grady!management!inc.! enterprise!income ... eiv and you brochure is to be given with all...

Revised 08/2015

of 30

Grady Management Inc. Enterprise Income Verification System (EIV)

Policy and Procedures

On March 8, 2013 HUD issued a revised copy of this Notice the number is H 2013-06 As of January 31, 2010, HUD made mandatory the use of the Enterprise Income Verification System (EIV) in its entirety and to complete activities associated with existing residents during recertification and new applicants. From 4/16/2010 – 6/8/2010, and any other disruptions when the EIV system was down, any Annual, Interim or the 90-day reporting for move-ins completed MUST have a note to file stating the EIV system was down. The following procedures listed below must be maintained in your office and all data must be kept secure and made available for auditors during Management Occupancy Review (MOR).

• Copy of Management written EIV policies and procedures for using the EIV employment and income data and EIV verification reports. Print the summary reports for the EIV master files for the reports below except the No income reported on the 50059 and no income reported by HHS or SSA. All detailed reports need to go into the residents file along with any evidence that backs up the outcome of the investigation.

1) Owner/agents must keep an EIV Master File which includes reports which must be reviewed on a regular basis. This “Master File” must include the following Reports:

a. Identity Verification Reports –Monthly 1. Failed Pre-screening 2. Failed Verification

b. Deceased Tenant – Monthly and as indicated in GMI’s EIV policies c. New Hires Report – Monthly and as indicated in the GMI’s EIV policies d. Multiple Occupancy Report – Monthly and as indicated in the GMI’s EIV policies e. No Income Reported on the 50059 –Quarterly and as indicated in the GMI’s EIV policies f. No Income Reported on the HHS or SSA-Quarterly and as indicated in the GMI’s EIV

policies 2) The discrepancy report needs to be printed every time the summary and the income reports are

printed. All of these reports needs to addressed/corrected within 30 days of the print date.

Revised 08/2015

of 30

EIV Brochures:

The EIV and YOU brochure is to be given with all applications. Residents will receive a copy at annual recertification. Residents are required to acknowledge receipt of the guide.

Disclosure to Persons Assisting Tenants with the Recertification Process

With the written consent of the tenant, EIV data may be shared with persons assisting the tenant with the recertification process. A sample Tenant Consent to Disclose EIV income information will be made available when applicable. Tenants who require assistance during the recertification process may have a representative present to assist them in their ability to participate in the recertification process; this includes review and explanation of the written third party verifications. Disclosure of the EIV information to these parties must be employment or income information pertaining only to the tenant who has provided his/her consent. These parties must not have access to EIV information for any other household members.

Parties to whom the tenant can provide written consent include:

• Service Coordinator’s (only if they are present at and assisting the tenant with the recertification process)

• Translators/Interpreters • Individuals assisting an elderly individual or a person with a disability • Guardians • Powers of Attorney • Other Family members

Resident Notification of Recertification:

Management is required to provide reminder notices to residents informing them of their responsibility to provide the management with information about changes in family income assets and/or composition that are necessary to properly complete an annual recertification. The reminder notice must be in writing and must include a list of information that a resident is required to bring with them to their recertification interview. The list must include documentation needed to support the income and assets they are receiving as well as documentation to support any deductions they may be eligible to receive. Having the necessary documentation available at the time of the recertification interview will save time in completing the recertification process. In addition, asking the right questions at the time of the interview will ensure that the correct information has been provided and will assist in reducing errors in income and rent determinations.

Revised 08/2015

of 30

EIV at Annual recertification:

When employer and income information in EIV is the same as what the Resident reports he/she is receiving, you can use the EIV Income Report for third party verification and resident provided documents to calculate income. This information from EIV may not be accessed, used or searched for any other purpose except for verifying the employment and income of Resident currently assisted.

You must obtain third party verifications when:

• Resident disputes EIV data • Resident cannot provide acceptable/current income documents • There is incomplete data for a resident; or • There is no EIV data for the resident.

When third party verification is not available, this must be documented in the residents file to explain why third-party verification was not available

All reports must be printed off at the time of recertification and the files need to reflect efforts to resolve the errors or discrepancies based on GMI’s Policy and Procedures.

EIV REPORTS:

Following are the procedures for accessing and maintaining the required reports for each report found in the EIV system.

Existing Tenant Search- Processing of Application/ Move-In

Applicants and all household members applying for assisted housing must have an Existing Tenant Search performed to check for possible dual subsidy, this also includes Live-in-Aids. A copy of the page from EIV must be keep with the resident file. This report is accessed at admission and rejected applicants. If the report indicates the applicant or a member of the applicant’s household is residing at another location, management will discuss this with the applicant, giving the applicant the opportunity to explain any circumstances relative to his/her being assisted at another location. Management will allow five (5) business days for a response to discrepancies found in the report, failure to respond is cause for declining the application. This may be a case where the applicant wants to move from his/her existing location or where two assisted families share custody of a minor child. If the parents share 50-50 custody, only one parent can get the dependent allowance. If an agreement cannot be made regarding which parent will receive the dependent allowance, management will not offer the allowance. Depending on the outcome of the discussion with the applicant, all information must be followed up with the respective PHA or O/A to confirm the individual’s program participation status before admission.

Revised 08/2015

of 30

This report gives the community the ability to coordinate move-out and move-in dates with the PHA or O/A of the property at the other location (Recommend retrieving written verification from the move-out community). If the community discovers that any household member failed to move-out of a the previous HUD assisted residence before moving into the community, no rent subsidy or utility allowance will be provided by the Department of Housing and Urban Development until the day after the move-out is complete from the previous residence... Household members who signed the lease will be responsible for paying the market rent until qualified to receive HUD assistance on this property. Any assistance paid in error MUST be returned to HUD.

Income Reports –Annually and Interim Certifications

Management must use at annual recertification and Interim Certifications. The report provides a variety of information about each member of a household. This report provides TRACS certification information and residents who have started new employment within the past few months, quarterly wage information for past or current employment, unemployment insurance benefits, social security benefits, Medicare premiums, and SSA disability Status. In most cases, the printed report will serve as third party verification. The income report does not include other income the household may receive such as welfare benefits, most pensions, child support, etc. It should also be noted that a resident may have wages that the employer did not report to the SWA and, therefore these wages will not be contained in the new hires date base. If the resident disputes this information, you must note this on the report and follow established guidance for obtaining 3rd party verification directly from the income source. Income reports for each resident must be maintained in the resident file.

Please note the report identifying the NDNH employment, wage and unemployment income information in EIV must be used as third party verification of the resident employment and is not to be used to calculate the resident income.

New Admissions – Summary/Income Report

Management must for all new admissions review the Summary Report within 90 days after the transmission of the move-in certification to TRACS to confirm/validate the income reported by the household. Resolve any income discrepancies with the household within 30 days of the Income Report date. Print and retain the Income Report in the resident file along with any documentation received to resolve income discrepancies, if applicable. If there is a discrepancy on the report which is before the move-in, the discrepancy still must be addressed by obtaining verification that the income no longer exists or counting it if the household is still receiving the income.

Revised 08/2015

of 30

For new move-ins (including additions of new adult household members), EIV Summary reports will be reviewed based on the following schedule:

January MI – EIV reports reviewed in March July MI - EIV reports reviewed in September February MI - EIV reports reviewed in April August MI – EIV reports reviewed in October March MI - EIV reports reviewed in May September MI - EIV reports reviewed in November April MI - EIV reports reviewed in June October MI - EIV reports reviewed in December May MI - EIV reports reviewed in July November MI - EIV reports reviewed in January June MI - EIV reports reviewed in August December MI - EIV reports reviewed in February Failed Verification Reports - Monthly

This report identifies household members who failed the SSA identity match due to invalid (SSN, last name or DOB) as well as, identifies deceased household members. Management must use this report to identify those residents that did not pass the SSA identity verification match and the reason (s) they did not pass any discrepancies must be corrected within 30 days of the date of the report. You must identify records with errors and follow up to correct inaccurate information by contacting the resident. You must also obtain third party verification or documentation to support the resident’s personal identifiers and the accuracy of the HUD-50059 and TRACS data. Requirements for third party verification according to the HUD Handbook 4350.3 must be adhered to. Encourage the resident to contact the SSA to correct any inaccurate data in their databases if the personal identifiers on the form HUD -50059 and in TRACS are accurate. The resident can request SSA to correct his/her record by completing and submitting form SS-5, Application for a Social Security Card, to the local SSA office. Print and retain a copy of the report in a master “Failed the SSA Identify Test” File. The report must be documented with action taken to resolve invalid personal identifiers. When you get the messages that states “No 50059 Available) Follow the steps below.

a. Print out the TRACS page showing that the move-in did indeed go through TRACS b. Print out the pending verification report showing that the person is still pending c. Print out the page showing no 50059

Revised 08/2015

of 30

Failed EIV Pre-Screening Report - Monthly

This report provides a listing of residents who fail the EIV pre-screening test because of invalid or missing personal identifiers such as SSN, Last Name or DOB sent to TRACS. Any invalid data on this report must be corrected within 30 days of the report. Please confirm the data with the resident obtain documentation from the resident to verify any discrepant personal identifiers. Correct any discrepant information in the TRACS system. Print and retain a copy of the report in the master “Failed EIV prescreening Report” file. The report must be document with action taken to resolve invalid or discrepant personal identifiers.

NOTES: This report will include those persons who are exempt from the SSN disclosure and verification requirements. In these instances the management will note the copy of the report retained the “Failed EIV Pre-Screening Report” master file that the resident is exempt from SSN requirements.

Exempt from SSN disclosure and verification requirement:

• Resident who were 62 years of age or older as of January 31, 2010, and whose initial determination of eligibility was begun before January 31, 2010; and

• Individuals who do not continue eligible immigration status.

These individuals will continue to have a TRACS generated identification number in the SSN field. No employment or income information will be provided in EIV for these individuals.

No Income Reports (No income on the 50059 and No Income Reported by HHS or SSA) – Quarterly:

• January • April • July • October

These report is a listing of residents who passed the identify match against SSA’s records but no employment or income information was received from the match against either the SSA or NDNH records. Because no income was reported as a result of the match against SSA or NDNH records does not mean that the resident does not have income. The O/A must make sure the right questions are asked at the interview conducted with the residents at the time of rectification so that the residents is given the opportunity to disclose any income they received.

Revised 08/2015

of 30

It is now GMI’s Management’s policy to re-verify the status of residents reporting zero income quarterly. As part of the procedures for implementing the policy, the communities will use EIV to determine if the resident or any family members have income reported by HHS or SSA.

New Hires Reports- Monthly

This report provides information on households who have started new jobs within the last six months. The information in this report is updated monthly. Because resident participation in one of Multifamily Housing’s rental assistance programs are required to report changes in income when the household’s income cumulatively increases by $200 or more per month, O/A may be proactive in outreaching to their residents to report the income changes so the rent adjustments can be made in a timely manner, thus elimination/reducing the amount of retroactive rent repayments. Management must contact the resident regarding his/her new employment, and confirm with the resident that they have a new job and that the employment information in EIV is correct. If the resident agrees that the employment in EIV is correct, request the resident provide document, four consecutive pay stubs, employment confirmation letter specifying date of hire, rate of pay, number of hours worked each week, pay frequency, for use in determining the resident income or , if necessary, request third party verification from the employer. If the resident disputes the employment information in EIV, management must obtain third party verification from the employer. Process the recertification in accordance with the program requirement that includes the employment income. Retain the New Hires Summary Report in the Master “New Hires Report File along with notations as to the outcome of the contact with the resident. This must be retained in the resident file.

Deceased Reports – Monthly

This report identifies resident who are participating in one of Multifamily Housing’s rental assistance programs who are reported by SSA as being deceased. You must confirm in writing with the head of household, next of kin or emergency contact person or entity provided by the resident whether or not the person is deceased. . If the person is deceased, you must update the family composition, and income and allowances, if applicable, on the HUD-50059 and case a single member of a household, process a Move-out using HUD 50059-A will be retroactive to earlier of the 14 days after the resident death or the date the unit was vacated. Any overpayment of subsidy that was paid on behalf of the deceased resident must be repaid to HUD. Discrepant information must be corrected in the TRACS system within 30 days from the date of report.

Revised 08/2015

of 30

Encourage the resident to contact the SSA to correct any inaccurate date in their data bases if the person shown as being deceased in the SSA database is not deceased. Management must retain a copy of the report in the master “Deceased Tenant File” The report must be document with action taken for a particular resident must be retained in the resident file. This report is updated every weekend.

Multiple Subsidy Reports – Monthly

These reports allow the management to identify individuals who may be receiving multiple rental subsidies. Management must perform both search options. If the report show the resident is being assisted at another location, management must discuss this with the resident, giving the resident the opportunity to explain any circumstances relative to his/her being assisted at another location. Management must follow up with the respective PHA or O/A to confirm that the resident is being assisted at the other location. Depending on the results of this investigation, the O/A may need to take action to terminate the resident’s assistance or tenancy. Print out and retain a copy and place in the in the Master Multiple Subsidy File along with notations keep a copy in resident file.

Income Reports –Annually and Interim Certifications

Management must use at annual recertification and Interim Certifications. The report provides a variety of information about each member of a household. This report provides TRACS certification information and residents who have started new employment within the past few months, quarterly wage information for past or current employment, unemployment insurance benefits, social security benefits, Medicare premiums, and SSA disability Status. In most cases, the printed report will serve as third party verification. In the Medicare Data section there will be an N for no or Y for yes regarding a buy-in for the Medicare insurance. If the household receives medicare in that section of the income report, it will have an N or Y. The N means that the resident does not have buy-in to the medicare program, if they are receiving the benefits, it may be an out of pocket expense which needs to be verified. If there is a Y for yes, it means there has been a buy-in so it will also have a buy-in date which means the expense is being paid by an agency and/or person and it is not an out of pocket expense. If the buy-in is stopped the end date will show in medicare data area. The income report does not include other income the household may receive such as welfare benefits, most pensions, child support, etc. It should also be noted that a resident may have wages that the employer did not report to the SWA and, therefore these wages will not be contained in the new hires date base. If the resident disputes this information, you must note this on the report and follow established guidance for obtaining 3rd party verification directly from the income source. Income reports for each resident must be maintained in the resident file.

Revised 08/2015

of 30

Please note the report identifying the NDNH employment, wage and unemployment income information in EIV must be used as third party verification of the resident employment and is not to be used to calculate the resident income.

No Income Reports (No income on the 50059 and No Income Reported by HHS or SSA) – Quarterly and use the ALL months tab.

These report is a listing of residents who passed the identify match against SSA’s records but no employment or income information was received from the match against either the SSA or NDNH records. Because no income was reported as a result of the match against SSA or NDNH records does not mean that the resident does not have income. The community will have the household complete the zero income form and make sure the right questions are asked at the interview conducted with the residents during the recertification/interim process so that the residents are given the opportunity to disclose any income they received. The community will re-verify the status of residents reporting zero income quarterly. As part of this procedure, they will use EIV to determine if the resident or any family members has income reported by HHS or SSA.

Income Discrepancy Reports- Annually and Interims This report identifies residents whose wage, unemployment or social security benefits income reported in EIV is $2400 or more annually in the wages, unemployment compensation and / or social security benefit income reported by the family ad transmitted to TRACS. The O/A must retain a printed copy of the Income Discrepancy Report along with detailed information on the resolution of the reported discrepancy in the resident file. This includes information resolution of the discrepancy regardless of whether the discrepancy was found to be valid or invalid. The report identifies residents whose income may have been under-or –over reported. Negative numbers on the report represent potential resident under reporting of income while a positive number represent a potential decrease in a resident income.

Revised 08/2015

of 30

Income Discrepancy Report – Annual and Interim Certifications

Discrepancies usually fall into the following four (4) categories:

1. Discrepancies created as a result of Resident failure to disclose 2. Discrepancies created as a result of a situation that the owner/agent already knows

about. (Example: An adult full time student who reported working and we only count $480 if they are not Head, co-Head or Spouse. EIV will show more income earned which will cause a discrepancy)

3. Discrepancies created as a result of data entry errors 4. Discrepancies created because of a false hit. A “false hit” can be caused by multiple

factors.

Not all discrepancies need to be corrected but they ALL need to be investigated.

Investigating and Resolving Income Discrepancies:

Owners must investigate and confirm possible discrepancies of $ 2,400 or more as disclose on the EIV Income Discrepancy Report. They must also investigate and confirm other possible errors that may result in over or underpayment of HUD Subsidy. Management may not suspend, terminate, reduce, make a final denial of rental assistance, or take any other adverse action against an individual based solely on the data in EIV. The Owner /Agent must notify the resident of the results of third party verification and request the resident come into the office, within 10 days of notification to discuss the results. If Management determines that the resident is in non-compliance with his/her lease because he/she knowingly provided incomplete or inaccurate information, the Management must terminate the resident tenancy according to Chapter 8.

Unreported or Underreported Income:

If it is determined that a resident unreported or underreported income, you must go back to the time of the unreported or underreporting of income started, not to exceed the 5-year limitation that the resident was receiving assistance discussed on forms 9887/9887A and calculate the difference between what the resident should have paid and what was paid. This record must be provided to the resident and retained in the resident file. However, you must have on file the 50059’s that were in effect during the period(s) that the resident had unreported or underreported income, along with any supporting documents to calculate the amount the resident must reimburse the property. If you do not have the historical documents, you cannot have the resident reimburse the property for the rent. We are still obligated to reimburse HUD for the overpaid subsidy so it is critical to maintain accurate and complete resident files.

Revised 08/2015

of 30

INVESTGATING FOR RESOLVING INCOME DISCREPANCIES:

Management must investigate and confirm possible income discrepancies of $2,400 or more as disclose on the EIV Income Discrepancy Report. They must also investigate and confirm other possible errors that may result in over or underpayment of HUD subsidy. Management may not suspend, terminate, reduce, and make a final denial of rental assistance. Or take any other adverse action against and individual based solely on the data in EIV. When the resident disputes the employment and income information in EIV, then management must independently verify the disputed information by obtaining third party verification directly from the third party source.

Management must notify the resident of the results of any third party verification and requests the resident come in the office, within 10 days of notification, to discuss the results.

If management determines that the resident is in non-compliance with his/her lease because he/she knowingly provide incomplete or inaccurate information, the management must follow guidance in Chapter 8 for terminating the resident tenancy.

UNREPORTED OR UNDERREPORTED INCOME:

If Management determines the resident unreported or underreported his/her income, the O/A must go back to the time the unreported or underreporting of income started, not to exceed the 5-year limitation that the resident was receiving assistance describe on the form HUD -9887 and HUD 9887-A

Calculation of repayment amount. You must also determine the amount of back rent due by subtracting the amount of rent the resident was charged from the amount of rent the resident should have paid. Your calculation must go back to the time the resident first provided incomplete or inaccurate information, not to exceed the 5-year limitation that the tenant was receiving assistance discussed on forms HUD-9887 and HUD-9887A. You must inform the resident in writing how you calculated the repayment amount and keep the calculation in the resident's file. You must have the form HUD-50059(s) on file that was in effect during the period(s) that the resident had unreported or underreported income, along with any supporting documentation on which the calculation of the repayment amount was based. If you do not have the HUD-50059(s) on file, you cannot require the resident to repay rent for the period(s) associated with the HUD-50059(s). When unreported income is discovered, a breach of lease violation will be issued to the household. If unreported income is discovered again a 30-day notice to vacate will be issued for breach of lease.

Revised 08/2015

of 30

Payment plan. If the resident is not able to pay all of the back rent immediately in one payment, he or she must enter into a repayment plan. You must use the ONESITE Resident Repayment Agreement. The monthly payment plus the amount of rent the resident/family pays at the time the repayment agreement is executed should not exceed 40 percent of the family’s monthly adjusted income.

Example:

• Family’s monthly adjusted income is $1,230.00

• Family’s monthly rent payment is $369.00 (30% of the family’s monthly adjusted income.)

• 40% of the family’s monthly adjusted income is $492.00

• The monthly payment for the repayment agreement should not exceed $123.00 per month ($492.00 - $369.00 = $123.00) ($669.00 monthly rent + $123.00 repayment = $429.00, 40% of the family’s monthly adjusted income).

d. Failure to make payments. If the tenant fails to make a payment under the Tenant Repayment Agreement, all amounts due will accelerate, and you should begin the rent collection process.

REPAYMENT OPTIONS: There are three options.

1. Lump Sum 2. Repayment agreement 3. Combination of lump sum and repayment plan

THE REPAYMENT AGREEMENT:

Monthly payment should be what the resident can afford to pay based on income.

The resident and management must both agree to the terms of the repayment agreement.

Monthly payments should not exceed 40% of resident’s income when added to monthly rental payment.

Revised 08/2015

of 30

The agreement should include the time period to cover the amount owed based on monthly amount. For example: The monthly amount of _________ for ______ months and _____ amount for _____ months.

This written agreement must reference the lease where resident could be in non-compliance of agreement is not adhered to. It has also included the clause whereby the terms of the agreement will be renegotiated if there is a decrease or increase in the family’s income of $ 200.00 or more per month.

Late Payment constitutes default of the repayment agreement and may result in termination of assistance and /or tenancy.

This agreement must be signed and dated by the resident and management.

DISPOSITION OF FUNDS:

All funds collected from the resident must be reimbursed to HUD in accordance with Chapter 8, paragraph 8-20 of HUD Handbook 4350.3 Rev. 1. After verifying the resident’s income management must complete corrections to prior certifications affected by the income change.

1. An OARQ must be completed if payment is not made in a lump sum. To complete an OARQ, the following must be done:

2. Reverse the adjustment that was created by the correction of the prior certifications less the lump sum payment by creating an OARQ.

3. As the tenant makes payments, the O/A must enter them as negative amounts on the voucher as OARQs.

4. Subtract O/A costs 5. The comment field should explain transaction ( max. of 78 characters) Example:

Repayment – Unit 1023- John Smith - $50 collected less costs of $8.00)

MANAGEMENT COSTS:

• Management may retain up to 20% of the repayments they actually collect from the tenant. This is no longer limited to just fraud cases. The amount retained cannot exceed the lesser of:

• 20% of the collected funds • The costs associated with pursuing the retrieval of the funds • Amounts retained by the O/A must be deposited into the project’s operating account

to offset expenses incurred from the cases.

Revised 08/2015

of 30

RECORD KEEPING:

• O/As are responsible for the following: • Receipts of all amounts collected from the resident ( date and amount) • Documenting all expenses incurred • Amounts retained by the Community • Voucher adjustments indicating repayment to HUD ( voucher dates and amount of

reimbursement made to HUD)

EXAMPLES OF EXPENSES:

• Staff Time for verifying the unreported income meeting with the resident • Collection Agency Fees • Any fees generating from the requirement to meet all State requirements

REPAYING THE RESIDENT

The O/A must complete corrections to the prior certification (s) affected by the income change

The amount repaid is the difference between the amount of the rent the resident paid and the rent the tenant should have paid.

The O/A must reimburse the tenant in accordance with Chapter 8, paragraph 8-21 of Handbook 4350.3 Rev. 1

DELIQUENT REPAYMENTS

The EIV repayment agreement states that the repayments are in addition to the regular rent. Default in the monthly payment is a breach in the repayment agreement and render the repayment agreement void and the delinquent balance would be files in courts for the full amount.

MAINTAINING EIV ACCESS DOCUMENTATION

Upon obtaining EIV access, the following documents must be retained and made available to HUD/ upon request:

• Written authorization from the owner to access EIV data for the property • List of EIV Coordinator(s) and EIV User(s) who currently have access to the EIV system

Revised 08/2015

of 30

• HUD approved EIV Coordinator Access Authorization Form(s) (CAAFs) for each EIV Coordinator assigned to the property

• Security Awareness Training Questionnaire completed for each HUD approved EIV Coordinator

• EIV Coordinator approved EIV User Access Authorization Form(s) (UAAFs) for each employee assigned access to EIV data for the property

• Security Awareness Training Questionnaire completed for each EIV User assigned access to the property

• TRACS Rules Of Behavior (ROB) should be completed at the initial access and completed annually

• Rules of Behavior (ROB) should be completed for anyone reviewing the files who does not have access to the EIV system such as auditors and they need to complete this form annually.

CONTESTING RECORD PROCEDURES:

Employment and wage information reported in EIV originates from the employer. The employer reports this information to the local State Workforce Agency (SWA), who in turn, reports the information to the NDNH database. If a participant of a HUD rental assistance program disputes this information, he or she should contact the employer directly in writing to dispute the employment and/or wage information and request that the employer correct erroneous information. If employer resolution is not possible, the program participant should contact the local SWA for assistance.

Unemployment benefit information reported in EIV originates from the local State Workforce Agency (SWA). If a participant of HUD rental assistance disputes this information, he or she should contact the SWA directly, in writing to dispute the unemployment benefit information, and request that the SWA correct erroneous information.

SS and SSI benefit information reported in EIV originates from the SSA. If a participant of a HUD rental assistance program disputes this information, he or she should contact the SSA at (800) 772–1213 or visit your local SSA office. SSA office information is available in the government pages of your local telephone directory or online at http://www.socialsecurity.gov.

Revised 08/2015

of 30

Rules of Behavior (ROB)

All EIV users who have access to the EIV system must adhere to the EIV ROB signed at the time of requesting access to the EIV system.

The signed initial and current access authorization forms containing the ROB must be kept on file. Upon request, the signed forms must be made available to the entity monitoring EIV compliance.

Security Policy:

The purpose of this policy is to provide instruction and information to staff, auditors, consultants, contractors and applicants and residents for the acceptable use, disposition and storage of data obtained through EIV (Enterprise Income Verification System). This policy has been developed to ensure that EIV data is secure. This policy has been communicated to all persons with access to EIV or EIV data. This policy has been developed to ensure compliance with HUD’s security protocol regarding the three safeguard categories:

1. Technical 2. Administrative 3. Physical

Designated staff will have the responsibility of ensuring compliance with the security policies and procedures outlined in this document. These responsibilities include:

• Maintaining and enforcing the security procedures • Keeping records and monitoring security issues • Communicating security information and requirements to appropriate personnel including

coordinating and/or conducting security awareness training sessions • Conducting review of all User ID’s issued to determine if the users still have a valid need to

access EIV data and taking necessary steps to ensure that access rights are revoked or modified as appropriate

• Reporting any evidence of unauthorized access or known security breaches to designated staff and taking immediate action to address the impact of the breach including but not limited to prompt notification to designated staff. Designated staff will escalate the incident by reporting to appropriate parties including the Contract Administrator and/or HUD.

The EIV Database is part of HUD’s Secure Systems Database. Individual Users must use their own user name (MID/WASS ID) and password to access the Secure Systems database. Coordinators, who are not property owners, the agent has obtained a letter of authorization from the property owner. This letter must state that the Secure Systems Coordinator has authorization to act as the EIV Coordinator. This letter is maintained in the Corporate Office Compliance Department’s EIV file and will be available to Reviewers during the Management and Occupancy Review.

Revised 08/2015

of 30

Security Training EIV users are required to complete online security training annually. To meet this requirement, EIV users must complete the online security awareness training program identified below. At the end of the training, EIV users must print and maintain the Certificate of Completion provided.

• Click on Cyber Awareness Challenge (for DoD and Federal

Personnel) icon on the IA Education, Training and Awareness Screen. • Click on Launch Cyber Awareness Challenge Federal Version • Proceed with the training. • When the training is complete, print and maintain the Certificate of

Completion. Note: The Security Awareness Training described above is the same training required for those individuals who transmit TRACS files. If the training has been completed to satisfy TRACS security training requirements, this will also satisfy EIV security training requirements as well provided the completion date represented on the Certificate of Completion is not older than one year. Safeguarding EIV Data 1. Technical Safeguarding of Data

a. All individuals who have access to the EIV system must have a valid WASS User ID and password and must use this ID and password for

accessing the EIV system. Upon receipt of the assigned WASS User ID, an individual must then apply to be approved for access to the EIV system.

b. To assist in ensuring that only those individuals who have a need to use the EIV system to perform their job function have access to the EIV system, users must be certified to use the system:

(1) EIV Coordinators are certified at initial access and annually thereafter. (2) EIV Users are certified at initial access and bi-annually thereafter. If this certification is not made, the user’s EIV access is terminated.

c. A Security Awareness Training Questionnaire, which supplements required annual security training, must be completed at the time of initial access to the system and annually thereafter. The EIV system is designed to block the entry of those individuals who have not successfully completed the questionnaire (i.e., answered 90 percent of the questions correctly).

Revised 08/2015

of 30

2. Administrative Safeguards a. Policies and procedures must be established to govern the use of the EIV system. These procedures should address:

(1) Authorized use of the EIV system; (2) How to handle security breaches; and (3) Destruction of EIV data.

b. EIV manuals and the instructions in this Notice should be reviewed when implementing these administrative safeguards. c. Posting of bulletins and flyers can assist in communicating how sensitive EIV data is and how this data should be handled.

3. Physical Safeguards Physical safeguarding of EIV data refers to steps that must be taken to help ensure the data is safe when stored electronically or in hardcopy and when transmitting data electronically.

a. Storing and Transmitting of Electronic EIV Data (1) EIV data stored electronically must be in a restricted access directory or, if placed on portable media, labeled appropriately and encrypted using a NIST compliant vendor. Similarly, all emails containing EIV data must be encrypted using a NIST compliant vendor. A list of compliant vendors can be found at: http://csrc.nist.gov/groups/STM/cmvp/documents/140- 1/1401vend.htm. (2) The full nine-digit SSN for a tenant must not be included in emails or other electronic communications.

Note: The downloading of EIV data to mobile devices is not allowed for IPAs.

b. Hardcopy EIV Data EIV data that is printed out must not be left unattended. The documents should be retrieved as soon as they are printed and, if possible, use a restricted printer, copier, or facsimile machine. When faxing EIV data, ensure there is someone waiting and ready to retrieve the fax as soon as it is received (printed). When mailing EIV data, the data must be sent to an office of the O/A. EIV data must not be mailed to Independent Public Auditor offices (see Section XII.A.3).

Revised 08/2015

of 30

c. Computer Security The EIV system is set up to time out after 30 minutes of inactivity. This automatic safeguard should not be the only security measure taken. Individuals who use the EIV system should use a password protected screensaver and lock their computer when leaving their workspace. A user should not leave a computer unattended with EIV data displayed on the screen. It is also recommended that the EIV system be exited using the “X” at the top right of the screen which will remove the user from the entire WASS system. d. Destroying EIV data EIV data must be destroyed as soon as it has served its purpose as prescribed by HUD’s policies and procedures and in accordance with HUD’s prescribed retention period. Shredding, burning or pulverizing are all examples of acceptable ways to destroy EIV data.

Technical Safeguards:

• Each coordinator/user must have a valid WASS User ID and password • IDs and passwords must not be shared • No one may access the system using another users identity • Each user must provide an application access authorization form (CAAF or UAAF) • Access to data is restricted based on EIV role (EIV Coordinator or EIV User) • Access is limited based on need to know • Users understand that access and activity are monitored and audited

Administrative Safeguards:

• The Equity Management has established standard operating procedures for use of data • Employment and income data is used for certification and compliance purposes only • Users may not share data with others who do not have a need to know • Users will check to see if applicant/resident is receiving assistance under another program

at a different location • Equity Management will monitor access

o Obtain and retain owner approval letters o Approved/current signed access authorization form o Conduct periodic reviews to see if user still has a valid need to access the EIV

data o Modify or revoke rights as appropriate o Assign Access Ensure access rights and responsibilities are appropriate

Revised 08/2015

of 30

• Ensure that a signed copy of form HUD-9887 is on file for all adults living in the unit • Destroy EIV information when it is no longer needed • Ensure all EIV users receive security training at time of implementation and at least

annually thereafter • Communicate security information

o Posters o Security bulletins o Discussion groups o Distribution of EIV manuals

• Detect, deter, and report improper disclosures, unauthorized access, or security breaches to The Director of Compliance who will report as necessary to:

o HUD’s Multifamily Help Desk o HUD’s Security Officer o TRACS/EIV mailbox: [email protected] o Mail to: Department of Housing and Urban Development Office of Multifamily

Housing o Notify the Office of Inspector General (IG)

E-mail it to [email protected].

Equity Management has also implemented the following processes to ensure compliance with HUD’s

Physical Safeguard requirements:

• Designated secure areas • Restricted use of printers, copiers, facsimile machines, etc. • Controlled access to areas containing EIV information • How to secure computer systems and output

o If any EIV data is converted to an electronic format, it must be encrypted o All emails including EIV data must be encrypted o Store downloaded EIV data in a separate, restricted access directory o Label CDs containing EIV data “confidential” or “For Official Use Only” o Lock in secure place

• Users must retrieve all computer printouts as soon as they are generated so that EIV data is not left unattended • Keep printouts locked up • Printouts should not be transported from premises • Avoid leaving a computer unattended with EIV data displayed on screen • Lock computer/Log off/Exit the system when not going to be at desk or when finished for

the day (EIV will time-‐out after 30 minutes of inactivity) • Use a password-‐protected screensaver

Revised 08/2015

of 30

• Secure disposal of EIV information

o Destroy as soon as it has served its purpose or as prescribed by HUD’s policies and procedures

o Burn/shred o Keep log of destroyed data

§ Date destroyed § How destroyed § By whom

PHYSICAL SECURITY REQUIREMENTS: Equity management may use a combination of methods to provide physical security for resident file records. The EIV data may be maintained in a locked metal file cabinet within a locked file room. Restricted Areas: Management will have the areas clearly identified by the use of prominently posted signs or other indicators. For example “Employees Only”. This sign will be posted on the door to the locked file room. The restricted areas will be separated from non-‐restricted areas by physical barriers that control access and/or will have limited points of entry.

Since the EIV data in resident files is maintained in the locked room, designated staff will establish and maintain a key control log to track the inventory of keys available, the number of keys issued and to whom the keys are issued. All employees and contractors who have been issued keys to the file room will complete a form acknowledging the receipt of the key Users will retrieve computer printouts as soon as they are generated so that EIV data is not left unattended in printers or fax machines where unauthorized users may access them. EIV data will be handled in such a manner that it does not become misplaced or available to unauthorized personnel.

LIMITING ACCESS TO EIV DATA: User accounts for the EIV system will be provided on a need-‐to-‐know basis, with appropriate approval and authorization.

EIV System Coordinators: Before accessing EIV, the Secure Systems Coordinators will obtain a letter/memo from each property owner indicating that the owner gives permission for the Secure Systems Coordinator to act as the EIV coordinator. Once that permission is obtained, the Coordinator will:

• Review the EIV training material provided by HUD • Participate in EIV Security Training from HUD or another source • Read the EIV Use Policy

Revised 08/2015

of 30

Upon completion of these tasks, the EIV Coordinator will submit to HUD, the appropriate Coordinator Access Authorization Forms. Upon receipt of HUD approval, the EIV Coordinator will complete the EIV Coordinator setup process

EIV Users

Before requesting EIV User access, appropriate staff will:

• Review the EIV training material provided by HUD • Participate in EIV Security Training from HUD or another source • Read the EIV Use Policy

Upon completion of these tasks, the EIV User will submit, to the EIV Coordinator, the appropriate User Access Authorization Form. The EIV Coordinator will confirm that the steps listed above have been completed. Once the tasks are satisfactorily completed, the EIV Coordinator will complete the appropriate steps to provide EIV access to the user. In accordance with HUD requirements, the user’s need for access will be reviewed on a semiannual basis.

At least once a year, staff with EIV access will be required to:

• Participate in training that includes a review of the EIV security requirements and • Complete the EIV Security Awareness Training Questionnaire

Management will restrict access to EIV data only to persons whose duties or responsibilities require access. EIV Coordinators will be required to request re-‐certification on an annual basis. EIV Coordinators are authorized to provide access only to those individuals directly involved in the resident certification process and/or compliance monitoring. EIV Coordinators will carefully review initial and quarterly requests for access and certify only those users who will need access within the next 6 months. In some cases, EIV information may be provided to auditors charged with ensuring the owner/agent’s compliance with HUD requirements. In these cases, the auditor will be required to review and sign the property’s Privacy Policy for Auditors and will be required to sign the HUD Rules of Behavior document. These documents will be maintained in the property’s Master EIV File. In addition, the auditor’s access will be noted company Log for review during the Management & Occupancy Review. Management will maintain a record of users who have approved access to EIV data. Further, management compliance department will revoke (Terminate) the access rights of those users who no longer require such access. The HUD 9887 Fact Sheet will be provided to all adult household members required to sign the form. By signing this HUD Form 9887 and HUD Form 9887-‐A, the applicant/resident authorizes HUD and/or the owner/agent to obtain and verify income and unemployment compensation information from various sources including, but not limited to, the IRS, the Department of Health and Human Services and the Social Security Administration and state agencies. At the final eligibility interview and at each annual certification, management will provide a copy of the EIV and You Brochure so that the household is

Revised 08/2015

of 30

adequately informed about the EIV verification process and so that the resident’s understand the penalty for failing to fully disclose income information.

Management will assure that a copy of Form 9887 and Form 9887-‐A has been signed by each member of the household age 18 years or older. The 9887 will be presented at the final eligibility determination, at move-‐in and/or initial certification and at each annual certification. If a household member turns 18 in the middle of a certification cycle, that household member will be required to sign Form 9887 and Form 9887-‐A within 30 days of turning 18 at the next certification. (See HUD 9887 Fact Sheet for exceptions due to extenuating circumstances) All HUD-‐9887’s will be placed in a resident file and will be updated on at least an annual basis for each adult household member.

Computer System Security Requirements: All computer systems and computers will have password restricted access. Passwords must be no fewer than 8 characters and must include: At least one lower case letter At least one upper case letter At least one number or character such as a dash or exclamation point The owner/agent will also use Antivirus software to limit data destruction or unintended transmission via virus, worms, Trojan horses or other malicious means. Remote access by other computers other than those specifically authorized is prohibited. Authorized users of EIV data are directed to avoid leaving EIV data displayed on their computer screens where unauthorized users may view it. A computer will not be left unattended while the user is “logged in” to Secure Systems. If an authorized user is viewing EIV data and an unauthorized user approaches the work area, the authorized user will lessen the chance of inadvertent disclosure of EIV data by logging out of Secure Systems or minimizing or closing out the screen on which the EIV data is being displayed.

User Names, Passwords and Password Changes: Many systems require frequent changes to passwords. Secure Systems / EIV passwords will be changed in accordance with HUD Secure Systems requirements. Users will not share passwords with any other employee or with anyone outside the organization. EIV access granted to an employee or authorized user will be revoked when access is no longer required or prior to termination of that employee or user to ensure data safety. Termination of EIV access and un-‐assigning property access through “Property Assignment Maintenance” is required. The EIV file will be documented to indicate when user access was terminated by the EIV Coordinator. Documentation of termination will be maintained in the property EIV file.

Revised 08/2015

of 30

DISCLOSURE OF EIV INFORMATION: The EIV Social Security (SS), Supplemental Security Income (SSI), new hires (W-‐4), wage, and unemployment compensation information contained in the EIV system may only be used for limited official purposes.

§ By Contract Administrators (CAs) for monitoring and oversight of the resident recertification process

§ By the Office of the Inspector General (OIG) for investigative purposes. § By owners/agents (O/As) for verifying the employment and income at the time of certification for

residents participating in one of HUD’s rental assistance programs

EIV Data may is disclosed to:

• Private owners • Management agents • Service Bureaus • Contract Administrators • HUD staff • HUD Office of Inspector General (OIG) for investigative purposes • Individual to whom the record pertains

EIV income data may only be used for:

• Verification of employment and income at certification • Discrepancy monitoring as described in the EIV Use Policy •

Under no circumstances may users or coordinators provide access to the system by sharing the user name/password combination. Owner/agents must not disclose data in any way that would violate the privacy of the individuals.

EIV data must not be disclosed (or re-‐disclosed) to any third parties such as the local Welfare office, DFCS, etc. Willful disclosure or inspection of EIV data can result in civil and criminal penalties.

Revised 08/2015

of 30

• Unauthorized disclosure – felony conviction and fine up to $5,000 or imprisonment up to five (5) years, as well as civil damages

• Unauthorized inspection – misdemeanor penalty of up to $1,000 and/or one (1) year imprisonment, as well as civil damages

Official use does not include using the EIV data for certifying residents under the Low Income Housing Tax Credit (LIHTC) or Rural Housing Services (RHS) Section 515 programs. Neither the Internal Revenue Service (IRS) nor RHS are a party to the computer matching agreements HUD has with the Department of Health and Human Services (HHS) and with the Social Security Administration (SSA).

The fact that there is financing through other federal agencies involved in a particular property under one of the authorized HUD programs does not permit that federal agency to use or view information from the EIV system for certifying residents for their programs or for monitoring purposes.

Management has created separate files for HUD Programs.

USE AND HANDLING OF EIV DATA: EIV Data serves two purposes:

1. Verification of specific income information provided by the resident 2. Monitoring resident and staff compliance

Use of the data is described in the EIV User Policies. This policy is designed to describe the security protocol used to protect EIV data.

EIV Data will be used only to administer HUD programs. The data in EIV is not to be used to assist with eligibility determination or compliance monitoring for any other programs including those administered by the IRS (Tax Credit) or Rural Development (515).

EIV Printouts: Reports available through EIV will be printed to a shared printer the appropriated staff plans to immediately retrieve the data. Some communities EIV printouts are sent to the user’s personal printer. EIV printouts will be stored in the resident file for the term of residency and for three years after residency ends.

In addition to use by the owner/agent, EIV reports may also be used by Contract Administrators (CAs) (Performance Based Contract Administrators (PBCAs), Traditional Contract Administrators (TCAs) and HUD staff) for monitoring compliance with the recertification process; independent public auditors (IPAs) auditing an owner’s compliance with HUD’s verifying income and the accuracy of rent/subsidy determinations; and, the Office of Inspector General (IG) for auditing purposes.

Revised 08/2015

of 30

EIV Income Reports are retained in the resident file for the term of tenancy and for three years after tenancy ends. Because the property also participates in other housing assistance programs (LIHTC) Management has taken special precautions to ensure the security of the EIV printouts. EIV printouts / HUD Files will be maintained in a separate resident file Folders.

Providing EIV Printouts to Auditors: Independent auditors (IPAs) are approved to view EIV information, when hired by an owner to perform the financial audit of the project, for use in determining the owner’s compliance with verifying income and determining the accuracy of the rent and subsidy calculations.

Restrictions on disclosure requirements for IPAs:

(a) Can only access EIV income information within hard copy files and only within the offices of the owner or management agent;

(b) Cannot transmit or transport EIV income information in any form;

(c) Cannot enter EIV income information on any portable media;

(d) Must sign non-‐disclosure oaths (Rules of Behavior) that the EIV income information

will be used only for the purpose of the audit; and (e) Cannot duplicate EIV income information or re-‐disclose EIV income information to

any user not authorized by Section 435(j) (7) of the Social Security Act to have access to the EIV income data.

Providing EIV Printouts to Residents: If a resident requests a copy of their own EIV printout, a copy will be produced. The staff person providing the copy will note that the printout is a copy provided to the resident upon request. This note will include the following:

• This is not an original, this is a copy provided to: Resident Name • On ___________ ____, 20__ • By_____________________(name will be printed) • Resident Initials_____________

Revised 08/2015

of 30

Providing EIV Printouts to Individuals Supportive of residents: In some cases, residents require additional support from individuals during certification; the supporting individuals may or may not be part of the resident’s family. These include but are not limited to:

• Service coordinators • Translators • Guardians providing supportive services to residents with disabilities

If there is need to provide copies of EIV printout to those individuals so that they may assist with the certification process, the resident must sign a separate Release of Information Authorization Form that specifically identifies, by name, the person providing supportive service. The Authorization will also specify that the information is being provided solely to support HUD certification activity. The resident must sign and date the authorization. Authorized individuals who are associated with the owner or the owner’s agent will also sign a copy of the EIV Rules of Behavior. The staff person providing the copy will note that the printout is a copy provided to the resident upon request. This note will include the following:

• This is not an original, this is a copy provided to: Resident Name • On ___________ ____, 20__ • By_____________________(name will be printed) • Recipient Initials_____________

ELECTRONIC INFORMATION FROM EIV In some cases, there may be a need to send or store EIV information electronically. In these cases, all electronic versions of EIV information will be encrypted. If there is need to store the information on a hard drive, a specific folder will be created. The folder will be password protected to prevent unauthorized access. Information in the folder will be purged periodically to comply with HUD’s EIV file retention policies.

Revised 08/2015

of 30

DISPOSAL OF EIV INFORMATION: EIV data will be destroyed in a timely manner based on the information provided in HUD’s published EIV training materials, HUD Handbook 2400.25, REV-‐2: HUD Information Technology Security Policy, dated October 1, 2008, HUD notices or as prescribed by the owner/agent’s policy and procedures. The owner/agent’s policy and procedures will not allow data retention that is longer than the time allowed in the published HUD materials. Information about use of EIV information and how printouts were destroyed will be maintained in the EIV file. Reporting Improper Disclosures

Recognition, reporting, and disciplinary action in response to security violations are crucial to successfully maintaining the security and privacy of the EIV system. These security violations may include the disclosure of private data as well as attempts to access unauthorized data and sharing of passwords.

Upon the discovery of a possible improper disclosure of EIV information or other security violation by an employee or any other person, the individual making the observation or receiving the information will contact the EIV Coordinator who will document all improper disclosures in writing providing details including who was involved, what was disclosed, how the disclosure occurred, and where and when it occurred. The EIV Coordinator will immediately review the report of improper disclosure and, if appropriate, the EIV Coordinator will remove EIV access.

Improper disclosure of any information is grounds for immediate termination. All employees must carefully review the EIV Access Authorization Form or the Rules of Behavior to understand the penalties for improper disclosure of EIV data.

RETENTION OF EIV REPORTS: Management must retain the Income Report, the Summary Report(s) showing Identity Verification Status as “Verified” and the Income Discrepancy Report(s) and supporting documentation must be retained in the tenant file for the term of tenancy plus three years.

Any tenant provided documentation, or other third party verification of income, received to supplement the SSA or NDNH data must be retained in the tenant file for the term of tenancy plus three year

Results of the Existing Tenant Search must be retained with the application:

(a) If applicant is not admitted, the application and search results must be retained for three years.

Revised 08/2015

of 30

(b) If applicant is admitted, the application and search results must be retained in the tenant file for the term of tenancy plus three years.

The master files for the New Hires Report, Identity Verification Reports, Multiple Subsidy Report and Deceased Tenants Report must be retained for three years.

The current Policies and Procedures are subject to change according the HUD updates

By signing below I have read understand and will adhere to this Enterprise Income Verification (EIV) Policy.

_____________________________ ______________________

Resident Date

_____________________________ _______________________

Resident Date

____________________________ _______________________

Resident Date

___________________________ _______________________

Resident Date

___________________________ ________________________

Management Date

Revised 08/2015

of 30

grady!management!inc.! enterprise!income ... eiv and you brochure is to be given with all...

Documents