Stephen M. Ryan (McDermott Will & Emery) and David Hahn (Intuit, Inc.)
Protecting the Integrity of the Tax System Against Tax Fraud and ID Theft:
What Industry Is Contributing
Stephen M. Ryan, McDermott Will & Emery, (202) 756-8333, [email protected]
David Hahn, Intuit, Inc., (650) [email protected]
AMERICAN COALITION FOR TAXPAYER RIGHTS
(“ACTR”)
WHO IS THE AMERICAN COALITION FOR TAXPAYER RIGHTS (“ACTR”)?
• ACTR is a 501(c)(6)
• Made up of 2 components: tax preparation companies and financial service settlement companies
• We help prepare approximately 90 million of the 140+ million individual federal income tax returns
• We provide approximately 18.6 million of the nearly 20 million RTs
• ACTR tax preparation companies:
  – H&R Block
  – Intuit
  – Jackson Hewitt
  – Liberty Tax
  – Tax Act (2nd Story)
  – TaxSlayer
  – CCH Small Firm Services (UTS)
Continued: WHO IS ACTR?
• The tax companies’ offerings range from:
  – In person
  – Do-it-yourself software (DIY)
  – “Professional” software (used by CPAs, lawyers, other preparers)
• ACTR financial services companies:
  – H&R Block
  – Refund Advantage
  – Republic Bank and Trust
  – Santa Barbara Tax Products Group
Understanding Tax Processing
1. Return Preparation
2. Return Filing & E-File
3. Return Processing & Refund Delivery
4. Prepaid Card Refund Delivery
Diverse Tax Ecosystem
[Diagram. Labels: “Manual” Self-Prepared Category; “Software” Self-Prepared Category; “Preparer” Category; Consumer Tax Software; Professional Tax Software; Franchised & Independent Preparers; IRS e-file Transmitters; EF Returns; Mailed Returns. Share labels: ~60%, ~30%, ~10%.]
140M individual returns – over 80% are electronically filed
#’s are approximations based on various sources
$$ Refund Delivery: Direct Deposits to Banks & Prepaid Cards + Checks
CHARACTERISTICS OF TAX PREPARATION MARKETPLACE
• In 1999, 1.25 million taxpayers used private sector on-line products. In 13 years the industry (not just ACTR members) has gone from about 1% of taxpayers to 80% of taxpayers using Internet and electronic tax-preparation products
• The states and federal government did not pay for this change, but have benefited mightily, e.g.:
  – lower cost of processing returns
  – reduced errors in returns since software corrects routine taxpayer errors
  – taxpayers benefit in reduced burden and cost
• Industry marked by innovation, fierce competition and change
• Software capabilities continue to increase, but not price
• Competition is fierce within sectors (e.g., DIY), and between sectors (DIY v. stores v. professionals)
• Example: A recent market entrant less than 10 years old has become the #3 company in the industry in a decade
Understanding the THREAT
Our tax system is under attack by very capable criminals
1. Theft (or misuse) of Identities (directly or indirectly), which enables…
2. Preparation & Filing of Fraudulent Returns, resulting in…
3. Delivery & Use of Fraudulent Refunds
As with all types of fraud, criminals constantly change their fraud schemes
Examples: Puerto Rican SS#, Retirees, Nursing Homes, Schools, Deceased
Huge Volumes early in Tax Season; First to file prior to real Tax Payer
Prepaid Cards used to move money
Authentication & Identity Gaps
Tax Fraud is fueled by an explosion in identity theft
• Identity theft is one of the fastest growing crimes in the U.S. – #1 consumer complaint received by FTC for last 11 years
• Fraud perpetrated against the government in 2010 was the most common form of reported identity theft crime
• IRS experienced significant increases in tax issues resulting from identity theft for tax years 2009-2011
Sources:
Prepared Statement of IRS Commissioner Doug Shulman, during Hearings on Identity Theft before Subcommittee On Government Organization, Efficiency And Financial Management of the House Committee On Oversight And Government Reform, June 2, 2011.
GAO Report: Taxes and Identity Theft (GAO-11-674T), Testimony before the Subcommittee on Fiscal Responsibility and Economic Growth, Committee on Finance, U.S. Senate, released May 25, 2011.
Year # Tax-related ID Theft Incidents
2008 51,702
2009 169,087
2010 248,357
ACTR Agrees with GAO’s Framework for Fraud Prevention
“A well-designed fraud prevention system should consist of three crucial elements:
(1) upfront preventive controls,
(2) detection and monitoring, and
(3) investigations and prosecutions.”
GAO Report GAO-06-954T, July 12, 2006, “Individual Disaster Assistance Programs Framework for Fraud Prevention, Detection, and Prosecution.”
Overall ACTR Ideas/Concepts
• Within the GAO framework, ACTR has focused on key taxpayer and fraud prevention outcomes intended to obtain the most “bang for the buck” in the short and long term:
  – Increasing barriers to potentially fraudulent electronic filings
  – Companies can help IRS identify suspicious activity for enhanced processing by providing more information at the time of electronic filing, and additional information after electronic filing, but not acting as a law enforcement adjunct against our customer
  – We could help IRS identify legitimate taxpayers who we recognize as repeat customers for timely return processing and refund issuance by providing more information at the time of electronic filing
  – Rejecting IRS refund issuance to direct deposit accounts that exhibit suspicious indicators
  – Preventing or restricting access to previously issued IRS refunds in direct deposit accounts that exhibit suspicious indicators
  – Further enabling law enforcement to identify and stop fraudulent activity quickly
  – Identifying and helping legitimate taxpayers who are prevented from filing their returns or receiving their refund in a timely manner
Protecting the “Front Door”
Websites that only use UserID & Password may be increasingly vulnerable
Many breaches like:
  – 6.5 Million LinkedIn Passwords Reportedly Leaked, LinkedIn Is “Looking Into” It
  – Yahoo Confirms 450,000 Accounts Breached, Experts Warn Of Collateral Damage
Many consumers reuse their U/P
What can IRS and other portions of government do to reduce and mitigate the impact of Identity Based Tax Fraud?
  – Improve on current Authentication of PIN/AGI
  – Obtain more data, such as Device ID
  – Industry and IRS can use better filtering and detection capabilities
  – Continue to improve coordination and information sharing in LE community, which is under way
    • IRS/CI, DOJ, FBI, US Postal, Secret Service, State LE
  – Use expertise of industry groups willing to help
    • CERCA, ACTR, FFA and others
IRS.GOV Electronic Filing PIN Tool
Data Elements to Routinely Collect and Provide as Part of E-File
• Key data elements already collecting:
  – Filer Identity: Name/Social Security Number/DOB of filer
  – IP Address from which the efile was submitted
  – Bank Account: RTN/Account# of the bank account to which a refund transfer was requested
  – Email Address for filing status notifications
  – Street Address provided by the filer
  – Phone number provided by the filer
• Potential NEW Element
  – DeviceID = Globally Unique ID of the device (Computer, SmartPhone, Tablet) used to submit the efile
A DeviceID should…
• Accurately identify a unique device in a way that is resistant to manipulation
• Recognize a returning device (e.g. following tax year)
• Allow for association of additional “high risk” returns
  – Once certain user behavior is observed as “high risk”, linking to other returns from the same DeviceID becomes possible.
Utilizing DeviceID enables Web Sites to uniquely identify users tied to unique machines and returns. This is a better method of identifying than IP address, PINs, or email/User IDs, which can easily be manipulated.
Once Data is Collected, Analytics and Risk Scoring can be performed by Government, identifying possible Fraud
Rules based on DeviceID can be used to calculate risk for transaction
• Negative Lists: Device or IP is on “black” list or watch list
• Velocity Rules: High number of filings from same DeviceID
• Static Rules: Device is using proxy server
Multi-level rules can be used to hold transaction
• IF Risky DeviceID and Risky bank account, then hold
• IF Risky DeviceID and compromised Identity, then hold
Link Analysis on DeviceID can be used to link filings and identify fraud rings
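The rule types on this slide, combined into one pass over a batch of filings, as an added example that is not part of the original presentation. The record fields, list contents and the velocity threshold are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample e-file records (not real data); field names are assumptions.
FILINGS = [
    {"id": "F1", "device": "dev-A", "ip": "198.51.100.7", "bank": "RTN1/1001", "ssn": "S1", "proxy": False},
    {"id": "F2", "device": "dev-B", "ip": "203.0.113.9", "bank": "RTN2/7777", "ssn": "S2", "proxy": True},
    {"id": "F3", "device": "dev-B", "ip": "203.0.113.9", "bank": "RTN2/7777", "ssn": "S3", "proxy": True},
    {"id": "F4", "device": "dev-B", "ip": "203.0.113.10", "bank": "RTN2/7777", "ssn": "S4", "proxy": True},
    {"id": "F5", "device": "dev-C", "ip": "192.0.2.44", "bank": "RTN3/2002", "ssn": "S5", "proxy": False},
    {"id": "F6", "device": "dev-C", "ip": "192.0.2.44", "bank": "RTN3/2002", "ssn": "S6", "proxy": False},
]
WATCHLIST = {"192.0.2.44"}      # negative list of devices or IPs (constructed)
RISKY_BANKS = {"RTN2/7777"}     # accounts already showing suspicious indicators
COMPROMISED_SSNS = {"S6"}       # identities known to be compromised
VELOCITY_LIMIT = 2              # filings per DeviceID before the velocity rule fires


def evaluate(filings):
    """Return {filing id: (fired device rules, hold decision)}."""
    per_device = Counter(f["device"] for f in filings)
    results = {}
    for f in filings:
        rules = []
        if f["device"] in WATCHLIST or f["ip"] in WATCHLIST:
            rules.append("negative_list")
        if per_device[f["device"]] > VELOCITY_LIMIT:
            rules.append("velocity")
        if f["proxy"]:
            rules.append("static_proxy")
        risky_device = bool(rules)
        # Multi-level rules: a risky device alone is not enough for a hold;
        # it must coincide with a risky bank account or a compromised identity.
        hold = risky_device and (f["bank"] in RISKY_BANKS or f["ssn"] in COMPROMISED_SSNS)
        results[f["id"]] = (rules, hold)
    return results


def link_rings(filings, held_ids):
    """Link analysis: group every filing that shares a DeviceID with a held one."""
    by_device = defaultdict(list)
    for f in filings:
        by_device[f["device"]].append(f["id"])
    return {d: ids for d, ids in by_device.items() if held_ids & set(ids)}
```

On the sample data, F5 is not held by the rules themselves but is surfaced by link analysis because it shares a DeviceID with the held filing F6.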
Understanding DeviceID
[Diagram: User's Web Browser, Web Server, DeviceID Service]
1. DeviceID javascript is loaded to the browser
2. Device Fingerprint is generated and posted to the web server
3. Web server makes a call to DeviceID Service
4. DeviceID Service returns a Globally Unique Device ID
A DeviceID is not a MAC Address. A MAC Address is a serial number assigned to a computer’s network card, and is not available remotely to Web Servers
A DeviceID is based on observed device characteristics, using backend algorithms that determine the uniqueness of the device
How it works:
1. Javascript is embedded on the target web page which:
a. Looks for, or sets, a device “tag” (e.g. cookies) on the customer’s computer/device.
b. Captures characteristics of the customer’s computer and browser (IP Address, user agent, headers, mime-types, Plug-ins, etc)
2. The tag and fingerprint are sent by the Web Browser to the Web Server
3. The Web Server sends the tag and fingerprint to a DeviceID Service where it is associated with an existing DeviceID, or a new DeviceID
4. The DeviceID service returns the DeviceID to the Web Server and User can then be uniquely identified
5. IRS could build the DeviceID service or leverage various Vendors.
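Steps 3 and 4 above, sketched as an in-memory service that associates a tag and fingerprint with an existing DeviceID or issues a new one. This is an added example, not code from the presentation or from any vendor; the class name, the attribute keys and the choice to leave the IP address out of the hash are assumptions.

```python
import hashlib
import uuid

# Hypothetical attribute names; the slide lists user agent, headers,
# mime-types and plug-ins as captured characteristics.
STABLE_KEYS = ("user_agent", "plugins", "mime_types", "accept_language")


def fingerprint_hash(characteristics):
    """Hash the stable browser characteristics in a fixed order.

    The IP address is captured but left out of the hash in this sketch:
    it changes between sessions, so hashing it would make a returning
    device look new.
    """
    canon = "\n".join(
        f"{k}={characteristics.get(k, '')}".strip().lower() for k in STABLE_KEYS
    )
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


class DeviceIDService:
    def __init__(self):
        self.by_tag = {}          # tag (e.g. cookie value) -> DeviceID
        self.by_fingerprint = {}  # fingerprint hash -> DeviceID

    def resolve(self, tag, characteristics):
        """Return (device_id, how); how is 'tag', 'fingerprint' or 'new'."""
        fp = fingerprint_hash(characteristics)
        if tag and tag in self.by_tag:
            device_id, how = self.by_tag[tag], "tag"          # tag still present
        elif fp in self.by_fingerprint:
            device_id, how = self.by_fingerprint[fp], "fingerprint"  # tag was cleared
        else:
            device_id, how = str(uuid.uuid4()), "new"
        # Refresh both indexes so a later browser update or cookie wipe
        # still resolves to the same DeviceID.
        if tag:
            self.by_tag[tag] = device_id
        self.by_fingerprint[fp] = device_id
        return device_id, how
```

A fingerprint-only match is weaker evidence than a tag match, because identical device models can present the same characteristics; the `how` value lets downstream risk rules weigh the two differently.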