The Income Verification Express Services Program Needs Improvements to Better Protect Tax Return Information
January 26, 2011
Reference Number: 2011-40-014
This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.
Phone Number | 202-622-6500
Email Address | TIGTACommunications@tigta.treas.gov
Web Site | http://www.tigta.gov
HIGHLIGHTS
Final Report issued on January 26, 2011
Highlights of Reference Number: 2011-40-014 to the Internal Revenue Service Commissioner for the Wage and Investment Division.
IMPACT ON TAXPAYERS
Borrowers cannot obtain loans unless they sign a consent that allows the Internal Revenue Service (IRS) to disclose their nonpublic income information to their lenders. Lenders can obtain this income information from the Income Verification Express Services (IVES) Program. Taxpayers’ personally identifiable information is at risk of theft or misuse when taxpayers submit IVES requests for tax return information through third parties because controls are insufficient to ensure taxpayer information the IRS provides to IVES Program participants is protected.
WHY TIGTA DID THE AUDIT
Personally identifiable information, such as a Social Security Number, is the most valuable tool an identity thief can obtain to commit financial fraud. It becomes even more valuable if it is linked to other personal data, such as income information used to prepare a tax return. The IRS should be able to assure taxpayers that it is taking every precaution possible to protect their personal information.
The overall objective of this review was to evaluate regulations and IVES enrollment policies that ensure lenders, such as banks, and companies that specialize in making third-party requests for lenders (Income Verification Specialists) properly protect taxpayers’ tax return information.
WHAT TIGTA FOUND
IVES Program participants obtain and collect large quantities of taxpayers’ personally identifiable information and associated tax return information that could be used to commit identity theft. During the last two calendar years, the IVES Program processed more than 10 million requests annually.
Nonetheless, the IRS does not have a screening process and does not define minimum requirements in the form of a user agreement to help ensure IVES Program participants meet minimum standards and protect tax return information. To be eligible to receive large quantities of taxpayer income information from the IRS via the IVES Program, applicants simply must submit an IVES application and register for e-Services. In addition, the IRS does not require IVES Program participants to maintain electronic security and not disclose the information they receive from the IRS to nonaffiliated third parties.
WHAT TIGTA RECOMMENDED
TIGTA recommended that the Commissioner, Wage and Investment Division, (1) develop and enforce minimum requirements for the IVES Program; (2) update the IVES application to include a statement that taxpayer information can only be used for the purpose the taxpayer intended as well as ensuring the current version is provided to all applicants, is posted on IRS.gov, and is the only version accepted; (3) within one year of revising the IVES application, contact and obtain a completed application from all current IVES Program participants; and (4) revise transcript request forms to allow taxpayers to limit lenders’ disclosure of their tax return information to nonaffiliated third parties only if it is in the course of processing or selling their loan.
The IRS agreed with our recommendations and plans to (1) explore minimum requirements for IVES participants; (2) revise the IVES application and ensure it provides the current version to all IVES applicants and on IRS.gov and only accepts the most current version from applicants; (3) obtain a completed version of the new form from all IVES Program participants; and (4) develop the necessary language for transcript request forms to allow taxpayers to limit lenders’ disclosure.
January 26, 2011
MEMORANDUM FOR COMMISSIONER, WAGE AND INVESTMENT DIVISION
FROM: Michael R. Phillips /s/ Michael R. Phillips
Deputy Inspector General for Audit
SUBJECT: Final Audit Report – The Income Verification Express Services Program Needs Improvements to Better Protect Tax Return Information (Audit # 201040043)
This report presents the results of our review to evaluate regulations and Income Verification Express Services (IVES) enrollment policies that ensure lenders, such as banks, and companies that specialize in making third-party requests for lenders (Income Verification Specialists) properly protect taxpayers’ tax return information. This audit is included in our Fiscal Year 2011 Annual Audit Plan and addresses the major management challenge of Taxpayer Protection and Rights.
Management’s complete response to the draft report is included as Appendix IV.
Copies of this report are also being sent to the Internal Revenue Service managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Michael E. McKenney, Assistant Inspector General for Audit (Returns Processing and Account Services), at (202) 622-5916.
Appendices
Appendix I – Detailed Objective, Scope, and Methodology
Appendix II – Major Contributors to This Report
Appendix III – Report Distribution List
Appendix IV – Management’s Response to the Draft Report
Abbreviations
CBSV | Consent-Based Social Security Number Verification
e-file | electronic file
IRS | Internal Revenue Service
IVES | Income Verification Express Services
Personally identifiable information, such as a Social Security Number, is the most valuable tool an identity thief can obtain to commit financial fraud. It becomes even more valuable if it is linked to other personal data, such as income information used to prepare a tax return.
More than 142 million taxpayers entrust the Internal Revenue Service (IRS) with sensitive financial and personal data, much of it on paper documents requiring protection. The law requires that tax returns and return information shall be confidential, except as authorized. The definition of tax return information includes a taxpayer’s identity and the nature, source, or amount of income, payments, receipts, deductions, exemptions, credits, assets, liabilities, net worth, tax liability, and tax withheld.
Taxpayers commonly request tax return transcripts[1] for many reasons, which include verifying income to obtain a loan. They can order the transcripts directly from the IRS or others can order the transcripts on the taxpayer’s behalf. Lenders, Income Verification Specialists,[2] and other entities verify income information on behalf of a taxpayer through the IRS’s Income Verification Express Services (IVES) Program.
Lenders that loan money to individuals (borrowers) for mortgages require borrowers to verify their income before they approve their loans.[3] This is accomplished by the borrower signing a consent form that allows the lender to obtain a transcript of the borrower’s tax information directly from the IRS.
For lenders to obtain transcripts, borrowers complete and provide the lender with either a completed Request for Transcript of Tax Return (Form 4506-T) or a Short Form Request for Individual Tax Return Transcript (Form 4506T-EZ). The request must include the name, address, and telephone number of the third party to whom the IRS should send the income information—typically, the lender or an Income Verification Specialist.
A signed Form 4506-T or 4506T-EZ must be submitted to the IRS within 120 days of the borrower’s signature date. To obtain updated information, lenders should ask borrowers to complete and sign a new request form. In the past, to avoid this burden, lenders asked borrowers to sign blank request forms when applying for loans. In response, the IRS added a statement to the top of Form 4506-T instructing borrowers to not sign the form unless all applicable lines have been completed; however, the latest revision does not contain that statement.
Lenders that enroll in the IRS e-Services[4] Program can use the IVES Program to fax bulk requests (Forms 4506-T and 4506T-EZ) to one of the five IRS Return and Income Verification Services units.[5] The Return and Income Verification Services units use the Transcript Delivery System[6] to deliver tax return transcripts electronically to IVES participants’ secure mailboxes (Secure Object Depository) located on the e-Services electronic platform. Lenders also contract with Income Verification Specialists to order and obtain the transcripts for them.
The IVES Program automates bulk requests received from businesses that routinely submit a high volume of requests as part of their business operations (e.g., large mortgage or income verification companies). The IVES Program generally delivers transcripts to requestors within 2 business days. Participants retrieve their transcripts from a secure mailbox. During the last 2 calendar years, the IVES Program processed more than 10 million requests annually. It currently charges $2.25 for each request.
IRS e-Services and the IVES Program
Lenders and Income Verification Specialists must apply to the IRS’s e-Services and to the IVES Program to request bulk transcripts.
Once accepted into the IVES Program, participants can submit completed Forms 4506-T or 4506T-EZ to confirm the income of taxpayers.
Laws and regulations
Various laws address how third parties may disclose taxpayer information they obtain from the IRS. Title V of the Gramm-Leach-Bliley Act[7] specifically addresses disclosure and security laws for lenders and Income Verification Specialists working for lenders.
Exceptions to the Gramm-Leach-Bliley Act allow lenders to disclose borrowers’ personal income information with nonaffiliated third parties.
The Gramm-Leach-Bliley Act contains restrictive privacy provisions relating to borrowers’ income information; however, lenders may still share taxpayers’ income information with third parties when they obtain it while servicing or processing a financial product or service that an individual requests (such as a mortgage loan). For example, lenders may disclose income information to nonaffiliated third parties in the course of selling a loan on the secondary market without giving notice to the borrower or allowing them to “opt out.” Lenders may also disclose income information to any third party (such as marketers) if the borrower does not specifically instruct the lender not to do so by “opting out.” Lenders must provide notices to their customers and consumers about their information-collection and information-sharing practices and give them the option to “opt out.” Figure 1 provides a list of the various laws and regulations on disclosure of taxpayer information.
Figure 1: Laws and Regulations Regarding Disclosure of Taxpayer Information
Gramm-Leach-Bliley Act | Title V of the Act restricts how lending institutions may share borrowers’ income information, including income information received from the IRS; however, lenders may still share taxpayers’ income information with third parties in connection with servicing or processing a financial product or service that an individual requests (such as a mortgage loan). Such institutions must develop and give notice of their privacy policies to their own customers and/or consumers before disclosing any individual’s nonpublic personal information (which includes personal financial information) to nonaffiliated third parties, thus giving notice and an opportunity for that individual to “opt out” from such disclosure. This notice must be provided at least annually. Lenders may also disclose income information to nonaffiliated third parties in the course of selling a loan on the secondary market without giving notice to the borrower or allowing them to “opt out.”
Internal Revenue Code Section 6103 | Tax return information is confidential and no officer or Federal employee should disclose tax return information except as authorized. Section 6103(c) authorizes the Treasury Secretary to prescribe requirements and conditions that would allow officers and Federal employees to disclose tax return information to persons the taxpayer designates in a request for or consent to such disclosure.
Internal Revenue Code Section 7216 | Section 7216 applies to any person who is engaged in the business of preparing, or providing services in connection with the preparation of, tax returns for compensation. Any such person who knowingly or recklessly discloses any information furnished to him or her for, or in connection with, the preparation of any such tax return, or uses any such information for any purpose other than to prepare, or assist in preparing, any such return, shall be guilty of a misdemeanor.
Privacy Act of 1974[8] | With specifically mentioned exceptions, no agency shall disclose any record which is contained in a system of records,[9] except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains. Agencies with systems of records (for example, taxpayer information) must establish appropriate administrative, technical, and physical safeguards to ensure the information contained in the records remains secure and confidential. This includes protecting the information against threats or hazards which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom the agency maintains information. In addition, each agency shall keep an accurate accounting of the date, nature, and purpose of each disclosure to any person or agency, as well as the name and address of the person or agency to whom disclosure is made.
Source: Laws as cited.
This review was performed at the Wage and Investment Division Headquarters in Atlanta, Georgia, and the Return and Income Verification Services unit in Kansas City, Missouri, during the period June through October 2010. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our finding and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.
Controls Over the Income Verification Express Services Program Need Strengthening to Protect Tax Return Information From Disclosure
Taxpayer information is at risk of theft or misuse when taxpayers submit requests for tax return information through third parties because controls are insufficient to ensure taxpayer information the IRS provides to IVES Program participants is protected. Laws and regulations that protect taxpayer information do not always cover IVES Program participants.
Also, limited testing showed that IVES Program participants may be altering Forms 4506-T after taxpayers sign the forms.
The IRS has significant controls over e‑file Providers that submit tax returns and taxpayer information to the IRS, but controls are limited for IVES Program participants that receive taxpayer information from the IRS. Taxpayers need to be assured that the IRS is taking every precaution to protect their tax return information. This includes, but is not limited to, processing taxpayer requests for transcripts. IVES Program participants can obtain and collect large quantities of personally identifiable information and associated taxpayer income information that could be at risk for identity theft.[11]
The IRS does not set minimum requirements or conduct suitability tests on the IVES Program applicants
E-file Provider applicants must meet program requirements and suitability checks in order to submit tax returns to the IRS. See Figure 2 for the types of e‑file Providers.
Figure 2: Types of Authorized IRS E-File Providers
Electronic Return Originator | Electronic Return Originators originate the electronic submission of tax returns to the IRS.
Intermediate Service Providers | Intermediate Service Providers assist with processing tax return information between Electronic Return Originators (or the taxpayer in the case of Online Filing) and a Transmitter.
Online Providers | Online Providers allow taxpayers to self-prepare tax returns by entering return data directly on commercially available software, through software downloaded from an Internet site and prepared offline, or through an online Internet site.
Reporting Agent | Reporting Agents originate the electronic submission of certain returns for their clients, and/or transmit the returns to the IRS. A Reporting Agent must be an accounting service, franchiser, bank, or other similar entity,
Software Developers | Software Developers write either origination or transmission software according to the IRS e-file specifications.
Transmitters | Transmitters send electronic return data directly to the IRS. Electronic Return Originators and Reporting Agents may apply to be Transmitters and transmit return data themselves, or they may contract with an accepted third-party Transmitter that can transmit the data for them.
Source: IRS e-file Application and Participation (Publication 3112).
The requirements and suitability checks for the e-file Provider Program state applicants must be:
Suitability checks may include:
The IRS also verifies the status of e-file Provider applicants who submit professional certifications in lieu of a fingerprint card to ensure they are still in good standing with the particular organizations that issued the certifications.
IRS contractors must also meet minimum standards and submit fingerprints for a background investigation before the IRS will share taxpayer information with them. In addition to the background investigation, an individual who will have access to taxpayer information must be Federal tax compliant, a United States citizen or have lawful permanent resident status, and registered with the Selective Service (for males born after 1959).
However, IVES Program participants meet no minimum requirements and the IRS verifies only an applicant’s name, Social Security Number, and date of birth. It does not conduct any suitability tests (e.g., criminal background checks or tax compliance checks).
IVES Program participants are not always covered by laws that protect taxpayer information
Most IVES Program participants are not covered by the same disclosure laws as tax return preparers. Internal Revenue Code Section 7216 states that any person engaged in the business of preparing tax returns and who knowingly or recklessly discloses information in connection with the preparation of tax returns or uses any of the information for any purpose other than to prepare a tax return shall be guilty of a misdemeanor. Upon conviction, the preparer shall be fined not more than $1,000 and/or imprisoned not more than 1 year.
Disclosure provisions for tax information in the Gramm-Leach-Bliley Act cover lenders, but it provides exceptions for disclosure when lenders are servicing or processing a financial product or service that an individual requests (such as a mortgage loan). Lenders may share loan information, including tax information, with third parties unless the borrower specifically requests the lender not do so.
There are no laws that specifically apply to Income Verification Specialists unless they are working on behalf of an entity covered by an existing law or regulation. For example, the Gramm-Leach-Bliley Act applies to Income Verification Specialists if they work on behalf of a lender and there is a contractual agreement between both parties. In this case, the lender is responsible for specifying the data security safeguards against threats or hazards that the Income Verification Specialists must follow and monitor how they handle taxpayer information.
A review of a list of IVES Program participants showed that there were 1,695 participants in the IVES Program as of August 2010. From the information the IRS retains on IVES participants, we could not determine if the participants would come under one of the laws that prevent disclosure of taxpayer information. The IRS does not require applicants to provide the purpose of their participation in the IVES Program. The Form 13803 requests names, contact information, and Social Security Numbers, but when asked for the Social Security Numbers for the participants, the IRS was unable to provide them to us during our fieldwork.
In November 2009, the Department of the Treasury announced e-signature[12] guidelines for the
Prior to November 2009, the IVES Program did not require participants to agree to any rules, conditions, or terms that provide safeguards over tax information
Form 13803 (November 2009) provides IVES Program applicants with the following:
We are now offering a Transcript Delivery System (TDS) bulk upload process which allows you to create a text file for submission of multiple requests on one spreadsheet. Please mark this box if you wish to utilize the TDS bulk upload feature.
By marking this box, you agree to review Publication 4557, Safeguarding Taxpayer Data, and to abide by the guidelines of the publication.
The prior version of Form 13803, dated September 2006, did not include these statements. Safeguarding Taxpayer Data (Publication 4557) provides guidelines on establishing safeguards for IVES Program applicants:
· Preserve the confidentiality and privacy of taxpayer data by restricting access and disclosure.
· Protect the integrity of taxpayer data by preventing improper or unauthorized modification or destruction.
However, Publication 4557 only restricts disclosure of taxpayer information, but does not prohibit it. In addition, at the time of this audit, the November 2009 version had not been posted on IRS.gov; therefore, there is no assurance that any applicants are aware of these requirements or are following them.
The Social Security Administration has an extensive User Agreement for its Consent-Based Social Security Number Verification (CBSV) Program that:
When the Social Security Administration releases information to program subscribers, the recipients may use it only for reasons specified by the taxpayer. The IRS does not make similar restrictions for taxpayer information.
The CBSV Program is a fee and consent-based Social Security Number verification service available to, among others, private companies.[13] Participating companies can use the CBSV Program to verify if a name and Social Security Number combination match the data in the Social Security Administration’s records. For each Social Security Number and name combination submitted to the CBSV Program, the Social Security Administration confirms that the submission either matches or does not match Social Security Administration records.
Similar to Form 4506-T transcript requests sent to the IRS, the CBSV Program requires the written consent of the Social Security Number holder before it will provide the requestor with information. However, the Social Security Administration allows only the requesting party to use the information it receives, and only for the reason the Social Security Number holder specifies on the consent form.
The IRS does not include a space on either Form 4506-T or Form 4506T-EZ for taxpayers to specify the reason for disclosure or limit the use of the Forms for that use. The IRS does provide a warning to taxpayers on the Forms 4506-T that states the following:
If the transcript or tax information is to be mailed to a third party (such as a mortgage company), enter the third party’s name, address, and telephone number. The IRS has no control over what the third party does with the tax information.
The Social Security Administration states that noncompliance with the User Agreement may be grounds for suspension or dismissal from the CBSV Program. The only cause for suspension listed when applying for the IVES Program is failure to timely pay fees. The suspension lasts until such time that the participant pays all outstanding invoices in full. While e-Services reserves the right to deny users access to any electronic services, products, and/or applications if the IRS becomes aware of misuse or abuse, such misuses (for example, the submission of a recycled or altered Form 4506-T) are not defined.
Limited tests showed some Forms 4506-T may be altered after the taxpayers signed them.
A limited review of completed IVES Program transcript requests identified faxed copies on which the third party presumably used a sticker to complete line 5 on the Form 4506-T. Line 5 asks for third-party information if the IRS is to mail the transcript to a third party. Because of this, we were unable to determine if the taxpayers signed the Form 4506-T with another third party’s name in line 5 and the company subsequently covered line 5 with a sticker. The IRS’s Internet instructions instruct IVES Program participants to insert the company’s name and address on line 5 after the taxpayers have completed and signed the Form.
IRS Internet Instructions for Completing Form 4506-T
Have the taxpayer complete and sign Form 4506-T according to the instructions provided with the form. On line 5 (designation of a third party to whom the transcript is to be delivered) insert your company’s name, address, facsimile number, and the delegate’s user-ID for secure mailbox delivery.
As we have reported, the IRS continues to implement improvements to its e‑file Provider Program controls to ensure only authorized providers participate in the e‑file Provider Program.[14] The IRS should now ensure that IVES Program participants are also subject to similar controls. It should also ensure that IVES Program participants, like those in the Social Security Administration’s CBSV Program, are required to maintain electronic security over taxpayer data and are prohibited from disclosing information they receive from the IRS on behalf of taxpayers and lenders.
Unauthorized disclosure of tax return information puts taxpayers at risk for improper use of their information, including identity theft. Identity theft occurs when someone uses personally identifiable information, such as an individual’s name, Social Security Number, credit card numbers, or other account information, to commit fraud and other crimes. Taxpayers need to be assured that the IRS is taking every precaution to protect their tax return information. This includes, but is not limited to, processing taxpayers’ requests for transcripts. IVES Program participants, most of whom may be lenders and/or Income Verification Specialists, obtain and collect large quantities of personally identifiable information and taxpayer income information that is vulnerable to disclosure if controls are not sufficient to protect it.
Recommendations
The Commissioner, Wage and Investment Division, should:
Recommendation 1: Develop and enforce minimum requirements for the IVES Program that would help ensure participants are suitable to have a working relationship with the IRS and receive taxpayer information from the IVES program.
Management’s Response: The IRS agreed to explore minimum requirements for IVES participants, including background investigations and tax compliance checks.
Recommendation 2: Update Form 13803 to include a statement that taxpayer information can only be used for the purpose the taxpayer/requestor intended. Ensure the current version of Form 13803 is provided to all applicants, is posted on IRS.gov, and is the only version accepted.
Management’s Response: The IRS agreed with this recommendation. It will revise Form 13803 as requested. The IRS will ensure the current version of Form 13803 is provided to all IVES applicants and is posted on IRS.gov. It will also accept only the most current version from applicants.
Recommendation 3: Within 1 year of revising Form 13803, contact and obtain a completed Form 13803 from all current IVES Program participants.
Management’s Response: The IRS agreed with this recommendation. Once it revises the Form 13803, the IRS will contact all current IVES Program participants and obtain a current version of the form.
Recommendation 4: Revise Forms 4506-T and 4506T-EZ to allow taxpayers to limit lending institutions’ disclosure of their tax return information to nonaffiliated third parties only if it is in the course of processing or selling their loan.
Management’s Response: The IRS agreed with this recommendation. The Tax Forms and Publications function will work closely with IRS Chief Counsel to develop the necessary language.
Appendix I
Detailed Objective, Scope, and Methodology
The overall objective of this review was to evaluate regulations and IVES enrollment policies that ensure lenders, such as banks, and companies that specialize in making third-party requests for lenders (Income Verification Specialists[15]) properly protect taxpayers’ tax return information. To accomplish our objective, we:
I. Determined how current regulations, laws, and IRS policies could be amended or modified to ensure third parties and lenders properly protect taxpayers’ tax return information from improper disclosure or theft.
A. Talked to representatives from the Department of the Treasury’s Office of the Comptroller of Currency to identify current laws and regulations addressing the protection of tax return information by lenders and Income Verification Specialists.
B. Discussed with IRS management the risks associated with sending tax return information to third parties and lenders.
C. Identified changes or additions to current laws and regulations (or the need for a new law or regulation) that would reduce the risk of third parties and lenders improperly using or disclosing tax return information as well as ensuring the data are protected from theft.
II. Determined how the IRS could strengthen IVES Program enrollment policies to ensure third parties adequately protect tax return information from improper disclosure or theft.
A. Determined if the IRS requires IVES Program participants to meet specific standards for disclosure and security requirements.
B. Identified and evaluated the potential security requirements for IVES Program participants, especially third parties and lenders, which would help prevent identity theft[16] and improper disclosure of tax return information.
III. Determined if third parties and lenders are improperly using Request for Transcript of Tax Return (Form 4506-T) or a Short Form Request for Individual Tax Return Transcript (Form 4506T-EZ) by reusing or resubmitting altered copies of the forms to request updated information from the IRS.
A. Obtained a list of IVES Program participants and reviewed the Transcript Delivery System[17] to determine which participants are lenders or third parties who specialize in providing tax return information to lenders.
B. Reviewed 391 hard copy Forms 4506-T at the Kansas City, Missouri, IVES Program location to determine if we could identify instances of alterations, post-dating by third parties, or forms submitted after 120 days of signature.
Internal controls methodology
Internal controls relate to management’s plans, methods, and procedures used to meet their mission, goals, and objectives. Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations. They include the systems for measuring, reporting, and monitoring program performance. We determined the following internal controls were relevant to our audit objective: the IRS policies, procedures, and practices for helping to ensure the people to whom it is sending large amounts of taxpayer information will appropriately protect it. We evaluated these controls by performing the steps previously noted.
Appendix II
Major Contributors to This Report
Michael E. McKenney, Assistant Inspector General for Audit (Returns
Processing and Account Services)
Augusta R. Cook, Director
Wilma Figueroa, Audit Manager
Kenneth Carlson, Lead Auditor
Pamela M. DeSimone, Senior Auditor
Patricia A. Jackson, Senior Auditor
Appendix III
Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Deputy Commissioner for Services and Enforcement SE
Deputy Chief Information Officer for Strategy/Modernization OS:CTO
Deputy Commissioner of Operations, Wage and Investment Division SE:W
Deputy Commissioner of Services, Wage and Investment Division SE:W
Director, Privacy, Information Protection, and Data Security OS:P
Director, Customer Account Services SE:W:CAS
Director, Submission Processing SE:W:CAS:SP
Director, Electronic Products and Services Support, Wage and Investment Division SE:W:CAS:E:PSS
Chief Counsel CC
Chief, Program Evaluation and Improvement, Wage and Investment Division SE:W:S:PRA:PEI
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaison: Chief, Program Evaluation and Improvement, Wage and Investment Division SE:W:S:PRA:PEI
Appendix IV
Management’s Response to the Draft Report
DEPARTMENT OF THE TREASURY
INTERNAL REVENUE SERVICE
COMMISSIONER
WAGE AND INVESTMENT DIVISION
December 21, 2010
MEMORANDUM FOR MICHAEL R. PHILLIPS
DEPUTY INSPECTOR GENERAL FOR AUDIT
FROM: Richard Byrd, Jr. /s/ Richard Byrd
Commissioner, Wage and Investment Division
SUBJECT: Draft Audit Report – The Income Verification Express Services Program Needs Improvement to Better Protect Tax Return Information (Audit #201040043)
We have reviewed the subject draft report and agree that the laws and regulations that protect taxpayer information do not always cover Income Verification Express Services (IVES) Program participants. The IVES is an extremely useful and valuable customer service that facilitates taxpayers’ ability to obtain home loans and other financing by affording them a prompt, secure, and accurate way to provide potential lenders verification of income. While your report states that the taxpayers’ personally identifiable information is at risk of theft or misuse when taxpayers submit IVES requests for tax return information, you did not actually visit IVES participants or otherwise determine that any such theft or misuse has occurred. Further, there is nothing in your report that reflects any instances of unauthorized disclosures by the IRS. We agree that measures could be taken to further ensure a taxpayer’s return information disclosed to third party IVES participants is used only for its intended purpose, which is usually to secure a home loan.
It is important to understand that after the IRS discloses return information to an IVES participant pursuant to the taxpayer’s authorization and request, the IRS generally has no legal control over what the third party does with the information. Similar to other disclosures made by IRS under Internal Revenue Code (IRC) section 6103, Disclosure of returns and return information to designee of taxpayer, IRS is required by law to ensure the initial disclosure is authorized. As your report correctly points out, most IVES participants are not covered by the same reckless disclosure and use limitations as tax return preparers under IRC section 7216. Accordingly, under the applicable law, including the Privacy Act of 1974, once a taxpayer’s information is legally disclosed to an IVES participant at the taxpayer’s request, generally there are no further statutory controls limiting use or further disclosure of this information. As a result, the only method available to the IRS to impose any subsequent limited use or non-disclosure restrictions is through the IVES Application Agreement (Form 13803) each applicant must execute as a condition of participating in the program.
While IRS agrees to strengthen the IVES Application Agreement to better address protection and use of taxpayer information, it should be clearly understood that IRS background investigations or compliance reviews of IVES participants prior to acceptance into the program would not detect any inappropriate use of a taxpayer’s return data. Further, because the IVES program honors over 10 million taxpayer requests to provide their transcripts to almost 1,700 IVES participants annually, IRS does not currently conduct, and does not have the resources to implement, participant compliance reviews after initial suitability has been determined.
Regarding your recommendation to develop and enforce minimum IVES participant requirements, we will explore the feasibility of implementing background investigations and/or tax compliance checks (verification of federal tax compliance) as a minimum requirement for participation in the IVES program. Since IVES is a user fee program, the cost of administering any suitability determination process will also have to be addressed and consistent with reimbursable program guidelines.
Regarding your recommendation to develop a user agreement ensuring that IVES participants protect the taxpayer data they are authorized to receive and that limits the use of this data to the purposes that the taxpayer intended, IRS has no statutory or regulatory authority to impose such restrictions. We agree to develop a modified Form 13803 to include a statement that IVES participants can only use the taxpayer information they receive via Form 4506-T for the purpose(s) specified by the taxpayer/requestor. The IVES application will also continue to include guidance on safeguarding taxpayer data received from the IRS. In this regard, we currently ensure that any new IVES participants agree to review and abide by Publication 4557, Safeguarding Taxpayer Data: A Guide for Your Business. Media and Publications is also reviewing Form 4506-T, Request for Transcript of Tax Return, and Form 4506T-EZ, Short Form Request for Individual Tax Return Transcript. This effort is to provide taxpayers the option to limit lending institutions’ disclosure of their tax return information to nonaffiliated third parties, except in the course of processing or selling their loan. As previously noted, IRS does not have the ability to police these restrictions.
Our comments to your recommendations are attached. If you have any questions, please contact me, or a member of your staff may contact Peter J. Stipek, Director, Customer Account Services, Wage and Investment Division, at (404) 338-8910.
Attachment
Attachment
The Commissioner, Wage and Investment Division, should:
RECOMMENDATION 1
Develop and enforce minimum requirements for the IVES Program that would help ensure participants are suitable to have a working relationship with the IRS and receive taxpayer information from the IVES program.
CORRECTIVE ACTION
We agree to explore minimum requirements for Income Verification Express Services (IVES) participants to include a Background Investigation and/or Tax Compliance Check.
IMPLEMENTATION DATE
January 15, 2013
RESPONSIBLE OFFICIALS
Director, Submission Processing, Wage and Investment Division
CORRECTIVE ACTION MONITORING PLAN
The IRS will monitor this corrective action as part of our internal management control system.
RECOMMENDATION 2
Update Form 13803 to include a statement that IVES Program participants can only use taxpayer information they receive via a Form 4506-T request for the purpose(s) the taxpayer/requestor intended. In addition, ensure the current version of Form 13803 is provided to all participants, posted on IRS.gov, and is the only version accepted.
CORRECTIVE ACTION
We agree with this recommendation. We will revise Form 13803, Income Verification Express Service (IVES) Application, as requested. We will ensure the current version of Form 13803 is provided to all participants, posted on IRS.gov, and is the only version accepted. However, IRS does not have the resources to visit or otherwise verify IVES participants are in compliance with this agreement.
IMPLEMENTATION DATE
September 15, 2011
RESPONSIBLE OFFICIALS
Director, Submission Processing, Wage and Investment Division
CORRECTIVE ACTION MONITORING PLAN
The IRS will monitor this corrective action as part of our internal management control system.
RECOMMENDATION 3
Within 1 year of revising Form 13803, contact and obtain a completed Form 13803 from all current IVES Program participants.
CORRECTIVE ACTION
We agree with this recommendation. Once the Form 13803 has been revised, we will contact all IVES Program participants and obtain a current version of the form.
IMPLEMENTATION DATE
September 15, 2012
RESPONSIBLE OFFICIALS
Director, Submission Processing, Wage and Investment Division
CORRECTIVE ACTION MONITORING PLAN
The IRS will monitor this corrective action as part of our internal management control system.
RECOMMENDATION 4
Revise Form 4506-T and 4506T-EZ to allow taxpayers to limit disclosure of their tax return information so that lenders may only share tax return information with nonaffiliated third parties if it is in the course of processing or selling their loan.
CORRECTIVE ACTION
We agree with this recommendation. Tax Forms and Publications will work closely with IRS Chief Counsel to develop the necessary language. However, IRS does not have the resources to visit or otherwise verify IVES participants are in compliance with this disclosure limitation.
IMPLEMENTATION DATE
January 15, 2012
RESPONSIBLE OFFICIALS
Director, Tax Forms and Publications, Wage and Investment Division
CORRECTIVE ACTION MONITORING PLAN
The IRS will monitor this corrective action as part of our internal management control system.
[1] Transcripts provide most of the information contained in a tax return.
[2] An Income Verification Specialist is a company that specializes in obtaining income information about individuals. Lenders often use them to verify the income of loan applicants.
[3] Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub.L. No. 111-203, 124 Stat. 2143, enacted July 21, 2010.
[4] A suite of web-based products that allows tax professionals and taxpayers to conduct business with the IRS electronically. These services are available 24 hours a day, 7 days a week, via the Internet.
[5] The five Return and Income Verification Service units with Income Verification Express Services are located in Fresno, California; Kansas City, Missouri; Cincinnati, Ohio; Austin, Texas; and Ogden, Utah.
[6] The Transcript Delivery System automates the validation, processing, and delivery of taxpayer information to taxpayers or authorized third parties. The Transcript Delivery System can be accessed by IRS employees and includes self-service electronic communication, whereby the user can request and receive a transcript interactively through the e-Services portal.
[7] Pub. L. No. 106-102, 113 Stat. 1338, enacted November 12, 1999.
[8] 5 U.S.C. § 552a (2006).
[9] The Privacy Act defines a system of records as a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.
[10] An authorized IRS e-file Provider is a business or organization authorized by the IRS to participate in IRS e-file. It may be a sole proprietorship, partnership, corporation, or other entity. Applicants accepted for participation in IRS e-file are Authorized IRS e-file Providers.
[11] Identity theft occurs when someone uses personally identifiable information, such as an individual’s name, Social Security Number, credit card numbers, or other personal information, to commit fraud and other crimes.
[12] An e-signature is an electronic process attached to or associated with a contract or other record and used as the legal equivalent of a written signature.
[13] To use the CBSV Program, users must pay a one-time, nonrefundable enrollment fee of $5,000 and then a transaction fee per Social Security Number verification request. The transaction fee is currently $5.00 per request, and users must pay the fee in advance.
[14] Better Screening and Monitoring of E-File Providers Is Needed to Minimize the Risk of Unscrupulous Providers Participating in the E-File Program (Reference Number 2007-40-176, dated September 19, 2007).
[15] An Income Verification Specialist is a company that specializes in obtaining income information about individuals. Lenders often use them to verify the income of loan applicants.
[16] Identity theft occurs when someone uses personally identifiable information, such as an individual’s name, Social Security Number, credit card numbers, or other personal information, to commit fraud and other crimes.
[17] The Transcript Delivery System automates the validation, processing, and delivery of taxpayer information to taxpayers or authorized third parties. The Transcript Delivery System can be accessed by IRS employees and includes self-service electronic communication, whereby the user can request and receive a transcript interactively through the e-Services portal.