government icon, source: Eyewire

General Government: Identity Theft Refund Fraud

The Internal Revenue Service and Congress could potentially save billions of dollars in fraudulent refunds by improving the agency’s efforts to prevent refund fraud associated with identity theft.

Action:

Congress should consider providing the Secretary of the Treasury with the regulatory authority to lower the threshold for electronic filing of W-2s from 250 returns annually to between 5 to 10 returns, as appropriate.

Progress:

As of September 2017, no legislation has been enacted. Lowering the threshold would help the Internal Revenue Service prevent identity theft refund fraud by enhancing its ability to verify the employment information reported on tax returns before issuing refunds. Additionally, lowering the threshold would reduce the Social Security Administration's administrative costs of processing W-2 information.

Implementing Entity:

Congress

Action:

The Internal Revenue Service (IRS) should provide aggregated information on (1) the success of external party leads in identifying suspicious returns and (2) emerging trends, and develop a set of metrics to track external leads by the submitting third party.

Progress:

As of March 2017, IRS had taken steps to address GAO’s August 2014 recommendation—including developing timeliness metrics for managing leads and holding six feedback sessions with financial institutions participating in the External Leads Program—but had not provided documentation that the agency is providing meaningful feedback to external parties. In November 2015, IRS reported that it had developed a database to track leads submitted by financial institutions and the results of those leads. IRS also stated that it had held six sessions with financial institutions to provide feedback on external leads provided to IRS. These quarterly feedback sessions contained various types of information, including overall statistics for the External Leads Program, individual statistics tailored to a specific external party, and solicitations for how to improve the program. In December 2015, IRS officials stated that the agency sent a customer satisfaction survey asking financial institutions for feedback on the external leads process and was considering other ways to provide feedback to financial institutions. In August 2016, an industry group representing financial institutions reported that IRS had not begun providing meaningful feedback to financial institutions that are providing leads to IRS. In March 2017, IRS officials told us they were holding more frequent, monthly, feedback sessions with financial institutions. GAO will follow up with financial institutions to understand the extent to which IRS’s feedback has been timely and is actionable. Without accurate, timely, and actionable feedback, the more than 600 external parties participating in the External Leads Program do not know if the leads they provide to IRS are useful and they may not be able to assess their success in identifying IDT refund fraud or improve their detection tools.

Implementing Entity:

Internal Revenue Service

Action:

The Internal Revenue Service (IRS) should estimate and document the costs, benefits, and risks of possible options for taxpayer authentication, in accordance with Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) guidance.

Progress:

In May 2017, IRS implemented a business decision model to analyze and improve online taxpayer authentication tools, and provided GAO with results from one analysis. IRS's analysis (1) identifies expected costs for implementing an authentication tool, including IRS information technology costs and taxpayer burden; (2) compares the potential benefits to taxpayers and IRS for implementing versus not implementing the tool; and (3) identifies the risks associated with the project, the steps IRS has taken to mitigate them, and potential areas of increased risk if IRS were to implement tool, consistent with GAO’s January 2015 recommendation. 

Further, this analysis discusses how the tool aligns with IRS's strategic goals and includes a decision justification. IRS officials told GAO that this analysis served as the basis for IRS management's decision to approve implementing a new authentication tool. Further, IRS officials told GAO they find this analysis extremely useful and have also created a shorter cost-benefit-risk analysis template to facilitate decision making on smaller, day-to-day authentication issues.

Implementing Entity:

Internal Revenue Service

Action:

The Internal Revenue Service (IRS) should, in accordance with Office of Management and Budget (OMB) and National Institute for Standards and Technology (NIST) e-authentication guidance, (1) conduct an updated risk assessment to identify new or ongoing risks for the Taxpayer Protection Program’s (TPP) online and phone authentication options, including documentation of time frames for conducting the assessment, and (2) implement appropriate actions to mitigate risks identified in the assessment.

This action was identified in GAO’s May 2016 report, Identity Theft and Tax Fraud: IRS Needs to Update Its Risk Assessment for the Taxpayer Protection Program (GAO-16-508), and was added to the Action Tracker in April 2017.

Progress:

As of August 2017, IRS was taking steps to assess the risks of TPP authentication options, as GAO recommended in its May 2016 report. According to IRS, the agency assessed the e-authentication risk for the TPP web application based on OMB and NIST guidance. Based on the results of these assessments, the agency stated that officials are working to improve the level of assurance for the web application. In the interim, IRS reported that taxpayers will authenticate their identities by phone or in-person until the TPP web application has been sufficiently updated. According to officials, in February 2017, IRS implemented a new authentication process for TPP's phone authentication. Officials also told GAO they plan to finalize their review and risk assessment of TPP’s phone, mail, and in-person authentication by October 2017. Once this assessment is finalized, GAO will review the assessment and determine the extent to which IRS has implemented the recommendation. Conducting an updated risk assessment for TPP in accordance with e-authentication and risk management standards will enable IRS to identify appropriate opportunities to strengthen TPP authentication and prevent IDT fraudsters from passing and potentially receiving millions of dollars in refunds. In addition, strengthening TPP could improve IRS’s return on investment for its fraud detection efforts.

Implementing Entity:

Internal Revenue Service
  • portrait of
    • James R. McTigue, Jr.
    • Director, Strategic Issues
    • mctiguej@gao.gov
    • (202) 512-9110