IRS RESPONSE TO RECOMMENDATION: The Global IDT Report contains IRS-wide IDT information, in the “Prevention & Detection” and “Victim Assistance” sections. The Return Integrity and Compliance Services (RICS) and Submission Processing (SP) identity theft cases are accounted for in the report.

Our analysis indicated there were 78,500 unreversed identity theft claim markers compared to the 178,000 identified in the report. Identity theft claim markers are placed on taxpayers accounts when the taxpayer initially contacts the IRS to report that they are a victim of identity theft. The taxpayer is advised to submit a Form 14039, Identity Theft Affidavit, to support their claim. Although the identity theft claim should be reversed if the taxpayer fails to submit their Form 14039 or other documentation to support their claim of identity theft, we have identified instances where the identity theft claim indicator was not reversed. We have submitted a programming change to correct this issue with a planned implementation date of 2019.

CORRECTIVE ACTION: N/A

TAS RESPONSE: While RICS and SP IDT cases are included in Prevention & Detection inventory shown on the Global IDT Report, we do not agree with the IRS’s assertion that the Global IDT Report includes RICS and SP cases in the Victim Assistance inventory. Per the Data Dictionary definition of Victim Assistance Inventory:

This area of the report includes the Identity Theft Victim Assistance Inventory (IDTVA). Displayed are the beginning inventory, receipts, closures, and ending inventory for each year with the last column showing the change in inventory from the current year to the prior year at the current reports point in time. The bullet at the bottom shows how many BMF receipts there were (included in the table), with a year to year comparison as well.

This definition of Victim Assistance Inventory makes it clear that it includes IDTVA inventory, but does not make mention of IDT cases worked by other functions. Certain IDT cases may be worked outside of IDTVA, such as by RICS and SP, and are eligible to receive IP PINs (which are issued to victims of tax-related IDT, so these taxpayers should be counted as such). See IRM 25.23.2.19, IMF Identity Theft Worked by Functions Outside Accounts Management IDTVA (Oct. 13, 2016). Failure to include these cases in the Global IDT Report under Victim Assistance Inventory substantially underreports the volume of IDT cases the IRS receives and resolves.

We commend the IRS for taking action to ensure that the pending IDT marker is reversed where the purported IDT victim fails to provide documentation to support the IDT claim. However, we note that the 178,000 unreversed IDT markers that TAS Research found in its data pull specifically excluded cases that had unresolved IDT markers with a pending claim (i.e., where the IRS was awaiting documentation from the taxpayer to substantiate the IDT claim). Thus, all of the unreversed open IDT markers in our data pull were claims not properly worked to conclusion, after the documentation had been received from the victim. TAS Research re-ran the query in June 2018, and although it did not find as many taxpayers with unresolved TIN issues, it still found significantly more of these cases than indicated by W&I. TAS Research is working with W&I to reconcile the discrepancy.

ADOPTED, PARTIALLY ADOPTED or NOT ADOPTED: Partially Adopted

OPEN or CLOSED: Closed

DUE DATE FOR ACTION (if left open): N/A

IRS RESPONSE TO RECOMMENDATION: ​​The IDTVA function is a centralized operation that consolidates work previously performed by different parts of the IRS, reduces the need to refer work to other functions, and limits the creation of multiple cases for one taxpayer. The result is expedited resolution of all taxpayer issues. We expanded the case assignment logic to ensure victims are assigned to an employee with the necessary skill sets to address all issues and tax years. There is one caseworker to initiate and receive correspondence if additional information is required to resolve the case. The correspondence sent when a case is closed addresses each open tax year. The IRS provides victims of identity theft with a special toll-free hotline for assistance, ensuring taxpayers can reach an IDT specialist any time during business hours, and not depend on the availability of a single IRS employee. In addition, the IRS provides a special toll-free number for the Taxpayer  Protection Program (TPP). All Customer Service Representatives staffing the IDT specialty line and the TPP toll-free line can review the taxpayer’s case file and respond accordingly. We have also established a process for providing the assigned IDTVA caseworker’s contact information.

CORRECTIVE ACTION: N/A

TAS RESPONSE: We appreciate the clarification that the customer service representatives (CSRs) staffing the toll-free IDT hotline are able to provide, upon request from the victim, the contact information for the assigned IDTVA assistor. Some taxpayers may be perfectly fine calling the IDT hotline and speaking with the first-available CSR; other taxpayers may desire to speak with one assistor throughout the resolution of their IDT case. We applaud the IRS’s decision to allow the IDT victim both options.

However, we note that there is no process in place for an IDT victim to work with a sole contact person in situations where the IDT case is worked outside of the IDTVA organization. We believe that IDT victims should be entitled to speak with a sole contact person, regardless of which function in the IRS works the IDT case.

ADOPTED, PARTIALLY ADOPTED or NOT ADOPTED: Partially Adopted

OPEN or CLOSED: Closed

DUE DATE FOR ACTION (if left open): N/A

IRS RESPONSE TO RECOMMENDATION: As identity thieves continue to become more sophisticated, the IRS has tightened its security in response to the increased threat. We are taking steps to make it harder for identity thieves to successfully masquerade as taxpayers and file fraudulent refund claims on behalf of these taxpayers. The IRS recognizes that large data breaches of personally identifiable information (PII) create difficulties and frustration for the victims and financial ecosystem. Large-scale data breaches are a reminder of the value of data for fraudulent purposes and identity theft. Over the last several years, the IRS IDT fraud filtering processes have remained effective, even in situations of large losses of PII.

The IRS uses several robust tools to assist in combating tax-related identity theft and fraud, including tools that are specific to addressing taxpayers who have been victims of a data loss of federal tax information (FTI). Data losses involving federal tax-related data can be used to file returns that appear to be coming from the true taxpayer. The IRS’ existing models and filters have been updated to address the level of sophistication used to file these fraudulent returns. We have implemented the use of Dynamic Selection Lists to allow monitoring of specific accounts of taxpayers who have been victims of an FTI data breach when the data compromised would have a direct impact on federal tax administration. This process allows the IRS to more effectively identify these suspicious returns and results in better protection for taxpayers’ federal tax accounts and increased revenue protection. While this practice can result in a higher false detection rate, it is a necessary defense to protect taxpayers affected by known incidents and to deter bad actors from continuing to exploit compromised taxpayer data.

The Taxpayer Protection Program has protected a substantial number of returns and amount of revenue. Under recently enacted legislation, the due date for filing Forms W-2, Wage and Tax Statement, and W-3, Transmittal of Wage and Tax Statements, with the Social Security Administration (SSA), and Form 1099-MISC, Miscellaneous Income, reporting nonemployee compensation to the IRS, has effectively been accelerated to January 31, beginning in calendar year 2017. Enhancements to IRS systems that allow income information received from SSA to be processed and, in turn, leveraged for systemic income and withholding verification enable the release of refunds related to validated returns quicker.;

CORRECTIVE ACTION: N/A

TAS RESPONSE: The National Taxpayer Advocate appreciates the daunting task the IRS has to protect the federal fisc from paying out improper refund claims. In no way are we implying that it is easy to stop fraudulent claims while maintaining a low false detection rate. However, we are saying that false detection rates in excess of 50 percent are unreasonably high, and that the IRS can do better.

When legitimate filers are selected by a fraud detection filter, it interrupts their lives in a significant manner. Many taxpayers rely on their tax refund dollars to fund long-awaited repairs, to pay for holiday expenses, or simply to get through the heating season. A delay in getting their refund could constitute a hardship. If a filter is stopping refunds and the IRS later learns that more than half of the refunds stopped are legitimate, then the IRS is not doing its job effectively, to the detriment of taxpayers.

The IRS mentioned the use of “Dynamic Selection Lists” to offer protection to victims of large scale data breaches. It causes us great concern that the IRS had an 85 percent false detection rate for the nearly 280,000 tax returns it selected for additional review due to a taxpayer identification number being on such a dynamic selection list.  Given the extremely high false detection rate, it is unclear whether the IRS made any adjustments to its fraud detection filter after incorporating the experience of these taxpayers.

It won’t be easy, but we believe that the IRS can and should work with data analytics firms to develop/expand/modify fraud detection models that both protect revenue and minimize impact to legitimate filers. The National Taxpayer Advocate met with one data analytics firm this spring; they currently work with tax administrators from various states and from around the world, and felt confident that it could help the IRS use sophisticated modeling to achieve this goal.

ADOPTED, PARTIALLY ADOPTED or NOT ADOPTED: Not Adopted

OPEN or CLOSED: Closed

DUE DATE FOR ACTION (if left open): N/A

IRS RESPONSE TO RECOMMENDATION: Since the IRS started issuing them in 2011, the IP PIN has been an effective tool to prevent identity theft and facilitate the detection of refund fraud before it occurs. We are currently exploring the feasibility of expanding IP PIN eligibility to all taxpayers in its current state.

CORRECTIVE ACTION: Since the IRS started issuing them in 2011, the IP PIN has been an effective tool to prevent identity theft and facilitate the detection of refund fraud before it occurs. We are currently exploring the feasibility of expanding IP PIN eligibility to all taxpayers in its current state.

TAS RESPONSE: We commend the IRS for developing, improving, and expanding the IP PIN program since its inception in 2011. We believe that it is an extremely effective method of protecting a taxpayer. We understand that there are costs associated with administering the IP PINs (including staffing phone lines to assist taxpayers who inevitably misplace their IP PINs), but we note that there are even more significant costs from the risk of refund claims being paid out to identity thieves. The National Taxpayer Advocate is encouraged that the IRS is conducting a feasibility study regarding expansion of the IP PIN program (the IRS states that it expects to complete its analysis by August 2018).

ADOPTED, PARTIALLY ADOPTED or NOT ADOPTED: Partially Adopted

OPEN or CLOSED: Closed

DUE DATE FOR ACTION (if left open): N/A

IRS RESPONSE TO RECOMMENDATION: ​​The IRS continues to take the protection of taxpayer information very seriously and look for ways to provide secure, user friendly access to taxpayer information. Although not all data breaches result in tax-related identity theft, we acknowledge that personal information is widely available to fraudsters because of data breaches at external entities. The IRS has many existing policies, procedures, and technologies across the enterprise to combat this threat and mitigate these risks. In terms of taxpayer authentication, the IRS, along with all federal agencies, must follow the National Institute of Standards and Technology (NIST) Special Publication 800-63-2, e-Authentication Guidelines, when interacting with taxpayers through web-based, online applications. The NIST guidance ensures that taxpayer data is protected according to the OMB guidelines, which provide the method for assessing risk related to online transactions so that PII and federal tax information is protected and secured. When registering for the IRS’ online services, through the Secure Access e-Authentication application, users go through multiple steps to verify their identity.

To assist individuals and businesses who may have been a victim of a data breach, the IRS publishes information regarding how to report a data loss. The IRS has also established procedures for businesses to report a data loss to their local Stakeholder Liaison and to report a Form W-2 data loss to dataloss@irs.gov.

CORRECTIVE ACTION: N/A

TAS RESPONSE: The IRS is put in a difficult position as more and more data breaches of third parties occur. There simply is so much personally-identifying taxpayer information out there for unscrupulous individuals to use to commit tax refund fraud. When the IRS is provided with a list of taxpayers who may have been potentially exposed, it has procedures in place to ensure those taxpayers receive special review. However, the IRS can do more to assist victims when a fraudulent return gets through the IRS fraud detection filters.

For example, certain companies that have learned of a large-scale data breach offer credit monitoring services to impacted individuals for X number of years. This is a “free” service to the individuals, because the company pays for it. The IRS may be able to offer IP PINs to victims of large-scale data breaches by negotiating with the company that experienced the data breach to pay a user fee covering the cost of the IRS’s administering the IP PINs. We believe this is an idea that should be explored.

ADOPTED, PARTIALLY ADOPTED or NOT ADOPTED: Partially Adopted

OPEN or CLOSED: Closed

DUE DATE FOR ACTION (if left open): N/A