IRS transcript program found lacking in safeguards
IKenneth R. Harney
n an era of horror stories about breaches of sensitive consumer information, here’s some disquieting news for homebuyers: Federal auditors say the popular “tax transcript” program run by the IRS and used by millions of mortgage applicants a year lacks adequate security protections against disclosures of tax-return details to people who shouldn’t be allowed to obtain them.
In 2015, the IRS suffered a major breach of its “Get Transcript” program, which allowed individual taxpayers to obtain tax transcripts. Using taxpayer information stolen elsewhere, criminals were able to pass IRS authentication procedures to access the files of more than 334,000 taxpayers, opening the door to potential tax-refund frauds.
The current audit targeted in part a specialized IRS service — one that provides lenders and others transcripts of loanapplicants’ tax filings. Mortgage borrowers routinely fill out an IRS Form 4506-T, which grants permission for third-party vendors to access their tax records and send them to banks and mortgage companies. Lenders use the service to verify applicants’ income.
Following a homeloan-related request, mortgage companies and banks generally receive tax transcripts within two to five business days.
A key security issue in the mortgage-related portion of the program is whether the thirdparty “requester” of a transcript has been properly vetted.
Among the recommendations by auditors: Suspend the transcript service until better controls are established. The IRS declined to do so, but noted that it has initiated stricter controls sought by the audit, including multifactor authentication. This better enables the IRS to know “who is accessing its system and why and helps prevent account takeovers.”