The Risk to Homeland Security from Identity Fraud and Identity Theft
Good afternoon, Chairman Gekas, Chairman Smith, Ms. Jackson-Lee, Mr. Scott. Let me first thank you for the invitation to be here today. This is a vitally important matter, and a complex one, but I will begin my testimony with a simple, declarative sentence: The Social Security number (SSN) is our national identifier. Nine months ago, that statement was challenged by many. Today, it is an accepted fact.
Today's hearing focuses on the integrity of the SSN with respect to those who arrive at our borders as visitors. You should be aware that this is only one portion—albeit a critical one—of our efforts to protect the SSN's integrity. In calendar year 2000, the Social Security Administration (SSA) issued approximately 1.2 million SSNs to non-citizens, but issued over 5.5 million SSNs in all. While SSNs issued to non-citizens thus represent only about 20 percent of the total, the volume is significant.
Maintaining SSN Integrity at our Borders
We may never know with absolute certainty how many of the 19 hijackers of September 11th used improperly obtained SSNs, or how they obtained them. Following the September 11th attacks, the Office of the Inspector General (OIG) immediately received from the Federal Bureau of Investigation (FBI) the names and other personal identifiers (as they then knew them) of the 19 terrorist hijackers who died in these attacks. Those names and identifiers were matched against SSA's indices. We associated SSNs with 12 of the 19 names. Of the SSNs associated with these 12 names, 5 appeared to be counterfeit (SSNs that were never issued by SSA). In addition, 1 was associated with a child, leaving 6 names associated with SSNs that were issued by SSA. Further, 4 of these 6 names were associated with multiple SSNs. At this juncture, we cannot assert whether any of the 6 subject names associated with these SSNs are, in fact, September 11th terrorists.
It is important to understand that our investigative efforts may ultimately determine that certain of these six individuals possessed legitimate (or well-crafted counterfeit) documents to legitimately obtain an SSN. These documents may then have been cleared for entry to the United States by the vetting processes of both the Department of State, and the Department of Justice's (DOJ) Immigration and Naturalization Service (INS), thereby facilitating the assignment of an SSN under the procedures in place at that time. In view of this, and other imperatives following the terrorist incidents, the SSA established an Enumeration Working Group to develop and recommend to the Commissioner, both internal and external process changes that will result in strengthening the integrity of the issuance of SSNs. Many of these changes have been made and others are pending implementation in the near term. My office has been a committed partner with SSA in all the activities of that workgroup.
Regardless of what is eventually proven or disproven, the investigation into the events of that day, and the homeland security efforts aimed at preventing future attacks, have revealed the importance of the SSN to any attempt at assimilation into American society. Nine months later, no one harbors any illusion that the SSN remains simply a number for the tracking of workers' earnings and the payment of social insurance benefits. The SSN is our national identifier, and protecting the integrity of that identifier is as important to our homeland security as any border patrol or airport screening.
We have long been aware that failure to protect the integrity of the SSN has enormous financial consequences for the government, the people, and the business community. We now know that the burden that the enumeration process carries can have far graver consequences than previously imagined and as such, SSA can no longer afford to operate from a "business as usual" perspective. Whatever the cost, whatever the sacrifice, we must protect the number that has become our national identifier; the number that is the key to social, legal, and financial assimilation in this country.
We recognize that SSA alone cannot resolve the monumental issues surrounding homeland security. Efforts to make our Nation safer will involve new or expanded initiatives by almost every segment of our population, including State and local governments, private industry, non-governmental organizations, and citizens. However, we also recognize that, in endeavoring to protect our homeland, no government system or policy should be ignored. As such, SSA, as a Federal agency and public steward, must continue its efforts to strengthen its systems and processes to minimize the use of SSNs for illegal purposes. We believe that SSN integrity is a link in our homeland security that must be strengthened and sustained.
Last month, we issued a Management Advisory Report entitled Social Security Number Integrity: An Important Link in Homeland Security. In that report, we stated that it is critical that SSA independently verify the authenticity of the birth records, immigration records, and other identification documents presented by an applicant for an SSN.
This is a relatively new issue for the American people, but it is an old issue for us. Two years ago, in May 1999, we issued another Management Advisory Report entitled Using Social Security Numbers to Commit Fraud (A-08-99-42002), in which we described significant vulnerabilities in SSA's enumeration process. The most important of these vulnerabilities was SSA's procedures for verifying documents submitted with SSN applications. In September 2000, we issued yet another report, Procedures for Verifying Evidentiary Documents Submitted with Original Social Security Number Applications, in which we identified similar weaknesses. While each of these reports dealt with across-the-board weaknesses, rather than weaknesses associated only with enumeration of non-citizens, each report did address the non-citizen issue at length.
In both of these reports, as in last month's report, we recommended that SSA independently verify birth and immigration records submitted in support of SSN applications. Additionally, we recommended full and expedited implementation of a joint Enumeration at Entry program in which the Agency would issue SSNs to non-citizens upon their entry into the United States based on information obtained from INS and the Department of State.
At the time the 1999 and 2000 reports were issued, SSA disagreed with our recommendation to independently verify birth and immigration records. The Agency stated that delaying the receipt of SSNs for thousands of non-citizens, most of whom were legitimately entitled to a number, was not acceptable. Rather, they preferred to work with the INS on improving existing systems until the recommended Enumeration at Entry program could be implemented.
Unfortunately, until September 11th, SSA had limited success encouraging the INS to move quickly on either of these planned initiatives, as the projects did not appear to be as high a priority to INS as they were to SSA. For example, in August 1999, SSA's Commissioner wrote to the Commissioner of INS regarding SSA's concerns with the current verification process and SSA's hope that the two Agencies could expeditiously move to implement the Enumeration at Entry program. Although some staff-level meetings continued between representatives of the two agencies, SSA never received a formal response to the letter. As such, SSA requested assistance from the Office of Management and Budget (OMB) to move the initiatives along. In response, OMB convened a meeting between the two agencies. Still 2 years after that, little progress was made, although SSA does report that in the months since September 11th, negotiations with INS are proceeding more smoothly and at a faster pace.
Commissioner Barnhart has indicated her intention to begin holding non-citizens' applications for new SSNs until their evidentiary documents can be verified with the INS. I applaud her decision, and her resolve. While SSA is justifiably proud of its reputation for timely service, Commissioner Barnhart's decision to refine this commitment to include a balance for both enumeration integrity and the security of our Nation's borders is a sound one.
Our own work illustrates just how wise a decision this is. In a recent study, preliminary results indicate that 8 percent (over 100,000) of the 1.2 million SSNs assigned to non-citizens during Calendar Year 2000 were based on invalid immigration documents, which current SSA processes did not detect. We have no way of determining how many SSNs have been improperly assigned to non-citizens throughout history. However, we believe—as does Commissioner Barnhart—that in the interest of homeland security, an 8 percent error rate, 1 out of every 12 SSN cards, is unacceptable and further action is required.
The following examples from our study are representative of how non-citizens improperly obtained SSNs by presenting invalid documents:
SSA assigned SSNs to two individuals (both age 28) purporting to have been born in India. These individuals provided immigration documents improperly showing them as work-authorized; however, INS had no record of the two individuals.
SSA assigned an SSN to a 27-year-old male purporting to have been born in Japan. He presented a work-authorized immigration document to SSA, although INS never authorized him to work. Specifically, he presented an INS document indicating he was an intra-company transferee and, therefore, eligible for a work-authorized SSN. However, INS reported to us that he was actually the spouse of an intra-company transferee and, therefore, he was not eligible for a work-authorized SSN.
SSA assigned an SSN to a 56-year-old female purporting to have been born in Mexico. She presented a work-authorized document. However, INS had not authorized her to remain in the country. She originally entered the country with an "H2-B" classification (temporary worker performing services of labor unavailable in the United States). She applied for an SSN on December 20, 2000, with INS documents indicating her H2-B status. Therefore, SSA assigned the individual an SSN. Nevertheless, INS confirmed that her authorization to remain in the United States expired December 1, 2000, and INS found no indication that she applied for an extension. Accordingly, the document she presented to the SSA field office when applying for an SSN was already invalid.
These examples appear relatively harmless, but they demonstrate the ease with which any immigrant can fool well-intentioned SSA employees into issuing a critical identity document.
SSNs, Immigrants, Employers, and the Earnings Suspense File
One of the first steps in obtaining employment and realizing the goals of many U.S. immigrants is obtaining an SSN. Most immigrants—about 75 percent—come to the United States legally, many to join close family members. However, INS estimated the undocumented immigrant population reached about 5 million in 1996, not including the 3 million who were given amnesty under the Immigration Reform and Control Act of 1986. Additionally, the INS estimates the number of undocumented immigrants continues to grow by about 275,000 individuals each year.
To improperly acquire an SSN, undocumented immigrants may either apply for a "legitimate" SSN using false evidentiary documents (as in the examples given above, or by using counterfeit passports or other falsified foreign documents) or they may create or purchase a counterfeit Social Security card. Additionally, if an undocumented immigrant is not required to show a Social Security card (which is very often the case), he or she may simply invent a nine-digit number. This SSN may be one the Agency has already assigned to another individual (stolen SSN) or one never assigned (fake SSN).
SSA statistics show three industries (agriculture, food and beverage, and services) account for almost one-half of all wage items in SSA's Earnings Suspense File (ESF). The ESF is the Agency's record of annual wage reports submitted by employers for which employee names and SSNs fail to match SSA's records. Of these industries, agriculture is the largest contributor, representing about 17 percent of all ESF items. In fact, in one study of 20 agriculture employers, we determined that 6 of every 10 wage reports submitted by these employers had incorrect names or SSNs. From 1996 through 1998, these 20 employers submitted over 150,000 wage items for which the employee's name and/or SSN did not match SSA records, representing almost $250 million in suspended wages over the 3-year period.
Because SSA has no legal authority to levy fines and penalties against employers or employees who submit incorrect SSN information on wage reports, the Agency relies upon other Federal agencies to assist in combating SSN misuse. Specifically, as provided by law, SSA must rely on the Internal Revenue Service (IRS) to enforce penalties for inaccurate wage reporting and upon the INS to enforce immigration laws. Unfortunately, the IRS has been reluctant to apply penalties and SSA and the INS have had limited collaboration on the issue.
We believe applying penalties would have a ripple effect on employers who consistently submit wage reports for employees whose names and SSNs do not match SSA's records. Although SSA is primarily interested in penalizing the most egregious employers, IRS staff expressed concern with the application of even these penalties. IRS senior staff members believe they and SSA would have a difficult time determining whether an employer exercised appropriate diligence in obtaining the necessary information from employees. SSA representatives, however, believe they could provide the IRS with sufficient evidence to show an employer knew or should have known its employees' SSNs were incorrect.
Despite the IRS' concerns, the two Agencies held discussions to explore the enforcement of an existing penalty provision ($50 per incorrect wage report) for employers who repeatedly submit erroneous name and/or SSN information. To implement the penalty, SSA and the IRS agreed they must (1) jointly define the circumstances for applying penalties; (2) identify information needed from SSA for the IRS to support applying penalties; and (3) develop the proposed data flow and procedures to be followed.
In Calendar Year 2000, based on this agreement, SSA provided a list of 100 of the most egregious employers to the IRS. These employers represented the employers with the largest number of name/SSN match failures in consecutive years. The IRS expressed interest in the listing but, to date, has not assessed penalties.
Success of SSA's coordination with the INS regarding non-citizens' misuse of SSNs to obtain employment has also been minimal. In a previous audit report, we recommended that SSA (1) collaborate with INS on this issue and (2) reevaluate its application of existing disclosure laws or seek legislative authority to remove barriers that would allow SSA to share with the INS information regarding employers who chronically submitted incorrect wage reports. SSA disagreed with our recommendations and stated that its interpretation of the privacy and disclosure issues is accurately applied and continues to provide appropriate disclosure guidance within existing authority.
The intent of our recommendations was to suggest that the Agency look for avenues under current law and regulations first before seeking legislative authority. We acknowledge SSA's efforts to combat SSN misuse and reduce the ESF's growth. However, given the magnitude of SSN misuse by unauthorized non-citizens, we continue to believe SSA should take preemptive and preventive measures to ensure the SSN's integrity. We continue to believe that the sharing of such information in certain situations would stem the growth of SSN misuse for employment purposes.
SSA assigns "non-work" SSNs for limited purposes to non-citizens who do not have authorization from INS to work while they are in the United States. As of August 1997, SSA had issued approximately 7 million non-work SSNs. Since that time, the Agency has reduced the number of circumstances for which it will issue non-work SSNs. Although SSA has issued another 360,000 non-work SSNs since 1997, the number has been steadily declining in almost every year. For example, the number of non-work numbers issued dropped from approximately 128,000 in 1998 to 70,000 in 2001. Additionally, in March 2002, SSA notified the Nation's governors that it would no longer issue non-work SSNs for the purpose of getting a driver's license. As a result, the number of non-work SSNs issued in 2002 may be lower than 30,000.
We applaud SSA's efforts to minimize the number of non-work SSNs it assigns. Our audit work indicates that, despite the "not valid for employment" terminology that appears on every non-work SSN card, individuals frequently use these SSNs for just that purpose. For example, in Tax Year 2000, approximately 600,000 individuals with non-work SSNs used the numbers to work, earning over $21 billion. Because SSA does not routinely learn of changes in a person's work authorization, not all earnings reported under a non-work SSN are attributable to non-authorized work. Under current guidelines, SSA will pay Old-Age, Survivors and Disability Insurance benefits based on the earnings obtained under non-work SSNs, as long as the number holders meet all benefit eligibility requirements. We disagree with this practice and have recommended that SSA seek legislation allowing the Agency to deny benefits to individuals who use non-work SSNs for employment purposes. SSA has elected not to seek such legislation.
Suspended Wages and Notification of the Public
SSA annually sends out between 7 and 8 million letters to employees and employers regarding the submission of wages where the SSN and associated name cannot be matched to SSA's records. Although these submissions may relate to the misuse of an assigned SSN, SSA does not notify the actual SSN holder. However, providing timely notifications may be difficult due to internal attempts to resolve the problems, while notifying the public may create unnecessary alarm.
The very fact that a reported wage item is in the ESF means SSA does not know the correct identity of the worker. For example, SSA has noted that about 55 percent of the items in the ESF have (1) no name, (2) no name and no SSN, or (3) an unissued SSN. The remainder of the items in the ESF generally relates to a mismatch between the name and SSN. Under a policy of notifying people whose SSNs are being falsely used, SSA could not take action on the missing or unissued SSNs since no specific member of the public is impacted by these wage items. However, the remaining wage items with a name and SSN mismatch would require further review by SSA.
SSA has a number of ongoing processes to obtain the correct name and SSN associated with the wages, such as correspondence with employees and employers, as well as manual and automated edits. These processes can take at least a year to complete, and often longer. However, through these processes, SSA is able to reinstate many of these wage items to the rightful owners' earnings records when, at first glance, it could have appeared to be the misuse of another individual's SSN. Sending a notice to the real owner of the SSN prior to these processes may be premature and unduly alarm the public.
Finally, both OIG and SSA reviews of the suspended wages in the ESF and the associated industries lead us to believe that illegal work, rather than identity theft, may be the primary cause of suspended wages. Many of the items in the ESF related to the agricultural industry, which hires transient employees who may or may not have work authorizations from the INS. These workers may create an SSN for the sole purpose of obtaining employment. In such cases, while these workers are providing fraudulent information to their employer, notifying the real owner of the SSN that their number is being falsely used may create the impression of identity theft when in fact, the number was randomly chosen for the purpose of employment.
Improving the integrity of the enumeration process is critical, but of course, it is prospective relief. Millions of SSNs have already been issued to non-citizens, many of them based upon fraudulent documentation, and more will be issued while SSA and the INS continue seeking improvements. Therefore, we continue our efforts on the investigative side to ensure that where the improper acquisition of an SSN by a non-citizen creates a possible homeland security risk, we are doing all we can to intervene.
The operations in which our office has participated in some 18 airports across the country over the past several months are but one way in which these efforts continue. Working with Joint Terrorism Task Forces and other Federal agencies under the aegis of Offices of United States Attorney, we have worked to ensure that no airport employee who has misrepresented his or her SSN and identity has access to secure areas of the Nation's airports. A total of 432 people have been arrested to date, and more importantly, have been denied access to the areas, which represent a significant terrorism vulnerability. Similar operations are in the planning stages at other sensitive facilities around the country.
As it became apparent in the aftermath of September 11th that the SSN would be an important element in the investigation of the attacks, our office worked not only with other investigative entities, but with DOJ to educate prosecutors on the acquisition, use, and misuse of SSNs by potential terrorists. A memorandum was distributed to United States Attorneys nationwide, explaining the use of 42 U.S.C. §408(b)(7), Misuse of an SSN, as a charge that could be used to indict, arrest, detain, and where appropriate, deport suspected associates of the hijackers or others with links to terrorism. Because a terrorist, to be effective, must first be assimilated into American society, and because an SSN is a critical tool in the assimilation, it became apparent that the acquisition of an SSN was indispensable.
Lofti Raissi, for example, was long thought to be an associate of some of the September 11th hijackers, having trained with some of them at flight school in Arizona. When he was being held in London, investigation revealed that while in the U.S., he had been using the SSN of a deceased New Jersey woman.
Malek Seif, a licensed pilot and native of Djibouti, was living in Arizona until August 2001, when he left the U.S., only to surface in France, where he was detained by French anti-terror authorities. He was released in order to return to the U.S., where he was arrested upon his arrival at Phoenix Sky Harbor airport and charged with obtaining one SSN and one replacement Social Security card based on the presentation of false information to the Commissioner of Social Security, and a second SSN under a second identity on the basis of fraudulently obtained immigration documents. He pleaded guilty to multiple counts, including misuse of an SSN, in Federal court in Phoenix.
Sofiane Lamaiche, another suspected associate of some of the September 11th terrorists, and a one-time roommate of Lofti Raissi, was smuggled into the United States on an Algerian ship through the port of Philadelphia, and within five days, made his way to Phoenix and purchased a new identity, including an SSN. He was tried by an OIG attorney working as a Special Assistant U.S. Attorney in Arizona and convicted of multiple counts, including misuse of an SSN.
Finally, Redouane Dahmani, another suspected associate smuggled into the U.S., purchased a new identity, including an SSN. He then filed a false asylum application under his own identity (using Raissi as an affiant and interpreter), using the INS documents that resulted to obtain a "legitimate" SSN from SSA. He was charged at the Federal and State levels and is awaiting trial.
As the efforts of Federal law enforcement agents and prosecutors continue into the investigation of September 11th and the homeland security agenda, it becomes more and more apparent that those connected with terrorism will at some point obtain an SSN. They may buy it, they may create it, or they may obtain it from SSA directly through the use of falsified immigration records. But to operate in the United States, they need the number, and no additional time can be lost in taking those steps necessary to ensure that those numbers do not come from SSA.
In addition to large-scale operations such as those at the Nation's airports, and individual cases of those suspected of an association with terrorism, our efforts continue in other areas. We continue to meet with other Federal officials to ensure that we are doing all that restrictive privacy laws permit to assist DOJ and others to use SSN information in the homeland security context. We are in constant contact with this and other committees of both houses of Congress to provide expertise and assistance in the analysis of data and creation of legislation aimed at protecting the SSN and preventing it from being used improperly. We have attorneys either working as Federal prosecutors or with them to enforce the Social Security Act's felony provisions. We continue our audit work, reviewing SSA's enumeration process and making recommendations for much-needed improvements. And we stand ready to do more. We appreciate your interest in these issues, and look forward to working with you to enhance the safety of all Americans.