Federal Requirements Need Strengthening at Lockbox Banks to Better
Protect Taxpayer Payments and Safeguard Taxpayer Information
February 2002
Reference Number:
2002-30-055
This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.
Redaction Legend:
2e = Law Enforcement Procedure(s)
February
27, 2002
MEMORANDUM FOR
COMMISSIONER, SMALL
BUSINESS/SELF-EMPLOYED
DIVISION
COMMISSIONER, WAGE AND INVESTMENT DIVISION
FROM: Pamela J. Gardiner /s/ Pamela J. Gardiner
Deputy Inspector General for
Audit
SUBJECT: Final Audit Report - Federal
Requirements Need Strengthening at Lockbox Banks to Better Protect Taxpayer
Payments and Safeguard Taxpayer Information (Audit #200130048)
This
report presents the results of our review of the lockbox program in a Los Angeles bank. Our objective was to evaluate the physical and internal controls
to determine whether taxpayer remittances were adequately safeguarded and
taxpayer information was protected from unauthorized disclosure.
The Internal Revenue Service
(IRS) lockbox program consists of commercial banks that have contracted with the
Financial Management Service (FMS), another Government agency, to process tax
payments.
In summary, the Los Angeles
bank was in compliance with established Lockbox Processing Guidelines
concerning physical and data security for Calendar Year (CY) 2001. However, additional controls are needed in
the Guidelines to reduce the risks associated with processing large volumes of
taxpayer remittances that could lead to financial losses and erosion of
taxpayer confidence.
The Lockbox Processing
Guidelines need additional or clarified requirements in a number of areas,
including enhancing the video surveillance systems; testing disaster recovery
plans; providing for biological safeguards; and requiring background clearance
checks prior to handling IRS materials.
Management’s response was
due on February 7, 2002, with an extension granted to February 14, 2002. As of February 15, 2002, management had not
responded to the draft report.
Copies of this
report are also being sent to the IRS managers who are being affected by the
report recommendations. Please contact
me at (202) 622-6510 if you have questions or Gordon C. Milbourn III, Assistant Inspector General for Audit (Small
Business and Corporate Programs), at (202) 622-3837.
Appendix I – Detailed Objective, Scope, and Methodology
Appendix II – Major Contributors to This Report
Appendix III – Report Distribution List
Appendix IV – Additional Issues
The Internal Revenue Service (IRS) lockbox program consists of commercial banks that have contracted with the Financial Management Service (FMS), another Government agency, to process tax payments. This program was designed to accelerate the deposit of tax payments by having taxpayers send their payments to commercial banks rather than to the IRS. There are 10 lockbox bank sites nationwide that each support 1 of the 10 IRS Submission Processing Centers (SPC). The lockbox bank sites augment the 10 SPCs’ remittance processing capabilities, to help the IRS optimize deposits to the Treasury and to increase interest savings.
Mellon Bank operates the Los Angeles lockbox bank that processes tax payments for the Fresno SPC. The bank receives payments for U.S. Individual Income Tax Returns (Form 1040 series), employment tax returns (Form 940 series), and other miscellaneous tax payments. The Los Angeles bank handled approximately 10 percent of the more than 84 million payments, totaling $311 billion, processed for the entire lockbox network in Fiscal Year (FY) 2000.
During FY 2000, 65 percent of the total paper remittances and 71 percent of the total dollars deposited by the IRS were processed through the lockbox banks. The presence of taxpayer information on the remittance documents received with the tax returns makes the protection of both the remittances and the associated taxpayer information a unique requirement for these processing sites. Secure facilities and systems are required, as well as background investigations on the large numbers of temporary employees required to handle the four annual peak periods when the tax payments are due.
The Lockbox Processing Guidelines represent the agreement among the IRS, the FMS, and the banks detailing the specific services that the bank will perform for the IRS. These services include tasks that the IRS would otherwise have to do, such as ensuring checks are properly endorsed and deposited, providing security over the remittances and taxpayer data, and creating computer tapes of payment transactions. The bank also receives, sorts, and ships tax returns to the IRS. The IRS and the FMS are responsible for providing oversight of bank activities to ensure that the lockbox banks adhere to the procedures in the guidelines.
While the lockbox system is intended to provide the
Government with efficient cash management, there have been instances of fraud,
waste, and abuse that demonstrated a need for increased controls. In FY 1998, over 400 checks were discovered
in a night shift manager’s desk drawer at a lockbox bank in Charlotte, North
Carolina. In FY 2001, control
weaknesses contributed to the loss of taxpayer payments and taxpayer
information at a lockbox bank in Pittsburgh.
Approximately 71,000 remittances
valued in excess of $1.2 billion were lost or destroyed.
Audit work was performed at the Los Angeles lockbox bank from September through October 2001. The audit was conducted in accordance with Government Auditing Standards. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.
Although the Los Angeles bank was in compliance with established Lockbox Processing Guidelines concerning physical and data security for Calendar Year (CY) 2001, additional controls are needed in the Guidelines to reduce the risks associated with processing large volumes of taxpayer remittances that could lead to financial losses and erosion of taxpayer confidence.
Enhancements to video surveillance systems would aid in
prevention and detection of remittance theft
On-line monitoring by bank security personnel and review of historical back-up tapes for investigative purposes was hindered by having to view multiple cameras to follow the movement of work or employees.
In the Los Angeles lockbox bank there were 96 cameras, of which 66 focused on the processing areas and 30 focused on areas such as offices, entrances, doorways, loading platforms, and mail-opening machinery. While there were some cameras that provided wide-angle views, most cameras isolated specifically targeted areas. There were monitors capable of showing views for up to 16 cameras, located in 2 of the managers’ offices.
Video surveillance cameras should be capable of capturing macro and micro views of the operations. However, the Lockbox Processing Guidelines did not specify the need for the banks to configure cameras to capture panoramic views of the processing areas. Not having panoramic camera angles throughout the various processing areas makes monitoring the movement of work-in-process throughout the operation difficult and increases the risk of theft remaining undetected.
Testing of disaster recovery plans would reduce the risk of
revenue losses caused by processing delays
The disaster recovery plan has not been tested as required. The Lockbox Processing Guidelines require transshipment of remittances to a contingency site to validate the effectiveness of contingency processing.
The lockbox bank has requested, but not received, IRS authorization to perform live tests at its contingency site. The IRS has concerns about testing contingency plans with live taxpayer payments, as the inherent processing delays could result in additional penalty and interest to the taxpayer. However, untested contingency plans could result in unnecessary processing delays and loss of revenue to the Government, and adversely affect taxpayer relations in the event of an emergency at one or more of the lockbox sites.
Also, the Lockbox Processing Guidelines do not provide specific instructions on how to deal with biological and chemical threats such as Anthrax contamination. At a recent lockbox meeting with lockbox bank representatives, the IRS recommended that the banks use gloves and masks when handling IRS mail. The Los Angeles bank has mandated the use of gloves and made the use of masks optional. Special trash receptacles for used gloves and masks are being used, and computers and machinery are being cleaned by vacuuming rather than by air pressure. While the issue of biological and chemical attacks was not part of this review, Treasury Inspector General for Tax Administration audits of two other lockbox banks in FY 2002 will include a review of the handling of potentially contaminated mail.
Current Lockbox Processing Guidelines do not require couriers to have background clearance checks prior to handling IRS materials
While the Los Angeles lockbox bank had obtained police clearance check verifications for its couriers, there were no specific requirements in the Lockbox Processing Guidelines concerning them. Couriers handling taxpayer data and remittances should have background clearances commen-surate with those required of couriers used by the IRS. Though the IRS requires background clearances for couriers it employs, the Lockbox Processing Guidelines do not contain such a requirement.
The IRS was reliant upon the lockbox banks to employ sound business practices with regard to obtaining reliable couriers. However, the hiring of undesirable couriers increases the risk of theft or destruction of uncontrolled taxpayer remittances and data.
The Lockbox Processing Guidelines for CY 2002 include the requirement that Federal Bureau of Investigation (FBI) fingerprint check results be obtained for “each individual that will have access to the lockbox processing area.” Since couriers servicing the Los Angeles lockbox bank did not have access to the processing area but handled IRS materials, we discussed the intent of the 2002 Guidelines regarding courier fingerprint requirements with FMS management. The Guidelines have been subsequently updated to provide that a fingerprint check be obtained for “each individual that will have access to the lockbox processing area or taxpayer information.”
Current Lockbox Processing Guidelines do not require bank associates to have a completed background clearance check prior to processing IRS materials
Our review of hiring practices for a sample of bank associates
showed that there were 13 employees that began working at the Los Angeles
lockbox bank prior to receipt of a completed background clearance. As a result, undesirable employees may
process IRS data prior to receipt of a background clearance.
The IRS requires a completed FBI check for all of its employees prior to their entering on duty. However, the Lockbox Processing Guidelines did not address background clearance requirements for bank associates. The IRS relies on the bank to employ sound business practices in regard to obtaining clearances for its employees.
Lockbox Processing Guidelines for CY 2002 include the requirement for bank associates to receive an FBI fingerprint check. However, the guidelines do not specify that clearance must be received prior to associates processing IRS data.
Current Lockbox Processing Guidelines do not require temporary employees to have a completed background clearance check prior to processing IRS materials
While none of the temporary employees in our sample entered on duty prior to receipt of the police check clearances, these employees can be excepted from having police checks completed prior to entering on duty when staffing shortages exist during peak period processing. However, temporary employees are primarily hired for just this purpose – peak period processing.
Lockbox Processing Guidelines state that, “a police clearance check will be performed and the results obtained prior to the date on which the employment agency provides the temporary employee and every six months thereafter.” The Guidelines also state, “if insufficient staffing during a peak period is a problem, the requirement is to expedite a police clearance check as soon as possible.” In contrast, the IRS requires an FBI clearance for its employees prior to entering on duty.
The Lockbox Processing Guidelines requirement regarding this exception contradicts the intent of the rule. Using this exception could result in undesirable temporary employees processing IRS materials prior to receipt of a background clearance.
This issue was addressed in the Lockbox Processing Guidelines for CY 2002 to include the requirement that FBI fingerprint check results be obtained and questionable findings resolved prior to the temporary employee processing IRS information.
The validity of police clearance procedures for temporary
employees is questionable and may result in undesirable persons processing IRS
materials
Police clearance checks for temporary employment applicants may be unreliable. Applicants for temporary employment can avoid having felonies and misdemeanors identified by not providing address information for counties in which they have a police record.
Temporary employment applicants are required to provide a list of residences to the employment agency covering a minimum 7-year period. To obtain a police clearance check, a search for violations is made of police records by county of residence. The accuracy of the police clearance checks for temporary employees is dependent upon the correctness of the addresses provided by the applicant.
As there was no verification of the accuracy of the address provided by the applicant, this practice may result in undesirable temporary employees processing IRS materials until the background clearance denial is received.
The Lockbox Processing Guidelines for CY 2002 include the requirement for an FBI fingerprint check that would replace the current police check clearance procedure.
Prospective employees were not aware of the consequences of authorizing a police clearance check because the waiver form did not contain the required warning
The required “under penalty of perjury” clause did not appear on the police clearance check waiver form for use by temporary employees. The Lockbox Processing Guidelines require that, “the bank or employment agency will obtain from each temporary employee a written, signed waiver authorizing a police clearance check. This waiver must contain an UNDER PENALTY OF PERJURY clause with the signature.”
At the time of our review, the lockbox bank in Los Angeles had requested, but not received, a response from the Wage and Investment (W&I) Division Headquarters regarding the appropriate wording of the waiver. As a result, job applicants are not being advised of the consequences of their actions as required. The W&I Division provided the bank with the wording for the waiver subsequent to our review.
Clarification of guard service requirements is needed
There was no guard presence at the Los Angeles lockbox facility during the day shift in non-peak periods to monitor incoming packages and mail deliveries or oversee the processing areas.
Lockbox Processing Guidelines require that a security guard monitor incoming and outgoing packages, ensure that packages and courier vehicles are not left unattended, and patrol the lockbox processing areas. A primary function of the guard service is to permit authorized persons into a facility and, at the same time, keep unauthorized persons out.
There was no guard service presence during non-peak period shifts because the guidelines were unclear and, therefore, open to interpretation. The guard service portion of the guidelines mentions peak period in the requirements with no specific reference to non-peak periods. This condition was not identified during any of the various internal or external reviews conducted at the bank. IRS/FMS security review checklists do not specifically identify all guard duties for review.
Lockbox banks are more susceptible to internal or external threats when guard services are not employed as intended.
Clarification of courier service requirements is needed
The Los Angeles lockbox bank uses bank personnel in lieu of a courier service to transport remittance deposits to the depositary bank. Consequently, the daily lockbox deposits may not be receiving the level of security that would be provided by a courier service. Further, this practice is not commensurate with IRS courier use.
While the IRS requires the use of a courier service to transport its deposits to the depositary, the Lockbox Processing Guidelines do not specifically state that courier service is required. This issue was not raised during any prior internal or external reviews.
The Los Angeles lockbox bank plans to use a courier service for transport of daily deposits to the depositary bank beginning in CY 2002.
The Director,
Customer Account Services, W&I Division, should:
1. Include a requirement in the Guidelines that at least one video surveillance camera be dedicated to observing and recording a panoramic view of each processing area.
2. Consider involving the Office of Security in performing periodic security reviews at each lockbox bank.
3. Develop
test data for use in testing disaster recovery plans at the contingency sites
and ensure that tests are conducted as soon as possible.
4. Add
procedures to the Guidelines for the handling of potentially contaminated mail.
5. Add
a requirement to the Guidelines that clearance must be received prior to
couriers delivering and anyone processing IRS materials.
6. Clarify the Guidelines regarding guard service requirements to include non-peak periods and periodic security reviews of non-peak periods.
7. Require the use of courier services for the transport of all IRS materials.
Management’s Response: Management’s response to the draft report was due on February 7, 2002, with an extension granted to February 14, 2002. As of February 15, 2002, management had not responded to the draft report.
The Los Angeles lockbox bank was contractually required to provide adequate security, equipment, and facilities to safeguard all taxpayer payments and protect taxpayer information from unauthorized disclosure. Overall, the lockbox bank in Los Angeles was in compliance with and often exceeded the security requirements in the Lockbox Processing Guidelines for CY 2001. However, one processing area exit at the bank did not have adequate security to monitor egress.
The bank met or exceeded Lockbox Processing Guidelines
Our review of hiring practices showed that employee files appropriately
contained all required documentation. Controls governing the courier service used in the Los
Angeles lockbox bank ensured that couriers:
were properly authorized; displayed proper identification; signed
applicable mail logs; drove vehicles that met security requirements; were
insured; and did not enter the lockbox facility.
Physical and data security controls were in place and were sufficient to reduce the opportunities for theft or destruction of IRS materials. Controls included the use of security guards, locked entrances, visitor sign-in, employee identification badges, a video surveillance system, key access cards, an alarm system, and internal and external security reviews.
One processing area exit did not have adequate security to
monitor egress
There was one set of exit doors from the processing area that was not restricted by key card access. While there were video surveillance cameras in the area, some means of physical security is needed to reduce the potential risk associated with the removal of work from the processing area. The bank is required to ensure that adequate controls exist to prevent or minimize instances of theft.
The bank was prevented from installing key card access by
the fire department. Fire regulations
were cited that required one exit for unimpeded egress.
An exit from which work-in-process can be removed represents a potential high risk for large-scale losses of taxpayer payments and information.
8. The Director, Customer Account Services, W&I Division, should request that the bank alarm the doors.
Appendix I
Detailed Objective, Scope, and Methodology
The overall objective of this review was to evaluate the physical and internal controls of the lockbox program in a Los Angeles bank to determine whether taxpayer remittances were adequately safeguarded and taxpayer information was protected from unauthorized disclosure. To accomplish our objective, we:
I.
Determined the adequacy of employee background
screening by reviewing a judgmental sample of 50 lockbox employee personnel
folders from personnel files of current or former, full-time or temporary
employees to ensure that required personnel information was present.
A.
Determined
whether employee screening was completed prior to employees entering on duty.
B.
Determined whether background checks were similar for
temporary and full-time employees.
C.
Determined whether background checks were commensurate
with Internal Revenue Service (IRS) standards for similar IRS positions.
D.
Reviewed
trip reports from January through April 2001 to determine if IRS Submission
Processing Center lockbox coordinators verified whether police background
checks were conducted.
II.
Determined whether remittance information was properly
received for transport to the IRS by an authorized courier service and reviewed
courier employee signatures on mail sign-in and delivery logs to determine that
the courier employees actually signed to receive and deliver deposit and
taxpayer information.
A.
Reviewed contracts for
courier service to assess whether the courier signatures on the mail sign-in
and delivery logs were signed by authorized courier employees.
B.
Reviewed contracts for courier services to identify
authorized courier services and courier employees.
C.
Determined whether couriers were restricted to only
those areas to which they required access.
D.
Determined whether courier vehicles met
minimum-security requirements.
E.
Determined whether couriers were bonded and insured, and
had background investigations satisfactorily completed.
F.
Assessed whether lockbox courier requirements were
commensurate with IRS courier requirements.
III.
Reviewed policies, procedures, and agreements (Lockbox
Depositary Agreements, Lockbox Network Memorandum of Understanding, Lockbox
Processing Guidelines, Internal Revenue Manual and any local procedures) to
determine whether IRS, Financial Management Service (FMS), and lockbox
responsibilities for physical security and data security were established.
A.
Identified
the type and frequency of security reviews performed by the IRS, the FMS, and
the lockbox bank from January 2001 to date to ensure proper monitoring.
B.
Reviewed security reports and prior audit reports to
determine if proper corrective actions had been taken on security breaches and
control weaknesses previously identified.
C.
Reviewed shift manager desk check logs (monthly desk
check of managers) and IRS desk check logs (weekly desk checks of the entire
floor) to determine if required desk checks were performed.
D.
Obtained a listing of former lockbox employees and
dates of separation. Selected a
judgmental sample of all 12 former lockbox employees terminated during March
and April of 2001 to determine whether identification badges/access cards were returned
timely and access to computer systems was properly removed. Obtained and reviewed the badge assignment
log to verify that the sampled former employees returned identification
badges/access cards on the date of separation.
Obtained and reviewed a listing of deleted employees from the lockbox
computer system to verify that the former employees were timely removed.
E.
Determined if remittances have been properly stamped
with “United States Treasury” in the payee section.
F.
Reviewed candling[1]
practices to ensure that the chance of remittances being destroyed was
minimized.
G.
Performed a
walk-through and observed physical security.
H.
Evaluated the controls over unprocessable documents
sent to the IRS from the lockbox bank.
I.
Evaluated the internal controls in place to protect
taxpayer information from improper disclosure or destruction at the lockbox
bank and during transshipment to the IRS.
J.
Determined whether the disaster recovery plan had been
updated and tested as required.
Appendix II
Major Contributors to This Report
Gordon C. Milbourn III, Assistant
Inspector General for Audit (Small Business and Corporate Programs)
Richard J. Dagliolo, Director
Robert K. Irish, Audit Manager
Daniel A. Zaloom, Senior Auditor
Carol C. Gerkens, Auditor
Stephen A. Wybaillie, Auditor
Appendix III
Commissioner N:C
Deputy
Commissioner N:DC
Deputy
Commissioner, Small Business/Self-Employed Division S
Deputy
Commissioner, Wage and Investment Division
W
Chief Counsel CC
Director, Customer Account Services, Wage and Investment
Division W:CAS
Deputy Director, Customer Account Services, Wage and
Investment Division W:CAS
Director, Office of Program Evaluation and Risk Analysis
N:ADC:R:O
National Taxpayer Advocate TA
Office of Management Controls N:CFO:F:M
Director, Legislative Affairs CL:LA
Audit Liaisons:
Commissioner, Small
Business/Self-Employed Division S
Commissioner, Wage and Investment
Division W
Appendix IV
These two issues and recommendations are being presented separately because of disclosure restrictions.
****2e****