Protecting Taxpayers from Identity Theft Tax Refund Fraud
Identity theft is one of the fastest growing crimes in America. It is a persistent and evolving threat, and the harm to its victims cannot be overstated. Identity thieves commit this crime by stealing personally identifiable information from limitless sources and then using that stolen information to perpetrate a number of fraudulent schemes. One such crime is filing a tax return in the name of the victim to collect a tax refund. Identity theft tax refund fraud (IDT refund fraud) places an enormous burden on the entire tax ecosystem, with the most painful and immediate impact being on the victims whose personal information is used to commit the crime and the most pervasive impact being an erosion of public confidence in our tax system.
Today’s identity thieves are a formidable enemy. They are an adaptive adversary, constantly learning and changing their tactics to circumvent the safeguards and filters put in place to stop them from committing their crimes. Some of the individuals committing IDT refund fraud include high-tech global rings who are engaged in full-scale organized criminal enterprises for stealing identities and profiting from that information. As the criminals increase in sophistication, so do the number and scope of data breaches, which serve to further expand the network and warehousing of stolen and compromised identity information, and in turn increase the potential for that stolen identity information to ultimately reverberate through the tax system.
In recent years, the Internal Revenue Service (IRS), various state revenue agencies (States) and the tax industry (Industry) have adopted strategies focused on prevention, detection and victim assistance, and these strategies have led to many notable improvements for taxpayers.
Despite these improvements, and as the 2015 tax filing season progressed, it became clear that IDT refund fraud would continue to present significant challenges. Individual taxpayers, tax professionals, tax software companies, and payroll and tax financial product providers joined a growing chorus of stakeholders concerned about the increasing volume and sophistication of attempts to monetize stolen identity information through attacks on the tax system.
In recognition of escalating challenges and the need to act quickly to prepare for the next tax filing season, IRS Commissioner John Koskinen called on leaders in the public and private sectors to come together and work collaboratively to protect taxpayers from IDT refund fraud.
On March 19, Commissioner Koskinen convened an unprecedented Security Summit meeting in Washington, D.C. with IRS officials, the chief executive officers (CEOs) of the leading tax preparation firms, software developers, payroll and tax financial product processors, and state tax administrators to discuss common challenges and ways to leverage our collective resources and efforts. The IRS organized the meeting on March 19 through the auspices of the Electronic Tax Administration Advisory Committee (ETAAC) and by working with the:
- Federation of Tax Administrators (FTA), which represents state tax authorities;
- Council for Electronic Revenue Communication Advancement (CERCA), which provides a forum and a liaison between the IRS and the tax software industry; and
- American Coalition for Taxpayer Rights (ACTR), which advocates for policies to protect taxpayers and the voluntary income tax compliance system.
The Summit participants agreed to commit their leadership and resources to work together to combat this growing problem, and to that end, the group agreed to form a public-private partnership committed to protecting the nation’s taxpayers and the tax system from IDT refund fraud. Three specialized working groups were established from the Summit, with members from the IRS, States and Industry co-chairing and serving on each group. They came together quickly to find areas of consensus and identify solutions for protecting taxpayers in 2016 and subsequent tax filing seasons.
First, the “Authentication” working group was tasked with identifying opportunities for strengthening authentication practices, including identifying new ways to validate taxpayers and tax return information, and new techniques for detecting and preventing IDT refund fraud.
Second, the “Information Sharing” working group agreed to work on identifying opportunities for sharing information that would improve our collective capabilities for detecting and preventing IDT refund fraud.
Third, the “Strategic Threat Assessment and Response” (STAR) working group was tasked with looking ahead, to enable the development of proactive, rather than reactive, initiatives and solutions to combat this crime. Specifically, the STAR team’s objective was to take a holistic look at the entire tax ecosystem, identify points of vulnerability (threats/risks) related to the detection and prevention of IDT refund fraud, develop a strategy to mitigate or prevent these risks and threats, and review best practices and frameworks used in other industries.
Over the course of a 2-month period, the three working groups met continuously, brainstormed and collaborated. There was recognition that no silver bullet exists in the fight against this crime and that adopting a multi-layered and coordinated approach is critical to protecting taxpayers and creating barriers for the thieves across the entire tax ecosystem, on both the federal and state level. The working groups’ unprecedented and rigorous collaboration resulted in the development of several recommendations that were agreed to by the Summit participants, as described in greater detail below.
Summit Working Group Recommendations
The following section summarizes the solutions collectively identified and agreed upon by the Summit participants, including those that can be implemented in time for the 2016 filing season and those with a longer implementation horizon.
Pre-Refund Authentication & IDT Refund Fraud Detection
- New Tax Return-Related Data Elements: The working groups identified over 20 data elements that can provide additional and improved capabilities for authenticating a taxpayer and tax return information to detect IDT refund fraud. Working with Industry and the States, the IRS is currently testing these new data elements to gain greater insight into their full potential, and this analysis will inform the strategy for using these data points to combat IDT tax fraud. Additional testing and refinement of these elements will occur over the next two months. Extensive public discussion of these new elements would provide a roadmap to the IDT criminals and undermine the effectiveness of these elements to protect taxpayers from IDT refund fraud. As such, this report will not provide extensive details or specifics related to these new elements.
Generally speaking, however, one or more of these new data points will, for example, flag and detect improper and repetitive use of Internet Protocol (IP) addresses and computer mechanized fraud.
- Adaptive Approaches: To be effective, these new data elements and the approaches to using them cannot remain static because the criminals are constantly developing new schemes. As such, the Summit partnership will be engaged in a continuous dialogue around these elements, and adapting and strengthening existing defenses while developing new strategies.
- Strategy: These data elements will be submitted to the IRS and States with the tax return transmission. No single element will be determinative of whether the return is that of a legitimate taxpayer or of a criminal posing as the taxpayer, but these elements will be used in conjunction with the IRS and the States’ IDT filters and algorithms to allow for stronger pre-refund authentication and for new and innovative IDT refund fraud detection. For the 2016 filing season and beyond, Industry and government will use a closely coordinated and multi-layered approach at all stages of return processing, resulting in a heightened and shared awareness of the criminals’ tactics and schemes and allowing for better safeguarding of taxpayers and the tax ecosystem.
Using Post-Filing Analytics to Detect and Prevent IDT Refund Fraud
- External Leads Process: Safeguarding taxpayers and the tax system from IDT refund fraud compels the public and the private sectors to be diligent and vigilant in detecting and preventing IDT refund fraud patterns and schemes. These schemes tend to be replicated until they no longer work, and, as such, early detection is critical. These schemes often cannot be detected by looking at a single return in isolation, but rather when a collection of returns is aggregated, the fraud pattern or scheme becomes apparent. Currently, the IRS, through its external leads program, collaborates with financial institutions, software companies, prepaid card companies and other third parties who provide valuable information about emerging identity theft trends and fraudulent returns that have been detected from analytics performed after returns have been transmitted to the IRS and States. The external leads program has yielded valuable information from those who have been voluntarily participating and has served as an effective tool in identifying and stopping IDT refund fraud schemes.
- Standardized Industry Leads Requirement: Because of the effectiveness of the voluntary external leads program, the Summit Industry participants recommended that the IRS require, as a condition of participating in e-file, that all return transmitters perform these analytics post-filing and provide, on a recurring and timely basis, anonymized and aggregated data to the IRS on IDT refund fraud patterns and indices. The IRS will provide this information to the States, who will also use it to bolster their fraud detection and prevention efforts.
- Strategy: With Industry’s support for this requirement, the IRS and States have taken steps to have this requirement in place for the 2016 filing season. The IRS and States are committed to providing timely feedback to return transmitters performing these analytics, as a way to strengthen the process and the protections through shared insight, innovation and continuous collaboration.
Tax Ecosystem Refund Fraud Information Sharing & Assessment Center (ISAC)
- ISAC Framework: ISACs have been formed and leveraged in several sectors, including financial services and aviation, to provide a secure platform for the sharing of information among and between the public and private sector members of a particular ISAC. These ISACs enable detection of patterns and risks, and provide for early warnings to the members. The Summit participants explored the merits of creating an ISAC-like threat assessment arrangement for the tax ecosystem and determined that doing so would be a logical and important extension of this public-private partnership. A tax ecosystem ISAC would allow for significant gains in detecting and preventing IDT refund fraud and would provide better data to law enforcement to investigate and prosecute identity thieves.
- Strategy: The Summit participants are continuing to pursue this concept and determine the path forward for standing up an ISAC that would provide the entire ecosystem with a threat assessment capability, and early warnings and insights about IDT refund fraud schemes through nimble and agile information sharing.
Framework for Improving Critical Infrastructure Cybersecurity
- NIST Cybersecurity Framework: The NIST cybersecurity framework consists of standards, guidelines and practices to promote the protection of critical infrastructure.
Published in early 2014, this voluntary framework was created through collaboration between industry and government, in recognition of the importance of reducing cyber risks to critical infrastructure. The framework provides for a prioritized, flexible, repeatable and cost-effective approach to help owners and operators of critical infrastructure manage risks related to cybersecurity.
- Aligning Around a Framework: The IRS and the States currently operate under the NIST 800-53 framework (applicable to government frameworks). The Summit Industry participants discussed and agreed to align under the NIST cybersecurity framework, with many of the Industry partners already operating under such a framework.
- Strategy: The IRS will work with NIST to deliver a presentation to the Summit participants on the NIST cybersecurity framework, updates and planned enhancements.
The Summit participants will determine how the elements of this risk-based framework apply across the tax ecosystem and will evaluate framework implementation, with an eye toward short-term and long-term approaches.
Identity Proofing and Trusted Source Authentication
- Identity proofing: Identity theft has placed a sharp focus on the need for a multi-level approach to verifying the identity of the person attempting to file his or her return or otherwise interact with the IRS, States or Industry. The Summit participants have discussed opportunities for identity proofing, including in-person proofing, technology enabled “remote” proofing, risk-based identity proofing and opt-in models.
- Trusted Source or Partner Authentication: The Summit participants, through the working groups, have considered a minimum baseline for Industry authentication at account creation and for account access after creation (e.g., multi-factor authentication, customer account validation via “trusted computer,” out-of-wallet questions, auto-email generation for confirmation of account changes, etc.). Along with identity proofing, there is general agreement that a multi-layered approach is critical for authenticating a taxpayer, the taxpayer’s data and the taxpayer’s return, and that the multi-layers would need to evolve as IDT refund fraud is ever changing.
- Strategy: Further work is being done to identify recommendations for best practices that can be adapted or leveraged for the tax ecosystem. The Summit participants agreed upon the criticality of a multi-layered approach to identity proofing and authentication that strikes the right balance between providing protection against threats to taxpayers and the ecosystem and enabling taxpayer access to the ecosystem and desired services.
Taxpayer Awareness, Outreach and Education
- Raising Taxpayer Awareness: The IRS, Industry and the States agreed that more can be done to inform taxpayers and raise awareness on issues related to identity theft and the protection of sensitive tax and financial data. The prevention of IDT refund fraud can be helped by taxpayers being more aware of protecting their personal information, their financial information, their tax records and their electronic devices.
- Strategy: The Summit participants widely recognize the importance of raising taxpayer awareness and agree on combining efforts to provide greater collaboration and execution of communication efforts to reach an increasingly diverse set of taxpayers across the nation. These efforts, which will begin in conjunction with the 2016 filing season, will range from tips for protecting taxpayers to sharing information about emerging threats and scams, all with a goal of providing wider communication about issues affecting IDT refund fraud. These communication efforts will be conducted at the national, state and local level and will focus on traditional media, social media and the internet.
Existing Proposals for Congressional Consideration
Congress can help in the fight against IDT refund fraud by passing several important legislative proposals in the President’s FY 2016 Budget proposal, including the following:
- Acceleration of information return (Forms W-2, 1099, etc.) filing due dates
- Extending IRS authority to require truncated SSNs on Form W-2
- Expanded access to the Directory of New Hires
- Modifying criminal tax penalties for IDT refund fraud
- Correctable error authority
- Authority to regulate tax return preparers
The public-private partnership has begun the planning for implementing the agreed-upon recommendations, including the necessary programming modifications, outreach and communications, with the intent of having these IDT refund fraud detection and prevention solutions ready for the 2016 filing season and beyond.
The public-private partnership also agreed that the IRS, States and Industry must continue to work together diligently to be nimble and adaptive, and to communicate and share information broadly to stop IDT refund fraud schemes as they are developing and prevent them from spreading across the tax ecosystem. Issues such as identity proofing and authentication are recognized as never-ending challenges that compel further collaboration among Summit participants, since identity thieves have proven to be resourceful and creative in compromising even the best multi-layered controls designed to protect against infiltration. As described above, the Summit participants identified multiple issues warranting further partnership in the months and years ahead, and have enthusiastically committed to continue to tackle these issues together as a group.
About the Participants
Through the auspices of ETAAC, the IRS was joined in this effort by representatives of state tax authorities and, through their respective associations, the industry of tax return software developers, preparers, and transmitters.
The Electronic Tax Administration Advisory Committee (ETAAC)
ETAAC provides an organized public forum under the Federal Advisory Committee Act for discussion of electronic tax administration issues in support of the overriding goal that paperless filing should be the preferred and most convenient method of filing tax and information returns. ETAAC members convey the public’s perception of the IRS electronic tax administration activities, offer constructive observations about current or proposed policies, programs, and procedures, and suggest improvements.
Federation of Tax Administrators (FTA)
FTA was organized in 1937 to improve the quality of state tax administration by providing services to state tax authorities and administrators. These services include research and information exchange, training, and intergovernmental and interstate coordination. The Federation also represents the interests of state tax administrators before federal policymakers where appropriate.
Council for Electronic Revenue Communication Advancement (CERCA)
CERCA, launched in 1994, was founded at the direct request of the Internal Revenue Service in order to provide a forum and a liaison point between the IRS and industry as well as other key stakeholders. CERCA’s board members include the following companies: Drake Software, Tax Products Group, Intuit, H&R Block, ADP, FileYourTaxes.com, Jackson Hewitt, Liberty Tax Service, Petz Enterprises, River City Bank, TaxSlayer, Thomson Reuters, and Wolters Kluwer.
American Coalition for Taxpayer Rights (ACTR)
ACTR advocates for policies to protect taxpayers and the voluntary income tax compliance system. ACTR members include the following companies: CCH Small Firm Services, H&R Block, Intuit, Jackson Hewitt, Liberty Tax Service, Refund Advantage, Republic Bank & Trust Co., Tax Products Group, TaxSlayer and TaxAct.