Chances are that you filed your federal income tax return electronically this year: the Internal Revenue Service (IRS) estimates that nearly nine in ten individual taxpayers e-filed their tax returns in 2019. That was just one of the findings reported by the Electronic Tax Administration Advisory Committee (ETAAC) in its 2019 Annual Report to Congress which examined e-filing practices and challenges together with data security.
ETAAC was formed and authorized under the Internal Revenue Service Restructuring and Reform Act of 1998 (RRA 98). As part of RRA 98 (section 2001(b)(2)), ETAAC is required to report to Congress on issues related to electronic tax administration at least annually.
One of the key components of RRA 98 is section 2001(a) which states:
“It is the policy of Congress that—
(1) paperless filing should be the preferred and most convenient means of filing Federal tax and information returns;
(2) it should be the goal of the Internal Revenue Service to have at least 80 percent of all such returns filed electronically by the year 2007; and
(3) the Internal Revenue Service should cooperate with and encourage the private sector by encouraging competition to increase electronic filing of such returns.”
Obviously, we’re a bit beyond 2007 by now. So did the IRS meet its goal? The agency says yes. The IRS has consistently interpreted the 80% goal to apply to “major returns” which it defines as “those in which filers account for income, expenses and/or tax liabilities.”
According to the IRS, individual returns have the highest e-file rates. Those returns – the form 1040 series, including 1040-EZ – are considered major returns and represent 76% of those filed. By the numbers, the IRS receives almost 200 million tax returns each year, including approximately 150 million individual income tax returns, 15 million business income tax returns, 30 million employment tax returns and a variety of other return types.
However, not all 1040 series returns are accounted for in those e-filing rates. Missing is the form 1040X, Amended U.S. Individual Income Tax Return. In 2018, approximately 3.9 million forms 1040X were filed – but they were all filed on paper since there is no e-filing option for amended returns. According to the report, if forms 1040X were included in the definition of major returns, the IRS e-file rate would drop below 80%. (For more on amended returns, click here.) ETAAC recommends that IRS “could and should” allow for e-filing of form 1040X.
E-file rates have increased for other major return types, too, but not as quickly as those for individual returns. Specifically, the overall rate of e-filing for employment (payroll tax) returns remains low with numbers hovering in the 40s, about one-half of the e-file rate of most other major returns. Corporate, partnership and fiduciary tax return e-file rates consistently exceed 80%.
As the number of e-filed returns and electronic communication increase, so, too, do the complications – including cybersecurity threats. ETAAC highlighted efforts made by the Security Summit to address those issues head-on.
The Security Summit was formed in 2015 and includes representatives from the IRS, state tax revenue agencies, tax professional community, tax preparation firms, software developers, financial service companies, and members of the payroll community. The Security Summit has worked to suggest improvements for reviewing tax returns to stop fraud and to share information when security concerns or breaches occur. Their efforts, according to the IRS, are paying off: Between 2015 and 2018, the number of taxpayers reporting they were identity theft victims fell 71%. For those same years, the IRS protected a combined $24 billion in fraudulent refunds by stopping confirmed identity theft returns. (For more on the Security Summit, click here.)
ETAAC believes that IRS should continue building relationships as a vital component of the Security Summit and partner with external stakeholders. In addition to learning from these partners, IRS can work with those groups to boost the signal on outreach channels and share information when appropriate (and authorized).
ETAAC also recommends that the IRS reach out to the payroll community and encourage their participation in the Security Summit. The payroll community, ETAAC found, “seems more fragmented than the income tax software community.” That’s because some employers perform payroll functions in-house (with or without software) and may also contract with large reporting agents (like ADP or Paychex) or independent payroll service providers. Since payroll information is valuable, it’s essential to keep it secure. However, information may live across multiple databases with employers, software, and payroll/employment return compliance contractors, so that there may be many access points for thieves. Making matters worse, ETAAC found that “there is no basic security standard applicable to the business tax area to guide companies and employers.” The Security Summit is working to develop best practices around controls, but ETAAC believes it isn’t enough. The IRS should, outside of the Security Summit, work to communicate more effectively with the payroll community about risks and security issues.
ETAAC also highlighted issues related to digital identity proofing and authentication. Currently, the IRS uses a variety of identity authentication measures, including two-step verification (when the IRS texts your phone, as explained here) or asking taxpayers to provide information that only the taxpayer should know. Those tests are relatively standard but aren’t as robust as those you would encounter when you engage with your broker, bank or other financial institution.
Those methods aren’t ideal for all taxpayers and can result in limited access: some taxpayers may not have public financial information or cell phone accounts in their names. Because of those obstacles, the IRS found that only about 40% of taxpayers successfully complete the verification process to access information online. Fortunately, the rates for tax professionals are significantly higher.
And those authentication measures aren’t fool-proof since the bad guys already have some of your data. Your personally identifiable information (PII) is everywhere: at the doctor’s office (more here), in the cloud used by your financial advisors (more here) and on social media (more here). Even when your data hasn’t been stolen, thieves may already have mined your data from websites like Facebook. That presents a real challenge for the IRS: how can they improve security and protection of data while also improving the customer experience? Moving forward, the agency will have to find ways to safeguard taxpayer data and expand identity authentication and proofing in ways that will work with the diverse needs of taxpayers. That means all taxpayers, including your grandfather who won’t use a cell phone and your uncle who shuns in-person identity proofing services (like fingerprinting).
So how does IRS move forward? ETAAC recommends that Congress offer two things that the feds aren’t typically inclined to give IRS: money and authority. Specifically, ETAAC says that Congress should provide sufficient funding for the IRS to staff and execute security and data protection priorities as identified in the report. When it comes to authority, ETAAC recommends that Congress create an exception under section 6103 the Tax Code to permit the use and disclosure of federal tax information for more effective information sharing to identify and prevent tax refund fraud. ETAAC also recommends that Congress grant the IRS the authority to establish and enforce security standards across the board, especially since rules like the Federal Trade Commission (FTC) Safeguards only apply to tax preparers in consumer settings (and do not extend to employers or to businesses providing services to other businesses, including payroll). Without those resources, ETAAC suggests that IRS will not be able to meet the challenges before them.
You can read the complete report here (downloads as a PDF).