Americans who filed a tax return last year and are below the Cares Act income thresholds can receive a direct deposit in the bank account used for their most recent tax refund. The catch is that not all Americans are required to file tax returns. The Tax Policy Center, a joint venture of the Urban Institute and the Brookings Institution, estimates that about 10 million single taxpayers did not earn more than $12,200 in income and fit into this group of “non-filers.” This group includes some of the neediest members of our society. They’re entitled to receive stimulus payments, but the IRS does not have the information required to pay them.
Recognizing this problem, the IRS worked with Intuit to create a website where non-filers can register their bank account information to receive their stimulus payment. That’s a wonderful idea in theory, but it falls apart in practice. The brief form asks non-filers to prove their identity by providing their name, Social Security number, address, phone number and date of birth. The form also allows, but does not require, individuals to provide their driver’s license number.
But none of the information requested by the IRS is secret. Numerous data breaches over the past decade have exposed every one of these pieces of information for virtually every American to identity thieves. Data breaches have affected federal government employees, veterans and Equifax credit report subjects. Anyone who doesn’t fall into one of these three groups has probably been affected by smaller data breaches. This information is lost forever, irretrievably put up for sale on the dark web, where it sits available to identity thieves — allowing them to request a stimulus payment under the name of an unsuspecting non-filer.
The IRS should know better. The agency has fallen victim to this type of fraud before. In 2015, the IRS discovered that it had been victimized by attackers who gained access to the accounts of approximately 390,000 Americans. That system used stronger security than the Cares Act non-filer form — in addition to the identity questions above, it included security questions pulled from applicants’ credit files. It’s almost certain that the weaker Cares Act system will allow fraudsters to steal stimulus payments.
To get Cares Act payments into the hands of the low-income Americans who need them most, the government must perform additional vetting on non-filer claims to prevent fraud, and it should do so quickly.
The most effective way to accomplish this is by requiring that those filling out the Cares Act form upload a snapshot of their photo identification — a process used by many other federal systems. It’s relatively easy for a hacker to steal a driver’s license number; it’s far more difficult to obtain a photo of a driver’s license. For people who have no photo identification, the IRS should insist on sending a paper check so that the bank cashing the check can verify the depositor’s identity.
The IRS must also urgently investigate possible cases of fraud. Internal controls can search for red flags, such as multiple deposits being sent to the same bank account or deposits being sent to local banks far from the filer’s last known residence. Information provided by filers can be automatically cross-referenced with other federal databases for accuracy. Suspicious transactions should be flagged for manual review by an IRS analyst before funds are released.
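The red flags described above translate directly into screening logic. The sketch below is an added illustration, not IRS code or part of the original article; the field names, thresholds and sample claims are constructed assumptions.

```python
import math
from collections import Counter

# Constructed sample claims (not real data). Coordinates are (lat, lon).
CLAIMS = [
    {"id": "C1", "account": "acct-A", "dob": "1980-01-02", "home": (38.90, -77.04), "bank": (38.91, -77.03)},
    {"id": "C2", "account": "acct-B", "dob": "1975-05-05", "home": (41.88, -87.63), "bank": (25.76, -80.19)},
    {"id": "C3", "account": "acct-B", "dob": "1990-09-09", "home": (34.05, -118.24), "bank": (25.76, -80.19)},
    {"id": "C4", "account": "acct-C", "dob": "1966-03-03", "home": (47.61, -122.33), "bank": (47.60, -122.33)},
]
# Constructed stand-in for a record held in another federal database,
# keyed by claim id for brevity.
REFERENCE_DOB = {"C1": "1980-01-02", "C2": "1975-05-05", "C3": "1990-09-09", "C4": "1966-03-30"}

MAX_CLAIMS_PER_ACCOUNT = 1   # assumed policy threshold
MAX_BANK_DISTANCE_KM = 500   # assumed policy threshold

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def review_queue(claims, reference_dob):
    """Return {claim_id: [reasons]} for claims to hold for manual review."""
    per_account = Counter(c["account"] for c in claims)
    flagged = {}
    for c in claims:
        reasons = []
        # Red flag 1: several claims paying into the same bank account.
        if per_account[c["account"]] > MAX_CLAIMS_PER_ACCOUNT:
            reasons.append("shared_account")
        # Red flag 2: bank far from the filer's last known residence.
        if haversine_km(c["home"], c["bank"]) > MAX_BANK_DISTANCE_KM:
            reasons.append("distant_bank")
        # Cross-reference: submitted data disagrees with the other database.
        if reference_dob.get(c["id"]) != c["dob"]:
            reasons.append("record_mismatch")
        if reasons:
            flagged[c["id"]] = reasons
    return flagged

if __name__ == "__main__":
    for claim_id, reasons in review_queue(CLAIMS, REFERENCE_DOB).items():
        print(claim_id, "HOLD", ",".join(reasons))
```

Flagged claims go to an analyst rather than being rejected outright, since shared accounts and distant banks also have legitimate explanations.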
After this crisis passes, the agency must prevent a problem like this from ever occurring again. Two independent watchdogs, the Treasury Inspector General for Tax Administration and the National Taxpayer Advocate, have both repeatedly informed the IRS that its identity and access management practices were not effective and required immediate investment to protect taxpayers and the government. It’s time to make that investment.