Business identity theft poses continuing challenges

Editor: James Sansone, CPA

Business identity theft patterns are constantly evolving, and the IRS has been expanding its efforts to combat the problem. The IRS broadly defines business identity theft as creating, using, or attempting to use a business's identifying information, without authority, to obtain tax benefits. The Treasury Inspector General for Tax Administration (TIGTA) said in a 2015 report that the IRS needed to improve its procedures for detecting and preventing business identity theft (see TIGTA Rep't No. 2015-40-082). In response, the IRS increased the number of identity theft detection filters it uses and updated Internal Revenue Manual (IRM) Section 25.23, Identity Protection and Victim Assistance.

Although the IRS's detection results improved for calendar year 2017, TIGTA concluded in a follow-up audit of the IRS's business identity theft procedures that a significant number of returns should have been screened for business identity theft but were not and that 23% of cases were not accurately processed (see TIGTA Rep't No. 2018-40-061). Since then, the IRS has further revised its procedures for detecting and preventing business identity theft. TIGTA continues to view identity theft as a threat to tax administration.

Reporting business identity theft differs from initiating an individual identity theft report. Individuals who suspect identity theft can complete a Form 14039, Identity Theft Affidavit, and send it to the address or fax number provided at the bottom of the form. They also can call a dedicated IRS phone line, 800-908-4490, if they have previously contacted the IRS about identity theft and have not achieved a resolution (more information is available at the IRS's "Taxpayer Guide to Identity Theft" webpage at irs.gov.

On the other hand, a business that suspects identity theft does not initially report the matter using a Form 14039 (or even a Form 14039-B, Business Identity Theft Affidavit, which is used for a different purpose). Business taxpayers are often "unaware their identities have been compromised until a notice or bill from the IRS is received," the IRS says (IRM §25.23.9.2(4)). Thus, a business taxpayer is frequently reacting to such a notice or bill by contacting the Service to ask to have the event considered as a possible identity theft.

A common type of tax-related identity theft is a fraudulent business return filed to receive refundable credits or to help perpetuate individual identity theft. The scheme may involve Form 1120, U.S. Corporation Income Tax Return; Form 1120S, U.S. Income Tax Return for an S Corporation; Form 1041, U.S. Income Tax Return for Estates and Trusts; and Form 1065, U.S. Return of Partnership Income, as well as Schedule K-1. As the IRS states, a business taxpayer may not even be aware that its identity has been compromised. The Service's "Tax Practitioner Guide to Business Identity Theft" (available at www.irs.gov tells practitioners to have the business respond to any notices immediately and contact the IRS "using the contact information on the notice or letter" if the business believes its employer identification number (EIN) has been used fraudulently.

Some notice-related­indicatorsinclude:

• The business receives an IRS notice about fictitious employees;
• The business receives an IRS notice regarding a defunct, closed, or dormant business after all account balances have been paid;
• The business receives an unexpected notice of a tax bill;
• The business receives information from the IRS it did not request; or
• The business receives an unexpected rejection or deficiency notice.

It is important to note that in these situations, the IRS is not contacting the business taxpayer because the IRS believes that there is fraudulent activity. Rather, the business may receive these notices and conclude something is suspicious, and the burden is on the business to contact the IRS to report a possible identity theft based upon the perceived suspicious notice. The notice will likely contain a general IRS phone number and address, which means the first step in reporting a possible business identity theft event could require some patience or telephone time on hold.

In addition to a notice-related indication of identity theft, a business taxpayer may independently discover suspicious activity without the benefit of an IRS notice containing a contact phone number and address.

Some non-notice indicators include:

• An extension-to-file request is rejected because a return with the EIN is already on file;
• An e-filed return is rejected because a return with a duplicate EIN is already on file;
• A tax transcript is received unexpectedly; or
• Expected and routine correspondence is not received.

If a business taxpayer has not received a notice from the IRS, one method of reporting suspected identity theft is for a representative of the company to call the Service's business accounts line, 800-829-0115. If the business has hired a practitioner to represent it, the practitioner can call the Practitioner Priority Service line and ask to be transferred to the correct department to discuss the taxpayer's issue and initiate an identity theft inquiry.

Another method of reporting business identity theft is to contact the Taxpayer Advocate Service (TAS). Completing and filing Form 911, Request for Taxpayer Advocate Service Assistance, with the business's local TAS office will notify the TAS of the taxpayer's issue. If the TAS accepts the case, it can refer the case to the IRS for an identity theft investigation. The TAS has offices in every state, the District of Columbia, and Puerto Rico. Call TAS at 877-777-4778 or visit taxpayeradvocate.irs.gov/contact-us for more contact information.

Generally speaking, a business taxpayer should not file a Form 14039, Identity Theft Affidavit, as in individual identity theft cases. If the IRS believes there may be identity theft based on its preliminary investigation but needs more evidence to reach a definite conclusion, it will send a Form 14039-B, Business Identity Theft Affidavit, to the business taxpayer to request additional information and documents vital to making an identity theft determination (IRM §25.23.9.7).

When a business taxpayer either reports suspected identity theft to the IRS as explained above or the IRS system detects and flags a filing due to indicators of possible identity theft, the IRS will not automatically code the case for identity theft. Instead the IRS must perform "extensive research" to make an ID theft determination (IRM §25.23.9.2(1)). In the case of an IRS-detected event, the Service will send a letter to the business taxpayer attempting to gather and verify information.

IRS-detected business identity theft

The IRS's Integrity and Verification Operation unit may flag a return for review. This unit screens potentially fraudulent tax returns to prevent improper refunds from being issued. If a return is flagged, the IRS will not post the return to the taxpayer's account. Instead, the IRS may issue a Letter 6042C, Entity Verification for Business, to the taxpayer to verify the taxpayer's identity or the validity of the return. Letter 6042C generally states that the IRS received the taxpayer's federal income tax return but needs additional information to process it. The letter asks a number of questions including the entity's EIN, any associated EINs for the entity, when the EIN was obtained, the taxpayer identification number for the principal owner, the entity's status, and any addresses associated with the entity in the past five years. The letter also inquires about the taxpayer's employees and the number of information returns filed under the entity's EIN.

The IRS warns that if the taxpayer does not timely respond to the letter with the requested information, it will not process the return. In that event, the taxpayer may receive notices of nonfiling (even if its return was validly filed), not receive refunds, or, if applicable, not have overpayments applied to the next year's estimated tax. If a return is not validated within a year, the IRS will delete the return (IRM §25.1.3.2.2(4)). If the IRS suspects that the entity itself is fraudulent, it may issue Letter 5263C, Entity Fabrication. A business taxpayer should respond to the letter as quickly and accurately as possible. (For more information, visit the IRS's "Understanding Your Letter 5263C, 6042C, or 6217C" webpage at www.irs.gov.)

Taxpayer-reported business identity theft

If a business taxpayer calls the IRS to report a suspected identity theft, the IRS employee is required to ask several questions to determine the facts surrounding the identity theft. Often, business filings may have false indications of identity theft due to a change in entity status, the creation or assignment of a second EIN, mixed entity issues where the EIN of another entity is inadvertently included on a return, the sale of a business, or because a former payroll company or practitioner continued to file for the business.

After investigating the matter, the IRS will send the business taxpayer a Form 14039-B, Business Identity Theft Affidavit, if the information provided by the taxpayer tends to show the potential for business identity theft but the IRS has been unable to reach a definite conclusion from its own research and needs further information from the taxpayer. When a completed Form 14039-B is received, the case must be moved into the identity theft workstream immediately. The IRS will notify the business taxpayer by sending an acknowledgment within 30 days that it received the Form 14039-B (IRM §25.23.9.4(1)). Unlike the affidavit used by individual taxpayers (Form 14039), Form 14039-B is not available to taxpayers online, and it can only be provided to a business taxpayer by the IRS after an initial report (IRM §25.23.9.7).

Additional processing

If, after research is completed, identity theft is confirmed or the IRS determines that "there is a high probability of ID theft," the IRS will code the business account with identity theft indicators (IRM §25.23.9.2(1)). The IRS may internally refer the case to various other units to be worked. The case will move into the identity theft treatment workstream, along with all research and information gathered from the taxpayer. The IRS will also issue to the business taxpayer a Letter 5064C, Identity Theft In-Process Letter. Identity theft cases are given priority, but if a case cannot be completed within the number of days specified in the acknowledgment letter, then the IRS will send an additional Letter 5064C in the interim. The interim Letter 5064C must include the approximate number of days it will take to resolve the taxpayer's account. Once a case is initiated, a business taxpayer should allow 180 days for resolution.

It is important to note that if a taxpayer fails to respond to IRS requests for information during the investigation, the identity theft case will be closed. However, the reviewing unit must attempt to contact the taxpayer by telephone no less than two times, and issue a Letter 5064C, to request the additional information before beginning closing procedures.

The agent handling a business identity theft case must perform a case closure analysis before closing the case. The analysis includes:

• Reviewing prior years (minimum of three) and subsequent years for any sign of unresolved identity theft;
• Releasing notice or enforcement holds as appropriate;
• Ensuring the business received the appropriate refund if one is due;
• Verifying and, if necessary, updating the taxpayer's address;
• Closing down fabricated EINs, and if the EIN is inactive, deleting filing requirements; and
• Sending a closing letter to the taxpayer (see IRM §25.23.9.6.3(1)).

The agent must issue Letter 4674C, Identity Theft Post-Adjustment Victim Notification Letter, to the taxpayer informing it of the outcome of the business identity theft claim.

If the IRS determines that there was no identity theft after reviewing all the information, or if the taxpayer failed to respond to requests for information, the Service will reverse the identity theft indicator codes on the account. If the taxpayer disagrees, the taxpayer must request reconsideration before the case may be referred to Appeals. The examiner must review all the evidence provided by the taxpayer before the case is referred to Appeals (see IRM §25.23.10.7.2).

A victim of identity theft may request a new EIN, but the IRS will issue one only if the identity theft had a federal tax administration impact, such as where the identity thief filed a fraudulent return under the original EIN (including amended returns) or submitted fraudulent income documents. To obtain a new EIN, the taxpayer must fill out a new Form SS-4, Application for Employer Identification Number, attach a completed Form 14039-B, and mail these forms to a specified service center address. When the forms are received, a new EIN will be assigned and then merged with the old number, and notification will be sent to the taxpayer. If a taxpayer wants a new EIN in the absence of a tax impact, the taxpayer must shut down the current business operations, file final returns, and submit a new Form SS-4 (IRM §25.23.9.9.7). Alternatively, the IRS may lock an account for identity theft when the EIN is fabricated or when a business no longer has any federal filing requirements (IRM §25.23.9.6.4).

Businesses that are confirmed or potential victims of identity theft can also request a copy of the related tax return and income documents, and the IRS will honor the request under specific circumstances. The Service will redact the copy to protect the personal information of the alleged identity thief, such as addresses and bank account numbers. The copy will disclose only the information that applies to the true taxpayer and that can be used to determine tax liability (IRM §25.23.9.10).

A business taxpayer may experience the consequences of identity theft in many ways. The business might not even suspect it has become a victim until it receives an IRS notice that does not make sense or notices other suspicious events. The identity theft may or may not be tax-related. The steps outlined above for detecting and reporting identity theft and understanding how the IRS processes a business identity theft case should help business taxpayers better navigate this evolving area of IRS procedures.