Skip to Content

Notice

Privacy Act of 1974, Computer Matching Program-U.S. Small Business Administration and U.S. Department of Homeland Security, Federal Emergency Management Agency

Document Details

Information about this document as published in the Federal Register.

Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble

AGENCY:

Small Business Administration.

ACTION:

Notice of computer matching program: U.S. Small Business Administration and U.S. Department of Homeland Security, Federal Emergency Management Agency.

SUMMARY:

The U.S. Small Business Administration plans to participate as a source agency in a computer matching program with and U.S. Department of Homeland Security, Federal Emergency Management Agency. The purpose of this agreement is to set forth the terms under which a computer matching program will be conducted. The matching program will ensure that applicants for SBA Disaster loans and DHS/FEMA Other Needs Assistance have not received a duplication of benefits for the same disaster. This will be accomplished by matching specific DHS/FEMA disaster, as established in the computer matching agreement.

DATES:

Effective Date: May 21, 2010.

End Preamble Start Supplemental Information

SUPPLEMENTARY INFORMATION:

I. Introduction

The Small Business Administration (SBA) and the Department of Homeland Security, Federal Emergency Management Agency (DHS/FEMA) have entered into this Computer Matching Agreement (Agreement) pursuant to section (o) of the Privacy Act of 1974 (5 U.S.C. 552a), as amended by the Computer Matching and Privacy Protection Act of 1988 (Pub. L. 100-503), and as amended by the Computer Matching Privacy Protection Act Amendments of 1990 (Pub. L. 101-508, 5 U.S.C. 552a(p) (1990)). For purposes of this Agreement, both SBA and DHS/FEMA are the recipient agency and the source agency as defined in 5 U.S.C. 552a(a)(9), (11). For this reason, the financial and administrative responsibilities will be evenly distributed between SBA and DHS/FEMA unless otherwise called out in this agreement.Start Printed Page 35848

II. Purpose and Legal Authority

A. Purpose of the Matching Program

The purpose of this Agreement is to set forth the terms under which a computer-matching program will be conducted. The matching program will ensure that applicants for SBA Disaster Loans and DHS/FEMA Other Needs Assistance have not received a duplication of benefits for the same disaster. This will be accomplished by matching specific DHS/FEMA disaster data with SBA disaster loan application and decision data for a declared disaster, as set forth in this Agreement.

B. Legal Authority

The legal authority for undertaking this matching program is contained in section 7(b)(1) of the Small Business Act (15 U.S.C. 636(b)(1)) and in section 312(a) of the Robert T. Stafford Disaster Relief and Emergency Assistance Act (42 U.S.C. 5155), which authorizes agencies to ensure that assistance provided by each is not duplicated by another source.

The Computer Matching and Privacy Protection Act of 1988 (Pub. L. 100-503), as amended, establishes procedural requirements for agencies to follow when engaging in computer-matching activities.

III. Justification and Expected Results

A. Justification

It is the policy of both SBA and DHS/FEMA that the agencies will not provide disaster assistance or loan funds to individuals or businesses that have already received benefits from another source for the same disaster. One way to accomplish this objective is to conduct a computer-matching program between the agencies and compare the data of individuals, businesses, or other entities that may have received duplicative aid for a specific disaster from SBA and DHS/FEMA.

It is also recognized that the programs covered by this Agreement are part of a Government-wide initiative (Executive Order 13411 Improving Assistance for Disaster Victims, dated August 29, 2006) to identify duplication of benefits received by individuals, businesses, or other entities for the same disaster. That initiative and this matching program are consistent with Office of Management and Budget (OMB) guidance on interpreting the provisions of the Computer Matching and Privacy Protection Act of 1988 (54 FR 25818, June 19, 1989); and OMB Circular A-130, Appendix I, “Federal Agency Responsibilities for Maintaining Records About Individuals,” instructions on Federal agency responsibilities for maintaining records about individuals.

B. Expected Results

In processing applications for assistance for both DHS/FEMA and SBA, there are several scenarios where duplicate partial or full applications are received. For example, a husband and wife may both apply for assistance, not knowing the other had done so; a person may apply to both DHS/FEMA and SBA; or system failures may abort a registration while in progress and generate a duplicate registration when the person returns to try again, to name a few.

Based on historical data, DHS/FEMA and SBA anticipate that the computer match will reveal instances where such duplication results in excessive or duplicate assistance payments. For example, DHS/FEMA received 2,160,284 registrations in response to hurricanes Katrina and Rita, and referred 67,023 of those registrations to SBA as potential duplicates. Excluding the Katrina and Rita disasters, DHS/FEMA received 7,070,068 registrations from 1998-2009, and referred 13,809 potential duplicates to SBA. The data illustrates that the number of possible duplicates, while typically a low percentage of total registrations, could rise or fall based on a change in the volume of referrals. The data suggests that the expected results of the match are difficult to quantify precisely due to the unpredictable nature of disasters.

IV. Records Description

A. Systems of Records and Estimated Number of Records Involved

DHS/FEMA accesses records from its DHS/FEMA 008—Disaster Recovery Assistance Files (September 24, 2009, 74 FR 48763) system of records through its National Emergency Management Information System (NEMIS), and matches them to the records that SBA provides from its SBA—020 Disaster Loan Case Files (April 1, 2009, 74 FR 14911) system of records. SBA uses its Disaster Credit Management System (DCMS) to accesses records from its SBA—020 Disaster Loan Case Files (April 1, 2009, 74 FR 14911) system of records and match them to the records that DHS/FEMA provides from its DHS/FEMA 008—Disaster Recovery Assistance Files (September 24, 2009, 74 FR 48763) system of records. Under this agreement, DHS/FEMA and SBA exchange data for: (1) Initial registrations; (2) to update the SBA loan status, and (3) to check for a duplication of benefits.

1. For the initial registration match, SBA is the recipient of data from DHS/FEMA. DHS/FEMA will extract and provide to SBA the following information: Registrant data; registration data; registration damage; insurance policy data; registration occupants' data; registration vehicles data; National Flood Insurance Reform Act of 1994 registration data; and registration flood zone data.

2. For the Duplication of Benefits Match, SBA is the recipient of data from DHS/FEMA. DHS/FEMA will extract and provide to SBA the following information for the Automated Duplication of Benefits Interface: Registrant and damaged property data; home application assistance data; “other assistance” data; verification data; and inspection data.

3. For the Status Update match, DHS/FEMA is the recipient of data from SBA. SBA will extract and provide to DHS/FEMA personal information about SBA applicants; application data; loss to personal property data; loss mitigation data; SBA loan data; and SBA event data.

4. Estimated number of records. A definitive answer cannot be given as to how many records will be matched as it will depend on the number of individuals, businesses or other entities that suffer damage from a declared disaster and that ultimately apply for Federal disaster aid.

B. Description of the Match

1. DHS/FEMA—SBA automated import/export process for initial registrations. SBA is the recipient (i.e. matching) agency. SBA will match records from its SBA-020 Disaster Loan Case Files system of records (April 1, 2009, 74 FR 14911) and non-disaster related applications accessed via the Disaster Credit Management System (DCMS), to the records extracted and provided by DHS/FEMA from its DHS/FEMA 008—Disaster Recovery Assistance Files system of records (September 24, 2009, 74 FR 48763). DHS/FEMA will provide to SBA the following information: Personal information about the disaster assistance registrant; disaster assistance registration data; property damage data; insurance policy data; property occupant data; vehicle registration data; National Flood Insurance Program data; and Flood Zone data. SBA will conduct the match using the FEMA Disaster ID Number, FEMA Registration ID Number, Product (Home/Business) and Registration Occupant Social Security Number to create a New Pre-Application. The records SBA receives are deemed to be DHS/FEMA registrants Start Printed Page 35849who are referred to SBA for disaster loan assistance. Controls on the DHS/FEMA export of data should ensure that SBA only receives unique and valid referral records.

When SBA matches its records to those provided by DHS/FEMA, two types of matches are possible: A full match and a partial match. A full match exists when an SBA record matches a DHS/FEMA record on each of the following data fields: FEMA Disaster ID Number, FEMA Registration ID Number, Product (Home/Business), and Registration Occupant Social Security Number. A partial match exists when an SBA record matches a DHS/FEMA record on one or more, but not all, of the data fields listed above. If either a full or partial match is found during this process, the record is placed in a separate queue for manual examination, investigation, and resolution. Non-matched records, those for which no SBA registration is found for a given DHS/FEMA registration, are placed into the regular Pre-Application Queue.

2. DHS/FEMA—SBA duplication of benefits automated match process. Both DHS/FEMA and SBA will act as the recipient (i.e. matching) agency. SBA will extract and provide to DHS/FEMA data from its SBA-020 Disaster Loan Case File system of records (April 1, 2009, 74 FR 14911), accessed via the DCMS. DHS/FEMA will match the data SBA provides to records in its DHS/FEMA—008 Disaster Recovery Assistance Files system of records (September 24, 2009, 74 FR 48763), accessed via NEMIS, on the FEMA Registration ID Number. SBA will issue a data call to FEMA requesting that FEMA return any records in NEMIS for which a match was found. For each match found, FEMA sends all of its applicant information to SBA so that SBA may match these records with its registrant data in the DCMS. SBA's DCMS manual process triggers an automated interface to query NEMIS using the FEMA Registration ID Number as the unique identifier. DHS/FEMA will return the fields described below for the matching DHS/FEMA record, if any, and no result when the FEMA Registration ID Number is not matched. DHS/FEMA will provide the FEMA Disaster Number, FEMA Registration Identifier, Registrant and Co-registrant Name, Mailing Address, Phone Number, Social Security Number, Damaged Property data, National Flood Insurance Reform Act data, Flood Zone data, FEMA Housing Assistance and other Assistance data, Program, Award Level, Eligibility, and Approval or Rejection data. SBA will then proceed with its duplication of benefits determination.

3. DHS/FEMA-SBA status update automated match process. DHS/FEMA will act as the recipient (i.e. matching) agency. DHS/FEMA will match records from its DHS/FEMA 008—Disaster Recovery Assistance Files system of records (September 24, 2009, 74 FR 48763), to the records extracted and provided by SBA from its SBA-020 Disaster Loan Case File system of records (April 1, 2009, 74 FR 14911). The purpose of this process is to update DHS/FEMA registrant information with the status of SBA loan determinations for said registrants. The records provided by SBA will be automatically imported into NEMIS to update the status of existing registration records. The records DHS/FEMA receives from SBA are deemed to be DHS/FEMA registrants who were referred to SBA for disaster loan assistance. Controls on the SBA export of data should ensure that DHS/FEMA only receives unique and valid referral records.

SBA will provide to DHS/FEMA the following information: Personal information about SBA applicants; application data; loss to personal property data; loss mitigation data; SBA loan data; and SBA event data. DHS/FEMA will conduct the match using FEMA Disaster Number, and FEMA Registration ID Number. Loan data for matched records will be recorded and displayed in NEMIS. Loan data will also be run through NEMIS business rules; potentially duplicative categories of assistance are sent to the National Processing Service Centers Program Review process for manual evaluation of any duplication of benefits.

C. Projected Starting and Completion Dates

This Agreement will take effect 40 days from the date copies of this signed Agreement are sent to both Houses of Congress or 30 days from the date the Computer Matching Notice is published in the Federal Register, whichever is later, depending on whether comments are received which would result in a contrary determination (Commencement Date). SBA is the agency that will:

1. Transmit this agreement to Congress.

2. Notify OMB.

3. Publish the Computer Matching Notice in the Federal Register.

4. Address public comments that may result from publication in the Federal Register.

Matches under this program will be conducted for every Presidential disaster declaration.

V. Notice Procedures

A. DHS/FEMA Recipients

FEMA Form 90-69 “Application/Registration for Disaster Assistance,” Form 90-69B “Declaration and Release” (both included in OMB No. 1660-0002), and various other forms used for financial assistance benefits immediately following a declared disaster, use a Privacy Act statement to provide notice to applicants regarding the use of their information. The Privacy Act statements provide notice of computer matching or the sharing of their records consistent with this Agreement. The Privacy Act statement is read to call center applicants and is displayed and agreed to by Internet applicants. Also, FEMA Form 90-69B requires the applicant's signature in order to receive financial assistance. Additionally, the Federal Emergency Management Agency Disaster Assistance Improvement Program Privacy Impact Assessment and Department of Homeland Security Federal Emergency Management Agency—008 Disaster Recovery Assistance Files System of Records Notice (September 24, 2009, 74 FR 48763) provide public notice.

B. SBA Recipients

SBA Forms 5 “Disaster Business Loan Application,” 5C “Disaster Home Loan Application” and the Electronic Loan Application (ELA) include notice to all applicants that in the event of duplication of benefits from DHS/FEMA or any other source, the Agency may verify eligibility through a computer matching program with another Federal or state agency and reduce the amount of the applicant's loan. All applicants are required to acknowledge that they have received this notification. Additionally, the Small Business Administration Disaster Credit Management System Privacy Impact Assessment and Small Business Administration—020 Disaster Loan Case File system of records (April 1, 2009, 74 FR 14911) provide public notice.

VI. Verification Procedure

A. DHS/FEMA-SBA Automated Import/Export Process for Initial Registrations

The matching program for the initial contact information for individuals and businesses will be accomplished by mapping registrant data for DHS/FEMA fields described earlier to the Disaster Credit Management System application data fields. During the automated import process, a computer match is performed against existing Disaster Credit Management System Start Printed Page 35850Applications as described in the Section.IV,1. FEMA's system of record for the registration data is known as Department of Homeland Security Federal Emergency Management Agency—008 Disaster Recovery Assistance Files system of records (September 24, 2009, 74 FR 48763).

If the registrant's data does not match an existing Pre-Application or Application in the SBA's Disaster Credit Management System, then the registrant's data will be inserted into the Disaster Credit Management System to create a new Pre-Application and an SBA application for disaster assistance may be mailed to the registrant. If the registrant's data does match an existing Pre-Application or Application in SBA's Disaster Credit Management System, it indicates that there may be an existing Pre-Application/Application for the registrant in the Disaster Credit Management System. The system will insert the record within the SBA's Disaster Credit Management System but will identify it as a potential duplicate. This will be further reviewed by SBA employees to determine whether the data reported by the DHS/FEMA registrant is a duplicate of previously submitted registration information. Duplicate Pre-Applications or Applications will not be processed. DHS/FEMA takes steps to ensure that only valid and unique registrants are referred to SBA through the computer matching process.

B. DHS/FEMA-SBA Duplication of Benefits Automated Match Process

The matching program is to ensure that recipients of SBA Disaster Loans have not received duplicative benefits for the same disaster from DHS/FEMA. This will be accomplished by matching the DHS/FEMA Registration ID Number. If the data matches, specific to the application or approved loan, the dollar values for the benefits issued by DHS/FEMA may reduce the eligible amount of the disaster loan or may cause SBA loan proceeds to be used to repay the grant program in the amount of the duplicated assistance.

DHS/FEMA and SBA are responsible for verifying the submissions of data used during each respective benefit process and for resolving any discrepancies or inconsistencies on an individual basis. Authorized users of both the Disaster Credit Management System and National Emergency Management Information System will not make a final decision to reduce benefits of any financial assistance to an applicant or take other adverse action against such applicant as the result of information produced by this matching program until an employee of the agency taking such action has independently verified such information.

The matching program for duplication of benefits will be executed as part of loan processing and prior to each disbursement on an approved SBA disaster loan. Any match indicating that there is a possible duplicated benefit will be further reviewed by an SBA employee to determine whether the FEMA grant monies reported by the applicant or borrower are correct and matches the data reported by DHS/FEMA. If there is a duplication of benefits, the amount of the SBA disaster loan will be reduced accordingly after providing applicant with written notice of the changes, by processing a loan modification to reduce the loan amount or, where appropriate, by using the SBA loan proceeds to repay the FEMA grant program.

VII. Disposition of Matched Items

After a computer match has been performed, records of applicants that are not identified as being a recipient of both DHS/FEMA and SBA benefits will be eliminated from the Disaster Credit Management System and destroyed. Other identifiable records that may be created by SBA or DHS/FEMA during the course of the matching program will be destroyed as soon as they have served the matching program's purpose, and under any legal retention requirements established in conjunction with the National Archives and Records Administration or other authority. Destruction will be by shredding, burning or electronic erasure, as appropriate.

Neither SBA nor DHS/FEMA will create a separate permanent file consisting of information resulting from the specific matching programs covered by this Agreement except as necessary to monitor the results of the matching program. Information generated through the matches will be destroyed as soon as follow-up processing from the matches has been completed unless the information is required to be preserved by the evidentiary process.

VIII. Security Procedures

SBA and DHS/FEMA agree to the following information security procedures:

A. Administrative. The privacy of the subject individuals will be protected by strict adherence to the provisions of the Privacy Act of 1974 (5 U.S.C. 552a). SBA and DHS/FEMA agree that data exchange and any records created during the course of this matching program will be maintained and safeguarded by each agency in such a manner as to restrict access to only those individuals, including contractors, who have a legitimate need to see them in order to accomplish the matching program's purpose. Persons with authorized access to the information will be made aware of their responsibilities pursuant to this Agreement.

B. Technical. DHS/FEMA will transmit the data (specified in this Agreement) to SBA via the following process:

1. SBA will pull application data from FEMA Disaster Assistance Center (DAC) via a Web services based Simple Object Access Protocol, Extensible Markup Language/Hypertext Transfer Protocol Secure request. The data will be used to create applications inside the Disaster Credit Management System. For each record, a response will be sent back to FEMA DAC indicating success or failure.

The SBA/Disaster Credit Management System to DHS/FEMA Disaster Assistance Center export of referral data (specified in this Agreement) will occur via a Web services based Simple Object Access Protocol, Extensible Markup Language/Hypertext Transfer Protocol Secure request.

The DHS/FEMA Duplication of Benefits Interface will be initiated from the Disaster Credit Management System to the DHS/FEMA Disaster Recovery Assistance-National Emergency Management Information System through a secured Virtual Private Network tunnel, open only to SBA domain Internet Protocol addresses. The results of the query are returned to the Disaster Credit Management System in real-time and populated in the Disaster Credit Management System for delegated SBA staff to use in the determination of duplication of benefits.

C. Physical. SBA and DHS/FEMA agree to maintain all automated matching records in a secured computer environment that includes the use of authorized access codes (passwords) to restrict access. Those records will be maintained under conditions that restrict access to persons who need them in connection with official duties related to the matching process.

D. On-Site inspections. SBA and DHS/FEMA may make on-site inspections of the other agency's recordkeeping and security practices, or make provisions beyond those in this Agreement to ensure adequate safeguarding of records exchanged.Start Printed Page 35851

IX. Records Usage, Duplication and Redisclosure Restrictions

SBA and DHS/FEMA agree to the following restrictions on use, duplication, and disclosure of information furnished by the other agency.

A. Records obtained for this matching program or created by the match will not be disclosed outside the agency except as may be essential to conduct the matching program, or as may be required by law. Each agency will obtain the written permission of the other agency before making such disclosure (see routine uses in Department of Homeland Security Federal Emergency Management Agency—008 Disaster Recovery Assistance Files system of records (September 24, 2009, 74 FR 48763) and Small Business Administration—020 Disaster Loan Case File system of records (April 1, 2009, 74 FR 14911).

B. Records obtained for this matching program or created by the match will not be disseminated within the agency except on a need-to-know basis, nor will they be used for any purpose other than that expressly described in this Agreement. Information concerning “non-matching” individuals, businesses or other entities will not be used or disclosed by either agency for any purpose.

C. Data or information exchanged will not be duplicated unless essential to the conduct of the matching program. All stipulations in this Agreement will apply to any duplication.

D. If required to disclose these records to a state or local agency or to a government contractor in order to accomplish the matching program's purpose, each agency will obtain the written agreement of that entity to abide by the terms of this Agreement.

E. Each agency will keep an accounting of disclosure of an individual's record as required by section 552a(c) of the Privacy Act and will make the accounting available upon request by the individual or other agency.

X. Records Accuracy Assessments

DHS/FEMA and SBA attest that the quality of the specific records to be used in this matching program is assessed to be at least 99% accurate. The possibility of any erroneous match is extremely small.

In order to apply for assistance online via the Disaster Assistance Center (DAC) portal an applicant's name, address, Social Security Number, and date of birth are sent to a commercial database provider to perform identity verification. The identity verification ensures that a person exists with the provided credentials. In the rare instances where the applicant's identity is not verified online or the applicant chooses, the applicants must call one of the DHS/FEMA call centers to complete the registrations. The identity verification process is performed again. Depending on rare circumstances, an applicant is allowed to register using an ersatz Social Security Number. Applicants must update their Social Security Number and pass the identity verification to obtain assistance.

XI. Comptroller General Access

The parties authorize the Comptroller General of the United States, upon request, to have access to all SBA and DHS/FEMA records necessary to monitor or verify compliance with this matching agreement. This matching agreement also authorizes the Comptroller General to inspect any records used in the matching process that are covered by this matching agreement. (31 U.S.C. 717 and 5 U.S.C. 552a(b)(10)).

XII. Duration of Agreement

The Agreement may be renewed, terminated or modified as follows:

A. Renewal or Termination. This Agreement will become effective in accordance with the terms set forth in paragraph IV.C and will remain in effect for 18 months from the commencement date. At the end of this period, this Agreement may be renewed for a period of up to one additional year if the Data Integrity Board of each agency determines within three months before the expiration date of this Agreement that the program has been conducted in accordance with this Agreement and will continue to be conducted without change. Either agency not wishing to renew this Agreement should notify the other in writing of its intention not to renew at least three months before the expiration date of this Agreement. Either agency wishing to terminate this Agreement before its expiration date should notify the other in writing of its wish to terminate and the desired date of termination.

B. Modification of the Agreement. This Agreement may be modified at any time in writing if the written modification conforms to the requirements of the Privacy Act and receives approval by the participant agency Data Integrity Boards.

XIII. Reimbursement of Matching Costs

SBA and DHS/FEMA will bear their own costs for this program.

XIV. Data Integrity Board Review/Approval

SBA and DHS/FEMA's Data Integrity Boards will review and approve this Agreement prior to the implementation of this matching program. Disapproval by either Data Integrity Board may be appealed in accordance with the provisions of the Computer Matching and Privacy Protection Act of 1988, as amended. Further, the Data Integrity Boards will perform an annual review of this matching program. SBA and DHS/FEMA agree to notify the Chairs of each Data Integrity Board of any changes to or termination of this Agreement.

XV. Points of Contacts and Approvals

For general information please contact: Thomas R. McQuillan (202-646-3323), Privacy Officer, Federal Emergency Management Agency, Department of Homeland Security; and Ethel Matthews (202-205-7173), Senior Privacy Advisor, Office of the Chief Information Officer, Small Business Administration.

Start Signature

Paul T. Christy,

Acting Chief Information Officer/Chief Privacy Officer.

End Signature End Supplemental Information

[FR Doc. 2010-15113 Filed 6-22-10; 8:45 am]

BILLING CODE 8025-01-P