Student Aid

FAFSA Tax Info Transfer Tool Down Until October

• By Dian Schaffhauser
• 05/10/17

A tool that makes it easier for students to apply for federal financial aid won't be back up until Oct. 1, 2017. However, the Free Application for Federal Student Aid or FAFSA itself is still up and running.

The specific problem pertains to the Internal Revenue Service data retrieval tool, which provides tax data automatically to fill in parts of the FAFSA form. It's also used to fill in fields on the income-driven repayment (IDR) plan application for federal student loan borrowers. The IRS turned off the data retrieval tool after discovering that it was being hacked by identity thieves to file fraudulent tax returns.

In its place, FAFSA applicants need to enter their family's tax information manually. For the 2017–2018 academic year, the form requires tax information from 2015.

In written testimony to the House Oversight Committee, James Runcie, chief operating officer of the U.S. Department of Education's Office of Federal Student Aid, told committee members that the department had been receiving about 500 more customer inquiries a day related to the tool than before it was taken offline in early March. The department is focused on getting the tool up and running for the 2018–2019 aid cycle, which begins on Oct. 1.

Runcie wrote that the use of the tool "saves time and ensures greater accuracy of applicants' information." Each year, of the 20 million FAFSA forms submitted, about half use the DRT to transfer their tax information from the IRS; roughly 4.5 million borrowers use the DRT for their IDR plan applications.

However, in October 2016, the IRS contacted FSA about a potential vulnerability it identified with the DRT after performing a broad review to assess the security of taxpayer interactions with IRS systems. The challenge at that time was to come up with the best way to minimize the vulnerability "without causing a major disruption to students, parents, and borrowers," he explained. The IRS and FSA agreed to keep the DRT operational while the IRS increased monitoring of the tool for suspicious activity. The goal: to reduce the risk of exposing tax return information and other personally identifiable information associated with the DRT without limiting access to the FAFSA.

But by early March, the IRS had identified specific suspicious activity related to the DRT. It alerted FSA and stopped the use of DRT. FAFSA wasn't the target, Runcie told lawmakers. Criminals were using personal information obtained illegally from other sources — including name, Social Security number, date of birth, address and tax filing status — to start filling out FAFSAs. Then they used the DRT to access taxpayer information from the IRS, including the adjusted gross income, which was needed to file a fraudulent tax return.

While the IRS and FSA work out an "acceptable solution" to the vulnerability, FSA has used "multiple platforms" — contact centers, web announcements, social media, e-mail to school people, state memos and other forms — in an attempt to get the word out that FAFSA itself isn't broken; just the tool that helps transfer income information into FAFSA.

Once enhancements are made to encrypt or mask the sensitive data, Runcie stated, the IRS DRT will be reactivated. That's expected by the beginning of October.