25.25.12 Fraud Evaluation and Referral (FRE) Procedures for Integrity and Verification Operation (IVO)

Manual Transmittal

July 02, 2018

Purpose

(1) This transmits new IRM 25.25.12, Fraud Evaluation and Referral Procedures for Integrity and Verification Operation.

Material Changes

(1) This is a new IRM to establish written procedures for the Fraud Referral and Evaluation (FRE) Department.

Effect on Other Documents

None

Audience

Campus employees in Integrity & Verification Operation, Return Integrity Operation

Effective Date

(07-02-2018)

Denise D. Davis
Director, Return Integrity Operation
Wage and Investment Division

Program Scope and Objectives

  1. Purpose and Program Goals: This IRM section provides guidance for Integrity and Verification Operation (IVO) employees when they screen individual master file returns in the Electronic Fraud Detection System (EFDS) for possible identity theft and false income and withholding. Individual master file returns are scored through the Dependent Database (DDb) or through the Return Review Program (RRP) system. These scoring processes identify suspicious returns meeting the scoring tolerances for screening by IVO employees.

  2. Audience: The audience intended in this IRM is IVO employees.

  3. Policy Owner: The Return Integrity Operation (RIO) is the policy owner of this program.

  4. Program Owner: RIO is the program office responsible for oversight over this program.

Background

  1. Return Integrity Operation (RIO) strengthens the integrity of the tax system by:

    • Protecting the public interest by improving IRS’s ability to detect and prevent improper refunds

    • Serving the public interest by taking actions fairly and appropriately to identify, evaluate and prevent the issuance of improper refunds

    • Helping taxpayers understand the refundable tax credits for which they are eligible

Program Management and Review

  1. The program has reports to track the inventory, including receipts and closures.

  2. A quality control program is in place to review all processes to ensure accuracy and effectiveness.

Authority

  1. Refer to the following:

    • IRM 1.2.13.1.10, Policy Statement 4-21

    • IRM 1.1.13, Organization and Staffing, Wage and Investment Division.

    • Various Internal Revenue Codes (IRC) including but not limited to:

    • IRC 6402(a), Authority to make credits or refunds

    • IRC 6401, Amounts treated as overpayments

    • IRC 6404, Abatements of tax

    • IRC 6213, Requirements for a statutory notice, including math error authority

Responsibilities

  1. Return Integrity Operation (RIO) has responsibility for information in this IRM. Information is published in the IRM on a yearly basis.

  2. The Director of RIO is responsible for the policy related to this IRM.

  3. The Chief of the Data Management and Operation Staff (DMOS) is responsible for ensuring this IRM is timely submitted to publishing each year.

  4. More information can be found in IRM 1.1.13.7, Return Integrity and Compliance Services.

Acronyms

  1. For a list of Acronyms used throughout Integrity and Verification Operation (IVO) see IRM 25.25.1.1.5, Acronyms

Related Resources

  1. The related resources listed below may be utilized for account research and issue resolution. These related resources may be accessed through the IRS Intranet-Servicewide Electronic Research Program (SERP) site.

    • IRM 25.25, Revenue Protection

    • IRM 25.23, Identity Protection and Victim Assistance

    • IRM 21, Customer Account Services

    • IRM 2, Information Technology

    • IRM 3, Submission Processing

    • IRM 4, Examining Process

  2. The following IRMs should be used in conjunction with IRM 25.25.12:

    • IRM 25.25.1, Integrity and Verification Operation Business Master File Procedures

    • IRM 25.25.2, Revenue Protection Screening Procedures for Individual Master File Returns

    • IRM 25.25.3, Revenue Protection Verification Procedures for Individual Master File Returns

    • IRM 25.25.4, Integrity & Verification Identity Theft Return Procedures

    • IRM 25.25.5, Revenue Protection Special Handling Procedures

    • IRM 25.25.6, Taxpayer Protection Program

    • IRM 25.25.7, Automated Questionable Credit Program

    • IRM 25.25.8, Revenue Protection External Leads Procedures

    • IRM 25.25.9, Revenue Protection Prisoner Lead Procedures

    • IRM 25.25.10, Frivolous Return Program

    • IRM 25.25.11, Wage and Withholding Only (WOW) Procedures

    • IRM 25.25.13, Account Resolution for Integrity and Verification Operation

  3. IDRS restricted access accounts are accounts where a user must request special permissions to access the account through IDRS. Follow IRM 21.2.1.3.2, Authorized IDRS Access.

    Exception:

    ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

Fraud Evaluation and Referral Overview

  1. The mission of the Fraud & Referral Evaluation Department (FRE) is to protect revenue by identifying and dispositioning returns which display patterns of fraud (including identity theft).

  2. The Department Manager, Fraud & Referral Evaluation Department (FRE), reports to the Program Manager, Integrity & Verification Operations (IVO).

  3. To accomplish the mission, the Fraud & Referral Evaluation Department staff:

    • Identifies and takes action on return inventory that may show patterns of fraud and identity theft as required to protect revenue, taxpayers, and the integrity of the tax system.

    • Receives, researches and processes information leads submitted from a variety of sources(i.e., external leads, industry leads, internal referrals, and prisons).

    • Supports the operation by providing analytical support of inventory processes and reporting.

Fraud Evaluation and Referral Pattern Matching Overview

  1. The Fraud Referral and Evaluation (FRE) Department was established to evaluate returns not selected into the workload for potential fraud and ID theft. Because data mining models and filters learn from past behavior, it is necessary to review non-selected returns so the models do not continue to reinforce themselves. More so, because of the rapid changes made by criminals and those attempting to defraud the government through its tax return system, current models and filters must consistently be updated and improved upon using know patterns. Many of the common fraudulent schemes have been identified and require constant observation and monitoring to prevent refund fraudsters from exploiting those known areas. Concurrently, the FRE Department must scrutinize and look at large sums of data in untraditional ways (e.g., looking for the "Nulls" , using human behavioral patterns, and observing political events impacting the tax refund system), to identify any new and ingenious patterns that could result in the release of tax refunds to fraudsters.

  2. As these patterns change, FRE must also be able to quickly and robustly adapt/adjust. The FRE Department must operate without preconceptions and fixed notions, and instead think outside the box. FRE Analysts use a variety of techniques and tools, along with critical thinking and data attained from events taking place in the public, to create and update queries identifying any previously undetected fraud. FRE has an impact on reducing the number of external leads by catching them before refunds are released.

Pattern Matching Procedures

  1. Pattern matching is used to analyze returns en masse, not one by one. Utilize Discoverer to run assigned queries and adjust as applicable based on internal and external information.

  2. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

  3. Research query results to identify a pattern (this list is not all inclusive).

    Note:

    Utilize pre-refund and post-refund dates to assist in making determination of patterns.

    • ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    • ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    • ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    • ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    • ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    • ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    • ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    • ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

  4. Once a pattern has been identified:

    • Load/Import all selected returns into CASE. Ensure all selected returns are still in PS 0, PS 3 or PS 24.

    • Push the return to PS 30.

      Reminder:

      When pushing returns to Process Status 30 utilizing Case, do not push returns already assigned a treatment stream (e.g., PS 49/50) as it could possibly change the status of the return.

    • Input in the EFDS return notes the duplicate buttons that applied to your pattern (e.g., Dup WW, Dup zip code, Dup IP, etc.)

    • Input a secondary EFDS note "IVO FRE PATTERN" . The note must be on all returns pushed to PS 30.

    • If a return indicates "Tribal Income" additional research may need to be performed to verify the return before selecting the return for inclusion in a pattern. See IRM 25.25.2.6(1) note, Unsubstantiated Income and/or Withholding.

  5. Patterns obtained through discoverer queries can be researched on EFDS. Input Julian Date or Stop Refund Date in EFDS to identify pre-refund cases.

    Note:

    Don’t determine pattern of ID Theft from Current Year Return Spreadsheet only; research the Return Detail for a few returns prior to making a determination.

    • ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ "≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ " ≡ ≡ ≡ ≡ "≡ ≡ ≡ ≡ ≡ ≡ ≡ " ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ "≡ " ≡ ≡ ≡ "≡ ≡ ≡ ≡ " ≡ ≡ ≡ ≡ ≡ ≡ ≡

    • ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    • ≡ ≡ ≡ ≡ ≡ ≡ ≡

    • ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

  6. Research IP addresses based on the Average Refund, smallest to largest

    • ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    • ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    • ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    • ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

  7. Look for additional patterns within original pattern and utilize discoverer to identify additional returns

    • ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    • ≡ ≡ ≡ ≡ ≡ ≡

    • ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    • ≡ ≡

    • ≡ ≡ ≡ ≡ ≡ ≡ ≡

    • ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    • ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    • ≡ ≡ ≡

    • ≡ ≡

    • ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    • ≡ ≡ ≡ ≡

Process Status 30

  1. Process Status 30, also known as ACE/ADJ in the Electronic Fraud Detection System (EFDS), identifies returns that were manually selected for the Taxpayer Protection Program (TPP) treatment. These returns can be identified from Integrity and Verification Operation screening inventory, Fraud Referral and Evaluation pattern matching, Criminal Investigation referrals, and other internal or external referrals.

  2. An Access database is used for monitoring process status (PS) 30 inventory. The following processes are queriable:

    • Current PS 30 inventory

    • All DLNs in PS 49

    • Tracks all DLNs placed into PS 30 at End Of Day

    • Identifies TC 971 AC 129 and AC 124 returns for the year

    • Identifies returns without the proper EFDS IDT note

    • Identifies the EFDS note captured for creating the model type

    • Identifies and creates e-mail by manager of incorrect note

    • Tracks all TC 971 AC 123 DLNs

    • Tracks all TC 971 AC 125 DLNs

PS 30 Selection Identification Procedures

  1. Fraud Referral and Evaluation (FRE) will identify new inventory in Process Status (PS) 30 using the disposition date:

    • Research for required Electronic Fraud Detection System (EFDS) note (IVO FRE PATTERN, IVO RSV IDT, etc.).

    • Determine if the return meets PS 30 criteria (not previously in the Taxpayer Protection Program (TPP), except for accounts containing a TC 971 AC 123 MISC field TPPRP or TPP Recovery).

    • Perform a “B 30” check (accounts that have been placed back into process status 30). The accounts on this spreadsheet must be checked on IDRS for TC 971 AC 124 or AC 129 to see if the return went through the TPP process. If there is no indication of prior TPP, set the return to be sent through the TPP process on the following Thursday. If there is an indication of prior TPP then send the “B 30” listing to management to have accounts removed from PS 30 and placed in the appropriate process status.

    • Provide feedback to managers if criteria are not met.

  2. For returns that meet the PS 30 criteria, FRE will determine the refund freeze process and initiate the appropriate freeze actions. Remove from PS 30 those returns not meeting the criteria.

    • Prepare batch freeze template for returns dispositioned to PS 30 after midnight the previous day up to the refund freeze cut off deadline, to generate TC 971 AC 134 and forward to BPX contact

    • Identify refund returns that were unable to be stopped using the batch freeze template for refund cancellation using CC NOREF, see IRM 25.25.2.4, Stopping / Releasing the Refund.

  3. Identify the appropriate TPP marker (e.g., TC 971 AC 124 or TC 971 AC 129), prior to the weekly master file cutoff deadline by taking the following actions:

    • EFDS return DLN is not posted - put on the template for the TC 971 AC 124

    • EFDS return DLN is posted

    If And Then
    1
    There is no TC 846 present
      Put on the template for the TC 971 AC 129
    2
    A TC 846 is present on the module
    there is an open IVO refund cancellation IDRS control Put on the template for the TC 971 AC 129
    3
    A TC 846 is present on the module
    there is No open IVO refund cancellation IDRS control Push return to PS 65 - input EFDS note "PS 30 REFUND LOST MOVED TO PS 65"
  4. Ensure the master file template was submitted to the server by the deadline and received by BPX.

Monitoring Process Status 30 Procedures

  1. The database is used for monitoring current year process status 30 inventory. The following processes are queriable:

    • Current PS 30 inventory

    • All ever in PS 49 DLNs

    • Tracks all DLNs placed into PS 30 at End of Day

    • Identifies TC 971 AC 129 and AC 124 returns for the year

    • Identifies 120 day old aged returns

    • Identifies returns without the proper EFDS IDT note

    • Identifies the EFDS note captured for creating the model type

    • Identifies and creates e-mail by manager of incorrect note

    • Tracks all TC 971 AC 123 DLNs

    • Tracks all TC 971 AC 125 DLNs

  2. Run Discoverer query "PS 30 Daily Inventory.DIS"

    1. Research for missing note

    2. Perform a "B 30" check (accounts that have been placed back into process status 30). The accounts on this spreadsheet must be checked on IDRS for TC 971 AC 124 or AC 129 to see if the return went through the TPP process. If there is no indication of prior TPP, set the return to be sent through the TPP process on the following Thursday. If there is an indication of prior TPP then send the "B 30" listing to management to have accounts removed from PS 30 and placed in the appropriate process status.

TPP Suspense Expired
  1. Returns still in PS 30 after 120 days are reviewed weekly in the Age Out process. If the refund has been released, the return is re-filed. Those with "no response" where the refund is still holding are dispositioned to STARS, mirroring the PS 49 process.

Entity Fabrication Selection Process

  1. Send initial letter to business requesting information.

Process Status 50 Procedures

  1. Returns that are in Process Status 50 are returns that were previously in Process Status 49 (ID Theft Hold) and have been determined not to be Identity Theft and have the following characteristics:

    • The TP has authenticated their identity.

    • The return met DM tolerance and has Resequence Code 1 (Res Code).

    • There is no IDOC attached to the return.

    • IDRS shows a TC 971 AC 052 on CC TXMOD.

    • The return has posted with a CCC 1 to hold the refund pending further review. Any other resequence code will be re-filed.

    • .

  2. Daily PS 50 IRP query.

  3. Run wage and withholding match and full year prisoner query.

  4. Review the file and determine the following:

    • returns that can be re-filed

    • returns that can be sent directly to scheme

    • returns that need to be reviewed by IVO TEs

    Reminder:

    Do Not disposition these returns to Ace Adjustments, because the return has already been through the IDT process (PS 49 - IDT hold).

  5. Once the determination is made, take the following actions:

    If Then
    returns that can be re-filed Disposition to re-file and release the refund with a TC 290 .00.
    returns that can be sent directly to scheme Disposition to scheme.
    returns that need to be reviewed by IVO TEs Refer on a daily report to IVO teams for account resolution.

Process Status 70 Procedures

  1. Run PS 70 Discoverer Query first each morning.

    • ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    • Filter the re-sequence codes to exclude Res Code 1 and Res Code 6 returns

    • Disposition returns to IVO Holding Queue – PS 70

    • The DLNs are run through an IRP and Prior Year Data Match Automation Process.

    • Send the DLNs of this new file to be included in the file of returns needing the hard freeze (TC 971 AC 134) by 9:00 am CST. The remaining returns are left in Process Status 0 and refund as normal.

    • Once the returns have been pushed to PS 70, notify the analysts to start dispositioning/working the returns.

Limited Direct Deposit Refund Procedures

  1. New direct deposit rules began in January 2015 to limit the number of United States Treasury Tax Refunds to be deposited into a single financial account to 3. All subsequent refunds will be automatically flipped to a paper check and issued to the address of record. The IRS will simultaneously issue a Notice CP 53X, A Message About Your Request for an Electronic Deposit Refund, to the address of record, informing the taxpayer of the delay, inability to deposit the refund to the account as requested, and the issuance of the paper check.

  2. Accounts impacted by the new direct deposit rules will contain the following:

    • A transaction code (TC) 841 for the original refund amount or split refund amount.

    • A Direct Deposit Reject Reason Code (DDRC) 49.

    • A TC 971 action code (AC) 850 with a DLN of "2827799999999Y" to flip the direct deposit refund to a paper check.

    • A TC 971 AC 804 with a MISC field of "CP 53X" .

    • A second TC 846 for the refund being issued as a paper check.

  3. For accounts where the paper check is returned to the IRS as undeliverable (TC 740) and appears on the Business Objects (BOE) Report, the Integrity & Verification Operation (IVO) take the following actions:

    • Update the Scheme Tracking and Referral System (STARS) to "DD" (multiple refunds) or "DR" (direct reject) as appropriate.

    • Update the STARS category to "7" .

    • After 60 days, query dispositions "DD" and "DR" in STARS and confirm the returned refund is still held on the account.

    • Confirm identity theft determination and reverse the account data using the Return Integrity Compliance Services (RICS) IDT Tool.

    Note:

    Any return rejected by the RICS IDT Tool will be worked manually per IRM 25.25.4, Integrity & Verification Identity Theft Return Procedures.

  4. If a Notice CP 53X is returned as undeliverable, it should be destroyed as classified waste, see IRM 21.5.1.4.10, Classified Waste.

S- Freeze Rejects

  1. Monitor S freeze for 60 days. If the refund remains in the account push to scheme.

Security Breach Leads

  1. Security Breach Leads- The IRS receives notification of specific security breach incidents from varied sources, usually related to a data breach of preparer client information. The EPSS Program area receives "Security Incident Reports" from software providers via a specified e-mail box when various security incidents have occurred at the software company. Some incidents involve specific IP Addresses that are attempting to obtain taxpayer data through the software companies’ programs. When these incidents are received, the information will be forwarded to IVO-FRE who uses these incident reports to identify revenue protection opportunities on additional questionable returns currently in the processing stream.

  2. Run Queries for TPP compromised note process.

    • 1 QRY Prim SSN to Breach

    • 2 QRY SP SSN to Breach List

    • 3Appnd Prim Breach to Master

    • 4Appnd SP Breach to Master

    • 9DLN’s Need IRP Note by load Date

    • TPP Comp Note Qry - run daily - add note to IRP "Compromised IRP Data - Do Not Release Based on IRP"

Bank Leads

  1. Leads are external information and communications about questionable tax refunds identified by a variety of stakeholders, including: national banks, state banks, savings and loan associations, mutual savings banks, credit unions, financial institutions, brokerage firms, government and law enforcement agencies, state agencies, tax preparation entities and various other sources. Bank Leads may involve treasury checks, direct deposits/ACH, refund anticipation loans or checks, and pre-paid debit cards.

  2. Leads from financial institutions are voluntarily submitted through the Lead Sharing Program and are forwarded to the IVO-FRE mailbox (efleads@irs.gov). The bank leads from the IVO-FRE mailbox are imported into "RICS Lead Management Database " supported by the IVO Department 1 External Leads Team. These leads are all post refund returns. The FRE Bank Leads Program utilizes the lead data within the Department 1 database to search for revenue protection and fraud trend identification opportunities

  3. The FRE Bank Leads Program uses the lead information to identify revenue protection opportunities on additional questionable returns currently in the processing stream. The FRE Bank Leads Program also uses these leads to identify new fraudulent filing patterns and trends. New trends are monitored for additional activity. Any identified returns are assigned to the appropriate processing streams. New filter rule suggestions are periodically forwarded to the appropriate teams in RICS/IVO for consideration.

  4. Lead Research

    • Using the bank leads obtained from the saved SSRS Report spreadsheet, review all returns for possible IDT returns. Continue reviewing the remaining lead data for fraudulent filing patterns.

    • Lead data may include some or all of the following: SSN, Bank Account, IP address, e-mail address, name, and physical address.

    • Discoverer, IDRS, EFDS and other systems are used to conduct lead research and identify fraudulent return patterns.

    • Leads will be worked differently based on the particular scenario. Refer to the Bank Leads Desk guide for current query processes.

    • Discoverer queries are based on identified lead fraud patterns and these queries are run daily.

  5. Lead Actions:

    • Disposition all possible ID theft returns to Process Status 30 (ACE/Adjustments) in EFDS. Input the following notes* in EFDS:
      "IVO FRE PATTERN"
      Summit (‘extlds Bank Leads-[DISCOVERER QUERY NAME]”)

    • Update database status to "Closed" .

Electronic Return Originator Leads (ERO)

  1. Electronic Filing Identification Numbers (EFINs) and Preparer Tax Identification Numbers (PTINs) are vulnerable to identity theft, breaches, and hijacking. Some cases involve EFINs or PTINs established with identity victims' names and social security numbers (SSNs). Other cases involve EFINs or PTINs originally established by legitimate return preparers or practitioners that then are misused by thieves in filing identity theft (IDT) returns. Yet other cases involve a compromised EFIN, under which the Service receives both a bona fide return from the legitimate owner of the EFIN and an IDT return from a thief. Electronic Product and Services Support (EPSS) and Return Integrity Operation (RIO) have been working together to identify suspicious EFINs, research them, and inactivate them, when applicable.

  2. Abusive return preparers have been a problem for the Internal Revenue Service (IRS) and for taxpayers for many years. These preparers, prepare returns that contain fraudulent/abusive items (for example, income, withholding, dependents, and refundable credits). Abusive return preparers create a problem for the IRS because these returns cost the government revenue and cost the taxpayers money when they are audited. It is often difficult to discern the abuse, because some taxpayers are in collusion with these preparers while others are not.

Electronic Filing Identification Number (EFIN) and Preparer Tax Identification Number (PTIN) Leads

  1. Suspicious EFIN, PTIN and Preparer information is received in a number of ways from numerous internal and external stakeholders. The most prominent method for receiving suspicious EFIN/PTIN leads is when they are sent to the RICS/IVO/FRE Fraud leads mailbox. The leads come in from EPSS, RAAS, RPO, Analysts, and sometimes from industry. The leads are assigned to an IVO FRE analyst to research and make a determination on what action needs to be taken. The analyst checks the EFIN application on the Employee User Portal (EUP), the EFIN owners IDRS accounts, EFDS information, addresses, and Accurint for relevant information. Additionally, the analyst pulls the return information from EFDS along with the EFDS statuses and uses all this information to make a determination as to whether the EFIN should be inactivated.

  2. Lead Research

    • Determine if the lead needs to be imported

    • Import the lead to the database

    • Using all available research tools, make a determination on the assigned EFINs/PTINs.

    • Research all EFINs assigned to the participant.

  3. This research must be thorough, because it helps determine if the EFIN was established using someone else’s stolen identity; if the good ERO is filing Identity Theft (IDT) returns; or if the EFIN has been compromised.

  4. The five main determinations that the IVO FRE analyst can make are:

    • Data Breach indicates the intentional or unintentional release of confidential information. In ERO cases the released confidential information would be the ERO clients’ Personally Identifiable Information (PII).

    • Application Misrepresentation indicates that applications were submitted with the wrong owners/principals listed

    • Compromised indicates that an otherwise good ERO’s EFIN has been hijacked; the EFIN is being used by a third party to file returns. In most cases you’ll see good and bad returns coming through the same EFIN.

    • EFIN filing IDT returns indicates that a valid EFIN owner is filing IDT returns.

    • IDT EFIN indicates that an EFIN was established with a stolen ID and then was used to file IDT returns.

  5. Lead Actions

    • Forward your determination to the primary Management and Program Analyst for review. All documentation to support your determination to EPSS must be included in an Excel spreadsheet.

      Reminder:

      After the review is completed the program manager will forward the recommendation to the EPSS IDT mailbox for resolution.

    • Update the FRE database with all required fields.

Abusive Preparer Leads

  1. 1) RICS/IVO/FRE employees are in a unique position to identify these abusive preparers. Their mission of fraud detection and revenue protection aligns with the identification of abusive preparers. In addition, they have access to data about these returns that are not generally available elsewhere in the IRS. This frequently results in the identification of groups of questionable returns all prepared by the same person.

  2. There is a process to refer these abusive preparer cases to the Lead Development Center (LDC) and to the Return Preparer Coordinators (RPCs) based on specific criteria. However, only the most egregious preparers may be referred and the referrals must be well researched and developed. These referrals may be a single preparer or a group of preparers within a single EFIN.

  3. Lead Research:

    • Determine if the lead needs to be imported

    • Import the lead to the database

    • Using all available research tools, make a determination.

    • Verify the CY return totals; > 500 returns for referral to the LDC and < 500 returns referral to the RPC.

    • Double check database to make sure the EFIN is still active, if inactivated review the comments to see if a referral is warranted.

    • Consider all EFINs associated with the firm we’re researching. We will be making a referral to the LDC/RPC for the firm, not an individual EFIN.

    • Capture everything the firm filed, including Paper and ELF

    • Check for open investigations in CI or Civil. Check everything in PS 29 for schemes.

    • Pull CY and PY return data using the EIN and/or PTIN, and use those DLN’s as the condition on the Preparer Query.

    • Check for confirmed IDT. If there is any, we would send the case to EPSS for IDT instead of referring it as an abusive preparer.

    • Fill out all required tabs on the recommendation spreadsheet

  4. Refer these abusive preparer cases to LDC (for abusive preparers filling more than 500 returns) and to RPCs (for abusive preparers filling fewer than 500 returns).

  5. Lead Actions:

    • Forward your recommendation to the primary Management and Program Analyst for review. All documentation to support your recommendation to the LDC/RPC must be included in an Excel spreadsheet.

    • After the review is completed the program manager will forward the recommendation to the LDC or the RPC for resolution.

    • Update the FRE database with all required fields accordingly

Industry Leads

  1. As part of the Security Summit Initiative, lead reports are received from American Coalition of Taxpayer Rights (ACTR) members as well as other participating software partners. The returns referred as part of these lead reports are reviewed and analyzed for possible identify theft characteristics. If a return is thought to be questionable, it is processed accordingly by the IRS to ensure revenue protection. Higher level analysis is then performed to aid in identifying additional returns and any filing patterns or trends that can be used in the future.

  2. Industry Lead files are received on the server through a secure data transfer process. A lead consists of two separate files: 1)a Control file and 2) a Data file.

    • Control File – (txt format) – this file contains company contact information pertaining to the data file.

    • Data File – (xml file format)* – this file contains the actual data records.

  3. Lead Research

    • Import the lead to the database

    • Process the Industry lead file.

    • Review all returns in Process Status 0 and 3 (with stoppable refund stop dates) to identify possible identify theft returns (pattern matching).

    • Disposition all returns identified as possible ID theft returns to Process Status 30 (ACE/Adjustments) through Case in the Electronic Fraud Detection System (EFDS) with the following notes:
      "extlds Industry Leads OL"
      "IVO FRE PATTERN"

    • Update LMS with all required fields

    • Update the lead status to "completed"

    • Move the lead files to the appropriate leads folder.

State Leads

  1. The State Leads Program is a new program within RICS that receives referrals from various State taxing agencies relating to fraudulent/IDT returns being filed at the State level. RICS uses these leads to identify questionable returns being filed at the federal level and to identify new fraudulent filing patterns and trends.

  2. Lead Research

    • Process the state lead file (Discoverer query).

    • Import the lead to the database

    • Update LM - FRE database with all required fields

    • Disposition all accounts as applicable

    • Update the lead status to "completed"

    • Move the lead to the appropriate leads folder.

Transcript Leads

  1. The JOC monitors the transcript request telephone application for situations where one telephone number calls the application over 5 times for more than five different TINS. When criteria are met, the JOC blocks the telephone number and refers the TINs to RICS. RICS performs two actions: IVO-FRE reviews filed returns for revenue protection, BPL-PAM inputs TC971 AC504 sends incoming returns through Clustering.

  2. Lead Research

    • Process the lead file (Discoverer query).

    • Import the lead to the database

    • Update LM - FRE database with all required fields

    • Disposition all accounts as applicable

    • Update the lead status to "completed"

Criminal Investigation (CI) List Procedures

  1. Criminal Investigation (CI) will route, by e-mail, data breach lists to Project Analytics and Modeling (PAM) for clustering. In addition, even if no return has been fled, CI will route, by e-mail, high risk lists (e.g., PII, hacked preparers) and imminent lists (e.g., Traffic Stops, Search Warrants, and Informant Leads), to Integrity & Verification Operation (IVO). The accounts will have Identity Theft (IDT) markers input (TC 971 AC 506, WI PRP LIST1) and a Letter 4904C to be issued to the taxpayer.

    Note:

    The letter will be issued only if a valid address is identified.

  2. CI will send a list of treasury check numbers via e-mail to IVO for IRS refunds that were identified through Traffic Stops, Search Warrants, and Informant Leads related to IDT. IVO will take the following actions:

    • Research treasury check numbers to identify the applicable tax year

    • Run cases through the Return Integrity and Compliance Services (RICS) IDT Tool for account resolution

    • Update Scheme Tracking and Referral System (STARS) to "CAT 7 CI"

    Note:

    Any cases rejected by the tool will be worked per IRM 25.25.4, Integrity and Verification Identity Theft Return Procedures.

Office of Child Support Enforcement (OCSE)

  1. The Office of Child Support Enforcement (OCSE) assists with the Treasury Offset Program (TOP) Offset Reversal process by supplying a file of social security numbers associated with accounts where TOP offsets were generated from suspect returns (possibly not filed by the true taxpayer). The file OCSE delivers is missing the tax period associated with the TOP offset which the Tax Examiners (TEs) need in order to complete the TOP Offset Reversal Process.

  2. Research is completed with the use of batch tools and Databases to find the following information:

    • The tax period associated with the TOP offset

    • The IRS determination:
      Yes: All funds requested back - this was not the true taxpayer
      No: No funds requested back - the offset was valid

  3. Lead Research:

    • Create the query

    • Research the accounts

    • Make the yes/no determination

    • Send the determination back to OCSE

GATT Procedures

  1. Review refile (PS28) daily for full year prisoner returns with verified good wages and withholding and a refundable credit

    • Query returns in Re-file that have the GATT EFDS note

    • Use GII IMFOLT reviewing for FS2 to determine if both were full-year prisoners (would exclude if one spouse had good income and was not incarcerated for the entire year)

    • Update STARS to CATG "8" Disposition "TT"

    • Input a TC 971 AC 134 daily on full-year prisoner returns that are loaded the previous day and claim a refundable credit

WOW and AQC Procedures

  1. Run CATG 12/15/16/17 DDb reports weekly.

MFT 32 Reversal Procedures

  1. The MFT 32 Reversal Process monitors accounts to ensure returns moved to MFT 32 (due to possible ID Theft) post back to MFT 30 after authentication of the taxpayer. FRE monitors the accounts after the actions are taken per IRM 25.25.6.7.1, MFT 32 Reversal Procedures and IRM 3.28.4.5.12, Returns on MFT 32. The inventory for this process is received through the Automated Aged Listing (AAL) Spreadsheet (SS) under control 14873 and worked through automation. Inventory that needs to be worked manually is assigned to Department 4.

  2. FRE process:

    1. Build Combined – Automated Age Listing (AAL) File

    2. Build Combined – Review File and separate into Files below:
      14873 – Review File: inventory to perform automation on before assigning to TEs
      Error Correction (EC) – Review File: corrections needed for control bases

    3. Separate 14873 – Review File into Buckets and work Review Files
      Bucket 1 - Return moved back to MFT 30, refund NOT held or there is a balance due
      Bucket 2 - Return moved back to MFT 30, refund held, income needs verification
      Bucket 3 - Return moved back to MFT 30, refund held, income does NOT need verification
      Bucket 4 - Return NOT moved back to MFT 30, refund held, return needs to be reprocessed
      Bucket 5 – Return moved back to MFT 30, refund held, unpostable needs to be posted in

    4. Perform STARS Deletion Process on returns FRE closed out/released refund

    5. Prepare and submit weekly report

STARS

  1. EFDS Executive Report must be run and distributed weekly.

Clean up

  1. Performed annually to ensure all returns are in a process or closed.

Process Status 28
  1. Run Discoverer query weekly

    • Input reversal for TC 971 AC 134, that were not input systemically

    • Input refund release for tool work

    • Send manual work to Team manager weekly