You probably heard that the IRS last week disclosed a massive security breach that allowed hackers to obtain detailed tax-return information on 104,000 taxpayers.
But you might not have connected that event with a procedure encountered by most home buyers seeking a mortgage: Lenders routinely require them to sign an IRS form that allows underwriters to obtain transcripts covering multiple years of past tax returns. The form involved is known as a 4506-T, and it’s part of the paper blitz applicants get hit with in the loan process.
So what’s the possible connection between the security hole at the IRS and your mortgage application? Is there some potential for abuse when loan officers and brokers pull your detailed tax data using third-party vendors? Is your most private financial information safe from hackers or other criminals?
The hackers penetrated what’s known as the “Get Transcript” application on the IRS’s Web site, www.irs.gov. Get Transcript, which was pulled offline in the wake of the breach, allowed individual taxpayers to access their tax information from past years, but they needed to navigate a minefield of identity-verification queries: Social Security number, e-mail address, “personal, financial and tax-related questions,” according to the IRS.
Though the IRS said that just half of hackers’ estimated 200,000 attempts to access tax transcripts were successful, the sobering fact remains: Criminals were able to steal prodigious quantities of private tax information.
Now to the 4506-T system used for mortgage applications. It works like this: You fill out the form, indicating which year or years of transcripts you authorize to be pulled. Your mortgage broker or lender then typically provides the form to a third-party vendor that has signed up with the IRS to access taxpayer transcripts via IVES, the Income Verification Express Service. Some of these vendors are large, well-known corporations, including credit-reporting agencies and data and technology enterprises that perform other services for mortgage lenders. Others are little-known and small.
To use the IVES system, according to IRS instructions online, vendors must submit basic information about their business and check a box indicating that they have read and agree to comply with an IRS publication spelling out procedures to “Safeguard Taxpayer Data.”
The IRS provided no comment to my requests for information on the 4506-T program and potential vulnerabilities to data breaches, nor would it say how many vendors participate in the tax-transcript program. Industry sources said the number of vendors involved is significant.
So where are the potential problems here?
Critics of the transcript system say that although there have been no reported breaches of taxpayer information to date, the relatively low bars set by the IRS to qualify and monitor third-party participants are troubling.
In 2011, the Treasury Department’s inspector general for tax administration conducted an investigation of the program and concluded that taxpayer information “is at risk of theft or misuse when taxpayers submit IVES requests for tax return information through third parties because controls are insufficient . . . .” A key problem, said the inspector general, is that the IRS did not have an adequate “screening process” nor adequate “minimum requirements” to ensure security and privacy. The agency promised to make improvements, but in the absence of an IRS response to questions in the wake of the Get Transcript breach, it’s not clear how many of the recommended reforms have been implemented.
Curtis R. Knuth, executive vice president of one major transcript vendor, New Jersey-based NCS, told me that his firm and others have urged the IRS to “toughen its standards” and security controls for participants, some of which are subject to “very minimal screening.” Without stricter requirements, Knuth said, “there is the potential” for breaches of mortgage applicants’ tax data.
However, the head of another large vendor of tax transcripts, Nick Lim, of California-based Veri-Tax, said that while “there is no system that is bulletproof,” his company “prides [itself] on taking security seriously” and that it completes annual audits designed to test data security to the highest standards. NCS also undergoes rigorous audits, Knuth said.
What to make of all this as a mortgage applicant? Could a loan application inadvertently open you to identity theft or worse? Based on the record so far, your tax data appears to be safe. Then again, the IRS — and thousands of taxpayers — thought the IRS’s in-house tax-transcript system was well guarded from theft and fraud. That turned out to be incorrect.
Ken Harney’s e-mail address is email@example.com.