Has anyone else received a solicitation from a local or regional office of the Social Security Administration asking the bank to voluntarily provide a list of customers? The e-mail touts a pilot program done with B of A and Wachovia where thousands of beneficiaries were converted to direct deposit as a direct result of the banks’ cooperation. Following is an excerpt from the solicitation:

The match begins with the bank or credit union supplying SSA with a computer file listing their customers. Those customers are then matched against Social Security's Master Beneficiary Records to generate a list of the customers getting benefits and not using direct deposit. Those beneficiaries are then sent a solicitation by the bank with a tear-off coupon that is bar-coded with the necessary information and a return envelope to SSA.

RFPA at 3413(k) does provide a limited exception for disclosure of customer names and addresses to SSA et al. However, my opinion is that it could not be stretched to encompass disclosures relating to all customers. In particular it would not allow the disclosure of nonpublic personal information on customers who are clearly ineligible for SSA/SSI payments, the vast majority of customers listed in the bank's files.

Obviously, I would verify this actually came from SSA before responding. However, even if it did, it would get a "When donkeys fly" answer from me. However, I am curious about any insight and contrary opinions that anyone can offer.

I have never heard of the SSA going after recipients for direct deposit in this manner. I agree that the law permits providing certain information, but only in direct response to a targeted inquiry. The usual scenario involves a direct deposit SSA recipient who has moved and the SSA is looking for address info to communicate directly with him or her.

The scenario Ken has painted looks a lot like the Bank Match programs designed to ferret out deadbeat parents. Most provide two options -- either send your state agency a full customer file or receive a list of targets and respond with suspect hits. The latter seems the more acceptable option.

I share Ken's suspicions. And I'm watching for donkey doo.

I have never heard of this. Why would the bank want to do this? I'm also watching for Donkeys.

Ken,

I have never heard of any such SSA solicitations and would throw out the following cautions and suggestions to any institution that is thinking about sending customer info to the SSA in response to such a solicitation.

The federal RFPA essentially prohibits any federal agency from obtaining any customer records from financial institutions unless one of the many listed exceptions can be satisfied.

The most obvious exceptions (customer authorization, administrative subpoena, search warrant and judicial subpoena) are not involved in the SSA solicitation.

The "formal written request" exception found at 3408 is not applicable because the records sought must be "relevant to a legitimate law enforcement inquiry" (Section 3408(3)).

The SSA can't satisfy any of the exceptions in Section 3414 (Secret Service, intelligence and terrorism related events) so that only leaves Section 3413.

The SSA exception at Section 3414(k) states that SSA can only request the name and address of a customer "where the disclosure of such information is necessary to . . . the proper administration of . . . title II of the Social Security Act".

When I review title II of the Social Security Act I find nothing about direct deposits or any requirement that SSA undertake efforts to increase the number of recipients using direct deposit.

I question whether the SSA direct deposit promotion falls within the definition of "proper administration".

Personally, I don't believe the SSA's request for information falls within 3413(k) and such a request should be respectfully ignored.

However, if an institution wants to cooperate with the SSA I suggest the following:

1. Ask for a certification letter per 3403(b) that the SSA has complied with the applicable provisions of RFPA.

2. Only release the names and addresses of customers as that is all the SSA is entitled to receive under 3413(k) [assuming its request for information is proper].

3. Ask the SSA to reimburse the institution for its expenses in gathering and disclosing the data per Section 3415. Under Section 3415 a government agency does not have to pay an institution's expenses if the request for records are made pursuant to Section 3403(d) or 3413(a) through (h). Since the SSA request falls under 3413(k) the institution is entitled to reimbursement.

WARNING

Section 3417(a)(1) provides for an automatic $100 penalty per customer for any disclosure by a financial institution in violation of the RFPA. In addition, the financial institution may have to pay the affected customers for their actual damages and attorney fees (subsections (3) and (4)).

Section 3417(c) provides an institution with immunity from liability if it makes a disclosure of financial records in " good faith reliance upon a certificate by any Government authority ".

I think obtaining a certification from the SSA under Section 3403(b) is key and if the SSA refuses to provide such a certification then I suggest no records be disclosed.