In this article, Brown and Tucker discuss the IRS's most recent efforts to combat tax-related identity theft.
Copyright 2016 Kevin Brown and
All rights reserved.
* * * * *
Tax-related identity theft is a complicated and widespread problem for millions of individual and business taxpayers and for the IRS. It usually involves the unauthorized use of a taxpayer's personal or business information to fraudulently claim a tax refund. Most taxpayers are unaware that they are victims until they receive notice from the IRS or another federal or state agency.
Individual taxpayers are the most common target of tax-related identity theft, but business taxpayers are also at significant risk because identity thieves will steal employee information and other sensitive business information, such as employer identification numbers, either to file fraudulent business returns or to generate fraudulent individual income tax refunds by reporting false income and withholding on fictitious Forms W-2.
Fighting identity theft is increasingly challenging for the IRS, as thieves continue to develop more sophisticated ways of stealing personal and business information through a variety of data breaches and database intrusions targeting both the public and private sectors. Recent high-profile data security breaches involving the theft of hundreds of millions of customer payment cards, the breach of federal employee employment records, and other successful cyberattacks further illustrate the high-stakes business risks associated with cybercrime.
Identity theft cases are among the most complex for the IRS to handle, but even during times of budget constraints, the agency has looked for creative ways to improve its efforts on detection and prevention, provide assistance to victims, and successfully pursue criminal investigations.
B. IRS Detection and Prevention Efforts
1. Security Summit Initiative. The most collaborative effort to address tax-related identity theft is the Security Summit Initiative, a partnership between the IRS, state tax administrators, and the tax industry, including tax return preparation firms, tax software vendors, and payroll and tax financial product processors. This public-private partnership was launched in March 2015 to establish new safeguards to protect taxpayer information and the integrity of federal and state tax systems.1
Key initiatives for the 2016 filing season include:
- Taxpayer authentication. The tax industry is sharing with the IRS and state tax administrators more than 20 new data elements captured at the time tax returns are filed to help authenticate taxpayers, validate tax return information, and detect identity theft refund fraud.
- Fraud identification. The entire tax industry (previously a portion of the industry) is sharing with the IRS and state tax administrators aggregated information of suspected identity fraud and analytics to identify fraud schemes and locate indicators of fraud patterns.
- Information assessment. The IRS, state tax administrators, and the tax industry are looking to establish a formalized Refund Fraud Information Sharing and Assessment Center to more aggressively and efficiently share information between the public and private sectors to help stop the proliferation of fraud schemes and reduce the risk to taxpayers.
- Cybersecurity framework. The tax industry (now including all software companies) is aligning with the IRS and state tax administrators under the high standards of the National Institute of Standards and Technology cybersecurity framework to promote the protection of the tax-related information technology infrastructure.
- Taxpayer awareness and communication. The IRS, state tax administrators, and the tax industry created the "Taxes. Security. Together." campaign to raise awareness among taxpayers regarding the protection of sensitive personal, tax, and financial data.
2. Security requirements for tax software accounts. Private sector tax software vendors have implemented new security requirements to protect taxpayers using tax software accounts to prepare their tax returns. The new protections -- intended to ensure that only authenticated taxpayers can access their accounts -- include eight-digit alphanumeric passwords, security questions, lockout features, and methods to verify email addresses associated with the accounts.
3. Form W-2 anti-fraud initiatives. Each filing season, the IRS receives millions of returns from individuals requesting refunds based on wages and tax withholding reported on Forms W-2. The agency, however, does not receive the Form W-2 information from the Social Security Administration (SSA) until well after the peak filing season; as a result, it does not have real-time Form W-2 information during the period most returns are processed. Identity thieves routinely exploit this information gap by filing fraudulent refund claims early in the filing season using false income documents from authentic employers.
The IRS recently announced that 15 payroll service providers have sent the IRS copies of Forms W-2 for approximately 750,000 employers (more than 10 percent of U.S. employers) under an anti-fraud initiative that includes approximately 21 million Forms W-2. This initiative is designed to enhance the agency's ability to quickly detect fraudulent individual tax returns filed with stolen Forms W-2 and to protect legitimate Form W-2 recipients from becoming victims. This new partnership with payroll service providers further supplements an existing, more limited IRS fraud prevention program in which the IRS asked several large employers to voluntarily provide employee payroll records early in the filing season to enhance Form W-2 validation.
The Protecting Americans From Tax Hikes Act , enacted at the end of 2015, accelerates the due date for filing Forms W-2 with the SSA to January 31, effective for Forms W-2 filed in 2017 regarding wages paid in 2016. The new January 31 due date for Forms W-2 will make information available to the IRS sooner, thereby reducing the risk that fraudulent tax returns and refund claims will be processed.
4. Identity theft data models and filters. The IRS continues to increase the number and effectiveness of the identity theft data models and filters it uses to identify potentially fraudulent returns. The agency reports that these pre-refund filters prevent the processing of the vast majority of fraudulent returns. The IRS rejected or suspended the processing of 4.8 million suspicious returns and stopped 1.4 million identity theft returns, totaling $8 billion in fraudulent refunds, for calendar year 2015.2
5. Return Review Program (RRP). The RRP, the new IRS system to detect electronic identity theft returns, was pilot tested in 2014 and 2015. The IRS intends for the RRP to eventually replace the legacy systems it currently uses to detect identity theft.
The 2014 RRP pilot had positive results, detecting 25 percent more fraudulent returns than the existing systems, and so the IRS increased the number of returns RRP processed in 2015. However, a Treasury Inspector General for Tax Administration analysis of the 2015 results found that the RRP failed to detect a significant number of fraudulent returns that the current legacy systems discovered.3 According to the IRS, the detection gaps were a result of the RRP's selection models not having been fully implemented and the program being designed to detect newer identity theft schemes rather than older ones more easily detected by the systems already in place. The IRS is working to ensure that the RRP will detect identity theft as effectively as existing systems before it is fully implemented.
6. Limited number of direct deposit refunds. Several years ago, the IRS discovered identity theft patterns by noticing that thousands of tax refunds would sometimes be routed or deposited into a single bank account. The IRS response to this fraud was to set a limit of no more than three direct deposit refunds that could be deposited to a single financial account or prepaid debit card. Fourth and subsequent valid refunds must be mailed in the form of paper checks to the taxpayer.
C. Victim Assistance Efforts
1. New identity theft assistance organization and funding. The IRS recently consolidated most of its identity theft victim assistance efforts into a newly created identity theft victim assistance organization, which it operates in conjunction with its prevention and remediation efforts. The IRS hopes the organization will enhance its ability to provide consistent treatment of identity theft cases and to reduce the significant backlog in resolving them. Nonetheless, reports of taxpayer frustration with the time it takes to resolve identity theft cases continue. The current IRS budget includes additional funding earmarked to enhance identity theft detection and assistance.
2. Identity protection personal identification number (IP PIN) program. The identity theft victim assistance organization is also managing the IP PIN program, the IRS's main tool for protecting taxpayers against ongoing identity theft. The agency annually assigns an IP PIN to victims of identity theft who confirm their information with the agency and whose cases have been resolved. Primary and secondary taxpayers and their dependents enter the unique, six-digit identifier on their federal income tax returns to avoid delays in the filing of their returns and the receipt of their refunds.
The IRS has issued 1.5 million IP PINs and is offering the opportunity to opt into the IP PIN program to approximately 1.7 million taxpayers whom the agency has identified as having been potentially affected by identity theft. The IRS will continue allowing taxpayers who filed returns from Florida, Georgia, and the District of Columbia to opt into the program as those jurisdictions have among the highest incidence of identity theft in the country. The debate continues regarding the potential benefits and costs of expanding IP PINs to all taxpayers.
The IRS recently enhanced the IP PIN program by implementing an online process through its website that allows taxpayers who have lost or forgotten their IP PIN to create an account and retrieve it online.
3. Specific identity protection services not subject to income inclusion. Employers and other organizations frequently provide free identity protection services to individuals whose personal information may have been compromised in connection with a data breach involving the employer or another organization's record-keeping systems. The IRS reaffirmed in Announcement 2016-24 its position in Announcement 2015-225 that it will not include the value of identity protection services in an individual's gross income. Announcement 2016-2 expands this noninclusion treatment to cover the value of identity protection services provided to individuals in anticipation of a potential data breach.
D. Criminal Investigatory Efforts
Identity theft topped the fiscal 2015 list of investigative priorities for the IRS Criminal Investigation division, the IRS arm authorized to investigate potential criminal violations of the IRC. CI reported that it initiated 776 identity-theft-related investigations, resulting in 774 sentencings, for fiscal 2015.6 CI continues to be active in more than 70 multi-regional task forces or working groups including state, local, and federal law enforcement agencies.
The Identity Theft Clearinghouse (ITC) continues to develop and refer identity theft refund fraud schemes to CI field offices for investigation. ITC has received more than 10,750 individual identity theft leads involving 1.72 million returns with more than $11.4 billion in refund claims since its inception in fiscal 2012.7
The nationwide Law Enforcement Assistance Program (LEAP) provides for the consensual disclosure of federal tax return information associated with the accounts of known and suspected identity theft victims. More than 1,100 state and local law enforcement agencies from 48 states participate in LEAP.8
E. Continuing Challenges
The IRS has made substantial progress in its efforts to combat identity theft, but significant challenges remain as identity thieves employ new strategies to obtain sensitive information. The agency stated in February 2016 that identity thieves successfully used automated software to attack its systems in an attempt to generate e-file PINs to use with Social Security numbers stolen from other sources to electronically file fraudulent returns and refund claims. The IRS reported that 101,000 of the 464,000 unauthorized attempts were successful.9 The agency also stated in recent congressional testimony that aging computer systems, many placed in service in the early 1960s, are vulnerable to escalating cyberattacks and that additional funding is needed to shore up their ability to fend off these attacks.
The IRS has implemented many new strategies to fight identity theft, but this most recent attack is another example of the ever-evolving and increasingly sophisticated means identity thieves are using to attack IRS systems. The latest incident should be a warning for all individual and business taxpayers, including the largest corporations, about the importance of protecting sensitive information, as individual SSNs and business EINs are critical components that identity thieves use to unlock IRS systems and commit refund fraud.
3 TIGTA, "Continued Refinement of the Return Review Program Identity Theft Detection Models Is Needed to Increase Detection" (Dec. 11, 2015) .
4 2016-3 IRB 283.
5 2015-35 IRB 288.
6 CI, "IRS-CI Fiscal Year 2015 Annual Business Report" (Dec. 2015) .
9 IRS statement (Feb. 2016).
END OF FOOTNOTES
About Tax Analysts
Tax Analysts is an influential provider of tax news and analysis for the global community. Over 150,000 tax professionals in law and accounting firms, corporations, and government agencies rely on Tax Analysts' federal, state, and international content daily. Key products include Tax Notes, Tax Notes Today, State Tax Notes, State Tax Today, Tax Notes International, and Worldwide Tax Daily. Founded in 1970 as a nonprofit organization, Tax Analysts has the industry's largest tax-dedicated correspondent staff, with more than 250 domestic and international correspondents. For more information, visit our home page.
For reprint permission or other information, contact email@example.com