Why are there so many fewer certified DMF users?
In a word, uncertainty. While no one likes uncertainty, in business it can be a costly prospect. Yet that is the current landscape for certified subscribers or licensees of the Death Master File (DMF). The Berwyn Group has closely followed the law and subsequent rulemaking process since its inception. Our CEO, Felix, spoke directly with the rulemaking committee and has always been a vocal advocate for proper use of the DMF. For The Berwyn Group, there was never any question of giving up the DMF, as it has been an integral part of our dataset since 1991. However, for many of our clients and others currently subscribed to the DMF, the interim and final rules represent a very large shift in operations.
What do we know about the final rule?
- Those accessing the file need to have a legal or otherwise legitimate business purpose for accessing the data, which makes sense. The regulation was designed to fight fraudulent use of the data, and if you don’t have a legitimate purpose for using the data, obituaries should be more than enough to satisfy any curiosity.
- Interestingly, genealogists were specifically excluded from access to current data and are only allowed the three-year aged data.
- DMF information is now considered Non-Public Personal Information (NPPI).
  - Name, Date of Birth, SSN, and Date of Death
- Improper use may incur a fine of $1,000 per person, up to $250,000 per year, unless there is intentional fraud, in which case the fines are uncapped.
What is new and causing concern?
- Organizations need to have proper security in place to store or use the NPPI and they need those processes to be independently assessed by an Accredited Conformity Assessment Body (ACAB).
- Fees to register and access the data are required to be sufficient to cover the costs of administration.
- NTIS must perform audits of DMF users.
There is significant flexibility built into the final rule, which neither names a specific security standard with which companies must comply nor constrains accreditation to a list of accrediting bodies. However, to licensees, the new concept of using ACABs for certification has been challenging for the very same reasons – there’s no specific set of rules and no list of companies you can call to perform the assessment. For many years, The Berwyn Group has received annual SOC2 certification, and the AICPA’s Trust Services Criteria were named as an acceptable standard in the supporting documentation provided by the NTIS. While this does not represent a change for us, it is an expensive and laborious process, particularly when preparing for initial certification. The larger and more complex the organization, the more the cost and timeframes increase. This may be prohibitive for large banking and insurance organizations or those outside of the expertise of many state and corporate structures.
Once the compliance hurdle is overcome, there is the issue of the fees. Again, fees must be sufficient to cover the costs of administration. There is no upper limit on fees. Since the number of certified users is rapidly declining, the per-user fees would have to go up to cover the same costs of administration. This is not a prediction: NTIS has consistently and rapidly increased the annual certification fee.
Finally, there is the audit. There has been no description of who will perform the audit or what it will entail. The costs of the audit will fall on the users. This could be a simple desk audit, but it could also be a full field audit. While a field audit would be much more expensive, it wouldn’t affect the NTIS, as they would just pass on the audit costs as a part of maintaining access to the DMF.
What can organizations do?
First, determine if you need to get death data. Likely this is out of your control as many industries are subject to laws that require death audits on their populations. Also, death data significantly reduce fraud and overpayments, so even if you are not legally required, many have interpreted performing death audits as part of their fiduciary responsibility. It also just makes good business sense as auditing for death is a natural and inexpensive cost reduction.
Second, determine if this function needs to take place in-house or if it can be done outside the walls of your facility. The Berwyn Group offers solutions that fit both cases. If you would like to find out more about how you can reduce the uncertainty and join the growing group of former DMF users that are now using The Berwyn Group services, we would be happy to walk you through any questions you may have.