Identity theft protection company LifeLock is reaching out to the Internal Revenue Service and offering technology to protect taxpayers against the threat of tax fraud.
Congress has been holding hearings to investigate the growing trend of identity thieves stealing personal information such as Social Security numbers and using it to claim tax refund money ahead of the actual taxpayers (see IRS and Social Security Urged to Curb Tax Fraud and Identity Theft). The IRS, under growing pressure from law enforcement authorities and the public, installed identity theft filters early this year and participated in a law enforcement sweep that netted over 100 people across 23 states (see IRS and DOJ Bust Identity Thieves Across U.S.)
LifeLock CEO Todd Davis said in an interview Thursday that his company has offered its identity theft protection technology to the IRS. He believes he could integrate the Tempe, Ariz.-based company’s technology with the IRS’s electronic filing system without delaying the tax filing process, while providing the IRS with a score that would indicate whether the tax refund claim has a low, medium or high risk of fraud, similar to the scores the company already provides to mobile phone service providers, banks and other customers.
Davis has seen the growing incidence of identity theft-related tax fraud firsthand.
“Unfortunately we’re seeing it grow within our own customer base,” he said. “People sign up for LifeLock, and we try to put a front line of defense in place. But there’s really no mechanism today that stops tax fraud or identity theft used for filing taxes because the IRS isn’t set up to authenticate a W-2 or even authenticate a tax return when it gets sent in, and the criminals have really begun to figure that out.”
Davis cited statistics from the Federal Trade Commission that found 27 percent of the identity theft complaints reported last year were related to government document fraud, such as criminals trying to get tax refunds or government benefits.
“The criminals try to go to the path of least resistance,” he said. “They know that these government entities are set up to accept a tax return and process it. They make it easy to quickly beat the system by setting up basically a gift card for a direct deposit, so they don’t have a [demand deposit] account and it’s not traceable.”
The identity thief then pretends to be a particular taxpayer, makes up a W-2 showing earnings of a few thousand dollars, and then files a tax return in a taxpayer’s name in February instructing the IRS to directly deposit the tax refund to the prepaid debit card. “Last year the IRS identified 582,000 taxpayers who were victims of identity theft,” said Davis. “That’s more than double the amount from three years prior.”
The IRS receives what appears to be a valid tax return, showing an appropriate Social Security number and a W-2, but rarely checks whether the tax return is coming from a valid source. “Within days they’re processing it and the tax refund is sent out,” said Davis. “Now when you send in your actual tax return, probably closer to March or even early April, it gets flagged and rejected because they already have one on file for you. And you have to now go and work to prove that the first one really wasn’t you. The IRS isn’t really set up well to handle over half a million victims of identity theft. Those billions of dollars are already gone. They have been put on prepaid debit cards and they’re long gone.”
Fixing a Broken System
Davis believes the system is broken for government agencies like the IRS and they need to put in place systems like the private sector already has. “We have the ability to do authentication,” he said. “You see it with your credit card. When they see something outside the norm that doesn’t look right, they want you to contact them. They say, ‘Hey, we see something weird. Can you confirm this?’ Similarly with LifeLock, our members get an alert. If we see someone is trying to get a new iPhone, put in a change of address form, get a new credit card, or open a new checking account, we just want to confirm that with you. We authenticate that before the transaction goes through and the damage is done.”
Davis believes that by working with the private sector, government agencies like the IRS can address the problem of identity theft.
“Companies like ours can immediately help them authenticate tax returns and filings,” said Davis. “Basically you’re triangulating. You’re looking at multiple data points other than the fact that they have a valid Social Security number. There are multiple places in this process we can authenticate. We can flag the ones that need more attention. We can use technology to vet those and then we can apply the resources that are currently spent trying to help 582,000 taxpayers who were victims. We do that pre-emptively on the front end vetting and authenticating, adding a bit of friction to a smaller percent of the filings themselves so that we eliminate the identity theft and the mess that we have to clean up on the back end before it ever happens.”
The IRS asked Congress to make legislative changes to restrict access to the Death Master File distributed by the Social Security Administration with information about the deceased, and allow the IRS to access the New Hires Database of people who have new jobs. Davis agrees those steps would help.
“The great news is there are actually entities like ours that already aggregate all that data,” he said. “We can see multiple touch points and a whole lot more. We can see utility records and credit card transaction records. If you added that to these other public databases—the death files, the employment records, the Postal Service moving records—along with the institutions where we can authenticate a W-2 to check if that is the real place and the appropriate wages, and if that is what the corporation or entity or LLC is filing from a corporate standpoint, all of that exists today. It’s just in disparate databases. With the ability to bring that together and run analytics, applying technology in an automated fashion, we could filter the front line of by far the majority of tax returns. It would allow them to be processed through this identity check, whereas today that doesn’t even happen.”
Davis said his company is hearing from the government that it is interested in fixing the problem. “I do believe that they will work with folks in the private sector to help address this,” he said. “But as you know, government’s involvement is big, and it takes a while to do.”
He explained that there is a bureaucratic process of determining whether a contractor meets various vendor guidelines, works with the General Services Administration, etc., along with other procedures. LifeLock does have a San Diego-based subsidiary called ID Analytics that has received some federal contracts already, however.
Fraud Risk Scores
Davis believes his company could help the IRS overcome restrictions on the types of information that it is allowed to access for identity authentication.
“Instead of the IRS trying to collect that, if you contracted with a private sector third party like a LifeLock, we could actually provide them a risk score,” said Davis. “We don’t need the government to process it. We can come back and say, ‘Given this information, we are able to assess a score for [a taxpayer] of a low probability, medium probability, or high probability of fraud, and on the medium here are the next steps you can take to further authenticate, and on the high, this is where you would dedicate your government resources to dig into this one and flag it for more attention.’ That way we’re working on it before the filing is completed and on record, whereas today they have to dedicate all these resources to clean it up afterward.”
Davis said LifeLock could start providing the scoring instantaneously to the IRS, as it does today for wireless providers, financial institutions, and utility and cable providers. He estimates that only 2 to 3 percent of the tax filings would generate “a high level of friction.”
“Criminals are leveraging the fact that you’re expecting a low risk,” he said. “We want to add a lot of friction to the ones that are red.”
Even though the IRS has proprietary systems in place, such as its new Modernized eFile system, Davis said LifeLock uses standard communication protocols that are probably also used by the IRS.
“They have standard interface protocols that they could map to,” he explained. “They would tell us what those interface protocols look like. It’s bidirectional for us.”
In less than a second, LifeLock could put a tax return into a queue where it would indicate where there was a low, medium or high risk of fraud without significantly delaying the tax return. Davis noted that taxpayers and the IRS need to expend significant amounts of time trying to sort out problems after a taxpayer finds their tax refund has been stolen, including police reports and prosecutions.
“It can cost them hundreds of hours of their personal time to clean this up,” he said.