
General Government: Identity Theft Refund Fraud (2016-22)

The Internal Revenue Service could potentially save billions of dollars in fraudulent refunds by improving the agency's efforts to prevent refund fraud associated with identity theft.

Action:

Congress should consider providing the Secretary of the Treasury with the regulatory authority to lower the threshold for electronic filing (e-filing) of W-2s from 250 returns annually to between five and 10 returns, as appropriate.

Progress:

GAO is no longer assessing this action separately as it was consolidated under Action 9 in the 2018 Area 19 Tax Fraud and Noncompliance Action Tracker area and considered addressed.

Implementing Entity:

Congress

Action:

The Internal Revenue Service (IRS) should provide aggregated information on (1) the success of external party leads in identifying suspicious returns and (2) emerging trends, and develop a set of metrics to track external leads by the submitting third party.

Progress:

As of December 2017, IRS had addressed GAO's August 2014 recommendation by developing timeliness metrics for managing leads, holding six feedback sessions with financial institutions participating in the External Leads Program, and sharing information through the Security Summit. In November 2015, IRS reported that it had developed a database to track leads submitted by financial institutions and the results of those leads. IRS also stated that it had held six sessions with financial institutions to provide feedback on external leads provided to IRS. These quarterly feedback sessions contained various types of information, including overall statistics for the External Leads Program, individual statistics tailored to a specific external party, and solicitations for how to improve the program. In December 2015, IRS officials stated that the agency sent a customer satisfaction survey asking financial institutions for feedback on the external leads process and was considering other ways to provide feedback to financial institutions. In March 2017, IRS officials told GAO they were holding more frequent, monthly, feedback sessions with financial institutions.

Additionally, IRS provides feedback and information sharing to financial institutions through the Security Summit. The Security Summit’s Financial Services Working Group met weekly to discuss new and emerging fraud trends, new ideas on fraud prevention, and overall statistics for the External Leads Program, and IRS provided this information to the working group’s participants. In December 2017, 8 of the 11 financial institutions that responded to GAO’s outreach said that IRS’s feedback was timely, meaningful, and actionable. Further, one organization told GAO that IRS’s feedback was substantially improved from 2014. Accurate, timely, and actionable feedback to external parties participating in the External Leads Program informs them if the leads they provide to IRS are useful and enables them to assess their success in identifying identity theft refund fraud and improve their detection tools.

Implementing Entity:

Internal Revenue Service

Action:

The Internal Revenue Service (IRS) should estimate and document the costs, benefits, and risks of possible options for taxpayer authentication, in accordance with Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) guidance.

Progress:

In May 2017, IRS implemented a business decision model to analyze and improve online taxpayer authentication tools, and provided GAO with results from one analysis. IRS's analysis (1) identifies expected costs for implementing an authentication tool, including IRS information technology costs and taxpayer burden; (2) compares the potential benefits to taxpayers and IRS for implementing versus not implementing the tool; and (3) identifies the risks associated with the project, the steps IRS has taken to mitigate them, and potential areas of increased risk if IRS were to implement the tool, consistent with GAO’s January 2015 recommendation.

Further, this analysis discusses how the tool aligns with IRS's strategic goals and includes a decision justification. IRS officials told GAO that this analysis served as the basis for IRS management's decision to approve implementing a new authentication tool. Further, IRS officials told GAO they find this analysis extremely useful and have also created a shorter cost-benefit-risk analysis template to facilitate decision making on smaller, day-to-day authentication issues.

Implementing Entity:

Internal Revenue Service

Action:

The Internal Revenue Service (IRS) should, in accordance with Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) e-authentication guidance, (1) conduct an updated risk assessment to identify new or ongoing risks for the Taxpayer Protection Program’s (TPP) online and phone authentication options, including documentation of time frames for conducting the assessment, and (2) implement appropriate actions to mitigate risks identified in the assessment.

Progress:

As of December 2018, IRS had conducted risk assessments for TPP and implemented actions to mitigate risks identified in these assessments, as GAO recommended in May 2016. IRS conducted a risk assessment for TPP’s online authentication option in May 2016 based on OMB and NIST guidance. As a result of this assessment, IRS took TPP’s online authentication option offline while working to improve the option’s authentication standard. IRS relaunched the option in October 2018 with improvements, such as two-factor authentication, that mitigate risks identified in the 2016 assessment.

In 2017 IRS held a workshop to assess risks to other TPP authentication options, including the phone option. In February 2017 IRS implemented a new process for TPP phone authentication. By taking appropriate actions to mitigate risks identified in its TPP risk assessments, IRS will prevent fraudsters from passing TPP authentication and potentially receiving millions in refunds.

Implementing Entity:

Internal Revenue Service

Action:

The Commissioner of Internal Revenue should direct the Identity Assurance Office, in collaboration with other Internal Revenue Service (IRS) business partners, to estimate the resources (i.e., financial and human) required for the foundational initiatives and supporting activities identified in its Identity Assurance Strategy and Roadmap.

Progress:

As of January 2020, IRS had estimated the resources required for the foundational initiatives and supporting activities in its Identity Assurance Strategy and Roadmap (Roadmap), as GAO recommended in June 2018. IRS documentation states that as a first step in updating the original Roadmap, the Identity Assurance office worked with stakeholders to verify the progress made and current status of its 14 foundational initiatives.

In addition, the Identity Assurance office collected existing information on high-level financial and human resource estimates for the 14 foundational initiatives and supporting activities that are currently underway or planned. Further, IRS documentation shows that it has completed five of the 14 foundational initiatives in its Roadmap; the remaining nine foundational initiatives are shown as “in progress” or “near complete.”

IRS stated that it intends to update its Roadmap annually to reflect changes in IRS priorities. IRS’s continued monitoring of its foundational initiatives—and the resources required to complete them—will help ensure continued progress on its authentication efforts.

Implementing Entity:

Internal Revenue Service

Action:

Based on the estimates developed in action 5, the Commissioner of Internal Revenue should direct the Identity Assurance Office to prioritize foundational initiatives in its Identity Assurance Strategy and Roadmap.

Progress:

As of January 2020, the Internal Revenue Service (IRS) had taken preliminary steps to prioritize its foundational initiatives in its Identity Assurance Strategy and Roadmap (Roadmap), as GAO recommended in June 2018. For example, IRS documentation stated that initial efforts to update the original Roadmap included collecting implementation documents for the 14 foundational initiatives. IRS stated that this information and the progress that IRS has made on the initiatives show that the initiatives are a priority for IRS leadership.

However, IRS has not used this information to clearly prioritize in-progress initiatives or supporting activities going forward. IRS stated that it intends to update its Roadmap annually, including prioritizing new and existing authentication initiatives and capabilities. IRS’s continued attention to this action will help ensure that in-progress authentication initiatives are prioritized and completed.

Implementing Entity:

Internal Revenue Service

Action:

The Commissioner of Internal Revenue should develop a repeatable, comprehensive process to identify and evaluate alternative options for improving taxpayer authentication, including technologies in use by industry, states, or other trusted partners.

Progress:

As of January 2020, the Internal Revenue Service (IRS) had taken steps to develop a repeatable, comprehensive process to identify and evaluate alternative options for improving taxpayer authentication, as GAO recommended in June 2018. IRS stated that the draft process was being reviewed by the Chief Privacy Officer and it expects to finalize the process in spring 2020.

IRS also stated that the Identity Assurance office will be ready to use the repeatable process once it is approved by IRS leadership. IRS’s continued attention to this action will help ensure that it has a sound rationale for its investment decisions and the resources it needs to make authentication improvements in a timely manner.

Implementing Entity:

Internal Revenue Service

Action:

Based on the approach developed in action 7, the Commissioner of Internal Revenue should include and prioritize these options, as appropriate, in IRS's Identity Assurance Strategy and Roadmap.

Progress:

As of January 2020, the Internal Revenue Service (IRS) had taken steps to develop a repeatable, comprehensive process to identify and evaluate alternative options for improving taxpayer authentication. However, IRS had not yet included and prioritized these options, as appropriate, in IRS’s Identity Assurance Strategy and Roadmap (Roadmap), as GAO recommended in June 2018.

IRS stated that it expects to finalize its process to evaluate alternative authentication options in spring 2020. IRS documentation states that it plans to update its Roadmap annually, but it has not articulated a timeline for doing so in 2020. IRS’s continued attention to this action will help ensure that it has a sound rationale for its investment decisions and the resources it needs to make authentication improvements in a timely manner.

Implementing Entity:

Internal Revenue Service

Action:

The Commissioner of Internal Revenue should designate a dedicated entity to provide oversight of agency-wide efforts to detect, prevent, and resolve business Identity Theft (IDT) refund fraud, consistent with leading practices. This may involve designating one business unit as a lead entity, or leveraging cooperative relationships between business units to establish a business IDT leadership team. This entity should have defined responsibilities and authority for managing fraud risk.

Progress:

Pending

Implementing Entity:

Internal Revenue Service

Action:

The Commissioner of Internal Revenue should develop a fraud risk profile for business Identity Theft (IDT) that aligns with leading practices. This should include (1) identifying inherent fraud risks of business IDT, (2) assessing the likelihood and impact of inherent fraud risks, (3) determining fraud risk tolerance, and (4) examining the suitability of existing fraud controls.

Progress:

Pending

Implementing Entity:

Internal Revenue Service

Action:

The Commissioner of Internal Revenue should develop, document, and implement a strategy for addressing fraud risks that will be identified in its fraud risk profile.

Progress:

Pending

Implementing Entity:

Internal Revenue Service
  • James R. McTigue, Jr.
  • Director, Strategic Issues
  • mctiguej@gao.gov
  • (202) 512-9110