CPAs Contend With Tax ID Theft

Tax-related identity theft fraud remains a widespread problem that is often difficult for victims and their tax preparers to correct, CPAs affirmed in a recent survey. For a second year, the annual tax preparation software survey conducted by The Tax Adviser and the Journal of Accountancy included questions about practitioners' experiences with tax identity theft (for other results, see "2016 Tax Software Survey"). For the 2016 tax preparation season, 59% of CPA tax practitioners said one or more of their clients were victims of tax identity theft during the year. That percentage is down slightly from the 63% of respondents who answered the question the same way in 2015.¹

Asked if clients were aware of the theft before attempting to file a 2015 tax return, almost half the respondents (1,083, or 49%) said some were and others were not. Respondents with only clients who did not previously know they had been victimized (29%) outnumbered those with only clients who did know (22%) (see Exhibit 3 below). This question showed a marked difference from 2015, when 44% of respondents said their clients were not aware of the theft beforehand.

Often, victims or their tax preparers discover the theft only when an attempt to file an income tax return fails because a return has already been filed for the tax year using that Social Security number (SSN). One of a CPA's first tasks then is delivering the unwelcome news to the client, who may then need to take additional measures to secure other financial accounts besides those needed to clear the taxpayer account. In the process, besides having to meet IRS administrative hurdles, CPAs often must manage clients' understandably distraught reactions in ways that may test their own relational skills.²

Difficulty Resolving the Problem

In percentages little changed from last year, the 2016 survey found most CPAs had some difficulty resolving clients' tax identity theft issues with the IRS. Given a five-point scale, with 1 being very difficult and 5 being very easy, the average was 2.7. Forty percent called the process difficult or very difficult, while more than one-third of respondents rated the effort a 3. Twenty-five percent rated it easy or very easy (see Exhibit 4 below).

IRS Changes

The IRS identified tax-related identity theft as No. 1 this year on its annual list of "dirty dozen" tax scams,³ but stopping fraudulent refunds based on identity theft is a problem the Service has long struggled with, and last year it suffered a major breach when its Get Transcript service was hacked by criminals. The IRS has implemented various screening programs to identify tax returns that involve identity theft and has implemented a process to limit the number of deposits it will make to a single bank account, but the Treasury Inspector General for Tax Administration (TIGTA) reported in December 2015 that the Service continues to struggle with identifying fraudulent returns.⁴ In her 2015 report to Congress, Nina Olson, the national taxpayer advocate, reported that the IRS had 600,000 tax identity theft cases in its inventory at the end of September 2015, a 150% increase from September 2014.⁵ She has been raising concerns about the IRS's ability to resolve tax identity theft cases since 2004.

In 2012, the IRS created 20 specialized identity theft units within the agency;⁶ then in 2015 it centralized its tax identity theft victim assistance units within its Wage and Investment division.⁷ The agency has also been participating in a "Security Summit" initiative with state tax administrators and tax software companies to try to improve security for taxpayers. The coalition is focusing on authentication, information sharing, and cybersecurity.

In June, the Service announced it had deployed a new, more secure version of its online Get Transcript service, employing a so-called double-authentication process that it said will be a template for taxpayer access to additional services in the future. Access to Get Transcript, which provides copies of taxpayers' tax transcripts, formerly required submission of an SSN and other personally identifiable information in a single-step "knowledge-based" authentication of the taxpayer's identity. That level of security was breached by criminals, the IRS announced in May 2015 as it shut down the service and investigated. The IRS ultimately identified approximately 724,000 taxpayer accounts that had been hacked. In its own investigation, TIGTA criticized the IRS's handling of the breach, saying, among other things, that the IRS had originally undercounted potential victims by nearly 621,000.

In its new incarnation, Get Transcript requires users to first register by providing an email address, a financial account number, and the number of a mobile phone with their name on the account. Along with a confirmation code users then receive by email, they can enter their taxpayer personal information and the filing status from their most recent tax return to obtain a transcript.  

Footnotes

¹Bonner, "2015 Tax Software Survey," 46 The Tax Adviser 598 (August 2015).

²See Benibo, Chambers, and Thorne, "Breaking Bad News to Victims of Identity Theft: Lessons From Medical Doctors," 222-2 Journal of Accountancy 30 (August 2016).

³IRS News Release IR-2016-28.

⁴TIGTA, Continued Refinement of the Return Review Program Identity Theft Detection Models Is Needed to Increase Detection (Rep't No. 2016-40-008) (Dec. 11, 2015).

⁵National Taxpayer Advocate, 2015 Annual Report to Congress, p. 182.

⁶National Taxpayer Advocate, 2012 Annual Report to Congress, pp. 45-46.

⁷National Taxpayer Advocate, 2015 Annual Report to Congress, p. 180.