
General government: Identity Theft Refund Fraud (2016-22)

The Internal Revenue Service could potentially save billions of dollars in fraudulent refunds by improving the agency's efforts to prevent refund fraud associated with identity theft.

Year Identified: 2016
Area Number: 22
Area Type: Cost Savings & Revenue Enhancement

Actions

Action 1
Consolidated or Other

Congress should consider providing the Secretary of the Treasury with the regulatory authority to lower the threshold for electronic filing (e-filing) of W-2s from 250 returns annually to between five to 10 returns, as appropriate.

Type
Congressional
Last Updated
March 31, 2020
Progress:

GAO is no longer assessing this action separately as it was consolidated under Action 9 in the 2018 Area 19 Tax Fraud and Noncompliance Action Tracker area and considered addressed.

Implementing Entity:
Congress
Action 2
Addressed

The Internal Revenue Service (IRS) should provide aggregated information on (1) the success of external party leads in identifying suspicious returns and (2) emerging trends, and develop a set of metrics to track external leads by the submitting third party.

Type
Executive Branch
Last Updated
March 21, 2018
Progress:

As of December 2017, IRS had addressed GAO's August 2014 recommendation by developing timeliness metrics for managing leads, holding six feedback sessions with financial institutions participating in the External Leads Program, and sharing information through the Security Summit. In November 2015, IRS reported that it had developed a database to track leads submitted by financial institutions and the results of those leads. IRS also stated that it had held six sessions with financial institutions to provide feedback on external leads provided to IRS. These quarterly feedback sessions contained various types of information, including overall statistics for the External Leads Program, individual statistics tailored to a specific external party, and solicitations for how to improve the program. In December 2015, IRS officials stated that the agency sent a customer satisfaction survey asking financial institutions for feedback on the external leads process and was considering other ways to provide feedback to financial institutions. In March 2017, IRS officials told GAO they were holding more frequent, monthly, feedback sessions with financial institutions. Additionally, IRS provides feedback and information sharing to financial institutions through the Security Summit. IRS provided information on the Security Summit's Financial Services Working Group met weekly to discuss new and emerging fraud trends, new ideas on fraud prevention and overall statistics for the External Leads Program to the Security Summit's Financial Services Working Group participants. In December 2017, 8 of the 11 financial institutions who responded to GAO's outreach said that IRS's feedback was timely, meaningful, and actionable. Further, one organization told GAO that IRS's feedback was substantially improved from 2014. Accurate, timely, and actionable feedback to external parties participating in the External Leads Program informs them if the leads they provide to IRS are useful and enables them to assess their success in identifying identity theft refund fraud and improve their detection tools.

Implementing Entity:
Internal Revenue Service
Action 3
Addressed

The Internal Revenue Service (IRS) should estimate and document the costs, benefits, and risks of possible options for taxpayer authentication, in accordance with Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) guidance.

Type
Executive Branch
Last Updated
October 18, 2017
Priority Rec.
This is a priority recommendation.
Progress:

In May 2017, IRS implemented a business decision model to analyze and improve online taxpayer authentication tools, and provided GAO with results from one analysis. IRS's analysis (1) identifies expected costs for implementing an authentication tool, including IRS information technology costs and taxpayer burden; (2) compares the potential benefits to taxpayers and IRS for implementing versus not implementing the tool; and (3) identifies the risks associated with the project, the steps IRS has taken to mitigate them, and potential areas of increased risk if IRS were to implement the tool, consistent with GAO's January 2015 recommendation. Further, this analysis discusses how the tool aligns with IRS's strategic goals and includes a decision justification. IRS officials told GAO that this analysis served as the basis for IRS management's decision to approve implementing a new authentication tool. Further, IRS officials told GAO they find this analysis extremely useful and have also created a shorter cost-benefit-risk analysis template to facilitate decision making on smaller, day-to-day authentication issues.

Implementing Entity:
Internal Revenue Service
Action 4
Addressed

The Internal Revenue Service (IRS) should, in accordance with Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) e-authentication guidance, (1) conduct an updated risk assessment to identify new or ongoing risks for the Taxpayer Protection Program's (TPP) online and phone authentication options, including documentation of time frames for conducting the assessment, and (2) implement appropriate actions to mitigate risks identified in the assessment.

Type
Executive Branch
Last Updated
March 29, 2019
Progress:

As of December 2018, IRS had conducted risk assessments for TPP and implemented actions to mitigate risks identified in these assessments, as GAO recommended in May 2016. IRS conducted a risk assessment for TPP's online authentication option in May 2016 based on OMB and NIST guidance. As a result of this assessment, IRS took TPP's online authentication option offline while working to improve the option's authentication standard. IRS relaunched the option in October 2018 with improvements, such as two-factor authentication, that mitigate risks identified in the 2016 assessment. In 2017 IRS held a workshop to assess risks to other TPP authentication options, including the phone option. In February 2017 IRS implemented a new process for TPP phone authentication. By taking appropriate actions to mitigate risks identified in its TPP risk assessments, IRS will prevent fraudsters from passing TPP authentication and potentially receiving millions in refunds.

Implementing Entity:
National Security Personnel System Task Group
Action 5
Addressed

The Commissioner of Internal Revenue should direct the Identity Assurance Office, in collaboration with other Internal Revenue Service (IRS) business partners, to estimate the resources (i.e., financial and human) required for the foundational initiatives and supporting activities identified in its Identity Assurance Strategy and Roadmap.

Type
Executive Branch
Last Updated
March 31, 2020
Priority Rec.
This is a priority recommendation.
Progress:

As of January 2020, IRS had estimated the resources required for the foundational initiatives and supporting activities in its Identity Assurance Strategy and Roadmap (Roadmap), as GAO recommended in June 2018. IRS documentation states that as a first step in updating the original Roadmap, the Identity Assurance office worked with stakeholders to verify the progress made and current status of its 14 foundational initiatives. In addition, the Identity Assurance office collected existing information on high-level financial and human resource estimates for the 14 foundational initiatives and supporting activities that are currently underway or planned. Further, IRS documentation shows that it has completed five of the 14 foundational initiatives in its Roadmap; the remaining nine foundational initiatives are shown as "in progress" or "near complete." IRS stated that it intends to update its Roadmap annually to reflect changes in IRS priorities. IRS's continued monitoring of its foundational initiatives—and the resources required to complete them—will help ensure continued progress on its authentication efforts.

Implementing Entity:
Internal Revenue Service
Action 6
Partially Addressed

Based on the estimates developed in action 5, the Commissioner of Internal Revenue should direct the Identity Assurance Office to prioritize foundational initiatives in its Identity Assurance Strategy and Roadmap.

Type
Executive Branch
Last Updated
March 31, 2020
Priority Rec.
This is a priority recommendation.
Progress:

As of January 2020, the Internal Revenue Service (IRS) had taken preliminary steps to prioritize its foundational initiatives in its Identity Assurance Strategy and Roadmap (Roadmap), as GAO recommended in June 2018. For example, IRS documentation stated that initial efforts to update the original Roadmap included collecting implementation documents for the 14 foundational initiatives. IRS stated that this information and progress that IRS has made on the initiatives shows that the initiatives are a priority for IRS leadership. However, IRS has not used this information to clearly prioritize in-progress initiatives or supporting activities going forward. IRS stated that it intends to update its Roadmap annually, including prioritizing new and existing authentication initiatives and capabilities. IRS's continued attention to this action will help ensure that in-progress authentication initiatives are prioritized and completed.

Implementing Entity:
Internal Revenue Service
Action 7
Partially Addressed

The Commissioner of Internal Revenue should develop a repeatable, comprehensive process to identify and evaluate alternative options for improving taxpayer authentication, including technologies in use by industry, states, or other trusted partners.

Type
Executive Branch
Last Updated
March 31, 2020
Progress:

As of January 2020, the Internal Revenue Service (IRS) had taken steps to develop a repeatable, comprehensive process to identify and evaluate alternative options for improving taxpayer authentication, as GAO recommended in June 2018. IRS stated that the draft process was being reviewed by the Chief Privacy Officer and it expects to finalize the process in spring 2020. IRS also stated that the Identity Assurance office will be ready to use the repeatable process once it is approved by IRS leadership. IRS's continued attention to this action will help ensure that it has a sound rationale for its investment decisions and the resources it needs to make authentication improvements in a timely manner.

Implementing Entity:
Internal Revenue Service
Action 8
Not Addressed

Based on the approach developed in action 7, the Commissioner of Internal Revenue should include and prioritize these options, as appropriate, in IRS's Identity Assurance Strategy and Roadmap.

Type
Executive Branch
Last Updated
March 31, 2020
Progress:

As of January 2020, the Internal Revenue Service (IRS) had taken steps to develop a repeatable, comprehensive process to identify and evaluate alternative options for improving taxpayer authentication. However, IRS had not yet included and prioritized these options, as appropriate, in IRS's Identity Assurance Strategy and Roadmap (Roadmap), as GAO recommended in June 2018. IRS stated that it expects to finalize its process to evaluate alternative authentication options in spring 2020. IRS documentation states that it plans to update its Roadmap annually, but it has not articulated a timeline for doing so in 2020. IRS's continued attention to this action will help ensure that it has a sound rationale for its investment decisions and the resources it needs to make authentication improvements in a timely manner.

Implementing Entity:
Internal Revenue Service
Action 9
New – Pending

The Commissioner of Internal Revenue should designate a dedicated entity to provide oversight of agency-wide efforts to detect, prevent, and resolve business Identity Theft (IDT) refund fraud, consistent with leading practices. This may involve designating one business unit as a lead entity, or leveraging cooperative relationships between business units to establish a business IDT leadership team. This entity should have defined responsibilities and authority for managing fraud risk.

Type
Executive Branch
Last Updated
April 9, 2013
Priority Rec.
This is a priority recommendation.
Progress:

Pending

Implementing Entity:
Internal Revenue Service
Action 10
New – Pending

The Commissioner of Internal Revenue should develop a fraud risk profile for business Identity Theft (IDT) that aligns with leading practices. This should include (1) identifying inherent fraud risks of business IDT, (2) assessing the likelihood and impact of inherent fraud risks, (3) determining fraud risk tolerance, and (4) examining the suitability of existing fraud controls.

Type
Executive Branch
Last Updated
March 31, 2020
Priority Rec.
This is a priority recommendation.
Progress:

Pending

Implementing Entity:
Internal Revenue Service
Action 11
New – Pending

The Commissioner of Internal Revenue should develop, document, and implement a strategy for addressing fraud risks that will be identified in its fraud risk profile.

Type
Executive Branch
Last Updated
March 31, 2020
Progress:

Pending

Implementing Entity:
Internal Revenue Service