IRS Has A Plan to Verify Taxpayers’ IDs. Now It Needs to Do It.

In 2016, the Internal Revenue Service stopped almost 87 percent of fraudulent tax returns. But scammers still got away with approximately $1.6 billion.

The tax agency has been working to improve its taxpayer authentication processes but there is more that can be done, according to a report from the Government Accountability Office.

The July 23 report focuses on IRS’ efforts to authenticate the identities of persons filing tax returns. The report cites recent examples of fraud enabled by poor authentication, such as the 2015 breach of the Get Transcript application, in which scammers were able to get the prior years’ tax returns of almost 725,000 taxpayers.

The agency is doing better, according to GAO, “including developing an authentication strategy with high-level strategic efforts.” But that effort seems to have stopped with the plan, as IRS “has not prioritized the initiatives supporting its strategy nor identified the resources required to complete them,” the report states.

The report notes several good ideas in the IRS’ “Identity Assurance Strategy and Roadmap,” developed in 2016, including a program to send push notifications to taxpayers alerting them of changes or actions taken on their account. This could help prevent potential fraud by alerting citizens to unauthorized actions, and the roadmap enumerates several steps the agency can take to implement this idea.

However, as of the report’s release, the IRS had yet to identify funding and resources needed to make these notifications a reality.

“In December 2017, IRS officials stated that they had developed business requirements for the foundational initiative to give taxpayers greater control over their online accounts. However, IRS has not identified funding for the initiative’s other supporting activities—such as developing requirements to send push notifications to taxpayers—and implementing them will depend on the availability of future resources,” according to the report.

GAO also chastised the IRS for focusing too much on its digital risks.

“While IRS regularly assesses risks to and monitors its online authentication applications, it has not established equally rigorous internal controls for its telephone, in-person and correspondence channels, including mechanisms to collect reliable, useful data to monitor authentication outcomes,” the report states. “As a result, IRS may not identify current or emerging threats to the tax system.”

In total, GAO made 11 recommendations, including identifying the required resources and prioritizing future efforts. The report also encourages the agency to collect more data on the outcomes of analog authentication methods, such as in-person, over the phone and through correspondence channels.

IRS officials agreed with all of GAO’s recommendations.