In response to pressure from CUNA and other organizations, the Internal Revenue Service (IRS) has decided to delay the Oct. 24 deadline for implementation of significant changes for credit unions and other lenders who use the Income Verification Express Service (IVES) to verify borrower income when underwriting mortgages.
Users of the IVES system would have been required to re-register and validate their identities through Secure Access authentication, with only one month between the announced changes and the Oct. 24 deadline.
“We are concerned that some components of the new IRS cybersecurity requirement, as well as the incredibly short implementation timeline, could create operational problems that might significantly impair consumer’s ability to obtain credit to purchase a home,” the letter reads.
CUNA has 2 concerns with the new requirement, the first being insufficient time to prepare. The second is that the IRS requirement is not a standard cybersecurity practice for business-to-business (or government) data exchanges.
“The IRS has designed a single cybersecurity process to cover IRS interactions with both individuals and computer systems. Best practices for cybersecurity are typically not the same for human interactions as they are for system-to-system data exchanges,” the letter reads. “The IRS solution is inefficient and unworkable for vendors that utilize system-to-system data exchanges with the IRS.”
The IRS called for the use of multifactor authentication through the use of mobile phones. While the practice has proven efficient for individual taxpayers or tax practitioners, CUNA believes the technique is not appropriate for system-to-system data exchanges.
This is due to existing “clean room” policies at many financial institutions that prohibit the presence of mobile phones, as well as the onerous requirement that could lead to hundreds of mobile verifications being necessary per day.
According to the IRS, a new implementation date for the changes has not been set, and the agency will spend the next few weeks in discussions with key stakeholders affected by potential changes to discuss security protocols and the next steps in the process.
The IRS stated Friday that it will share any information on a new effective date with e-Services users once a new effective date is set.