WASHINGTON—The IRS has delayed the Oct. 24 deadline for implementation of significant changes for credit unions and other lenders who use the Income Verification Express Service (IVES) to verify borrower income when underwriting mortgages, reported CUNA, which stated the move resulted from pressure from itself and other organizations.
Users of the IVES system would have been required to re-register and validate their identities through Secure Access authentication, with only one month between the announced changes and the Oct. 24 deadline, CUNA explained in a letter to the IRS.
“We are concerned that some components of the new IRS cybersecurity requirement, as well as the incredibly short implementation timeline, could create operational problems that might significantly impair consumer’s ability to obtain credit to purchase a home,” the letter reads.
CUNA stated that it has two concerns with the new requirement, the first being insufficient time to prepare. The second is that the IRS requirement is not a standard cybersecurity practice for business-to-business (or government) data exchanges.
“The IRS has designed a single cybersecurity process to cover IRS interactions with both individuals and computer systems. Best practices for cybersecurity are typically not the same for human interactions as they are for system-to-system data exchanges,” the letter reads. “The IRS solution is inefficient and unworkable for vendors that utilize system-to-system data exchanges with the IRS.”
The IRS called for the use of multifactor authentication through the use of mobile phones. While the practice has proven efficient for individual taxpayers or tax practitioners, CUNA said it believes the technique is not appropriate for system-to-system data exchanges.
This is due to existing “clean room” policies at many financial institutions that prohibit the presence of mobile phones, as well as the onerous requirement that could lead to hundreds of mobile verifications being necessary per day, CUNA explained.
According to the IRS, a new implementation date for the changes has not been set, and the agency will spend the next few weeks in discussions with key stakeholders affected by potential changes to discuss security protocols and the next steps in the process, reported CUNA, adding that the IRS stated Friday that it will share any information on a new effective date with e-Services users once a new effective date is set.