Verification through records checks and authentication questions may risk clients’ data security and be impractical for some.
Jeffrey Porter, CPA, chair of the AICPA’s Tax Executive Committee, sent a letter to IRS Commissioner John Koskinen in late September raising concerns about the IRS’s recently issued guidance on electronic signatures. The letter addresses the electronic signature standards that apply when a taxpayer does not appear in person before the tax return preparer to present a valid form of identification.
In March, the IRS updated Publication 1345, Handbook for Authorized IRS e-File Providers of Individual Income Tax Returns, to authorize taxpayers to sign, and practitioners to accept, e-file authorization forms containing electronic signatures. (For more on the new standards, see “E-File and Digital Signatures: Where Are We Now?” The Tax Adviser, June 2014, page 430.)
The IRS guidance requires the practitioner to record the taxpayer’s name, Social Security number, address, and birthdate and to verify that this information is “consistent with the information provided through record checks with the applicable agency or institution or through credit bureaus or similar databases.” The key to this verification, for taxpayers who do not appear in person, is that it conform to Level 2 assurance in National Institute of Standards and Technology (NIST) Special Publication 800-63, Electronic Authentication Guideline, and knowledge-based authentication or higher assurance level.
Level 2 assurance under this standard entails verifying the taxpayer’s identity through records checks with credit bureaus and other databases and includes dynamic knowledge-based authentication, which involves generating questions from U.S. public records and credit reports and requiring the taxpayer to correctly answer those questions.
In the context of electronically signing a tax return, the AICPA letter says, this implies it will require the tax return preparer to send the taxpayer’s data to an identity verification vendor before the taxpayer can sign the return.
The AICPA asked the IRS to clarify whether dynamic knowledge-based authentication is required in all cases where a taxpayer is electronically signing a return without appearing before the return preparer to show a valid form of identification. If dynamic knowledge-based authentication is required, the AICPA has identified three problems with it.
First, introducing a third-party identity verification vendor into the process increases the risk of compromising the taxpayer’s private data. Second, the process itself can harm the CPA’s trusted relationship with the taxpayer. And, third, dynamic knowledge-based authentication will not work for certain taxpayers who would most benefit from electronic signatures, such as children and expatriates, because they do not have enough personal information in U.S. public databases to allow the authentication to work.
The AICPA in its letter suggested some alternatives to dynamic knowledge-based authentication that the IRS should consider:
- Provide an exception to the dynamic knowledge-based authentication requirement for Circular 230 practitioners (i.e., CPAs, attorneys, and enrolled agents);
- Consider the taxpayer’s identity to be authenticated if the return preparer has a secure client portal requiring a strong password or shared secret questions for verifying the taxpayer’s identity; or
- Allow dynamic knowledge-based authentication to draw data only from within the return preparer’s secure firewall, so that sensitive taxpayer information does not have to be shared outside the firewall.
- Letter, Jeffrey A. Porter, CPA, chair of the AICPA Tax Executive Committee, to IRS Commissioner John Koskinen, Sept. 24, 2014
By Alistair M. Nevius, J.D., the JofA’s editor-in-chief, tax.