Welcome to CPA at Law, helping individuals and small businesses plan for the future and keep what they have.

This is the personal blog of Sterling Olander, a Certified Public Accountant and Utah-licensed attorney. For over nine years, I have assisted clients with estate planning and administration, tax mitigation, tax controversies, small business planning, asset protection, and nonprofit law.

I write about any legal, tax, or technological information that I find interesting or useful in serving my clients. All ideas expressed herein are my own and don't constitute legal or tax advice.

Tax Refund Fraud

To continue the theme of my last post, this post discusses a specific type of identity theft: tax refund fraud. According to NBC News (and which I can verify from my own experience), all it takes to be able to electronically file a fraudulent tax return in someone else's name is a matching name, birth date, and social security number. With that information, all a thief needs to do is fabricate some wages and an employer, report a bogus tax withholding amount, and the difference between those two numbers will be refunded however the thief directs. This works because, to quote NBC:
By law, the tax-refund system as it is currently constituted amounts to a "pay first, ask questions later" system... In other words, an imaginative crook in possession of the three basic items of a person's identity could... get the money within 30 days—the amount of time the law says that the agency must refund tax filers.
Actually, by entering their own direct deposit information on the fraudulent return, the thief could get the refund in a couple days and not have to worry about trying to cash a refund check in the victim's name. Alternatively, a patient thief could paper file a fraudulent return and not even need the victim's birth date since that is not requested on the tax form itself.

The only obstacle to success in this crime is a voluntary program whereby some financial institutions can refuse to deposit a tax refund into an account on which there is a different name from the taxpayer. But not all institutions perform this cross check. Here is some Q&A from the Bureau of the Fiscal Service, a division of the Treasury that operates the federal government's deposit systems:
Can an RDFI [Receiving Depository Financial Institution] rely strictly on the account number in the ACH Entry Detail Record when posting a tax refund payment to a customer's account?

Yes, an RDFI may post IRS tax refunds received through the Automated Clearing House (ACH) network using the account number only....

Is an RDFI liable for an IRS tax refund sent to an account that does not belong to the named or intended recipient?

No. An RDFI is not liable for an IRS tax refund sent through the ACH network to an erroneous or fraudulent account since the IRS provided incorrect account information.
In other words, the IRS is required by law to authorize a refund before verifying if it is legitimate, and the Bureau of the Fiscal Service will authorize the deposit into any account reported to them by the IRS. The bank has no obligation to verify that the name on the refund destination account matches the name of the taxpayer. The real taxpayer will be left to clean up the mess when they discover they can't file their own return. Of course, the thieves will likely be caught after the fact, but the moral of the story is to avoid the mess by protecting your personal identification information and filing your tax return early.