It seems that rarely a week goes by without news of another data breach. In February, Anthem, then the nation's second-largest health insurance provider, announced that hackers broke into databases containing personal information on 80 million customers and employees; in July, the federal Office of Personnel Management reported that 21.5 million individuals' sensitive information, including Social Security numbers, was stolen; and, possibly most disturbing, this spring the IRS Get Transcript Application was hacked, and approximately 334,000 taxpayers' data were stolen. While it is unknown how many of these data breaches result in actual identity thefts, it is safe to say that the number of incidents is increasing.
According to a U.S. Government Accountability Office report (GAO-14-633), in 2013, the IRS paid out an estimated $5.2 billion in fraudulent refunds, while preventing $24.2 billion in payouts of fraudulent refunds; in a 2015 survey by The Tax Adviser and the Journal of Accountancy, 63% of CPAs reported at least one of their clients was a victim of tax identity theft during the 2015 filing season.
For the first time, the author's practice had two clients whose returns were rejected because returns had previously been filed using their Social Security numbers. While this is not a large number, it does bring additional stress into an already stressful time and requires the preparer to assist clients in managing and resolving the issue. Clients typically do not understand how this "could have happened" to them and why it is taking so long to resolve.
It is important to understand that, while no silver bullet can stop all identity theft tax refund fraud, a number of steps can be taken to minimize the opportunities for identity thieves to be successful. For example, this past filing season, the IRS began limiting the number of refunds that can be deposited into the same bank account. While this is a small step, it does make it harder for criminals to receive multiple refunds. However, today's identity thieves are formidable foes for the IRS. They are constantly adapting and changing their tactics to stay one step ahead of the safeguards and filters put into place by the IRS.
The AICPA has been supportive of and advocated for a number of proposals to help the IRS fight identity theft tax refund fraud, including:
- Using truncated Social Security numbers on Form W-2, Wage and Tax Statement, and all types of tax forms and returns provided to a client, employee, or other recipient.
- Granting the IRS access to the National Directory of New Hires database for the sole purpose of identifying and preventing fraudulent tax return filings and claims for refund.
- Expanding the identity protection personal identification number (IP PIN) program. Allowing more taxpayers to obtain an IP PIN, not just those who have already had fraudulent returns filed, would let them be proactive in protecting their tax filings instead of being reactive after their tax identification number has been stolen.
- Accelerating due dates for filing Forms W-2 and 1099 and requiring the Social Security Administration to immediately transmit Form W-2 information to the IRS upon receiving it. Accelerating the forms' due dates should increase the likelihood that the IRS can properly match the reported information with amounts reported on tax returns, thereby reducing the risk of identity theft and fraudulent refunds' being issued.
- Creating criminal penalties for misappropriating a taxpayer's identity in connection with tax fraud. This proposal would make it a felony under the Code for a person to use a stolen identity to file a tax return.
In June, the IRS announced a collaborative effort with tax preparation and software firms, payroll and tax financial product processors, and state tax administrators to fight identity theft tax refund fraud. While many of the details of the proposals are intentionally not being disclosed to prevent criminals from adapting their processes to the changes, the IRS did announce these initiatives:
- Taxpayer authentication: New data elements will be submitted to the IRS and states with the tax return transmission for the 2016 filing season. Uses of the data elements include, but are not limited to, reviewing the transmission of the tax return for improper or repetitive use of an Internet Protocol (IP) address, which is the internet address from which the return originates; reviewing computer device identification data from the return's origin; reviewing the time it takes to complete a tax return so computer-mechanized fraud can be detected; and capturing metadata in the computer transaction that allows review for identity-theft-related fraud.
- Fraud identification: The groups agreed to expand sharing of fraud leads. For the first time, the entire tax software industry will share aggregated analytical information about their filings with the IRS to help identify fraud. This post-return filing process has produced valuable fraud information because trends are easier to identify with aggregated data. This expanded effort will ensure a level playing field so everyone approaches fraud from the same perspective, making it more difficult to engage in tax fraud.
- Information assessment: The groups will establish a formalized Refund Fraud Information Sharing and Assessment Center to more aggressively and efficiently share information between the public and private sectors to help stop the proliferation of fraud schemes and reduce the risk to taxpayers. According to the IRS, this will help in many ways, including providing better data to law enforcement to improve the ability to investigate and prosecute identity thieves.
- Cybersecurity framework: Participants in the tax industry agreed to align with the IRS and states under the National Institute of Standards and Technology cybersecurity framework to promote the protection of information technology.
- Taxpayer awareness and communication: The IRS, the tax software industry, and states agreed to do more to inform taxpayers and raise awareness about the protection of sensitive personal, tax, and financial data to help prevent fraud and identity theft. While these efforts have already begun, they will increase during the 2016 filing season.
These collaborative efforts, however, do not come without some concerns, particularly in the area of taxpayer authentication. While it is understandable that the IRS is not disclosing the particular data elements to be used in taxpayer authentication (to prevent the ID thieves from adapting their processes), the lack of detail raises concerns about how the new authentication will affect the preparation of income tax returns. Will preparers need to input additional information to verify taxpayers' identity? How will the need for additional authentication affect CPAs' relationships with long-standing clients? And will the authentication steps slow down processing of tax returns (and refunds)? The AICPA is always ready and willing to provide insights from those on the front lines (i.e., its members) to assist the IRS in developing a process that works for taxpayers, preparers, and the tax system.
Jeffrey Porter is the founder and owner of Porter & Associates in Huntington, W.Va. He is also immediate past chair of the AICPA Tax Executive Committee and chair of the AICPA Tax Reform Task Force.