CUNA Mutual Emerging Risk Alert: Defend Against Tax Refund Fraud

Tax fraud scams and identity theft is at a higher risk during tax filing season with fraudsters looking to claim bogus refunds. The Internal Revenue Service (IRS) and financial institutions have made substantial progress in the battle against identity theft-related tax refund fraud; however, credit unions and credit union members should remain vigilant in recognizing potential tax refund fraud.

Identity theft and other scams tend to be higher risk during the tax refund season. In fact, recent large-scale data breaches have provided fraudsters with the crown jewels of personally identifiable information that can be used to file fraudulent tax returns. During the tax fraud season, you may see fraudsters:

  • File fraudulent tax returns early in the tax filing season and have the refunds electronically deposited to accounts at credit unions via ACH;
  • Open fraudulent accounts at credit union for depositing the tax refunds; and
  • Convince an existing member to receive fraudulent refunds to their credit union account and forward the proceeds to the fraudster.

Be on the lookout for multiple tax refunds via ACH credits going into a single member’s account where the name does not match the account number.

To curtail ID theft related tax refund fraud, the IRS limits the number of refunds electronically-deposited to a single account or prepaid debit card to three. The fourth and subsequent refunds automatically convert to a paper refund check to be mailed to the taxpayer.

Credit unions receiving tax refunds via ACH are allowed to post the transaction by relying strictly on the account number in the ACH entry. There is no requirement to determine if the name contained in the ACH entry matches the name on the account. Federal law requires government benefit payments to be deposited into accounts in the name of the recipient or beneficiary, but it is not your responsibility to proactively identify discrepancies. However, if you are aware of a discrepancy where the name does not match the account number, you are required to notify the Department of Treasury.

The simplest way to send the notification is to return the ACH entry using the return reason code R03, No account/Unable to Locate Account. To understand your responsibilities for Federal government payments via ACH, refer to chapter 2 of the Green Book, Misdirected Payments section.

Risk Mitigation
Credit unions should consider these controls:

  • Understand your responsibilities to return tax refunds received via ACH if you notice the name does not match the account number. These entries should be returned using return reason code R03;
  • Do not attempt to resolve mismatches by looking for a different account to post the ACH credit, even if the name is associated with a different account number, or appears to be an error. Your credit union assumes liability by posting the ACH credit to a different account number;
  • Return ACH credit refunds to closed accounts using return reason code R02, Account Closed;
  • Due to privacy concerns, exercise caution in responding to member inquiries if their refunds were deposited to another member’s account. If the funds were deposited to another member’s account and you are aware of a name mismatch, you should return the ACH credit using return reason code R03;
  • File a Suspicious Activity Report (SAR) if you know or suspect potential tax refund fraud; and
  • Contact your Regional Payments Association should you have questions on handling ACH transactions or returns.

Risk Prevention Resources

Access CUNA Mutual Group’s Protection Resource Center at for exclusive risk and compliance resources to assist with your loss control. The Protection Resource Center requires a User ID and password. To learn more, review these resources: