Death Master File — NTIS Certification Program

The Death Master File (DMF) is the Social Security Administration's database of deceased persons — a comprehensive record of reported deaths linked to Social Security numbers, dates of birth and death, names, and last known addresses. For decades, this data was freely available for purchase from NTIS (the National Technical Information Service) and used widely for fraud detection, identity verification, genealogical research, and actuarial analysis. But a significant problem emerged: deaths in the Social Security records were appearing publicly before families had been notified — enabling identity thieves to open fraudulent accounts and claim benefits in a deceased person's name before the death was even announced. The Bipartisan Budget Act of 2013 (Section 203, codified at 42 U.S.C. § 1306c) responded by restricting access to the most sensitive portion — death records less than three years old — to a certified class of users with legitimate fraud prevention purposes. NTIS implements that certification requirement through 15 CFR Part 1110. The program creates a two-tier DMF: the "Public DMF" (deaths more than three years old, freely available) and the "Limited Access DMF" (deaths within the past three years, restricted to certified users only).

Current Rule (2026)

Parameter	Value
Citation	15 CFR Part 1110
Issuing agency	National Technical Information Service (NTIS), Department of Commerce
Statutory authority	42 U.S.C. § 1306c (Bipartisan Budget Act of 2013, § 203)
Restricted data	"Limited Access DMF" — SSA death records less than 3 years old
Certification requirement	Persons and entities must be certified by NTIS before accessing Limited Access DMF
Eligible purposes	Fraud prevention, identity theft detection, death benefit administration, and similar legitimate uses
Annual audit	Certified users subject to annual compliance audits
Fee basis	Access is fee-based; NTIS sets fees to cover program costs
False certification penalty	Civil and criminal penalties for false statements in certification applications
Public DMF	Deaths more than 3 years old remain publicly available without certification

What This Rule Does

Before 2013, SSA reported deaths to NTIS, which made the complete DMF available for purchase to anyone willing to pay the subscription fee. Insurance companies, banks, pension administrators, and genealogists were the primary legitimate users — they needed to know whether a policyholder, account holder, or ancestor had died. Researchers and journalists used the DMF to document fraud and mortality patterns. But the open availability created a vulnerability: a death record appearing in the DMF before the family had announced the death gave fraudsters a window to file tax refunds, open credit accounts, and claim benefits using a fresh Social Security number linked to a name that would not yet trigger identity theft alerts.

The 2013 restriction addressed this by splitting the DMF: records of deaths reported within the past three years became the "Limited Access DMF," available only to certified users with demonstrated legitimate purposes. Deaths more than three years old remained part of the public record. NTIS administers the certification program — vetting applicants, issuing certifications, conducting annual audits, and managing access.

Who may be certified: organizations and individuals whose primary use is one of the statutory eligible purposes: fraud prevention, identity theft detection, pension or benefit administration, law enforcement, or other purposes consistent with the Act. News organizations, genealogical researchers, and academic researchers are not eligible for Limited Access DMF; they retain access only to the public (3-year-old) records.

Key Provisions

§ 1110.100 — Scope: Part 1110 governs access to the "Limited Access Death Master File" — that portion of SSA's death records less than 3 years old; the Public DMF (deaths ≥3 years) remains unrestricted and is not covered by Part 1110; NTIS administers access on behalf of SSA
§ 1110.101 — Definitions: "Certified Person" means an individual or entity that has received NTIS certification to access the Limited Access DMF; "immediate family member" includes spouse, parent, child, or sibling of the deceased (they may access their own family member's record without certification); "Limited Access DMF" is defined by the 3-year rolling window — as time passes, records move from restricted to public automatically
§ 1110.102 — Certification requirements: to be certified, an applicant must demonstrate: (1) a legitimate fraud prevention purpose (fraud detection, identity verification, benefit payment integrity, similar financial or legal use cases); (2) adequate information security safeguards protecting the data from unauthorized access or disclosure; (3) a commitment to no unauthorized re-disclosure — certified users may not share Limited Access DMF data with uncertified third parties; (4) willingness to undergo annual audits of data security practices and usage; the certification covers the applicant organization, not individual employees — organizations are responsible for internal access controls
§ 1110.200 — Penalties for false certification: any person who makes a false statement in a certification application or annual audit submission is subject to civil penalties and, for willful violations, criminal prosecution under 18 U.S.C. § 1001 (false statements to federal agencies); civil penalties may be assessed per violation
§ 1110.201 — Annual audits: all certified users are subject to annual compliance audits conducted by NTIS or accredited conformity assessment bodies; audits verify that: (a) the certified user continues to meet the eligibility requirements; (b) data security safeguards remain in place and meet current standards; (c) the Limited Access DMF is being used only for authorized purposes; (d) no unauthorized disclosures have occurred; failure to cooperate with an audit or findings of material non-compliance can result in certification suspension or revocation
§ 1110.300 — Application procedures: applicants submit a certification application to NTIS documenting their organizational structure, the specific fraud prevention use, their data security infrastructure, and a signed agreement to comply with all Part 1110 requirements; NTIS reviews applications and may request additional information; certifications, once granted, are renewable annually conditioned on the audit
§ 1110.400 — Fees: NTIS charges fees for Limited Access DMF access sufficient to cover the program's administrative costs; fee schedules are published separately and updated periodically; fees cover data delivery, certification processing, and ongoing audit oversight; the fee structure reflects NTIS's cost-recovery mandate under the American Technology Preeminence Act
§§ 1110.500–1110.504 — Accredited conformity assessment bodies: NTIS may designate third-party organizations as accredited conformity assessment bodies (ACABs) authorized to conduct the annual audits in lieu of NTIS directly; ACABs must be accredited by a recognized national accreditation body (e.g., ANAB — ANSI National Accreditation Board); NTIS publishes a list of currently accredited ACABs; certified users may select any ACAB from the list to conduct their annual audit; ACAB findings are reported to NTIS and become part of the certified user's compliance record

How It Affects You

If you work in financial services, insurance, or benefits administration: The Limited Access DMF is a critical fraud prevention tool for detecting "synthetic identity fraud" — where criminals combine a deceased person's Social Security number with a fabricated name and date of birth to create a new fraudulent identity. If your organization performs identity verification at account opening, benefit enrollment, or payment processing, you likely need (or already have) NTIS certification to access the Limited Access DMF. The 3-year restriction is the sensitive window — most fraudulent use of deceased persons' identities occurs within months of death, before the information reaches public records. Review whether your current vendor contracts include Limited Access DMF data and whether the vendor is properly certified; downstream recipients of DMF data from a certified primary user must also be certified.

If you are a genealogical researcher, journalist, or academic: The Part 1110 certification program excludes non-fraud-prevention uses. You retain access to the Public DMF (deaths more than 3 years old) which covers the vast majority of historical records. The SSA Death Index accessible through genealogical platforms (Ancestry, FamilySearch) is primarily drawn from the Public DMF. For recent deaths — journalists investigating fraud schemes or researchers studying mortality patterns — the 3-year delay before records move to the public tier creates a research gap that was not present before 2013.

If you are an executor, surviving spouse, or immediate family member: You may access a deceased family member's DMF record (to verify accuracy, correct errors, or document estate matters) without going through the NTIS certification process — immediate family members have direct access rights under the statute. Contact SSA directly to request or correct a death record. If you believe SSA's records incorrectly show a living person as deceased (a significant administrative problem that can freeze Social Security benefits and banking access), contact SSA's Office of Central Records Operations to initiate a correction; do not wait for the record to cycle off the restricted list.

If you run a compliance, RegTech, or identity verification firm: The Part 1110 certification program creates a recurring compliance obligation — not just a one-time credential. Annual audits, data security standards, and the prohibition on unauthorized re-disclosure mean DMF access requires ongoing operational investment. The accredited conformity assessment body (ACAB) pathway means you can use a third-party auditor rather than waiting for NTIS directly, which can reduce audit scheduling delays. If you are building a product that incorporates DMF data and reselling it, each downstream customer who receives Limited Access DMF data must independently be certified — a pass-through model where only you hold the certification and customers receive raw death records does not comply with Part 1110.

Legal Authority

42 U.S.C. § 1306c — Restriction on access to Death Master File; enacted as § 203 of the Bipartisan Budget Act of 2013; directs the Secretary of Commerce (through NTIS) to establish a certification program restricting access to SSA death records less than 3 years old; authorizes fees, audits, civil monetary penalties ($1,000/violation up to $250,000/year), and third-party conformity assessment bodies; defines eligible purposes and immediate family member exemptions
5 U.S.C. § 552a — Privacy Act; SSA's death records include SSNs and personal information; the Privacy Act's protections apply to SSA's own systems; Part 1110 creates a separate access-control layer for NTIS distribution
15 CFR Part 1110 — NTIS implementing regulations for the DMF certification program; governs application, eligibility criteria, permissible uses, audit requirements, and penalties

Key Mechanics

The Death Master File (DMF) is SSA's database of reported deaths linked to SSNs, names, dates of birth and death, and last known addresses. 42 U.S.C. § 1306c (Bipartisan Budget Act of 2013) created a two-tier access system: (1) Public DMF — deaths more than three years old; freely available through NTIS; used for genealogical research, actuarial analysis, and general fraud prevention; (2) Limited Access DMF (LADMF) — deaths within the past three years; access restricted to entities certified through NTIS's Part 1110 program. Certified access requires: demonstrating a fraud prevention purpose (financial institutions, government agencies, benefit programs, insurance companies, healthcare providers verifying beneficiary status); execution of a data user agreement with NTIS; submission to audits verifying appropriate data use and security; and prohibition on re-disclosure — certified users cannot share LADMF data with uncertified third parties, pass it to vendors, or use it for non-certified purposes. Accredited Conformity Assessment Bodies (ACABs) — third-party organizations approved by NTIS — conduct compliance audits and certify user adherence to program requirements. Violations carry civil monetary penalties of up to $1,000 per violation, up to $250,000 per calendar year. Immediate family members of recently deceased persons may request information about a specific decedent without certification. The 3-year restricted window is statutory — NTIS cannot modify it through rulemaking.

Statutory Authority

This rule implements:

42 U.S.C. § 1306c — Restriction on access to Death Master File: enacted as Section 203 of the Bipartisan Budget Act of 2013; directs the Secretary of Commerce (through NTIS) to establish a certification program restricting access to SSA death records less than 3 years old; authorizes fees, audits, penalties, and third-party conformity assessment bodies; defines eligible purposes and immediate family member exemptions
5 U.S.C. § 552a — Privacy Act: SSA's death records contain Social Security numbers and personal information; the Privacy Act's protections apply to SSA's own systems; NTIS's role as a distributor creates a separate layer of access controls that the Privacy Act does not directly address but that Part 1110 fills

Recent Rulemakings

15 CFR Part 1110 was established pursuant to the 2013 statutory mandate and has remained substantively stable. NTIS has updated the ACAB accreditation requirements and fee schedules administratively. The 3-year restricted window was set by Congress and cannot be changed by NTIS rulemaking; any modification would require statutory amendment.

Pending Action

Congressional interest in expanding Death Master File access restrictions — or conversely in making the full DMF freely available again for transparency purposes — periodically surfaces in hearings on federal data policy and identity theft prevention. No legislation amending 42 U.S.C. § 1306c has been enacted as of 2026.