Debt Management System

Name of project

Debt Management System

Unique project identifier


Privacy Impact Assessment Contact

Office of Payment and Recovery Policy
Office of Financial Policy and Operations
Social Security Administration
6401 Security Boulevard
Baltimore, MD 21235

System background description or purpose

The Debt Management System (DMS) is a Social Security Administration (SSA) certified and accredited Major System consisting of several sub-systems that we describe within this assessment. 

DMS is a collection of automated financial management systems that record, classify, summarize, and consolidate SSA's program debt activities and debt collection responsibilities, including overpayments and payments certified to the Department of the Treasury (Treasury).  The purpose of these systems is to provide timely resolution, control, and accounting of program debts owed, and to provide management information that supports strategic use of SSA's resources to minimize overpayment occurrences.

Describe the information we collect, why we collect the information, how we use the information, and with whom we share the information.

DMS manages and controls recovery, collection, and reporting of overpayments owed to SSA by beneficiaries of Retirement, Survivors, and Disability Insurance (RSDI) Title II and Supplemental Security Income (SSI) Title XVI programs.  This system includes information about:  beneficiaries who are responsible for the debts (e.g., names, addresses and Social Security numbers); SSA actions taken against the debts, including the amounts collected and written-off; methods of debt collection; and, debtor requests for due process.  When SSA detects an overpayment, it attempts to recover the overpayment amount by withholding a beneficiary’s benefits.  If benefit withholding is not an option, then appropriate DMS applications are used for either billing or external collections. 

We generally disclose the information described above to process payments to individuals to whom SSA owes monies or, alternatively, to collect payments from individuals who owe monies to SSA, or as authorized by Federal law.  DMS is not accessible to members of the public.

DMS consists of the following subsystems and their corresponding technologies:

Subsystem Name

Summary of Subsystem Function

Accounts Receivable System (ARS) II

ARS II tracks and monitors the status of Title II funds due from the Treasury so that they can be included in the SSA general ledger as accounts receivables.

External Collections Operations (ECO)

The ECO subsystem enables collection and recovery of an individual’s delinquent SSA debt by referring to credit bureaus, initiating an Administrative Wage Garnishment, Federal Salary Offset, or utilizing the government’s Treasury Offset Program. 

Non-Entitled Debtor (NED)

A NED is a person or entity that owes a debt to SSA that does not result from his or her own entitlement to Social Security benefits or Supplemental Security Income payments.

Recovery and Collection of Overpayments Process (RECOOP)

The RECOOP subsystem facilitates recovery of Title II and Title XVI debts that cannot be recovered via benefit offset because the recipients are not in current benefit payment status. 

Recovery of Overpayments, Accounting, and Reporting (ROAR)

The ROAR subsystem is responsible for the establishment, recovery, and accounting of Title II overpayments.

Debt Management (DM) Conversion

The DM Conversion subsystem allows field personnel to enter online Title II debt management information and prepare the data for input to ROAR, and other debt management transaction data to RECOOP, the Remittance Process, and ECO.

Remittance Process

The Remittance Process subsystem facilitates recording, maintaining, and tracking of remittance data from beneficiaries who have received benefit overpayments.

Describe the administrative and technological controls that we have in place to secure the information we collect.

DMS has undergone authentication where SSA requires that DMS users authenticate to the SSA network using their SSA issued 6-digit PIN and password or their PIV credential. The user must also hold the necessary assigned system profiles to be granted authorization to the DMS system.  

DMS has also undergone security risk analyses that incorporates an evaluation of security and audit controls proven effective in protecting the information collected, stored, processed, and transmitted by our information systems.  These include technical, management, and operational controls that permit access to those users who have an official “need to know.”  Audit mechanisms are in place to record sensitive transactions as an additional measure to protect information from unauthorized disclosure or modification.  SSA requires that DMS users authenticate to the SSA network using their SSA issued 6-digit PIN and password or their PIV credential. 

SSA provides annual security awareness training to all appropriate employees and contractors that includes reminders about the need to protect personally identifiable information (PII) and the criminal penalties that apply to unauthorized access to, or disclosure of, PII.  See 5 U.S.C. § 552a(i)(1).  Furthermore, employees and contractors with access to databases maintaining PII must annually sign a sanctions document that acknowledges their accountability for inappropriately accessing or disclosing such information.

Describe the impact on persons’ privacy rights. 

We collect information only where we have specific legal authority to do so in order to administer our responsibilities under the Social Security Act.  When we collect personal information from individuals, we advise them of our legal authority for requesting the information, the purposes for which we will use and disclose the information, and the consequences of not providing any or all of the requested information.  The individuals can then make informed decisions as to whether or not they should provide the information.

Do we afford individuals an opportunity to consent to only particular uses of the information?

When we collect a person’s information, we advise that person of the purposes for which we will use the information.  We further advise them that we will disclose the information without their prior written consent only when we have specific legal authority to do so (e.g., the Privacy Act).   

Does the collection of this information require a new system of records under the Privacy Act (5 U.S.C. § 552a) or an alteration to an existing system of records?

The DMS does not require a new Privacy Act system of records or an alteration to an existing system of records.  DMS uses information collected and maintained for business purposes related to other Privacy Act systems of records:  Master Beneficiary Record (60-0090); Supplemental Security Income Record and Special Veterans Benefits (60-0103); and Recovery of Overpayments, Accounting and Reporting (60-0094). 


/signed/                                                                  08/29/2018                       

Mary Ann Zimmerman                                           DATE
Acting Executive Director
Office of Privacy and Disclosure



Daniel F. Callahan for                                              09/04/2018

Asheesh Agarwal                                                     DATE
General Counsel
Senior Agency Official for Privacy