In an era of unceasing horror stories about breaches of sensitive consumer information, here’s some disquieting news for homebuyers: Federal auditors say the popular “tax transcript” program run by the IRS and used by millions of mortgage applicants a year lacks adequate security protections against disclosures of tax-return details to people who shouldn’t be allowed to obtain them.
In a little-noticed audit summary last week, the Treasury Department’s Inspector General for Tax Administration said that the IRS continues to have “ineffective” controls to ensure that “legitimate taxpayers authorized the release of their tax transcripts” and that the agency “delayed actions to reduce unnecessary taxpayer information from being disclosed.”
In 2015, the IRS suffered a major breach of its “Get Transcript” program, which allowed individual taxpayers to obtain tax transcripts. Using taxpayer information stolen elsewhere, criminals were able to pass IRS authentication procedures to access the files of more than 334,000 taxpayers, opening the door to potential tax-refund frauds. Treasury auditors say the Equifax hack of more than 145 million consumer files last year makes it of the “utmost importance” that the IRS fix security deficiencies “to ensure against unscrupulous individuals compromising this system to gain unauthorized access to tax information.”
The current audit targeted in part a specialized IRS service — one that provides lenders and others transcripts of loan-applicants’ tax filings. Mortgage borrowers routinely fill out an IRS Form 4506-T, which grants permission for third-party vendors to access their tax records and send them to banks and mortgage companies. Lenders use the service to verify applicants’ income.
Following a home-loan-related request, mortgage companies and banks generally receive tax transcripts within two to five business days. The overall transcript delivery system (TDS) program — which includes services for lenders, tax professionals and others — is massive: According to auditors, nearly 169 million transcripts were issued during calendar years 2014 through 2016.
A key security issue in the mortgage-related portion of the program is whether the third-party “requester” of a transcript has been properly vetted by the IRS and found eligible to receive transcripts. Some third-party players are giant corporations serving banks and the mortgage industry and order vast numbers of transcripts a year; others are small entities that order far fewer. After criticism about poor vetting, the IRS tightened its procedures in 2016 and required third-party entities to re-submit basic qualifying information. But auditors found the IRS still allowed more than 29,000 transcripts to be sent to parties that had not complied with the revised rules by its deadline and whose permission to participate should have been revoked.
Auditors also noted the intersection of transcript issues with identity theft and fraudulent requests for tax refunds using stolen consumer information. During tax years 2013 through 2016, they found that 222,534 taxpayer accounts “had a total of 647,208 tax transcripts requested for the same tax year” of a confirmed identity theft. Investigators also highlighted the current transcript system’s absence of limits on the numbers of transcripts that can be obtained on a single individual taxpayer.
Among the recommendations by auditors: Suspend the transcript service until better controls are established. The IRS declined to do so. But in a statement for this column, the IRS noted that it has now initiated the stricter controls sought by the audit, including multifactor authentication. This better enables the IRS to know “who is accessing its system and why and helps prevent account takeovers.” Auditors say they will monitor the recent changes to assess their effectiveness.
Asked what a shutdown of the transcript program would mean, Brandon Brahms, senior product manager for CoreLogic, one of the highest-volume providers of transcripts, said “it would grind the [mortgage] industry to a halt.” Curtis R. Knuth, president and CEO of NCS, another major provider, told me that although data security “needs to be tightened” further, changes undertaken by the IRS since late 2017 have improved protections. “Is anyone satisfied? No,” he said, but the IRS is making efforts despite severe budget cuts.
Bottom line for you as a mortgage applicant: Take the 4506-T form seriously, not just as another piece of the paper blitz involved in obtaining a loan. Most important: Never leave blank line 5 of the form, which identifies the third party that will obtain the transcript, and always fill out the specific tax years you agree to share.