IRS urged to fix security holes in tax transcript program

The Internal Revenue Service should be doing more to protect the security of tax transcript information available through its Income Verification Express Service program, according to a new report.

The report, released last Thursday by the Treasury Inspector General for Tax Administration, found the IRS needs to put in place extra security to prevent the unauthorized release of tax information through the IVES system. TIGTA also evaluated the IRS’s efforts to implement some provisions of the Taxpayer First Act, the IRS reform law passed by Congress in 2019, related to the IVES program. The provisions restrict redisclosures and uses of tax return information and require the IRS to implement an online system to process IVES transcript requests, publish standards for the acceptance of taxpayers’ electronic signatures, and verify the identity of any individual opening an e-Services account. The IRS has taken some steps to improve the security of the system in recent years, but the report indicates that it still has some work to do.

The report comes as the IRS is facing increasing demands on its resources, not only from the mandates in the Taxpayer First Act to improve taxpayer service and upgrade the IRS’s aging computer systems, but also to process Economic Impact Payments and other parts of the COVID-19 relief packages passed by Congress, as well as deal with its traditional job of running the nation’s tax system. The IRS has been under pressure to improve the cybersecurity of various self-service tools offered through its website after identity thieves were able to use the Get My Transcript service and other apps to get access to taxpayer information. The IRS was forced to close down the app in May 2015 for over a year until it could add better authentication in June 2016.

Andrew Harrer/Bloomberg

The IVES program is aimed more at banks and financial institutions, which can submit requests to the IRS, on behalf of their clients, to get tax transcripts for individuals and businesses. To reduce the risk of releasing taxpayer information to unauthorized parties, the IRS has to authenticate the validity of the tax transcript request forms to make sure that the taxpayers themselves signed the forms. In 2019, the IRS processed nearly 14 million tax transcript request forms.

TIGTA found the IRS put in place steps to ensure tax transcripts could be accessed only by authorized IVES participants. In Dec. 2017, for example, it implemented a multifactor authentication process called Secure Access for e-Services to prevent unauthorized access to taxpayer data. The following August, the IRS announced it was implementing a new format for individual tax transcripts in order to redact personally identifiable information from them in an effort to safeguard taxpayer data.

“Secure Access is an important step in protecting against the growing threat of cybercriminals and the unauthorized access of taxpayer data,” wrote Kenneth Corbin, commissioner of the IRS’s Wage and Investment division, in response to the report. “As part of a broader effort across all transcript delivery channels and products, the IRS implemented new transcript products to mask personally identifiable information.”

However, TIGTA found some of the main processes aren’t working as intended to make sure taxpayers authorize the release of their tax transcripts. “For example, the IRS requires participants to provide an independent audit report on their electronic signature process by January 31st each year,” said the report. “However, as of July 31, 2020, the IRS received this report from only 15 (2 percent) of the 748 participants. In addition, key requirements for participants’ use and acceptance of electronic signatures were not addressed in the audit reports, and two reports were not prepared by an independent party.”

The IRS is in the process of addressing these concerns. The agency is developing an online system to process IVES participants’ tax transcript request forms. It will replace the current system, which is only partially automated and requires employees to manually process the transcript requests. The new system will enable the IRS to continue processing IVES transcript requests if the IRS experiences another crisis, like COVID-19, which caused the agency to close in-person operations at its tax processing centers.

TIGTA found some other problems with the processing of tax transcripts. The IRS didn’t revise its transcript request form to require IVES participants to provide their clients’ names to substantiate that taxpayers had expressly given their permission for disclosure of their tax information. In addition, IVES program analysts at the IRS didn’t conduct compliance reviews in 2019 to ensure participants completed the required client certifications. TIGTA pointed out that the certifications are important because they validate the identity of the parties that ultimately receive the transcripts. Finally, the IRS didn’t do enough suitability checks on 577 IVES participants that were “grandfathered” into the program in February 2016 when IRS management implemented the suitability checks.

TIGTA made 15 recommendations in the report, including a suggestion that the IRS allocate enough resources to the IVES program to identify and suspend participants that don’t complete the electronic signature certification and submit the annual independent audit report on time to the IRS. The IRS agreed with all 15 of TIGTA’s recommendations and plans further improvements on the system.

“To meet the requirements of Section 2201 of the Taxpayer First Act, we are modernizing the IVES program to deliver transcript requests in real time through the internet, with enhanced safeguards to accommodate a fully automated process that meets taxpayer needs,” wrote Corbin in response to the report. “Automating the manual aspects of our program will eliminate processing errors and permit resources to be redirected elsewhere.”

He anticipates the program updates will be completed by 2023.