The IRS reports that its cases of tax-related identity theft and corresponding fraudulent refunds issued have dropped significantly, due in part to more shared information with state and industry partners (see IRS News Release IR-2016-144, highlighting a reduction by more than half of identity theft affidavits filed by taxpayers in 2016 from a year earlier, and "2017 Tax Software Survey," and the sidebar, "Fewer CPAs See Tax ID Theft").
These and other initiatives were put in place in 2016 in response to recommendations of the Security Summit in which they collaborated (see "Tax Matters: Security Summit Touts Improvements in Its First Year," JofA, Sept. 2016). More initiatives were set for this year, many of which are not visible to taxpayers. They include:
- Thirty-seven new data elements help ensure that a tax return is being filed by the real taxpayer.
- The tax preparation industry is sharing with the IRS and states 32 data elements from business tax returns.
- Over 20 states are working with the financial services industry to create their own version of a program that allows the industry to flag suspicious refunds before they are deposited into accounts.
- The private sector is pursuing efforts to ensure refunds go into the true taxpayers' accounts.
- Use of a verification code on Form W-2, Wage and Tax Statement, will be expanded. For tax year 2016, about 2 million were verified; for this year, over 50 million will be verified.
- The software industry has strengthened password requirements for individual and tax professional users.
The creation of a new identity theft refund fraud information sharing and analysis center (ISAC) will provide better data to law enforcement to investigate and prosecute identity thieves.
A campaign by the IRS, state tax agencies, and the tax software industry to increase awareness about data security will continue. "Taxes. Security. Together." was launched in 2015 to encourage preparers and taxpayers to take greater data security precautions and to learn how to recognize and avoid phishing emails that seek to trick people into providing sensitive data, such as Social Security or credit card numbers.
Enrolling in IRS news releases and registering for e-News for Tax Professionals on IRS.gov (see irs.gov are among the ways to keep abreast of the latest email scams and other fraud schemes.
SAFEGUARD CLIENT DATA AND COMMUNICATIONS
Tax professionals have been targeted by criminals, and the IRS has urged tax professionals to use the best security practices available. IRS Publication 4557, Safeguarding Taxpayer Data, is a good resource that includes an action checklist for ensuring data security. Another resource is the IRS webpage "Protect Your Clients; Protect Yourself."
It is paramount for tax preparers to preserve the confidentiality and privacy of taxpayer data by restricting access and disclosure.
Tax preparers can help protect clients and their businesses from identity theft by monitoring their preparer tax identification number (PTIN) accounts to ensure the number of returns filed using the number matches IRS records.
Some tax preparers transmit sensitive taxpayer information, such as completed forms and communication, to clients via email attachments. They may think they are providing an adequate level of security by using the built-in, password-protected encryption feature of Microsoft Office and Adobe Acrobat files. But this is not an optimal solution for several reasons. First, the password to decrypt the files must be provided to the client as well, and emailing it would seem to defeat the purpose of encryption. Safer would be to call clients and tell them the password, which also has obvious drawbacks, not the least of which is client error in typing it. When this happens, clients may complain they are unable to open the files. One possible solution, if time permits, is to resend the password-protected file, monitor the issue, and perhaps call the client and walk him or her through the password process.
Such clients might prefer to choose their own password, perhaps using their self-generated e-filing personal identification number (PIN), which might be easier for them but still not the best practice for security. At the very least, when selecting a PIN, clients should not use familiar dates, such as the birthdate of a family member or some other easily identifiable number. Identity thieves may have access to this information.
Yet another way CPAs with such clients can possibly protect themselves from liability is by sending clients a release letter each year allowing them to select whether they will receive taxpayer-sensitive data with or without passwords. This letter may be sent along with the tax planner. However, as with the planners, clients often ignore written requests. Then it is the CPA's call, and the author's recommendation is to subsequently send all taxpayer-sensitive data password-protected.
But none of these practices can afford as much safety as using a client portal or other secure file-sharing solution. A number of products are tailored specifically for tax and accounting practices, some available as an add-on module to the most widely used tax preparation software products.
CPAs are trusted professionals and need to be diligent in this arena. To win the war against identity theft, tax practitioners need to join with the IRS and taxpayers.
Sebastian B. Murolo (firstname.lastname@example.org) is an assistant professor at Queensborough Community College CUNY in Bayside, N.Y.
To comment on this article or to suggest an idea for another article, contact Paul Bonner, senior editor, at Paul.Bonner@aicpa-cima.com or 919-402-4434.