Harney: Time to get tough on tax transcripts

Though the IRS said that just half of hackers’ estimated 200,000 attempts to access tax transcripts were successful, the sobering fact remains: Criminals were able to steal prodigious quantities of private tax information.

Now to the 4506-T system used for mortgage applications. It works like this: You fill out the form, indicating which year or years of transcripts you authorize to be pulled. Your mortgage broker or lender then typically provides it to a third-party vendor who has signed up with the IRS to access taxpayer transcripts under the Income Verification Express Service. Some of these vendors are large, well-known corporations, including credit reporting agencies and data and technology enterprises that perform other services for mortgage lenders. Others are little-known and small.

To sign up on the system, according to IRS instructions online, vendors must submit basic information about their business and check a box indicating that they have read and agree to comply with an IRS publication spelling out procedures to “Safeguard Taxpayer Data.”

The IRS provided no comment to my requests for information on the 4506-T program and potential vulnerabilities, nor would it say how many vendors participate in the tax transcript program. Industry sources said the number of vendors involved is significant.

So where are the potential problems here? Critics of the transcript system say that although there have been no reported breaches of taxpayer information to date, the relatively low bars set by the IRS to qualify and monitor third-party participants are troubling. In 2011, the Treasury Department’s Inspector General for Tax Administration conducted an investigation of the program and concluded that taxpayer information “is at risk of theft or misuse when taxpayers submit IVES requests for tax return information through third parties because controls are insufficient … .” A key problem, said the Inspector General, is that the IRS did not have an adequate “screening process” nor adequate “minimum requirements” to ensure security and privacy. In its response to the auditors, the IRS promised to make improvements, but in the absence of an IRS response to questions in the wake of the Get Transcript breach, it’s not clear how many of the reforms have been implemented.

Curtis R. Knuth, executive vice president of one major transcript vendor, New Jersey-based NCS, told me that his firm and others have urged the IRS to “toughen its standards” and security controls for participants, some of whom are subject to “very minimal screening.” Without stricter requirements, Knuth said, “there is the potential” for breaches of mortgage applicant tax data.

However, the head of another large vendor of tax transcripts, Nick Lim, CEO of California-based Veri-Tax LLC, said that while “there is no system that is bulletproof,” his company “prides (itself) on taking security seriously,” and that it completes annual audits designed to test data security to the highest standards. NCS also undergoes rigorous audits, Knuth said.

What to make of all this as a mortgage applicant? Could a loan application inadvertently open you to identity theft or worse? Based on the record so far, your tax data appears to be safe. Then again, the IRS — and thousands of taxpayers — thought the IRS’ own in-house tax transcript system was well-guarded from theft and fraud. That turned out to be incorrect.