government icon, source: Eyewire

General Government: Identity Theft Refund Fraud

The Internal Revenue Service and Congress could potentially save billions of dollars in fraudulent refunds by improving the agency’s efforts to prevent refund fraud associated with identity theft.

Action:

Congress should consider providing the Secretary of the Treasury with the regulatory authority to lower the threshold for electronic filing of W-2s from 250 returns annually to between 5 to 10 returns, as appropriate.

Progress:

As of March 2018, no legislation had been enacted. Lowering the threshold would help the Internal Revenue Service prevent identity theft refund fraud by enhancing its ability to verify the employment information reported on tax returns before issuing refunds. Additionally, lowering the threshold would reduce the Social Security Administration's administrative costs of processing W-2 information.

Implementing Entity:

Congress

Action:

The Internal Revenue Service (IRS) should provide aggregated information on (1) the success of external party leads in identifying suspicious returns and (2) emerging trends, and develop a set of metrics to track external leads by the submitting third party.

Progress:

As of December 2017, IRS had addressed GAO's August 2014 recommendation by developing timeliness metrics for managing leads, holding six feedback sessions with financial institutions participating in the External Leads Program, and sharing information through the Security Summit. In November 2015, IRS reported that it had developed a database to track leads submitted by financial institutions and the results of those leads. IRS also stated that it had held six sessions with financial institutions to provide feedback on external leads provided to IRS. These quarterly feedback sessions contained various types of information, including overall statistics for the External Leads Program, individual statistics tailored to a specific external party, and solicitations for how to improve the program. In December 2015, IRS officials stated that the agency sent a customer satisfaction survey asking financial institutions for feedback on the external leads process and was considering other ways to provide feedback to financial institutions. In March 2017, IRS officials told GAO they were holding more frequent, monthly, feedback sessions with financial institutions.

Additionally, IRS provides feedback and information sharing to financial institutions through the Security Summit. IRS provided information on the Security Summit’s Financial Services Working Group met weekly to discuss new and emerging fraud trends, new ideas on fraud prevention and overall statistics for the External Leads Program to the Security Summit’s Financial Services Working Group participants. In December 2017, 8 of the 11 financial institutions who responded to GAO’s outreach said that IRS’s feedback was timely, meaningful, and actionable. Further, one organization told GAO that IRS’s feedback was substantially improved from 2014. Accurate, timely, and actionable feedback to external parties participating in the External Leads Program informs them if the leads they provide to IRS are useful and enables them to assess their success in identifying identity theft refund fraud and improve their detection tools.

Implementing Entity:

Internal Revenue Service

Action:

The Internal Revenue Service (IRS) should estimate and document the costs, benefits, and risks of possible options for taxpayer authentication, in accordance with Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) guidance.

Progress:

In May 2017, IRS implemented a business decision model to analyze and improve online taxpayer authentication tools, and provided GAO with results from one analysis. IRS's analysis (1) identifies expected costs for implementing an authentication tool, including IRS information technology costs and taxpayer burden; (2) compares the potential benefits to taxpayers and IRS for implementing versus not implementing the tool; and (3) identifies the risks associated with the project, the steps IRS has taken to mitigate them, and potential areas of increased risk if IRS were to implement tool, consistent with GAO’s January 2015 recommendation. 

Further, this analysis discusses how the tool aligns with IRS's strategic goals and includes a decision justification. IRS officials told GAO that this analysis served as the basis for IRS management's decision to approve implementing a new authentication tool. Further, IRS officials told GAO they find this analysis extremely useful and have also created a shorter cost-benefit-risk analysis template to facilitate decision making on smaller, day-to-day authentication issues.

Implementing Entity:

Internal Revenue Service

Action:

The Internal Revenue Service (IRS) should, in accordance with Office of Management and Budget (OMB) and National Institute for Standards and Technology (NIST) e-authentication guidance, (1) conduct an updated risk assessment to identify new or ongoing risks for the Taxpayer Protection Program’s (TPP) online and phone authentication options, including documentation of time frames for conducting the assessment, and (2) implement appropriate actions to mitigate risks identified in the assessment.

This action was identified in GAO’s May 2016 report, Identity Theft and Tax Fraud: IRS Needs to Update Its Risk Assessment for the Taxpayer Protection Program (GAO-16-508), and was added to the Action Tracker in April 2017.

Progress:

As of December 2017, IRS had conducted risk assessments for its TPP online and phone options and had taken actions to mitigate risks, but needed to implement updates to its TPP authentication process, as GAO recommended in its May 2016 report. According to IRS, the agency assessed the e-authentication risk for the TPP web application based on OMB and NIST guidance. Based on the results of these assessments, the agency took TPP’s online authentication service offline and stated that officials are working to improve the level of assurance for the web application. In the interim, taxpayers authenticated their identities by phone or in-person.

According to officials, in January 2017, IRS held a workshop to assess TPP’s risks in all channels, including TPP’s phone option, and in February 2017, IRS implemented a new authentication process for TPP's phone authentication. In August 2017, IRS held a second workshop to analyze TPP risks realized during the 2017 filing season. IRS also completed its post-season analysis of potential refunds paid to fraudsters and identified additional analyses to identify identity theft trends. In December 2017, officials told GAO they plan to re-launch TPP online authentication in two phases.  IRS plans to  launch the first phase in March 2018 to allow taxpayers to inform IRS that they did not file the return in question. The second phase, which IRS plans to launch in late 2018, will enable taxpayers who did file the returns in question to authenticate their identities and receive their refunds.  Implementing improvements to strengthen TPP could help IRS prevent fraudsters from passing authentication and potentially receiving millions of dollars in refunds, as well as improve IRS’s return on investment for its fraud detection efforts.

Implementing Entity:

Internal Revenue Service
  • portrait of
    • James R. McTigue, Jr.
    • Director, Strategic Issues
    • mctiguej@gao.gov
    • (202) 512-9110