Social Security numbers (SSNs) were originally designed to track a person’s work history in order to calculate Social Security payments and other governmental benefits. Today, most people consider their SSN to be the single most intimate piece of information tied to their identity.
Assigned at birth or granted during the immigration process, SSNs are as close to a universal numerical identifier as there has ever been in the United States. This universality, and the fact that each number attempts to be unique, has made them valuable for a number of other purposes outside of their original intended use.
One such use is KYC.
But how do these organizations know whether or not an SSN provided by an individual truly belongs to them?
Below, we begin to answer this question. We define Social Security number verification and take a look at the different types of SSN verification that are commonly used today. We also take a brief look at the history of the SSN and discuss the potential shortcomings of relying solely on a person’s SSN for verification purposes.
What is Social Security number verification?
Social Security number verification is the process of verifying whether or not an SSN provided by an individual for identity verification purposes is, in fact, their number.
Typically, SSN verification is achieved by cross-checking the Social Security number and other information provided by the individual (such as their name and date of birth) against authoritative data sources.
Why is this necessary? Because fraudsters and other bad actors often use stolen SSNs to establish fake identities and open fraudulent bank accounts in order to launder money, evade taxes, and engage in other nefarious activities. Social Security number verification can, then, be a highly effective means of identifying and mitigating cases of tax evasion, money laundering, terrorist financing, and more.
Additionally, there has been a significant rise in the creation of synthetic identities in authoritative databases that leverage the fact that not all institutions perform direct SSN validation.
Social Security number verification and AML
When a person opens an account with a bank or other financial institution, the organization is required by law to have a customer identification program (CIP) in place to prevent money laundering. Specifically, banks are required to collect and verify a person’s SSN, along with other information such as their name, address, and date of birth.
Social Security number verification, then, plays an important role in the AML and KYC process.
Types of Social Security number verification
Businesses can verify a person’s Social Security number in a number of different ways. Three of the most common methods of SSN verification are:
- Authoritative database verification
- eCBSV validation
- Document verification
1. Authoritative database verification
In the US, the de-facto standard for identity verification is to check against various authoritative data sources.
An authoritative database is exactly what it sounds like: a trusted database that houses information (in this case, about a person’s identity), which can be queried in order to perform identity verification. Typically, this is done by comparing the information provided by an individual — such as their name, date of birth, and, yes, SSN — against the information stored within the database.
There are many authoritative, Customer Identification Program (CIP)-grade data sources that you can turn to for this purpose, including:
- The major credit bureaus (TransUnion, Experian, Equifax)
- Financial institutions
- Other data aggregators
2. eCBSV validation
Electronic Consent-Based Social Security Number Verification (eCBSV) is an SSN verification system that checks against it’s issuing datasouce. Note that eCBSV only validates components of an SSN and is not intended to be used as an identity verification system.
It works by comparing the information provided by an individual against official Social Security Administration records. In this way, it’s a form of issuing database verification. eCBSV validations can be very effective against synthetic identity fraud, in which a bad actor pairs stolen information (such as an SSN) with fake information (such as birthdate or name) or creates a fictitious SSN entirely.
eCBSV is currently only available to financial institutions, such as banks and lenders. Other types of businesses are not currently allowed to use the eCBSV system for SSN verification.
It’s also important to note that the results of a scan are returned on a pass/fail basis to protect the individual’s identity. This means that you won’t know which piece of information led to the scan failing, which can make it more difficult to rule out potential false positives with follow-up.
Because this is a consent-based validation service, organizations also need to keep in mind that strict consent language must be presented to an end-user and that the consent must be tracked for compliance purposes.
3. Document verification
In addition to eCBSV scans and authoritative database verification, document verification can also be used to verify a person’s SSN.
Social Security number verification through document verification typically looks something like this:
- First, the individual provides their SSN and other key information.
- They’re then asked to take a photograph of a document that contains this information, such as their Social Security card.
- The document’s authenticity must then be validated to ensure that it is not a forgery.
- Finally, the information contained within the document is extracted and compared against the information originally provided by the user.
Other documents that can be used to verify a person’s SSN, other than their Social Security Card, include:
- A W-2 Form with full SSN
- An SSA-1099 Form with full SSN
- A Non-SSA 1099 Form with full SSN (such as a 1099-DIV or 1099-MISC)
- A 1098 Form with full SSN
- A paystub with full SSN
- Bank, loan, or financial documents with full SSN
Of course, these documents, like a person’s SSN, are highly sensitive. It’s worth noting that some people may be uncomfortable or even suspicious of the idea of electronically uploading a scan of their Social Security Card. In these cases, it can be helpful to offer a different means of verification.
The problem with relying on SSNs for identity verification
As mentioned above, SSNs are very commonly collected and verified as a part of the broader IDV process. But the fact remains that they weren’t designed to act as universal identification numbers. As such, things can become messy when you try to rely solely on SSN verification when verifying a person’s identity.
For example, while SSNs are essentially universal among American citizens, not every person living in the United States will have one. This may include undocumented aliens as well as nonresident and resident aliens who are ineligible for an SSN and who may only have an Individual Taxpayer Identification Number (ITIN) — or no TIN at all.
It’s also important to note that the logic behind how SSNs are assigned is not particularly complex or secure. Given enough information about when and where a person was born, it’s possible for a bad actor to reverse engineer likely SSNs within a usable margin of error. In fact, in 2009, professors at Carnegie Mellon University were able to design an algorithm that could predict a person’s SSN within a 10 percent margin of error.
Just one piece of the puzzle
Despite the shortcomings discussed above, Social Security number verification as a part of the broader KYC toolkit isn’t going away. On the one hand, some businesses, like financial institutions, are required to collect a person’s SSN (or other TIN) during the account opening process. On the other, it is, as of right now, the closest thing to a comprehensive national identifier that the United States has.
But there are steps you can take to improve your KYC processes when they include SSN verification.
First, when you require an SSN for KYC purposes, it’s important to instill trust in the individual so that they will feel comfortable sharing this sensitive piece of information with you. You can achieve this by explaining why you need the information and how the transmission will be encrypted and stored to protect the individual’s privacy. A short, simple, on-screen message can go far in assuaging a user’s concerns.
Beyond this, it’s important to recognize that SSN verification should be just one piece — one layer — of your broader KYC processes. By pairing it with other forms of verification, such as government ID verification, document verification, selfie verification, database verification, etc., it becomes much more difficult for bad actors to slip through the cracks using stolen or fraudulent information.
Here at Persona, we understand the need for a comprehensive, holistic approach to identity verification. We also understand that the processes that work for one business may not work for all businesses. That’s why offer a variety of verification options, from document verification to database verifications and more. We’ve also developed our Verifications solution with extreme customizability in mind. You have complete control over what information you collect, what verification methods you leverage, and how much automation you wish to deploy.
When it comes to SSN verification specifically, our platform gives you the power to find your perfect balance between conversion and fraud. For example, you might choose to:
- Perform an eCBSV validation for all transactions in order to better detect synthetic identities that might have been missed if you’d just relied on an authoritative database scan. This would offer you the greatest level of fraud protection but would come with higher costs and a greater potential for false rejections depending on match rules.
- Perform an eCBSV validation only for transactions deemed to carry high risk. In this scenario, your default verification flow would not include an eCBSV scan. Instead, eCBSV validation would be triggered when a risky signal is detected. This can help you limit costs associated with eCBSV validation while still increasing the likelihood that you will catch synthetic identities.
- Perform an eCBSV validation only when an identity cannot be validated in other ways. In this scenario, your default verification flow would not include an eCBSV scan. It would only trigger when an identity cannot be verified through any other means (for example, for individuals with a thin or non-existent credit file). This would lead to the greatest cost savings, but could potentially lead to cases of missed synthetic identity fraud.