Computer Matching Agreement Between U.S. Small Business Administration and U.S. Department of Homeland Security, Federal Emergency Management Agency

AGENCY:

U.S. Small Business Administration.

ACTION:

Notice of Computer Matching Agreement between the U.S. Small Business Administration and the U.S. Department of Homeland Security, Federal Emergency Management Agency.

SUMMARY:

The purpose of this Agreement is to ensure that applicants for SBA Disaster Assistance Loan Programs and DHS/FEMA's Other Needs Assistance and Housing Assistance Grant programs do not receive a duplication of benefits for the same disaster.

DATES:

Issued on September 4, 2018.

ADDRESSES:

U.S. Small Business Administration, Processing and Disbursement Center, 14925 Kingsport Road, Fort Worth, TX 76155.

FOR FURTHER INFORMATION CONTACT:

A. Escobar, Office of Disaster Assistance, U.S. Small Business Administration, 409 3rd Street SW, Suite 6050, Washington, DC 20416, (202) 205-6734.

SUPPLEMENTARY INFORMATION:

Pursuant to the Robert T. Stafford Disaster and Emergency Assistance Act (Pub. L. 93-288), as amended at 42 U.S.C. 5121 et seq., DHS/FEMA and SBA may not provide duplicative disaster assistance to individuals, businesses, including Private-Not-for Profits (PNPs), or other entities for the same disaster or emergency losses. To accomplish this, DHS/FEMA and SBA will participate in a Computer Matching program to share data and financial/benefits award decisions of individuals, businesses, and/or other entities to verify eligibility for benefits, prevent duplicative aid from being provided in response to the same disaster or emergency, and recover aid when duplication of benefits is identified.

This Agreement establishes the Computer Matching program between DHS/FEMA and SBA. The Computer Matching program seeks to ensure that applicants for SBA Disaster Loans and DHS/FEMA Individuals and Households Program (IHP), which provides Other Needs Assistance (ONA) and Housing Assistance (HA), are eligible to receive benefits and do not receive a duplication of benefits for the same disaster. Additionally, the Computer Matching program seeks to establish or verify initial eligibility for DHS/FEMA and SBA disaster assistance as well as provide updates on disaster recipients SBA Loan status. This will be accomplished by matching specific DHS/FEMA disaster applicant data with SBA disaster loan application and decision data for a declared disaster, as set forth in this Agreement.

COMPUTER MATCHING AGREEMENT BETWEEN U.S. SMALL BUSINESS ADMINISTRATION AND U.S. DEPARTMENT OF HOMELAND SECURITY FEDERAL EMERGENCY MANAGEMENT AGENCY

I. INTRODUCTION

The SMALL BUSINESS ADMINISTRATION (SBA) and the DEPARTMENT OF HOMELAND SECURITY, FEDERAL EMERGENCY MANAGEMENT AGENCY (DHS/FEMA) have entered into this Computer Matching Agreement (Agreement) pursuant to section (o) of the Privacy Act of 1974, (Privacy Act), 5 U.S.C. § 552a, as amended by the Computer Matching and Privacy Protection Act of 1988 (Pub. L. 100-503), and as amended by the Computer Matching Privacy Protection Act Amendments of 1990 (Pub. L. 101-508, 5 U.S.C. § 552a(p) (1990)). For purposes of this Agreement, both SBA and DHS/FEMA are the recipient agency and the source agency as defined in 5 U.S.C. § 552a(a)(9) and (11). For this reason, the financial and administrative responsibilities will be evenly distributed between SBA and DHS/FEMA unless otherwise set forth in this agreement.

II. PURPOSE AND LEGAL AUTHORITY

A. Purpose of the Matching Program

Pursuant to the Robert T. Stafford Disaster and Emergency Assistance Act (Pub. L. 93-288), as amended at 42 U.S.C. § 5121 et seq, DHS/FEMA and SBA may not provide duplicative disaster assistance to individuals, businesses, including Private-Not-for Profits (PNPs), or other entities for the same disaster or emergency losses. To accomplish this, DHS/FEMA and SBA will participate in a Computer Matching program to share data and financial/benefits award decisions of individuals, businesses, and/or other entities to verify eligibility for benefits, prevent duplicative aid from being provided in response to the same disaster or emergency, and recover aid when duplication of benefits is identified.

This Agreement establishes the Computer Matching program between DHS/FEMA and SBA. The Computer Matching program seeks to ensure that applicants for SBA Disaster Loans and DHS/FEMA Individuals and Households Program (IHP), which provides Other Needs Assistance (ONA) and Housing Assistance (HA), are eligible to receive benefits and do not receive a duplication of benefits for the same disaster. Additionally, the Computer Matching program seeks to establish or verify initial eligibility for DHS/FEMA and SBA disaster assistance as well as provide updates on disaster recipients SBA Loan status. This will be accomplished by matching specific DHS/FEMA disaster applicant data with SBA disaster loan application and decision data for a declared disaster, as set forth in this Agreement.

B. Legal Authority

This Agreement is executed in compliance with the Privacy Act and other statutes discussed in this Agreement, their implementing regulations, and related notices and guidance.

1. The Robert T. Stafford Disaster and Emergency Assistance Act, as amended (Stafford Act), 42 U.S.C. § 5121 et seq., requires each federal agency that administers any program that provides financial assistance as a result of a major disaster or emergency to assure that no individual or entity receives duplicate financial assistance under any program or from insurance or any other source, 42 U.S.C. § 5155(a). The Stafford Act requires DHS/FEMA or SBA (whichever agency provided the duplicative assistance) to recover all duplicative assistance from the recipient, when the head of such agency considers it to be in the best interest of the Federal Government, 42 U.S.C. § 5155(c).

2. Pursuant to Section 408(i) of the Stafford Act, 42 U.S.C. § 5174(i), in carrying out Section 408 (Federal Assistance to Individuals and Households), DHS/FEMA is directed and authorized to “develop a system, including an electronic database,” to:

1. Verify the identity and address of recipients of assistance to provide reasonable assurance that payments are made only to an individual or household that is eligible for such assistance by sharing personally identifiable information (PII);

2. Minimize the risk of making duplicative payments or payments for fraudulent claims;

3. Collect any duplicate payment on a claim, or reduce the amount of subsequent payments to offset the amount of any such duplicate payment;

4. Provide instructions to recipients of assistance regarding the proper use of any such assistance, regardless of how such assistance is distributed; and

5. Conduct an expedited and simplified review and appeal process for an individual or household whose application for assistance is denied.

3. FEMA collects and maintains personally identifiable information of individuals who apply for FEMA disaster assistance under Section 408 of the Stafford Act. In accordance with the Privacy Act of 1974, DHS/FEMA is authorized to provide States (impacted by disasters) with access to DHS/FEMA's electronic records of individuals and households receiving assistance in order for the States to make available any additional State and local assistance to the affected individuals and households. The provision of these records is further allowed under Routine Uses H.1 and R of the DHS/FEMA Disaster Recovery Assistance Files System of Records, 78 Fed. Reg. 25,282 (April 30, 2013). RU H.1 states that DHS/FEMA may disclose applicant information to other federal agencies and agencies of state, tribal, and local governments to prevent duplication of benefits and/or to address unmet needs of eligible, ineligible, or partially eligible FEMA applicants. RU R permits FEMA to share information to other federal, state, local, or tribal government agencies, and voluntary organizations under approved computer matching efforts.

4. Pursuant to the Debt Collection Improvement Act of 1996, 31 U.S.C. §§ 3325(d) and 7701(c)(1), federal agencies are required to collect the taxpayer identification number (i.e., Social Security Number) of each person who receives payments from the federal government; and each person doing business with the federal government is required to furnish his or her taxpayer identification number.

A. For the purposes of 31 U.S.C. § 7701, a person is considered to be doing business with the federal government if the person is:

i. A lender or servicer in a federal guaranteed or insured loan program administered by a federal agency;

ii. An applicant for, or recipient of, a federal license permit, right-of-way, grant or benefit payment administered by a federal agency;

iii. A contractor of a federal agency;

iv. Assessed a fine, fee, royalty or penalty by a federal agency;

v. In a relationship with a federal agency that may give rise to a receivable due to that agency, such as a partner of a borrower in or a guarantor of a federal direct or insured loan administered by the federal agency.

Each federal agency must inform each person required to disclose his or her taxpayer identification number of the agency's intent to use such number for purposes of collecting and reporting on any delinquent amounts arising out of such person's relationship with the federal government.

5. Fraud, waste, and abuse prevention efforts pursuant to the aforementioned statutory authorities are also applicable to certain FEMA-administered pilot programs, designed to provide alternative or additional federal disaster assistance programs. 6 U.S.C. §§ 776-777.

6. SBA's legal authority to make disaster loans to repair, rehabilitate or replace property, real or personal, damaged or destroyed without duplicating benefits is contained in section 7(b)(1) of the Small Business Act, 15 U.S.C. § 636 (b) (1), provided that such damage or destruction is not compensated for by insurance or otherwise.

7. SBA regulation 13 CFR § 123.108 requires that grant assistance received from FEMA's Individuals and Households Program (IHP) that duplicates the damage covered by the SBA loan must be deducted from the SBA disaster loan eligibility.

8. SBA is allowed to share information with DHS/FEMA pursuant to Routine uses (f) and (g) of SBA-020 Disaster Loan Case Files System of Records, 74 FR 14911 (April 1, 2009).

III. JUSTIFICATION AND EXPECTED RESULTS

A. Justification

DHS/FEMA collaborates with the SBA in determining applicant eligibility for Other Needs Assistance (ONA). ONA is a provision of IHP, authorized by section 408(e) of the of the Robert T. Stafford Disaster Relief and Emergency Assistance Act (Stafford Act), that provides financial assistance for disaster-related necessary expenses and serious needs that are not covered by insurance or provided by any other source. There are two categories of ONA: Non-SBA-dependent ONA and SBA-dependent ONA. Non-SBA-dependent ONA is assistance DHS/FEMA provides for funeral, medical, dental, childcare, and miscellaneous expenses without regard to whether a disaster survivor may obtain a SBA loan. SBA-dependent ONA is assistance where the disaster survivor must first apply to SBA for a loan for personal property, moving and storage, and transportation expenses before DHS/FEMA provides assistance for these expenses. 44 CFR 206.119 (a)(1) and 206.191(d)(2).

The Small Business Act authorizes the SBA to provide low-interest disaster loans to applicants who have sustained damage in a disaster. An applicant must meet a minimum income test, which the SBA establishes, to be considered for a loan. DHS/FEMA refers the applicant's registration to SBA if the applicant's income meets SBA minimum guidelines. Once referred to SBA, the applicant must apply for a SBA low-interest disaster loan which is based on credit-worthiness. All denied applicants are referred back to DHS/FEMA for possible SBA-dependent ONA. DHS/FEMA will provide assistance for SBA-dependent ONA if the applicant's SBA loan application is denied or if their income does not meet the SBA minimum threshold to warrant a SBA referral. However, if SBA approves the applicant's loan application and the applicant does not accept the loan, DHS/FEMA will not provide any SBA-dependent ONA to that applicant.

SBA provides low-interest, long-term Federal disaster loans to homeowners, renters, businesses of all sizes and private, non-profit organizations to help repair or replace privately-owned property that was damaged or destroyed in a declared disaster event. SBA disaster loan assistance is for uninsured, underinsured or otherwise uncompensated disaster losses only. A disaster survivor's SBA disaster loan eligibility is determined by total amount of disaster losses, as verified by SBA, less recoveries such as insurance, FEMA grant assistance and other sources. In the normal sequence of delivery, a disaster survivor will initiate the Federal disaster assistance process by registering with FEMA. If the survivor's reported household income is above a minimum threshold, as provided to FEMA by SBA, they will be referred to the SBA disaster loan program and encouraged to apply for disaster loan assistance. After the survivor submits an SBA disaster loan application, SBA will determine loan eligibility by estimating the applicant's disaster losses and verifying other assistance received, including insurance, FEMA grant assistance and other recoveries.

DHS/FEMA and SBA coordinate to ensure that ONA and SBA disaster loans do not cause a duplication of benefits for the same type of assistance. DHS/FEMA and SBA provide benefits for the same type of assistance: personal property damage, moving and storage expenses, and transportation assistance. Additionally, the amount of aid provided by SBA impacts the amount of assistance FEMA provides. This matching program ensures disaster survivors are not receiving duplicative benefits from both agencies.

It is also recognized that the programs covered by this Agreement are part of a Government-wide initiative, Executive Order 13411—Improving Assistance for Disaster Victims (August 29, 2006). This order mandates DHS/FEMA to identify and prevent duplication of benefits received by individuals, businesses, or other entities for the same disaster. That initiative and this matching program are consistent with Office of Management and Budget (OMB) guidance on interpreting the provisions of the Computer Matching and Privacy Protection Act of 1988, 54 Fed. Reg. 25818 (June 19, 1989); and OMB Circular A-130, Appendix I, “Federal Agency Responsibilities for Maintaining Records about Individuals.”

B. Expected Results

The matching program is to ensure that benefits provided to disaster survivors by DHS/FEMA and SBA are not duplicated. By way of the DHS/FEMA disaster registration identification (ID) number, DHS/FEMA and SBA are able to identify the applications received from mutual DHS/FEMA and SBA disaster survivors.

By the nature of the sequence of delivery, as outlined in FEMA Regulation, 44 CFR Section 206.191, survivors that register with FEMA for possible disaster assistance and meet SBA's minimum income requirements are automatically referred to SBA for possible loan assistance to homeowners and renters. The Agreement helps to identify instances where the same disaster survivor has submitted applications to both FEMA and SBA, which could result in a duplication of benefits. Since FY 2015 the use of the Agreement has identified 166,234 instances where the same disaster survivor submitted applications to both agencies, a yearly average of 83,117. Over that same time period, SBA approved 62,258 loans to home owners and renters totaling more than $4 billion. This is a yearly average of 31,129 loan files identified with a potential duplication of benefits, with an average loan amount of $64,819. Once the computer match identifies a potential duplication of benefits, SBA staff manually review the files to determine whether a DOB exists and the amount of the duplication of benefits. In FY 2016 and 2017, SBA declined 376 loans due to recoveries from other sources. The verified loss amount for these declined loans totaled more than $23.3 million, an average of $62,042 per loan application declined due to other recoveries.

Prior to the use of this computer match, SBA loan officers used stand-alone PCs to access FEMA's system, National Emergency Management Information System-Individual Assistance (NEMIS-IA). Without the computer matching Agreement, SBA staff performed a manual checking process to avoid a duplication of benefits. This duplication of benefits check procedure took approximately 10-12 minutes per loan application and was performed on all loan applications, not just the approved loans. The matching program between SBA and FEMA will save the federal government nearly $2.5 million.

IV. RECORDS DESCRIPTION

As required by the Privacy Act's subsection 552a(o)(1)(C), the following is a description of the records that will be matched:

A. Systems of Records and Estimated Number of Records Involved

DHS/FEMA accesses records from its Disaster Recovery Assistance Files system of records, as provided by the DHS/FEMA-008 SORN, through its NEMIS-IA system, and matches them to the records that SBA provides from its SBA-020 Disaster Loan Case Files, 74 Fed. Reg. 14,911 (April 1, 2009) system of records.

SBA uses its Disaster Credit Management System (DCMS) to access records from its Disaster Loan Case Files system of records, and match them to the records that DHS/FEMA provides from its Disaster Recovery Assistance Files system of records. Under this agreement, DHS/FEMA and SBA exchange data to: 1) check for initial registrations, 2) check for the duplication of benefits, and 3) update the SBA Loan Status.

Records Estimate

SBA and DHS/FEMA intend to match records after any disaster in which FEMA provides IHP assistance or SBA awards disaster loans. The estimated number of records SBA and DHS/FEMA will match following any disaster fluctuate based on the size and impact area of the disaster and depend upon the number of individuals that are affected. The damage type and cost will be determined after the disaster, and cannot easily be estimated, as the scale and impact of each disaster is unique.

B. Description of the Match

The three types of match processes, for initial registration, duplication of benefits, and status updates, are described below.

1. DHS/FEMA—SBA Automated Import/Export Process for Initial Registrations.

a. SBA is the recipient (i.e. matching) agency. SBA will match records from its Disaster Loans Case Files system of records, as identified in Section (1c), applications and information accessed via the DCMS, to the records extracted and provided by DHS/FEMA from its DHS/FEMA Disaster Recovery Assistance Files system of records, as identified in Section II.B.

b. DHS/FEMA will provide SBA the data elements identified in the current NEMIS-IA Disaster Assistance Improvement Program (DAIP) Interface Control Document (ICD) (See Appendix A), which includes but is not limited to the following information: Applicant's FEMA Registration ID Number; applicant's personally identifiable information, which includes name, address, social security number, and date of birth; damaged property information; insurance policy data; property occupant data; vehicle registration data; and flood zone and flood insurance data.

c. SBA will conduct the match against the Disaster Loans Case Files system of records via DCMS using the FEMA Disaster ID number, FEMA Registration ID number, Product (Home/Business), and Registration Occupant Social Security number (SSN) to create a New Pre-Application. The records SBA receives are of DHS/FEMA applicants who are referred to SBA for disaster loan assistance. Controls on the DHS/FEMA export of data are in place to ensure that SBA only receives unique and valid referral records.

d. When SBA matches its records to those provided by DHS/FEMA, two types of matches are possible: a full match and a partial match. A full match exists when an SBA record matches a DHS/FEMA record on each of the following data fields: FEMA Disaster ID number, FEMA Registration ID number, Product (Home/Business), and Registration Occupant Social Security Number (SSN). A partial match exists when an SBA record matches a DHS/FEMA record on one or more, but not all of the data fields listed above. If an exact (full) match is found among SBA records for the current imported record, the current record is automatically marked as a duplicate by the system with appropriate comments inserted to indicate the corresponding record that matched. If a partial match is found during the import process, the record is routed for manual examination, investigation, and resolution to determine whether it is truly a duplicate record.

2. DHS/FEMA—SBA Duplication of Benefits Automated Match Process:

a. Both DHS/FEMA and SBA will act as the recipient (i.e. matching) agency. SBA will extract and provide to DHS/FEMA data from its Disaster Loans Case Files system of records, as identified in Section (1c), and accessed via the DCMS. DHS/FEMA will match the data SBA provides to records in its Disaster Recovery Assistance Files system of records, as identified in Section II.B., accessed through NEMIS-IA System, via the FEMA Registration ID number. SBA will issue a data call to DHS/FEMA requesting that DHS/FEMA return any records for which NEMIS-IA found a match. For each match found, DHS/FEMA sends all of its applicant information that it collects during the registration process to SBA so that SBA may match these records with its registrant data in the DCMS. SBA's DCMS manual process triggers an automated interface to query NEMIS-IA, using the FEMA Registration ID number as the unique identifier.

b. DHS/FEMA will return the following fields for the matching DHS/FEMA record, if any: FEMA Disaster Number; FEMA Registration ID number; applicant and if applicable, co-applicant name; damaged dwelling address, phone number, SSN, damaged property data, insurance policy information, contact address (if different from damaged dwelling address), flood zone and flood insurance data, FEMA Housing Assistance and Other Needs Assistance data, program, award level, eligibility, inspection data, verification of ownership and occupancy, and approval or rejection data. DHS/FEMA will return no result when the FEMA Registration ID number is not matched.

c. For each matching record received from DHS/FEMA, SBA determines whether DHS/FEMA assistance duplicates SBA loan assistance. If SBA loan officers determine that there is a duplication of benefits, the duplicated amount is deducted from the eligible SBA loan amount.

3. DHS/FEMA—SBA Status Update Automated Match Process:

a. DHS/FEMA will act as the recipient (i.e. matching) agency. DHS/FEMA will match records from its Disaster Recovery Assistance Files system of records, as identified in Section (1b), to the records extracted and provided by SBA from its Disaster Loans Case Files system of records, as identified in Section (1c). The purpose of this process is to update DHS/FEMA applicant information with the status of SBA loan determinations. The records provided by SBA will be automatically imported into NEMIS-IA to update the status of existing applicant records. The records DHS/FEMA receives from SBA are of DHS/FEMA applicants who were referred to SBA for disaster loan assistance. Controls on the SBA export of data are in place to ensure that DHS/FEMA only receives unique and valid referral records.

b. SBA will provide to DHS/FEMA information and data, including but not limited to the following: personal information about SBA applicants, including name, damaged dwelling address, and SSN; application data; loss to personal property data; loss mitigation data; SBA loan data; and SBA event data. DHS/FEMA will conduct the match using FEMA Disaster Number and FEMA Registration ID number.

c. Loan data for matched records will be recorded and displayed in NEMIS-IA. Loan data will also be run through NEMIS-IA business rules; potentially duplicative categories of assistance are sent to FEMA's Program Review process for manual evaluation of any duplication of benefits. If FEMA review staff determines that there is a duplication of benefits, the duplicated amount is deducted from the eligible award. FEMA applicants receive a letter that indicates the amount of their eligible award and their ability to appeal.

C. Projected Starting and Completion Dates

This Agreement will take effect forty (40) days from the date copies of this signed Agreement are sent to both Houses of Congress and OMB, or thirty (30) days from the date the Computer Matching Notice is published in the Federal Register for public comment, at which time comments will be addressed. Additionally, depending on whether comments are received, this Agreement could yield a contrary determination (Commencement Date). DHS/FEMA is the agency that will:

1. Transmit this Agreement to Congress;

2. Notify OMB;

3. Publish the Computer Matching Notice in the Federal Register; and

4. Address public comments that may result from publication in the Federal Register.

Matches under this program will be conducted for every Presidential disaster declaration where IHP assistance has been granted. The aforementioned matching processes shall commence, as needed, following a disaster declaration, and shall last until DHS/FEMA IHP disaster assistance closes out, or until SBA have stopped processing applications, whichever is later.

V. NOTICE PROCEDURES

The Privacy Act's subsection 552a(o)(1)(D) requires CMAs to specify procedures for notifying applicants/recipients at the time of registration and other periodic notice, as directed by the Data Integrity Board of such agency (subject to guidance provided by the Director of OMB pursuant to subsection v), to applicants for and recipients of financial assistance or payments under Federal benefit programs.

As noted under Section V.A. and Section V.B. of this Agreement, DHS/FEMA and SBA have both published SORNs informing applicants/recipients that their information may be subject to verification through matching programs per 5 U.S.C. § 552a(o)(1)(D). As further required by the Privacy Act, DHS/FEMA and SBA shall make a copy of this Agreement available to the public upon request and it shall be published in the Federal Register.

A. DHS/FEMA recipients

FEMA Form 009-0-1 “Application/Registration for Disaster Assistance,” Form 009-0-3 “Declaration and Release” (both part of OMB ICR No. 1660-0002), and various other forms used for financial assistance benefits immediately following a declared disaster, use a Privacy Act statement, see 5 U.S.C. § 552a(e)(3), to provide notice to applicants regarding the use of their information. The Privacy Act statements provide notice of computer matching or the sharing of their records consistent with this Agreement. The Privacy Act statement is read to call center applicants and is displayed and agreed to by Internet applicants. Also, FEMA Form 009-0-3 requires the applicant's signature in order to receive financial assistance. Additionally, DHS/FEMA gives public notice via its Individual Assistance Program Privacy Impact Assessment (PIA) and in its system of records notice identified in Section II.B.

B. SBA recipients

SBA Forms 5 “Disaster Business Loan Application,” 5C “Disaster Home Loan Application,” and the Electronic Loan Application (ELA) include a Privacy Act statement that provides notice that SBA may disclose personal information under a published “routine use,” as permitted by law. SBA's published system of records notice, identified in Section II. B), provides notice that a computer match may be performed to share information with another Federal agency in connection with the issuance of a grant, loan or other benefit. In addition, the Privacy Act requires that a copy of each CMA entered into with a recipient agency shall be available upon request to the public.

VI. VERIFICATION PROCEDURE AND OPPORTUNITY TO CONTEST

A. General

The Privacy Act's subsection 552a(o)(1)(E) requires that each CMA outline procedures for verifying information produced in the matching program, as required by 5 U.S.C. § 552a(p). This subsection requires agencies to independently verify the information produced by a matching program and to provide the individual an opportunity to contest the agency's findings, before an adverse action is taken against the individual, as a result of the match. Subsequent amendments and regulations allow for an agency to authorize a waiver of independent verification procedures when it finds a high degree of confidence in the accuracy of the data. (See OMB “Final Guidance Interpreting the Provisions of P.L.100-503, the Computer Matching and Privacy Protection Act”, Sec. 6.g. Providing Due Process to Matching Subjects, 54 Fed. Reg. 25,818 (June 19, 1989).

DHS/FEMA will be responsible for ensuring that DHS/FEMA data is current and accurate at the time it is provided to SBA. SBA will be responsible for ensuring that SBA data is current and accurate at the time it is provided to DHS/FEMA.

B. DHS/FEMA—SBA Automated Import/Export Process for Initial Registrations

The matching program for the initial contact information for individuals and businesses will be accomplished by mapping applicant data for DHS/FEMA NEMIS-IA fields described earlier to the DCMS application data fields. During the automated import process, a computer match is performed against existing DCMS applications as described in Section IV.B.1.

If the applicant's data does not match an existing pre-application or application in the SBA's DCMS, then the applicant's data will be automatically transferred into DCMS to create a new pre-Application. An SBA application for disaster assistance may be mailed to the registrant.

If the applicant's data does match an existing pre-application or application in SBA's DCMS, it indicates that there may be an existing pre-application/application for the applicant in the DCMS. If there is an exact match, the system will transfer the record into SBA's DCMS but will identify it as a duplicate with appropriate comments inserted to indicate the corresponding record that matched. If there is a partial match, the system will insert the record within the SBA's DCMS but will identify it as a potential duplicate. The record is then further reviewed by SBA employees to determine whether the data reported by the DHS/FEMA applicant is a duplicate of previously submitted registration data. Only one of the applications is kept for processing and the other duplicate pre-applications or applications will not be processed.

C. DHS/FEMA—SBA Duplication of Benefits Automated Match

The matching program is to ensure that recipients of SBA disaster loans have not received duplicative benefits for the same disaster from DHS/FEMA. The matching process begins by matching the DHS/FEMA Registration ID number. If the data matches, specific to the application or approved loan, SBA will then proceed with its manual process to determine whether there is a duplication of benefits. Upon determining that there is duplication of benefits, the dollar values for the benefits issued by DHS/FEMA may reduce the eligible amount of the disaster loan or may cause SBA loan proceeds to be used to repay the grant program in the amount of the duplicated assistance.

DHS/FEMA and SBA are responsible for verifying the submissions of data used during each respective benefit process and for resolving any discrepancies or inconsistencies on an individual basis.

At SBA, the matching program for duplication of benefits will be executed as part of loan processing and prior to each disbursement of an approved SBA disaster loan. Any match indicating that there is a possible duplicate benefit will be further reviewed by an SBA employee to determine whether the DHS/FEMA grant monies reported by the applicant or borrower are correct and matches the data reported by DHS/FEMA. If there is a duplication of benefits, the amount of the SBA disaster loan will be reduced accordingly and the applicant will be provided written notice of the changes by processing a loan modification to reduce the loan amount or, where appropriate, to repay the DHS/FEMA grant program. The notice will provide the applicant with an opportunity to apply for reconsideration of the loan modification within six months of the date of the notice. Except in extraordinary or unforeseeable circumstances, SBA will not consider a request for a loan increase received more than two years from the date of the loan approval.

D. DHS/FEMA—SBA Status Update Automated Processes

For informational purposes, SBA sends DHS/FEMA loan status updates as they occur and FEMA updates the loan records in NEMIS-IA based on the loan information received.

E. DHS/FEMA Notice and Opportunity to Contest

As required by the Privacy Act's subsection 552a(p), DHS/FEMA will not terminate, suspend, reduce, deny, or take other adverse action against an applicant for or recipient of temporary housing assistance based on data disclosed from DHS/FEMA records until the individual is notified in writing of the potential adverse action, and provided an opportunity to contest the planned action. “Adverse action” means any action resulting in a termination, suspension, reduction, or final denial of eligibility, payment, or benefit. The applicant will follow the current DHS/FEMA process for response as detailed in the written notice or letter.

To enable rapid response and resolution, DHS/FEMA and SBA telephone numbers will be provided to call in the event of a dispute. DHS/FEMA and/or SBA will respond to these calls as soon as reasonably possible, and when requested, in writing.

VII. DISPOSITION AND RECORDS RETENTION OF MATCHED ITEMS

As required by the Privacy Act's subsection 552a(o)(1)(F):

A. DHS/FEMA will retain data it receives from SBA under this Agreement only for the processing times required for the applicable federally funded benefit programs to verify data, and will then destroy all such data.

B. SBA will retain data received from DHS/FEMA under this Agreement only for the processing times required for the applicable federally funded benefit programs to verify data, and will then destroy all such data.

C. An exception applies if the information is required for evidentiary reasons, in which case, the information will be destroyed upon completion of the criminal, civil, or administrative actions and cases.

D. Any paper-based documentation used to determine whether a record was matched in the other agency's system and any documentation that was prepared for, provided to, or used to determine final benefit status will be destroyed by shredding, burning, or electronic erasure of the subject information according to the proper records retention schedules. Other identifiable records that may be created by each agency during the course of the investigation will be destroyed as soon as they have served the matching program's purpose pursuant to records retention requirements established in conjunction with the National Archives and Records Administration (NARA). For electronic matches, electronic records will be housed in DHS/FEMA's NEMIS-IA System, and SBA's DCMS database, retained with and according to the appropriate disaster recovery assistance records determined by the NARA.

E. Pursuant to SBA document retention policy, SBA retains applicant records in DCMS loan files, including records for matched items. DHS/FEMA will retain records pursuant to the Retention and Disposal section of DHS/FEMA—008 Disaster Recovery Assistance Files, 78 FR 25282 (Apr. 30, 2013).

VIII. SECURITY PROCEDURES

As required by the Privacy Act's subsection 552a(o)(1)(G), SBA and DHS/FEMA agree to the following information security procedures:

A. Administrative

DHS/FEMA and SBA will comply with the existing and future requirements set forth by the Privacy Act, 44 U.S.C. §§ 3541-3549, related OMB circulars and memoranda such as Circular A-130, Managing Information as a Strategic Resource (July 28, 2016), and Memorandum M-06-16, Protection of Sensitive Agency Information (June 23, 2006); NIST directives; and the Federal Acquisition Regulations (FAR), including any applicable amendments published after the effective date of this Agreement . These laws, directives, and regulations include requirements for safeguarding federal information systems and personally identifiable information used in federal agency business processes, as well as related reporting requirements. Specifically, Federal Information System Modernization Act (FISMA), (44 U.S.C. §§3501-3558) requirements apply to all federal contractors, organizations, or entities that possess or use federal information, or that operate, use, or have access to federal information systems on behalf of an agency. Both DHS/FEMA and SBA will ensure that their authorized users will receive training to ensure proper information security and privacy protections are adhered to in a manner consistent with this Agreement. Accordingly, DHS/FEMA and SBA will restrict access to the data matched and to any data created by the match to only those users authorized under this Agreement.

B. Technical

DHS/FEMA will transmit the data (specified in this Agreement) to SBA via the following process:

1. SBA will pull application data from DHS/FEMA Disaster Assistance Center (DAC) via a web services based Simple Object Access Protocol (SOAP), Extensible Markup Language (XML)/ Hypertext Transfer Protocol Secure (HTTPS) request. The data will be used to create applications inside the Disaster Credit Management System. For each record, a National Information Exchange Model (NIEM)-compliant response will be sent back to FEMA DAC indicating success or failure for the transfer of data. The SBA/DCMS to DHS/FEMA DAC export of referral data (specified in this Agreement) will occur via a web services-based SOAP, XML/ HTTPS request.

2. The DHS/FEMA Duplication of Benefits Interface will be initiated from the DCMS to the DHS/FEMA NEMIS-IA through a secured Virtual Private Network tunnel, open only to SBA domain Internet Protocol addresses. The results of the query are returned to the DCMS in real-time and populated in the DCMS for delegated SBA staff to use in the determination of duplication of benefits.

C. Physical

SBA and DHS/FEMA agree to maintain all automated matching records in a secured computer environment that includes the use of authorized access codes (passwords and/or PIV) to restrict access. Those records will be maintained under conditions that restrict access to persons who need them in connection with their official duties related to the matching process. It is the responsibility of the user's supervisor to ensure that DHS/FEMA or SBA, as applicable, are notified when a user has departed or duties have changed such that the user no longer needs access to the system, to ensure timely deletion of the user's account and password.

D. On-Site Inspections

SBA and DHS/FEMA may make on-site inspections of each other's recordkeeping and security practices, or make provisions beyond those in this Agreement to ensure the adequate safeguarding of records exchanged.

IX. MONITORING AND COMPLIANCE

DHS/FEMA and SBA agree that each agency may monitor compliance with the terms of this Agreement, including the non-discrimination provision. Both agencies have the right to monitor and review (1) transactions conducted pursuant to this Agreement, (2) the use of information obtained pursuant to this Agreement, and (3) policies, practices, and procedures related to this Agreement. Both agencies have the right to make onsite inspections to audit compliance with this Agreement for the duration or any extension of this Agreement. DHS/FEMA and SBA will cooperate to ensure the success of each agency's monitoring and compliance activities.

X. NON-DISCRIMINATION

Any action required or permitted under this Agreement shall be conducted in a manner that does not discriminate against an individual based upon his or her national origin, race, color, sex, religion, or disability in accordance with Section 705 of the Homeland Security Act of 2002; Section 504 of the Rehabilitation Act of 1973, and agency implementing regulations at 6 C.F.R Part 15.

In fulfilling their obligations under Executive Order 13,166 (“Improving Access to Services for Persons with Limited English Proficiency,” 65 Fed. Reg. 50,121 (Aug. 11, 2000)), DHS/FEMA and SBA will take reasonable steps to provide limited English proficiency (LEP) persons with meaningful access to federally conducted programs and activities, including services and benefits. Meaningful access includes providing timely language assistance services to ensure effective communication with LEP persons and providing language services that are sufficient to provide the same level of access to services received by persons who are not LEP. Language assistance services may be oral and written, and must be provided at no charge to the individual. Vital documents, including notices relating to consent, verification of status, and contesting verification failures should be translated.

In accordance with Section 504 of the Rehabilitation Act of 1973 (29 U.S.C. § 701) and related agency implementing regulations, DHS/FEMA and SBA will provide accommodations to individuals with disabilities to ensure effective communication; including providing qualified sign language interpreters; providing accessible electronic and information technology; and producing notices and publications in alternate formats, at no charge to the individual. Persons with disabilities that may require accommodation and provision of alternative communication methods to ensure effective communication include persons who are deaf or hard of hearing, persons with vision impairments, and persons with psychiatric and/or developmental disabilities.

XI. RECORDS USAGE, DUPLICATION AND REDISCLOSURE RESTRICTIONS

SBA and DHS/FEMA agree to the following restrictions on use, duplication, and disclosure of information furnished by the other agency:

A. Records obtained for this matching program or created by the match will not be disclosed outside the agency except as may be essential to conduct the matching program, or as may be required by law. Each agency will obtain the written permission of the other agency before making such disclosure. See DHS/FEMA and SBA routine uses provided in the systems of records notices identified in Section II.B.

B. Records obtained for this matching program or created by the match will not be disseminated within the agency except on a need-to-know basis, nor will they be used for any purpose other than that expressly described in this Agreement.

C. Data or information exchanged will not be duplicated unless essential to the conduct of the matching program. All stipulations in this Agreement will apply to any duplication.

D. If required to disclose these records to a state or local agency or to a government contractor in order to accomplish the matching program's purpose, each agency will obtain the written agreement of that entity to abide by the terms of this Agreement.

E. Each agency will keep an accounting of disclosure of an individual's record as required by the Privacy Act (5 U.S.C. § 552a(c)) and will make the accounting available upon request by the individual or other agency.

XII. RECORDS ACCURACY ASSESSMENTS

DHS/FEMA and SBA attest that the quality of the specific records to be used in this matching program is assessed to be at least 99% accurate. The possibility of any erroneous match is extremely small.

In order to apply for DHS/FEMA assistance online via the DAC portal, an applicant's name, address, SSN, and date of birth are sent to a commercial database provider to perform identity verification. The identity verification ensures that a person exists with the provided credentials. In the rare instances where the applicant's identity is not verified online or the applicant chooses, the applicants must call one of the DHS/FEMA call centers to complete the registrations. The identity verification process is performed again.

In order to apply for SBA's Disaster Loan Assistance online via SBA's Electronic Loan Application (ELA) an applicant's name, address, SSN, and date of birth and other information is sent to a commercial database provider to perform identity verification. The identity verification confirms that a person exists with the provided credentials. In the rare instances where the online applicant's identity cannot be verified electronically or if the applicant chooses, the applicant must call SBA's Customer Service Center to complete the online application. Once an application (electronic or paper) is completed and submitted, the information is transmitted to the DCMS system, where it is reviewed and processed by loan officers, who also verify each applicant's identity.

XIII. INCIDENT REPORTING AND NOTIFICATION RESPONSIBILITIES

A. DHS/FEMA and SBA agree to report and track incidents in accordance with the most current, final version of NIST Special Publication 800-61. Upon detection of an incident related to this interconnection, the agency experiencing the incident will promptly notify the other agency's System Security Contact(s) below:

• DHS/FEMA will promptly notify the following contact at SBA simultaneously: SBA Office for Disaster Assistance—Disaster Credit Management System (DCMS) Operations Center: (703) 487-8100, SBA Office of Chief Information Officer (OCIO) Chief Information Security Officer: 202-25-6708.
• SBA will promptly notify the following contact at DHS/FEMA simultaneously: Information System Security Officer (ISSO), Recovery Technology Programs Division (RTPD), Disaster Assistance Improvement Program (DAIP).

B. If the federal agency experiencing the incident is unable to speak with the other federal agency's System Security Contacts within one (1) hour, or if contacting the System Security Contact is not practical (e.g., outside of normal business hours), then the following contact information shall be used:

• FEMA Security Operations Center (SOC): (540) 542-4762 OR FEMA Helpdesk: 1-888-457-3362
• SBA IT Service Center: (855) 620-4780 OR ODA Service Desk (877) 398-1296

C. If either DHS/FEMA and SBA experience an exposure or of personally identifiable information (PII) provided under the terms of this Agreement, the federal agency that experienced the loss incident will also comply with the PII breach reporting and security requirements set forth by OMB M-17-12 “Preparing for and Responding to a Breach of Personally Identifiable Information” (January 3, 2017).

D. Neither SBA nor FEMA shall be liable for any cause of action arising from the possession, control, or use by a State or local government of survivor/registrant PII, or for any loss, claim, damage or liability, of whatsoever kind or nature, which may arise from or in connection with this Agreement or the use of survivor/registrant PII.

Nothing in this section shall be construed as a waiver of sovereign immunity against suits by third persons against a State or local government.

Notwithstanding any rights that may be available under the legal authorities referenced in this Agreement, this Agreement itself is not intended to, and does not, create any right or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.

E. DHS/FEMA and SBA agree to notify all the Security Contact(s) named in this Agreement as soon as possible, but no later than one (1) hour, after the discovery of a breach (or suspected breach) involving PII. The agency that experienced the incident will also be responsible for following its internal established procedures, including:

Notifying the proper organizations (e.g., United States Computer Emergency Readiness Team (US-CERT), the ISSOs, and other contacts listed in this document);

Conducting a breach and risk analysis, and making a determination of the need for notice and/or remediation to individuals affected by the loss;

Providing such notice and credit monitoring to the affected individuals at no cost to the other agency, if the analysis conducted by the agency having experienced the loss incident indicates that individual notice and credit monitoring are appropriate.

F. In the event of any incident arising from or in connection with this Agreement, each Agency will be responsible only for costs and/or litigation arising from a breach of the Agency's own systems or data; FEMA is responsible only for costs and litigation associated with breaches to FEMA systems or data and SBA is responsible only for breaches associated with SBA system or data.

FEMA shall not be liable to SBA or to any third person for any cause of action arising from the possession, control, or use by SBA of survivor/registrant PII, or for any loss, claim, damage or liability, of whatsoever kind or nature, which may arise from or in connection with this Agreement or the use of survivor/registrant PII.

SBA shall not be liable to FEMA or to any third person for any cause of action arising from the possession, control, or use by FEMA of applicant PII, or for any loss, claim, damage or liability, of whatsoever kind or nature, which may arise from or in connection with this Agreement or the use of survivor/registrant PII.

Nothing in this section shall be construed as a waiver of sovereign immunity against suits by third persons.

XIV. COMPTROLLER GENERAL ACCESS

The parties authorize the Comptroller General of the United States, upon request, to have access to all SBA and DHS/FEMA records necessary to monitor or verify compliance with this matching agreement, in accordance with 5 U.S.C. § 552a(o)(1)(K). This matching agreement also authorizes the Comptroller General to inspect any records used in the matching process that are covered by this matching agreement pursuant to 31 U.S.C. § 717 and 5 U.S.C. § 552a(b)(10).

XV. INSPECTOR GENERAL ACCESS

By agreeing to this matching Agreement, DHS/FEMA and SBA authorize their respective Offices of Inspector General to use results from data matches conducted under this matching program, for investigation, audit, or evaluation matters, pursuant to5. U.S.C. App. §§1-13.

XVI. DURATION OF AGREEMENT

A. Effective Date of the Agreement

This Agreement shall become effective, and matching may commence, under this Agreement on the later of the following dates:

Thirty (30) days after notice of the matching program described in this CMA has been published in the Federal Register, or

Forty (40) days after a report concerning this CMA is transmitted simultaneously to the Committee on Homeland Security and Governmental Affairs of the Senate, the Committee on Oversight and Government Reform of the U.S. House of Representatives according to 5 U.S.C. § 552a(o)(2)(A)(i), and to OMB, unless OMB waives 10 days of this 40-day period for compelling reasons, in which case 30 days after transmission of the report to OMB and Congress.

The Parties to this Agreement may assume OMB and Congressional concurrence if no comments are received within forty (40) days of the date of the transmittal letter of the Report of the Matching Program. The parties may assume public concurrence if no comment is received within thirty (30) days of the date of the publication of the Notice of Matching Program. This Agreement shall remain in effect for a period not to exceed eighteen (18) months.

B. Renewal of the Agreement

This Agreement may be extended for one twelve (12) month period upon mutual agreement by both Parties, if the renewal occurs within three (3) months of the expiration date of this Agreement. Renewals are subject to the requirements of the Privacy Act, including certification by the Parties to the responsible DIB (as described in Section XV of this Agreement) that:

The matching program will be conducted without change, and

The matching program has been conducted in compliance with the original Agreement pursuant to 5 U.S.C. §552a(o)(2)(D).

C. Termination of the Agreement

This Agreement shall terminate when the purpose of the computer match has been accomplished, or after eighteen (18) months from the effective date of the Agreement without notice from either party (whichever comes first). This Agreement may also be terminated, nullified, or voided by either DHS/FEMA or SBA, if:

Either Party violates the terms of this Agreement; or

SBA or its authorized users misuse or improperly handle the data provided by DHS/FEMA; or

DHS/FEMA or its authorized users misuse or improperly handle the data provided by SBA; or

The Parties mutually agree to terminate this Agreement prior to its expiration after 18 months; or

Either Party provides the other with 30 days written notice.

XVII. REIMBURSEMENT OF MATCHING COSTS

SBA and DHS/FEMA will bear their own costs for this program.

XVIII. DATA INTEGRITY BOARD REVIEW/APPROVAL

SBA and DHS/FEMA's Data Integrity Boards will review and approve this Agreement prior to the implementation of this matching program. Disapproval by either Data Integrity Board may be appealed in accordance with the provisions of the Computer Matching and Privacy Protection Act of 1988, as amended. Further, the Data Integrity Boards will perform an annual review of this matching program. SBA and DHS/FEMA agree to notify the Chairs of each Data Integrity Board of any changes to or termination of this Agreement.

This Agreement may be modified only by mutual consent of both Parties and approval of the respective DIBs. Any modifications must be in writing and satisfy the requirements of the Privacy Act and the requirements set forth in OMB Guidelines on the Conduct of Matching Programs, 54 Fed. Reg. 25818.

XIV. POINTS OF CONTACTS AND APPROVALS

For general information, please contact: William H. Holzerland (202-212-5100), Senior Director for Information Management, Federal Emergency Management Agency, Department of Homeland Security; and Ana Beskin (202-205-6595), Chief Information Security Officer, Office of the Chief Information Officer, Small Business Administration.

XVI. SIGNATURES

The authorizing officials whose signatures appear below have committed their respective agencies to the terms of this Agreement.

Small Business Administration

Dated: September 4, 2018.

James Rivera,

Associate Administrator for Disaster Assistance, U.S. Small Business Administration.

Dated: June 26, 2018.

Maria Roat,

Chief Information Officer, Data Integrity Board Chair, U.S. Small Business Administration.

U.S. Department of Homeland Security

Federal Emergency Management Agency

Dated: June 26, 2018.

Keith Turi,

Acting Assistant Administrator, Recovery Directorate, Federal Emergency Management Agency, U.S. Department of Homeland Security.

Dated: July 30, 2018.

Philip S. Kaplan,

Chief Privacy Officer, Data Integrity Board Chair, U.S. Department of Homeland Security.