Recommendation: The Commissioner of Internal Revenue should modify the title of IRS's employment-related identity theft action code 525 to reflect the type of employment-related identity fraud encompassed by this action code. (Recommendation 1)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commissioner of Internal Revenue should assess and document the feasibility of incorporating additional checks into its automated checks of employment-related identity fraud for populations at risk of employment-related identity fraud, such as children, elderly, deceased persons, and individuals associated with multiple wage records. (Recommendation 2)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commissioner of Internal Revenue should assess and document the costs and benefits of using the Withholding Compliance Program (WHC) to address compliance risks posed by potential employment-related identity fraudsters who owe taxes and take appropriate action, as needed. (Recommendation 3)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commissioner of Internal Revenue should modify Automated Underreporter (AUR) to include wage discrepancy checks for victims of employment-related identity fraud once IRS has updated AUR's legacy programming code. (Recommendation 4)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commissioner of Internal Revenue should, in collaboration with the Commissioner of Social Security, develop and document a plan for updating future Combined Annual Wage Reporting (CAWR) MOUs. The plan should identify actions, time frames, and responsible parties, including executive leadership. (Recommendation 5)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commissioner of Internal Revenue should, in collaboration with the Commissioner of Social Security, develop and implement goals and performance measures for the CAWR MOU. (Recommendation 6)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commissioner of Internal Revenue should, in collaboration with the Commissioner of Social Security, develop and document a strategy for assuring that the reviews required by the updated MOU are completed within the specified time frames. (Recommendation 7)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commissioner of Internal Revenue should, in collaboration with the Commissioner of Social Security, clearly define data elements they exchange with SSA. (Recommendation 8)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commissioner of Social Security should, in collaboration with the Commissioner of Internal Revenue, develop and document a plan for updating future CAWR MOUs. The plan should identify actions, time frames, and responsible parties, including executive leadership. (Recommendation 9)

Agency: Social Security Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commissioner of Social Security should, in collaboration with the Commissioner of Internal Revenue, develop and implement goals and performance measures for the CAWR MOU. (Recommendation 10)

Agency: Social Security Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commissioner of Social Security should, in collaboration with the Commissioner of Internal Revenue, develop and document a strategy for assuring that the reviews required by the updated MOU are completed within the specified time frames. (Recommendation 11)

Agency: Social Security Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commissioner of Social Security should, in collaboration with the Commissioner of Internal Revenue, clearly define the data elements they exchange with IRS. (Recommendation 12)

Agency: Social Security Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commissioner of Internal Revenue should designate a dedicated entity to provide oversight of agency-wide efforts to detect, prevent, and resolve business IDT, consistent with leading practices. This may involve designating one business unit as a lead entity or leveraging cooperative relationships between business units to establish a business IDT leadership team. This entity should have defined responsibilities and authority for managing fraud risk. (Recommendation 1)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Priority recommendation

Comments: In January 2020, IRS agreed to designate a dedicated entity to provide oversight of agency-wide business IDT efforts and stated that it will determine the appropriate oversight structure and scope of authority.

Recommendation: The Commissioner of Internal Revenue should develop a fraud risk profile for business IDT that aligns with leading practices. This should include (1) identifying inherent fraud risks of business IDT, (2) assessing the likelihood and impact of inherent fraud risks, (3) determining fraud risk tolerance, and (4) examining the suitability of existing fraud controls. (Recommendation 2)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Priority recommendation

Comments: In January 2020, IRS agreed but did not provide details on the actions it plans to take to address the recommendation.

Recommendation: The Commissioner of Internal Revenue should develop, document, and implement a strategy for addressing fraud risks that will be identified in its fraud risk profile. (Recommendation 3)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In January 2020, IRS agreed but did not provide details on the actions it plans to take to address the recommendation.

Recommendation: The Commissioner of Internal Revenue should ensure that IRS collects additional data on business IDT by identifying and implementing new fraud filters consistent with its fraud risk profile. This should include prioritizing IDT filters for tax forms determined to be most at risk based on an analysis of risk tolerances. (Recommendation 4)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In January 2020, IRS agreed but did not provide details on the actions it plans to take to address the recommendation.

Recommendation: The Commissioner of Internal Revenue should identify and implement methods to address delays in resolving business IDT cases due to correspondence-based authentication. This could involve using different methods for taxpayer authentication based on the risk level of the return. (Recommendation 5)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS agreed with the recommendation. In January 2020, IRS stated that it will complete an analysis of other authentication methods.

Recommendation: The Commissioner of Internal Revenue should establish customer service-oriented performance goals for resolving business IDT cases. (Recommendation 6)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS neither agreed nor disagreed with our recommendation to establish customer service-oriented performance goals for resolving business identity theft cases. In January 2020, IRS stated that it will review its customer service-oriented performance goals and modify them, as warranted, to address the resolution of business identity theft cases. Doing so would meet the intent of our recommendation.

Recommendation: The Director of the Secret Service should identify which types of investigations and activities best prepare special agents for protective responsibilities. (Recommendation 1)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: The agency has submitted a 180-day letter describing actions it is planning to take in response to this recommendation.

Recommendation: The Director of the Secret Service should develop a framework to help ensure special agents have an opportunity to work, to the extent possible, investigations and activities that best prepare them for protection. (Recommendation 2)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: The agency has submitted a 180-day letter describing actions it is planning to take in response to this recommendation.

Recommendation: The Director of the Secret Service should establish a documented process to ensure that Office of Investigations resources are aligned with priority criminal threats. The process should outline key information to be included in plans for addressing priority threats. (Recommendation 3)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: The agency has submitted a 180-day letter describing actions it is planning to take in response to this recommendation.

Recommendation: The Director of the Secret Service should identify investigations that address priority criminal threats agencywide and collect data on the resources expended to investigate the threats. (Recommendation 4)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: The agency has submitted a 180-day letter describing actions it is planning to take in response to this recommendation.

Recommendation: The Administrator of the Centers for Medicare and Medicaid Services should develop a plan with time frames and milestones to discontinue knowledge-based verification, such as by using Login.gov or other alternative verification techniques. (Recommendation 1)

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open
Priority recommendation

Comments: HHS, on behalf of CMS, did not concur with this recommendation. In its February 2020 response to GAO, HHS stated that current NIST guidance to agencies was insufficient and that CMS would look forward to future guidance from NIST and OMB to help guide consideration of non-knowledge-based verification options. We continue to believe that our recommendation is valid because a variety of alternative methods to knowledge-based verification are available that CMS can consider to address the diverse population it serves. Further, NIST has agreed with our recommendation to develop additional guidance for agencies, and CMS may be able to use that guidance to identify a verification approach that does not really on knowledge-based techniques. We will continue to monitor the actions CMS may take to address the recommendation.

Recommendation: The Secretary of the Department of Veterans Affairs should develop a plan with time frames and milestones to discontinue knowledge-based verification, such as by using Login.gov or other alternative verification techniques. (Recommendation 6)

Agency: Department of Veterans Affairs
Status: Open
Priority recommendation

Comments: VA agreed with our recommendation. To fully implement this recommendation, VA needs to develop a plan with milestones to document the results of their evaluation of the alternatives the department stated it is interested in pursuing.

Recommendation: Congress should consider providing IRS with explicit authority to establish security requirements for the information systems of paid preparers and Authorized e-file Providers. (Matter for Consideration 1)

Agency: Congress
Status: Open

Comments: No action has been taken on this matter as of December 2019.

Recommendation: The Commissioner of Internal Revenue should develop a governance structure or other form of centralized leadership, such as a steering committee, to coordinate all aspects of IRS's efforts to protect taxpayer information while at third-party providers. (Recommendation 1)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Priority recommendation

Comments: In its initial response to our draft report, IRS disagreed with this recommendation. In November 2019, IRS said that it agreed with the intent of the recommendation, but did not agree to implement it, citing the need for additional explicit authority to establish security requirements for the information systems of paid preparers and others who electronically file. IRS reported that to effectively establish data safeguarding policies and implement strategies enforcing compliance with those policies, a centralized leadership structure requires the statutory authority that clearly communicates the authority of the IRS to do so. Without such authority, implementing the recommendation would be an inefficient, ineffective, and costly use of resources, according to IRS. We disagree that convening a governance structure or other centralized form of leadership would require additional statutory authority or be inefficient, ineffective, and costly. As discussed in the report, IRS has seven different offices across the agency working on information security-related activities that could benefit from centralized oversight and coordination, such as updating existing standards, monitoring Authorized e-file Provider program compliance, and tracking security incident reports.

Recommendation: The Commissioner of Internal Revenue should modify the Authorized e-file Provider program's requirements to explicitly state the required elements of an information security program as provided by the FTC Safeguards Rule. (Recommendation 2)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In its initial response to our draft report, IRS disagreed with this recommendation. In November 2019, IRS said it agreed with this recommendation and would update IRS Publication 1345, Handbook for Authorized IRS e-File Providers of Individual Income Tax Returns, to include security elements that are consistent with the FTC Safeguards Rule. IRS plans to update the publication by November 2020.

Recommendation: The Commissioner of Internal Revenue should require that all tax software providers that participate in the Authorized e-file Provider program follow the subset of NIST Special Publication 800-53 controls that were agreed upon by the Security Summit participants. (Recommendation 3)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In its initial response to our draft report, IRS disagreed with this recommendation. In November 2019, IRS stated it was in agreement with the intent of this recommendation; however, IRS does not plan to implement it without additional statutory authority to require Authorized e-file Provider Program participants to comply with the NIST Special Publication 800-53. We continue to believe that under IRS's existing authority, IRS has already established some information security requirements for a portion of tax software providers, those that are online providers. IRS has the opportunity to further establish standards for all tax software providers by incorporating the subset of NIST controls into its Authorized e-file Provider program, which would capitalize on the work it has completed with the Security Summit members.

Recommendation: The Commissioner of Internal Revenue should regularly review and update the security requirements that apply to tax software providers and other Authorized e-file Providers. (Recommendation 4)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS agreed with this recommendation and in November 2019 said that it will update IRS Publication 1345, Handbook for Authorized IRS e-File Providers of Individual Income Tax Returns, with a formal memorandum to all internal stakeholders during the annual review process. IRS plans to take this action by November 2020.

Recommendation: The Commissioner of Internal Revenue should update IRS's monitoring programs for electronic return originators to include techniques to monitor basic information security and cybersecurity issues. Further, IRS should make the appropriate revisions to internal guidance, job aids, and staff training, as necessary. (Recommendation 5)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In its initial response to our draft report, IRS disagreed with this recommendation. In November 2019, IRS stated it was in agreement with the intent of this recommendation; however, it does not plan to implement it. IRS reported it does not have the statutory authority to establish policy on information security and cybersecurity issues, nor to enforce compliance if noncompliance is observed. Additionally, IRS said that the specialized technical skills required to monitor compliance with information and cybersecurity standards, should statutory authority be granted, would require additional funding to meet those monitoring needs. However, as we reported, IRS already monitors physical aspects of information security, which goes beyond existing Authorized e-file Provider program requirements. Since most individuals now file tax returns electronically, having checks for physical security without comparable checks for cybersecurity does not address current risks, as cyber criminals and fraudsters are increasingly attacking third-party providers, as IRS has noted. We believe that incorporating some basic cybersecurity monitoring into the visits would provide IRS the opportunity to help inform the most vulnerable third-party providers of additional guidance and resources.

Recommendation: The Commissioner of Internal Revenue should conduct a risk assessment to determine whether different monitoring approaches are appropriate for all of the provider types in the IRS's Authorized e-file Provider program. If changes are needed, IRS should make appropriate revisions to the monitoring program, internal guidance, job aids, and staff training, as necessary. (Recommendation 6)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In its initial response to our draft report, IRS disagreed with this recommendation. In November 2019, IRS said it agreed with the intent of this recommendation; however it does not plan to implement it. IRS stated that absent statutory authority and funding, an assessment of the different monitoring approaches is moot. We disagree with this conclusion. As discussed in the report, IRS does not systematically monitor the existing security requirements for online providers, nor does it conduct information security or cybersecurity monitoring for all types of Authorized e-file Providers. We believe that IRS could conduct a risk assessment of its current monitoring program within existing statutory authority and make necessary changes that would provide better assurance that all types of providers are receiving some level of oversight and that IRS is addressing the greatest risk areas appropriately.

Recommendation: The Commissioner of Internal Revenue should standardize the incident reporting requirements for all types Authorized e-file Providers. (Recommendation 7)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS agreed with this recommendation and in November 2019 said that it would develop a standardized process for all Authorized e-file Providers to report security incidents to IRS. IRS said it plans to update IRS Publication 1345, Handbook for Authorized IRS e-File Providers of Individual Income Tax Returns, to include this standardized process by November 2020.

Recommendation: The Commissioner of Internal Revenue should document intake, storage, and sharing of the security incident data across IRS offices. (Recommendation 8)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In its initial response to our draft report, IRS agreed with this recommendation. In November 2019, IRS said it agreed with this recommendation with respect to the formal process for tax professionals to report data breaches to the IRS through the Stakeholder Liaison function within the Communications and Liaison organization. According to IRS, procedures are documented in the Data Breach Incident Reporting Instructions that are followed during the intake process. IRS said that upon completion, the breach information is disseminated to other offices within the IRS, depending on the nature of the breach incident reported. According to IRS, all 2018 and 2019 Tax Pro Data Breach incidents remain stored in the Data Breach module of the Return Preparer Database. We will follow up to confirm the information IRS described and determine if these procedures cover all of the IRS offices included in our report.

Recommendation: The Director of CFPB should identify additional sources of information, such as through registering CRAs or leveraging state information, that would help ensure the agency is tracking all CRAs that meet the larger participant threshold. (Recommendation 1)

Agency: Consumer Financial Protection Bureau
Status: Open

Comments: In July 2020, CFPB staff noted that they have reviewed state CRA registration information available to them, are working to obtain additional state registration information, and are exploring additional ways to leverage the information. GAO will continue to monitor CFPB's progress in leveraging additional sources of information that would help identify larger participant CRAs.

Recommendation: The Director of CFPB should assess whether its process for prioritizing CRA examinations sufficiently incorporates the data security risks CRAs pose to consumers, and take any needed steps identified by the assessment to more sufficiently incorporate these risks. (Recommendation 2)

Agency: Consumer Financial Protection Bureau
Status: Open

Comments: In July 2020, CFPB staff noted that they were assessing whether, and if so, how and when, to incorporate data security risks into their supervisory prioritization. As part of that evaluation, CFPB is assessing whether those processes should incorporate data security risks CRAs pose to consumers in light of the agency's statutory authorities, supervisory responsibilities, and resources. GAO will continue monitoring CFPB's assessment of prioritization of CRA data security risks.

Recommendation: Congress should consider providing the Federal Trade Commission with civil penalty authority for the privacy and safeguarding provisions of the Gramm-Leach-Bliley Act to help ensure that the agency has the tools it needs to most effectively act against data privacy and security violations. (Matter for Consideration 1)

Agency: Congress
Status: Open

Comments: As of July 2020, Congress has not passed legislation to provide FTC with civil penalty authority for the privacy and safeguarding provisions of the Gramm-Leach-Bliley Act.

Recommendation: Congress should consider legislation to require that returns prepared electronically but filed on paper include a scannable code printed on the return. (Matter for Consideration 1)

Agency: Congress
Status: Open

Comments: Congress introduced the Acting on the Annual Duplication Report Act of 2019 on July 18, 2019. If enacted this legislation would require returns prepared electronically but filed on paper include a scannable code. Congress had not passed the legislation as of February 2020.

Recommendation: Based on the assessment in recommendation 2, the Commissioner of Internal Revenue should implement the most cost-effective method to digitize information provided by taxpayers who file returns on paper. (Recommendation 3)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Priority recommendation

Comments: IRS agreed with this recommendation and in December 2019 indicated that it plans to begin scanning and digitizing individual tax returns filed on paper beginning in October 2021. According to IRS, digitizing paper returns at intake would allow IRS to reduce processing time, use the same RRP fraud filters on all paper and electronic forms, and allow more pre-refund audits or investigations, among other benefits.

Recommendation: The Commissioner of Internal Revenue should evaluate the costs and benefits of expanding RRP to analyze individual returns not claiming refunds to support other enforcement activities. (Recommendation 4)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Priority recommendation

Comments: IRS agreed with this recommendation and told us expanding the use of RRP is an agency goal. In December 2019, IRS officials reported that internal IRS offices are collaborating on identifying priorities for expanding use of RRP to support other enforcement activities, such as pre-refund audits and investigations, and improve detection and treatment of fraud and noncompliance.

Recommendation: Based on the assessment in recommendation 4, the Commissioner of Internal Revenue should expand RRP to support identified activities. (Recommendation 5)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: As of June 2019, IRS has not yet completed its analysis of the costs and benefits of expanding RRP, and therefore has not taken action to expand RRP based on this assessment. IRS agreed with the recommendation but noted that it must first evaluate opportunities to expand RRP. Implementing this recommendation could help IRS streamline the detection and treatment of fraud as well as promote voluntary compliance with tax laws.

Recommendation: Based on the estimates developed in Recommendation 1, the Commissioner of Internal Revenue should direct the Identity Assurance Office to prioritize foundational initiatives in its Identity Assurance Strategy and Roadmap. (Recommendation 2)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Priority recommendation

Comments: As of January 2020, the Internal Revenue Service (IRS) had taken preliminary steps to prioritize its foundational initiatives in its Identity Assurance Strategy and Roadmap (Roadmap), as GAO recommended in June 2018. For example, IRS documentation stated that initial efforts to update the original Roadmap included collecting implementation documents for the 14 foundational initiatives. IRS stated that this information and progress that IRS has made on the initiatives shows that the initiatives are a priority for IRS leadership. However, IRS has not used this information to clearly prioritize in-progress initiatives or supporting activities going forward. IRS stated that it intends to update its Roadmap annually, including prioritizing new and existing authentication initiatives and capabilities. IRS's continued attention to this action will help ensure that in-progress authentication initiatives are prioritized and completed.

Recommendation: The Commissioner of Internal Revenue should establish a policy for conducting risk assessments for telephone, in-person, and correspondence channels for authentication. This policy should include, for example, the frequency of assessments to be performed and timeframes for addressing deficiencies. (Recommendation 3)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: As of November 2019, IRS officials had developed a draft policy for conducting risk assessments for telephone, in-person, and correspondence channels for authentication, as we recommended. IRS officials stated that once this policy is approved, it will be used to develop a plan to perform risk assessments for these authentication channels. IRS's continued attention to this recommendation will help ensure that it is aware of emerging threats to the tax environment.

Recommendation: Consistent with the policy developed in Recommendation 3, the Commissioner of Internal Revenue should direct the Identity Assurance Office and IRS business owners to develop a plan for performing risk assessments for telephone, in-person, and correspondence channels for authentication. (Recommendation 4)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: As of November 2019, IRS officials stated that they will develop a plan for performing risk assessments for telephone, in-person, and correspondence channels for authentication by May 2020. Until IRS develops and implements this plan, these authentication channels may be more vulnerable to fraudulent activity, including unauthorized attempts to access taxpayer information.

Recommendation: The Commissioner of Internal Revenue should establish a mechanism to collect data on outcomes for telephone, in-person, and correspondence authentication, consistent with federal standards for internal control. (Recommendation 5)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: As of November 2019, IRS officials stated that the agency intends to implement this recommendation by spring 2020. Officials noted that developing a systemic solution for collecting data on all authentication outcomes is complex and involves multiple IRS business divisions. Until IRS fully addresses this recommendation, it will have limited insight into the number of taxpayers who fail authentication and the reason for failure.

Recommendation: The Commissioner of Internal Revenue should revise or establish, as appropriate, procedures to ensure data quality in the Account Management Services (AMS) consistent with federal standards for internal control. (Recommendation 6)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: As of November 2019, IRS stated that it has planned enhancements to its authentication data collection procedures in AMS. Officials stated that by June 2020, they intend to implement improvements for ensuring data quality of authentication outcomes. Until IRS fully implements our recommendation, it will be limited in conducting systematic data analysis on taxpayer authentication outcomes.

Recommendation: The Commissioner of Internal Revenue should ensure that IRS business units have access to complete AMS data to monitor authentication performance and identify potential issues. (Recommendation 7)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: As of November 2019, IRS officials told us that IRS has explored options that will allow the agency to more effectively record, track, and monitor authentication outcomes. IRS officials said that they are developing and testing a tool to document Taxpayer Protection Program interactions, outcomes of taxpayer authentication, and the reasons for authentication failures. Officials stated that IRS plans to have this tool implemented by spring 2020, one year later than originally planned. Officials stated that the delay is due to additional technical programming to fully develop the tool. We will follow up on IRS's actions to determine the extent to which they implement our recommendation.

Recommendation: The Commissioner of Internal Revenue should direct the Identity Assurance Office and other appropriate business partners to develop a plan--including a timeline, milestone dates, and resources needed--for implementing changes to its online authentication programs consistent with new NIST guidance. (Recommendation 8)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Priority recommendation

Comments: As of January 2020, IRS has taken steps to implement this recommendation. Efforts include developing plans for a new authentication capability to authenticate taxpayer's identities online using external partners, consistent with National Institute of Standards and Technology (NIST) guidance. IRS officials told us that they plan to work with external partners to perform additional testing on its new authentication platform this year, including a usability study to understand user experience. IRS officials also stated that they are determining a schedule for fully implementing these NIST-compliant taxpayer authentication capabilities. IRS's timely implementation of NIST's guidance is critical to help the agency mitigate potential security weaknesses in its existing online authentication programs.

Recommendation: In accordance with the plan developed in Recommendation 8, the Commissioner of Internal Revenue should implement improvements to IRS's systems to fully implement NIST's new guidance. (Recommendation 9)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Priority recommendation

Comments: As of January 2020, IRS has taken steps to develop plans for a new authentication capability to authenticate taxpayer's identities online using external partners, consistent with National Institute of Standards and Technology (NIST) guidance. IRS officials stated that they are determining a schedule for fully implementing these NIST-compliant taxpayer authentication capabilities. As noted in our report, IRS's timely implementation of NIST's new guidance is critical, as it can help the agency mitigate potential security weaknesses in its existing online authentication programs.

Recommendation: The Commissioner of Internal Revenue should develop a repeatable, comprehensive process to identify and evaluate alternative options for improving taxpayer authentication, including technologies in use by industry, states, or other trusted partners. (Recommendation 10)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: As of January 2020, the Internal Revenue Service (IRS) had taken steps to develop a repeatable, comprehensive process to identify and evaluate alternative options for improving taxpayer authentication, as GAO recommended in June 2018. IRS stated that the draft process was being reviewed by the Chief Privacy Officer and it expects to finalize the process in spring 2020. IRS also stated that the Identity Assurance office will be ready to use the repeatable process once it is approved by IRS leadership. IRS's continued attention to this action will help ensure that it has a sound rationale for its investment decisions and the resources it needs to make authentication improvements in a timely manner.

Recommendation: Based on the approach developed in Recommendation 10, the Commissioner of Internal Revenue should include and prioritize these options, as appropriate, in IRS's Identity Assurance Strategy and Roadmap. (Recommendation 11)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: As of January 2020, the Internal Revenue Service (IRS) had taken steps to develop a repeatable, comprehensive process to identify and evaluate alternative options for improving taxpayer authentication. However, IRS had not yet included and prioritized these options, as appropriate, in IRS's Identity Assurance Strategy and Roadmap (Roadmap), as GAO recommended in June 2018. IRS stated that it expects to finalize its process to evaluate alternative authentication options in spring 2020. IRS documentation states that it plans to update its Roadmap annually, but it has not articulated a timeline for doing so in 2020. IRS's continued attention to this action will help ensure that it has a sound rationale for its investment decisions and the resources it needs to make authentication improvements in a timely manner.

Recommendation: The Acting Commissioner of Internal Revenue should assess options for improving enforcement of late W-2 filing penalties, for example, by mailing notices before the next filing deadline. (Recommendation 2)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: As of October 2019, IRS continues to disagree with this recommendation. IRS stated that it does not have all the information required for calculating and sending late penalty notifications prior to the beginning of the next filing season. However, in its response, IRS did not consider other options that could be available prior to finalizing penalty calculations, such as communicating with the employers earlier in the process. As noted in our report, quickly responding to employers that filed late increases the potential for compliance, thereby increasing the availability of W-2 data for systemic verification to detect and prevent fraud and noncompliance. We continue to believe that assessing the options for improving enforcement of late W-2 filing penalties, such as through earlier communication, would help IRS identify potential opportunities to encourage compliance with the W-2 filing deadline and verify more wage information before releasing refunds. We will continue to discuss options with IRS regarding this recommendation.

Recommendation: The Acting Commissioner of Internal Revenue should develop an evaluation plan to fully assess the benefits and costs, including taxpayer burden, of modifying the February 15 refund hold, and determine how this effort informs IRS's overall compliance strategy for refundable tax credits and fraud risk management. (Recommendation 3)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: As of January 2020, IRS has assessed the benefits of modifying the refund hold, but it has not assessed the costs, as GAO recommended in January 2018. In November 2018, IRS provided its assessment of the February 15 refund hold. In it, IRS reiterated its findings regarding the benefits of the refund hold. These benefits included potential savings if IRS modified the hold to include all taxpayers, extended the hold to a later date when more W-2 data are available, or made both changes. However, IRS did not include any assessment of costs to achieve these potential savings, such as the costs for IRS to review any additional returns that would be identified under a modified refund hold. It did not assess taxpayer burden, either. IRS also did not determine how the February 15 refund hold informs IRS's overall compliance strategy for refundable tax credits and its fraud risk management strategy. In January 2019, IRS took actions to hold more returns beyond the February 15 refund hold date using a risk-based selection method. Nevertheless, without a complete assessment of the benefits and costs, including taxpayer burden, IRS is making a decision based upon incomplete information. Further, if Congress or Treasury considered making any changes, they too would have incomplete information on which to direct IRS's actions.

Recommendation: Based on the benefits and costs assessment in Recommendation 3, the Acting Commissioner of Internal Revenue should use IRS's existing authority to modify the refund hold such that it minimizes the risk of releasing fraudulent or noncompliant refunds. (Recommendation 4)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: As of January 2020, IRS has taken actions consistent with our recommendations by modifying its filters to hold more returns claiming the Earned Income Tax Credit (EITC) or Additional Child Tax Credit (ACTC) beyond the February 15 refund hold date based on a risk-based selection method. In addition, in May 2019, IRS officials told us they are making similar changes for the 2020 filing season to hold more high-risk returns not claiming EITC or ACTC until W-2 data are available. This action, if taken, would be consistent with our recommendations. In 2018, IRS assessed the benefits of modifying the refund hold, however, it did not assess or document the costs, including taxpayer burden, or determine how the February 15 refund hold informs IRS's overall compliance strategy for refundable tax credits and its fraud risk management strategy. Completing these actions, along with the planned modifications, would fully address our recommendations, which would enable IRS to make decisions based on completed information.

Recommendation: The Acting Commissioner of Internal Revenue should assess the benefits and costs of additional uses and applications of W-2 data for pre-refund compliance checks, such as addressing underreporting, employment fraud, and other fraud or noncompliance before issuing refunds. (Recommendation 5)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In September 2019, IRS provided results for a pilot encouraging voluntary compliance through expanded systemic verification using W-2 data. In the pilot, IRS sent soft notices to a targeted group of taxpayers whose returns under-reported income compared to W-2 data. In its analysis, IRS reported that some taxpayers voluntarily amended their returns after receiving the soft notice, resulting in a net increase in tax revenue. If IRS determines that the benefits outweigh the costs of adopting this practice based on the pilot results, or assesses additional options to address other fraud and noncompliance before issuing refunds, it would satisfy our recommendation. We will continue to follow IRS's progress on the pilot and its results.

Recommendation: Based on the assessment in Recommendation 5, the Acting Commissioner of Internal Revenue should implement any identified changes to improve pre-refund compliance checks. (Recommendation 6)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In September 2019, IRS provided an evaluation of a pilot it conducted during tax year 2019. In the pilot, IRS sent soft notices to a targeted group of taxpayers whose returns under-reported income compared to W-2 data. In its analysis, IRS reported that some taxpayers voluntarily amended their returns after receiving the soft notice, resulting in a net increase in tax revenue. IRS told us they intend to continue the pilot during tax year 2020. We will continue to follow IRS's progress on the pilot and its results.

Recommendation: The Acting Commissioner of Internal Revenue should ensure that the Information Sharing and Analysis Center (ISAC) pilot better aligns with leading practices for effective pilot design. This should include (1) establishing criteria for assessing whether the pilot's objectives have been met before making decisions about its scalability and whether, how, and when to when to proceed to full implementation; and (2) developing a data analysis plan that identifies data sources and criteria necessary for effectively evaluating the pilot. (Recommendation 1)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS transitioned the Information Sharing and Analysis Center (ISAC) from a pilot to full implementation in October 2018. As of June 2020, we have requested documentation from IRS related to this transition to determine if it is consistent with the recommendation to align with leading practices. We will continue to monitor ISAC activities.

Recommendation: The Acting Commissioner of Internal Revenue should ensure that the ISAC Partnership develops an outreach plan to expand membership and improve states' and industry partners' understanding of the ISAC's benefits. (Recommendation 2)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: The ISAC annual report released in April 2018 cites plans to continue to grow member participation from private sector and other government agencies and to provide opportunities to deepen members' participation with clear guidelines. As of June 2020, we have requested additional information about participation levels and ongoing outreach efforts. Developing an outreach plan to broaden membership to non-Security Summit members of industry and financial institutions would further promote stakeholders collaborating and sharing fraud information.

Recommendation: To improve the consistency and effectiveness of governmentwide efforts to reduce the unnecessary use of SSNs and thereby mitigate the risk of identity theft, the Director of OMB should specify elements that agency plans for reducing the unnecessary collection, use, and display of SSNs should contain and require all agencies to develop and maintain complete plans.

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: As of April 2020, we have not yet received information to validate the agency's actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.

Recommendation: To improve the consistency and effectiveness of governmentwide efforts to reduce the unnecessary use of SSNs and thereby mitigate the risk of identity theft, the Director of OMB should require agencies to modify their inventories of systems containing personally identifiable information to indicate which systems contain SSNs and use the inventories to monitor their reduction of unnecessary collection and use of SSNs.

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: As of April 2020, we have not yet received information to validate the agency's actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.

Recommendation: To improve the consistency and effectiveness of governmentwide efforts to reduce the unnecessary use of SSNs and thereby mitigate the risk of identity theft, the Director of OMB should provide criteria to agencies on how to determine unnecessary use of SSNs to facilitate consistent application across the federal government.

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: As of April 2020, we have not yet received information to validate the agency's actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.

Recommendation: To improve the consistency and effectiveness of governmentwide efforts to reduce the unnecessary use of SSNs and thereby mitigate the risk of identity theft, the Director of OMB should take steps to ensure that agencies provide up-to-date status reports on their progress in eliminating unnecessary SSN collection, use, and display in their annual Federal Information Security Modernization Act of 2014 reports.

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: As of April 2020, we have not yet received information to validate the agency's actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.

Recommendation: To improve the consistency and effectiveness of governmentwide efforts to reduce the unnecessary use of SSNs and thereby mitigate the risk of identity theft, the Director of OMB should establish performance measures to monitor agency progress in consistently and effectively implementing planned reduction efforts.

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: As of April 2020, we have not yet received information to validate the agency's actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.

Recommendation: In the event that Congress again requires an agency to provide affected individuals with identity theft insurance in response to a breach of sensitive personal data, Congress should consider permitting the agency to determine the appropriate level of that insurance.

Agency: Congress
Status: Open

Comments: As of July 2020, Congress had not enacted legislation for which our Matter for Congressional Consideration would be applicable.

Recommendation: The Director of the Office of Management and Budget should, to the extent feasible, conduct an analysis of the effectiveness of the various identity theft services relative to alternatives, and revise OMB's guidance to federal agencies in light of this analysis.

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: As we reported in GAO-19-230, we contacted OMB several times between May 2018 and early March 2019 to update the status of this recommendation, and again in July 2020, but as of July 2020, OMB had not responded with an update.

Recommendation: The Director of the Office of Management and Budget should explore options to address the risk of duplication in federal agencies' provision of identity theft services in response to data breaches, and take action if viable options are identified.

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: No executive action identified. As of July 2020, OMB had not responded to GAO's request for an update.