Protecting the Integrity of the Tax
System Against Tax Fraud and ID Theft:
What Industry Is Contributing
Stephen M. Ryan
McDermott Will & Emery
(202) 756-8333
sryan@mwe.com
David Hahn
Intuit, Inc.
(650) 944-3522
david.hahn@intuit.com
AMERICAN COALITION FOR TAXPAYER RIGHTS
(“ACTR”)
WHO IS THE AMERICAN COALITION FOR
TAXPAYER RIGHTS (“ACTR”)?
• ACTR is a 501(c)(6)
• Made up of 2 components: tax preparation companies and
financial service settlement companies
• We help prepare approximately 90 million of the 140+ million
individual federal income tax returns
• We provide approximately 18.6 million of the nearly 20
million RTs
• ACTR tax preparation companies:
– H&R Block
– Intuit
– Jackson Hewitt
– Liberty Tax
– Tax Act (2nd Story)
– TaxSlayer
– CCH Small Firm Services (UTS)
Continued: WHO IS ACTR?
• The tax companies’ offerings range from:
– In person
– Do-it-yourself software (DIY)
– “Professional” software (used by CPAs, lawyers, other
preparers)
• ACTR financial services companies:
– H&R Block
– Refund Advantage
– Republic Bank and Trust
– Santa Barbara Tax Products Group
Understanding Tax Processing
1. Return Preparation
2. Return Filing & E-File
3. Return Processing & Refund Delivery
4. Prepaid Card Refund Delivery
Diverse Tax ecosystem
140M individual returns – over 80% are electronically filed
• ~60% “Preparer” Category: Franchised & Independent Preparers; Professional Tax Software
• ~30% “Software” Self-Prepared Category: Consumer Tax Software
• ~10% “Manual” Self-Prepared Category: Mailed Returns
• e-file: EF Returns, Transmitters, IRS
• $$ Refund Delivery: Direct Deposits to Banks & Prepaid Cards + Checks
#’s are approximations based on various sources
CHARACTERISTICS OF TAX PREPARATION
MARKETPLACE
• In 1999, 1.25 million taxpayers used private sector on-line products. In 13
years the industry (not just ACTR members) has gone from about 1% of
taxpayers to 80% of taxpayers using Internet and electronic tax-preparation
products
• The states and federal government did not pay for this change, but have
benefited mightily, e.g.:
– lower cost of processing returns
– reduced errors in returns since software corrects routine taxpayer errors
– taxpayers benefit in reduced burden and cost
• Industry marked by innovation, fierce competition and change
• Software capabilities continue to increase, but not price
• Competition is fierce within sectors (e.g., DIY), and between sectors (DIY v.
stores v. professionals)
• Example: A recent market entrant less than 10 years old has become the #3
company in the industry in a decade
Understanding the THREAT
Our tax system is under attack by very capable criminals
1. Theft (or misuse) of Identities, which enables…
– Authentication & Identity Gaps (directly or indirectly)
– Examples: Puerto Rican SS#, Retirees, Nursing Homes, Schools, Deceased
2. Preparation & Filing of Fraudulent Returns, resulting in…
– Huge Volumes early in Tax Season
– First to file prior to real Tax Payer
3. Delivery & Use of Fraudulent Refunds
– Prepaid Cards used to move money
As with all types of fraud, criminals constantly change their fraud schemes
Tax Fraud is fueled by an explosion in identity theft
• Identity theft is one of the fastest growing crimes in the U.S.
– #1 consumer complaint received by FTC for last 11 years
• Fraud perpetrated against the government in 2010 was the most common form of reported identity theft crime
• IRS experienced significant increases in tax issues resulting from identity theft for tax years 2009-2011

Year    # Tax-related ID Theft Incidents
2008    51,702
2009    169,087
2010    248,357

Sources:
Prepared Statement of IRS Commissioner Doug Shulman, during Hearings on Identity Theft before Subcommittee On Government Organization, Efficiency And Financial Management of the House Committee On Oversight And Government Reform, June 2, 2011.
GAO Report: Taxes and Identity Theft (GAO11-674T), Testimony before the Subcommittee on Fiscal Responsibility and Economic Growth, Committee on Finance, U.S. Senate, released May 25, 2011.
ACTR Agrees with GAO’s Framework for
Fraud Prevention
“A well-designed fraud prevention system should consist of three crucial elements:
(1) upfront preventive controls,
(2) detection and monitoring, and
(3) investigations and prosecutions.”
GAO Report GAO-06-954T, July 12, 2006, “Individual Disaster Assistance Programs
Framework for Fraud Prevention, Detection, and Prosecution.”
Overall ACTR Ideas/Concepts
• Within the GAO framework, ACTR has focused on key taxpayer and fraud
prevention outcomes intended to obtain the most “bang for the buck” in the short
and long term:
– Increasing barriers to potentially fraudulent electronic filings
– Companies can help IRS identify suspicious activity for enhanced processing by providing
more information at the time of electronic filing, and additional information after
electronic filing, but not acting as a law enforcement adjunct against our customer
– We could help IRS identify legitimate taxpayers who we recognize as repeat customers
for timely return processing and refund issuance by providing more information at the
time of electronic filing
– Rejecting IRS refund issuance to direct deposit accounts that exhibit suspicious
indicators
– Preventing or restricting access to previously issued IRS refunds in direct deposit
accounts that exhibit suspicious indicators
– Further enabling law enforcement to identify and stop fraudulent activity quickly
– Identifying and helping legitimate taxpayers who are prevented from filing their returns
or receiving their refund in a timely manner
Protecting the “Front Door”
Websites that only use UserID & Password may
be increasingly vulnerable
Many breaches like:
6.5 Million LinkedIn Passwords Reportedly
Leaked, LinkedIn Is “Looking Into” It
Yahoo Confirms 450,000 Accounts Breached,
Experts Warn Of Collateral Damage
Many consumers reuse their U/P
What can IRS and other portions of government
do to reduce and mitigate the impact of Identity
Based Tax Fraud?
– Improve on current Authentication of PIN/AGI
– Obtain more data, such as Device ID
– Industry and IRS can use better filtering and
detection capabilities
– Continue to improve coordination and information
sharing in the LE community (this is under way)
• IRS/CI, DOJ, FBI, US Postal, Secret Service, State LE
– Use expertise of industry groups willing to help
• CERCA, ACTR, FFA and others
IRS.GOV Electronic Filing PIN Tool
Data Elements to Routinely Collect
and provide as part of E-File
• Key data elements already being collected:
– Filer Identity: Name/Social Security Number/DOB of filer
– IP Address from which the efile was submitted
– Bank Account: RTN/Account# of the bank account to
which a refund transfer was requested
– Email Address for filing status notifications
– Street Address provided by the filer
– Phone number provided by the filer
• Potential NEW Element
– DeviceID = Globally Unique ID of the device (Computer,
SmartPhone, Tablet) used to submit the efile
A DeviceID should…
Accurately identify a unique device in a way that is resistant to
manipulation
Recognize a returning device (e.g. Following Tax Year)
Allow for association of additional “high risk” returns
– Once certain user behavior is observed as “high risk”, linking to other returns
from the same DeviceID becomes possible.
Utilizing DeviceID enables Web Sites to uniquely identify users tied to unique
machines and returns. This is a better method of identifying than IP
address, PINs, or email/User IDs, which can easily be manipulated.
Once Data is Collected, Analytics and Risk Scoring
can be performed by Government,
identifying possible Fraud
• Rules based on DeviceID can be used to calculate risk for transaction
– Negative Lists: Device or IP is on “black” list or watch list
– Velocity Rules: High number of filings from same DeviceID
– Static Rules: Device is using proxy server
• Multi-level rules can be used to hold transaction
– IF Risky DeviceID and Risky bank account, then hold
– IF Risky DeviceID and compromised Identity, then hold
• Link Analysis on DeviceID can be used to link filings and identify fraud rings
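The rule types on this slide, worked through as an added example (not code from the presentation or from any ACTR member or IRS system). All records, list contents, field names and the velocity threshold are constructed assumptions, and the link analysis goes one step beyond the slide by joining filings through a shared bank account as well as a shared DeviceID.

```python
from collections import Counter, defaultdict

FILINGS = [  # constructed sample e-file records; field names are assumptions
    {"id": "R1", "device": "D1", "bank": "B1", "ssn": "S1", "proxy": False},
    {"id": "R2", "device": "D2", "bank": "B2", "ssn": "S2", "proxy": True},
    {"id": "R3", "device": "D2", "bank": "B9", "ssn": "S3", "proxy": True},
    {"id": "R4", "device": "D3", "bank": "B9", "ssn": "S4", "proxy": False},
    {"id": "R5", "device": "D4", "bank": "B4", "ssn": "S5", "proxy": False},
    {"id": "R6", "device": "D4", "bank": "B4", "ssn": "S6", "proxy": False},
    {"id": "R7", "device": "D4", "bank": "B5", "ssn": "S7", "proxy": False},
]
WATCHLIST = {"D3"}         # negative list of DeviceIDs
RISKY_BANKS = {"B9"}       # accounts already showing suspicious indicators
COMPROMISED_IDS = {"S7"}   # identities known to be compromised
VELOCITY_LIMIT = 2         # assumed: more filings than this per device is "high"

def device_rules(filings):
    """Map each DeviceID to the single-level rules it trips."""
    counts = Counter(f["device"] for f in filings)
    fired = defaultdict(set)
    for f in filings:
        if f["device"] in WATCHLIST:
            fired[f["device"]].add("negative_list")
        if counts[f["device"]] > VELOCITY_LIMIT:
            fired[f["device"]].add("velocity")
        if f["proxy"]:
            fired[f["device"]].add("static_proxy")
    return dict(fired)

def decide(filings):
    """Multi-level rule: hold only when a risky device meets a second signal."""
    risky = device_rules(filings)
    return {f["id"]: "hold" if f["device"] in risky and
            (f["bank"] in RISKY_BANKS or f["ssn"] in COMPROMISED_IDS) else "process"
            for f in filings}

def rings(filings):
    """Link analysis: group filings connected through a shared device or account."""
    parent = {}
    def find(x):
        while parent.setdefault(x, x) != x:
            x = parent[x]
        return x
    for f in filings:
        parent[find("dev:" + f["device"])] = find("bank:" + f["bank"])
    groups = defaultdict(list)
    for f in filings:
        groups[find("dev:" + f["device"])].append(f["id"])
    return sorted(g for g in groups.values() if len(g) > 1)
```

In this sample R2 passes the hold rules on its own, yet link analysis places it in the same group as the two held filings R3 and R4, which is the case the last bullet is about.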
Understanding DeviceID
A DeviceID is not a MAC Address. A MAC Address is a serial number assigned
to a computer’s network card, and is not available remotely to Web Servers.
A DeviceID is based on observed device characteristics, using backend
algorithms that determine the uniqueness of the device.
• How it works:
1. JavaScript is embedded on the target web page which:
a. Looks for, or sets a device “tag” (e.g. cookies) on the customer’s computer/device.
b. Captures characteristics of the customer’s computer and browser (IP Address, user agent, headers, mime-types, Plug-ins, etc.)
2. The tag and fingerprint are sent by the Web Browser to the Web Server
3. The Web Server sends the tag and fingerprint to a DeviceID Service where it is associated with an existing DeviceID, or a new DeviceID
4. The DeviceID service returns the DeviceID to the Web Server and User can then be uniquely identified
5. IRS could build the DeviceID service or leverage various Vendors.
Diagram (Users’ Web Browser, Web Server, DeviceID Service):
1. DeviceID JavaScript is loaded to the browser
2. Device Fingerprint is generated and posted to the web server
3. Web server makes a call to DeviceID Service
4. DeviceID Service returns a Globally Unique Device ID
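Steps 3 and 4 above, sketched as an added example of how a DeviceID service could associate a tag and fingerprint with an existing or new DeviceID (not code from the presentation or any vendor). The class name, attribute list, matching threshold and sample visits are assumptions; real services use their own matching algorithms.

```python
import uuid

ATTRS = ("ip", "user_agent", "headers", "mime_types", "plugins")
MIN_MATCHING = 4  # assumed: attributes that must agree to call it the same device

class DeviceIDService:
    """Hypothetical service: maps (tag, fingerprint) to a stable DeviceID."""

    def __init__(self):
        self.by_tag = {}    # server-issued tag -> DeviceID
        self.last_fp = {}   # DeviceID -> most recent fingerprint

    @staticmethod
    def matches(a, b):
        # Count attributes present in the new fingerprint that equal the stored one.
        return sum(k in a and a[k] == b.get(k) for k in ATTRS)

    def resolve(self, tag, fp):
        """Return (device_id, tag_to_set, how) for one page load."""
        if tag in self.by_tag:                      # returning device, tag intact
            dev, how = self.by_tag[tag], "tag"
        else:                                       # no tag, or one we never issued
            best = max(self.last_fp, default=None,
                       key=lambda d: self.matches(fp, self.last_fp[d]))
            if best is not None and self.matches(fp, self.last_fp[best]) >= MIN_MATCHING:
                dev, how = best, "fingerprint"      # tag lost, characteristics match
            else:
                dev, how = str(uuid.uuid4()), "new"
            tag = uuid.uuid4().hex                  # never adopt a client-made tag
            self.by_tag[tag] = dev
        self.last_fp[dev] = dict(fp)
        return dev, tag, how

def demo():
    """Constructed visits: first load, return with tag, cleared cookie, forged tag."""
    svc = DeviceIDService()
    fp = {"ip": "192.0.2.10", "user_agent": "UA-1", "headers": "en-US",
          "mime_types": "pdf", "plugins": "flash,pdf"}
    d1, t1, h1 = svc.resolve(None, fp)
    d2, _, h2 = svc.resolve(t1, dict(fp, ip="198.51.100.7"))
    d3, t3, h3 = svc.resolve(None, dict(fp, ip="198.51.100.7", user_agent="UA-2"))
    d4, t4, h4 = svc.resolve("forged", {"ip": "203.0.113.5", "user_agent": "UA-9"})
    return (h1, h2, h3, h4), d1 == d2 == d3, d4 != d1, t4 != "forged"
```

The third visit shows why the tag alone is not enough: the cookie is gone and one attribute changed, but the remaining characteristics still resolve to the same DeviceID.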