Nationwide Guidelines and Controls for Lockbox Banks Need Further Improvement
Reference Number: 2002-30-180
This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.
September 18, 2002
MEMORANDUM FOR COMMISSIONER, SMALL BUSINESS/SELF-EMPLOYED DIVISION
COMMISSIONER, WAGE AND INVESTMENT DIVISION
FROM: Pamela J. Gardiner /s/ Pamela J. Gardiner
Acting Inspector General
SUBJECT: Final Audit Report – Nationwide Guidelines and Controls for Lockbox Banks Need Further Improvement (Audit # 200230035)
This report presents a summary of issues of national significance for the Internal Revenue Service’s (IRS) lockbox program. The overall objective of this review was to analyze the results of recent audits performed of lockbox facilities that process payments for Business Submission Processing Centers to identify national issues regarding the physical and internal security controls of the lockbox program.
The IRS’ lockbox program consists of commercial banks that have contracted with the Financial Management Service (FMS) to process tax payments. This program was designed to accelerate the deposit of tax payments by having taxpayers send their payments to commercial banks rather than to the IRS. In Calendar Year (CY) 2001, lockbox banks processed more than 72 million payments totaling over $329 billion.
With this acceleration can come significant risks, as was evidenced during 2001 when control weaknesses contributed to the loss of taxpayer payments and taxpayer information at a lockbox bank in Pittsburgh, Pennsylvania. Approximately 71,000 taxpayer remittances valued in excess of $1.2 billion were lost or destroyed.
In summary, the Lockbox Processing Guidelines (LPG) represent the agreement between the IRS, the FMS, and the banks detailing the specific services that the banks will perform for the IRS. The IRS has made a determined effort to ensure the LPG provides lockbox banks with specific, understandable instructions regarding such tasks as transporting mail, extracting tax returns and payments, processing payments, and maintaining security over IRS materials. Still, the IRS needs to make further improvements to the LPG and needs to address other issues related to security over tax payments and related documents, such as the distance between lockbox banks and the IRS Submission Processing Centers, and the use of non-United States (U.S.) citizens to process payments.
Specifically, we recommend that the Directors, Customer Account Services, Small Business/Self-Employed (SB/SE) and Wage and Investment (W&I) Divisions, ensure that criteria are established in future bid solicitations to limit the distance between lockbox banks and the Submission Processing Centers they service, and that they take actions to ensure that background checks are adequate for non-U.S. citizens working in lockbox facilities. The Director, Customer Account Services, W&I Division should also see that revisions are made to the LPG to address other weaknesses discussed in this report.
To present a complete discussion of the issues we identified which affected all lockbox banks and were not unique to the banks included in our review, we also included in this report additional information about two findings that were presented in a previous report (see pages 9 and 10). The IRS responded earlier to these two issues but agreed to reconsider them in light of the additional information we presented. Management’s complete response to the draft report is included as Appendix IV.
Office of Audit Comment: Subsequent to our review, more taxpayer checks were stolen from one of the IRS’ lockbox facilities. The evidence indicates that a crime ring from a foreign country may be involved in the negotiation of, and possibly the actual theft of, the checks. The IRS committees reviewing standards related to the hiring of non-U.S. citizens should carefully consider these events when developing their findings and recommendations.
Copies of this report are also being sent to the IRS managers who are affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Gordon C. Milbourn III, Assistant Inspector General for Audit (Small Business and Corporate Programs), at (202) 622-3837.
The Internal Revenue Service (IRS) lockbox program consists of commercial banks that have contracted with the Financial Management Service (FMS) to process tax payments. This program was designed to accelerate the deposit of tax payments by having taxpayers send their payments to commercial banks rather than to the IRS. There are 9 lockbox sites nationwide that support the 10 IRS Submission Processing Centers. The lockbox sites augment these Submission Processing Centers’ remittance processing capabilities, and were contracted to help the IRS optimize deposits to the Treasury and increase interest savings.
The lockbox banks receive payments for U.S. Individual Income Tax Returns (Form 1040 series), employment tax returns (Form 940 series), and other miscellaneous types of taxes. In Calendar Year (CY) 2001, lockbox banks processed more than 72 million payments totaling over $329 billion.
The Lockbox Processing Guidelines (LPG) represent the agreement among the IRS, the FMS, and the banks detailing the specific services that the banks will perform for the IRS. These services include tasks that the IRS would otherwise have to do, such as ensuring checks are properly endorsed and deposited, providing security over the remittances and taxpayer data, and creating computer tapes of payment transactions. The lockbox banks also receive, sort, and ship tax returns to the IRS. The IRS and the FMS are responsible for providing oversight of lockbox activities to ensure that the banks adhere to the requirements in the LPG.
While the lockbox system is intended to provide the government with efficient cash management, there have been instances of fraud, waste, and abuse that demonstrated a need for increased controls. In 1998, over 400 checks were discovered in a night shift manager’s desk drawer at a lockbox bank in Charlotte, North Carolina. In 2001, control weaknesses contributed to the loss of taxpayer payments and taxpayer information at a lockbox bank in Pittsburgh, Pennsylvania. Approximately 71,000 remittances valued in excess of $1.2 billion were lost or destroyed.
We conducted audit work in three separate audits at lockbox banks in Los Angeles, California; Dallas, Texas; and Cincinnati, Ohio from September 2001 through April 2002. Issues specific to these lockbox banks were reported previously so immediate corrective actions could be taken at local levels. This report discusses issues of national significance affecting the lockbox program overall. The audits were conducted in accordance with Government Auditing Standards. Detailed information on our audit objective, scope, and methodology are presented in Appendix I. Major contributors to the report are listed in Appendix II.
The lockbox banks serving the Ogden, Utah, and Philadelphia, Pennsylvania, Submission Processing Centers are located significant distances from those centers.
· The Dallas lockbox bank is located almost 1,400 miles from the Ogden Submission Processing Center. To send tax data and unprocessed remittances to Ogden, the lockbox bank uses two ground courier services and an air transport service.
· The Cincinnati lockbox bank is located almost 600 miles from the Philadelphia Submission Processing Center. Only one ground courier service is used to send tax data and unprocessed remittances from the lockbox bank to Philadelphia. One courier employee stated that he routinely took eight hours to make the trip. To make the trip in that time, the courier had to travel an average speed of 75 miles per hour.
This occurs because the IRS established no distance criteria between lockbox facilities and Submission Processing Centers when soliciting bids from commercial banks for lockbox services.
Shipments between lockbox banks and Submission Processing Centers contain sensitive, private information pertaining to taxpayers and their financial status. The IRS and lockbox banks have a legal obligation to protect the confidentiality of tax returns and related information. To help ensure this is accomplished, the IRS has mandated, in the LPG, the implementation of specific controls and procedures regarding the lockbox banks’ use of ground courier services, including the following:
· Courier services must provide lockbox management the names and proof of identity of each individual who will have access to IRS data.
· Courier employees must undergo Federal Bureau of Investigations (FBI) fingerprint checks before being granted access to IRS data.
· Courier services must provide lockbox management with disaster contingency plans to ensure that data continues to be transported in the event of disasters or other unforeseen events.
· Couriers must transport IRS data from the lockbox bank directly to the Submission Processing Center with no stops in between. Courier personnel must remain with IRS data until it has been delivered to the Submission Processing Center.
Although air transport services could also be considered “couriers,” it is not feasible to require air transport services to adhere to all of these controls and procedures. However, tax returns and related information should receive the same protection while under the control of air transport services as they do while under the control of ground courier services. Using only ground transportation alternatives means that the greater the distance between the lockbox facility and the Submission Processing Center, the greater the probability of vehicle problems or accidents, and the greater risk that couriers will make stops (e.g., for meals or personal needs) leaving the vehicle unattended. As a result, the risk of disclosure of sensitive taxpayer data and the theft of remittances is increased.
1. The Directors, Customer Account Services, Small Business/Self-Employed (SB/SE) and Wage and Investment (W&I) Divisions, should ensure that criteria are established in future bid solicitations to limit the distance between lockbox banks and the Submission Processing Centers they service.
Management’s Response: The IRS will issue a memorandum requesting that a “reasonable distance” evaluation criterion be established by FMS in future selection actions.
Lockbox banks often use non-United States (U.S.) citizens with lawful permanent residence status to process IRS tax payments. Unless lockbox banks can ensure that these non-U.S. citizens have no history of criminal activity (in their country of origin as well as in the U.S.), the use of these individuals to process IRS tax materials, including remittances, poses unnecessary risks to IRS materials.
An FBI fingerprint check must be performed for each individual who will have access to the lockbox processing area or taxpayer information. The results of the fingerprint check must be obtained prior to the date on which an individual is granted access to IRS data. For most U.S. citizens, this FBI fingerprint check could include their arrest records over most of their lifetime. However, because non-U.S. citizens (even those granted lawful permanent resident status) may have lived in this country for only a very short time, these FBI background checks may have very little information. Because of the extreme sensitivity of IRS data, and the risk of theft of monetary resources as well as taxpayers’ identities, background checks which only include the time a non-U.S. citizen has been in this country may not be sufficient. For example, there have been numerous cases of foreign nationals living in the U.S. who have committed identity theft against U.S. citizens.
The Department of State and the Immigration and Naturalization Service perform some background checks before issuing visas to non-residents or upgrading visas that may allow individuals to achieve lawful permanent resident status. However, neither we nor the IRS know the extent of those background checks. We made official requests for this information, and learned that every applicant for an immigrant visa to the U.S. has his or her name checked against the Consular Lookout and Support System, which contains the names of individuals ineligible or potentially ineligible for a visa under U.S. law. However, we were not able to learn exactly what would cause an individual’s name to appear on this system. This is of concern because recent disclosures in the press have shown that visas may be granted to foreign applicants without so much as an interview by a consular official. As of the date of this report, we had not received information regarding the background checks performed when individuals’ visas are upgraded to lawful permanent resident status.
Although the IRS hires only U.S. citizens to process tax returns and remittances, the IRS and FMS have allowed lockbox banks to hire non-U.S. citizens. Their policy is consistent with guidelines from the Department of the Treasury regarding the hiring of contract employees.
The uncertainty of the criminal histories of non-U.S. citizens hired by lockbox banks may lead to the hiring of undesirable individuals. This increases the risk of theft of remittances or misuse of other IRS materials.
2. The Directors, Customer Account Services, SB/SE and W&I Divisions, should:
Management’s Response: A task group under the Operations Security Committee will review the current standards and present findings and options to the committee for presentation to the Security Executive Steering Committee. If that committee determines the current standards provide inadequate protection or the risk is not reduced by other security measures, the IRS will incorporate more stringent requirements into the LPG after appropriate coordination with FMS and the Department of the Treasury.
Office of Audit Comment: Subsequent to our review, more taxpayer checks were stolen from one of the IRS’ lockbox facilities. The evidence indicates that a crime ring from a foreign country may be involved in the negotiation of, and possibly the actual theft of, the checks. The IRS committees reviewing standards related to the hiring of non-U.S. citizens should carefully consider these events when developing their findings and options.
The IRS has made a determined effort to ensure the LPG provides lockbox banks with specific, understandable instructions regarding such tasks as transporting mail, extracting tax returns and payments, processing payments, and maintaining security over IRS materials. The IRS has made many improvements to the LPG and has made it much more “user friendly.” However, the LPG is unclear or does not provide necessary instructions in the following areas.
Because of the great distances between some of the lockbox banks and the Submission Processing Centers which they service, some lockbox banks used air transport services to ship tax returns, unprocessable remittances, and other tax information. The LPG provides requirements to be followed by ground courier services regarding suitability of personnel, vehicles, and other equipment; security to be maintained over IRS data; bonding and/or insuring of courier employees; disaster contingencies; etc. However, it provides no such instructions regarding air transport services.
“Seeding” mail in extraction areas
An important detector of, and deterrent to, the theft of remittances involves purposely placing cash or intentionally misrouted checks among incoming mail to determine if employees will steal these remittances. This process is known as “seeding.” The LPG requires lockbox sites to perform seeding during April peak, using a minimum of 10 temporary employees. However, a subsequent section of the LPG states that seeding may be performed by FMS or IRS personnel, causing confusion regarding exactly who is responsible for seeding.
April peak is the time when the largest volume of individual income tax payments are processed, but is not the time when the largest number of business tax payments are processed. The requirement to seed during April was established when all 10 of the IRS’ Submission Processing Centers (and the lockbox banks serving them) processed receipts from both individual and business taxpayers. Since then, the IRS has consolidated the processing of business tax returns to two Submission Processing Centers. The LPG’s seeding requirements do not address peaks for business tax returns. The seeding of banks processing business tax payments might more appropriately be required during the first quarter of the calendar year when most business tax returns are filed, or throughout the year when quarterly business tax returns are filed.
Lockbox management reviews
The LPG requires lockbox management to perform reviews of several operations, however the guidelines do not always specify what management is to accomplish during these reviews, or how these reviews should be documented. For example, the LPG requires management officials to review items to be shredded; logbooks of key, proximity, and swipe cards; and courier logs. However, the guidelines do not specify the objectives of the reviews or what the management official should be looking for, and they do not specify how the reviews should be documented.
The LPG requires courier services to be bonded or insured for $1 million. However, the guidelines give no details regarding the specific type of coverage to be provided.
IRS officials continually updated and revised the LPG to provide specific understandable instructions to the lockbox banks. However, they had not identified the omissions and ambiguities discussed above. As a result, the IRS management’s control objectives were not always accomplished, and the risk of disclosure of sensitive taxpayer data and theft of remittances increased.
3. The Director, Customer Accounts Services, W&I Division, should ensure that appropriate revisions are made to the LPG to address the issues discussed above.
Management’s Response: The Director, Customer Account Services, W&I Division working with the Director, Customer Account Services, SB/SE Division, and the Director, Security Policy Support and Oversight, Office of Security Services will clarify the language and instructions in the LPG on the issues addressed in this recommendation.
In a prior report discussing the IRS’ lockbox facility in Los Angeles, California, we discussed and made recommendations regarding the following two issues that were of national significance and not related solely to the Los Angeles facility. The IRS did not agree with our recommendations. After completing our work in the Dallas, Texas and Cincinnati, Ohio lockbox facilities, we believe that these issues warrant further IRS consideration. While we are not making further formal recommendations regarding these issues, we encourage the IRS to reconsider its response to our prior ones.
There was no reasonable assurance that all mail received at post offices was actually delivered to the lockbox facilities. At the time of our reviews, the couriers personally loaded uncounted and unsecured mail at the post office for delivery to the lockbox bank. Consequently, we recommended the IRS provide for locking containers and coordinate with the post office in implementing inventory controls to reduce the risk of loss during the transfer of mail from the post office to the lockbox facility.
Subsequent to our reviews, the IRS instituted the procedure of having post office employees count and sign for the number of mail trays and tubs loaded into courier vehicles. Although this improved the controls over mail transported from the post office to lockbox banks somewhat, the risk of loss or theft of remittances and other IRS data is still significant.
The General Accounting Office’s Standards for Internal Control in the Federal Government require agencies to establish physical control to secure and safeguard valuable assets. In addition, the Standards require access to resources be limited to authorized individuals and accountability of their custody should be assigned and maintained.
While the LPG requires that outgoing shipments of remittances and tax information for courier delivery be placed in sealed packages and locked containers for shipment, the LPG does not address specific packaging or inventory control requirements for security concerning the handling of mail between the post office and the lockbox bank. IRS management believes that implementing a locked container process from the post office would be expensive and slow down the remittance process.
Discussions between the lockbox site manager and a local Postmaster in Cincinnati, Ohio showed the potential for “hands free” courier service to the lockbox bank. The Postmaster indicated that postal personnel could wheel mail carts directly into the courier vehicle via a loading platform and then padlock the door. The courier vehicle would then be unlocked at the lockbox bank with keys maintained there.
Enhancements to video surveillance systems would aid in prevention and detection of remittance theft
The LPG did not specify the need for banks to configure cameras to capture panoramic views of the processing area. Not having panoramic camera angles throughout the various processing areas makes monitoring the movement of work-in-process throughout the operation difficult and increases the risk of theft going undetected. As a result, we recommended the IRS include a requirement in the LPG that at least one video surveillance camera be dedicated to observing and recording a panoramic view of each processing area.
IRS management believes that panoramic view cameras may be of limited value. However, officials from the Treasury Inspector General for Tax Administration Office of Investigations advised us of the need for panoramic views as a result of difficulties encountered gathering evidence in their investigation of the Mellon lockbox bank losses identified in Pittsburgh, Pennsylvania. Further, during our reviews of lockbox facilities in Cincinnati, Ohio and Dallas, Texas, we found both facilities adequately incorporated both macro and micro views of entire processing areas.
The overall objective of this review was to analyze the results of recent audits performed of lockbox facilities that process payments for Business Submission Processing Centers to identify national issues regarding the physical and internal security controls of the lockbox program. To accomplish our objective we evaluated the following national issues:
I. Ambiguous or unclear instructions in the Lockbox Processing Guidelines.
II. Lockbox banks’ use of non-United States citizen labor.
III. Excessive distances between the lockbox banks and the Internal Revenue Service’s Submission Processing Centers.
IV. Security improvements needed for packages and unprocessable documents.
V. Additional controls needed for mail delivered by the courier from the post office.
A. Additional controls needed for courier services, including air transport.
Gordon C. Milbourn III, Assistant Inspector General for Audit (Small Business and Corporate Programs)
Richard J. Dagliolo, Director
Kyle R. Andersen, Audit Manager
Robert K. Irish, Audit Manager
Kyle D. Bambrough, Senior Auditor
Larry Madsen, Senior Auditor
Daniel A. Zaloom, Senior Auditor
Douglas C. Barneck, Auditor
Stephen A. Wybaillie, Auditor
Deputy Commissioner N:DC
Deputy Commissioner, Small Business/Self-Employed Division S
Deputy Commissioner, Wage and Investment Division W
Director, Customer Account Services, Small Business/Self-Employed Division S:CAS
Director, Customer Account Services, Wage and Investment Division W:CAS
Director, Security Policy Support and Oversight M:S:S
Associate Director, Personnel Security Office, Agency-Wide Shared Services A:PS:PSO
Chief Counsel CC
National Taxpayer Advocate TA
Director, Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis N:ADC:R:O
Office of Management Controls N:CFO:F:M
Commissioner, Small Business/Self-Employed Division S
Commissioner, Wage and Investment Division W
The response was removed due to its size. To see the complete response, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.