A Corporate Strategy Is Key to Addressing the Growing Challenge of Identity Theft

 

July 2005

 

Reference Number:  2005-40-106

 

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Freedom of Information Act (FOIA) Redaction Legend:

FOIA exemption (b)(3), in conjunction with I.R.C. § 6103, prohibits the disclosure of return and return information unless authorized. 

FOIA exemption (b)(7)(C) permits an agency to withhold information that could reasonably be expected to constitute an unwarranted invasion of a third party’s or parties’ personal privacy.

FOIA exemption (b)(7)(E) permits an agency to withhold information that could disclose techniques and/or procedures used in law enforcement investigations and release of such information could reasonably be expected to circumvent the law. 


 

July 22, 2005

 

 

MEMORANDUM FOR DEPUTY COMMISSIONER FOR SERVICES AND ENFORCEMENT

 

FROM:     Pamela J. Gardiner /s/ Pamela J. Gardiner

                 Deputy Inspector General for Audit

 

SUBJECT:     Final Audit Report - A Corporate Strategy Is Key to Addressing the Growing Challenge of Identity Theft (Audit # 200440043)

 

This report presents the results of our review to determine whether the Internal Revenue Service (IRS) has an effective process to educate and assist taxpayers that are victims of identity theft. 

Identity theft is one of the fastest growing crimes in the United States (U.S.).  It occurs when someone uses another individual’s personal information, such as his or her name, Social Security Number (SSN), credit card number, or other identifying information, without permission, to commit fraud or other crimes.  People whose identities have been stolen can spend months or years and considerable money repairing the harm identity thieves have done to their good names and credit records.  The reports of fraudulent tax returns as a percentage of the type of fraud committed by identity thieves almost doubled from Calendar Years 2002 (1.9 percent) to 2003 (3.7 percent). 

There are two primary types of identity theft that relate to tax administration.  The first type involves an individual using another person’s identity (name and SSN) to file a fraudulent tax return to steal a tax refund.  The second type involves using another person’s identity (name, SSN, or both) to obtain employment.  This frequently involves undocumented workers.

The IRS recognizes the growing challenge of identity theft and its effect on tax administration.  Existing processes and functions already deal with aspects of identity theft.  For example, the IRS conducts routine verifications when processing tax returns and conducting compliance checks that may identify instances of potential identity theft.  In addition, depending on the specifics of a potential identity theft issue, the tax return/case may be forwarded to various IRS functions for additional actions. Furthermore, the IRS has recently designated a senior executive to head an Identity Theft Task Force, a key goal of which is to develop an Enterprise Identity Theft Strategy.  During the course of this review, we discussed various concerns with IRS management.  In response, the IRS has begun to address some of these concerns as part of its Identity Theft Task Force.

However, the IRS currently has no corporate strategy to address identity theft issues.  It does not have a consistent process to educate and assist taxpayers and does not always take additional actions to deal with the individuals that have used another’s name and/or SSN to file fraudulent tax returns or obtain employment.  In addition, the IRS does not have comprehensive or centralized data on identity theft and as a result is unable to determine the effect identity theft has on tax administration.  Until the IRS develops an agency-wide strategy, it will be unable to help taxpayers and the Federal Government combat the growing threat of identity theft and assist criminal law enforcement’s efforts to prosecute offenders. 

We recognize that identity theft presents significant challenges to Federal and State Governments.  We understand the unique and significant challenges the IRS faces when dealing with issues of identity theft and tax administration.  To meet these challenges and balance customer service with enforcement, we recommended the Deputy Commissioner for Services and Enforcement (1) ensure agency-wide communication tools are updated to include information about identity theft, (2) ensure information provided by the IRS to taxpayers or for use by other Federal Government agencies when referring individuals to the IRS is complete and accurate, (3) develop agency-wide standards to ensure consistency when requiring taxpayers to substantiate claims and when allowing taxpayers future exemptions and credits, (4) develop specific closing codes for cases involving identity theft, and (5) develop an Enterprise Identity Theft Strategy that includes processes to proactively identify instances of identity theft and to resolve identification number discrepancies, while protecting tax revenue and enforcing the law.

Management’s Response:  The IRS agreed with our recommendations and has developed an Enterprise Identity Theft Strategy.  A primary component of this Strategy is outreach, and the IRS has made substantial progress in developing communication vehicles and making them available to the public.  Specifically, the IRS has established a web site on IRS.gov and provided updated information and contacts to the Federal Trade Commission.  It has also updated correspondence used to communicate with identity theft victims, finalized a plan to update major publications, and updated correspondence used to provide information to taxpayers who have duplicate returns.

The IRS has established the Multi-Agency Identity Theft Working Group and initiated a multiagency panel discussion with representatives from the Social Security Administration and the Department of the Treasury.  A key feature of its Victim Assistance Strategy is to develop consistency among processes to ensure taxpayers receive equitable treatment.  The IRS has modernized its process to dramatically reduce the time needed to resolve cases, thus reducing the need to suspend refunds or credits while cases are being resolved.

The IRS developed standards for documentation to be used to validate the identity of the taxpayer, the taxpayer’s address, and the fact of the theft in cases of identity theft.  The documentation required by the IRS is consistent with that required by the Federal Trade Commission and the Social Security Administration.

The IRS has refined its closing codes to include identity theft.  The Identity Theft Program Office will accumulate these data from the IRS and other sources, such as the Federal Trade Commission, to determine trends.  These trends will be used to develop or enhance outreach activities and communication vehicles and to focus resources on enforcement initiatives.

Prevention is the final part of the IRS Enterprise Identity Theft Strategy.  The Strategy outlines several options for initiatives targeted at preventing or deterring identity theft.  These activities will be monitored and coordinated through the Identity Theft Program Office. 

The IRS did not agree with the amount of the first outcome measure (a potential $8.5 million in inefficient use of resources), stating it should be revised from $8.5 million to $676,000 because the IRS believes we made an incorrect assumption.  The IRS also did not agree with the second outcome measure (a potential $9 billion in increased revenue over 5 years), stating it was based on a recommendation in the report to expand a current IRS tax withholding compliance program.  Management’s complete response to the draft report is included as Appendix V.

Office of Audit Comment:  We disagree with the IRS’ assertion that the outcome measure should be revised from $8.5 million to $676,000.  In addition, we did not recommend the IRS expand a current tax withholding compliance project; therefore, the second outcome measure is not directly related to the IRS’ current tax withholding compliance program.

Outcome Measure One:  Management stated that, in five of eight cases we reviewed, the IRS Individual Taxpayer Identification Number (ITIN) on the tax return was also used as the Taxpayer Identification Number (TIN) on the associated Wage and Tax Statement (Form W-2).  We agree that for the five cases there was a match between the ITIN used on the tax return and the TIN used on the Form W-2 and, in the situation where an ITIN was used on both the tax return and the Form W-2, no identity theft victim would result.  However, for the remaining three cases, the ITINs on the tax returns did not match the TINs on the associated Forms W-2.  For these three cases, the associated Forms W-2 contained SSNs. 

The figures supporting our outcome measure did not include situations relating to the five cases.  The figures included in our report involved only those occurrences in which an ITIN was used to file a tax return that claimed wages and no corresponding Form W-2 was located with this ITIN.  Therefore, the assumption is wages were earned and reported under another TIN.  If the characteristics relative to the underreporting meet the Automated Underreporter (AUR) Program criteria, these cases could be selected and ultimately closed as identity theft.  This would result in the inefficient use of resources.  The IRS has the ability to proactively eliminate these cases from AUR Program inventory if it captured this information.  Taking this action would be in line with its Enterprise Identity Theft Strategy of balancing service with enforcement by focusing on victim assistance, outreach, and prevention.  

Outcome Measure Two:  Although our outcome measure is calculated using the same withholding rate used in the IRS’ tax withholding compliance program, in neither our report nor discussions with management did we recommend the IRS expand its current tax withholding compliance project [W-4 withholding compliance program].  As our report states, we believe Form W-2 mismatches provide yet another data source for the IRS to analyze and begin to measure the impact that identity theft has on tax administration.  The mismatch file could be used by the IRS to develop compliance initiatives to address the identification number mismatches and to protect any tax revenue associated.  We recognize that working these cases on a case‑by‑case basis is probably not cost effective.  However, analyzing the data to develop initiatives may result in both resolving the mismatches and protecting tax revenue. 

Further, management indicates that the recommendation focuses limited compliance resources on a low-income population and that the outcome measure calculates tax withholding, not tax liability.  Management indicated it is likely that the $9 billion withheld on low-income taxpayers would be refunded.  We have recognized (as footnoted in Appendix IV) that individuals’ actual tax liabilities could be different once they file tax returns.  The actual tax liabilities could be more or less than the amounts withheld based on the exemptions, credits, and deductions the individuals claim on their tax returns.  However, until the individuals file tax returns, the actual tax liabilities are unknown to us as well as to the IRS. 

We continue to recommend the IRS Enterprise Identity Theft Strategy include processes to begin to resolve the identification number discrepancies that totaled 7.9 million for Forms W-2 in Tax Year 2002.  The IRS does not currently have a program that attempts to resolve the 7.9 million identification number mismatches or enforce tax laws relating to withholding and filing issues.

Copies of this report are also being sent to the IRS managers affected by the report recommendations.  Please contact me at (202) 622-6510 if you have questions or Michael R. Phillips, Assistant Inspector General for Audit (Wage and Investment Income Programs), at (202) 927-0597.

 

Table of Contents

Background

Current Processes Help Address Identity Theft Issues

The Internal Revenue Service Does Not Currently Have a Corporate Strategy to Address Identity Theft Issues

Recommendation 1:

Recommendation 2:

Recommendation 3:

Recommendation 4:

Recommendation 5:

Appendix I – Detailed Objective, Scope, and Methodology

Appendix II – Major Contributors to This Report

Appendix III – Report Distribution List

Appendix IV – Outcome Measures

Appendix V – Management’s Response to the Draft Report

 

Background

The Social Security Administration (SSA) and law enforcement officials cite identity theft as one of the fastest growing crimes in the United States (U.S.).  The 1990s spawned a new variety of criminal called identity thieves.  Identity theft occurs when someone uses another individual’s personal information, such as his or her name, Social Security Number (SSN), credit card number, or other identifying information, without permission, to commit fraud or other crimes.  Once identity thieves have an individual’s personal information, they can open new credit card accounts.  They can also file a fraudulent tax return to obtain an illegal tax credit or refund.

People whose identities have been stolen can spend months or years and considerable money repairing the harm identity thieves have done to their good names and credit records.  In the meantime, victims may lose job opportunities; be refused loans, education, housing, or cars; or may even be arrested for crimes they did not commit.

Two studies completed in July 2003 by Gartner, Incorporated, and Harris Interactive reported that there were approximately 7 million victims of identity theft in the prior 12 months.  That equaled an average of 19,178 victims per day.  For Calendar Year (CY) 2003, the majority of identity theft victims reported losses due to credit card fraud (33 percent).  Although only a small percentage of the total reported identity thefts related to fraudulent tax returns, the Federal Trade Commission (FTC) reported that the percentage of fraudulent tax returns filed by identity thieves almost doubled from CYs 2002 to 2003. 

Federal laws have been enacted making identity theft a crime

In October 1998, the Identity Theft and Assumption Deterrence Act made identity theft a crime.  The law defines identity theft as when someone “knowingly transfers or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of federal law, or that constitutes a felony under any applicable state or local law.”  Violations of the law are investigated by Federal law enforcement agencies, including the U.S. Secret Service, the Federal Bureau of Investigation, the U.S. Postal Inspection Service, the SSA Office of the Inspector General, and the Internal Revenue Service (IRS) Criminal Investigation (CI) Division. 

Two additional laws reinforce the importance of identity theft.  The Fair and Accurate Transactions Act, signed into law in December 2003, establishes a national system of fraud detection so victims can alert all three major credit bureaus with a single telephone call.  The Identity Theft Penalty Enhancement Act was signed into law in July 2004 and adds an extra 2 years to a prison sentence if a criminal knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person in addition to committing another offense.  An additional 5 years will be added to a sentence related to a terrorism offense if identity theft is involved. 

The FTC is the Federal Government agency responsible for compiling identity theft complaint information

The FTC has been established as the Federal Government’s central repository for identity theft complaints.  It provides victim assistance and consumer education.  Although the FTC does not have the authority to bring criminal cases against identity thieves, it helps victims of identity theft by providing the victims with educational information in print, through its toll‑free hotline, and on its web site, consumer.gov/idtheft/.  The FTC’s goal is to provide information to assist victims in resolving problems that can result from identity theft.  The web site and hotline give individuals a single place to report identity theft to the Federal Government and receive helpful information.

Counselors at the FTC take complaints and advise individuals on how to deal with the problems that can result from identity theft.  In addition, the FTC, in conjunction with other organizations, has developed the ID Theft Affidavit to help victims of identity theft restore their good names.  The Affidavit can be used to report information to many organizations.

The FTC also serves as a central point for law enforcement agencies nationwide to research identity theft cases.  The FTC enters complaints into a secure database, the Identity Theft Data Clearinghouse.  The database contains identifying information of the victim, such as name, address, SSN, and date of birth.  The database also includes the type of identity theft; a description of the complaint; details of the identity theft (dates and the amount of money involved); other problems incurred by the victim as a result of the identity theft; identifying information on the identity thief, if known; and any companies or credit bureaus creating identity theft problems for the victim. 

Access to this database is limited to law enforcement authorities to assist them in their investigations.  Complaints may also be shared with some private companies, such as credit bureaus and other appropriate entities, to help them in their investigations and victim assistance.

The SSN is the most widely used identifier for Federal and State Governments and the private sector

An SSN is needed to get a job in the U.S.; to receive Social Security benefits and other Federal Government benefits; and, for most individuals, to file a tax return.  Many companies, such as banks and credit card companies, also ask for and use individuals’ SSNs to conduct business. 

To obtain an SSN for a child at birth, the parent completes an Application for a Social Security Card (Form SS‑5).  If the parent does not apply for the SSN at the same time he or she applies for the birth certificate, the parent will have to provide proof of age, identity, and U.S. citizenship for the child and proof of the parent’s identity.  Examples of these documents are a driver’s license, passport, employer identification card, school identification card, marriage or divorce record, health insurance card, military identification card, adoption record, or life insurance policy. 

The Internal Revenue Code requires the SSN to be used as an identifying number

The Internal Revenue Code provides that any person filing a tax return, statement, or other document shall include an identifying number for securing proper identification for this purpose.  The SSN shall be used as the identifying number for individuals for this purpose, except as otherwise specified under regulations. 

In 1996, Treasury Regulations were issued to create an IRS Individual Taxpayer Identification Number (ITIN) that would provide alien individuals an identifying number to use to meet U.S. tax return filing requirements.  Treasury Regulations provide that the IRS assign ITINs to resident aliens that cannot obtain an SSN.  The ITIN is intended for tax purposes only and creates no inference regarding an alien individual’s right to be legally employed in the U.S. or that individual’s immigration status (i.e., the ITIN does not authorize a foreign individual to work or live in the U.S.).

Each year, the SSA receives wage reporting information from employers, including income reported on the Wage and Tax Statement (Form W-2).  The SSA processes about 240 million Forms W-2 from about 6.5 million employers.  These Forms W-2 record the wages earned by about 145 million workers annually. 

The IRS Information Reporting Program (IRP) is used to match taxpayer income and deduction information submitted by third parties to amounts reported on individual income tax returns.  The Internal Revenue Code, via the IRP, is the cornerstone of voluntary compliance and affects compliance and revenue across every taxpayer and market segment.  The IRP helps ensure a high level of compliance by requiring third parties, such as employers, banks, brokerage firms, and others, to file information returns reporting taxpayer income and certain deductions to the IRS.

Two primary types of identity theft relate to tax administration

The first type involves an individual using another person’s identity (name and SSN) to file a fraudulent tax return to steal a tax refund.  The individual committing this type of fraud frequently files the fictitious tax return electronically, early in the filing season.  The individual whose identity was stolen later files his or her tax return and the IRS identifies it as a duplicate tax return.  When this happens, the IRS freezes the second tax return, including any tax refunds due, and begins a process of corresponding with the individuals involved in the duplicate filing.  This requires considerable time and effort by the legitimate taxpayer to prove he or she is a victim of identity theft.  The victim’s tax refund, if frozen, will not be issued until the matter is resolved.

The second type of identity theft related to tax administration involves using another person’s identity (name, SSN, or both) to obtain employment.  This frequently involves undocumented workers.  The wage information is reported to the SSA by the employer (on the Form W-2) under the stolen identification information. 

In the case of identity theft, the person who stole the identity may use the SSN of another person but still use his or her own name.  When the Form W-2 information is received from the SSA, the IRS performs a match of the SSN and name on the Form W-2 to IRS records.  If the SSN and name on the Form W-2 do not match IRS records, the Form W-2 is considered invalid.

The IRS uses the Form W-2 information during the IRP process of matching wages to tax returns.  In the case of identity theft, the IRS identifies a mismatch or underreporting of income, when in fact the identity theft victim did not underreport his or her income.  If a mismatch is identified, the IRS will issue a notice to the individual involved in the mismatch (the victim) and propose an assessment of additional taxes owed relating to the underreported wages.  The victim must then work with the IRS to resolve the mismatch of wages, including trying to prove that he or she may be a victim of identity theft.

This review was performed at the IRS National Headquarters in the Wage and Investment Division Compliance and Accounts Management (AM) functions in Atlanta, Georgia; the CI Division, Taxpayer Advocate Service, and FTC offices in Washington, D.C.; the Andover, Massachusetts, Atlanta, Georgia, and Brookhaven, New York, Campuses; and the SSA office in Baltimore, Maryland, during the period June 2004 through January 2005.  The audit was conducted in accordance with Government Auditing Standards.  Detailed information on our audit objective, scope, and methodology is presented in Appendix I.  Major contributors to the report are listed in Appendix II.

Current Processes Help Address Identity Theft Issues

The IRS recognizes the growing challenge of identity theft and its effect on tax administration.  Existing processes and functions already deal with certain aspects of identity theft.  For example, the IRS conducts routine verifications and checks when processing tax returns and conducting compliance checks that may identify instances of potential identity theft.  In addition, depending on the specifics of a potential identity theft issue, the tax return/case may be forwarded to various IRS functions for additional actions.

The IRS uses individuals’ names and SSNs as the primary identifiers when performing its routine verifications and checks.  For example: 

· When processing a tax return, the IRS checks its records to ensure another tax return has not been previously filed for that tax year using the same primary taxpayer’s SSN listed on the tax return being processed.  This ensures there is not a duplicate tax return situation.

If the IRS identifies that a tax return was previously filed under the same primary SSN, the AM function will attempt to resolve the duplicate tax return situation internally by researching IRS records to determine if the taxpayer or the IRS made an error entering the SSN on the tax return.  For example, it might compare the SSN on the tax return to the one on the attached Form W‑2.  

If the IRS is unsuccessful in resolving the duplicate tax return situation, it sends correspondence to both individuals that used the SSN.  This correspondence advises both individuals that duplicate tax returns have been filed under the same SSN.  This might be the first indication of a potential identity theft for both the IRS and the taxpayers.  The IRS requests specific identifying documentation from the taxpayers and forwards it to the SSA, which will attempt to resolve the SSN discrepancy (i.e., identify which individual is the rightful owner of the SSN).

· Each year the IRS receives tax documents, called information returns, which are used to conduct compliance checks.  Information returns include the Form W-2 as well as other IRS forms used to report, for example, interest income, miscellaneous income, gambling winnings, and pensions.  Once the IRS receives the information returns, it performs computer verifications based on the taxpayers’ SSNs to match the information reported on the information returns to that reported on the tax returns.

If income (including wages) reported on an information return is not included in the income reported on the tax return, the IRS considers it an underreporter situation.  If there is no tax return filed for the income reported, the IRS considers it a nonfiler situation or Taxpayer Delinquency Investigation (TDI). 

Depending on specific criteria and resources available, either the IRS Automated Underreporter (AUR) function or TDI function will work selected underreporter and nonfiler cases to determine the correct amount of income that should have been reported.  The functions will issue correspondence to the underreporting taxpayer asking him or her to resolve the discrepancy.  The taxpayer may respond that the income is not his or her income. 

These routine verifications and checks are an integral part of the IRS’ tax administration and may serve as a first indication to the IRS and taxpayers of a potential identity theft.  However, neither the duplicate tax return nor underreporter process is designed to identify and deal with the issues and challenges of identity theft. 

In addition to the IRS functions detailed above, the IRS has a CI Division that deals with tax schemes that could include identity theft issues.  The CI Division investigates potential criminal violations of the Internal Revenue Code and related financial crimes.  It has investigative authority and usually works tax schemes involving multiple taxpayers or individual cases involving large amounts of taxes/money.  The CI Division has developed a Compliance Strategy to assist in identifying, developing, and investigating cases that foster confidence in the tax system and compliance with the law. 

The IRS’ growing awareness of the effect identity theft has on tax administration has resulted in the IRS recently designating a senior executive to head an Identity Theft Task Force, a key goal of which is to develop an Enterprise Identity Theft Strategy.  During the course of this review, we discussed various concerns with IRS management.  In response, the IRS has begun to address some of these concerns as part of its Identity Theft Task Force, including meeting with the SSA in an attempt to reduce the time needed to determine the owner of an SSN.

The Internal Revenue Service Does Not Currently Have a Corporate Strategy to Address Identity Theft Issues

The IRS does not have a consistent process to educate and assist taxpayers, and, although the IRS works toward resolving duplicate tax return and underreporting situations, it does not always take additional actions to deal with the individuals that have used another’s name or SSN to file fraudulent tax returns or obtain employment.  In addition, the IRS does not have comprehensive or centralized data on identity theft to determine the effect identity theft has on tax administration.

This happened because the IRS has not developed a corporate strategy to address the growing significance of identity theft and its effect on tax administration.  Until the IRS develops an agency-wide strategy, it will be unable to help taxpayers and the Federal Government combat the growing threat of identity theft and assist criminal law enforcement’s efforts to prosecute offenders.  Furthermore, one of the IRS’ strategic goals is to improve taxpayer service.  The IRS will be unable to meet this goal if an agency-wide strategy for handling identity theft issues is not developed.

In recent years, the IRS has developed a corporate strategy and agency‑wide approach to combat another issue that significantly affects tax administration, the Earned Income Tax Credit (EITC).  The IRS recognized that numerous functions dealt with different aspects of the EITC, a credit the IRS had identified as having a significant rate of noncompliance.  To better understand the causes and develop solutions, the IRS formed a Project Office to develop policy and procedures in an attempt to consistently deal with the issue.  The IRS continues to centralize many of the EITC processes. 

The IRS does not have a consistent process to educate taxpayers

Information on identity theft and the problems it presents with tax administration is not available to taxpayers using the communication methods the IRS normally promotes, such as key publications and the IRS Internet site (IRS.gov).  Key instructions and publications, including the U.S. Individual Income Tax Return (Form 1040) instruction booklet and Your Federal Income Tax (Publication 17), do not provide taxpayers with information on what they should do if they believe they are victims of identity theft.  The IRS also does not use its Internet site or its publications to refer taxpayers to the FTC.  However, IRS.gov does provide taxpayers with alerts on tax schemes that involve stolen identities.

Information provided by the IRS through its toll-free customer service telephone line, for use by other Federal Government agencies when referring taxpayers to the IRS, and correspondence sent to taxpayers does not adequately provide individuals with the information they need to resolve their issues.  For example:

· When taxpayers contact the IRS toll-free telephone line, no general information is available on what they should do if they believe they are victims of identity theft.  The information available is limited to only those taxpayers that call and inquire about what to do if someone has filed a tax return using their SSN (duplicate tax return situations).  IRS procedures require the telephone assistors to advise taxpayers to contact the FTC.  Although the IRS does not have general information available through its toll-free telephone number, referral procedures provided by the IRS to the SSA instruct the SSA to refer individuals that report an identity theft involving a tax matter to the IRS toll-free customer service telephone number.

· When individuals contact the FTC, referral procedures provided by the IRS instruct the FTC to refer these individuals to either the Office of the National Taxpayer Advocate (the IRS Taxpayer Advocate Service (TAS)) or the CI Hotline (the IRS Fraud and Abuse Hotline).  However:

    o IRS.gov does not have any general information on what taxpayers should do if they believe they are victims of identity theft.

    o Officials in the TAS stated that the TAS should not be a contact for referral, but if the alternative is to have the taxpayer call the IRS toll‑free customer service telephone number, the TAS would rather take the call.

    o Procedures for the Fraud and Abuse Hotline are inconsistent.  Both sets of CI Division procedures require that the victim’s information be collected.  However, the first set of procedures requires the information to be referred to the IRS Exam Identity Theft Unit, which does not exist.  The second set of procedures requires the Fraud and Abuse Hotline referrals to be sent to the local CI Division office.

Correspondence sent to taxpayers because of IRS verifications and checks contains incomplete or inaccurate information.  For example:

The AM function sends correspondence to taxpayers involved with a duplicate tax return situation.  The correspondence states, “The Form [xx] you filed with us for the tax year ended [xx] shows your social security number as [xx].  Our records show the same social security number belongs to another taxpayer.” 

However, at the time the correspondence is sent, the IRS does not know which taxpayer owns the SSN used to file both tax returns.  In addition, subsequent correspondence sent to these taxpayers does not appropriately inform them of all the ramifications of the duplicate tax return situation (i.e., that, until the situation is resolved, the taxpayers will be unable to receive certain deductions and credits).

With the percentage of fraudulent tax returns being filed by identity thieves almost doubling and the effect identity theft has on individuals whose information is stolen, the IRS needs to ensure taxpayers have sufficient information to help resolve their issues.  In addition, this information should ensure taxpayers understand the actions the IRS takes when trying to resolve the situation and how it affects them when trying to comply with their future tax obligations.

Recommendations

The Deputy Commissioner for Services and Enforcement should ensure:

1.      Agency-wide communication tools used to educate and assist taxpayers are updated to include information about identity theft and what to do if taxpayers believe they are victims of identity theft.  This should include referring taxpayers to the FTC.

Management’s Response:  The IRS agreed with this recommendation and has developed an Enterprise Identity Theft Strategy.  A primary component of this Strategy is outreach that focuses on updating communication and outreach vehicles.  The IRS has documented this Strategy in its Identity Theft Communication Plan and made substantial progress in developing these vehicles and making them available to the public.

Specifically, the IRS has established a web site on IRS.gov and provided updated information and contacts to the FTC.  It has also updated correspondence used to communicate with identity theft victims and finalized a plan to update major publications.

Lastly, the IRS has established the Multi-Agency Identity Theft Working Group and initiated a multiagency panel discussion with representatives from the SSA and the Department of the Treasury.

2.      Information provided by the IRS to taxpayers or other Federal Government agencies when referring individuals to the IRS is complete and accurate, including correspondence sent to taxpayers involved in a duplicate tax return situation.

Management’s Response:  The IRS agreed with this recommendation.  It has updated communication vehicles to include references to the FTC and SSA and will continue to collaborate with the FTC and SSA through the Multi-Agency Identity Theft Working Group on communication and outreach.  The IRS has also updated the correspondence used to provide more information to taxpayers who have duplicate returns.  Lastly, the IRS has reviewed various procedures regarding fraud referral to ensure they are comprehensive and address identity theft cases.

The IRS does not have consistent processes to assist taxpayers that may be victims of identity theft

Procedures and processes of the various IRS functions that assist taxpayers that may be victims of identity theft are not consistent.  For example:

·         The AM function attempts to resolve duplicate SSN discrepancies (the duplicate tax return situations) to ensure legitimate tax returns are filed with correct SSNs.  The function requests that taxpayers submit copies of identifying documents, such as a driver’s license, passport, or birth certificate.  It also asks taxpayers to provide their place of birth and parents’ names.  Once it receives this information, the AM function forwards the information to the SSA, which then attempts to determine which taxpayer owns the SSN.

While the SSA is conducting its research, the IRS assigns a taxpayer involved with the duplicate tax return situation a temporary Taxpayer Identification Number (TIN) to use when filing future tax returns.  Because temporary TINs are not valid SSNs, certain credits and deductions requiring an SSN will not be allowed, including the EITC and dependent exemptions.

·         The CI Division attempts to resolve duplicate tax return situations when there are indications of fraud.  In working these cases, the CI Division does not routinely assign a taxpayer a temporary SSN, although it does assign a temporary SSN when the fraudulent tax return includes a claim for the EITC.  Taxpayers determined to be the rightful owners of the SSNs can continue to file tax returns using their SSNs.  The CI Division will place a freeze code on the account of the rightful owner that enables it to monitor the account in subsequent years and prevent the issuance of false refunds in the future. 

·         The AUR and TDI functions focus on the underreporting or nonreporting of income.  Procedures enable taxpayers to provide support that the income is not theirs either verbally or in writing.  If the taxpayers claim the income is not theirs, the functions close the cases without any changes.

The National Taxpayer Advocate recognized the inconsistency with which the IRS assists potential victims of identity theft.  In the National Taxpayer Advocate 2004 Annual Report to Congress, the Advocate lists the inconsistency of procedures in IRS functions nationwide as one of the most serious problems facing taxpayers.  The Advocate cited the assistance the IRS provides to victims of identity theft as an example of these inconsistent procedures.

The function working the cases affects what information taxpayers are required to provide, as well as what credits and deductions taxpayers can claim while their cases are being resolved.  However, the information required to substantiate identity theft should be consistent to ensure equal treatment and appropriate resolution of the identity theft cases. 

Recommendation

The Deputy Commissioner for Services and Enforcement should:

3.      Develop agency-wide standards to ensure the information taxpayers are asked to provide to substantiate claims of identity theft is consistent throughout the IRS.  These standards should also ensure taxpayers are consistently allowed applicable future exemptions and credits while identity theft cases are being resolved.

Management’s Response:  The IRS agreed with this recommendation.  A key feature of its Victim Assistance Strategy is to develop consistency among processes to ensure taxpayers receive equitable treatment.  Through process reengineering efforts, the IRS has modernized the process to dramatically reduce the time needed to resolve cases as well as ensure consistency.  The substantial reduction in case resolution time will also reduce the need to suspend a taxpayer’s refund or credits while the case is being resolved, resulting in treatment consistent with that provided to taxpayer cases in the CI Division.

The IRS also developed standards for documentation to be used to validate the identity of the taxpayer, the taxpayer’s address, and the fact of the theft.  The documentation required by the IRS is consistent with that required by the FTC and the SSA.

The IRS does not have comprehensive or centralized data to measure the effect identity theft has on tax administration

Identity theft is not specifically recorded as a category when the IRS works cases that involve potential instances of identity theft.  Although the multiple functions that assist in these cases have closing codes that record how cases are resolved, the IRS has not developed specific closing codes to use when cases are resolved based on a claim of identity theft.  For example, the AUR function closes cases involving a claim of identity theft by using a code that indicates “case closed – complex issue not pursued.”  The TDI function closes these cases using a closing code that indicates “income below filing requirement.” 

Although these cases include claims of identity theft, a distinction cannot be made between cases closed because of identity theft and cases closed with “complex issue not pursued” or “income below filing requirements” not due to identity theft.  Without a consistent method to capture the cases involving identity theft, the IRS does not know how many taxpayers are affected and the extent of the effect on tax administration.

Although the IRS does not have comprehensive or consolidated data on identity theft, it does have existing data that can be used to begin to measure the effect of identity theft.  We analyzed selected data and obtained examples of data in which identity theft appears to be a component.  We believe these data could be used to begin to compile management information on identity theft.  In addition, these data sources could be used to develop compliance initiatives to address identification number discrepancies and to protect tax revenue associated with these discrepancies.  For example: 

·         A computer-matching program developed by the IRS identifies tax returns involved in a duplicate tax return situation with a high probability of being a case in which two individuals are using the same SSN to file a tax return.  Currently, this program uses characteristics from the duplicate tax returns.  The program identifies mismatches between secondary SSNs and zip codes from both tax returns filed for the same SSN and tax period. 

·         An analysis of Tax Year (TY) 2002 tax return data showed 378,418 tax returns filed using ITINs had income reported from wages; however, there was no ITIN on a related Form W-2 for these wages.  This could indicate that the ITIN filer is using an identity of another individual to gain employment.  In addition to the potential burden that may be caused to the individuals whose identities were used by the ITIN filers, the IRS could be inefficiently using its limited compliance resources.  For example, if the 378,418 individuals whose SSNs were used were identified by the AUR function as underreporter cases, the IRS would needlessly expend approximately $8.5 million in resources to close these cases with no changes.

·         An analysis of TY 2002 Forms W-2 showed 7.9 million mismatches for which the SSN and name on the Form W-2 do not match the SSN and name issued by the SSA (considered an invalid Form W-2).  For example:

o       A retired taxpayer’s SSN was reported on numerous other individuals’ Forms W-2 presumably used to gain employment.  The wages earned were reported on Forms W-2 under the SSN of the retired person; however, another name was used.  The Forms W-2 contained wage earners’ addresses in states different from that of the retired taxpayer.  The wages totaled ****(b)(3); (b)(7)(C)**** with tax withholdings of only ****(b)(3); (b)(7)(C)****.

o       About 9,500 separate companies were identified as each issuing 100 or more of the Forms W-2 on which the names did not match the SSNs and names on file with the SSA.  Over 1,000 of the 9,500 companies had discrepancies in 75 percent or more of their Forms W-2. 
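The duplicate tax return match described in the first bullet above can be sketched as follows. This is an added example, not the IRS program or code from the report: the record layout, field names, and the "both fields differ" priority rule are assumptions, and the sample returns are constructed using SSNs in the never-issued 000 area.

```python
from collections import defaultdict
from dataclasses import dataclass
from itertools import combinations
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class FiledReturn:
    """One filed return. Field names are hypothetical, not an IRS schema."""
    return_id: str
    primary_ssn: str
    tax_period: int               # tax year
    secondary_ssn: Optional[str]  # spouse SSN, None if not a joint return
    zip_code: str


def _digits(value: Optional[str]) -> str:
    """Keep digits only so '000-00-0001' and '000000001' compare equal."""
    return "".join(ch for ch in (value or "") if ch.isdigit())


Finding = Tuple[str, str, Tuple[str, ...]]


def find_duplicate_filings(returns: List[FiledReturn]) -> List[Finding]:
    """Pair up returns filed under the same primary SSN and tax period and
    report which of the two characteristics named in the report differ."""
    groups = defaultdict(list)
    for r in returns:
        groups[(_digits(r.primary_ssn), r.tax_period)].append(r)

    findings: List[Finding] = []
    for group in groups.values():
        for a, b in combinations(group, 2):
            mismatched = []
            if _digits(a.secondary_ssn) != _digits(b.secondary_ssn):
                mismatched.append("secondary_ssn")
            # Compare 5-digit ZIP only; ZIP+4 differences are not a mismatch.
            if _digits(a.zip_code)[:5] != _digits(b.zip_code)[:5]:
                mismatched.append("zip_code")
            if mismatched:  # identical pairs look like a refile, not two filers
                findings.append((a.return_id, b.return_id, tuple(mismatched)))
    return findings


def high_probability(findings: List[Finding]) -> List[Finding]:
    """Assumed priority rule: both characteristics differ between the returns."""
    return [f for f in findings if len(f[2]) == 2]


# Constructed sample data (SSN area 000 is never issued).
SAMPLE_RETURNS = [
    FiledReturn("R1", "000-00-0001", 2002, "000-00-0002", "30301"),
    FiledReturn("R2", "000000001", 2002, None, "98101-1234"),
    FiledReturn("R3", "000-00-0003", 2002, "000-00-0004", "60601"),
    FiledReturn("R4", "000-00-0003", 2002, "000000004", "60601-0001"),
    FiledReturn("R5", "000-00-0001", 2001, "000-00-0002", "30301"),
    FiledReturn("R6", "000-00-0005", 2002, None, "10001"),
    FiledReturn("R7", "000-00-0005", 2002, None, "73301"),
]

if __name__ == "__main__":
    for first, second, fields in find_duplicate_filings(SAMPLE_RETURNS):
        print(first, second, ", ".join(fields))
```

R3 and R4 share an SSN and tax period but agree on both characteristics after normalization, so they are not reported; R5 falls in a different tax period and is never compared with R1.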

Further analysis of the data indicates compliance problems similar to those identified in a new IRS tax withholding compliance program initiated in Fiscal Year 2005.  Under the guidelines of the new tax withholding compliance program, the IRS will send letters to individuals with low withholding and a tax compliance issue ****(b)(7)(E)**** proposing to set their withholding rates at the percentage withheld for individuals filing as single with zero exemptions.  At the same time, the IRS will send letters to employers advising them to withhold at the rate of single with 0 exemptions on a date specified in the letter (that will be no earlier than 45 days after the date of the letter) if the IRS does not subsequently contact them.  At any time after receiving the letter, including before the employer imposes the new withholding rate, the employee (taxpayer) may be able to justify to the IRS a filing status and/or a withholding rate different from that specified in the initial letter.

We analyzed the 7.9 million Forms W-2 using criteria similar to that used in the new IRS tax withholding compliance program.  In addition, we eliminated Forms W-2 with wages less than $7,950, the income threshold required for an individual to file a tax return if filing as single with no dependents.  We identified:

o       A total of 1,086,195 Forms W-2 on which the SSN was not used to file a TY 2002 tax return. 

o       A total of $19.7 billion in income and $287 million in taxes withheld.  The average income and taxes withheld were $18,165 and $264, respectively.

o       Over 355,500 unique companies that issued the 1,086,195 Forms W-2.

If the IRS required the individuals listed on the 1,086,195 Forms W-2 to withhold at the single withholding rate with 0 exemptions, the potential increase in tax revenue would be about $9 billion ($1.8 billion annually over 5 years).  This assumes an average wage of $18,165 and a 10.86 percent withholding rate required for a person filing as single with no dependents. 

Identity theft presents significant challenges to Federal and State Governments.  We understand the unique and significant challenges the IRS faces when dealing with issues of identity theft and tax administration.  To meet these challenges and balance customer service with enforcement, the IRS needs to develop a corporate strategy that will proactively identify instances of identity theft and determine the optimum approach to resolving identification number discrepancies and reducing taxpayer burden, while protecting revenue and enforcing the law.

Recommendations

The Deputy Commissioner for Services and Enforcement should:

4.      Develop specific closing codes for cases involving identity theft that will allow the IRS to track and monitor the effect of identity theft on tax administration.

Management’s Response:  The IRS agreed with this recommendation.  The IRS has refined its AUR and TDI function closing codes to include identity theft.  The Identity Theft Program Office will accumulate these data from the IRS and other sources, such as the FTC, to determine trends.  These trends will be used to develop or enhance outreach activities and communication vehicles and to focus resources on enforcement initiatives.

The IRS did not agree with the amount of the first outcome measure (a potential $8.5 million in inefficient use of resources), stating it should be revised from $8.5 million to $676,000 because the IRS believes we made an incorrect assumption. 

Office of Audit Comment:  We disagree with the IRS’ assertion that the outcome measure should be revised from $8.5 million to $676,000.  Management stated that, in five of eight cases we reviewed, the ITIN on the tax return was also used as the TIN on the associated Form W-2.  We agree that for the five cases there was a match between the ITIN used on the tax return and the TIN used on the Form W-2 and, in the situation where an ITIN was used on both the tax return and the Form W-2, no identity theft victim would result.  However, for the remaining three cases, the ITINs on the tax returns did not match the TINs on the associated Forms W-2.  For these three cases, the associated Forms W-2 contained SSNs.

The figures supporting our outcome measure did not include situations relating to the five cases.  The figures included in our report involved only those occurrences in which an ITIN was used to file a tax return that claimed wages and no corresponding Form W-2 was located with this ITIN.  Therefore, the assumption is wages were earned and reported under another TIN.  If the characteristics relative to the underreporting meet the AUR Program criteria, these cases could be selected and ultimately closed as identity theft.  This would result in the inefficient use of resources.  The IRS has the ability to proactively eliminate these cases from AUR Program inventory if it captured this information.  Taking this action would be in line with its Enterprise Identity Theft Strategy of balancing service with enforcement by focusing on victim assistance, outreach, and prevention.

5.      Follow through on the Identity Theft Task Force’s goal of developing an Enterprise Identity Theft Strategy.  The Strategy should include processes to proactively identify instances of identity theft, resolve identification number discrepancies, and ensure appropriate tax withholding while enforcing the law.

Management’s Response:  The IRS agreed with this recommendation.  Prevention is the final part of the IRS Enterprise Identity Theft Strategy.  The Strategy outlines several options for initiatives targeted at preventing or deterring identity theft.  These activities will be monitored and coordinated through the Identity Theft Program Office. 

For example, the IRS will work with employers through several initiatives to reduce the incidence of theft related to employment, and tax return preparers who promote schemes for clients to make false claims of identity theft to underreport income and maximize refundable credits will face penalties and sanctions.

The IRS did not agree with the second outcome measure (a potential $9 billion in increased revenue over 5 years), stating it was based on a recommendation in the report to expand a current IRS tax withholding compliance program.  

Office of Audit Comment:  Although our outcome measure is calculated using the same withholding rate used in the IRS’ tax withholding compliance program, in neither our report nor discussions with management did we recommend the IRS expand its current tax withholding compliance program [Form W-4 withholding compliance program].  As our report states, we believe Form W-2 mismatches provide yet another data source for the IRS to analyze and begin to measure the impact that identity theft has on tax administration.  The mismatch file could be used by the IRS to develop compliance initiatives to address the identification number mismatches and to protect any tax revenue associated.  We recognize that working these cases on a case‑by‑case basis is probably not cost effective.  However, analyzing the data to develop initiatives may result in both resolving the mismatches and protecting tax revenue. 

Further, management indicates that the recommendation focuses limited compliance resources on a low-income population and that the outcome measure calculates tax withholding, not tax liability.  Management indicated it is likely that the $9 billion withheld on low-income taxpayers would be refunded.  We have recognized (as footnoted in Appendix IV) that individuals’ actual tax liabilities could be different once they file tax returns.  The actual tax liabilities could be more or less than the amounts withheld based on the exemptions, credits, and deductions the individuals claim on their tax returns.  However, until the individuals file tax returns, the actual tax liabilities are unknown to us as well as to the IRS. 

We continue to recommend the IRS Enterprise Identity Theft Strategy include processes to begin to resolve the identification number discrepancies that totaled 7.9 million for Forms W-2 in TY 2002.  The IRS does not currently have a program that attempts to resolve the 7.9 million identification number mismatches or enforce tax laws relating to withholding and filing issues.

 

Appendix I

 

Detailed Objective, Scope, and Methodology

 

The overall objective of this review was to determine whether the Internal Revenue Service (IRS) has an effective process to educate and assist taxpayers that are victims of identity theft.  To accomplish this objective, we:

I.                   Determined whether the IRS educates taxpayers that are victims of identity theft on the process to resolve their tax accounts. 

A.    Discussed with the appropriate officials how the IRS educates taxpayers on the process to resolve their tax accounts when they are victims of identity theft.

B.     Obtained and reviewed key communication vehicles to determine how the IRS educates taxpayers about its process for handling identity theft cases.

II.                Determined whether the IRS has an effective process to resolve taxpayer accounts when identity theft has occurred.

A.    Determined whether the IRS has a process to assist taxpayers whose identities are stolen for the purpose of obtaining employment or filing false tax returns.

B.     Determined whether State tax agencies may have a process that can be used by the IRS as a best practice when assisting taxpayers that are victims of identity theft.

C.     Determined whether the IRS has a management information system that captures information on identity theft cases.

D.    Determined whether the IRS can implement a proactive process to assist taxpayers that are victims of identity theft.

III.             Determined the potential amount of inefficient use of resources and increased revenue. 

A.    Determined the potential amount of inefficient use of resources from identity theft cases not being worked by the Automated Underreporter function.  The Automated Underreporter function works cases that show an underreporting of income.  The cases are a result of a match of the income reported by taxpayers on their tax returns to third-party information received by the IRS.  See methodology in Appendix IV.

B.     Determined the number of instances with an invalid Wage and Tax Statement (Form W-2) (Social Security Number and name do not match IRS records) for which there is no corresponding tax return for Tax Year 2002, the wages are below what would be included in the IRS Compliance Program and above the filing requirement, and the Form W-2 had a low withholding rate.

 

Appendix II

 

Major Contributors to This Report

 

Michael R. Phillips, Assistant Inspector General for Audit (Wage and Investment Income Programs)

Augusta R. Cook, Director

Russell P. Martin, Audit Manager

Pamela DeSimone, Lead Auditor

Patricia Jackson, Auditor

Mary Keyes, Auditor

Jeffrey Williams, Information Technology Specialist

 

Appendix III

 

Report Distribution List

 

Commissioner  C

Office of the Commissioner – Attn:  Chief of Staff  C

Commissioner, Small Business/Self-Employed Division  SE:S

Commissioner, Wage and Investment Division  SE:W

Chief, Criminal Investigation  SE:CI

Deputy Commissioner, Small Business/Self-Employed Division  SE:S

Deputy Commissioner, Wage and Investment Division  SE:W

Director, Business Systems Planning, Wage and Investment Division  SE:W:BSP

Director, Communications, Liaison, and Disclosure, Small Business/Self-Employed Division  SE:S:CLD

Director, Compliance, Wage and Investment Division  SE:W:CP

Director, Customer Account Services, Wage and Investment Division  SE:W:CAS

Director, Refund Crimes, Small Business/Self-Employed Division  SE:CI:RC

Acting Director, Strategy and Finance, Wage and Investment Division  SE:W:S
Acting Chief, Performance Improvement, Wage and Investment Division  SE:W:S:PI
Chief Counsel  CC

National Taxpayer Advocate  TA

Director, Office of Legislative Affairs  CL:LA

Director, Office of Program Evaluation and Risk Analysis  RAS:O

Office of Management Controls  OS:CFO:AR:M

Audit Liaisons:

Acting Chief, Customer Liaison, Small Business/Self-Employed Division  SE:S:COM 

Acting Senior Operations Advisor, Wage and Investment Division  SE:W:S

 

Appendix IV

 

Outcome Measures

 

This appendix presents detailed information on the measurable impact that our recommended corrective actions will have on tax administration.  These benefits will be incorporated into our Semiannual Report to the Congress.

Type and Value of Outcome Measure:

·         Inefficient Use of Resources – Potential; $8.5 million (see page 9).

Methodology Used to Measure the Reported Benefit:

An analysis of Tax Year (TY) 2002 tax return data showed 378,418 tax returns filed using Internal Revenue Service (IRS) Individual Taxpayer Identification Numbers (ITIN) had income reported from wages; however, there were no ITINs on a related Wage and Tax Statement (Form W-2) for these wages.  This could be an indicator that the ITIN filer is using the identity of another individual to gain employment.  In addition to the potential burden that may be caused to an individual whose identity was used by the ITIN filer, the IRS could be inefficiently using its limited compliance resources to unnecessarily work underreporter cases.  If the 378,418 individuals whose Social Security Numbers (SSN) were used were identified by the Automated Underreporter (AUR) function as underreporter cases, the IRS would needlessly spend approximately $8.5 million in resources to close these cases with no changes.  This was calculated as follows:

Calculation of Total Salaries for AUR Function Employees for Fiscal Year 2004

| Item | Amount |
|---|---|
| Permanent salaries | $27,165,343 |
| Temporary salaries | $11,820,606 |
| Overtime | $2,066,222 |
| Night differential | $652,053 |
| Premium dollars | $784 |
| Total salaries | $41,705,008 |

Calculation of Average Salary for AUR Function Employees

| Item | Amount |
|---|---|
| Total permanent, temporary, overtime, night differential, and premium dollars | $41,705,008 |
| Total Full-Time Equivalents (FTE) | 819 |
| Average salary (total salaries/FTEs) | $50,922 |

 

Calculation of Time to Close an AUR Function Case

| Item | Amount |
|---|---|
| Minutes in a work year (2,096 hours x 60 minutes) | 125,760 |
| Cases closed in Fiscal Year 2004 | 2,257 |
| Time to close an AUR function case (minutes in a work year/cases closed) | 56 minutes |

 

Calculation of Cost to Close an AUR Function Case

| Item | Amount |
|---|---|
| Average salary | $50,922 |
| Minutes in a work year | 125,760 |
| Cost per minute (average salary/minutes in a work year) | $.40 |
| Minutes to work/close an AUR function case | 56 |
| Cost to close an AUR function case ($.40 per minute x 56 minutes to work) | $22.40 |

 

Calculation of Inefficient Use of Resources

| Item | Amount |
|---|---|
| Cost to close an AUR function case | $22.40 |
| ITIN tax returns with wages and no associated Form W-2 | 378,418 |
| Inefficient use of resources if these cases did not go to the AUR function | $8.5 million |

 

Type and Value of Outcome Measure:

·         Increased Revenue – Potential; $9 billion ($1.8 billion annually over 5 years) (see page 9).

Methodology Used to Measure the Reported Benefit:

We analyzed 7.9 million Forms W-2 using criteria similar to that in a new tax withholding compliance program the IRS is initiating in Fiscal Year 2005.  We eliminated from our results Forms W-2 that meet the dollar tolerance for inclusion in this new compliance program.  We also eliminated the Forms W-2 with earnings less than $7,950, the income threshold required for an individual if the filing status is single with no dependents.  In addition, we eliminated any individuals who filed a tax return for TY 2002.  Our analysis identified:

  • A total of 1,086,195 Forms W-2 on which the SSN was not used to file a TY 2002 tax return. 
  • Wages earned averaged $18,165, with taxes withheld averaging $264.
  • If the IRS required the individuals in the above population to withhold at the single withholding rate with 0 exemptions, using the average wages of $18,165, individuals would be required to have 10.86 percent of their wages withheld.  This would result in a potential $1.8 billion in increased tax being withheld.

The following is the calculation for the increased revenue:

Calculation of Invalid Forms W-2 (Grouped by the SSN) ****(b)(7)(E)****, Wages Between $7,950 and the IRS Withholding Compliance Program Dollar Tolerance, and No Tax Return Filed

| Item | Amount |
|---|---|
| Total invalid Forms W-2 (wages between $7,950 and the IRS withholding compliance program dollar tolerance) | 1,822,995 |
| Number of SSNs from invalid Forms W-2 used to file a tax return as the Primary taxpayer | 391,701 |
| Number of SSNs from invalid Forms W-2 used to file a tax return as the Secondary taxpayer | 151,340 |
| Total invalid Forms W-2 (****(b)(7)(E)**** and wages between $7,950 and the IRS withholding compliance program dollar tolerance) | 1,511,220 |
| Number of invalid Forms W-2 on which the SSN was not used to file a TY 2002 tax return | 1,086,195 |
| Average wages | $18,165 |
| Average withholding | $264 |
| Total wages | $19.7 billion |
| Total withholding | $287 million |

 

Calculation of Increased Revenue for Invalid Forms W-2 (Grouped by the SSN) ****(b)(7)(E)****, Wages Between $7,950 and the IRS Withholding Compliance Program Dollar Tolerance, and No Tax Return Filed

| Item | Amount |
|---|---|
| Total wages | $19.7 billion |
| Single with 0 exemptions withholding rate for average wages of $18,165 | 10.86 percent |
| Total withholding for single with zero exemptions withholding rate | $2.1 billion |
| Actual withholding on the 1,086,195 invalid Forms W-2 that were not used to file a TY 2002 tax return | $287 million |
| Additional withholding for single with zero exemptions withholding rate | $1.8 billion |
| Projection over 5 years | $9 billion |

 

Appendix V

 

Management’s Response to the Draft Report

 

The response was removed due to its size.  To see the response, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.