Executive Summary: Synthetic identity fraud cost U.S. lenders over $3.3 billion in recent exposure tied to new accounts, and 44% of financial institutions now rank it as their top fraud type by case volume.[1] For alternative lenders processing hundreds or thousands of applications per month, a Secretary of State check confirms the entity exists, and a credit pull reveals payment history. But neither one answers a fundamental question: does this business name actually belong to this EIN according to the IRS? TIN/EIN verification fills that gap by anchoring the applicant's claimed identity to federal tax records in real time, catching mismatches that SOS data and credit reports were never designed to detect.
Why Is Synthetic Identity Fraud the Fastest-Growing Threat in Business Lending?
How Do Fraudsters Create Synthetic Business Identities That Pass Standard Underwriting?
A fraudster does not need to steal an entire identity. They only need to assemble enough legitimate data points to construct an entity that passes surface-level checks. According to the Federal Reserve Financial Services, criminals register a "business" with a state agency online, where the lack of in-person verification makes it easier to submit fabricated information, then apply for an EIN from the IRS.[2] The result is a shell entity with a valid state registration, a legitimate EIN, and no real commercial activity.
Sumsub reported a 311% increase in synthetic identity document fraud between Q1 2024 and Q1 2025, driven by AI tools that generate convincing business documents.[3] These synthetic entities pass SOS lookups because the state registration is real and pass basic EIN checks because the EIN was legitimately issued. With the average charged-off loss per synthetic identity reaching $13,000 according to Equifax, what they cannot pass is a TIN/EIN verification that cross-references the business name against IRS records.[1]
• State registration exploit. Online filing systems do not verify whether the person forming the entity has any connection to the EIN they claim. A fraudster can register "ABC Capital LLC" in Delaware while using an EIN issued to a completely different business.[2]
• EIN recycling. Criminals obtain EINs from dissolved or dormant businesses. The EIN is valid in IRS systems, but the name does not match the applicant's claimed business name.
• Document fabrication at scale. AI-generated W-9 forms and operating agreements appear legitimate during manual review but collapse under automated TIN verification.[3]
• Credit file manipulation. Synthetic entities build thin credit files through authorized user tradelines, creating enough history to pass automated credit checks.
What Does an EIN/Name Mismatch Actually Reveal About an Applicant?
When the IRS returns a code 2 response (TIN issued, name does not match), it means the business name on the loan application does not match the name the IRS has on file for that EIN. Legitimate businesses rarely have name mismatches with the IRS because they filed a specific legal name on their SS-4 form.
If an applicant claims to operate under an EIN but uses a different business name, one of three things is true: an innocent error (wrong legal suffix, abbreviation mismatch), a name change not updated with the IRS, or the applicant is using an EIN that belongs to a different entity entirely. For a VP of Risk, the EIN/name mismatch is a triage signal that demands additional scrutiny before funding.
How Much Is Manual W-9 Validation Costing Your Underwriting Team?
What Does the Manual EIN Verification Process Actually Look Like?
The IRS offers two manual paths. Interactive TIN Matching accepts up to 25 name/TIN combinations with real-time results.[4] Bulk TIN Matching accepts up to 100,000 combinations but takes 24 to 48 hours.[5] For an underwriting team, neither fits:
• Interactive matching caps at 25. At 2 to 3 minutes per lookup including portal navigation, 25 verifications consume over an hour.
• Batch matching introduces delay. Overnight waits break the same-day funding timelines that MCA and alternative lending markets demand.
• No system integration. Manual results must be copied into the lender's CRM or LOS, creating data entry errors and documentation gaps.
• Authentication overhead. The IRS portal requires separate credentials and sessions time out after inactivity.
"Sometimes the name is written wrong," noted one CTO at a lending infrastructure platform, describing the data quality challenges that manual processes amplify rather than resolve.[6]
Why Does Manual Verification Break Down at Scale?
The math is unfavorable. A lender processing 500 applications per month who verifies every TIN manually spends approximately 25 to 30 hours per month on verification alone. At 2,000 applications, that number approaches 100 hours per month, more than half an FTE dedicated entirely to typing names into an IRS portal.
When verification cannot keep pace with application volume, one of two things happens: either the lender slows down funding (losing deals to faster competitors) or the lender starts skipping verification steps (increasing fraud exposure). Manual verification also creates inconsistent documentation; when an audit requires a verification trail, the quality depends entirely on individual analyst discipline rather than systematic recording.
What Are the IRS Penalties for Getting 1099 Reporting Wrong?
TIN verification is not only a fraud prevention tool. It is a compliance requirement for any lender that reports payments on IRS Form 1099. Filing a 1099 with an incorrect TIN triggers penalties and obligations that most alternative lenders do not fully account for in their risk models.
How Does an Incorrect TIN Create Backup Withholding Obligations?
When the IRS identifies a name/TIN mismatch on a filed 1099, it issues a CP2100 or CP2100A notice to the payer.[7] Upon receiving the notice, the payer must:
• Send a First B Notice and a W-9 form to the payee within 15 business days.[8]
• Begin backup withholding at 24% on all reportable payments if the payee does not respond within 30 business days.[9]
• Send a Second B Notice if the same payee appears on a CP2100/CP2100A notice again within three years, at which point the payee must contact the IRS directly to resolve the issue.
The 24% backup withholding rate applies to the full payment amount. For alternative lenders making commission payments, referral fees, or interest payments reported on 1099s, this creates significant cash flow complications for both the lender and the payee.
What Is the Difference Between TIN Verification and 1099 Filing?
TIN verification happens before or during onboarding; 1099 filing happens after the fact. The penalty structure for information return errors follows a tiered system:[10]
• $60 per return if corrected within 30 days of the filing deadline
• $130 per return if corrected after 30 days but before August 1
• $330 per return if not corrected by August 1 or not filed at all
• $50 per instance for failure to provide the correct TIN
For a lender filing 1,000 information returns per year, even a 5% TIN error rate means 50 incorrect returns. At the highest penalty tier, that is $16,500 in penalties that pre-filing TIN verification would have caught entirely.
Why Is SOS Verification Alone Not Enough to Confirm Business Identity?
What Does Secretary of State Verification Confirm, and What Does It Miss?
Secretary of State verification confirms entity name, formation date, registered agent, and standing. For alternative lenders, the SOS API verification process confirms you are lending to a real, active entity.[11]
However, SOS data has a structural limitation: states do not collect or verify EINs. A business can register with a state without providing a federal tax ID, or can provide one that the state never cross-references against IRS records. A fraudster can create a legitimately registered state entity with a stolen EIN, and the SOS check will return a clean result. As the 50-state business entity verification guide documents, none of the 50 states verify EIN/name matches as part of their registration process.
How Does Two-Factor Business Identity Verification Work in Practice?
Two-factor business identity verification pairs state-level entity confirmation with federal-level tax ID validation. The concept mirrors two-factor authentication in cybersecurity: a single verification source can be compromised, but two independent sources are exponentially harder to fake simultaneously.
• Factor 1: SOS verification. Confirms the entity is registered, active, and in good standing at the state level. Catches dissolved entities, revoked registrations, and entities that never existed in the state's records.
• Factor 2: TIN/EIN verification. Confirms the business name matches the EIN on file with the IRS. Catches name mismatches, stolen EINs, and synthetic entities that used a legitimate EIN with a fabricated business name.
When both factors return clean results, the lender has confirmation from two independent government sources that the business name and tax identity are consistent. When either factor fails, it creates a specific, actionable signal: an SOS failure means the entity has a registration problem; a TIN failure means the entity has an identity problem. Each failure type triggers a different investigation path.
What Alternatives Exist for Automated EIN Verification?
How Do IRS Batch TIN Matching and Third-Party Services Compare?
The IRS e-Services portal is the most direct path, but the limitations of the interactive (25 max) and batch (24-48 hour delay) options make it impractical for high-volume lenders. Third-party providers bridge this gap:
• Wolters Kluwer and CSC. Enterprise compliance platforms that include TIN matching as one component of broader corporate compliance and entity management services. These platforms are designed for large financial institutions with existing compliance infrastructure, not for alternative lenders who need a lightweight API integration.
• Middesk. A KYB automation platform that bundles TIN matching with business verification, document collection, and risk assessment. Middesk's approach is broad but positions TIN verification as one feature within a larger (and more expensive) platform.[12]
• Tax1099 and TINCheck. Specialized TIN matching services focused on 1099 compliance rather than lending underwriting. These tools are optimized for accounts payable teams, not risk teams evaluating loan applications in real time.
• IRS batch program (direct). Free but limited to 100,000 lookups per submission with overnight turnaround. Suitable for periodic portfolio audits, not real-time underwriting decisions.
What Should a VP of Risk Evaluate When Choosing a TIN Verification Provider?
The critical evaluation factors for a lending workflow differ from those a compliance team would prioritize:
• Real-time response. Can the API return a result during underwriting, or does it require batch submission? For alternative lenders competing on funding speed, anything slower than synchronous response creates a bottleneck.
• IRS code granularity. Does the provider return the specific IRS response code (0, 1, 2, 3), or just pass/fail? Code 1 (TIN not issued) is a hard rejection; code 2 (name mismatch) is a conditional flag; code 3 (IRS records incomplete) requires manual follow-up. A binary pass/fail obscures these distinctions.
• Pairing with SOS data. Can TIN verification be combined with Secretary of State verification in the same workflow? Providers that offer only TIN matching force you to manage a second integration for SOS data.
• IRS system status visibility. Does the provider expose IRS system availability so your workflow can handle scheduled maintenance windows gracefully?
How Does Real-Time IRS TIN Matching Work Through an API?
For lenders who need real-time TIN verification in their underwriting workflow, Cobalt Intelligence's TIN/EIN Verification API connects directly to the IRS TIN matching system, returning results synchronously.
What Does an IRS TIN Match Response Actually Return?
The API accepts two parameters, a business name and a TIN (9 digits, no dashes), and returns the IRS match status with the specific response code.
curl --location 'https://apigateway.cobaltintelligence.com/tinVerification?tin=123456789&businessName=Acme%20Corp' \
--header 'Accept: application/json' \
--header 'x-api-key: Your_API_Key'{
"name": "ACME CORPORATION",
"tin": "123456789",
"status": "Match",
"irsCode": 0,
"irsReason": "TIN and Name combination match IRS records",
"irsServiceStatus": "Available",
"lastIRSCheckDate": "2026-01-21T14:30:00Z"
}The IRS response codes map directly to underwriting decisions:
• Code 0: TIN and name match. The business name and EIN match IRS records. Proceed with the verification workflow.
• Code 1: TIN not issued. The IRS has no record of this TIN ever being issued. This is a hard rejection signal; the applicant is using a fabricated or invalid EIN.
• Code 2: TIN issued, name does not match. The EIN exists in IRS records, but the business name does not match. Request a W-9 from the applicant and investigate further before funding.
• Code 3: TIN not matched, IRS records incomplete. The IRS cannot definitively confirm or deny the match due to incomplete records. Manual verification is required.
Each response includes the `irsServiceStatus` field, letting your workflow distinguish between "the IRS says this TIN is invalid" and "the IRS system was unavailable."
What Are the Limitations of Real-Time TIN Verification?
TIN/EIN verification is a validation tool, not a search or discovery tool. Every VP of Risk should understand these limitations:
• Validation only. You must provide both a business name and an EIN. The API cannot discover unknown EINs or search by EIN alone.
• Name control sensitivity. The IRS matches on the first four characters of the business name. Legal suffixes (LLC, Inc., Corp.) are significant. "Acme" vs. "Acme Corporation" may produce a false mismatch. Understanding IRS name control logic prevents rejecting legitimate businesses.
• No business data enrichment. Returns only match status and IRS codes, not business address, officers, or formation date. For entity data, use SOS API verification.
• IRS system availability. The IRS has maintenance windows and occasional outages. The API returns system status in every response so your workflow can handle unavailability.
How Do You Build a Two-Factor Business Identity Verification Workflow?
What Does the SOS-to-TIN Verification Sequence Look Like?
The recommended sequence runs SOS verification first, then TIN verification, because the SOS check provides the legal business name that improves TIN match accuracy:
• Step 1: SOS verification. Query the Secretary of State API with the business name and state of registration. Confirm the entity is registered and in good standing. Capture the legal business name exactly as it appears in state records.
• Step 2: TIN verification. Use the legal business name from the SOS response (not the name the applicant wrote on the application) to query the TIN/EIN Verification API. This reduces false positives from name formatting differences because the SOS-registered name is more likely to match the IRS-filed name.
• Step 3: Decision routing. Both pass = proceed to next underwriting step. SOS fails = entity registration problem. TIN fails with code 1 = invalid EIN (hard stop). TIN fails with code 2 = name mismatch (investigate). Either system unavailable = queue for retry.
This sequence takes seconds when automated through APIs, compared to 15 to 30 minutes for manual verification across both the state SOS portal and the IRS e-Services portal.
What Fraud Patterns Does Two-Factor Verification Catch That Single-Source Checks Miss?
Two-factor verification closes specific fraud vectors that neither SOS nor TIN verification can catch alone:
• Legitimate state registration, stolen EIN. A fraudster registers a new LLC (passes SOS) but uses an EIN from a dissolved business. TIN verification catches the name/EIN mismatch.
• Valid EIN, no state registration. A fraudster obtains a real EIN but never registers the entity with the state. SOS verification catches the missing registration.
• Name variation schemes. A fraudster registers "ABC Funding LLC" with the state but uses an EIN belonging to "ABC Finance Corp." TIN verification catches the name discrepancy.
• Dissolved entity reuse. An administratively dissolved entity is presented as active using the original EIN. SOS catches the dissolution; TIN verification confirms whether the entity is still associated with that EIN.
Lenders already using the Find Related Businesses feature gain a third verification layer: entity network checks reveal connected entities, while TIN verification confirms each entity's claimed tax identity. Combined with court records due diligence, an applicant with a TIN name mismatch and existing court judgments represents a materially different risk profile than a clean applicant.
What Should Your TIN Verification Checklist Look Like Before Funding?
What Are the Seven Pre-Funding TIN Checks Every Lender Should Run?
Before funding any business loan, MCA advance, or line of credit, run these TIN-related checks:
• Verify the EIN was issued. An IRS code 1 response means the TIN was never issued. This is a hard stop. No legitimate business operates with an EIN that the IRS has no record of issuing.
• Confirm the business name matches IRS records. An IRS code 0 confirms the match. Any other code requires investigation before proceeding.
• Cross-reference the SOS-registered name against the TIN-verified name. If the name on the state registration differs from the name the IRS has on file for that EIN, investigate why. Legitimate reasons include DBA filings and name amendments; illegitimate reasons include EIN theft and synthetic identity construction.
• Check the IRS system status at the time of verification. If the IRS system was unavailable during your check, the verification is incomplete. Do not treat an unavailable response as a pass. Queue the application for re-verification when the system comes back online.
• Document the IRS response code in your loan file. Every TIN verification should be recorded with the full IRS response (code, reason, timestamp, system status) in your LOS or underwriting system. This creates the audit trail that regulators and auditors expect.
• Verify the TIN format before submission. EINs must be 9 digits without dashes. SSNs used as TINs for sole proprietors follow the same format. Submitting incorrectly formatted TINs wastes API calls and delays the underwriting process.
• Run TIN verification on renewal applications, not just originals. Business names change, EINs get reassigned, and entities dissolve between funding cycles. A clean TIN check from 12 months ago does not guarantee a clean check today.
How Do You Handle IRS Code 2 (Name Mismatch) Without Killing Good Deals?
A code 2 response does not necessarily mean fraud. It means the business name you submitted does not match what the IRS has on file. Before rejecting the application, follow this triage process:
• Check for legal suffix differences. "Acme Corp" vs. "Acme Corporation" can cause a mismatch due to IRS name control logic. Re-submit with the full legal name including the correct suffix.
• Request a copy of the W-9. Ask the applicant for a completed W-9 showing the exact legal name associated with their EIN. Compare against the SOS-registered name.
• Check for DBA or name change filings. If the business changed its name with the state but not the IRS, ask for documentation (state amendment filing, IRS Form 8822-B).
• Escalate persistent mismatches. If the applicant cannot explain the discrepancy, or the W-9 name differs from both the SOS name and the application name, escalate to fraud investigation. Multiple inconsistent names across government records are a hallmark of synthetic identity fraud.
The goal is to resolve the mismatch with documentation before funding, so that your loan file contains a complete identity verification trail regardless of the outcome.
.jpg){kind=small}
.png)