The Internal Revenue Service met with a group of state tax administrators and tax industry leaders Tuesday to discuss additional steps they are taking for next tax season to strengthen safeguards against identity theft and tax refund fraud.
The public-private sector partnership announced success in identifying and testing more than 20 new data elements on tax return submissions that will be shared with the IRS and the states to help detect and prevent identity-theft related filings. In addition, the software industry is putting in place enhanced identity requirements and validation procedures for their customers to protect accounts from identity thieves.
“We’re here to give you an update on the protections we are putting in place for the upcoming filing season to better safeguard taxpayers and the tax system against stolen identity refund fraud,” said IRS Commissioner John Koskinen during a press conference. “As I said before, this is not a battle the IRS can fight alone. Joining me today are representatives of the electronic tax industry, the software industry and the states. These members of our Security Summit group have collaborated with the IRS since day one. We began mapping out a strategy in March and together we have made significant progress in just a few months.”
He noted that the collaborative group has added more members. “We now have 20 major players in the tax and financial industry working with us on this effort,” said Koskinen. “This is significant because the Security Summit now covers virtually the entire population of taxpayers who e-file their tax returns.”
Koskinen pointed out that 34 states have now signed a memorandum of understanding with the IRS, with even more planning to sign on in the weeks ahead. “It’s significant because 32 of the 42 states that have an income tax have already signed on,” he said. “It’s critical for us to continue making progress on this area because refund fraud related to identity theft has become a more complicated and serious threat to the nation’s tax system.”
Koskinen acknowledged that over the last few years the IRS has seen an increase in identity theft crimes being perpetrated by organized crime syndicates around the world. “These criminals have been able to gather enormous amounts of personal data from sources outside the IRS,” he said. “This makes protecting taxpayers more challenging and difficult, so I’m delighted to report that for next year’s tax-filing season we are on track to fulfill our goal of having new safeguards in place for taxpayers when they file their return.”
He promised that most of the new protections would be invisible to taxpayers. “But behind the scenes we’re putting in place a multilayered, multifaceted approach,” he said. “The states, the federal government, and private sector companies in the tax business—the people you see around the table—will all have strong new safeguards collectively in place for the 2016 tax-filing season. Our defenses are strong and our systems remain secure, but this year—to put it in sports terms—we’re going on offense like never before. We will have new data coming in to help identify fake returns and prevent fraudulent returns from going out the door. We’re working together to build a strong reinforced system that lets the taxpayers in and keeps criminals out and we will continue to prosecute identity thieves who steal refunds.”
When the Security Summit met last June, he noted, one of the biggest concerns involved what could be done to validate taxpayer identities and tax information when returns are filed. “Working together, the states, industry and the IRS came up with more than 20 data components that we can collect and share with each other when a return is filed,” said Koskinen. “This data, which is largely invisible to the taxpayer when their return is filed, will shine new light on potentially fraudulent returns.”
Along with the data sharing, the IRS will also continue to use its recently introduced Return Review Program to prevent fraud. “This is a relatively new and sophisticated fraud detection system designed by the IRS specifically to protect taxpayers,” said Koskinen. “I’m not interested in giving criminals a roadmap to our system, so I won’t go into a lot of details this morning on which data components we’re looking at, but let me give you just a few basic examples. If tax returns come from the same foreign Internet address, we’ll see that. If many tax returns are filed from the same device, we’ll see that as well. We can also see how long it takes to prepare a return online from the time a person logs in to when the return is filed electronically, so if a tax return appears to be automatically generated by machine, we’ll find that out as well. All of these give us a better defense against criminals trying to use stolen taxpayer information to file tax returns that are false and claim refunds, and we can do a better job of stopping the refund before it goes out the door.”
He noted that the program illustrates how government, the private sector and the states can work together toward a shared goal while maintaining clear lines of distinction between the roles they play in the "tax ecosystem."
“Industry is providing essential help by sharing key information,” said Koskinen. “This will allow the government, both the states and the IRS, to quickly and accurately make determinations of what is fraudulent and what is not, but this doesn’t change the roles we have traditionally played. It simply extends the current relationship to better protect taxpayers and the integrity of our entire tax system.”
Koskinen pointed out that private industry is cooperating in the effort to better protect taxpayers and the integrity of the tax system. “Our partners in private industry are also taking additional steps to protect customers who use tax software to fill out and file their returns,” he said. “Many of the improvements should look familiar because they’re currently used across the financial sector when you log into your accounts, things like additional security questions and device recognitions. The Security Summit has made remarkable progress so far, but more work remains. We’re looking beyond the upcoming filing season to see where we can make changes to protect the tax system over the long term.”
New password standards to access tax software will require a minimum of eight characters with upper case, lower case, alphabetical, numerical and special characters. A new timed lockout feature and limited unsuccessful log-in attempts will be incorporated in tax software, along with three security questions. There will also be “out-of-band verification” for email addresses, which is sending an email or text to the customer with a PIN, a common practice that is used throughout the financial sector.
Intuit CEO Brad Smith also pointed to the collaborative effort to fight fraud. “Protecting taxpayers and strengthening the integrity of the U.S. tax system is a team effort, and the progress we’ve made over the past eight months demonstrates our shared commitment to fight fraud,” he said. “Cooperation between government and industry is both essential and unprecedented. Together, we’re creating new ways to further validate taxpayers’ identities and the information they submit. Sharing what we’ve learned will strengthen the system and give taxpayers greater confidence when they file returns. Tax fraud is an evolving threat and we are evolving with it. These are significant changes that will further safeguard taxpayers and at the same time, accelerate government’s and industry’s ability to share information to combat fraud.”
H&R Block president and CEO Bill Cobb agreed that the IRS and the tax industry had accomplished a great deal, but needed to make more progress. “We’ve accomplished a lot this summer and have worked hard to build trust, accountability and sound plans across all constituencies,” he said in a statement. “Now is the time to solidify and implement those plans for the upcoming season. Again, it all won’t be accomplished in one season, which is why we have begun planning for what we’ll do in the future. The proof of real progress will be when the entirety of the industry is equally pursuing fraud prevention and seeing results.”