[Federal Register Volume 84, Number 26 (Thursday, February 7, 2019)]
[Notices]
[Pages 2649-2657]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-01508]
-----------------------------------------------------------------------
SMALL BUSINESS ADMINISTRATION
Computer Matching Agreement Between U.S. Small Business
Administration and U.S. Department of Homeland Security, Federal
Emergency Management Agency
AGENCY: U.S. Small Business Administration.
ACTION: Notice of Computer Matching Agreement between the U.S. Small
Business Administration and the U.S. Department of Homeland Security,
Federal Emergency Management Agency.
-----------------------------------------------------------------------
SUMMARY: The purpose of this Agreement is to ensure that applicants for
SBA Disaster Assistance Loan Programs and DHS/FEMA's Other Needs
Assistance and Housing Assistance Grant programs do not receive a
duplication of benefits for the same disaster.
DATES: Issued on September 4, 2018.
ADDRESSES: U.S. Small Business Administration, Processing and
Disbursement Center, 14925 Kingsport Road, Fort Worth, TX 76155.
FOR FURTHER INFORMATION CONTACT: A. Escobar, Office of Disaster
Assistance, U.S. Small Business Administration, 409 3rd Street SW,
Suite 6050, Washington, DC 20416, (202) 205-6734.
SUPPLEMENTARY INFORMATION: Pursuant to the Robert T. Stafford Disaster
and Emergency Assistance Act (Pub. L. 93-288), as amended at 42 U.S.C.
5121 et seq., DHS/FEMA and SBA may not provide duplicative disaster
assistance to individuals, businesses, including
[[Page 2650]]
Private-Not-for Profits (PNPs), or other entities for the same disaster
or emergency losses. To accomplish this, DHS/FEMA and SBA will
participate in a Computer Matching program to share data and financial/
benefits award decisions of individuals, businesses, and/or other
entities to verify eligibility for benefits, prevent duplicative aid
from being provided in response to the same disaster or emergency, and
recover aid when duplication of benefits is identified.
This Agreement establishes the Computer Matching program between
DHS/FEMA and SBA. The Computer Matching program seeks to ensure that
applicants for SBA Disaster Loans and DHS/FEMA Individuals and
Households Program (IHP), which provides Other Needs Assistance (ONA)
and Housing Assistance (HA), are eligible to receive benefits and do
not receive a duplication of benefits for the same disaster.
Additionally, the Computer Matching program seeks to establish or
verify initial eligibility for DHS/FEMA and SBA disaster assistance as
well as provide updates on disaster recipients SBA Loan status. This
will be accomplished by matching specific DHS/FEMA disaster applicant
data with SBA disaster loan application and decision data for a
declared disaster, as set forth in this Agreement.
James Rivera,
Associate Administrator for Disaster Assistance.
COMPUTER MATCHING AGREEMENT BETWEEN U.S. SMALL BUSINESS ADMINISTRATION
AND U.S. DEPARTMENT OF HOMELAND SECURITY FEDERAL EMERGENCY MANAGEMENT
AGENCY
I. INTRODUCTION
The SMALL BUSINESS ADMINISTRATION (SBA) and the DEPARTMENT OF
HOMELAND SECURITY, FEDERAL EMERGENCY MANAGEMENT AGENCY (DHS/FEMA) have
entered into this Computer Matching Agreement (Agreement) pursuant to
section (o) of the Privacy Act of 1974, (Privacy Act), 5 U.S.C. Sec.
552a, as amended by the Computer Matching and Privacy Protection Act of
1988 (Pub. L. 100-503), and as amended by the Computer Matching Privacy
Protection Act Amendments of 1990 (Pub. L. 101-508, 5 U.S.C. Sec.
552a(p) (1990)). For purposes of this Agreement, both SBA and DHS/FEMA
are the recipient agency and the source agency as defined in 5 U.S.C.
Sec. 552a(a)(9) and (11). For this reason, the financial and
administrative responsibilities will be evenly distributed between SBA
and DHS/FEMA unless otherwise set forth in this agreement.
II. PURPOSE AND LEGAL AUTHORITY
A. Purpose of the Matching Program
Pursuant to the Robert T. Stafford Disaster and Emergency
Assistance Act (Pub. L. 93-288), as amended at 42 U.S.C. Sec. 5121 et
seq, DHS/FEMA and SBA may not provide duplicative disaster assistance
to individuals, businesses, including Private-Not-for Profits (PNPs),
or other entities for the same disaster or emergency losses. To
accomplish this, DHS/FEMA and SBA will participate in a Computer
Matching program to share data and financial/benefits award decisions
of individuals, businesses, and/or other entities to verify eligibility
for benefits, prevent duplicative aid from being provided in response
to the same disaster or emergency, and recover aid when duplication of
benefits is identified.
This Agreement establishes the Computer Matching program between
DHS/FEMA and SBA. The Computer Matching program seeks to ensure that
applicants for SBA Disaster Loans and DHS/FEMA Individuals and
Households Program (IHP), which provides Other Needs Assistance (ONA)
and Housing Assistance (HA), are eligible to receive benefits and do
not receive a duplication of benefits for the same disaster.
Additionally, the Computer Matching program seeks to establish or
verify initial eligibility for DHS/FEMA and SBA disaster assistance as
well as provide updates on disaster recipients SBA Loan status. This
will be accomplished by matching specific DHS/FEMA disaster applicant
data with SBA disaster loan application and decision data for a
declared disaster, as set forth in this Agreement.
B. Legal Authority
This Agreement is executed in compliance with the Privacy Act and
other statutes discussed in this Agreement, their implementing
regulations, and related notices and guidance.
1. The Robert T. Stafford Disaster and Emergency Assistance Act, as
amended (Stafford Act), 42 U.S.C. Sec. 5121 et seq., requires each
federal agency that administers any program that provides financial
assistance as a result of a major disaster or emergency to assure that
no individual or entity receives duplicate financial assistance under
any program or from insurance or any other source, 42 U.S.C. Sec.
5155(a). The Stafford Act requires DHS/FEMA or SBA (whichever agency
provided the duplicative assistance) to recover all duplicative
assistance from the recipient, when the head of such agency considers
it to be in the best interest of the Federal Government, 42 U.S.C.
Sec. 5155(c).
2. Pursuant to Section 408(i) of the Stafford Act, 42 U.S.C. Sec.
5174(i), in carrying out Section 408 (Federal Assistance to Individuals
and Households), DHS/FEMA is directed and authorized to ``develop a
system, including an electronic database,'' to:
1. Verify the identity and address of recipients of assistance to
provide reasonable assurance that payments are made only to an
individual or household that is eligible for such assistance by sharing
personally identifiable information (PII);
2. Minimize the risk of making duplicative payments or payments for
fraudulent claims;
3. Collect any duplicate payment on a claim, or reduce the amount of
subsequent payments to offset the amount of any such duplicate payment;
4. Provide instructions to recipients of assistance regarding the
proper use of any such assistance, regardless of how such assistance is
distributed; and
5. Conduct an expedited and simplified review and appeal process for an
individual or household whose application for assistance is denied.
3. FEMA collects and maintains personally identifiable information
of individuals who apply for FEMA disaster assistance under Section 408
of the Stafford Act. In accordance with the Privacy Act of 1974, DHS/
FEMA is authorized to provide States (impacted by disasters) with
access to DHS/FEMA's electronic records of individuals and households
receiving assistance in order for the States to make available any
additional State and local assistance to the affected individuals and
households. The provision of these records is further allowed under
Routine Uses H.1 and R of the DHS/FEMA Disaster Recovery Assistance
Files System of Records, 78 Fed. Reg. 25,282 (April 30, 2013). RU H.1
states that DHS/FEMA may disclose applicant information to other
federal agencies and agencies of state, tribal, and local governments
to prevent duplication of benefits and/or to address unmet needs of
eligible, ineligible, or partially eligible FEMA applicants. RU R
permits FEMA to share information to other federal, state, local, or
tribal government agencies, and voluntary organizations under approved
computer matching efforts.
4. Pursuant to the Debt Collection Improvement Act of 1996, 31
U.S.C.
[[Page 2651]]
Sec. Sec. 3325(d) and 7701(c)(1), federal agencies are required to
collect the taxpayer identification number (i.e., Social Security
Number) of each person who receives payments from the federal
government; and each person doing business with the federal government
is required to furnish his or her taxpayer identification number.
A. For the purposes of 31 U.S.C. Sec. 7701, a person is considered
to be doing business with the federal government if the person is:
i. A lender or servicer in a federal guaranteed or insured loan
program administered by a federal agency;
ii. An applicant for, or recipient of, a federal license permit,
right-of-way, grant or benefit payment administered by a federal
agency;
iii. A contractor of a federal agency;
iv. Assessed a fine, fee, royalty or penalty by a federal agency;
v. In a relationship with a federal agency that may give rise to a
receivable due to that agency, such as a partner of a borrower in or a
guarantor of a federal direct or insured loan administered by the
federal agency.
Each federal agency must inform each person required to disclose
his or her taxpayer identification number of the agency's intent to use
such number for purposes of collecting and reporting on any delinquent
amounts arising out of such person's relationship with the federal
government.
5. Fraud, waste, and abuse prevention efforts pursuant to the
aforementioned statutory authorities are also applicable to certain
FEMA-administered pilot programs, designed to provide alternative or
additional federal disaster assistance programs. 6 U.S.C. Sec. Sec.
776-777.
6. SBA's legal authority to make disaster loans to repair,
rehabilitate or replace property, real or personal, damaged or
destroyed without duplicating benefits is contained in section 7(b)(1)
of the Small Business Act, 15 U.S.C. Sec. 636 (b) (1), provided that
such damage or destruction is not compensated for by insurance or
otherwise.
7. SBA regulation 13 CFR Sec. 123.108 requires that grant
assistance received from FEMA's Individuals and Households Program
(IHP) that duplicates the damage covered by the SBA loan must be
deducted from the SBA disaster loan eligibility.
8. SBA is allowed to share information with DHS/FEMA pursuant to
Routine uses (f) and (g) of SBA-020 Disaster Loan Case Files System of
Records, 74 FR 14911 (April 1, 2009).
III. JUSTIFICATION AND EXPECTED RESULTS
A. Justification
DHS/FEMA collaborates with the SBA in determining applicant
eligibility for Other Needs Assistance (ONA). ONA is a provision of
IHP, authorized by section 408(e) of the of the Robert T. Stafford
Disaster Relief and Emergency Assistance Act (Stafford Act), that
provides financial assistance for disaster-related necessary expenses
and serious needs that are not covered by insurance or provided by any
other source. There are two categories of ONA: Non-SBA-dependent ONA
and SBA-dependent ONA. Non-SBA-dependent ONA is assistance DHS/FEMA
provides for funeral, medical, dental, childcare, and miscellaneous
expenses without regard to whether a disaster survivor may obtain a SBA
loan. SBA-dependent ONA is assistance where the disaster survivor must
first apply to SBA for a loan for personal property, moving and
storage, and transportation expenses before DHS/FEMA provides
assistance for these expenses. 44 CFR 206.119 (a)(1) and 206.191(d)(2).
The Small Business Act authorizes the SBA to provide low-interest
disaster loans to applicants who have sustained damage in a disaster.
An applicant must meet a minimum income test, which the SBA
establishes, to be considered for a loan. DHS/FEMA refers the
applicant's registration to SBA if the applicant's income meets SBA
minimum guidelines. Once referred to SBA, the applicant must apply for
a SBA low-interest disaster loan which is based on credit-worthiness.
All denied applicants are referred back to DHS/FEMA for possible SBA-
dependent ONA. DHS/FEMA will provide assistance for SBA-dependent ONA
if the applicant's SBA loan application is denied or if their income
does not meet the SBA minimum threshold to warrant a SBA referral.
However, if SBA approves the applicant's loan application and the
applicant does not accept the loan, DHS/FEMA will not provide any SBA-
dependent ONA to that applicant.
SBA provides low-interest, long-term Federal disaster loans to
homeowners, renters, businesses of all sizes and private, non-profit
organizations to help repair or replace privately-owned property that
was damaged or destroyed in a declared disaster event. SBA disaster
loan assistance is for uninsured, underinsured or otherwise
uncompensated disaster losses only. A disaster survivor's SBA disaster
loan eligibility is determined by total amount of disaster losses, as
verified by SBA, less recoveries such as insurance, FEMA grant
assistance and other sources. In the normal sequence of delivery, a
disaster survivor will initiate the Federal disaster assistance process
by registering with FEMA. If the survivor's reported household income
is above a minimum threshold, as provided to FEMA by SBA, they will be
referred to the SBA disaster loan program and encouraged to apply for
disaster loan assistance. After the survivor submits an SBA disaster
loan application, SBA will determine loan eligibility by estimating the
applicant's disaster losses and verifying other assistance received,
including insurance, FEMA grant assistance and other recoveries.
DHS/FEMA and SBA coordinate to ensure that ONA and SBA disaster
loans do not cause a duplication of benefits for the same type of
assistance. DHS/FEMA and SBA provide benefits for the same type of
assistance: personal property damage, moving and storage expenses, and
transportation assistance. Additionally, the amount of aid provided by
SBA impacts the amount of assistance FEMA provides. This matching
program ensures disaster survivors are not receiving duplicative
benefits from both agencies.
It is also recognized that the programs covered by this Agreement
are part of a Government-wide initiative, Executive Order 13411--
Improving Assistance for Disaster Victims (August 29, 2006). This order
mandates DHS/FEMA to identify and prevent duplication of benefits
received by individuals, businesses, or other entities for the same
disaster. That initiative and this matching program are consistent with
Office of Management and Budget (OMB) guidance on interpreting the
provisions of the Computer Matching and Privacy Protection Act of 1988,
54 Fed. Reg. 25818 (June 19, 1989); and OMB Circular A-130, Appendix I,
``Federal Agency Responsibilities for Maintaining Records about
Individuals.''
B. Expected Results
The matching program is to ensure that benefits provided to
disaster survivors by DHS/FEMA and SBA are not duplicated. By way of
the DHS/FEMA disaster registration identification (ID) number, DHS/FEMA
and SBA are able to identify the applications received from mutual DHS/
FEMA and SBA disaster survivors.
By the nature of the sequence of delivery, as outlined in FEMA
Regulation, 44 CFR Section 206.191, survivors that register with FEMA
for possible disaster assistance and meet SBA's minimum income
requirements are automatically referred to SBA for
[[Page 2652]]
possible loan assistance to homeowners and renters. The Agreement helps
to identify instances where the same disaster survivor has submitted
applications to both FEMA and SBA, which could result in a duplication
of benefits. Since FY 2015 \1\ the use of the Agreement has identified
166,234 instances where the same disaster survivor submitted
applications to both agencies, a yearly average of 83,117. Over that
same time period, SBA approved 62,258 loans to home owners and renters
totaling more than $4 billion. This is a yearly average of 31,129 loan
files identified with a potential duplication of benefits, with an
average loan amount of $64,819. Once the computer match identifies a
potential duplication of benefits, SBA staff manually review the files
to determine whether a DOB exists and the amount of the duplication of
benefits. In FY 2016 and 2017, SBA declined 376 loans due to recoveries
from other sources. The verified loss amount for these declined loans
totaled more than $23.3 million, an average of $62,042 per loan
application declined due to other recoveries.
---------------------------------------------------------------------------
\1\ The SBA data period is from October 1, 2015 through December
31, 2017.
---------------------------------------------------------------------------
Prior to the use of this computer match, SBA loan officers used
stand-alone PCs to access FEMA's system, National Emergency Management
Information System-Individual Assistance (NEMIS-IA). Without the
computer matching Agreement, SBA staff performed a manual checking
process to avoid a duplication of benefits. This duplication of
benefits check procedure took approximately 10-12 minutes per loan
application and was performed on all loan applications, not just the
approved loans. The matching program between SBA and FEMA will save the
federal government nearly $2.5 million.\2\
---------------------------------------------------------------------------
\2\ For more information, please see the SBA Cost Benefit
Analysis document.
---------------------------------------------------------------------------
IV. RECORDS DESCRIPTION
As required by the Privacy Act's subsection 552a(o)(1)(C), the
following is a description of the records that will be matched:
A. Systems of Records and Estimated Number of Records Involved
DHS/FEMA accesses records from its Disaster Recovery Assistance
Files system of records, as provided by the DHS/FEMA-008 SORN, through
its NEMIS-IA system, and matches them to the records that SBA provides
from its SBA-020 Disaster Loan Case Files, 74 Fed. Reg. 14,911 (April
1, 2009) system of records.
SBA uses its Disaster Credit Management System (DCMS) to access
records from its Disaster Loan Case Files system of records, and match
them to the records that DHS/FEMA provides from its Disaster Recovery
Assistance Files system of records. Under this agreement, DHS/FEMA and
SBA exchange data to: 1) check for initial registrations, 2) check for
the duplication of benefits, and 3) update the SBA Loan Status.
Records Estimate
SBA and DHS/FEMA intend to match records after any disaster in
which FEMA provides IHP assistance or SBA awards disaster loans. The
estimated number of records SBA and DHS/FEMA will match following any
disaster fluctuate based on the size and impact area of the disaster
and depend upon the number of individuals that are affected. The damage
type and cost will be determined after the disaster, and cannot easily
be estimated, as the scale and impact of each disaster is unique.
B. Description of the Match
The three types of match processes, for initial registration,
duplication of benefits, and status updates, are described below.
1. DHS/FEMA--SBA Automated Import/Export Process for Initial
Registrations.
a. SBA is the recipient (i.e. matching) agency. SBA will match
records from its Disaster Loans Case Files system of records, as
identified in Section (1c), applications and information accessed via
the DCMS, to the records extracted and provided by DHS/FEMA from its
DHS/FEMA Disaster Recovery Assistance Files system of records, as
identified in Section II.B.
b. DHS/FEMA will provide SBA the data elements identified in the
current NEMIS-IA Disaster Assistance Improvement Program (DAIP)
Interface Control Document (ICD) (See Appendix A), which includes but
is not limited to the following information: Applicant's FEMA
Registration ID Number; applicant's personally identifiable
information, which includes name, address, social security number, and
date of birth; damaged property information; insurance policy data;
property occupant data; vehicle registration data; and flood zone and
flood insurance data.
c. SBA will conduct the match against the Disaster Loans Case Files
system of records via DCMS using the FEMA Disaster ID number, FEMA
Registration ID number, Product (Home/Business), and Registration
Occupant Social Security number (SSN) to create a New Pre-Application.
The records SBA receives are of DHS/FEMA applicants who are referred to
SBA for disaster loan assistance. Controls on the DHS/FEMA export of
data are in place to ensure that SBA only receives unique and valid
referral records.
d. When SBA matches its records to those provided by DHS/FEMA, two
types of matches are possible: a full match and a partial match. A full
match exists when an SBA record matches a DHS/FEMA record on each of
the following data fields: FEMA Disaster ID number, FEMA Registration
ID number, Product (Home/Business), and Registration Occupant Social
Security Number (SSN). A partial match exists when an SBA record
matches a DHS/FEMA record on one or more, but not all of the data
fields listed above. If an exact (full) match is found among SBA
records for the current imported record, the current record is
automatically marked as a duplicate by the system with appropriate
comments inserted to indicate the corresponding record that matched. If
a partial match is found during the import process, the record is
routed for manual examination, investigation, and resolution to
determine whether it is truly a duplicate record.
2. DHS/FEMA--SBA Duplication of Benefits Automated Match Process:
a. Both DHS/FEMA and SBA will act as the recipient (i.e. matching)
agency. SBA will extract and provide to DHS/FEMA data from its Disaster
Loans Case Files system of records, as identified in Section (1c), and
accessed via the DCMS. DHS/FEMA will match the data SBA provides to
records in its Disaster Recovery Assistance Files system of records, as
identified in Section II.B., accessed through NEMIS-IA System, via the
FEMA Registration ID number. SBA will issue a data call to DHS/FEMA
requesting that DHS/FEMA return any records for which NEMIS-IA found a
match. For each match found, DHS/FEMA sends all of its applicant
information that it collects during the registration process to SBA so
that SBA may match these records with its registrant data in the DCMS.
SBA's DCMS manual process triggers an automated interface to query
NEMIS-IA, using the FEMA Registration ID number as the unique
identifier.
b. DHS/FEMA will return the following fields for the matching DHS/
FEMA record, if any: FEMA Disaster Number; FEMA Registration ID number;
applicant and if applicable, co-applicant name; damaged dwelling
address, phone number, SSN, damaged property
[[Page 2653]]
data, insurance policy information, contact address (if different from
damaged dwelling address), flood zone and flood insurance data, FEMA
Housing Assistance and Other Needs Assistance data, program, award
level, eligibility, inspection data, verification of ownership and
occupancy, and approval or rejection data. DHS/FEMA will return no
result when the FEMA Registration ID number is not matched.
c. For each matching record received from DHS/FEMA, SBA determines
whether DHS/FEMA assistance duplicates SBA loan assistance. If SBA loan
officers determine that there is a duplication of benefits, the
duplicated amount is deducted from the eligible SBA loan amount.
3. DHS/FEMA--SBA Status Update Automated Match Process:
a. DHS/FEMA will act as the recipient (i.e. matching) agency. DHS/
FEMA will match records from its Disaster Recovery Assistance Files
system of records, as identified in Section (1b), to the records
extracted and provided by SBA from its Disaster Loans Case Files system
of records, as identified in Section (1c). The purpose of this process
is to update DHS/FEMA applicant information with the status of SBA loan
determinations. The records provided by SBA will be automatically
imported into NEMIS-IA to update the status of existing applicant
records. The records DHS/FEMA receives from SBA are of DHS/FEMA
applicants who were referred to SBA for disaster loan assistance.
Controls on the SBA export of data are in place to ensure that DHS/FEMA
only receives unique and valid referral records.
b. SBA will provide to DHS/FEMA information and data, including but
not limited to the following: personal information about SBA
applicants, including name, damaged dwelling address, and SSN;
application data; loss to personal property data; loss mitigation data;
SBA loan data; and SBA event data. DHS/FEMA will conduct the match
using FEMA Disaster Number and FEMA Registration ID number.
c. Loan data for matched records will be recorded and displayed in
NEMIS-IA. Loan data will also be run through NEMIS-IA business rules;
potentially duplicative categories of assistance are sent to FEMA's
Program Review process for manual evaluation of any duplication of
benefits. If FEMA review staff determines that there is a duplication
of benefits, the duplicated amount is deducted from the eligible award.
FEMA applicants receive a letter that indicates the amount of their
eligible award and their ability to appeal.
C. Projected Starting and Completion Dates
This Agreement will take effect forty (40) days from the date
copies of this signed Agreement are sent to both Houses of Congress and
OMB, or thirty (30) days from the date the Computer Matching Notice is
published in the Federal Register for public comment, at which time
comments will be addressed. Additionally, depending on whether comments
are received, this Agreement could yield a contrary determination
(Commencement Date). DHS/FEMA is the agency that will:
1. Transmit this Agreement to Congress;
2. Notify OMB;
3. Publish the Computer Matching Notice in the Federal Register;
and
4. Address public comments that may result from publication in the
Federal Register.
Matches under this program will be conducted for every Presidential
disaster declaration where IHP assistance has been granted. The
aforementioned matching processes shall commence, as needed, following
a disaster declaration, and shall last until DHS/FEMA IHP disaster
assistance closes out, or until SBA have stopped processing
applications, whichever is later.
V. NOTICE PROCEDURES
The Privacy Act's subsection 552a(o)(1)(D) requires CMAs to specify
procedures for notifying applicants/recipients at the time of
registration and other periodic notice, as directed by the Data
Integrity Board of such agency (subject to guidance provided by the
Director of OMB pursuant to subsection v), to applicants for and
recipients of financial assistance or payments under Federal benefit
programs.
As noted under Section V.A. and Section V.B. of this Agreement,
DHS/FEMA and SBA have both published SORNs informing applicants/
recipients that their information may be subject to verification
through matching programs per 5 U.S.C. Sec. 552a(o)(1)(D). As further
required by the Privacy Act, DHS/FEMA and SBA shall make a copy of this
Agreement available to the public upon request and it shall be
published in the Federal Register.
A. DHS/FEMA recipients
FEMA Form 009-0-1 ``Application/Registration for Disaster
Assistance,'' Form 009-0-3 ``Declaration and Release'' (both part of
OMB ICR No. 1660-0002), and various other forms used for financial
assistance benefits immediately following a declared disaster, use a
Privacy Act statement, see 5 U.S.C. Sec. 552a(e)(3), to provide notice
to applicants regarding the use of their information. The Privacy Act
statements provide notice of computer matching or the sharing of their
records consistent with this Agreement. The Privacy Act statement is
read to call center applicants and is displayed and agreed to by
Internet applicants. Also, FEMA Form 009-0-3 requires the applicant's
signature in order to receive financial assistance. Additionally, DHS/
FEMA gives public notice via its Individual Assistance Program Privacy
Impact Assessment\3\ (PIA) and in its system of records notice
identified in Section II.B.
---------------------------------------------------------------------------
\3\ The PIA can be found at https://www.dhs.gov/publication/dhsfemapia-049-individual-assistance-ia-program.
---------------------------------------------------------------------------
B. SBA recipients
SBA Forms 5 ``Disaster Business Loan Application,'' 5C ``Disaster
Home Loan Application,'' and the Electronic Loan Application (ELA)
include a Privacy Act statement that provides notice that SBA may
disclose personal information under a published ``routine use,'' as
permitted by law. SBA's published system of records notice, identified
in Section II. B), provides notice that a computer match may be
performed to share information with another Federal agency in
connection with the issuance of a grant, loan or other benefit. In
addition, the Privacy Act requires that a copy of each CMA entered into
with a recipient agency shall be available upon request to the public.
VI. VERIFICATION PROCEDURE AND OPPORTUNITY TO CONTEST
A. General
The Privacy Act's subsection 552a(o)(1)(E) requires that each CMA
outline procedures for verifying information produced in the matching
program, as required by 5 U.S.C. Sec. 552a(p). This subsection
requires agencies to independently verify the information produced by a
matching program and to provide the individual an opportunity to
contest the agency's findings, before an adverse action is taken
against the individual, as a result of the match. Subsequent amendments
and regulations allow for an agency to authorize a waiver of
independent verification procedures when it finds a high degree of
confidence in the accuracy of the data. (See OMB ``Final Guidance
Interpreting the Provisions of P.L.100-503, the Computer Matching and
Privacy Protection Act'', Sec. 6.g. Providing Due Process to Matching
[[Page 2654]]
Subjects, 54 Fed. Reg. 25,818 (June 19, 1989).
DHS/FEMA will be responsible for ensuring that DHS/FEMA data is
current and accurate at the time it is provided to SBA. SBA will be
responsible for ensuring that SBA data is current and accurate at the
time it is provided to DHS/FEMA.
B. DHS/FEMA--SBA Automated Import/Export Process for Initial
Registrations
The matching program for the initial contact information for
individuals and businesses will be accomplished by mapping applicant
data for DHS/FEMA NEMIS-IA fields described earlier to the DCMS
application data fields. During the automated import process, a
computer match is performed against existing DCMS applications as
described in Section IV.B.1.
If the applicant's data does not match an existing pre-application
or application in the SBA's DCMS, then the applicant's data will be
automatically transferred into DCMS to create a new pre-Application. An
SBA application for disaster assistance may be mailed to the
registrant.
If the applicant's data does match an existing pre-application or
application in SBA's DCMS, it indicates that there may be an existing
pre-application/application for the applicant in the DCMS. If there is
an exact match, the system will transfer the record into SBA's DCMS but
will identify it as a duplicate with appropriate comments inserted to
indicate the corresponding record that matched. If there is a partial
match, the system will insert the record within the SBA's DCMS but will
identify it as a potential duplicate. The record is then further
reviewed by SBA employees to determine whether the data reported by the
DHS/FEMA applicant is a duplicate of previously submitted registration
data. Only one of the applications is kept for processing and the other
duplicate pre-applications or applications will not be processed.
C. DHS/FEMA--SBA Duplication of Benefits Automated Match
The matching program is to ensure that recipients of SBA disaster
loans have not received duplicative benefits for the same disaster from
DHS/FEMA. The matching process begins by matching the DHS/FEMA
Registration ID number. If the data matches, specific to the
application or approved loan, SBA will then proceed with its manual
process to determine whether there is a duplication of benefits. Upon
determining that there is duplication of benefits, the dollar values
for the benefits issued by DHS/FEMA may reduce the eligible amount of
the disaster loan or may cause SBA loan proceeds to be used to repay
the grant program in the amount of the duplicated assistance.
DHS/FEMA and SBA are responsible for verifying the submissions of
data used during each respective benefit process and for resolving any
discrepancies or inconsistencies on an individual basis.
At SBA, the matching program for duplication of benefits will be
executed as part of loan processing and prior to each disbursement of
an approved SBA disaster loan. Any match indicating that there is a
possible duplicate benefit will be further reviewed by an SBA employee
to determine whether the DHS/FEMA grant monies reported by the
applicant or borrower are correct and matches the data reported by DHS/
FEMA. If there is a duplication of benefits, the amount of the SBA
disaster loan will be reduced accordingly and the applicant will be
provided written notice of the changes by processing a loan
modification to reduce the loan amount or, where appropriate, to repay
the DHS/FEMA grant program. The notice will provide the applicant with
an opportunity to apply for reconsideration of the loan modification
within six months of the date of the notice. Except in extraordinary or
unforeseeable circumstances, SBA will not consider a request for a loan
increase received more than two years from the date of the loan
approval.
D. DHS/FEMA--SBA Status Update Automated Processes
For informational purposes, SBA sends DHS/FEMA loan status updates
as they occur and FEMA updates the loan records in NEMIS-IA based on
the loan information received.
E. DHS/FEMA Notice and Opportunity to Contest
As required by the Privacy Act's subsection 552a(p), DHS/FEMA will
not terminate, suspend, reduce, deny, or take other adverse action
against an applicant for or recipient of temporary housing assistance
based on data disclosed from DHS/FEMA records until the individual is
notified in writing of the potential adverse action, and provided an
opportunity to contest the planned action. ``Adverse action'' means any
action resulting in a termination, suspension, reduction, or final
denial of eligibility, payment, or benefit. The applicant will follow
the current DHS/FEMA process for response as detailed in the written
notice or letter.
To enable rapid response and resolution, DHS/FEMA and SBA telephone
numbers will be provided to call in the event of a dispute. DHS/FEMA
and/or SBA will respond to these calls as soon as reasonably possible,
and when requested, in writing.
VII. DISPOSITION AND RECORDS RETENTION OF MATCHED ITEMS
As required by the Privacy Act's subsection 552a(o)(1)(F):
A. DHS/FEMA will retain data it receives from SBA under this
Agreement only for the processing times required for the applicable
federally funded benefit programs to verify data, and will then destroy
all such data.
B. SBA will retain data received from DHS/FEMA under this Agreement
only for the processing times required for the applicable federally
funded benefit programs to verify data, and will then destroy all such
data.
C. An exception applies if the information is required for
evidentiary reasons, in which case, the information will be destroyed
upon completion of the criminal, civil, or administrative actions and
cases.
D. Any paper-based documentation used to determine whether a record
was matched in the other agency's system and any documentation that was
prepared for, provided to, or used to determine final benefit status
will be destroyed by shredding, burning, or electronic erasure of the
subject information according to the proper records retention
schedules. Other identifiable records that may be created by each
agency during the course of the investigation will be destroyed as soon
as they have served the matching program's purpose pursuant to records
retention requirements established in conjunction with the National
Archives and Records Administration (NARA). For electronic matches,
electronic records will be housed in DHS/FEMA's NEMIS-IA System, and
SBA's DCMS database, retained with and according to the appropriate
disaster recovery assistance records determined by the NARA.
E. Pursuant to SBA document retention policy, SBA retains applicant
records in DCMS loan files, including records for matched items. DHS/
FEMA will retain records pursuant to the Retention and Disposal section
of DHS/FEMA--008 Disaster Recovery Assistance Files, 78 FR 25282 (Apr.
30, 2013).
VIII. SECURITY PROCEDURES
As required by the Privacy Act's subsection 552a(o)(1)(G), SBA and
DHS/
[[Page 2655]]
FEMA agree to the following information security procedures:
A. Administrative
DHS/FEMA and SBA will comply with the existing and future
requirements set forth by the Privacy Act, 44 U.S.C. Sec. Sec. 3541-
3549, related OMB circulars and memoranda such as Circular A-130,
Managing Information as a Strategic Resource (July 28, 2016), and
Memorandum M-06-16, Protection of Sensitive Agency Information (June
23, 2006); NIST directives; and the Federal Acquisition Regulations
(FAR), including any applicable amendments published after the
effective date of this Agreement. These laws, directives, and
regulations include requirements for safeguarding federal information
systems and personally identifiable information used in federal agency
business processes, as well as related reporting requirements.
Specifically, Federal Information System Modernization Act (FISMA), (44
U.S.C. Sec. Sec. 3501-3558) requirements apply to all federal
contractors, organizations, or entities that possess or use federal
information, or that operate, use, or have access to federal
information systems on behalf of an agency. Both DHS/FEMA and SBA will
ensure that their authorized users will receive training to ensure
proper information security and privacy protections are adhered to in a
manner consistent with this Agreement. Accordingly, DHS/FEMA and SBA
will restrict access to the data matched and to any data created by the
match to only those users authorized under this Agreement.
B. Technical
DHS/FEMA will transmit the data (specified in this Agreement) to
SBA via the following process:
1. SBA will pull application data from DHS/FEMA Disaster Assistance
Center (DAC) via a web services based Simple Object Access Protocol
(SOAP), Extensible Markup Language (XML)/ Hypertext Transfer Protocol
Secure (HTTPS) request. The data will be used to create applications
inside the Disaster Credit Management System. For each record, a
National Information Exchange Model (NIEM)-compliant response will be
sent back to FEMA DAC indicating success or failure for the transfer of
data. The SBA/DCMS to DHS/FEMA DAC export of referral data (specified
in this Agreement) will occur via a web services-based SOAP, XML/ HTTPS
request.
2. The DHS/FEMA Duplication of Benefits Interface will be initiated
from the DCMS to the DHS/FEMA NEMIS-IA through a secured Virtual
Private Network tunnel, open only to SBA domain Internet Protocol
addresses. The results of the query are returned to the DCMS in real-
time and populated in the DCMS for delegated SBA staff to use in the
determination of duplication of benefits.
C. Physical
SBA and DHS/FEMA agree to maintain all automated matching records
in a secured computer environment that includes the use of authorized
access codes (passwords and/or PIV) to restrict access. Those records
will be maintained under conditions that restrict access to persons who
need them in connection with their official duties related to the
matching process. It is the responsibility of the user's supervisor to
ensure that DHS/FEMA or SBA, as applicable, are notified when a user
has departed or duties have changed such that the user no longer needs
access to the system, to ensure timely deletion of the user's account
and password.
D. On-Site Inspections
SBA and DHS/FEMA may make on-site inspections of each other's
recordkeeping and security practices, or make provisions beyond those
in this Agreement to ensure the adequate safeguarding of records
exchanged.
IX. MONITORING AND COMPLIANCE
DHS/FEMA and SBA agree that each agency may monitor compliance with
the terms of this Agreement, including the non-discrimination
provision. Both agencies have the right to monitor and review (1)
transactions conducted pursuant to this Agreement, (2) the use of
information obtained pursuant to this Agreement, and (3) policies,
practices, and procedures related to this Agreement. Both agencies have
the right to make onsite inspections to audit compliance with this
Agreement for the duration or any extension of this Agreement. DHS/FEMA
and SBA will cooperate to ensure the success of each agency's
monitoring and compliance activities.
X. NON-DISCRIMINATION
Any action required or permitted under this Agreement shall be
conducted in a manner that does not discriminate against an individual
based upon his or her national origin, race, color, sex, religion, or
disability in accordance with Section 705 of the Homeland Security Act
of 2002; Section 504 of the Rehabilitation Act of 1973, and agency
implementing regulations at 6 C.F.R Part 15.
In fulfilling their obligations under Executive Order 13,166
(``Improving Access to Services for Persons with Limited English
Proficiency,'' 65 Fed. Reg. 50,121 (Aug. 11, 2000)), DHS/FEMA and SBA
will take reasonable steps to provide limited English proficiency (LEP)
persons with meaningful access to federally conducted programs and
activities, including services and benefits. Meaningful access includes
providing timely language assistance services to ensure effective
communication with LEP persons and providing language services that are
sufficient to provide the same level of access to services received by
persons who are not LEP. Language assistance services may be oral and
written, and must be provided at no charge to the individual. Vital
documents, including notices relating to consent, verification of
status, and contesting verification failures should be translated.
In accordance with Section 504 of the Rehabilitation Act of 1973
(29 U.S.C. Sec. 701) and related agency implementing regulations, DHS/
FEMA and SBA will provide accommodations to individuals with
disabilities to ensure effective communication; including providing
qualified sign language interpreters; providing accessible electronic
and information technology; and producing notices and publications in
alternate formats, at no charge to the individual. Persons with
disabilities that may require accommodation and provision of
alternative communication methods to ensure effective communication
include persons who are deaf or hard of hearing, persons with vision
impairments, and persons with psychiatric and/or developmental
disabilities.
XI. RECORDS USAGE, DUPLICATION AND REDISCLOSURE RESTRICTIONS
SBA and DHS/FEMA agree to the following restrictions on use,
duplication, and disclosure of information furnished by the other
agency:
A. Records obtained for this matching program or created by the
match will not be disclosed outside the agency except as may be
essential to conduct the matching program, or as may be required by
law. Each agency will obtain the written permission of the other agency
before making such disclosure. See DHS/FEMA and SBA routine uses
provided in the systems of records notices identified in Section II.B.
B. Records obtained for this matching program or created by the
match will not be disseminated within the agency
[[Page 2656]]
except on a need-to-know basis, nor will they be used for any purpose
other than that expressly described in this Agreement.
C. Data or information exchanged will not be duplicated unless
essential to the conduct of the matching program. All stipulations in
this Agreement will apply to any duplication.
D. If required to disclose these records to a state or local agency
or to a government contractor in order to accomplish the matching
program's purpose, each agency will obtain the written agreement of
that entity to abide by the terms of this Agreement.
E. Each agency will keep an accounting of disclosure of an
individual's record as required by the Privacy Act (5 U.S.C. Sec.
552a(c)) and will make the accounting available upon request by the
individual or other agency.
XII. RECORDS ACCURACY ASSESSMENTS
DHS/FEMA and SBA attest that the quality of the specific records to
be used in this matching program is assessed to be at least 99%
accurate. The possibility of any erroneous match is extremely small.
In order to apply for DHS/FEMA assistance online via the DAC
portal, an applicant's name, address, SSN, and date of birth are sent
to a commercial database provider to perform identity verification. The
identity verification ensures that a person exists with the provided
credentials. In the rare instances where the applicant's identity is
not verified online or the applicant chooses, the applicants must call
one of the DHS/FEMA call centers to complete the registrations. The
identity verification process is performed again.
In order to apply for SBA's Disaster Loan Assistance online via
SBA's Electronic Loan Application (ELA) an applicant's name, address,
SSN, and date of birth and other information is sent to a commercial
database provider to perform identity verification. The identity
verification confirms that a person exists with the provided
credentials. In the rare instances where the online applicant's
identity cannot be verified electronically or if the applicant chooses,
the applicant must call SBA's Customer Service Center to complete the
online application. Once an application (electronic or paper) is
completed and submitted, the information is transmitted to the DCMS
system, where it is reviewed and processed by loan officers, who also
verify each applicant's identity.
XIII. INCIDENT REPORTING AND NOTIFICATION RESPONSIBILITIES
A. DHS/FEMA and SBA agree to report and track incidents in
accordance with the most current, final version of NIST Special
Publication 800-61.\4\ Upon detection of an incident related to this
interconnection, the agency experiencing the incident will promptly
notify the other agency's System Security Contact(s) below:
---------------------------------------------------------------------------
\4\ Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012,
August). Computer Security Incident Handling Guide (Unit, Department
of Commerce, National Institute of Standards and Technology).
Retrieved from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf.
DHS/FEMA will promptly notify the following contact at SBA
simultaneously: SBA Office for Disaster Assistance--Disaster Credit
Management System (DCMS) Operations Center: (703) 487-8100, SBA Office
of Chief Information Officer (OCIO) Chief Information Security Officer:
202-25-6708.
SBA will promptly notify the following contact at DHS/FEMA
simultaneously: Information System Security Officer (ISSO), Recovery
Technology Programs Division (RTPD), Disaster Assistance Improvement
Program (DAIP).
B. If the federal agency experiencing the incident is unable to
speak with the other federal agency's System Security Contacts within
one (1) hour, or if contacting the System Security Contact is not
practical (e.g., outside of normal business hours), then the following
contact information shall be used:
FEMA Security Operations Center (SOC): (540) 542-4762 OR FEMA
Helpdesk: 1-888-457-3362
SBA IT Service Center: (855) 620-4780 OR ODA Service Desk
(877) 398-1296
C. If either DHS/FEMA and SBA experience an exposure or of
personally identifiable information (PII) provided under the terms of
this Agreement, the federal agency that experienced the loss incident
will also comply with the PII breach reporting and security
requirements set forth by OMB M-17-12 ``Preparing for and Responding to
a Breach of Personally Identifiable Information'' (January 3, 2017).
D. Neither SBA nor FEMA shall be liable for any cause of action
arising from the possession, control, or use by a State or local
government of survivor/registrant PII, or for any loss, claim, damage
or liability, of whatsoever kind or nature, which may arise from or in
connection with this Agreement or the use of survivor/registrant PII.
Nothing in this section shall be construed as a waiver of sovereign
immunity against suits by third persons against a State or local
government.
Notwithstanding any rights that may be available under the legal
authorities referenced in this Agreement, this Agreement itself is not
intended to, and does not, create any right or benefit, substantive or
procedural, enforceable at law or in equity by any party against the
United States, its departments, agencies, or entities, its officers,
employees, or agents, or any other person.
E. DHS/FEMA and SBA agree to notify all the Security Contact(s)
named in this Agreement as soon as possible, but no later than one (1)
hour, after the discovery of a breach (or suspected breach) involving
PII. The agency that experienced the incident will also be responsible
for following its internal established procedures, including:
[ssquf] Notifying the proper organizations (e.g., United States
Computer Emergency Readiness Team (US-CERT), the ISSOs, and other
contacts listed in this document);
[ssquf] Conducting a breach and risk analysis, and making a
determination of the need for notice and/or remediation to individuals
affected by the loss;
[ssquf] Providing such notice and credit monitoring to the affected
individuals at no cost to the other agency, if the analysis conducted
by the agency having experienced the loss incident indicates that
individual notice and credit monitoring are appropriate.
F. In the event of any incident arising from or in connection with
this Agreement, each Agency will be responsible only for costs and/or
litigation arising from a breach of the Agency's own systems or data;
FEMA is responsible only for costs and litigation associated with
breaches to FEMA systems or data and SBA is responsible only for
breaches associated with SBA system or data.
FEMA shall not be liable to SBA or to any third person for any
cause of action arising from the possession, control, or use by SBA of
survivor/registrant PII, or for any loss, claim, damage or liability,
of whatsoever kind or nature, which may arise from or in connection
with this Agreement or the use of survivor/registrant PII.
SBA shall not be liable to FEMA or to any third person for any
cause of action arising from the possession, control, or use by FEMA of
applicant PII, or for any loss, claim, damage or liability, of
whatsoever kind or nature, which may arise from or in connection with
this Agreement or the use of survivor/registrant PII.
Nothing in this section shall be construed as a waiver of sovereign
immunity against suits by third persons.
[[Page 2657]]
XIV. COMPTROLLER GENERAL ACCESS
The parties authorize the Comptroller General of the United States,
upon request, to have access to all SBA and DHS/FEMA records necessary
to monitor or verify compliance with this matching agreement, in
accordance with 5 U.S.C. Sec. 552a(o)(1)(K). This matching agreement
also authorizes the Comptroller General to inspect any records used in
the matching process that are covered by this matching agreement
pursuant to 31 U.S.C. Sec. 717 and 5 U.S.C. Sec. 552a(b)(10).
XV. INSPECTOR GENERAL ACCESS
By agreeing to this matching Agreement, DHS/FEMA and SBA authorize
their respective Offices of Inspector General to use results from data
matches conducted under this matching program, for investigation,
audit, or evaluation matters, pursuant to5. U.S.C. App. Sec. Sec. 1-13.
XVI. DURATION OF AGREEMENT
A. Effective Date of the Agreement
This Agreement shall become effective, and matching may commence,
under this Agreement on the later of the following dates:
[ssquf] Thirty (30) days after notice of the matching program described
in this CMA has been published in the Federal Register, or
[ssquf] Forty (40) days after a report concerning this CMA is
transmitted simultaneously to the Committee on Homeland Security and
Governmental Affairs of the Senate, the Committee on Oversight and
Government Reform of the U.S. House of Representatives according to 5
U.S.C. Sec. 552a(o)(2)(A)(i), and to OMB, unless OMB waives 10 days of
this 40-day period for compelling reasons, in which case 30 days after
transmission of the report to OMB and Congress.
The Parties to this Agreement may assume OMB and Congressional
concurrence if no comments are received within forty (40) days of the
date of the transmittal letter of the Report of the Matching Program.
The parties may assume public concurrence if no comment is received
within thirty (30) days of the date of the publication of the Notice of
Matching Program. This Agreement shall remain in effect for a period
not to exceed eighteen (18) months.
B. Renewal of the Agreement
This Agreement may be extended for one twelve (12) month period
upon mutual agreement by both Parties, if the renewal occurs within
three (3) months of the expiration date of this Agreement. Renewals are
subject to the requirements of the Privacy Act, including certification
by the Parties to the responsible DIB (as described in Section XV of
this Agreement) that:
[ssquf] The matching program will be conducted without change, and
[ssquf] The matching program has been conducted in compliance with
the original Agreement pursuant to 5 U.S.C. Sec. 552a(o)(2)(D).
C. Termination of the Agreement
This Agreement shall terminate when the purpose of the computer
match has been accomplished, or after eighteen (18) months from the
effective date of the Agreement without notice from either party
(whichever comes first). This Agreement may also be terminated,
nullified, or voided by either DHS/FEMA or SBA, if:
[ssquf] Either Party violates the terms of this Agreement; or
[ssquf] SBA or its authorized users misuse or improperly handle the
data provided by DHS/FEMA; or
[ssquf] DHS/FEMA or its authorized users misuse or improperly handle
the data provided by SBA; or
[ssquf] The Parties mutually agree to terminate this Agreement prior to
its expiration after 18 months; or
[ssquf] Either Party provides the other with 30 days written notice.
XVII. REIMBURSEMENT OF MATCHING COSTS
SBA and DHS/FEMA will bear their own costs for this program.
XVIII. DATA INTEGRITY BOARD REVIEW/APPROVAL
SBA and DHS/FEMA's Data Integrity Boards will review and approve
this Agreement prior to the implementation of this matching program.
Disapproval by either Data Integrity Board may be appealed in
accordance with the provisions of the Computer Matching and Privacy
Protection Act of 1988, as amended. Further, the Data Integrity Boards
will perform an annual review of this matching program. SBA and DHS/
FEMA agree to notify the Chairs of each Data Integrity Board of any
changes to or termination of this Agreement.
This Agreement may be modified only by mutual consent of both
Parties and approval of the respective DIBs. Any modifications must be
in writing and satisfy the requirements of the Privacy Act and the
requirements set forth in OMB Guidelines on the Conduct of Matching
Programs, 54 Fed. Reg. 25818.
XIV. POINTS OF CONTACTS AND APPROVALS
For general information, please contact: William H. Holzerland
(202-212-5100), Senior Director for Information Management, Federal
Emergency Management Agency, Department of Homeland Security; and Ana
Beskin (202-205-6595), Chief Information Security Officer, Office of
the Chief Information Officer, Small Business Administration.
XVI. SIGNATURES
The authorizing officials whose signatures appear below have
committed their respective agencies to the terms of this Agreement.
Small Business Administration
Dated: September 4, 2018.
-----------------------------------------------------------------------
James Rivera,
Associate Administrator for Disaster Assistance, U.S. Small Business
Administration.
Dated: June 26, 2018.
-----------------------------------------------------------------------
Maria Roat,
Chief Information Officer, Data Integrity Board Chair, U.S. Small
Business Administration.
U.S. Department of Homeland Security
Federal Emergency Management Agency
Dated: June 26, 2018.
-----------------------------------------------------------------------
Keith Turi,
Acting Assistant Administrator, Recovery Directorate, Federal
Emergency Management Agency, U.S. Department of Homeland Security.
Dated: July 30, 2018.
-----------------------------------------------------------------------
Philip S. Kaplan,
Chief Privacy Officer, Data Integrity Board Chair, U.S. Department
of Homeland Security.
[FR Doc. 2019-01508 Filed 2-6-19; 8:45 am]
BILLING CODE 8025-01-P