SOC 2 Meets Death Master File Certification Requirements

The System and Organization Controls (SOC) framework may be mapped to the requirements of the National Technical Information Service’s (NTIS) Limited Access Death Master File (LADMF) certification. Businesses that choose SOC 2 to achieve their LADMF certification may also benefit from the marketing value of a SOC 2 attestation, which demonstrates a commitment to accessing and processing client data in a secure manner.

The LADMF certification has many practical uses across industries, such as insurance, banking, health care, the public sector, and investment management. Organizations commonly use the data to help prevent fraud and validate certain financial transactions (e.g., to stop payment of annuities or retirement benefits upon death, validate death claims, and research unclaimed property). Given the sensitivity of the data, the NTIS requirements are intended to protect the personally identifiable information of deceased citizens.

Death Master File Attestation

Organizations seeking access to the LADMF are required by NTIS to self-certify annually that they have designed and implemented controls for the receipt and maintenance of the LADMF. These organizations must also undergo an independent assessment by an Accredited Conformity Assessment Body (ACAB) every three years to ensure that the controls are adequate to secure LADMF information. Further, these organizations are subject to scheduled and unscheduled audits by the NTIS, with steep penalties levied for violations of the rule.

SOC 2 is a voluntary compliance standard for service organizations, developed by the American Institute of CPAs (AICPA), which specifies how organizations should manage customer data. The framework is based on the following Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.

The SOC 2 criteria may be mapped to the assessments required by NTIS, which gives entities the benefit of being SOC 2 compliant while simultaneously meeting the requirements for access to the LADMF.

Choosing the SOC 2 compliance framework helps organizations meet their Death Master File requirements and adds value when marketing to new customers. Customers often require a SOC 2 from organizations with whom they work, especially for cloud-based services, to ensure their data is protected.

AAFCPAs is an ACAB with extensive experience assisting those seeking certification and access to the LADMF.

If you have questions about your DMF assessment or a SOC 2 attestation, please contact Andrew Mathieson at 774.512.9089, or your AAFCPAs Partner.

About the Author

Andrew is a seasoned IT risk & cybersecurity advisor and a leader in AAFCPAs’ Business Process & IT Consulting Practice, responsible for providing information risk management, cybersecurity, and special IT attestation solutions. He helps clients—and those charged with governance and risk management—navigate their digital ecosystem with confidence. This confidence enables further innovation through technology! Andrew has extensive experience providing direction, supervision, performance, and review of audit engagements, including SOC 1, SOC 2, SOC for Cybersecurity, and SOC 2+HIPAA. He also provides HITRUST Certification examinations and assessments, GDPR assessments, FFIEC assessments, GLBA assessments, HIPAA assessments, internal risk assessments, and SOX 404 audits. He renders these services across a variety of industries, including healthcare, managed IT services, SaaS/PaaS/IaaS companies, data centers, cloud services, collection agencies, printing and mailing companies, financial corporations, and diverse nonprofit organizations.