The Internal Revenue Service added new data elements last tax season to its computer system filters to catch suspected cases of identity theft-related tax fraud totaling $4.1 billion, according to a new report, but it posted information about the secret data elements on its public website IRS.gov before removing it.
The report, from the Treasury Inspector General for Tax Administration, said the IRS tested 23 new federal tax return-related data elements during the 2016 filing season in accordance with procedures in the Internal Revenue Manual. All 23 of the data elements became part of the IRS’s Return Review Program system, although the IRS ended up using only three of the elements to systemically filter returns and help identify potential instances of identity theft tax refund fraud during the 2016 filing season.
As of March 25, 2016, the IRS identified approximately $4.1 billion in suspected identity theft tax refund fraud, of which $72 million (from 21,000 tax returns) could be attributed to the three new data elements. The IRS also attributed the prevention of 24,000 taxpayer returns from being incorrectly selected as potential identity theft tax refund fraud returns to one of the three data elements.
For the other 20 data elements, there was not enough historical data to create business rules that would allow the IRS to use them systematically during the 2016 filing season. The IRS’s Applications Development division plans to decide in future filing seasons on potentially using the data elements.
The IRS wants the data elements kept confidential and secret from the public. TIGTA said it agrees with the IRS’s position and did not reveal them in the report to protect them from public exposure.
Nevertheless, TIGTA’s audit team did a search of the IRS’s public website and found schemas that included several of the new data elements. It notified the IRS about this finding and the IRS responded by removing the schemas containing the data elements from IRS.gov. TIGTA also identified two other documents on the IRS’s public website containing information related to the data elements. One of the documents included specific information about one of the new data elements.
TIGTA recommended the IRS permanently remove the data elements from public access to ensure that inappropriate use cannot occur. The IRS should also do a thorough inspection of its public websites and publications to determine if other data element information is available to the public and ensure it is removed, TIGTA suggested, and the agency should put in place a secure process to provide the data elements to valid parties who have a need to access them, such as tax software developers.
The IRS agreed with one recommendation and plans to implement a secure process to provide the data elements to valid parties. The IRS partially agreed with two other recommendations and removed the schema information from its website. TIGTA maintains that data element exposure on the IRS public website and in publications increases the risk of fraud, and stands by its recommendation to remove data element information from the IRS’s public website and publications to minimize potential misuse.
In response to the report, Debra Holland, commissioner of the IRS’s Wage and Investment Division, noted that the IRS convened a Security Summit in March 2015 with CEOs of the leading tax preparation firms, software developers, payroll and tax financial product processors and state tax administrators to discuss ways to leverage their collective resources to combat identity theft refund fraud. One of the outcomes was that software providers shared approximately 20 data elements from tax returns with the IRS and the states that could identify possible fraud. The IRS held subsequent meetings of the Security Summit last year and this year.
As a result of the Security Summit, from January to April 2016, the IRS stopped $1.1 billion in fraudulent refunds claimed by identity thieves on more than 171,000 tax returns, compared to $754 million in fraudulent refunds claimed on 141,000 returns for the same period in 2015, Holland noted. “Better data from returns and information about schemes resulted in better internal processing filters that identify fraudulent tax returns,” she noted.
She agreed that the processes and procedures used by the IRS to spot identity theft should not be made public, but she pointed out that the IRS publishes the schemas necessary for filing tax returns because software developers need to use them to develop their tax prep applications.
“New data elements, resulting from the Security Summit, were added to the schemas to assist in fraud detection,” Holland wrote. “While it was preferable to provide some form of secure access to the schemas, a workable solution could not be implemented in time for the 2016 filing season. The IRS made an informed decision to accept the business risk of making the schemas public but not to include any information about the elements in Modernized e-File publications to provide them as much protection as possible. While knowledge about the existence of data elements in the header schemas might be helpful to fraudsters, those data elements by themselves do not necessarily increase the risk of fraud. The IRS removed the schema information from IRS.gov in March 2016, shortly after the audit team brought their concern to our attention.”