TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

 

 

The Income Verification Express Services Program Needs Improvements to Better Protect Tax Return Information

 

 

 

January 26, 2011

 

Reference Number:  2011-40-014

 

 

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number   |  202-622-6500

Email Address   |  TIGTACommunications@tigta.treas.gov

Web Site           |  http://www.tigta.gov

 

 

HIGHLIGHTS

 

The Income Verification Express Services Program Needs Improvements to Better Protect Tax Return Information

Highlights

Final Report issued on January 26, 2011

Highlights of Reference Number:  2011-40-014 to the Internal Revenue Service Commissioner for the Wage and Investment Division.

IMPACT ON TAXPAYERS

Borrowers cannot obtain loans unless they sign a consent that allows the Internal Revenue Service (IRS) to disclose their nonpublic income information to their lenders.  Lenders can obtain this income information from the Income Verification Express Services (IVES) Program.  Taxpayers’ personally identifiable information is at risk of theft or misuse when taxpayers submit IVES requests for tax return information through third parties because controls are insufficient to ensure taxpayer information the IRS provides to IVES Program participants is protected.

WHY TIGTA DID THE AUDIT

Personally identifiable information, such as a Social Security Number, is the most valuable tool an identity thief can obtain to commit financial fraud.  It becomes even more valuable if it is linked to other personal data, such as income information used to prepare a tax return.  The IRS should be able to assure taxpayers that it is taking every precaution possible to protect their personal information.

The overall objective of this review was to evaluate regulations and IVES enrollment policies that ensure lenders, such as banks, and companies that specialize in making third-party requests for lenders (Income Verification Specialists) properly protect taxpayers’ tax return information. 

WHAT TIGTA FOUND

IVES Program participants obtain and collect large quantities of taxpayers’ personally identifiable information and associated tax return information that could be used to commit identity theft.  During the last two calendar years, the IVES Program processed more than 10 million requests annually. 

Nonetheless, the IRS does not have a screening process and does not define minimum requirements in the form of a user agreement to help ensure IVES Program participants meet minimum standards and protect tax return information.  To be eligible to receive large quantities of taxpayer income information from the IRS via the IVES Program, applicants simply must submit an IVES application and register for e-Services.  In addition, the IRS does not require IVES Program participants to maintain electronic security and not disclose the information they receive from the IRS to nonaffiliated third parties.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Commissioner, Wage and Investment Division, (1) develop and enforce minimum requirements for the IVES Program; (2) update the IVES application to include a statement that taxpayer information can only be used for the purpose the taxpayer intended as well as ensuring the current version is provided to all applicants, is posted on IRS.gov, and is the only version accepted; (3) within one year of revising the IVES application, contact and obtain a completed application from all current IVES Program participants; and (4) revise transcript request forms to allow taxpayers to limit lenders’ disclosure of their tax return information to nonaffiliated third parties only if it is in the course of processing or selling their loan.

The IRS agreed with our recommendations and plans to (1) explore minimum requirements for IVES participants; (2) revise the IVES application and ensure it provides the current version to all IVES applicants and on IRS.gov and only accepts the most current version from applicants; (3) obtain a completed version of the new form from all IVES Program participants; and (4) develop the necessary language for transcript request forms to allow taxpayers to limit lenders’ disclosure.

 

January 26, 2011

 

 

MEMORANDUM FOR COMMISSIONER, WAGE AND INVESTMENT DIVISION

 

FROM:                            Michael R. Phillips /s/ Michael R. Phillips

                                         Deputy Inspector General for Audit

 

SUBJECT:                    Final Audit Report – The Income Verification Express Services Program Needs Improvements to Better Protect Tax Return Information (Audit # 201040043)

 

This report presents the results of our review to evaluate regulations and Income Verification Express Services (IVES) enrollment policies that ensure lenders, such as banks, and companies that specialize in making third-party requests for lenders (Income Verification Specialists) properly protect taxpayers’ tax return information.  This audit is included in our Fiscal Year 2011 Annual Audit Plan and addresses the major management challenge of Taxpayer Protection and Rights.

Management’s complete response to the draft report is included as Appendix IV.

Copies of this report are also being sent to the Internal Revenue Service managers affected by the report recommendations.  Please contact me at (202) 622-6510 if you have questions or Michael E. McKenney, Assistant Inspector General for Audit (Returns Processing and Account Services), at (202) 622-5916.

 

 

Table of Contents

 

Background

Results of Review

Controls Over the Income Verification Express Services Program Need Strengthening to Protect Tax Return Information From Disclosure

Recommendations 1 through 4:

Appendices

Appendix I – Detailed Objective, Scope, and Methodology

Appendix II – Major Contributors to This Report

Appendix III – Report Distribution List

Appendix IV – Management’s Response to the Draft Report

 

 

Abbreviations

 

CBSV

Consent-Based Social Security Number Verification

e-file

electronic file

IRS

Internal Revenue Service

IVES

Income Verification Express Services

 

 

Background

 

Personally identifiable information, such as a Social Security Number, is the most valuable tool an identity thief can obtain to commit financial fraud.  It becomes even more valuable if it is linked to other personal data, such as income information used to prepare a tax return.  More than 142 million taxpayers entrust the Internal Revenue Service (IRS) with sensitive financial and personal data, much of it on paper documents requiring protection.  The law requires that tax returns and return information shall be confidential, except as authorized.  The definition of tax return information includes a taxpayer’s identity and the nature, source, or amount of income, payments, receipts, deductions, exemptions, credits, assets, liabilities, net worth, tax liability, and tax withheld.

Taxpayers commonly request tax return transcripts[1] for many reasons, which include verifying income to obtain a loan.  They can order the transcripts directly from the IRS or others can order the transcripts on the taxpayer’s behalf.  Lenders, Income Verification Specialists,[2] and other entities verify income information on behalf of a taxpayer through the IRS’s Income Verification Express Services (IVES) Program.

Lenders that loan money to individuals (borrowers) for mortgages require borrowers to verify their income before they approve their loans.[3]  This is accomplished by the borrower signing a consent form that allows the lender to obtain a transcript of the borrower’s tax information directly from the IRS.

For lenders to obtain transcripts, borrowers complete and provide the lender with either a completed Request for Transcript of Tax Return (Form 4506-T) or a Short Form Request for Individual Tax Return Transcript (Form 4506T-EZ).  The request must include the name, address, and telephone number of the third party to whom the IRS should send the income information—typically, the lender or an Income Verification Specialist.

A signed Form 4506-T or 4506T-EZ must be submitted to the IRS within 120 days of the borrower’s signature date.  To obtain updated information, lenders should ask borrowers to complete and sign a new request form.  In the past, to avoid this burden, lenders asked borrowers to sign blank request forms when applying for loans.  In response, the IRS added a statement to the top of Form 4506-T instructing borrowers to not sign the form unless all applicable lines have been completed; however, the latest revision does not contain that statement.

Lenders that enroll in the IRS e-Services[4] Program can use the IVES Program to fax bulk requests (Forms 4506-T and 4506T-EZ) to one of the five IRS Return and Income Verification Services units.[5]  The Return and Income Verification Services units use the Transcript Delivery System[6] to deliver tax return transcripts electronically to IVES participants’ secure mailboxes (Secure Object Depository) located on the e‑Services electronic platform.  Lenders also contract with Income Verification Specialists to order and obtain the transcripts for them.

The IVES Program automates bulk requests received from businesses that routinely submit a high volume of requests as part of their business operations (e.g., large mortgage or income verification companies).  The IVES Program generally delivers transcripts to requestors within 2 business days.  Participants retrieve their transcripts from a secure mailbox.  During the last 2 calendar years, the IVES Program processed more than 10 million requests annually.  It currently charges $2.25 for each request. 

IRS e-Services and the IVES Program

Lenders and Income Verification Specialists must apply to the IRS’s e-Services and to the IVES Program to request bulk transcripts.

  • To register for e-Services, applicants must provide their legal name, Social Security Number, date of birth, telephone number, home and email address, and the Adjusted Gross Income from either the applicant’s current year or prior year filed tax return. 
  • To register for the IVES Program, each participating company must complete an IVES Application (Form 13803).  Form 13803 requests basic information about the business, including name, address, telephone number, and fax number.  It also requires the name of the principal owner or controlling officer of the company.  The principal can be the owner, business manager, or officer who has the responsibility to administer the company’s participation in the IVES Program.  The form also asks for a primary point of contact that would be available on a daily basis in case the IRS needs to contact the company.  Finally, it asks for a Responsible Official, or the person who manages the IVES Program at each business office location.  The company can choose to designate a Responsible Official or just a principal to oversee the process.

Once accepted into the IVES Program, participants can submit completed Forms 4506-T or 4506T-EZ to confirm the income of taxpayers. 

Laws and regulations

Various laws address how third parties may disclose taxpayer information they obtain from the IRS.  Title V of the Gramm-Leach-Bliley Act[7] specifically addresses disclosure and security laws for lenders and Income Verification Specialists working for lenders.

Exceptions to the Gramm-Leach-Bliley Act allow lenders to disclose borrowers’ personal income information with nonaffiliated third parties.

The Gramm-Leach-Bliley Act contains restrictive privacy provisions relating to borrowers’ income information; however, lenders may still share taxpayers’ income information with third parties when they obtain it while servicing or processing a financial product or service that an individual requests (such as a mortgage loan).  For example, lenders may disclose income information to nonaffiliated third parties in the course of selling a loan on the secondary market without giving notice to the borrower or allowing them to “opt out.”  Lenders may also disclose income information to any third party (such as marketers) if the borrower does not specifically instruct the lender not to do so by “opting out.”  Lenders must provide notices to their customers and consumers about their information-collection and information-sharing practices and give them the option to “opt out.”  Figure 1 provides a list of the various laws and regulations on disclosure of taxpayer information.

Figure 1:  Laws and Regulations Regarding
Disclosure of Taxpayer Information

Gramm-Leach-Bliley Act

Title V of the Act restricts how lending institutions may share borrowers’ income information, including income information received from the IRS; however, lenders may still share taxpayers’ income information with third parties in connection with servicing or processing a financial product or service that an individual requests (such as a mortgage loan). 

Such institutions must develop and give notice of their privacy policies to their own customers and/or consumers before disclosing any individual's nonpublic personal information (which includes personal financial information to nonaffiliated third parties, thus giving notice and an opportunity for that individual to "opt out" from such disclosure.  This notice must be provided at least annually.

Lenders may also disclose income information to nonaffiliated third parties in the course of selling a loan on the secondary market without giving notice to the borrower or allowing them to “opt out.”

Internal Revenue Code Section 6103

Tax return information is confidential and no officer or Federal employee should disclose tax return information except as authorized.

Section 6103(c) authorizes the Treasury Secretary to prescribe requirements and conditions that would allow officers and Federal employees to disclose tax return information to persons the taxpayer designates in a request for or consent to such disclosure.

Internal Revenue Code Section 7216

Section 7216 applies to any person who is engaged in the business of preparing, or providing services in connection with the preparation of, tax returns for compensation.  Any such person who knowingly or recklessly discloses any information furnished to him or her for, or in connection with, the preparation of any such tax return, or uses any such information for any purpose other than to prepare, or assist in preparing, any such return, shall be guilty of a misdemeanor.

Privacy Act of 1974[8]

With specifically mentioned exceptions, no agency shall disclose any record which is contained in a system of records,[9] except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains. 

Agencies with systems of records (for example, taxpayer information) must establish appropriate administrative, technical, and physical safeguards to ensure the information contained in the records remains secure and confidential.  This includes protecting the information against threats or hazards which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom the agency maintains information.

In addition, each agency shall keep an accurate accounting of the date, nature, and purpose of each disclosure to any person or agency, as well as the name and address of the person or agency to whom disclosure is made.

Source:  Laws as cited.

This review was performed at the Wage and Investment Division Headquarters in Atlanta, Georgia, and the Return and Income Verification Services unit in Kansas City, Missouri, during the period June through October 2010.  We conducted this performance audit in accordance with generally accepted government auditing standards.  Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives.  We believe that the evidence obtained provides a reasonable basis for our finding and conclusions based on our audit objective.  Detailed information on our audit objective, scope, and methodology is presented in Appendix I.  Major contributors to the report are listed in Appendix II.

 

 

Results of Review

 

Controls Over the Income Verification Express Services Program Need Strengthening to Protect Tax Return Information From Disclosure

Taxpayer information is at risk of theft or misuse when taxpayers submit requests for tax return information through third parties because controls are insufficient to ensure taxpayer information the IRS provides to IVES Program participants is protected.  Laws and regulations that protect taxpayer information do not always cover IVES Program participants. 

  • IVES Program participants are not required to meet any minimum standards or similar standards the IRS established for Electronic File (e‑file) Providers[10] and contractors. 
  • The IRS does not require that IVES Program participants agree to maintain electronic security and not disclose the information they receive from the IRS to nonaffiliated third parties.

Also, limited testing showed that IVES Program participants may be altering Forms 4506-T after taxpayers sign the forms.

The IRS has significant controls over e‑file Providers that submit tax returns and taxpayer information to the IRS, but controls are limited for IVES Program participants that receive taxpayer information from the IRS.  Taxpayers need to be assured that the IRS is taking every precaution to protect their tax return information.  This includes, but is not limited to, processing taxpayer requests for transcripts.  IVES Program participants can obtain and collect large quantities of personally identifiable information and associated taxpayer income information that could be at risk for identity theft.[11]

The IRS does not set minimum requirements or conduct suitability tests on the IVES Program applicants

E-file Provider applicants must meet program requirements and suitability checks in order to submit tax returns to the IRS.  See Figure 2 for the types of e‑file Providers. 

Figure 2:  Types of Authorized IRS E-File Providers

Electronic Return Originator

Electronic Return Originators originate the electronic submission of tax returns to the IRS.

Intermediate Service Providers

Intermediate Service Providers assist with processing tax return information between Electronic Return Originators (or the taxpayer in the case of Online Filing) and a Transmitter.

Online Providers

Online Providers allow taxpayers to self-prepare tax returns by entering return data directly on commercially available software, through software downloaded from an Internet site and prepared offline, or through an online Internet site.

Reporting Agent

Reporting Agents originate the electronic submission of certain returns for their clients, and/or transmit the returns to the IRS.  A Reporting Agent must be an accounting service, franchiser, bank, or other similar entity,

Software Developers

Software Developers write either origination or transmission software according to the IRS e-file specifications.

Transmitters

Transmitters send electronic return data directly to the IRS.  Electronic Return Originators and Reporting Agents may apply to be Transmitters and transmit return data themselves, or they may contract with an accepted third-party Transmitter that can transmit the data for them. 

Source:  IRS e-file Application and Participation (Publication 3112).

The requirements and suitability checks for the e-file Provider Program state applicants must be: 

  • A United States citizen or legal resident alien.
  • 21 years of age as of the date of the application.

Suitability checks may include:

  • Criminal background check. 
  • Credit history check. 
  • Tax compliance check to ensure all required tax returns are filed and paid and to identify fraud and preparer penalties.

The IRS also verifies the status of e‑file Provider applicants who submit professional certifications in lieu of a fingerprint card to ensure they are still in good standing with the particular organizations that issued the certifications.

IRS contractors must also meet minimum standards and submit fingerprints for a background investigation before the IRS will share taxpayer information with them.  In addition to the background investigation, an individual who will have access to taxpayer information must be Federal tax compliant, a United States citizen or have lawful permanent resident status, and registered with the Selective Service (for males born after 1959).

However, IVES Program participants meet no minimum requirements and the IRS verifies only an applicant’s name, Social Security Number, and date of birth.  It does not conduct any suitability tests (e.g., criminal background checks or tax compliance checks).

IVES Program participants are not always covered by laws that protect taxpayer information

Most IVES Program participants are not covered by the same disclosure laws as tax return preparers.  Internal Revenue Code Section 7216 states that any person engaged in the business of preparing tax returns and who knowingly or recklessly discloses information in connection with the preparation of tax returns or uses any of the information for any purpose other than to prepare a tax return shall be guilty of a misdemeanor.  Upon conviction, the preparer shall be fined not more than $1,000 and/or imprisoned not more than 1 year.

Disclosure provisions for tax information in the Gramm-Leach-Bliley Act cover lenders, but it provides exceptions for disclosure when lenders are servicing or processing a financial product or service that an individual requests (such as a mortgage loan).  Lenders may share loan information, including tax information, with third parties unless the borrower specifically requests the lender not do so.

There are no laws that specifically apply to Income Verification Specialists unless they are working on behalf of an entity covered by an existing law or regulation.  For example, the Gramm-Leach-Bliley Act applies to Income Verification Specialists if they work on behalf of a lender and there is a contractual agreement between both parties.  In this case, the lender is responsible for specifying the data security safeguards against threats or hazards that the Income Verification Specialists must follow and monitor how they handle taxpayer information.

A review of a list of IVES Program participants showed that there were 1,695 participants in the IVES Program as of August 2010.  From the information the IRS retains on IVES participants, we could not determine if the participants would come under one of the laws that prevent disclosure of taxpayer information.  The IRS does not require applicants to provide the purpose of their participation in the IVES Program.  The Form 13803 requests names, contact information, and Social Security Numbers, but when asked for the Social Security Numbers for the participants, the IRS was unable to provide them to us during our fieldwork.

In November 2009, the Department of the Treasury announced e-signature[12] guidelines for the Home Affordable Modification Program and provided guidance on the methodology for using electronic signatures to complete the process.  The only document in the package that borrowers cannot electronically sign under Treasury guidelines is the Form 4506-T.  The IRS’s inability to implement an e‑signature program for Forms 4506-T within the lending industry is an indirect result of the vulnerabilities of the IVES Program.  In contrast with e-signatures accepted from e-file Providers who are screened, IRS management is not prepared to accept the risk of receiving e-signatures from IVES Program participants because they have not been subjected to the same requirements.

Prior to November 2009, the IVES Program did not require participants to agree to any rules, conditions, or terms that provide safeguards over tax information

Form 13803 (November 2009) provides IVES Program applicants with the following:

We are now offering a Transcript Delivery System (TDS) bulk upload process which allows you to create a text file for submission of multiple requests on one spreadsheet.  Please mark this box if you wish to utilize the TDS bulk upload feature.

    By marking this box, you agree to review Publication 4557, Safeguarding Taxpayer Data, and to abide by the guidelines of the publication.

The prior version of Form 13803, dated September 2006, did not include these statements.  Safeguarding Taxpayer Data (Publication 4557) provides guidelines on establishing safeguards for IVES Program applicants:

·         Preserve the confidentiality and privacy of taxpayer data by restricting access and disclosure.

·         Protect the integrity of taxpayer data by preventing improper or unauthorized modification or destruction.

  • Maintain the availability of taxpayer data by providing timely and reliable access and data recovery.

However, Publication 4557 only restricts disclosure of taxpayer information, but does not prohibit it.  In addition, at the time of this audit, the November 2009 version had not been posted on IRS.gov; therefore, there is no assurance that any applicants are aware of these requirements or are following them.

The Social Security Administration has an extensive User Agreement for its Consent-Based Social Security Number Verification (CBSV) Program that:

  • Details Program use.
  • Restricts the use of information provided.
  • States how CBSV Program participants should conduct annual compliance reviews.
  • Outlines participants’ responsibilities.

When the Social Security Administration releases information to program subscribers, the recipients may use it only for reasons specified by the taxpayer.  The IRS does not make similar restrictions for taxpayer information.

The CBSV Program is a fee and consent-based Social Security Number verification service available to, among others, private companies.[13]  Participating companies can use the CBSV Program to verify if a name and Social Security Number combination match the data in the Social Security Administration’s records.  For each Social Security Number and name combination submitted to the CBSV Program, the Social Security Administration confirms that the submission either matches or does not match Social Security Administration records.

Similar to Form 4506-T transcript requests sent to the IRS, the CBSV Program requires the written consent of the Social Security Number holder before it will provide the requestor with information.  However, the Social Security Administration allows only the requesting party to use the information they receive for the reason for which the Social Security Number holder specifies on the consent form.

The IRS does not include a space on either Form 4506-T or Form 4506T-EZ for taxpayers to specify the reason for disclosure or limit the use of the Forms for that use.  The IRS does provide a warning to taxpayers on the Forms 4506-T that states the following:

If the transcript or tax information is to be mailed to a third party (such as a mortgage company), enter the third party’s name, address, and telephone number.  The IRS has no control over what the third party does with the tax information.

The Social Security Administration states that noncompliance with the User Agreement may be grounds for suspension or dismissal from the CBSV Program.  The only cause for suspension listed when applying for the IVES Program is failure to timely pay fees.  The suspension lasts until such time that the participant pays all outstanding invoices in full.  While e-Services reserves the right to deny users access to any electronic services, products, and/or applications if the IRS becomes aware of misuse or abuse, such misuses (for example, the submission of a recycled or altered Form 4506-T) are not defined.

Limited tests showed some Forms 4506-T may be altered after the taxpayers signed them.

A limited review of completed IVES Program transcript requests identified faxed copies on which the third party presumably used a sticker to complete line 5 on the Form 4506-T.  Line 5 asks for third-party information if the IRS is to mail the transcript to a third party.  Because of this, we were unable to determine if the taxpayers signed the Form 4506-T with another third party’s name in line 5 and the company subsequently covered line 5 with a sticker.  The IRS’s Internet instructions instruct IVES Program participants to insert the company’s name and address on line 5 after the taxpayers have completed and signed the Form.

IRS Internet Instructions for Completing Form 4506-T

Have the taxpayer complete and sign Form 4506-T according to the instructions provided with the form.  On line 5 (designation of a third party to whom the transcript is to be delivered) insert your company’s name, address, facsimile number, and the delegate’s user-ID for secure mailbox delivery.

 

As we have reported, the IRS continues to implement improvements to its e‑file Provider Program controls to ensure only authorized providers participate in the e‑file Provider Program.[14]  The IRS should now ensure that IVES Program participants are also subject to similar controls.  It should also ensure that IVES Program participants, like those in the Social Security Administration’s CBSV Program, are required to maintain electronic security over taxpayer data and are prohibited from disclosing information they receive from the IRS on behalf of taxpayers and lenders.

Unauthorized disclosure of tax return information puts taxpayers at risk for improper use of their information, including identity theft.  Identity theft occurs when someone uses personally identifiable information, such as an individual’s name, Social Security Number, credit card numbers, or other account information, to commit fraud and other crimes.  Taxpayers need to be assured that the IRS is taking every precaution to protect their tax return information.  This includes, but is not limited to, processing taxpayers’ requests for transcripts.  IVES Program participants, most of whom may be lenders and/or Income Verification Specialists, obtain and collect large quantities of personally identifiable information and taxpayer income information that is vulnerable to disclosure if controls are not sufficient to protect it.

Recommendations

The Commissioner, Wage and Investment Division, should:

Recommendation 1:  Develop and enforce minimum requirements for the IVES Program that would help ensure participants are suitable to have a working relationship with the IRS and receive taxpayer information from the IVES program.

Management’s Response:  The IRS agreed to explore minimum requirements for IVES participants, including background investigations and tax compliance checks.

Recommendation 2:  Update Form 13803 to include a statement that taxpayer information can only be used for the purpose the taxpayer/requestor intended.  Ensure the current version of Form 13803 is provided to all applicants, is posted on IRS.gov, and is the only version accepted.  

Management’s Response:  The IRS agreed with this recommendation.  It will revise Form 13803 as requested.  The IRS will ensure the current version of Form 13803 is provided to all IVES applicants and is posted on IRS.gov.  It will also accept only the most current version from applicants.

Recommendation 3:  Within 1 year of revising Form 13803, contact and obtain a completed Form 13803 from all current IVES Program participants.

Management’s Response:  The IRS agreed with this recommendation.  Once it revises the Form 13803, the IRS will contact all current IVES Program participants and obtain a current version of the form.

Recommendation 4:  Revise Forms 4506-T and 4506T-EZ to allow taxpayers to limit lending institutions’ disclosure of their tax return information to nonaffiliated third parties only if it is in the course of processing or selling their loan.

Management’s Response:  The IRS agreed with this recommendation.  The Tax Forms and Publications function will work closely with IRS Chief Counsel to develop the necessary language.

 

Appendix I

 

Detailed Objective, Scope, and Methodology

 

The overall objective of this review was to evaluate regulations and IVES enrollment policies that ensure lenders, such as banks, and companies that specialize in making third-party requests for lenders (Income Verification Specialists[15]) properly protect taxpayers’ tax return information.  To accomplish our objective, we:

I.                   Determined how current regulations, laws, and IRS policies could be amended or modified to ensure third parties and lenders properly protect taxpayers’ tax return information from improper disclosure or theft.

A.    Talked to representatives from the Department of the Treasury’s Office of the Comptroller of Currency to identify current laws and regulations addressing the protection of tax return information by lenders and Income Verification Specialists.

B.     Discussed with IRS management the risks associated with sending tax return information to third parties and lenders.

C.     Identified changes or additions to current laws and regulations (or the need for a new law or regulation) that would reduce the risk of third parties and lenders improperly using or disclosing tax return information as well as ensuring the data are protected from theft.

II.                Determined how the IRS could strengthen IVES Program enrollment policies to ensure third parties adequately protect tax return information from improper disclosure or theft.

A.    Determined if the IRS requires IVES Program participants to meet specific standards for disclosure and security requirements.

B.     Identified and evaluated the potential security requirements for IVES Program participants, especially third parties and lenders, which would help prevent identity theft[16] and improper disclosure of tax return information.

III.             Determined if third parties and lenders are improperly using Request for Transcript of Tax Return (Form 4506-T) or a Short Form Request for Individual Tax Return Transcript (Form 4506T-EZ) by reusing or resubmitting altered copies of the forms to request updated information from the IRS.

A.    Obtained a list of IVES Program participants and reviewed the Transcript Delivery System[17] to determine which participants are lenders or third parties who specialize in providing tax return information to lenders.

B.     Reviewed 391 hard copy Forms 4506-T at the Kansas City, Missouri, IVES Program location to determine if we could identify instances of alterations, post-dating by third parties, or forms submitted after 120 days of signature.

Internal controls methodology

Internal controls relate to management’s plans, methods, and procedures used to meet their mission, goals, and objectives.  Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations.  They include the systems for measuring, reporting, and monitoring program performance.  We determined the following internal controls were relevant to our audit objective:  the IRS policies, procedures, and practices for helping to ensure the people to whom it is sending large amounts of taxpayer information will appropriately protect it.  We evaluated these controls by performing the steps previously noted.

 

Appendix II

 

Major Contributors to This Report

 

Michael E. McKenney, Assistant Inspector General for Audit (Returns Processing and Account Services)

Augusta R. Cook, Director

Wilma Figueroa, Audit Manager

Kenneth Carlson, Lead Auditor

Pamela M. DeSimone, Senior Auditor

Patricia A. Jackson, Senior Auditor

 

Appendix III

 

Report Distribution List

 

Commissioner  C

Office of the Commissioner – Attn:  Chief of Staff  C

Deputy Commissioner for Operations Support  OS

Deputy Commissioner for Services and Enforcement  SE

Deputy Chief Information Officer for Strategy/Modernization  OS:CTO

Deputy Commissioner of Operations, Wage and Investment Division  SE:W

Deputy Commissioner of Services, Wage and Investment Division  SE:W

Director, Privacy, Information Protection, and Data Security  OS:P

Director, Customer Account Services  SE:W:CAS

Director, Submission Processing  SE:W:CAS:SP

Director, Electronic Products and Services Support, Wage and Investment Division  SE:W:CAS:E:PSS

Chief Counsel  CC

Chief, Program Evaluation and Improvement, Wage and Investment Division  SE:W:S:PRA:PEI

National Taxpayer Advocate  TA

Director, Office of Legislative Affairs  CL:LA

Director, Office of Program Evaluation and Risk Analysis  RAS:O

Office of Internal Control  OS:CFO:CPIC:IC

Audit Liaison:  Chief, Program Evaluation and Improvement, Wage and Investment Division  SE:W:S:PRA:PEI

 

Appendix IV

 

Management’s Response to the Draft Report

 

DEPARTMENT OF THE TREASURY

INTERNAL REVENUE SERVICE

ATLANTA. GA 30308

 

               COMM1SSIONER

WAGE AND INVESTMENT DIVISION

 

 

December 21, 2010

 

 

MEMORANDUM FOR MICHAEL R. PHILLIPS

    DEPUTY INSPECTOR GENERAL FOR AUDIT

 

FROM:                            Richard Byrd. Jr. /s/ Richard Byrd

    Commissioner, Wage and Investment Division

 

SUBJECT:                     Draft Audit Report – The Income Verification Express Services Program Needs Improvement to Better Protect Tax Return Information (Audit #201040043)

 

We have reviewed the subject draft report and agree that the laws and regulations that protect taxpayer information do not always cover Income Verification Express Services (IVES) Program participants. The IVES is an extremely useful and valuable customer service that facilitates taxpayers’ ability to obtain home loans and other financing by affording them a prompt, secure, and accurate way to provide potential lenders verification of income. While your report states that the taxpayers’ personally identifiable information is at risk of theft or misuse when taxpayers submit IVES requests for tax return information, you did not actually visit IVES participants or otherwise determine that any such theft or misuse has occurred. Further, there is nothing in your report that reflects any instances of unauthorized disclosures by the IRS. We agree that measures could be taken to further ensure a taxpayer’s return information disclosed to third party IVES participants, is used only for its intended purpose, which is usually to secure a home loan.

It is important to understand that after the IRS discloses return information to an IVES participant pursuant to the taxpayer’s authorization and request, the IRS generally has no legal control over what the third party does with the information. Similar to other disclosures made by IRS under Internal Revenue Code (IRC) section 6103, Disclosure of returns and return information to designee of taxpayer, IRS is required by law to ensure the initial disclosure is authorized. As your report correctly points out, most IVES participants are not covered by the same reckless disclosure and use limitations as tax return preparers under IRC section 7216. Accordingly, under the applicable law, including the Privacy Act of 1974, once a taxpayer’s information is legally disclosed to an IVES participant at the taxpayer’s request, generally there are no further statutory controls limiting use or further disclosure of this information. As a result, the only method available to the IRS to impose any subsequent limited use or non-disclosure restrictions, is through the IVES Application Agreement (Form 13803) each applicant must execute as a condition of participating in the program.

While IRS agrees to strengthen the IVES Application Agreement to better address protection and use of taxpayer information, it should be clearly understood that IRS background investigations, or compliance reviews of IVES participants prior to acceptance into the program would not detect any inappropriate use of a taxpayer’s return data. Further, because the IVES program honors over 10 million taxpayer requests to provide their transcripts to almost 1,700 IVES participants annually, IRS does not currently conduct, and does not have the resources to implement, participant compliance reviews after initial suitability has been determined.

Regarding your recommendation to develop and enforce minimum IVES participant requirements, we will explore the feasibility of implementing background investigations and/or tax compliance checks (verification of federal tax compliance) as minimum requirement for participation in the IVES program. Since IVES is a user fee program, the cost of administering any suitability determination process will also have to be addressed and consistent with reimbursable program guidelines.

Regarding your recommendation to develop a user agreement ensuring that IVES participants protect the taxpayer data they are authorized to receive and that limits the use of this data to the purposes that the taxpayer intended, IRS has no statutory or regulatory authority to impose such restrictions. We agree to develop a modified Form 13803 to include a statement that IVES participants can only use the taxpayer information they receive via Form 4506-T for the purpose(s) specified by the taxpayer/requestor. The IVES application will also continue to include guidance on safeguarding taxpayer data received from the IRS. In this regard, we currently ensure that any new IVES participants agree to review and abide by Publication 4557, Safeguarding Taxpayer Data:  A Guide for Your Business. Media and Publications is also reviewing Form 4506-T, Request for Transcript of Tax Return, and Form 4506T-EZ, Short Form Request for Individual Tax Return Transcript. This effort is to provide taxpayers the option to limit lending institutions’ disclosure of their tax return information to nonaffiliated third parties, except in the course of processing or selling their loan. As previously noted, IRS does not have the ability to police these restrictions.

Our comments to your recommendations are attached. If you have any questions, please contact me, or a member of your staff may contact Peter J. Stipek, Director, Customer Account Services, Wage and Investment Division, at (404) 338-8910.

 

Attachment

 

Attachment

 

The Commissioner, Wage Investment Division, should:

 

RECOMMENDATION 1

Develop and enforce minimum requirements for the IVES Program that would help ensure participants are suitable to have a working relationship with the IRS and receive taxpayer information from the IVES program.

CORRECTIVE ACTION

We agree to explore minimum requirements for Income Verification Express Services (IVES) participants to include a Background Investigation and/or Tax Compliance Check. 

IMPLEMENTATION DATE

January 15, 2013

RESPONSIBLE OFFICIALS

Director, Submission Processing, Wage and Investment Division

CORRECTIVE ACTION MONITORING PLAN

The IRS will monitor this corrective action as part of our internal management control system.

RECOMMENDATION 2

Update Form 13803 to include a statement that IVES Program participants can only use taxpayer information they receive via a Form 4506-T request for the purpose(s) they taxpayer/requestor intended.  In addition, ensure the current version of Form 13803 is provided to all participants, posted on IRS.gov, and is the only version accepted.

CORRECTIVE ACTION

We agree with this recommendation.  We will revise Form 13803, Income Verification Express Service (IVES) Application, as requested.  We will ensure the current version of Form 13803 is provided to all participants, posted on IRS.gov, and is the only version accepted. However, IRS does not have the resources to visit or otherwise verify IVES participants are in compliance with this agreement.

IMPLEMENTATION DATE

September 15, 2011

RESPONSIBLE OFFICIALS

Director, Submission Processing, Wage and Investment Division

CORRECTIVE ACTION MONITORING PLAN

The IRS will monitor this corrective action as part of our internal management control system.

RECOMMENDATION 3

Within 1 year of revising Form 13803, contact and obtain a completed Form 13803 from all current IVES Program participants.

 

CORRECTIVE ACTION

We agree with this recommendation.  Once the Form 13803 has been revised, we will contact all IVES Program participants and obtain a current version of the form.

IMPLEMENTATION DATE

September 15, 2012

RESPONSIBLE OFFICIALS

Director, Submission Processing, Wage and Investment Division

CORRECTIVE ACTION MONITORING PLAN

The IRS will monitor this corrective action as part of our internal management control system.

RECOMMENDATION 4

Revise Form 4506-T and 4506T-EZ to allow taxpayers to limit disclosure of their tax return information so that lenders may only share tax return information with nonaffiliated third parties if it is in the course of processing or selling their loan.

 

CORRECTIVE ACTION

We agree with this recommendation.  Tax Forms and Publications will work closely with IRS Chief Counsel to develop the necessary language.  However, IRS does not have the resources to visit or otherwise verify IVES participants are in compliance with this disclosure limitation.

IMPLEMENTATION DATE

January 15, 2012

RESPONSIBLE OFFICIALS

Director, Tax Forms and Publications, Wage and Investment Division

CORRECTIVE ACTION MONITORING PLAN

The IRS will monitor this corrective action as part of our internal management control system.



[1] Transcripts provide most of the information contained in a tax return.

[2] An Income Verification Specialist is a company that specializes in obtaining income information about individuals.  Lenders often use them to verify the income of loan applicants.

[3] Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub.L. No. 111-203, 124 Stat. 2143, enacted July 21, 2010.

[4] A suite of web-based products that allows tax professionals and taxpayers to conduct business with the IRS electronically.  These services are available 24 hours a day, 7 days a week, via the Internet. 

[5] The five Return and Income Verification Service units with Income Verification Express Services are located in Fresno, California; Kansas City, Missouri; Cincinnati, Ohio; Austin, Texas; and Ogden, Utah.

[6] The Transcript Delivery System automates the validation, processing, and delivery of taxpayer information to taxpayers or authorized third parties.  The Transcript Delivery System can be accessed by IRS employees and includes self-service electronic communication, whereby the user can request and receive a transcript interactively through the e-Services portal.

[7] Pub. L. No. 106-102, 113 Stat. 1338, enacted November 12, 1999.

[8] 5 U.S.C. § 552a (2006).

[9] The Privacy Act defines a system of records as a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.

[10] An authorized IRS e-file Provider is a business or organization authorized by the IRS to participate in IRS e-file.  It may be a sole proprietorship, partnership, corporation, or other entity.  Applicants accepted for participation in IRS e-file are Authorized IRS e-file Providers.

[11] Identity theft occurs when someone uses personally identifiable information, such as an individual’s name, Social Security Number, credit card numbers, or other personal information, to commit fraud and other crimes.

[12] An e-signature is an electronic process attached to or associated with a contract or other record and used as the legal equivalent of a written signature.

[13] To use the CBSV Program, users must pay a one-time, nonrefundable enrollment fee of $5,000 and then a transaction fee per Social Security Number verification request.  The transaction fee is currently $5.00 per request, and users must pay the fee in advance.

[14] Better Screening and Monitoring of E-File Providers Is Needed to Minimize the Risk of Unscrupulous Providers Participating in the E-File Program (Reference Number 2007-40-176, dated September 19, 2007).

[15] An Income Verification Specialist is a company that specializes in obtaining income information about individuals.  Lenders often use them to verify the income of loan applicants.

[16] Identity theft occurs when someone uses personally identifiable information, such as an individual’s name, Social Security Number, credit card numbers, or other personal information, to commit fraud and other crimes.

[17] The Transcript Delivery System automates the validation, processing, and delivery of taxpayer information to taxpayers or authorized third parties.  The Transcript Delivery System can be accessed by IRS employees and includes self-service electronic communication, whereby the user can request and receive a transcript interactively through the e-Services portal.