Computer Matching Agreement Between U.S. Small Business Administration and U.S. Department of Homeland Security, Federal Emergency Management Agency, 2649-2657 [2019-01508]

Agencies

• SMALL BUSINESS ADMINISTRATION

[Federal Register Volume 84, Number 26 (Thursday, February 7, 2019)]
[Notices]
[Pages 2649-2657]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-01508]


-----------------------------------------------------------------------

SMALL BUSINESS ADMINISTRATION


Computer Matching Agreement Between U.S. Small Business 
Administration and U.S. Department of Homeland Security, Federal 
Emergency Management Agency

AGENCY: U.S. Small Business Administration.

ACTION: Notice of Computer Matching Agreement between the U.S. Small 
Business Administration and the U.S. Department of Homeland Security, 
Federal Emergency Management Agency.

-----------------------------------------------------------------------

SUMMARY: The purpose of this Agreement is to ensure that applicants for 
SBA Disaster Assistance Loan Programs and DHS/FEMA's Other Needs 
Assistance and Housing Assistance Grant programs do not receive a 
duplication of benefits for the same disaster.

DATES: Issued on September 4, 2018.

ADDRESSES: U.S. Small Business Administration, Processing and 
Disbursement Center, 14925 Kingsport Road, Fort Worth, TX 76155.

FOR FURTHER INFORMATION CONTACT: A. Escobar, Office of Disaster 
Assistance, U.S. Small Business Administration, 409 3rd Street SW, 
Suite 6050, Washington, DC 20416, (202) 205-6734.

SUPPLEMENTARY INFORMATION: Pursuant to the Robert T. Stafford Disaster 
and Emergency Assistance Act (Pub. L. 93-288), as amended at 42 U.S.C. 
5121 et seq., DHS/FEMA and SBA may not provide duplicative disaster 
assistance to individuals, businesses, including

[[Page 2650]]

Private-Not-for Profits (PNPs), or other entities for the same disaster 
or emergency losses. To accomplish this, DHS/FEMA and SBA will 
participate in a Computer Matching program to share data and financial/
benefits award decisions of individuals, businesses, and/or other 
entities to verify eligibility for benefits, prevent duplicative aid 
from being provided in response to the same disaster or emergency, and 
recover aid when duplication of benefits is identified.
    This Agreement establishes the Computer Matching program between 
DHS/FEMA and SBA. The Computer Matching program seeks to ensure that 
applicants for SBA Disaster Loans and DHS/FEMA Individuals and 
Households Program (IHP), which provides Other Needs Assistance (ONA) 
and Housing Assistance (HA), are eligible to receive benefits and do 
not receive a duplication of benefits for the same disaster. 
Additionally, the Computer Matching program seeks to establish or 
verify initial eligibility for DHS/FEMA and SBA disaster assistance as 
well as provide updates on disaster recipients SBA Loan status. This 
will be accomplished by matching specific DHS/FEMA disaster applicant 
data with SBA disaster loan application and decision data for a 
declared disaster, as set forth in this Agreement.

James Rivera,
Associate Administrator for Disaster Assistance.

COMPUTER MATCHING AGREEMENT BETWEEN U.S. SMALL BUSINESS ADMINISTRATION 
AND U.S. DEPARTMENT OF HOMELAND SECURITY FEDERAL EMERGENCY MANAGEMENT 
AGENCY

I. INTRODUCTION

    The SMALL BUSINESS ADMINISTRATION (SBA) and the DEPARTMENT OF 
HOMELAND SECURITY, FEDERAL EMERGENCY MANAGEMENT AGENCY (DHS/FEMA) have 
entered into this Computer Matching Agreement (Agreement) pursuant to 
section (o) of the Privacy Act of 1974, (Privacy Act), 5 U.S.C. Sec.  
552a, as amended by the Computer Matching and Privacy Protection Act of 
1988 (Pub. L. 100-503), and as amended by the Computer Matching Privacy 
Protection Act Amendments of 1990 (Pub. L. 101-508, 5 U.S.C. Sec.  
552a(p) (1990)). For purposes of this Agreement, both SBA and DHS/FEMA 
are the recipient agency and the source agency as defined in 5 U.S.C. 
Sec.  552a(a)(9) and (11). For this reason, the financial and 
administrative responsibilities will be evenly distributed between SBA 
and DHS/FEMA unless otherwise set forth in this agreement.

II. PURPOSE AND LEGAL AUTHORITY

A. Purpose of the Matching Program

    Pursuant to the Robert T. Stafford Disaster and Emergency 
Assistance Act (Pub. L. 93-288), as amended at 42 U.S.C. Sec.  5121 et 
seq, DHS/FEMA and SBA may not provide duplicative disaster assistance 
to individuals, businesses, including Private-Not-for Profits (PNPs), 
or other entities for the same disaster or emergency losses. To 
accomplish this, DHS/FEMA and SBA will participate in a Computer 
Matching program to share data and financial/benefits award decisions 
of individuals, businesses, and/or other entities to verify eligibility 
for benefits, prevent duplicative aid from being provided in response 
to the same disaster or emergency, and recover aid when duplication of 
benefits is identified.
    This Agreement establishes the Computer Matching program between 
DHS/FEMA and SBA. The Computer Matching program seeks to ensure that 
applicants for SBA Disaster Loans and DHS/FEMA Individuals and 
Households Program (IHP), which provides Other Needs Assistance (ONA) 
and Housing Assistance (HA), are eligible to receive benefits and do 
not receive a duplication of benefits for the same disaster. 
Additionally, the Computer Matching program seeks to establish or 
verify initial eligibility for DHS/FEMA and SBA disaster assistance as 
well as provide updates on disaster recipients SBA Loan status. This 
will be accomplished by matching specific DHS/FEMA disaster applicant 
data with SBA disaster loan application and decision data for a 
declared disaster, as set forth in this Agreement.

B. Legal Authority

    This Agreement is executed in compliance with the Privacy Act and 
other statutes discussed in this Agreement, their implementing 
regulations, and related notices and guidance.
    1. The Robert T. Stafford Disaster and Emergency Assistance Act, as 
amended (Stafford Act), 42 U.S.C. Sec.  5121 et seq., requires each 
federal agency that administers any program that provides financial 
assistance as a result of a major disaster or emergency to assure that 
no individual or entity receives duplicate financial assistance under 
any program or from insurance or any other source, 42 U.S.C. Sec.  
5155(a). The Stafford Act requires DHS/FEMA or SBA (whichever agency 
provided the duplicative assistance) to recover all duplicative 
assistance from the recipient, when the head of such agency considers 
it to be in the best interest of the Federal Government, 42 U.S.C. 
Sec.  5155(c).
    2. Pursuant to Section 408(i) of the Stafford Act, 42 U.S.C. Sec.  
5174(i), in carrying out Section 408 (Federal Assistance to Individuals 
and Households), DHS/FEMA is directed and authorized to ``develop a 
system, including an electronic database,'' to:

1. Verify the identity and address of recipients of assistance to 
provide reasonable assurance that payments are made only to an 
individual or household that is eligible for such assistance by sharing 
personally identifiable information (PII);
2. Minimize the risk of making duplicative payments or payments for 
fraudulent claims;
3. Collect any duplicate payment on a claim, or reduce the amount of 
subsequent payments to offset the amount of any such duplicate payment;
4. Provide instructions to recipients of assistance regarding the 
proper use of any such assistance, regardless of how such assistance is 
distributed; and
5. Conduct an expedited and simplified review and appeal process for an 
individual or household whose application for assistance is denied.

    3. FEMA collects and maintains personally identifiable information 
of individuals who apply for FEMA disaster assistance under Section 408 
of the Stafford Act. In accordance with the Privacy Act of 1974, DHS/
FEMA is authorized to provide States (impacted by disasters) with 
access to DHS/FEMA's electronic records of individuals and households 
receiving assistance in order for the States to make available any 
additional State and local assistance to the affected individuals and 
households. The provision of these records is further allowed under 
Routine Uses H.1 and R of the DHS/FEMA Disaster Recovery Assistance 
Files System of Records, 78 Fed. Reg. 25,282 (April 30, 2013). RU H.1 
states that DHS/FEMA may disclose applicant information to other 
federal agencies and agencies of state, tribal, and local governments 
to prevent duplication of benefits and/or to address unmet needs of 
eligible, ineligible, or partially eligible FEMA applicants. RU R 
permits FEMA to share information to other federal, state, local, or 
tribal government agencies, and voluntary organizations under approved 
computer matching efforts.
    4. Pursuant to the Debt Collection Improvement Act of 1996, 31 
U.S.C.

[[Page 2651]]

Sec. Sec.  3325(d) and 7701(c)(1), federal agencies are required to 
collect the taxpayer identification number (i.e., Social Security 
Number) of each person who receives payments from the federal 
government; and each person doing business with the federal government 
is required to furnish his or her taxpayer identification number.
    A. For the purposes of 31 U.S.C. Sec.  7701, a person is considered 
to be doing business with the federal government if the person is:
    i. A lender or servicer in a federal guaranteed or insured loan 
program administered by a federal agency;
    ii. An applicant for, or recipient of, a federal license permit, 
right-of-way, grant or benefit payment administered by a federal 
agency;
    iii. A contractor of a federal agency;
    iv. Assessed a fine, fee, royalty or penalty by a federal agency;
    v. In a relationship with a federal agency that may give rise to a 
receivable due to that agency, such as a partner of a borrower in or a 
guarantor of a federal direct or insured loan administered by the 
federal agency.
    Each federal agency must inform each person required to disclose 
his or her taxpayer identification number of the agency's intent to use 
such number for purposes of collecting and reporting on any delinquent 
amounts arising out of such person's relationship with the federal 
government.
    5. Fraud, waste, and abuse prevention efforts pursuant to the 
aforementioned statutory authorities are also applicable to certain 
FEMA-administered pilot programs, designed to provide alternative or 
additional federal disaster assistance programs. 6 U.S.C. Sec. Sec.  
776-777.
    6. SBA's legal authority to make disaster loans to repair, 
rehabilitate or replace property, real or personal, damaged or 
destroyed without duplicating benefits is contained in section 7(b)(1) 
of the Small Business Act, 15 U.S.C. Sec.  636 (b) (1), provided that 
such damage or destruction is not compensated for by insurance or 
otherwise.
    7. SBA regulation 13 CFR Sec.  123.108 requires that grant 
assistance received from FEMA's Individuals and Households Program 
(IHP) that duplicates the damage covered by the SBA loan must be 
deducted from the SBA disaster loan eligibility.
    8. SBA is allowed to share information with DHS/FEMA pursuant to 
Routine uses (f) and (g) of SBA-020 Disaster Loan Case Files System of 
Records, 74 FR 14911 (April 1, 2009).

III. JUSTIFICATION AND EXPECTED RESULTS

A. Justification

    DHS/FEMA collaborates with the SBA in determining applicant 
eligibility for Other Needs Assistance (ONA). ONA is a provision of 
IHP, authorized by section 408(e) of the of the Robert T. Stafford 
Disaster Relief and Emergency Assistance Act (Stafford Act), that 
provides financial assistance for disaster-related necessary expenses 
and serious needs that are not covered by insurance or provided by any 
other source. There are two categories of ONA: Non-SBA-dependent ONA 
and SBA-dependent ONA. Non-SBA-dependent ONA is assistance DHS/FEMA 
provides for funeral, medical, dental, childcare, and miscellaneous 
expenses without regard to whether a disaster survivor may obtain a SBA 
loan. SBA-dependent ONA is assistance where the disaster survivor must 
first apply to SBA for a loan for personal property, moving and 
storage, and transportation expenses before DHS/FEMA provides 
assistance for these expenses. 44 CFR 206.119 (a)(1) and 206.191(d)(2).
    The Small Business Act authorizes the SBA to provide low-interest 
disaster loans to applicants who have sustained damage in a disaster. 
An applicant must meet a minimum income test, which the SBA 
establishes, to be considered for a loan. DHS/FEMA refers the 
applicant's registration to SBA if the applicant's income meets SBA 
minimum guidelines. Once referred to SBA, the applicant must apply for 
a SBA low-interest disaster loan which is based on credit-worthiness. 
All denied applicants are referred back to DHS/FEMA for possible SBA-
dependent ONA. DHS/FEMA will provide assistance for SBA-dependent ONA 
if the applicant's SBA loan application is denied or if their income 
does not meet the SBA minimum threshold to warrant a SBA referral. 
However, if SBA approves the applicant's loan application and the 
applicant does not accept the loan, DHS/FEMA will not provide any SBA-
dependent ONA to that applicant.
    SBA provides low-interest, long-term Federal disaster loans to 
homeowners, renters, businesses of all sizes and private, non-profit 
organizations to help repair or replace privately-owned property that 
was damaged or destroyed in a declared disaster event. SBA disaster 
loan assistance is for uninsured, underinsured or otherwise 
uncompensated disaster losses only. A disaster survivor's SBA disaster 
loan eligibility is determined by total amount of disaster losses, as 
verified by SBA, less recoveries such as insurance, FEMA grant 
assistance and other sources. In the normal sequence of delivery, a 
disaster survivor will initiate the Federal disaster assistance process 
by registering with FEMA. If the survivor's reported household income 
is above a minimum threshold, as provided to FEMA by SBA, they will be 
referred to the SBA disaster loan program and encouraged to apply for 
disaster loan assistance. After the survivor submits an SBA disaster 
loan application, SBA will determine loan eligibility by estimating the 
applicant's disaster losses and verifying other assistance received, 
including insurance, FEMA grant assistance and other recoveries.
    DHS/FEMA and SBA coordinate to ensure that ONA and SBA disaster 
loans do not cause a duplication of benefits for the same type of 
assistance. DHS/FEMA and SBA provide benefits for the same type of 
assistance: personal property damage, moving and storage expenses, and 
transportation assistance. Additionally, the amount of aid provided by 
SBA impacts the amount of assistance FEMA provides. This matching 
program ensures disaster survivors are not receiving duplicative 
benefits from both agencies.
    It is also recognized that the programs covered by this Agreement 
are part of a Government-wide initiative, Executive Order 13411--
Improving Assistance for Disaster Victims (August 29, 2006). This order 
mandates DHS/FEMA to identify and prevent duplication of benefits 
received by individuals, businesses, or other entities for the same 
disaster. That initiative and this matching program are consistent with 
Office of Management and Budget (OMB) guidance on interpreting the 
provisions of the Computer Matching and Privacy Protection Act of 1988, 
54 Fed. Reg. 25818 (June 19, 1989); and OMB Circular A-130, Appendix I, 
``Federal Agency Responsibilities for Maintaining Records about 
Individuals.''

B. Expected Results

    The matching program is to ensure that benefits provided to 
disaster survivors by DHS/FEMA and SBA are not duplicated. By way of 
the DHS/FEMA disaster registration identification (ID) number, DHS/FEMA 
and SBA are able to identify the applications received from mutual DHS/
FEMA and SBA disaster survivors.
    By the nature of the sequence of delivery, as outlined in FEMA 
Regulation, 44 CFR Section 206.191, survivors that register with FEMA 
for possible disaster assistance and meet SBA's minimum income 
requirements are automatically referred to SBA for

[[Page 2652]]

possible loan assistance to homeowners and renters. The Agreement helps 
to identify instances where the same disaster survivor has submitted 
applications to both FEMA and SBA, which could result in a duplication 
of benefits. Since FY 2015 \1\ the use of the Agreement has identified 
166,234 instances where the same disaster survivor submitted 
applications to both agencies, a yearly average of 83,117. Over that 
same time period, SBA approved 62,258 loans to home owners and renters 
totaling more than $4 billion. This is a yearly average of 31,129 loan 
files identified with a potential duplication of benefits, with an 
average loan amount of $64,819. Once the computer match identifies a 
potential duplication of benefits, SBA staff manually review the files 
to determine whether a DOB exists and the amount of the duplication of 
benefits. In FY 2016 and 2017, SBA declined 376 loans due to recoveries 
from other sources. The verified loss amount for these declined loans 
totaled more than $23.3 million, an average of $62,042 per loan 
application declined due to other recoveries.
---------------------------------------------------------------------------

    \1\ The SBA data period is from October 1, 2015 through December 
31, 2017.
---------------------------------------------------------------------------

    Prior to the use of this computer match, SBA loan officers used 
stand-alone PCs to access FEMA's system, National Emergency Management 
Information System-Individual Assistance (NEMIS-IA). Without the 
computer matching Agreement, SBA staff performed a manual checking 
process to avoid a duplication of benefits. This duplication of 
benefits check procedure took approximately 10-12 minutes per loan 
application and was performed on all loan applications, not just the 
approved loans. The matching program between SBA and FEMA will save the 
federal government nearly $2.5 million.\2\
---------------------------------------------------------------------------

    \2\ For more information, please see the SBA Cost Benefit 
Analysis document.
---------------------------------------------------------------------------

IV. RECORDS DESCRIPTION

    As required by the Privacy Act's subsection 552a(o)(1)(C), the 
following is a description of the records that will be matched:

A. Systems of Records and Estimated Number of Records Involved

    DHS/FEMA accesses records from its Disaster Recovery Assistance 
Files system of records, as provided by the DHS/FEMA-008 SORN, through 
its NEMIS-IA system, and matches them to the records that SBA provides 
from its SBA-020 Disaster Loan Case Files, 74 Fed. Reg. 14,911 (April 
1, 2009) system of records.
    SBA uses its Disaster Credit Management System (DCMS) to access 
records from its Disaster Loan Case Files system of records, and match 
them to the records that DHS/FEMA provides from its Disaster Recovery 
Assistance Files system of records. Under this agreement, DHS/FEMA and 
SBA exchange data to: 1) check for initial registrations, 2) check for 
the duplication of benefits, and 3) update the SBA Loan Status.

Records Estimate

    SBA and DHS/FEMA intend to match records after any disaster in 
which FEMA provides IHP assistance or SBA awards disaster loans. The 
estimated number of records SBA and DHS/FEMA will match following any 
disaster fluctuate based on the size and impact area of the disaster 
and depend upon the number of individuals that are affected. The damage 
type and cost will be determined after the disaster, and cannot easily 
be estimated, as the scale and impact of each disaster is unique.

B. Description of the Match

    The three types of match processes, for initial registration, 
duplication of benefits, and status updates, are described below.
    1. DHS/FEMA--SBA Automated Import/Export Process for Initial 
Registrations.
    a. SBA is the recipient (i.e. matching) agency. SBA will match 
records from its Disaster Loans Case Files system of records, as 
identified in Section (1c), applications and information accessed via 
the DCMS, to the records extracted and provided by DHS/FEMA from its 
DHS/FEMA Disaster Recovery Assistance Files system of records, as 
identified in Section II.B.
    b. DHS/FEMA will provide SBA the data elements identified in the 
current NEMIS-IA Disaster Assistance Improvement Program (DAIP) 
Interface Control Document (ICD) (See Appendix A), which includes but 
is not limited to the following information: Applicant's FEMA 
Registration ID Number; applicant's personally identifiable 
information, which includes name, address, social security number, and 
date of birth; damaged property information; insurance policy data; 
property occupant data; vehicle registration data; and flood zone and 
flood insurance data.
    c. SBA will conduct the match against the Disaster Loans Case Files 
system of records via DCMS using the FEMA Disaster ID number, FEMA 
Registration ID number, Product (Home/Business), and Registration 
Occupant Social Security number (SSN) to create a New Pre-Application. 
The records SBA receives are of DHS/FEMA applicants who are referred to 
SBA for disaster loan assistance. Controls on the DHS/FEMA export of 
data are in place to ensure that SBA only receives unique and valid 
referral records.
    d. When SBA matches its records to those provided by DHS/FEMA, two 
types of matches are possible: a full match and a partial match. A full 
match exists when an SBA record matches a DHS/FEMA record on each of 
the following data fields: FEMA Disaster ID number, FEMA Registration 
ID number, Product (Home/Business), and Registration Occupant Social 
Security Number (SSN). A partial match exists when an SBA record 
matches a DHS/FEMA record on one or more, but not all of the data 
fields listed above. If an exact (full) match is found among SBA 
records for the current imported record, the current record is 
automatically marked as a duplicate by the system with appropriate 
comments inserted to indicate the corresponding record that matched. If 
a partial match is found during the import process, the record is 
routed for manual examination, investigation, and resolution to 
determine whether it is truly a duplicate record.
    2. DHS/FEMA--SBA Duplication of Benefits Automated Match Process:
    a. Both DHS/FEMA and SBA will act as the recipient (i.e. matching) 
agency. SBA will extract and provide to DHS/FEMA data from its Disaster 
Loans Case Files system of records, as identified in Section (1c), and 
accessed via the DCMS. DHS/FEMA will match the data SBA provides to 
records in its Disaster Recovery Assistance Files system of records, as 
identified in Section II.B., accessed through NEMIS-IA System, via the 
FEMA Registration ID number. SBA will issue a data call to DHS/FEMA 
requesting that DHS/FEMA return any records for which NEMIS-IA found a 
match. For each match found, DHS/FEMA sends all of its applicant 
information that it collects during the registration process to SBA so 
that SBA may match these records with its registrant data in the DCMS. 
SBA's DCMS manual process triggers an automated interface to query 
NEMIS-IA, using the FEMA Registration ID number as the unique 
identifier.
    b. DHS/FEMA will return the following fields for the matching DHS/
FEMA record, if any: FEMA Disaster Number; FEMA Registration ID number; 
applicant and if applicable, co-applicant name; damaged dwelling 
address, phone number, SSN, damaged property

[[Page 2653]]

data, insurance policy information, contact address (if different from 
damaged dwelling address), flood zone and flood insurance data, FEMA 
Housing Assistance and Other Needs Assistance data, program, award 
level, eligibility, inspection data, verification of ownership and 
occupancy, and approval or rejection data. DHS/FEMA will return no 
result when the FEMA Registration ID number is not matched.
    c. For each matching record received from DHS/FEMA, SBA determines 
whether DHS/FEMA assistance duplicates SBA loan assistance. If SBA loan 
officers determine that there is a duplication of benefits, the 
duplicated amount is deducted from the eligible SBA loan amount.
    3. DHS/FEMA--SBA Status Update Automated Match Process:
    a. DHS/FEMA will act as the recipient (i.e. matching) agency. DHS/
FEMA will match records from its Disaster Recovery Assistance Files 
system of records, as identified in Section (1b), to the records 
extracted and provided by SBA from its Disaster Loans Case Files system 
of records, as identified in Section (1c). The purpose of this process 
is to update DHS/FEMA applicant information with the status of SBA loan 
determinations. The records provided by SBA will be automatically 
imported into NEMIS-IA to update the status of existing applicant 
records. The records DHS/FEMA receives from SBA are of DHS/FEMA 
applicants who were referred to SBA for disaster loan assistance. 
Controls on the SBA export of data are in place to ensure that DHS/FEMA 
only receives unique and valid referral records.
    b. SBA will provide to DHS/FEMA information and data, including but 
not limited to the following: personal information about SBA 
applicants, including name, damaged dwelling address, and SSN; 
application data; loss to personal property data; loss mitigation data; 
SBA loan data; and SBA event data. DHS/FEMA will conduct the match 
using FEMA Disaster Number and FEMA Registration ID number.
    c. Loan data for matched records will be recorded and displayed in 
NEMIS-IA. Loan data will also be run through NEMIS-IA business rules; 
potentially duplicative categories of assistance are sent to FEMA's 
Program Review process for manual evaluation of any duplication of 
benefits. If FEMA review staff determines that there is a duplication 
of benefits, the duplicated amount is deducted from the eligible award. 
FEMA applicants receive a letter that indicates the amount of their 
eligible award and their ability to appeal.

C. Projected Starting and Completion Dates

    This Agreement will take effect forty (40) days from the date 
copies of this signed Agreement are sent to both Houses of Congress and 
OMB, or thirty (30) days from the date the Computer Matching Notice is 
published in the Federal Register for public comment, at which time 
comments will be addressed. Additionally, depending on whether comments 
are received, this Agreement could yield a contrary determination 
(Commencement Date). DHS/FEMA is the agency that will:
    1. Transmit this Agreement to Congress;
    2. Notify OMB;
    3. Publish the Computer Matching Notice in the Federal Register; 
and
    4. Address public comments that may result from publication in the 
Federal Register.
    Matches under this program will be conducted for every Presidential 
disaster declaration where IHP assistance has been granted. The 
aforementioned matching processes shall commence, as needed, following 
a disaster declaration, and shall last until DHS/FEMA IHP disaster 
assistance closes out, or until SBA have stopped processing 
applications, whichever is later.

V. NOTICE PROCEDURES

    The Privacy Act's subsection 552a(o)(1)(D) requires CMAs to specify 
procedures for notifying applicants/recipients at the time of 
registration and other periodic notice, as directed by the Data 
Integrity Board of such agency (subject to guidance provided by the 
Director of OMB pursuant to subsection v), to applicants for and 
recipients of financial assistance or payments under Federal benefit 
programs.
    As noted under Section V.A. and Section V.B. of this Agreement, 
DHS/FEMA and SBA have both published SORNs informing applicants/
recipients that their information may be subject to verification 
through matching programs per 5 U.S.C. Sec.  552a(o)(1)(D). As further 
required by the Privacy Act, DHS/FEMA and SBA shall make a copy of this 
Agreement available to the public upon request and it shall be 
published in the Federal Register.

A. DHS/FEMA recipients

    FEMA Form 009-0-1 ``Application/Registration for Disaster 
Assistance,'' Form 009-0-3 ``Declaration and Release'' (both part of 
OMB ICR No. 1660-0002), and various other forms used for financial 
assistance benefits immediately following a declared disaster, use a 
Privacy Act statement, see 5 U.S.C. Sec.  552a(e)(3), to provide notice 
to applicants regarding the use of their information. The Privacy Act 
statements provide notice of computer matching or the sharing of their 
records consistent with this Agreement. The Privacy Act statement is 
read to call center applicants and is displayed and agreed to by 
Internet applicants. Also, FEMA Form 009-0-3 requires the applicant's 
signature in order to receive financial assistance. Additionally, DHS/
FEMA gives public notice via its Individual Assistance Program Privacy 
Impact Assessment\3\ (PIA) and in its system of records notice 
identified in Section II.B.
---------------------------------------------------------------------------

    \3\ The PIA can be found at https://www.dhs.gov/publication/dhsfemapia-049-individual-assistance-ia-program.
---------------------------------------------------------------------------

B. SBA recipients

    SBA Forms 5 ``Disaster Business Loan Application,'' 5C ``Disaster 
Home Loan Application,'' and the Electronic Loan Application (ELA) 
include a Privacy Act statement that provides notice that SBA may 
disclose personal information under a published ``routine use,'' as 
permitted by law. SBA's published system of records notice, identified 
in Section II. B), provides notice that a computer match may be 
performed to share information with another Federal agency in 
connection with the issuance of a grant, loan or other benefit. In 
addition, the Privacy Act requires that a copy of each CMA entered into 
with a recipient agency shall be available upon request to the public.

VI. VERIFICATION PROCEDURE AND OPPORTUNITY TO CONTEST

A. General

    The Privacy Act's subsection 552a(o)(1)(E) requires that each CMA 
outline procedures for verifying information produced in the matching 
program, as required by 5 U.S.C. Sec.  552a(p). This subsection 
requires agencies to independently verify the information produced by a 
matching program and to provide the individual an opportunity to 
contest the agency's findings, before an adverse action is taken 
against the individual, as a result of the match. Subsequent amendments 
and regulations allow for an agency to authorize a waiver of 
independent verification procedures when it finds a high degree of 
confidence in the accuracy of the data. (See OMB ``Final Guidance 
Interpreting the Provisions of P.L.100-503, the Computer Matching and 
Privacy Protection Act'', Sec. 6.g. Providing Due Process to Matching

[[Page 2654]]

Subjects, 54 Fed. Reg. 25,818 (June 19, 1989).
    DHS/FEMA will be responsible for ensuring that DHS/FEMA data is 
current and accurate at the time it is provided to SBA. SBA will be 
responsible for ensuring that SBA data is current and accurate at the 
time it is provided to DHS/FEMA.

B. DHS/FEMA--SBA Automated Import/Export Process for Initial 
Registrations

    The matching program for the initial contact information for 
individuals and businesses will be accomplished by mapping applicant 
data for DHS/FEMA NEMIS-IA fields described earlier to the DCMS 
application data fields. During the automated import process, a 
computer match is performed against existing DCMS applications as 
described in Section IV.B.1.
    If the applicant's data does not match an existing pre-application 
or application in the SBA's DCMS, then the applicant's data will be 
automatically transferred into DCMS to create a new pre-Application. An 
SBA application for disaster assistance may be mailed to the 
registrant.
    If the applicant's data does match an existing pre-application or 
application in SBA's DCMS, it indicates that there may be an existing 
pre-application/application for the applicant in the DCMS. If there is 
an exact match, the system will transfer the record into SBA's DCMS but 
will identify it as a duplicate with appropriate comments inserted to 
indicate the corresponding record that matched. If there is a partial 
match, the system will insert the record within the SBA's DCMS but will 
identify it as a potential duplicate. The record is then further 
reviewed by SBA employees to determine whether the data reported by the 
DHS/FEMA applicant is a duplicate of previously submitted registration 
data. Only one of the applications is kept for processing and the other 
duplicate pre-applications or applications will not be processed.

C. DHS/FEMA--SBA Duplication of Benefits Automated Match

    The matching program is to ensure that recipients of SBA disaster 
loans have not received duplicative benefits for the same disaster from 
DHS/FEMA. The matching process begins by matching the DHS/FEMA 
Registration ID number. If the data matches, specific to the 
application or approved loan, SBA will then proceed with its manual 
process to determine whether there is a duplication of benefits. Upon 
determining that there is duplication of benefits, the dollar values 
for the benefits issued by DHS/FEMA may reduce the eligible amount of 
the disaster loan or may cause SBA loan proceeds to be used to repay 
the grant program in the amount of the duplicated assistance.
    DHS/FEMA and SBA are responsible for verifying the submissions of 
data used during each respective benefit process and for resolving any 
discrepancies or inconsistencies on an individual basis.
    At SBA, the matching program for duplication of benefits will be 
executed as part of loan processing and prior to each disbursement of 
an approved SBA disaster loan. Any match indicating that there is a 
possible duplicate benefit will be further reviewed by an SBA employee 
to determine whether the DHS/FEMA grant monies reported by the 
applicant or borrower are correct and matches the data reported by DHS/
FEMA. If there is a duplication of benefits, the amount of the SBA 
disaster loan will be reduced accordingly and the applicant will be 
provided written notice of the changes by processing a loan 
modification to reduce the loan amount or, where appropriate, to repay 
the DHS/FEMA grant program. The notice will provide the applicant with 
an opportunity to apply for reconsideration of the loan modification 
within six months of the date of the notice. Except in extraordinary or 
unforeseeable circumstances, SBA will not consider a request for a loan 
increase received more than two years from the date of the loan 
approval.

D. DHS/FEMA--SBA Status Update Automated Processes

    For informational purposes, SBA sends DHS/FEMA loan status updates 
as they occur and FEMA updates the loan records in NEMIS-IA based on 
the loan information received.

E. DHS/FEMA Notice and Opportunity to Contest

    As required by the Privacy Act's subsection 552a(p), DHS/FEMA will 
not terminate, suspend, reduce, deny, or take other adverse action 
against an applicant for or recipient of temporary housing assistance 
based on data disclosed from DHS/FEMA records until the individual is 
notified in writing of the potential adverse action, and provided an 
opportunity to contest the planned action. ``Adverse action'' means any 
action resulting in a termination, suspension, reduction, or final 
denial of eligibility, payment, or benefit. The applicant will follow 
the current DHS/FEMA process for response as detailed in the written 
notice or letter.
    To enable rapid response and resolution, DHS/FEMA and SBA telephone 
numbers will be provided to call in the event of a dispute. DHS/FEMA 
and/or SBA will respond to these calls as soon as reasonably possible, 
and when requested, in writing.

VII. DISPOSITION AND RECORDS RETENTION OF MATCHED ITEMS

    As required by the Privacy Act's subsection 552a(o)(1)(F):
    A. DHS/FEMA will retain data it receives from SBA under this 
Agreement only for the processing times required for the applicable 
federally funded benefit programs to verify data, and will then destroy 
all such data.
    B. SBA will retain data received from DHS/FEMA under this Agreement 
only for the processing times required for the applicable federally 
funded benefit programs to verify data, and will then destroy all such 
data.
    C. An exception applies if the information is required for 
evidentiary reasons, in which case, the information will be destroyed 
upon completion of the criminal, civil, or administrative actions and 
cases.
    D. Any paper-based documentation used to determine whether a record 
was matched in the other agency's system and any documentation that was 
prepared for, provided to, or used to determine final benefit status 
will be destroyed by shredding, burning, or electronic erasure of the 
subject information according to the proper records retention 
schedules. Other identifiable records that may be created by each 
agency during the course of the investigation will be destroyed as soon 
as they have served the matching program's purpose pursuant to records 
retention requirements established in conjunction with the National 
Archives and Records Administration (NARA). For electronic matches, 
electronic records will be housed in DHS/FEMA's NEMIS-IA System, and 
SBA's DCMS database, retained with and according to the appropriate 
disaster recovery assistance records determined by the NARA.
    E. Pursuant to SBA document retention policy, SBA retains applicant 
records in DCMS loan files, including records for matched items. DHS/
FEMA will retain records pursuant to the Retention and Disposal section 
of DHS/FEMA--008 Disaster Recovery Assistance Files, 78 FR 25282 (Apr. 
30, 2013).

VIII. SECURITY PROCEDURES

    As required by the Privacy Act's subsection 552a(o)(1)(G), SBA and 
DHS/

[[Page 2655]]

FEMA agree to the following information security procedures:

A. Administrative

    DHS/FEMA and SBA will comply with the existing and future 
requirements set forth by the Privacy Act, 44 U.S.C. Sec. Sec.  3541-
3549, related OMB circulars and memoranda such as Circular A-130, 
Managing Information as a Strategic Resource (July 28, 2016), and 
Memorandum M-06-16, Protection of Sensitive Agency Information (June 
23, 2006); NIST directives; and the Federal Acquisition Regulations 
(FAR), including any applicable amendments published after the 
effective date of this Agreement. These laws, directives, and 
regulations include requirements for safeguarding federal information 
systems and personally identifiable information used in federal agency 
business processes, as well as related reporting requirements. 
Specifically, Federal Information System Modernization Act (FISMA), (44 
U.S.C. Sec. Sec. 3501-3558) requirements apply to all federal 
contractors, organizations, or entities that possess or use federal 
information, or that operate, use, or have access to federal 
information systems on behalf of an agency. Both DHS/FEMA and SBA will 
ensure that their authorized users will receive training to ensure 
proper information security and privacy protections are adhered to in a 
manner consistent with this Agreement. Accordingly, DHS/FEMA and SBA 
will restrict access to the data matched and to any data created by the 
match to only those users authorized under this Agreement.

B. Technical

    DHS/FEMA will transmit the data (specified in this Agreement) to 
SBA via the following process:
    1. SBA will pull application data from DHS/FEMA Disaster Assistance 
Center (DAC) via a web services based Simple Object Access Protocol 
(SOAP), Extensible Markup Language (XML)/ Hypertext Transfer Protocol 
Secure (HTTPS) request. The data will be used to create applications 
inside the Disaster Credit Management System. For each record, a 
National Information Exchange Model (NIEM)-compliant response will be 
sent back to FEMA DAC indicating success or failure for the transfer of 
data. The SBA/DCMS to DHS/FEMA DAC export of referral data (specified 
in this Agreement) will occur via a web services-based SOAP, XML/ HTTPS 
request.
    2. The DHS/FEMA Duplication of Benefits Interface will be initiated 
from the DCMS to the DHS/FEMA NEMIS-IA through a secured Virtual 
Private Network tunnel, open only to SBA domain Internet Protocol 
addresses. The results of the query are returned to the DCMS in real-
time and populated in the DCMS for delegated SBA staff to use in the 
determination of duplication of benefits.

C. Physical

    SBA and DHS/FEMA agree to maintain all automated matching records 
in a secured computer environment that includes the use of authorized 
access codes (passwords and/or PIV) to restrict access. Those records 
will be maintained under conditions that restrict access to persons who 
need them in connection with their official duties related to the 
matching process. It is the responsibility of the user's supervisor to 
ensure that DHS/FEMA or SBA, as applicable, are notified when a user 
has departed or duties have changed such that the user no longer needs 
access to the system, to ensure timely deletion of the user's account 
and password.

D. On-Site Inspections

    SBA and DHS/FEMA may make on-site inspections of each other's 
recordkeeping and security practices, or make provisions beyond those 
in this Agreement to ensure the adequate safeguarding of records 
exchanged.

IX. MONITORING AND COMPLIANCE

    DHS/FEMA and SBA agree that each agency may monitor compliance with 
the terms of this Agreement, including the non-discrimination 
provision. Both agencies have the right to monitor and review (1) 
transactions conducted pursuant to this Agreement, (2) the use of 
information obtained pursuant to this Agreement, and (3) policies, 
practices, and procedures related to this Agreement. Both agencies have 
the right to make onsite inspections to audit compliance with this 
Agreement for the duration or any extension of this Agreement. DHS/FEMA 
and SBA will cooperate to ensure the success of each agency's 
monitoring and compliance activities.

X. NON-DISCRIMINATION

    Any action required or permitted under this Agreement shall be 
conducted in a manner that does not discriminate against an individual 
based upon his or her national origin, race, color, sex, religion, or 
disability in accordance with Section 705 of the Homeland Security Act 
of 2002; Section 504 of the Rehabilitation Act of 1973, and agency 
implementing regulations at 6 C.F.R Part 15.
    In fulfilling their obligations under Executive Order 13,166 
(``Improving Access to Services for Persons with Limited English 
Proficiency,'' 65 Fed. Reg. 50,121 (Aug. 11, 2000)), DHS/FEMA and SBA 
will take reasonable steps to provide limited English proficiency (LEP) 
persons with meaningful access to federally conducted programs and 
activities, including services and benefits. Meaningful access includes 
providing timely language assistance services to ensure effective 
communication with LEP persons and providing language services that are 
sufficient to provide the same level of access to services received by 
persons who are not LEP. Language assistance services may be oral and 
written, and must be provided at no charge to the individual. Vital 
documents, including notices relating to consent, verification of 
status, and contesting verification failures should be translated.
    In accordance with Section 504 of the Rehabilitation Act of 1973 
(29 U.S.C. Sec.  701) and related agency implementing regulations, DHS/
FEMA and SBA will provide accommodations to individuals with 
disabilities to ensure effective communication; including providing 
qualified sign language interpreters; providing accessible electronic 
and information technology; and producing notices and publications in 
alternate formats, at no charge to the individual. Persons with 
disabilities that may require accommodation and provision of 
alternative communication methods to ensure effective communication 
include persons who are deaf or hard of hearing, persons with vision 
impairments, and persons with psychiatric and/or developmental 
disabilities.

XI. RECORDS USAGE, DUPLICATION AND REDISCLOSURE RESTRICTIONS

    SBA and DHS/FEMA agree to the following restrictions on use, 
duplication, and disclosure of information furnished by the other 
agency:
    A. Records obtained for this matching program or created by the 
match will not be disclosed outside the agency except as may be 
essential to conduct the matching program, or as may be required by 
law. Each agency will obtain the written permission of the other agency 
before making such disclosure. See DHS/FEMA and SBA routine uses 
provided in the systems of records notices identified in Section II.B.
    B. Records obtained for this matching program or created by the 
match will not be disseminated within the agency

[[Page 2656]]

except on a need-to-know basis, nor will they be used for any purpose 
other than that expressly described in this Agreement.
    C. Data or information exchanged will not be duplicated unless 
essential to the conduct of the matching program. All stipulations in 
this Agreement will apply to any duplication.
    D. If required to disclose these records to a state or local agency 
or to a government contractor in order to accomplish the matching 
program's purpose, each agency will obtain the written agreement of 
that entity to abide by the terms of this Agreement.
    E. Each agency will keep an accounting of disclosure of an 
individual's record as required by the Privacy Act (5 U.S.C. Sec.  
552a(c)) and will make the accounting available upon request by the 
individual or other agency.

XII. RECORDS ACCURACY ASSESSMENTS

    DHS/FEMA and SBA attest that the quality of the specific records to 
be used in this matching program is assessed to be at least 99% 
accurate. The possibility of any erroneous match is extremely small.
    In order to apply for DHS/FEMA assistance online via the DAC 
portal, an applicant's name, address, SSN, and date of birth are sent 
to a commercial database provider to perform identity verification. The 
identity verification ensures that a person exists with the provided 
credentials. In the rare instances where the applicant's identity is 
not verified online or the applicant chooses, the applicants must call 
one of the DHS/FEMA call centers to complete the registrations. The 
identity verification process is performed again.
    In order to apply for SBA's Disaster Loan Assistance online via 
SBA's Electronic Loan Application (ELA) an applicant's name, address, 
SSN, and date of birth and other information is sent to a commercial 
database provider to perform identity verification. The identity 
verification confirms that a person exists with the provided 
credentials. In the rare instances where the online applicant's 
identity cannot be verified electronically or if the applicant chooses, 
the applicant must call SBA's Customer Service Center to complete the 
online application. Once an application (electronic or paper) is 
completed and submitted, the information is transmitted to the DCMS 
system, where it is reviewed and processed by loan officers, who also 
verify each applicant's identity.

XIII. INCIDENT REPORTING AND NOTIFICATION RESPONSIBILITIES

    A. DHS/FEMA and SBA agree to report and track incidents in 
accordance with the most current, final version of NIST Special 
Publication 800-61.\4\ Upon detection of an incident related to this 
interconnection, the agency experiencing the incident will promptly 
notify the other agency's System Security Contact(s) below:
---------------------------------------------------------------------------

    \4\ Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012, 
August). Computer Security Incident Handling Guide (Unit, Department 
of Commerce, National Institute of Standards and Technology). 
Retrieved from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf.

 DHS/FEMA will promptly notify the following contact at SBA 
simultaneously: SBA Office for Disaster Assistance--Disaster Credit 
Management System (DCMS) Operations Center: (703) 487-8100, SBA Office 
of Chief Information Officer (OCIO) Chief Information Security Officer: 
202-25-6708.
 SBA will promptly notify the following contact at DHS/FEMA 
simultaneously: Information System Security Officer (ISSO), Recovery 
Technology Programs Division (RTPD), Disaster Assistance Improvement 
Program (DAIP).

    B. If the federal agency experiencing the incident is unable to 
speak with the other federal agency's System Security Contacts within 
one (1) hour, or if contacting the System Security Contact is not 
practical (e.g., outside of normal business hours), then the following 
contact information shall be used:

 FEMA Security Operations Center (SOC): (540) 542-4762 OR FEMA 
Helpdesk: 1-888-457-3362
 SBA IT Service Center: (855) 620-4780 OR ODA Service Desk 
(877) 398-1296

    C. If either DHS/FEMA and SBA experience an exposure or of 
personally identifiable information (PII) provided under the terms of 
this Agreement, the federal agency that experienced the loss incident 
will also comply with the PII breach reporting and security 
requirements set forth by OMB M-17-12 ``Preparing for and Responding to 
a Breach of Personally Identifiable Information'' (January 3, 2017).
    D. Neither SBA nor FEMA shall be liable for any cause of action 
arising from the possession, control, or use by a State or local 
government of survivor/registrant PII, or for any loss, claim, damage 
or liability, of whatsoever kind or nature, which may arise from or in 
connection with this Agreement or the use of survivor/registrant PII.
    Nothing in this section shall be construed as a waiver of sovereign 
immunity against suits by third persons against a State or local 
government.
    Notwithstanding any rights that may be available under the legal 
authorities referenced in this Agreement, this Agreement itself is not 
intended to, and does not, create any right or benefit, substantive or 
procedural, enforceable at law or in equity by any party against the 
United States, its departments, agencies, or entities, its officers, 
employees, or agents, or any other person.
    E. DHS/FEMA and SBA agree to notify all the Security Contact(s) 
named in this Agreement as soon as possible, but no later than one (1) 
hour, after the discovery of a breach (or suspected breach) involving 
PII. The agency that experienced the incident will also be responsible 
for following its internal established procedures, including:

[ssquf] Notifying the proper organizations (e.g., United States 
Computer Emergency Readiness Team (US-CERT), the ISSOs, and other 
contacts listed in this document);
[ssquf] Conducting a breach and risk analysis, and making a 
determination of the need for notice and/or remediation to individuals 
affected by the loss;
[ssquf] Providing such notice and credit monitoring to the affected 
individuals at no cost to the other agency, if the analysis conducted 
by the agency having experienced the loss incident indicates that 
individual notice and credit monitoring are appropriate.

    F. In the event of any incident arising from or in connection with 
this Agreement, each Agency will be responsible only for costs and/or 
litigation arising from a breach of the Agency's own systems or data; 
FEMA is responsible only for costs and litigation associated with 
breaches to FEMA systems or data and SBA is responsible only for 
breaches associated with SBA system or data.
    FEMA shall not be liable to SBA or to any third person for any 
cause of action arising from the possession, control, or use by SBA of 
survivor/registrant PII, or for any loss, claim, damage or liability, 
of whatsoever kind or nature, which may arise from or in connection 
with this Agreement or the use of survivor/registrant PII.
    SBA shall not be liable to FEMA or to any third person for any 
cause of action arising from the possession, control, or use by FEMA of 
applicant PII, or for any loss, claim, damage or liability, of 
whatsoever kind or nature, which may arise from or in connection with 
this Agreement or the use of survivor/registrant PII.
    Nothing in this section shall be construed as a waiver of sovereign 
immunity against suits by third persons.

[[Page 2657]]

XIV. COMPTROLLER GENERAL ACCESS

    The parties authorize the Comptroller General of the United States, 
upon request, to have access to all SBA and DHS/FEMA records necessary 
to monitor or verify compliance with this matching agreement, in 
accordance with 5 U.S.C. Sec.  552a(o)(1)(K). This matching agreement 
also authorizes the Comptroller General to inspect any records used in 
the matching process that are covered by this matching agreement 
pursuant to 31 U.S.C. Sec.  717 and 5 U.S.C. Sec.  552a(b)(10).

XV. INSPECTOR GENERAL ACCESS

    By agreeing to this matching Agreement, DHS/FEMA and SBA authorize 
their respective Offices of Inspector General to use results from data 
matches conducted under this matching program, for investigation, 
audit, or evaluation matters, pursuant to5. U.S.C. App. Sec. Sec. 1-13.

XVI. DURATION OF AGREEMENT

A. Effective Date of the Agreement

    This Agreement shall become effective, and matching may commence, 
under this Agreement on the later of the following dates:

[ssquf] Thirty (30) days after notice of the matching program described 
in this CMA has been published in the Federal Register, or
[ssquf] Forty (40) days after a report concerning this CMA is 
transmitted simultaneously to the Committee on Homeland Security and 
Governmental Affairs of the Senate, the Committee on Oversight and 
Government Reform of the U.S. House of Representatives according to 5 
U.S.C. Sec.  552a(o)(2)(A)(i), and to OMB, unless OMB waives 10 days of 
this 40-day period for compelling reasons, in which case 30 days after 
transmission of the report to OMB and Congress.

    The Parties to this Agreement may assume OMB and Congressional 
concurrence if no comments are received within forty (40) days of the 
date of the transmittal letter of the Report of the Matching Program. 
The parties may assume public concurrence if no comment is received 
within thirty (30) days of the date of the publication of the Notice of 
Matching Program. This Agreement shall remain in effect for a period 
not to exceed eighteen (18) months.

B. Renewal of the Agreement

    This Agreement may be extended for one twelve (12) month period 
upon mutual agreement by both Parties, if the renewal occurs within 
three (3) months of the expiration date of this Agreement. Renewals are 
subject to the requirements of the Privacy Act, including certification 
by the Parties to the responsible DIB (as described in Section XV of 
this Agreement) that:
    [ssquf] The matching program will be conducted without change, and
    [ssquf] The matching program has been conducted in compliance with 
the original Agreement pursuant to 5 U.S.C. Sec. 552a(o)(2)(D).

C. Termination of the Agreement

    This Agreement shall terminate when the purpose of the computer 
match has been accomplished, or after eighteen (18) months from the 
effective date of the Agreement without notice from either party 
(whichever comes first). This Agreement may also be terminated, 
nullified, or voided by either DHS/FEMA or SBA, if:

[ssquf] Either Party violates the terms of this Agreement; or
[ssquf] SBA or its authorized users misuse or improperly handle the 
data provided by DHS/FEMA; or
[ssquf] DHS/FEMA or its authorized users misuse or improperly handle 
the data provided by SBA; or
[ssquf] The Parties mutually agree to terminate this Agreement prior to 
its expiration after 18 months; or
[ssquf] Either Party provides the other with 30 days written notice.

XVII. REIMBURSEMENT OF MATCHING COSTS

    SBA and DHS/FEMA will bear their own costs for this program.

XVIII. DATA INTEGRITY BOARD REVIEW/APPROVAL

    SBA and DHS/FEMA's Data Integrity Boards will review and approve 
this Agreement prior to the implementation of this matching program. 
Disapproval by either Data Integrity Board may be appealed in 
accordance with the provisions of the Computer Matching and Privacy 
Protection Act of 1988, as amended. Further, the Data Integrity Boards 
will perform an annual review of this matching program. SBA and DHS/
FEMA agree to notify the Chairs of each Data Integrity Board of any 
changes to or termination of this Agreement.
    This Agreement may be modified only by mutual consent of both 
Parties and approval of the respective DIBs. Any modifications must be 
in writing and satisfy the requirements of the Privacy Act and the 
requirements set forth in OMB Guidelines on the Conduct of Matching 
Programs, 54 Fed. Reg. 25818.

XIV. POINTS OF CONTACTS AND APPROVALS

    For general information, please contact: William H. Holzerland 
(202-212-5100), Senior Director for Information Management, Federal 
Emergency Management Agency, Department of Homeland Security; and Ana 
Beskin (202-205-6595), Chief Information Security Officer, Office of 
the Chief Information Officer, Small Business Administration.

XVI. SIGNATURES

    The authorizing officials whose signatures appear below have 
committed their respective agencies to the terms of this Agreement.

Small Business Administration

Dated: September 4, 2018.
-----------------------------------------------------------------------

James Rivera,
Associate Administrator for Disaster Assistance, U.S. Small Business 
Administration.

Dated: June 26, 2018.
-----------------------------------------------------------------------

Maria Roat,
Chief Information Officer, Data Integrity Board Chair, U.S. Small 
Business Administration.

U.S. Department of Homeland Security
Federal Emergency Management Agency

Dated: June 26, 2018.

-----------------------------------------------------------------------

Keith Turi,
Acting Assistant Administrator, Recovery Directorate, Federal 
Emergency Management Agency, U.S. Department of Homeland Security.

Dated: July 30, 2018.
-----------------------------------------------------------------------

Philip S. Kaplan,
Chief Privacy Officer, Data Integrity Board Chair, U.S. Department 
of Homeland Security.

[FR Doc. 2019-01508 Filed 2-6-19; 8:45 am]
 BILLING CODE 8025-01-P