Agencies look to digital financial outlets to disburse relief funds

The Treasury Department and Small Business Administration are scrambling to pay out hundreds of billions of dollars in stimulus checks to individuals and in small business loans, but the desire for speed may be leaving the process open to cybersecurity vulnerabilities and fraud.

The Coronavirus Aid, Relief and Economic Security (CARES) Act creates new economic impact payments of up to $1,200 for individuals as well as an additional $500 per child. For about 80% of taxpayers who already file and receive their tax refunds through direct deposit, those payments will come automatically through the same electronic transfer system that is used to distribute Social Security and Veterans Affairs benefits.

Millions of Americans who didn't file federal taxes over the past two years or who don't have traditional bank accounts must get their money another way.

Paper checks could take months to process and deliver according to Treasury Department estimates.

To get the money in the hands of Americans sooner, the IRS unveiled a new web tool that allows non-filers to apply to receive their stimulus checks digitally, either straight to their bank account or through online payment services like PayPal, Venmo and CashApp.

However, without any additional protections or protocols in place, the potential for fraud or identity theft could be high. In order to qualify for a payment, the IRS tool asks individuals to provide proof of identity in the form of their name, date of birth, Social Security number, mailing address, email address and bank account, type and routing numbers. Other identifiers, such as a valid state driver's license or an IRS Identity Protection PIN, are also accepted but are not required.

Even before the CARES Act was signed into law, the Federal Trade Commission and the Federal Deposit Insurance Corporation were warning consumers on the likelihood of scammers trying to impersonate official organizations in order to obtain credentials to divert relief funds.

Experts and government watchdogs believe that relying on such "knowledge-based" authenticators -- like Social Security numbers and date of birth -- is no longer useful or appropriate, since an explosion of hacks targeting private companies over the years has led to such information becoming widely available for sale on the internet.

Eva Velasquez, president and CEO of the non-profit Identity Theft Resource Center, told FCW that her organization has not received complaints from taxpayers about stimulus-related fraud yet, but it expects to in the coming weeks and months, particularly if the IRS is just relying on the personally identifiable information described in the online tool.

The vulnerabilities in relying on "static PII" to authenticate applicants' identities are the same as they are for regular tax fraud, but even more prevalent in an environment where the government is looking to quickly get funds to those who need them.

"I do think we are choosing speed over caution … and there are legitimate arguments for why one is better than the other," she said. "It's really hard to say we need to be really cracking down on fraud and stopping these payments over every tiny discrepancy because there could be legitimate reasons for them."

Velasquez said agencies like IRS should also be utilizing their existing fraud analytic systems to monitor the payments where possible and ensure they are sharing data with agencies who deal with populations that disproportionately make up non-filers, like veterans and low-income Americans.

The IRS has not responded to requests for comment from FCW about what else it may be doing to track or mitigate fraud related to non-filer stimulus payments.

Tax fraud using PII continues to be a significant problem. According to an interim Treasury audit released this week, the IRS has reported 30,038 fraudulent tax returns totaling $135.6 million in refunds so far this tax filing season. The tax agency also claims its fraud detection protocols prevented 98% of those returns. However, the Government Accountability Office warned last month that the agency's fraud technology must be updated as it continues to rely too much on PII about Americans to authenticate their identities.

Further, some online payment service apps may not have the same identity-authentication or cybersecurity controls in place that are more common in the heavily regulated banking industry. PayPal has issued online guidance detailing how users can get paid through PayPal Cash or credit cards and recently announced it has received approval from SBA to disperse small business loans through the platform.

The CARES Act also sets aside $350 billion for guaranteed loans to small businesses to help them keep workers on payroll during the economic downturn caused by the outbreak.

SBA will be responsible for dispersing nearly $350 billion in guaranteed loans to help small businesses deal with the economic fallout of the coronavirus pandemic. The explicit goal of the legislation, as detailed in a corresponding interim regulation, is to "provide relief to America's small businesses expeditiously" by giving all lenders delegated authorities and streamlining regular loan program requirements. The rule also specifies that SBA will allow lenders to "rely on certifications of the borrower in order to determine eligibility."

In order to be eligible for the Paycheck Protection Program, businesses are asked to submit payroll processor records, payroll tax filings and other documentation. However, borrowers who don't have those records can also provide other supporting documentation, such as bank records that are "sufficient to demonstrate the qualifying payroll amount," and businesses can use electronic signatures or consents regardless of the number of owners.

The rule states borrowers who knowingly use the program's funds for unauthorized purposes could be charged with fraud, but it relies almost entirely on self-certification from businesses that the funds will be used properly. Newly approved lenders under the program aren't obligated to check any further, though they are encouraged to set up anti-money laundering compliance programs if they haven't already.

Velasquez said her organization views fraud mitigation between the government and online payment apps as "a shared responsibility" and wondered how the process would differentiate when an applicant's PII and online service account don't match, noting there could be legitimate reasons behind the discrepancy. At press time, PayPal had not responded to questions from FCW about what it may be doing to further combat or mitigate fraud while processing stimulus checks or small business loans.