The Internal Revenue Service is taking a different approach to fighting tax-related identify theft.
IRS Commissioner John Koskinen said the tax administration is beginning to “think like a criminal,” and trying to beat bad actors to their next step, as the agency shuts off more and more of their access points to taxpayer information.
“My ultimate goal was after we anticipate where the criminals are going, make this so unattractive and so difficult that criminals go somewhere else,” Koskinen said during a July 25 call with reporters. “I don’t think we’re going to put them out of business, they’ve got too much data and they’re too sophisticated and they have too much money. But if they want to go bother somebody else for a while that would be fine. I think we’re making progress moving in that direction.”
Koskinen said part of that strategy to deflect criminals is through the introduction of new data elements into next year’s filing season.
The data elements, or pieces of digital information from a tax return, are a product of the agency’s Security Summit — a partnership between IRS, states and tax professionals — which Koskinen organized and convened for the first time in March 2015.
“We’ve got a set of 20 items that were most likely to have an impact that we could actually implement,” Koskinen said of the original data elements.
Each year, the summit’s working group on security collaborates with IRS, Koskinen said, and “sifts through and looks at where are we, what are the additional filters or screens that we could put in, what are the additional strategies we could deploy, to go to the next level of difficulty for the criminals?”
The data elements and other summit work are doing some good for IRS. According to agency numbers, about 107,400 taxpayers reported they were victims of ID theft in the first five months of 2017. That’s compared to 204,000 ID theft reports in the same time frame of 2016.
That downward trend reflects annual identify theft reports. IRS counted 698,700 ID thefts in calendar year 2015, compared to 376,500 in 2016.
Despite the drop in individual identify theft reports, Koskinen said “we need to be prepared to fight on new fronts.”
“We’re seeing an increase in identity theft involving business-related tax returns,” the commissioner said. “This shows that identity thieves are constantly working to come up with new ways to get around the barriers we’ve put up.”
IRS reported between January and June 1, it identified roughly 10,000 business returns for potential ID theft, compared to 4,000 in 2016, and around 350 in 2015.
“While the number of businesses affected was relatively low, the potential dollar amounts were significant: $137 million for 2017, $268 million for 2016 and $122 million for 2015,” IRS reported.
To combat attacks on business-related tax forms, IRS is tailoring some of its new data elements for 2018 for businesses.
Those pieces of information about business clients will include:
the name and Social Security number of the company executive authorized to sign the corporate tax return.
parent company information.
Koskinen also urged tax preparers to be vigilant when handling the tax information of an individual or business.
Between January and June, IRS heard of 177 reported data breaches at tax preparers’ offices.
“There is only so much our organizations can do,” Koskinen said. “The fight against identity theft and refund fraud can be made easier if people take steps to keep their personal and financial data out of the hands of identity thieves. This includes both individuals and businesses. We need the public’s help, and we need the help of tax professionals across the country to protect against identity theft.”
The opposite of streamlined
Another way in which the IRS is looking to combat identity theft is by pursuing Streamlined Critical Pay (SCP) authority.
SCP is different than the general Federal Governmentwide Critical Position Pay Authority (CPPA), which the Treasury Inspector General for Tax Administration (TIGTA) recommended the IRS pursue in a July 24 report.
Koskinen said CPPA is “the opposite of streamlined,” because it requires approval from the Treasury Department, the Office of Personnel Management and the Office of Management and Budget.
“When dealing with cybersecurity experts, IT architectural people, design experts, they’ve got a lot of opportunities and a lot of people recruiting them,” Koskinen said. “So they may want to come join … but most of them if they’re looking for a new job, don’t want to wait six to eight months. Fortunately, we have increasing support on the Hill, the president’s budget this year, encourages or asks the Congress to reinstitute the streamlined critical pay program we had. It allowed for 40 positions, we never had more than 34; our prior chief information officer, our cybersecurity expert … online security people, all were people who were recruited from the private sector with streamlined critical pay. My hope is that the Congress will see fit to reinstitute that program, which was not renewed in 2013.”