I) ensure proper use by permitted 
                                entities of the database or similar 
                                resource described in subsection (c); 
                                and
                                    (II) deter fraud and misuse by 
                                permitted entities with respect to the 
                                database or similar resource described 
                                in subsection (c); and
                            (ii) may terminate services for any 
                        permitted entity that prevents or refuses to 
                        allow the Commissioner to carry out the 
                        activities described in clause (i) and may 
                        terminate or suspend services for any permitted 
                        entity as necessary to enforce any violation of 
                        this section or of any certification made under 
                        this section.
            (2) Enforcement.--
                    (A) In general.--Notwithstanding any other 
                provision of law, including the matter preceding 
                paragraph (1) of section 505(a) of the Gramm-Leach-
                Bliley Act (15 U.S.C. 6805(a)), any violation of this 
                section and any certification made under this section 
                shall be enforced in accordance with paragraphs (1) 
                through (7) of such section 505(a) by the agencies 
                described in those paragraphs.
                    (B) Relevant information.--Upon discovery by the 
                Commissioner of any violation of this section or any 
                certification made under this section, the Commissioner 
                shall forward any relevant information pertaining to 
                that violation to the appropriate agency described in 
                subparagraph (A) for evaluation by the agency for 
                purposes of enforcing this section.
    (h) Recovery of Costs.--
            (1) In general.--
                    (A) In general.--Amounts obligated to carry out 
                this section shall be fully recovered from the users of 
                the database or verification system by way of advances, 
                reimbursements, user fees, or other recoveries as 
                determined by the Commissioner. The funds recovered 
                under this paragraph shall be deposited as an 
                offsetting collection to the account providing 
                appropriations for the Social Security Administration, 
                to be used for the administration of this section 
                without fiscal year limitation.
                    (B) Prices fixed by commissioner.--The Commissioner 
                shall establish the amount to be paid by the users 
                under this paragraph, including the costs of any 
                services or work performed, such as any appropriate 
                upgrades, maintenance, and associated direct and 
                indirect administrative costs, in support of carrying 
                out the purposes described in this section, by 
                reimbursement or in advance as determined by the 
                Commissioner. The amount of such prices shall be 
                periodically adjusted by the Commissioner to ensure 
                that amounts collected are sufficient to fully offset 
                the cost of the administration of this section.
            (2) Initial development.--The Commissioner shall not begin 
        development of a verification system to carry out this section 
        until the Commissioner determines that amounts equal to at 
        least 50 percent of program start-up costs have been collected 
        under paragraph (1).
            (3) Existing resources.--The Commissioner of Social 
        Security may use funds designated for information technology 
        modernization to carry out this section, but in all cases shall 
        be fully reimbursed under paragraph (1)(A).
            (4) Annual report.--The Commissioner of Social Security 
        shall annually submit to the Committee on Ways and Means of the 
        House of Representatives and the Committee on Finance of the 
        Senate a report on the amount of indirect costs to the Social 
        Security Administration arising as a result of the 
        implementation of this section.

            Passed the House of Representatives April 17, 2018.

            Attest:

                                                 KAREN L. HAAS,

                                                                 Clerk.