[Federal Register Volume 80, Number 186 (Friday, September 25, 2015)]
[Notices]
[Pages 57902-57906]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2015-24477]
=======================================================================
-----------------------------------------------------------------------
SMALL BUSINESS ADMINISTRATION
DEPARTMENT OF HOMELAND SECURITY
Federal Emergency Management Agency
Privacy Act; Computer Matching Agreement
I. Introduction
The Small Business Administration (SBA) and the Department of
Homeland Security, Federal Emergency Management Agency (DHS/FEMA) have
entered into this Computer Matching Agreement (Agreement) pursuant to
section (o) of the Privacy Act of 1974 (5 U.S.C. 552a), as amended by
the Computer Matching and Privacy Protection Act of 1988 (Pub. L. 100-
503), and as amended by the Computer Matching Privacy Protection Act
Amendments of 1990 (Pub. L. 101-508, 5 U.S.C. 552a(p) (1990)). For
purposes of this Agreement, both SBA and DHS/FEMA are the recipient
agency and the source agency as defined in 5 U.S.C. 552a(a)(9) and
(11). For this reason, the financial and administrative
responsibilities will be evenly distributed between SBA and DHS/FEMA
unless otherwise set forth in this agreement.
II. Purpose and Legal Authority
A. Purpose of the Matching Program
The purpose of this Agreement is to establish a framework and
procedures governing the Computer Matching program between SBA and DHS/
FEMA. The Computer Matching program seeks to ensure that applicants for
SBA Disaster Loans and DHS/FEMA Individuals and Households Program,
which provides Other Needs Assistance (ONA) and Housing Assistance
(HA), do not receive a duplication of benefits for the same disaster.
This will be accomplished by matching specific DHS/FEMA disaster
applicant data with SBA disaster loan application and decision data for
a declared disaster, as set forth in this Agreement.
B. Legal Authority
SBA's legal authority for undertaking its disaster loan program
without duplicating benefits is contained in section 7(b)(1) of the
Small Business Act (15 U.S.C. 636 (b)(1). DHS/FEMA's legal authority
contained at Sec. 312(a) of the Robert T. Stafford Disaster Relief and
Emergency Assistance Act (42 U.S.C. 5155), mandates DHS/FEMA not to
duplicate assistance provided by another agency or similar source.
SBA is allowed to share information with DHS/FEMA pursuant to
routine uses (f) and (g) of SBA-020 Disaster Loan Case Files system of
records, 74 FR 14911 (April 1, 2009). DHS/FEMA is allowed to share
information with SBA pursuant to routine uses H.1. and R. of DHS/FEMA-
008 Disaster Recovery Assistance Files, 78 FR 25282 (April 30, 2013)
(DHS/FEMA-008 SORN). The Computer Matching and Privacy Protection Act
of 1988 (Pub. L. 100-503), as amended, (5 U.S.C. 552a(o)-(u))
establishes procedural requirements for agencies to follow when
engaging in computer-matching activities.
III. Justification and Expected Results
A. Justification
As required by law, SBA and DHS/FEMA will not provide duplicative
disaster assistance to individuals, and businesses including Private-
Not-for Profits (PNPs) for the same disaster. To accomplish this, SBA
and DHS/FEMA will participate in a computer-matching program to share
data and financial/benefits award decisions of individuals, businesses
and/or other entities to prevent duplicative aid from being provided in
the same disaster declaration.
It is also recognized that the programs covered by this Agreement
are part of a Government-wide initiative, Executive Order 13411--
Improving Assistance for Disaster Victims (August 29, 2006). This order
mandates DHS/FEMA to identify and prevent duplication of benefits
received by individuals, businesses, or other entities for the same
disaster. That initiative and this matching program are consistent with
Office of Management and Budget (OMB) guidance on interpreting the
provisions of the Computer Matching and Privacy Protection Act of 1988,
54 FR 25818 (June 19, 1989); and OMB Circular A-130, Appendix I,
``Federal Agency Responsibilities for Maintaining Records about
Individuals.''
B. Expected Results
The matching program is to ensure that benefits provided to
disaster survivors by DHS/FEMA and SBA are not duplicated. By way of
the DHS/FEMA disaster registration identification (ID) number, DHS/FEMA
and SBA are able to identify the applications received from mutual DHS/
FEMA and SBA disaster survivors. By the nature of the sequence of
delivery as outlined in FEMA Regulation, 44 CFR 206.191, survivors that
register with DHS/FEMA for possible grant assistance, and meet SBA's
minimum income requirements, are automatically referred to SBA for
possible loan assistance. For example, DHS/FEMA received 548,953
registrations in response to hurricane Sandy, and referred 241,282 of
those registrations to SBA. More recently, in FY 2013 and 2014, DHS/
FEMA received 775,089 registrations and referred 337,619 registrations
to SBA. The computer match will also reveal instances where the same
disaster survivor has submitted applications to both DHS/FEMA and SBA,
which could result in a duplication of benefits. Since FY 2010,\1\ the
use of the CMA has identified 224,878 instances where the same disaster
survivor submitted applications to both agencies, a yearly average of
40,157. Over that same period, SBA approved 83,313 loans to homeowners
and renters, who also received assistance from FEMA. This is a yearly
average of 14,877 files identified with a potential DOB.
---------------------------------------------------------------------------
\1\ The SBA data period is from October 1, 2009 through May 11,
2015.
---------------------------------------------------------------------------
IV. Records Description
A. Systems of Records and Estimated Number of Records Involved
DHS/FEMA accesses records from its Disaster Recovery Assistance
Files system of records, as provided by the DHS/FEMA-008 SORN, through
its National Emergency Management Information System-Individual
Assistance (NEMIS-IA), and matches them to the records that SBA
provides from its SBA-020 Disaster Loan Case Files, 74 FR 14911 (April
1, 2009) system of records. SBA uses its Disaster Credit Management
System (DCMS) to access records from its Disaster Loan Case Files
system of records, and match them to the records that DHS/FEMA provides
from its Disaster Recovery Assistance Files system of records. Under
this agreement, DHS/FEMA and SBA exchange data to: (1) Check for
initial registrations, (2) check for the duplication of benefits, and
(3) update the SBA Loan Status.
A definitive answer cannot be given as to how many records will be
matched as it will depend on the number of individuals, businesses or
other entities that suffer damage from a declared disaster and that
ultimately apply for Federal disaster aid.
[[Page 57903]]
B. Description of the Match
The three types of match processes, for initial registration,
duplication of benefits, and status updates, are described below.
1. DHS/FEMA-SBA Automated Import/Export Process for Initial
Registrations.
a. SBA is the recipient (i.e. matching) agency. SBA will match
records from its Disaster Loans Case Files system of records, as
identified in Section II.B, applications and information accessed via
the DCMS, to the records extracted and provided by DHS/FEMA from its
DHS/FEMA Disaster Recovery Assistance Files system of records, as
identified in Section II.B.
b. DHS/FEMA will provide SBA the data elements identified in the
current NEMIS-IA Disaster Assistance Improvement Program (DAIP)
Interface Control Document (ICD) (See Appendix A), which includes but
is not limited to the following information: Applicant's FEMA
Registration ID Number; applicant's personally identifiable
information, which includes name, address, social security number, and
date of birth; damaged property information; insurance policy data;
property occupant data; vehicle registration data; and flood zone and
flood insurance data.
c. SBA will conduct the match using the FEMA Disaster ID number,
FEMA Registration ID number, Product (Home/Business) and Registration
Occupant Social Security number (SSN) to create a New Pre-Application.
The records SBA receives are of DHS/FEMA applicants who are referred to
SBA for disaster loan assistance. Controls on the DHS/FEMA export of
data are in place to ensure that SBA only receives unique and valid
referral records.
d. When SBA matches its records to those provided by DHS/FEMA, two
types of matches are possible: A full match and a partial match. A full
match exists when an SBA record matches a DHS/FEMA record on each of
the following data fields: FEMA Disaster ID number, FEMA Registration
ID number, Product (Home/Business), and Registration Occupant Social
Security Number (SSN). A partial match exists when an SBA record
matches a DHS/FEMA record on one or more, but not all of the data
fields listed above. If an exact (full) match is found among SBA
records for the current imported record, the current record is
automatically marked as a duplicate by the system with appropriate
comments inserted to indicate the corresponding record that matched. If
a partial match is found during the import process, the record is
routed for manual examination, investigation, and resolution to
determine whether it is truly a duplicate record.
2. DHS/FEMA-SBA Duplication of Benefits Automated Match Process:
a. Both DHS/FEMA and SBA will act as the recipient (i.e. matching)
agency. SBA will extract and provide to DHS/FEMA data from its Disaster
Loans Case Files system of records, as identified in Section II.B., and
accessed via the DCMS. DHS/FEMA will match the data SBA provides to
records in its Disaster Recovery Assistance Files system of records, as
identified in Section II.B., accessed through NEMIS-IA, via the FEMA
Registration ID number. SBA will issue a data call to DHS/FEMA
requesting that DHS/FEMA return any records for which NEMIS-IA found a
match. For each match found, DHS/FEMA sends all of its applicant
information that it collects during the registration process to SBA so
that SBA may match these records with its registrant data in the DCMS.
SBA's DCMS manual process triggers an automated interface to query
NEMIS-IA, using the FEMA Registration ID number as the unique
identifier.
b. DHS/FEMA will return the following fields for the matching DHS/
FEMA record, if any: FEMA Disaster Number; FEMA Registration ID number;
applicant and if applicable, co-applicant name; damaged dwelling
address, phone number, SSN, damaged property data, insurance policy
information, contact address (if different from damaged dwelling
address), flood zone and flood insurance data, FEMA Housing Assistance
and Other Needs Assistance data, program, award level, eligibility,
inspection data, verification of ownership and occupancy, and approval
or rejection data. DHS/FEMA will return no result when the FEMA
Registration ID number is not matched.
c. For each matching record received from DHS/FEMA, SBA determines
whether DHS/FEMA assistance duplicates SBA loan assistance. If SBA loan
officers determine that there is a duplication of benefits, the
duplicated amount is deducted from the eligible SBA loan amount.
3. DHS/FEMA-SBA Status Update Automated Match Process:
a. DHS/FEMA will act as the recipient (i.e. matching) agency. DHS/
FEMA will match records from its Disaster Recovery Assistance Files
system of records, as identified in Section II.B., to the records
extracted and provided by SBA from its Disaster Loans Case Files system
of records, as identified in Section II.B. The purpose of this process
is to update DHS/FEMA applicant information with the status of SBA loan
determinations. The records provided by SBA will be automatically
imported into NEMIS-IA to update the status of existing applicant
records. The records DHS/FEMA receives from SBA are of DHS/FEMA
applicants who were referred to SBA for disaster loan assistance.
Controls on the SBA export of data are in place to ensure that DHS/FEMA
only receives unique and valid referral records.
b. SBA will provide to DHS/FEMA information and data, including but
not limited to the following: Personal information about SBA
applicants, including name, damaged dwelling address, and SSN;
application data; loss to personal property data; loss mitigation data;
SBA loan data; and SBA event data. DHS/FEMA will conduct the match
using FEMA Disaster Number and FEMA Registration ID number.
c. Loan data for matched records will be recorded and displayed in
NEMIS-IA. Loan data will also be run through NEMIS-IA business rules;
potentially duplicative categories of assistance are sent to FEMA's
Program Review process for manual evaluation of any duplication of
benefits. If FEMA review staff determines that there is a duplication
of benefits, the duplicated amount is deducted from the eligible award.
FEMA applicants receive a letter that indicates the amount of their
eligible award and their ability to appeal.
C. Projected Starting and Completion Dates
This Agreement will take effect 40 days from the date copies of
this signed Agreement are sent to both Houses of Congress or 30 days
from the date the Computer Matching Notice is published in the Federal
Register, whichever is later, depending on whether comments are
received which would result in a contrary determination (Commencement
Date). SBA is the agency that will:
1. Transmit this Agreement to Congress.
2. Notify OMB.
3. Publish the Computer Matching Notice in the Federal Register.
4. Address public comments that may result from publication in the
Federal Register.
Matches under this program will be conducted for every Presidential
disaster declaration and will continue for as long as this agreement,
including any renewals, remains in effect.
V. Notice Procedures
A. DHS/FEMA Recipients
FEMA Form 009-0-1 ``Application/Registration for Disaster
Assistance,''
[[Page 57904]]
Form 009-0-3 ``Declaration and Release'' (both part of OMB ICR No.
1660-0002), and various other forms used for financial assistance
benefits immediately following a declared disaster, use a Privacy Act
statement, see 5 U.S.C. 552a(e)(3), to provide notice to applicants
regarding the use of their information. The Privacy Act statements
provide notice of computer matching or the sharing of their records
consistent with this Agreement. The Privacy Act statement is read to
call center applicants and is displayed and agreed to by Internet
applicants. Also, FEMA Form 009-0-3 requires the applicant's signature
in order to receive financial assistance. Additionally, FEMA/DHS gives
public notice via its Disaster Assistance Improvement Program Privacy
Impact Assessment and in its system of records notice identified in
Section II.B.
B. SBA Recipients
SBA Forms 5 ``Disaster Business Loan Application,'' 5C ``Disaster
Home Loan Application,'' and the Electronic Loan Application (ELA)
include a Privacy Act statement that provides notice that SBA may
disclose personal information under a published ``routine use,'' as
permitted by law. SBA's published system of records notice, identified
in Section II. B), provides notice that a computer match may be
performed to share information with another Federal agency in
connection with the issuance of a grant, loan or other benefit. In
addition, the Privacy Act requires that a copy of each CMA entered into
with a recipient agency shall be available upon request to the public.
VI. Verification Procedure
A. DHS/FEMA-SBA Automated Import/Export Process for Initial
Registrations
The matching program for the initial contact information for
individuals and businesses will be accomplished by mapping applicant
data for DHS/FEMA NEMIS-IA fields described earlier to the DCMS
application data fields. During the automated import process, a
computer match is performed against existing DCMS applications as
described in Section IV.B.1.
If the applicant's data does not match an existing pre-application
or application in the SBA's DCMS, then the applicant's data will be
inserted into DCMS to create a new pre-Application. An SBA application
for disaster assistance may be mailed to the registrant.
If the applicant's data does match an existing pre-application or
application in SBA's DCMS, it indicates that there may be an existing
pre-application/application for the applicant in the DCMS. If there is
an exact match, the system will insert the record within the SBA's DCMS
but will identify it as a duplicate with appropriate comments inserted
to indicate the corresponding record that matched. If there is a
partial match, the system will insert the record within the SBA's DCMS
but will identify it as a potential duplicate. The record is then
further reviewed by SBA employees to determine whether the data
reported by the DHS/FEMA applicant is a duplicate of previously
submitted registration data. Only one of the applications is kept for
processing and the other duplicate pre-applications or applications
will not be processed.
B. DHS/FEMA-SBA Duplication of Benefits Automated Match
The matching program is to ensure that recipients of SBA disaster
loans have not received duplicative benefits for the same disaster from
DHS/FEMA. The matching process begins by matching the DHS/FEMA
Registration ID number. If the data matches, specific to the
application or approved loan, SBA will then proceed with its manual
process to determine whether there is a duplication of benefits. Upon
determining that there is duplication of benefits, the dollar values
for the benefits issued by DHS/FEMA may reduce the eligible amount of
the disaster loan or may cause SBA loan proceeds to be used to repay
the grant program in the amount of the duplicated assistance.
DHS/FEMA and SBA are responsible for verifying the submissions of
data used during each respective benefit process and for resolving any
discrepancies or inconsistencies on an individual basis.
At SBA, the matching program for duplication of benefits will be
executed as part of loan processing and prior to each disbursement of
an approved SBA disaster loan. Any match indicating that there is a
possible duplicate benefit will be further reviewed by an SBA employee
to determine whether the DHS/FEMA grant monies reported by the
applicant or borrower are correct and matches the data reported by DHS/
FEMA. If there is a duplication of benefits, the amount of the SBA
disaster loan will be reduced accordingly and the applicant will be
provided written notice of the changes by processing a loan
modification to reduce the loan amount or, where appropriate, to repay
the DHS/FEMA grant program. The notice will provide the applicant with
an opportunity to apply for reconsideration of the loan modification
within six months of the date of the notice.
C. DHS/FEMA-SBA Status Update Automated Processes
For informational purposes, SBA sends DHS/FEMA loan status updates
as they occur and FEMA updates the loan records in NEMIS-IA based on
the loan information received.
D. Policies and Procedures Regarding A, B and C Above
Authorized users of both DCMS and DHS/FEMA NEMIS-IA will not make a
final decision to reduce or deny benefits of any financial assistance
to an applicant or take other adverse final action against such
applicant as the result of information produced by this matching
program until an employee of the agency taking such action has
independently verified such information and provided written notice to
the applicant with a statement of the findings and informing the
individual of the opportunity to respond or contest, along with the
expiration of the time to respond or contest.
VII. Retention of Matched Items
Pursuant to SBA document retention policy, SBA retains applicant
records in DCMS loan files, including records for matched items. DHS/
FEMA will retain records pursuant to the Retention and Disposal section
of DHS/FEMA--008 Disaster Recovery Assistance Files, 78 FR 25282 (Apr.
30, 2013).
VIII. Security Procedures
SBA and DHS/FEMA agree to the following information security
procedures:
A. Administrative
The privacy of the subject individuals will be protected by strict
adherence to the provisions of the Privacy Act of 1974 (5 U.S.C. 552a).
SBA and DHS/FEMA agree that data exchange and any records created
during the course of this matching program will be maintained and
safeguarded by each agency in such a manner as to restrict access to
only those individuals, including contractors, who have a legitimate
need to see them in order to accomplish the matching program's purpose.
Persons with authorized access to the information will be made aware of
their responsibilities pursuant to this Agreement.
B. Technical
DHS/FEMA will transmit the data (specified in this Agreement) to
SBA via the following process:
[[Page 57905]]
SBA will pull application data from DHS/FEMA Disaster Assistance
Center (DAC) via a web services based Simple Object Access Protocol
(SOAP), Extensible Markup Language (XML)/Hypertext Transfer Protocol
Secure (HTTPS) request. The data will be used to create applications
inside the Disaster Credit Management System. For each record, a
National Information Exchange Model (NIEM)-compliant response will be
sent back to FEMA DAC indicating success or failure for the transfer of
data. The SBA/DCMS to DHS/FEMA DAC export of referral data (specified
in this Agreement) will occur via a web services-based SOAP, XML/HTTPS
request.
The DHS/FEMA Duplication of Benefits Interface will be initiated
from the DCMS to the DHS/FEMA NEMIS-IA through a secured Virtual
Private Network tunnel, open only to SBA domain Internet Protocol
addresses. The results of the query are returned to the DCMS in real-
time and populated in the DCMS for delegated SBA staff to use in the
determination of duplication of benefits.
C. Physical
SBA and DHS/FEMA agree to maintain all automated matching records
in a secured computer environment that includes the use of authorized
access codes (passwords) to restrict access. Those records will be
maintained under conditions that restrict access to persons who need
them in connection with official duties related to the matching process
and grant and loan making processes.
IX. Records Usage, Duplication and Redisclosure Restrictions
SBA and DHS/FEMA agree to the following restrictions on use,
duplication, and disclosure of information furnished by the other
agency.
A. Records obtained for this matching program or created by the
match will not be disclosed outside the agency except as may be
essential to conduct the matching program, or as may be required by
law. Each agency will obtain the written permission of the other agency
before making such disclosure. See DHS/FEMA and SBA routine uses
provided in the systems of records notices identified in Section II.B.
B. Records obtained for this matching program or created by the
match will not be disseminated within the agency except on a need-to-
know basis, nor will they be used for any purpose other than that
expressly described in this Agreement.
C. Data or information exchanged will not be duplicated unless
essential to the conduct of the matching program. All stipulations in
this Agreement will apply to any duplication.
D. If required to disclose these records to a state or local agency
or to a government contractor in order to accomplish the matching
program's purpose, each agency will obtain the written agreement of
that entity to abide by the terms of this Agreement.
E. Each agency will keep an accounting of disclosure of an
individual's record as required by the Privacy Act (5 U.S.C. 552a(c))
and will make the accounting available upon request by the individual
or other agency.
X. Records Accuracy Assessments
DHS/FEMA and SBA attest that the quality of the specific records to
be used in this matching program is assessed to be at least 99%
accurate. The possibility of any erroneous match is extremely small.
In order to apply for DHS/FEMA assistance online via the DAC
portal, an applicant's name, address, SSN, and date of birth are sent
to a commercial database provider to perform identity verification. The
identity verification ensures that a person exists with the provided
credentials. In the rare instances where the applicant's identity is
not verified online or the applicant chooses, the applicants must call
one of the DHS/FEMA call centers to complete the registrations. The
identity verification process is performed again.
In order to apply for SBA's Disaster Loan Assistance online via
SBA's Electronic Loan Application (ELA) an applicant's name, address,
SSN, and date of birth and other information is sent to a commercial
database provider to perform identity verification. The identity
verification confirms that a person exists with the provided
credentials. In the rare instances where the online applicant's
identity cannot be verified electronically or if the applicant chooses,
the applicant must call SBA's Customer Service Center to complete the
online application. Once an application (electronic or paper) is
completed and submitted, the information is transmitted to the DCMS
system, where it is reviewed and processed by loan officers, who also
verify each applicant's identity.
XI. Comptroller General Access
The parties authorize the Comptroller General of the United States,
upon request, to have access to all SBA and DHS/FEMA records necessary
to monitor or verify compliance with this matching agreement. This
matching agreement also authorizes the Comptroller General to inspect
any records used in the matching process that are covered by this
matching agreement pursuant to 31 U.S.C. 717 and 5 U.S.C. 552a(b)(10).
XII. Duration of Agreement
The Agreement may be renewed, terminated or modified as follows:
A. Renewal or Termination
This Agreement will become effective in accordance with the terms
set forth in Section IV.C and will remain in effect for 18 months from
the commencement date. At the end of this period, this Agreement may be
renewed for a period of up to one additional year if the Data Integrity
Board of each agency determines within three months before the
expiration date of this Agreement that the program has been conducted
in accordance with this Agreement and will continue to be conducted
without change. Either agency not wishing to renew this Agreement
should notify the other in writing of its intention not to renew at
least three months before the expiration date of this Agreement. Either
agency wishing to terminate this Agreement before its expiration date
should notify the other in writing of its wish to terminate and the
desired date of termination.
B. Modification of the Agreement
This Agreement may be modified at any time in writing if the
written modification conforms to the requirements of the Privacy Act
and receives approval by the participant agency Data Integrity Boards.
XIII. Reimbursement of Matching Costs
SBA and DHS/FEMA will bear their own costs for this program.
XIV. Data Integrity Board Review/Approval
SBA and DHS/FEMA's Data Integrity Boards will review and approve
this Agreement prior to the implementation of this matching program.
Disapproval by either Data Integrity Board may be appealed in
accordance with the provisions of the Computer Matching and Privacy
Protection Act of 1988, as amended. Further, the Data Integrity Boards
will perform an annual review of this matching program. SBA and DHS/
FEMA agree to notify the Chairs of each Data Integrity Board of any
changes to or termination of this Agreement.
XV. Points of Contacts and Approvals
For general information, please contact: Eric M. Leckey (202-212-
5100),
[[Page 57906]]
Privacy Officer, Federal Emergency Management Agency, Department of
Homeland Security; and Jeffrey Jackson (202-205-6595), Chief
Information Security Officer, Office of the Chief Information Officer,
Small Business Administration.
XVI. Signatures
The authorizing officials whose signatures appear below have
committed their respective agencies to the terms of this Agreement.
Small Business Administration.
Dated: September 14, 2015.
James Rivera,
Associate Administrator for Disaster Assistance, U.S. Small Business
Administration.
Dated: September 9, 2015.
Matthew Varilek,
Chief Operating Officer, Data Integrity Board Chair, U.S. Small
Business Administration.
U.S. Department of Homeland Security Federal Emergency Management
Agency.
Dated: August 4, 2015.
Keith Turi,
Acting Deputy Assistant Administrator, Recovery Directorate, Federal
Emergency Management Agency, U.S. Department of Homeland Security.
Dated: August 19, 2015.
Karen L. Neuman,
Chief Privacy Officer Data Integrity Board Chair, U.S. Department of
Homeland Security.
[FR Doc. 2015-24477 Filed 9-24-15; 8:45 am]
BILLING CODE P