Key Issues > Duplication & Cost Savings > GAO's Action Tracker > Identity Theft Refund Fraud (2016-22)
government icon, source: Eyewire

General Government: Identity Theft Refund Fraud (2016-22)

The Internal Revenue Service and Congress could potentially save billions of dollars in fraudulent refunds by improving the agency's efforts to prevent refund fraud associated with identity theft.

Action:

Congress should consider providing the Secretary of the Treasury with the regulatory authority to lower the threshold for electronic filing of W-2s from 250 returns annually to between 5 to 10 returns, as appropriate.

Progress:

As of April 2019, Congress had lowered the e-filing threshold for partnerships, but not for all W-2 filers, as GAO suggested in August 2014. Section 301 of the Tax Technical Corrections Act of 2018, division U of the Consolidated Appropriations Act, 2018, lowered the threshold for e-filing by partnerships incrementally over time, eventually to 20 returns after 2021 (Public Law 115-141). However, these lower thresholds only apply to partnerships and not other W-2 filers. In April 2019, the House Ways and Means Committee reported on H.R. 1957, the Taxpayer First Act of 2019. If enacted, this legislation would lower the e-filing threshold for all filers. Lowering the threshold for all W-2 filers would help the Internal Revenue Service prevent identity theft refund fraud by enhancing its ability to verify the employment information reported on tax returns before issuing refunds. Additionally, lowering the threshold would reduce the Social Security Administration's administrative costs of processing W-2 information.

Implementing Entity:

Congress

Action:

The Internal Revenue Service (IRS) should provide aggregated information on (1) the success of external party leads in identifying suspicious returns and (2) emerging trends, and develop a set of metrics to track external leads by the submitting third party.

Progress:

As of December 2017, IRS had addressed GAO's August 2014 recommendation by developing timeliness metrics for managing leads, holding six feedback sessions with financial institutions participating in the External Leads Program, and sharing information through the Security Summit. In November 2015, IRS reported that it had developed a database to track leads submitted by financial institutions and the results of those leads. IRS also stated that it had held six sessions with financial institutions to provide feedback on external leads provided to IRS. These quarterly feedback sessions contained various types of information, including overall statistics for the External Leads Program, individual statistics tailored to a specific external party, and solicitations for how to improve the program. In December 2015, IRS officials stated that the agency sent a customer satisfaction survey asking financial institutions for feedback on the external leads process and was considering other ways to provide feedback to financial institutions. In March 2017, IRS officials told GAO they were holding more frequent, monthly, feedback sessions with financial institutions.

Additionally, IRS provides feedback and information sharing to financial institutions through the Security Summit. IRS provided information on the Security Summit’s Financial Services Working Group met weekly to discuss new and emerging fraud trends, new ideas on fraud prevention and overall statistics for the External Leads Program to the Security Summit’s Financial Services Working Group participants. In December 2017, 8 of the 11 financial institutions who responded to GAO’s outreach said that IRS’s feedback was timely, meaningful, and actionable. Further, one organization told GAO that IRS’s feedback was substantially improved from 2014. Accurate, timely, and actionable feedback to external parties participating in the External Leads Program informs them if the leads they provide to IRS are useful and enables them to assess their success in identifying identity theft refund fraud and improve their detection tools.

Implementing Entity:

Internal Revenue Service

Action:

The Internal Revenue Service (IRS) should estimate and document the costs, benefits, and risks of possible options for taxpayer authentication, in accordance with Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) guidance.

Progress:

In May 2017, IRS implemented a business decision model to analyze and improve online taxpayer authentication tools, and provided GAO with results from one analysis. IRS's analysis (1) identifies expected costs for implementing an authentication tool, including IRS information technology costs and taxpayer burden; (2) compares the potential benefits to taxpayers and IRS for implementing versus not implementing the tool; and (3) identifies the risks associated with the project, the steps IRS has taken to mitigate them, and potential areas of increased risk if IRS were to implement tool, consistent with GAO’s January 2015 recommendation. 

Further, this analysis discusses how the tool aligns with IRS's strategic goals and includes a decision justification. IRS officials told GAO that this analysis served as the basis for IRS management's decision to approve implementing a new authentication tool. Further, IRS officials told GAO they find this analysis extremely useful and have also created a shorter cost-benefit-risk analysis template to facilitate decision making on smaller, day-to-day authentication issues.

Implementing Entity:

Internal Revenue Service

Action:

The Internal Revenue Service (IRS) should, in accordance with Office of Management and Budget (OMB) and National Institute for Standards and Technology (NIST) e-authentication guidance, (1) conduct an updated risk assessment to identify new or ongoing risks for the Taxpayer Protection Program’s (TPP) online and phone authentication options, including documentation of time frames for conducting the assessment, and (2) implement appropriate actions to mitigate risks identified in the assessment.

Progress:

As of December 2018, IRS had conducted risk assessments for TPP and implemented actions to mitigate risks identified in these assessments, as GAO recommended in May 2016. IRS conducted a risk assessment for TPP’s online authentication option in May 2016 based on OMB and NIST guidance. As a result of this assessment, IRS took TPP’s online authentication option offline while working to improve the option’s authentication standard. IRS relaunched the option in October 2018 with improvements, such as two-factor authentication, that mitigate risks identified in the 2016 assessment.

In 2017 IRS held a workshop to assess risks to other TPP authentication options, including the phone option. In February 2017 IRS implemented a new process for TPP phone authentication. By taking appropriate actions to mitigate risks identified in its TPP risk assessments, IRS will prevent fraudsters from passing TPP authentication and potentially receiving millions in refunds.

Implementing Entity:

Internal Revenue Service

Action:

The Commissioner of Internal Revenue should direct the Identity Assurance Office, in collaboration with other IRS business partners, to estimate the resources (i.e., financial and human) required for the foundational initiatives and supporting activities identified in its Identity Assurance Strategy and Roadmap.

Progress:

Pending

Implementing Entity:

Internal Revenue Service

Action:

Based on the estimates developed in action 5, the Commissioner of Internal Revenue should direct the Identity Assurance Office to prioritize foundational initiatives in its Identity Assurance Strategy and Roadmap.

Progress:

Pending

Implementing Entity:

Internal Revenue Service

Action:

The Commissioner of Internal Revenue should develop a repeatable, comprehensive process to identify and evaluate alternative options for improving taxpayer authentication, including technologies in use by industry, states, or other trusted partners.

Progress:

Pending

Implementing Entity:

Internal Revenue Service

Action:

Based on the approach developed in Action 7, the Commissioner of Internal Revenue should include and prioritize these options, as appropriate, in IRS's Identity Assurance Strategy and Roadmap.

Progress:

Pending

Implementing Entity:

Internal Revenue Service
  • portrait of
    • James R. McTigue, Jr.
    • Director, Strategic Issues
    • mctiguej@gao.gov
    • (202) 512-9110