Executive Summary: U.S. lenders lost $3.3 billion to suspected synthetic identities tied to new accounts in 2024, and a significant share of those losses trace back to one failure: nobody verified whether the business name matched the tax ID on file with the IRS.[1] A TIN/EIN verification API automates that check in seconds, confirming that a business name and Employer Identification Number pairing is legitimate by querying IRS records in real time. This guide covers how TIN/EIN verification APIs work, how the IRS TIN matching system operates under the hood, what response codes mean for your underwriting rules, and how to integrate automated tax ID validation into your lending or compliance workflow.
What Is a TIN/EIN Verification API and Why Do Lenders Need One?
A TIN/EIN verification API is a programmatic interface that validates whether a submitted business name and Employer Identification Number (EIN) match IRS records. The API accepts two inputs, a business name and a nine-digit EIN, and returns a match or no-match result along with an IRS response code that explains the outcome.[2]
For alternative lenders, MCA providers, and fintech platforms processing thousands of applications per month, this check is a critical layer in the underwriting stack. A mismatched EIN and business name is one of the strongest fraud signals available, particularly for detecting synthetic identity fraud where bad actors pair a real EIN with a fabricated business name.[3]
Why Can't Lenders Just Use the IRS TIN Matching Portal Directly?
The IRS does offer a free TIN matching program through its e-Services portal, but it comes with significant limitations for high-volume operations.[4] The interactive mode caps lookups at 25 name/TIN combinations per request with a maximum of 999 requests per 24-hour period. The bulk mode handles up to 100,000 combinations, but results take up to 24 hours to return.[5] Neither option integrates into an automated underwriting pipeline.
A TIN/EIN verification API solves this by wrapping the IRS validation into a synchronous API call that returns results in seconds, maps cleanly to automated decision rules, and scales to the volume your operations demand.
What Is the Difference Between a TIN and an EIN?
A Taxpayer Identification Number (TIN) is the umbrella term the IRS uses for all tax identification numbers, including Social Security Numbers (SSNs), Individual Taxpayer Identification Numbers (ITINs), and Employer Identification Numbers (EINs). An EIN is the specific TIN type assigned to business entities. When lenders refer to "TIN verification" in the context of business lending, they almost always mean EIN verification, confirming that a business entity's name matches its EIN in IRS records.[6]
How Does the IRS TIN Matching System Actually Work?
Understanding the IRS matching logic helps you interpret API results correctly and build better decisioning rules around them.
What Is IRS Name Control Matching?
When a business files Form SS-4 to obtain an EIN, the IRS creates a "name control" derived from the first four characters of the legal business name. Every subsequent TIN match request compares the submitted name against this stored name control.[7] This means:
• Legal suffixes matter. "Acme Corp" and "Acme Corporation" may produce different name controls. The IRS matches against the name exactly as filed on the SS-4.
• Abbreviations cause mismatches. If a business filed as "Johnson & Associates LLC" but applies for a loan as "Johnson and Associates," the name control comparison may fail.
• Only ampersands and hyphens are allowed as special characters in the name control. All other special characters are stripped.[8]
What Do IRS TIN Matching Response Codes Mean?
The IRS returns numeric response codes that map directly to underwriting actions:
• Code 0: TIN and name match IRS records. Proceed with verification. The business identity is confirmed.
• Code 1: TIN not issued. The EIN does not exist in IRS records. This is a hard rejection signal, as the applicant is using a fabricated or invalid EIN.[9]
• Code 2: TIN issued, but name does not match. The EIN exists but is registered to a different business name. Request a W-9 from the applicant. This could indicate a legitimate name change or a fraud attempt.
• Code 3: TIN not matched due to incomplete IRS records. Manual verification is required. The IRS cannot confirm or deny the match.
• Codes 4 through 8: Various IRS-specific conditions. These cover scenarios like incorrect name type, IRS processing errors, and system limitations. Consult IRS documentation for details.[10]
For most lending operations, codes 0, 1, and 2 drive the majority of automated routing. Code 0 is a green light. Code 1 is an auto-decline. Code 2 triggers a manual review workflow to determine whether the mismatch is benign (name change, DBA filing) or malicious (identity fraud).
How Does TIN/EIN Verification Prevent Synthetic Identity Fraud?
Synthetic identity fraud is the fastest-growing financial crime category, with U.S. lenders exposed to $3.3 billion in suspected synthetic identities in the first half of 2024 alone.[1] In business lending, synthetic fraud takes a specific form: a bad actor registers a shell entity, obtains or fabricates an EIN, and applies for funding using a business name that does not match IRS records.
Where Does TIN Verification Fit in a Fraud Prevention Stack?
TIN/EIN verification catches a specific fraud pattern that other checks miss. Secretary of State verification confirms that a business entity is registered and active in a given state. But an entity can be active on state records while using someone else's EIN, or an EIN that was never issued. The IRS check adds a second identity layer that confirms the business is who it claims to be, not just that it exists.[3]
The most effective verification stack pairs these two checks sequentially:
1. Secretary of State API confirms the business is registered, active, and in good standing.
2. TIN/EIN Verification API confirms the business name and EIN match IRS records.
3. Result: Two-factor business identity verification. The entity is both legally active and identity-confirmed.
This is especially critical for alternative lenders who fund quickly. A merchant cash advance provider processing same-day funding does not have the luxury of manual W-9 review cycles. The API call takes seconds, and the IRS response code maps directly to a pass/fail decision rule.
"This was an area of the business that was completely manual still, sort of the Achilles heel." Joe Salvatore, Chief Risk Officer, Idea Financial
What Does a TIN/EIN Verification API Request and Response Look Like?
For CTOs and engineering leads evaluating a TIN verification integration, here is what the API interaction looks like in practice.
API Request Example
curl --location 'https://apigateway.cobaltintelligence.com/tinVerification?tin=123456789&businessName=Acme%20Corp' \
--header 'Accept: application/json' \
--header 'x-api-key: Your_API_Key'The endpoint requires two parameters: `tin` (the nine-digit EIN, formatted without dashes) and `businessName` (the legal business name as filed with the IRS). Authentication uses a standard API key passed in the header.
API Response Example (Match)
{
"name": "ACME CORPORATION",
"tin": "123456789",
"status": "Match",
"irsCode": 0,
"irsReason": "TIN and Name combination match IRS records",
"irsServiceStatus": "Available",
"lastIRSCheckDate": "2026-01-21T14:30:00Z"
}API Response Example (No Match)
{
"name": "ACME CORPORATION",
"tin": "123456789",
"status": "No Match",
"irsCode": 2,
"irsReason": "TIN issued but name does not match IRS records",
"irsServiceStatus": "Available",
"lastIRSCheckDate": "2026-01-21T14:31:00Z"
}What Response Fields Matter Most for Automated Decisioning?
• `irsCode` is the primary field for building routing logic. Code 0 proceeds, Code 1 rejects, Code 2 routes to manual review.
• `irsServiceStatus` tells you whether the IRS system is currently accessible. If "Unavailable," retry later rather than making a decision without the check.
• `lastIRSCheckDate` provides a timestamp for audit trails. This is the moment the IRS system was queried, not a cached result from hours or days ago.
The response is synchronous for most requests (under 5 seconds), with no need for callback URLs or polling. Integration typically takes 3 to 5 days for engineering teams already working with REST APIs.
Get your API key and test TIN verification in sandbox mode. No credits consumed during testing.
How Do Manual, Batch, and API TIN Verification Approaches Compare?
Not every organization is ready for real-time API integration. Here is how the three primary TIN verification approaches stack up for lending operations.
Manual W-9 Collection and IRS Portal Lookup
The traditional approach: collect a W-9 from every applicant, log into the IRS e-Services portal, and manually enter the name/TIN combination.
• Speed: Minutes per lookup, 24 hours for bulk batches.
• Volume limit: 25 interactive lookups per request, 999 per day.[4]
• Integration: None. Results must be manually entered into your loan management system.
• Error rate: Human data entry introduces transcription errors. Mistyped EINs or name variations cause false mismatches.
• Cost: Staff time at $25 to $40 per hour. At 5,000 applications per month, this is a full-time position dedicated to TIN checks alone.
Batch TIN Verification Services
Third-party services like TINCheck, Tax1099, and REALSearch accept spreadsheet uploads and return results in bulk, typically within minutes to hours.[11]
• Speed: Minutes for small batches, hours for large batches.
• Volume limit: Up to 100,000 per batch with most providers.
• Integration: File upload and download. Some offer API access as an add-on.
• Error rate: Lower than manual, but batch processing introduces latency. A TIN check that returns results 4 hours after the application was submitted may be too late for same-day funding operations.
• Cost: Per-lookup pricing, typically $0.10 to $1.00 per check depending on volume.
Real-Time API TIN Verification
An API like Cobalt Intelligence's TIN/EIN Verification endpoint processes each lookup in real time, returning results in under 5 seconds as part of an automated underwriting pipeline.
• Speed: Under 5 seconds per lookup.
• Volume limit: No per-request caps. Scale to your application volume.
• Integration: REST API with JSON responses. IRS codes map directly to automated routing rules.
• Error rate: Minimal. Parameters are validated before submission. No human transcription errors.
• Cost: Credit-based pricing (3 credits per lookup). Predictable unit economics at any volume tier.
[TABLE-1]
For lenders processing more than 1,000 applications per month, the real-time API approach eliminates the verification bottleneck entirely. One operations leader at a high-volume MCA provider estimated that manual SOS and TIN lookups consumed 175 or more hours per month across their team before switching to API automation.
What Compliance Requirements Does TIN/EIN Verification Address?
TIN verification is not optional for many financial operations. Federal tax law creates specific obligations around verifying taxpayer identification numbers, and the penalties for non-compliance are escalating.
How Does Backup Withholding Connect to TIN Verification?
Under IRS Section 3406, payers of reportable payments must withhold 24% of payments when the payee's TIN is missing or incorrect.[12] If the IRS sends a CP2100 or CP2100A notice indicating a TIN mismatch on a filed 1099, the payer must begin backup withholding immediately.[13]
For lenders issuing 1099 forms to borrowers (common in MCA and revenue-based financing), verifying the TIN before funding prevents costly backup withholding scenarios. Catching a mismatch before the 1099 is filed is dramatically cheaper than dealing with IRS notices after the fact.
What Are the Penalties for Incorrect TIN Submissions?
The IRS penalty structure for incorrect information returns continues to increase:[14]
• $60 per form if corrected within 30 days of the due date.
• $120 per form if corrected after 30 days but before August 1.
• $310 per form if not corrected by August 1 or not filed at all.
• Intentional disregard: $630 per form with no annual cap.
For a lender filing 5,000 1099s per year, even a 5% TIN error rate results in 250 incorrect forms. At the highest penalty tier, that is $77,500 in avoidable fines. Pre-filing TIN verification eliminates this exposure entirely.
How Does TIN Verification Support BSA/AML Compliance?
Beyond tax reporting, TIN/EIN verification supports Bank Secrecy Act and anti-money laundering requirements. FinCEN's Customer Due Diligence (CDD) rule requires financial institutions to verify the identity of beneficial owners and the legal entity itself.[15] A confirmed TIN match provides documented evidence that the entity's tax identity was verified against IRS records at the time of onboarding, creating an audit trail that examiners expect to see.
Combined with Secretary of State verification and OFAC sanctions screening, TIN verification completes the core KYB (Know Your Business) compliance stack. Learn more about building a full verification workflow in our guide to business verification APIs for alternative lenders.
Talk to our team about building a compliance-ready verification stack with TIN, SOS, and OFAC APIs.
How Should Engineering Teams Integrate TIN/EIN Verification Into Their Stack?
Integration is straightforward for teams already working with REST APIs, but there are implementation details that affect accuracy and reliability.
What Are the Integration Best Practices?
• Strip dashes from EINs before submission. Send `123456789`, not `12-3456789`. The API expects a nine-digit string with no formatting characters.
• Use the full legal name including suffixes. The IRS matches against the name filed on the SS-4. "Johnson LLC" and "Johnson" are different name controls. Include Inc., LLC, Corp., and other legal designators exactly as the business registered them.
• Check `irsServiceStatus` in every response. The IRS TIN matching system has scheduled maintenance windows and occasional outages. If the status returns "Unavailable," queue the check for retry rather than skipping it.
• Map IRS codes to automated routing rules. Code 0 proceeds. Code 1 auto-declines. Code 2 routes to a manual review queue with a W-9 request. Code 3 flags for manual investigation. Codes 4 through 8 log for exception handling.
• Pair with SOS verification in a sequential workflow. Run the Secretary of State check first (1 credit) to confirm the entity exists and is active. If active, run the TIN/EIN check (3 credits) to confirm identity. This sequence avoids spending TIN credits on entities that are already dissolved or suspended.
What Does the Integration Timeline Look Like?
Typical integration takes 3 to 5 days for a development team familiar with REST APIs. The process follows four steps:
1. Get your API key from the Cobalt Intelligence dashboard.
2. Test with sandbox mode using the `test=complete` parameter. No credits are consumed during testing.
3. Implement response handling for all IRS codes. Build routing logic for Code 0 (proceed), Code 1 (reject), Code 2 (manual review), and Codes 3 through 8 (exception handling).
4. Go live by removing the `test` parameter. Monitor `irsServiceStatus` and build retry logic for unavailability windows.
For a deeper technical comparison of verification API options, see our complete guide to business verification APIs for alternative lenders.
How Does TIN/EIN Verification Fit Into a Complete Business Verification Workflow?
TIN verification is most powerful when combined with other verification checks in a layered workflow. No single check catches every fraud pattern or satisfies every compliance requirement.
What Does a Full Verification Stack Look Like?
The most common verification sequence for alternative lenders combines four checks:
• Step 1: Secretary of State API. Confirm the business is registered, active, and in good standing in its claimed state. Returns entity status, filing date, officer names, and a timestamped screenshot for audit files. (1 credit)
• Step 2: TIN/EIN Verification API. Confirm the business name and EIN match IRS records. Returns IRS match code for automated routing. (3 credits)
• Step 3: UCC Filing Data API. Check for existing liens and secured interests. Reveals whether other lenders already hold priority positions. (1 credit, 11 states)
• Step 4: OFAC Sanctions Check API. Screen the business and its officers against the Treasury Department's SDN list for BSA/AML compliance. (1 credit)
This four-step stack costs 6 credits per application and typically completes in under 30 seconds for Steps 1 through 4 combined (with cached SOS data for pre-screening).
For lenders in the construction sector or those verifying professional service firms, adding the Contractor License Verification API and Court Records API extends the stack further. Read more about how TIN/EIN verification catches synthetic identity fraud before you fund.
Why Is Primary Source Data Critical for TIN Verification?
Many verification providers cache IRS data and return results from their own databases. This introduces staleness risk. A business could change its legal name with the IRS, and cached data would still show the old name as a match for weeks or months.
Cobalt Intelligence's TIN/EIN Verification API connects directly to the IRS TIN matching system in real time. Every request queries the IRS, not a cache. The `lastIRSCheckDate` field in the response confirms when the IRS was queried, giving your compliance team a defensible timestamp for audit purposes.[16]
This distinction matters most for compliance-sensitive operations where examiners will ask: "When was this TIN verified, and against what source?" A timestamp from an IRS query is a stronger audit artifact than a match against a third-party cache of unknown freshness.
Ready to automate TIN/EIN verification? Get your API key and start testing today.
What Are the Known Limitations of TIN/EIN Verification APIs?
Honest positioning builds trust with technical buyers. Here is what TIN/EIN verification does not do:
• It is validation only, not discovery. You must provide both a business name and an EIN. The API cannot search by EIN alone or discover unknown EINs. If you need to find a business's EIN, that is a different data product.
• Exact name matching is required. The IRS name control algorithm is strict. If the applicant provides a DBA name instead of the legal name filed on the SS-4, the check will return Code 2 (name mismatch) even though the EIN is valid. Your workflow should account for this by requesting the exact legal name on the application.
• No business enrichment data. The TIN check returns only match status and IRS codes. It does not return business details like address, officer names, or filing dates. For that data, use the Secretary of State API.
• IRS system availability. The IRS TIN matching system has maintenance windows and occasional outages. The `irsServiceStatus` field indicates current availability. Build retry logic for "Unavailable" responses.
• 3 credits per lookup. TIN verification costs three times what a basic SOS lookup costs, reflecting the direct IRS connection. Optimize by running SOS first and only checking TIN for entities that pass the initial entity status check.
.jpg){kind=small}
.png)