Nationwide Guidelines and Controls for Lockbox Banks Need
Further Improvement
September 2002
Reference Number:
2002-30-180
This report has cleared the Treasury
Inspector General for Tax Administration disclosure review process and
information determined to be restricted from public release has been redacted
from this document.
September
18, 2002
MEMORANDUM FOR
COMMISSIONER, SMALL BUSINESS/SELF-EMPLOYED DIVISION
COMMISSIONER, WAGE AND
INVESTMENT DIVISION
FROM: Pamela J. Gardiner /s/ Pamela J. Gardiner
Acting Inspector General
SUBJECT: Final Audit Report – Nationwide
Guidelines and Controls for Lockbox Banks Need Further Improvement (Audit #
200230035)
This
report presents a summary of issues of national significance for the Internal
Revenue Service’s (IRS) lockbox program.
The overall objective of this review was to analyze the results of
recent audits performed of lockbox facilities that process payments for
Business Submission Processing Centers to identify national issues regarding
the physical and internal security controls of the lockbox program.
The
IRS’ lockbox program consists of commercial banks that have contracted with the
Financial Management Service (FMS) to process tax payments. This program was designed to accelerate the
deposit of tax payments by having taxpayers send their payments to commercial
banks rather than to the IRS. In
Calendar Year (CY) 2001, lockbox banks processed more than 72 million payments
totaling over $329 billion.
With
this acceleration can come significant risks, as was evidenced during 2001 when
control weaknesses contributed to the loss of taxpayer payments and taxpayer
information at a lockbox bank in Pittsburgh, Pennsylvania. Approximately 71,000 taxpayer remittances
valued in excess of $1.2 billion were lost or destroyed.
In
summary, the Lockbox Processing Guidelines (LPG) represent the agreement
between the IRS, the FMS, and the banks detailing the specific services that
the banks will perform for the IRS. The
IRS has made a determined effort to ensure the LPG provides lockbox banks with
specific, understandable instructions regarding such tasks as transporting
mail, extracting tax returns and payments, processing payments, and maintaining
security over IRS materials. Still, the
IRS needs to make further improvements to the LPG and needs to address other
issues related to security over tax payments and related documents, such as the
distance between lockbox banks and the IRS Submission Processing Centers, and
the use of non-United States (U.S.) citizens to process payments.
Specifically,
we recommend that the Directors, Customer Account Services, Small
Business/Self-Employed (SB/SE) and Wage and Investment (W&I) Divisions,
ensure that criteria are established in future bid solicitations to limit the distance
between lockbox banks and the Submission Processing Centers they service, and
that they take actions to ensure that background checks are adequate for
non-U.S. citizens working in lockbox facilities. The Director, Customer Account Services, W&I Division should
also see that revisions are made to the LPG to address other weaknesses
discussed in this report.
To present a complete discussion of the issues we identified which affected
all lockbox banks and were not unique to the banks included in our review, we
also included in this report additional information about two findings that
were presented in a previous report (see pages 9 and 10). The IRS responded earlier to these two
issues but agreed to reconsider them in light of the additional information we
presented. Management’s complete
response to the draft report is included as Appendix IV.
Office
of Audit Comment: Subsequent to our
review, more taxpayer checks were stolen from one of the IRS’ lockbox
facilities. The evidence indicates that
a crime ring from a foreign country may be involved in the negotiation of, and
possibly the actual theft of, the checks.
The IRS committees reviewing standards related to the hiring of non-U.S.
citizens should carefully consider these events when developing their findings
and recommendations.
Copies of this report are also being sent to the IRS managers who are affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Gordon C. Milbourn III, Assistant Inspector General for Audit (Small Business and Corporate Programs), at (202) 622-3837.
Lockbox Banks’ Use of Non-United States Citizen Labor May Put
Tax Data at Risk
Lockbox Processing Guidelines Do Not Always Provide Clear Instructions to Lockbox Banks
Appendix I – Detailed Objective, Scope, and Methodology
Appendix II – Major Contributors to This Report
Appendix III – Report Distribution List
Appendix IV – Management’s Response to the Draft Report
The Internal Revenue Service (IRS) lockbox program consists
of commercial banks that have contracted with the Financial Management Service
(FMS) to process tax payments. This
program was designed to accelerate the deposit of tax payments by having
taxpayers send their payments to commercial banks rather than to the IRS. There are 9 lockbox sites nationwide that
support the 10 IRS Submission Processing Centers. The lockbox sites augment these Submission Processing Centers’
remittance processing capabilities, and were contracted to help the IRS
optimize deposits to the Treasury and increase interest savings.
The lockbox banks receive payments for U.S. Individual Income Tax Returns (Form 1040 series), employment tax returns (Form 940 series), and other miscellaneous types of taxes. In Calendar Year (CY) 2001, lockbox banks processed more than 72 million payments totaling over $329 billion.
The Lockbox Processing Guidelines (LPG) represent the agreement among the IRS, the FMS, and the banks detailing the specific services that the banks will perform for the IRS. These services include tasks that the IRS would otherwise have to do, such as ensuring checks are properly endorsed and deposited, providing security over the remittances and taxpayer data, and creating computer tapes of payment transactions. The lockbox banks also receive, sort, and ship tax returns to the IRS. The IRS and the FMS are responsible for providing oversight of lockbox activities to ensure that the banks adhere to the requirements in the LPG.
While the lockbox system is intended to provide the government with efficient cash management, there have been instances of fraud, waste, and abuse that demonstrated a need for increased controls. In 1998, over 400 checks were discovered in a night shift manager’s desk drawer at a lockbox bank in Charlotte, North Carolina. In 2001, control weaknesses contributed to the loss of taxpayer payments and taxpayer information at a lockbox bank in Pittsburgh, Pennsylvania. Approximately 71,000 remittances valued in excess of $1.2 billion were lost or destroyed.
We conducted audit work in three separate audits at lockbox banks in Los Angeles, California; Dallas, Texas; and Cincinnati, Ohio from September 2001 through April 2002. Issues specific to these lockbox banks were reported previously so immediate corrective actions could be taken at local levels. This report discusses issues of national significance affecting the lockbox program overall. The audits were conducted in accordance with Government Auditing Standards. Detailed information on our audit objective, scope, and methodology are presented in Appendix I. Major contributors to the report are listed in Appendix II.
The lockbox banks serving the Ogden, Utah, and Philadelphia, Pennsylvania, Submission Processing Centers are located significant distances from those centers.
· The Dallas lockbox bank is located almost 1,400 miles from the Ogden Submission Processing Center. To send tax data and unprocessed remittances to Ogden, the lockbox bank uses two ground courier services and an air transport service.
· The Cincinnati lockbox bank is located almost 600 miles from the Philadelphia Submission Processing Center. Only one ground courier service is used to send tax data and unprocessed remittances from the lockbox bank to Philadelphia. One courier employee stated that he routinely took eight hours to make the trip. To make the trip in that time, the courier had to travel an average speed of 75 miles per hour.
This occurs because the IRS established no distance criteria between lockbox facilities and Submission Processing Centers when soliciting bids from commercial banks for lockbox services.
Shipments between lockbox banks and Submission Processing Centers contain sensitive, private information pertaining to taxpayers and their financial status. The IRS and lockbox banks have a legal obligation to protect the confidentiality of tax returns and related information. To help ensure this is accomplished, the IRS has mandated, in the LPG, the implementation of specific controls and procedures regarding the lockbox banks’ use of ground courier services, including the following:
· Courier services must provide lockbox management the names and proof of identity of each individual who will have access to IRS data.
· Courier employees must undergo Federal Bureau of Investigations (FBI) fingerprint checks before being granted access to IRS data.
· Courier services must provide lockbox management with disaster contingency plans to ensure that data continues to be transported in the event of disasters or other unforeseen events.
· Couriers must transport IRS data from the lockbox bank directly to the Submission Processing Center with no stops in between. Courier personnel must remain with IRS data until it has been delivered to the Submission Processing Center.
Although air transport services could also be considered “couriers,” it is not feasible to require air transport services to adhere to all of these controls and procedures. However, tax returns and related information should receive the same protection while under the control of air transport services as they do while under the control of ground courier services. Using only ground transportation alternatives means that the greater the distance between the lockbox facility and the Submission Processing Center, the greater the probability of vehicle problems or accidents, and the greater risk that couriers will make stops (e.g., for meals or personal needs) leaving the vehicle unattended. As a result, the risk of disclosure of sensitive taxpayer data and the theft of remittances is increased.
1. The Directors, Customer Account Services, Small Business/Self-Employed (SB/SE) and Wage and Investment (W&I) Divisions, should ensure that criteria are established in future bid solicitations to limit the distance between lockbox banks and the Submission Processing Centers they service.
Management’s Response: The IRS will issue a memorandum requesting that a “reasonable distance” evaluation criterion be established by FMS in future selection actions.
Lockbox banks often use non-United States (U.S.) citizens with lawful permanent residence status to process IRS tax payments. Unless lockbox banks can ensure that these non-U.S. citizens have no history of criminal activity (in their country of origin as well as in the U.S.), the use of these individuals to process IRS tax materials, including remittances, poses unnecessary risks to IRS materials.
An FBI fingerprint check must be performed for each individual who will have access to the lockbox processing area or taxpayer information. The results of the fingerprint check must be obtained prior to the date on which an individual is granted access to IRS data. For most U.S. citizens, this FBI fingerprint check could include their arrest records over most of their lifetime. However, because non-U.S. citizens (even those granted lawful permanent resident status) may have lived in this country for only a very short time, these FBI background checks may have very little information. Because of the extreme sensitivity of IRS data, and the risk of theft of monetary resources as well as taxpayers’ identities, background checks which only include the time a non-U.S. citizen has been in this country may not be sufficient. For example, there have been numerous cases of foreign nationals living in the U.S. who have committed identity theft against U.S. citizens.
The Department of State and the Immigration and Naturalization Service perform some background checks before issuing visas to non-residents or upgrading visas that may allow individuals to achieve lawful permanent resident status. However, neither we nor the IRS know the extent of those background checks. We made official requests for this information, and learned that every applicant for an immigrant visa to the U.S. has his or her name checked against the Consular Lookout and Support System, which contains the names of individuals ineligible or potentially ineligible for a visa under U.S. law. However, we were not able to learn exactly what would cause an individual’s name to appear on this system. This is of concern because recent disclosures in the press have shown that visas may be granted to foreign applicants without so much as an interview by a consular official. As of the date of this report, we had not received information regarding the background checks performed when individuals’ visas are upgraded to lawful permanent resident status.
Although the IRS hires only U.S. citizens to process tax returns and remittances, the IRS and FMS have allowed lockbox banks to hire non-U.S. citizens. Their policy is consistent with guidelines from the Department of the Treasury regarding the hiring of contract employees.
The uncertainty of the criminal histories of non-U.S. citizens hired by lockbox banks may lead to the hiring of undesirable individuals. This increases the risk of theft of remittances or misuse of other IRS materials.
2. The Directors, Customer Account Services, SB/SE and W&I Divisions, should:
Management’s Response: A task group under the Operations Security Committee will review the current standards and present findings and options to the committee for presentation to the Security Executive Steering Committee. If that committee determines the current standards provide inadequate protection or the risk is not reduced by other security measures, the IRS will incorporate more stringent requirements into the LPG after appropriate coordination with FMS and the Department of the Treasury.
Office of Audit Comment: Subsequent to our review, more taxpayer checks were stolen from one of the IRS’ lockbox facilities. The evidence indicates that a crime ring from a foreign country may be involved in the negotiation of, and possibly the actual theft of, the checks. The IRS committees reviewing standards related to the hiring of non-U.S. citizens should carefully consider these events when developing their findings and options.
The IRS has made a determined effort to ensure the LPG provides lockbox banks with specific, understandable instructions regarding such tasks as transporting mail, extracting tax returns and payments, processing payments, and maintaining security over IRS materials. The IRS has made many improvements to the LPG and has made it much more “user friendly.” However, the LPG is unclear or does not provide necessary instructions in the following areas.
Because of the great distances between some of the lockbox banks and the Submission Processing Centers which they service, some lockbox banks used air transport services to ship tax returns, unprocessable remittances, and other tax information. The LPG provides requirements to be followed by ground courier services regarding suitability of personnel, vehicles, and other equipment; security to be maintained over IRS data; bonding and/or insuring of courier employees; disaster contingencies; etc. However, it provides no such instructions regarding air transport services.
“Seeding” mail in extraction areas
An important detector of, and deterrent to, the theft of remittances involves purposely placing cash or intentionally misrouted checks among incoming mail to determine if employees will steal these remittances. This process is known as “seeding.” The LPG requires lockbox sites to perform seeding during April peak, using a minimum of 10 temporary employees. However, a subsequent section of the LPG states that seeding may be performed by FMS or IRS personnel, causing confusion regarding exactly who is responsible for seeding.
April peak is the time when the largest volume of individual income tax payments are processed, but is not the time when the largest number of business tax payments are processed. The requirement to seed during April was established when all 10 of the IRS’ Submission Processing Centers (and the lockbox banks serving them) processed receipts from both individual and business taxpayers. Since then, the IRS has consolidated the processing of business tax returns to two Submission Processing Centers. The LPG’s seeding requirements do not address peaks for business tax returns. The seeding of banks processing business tax payments might more appropriately be required during the first quarter of the calendar year when most business tax returns are filed, or throughout the year when quarterly business tax returns are filed.
Lockbox management reviews
The LPG requires lockbox management to perform reviews of several operations, however the guidelines do not always specify what management is to accomplish during these reviews, or how these reviews should be documented. For example, the LPG requires management officials to review items to be shredded; logbooks of key, proximity, and swipe cards; and courier logs. However, the guidelines do not specify the objectives of the reviews or what the management official should be looking for, and they do not specify how the reviews should be documented.
The LPG requires courier services to be bonded or insured for $1 million. However, the guidelines give no details regarding the specific type of coverage to be provided.
IRS officials continually updated and revised the LPG to provide specific understandable instructions to the lockbox banks. However, they had not identified the omissions and ambiguities discussed above. As a result, the IRS management’s control objectives were not always accomplished, and the risk of disclosure of sensitive taxpayer data and theft of remittances increased.
3.
The Director, Customer Accounts Services, W&I
Division, should ensure that appropriate revisions are made to the LPG to
address the issues discussed above.
Management’s
Response:
The Director, Customer Account Services, W&I Division working with
the Director, Customer Account Services, SB/SE Division, and the Director,
Security Policy Support and Oversight, Office of Security Services will clarify
the language and instructions in the LPG on the issues addressed in this
recommendation.
In a prior report discussing the IRS’ lockbox facility in
Los Angeles, California, we discussed and made recommendations regarding the
following two issues that were of national significance and not related solely
to the Los Angeles facility. The IRS
did not agree with our recommendations.
After completing our work in the Dallas, Texas and Cincinnati, Ohio
lockbox facilities, we believe that these issues warrant further IRS
consideration. While we are not making
further formal recommendations regarding these issues, we encourage the IRS to
reconsider its response to our prior ones.
There was no reasonable assurance that all mail received at
post offices was actually delivered to the lockbox facilities. At the time of our reviews, the couriers
personally loaded uncounted and unsecured mail at the post office for delivery
to the lockbox bank. Consequently, we
recommended the IRS provide for locking containers and coordinate with the post
office in implementing inventory controls to reduce the risk of loss during the
transfer of mail from the post office to the lockbox facility.
Subsequent to our reviews, the IRS instituted the procedure
of having post office employees count and sign for the number of mail trays and
tubs loaded into courier vehicles.
Although this improved the controls over mail transported from the post
office to lockbox banks somewhat, the risk of loss or theft of remittances and
other IRS data is still significant.
The General Accounting Office’s Standards for Internal
Control in the Federal Government require agencies to establish physical
control to secure and safeguard valuable assets. In addition, the Standards require access to resources be
limited to authorized individuals and accountability of their custody should be
assigned and maintained.
While the LPG requires that outgoing shipments of
remittances and tax information for courier delivery be placed in sealed
packages and locked containers for shipment, the LPG does not address specific
packaging or inventory control requirements for security concerning the
handling of mail between the post office and the lockbox bank. IRS management believes that implementing a
locked container process from the post office would be expensive and slow down
the remittance process.
Discussions between the lockbox site manager and a local
Postmaster in Cincinnati, Ohio showed the potential for “hands free” courier
service to the lockbox bank. The
Postmaster indicated that postal personnel could wheel mail carts directly into
the courier vehicle via a loading platform and then padlock the door. The courier vehicle would then be unlocked
at the lockbox bank with keys maintained there.
Enhancements to video surveillance systems would aid in prevention and detection of remittance theft
The LPG did not specify the need for banks to configure
cameras to capture panoramic views of the processing area. Not having panoramic camera angles
throughout the various processing areas makes monitoring the movement of work-in-process
throughout the operation difficult and increases the risk of theft going
undetected. As a result, we recommended
the IRS include a requirement in the LPG that at least one video surveillance
camera be dedicated to observing and recording a panoramic view of each
processing area.
IRS management believes that panoramic view cameras may be
of limited value. However, officials
from the Treasury Inspector General for Tax Administration Office of
Investigations advised us of the need for panoramic views as a result of
difficulties encountered gathering evidence in their investigation of the
Mellon lockbox bank losses identified in Pittsburgh, Pennsylvania. Further, during our reviews of lockbox
facilities in Cincinnati, Ohio and Dallas, Texas, we found both facilities
adequately incorporated both macro and micro views of entire processing areas.
Appendix I
Detailed Objective, Scope, and Methodology
The overall objective of this review was to analyze the results of recent audits performed of lockbox facilities that process payments for Business Submission Processing Centers to identify national issues regarding the physical and internal security controls of the lockbox program. To accomplish our objective we evaluated the following national issues:
I. Ambiguous or unclear instructions in the Lockbox Processing Guidelines.
II. Lockbox banks’ use of non-United States citizen labor.
III. Excessive distances between the lockbox banks and the Internal Revenue Service’s Submission Processing Centers.
IV. Security improvements needed for packages and unprocessable documents.
V. Additional controls needed for mail delivered by the courier from the post office.
A.
Additional controls needed for courier services,
including air transport.
Appendix II
Major Contributors to This Report
Gordon C. Milbourn III, Assistant Inspector
General for Audit (Small Business and Corporate Programs)
Richard J. Dagliolo, Director
Kyle
R. Andersen, Audit Manager
Robert K. Irish, Audit Manager
Kyle D. Bambrough, Senior Auditor
Larry Madsen, Senior Auditor
Daniel A. Zaloom, Senior Auditor
Douglas C. Barneck, Auditor
Stephen A. Wybaillie, Auditor
Appendix III
Commissioner N:C
Deputy
Commissioner N:DC
Deputy
Commissioner, Small Business/Self-Employed Division S
Deputy Commissioner, Wage and Investment Division W
Director, Customer Account Services, Small
Business/Self-Employed Division S:CAS
Director, Customer Account Services, Wage and Investment
Division W:CAS
Director, Security Policy Support and Oversight M:S:S
Associate Director, Personnel Security Office, Agency-Wide
Shared Services A:PS:PSO
Chief Counsel CC
National Taxpayer Advocate
TA
Director, Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk
Analysis N:ADC:R:O
Office of Management Controls N:CFO:F:M
Audit Liaisons:
Commissioner, Small Business/Self-Employed Division S
Commissioner, Wage and Investment Division W
Appendix IV
The response was removed due to its size. To see the complete response, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.