Lax security of ‘tax transcript’ program could expose borrowers’ info
WASHINGTON — In an era of unceasing horror stories about breaches of sensitive consumer information, here’s some disquieting news for homebuyers: Federal auditors say the popular “tax transcript” program run by the IRS and used by millions of mortgage applicants each year lacks adequate security protections against disclosures of tax-return details to people who shouldn’t be allowed to obtain them.
In a little-noticed audit summary last week, the Treasury Department’s Inspector General for Tax Administration said that the IRS continues to have “ineffective” controls to ensure that “legitimate taxpayers authorized the release of their tax transcripts” and that the agency “delayed actions to reduce unnecessary taxpayer information from being disclosed.”
In 2015, the IRS suffered a major breach of its “Get Transcript” program, which allowed individual taxpayers to obtain tax transcripts. Using taxpayer information stolen elsewhere, criminals were able to pass IRS authentication procedures to access the files of more than 334,000 taxpayers, opening the door to potential tax-refund frauds. Treasury auditors say the Equifax hack of more than 145 million consumer files last year makes it of the “utmost importance” that the IRS fix security deficiencies “to ensure against unscrupulous individuals compromising this system to gain unauthorized access to tax information.”
The current audit targeted in part a specialized IRS service — one that provides lenders and others transcripts of loan-applicants’ tax filings. Mortgage borrowers routinely fill out an IRS Form 4506-T, which grants permission for thirdparty vendors to access their tax records and send them to banks and mortgage companies. Lenders use the service to verify applicants’ income.
The overall transcript delivery system (TDS) program — which includes services for lenders, tax professionals and others — is massive: According to auditors, nearly 169 million transcripts were issued during calendar years 2014 through 2016.
A key security issue in the mortgage-related portion of the program is whether the third-party “requester” of a transcript has been properly vetted by the IRS and found eligible to receive transcripts. Some third-party players are giant corporations serving banks and the mortgage industry and order vast numbers of transcripts a year; others are small entities that order far fewer. After criticism about poor vetting, the IRS tightened its procedures in 2016 and required third-party entities to resubmit basic qualifying information. But auditors found the IRS still allowed more than 29,000 transcripts to be sent to parties that had not complied with the revised rules by its deadline and whose permission to participate should have been revoked.
Auditors also noted the intersection of transcript issues with identity theft and fraudulent requests for tax refunds using stolen consumer information. During tax years 2013 through 2016, they found that 222,534 taxpayer accounts “had a total of 647,208 tax transcripts requested for the same tax year” of a confirmed identity theft. Investigators also highlighted the current transcript system’s absence of limits on the numbers of transcripts that can be obtained on a single individual taxpayer.
Among the recommendations by auditors: Suspend the transcript service until better controls are established. The IRS declined to do so. But in a statement for this column, the IRS noted that it has now initiated the stricter controls sought by the audit, including multifactor authentication. This better enables the IRS to know “who is accessing its system and why and helps prevent account takeovers.” Auditors say they will monitor the recent changes to assess their effectiveness.
Bottom line for you as a mortgage applicant: Take the 4506-T form seriously, not just as another piece of the paper blitz involved in obtaining a loan. Most important: Never leave blank line 5 of the form, which identifies the third party that will obtain the transcript, and always fill out the specific tax years you agree to share.