The bill adds a new statutory duty for agencies to supply structured payment metadata to the Treasury disbursement system for every disbursement: a short purpose description, the Treasury Account Symbol (TAS), and the Business Event Type Code. It requires annual verification by certifying officials, directs OMB to post the payment data publicly after certification, and allows an agency head to exempt payments tied to sensitive law enforcement or national security operations while still reporting aggregated details in budget materials.
Beyond public reporting, the bill broadens Treasury’s tools for preventing improper payments. It authorizes Treasury access to the National Directory of New Hires and to certain IRS and Social Security information (in privacy‑preserving form), permits limited redisclosure to contractors and state partners, and changes several statutes (including the FCRA and section 3325 of title 31) to enable bank‑account verification and Do Not Pay matching.
For compliance officers and agencies that move money, the measure replaces informal practices with statutory obligations and creates new operational, privacy, and implementation issues for Treasury and program offices to manage.
At a Glance
What It Does
Requires agency heads to provide, in the format the Treasury requires, for each payment a brief purpose description, the Treasury Account Symbol, and a Business Event Type Code; mandates annual accuracy checks and written attestation by certifying officials; and directs OMB/Treasury to publish the data publicly. It also expands data access for the Do Not Pay working system to include the National Directory of New Hires, specified IRS return data, and Social Security Administration PII, and adjusts FCRA language to permit consumer‑report uses for improper payment detection.
Who It Affects
Federal certifying and disbursing officials across executive agencies, independent regulatory agencies, Congress, federal courts, territories, and the District of Columbia that use Treasury disbursement systems; Treasury and OMB for implementation and public posting; downstream users of Do Not Pay (agency fraud units, contractors, and state program administrators); and recipients whose bank and tax information may be accessed to validate payments.
Why It Matters
It converts payment metadata and anti‑fraud matching practices into statutory requirements, increasing transparency and creating a single source of structured payment records at Treasury while also broadening sensitive data flows into Do Not Pay. That raises both the potential to reduce improper payments and the need for strict privacy, security, and operational controls—plus new compliance burdens for payment offices.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
The bill creates section 3337 in title 31 to force agencies to attach meaningful metadata to every payment they submit to Treasury for disbursement. That metadata is not a long audit trail but three specific elements: a short description of why the payment exists, the Treasury Account Symbol (the TAS that identifies the appropriation), and the Business Event Type Code that classifies the activity.
Treasury will set the technical format. Agencies must then continue to check that information at least annually: certifying officials must evaluate accuracy, and agency heads must give a written attestation to their disbursing officials.
Public visibility is built in: once a payment is certified the bill directs OMB to have Treasury publish the required payment fields on the public FFATA/USAspending‑style site within 30 days. The statute recognizes a carve‑out: agency heads can exempt payments tied to ‘‘sensitive operations’’—defined to include classified, law‑enforcement, or other information‑protected activity—but those exempted payments must still be reflected in an aggregated form in the agency’s budget justification annex (controlled unclassified or classified as appropriate).Separately, the bill strengthens Do Not Pay matching and validation.
It amends several statutes so Treasury can query the National Directory of New Hires, use consumer reports under a narrowed FCRA exception, and receive a limited set of IRS return fields (TIN, filing status, AGI, Schedule C info, account routing, identity‑theft flags, and filing status over a Secretary‑determined rolling period of at least three years) in a confidentiality‑preserving way for Do Not Pay purposes. The Social Security Administration must also enter an agreement to provide PII (name, DOB, SSN at minimum) to Treasury for Do Not Pay matching.
Finally, the bill requires agencies, before certifying vouchers, to take steps to verify bank account information and compare proposed recipient accounts to other records—bringing prior verification practices into statute and authorizing Treasury and agency heads to issue guidance.Implementation rests largely with Treasury: the Secretary may issue regulations or guidance and the bill contains a rule of construction that prevents creating legal liability for disbursing officials acting under the statute. Practically, the measure centralizes payment metadata at Treasury and expands the roster of data sources used to detect and recover improper payments, but it leaves many operational details—format standards, privacy and redisclosure rules, enforcement posture, and funding for new system work—to administrative design.
The Five Things You Need to Know
For every payment submitted to a Treasury disbursement system the agency must provide three fields: a brief purpose description, the Treasury Account Symbol (TAS), and a Business Event Type Code, in the format the Secretary requires.
Certifying officials must evaluate payment‑level information at least annually and agency heads must provide a written attestation to disbursing officials confirming accuracy.
OMB must direct Treasury (or the accountable agency head) to publish the payment fields on the public FFATA/USAspending site within 30 days after certification, unless the payment is exempted as a sensitive operation.
Agency heads may exempt payments that would harm sensitive operations (classified, law enforcement, or otherwise legally protected information), but the agency must include aggregated data about exempted payments in its budget justification annex (controlled unclassified or classified as needed).
The bill gives Treasury expanded matching access for Do Not Pay: it can query the National Directory of New Hires, receive specified IRS return fields for a rolling multi‑year period in a privacy‑preserving way, obtain SSA PII, and redisclose information to authorized contractors and state or federal partners to identify, prevent, and recover improper payments.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Who counts as an agency and what 'sensitive operations' means
The statute defines ‘‘agency’’ broadly to include executive agencies, independent regulatory agencies, and any entity that uses a Treasury disbursement system—including Congress, federal courts, territorial governments, and the District of Columbia. It also defines ‘‘sensitive operations’’ to capture activities where disclosure would risk death, serious bodily injury, classified or exempt information, or otherwise violate statutory secrecy. That definition controls the exemption mechanism and therefore sets the threshold for what payments can avoid public posting or detailed reporting.
Mandating payment metadata and annual attestation
This provision requires the head of an agency to send three discrete data elements to Treasury with each disbursement: purpose, TAS, and Business Event Type Code, in Treasury’s required format. It creates an annual loop: certifying officials must review each payment’s data for accuracy, and agency heads must provide written confirmation to disbursing officials. The provision formalizes a division of responsibility between certifiers (accuracy checks) and disbursers (receipt and further management), which will necessitate updates to agency payment policies and internal control frameworks.
Publish payment fields publicly unless exempted; aggregated reporting for exemptions
After a payment is certified, OMB must direct Treasury (or the accountable agency head outside Treasury) to post the three data fields on the federal public spending website within 30 days. The statute creates an operational exception for ‘‘sensitive operations’’: agencies may withhold detailed reporting if the head verifies that disclosure would adversely affect such operations. However, exempted payments are not invisible—agencies must include aggregated information that would have been reported in a controlled unclassified annex or classified annex of their next budget justification materials, which embeds congressional visibility while preserving operational secrecy.
Require account verification and record comparison before certification
The bill amends the voucher certification statute to require agencies, before certifying vouchers, to take steps to verify recipient bank account information and to compare that account data with other agency payment records. Treasury (with agency approval) may issue guidance. Practically, this moves account‑validation practices from discretionary internal controls into a statutory precondition for certification, which could change timing and technical requirements for disbursing staff and payment systems.
Give Treasury access to the National Directory of New Hires and clarify consumer‑report uses for Do Not Pay
The bill amends Social Security Act section 453(j) to permit the Secretary of the Treasury to access the National Directory of New Hires for improper payment work and to redisclose that data to agents, contractors, and Federal/non‑Federal agencies engaged in the effort. It also tweaks the Fair Credit Reporting Act to carve out certain Do Not Pay uses—specifically, allowing consumer report‑based changes to Federal disbursements (and Do Not Pay actions) intended to improve disbursement accuracy and authorizing Treasury use and redisclosure of consumer report data to partners. Those changes create new redisclosure pathways that will need contractual, privacy, and audit controls.
IRS to provide select return fields in privacy‑preserving form; SSA to provide PII for Do Not Pay
The Internal Revenue Code amendment directs the IRS Commissioner to supply Treasury, on request, a specified set of return fields (TIN, filing status, AGI, Schedule C income/loss, filing year, bank routing/account info, identity‑theft indicators, and nonfiling flags) covering a Secretary‑specified rolling period of at least three years, formatted to preserve confidentiality and intended solely for Do Not Pay matching. Separately, the bill adds a new SSA section requiring the Commissioner to enter an agreement to provide at least name, date of birth, and SSN for Do Not Pay. Both provisions expand highly sensitive interagency data flows and explicitly permit limited redisclosure to authorized agents and State administrators.
This bill is one of many.
Codify tracks hundreds of bills on Government across all five countries.
Explore Government in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Department of the Treasury and the Do Not Pay program — Gains statutory access to structured payment metadata and multiple data sources (NDNH, limited IRS fields, SSA PII, consumer reports) to improve improper‑payment detection, matching accuracy, and recovery.
- Federal program integrity offices and agency fraud teams — Receive clearer, standardized payment fields and statutory authority to use broader data matches, improving the speed and quality of investigations and overpayment recoveries.
- Congressional budget analysts and the public — Benefit from near‑real‑time, standardized payment data posted publicly (subject to exemptions), improving transparency into how appropriations are spent and enabling external oversight and analysis.
- State agencies administering federally funded programs — If authorized to receive redisclosures, they can use the Do Not Pay working system matches to prevent improper payments in joint federal‑state programs.
Who Bears the Cost
- Agency certifying and disbursing officials — Face new statutory duties to collect formatted metadata, verify bank accounts before certification, perform annual attestations, and update internal controls and IT interfaces.
- Department of the Treasury — Must expand the disbursement system, implement public posting workflows, manage new data feeds (NDNH, IRS, SSA, consumer reports), craft redisclosure agreements, and fund privacy/security controls.
- Privacy officers, CIOs, and contractors — Will incur compliance costs to implement confidentiality‑preserving transfers, contract amendments for redisclosure, audit capabilities, and likely expanded logging and access controls.
- Payment recipients and vendors — May experience additional verification steps or delays in payment processing and face greater exposure if sensitive account or tax data are used for matching and redisclosed to contractors.
Key Issues
The Core Tension
The central dilemma is between maximizing transparency and program integrity on one hand—by funneling richer payment metadata and broader data matches into a single Do Not Pay‑enabled Treasury system—and protecting operational secrecy, individual privacy, and program continuity on the other; the bill makes aggressive data flows statutory without spelling out the technical, contractual, and accountability guardrails that would reconcile those conflicting objectives.
The bill trades one set of problems for another. Centralizing structured payment metadata at Treasury and broadening matching inputs should reduce some types of improper payments, but it simultaneously expands the number of systems and actors holding PII and tax return data.
Although the statute requires Treasury to preserve confidentiality and allows privacy‑preserving disclosures from IRS, it leaves the technical and operational standards—encryption, de‑identification techniques, access logs, retention limits, and audit rules—to Treasury guidance or regulation. That gap creates risk: inconsistent implementation across agencies could lead to accidental disclosures or disproportionate redisclosure breadth under vaguely defined authorities.
The sensitive‑operations exemption addresses security concerns but creates a blunt instrument: agency heads certify exemptions without a detailed public test, and the only public accountability mechanism is aggregated reporting in budget annexes. That approach protects operations but reduces external oversight and may encourage over‑use of the exemption.
Separately, the bill authorizes redisclosure of NDNH, IRS, SSA, and consumer‑report data to contractors and non‑Federal agencies; without robust contractual controls and monitoring, redisclosure chains can multiply privacy risks and create uncertainty about legal liability—even though the law includes a rule of construction shielding disbursing officials from liability for actions taken under the statute. Finally, operationalizing bank‑account verification and standardized Business Event Type Codes across diverse legacy payment systems will require funding and a multi‑year implementation plan; absent clear resource allocations, smaller offices and non‑Treasury disbursing officials could struggle to comply on schedule.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.