FTC enhances website tool as watchdog criticizes IRS safeguards.
With government and industry marking National Tax Identity Theft Week, the Federal Trade Commission on Thursday announced enhancements to its fraud reporting website, acting just as an inspector general faulted the Internal Revenue Service for missing some fraudulent tax returns in a pilot detection program.
Identity thieves victimized 17.6 million Americans in 2014, FTC Chairwoman Edith Ramirez told reporters in a conference call, saying the 490,000 complaints to her agency in 2015 marked a 47 percent increase over the previous year. “It can take years to recover from,” she said while unveiling “enhancements to the FTC’s special reporting website identitytheft.gov that “will make it easier for consumers to report theft and recover from it.”
Improvements include Spanish translations, step-by-step instructions and pre-filled forms so that victims can find out whether their personal information was used to open a credit card account, for example, and steps they can take on “how to put a recovery plan in action,” Ramirez said. “We only collect information we need—we don’t, for example, ask for Social Security or driver’s license numbers.”
The IRS has stepped up its focus on combatting identity theft since it announced last May that hackers had breached its “Get Transcript” database containing more than 300,000 individual tax accounts. It has since set up a partnership with private tax professionals and companies called the Security Summit, resulting in new detection safeguards and authentication requirements in time for the 2016 filing season now underway.
But a report released Thursday by the Treasury Inspector General for Tax Administration found some programming errors in an IRS tax return fraud detection system launched in 2009. A pilot program called the Return Review Program implemented in 2014, while successfully identifying some fraudulent returns missed by other systems, failed to catch 54,175 separately confirmed identity theft tax returns with refunds totaling more than $313 million.
The watchdog noted that its ongoing monitoring of IRS progress against identity theft prompted the agency to implement a new process that limits the number of its refund deposits to a single bank account to three. "TIGTA’s review of this process identified programming errors that resulted in 5,516 direct deposits totaling almost $13.5 million that were not converted to paper refund checks,” the report said. "The IRS addressed two of the programming errors and plans to correct the remaining error by August 2016."
The tax agency also failed to respond consistently when refund checks were returned as undeliverable, in some cases not issuing a new check as required or following through on whether the undeliverable check was evidence of fraud, the IG found.
The IRS largely agreed with TIGTA’s recommendations that it improve programming and tighten processes for following through on detection.
The tax agency’s more recent efforts against identity theft include the launch last October of an educational video series on YouTube featuring joint efforts with state tax authorities.
But IRS officials acknowledge that the solutions from last year’s Security Summit are a work in progress. TIGTA in December reported that the agency was not keeping up with private-sector standards in requiring multi-factor authentication passwords with which taxpayers access online accounts. The IRS this week told Nextgov those extra protections should be in place later this year.
Nor do the agency’s new safeguards take full advantage of third-party databases—public records to verify that tax filers are who they claim they are, said Steve Lappenbusch, manager for tax and revenue market planning at the private LexisNexis Risk Solutions. The IRS’s Security Summit partnership “is not a bad first step, but in my opinion it won’t solve the problem completely because it doesn’t reach the tax industrial complex” that includes a larger universe, including tax preparation firms, he told Government Executive. “Where agencies such as the IRS are really struggling” is trying to apply the same tools to refund fraud as to identity theft,” he said, making a case for his company’s patented program and supercomputer databases that connect multiple disparate pieces of data together to provide a comprehensive look into a filer.
LexisNexis Risk Solutions’ clients, among them many state tax departments, are able to “explore a lot of the gray areas” in what has been reported in a tax return, such as “the rest of that identity over the years” so that officials can ask people to prove who they are, Lappenbusch said. “The issue is to get the right data and link them together to see if they are reflective of reality” so that more identity theft and tax fraud—which can go undetected for months or years--can be headed off proactively.
Asked to respond to the LexisNexis critique, the IRS emailed a statement saying, “Among the many new safeguards from the Security Summit Initiative are additional information sharing between the IRS, the states and the tax software industry. For example, software providers will be sharing more than 20 new data elements from the tax return that will help the IRS determine the legitimacy of the return. Also, IRS filters perform matches with other federal databases, in addition to the historic filing patterns within our own database,” it said.
“The IRS, states and industry also are sharing information about identity theft and fraud schemes they see emerging during the filing season. And, as part of the Security Summit Initiative, we are establishing an Information Sharing and Analysis Center,” which by 2017 “will centralize, standardize and enhance data compilation and analysis and allow the sharing of actionable data and information.”
To enlist more help from the public in combatting identity theft, the IRS this month launched a new awareness campaign titled “Taxes. Security. Together.”
“People continue to fall victim to phishing schemes that compromise their critical passwords and allow thieves access to their banking accounts, credit card companies or even tax software companies,” the statement said. “Increasingly, these are sophisticated cybercriminals who expertly disguise their phishing emails or texts. Personal and financial data stolen from outside the tax system but used to file fraudulent returns creates a burden on the legitimate taxpayer, the IRS, the states and the industry.”
The threat of identity theft was never likely to diminish during a single week.