Each year, properties funded by one of the Department of Housing and Urban Development’s (HUD) multifamily subsidy programs await notice of their Management and Occupancy Review (MOR) date. To many managers, this review is their final exam for the year. It often brings with it fear and trepidation as many owners and management agents use the MOR results as part of the site manager’s annual review.
The good news is that managers do not have to be caught off guard. Unlike most final exams, this one is available in advance. Simply Google “HUD Form 9834” and you will be able to download all 47 pages of the MOR process. When teaching the National Center for Housing Management’s Management and Occupancy Review Specialist (MORS) certification course, I take participants through the form section by section and discuss strategies to follow in preparing for the review. One of my recommendations is to set aside 15-20 minutes each day to review part of the MOR form and prepare answers to the questions contained in that section. This may involve gathering information or creating a new policy or procedure. In this article, I want to focus on one MOR area that seems to generate significant confusion — security of the data in the Enterprise Income Verification (EIV) system.
Compliance with EIV Security Requirements
Category E, Sections 17 and 20 of HUD Form 9834, asks nearly two dozen questions about the security of the EIV data. In contrast, it has only nine questions about the use of the EIV data. Why is there such an emphasis on security?
The use of the EIV system is governed by the Federal Privacy Act (5 U.S.C. 552a, as amended), which places restrictions on who can view a person’s records. Disclosure is also governed by the matching agreements that HUD has signed with the Social Security Administration (SSA) and the Department of Health and Human Services (HHS), the agencies that provide the data in EIV. Currently, these agreements allow access to:
- Owners and agents of HUD multifamily housing programs;
- Public Housing Authorities (PHAs) in conjunction with the operation of the Housing Choice Voucher (HCV) and Public Housing programs;
- Contract Administrators and HUD staff;
- Independent Public Auditors (i.e., CPAs, licensed Public Auditors, or registered Public Accountants);
- HUD Office of Inspector General (OIG) investigators for auditing purposes; and,
- Persons assisting with the recertification process (e.g., translators, guardians, Powers of Attorney, service coordinators, and other family members).
In a recent RHIIP Listserv Post (#408 on 3/29/2018), HUD clarified that consultants are not considered IPAs or agents of the owners and do not have the right to view EIV data under the current HHS and SSA computer matching agreements. It is important to note that this decision was not made by HUD program staff, but by the Office of General Counsel (OGC) during a review of the matching agreements. HUD recognizes the value of consultants in helping to identify income errors that result in the improper payment of subsidy. However, until the matching agreements are changed, consultants should not view EIV data when auditing tenant files for compliance.
This does not mean that consultants cannot review tenant files, however. If a property has a consultant assist with MOR preparation, the EIV data can simply be removed from the file before it is reviewed. When NCHM provides consulting services that involve reviewing files, we ask our clients to complete a form that documents that the EIV Income Report and Income Discrepancy Report were run, the date they were run, what income or employment was verified and the amount of the income. This process enables us to review the information without actually reviewing the report. Keep in mind this document is only for the consultant’s use. The actual EIV Income Reports will be maintained in the tenant files after the consultant’s review is completed.
During the MOR process, you will need to prove that you meet the EIV security requirements through your answers to those two dozen questions.
To ensure that you can answer YES to all of these questions, review Sections 4 and 5 of Chapter 9 of the HUD Handbook 4350.3 REV-1. Those sections detail what security measures are required. If you already have an EIV Security Policy, read through it with the MOR questions in hand to be sure they are all covered in the document. If you don’t have a policy, you will need to write one, as it is required by 4350.3 REV-1 Par. 9-21B.
Section 17 of Category E also details certain documentation that must be maintained to ensure compliance with security measures, such as:
- Owner Approval Letter
- Initial and Currently approved EIV CAAF form for the EIV Coordinator
- Initial and Currently approved EIV UAAF for each EIV User
- Signed EIV Rules of Behavior for each person who views EIV information in performance of his or her job but does not have access to the system
- Evidence that staff accessing or viewing EIV data have completed the Annual Security Awareness Training
Be sure to have these documents on hand when the reviewer arrives. One of the most common mistakes is not having documentation on site for a corporate employee who has access to the EIV data.
Properly securing EIV data should be a high priority. An impending MOR is a good time to confirm that you have good security policies and procedures in place, as well as to assess the property’s readiness in all areas covered by the MOR.
Preparing for an MOR does not have to be a daunting process if you set aside time on a regular basis to gather the information.
Be prepared, and you could actually look forward to the MOR and confirm your status as a true professional. If you have any questions on how NCHM can help you, please contact us:
Phone: (800) 368-5625
RHIIP stands for Rental Housing Integrity Improvement Program. The RHIIP Listserv is HUD’s way of communicating relevant news regarding occupancy and other operational matters that impact the HUD Multifamily Programs.