2015-24477. Privacy Act; Computer Matching Agreement  


    I. Introduction

    The Small Business Administration (SBA) and the Department of Homeland Security, Federal Emergency Management Agency (DHS/FEMA) have entered into this Computer Matching Agreement (Agreement) pursuant to section (o) of the Privacy Act of 1974 (5 U.S.C. 552a), as amended by the Computer Matching and Privacy Protection Act of 1988 (Pub. L. 100-503), and as amended by the Computer Matching Privacy Protection Act Amendments of 1990 (Pub. L. 101-508, 5 U.S.C. 552a(p) (1990)). For purposes of this Agreement, both SBA and DHS/FEMA are the recipient agency and the source agency as defined in 5 U.S.C. 552a(a)(9) and (11). For this reason, the financial and administrative responsibilities will be evenly distributed between SBA and DHS/FEMA unless otherwise set forth in this agreement.

    II. Purpose and Legal Authority

    A. Purpose of the Matching Program

    The purpose of this Agreement is to establish a framework and procedures governing the Computer Matching program between SBA and DHS/FEMA. The Computer Matching program seeks to ensure that applicants for SBA Disaster Loans and DHS/FEMA Individuals and Households Program, which provides Other Needs Assistance (ONA) and Housing Assistance (HA), do not receive a duplication of benefits for the same disaster. This will be accomplished by matching specific DHS/FEMA disaster applicant data with SBA disaster loan application and decision data for a declared disaster, as set forth in this Agreement.

    B. Legal Authority

    SBA's legal authority for undertaking its disaster loan program without duplicating benefits is contained in section 7(b)(1) of the Small Business Act (15 U.S.C. 636(b)(1)). DHS/FEMA's legal authority, contained at § 312(a) of the Robert T. Stafford Disaster Relief and Emergency Assistance Act (42 U.S.C. 5155), mandates DHS/FEMA not to duplicate assistance provided by another agency or similar source.

    SBA is allowed to share information with DHS/FEMA pursuant to routine uses (f) and (g) of SBA-020 Disaster Loan Case Files system of records, 74 FR 14911 (April 1, 2009). DHS/FEMA is allowed to share information with SBA pursuant to routine uses H.1. and R. of DHS/FEMA-008 Disaster Recovery Assistance Files, 78 FR 25282 (April 30, 2013) (DHS/FEMA-008 SORN). The Computer Matching and Privacy Protection Act of 1988 (Pub. L. 100-503), as amended, (5 U.S.C. 552a(o)-(u)) establishes procedural requirements for agencies to follow when engaging in computer-matching activities.

    III. Justification and Expected Results

    A. Justification

    As required by law, SBA and DHS/FEMA will not provide duplicative disaster assistance to individuals, and businesses including Private-Not-for Profits (PNPs) for the same disaster. To accomplish this, SBA and DHS/FEMA will participate in a computer-matching program to share data and financial/benefits award decisions of individuals, businesses and/or other entities to prevent duplicative aid from being provided in the same disaster declaration.

    It is also recognized that the programs covered by this Agreement are part of a Government-wide initiative, Executive Order 13411—Improving Assistance for Disaster Victims (August 29, 2006). This order mandates DHS/FEMA to identify and prevent duplication of benefits received by individuals, businesses, or other entities for the same disaster. That initiative and this matching program are consistent with Office of Management and Budget (OMB) guidance on interpreting the provisions of the Computer Matching and Privacy Protection Act of 1988, 54 FR 25818 (June 19, 1989); and OMB Circular A-130, Appendix I, “Federal Agency Responsibilities for Maintaining Records about Individuals.”

    B. Expected Results

    The matching program is to ensure that benefits provided to disaster survivors by DHS/FEMA and SBA are not duplicated. By way of the DHS/FEMA disaster registration identification (ID) number, DHS/FEMA and SBA are able to identify the applications received from mutual DHS/FEMA and SBA disaster survivors. By the nature of the sequence of delivery as outlined in FEMA Regulation, 44 CFR 206.191, survivors that register with DHS/FEMA for possible grant assistance, and meet SBA's minimum income requirements, are automatically referred to SBA for possible loan assistance. For example, DHS/FEMA received 548,953 registrations in response to Hurricane Sandy, and referred 241,282 of those registrations to SBA. More recently, in FY 2013 and 2014, DHS/FEMA received 775,089 registrations and referred 337,619 registrations to SBA. The computer match will also reveal instances where the same disaster survivor has submitted applications to both DHS/FEMA and SBA, which could result in a duplication of benefits. Since FY 2010,[1] the use of the CMA has identified 224,878 instances where the same disaster survivor submitted applications to both agencies, a yearly average of 40,157. Over that same period, SBA approved 83,313 loans to homeowners and renters, who also received assistance from FEMA. This is a yearly average of 14,877 files identified with a potential DOB.

    IV. Records Description

    A. Systems of Records and Estimated Number of Records Involved

    DHS/FEMA accesses records from its Disaster Recovery Assistance Files system of records, as provided by the DHS/FEMA-008 SORN, through its National Emergency Management Information System-Individual Assistance (NEMIS-IA), and matches them to the records that SBA provides from its SBA-020 Disaster Loan Case Files, 74 FR 14911 (April 1, 2009) system of records. SBA uses its Disaster Credit Management System (DCMS) to access records from its Disaster Loan Case Files system of records, and match them to the records that DHS/FEMA provides from its Disaster Recovery Assistance Files system of records. Under this agreement, DHS/FEMA and SBA exchange data to: (1) Check for initial registrations, (2) check for the duplication of benefits, and (3) update the SBA Loan Status.

    A definitive answer cannot be given as to how many records will be matched as it will depend on the number of individuals, businesses or other entities that suffer damage from a declared disaster and that ultimately apply for Federal disaster aid.

    B. Description of the Match

    The three types of match processes, for initial registration, duplication of benefits, and status updates, are described below.

    1. DHS/FEMA-SBA Automated Import/Export Process for Initial Registrations.

    a. SBA is the recipient (i.e. matching) agency. SBA will match records from its Disaster Loans Case Files system of records, as identified in Section II.B, applications and information accessed via the DCMS, to the records extracted and provided by DHS/FEMA from its DHS/FEMA Disaster Recovery Assistance Files system of records, as identified in Section II.B.

    b. DHS/FEMA will provide SBA the data elements identified in the current NEMIS-IA Disaster Assistance Improvement Program (DAIP) Interface Control Document (ICD) (See Appendix A), which includes but is not limited to the following information: Applicant's FEMA Registration ID Number; applicant's personally identifiable information, which includes name, address, social security number, and date of birth; damaged property information; insurance policy data; property occupant data; vehicle registration data; and flood zone and flood insurance data.

    c. SBA will conduct the match using the FEMA Disaster ID number, FEMA Registration ID number, Product (Home/Business) and Registration Occupant Social Security number (SSN) to create a New Pre-Application. The records SBA receives are of DHS/FEMA applicants who are referred to SBA for disaster loan assistance. Controls on the DHS/FEMA export of data are in place to ensure that SBA only receives unique and valid referral records.

    d. When SBA matches its records to those provided by DHS/FEMA, two types of matches are possible: A full match and a partial match. A full match exists when an SBA record matches a DHS/FEMA record on each of the following data fields: FEMA Disaster ID number, FEMA Registration ID number, Product (Home/Business), and Registration Occupant Social Security Number (SSN). A partial match exists when an SBA record matches a DHS/FEMA record on one or more, but not all of the data fields listed above. If an exact (full) match is found among SBA records for the current imported record, the current record is automatically marked as a duplicate by the system with appropriate comments inserted to indicate the corresponding record that matched. If a partial match is found during the import process, the record is routed for manual examination, investigation, and resolution to determine whether it is truly a duplicate record.

    2. DHS/FEMA-SBA Duplication of Benefits Automated Match Process:

    a. Both DHS/FEMA and SBA will act as the recipient (i.e. matching) agency. SBA will extract and provide to DHS/FEMA data from its Disaster Loans Case Files system of records, as identified in Section II.B., and accessed via the DCMS. DHS/FEMA will match the data SBA provides to records in its Disaster Recovery Assistance Files system of records, as identified in Section II.B., accessed through NEMIS-IA, via the FEMA Registration ID number. SBA will issue a data call to DHS/FEMA requesting that DHS/FEMA return any records for which NEMIS-IA found a match. For each match found, DHS/FEMA sends all of its applicant information that it collects during the registration process to SBA so that SBA may match these records with its registrant data in the DCMS. SBA's DCMS manual process triggers an automated interface to query NEMIS-IA, using the FEMA Registration ID number as the unique identifier.

    b. DHS/FEMA will return the following fields for the matching DHS/FEMA record, if any: FEMA Disaster Number; FEMA Registration ID number; applicant and if applicable, co-applicant name; damaged dwelling address, phone number, SSN, damaged property data, insurance policy information, contact address (if different from damaged dwelling address), flood zone and flood insurance data, FEMA Housing Assistance and Other Needs Assistance data, program, award level, eligibility, inspection data, verification of ownership and occupancy, and approval or rejection data. DHS/FEMA will return no result when the FEMA Registration ID number is not matched.

    c. For each matching record received from DHS/FEMA, SBA determines whether DHS/FEMA assistance duplicates SBA loan assistance. If SBA loan officers determine that there is a duplication of benefits, the duplicated amount is deducted from the eligible SBA loan amount.

    3. DHS/FEMA-SBA Status Update Automated Match Process:

    a. DHS/FEMA will act as the recipient (i.e. matching) agency. DHS/FEMA will match records from its Disaster Recovery Assistance Files system of records, as identified in Section II.B., to the records extracted and provided by SBA from its Disaster Loans Case Files system of records, as identified in Section II.B. The purpose of this process is to update DHS/FEMA applicant information with the status of SBA loan determinations. The records provided by SBA will be automatically imported into NEMIS-IA to update the status of existing applicant records. The records DHS/FEMA receives from SBA are of DHS/FEMA applicants who were referred to SBA for disaster loan assistance. Controls on the SBA export of data are in place to ensure that DHS/FEMA only receives unique and valid referral records.

    b. SBA will provide to DHS/FEMA information and data, including but not limited to the following: Personal information about SBA applicants, including name, damaged dwelling address, and SSN; application data; loss to personal property data; loss mitigation data; SBA loan data; and SBA event data. DHS/FEMA will conduct the match using FEMA Disaster Number and FEMA Registration ID number.

    c. Loan data for matched records will be recorded and displayed in NEMIS-IA. Loan data will also be run through NEMIS-IA business rules; potentially duplicative categories of assistance are sent to FEMA's Program Review process for manual evaluation of any duplication of benefits. If FEMA review staff determines that there is a duplication of benefits, the duplicated amount is deducted from the eligible award. FEMA applicants receive a letter that indicates the amount of their eligible award and their ability to appeal.

    C. Projected Starting and Completion Dates

    This Agreement will take effect 40 days from the date copies of this signed Agreement are sent to both Houses of Congress or 30 days from the date the Computer Matching Notice is published in the Federal Register, whichever is later, depending on whether comments are received which would result in a contrary determination (Commencement Date). SBA is the agency that will:

    1. Transmit this Agreement to Congress.

    2. Notify OMB.

    3. Publish the Computer Matching Notice in the Federal Register.

    4. Address public comments that may result from publication in the Federal Register.

    Matches under this program will be conducted for every Presidential disaster declaration and will continue for as long as this agreement, including any renewals, remains in effect.

    V. Notice Procedures

    A. DHS/FEMA Recipients

    FEMA Form 009-0-1 “Application/Registration for Disaster Assistance,” Form 009-0-3 “Declaration and Release” (both part of OMB ICR No. 1660-0002), and various other forms used for financial assistance benefits immediately following a declared disaster, use a Privacy Act statement, see 5 U.S.C. 552a(e)(3), to provide notice to applicants regarding the use of their information. The Privacy Act statements provide notice of computer matching or the sharing of their records consistent with this Agreement. The Privacy Act statement is read to call center applicants and is displayed and agreed to by Internet applicants. Also, FEMA Form 009-0-3 requires the applicant's signature in order to receive financial assistance. Additionally, FEMA/DHS gives public notice via its Disaster Assistance Improvement Program Privacy Impact Assessment and in its system of records notice identified in Section II.B.

    B. SBA Recipients

    SBA Forms 5 “Disaster Business Loan Application,” 5C “Disaster Home Loan Application,” and the Electronic Loan Application (ELA) include a Privacy Act statement that provides notice that SBA may disclose personal information under a published “routine use,” as permitted by law. SBA's published system of records notice, identified in Section II.B, provides notice that a computer match may be performed to share information with another Federal agency in connection with the issuance of a grant, loan or other benefit. In addition, the Privacy Act requires that a copy of each CMA entered into with a recipient agency shall be available upon request to the public.

    VI. Verification Procedure

    A. DHS/FEMA-SBA Automated Import/Export Process for Initial Registrations

    The matching program for the initial contact information for individuals and businesses will be accomplished by mapping applicant data for DHS/FEMA NEMIS-IA fields described earlier to the DCMS application data fields. During the automated import process, a computer match is performed against existing DCMS applications as described in Section IV.B.1.

    If the applicant's data does not match an existing pre-application or application in the SBA's DCMS, then the applicant's data will be inserted into DCMS to create a new pre-Application. An SBA application for disaster assistance may be mailed to the registrant.

    If the applicant's data does match an existing pre-application or application in SBA's DCMS, it indicates that there may be an existing pre-application/application for the applicant in the DCMS. If there is an exact match, the system will insert the record within the SBA's DCMS but will identify it as a duplicate with appropriate comments inserted to indicate the corresponding record that matched. If there is a partial match, the system will insert the record within the SBA's DCMS but will identify it as a potential duplicate. The record is then further reviewed by SBA employees to determine whether the data reported by the DHS/FEMA applicant is a duplicate of previously submitted registration data. Only one of the applications is kept for processing and the other duplicate pre-applications or applications will not be processed.
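    The import decision described in Sections IV.B.1.d and VI.A, as an added Python example that is not part of the Agreement or of either agency's systems. The record layout, attribute names, record IDs and all sample values are constructed assumptions; the "one or more, but not all" definition of a partial match is implemented literally.

```python
from dataclasses import dataclass
from enum import Enum

# The four match fields named in Section IV.B.1.d (attribute names are assumptions).
MATCH_FIELDS = ("disaster_id", "registration_id", "product", "ssn")


class Outcome(Enum):
    NEW_PRE_APPLICATION = "new pre-application"
    DUPLICATE = "duplicate"                      # full match, marked automatically
    POTENTIAL_DUPLICATE = "potential duplicate"  # partial match, manual review


@dataclass(frozen=True)
class Record:
    record_id: str        # hypothetical local key, not a field from the ICD
    disaster_id: str
    registration_id: str
    product: str          # Home/Business
    ssn: str


@dataclass(frozen=True)
class Decision:
    outcome: Outcome
    comment: str          # audit comment; names fields, never carries an SSN value
    candidates: tuple     # (record_id, matched field names) pairs


def _norm(field, value):
    """Normalise a value so formatting differences do not hide a match."""
    value = value.strip()
    if field == "ssn":
        return "".join(ch for ch in value if ch.isdigit())
    return value.upper()


def matched_fields(a, b):
    """Names of the match fields on which two records agree.
    Empty values never count as agreement."""
    hits = []
    for f in MATCH_FIELDS:
        x, y = _norm(f, getattr(a, f)), _norm(f, getattr(b, f))
        if x and x == y:
            hits.append(f)
    return tuple(hits)


def classify_import(incoming, existing):
    """Full match -> duplicate; partial -> manual review; none -> new record."""
    partial = []
    for rec in existing:
        hits = matched_fields(incoming, rec)
        if len(hits) == len(MATCH_FIELDS):
            comment = f"duplicate of {rec.record_id} (all four fields match)"
            return Decision(Outcome.DUPLICATE, comment, ((rec.record_id, hits),))
        if hits:
            # Literal reading of the text: agreement on any subset is "partial".
            # Which subsets the real system routes for review is not stated.
            partial.append((rec.record_id, hits))
    if partial:
        detail = "; ".join(f"{rid}: {', '.join(h)}" for rid, h in partial)
        return Decision(Outcome.POTENTIAL_DUPLICATE,
                        f"manual review, partial match on {detail}", tuple(partial))
    return Decision(Outcome.NEW_PRE_APPLICATION, "no existing record matched", ())


# Constructed sample data (SSNs use the never-issued 000 area number).
EXISTING = [
    Record("PRE-1", "DR-0001", "900000001", "HOME", "000-00-0001"),
    Record("PRE-2", "DR-0001", "900000002", "HOME", "000-00-0002"),
]
FULL = Record("IMP-1", "dr-0001", "900000001", "home", "000000001")
PARTIAL = Record("IMP-2", "DR-0001", "900000003", "BUSINESS", "000-00-0002")
NEW = Record("IMP-3", "DR-0002", "900000004", "BUSINESS", "000-00-0003")

if __name__ == "__main__":
    for rec in (FULL, PARTIAL, NEW):
        d = classify_import(rec, EXISTING)
        print(rec.record_id, d.outcome.value, "|", d.comment)
```

    Because every registration in one disaster shares the FEMA Disaster ID, the literal definition flags most imports as partial matches; listing the agreeing fields in the comment lets a reviewer see at once how strong each candidate is.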

    B. DHS/FEMA-SBA Duplication of Benefits Automated Match

    The matching program is to ensure that recipients of SBA disaster loans have not received duplicative benefits for the same disaster from DHS/FEMA. The matching process begins by matching the DHS/FEMA Registration ID number. If the data matches, specific to the application or approved loan, SBA will then proceed with its manual process to determine whether there is a duplication of benefits. Upon determining that there is duplication of benefits, the dollar values for the benefits issued by DHS/FEMA may reduce the eligible amount of the disaster loan or may cause SBA loan proceeds to be used to repay the grant program in the amount of the duplicated assistance.

    DHS/FEMA and SBA are responsible for verifying the submissions of data used during each respective benefit process and for resolving any discrepancies or inconsistencies on an individual basis.

    At SBA, the matching program for duplication of benefits will be executed as part of loan processing and prior to each disbursement of an approved SBA disaster loan. Any match indicating that there is a possible duplicate benefit will be further reviewed by an SBA employee to determine whether the DHS/FEMA grant monies reported by the applicant or borrower are correct and match the data reported by DHS/FEMA. If there is a duplication of benefits, the amount of the SBA disaster loan will be reduced accordingly and the applicant will be provided written notice of the changes by processing a loan modification to reduce the loan amount or, where appropriate, to repay the DHS/FEMA grant program. The notice will provide the applicant with an opportunity to apply for reconsideration of the loan modification within six months of the date of the notice.

    C. DHS/FEMA-SBA Status Update Automated Processes

    For informational purposes, SBA sends DHS/FEMA loan status updates as they occur and FEMA updates the loan records in NEMIS-IA based on the loan information received.

    D. Policies and Procedures Regarding A, B and C Above

    Authorized users of both DCMS and DHS/FEMA NEMIS-IA will not make a final decision to reduce or deny benefits of any financial assistance to an applicant or take other adverse final action against such applicant as the result of information produced by this matching program until an employee of the agency taking such action has independently verified such information and provided written notice to the applicant with a statement of the findings and informing the individual of the opportunity to respond or contest, along with the expiration of the time to respond or contest.

    VII. Retention of Matched Items

    Pursuant to SBA document retention policy, SBA retains applicant records in DCMS loan files, including records for matched items. DHS/FEMA will retain records pursuant to the Retention and Disposal section of DHS/FEMA—008 Disaster Recovery Assistance Files, 78 FR 25282 (Apr. 30, 2013).

    VIII. Security Procedures

    SBA and DHS/FEMA agree to the following information security procedures:

    A. Administrative

    The privacy of the subject individuals will be protected by strict adherence to the provisions of the Privacy Act of 1974 (5 U.S.C. 552a). SBA and DHS/FEMA agree that data exchange and any records created during the course of this matching program will be maintained and safeguarded by each agency in such a manner as to restrict access to only those individuals, including contractors, who have a legitimate need to see them in order to accomplish the matching program's purpose. Persons with authorized access to the information will be made aware of their responsibilities pursuant to this Agreement.

    B. Technical

    DHS/FEMA will transmit the data (specified in this Agreement) to SBA via the following process:

    SBA will pull application data from DHS/FEMA Disaster Assistance Center (DAC) via a web services based Simple Object Access Protocol (SOAP), Extensible Markup Language (XML)/Hypertext Transfer Protocol Secure (HTTPS) request. The data will be used to create applications inside the Disaster Credit Management System. For each record, a National Information Exchange Model (NIEM)-compliant response will be sent back to FEMA DAC indicating success or failure for the transfer of data. The SBA/DCMS to DHS/FEMA DAC export of referral data (specified in this Agreement) will occur via a web services-based SOAP, XML/HTTPS request.

    The DHS/FEMA Duplication of Benefits Interface will be initiated from the DCMS to the DHS/FEMA NEMIS-IA through a secured Virtual Private Network tunnel, open only to SBA domain Internet Protocol addresses. The results of the query are returned to the DCMS in real-time and populated in the DCMS for delegated SBA staff to use in the determination of duplication of benefits.

    C. Physical

    SBA and DHS/FEMA agree to maintain all automated matching records in a secured computer environment that includes the use of authorized access codes (passwords) to restrict access. Those records will be maintained under conditions that restrict access to persons who need them in connection with official duties related to the matching process and grant and loan making processes.

    IX. Records Usage, Duplication and Redisclosure Restrictions

    SBA and DHS/FEMA agree to the following restrictions on use, duplication, and disclosure of information furnished by the other agency.

    A. Records obtained for this matching program or created by the match will not be disclosed outside the agency except as may be essential to conduct the matching program, or as may be required by law. Each agency will obtain the written permission of the other agency before making such disclosure. See DHS/FEMA and SBA routine uses provided in the systems of records notices identified in Section II.B.

    B. Records obtained for this matching program or created by the match will not be disseminated within the agency except on a need-to-know basis, nor will they be used for any purpose other than that expressly described in this Agreement.

    C. Data or information exchanged will not be duplicated unless essential to the conduct of the matching program. All stipulations in this Agreement will apply to any duplication.

    D. If required to disclose these records to a state or local agency or to a government contractor in order to accomplish the matching program's purpose, each agency will obtain the written agreement of that entity to abide by the terms of this Agreement.

    E. Each agency will keep an accounting of disclosure of an individual's record as required by the Privacy Act (5 U.S.C. 552a(c)) and will make the accounting available upon request by the individual or other agency.

    X. Records Accuracy Assessments

    DHS/FEMA and SBA attest that the quality of the specific records to be used in this matching program is assessed to be at least 99% accurate. The possibility of any erroneous match is extremely small.

    In order to apply for DHS/FEMA assistance online via the DAC portal, an applicant's name, address, SSN, and date of birth are sent to a commercial database provider to perform identity verification. The identity verification ensures that a person exists with the provided credentials. In the rare instances where the applicant's identity is not verified online or the applicant chooses, the applicants must call one of the DHS/FEMA call centers to complete the registrations. The identity verification process is performed again.

    In order to apply for SBA's Disaster Loan Assistance online via SBA's Electronic Loan Application (ELA), an applicant's name, address, SSN, date of birth, and other information are sent to a commercial database provider to perform identity verification. The identity verification confirms that a person exists with the provided credentials. In the rare instances where the online applicant's identity cannot be verified electronically or if the applicant chooses, the applicant must call SBA's Customer Service Center to complete the online application. Once an application (electronic or paper) is completed and submitted, the information is transmitted to the DCMS system, where it is reviewed and processed by loan officers, who also verify each applicant's identity.

    XI. Comptroller General Access

    The parties authorize the Comptroller General of the United States, upon request, to have access to all SBA and DHS/FEMA records necessary to monitor or verify compliance with this matching agreement. This matching agreement also authorizes the Comptroller General to inspect any records used in the matching process that are covered by this matching agreement pursuant to 31 U.S.C. 717 and 5 U.S.C. 552a(b)(10).

    XII. Duration of Agreement

    The Agreement may be renewed, terminated or modified as follows:

    A. Renewal or Termination

    This Agreement will become effective in accordance with the terms set forth in Section IV.C and will remain in effect for 18 months from the commencement date. At the end of this period, this Agreement may be renewed for a period of up to one additional year if the Data Integrity Board of each agency determines within three months before the expiration date of this Agreement that the program has been conducted in accordance with this Agreement and will continue to be conducted without change. Either agency not wishing to renew this Agreement should notify the other in writing of its intention not to renew at least three months before the expiration date of this Agreement. Either agency wishing to terminate this Agreement before its expiration date should notify the other in writing of its wish to terminate and the desired date of termination.

    B. Modification of the Agreement

    This Agreement may be modified at any time in writing if the written modification conforms to the requirements of the Privacy Act and receives approval by the participant agency Data Integrity Boards.

    XIII. Reimbursement of Matching Costs

    SBA and DHS/FEMA will bear their own costs for this program.

    XIV. Data Integrity Board Review/Approval

    SBA and DHS/FEMA's Data Integrity Boards will review and approve this Agreement prior to the implementation of this matching program. Disapproval by either Data Integrity Board may be appealed in accordance with the provisions of the Computer Matching and Privacy Protection Act of 1988, as amended. Further, the Data Integrity Boards will perform an annual review of this matching program. SBA and DHS/FEMA agree to notify the Chairs of each Data Integrity Board of any changes to or termination of this Agreement.

    XV. Points of Contacts and Approvals

    For general information, please contact: Eric M. Leckey (202-212-5100), Privacy Officer, Federal Emergency Management Agency, Department of Homeland Security; and Jeffrey Jackson (202-205-6595), Chief Information Security Officer, Office of the Chief Information Officer, Small Business Administration.

    XVI. Signatures

    The authorizing officials whose signatures appear below have committed their respective agencies to the terms of this Agreement.


    Small Business Administration.

    Dated: September 14, 2015.

    James Rivera,

    Associate Administrator for Disaster Assistance, U.S. Small Business Administration.

    Dated: September 9, 2015.

    Matthew Varilek,

    Chief Operating Officer, Data Integrity Board Chair, U.S. Small Business Administration.

    U.S. Department of Homeland Security Federal Emergency Management Agency.

    Dated: August 4, 2015.

    Keith Turi,

    Acting Deputy Assistant Administrator, Recovery Directorate, Federal Emergency Management Agency, U.S. Department of Homeland Security.

    Dated: August 19, 2015.

    Karen L. Neuman,

    Chief Privacy Officer Data Integrity Board Chair, U.S. Department of Homeland Security.


    Footnotes

    1.  The SBA data period is from October 1, 2009 through May 11, 2015.


    [FR Doc. 2015-24477 Filed 9-24-15; 8:45 am]

    BILLING CODE P

Document Information

Published:
09/25/2015
Department:
Federal Emergency Management Agency
Entry Type:
Notice
Document Number:
2015-24477
Pages:
57902-57906 (5 pages)
PDF File:
2015-24477.pdf