A layered approach combining software, public-private partnerships and innovative pilot programs has saved billions of dollars from ending up in the hands of criminals and fraudsters, according to a new audit.
Current and former IRS officials sometimes grumble about the work of the Treasury Inspector General for Tax Administration, arguing that their reports and findings are overly harsh and often fail to take into account the tax agency’s historic funding and personnel limitations.
However, an audit released this week gives the agency high marks for its efforts cracking down on tax refund fraud and identity theft, utilizing a layered approach that combines new software, public-private partnerships and innovative pilot programs to save billions of dollars from ending up in the hands of criminals and fraudsters.
The topline figures over the past decade illustrate how much progress the agency has made. In 2012, TIGTA estimated the IRS lost approximately $5.2 billion, but that number has shrunk substantially over the past decade. The agency’s latest available numbers from 2019 peg losses between $90 million and $380 million, and its programs have identified 438,580 fraudulent tax returns, another 442,991 identity theft-related tax returns and prevented a collective $3.63 billion in improperly issued tax dollars. Numbers from 2018 claim more than $6 billion in fraudulent tax returns that were identified and stopped before payments were issued.
“The actions taken on the part of the IRS have been extremely effective in addressing the identity theft epidemic and reducing its negative impact on tax administration,” auditors wrote.
In addition to the Return Review Program (RRP), a software system that scans tax returns and cross-references them against more than 200 different filters designed to spot signs of fraudulent behavior or identity theft, the agency has also implemented a number of other programs since 2017 to create a layered defense against fraud. A group called the Fraud Referral and Evaluation Group conducts manual, human-based analysis for suspicious returns flagged by the RRP system. Another system, the Dependent Database, combines data from IRS, the Department of Health and Human Services, the Social Security Administration and other sources to spot identity theft.
The agency set up public-private partnerships with two organizations – the Security Summit and the Identity Theft Tax Refund Fraud Information Sharing and Analysis Group (ISAC) – to share and exchange information with industry on the latest threats and best practices. Work from the 2019 Security Summit led to the development and incorporation of more than 50 data elements that can help identify or detect potential tax refund fraud.
It has also set up a dedicated resource center online, providing taxpayers with guidance on how to spot tax-related identity theft and tips on how to better protect their data from fraudsters by utilizing security software, passwords and identity protection PIN numbers developed by the agency.
Successful pilots have been expanded to further catch illegal behavior that falls through the cracks. One, the Deposit Account Verification Program, partners with industry providers to calculate a risk score for hundreds of thousands of suspicious returns that request refunds be sent via debit cards. Another, the External Leads Program, works with banks to cross-reference refunds when there is a mismatch in names or other account characteristics between the return and the requested bank account.
Another program automatically locks tax accounts for deceased individuals. The agency came under criticism last month for sending out stimulus checks to more than a million dead people, a problem officials attributed to not having full access to death data held by the Department of Treasury and Bureau of the Fiscal Service.
The agency is conducting several other fraud-based pilots, but the details are largely redacted from the report.
One area where the agency has fallen short is developing effective performance metrics for some of its anti-fraud efforts. The Taxpayer First Act passed in 2019 allows IRS to share fraudulent tax returns with ISAC partners, including the taxpayer’s name, IP addresses, device identification, email domain name, method of authentication, tax ID numbers and bank account and routing numbers. However, it has yet to begin such sharing for the 2019 or 2020 tax seasons, and the agency lacks meaningful metrics to measure the success of the ISAC’s work preventing fraud and identity theft.
“Currently, the only measure the IRS has relative to the ISAC is level of participation. IRS management stated that the increase in the participation results in more alerts posted, which shows the success of the ISAC,” auditors wrote. “Management also stated that participants would not continue to participate if the ISAC was not helpful to their organizations.”
In a response attached to the audit, Wage and Investment Commissioner Kenneth Corbin said the agency has begun sharing potential identity theft data with ISAC partners and has set up a secure platform to do so. The agency will also roll out new ISAC Federal Tax Information Analytical Reports by 2022 that will seek to better measure the ISAC’s impact on curbing fraud.
“We recognize that those who we are combatting are sophisticated perpetrators and so we must continue to evaluate and refine our processes to identify fraudulent tax returns and protect revenue,” wrote Corbin.