FS-2015-23, October 2015
On March 19, 2015, IRS Commissioner John Koskinen convened an unprecedented Security Summit with public and private tax administration leaders to discuss common challenges and ways to combat tax-related identity theft.
IRS officials, the chief executive officers (CEOs) of the leading tax preparation firms, software developers, payroll and tax financial product processors, and state tax administrators came together to identify those steps that could be taken before the 2016 filing season and beyond.
On June 11, 2015, Summit participants announced they had reached agreement on a series of recommendations to protect taxpayers and protect the integrity of the federal and state tax systems.
Three working groups specializing in authentication, information sharing and cybersecurity focused on developing ways to validate the authenticity of taxpayers and information included on tax return submissions, information sharing to improve detection and expand prevention of refund fraud, and threat assessment and strategy development to prevent risks and threats.
On Oct. 20, 2015, Koskinen and Summit participants provided an update on the progress made by the working groups. For security reasons, only general details of many Security Summit activities will be discussed publicly.
The following is an update on each of the working groups.
Authentication Work Group
Authentication was the fundamental starting point as participants agreed to do more to verify the authenticity of the taxpayer and the tax return at the time of filing. The team:
- Identified and successfully tested inclusion of more than 20 new data elements from tax return submissions that will be shared with the IRS and the states and will assist in detecting and preventing identity theft returns. Some of these elements to protect against fraud include:
  - Reviewing the transmission of the tax return, including the improper and/or repetitive use of Internet Protocol numbers, the Internet ‘address’ from which the return is originating.
  - Reviewing computer device identification data tied to the return’s origin.
  - Reviewing the time it takes to complete a tax return, so computer mechanized fraud can be detected.
  - Capturing metadata in the computer transaction that will allow review for identity theft related fraud.
- Reached agreement for software providers to enhance identity requirements and strengthen validation procedures for new and returning customers to protect against account takeover by criminals. This provision will be one of the most visible to taxpayers in 2016 because it includes:
  - New password standards to access tax software will require a minimum of eight characters with upper case, lower case, alpha, numerical and special characters.
  - A new timed lockout feature and limited unsuccessful log-in attempts.
  - The addition of three security questions.
  - Out-of-band verification for email addresses, which is sending an email or text to the customer with a PIN – a common practice used throughout the financial sector.
These 2016 filing season actions will serve as the baseline for ongoing discussions and additional enhancements for the 2017 filing season. This means stronger protections for tax year 2015 returns filed this filing season.
Strategic Threat Assessment & Response (STAR) Work Group
Tax industry participants agreed to align with the IRS and the states under the National Institute of Standards and Technology (NIST) cybersecurity framework to promote the protection of information technology (IT) infrastructure. The IRS and states currently operate under this standard, as do many in the tax industry. New steps include:
- Held preliminary meeting with NIST to develop strategy for larger STAR audience.
- Conducted NIST information session on the cybersecurity framework.
- Conducting follow-up sessions to develop strategy for how the NIST cybersecurity framework will be applied for all organizations within the tax industry.
Information Sharing Work Group
- Agreed on the need to create an Information Sharing and Analysis Center (see more below).
- Updated IRS Publications 1345 and 3112 for filing season 2016 to require industry e-file providers who file 2,000 or more returns to perform research and analysis and provide any identity theft data to the IRS and the states.
- State operating agreements have like-kind requirements for data sharing and lead reporting for 2016 to the IRS.
- The IRS, at the request of industry and states, will act as a conduit and facilitate industry data sharing with states via a Secure Data Transfer (SDT) “flow through” process for the 2016 filing season.
- Creation of a new memorandum of understanding regarding roles, responsibilities and information sharing pathways currently in circulation with states and industry. So far, 34 state departments of revenue and 20 tax industry members have signed along with the IRS and endorsing organizations.
In addition to the three work groups, participants recognized the need for creating additional teams to enhance and expand collaborative efforts. Since June, three new work groups and one new sub-group have been established and started work. These new work groups are:
Information Sharing and Analysis Center Sub-Group (ISAC)
A sub-group of the Information Sharing work group, ISAC will centralize, standardize, and enhance data compilation and analysis to facilitate sharing actionable data and information. Target date for operations is filing season 2017.
Financial Services Work Group
The group will work to examine and explore additional ways to prevent and deter criminals from potentially accessing tax-time financial products, deposit accounts, and pre-paid debit cards. By identifying best practices, this could assist government and industry in preventing identity theft and combatting stolen identity refund fraud.
Communication and Taxpayer Awareness Work Group
The group aims to increase awareness among individuals, businesses and tax professionals on the need to protect sensitive tax and financial information. The June Security Summit report recommended taking steps to increase taxpayer awareness. The work group will conduct a coordinated media campaign beginning next month.
Tax Professional Work Group
Initial Security Summit efforts focused on tax software and tax issues surrounding the do-it-yourself taxpayer to identify immediate changes for 2016. However, all Summit participants recognize the critical role that the nation’s tax professionals play within the tax industry, in both the federal and state arenas.
This work group will examine how new requirements will affect tax preparers who use professional software, how the preparer community will be affected by the overall data capture and reporting requirements and how the preparer community can contribute in the prevention of identity theft and refund fraud.