eCBSV: new consent-based SSN verification service


Following worldwide trends of governments providing new and better identity and privacy services to consumers and banks, the Social Security Administration (SSA) is implementing a new fee-based Social Security number (SSN) verification service known as Electronic Consent Based Social Security Number Verification (eCBSV). This service follows worldwide privacy directives aligned with Open Banking, requiring data owner consent while securing that data through standards-based open API OAuth frameworks. 

What is eCBSV?

eCBSV allows companies to verify if an individual's SSN, name, and date of birth match SSA records. eCBSV is currently open for enrollment for companies the SSA considers “permitted entities” (a financial institution OR a service provider, subsidiary, affiliate, agent, subcontractor, or assignee of a financial institution). In addition, permitted entities are required to meet a set of security requirements and technical capabilities.

Figure: eCBSV will allow companies to directly verify with SSA (Source: SSA)

Permitted entities that implement eCBSV into their services will be able to verify customers’ SSNs against the SSA database in real time. Integrating directly with the SSA ensures that SSNs are not shared with the third-party private companies offering similar services (such as Experian or LexisNexis). Financial institutions and their agents will not only be better securing their SSN requests, because eCBSV is based on existing open data standards, but will also be making those requests against the source of truth instead of secondhand data. The SSA requires explicit consumer consent, which more closely aligns the US government with industry best practices for data privacy, and follows the direction adopted by other countries and regions, including the UK's Open Banking regulations, Australia's CDR and the EU's GDPR.

eCBSV requirements

The SSA needs the number holder's written consent, with a wet or electronic signature, to disclose the SSN verification. Integration with eCBSV follows a set of best practices for security and privacy that are inspired by OpenID Connect Financial Grade Certified APIs extensions. This set of standards is a proven foundation to enable data sharing agreements. These B2B API-based interfaces allow for more secure data sharing that protects privacy.

The implementation of the eCBSV technical integration requires expertise in the following open standards and technologies:

  • Extended Validation SSL certificates
  • OpenID Connect specification (OIDC), including Discovery, Dynamic Client Registration
  • Authorization Code Flow
  • JSON Web Tokens (JWTs)
  • OAuth 2, including JWT client assertion
  • JSON Web Encryption (JWE)
  • Understanding of REST API requests and responses (JSON) and headers

Securely integrate with eCBSV using Cloudentity

The Cloudentity platform enables permitted entities to accelerate their integration with SSA via the eCBSV interfaces, while meeting all security profile and privacy requirements. In addition, Cloudentity is OIDC-certified, which meets all the criteria listed by the SSA to consume eCBSV services securely. Financial institutions and their agents can also use the Cloudentity platform to create multiple authorization servers that can be configured using preconfigured templates to conform to specific security profiles and standards. In fact, those standards will automatically be enforced as new API services appear. Developers looking for more information on how our platform can be leveraged to meet this emerging US government standard can visit our developer portal.