Tax refund fraud associated with identity theft (IDT) is a complex and rapidly changing threat facing the nation’s tax system. IDT refund fraud occurs when a refund-seeking identity thief obtains an individual’s identifying information and uses it to file a fraudulent tax return. IDT refund fraud burdens honest taxpayers who have had fraudulent tax returns filed in their name because they must deal with delayed refunds as they authenticate their identities with the Internal Revenue Service (IRS). Additionally, IDT refund fraud is an attractive target for criminals with a potentially high payoff. While its preliminary estimates have inherent uncertainty, IRS estimated that it prevented or recovered $22.5 billion in fraudulent IDT refunds in filing season 2014 (see figure). However, IRS also estimated, where data were available, that it paid $3.1 billion in fraudulent IDT refunds. Because of the difficulties in knowing the amount of undetected fraud, the actual amount could differ from these estimates. GAO has designated IRS’s enforcement of tax laws—which includes the agency’s efforts to combat IDT—as a high-risk area.
IRS Estimates of Attempted Identity Theft Refund Fraud, 2014
IRS’s 2014 estimates cannot be compared to those of previous years because of substantial methodology changes to better reflect new IDT refund fraud schemes and to improve the accuracy of its estimates, according to IRS officials. GAO is reviewing IRS’s IDT refund fraud estimates as part of ongoing work.
While IRS has taken steps to address this problem, IDT refund fraud remains a persistent and evolving threat. Without additional action by IRS and Congress, the risk of issuing fraudulent IDT refunds could grow. Recovering a fraudulent refund after it is issued can be challenging—if not impossible—because identity thieves often spend or transfer the funds immediately, making them very difficult to collect.
While there are no simple solutions to combating IDT refund fraud, GAO identified various options in its August 2014 and January 2015 reports that could realize cost savings, some of which would require legislative action. Because some of these options represent a significant change to the tax system that could likely burden taxpayers and impose significant costs to IRS for systems changes, it is important for IRS to assess the relative costs and benefits of the options. Such an assessment can help ensure an informed discussion among IRS and relevant stakeholders—including Congress—on the best option (or set of options) for preventing IDT refund fraud. IRS has taken steps to assess various options for combating IDT refund fraud, such as conducting a study of the costs and benefits of accelerating the deadlines of Form W-2 (Wage and Tax Statement). Building on this progress, IRS can thoroughly assess and quantify the costs, benefits, and risks of its authentication options for combating IDT refund fraud. The administration requested an additional $90 million and 491 full-time equivalents for fiscal year 2017 to prevent IDT refund fraud and reduce improper payments. IRS estimates that this $90 million would help IRS protect an additional $612 million in revenue in fiscal year 2017, as well as protect future revenue in future years.
Accelerate W-2 deadlines. In August 2014, GAO reported that the wage information that employers report on Form W-2 is not available to IRS until after it issues most refunds. If IRS had access to W-2 data earlier, it could match such information to taxpayers’ returns and identify discrepancies before issuing billions of dollars of fraudulent IDT refunds. Such matching could also provide potential benefits for other IRS enforcement programs, such as preventing improper payments via the Earned Income Tax Credit.
The Consolidated Appropriations Act, 2016, amended the tax code to accelerate W-2 filing deadlines to January 31. According to IRS, a program that would match W-2 data to tax returns before refunds are issued would save revenue by protecting a substantial part of the billions currently paid to fraudsters.
In August 2014, we reported that IRS had not fully assessed the costs and benefits of having available W-2 information for pre-refund matching, which could involve challenges such as a potential increase in W-2s that need to be corrected; required upgrades to IRS’s information technology systems; costs to employers and payroll providers; and logistical challenges for the Social Security Administration (SSA), which processes W-2 data before transmitting them to IRS. Further, GAO found that pre-refund W-2 matching may require other policy changes, such as delaying refunds or delaying the start of the filing season. In response to GAO’s recommendation, in September 2015, IRS provided GAO a report discussing (1) adjustments to IRS systems and work processes needed to use accelerated W-2 information, (2) potential impacts on internal and external stakeholders, and (3) other changes needed to match Form W-2 data to tax returns prior to issuing refunds, such as delaying refunds until W-2 data are available. This report will help IRS determine how best to implement pre-refund W-2 matching, given the new January 31 deadline for filing W-2s.
Increase electronic filing of W-2s. In August 2014, GAO reported that increased electronic filing would allow IRS to obtain timely, accurate data from a significant number of additional employers. It also could further enhance the benefits IRS could obtain from the accelerated W-2 deadline and pre-refund W-2 matching. Treasury requested the authority to reduce the current, 250-return annual threshold for employers required to file information returns electronically. SSA estimated that to meaningfully increase electronic W-2 filing, the threshold would have to be lowered to include those filing from 5 to 10 W-2s. In addition, SSA estimated an administrative cost savings of about 50 cents per electronically filed W-2. Based on these cost savings and the ancillary benefits they provide in supporting IRS’s efforts to conduct more pre-refund matching, a change in the electronic filing threshold is warranted. Without this change, IRS efforts to prevent fraudulent refunds could be hindered because some employers’ paper W-2s could be unavailable for matching until much later in the year due to the additional time needed to process paper forms. Increasing electronic filing of W-2s would support IRS’s strategic objectives to encourage compliance while minimizing costs and taxpayer burden.
Improve external leads programs. IRS partners with financial institutions and other external parties to obtain valuable information about emerging IDT refund trends and fraudulent returns that have passed through IRS detection systems. In August 2014, GAO reported that weaknesses in IRS’s external leads programs limit post-refund fraud detection. Specifically, IRS provides limited feedback to external parties on IDT external leads they submit and offers external parties limited general information on IDT refund fraud trends. Without accurate, timely, and actionable feedback, external parties do not know if the leads they provide to IRS are useful and have difficulty improving their own detection tools. While Section 6103 of the Internal Revenue Code limits the types of information IRS can share with external parties, IRS is able to share aggregated information. Communicating with third parties is consistent with federal internal control standards and IRS’s strategic plan objective to implement a robust enterprise risk management program by establishing routine reporting procedures to inform external stakeholders about operational risks. Of the requested $90 million increase for fiscal year 2017 described above, the administration requested about $1 million to improve the external leads program.
Enhance taxpayer authentication. In January 2015, GAO reported that IRS’s current authentication tools have limitations. For example, individuals can obtain an e-file personal identification number (PIN) by providing their name, Social Security number, date of birth, address, and filing status. Identity thieves can easily find this information, allowing them to bypass some, if not all, of IRS’s current automatic checks for IRS’s e-file PIN application, according to GAO analysis and interviews with tax software and return preparer associations and companies. After filing an IDT return using an e-file PIN, the fraudulent return would proceed through IRS’s normal return processing and would be subject to IRS’s IDT and fraud defenses, such as IDT filters.
IRS recently created a group aimed at centralizing several prior ad-hoc efforts to authenticate taxpayers across its systems. Planning documentation from the authentication group contains goals and short- and long-term priorities (including implementation plans). However, a commitment to cost, benefit, and risk analysis is not documented in the group’s short- and long-term priorities. The draft planning documentation makes no mention of where such analyses would be included in IRS’s priorities. Office of Management and Budget (OMB) guidance states that agencies should use cost-benefit analyses that consider alternatives to promote efficient resource allocation. As detailed in OMB and National Institute of Standards and Technology (NIST) guidance, agencies should also ensure that authentication processes provide the appropriate level of assurance by assessing risks. Without analysis of costs, benefits, and risks, IRS and Congress may not have quantitative information that could inform decisions about whether and how much to invest in the various authentication options.
Pub. L. No. 114-113, div. Q, § 201, 129 Stat. 2242 (Dec. 18, 2015). This change goes into effect for W-2s reporting payments made in 2016 and filed in 2017.
In February 2016, SSA officials commented that they believe the earlier January 31 filing date will minimally affect W-2 processing, although they are still reviewing this change. Officials further noted that prior to the passage of the Consolidated Appropriations Act, 2016, SSA had built the capacity to receive and process W-2 information with filing dates prior to February 28 as part of its modernization efforts. SSA officials plan to meet with IRS officials to discuss changes to W-2 processes.
26 U.S.C. § 6011(e)(2)(A). According to SSA officials, the agency would be able to easily process W-2s regardless of the threshold requirement for electronic filing of W-2s.
The authentication group later became the Identity Assurance Office.
In August 2014, GAO suggested that Congress should:
In August 2014, GAO recommended that IRS take the following two actions to provide timely, accurate, and actionable feedback to all relevant lead-generating external parties:
To ensure relevant information is available to decision makers, in January 2015, GAO recommended that IRS
IRS and Congress could potentially prevent a substantial portion of the estimated $3.1 billion in IDT refund fraud by taking these actions. However, estimating specific savings is challenging because the deceptive nature of fraud makes it difficult to measure outcomes of fraud prevention activities in a reliable way.
The information contained in this analysis is based on findings from the products in the related GAO products section. For the related products listed, GAO analyzed agency documents and interviewed officials from IRS, SSA, and other parties. GAO also analyzed budget data from IRS, reviewed related budget documents and IRS’s efforts to implement past recommendations, and interviewed IRS budget officials.
Table 12 in appendix V lists the activities GAO identified that may help IRS realize cost savings related to IDT.
With regard to GAO’s August 2014 recommendations on external leads, IRS reported in November 2014 that it would implement GAO’s recommendations. In November 2015, IRS reported that it had developed a database to track leads submitted by financial institutions and the results of those leads. IRS also stated that it had held two sessions with financial institutions to provide feedback on external leads provided to IRS. In December 2015, IRS officials stated that the agency recently sent a customer satisfaction survey asking financial institutions for feedback on the external leads process and is considering other ways to provide feedback to financial institutions. GAO is following up with IRS to understand future planned activities for IRS to provide feedback on leads to other financial institutions. Upon review of relevant IRS documentation and follow-up conversations with IRS officials, GAO will determine the extent to which IRS has addressed this recommendation.
In commenting on the January 2015 report, IRS agreed with GAO’s recommendation. According to IRS, the agency was creating an authentication group aimed at centralizing efforts to authenticate taxpayers across IRS channels (e.g., online, telephone, walk-in).This group later became the Identity Assurance Office. In November 2015, IRS officials told us that the agency has developed guidance for the Identity Assurance Office to assess costs, benefits, and risk, and that its analysis will inform decision making on authentication-related issues. IRS also noted that the methods of analysis for the authentication tools will vary depending on the different costs and other factors for authenticating taxpayers in different channels, such as online, phone, or in-person. While IRS is making progress, it has yet to analyze the costs, benefits, and risks of its range of authentication options and has not used analysis to select which authentication options to use for specific types of taxpayer interactions.
GAO provided a draft of this report section to IRS and SSA for review and comment. In response, IRS and SSA provided technical comments and in response GAO made changes to this report when appropriate.
For additional information about this area, contact James R. McTigue, Jr. at (202) 512-9110, or email@example.com.
Identity Theft (IDT) Refund Fraud Cost Estimates. The Internal Revenue Service's (IRS) fraud estimates met several GAO Cost Guide best practices, such as documenting data sources and detailing calculations. However, the estimates do not reflect the uncertainty inherent in measuring IDT refund fraud because they are presented as point estimates. Best practices suggest that agencies assess the effec...
Based on preliminary analysis, the Internal Revenue Service (IRS) estimates it paid $5.2 billion in fraudulent identity theft (IDT) refunds in filing season 2013, while preventing $24.2 billion (based on what it could detect). The full extent is unknown because of the challenges inherent in detecting IDT refund fraud.IDT refund fraud takes advantage of IRS's “look-back” compliance model. Under...