CUNA Mutual Group Risk Alert: Remain Vigilant During Tax Season

The Internal Revenue Service (IRS) lists refund fraud on the 2018 Dirty Dozen list of tax scams. Credit unions should not let their guard down – particularly in light of large-scale data breaches which provided fraudsters with the personally identifiable information needed to file fraudulent tax returns.

Fraudsters attempt to commit tax refund fraud by filing tax returns under another person’s name and Social Security number. Refunds from these bogus returns are then typically deposited into member accounts as ACH credit transactions or as checks to be deposited or cashed.

Although identity theft-related tax refund fraud reported by the IRS has decreased over the last few years, the IRS kept it on its Dirty Dozen list of tax scams.

Credit unions should be on the lookout for tax refund red flags, such as:

  • Multiple tax refunds going into a single member’s account.
  • Incoming ACH refunds where the name doesn’t match the account number.
  • Suspicious presentment of refund checks, or large volume of refund checks, coming through a business member’s account.

Refer to FinCen’s advisory on tax refund fraud for a comprehensive list of red flags.

To help combat this fraud, the IRS limits the number of refunds that are electronically deposited into a single financial institution account or pre-paid debit card to three. The fourth and subsequent refunds automatically convert to a paper refund check to be mailed to the taxpayer.

With many fraud cases involving ACH (direct deposit), you should be familiar with rules and guidance on ACH transactions, particularly:

  • Credit unions can post incoming ACH tax refunds using the account number (there is no requirement to match the name on the account).
  • If you become aware of an ACH tax refund being misdirected to the wrong account, you are required to notify the government, which can be accomplished by returning the ACH entry using the return reason code, R03 (No Account/Unable to Locate Account).

Refer to chapter 2 of the Green Book, Misdirected Payments section.

Risk Mitigation
Credit unions should consider these mitigation tips:

  • Understand your obligations related to tax refund ACH credits where the name does not match the account number. It is recommended you return these transactions using the R03 return reason code.
  • Do not look for a different account to post the ACH credit, even if the name might be associated with another account number, or it appears to be an error. Your credit union assumes liability for any problems by not posting to the account number in the ACH entry. It is recommended you return the credit using the R03 return reason code.
  • Return ACH credit refunds to closed accounts using the R02 return reason code, Account Closed. Do not post it to another active account.
  • Be cautious in responding to member inquiries about their refund being deposited to another member’s account due to an error in the account number. If the funds are available in the other member’s account and you are aware of a mismatch, return the credit using the R03 return reason code. Refer the member to the IRS for questions on the status of their refund.
  • Contact your Regional Payments Association with questions on how to handle ACH transactions or returns.
  • File a Suspicious Activity Report (SAR) if you know or suspect potential tax refund fraud.
  • Educate front-line staff that frequently handle deposits about tax refund scams.

Risk Prevention Resources
Access CUNA Mutual Group’s Protection Resource Center at cunamutual.com for exclusive risk and compliance resources to assist with your loss control. The Protection Resource Center requires a User ID and password.