Prepared by:
Quality Reporting Service Center
Railroad Retirement Board
844 North Rush Street
Chicago, Illinois 60611-2092
Phone: (312) 751-4992
Fax: (312) 751-7190
E-mail: QRSC@rrb.gov
Please share this information with members of your staff who make tax deposits and file related tax forms,
as well as programming staff who support these functions.
Background
Service and compensation information for employees who work for employers
covered under the Railroad Retirement Act (RRA) is maintained by the Railroad
Retirement Board (RRB) for the purpose of administering the RRA and the Railroad
Unemployment Insurance Act (RUIA). Employee address records are maintained
by the RRB for the purpose of mailing Form BA-6,
"Certificate of Service Months and Compensation", to those same employees.
Covered employers are required, by the last day of February, to submit Form BA-3,
"Annual Report of Creditable Compensation", for all employees who performed
compensated service in the previous year and Form BA-11,
"Report of Gross Earnings", for all employees whose social security number ends
with the digits “30.” Employers may also submit employee mailing addresses on
annual Form BA-3 (rather than submitting a separate Form BA-6a,
"Address Report", Form BA-6).
Employers are also required to submit Form BA-4,
"Report of Creditable Compensation Adjustments", as necessary to report
adjustments to previously submitted service and compensation reports.
Additionally, employers are required to submit Form BA-9,
"Report of Separation Allowance and Severance Pay", when such payments are made
to employees.
New Reporting Options
The RRB now offers file transfer protocol (FTP) interchange and e-mail as
options for submitting Form BA-3, BA-4, BA-6a, BA-9 and BA-11 report files. The
new options may be used starting with the reporting season that begins January
1, 2008. New record layouts are also effective as of January 1, 2008.
Information on accurate data content and format is available in the Employer Reporting Instructions.
Privacy and Security Considerations
Because RRB reporting forms contain sensitive personal information such as
social security numbers, we must exchange information securely to ensure that no
one can intercept and read or alter the information. Accordingly, we are
required to take security precautions that meet standards currently prescribed
by the National Institute of Standards and Technology (NIST).
FTP Interchange
- What is FTP and how does it work?
File Transfer Protocol (FTP) is used to transfer files between two computers by
sending data over a data communications network such as the Internet.
- FTP transfers require an FTP server and an FTP client. The FTP server continuously
waits or “listens” for incoming connection requests that are initiated by FTP
clients. In order to complete the connection, the FTP server will require the
FTP client to authenticate itself by providing a valid set of credentials,
typically a valid username and password. If the credentials supplied to the
server by the client are valid, the FTP server will allow the connection to be
completed. Once the connection is completed, the client may download files from
the FTP server, upload files to the FTP server or modify existing files on the
server depending on the FTP server’s access controls and existing agreements
between the participating parties.
- How will FTP protect data?
To ensure the confidentiality of personally identifiable data such as social
security numbers, the RRB requires Secure FTP (SFTP) data transfers. We also
prefer to use OpenPGP encryption utilizing a public/private key pair to ensure
that the data is encrypted at all times. SFTP uses an encrypted connection on
TCP port 22. Generally, the process involves the reporting employer creating a
public/private encryption key pair and sending the public key to the RRB for
authentication purposes. If the employer wanted the RRB to send the output files
back to one of their servers, then the RRB would also create a public/private
key pair and send the RRB’s public key as well.
- How is an FTP Interchange with the RRB established?
The first step in this process is for the RRB and each interested employer to
agree upon and then implement the specific procedures and programming needed to
allow FTP interchanges. The most likely method will be via the Internet. The
employer would then act as the “server” and the RRB would act as the “client.”
RRB personnel in the Compensation and Employer Service Center (CESC) would be
provided access to the railroad’s secure FTP server through a designated user ID
and password. Once the applicable compensation/service information is ready to
be conveyed to the RRB via the reporting forms, the employer would fax a
completed Form G-440 , "Reports Specification Sheet" (which must be signed by an
authorized employer official), to notify CESC of a pending report. The RRB would
then use desktop FTP software to access and download the information at an
agreed-upon time and location. You may contact the Quality Reporting Service
Center of CESC for additional information or instructions on implementing FTP
exchanges with the RRB. The e-mail address and telephone number are shown at the
top of this letter.
E-mail Submissions
- Why use secure e-mail?
Because the forms contain sensitive personal information such as social security
numbers, we must exchange information securely to ensure that no one can
intercept and read or alter the information. To meet NIST security requirements,
all e-mail messages we exchange must be encrypted and signed with a Digital ID,
and information will be protected in accordance with security controls outlined
in NIST guidance 800-53.
- Why do I need a Digital ID or certificate?
A Digital ID or certificate is a computer file that identifies the sender.
E-mail software uses this file to "digitally" sign e-mail messages to prove a
sender’s identity to the recipient’s computer.
A digital signature does two things:
- It lets the recipient of the e-mail confirm the identity of the sender, and
- It tells the recipient that the e-mail was not tampered with in transit.
A Digital ID typically contains the following information:
- Your public key
- Your name and e-mail address
- Expiration date of the public key
- Name of the company (the Certification Authority (CA)) who issued your Digital ID
- Serial number of the Digital ID
- Digital signature of the CA
- How will encryption protect data?
To encrypt (scramble) data we use a system with two keys. The key pair consists
of a public and a private key. The keys are used like keys in a lock, except the
key pair requires one key to secure the lock and another to open the lock.
When you request and install a Digital ID, your Web browser creates both a
private key that can only be used with the Digital ID you requested, and a
public key that becomes part of your Digital ID. Access to your private key will
be password protected.
With key pairs, your e-mail application will use the RRB’s public key to encrypt
messages you send to us. The RRB, upon receipt of your encrypted e-mail message,
will use our matching private key to decrypt the message.
- How do I exchange a secure e-mail with the RRB?
Before you can send the RRB an encrypted message, you must first get our public
key. You do this by simply requesting we send you a signed e-mail message, which
contains our Digital ID and public key. Then your e-mail application can
automatically store the RRB’s Digital ID with public key in your contacts folder
until you need to use it. Your e-mail application uses the RRB public key to
encrypt the messages you send to us. From that point on, only the RRB's private
key can decrypt the message.
When the RRB sends you an encrypted message, we will use your public key. Once
the e-mail message is encrypted with your public key, only those individuals in
your organization who have the matching private key can decrypt the message.
Steps:
- Acquire a Digital ID from a company called a Certification Authority (CA),
for example, Verisign or Thawte Certification. The cost of an individual Digital
ID is about $20.00 per year.
- Once you have received and installed a Digital ID, distribute it to the RRB
by sending an e-mail message to the cesc@rrb.gov mailbox. The Digital ID that
you send contains your public key. This will allow the RRB to send you encrypted
e-mail messages using your public key. Only you will have the corresponding
private key that allows you to decrypt the RRB reply.
- The RRB will acknowledge your e-mail submission by sending you our public key
for the cesc@rrb.gov mailbox. This will allow you to send encrypted e-mail
requests using the RRB’s public key. Only the RRB will have the
corresponding private key to decrypt the e-mail message.
- Once the parties have stored each other’s Digital IDs, all further e-mail
exchanges can be made securely.
Please follow the same provisions regarding completion and submission of Form G-440
as previously described.
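The exchange in the steps above, reproduced end to end with the OpenSSL command line as an added example (not part of the original letter, and not RRB software). It assumes the Digital IDs are X.509 certificates used with S/MIME; the parties `employer`, `agency` and `stranger`, their addresses and the report text are constructed, and self-signed certificates stand in for CA-issued ones.

```shell
#!/bin/sh
# Added example. All names, addresses and data are constructed; no RRB key or system is used.
set -eu
WORK=$(mktemp -d) && cd "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Throwaway self-signed Digital ID: <prefix>.key (private key) and <prefix>.crt (certificate).
make_id() {  # $1 = file prefix, $2 = e-mail address placed in the certificate
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$1/emailAddress=$2" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Fields the letter lists for a Digital ID: holder, issuing CA, serial number, expiry.
show_id() { openssl x509 -in "$1.crt" -noout -subject -issuer -serial -enddate; }

# Sender: sign with own private key, then encrypt to the recipient's certificate.
send_msg() {  # $1 = sender prefix, $2 = recipient prefix, $3 = input file, $4 = output file
    openssl smime -sign -text -in "$3" -signer "$1.crt" -inkey "$1.key" 2>/dev/null |
        openssl smime -encrypt -aes-256-cbc -out "$4" "$2.crt"
}

# Recipient: decrypt with own private key, then verify against the stored sender Digital ID.
# Returns non-zero if decryption fails or the signer is not the expected sender.
recv_msg() {  # $1 = recipient prefix, $2 = expected sender prefix, $3 = message file
    openssl smime -decrypt -in "$3" -recip "$1.crt" -inkey "$1.key" 2>/dev/null |
        openssl smime -verify -text -CAfile "$2.crt" 2>/dev/null
}

make_id employer reports@employer.example
make_id agency inbox@agency.example
make_id stranger someone@elsewhere.example
printf 'constructed test record, no real data\n' > report.txt

show_id employer
send_msg employer agency report.txt msg.p7m
recv_msg agency employer msg.p7m    # decrypts and verifies, printing the report text

# A party without the recipient's private key cannot read the message.
recv_msg stranger employer msg.p7m || echo "stranger: cannot decrypt"

# A message signed with a Digital ID the recipient has not stored is rejected.
send_msg stranger agency report.txt forged.p7m
recv_msg agency employer forged.p7m || echo "agency: signer is not the stored employer ID"
```

Signing happens before encryption, so the signature travels inside the encrypted envelope and is checked only after the recipient decrypts.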
Paperwork Reduction Act (PRA) Notice
Federal agencies may not conduct or sponsor, and respondents are not required to
respond to, any collection of information unless it displays a valid OMB number.
If you wish, send comments regarding the accuracy of our estimates or any other
aspect of these forms, including suggestions for reducing completion time, to
Chief of Information Services
U.S. Railroad Retirement Board
844 North Rush Street, 4th floor
Chicago, IL 60611-2092
- Form BA-3
The information contained in this report, which is required
by law under Section 9 of the Railroad Retirement Act (RRA) and Section 6 of the
Railroad Unemployment Insurance Act (RUIA), is needed to pay RRA and RUIA
benefits and is authorized for collection under OMB control number 3220-0008.
This report is due at the Railroad Retirement Board by no later than the last
day of February after the report year. Failure to report or the making of a
false or fraudulent report can result in criminal prosecution or civil
penalties, or both. We estimate the electronic version of this form, transmitted
by e-mail or FTP, takes an average of 46.25 hours per response to complete,
including time for reviewing the instructions, getting the needed data, and
reviewing the completed form.
- Form BA-4
The information contained in this report, which is required
by law under Section 9 of the Railroad Retirement Act (RRA) and Section 6 of the
Railroad Unemployment Insurance Act (RUIA), is needed to adjust compensation and
service creditable under the RRA and RUIA and is authorized for collection under
OMB control number 3220-0008. Failure to report or the making of a false or
fraudulent report can result in criminal prosecution or civil penalties, or
both. We estimate the electronic version of this form, transmitted by e-mail or
FTP, takes an average of 1 hour per response to complete, including time for
reviewing the instructions, getting the needed data, and reviewing the completed
form.
- Form BA-6a
The information specified on this form, which is required by
law under Section 7(b)(6) of the Railroad Retirement Act and Section 209.12 of
the Code of Federal Regulations and is authorized for collection under OMB
control number 3220-0005, will be used by the Railroad Retirement Board to mail
to the employees of your company Form BA-6, Certificate of Service Months and
Compensation. Failure to report or the making of a false or fraudulent report
can result in criminal prosecution or civil penalties or both. We estimate the
electronic version of this form, transmitted by e-mail or FTP, takes an average
of 15 minutes per response to complete, including time for reviewing the
instructions, getting the needed data, and reviewing the completed form.
- Form BA-9
The information contained in this report, which is required
by law under Section 9 of the Railroad Retirement Act (RRA) and Section 6 of the
Railroad Unemployment Insurance Act (RUIA) and is authorized for collection
under OMB control number 3220-0173, is needed for two purposes: to establish
eligibility for an additional lump-sum amount under the RRA and to establish a
disqualification period under the RUIA. Failure to report or the making of a
false or fraudulent report can result in criminal prosecution or civil
penalties, or both. We estimate the electronic version of this form, transmitted
by e-mail or FTP, takes an average of 1 hour and 16 minutes per response to complete,
including time for reviewing the instructions, getting the needed data, and
reviewing the completed form.
- Form BA-11
The purpose of this report, which is required by Section 7(b)(6) of the Railroad
Retirement Act and is authorized for collection under OMB control number
3220-0132, is to obtain the gross earnings for a sample of employees. This
information is required for computation of the Financial Interchange with the
Social Security Administration and the Centers for Medicare & Medicaid Services.
The report is due at the Railroad Retirement Board by no later than the last day
of February following the report year. Failure to report or the making of a
false or fraudulent report can result in criminal prosecution or civil
penalties, or both. We estimate the electronic version of this form, transmitted
by FTP, takes an average of 5 hours to complete, including time for reviewing
the instructions, getting the needed data, and reviewing the completed form. We
estimate that the secure e-mail version of this form takes an average of 30
minutes per response to complete, including time for reviewing the instructions,
getting the needed data, and reviewing the completed form.