Protecting the Integrity of the Tax System Against Tax Fraud and ID Theft:

What Industry Is Contributing

Stephen M. Ryan David HahnMcDermott Will & Emery Intuit, Inc.(202) 756-8333 (650) 944-3522sryan@mwe.com david.hahn@intuit.com

AMERICAN COALITION FOR TAXPAYER RIGHTS

(“ACTR”)

2

WHO IS THE AMERICAN COALITION FOR TAXPAYER RIGHTS (“ACTR”)?

• ACTR is a 501(c)(6)• Made up of 2 components: tax preparation companies and

financial service settlement companies• We help prepare approximately 90 million of the 140+ million

individual federal income tax returns• We provide approximately 18.6 million of the nearly 20 million

RTs• ACTR tax preparation companies:

– H&R Block– Intuit– Jackson Hewitt– Liberty Tax– Tax Act (2nd Story)– TaxSlayer– CCH Small Firm Services (UTS)

3

Continued: WHO IS ACTR?

• The tax companies’ offerings range from:– In person– Do-it-yourself software (DIY)– “Professional” software (used by CPAs, lawyers, other

preparers)

• ACTR financial services companies:– H&R Block– Refund Advantage– Republic Bank and Trust– Santa Barbara Tax Products Group

4

Understanding Tax Processing

4

1. Return Preparation

2. Return Filing & E-File

3. Return Processing& Refund Delivery

4. Prepaid Card

Refund Delivery

5

Diverse Tax ecosystem

“Manual”Self-Prepared

Category

ProfessionalTax

Software

Franchised & Independent

Preparers IRSe-file

Transmitters

Consumer Tax

Software

“Software” Self-Prepared

Category

“Preparer”Category

140M individual returns – over 80% are electronically filed

~60%

~30%

~10%

#’s are approximations based on various sources

$$ Refund Delivery:Direct Deposits to Banks & Prepaid Cards + Checks

EF Returns

Mailed Returns

6

CHARACTERISTICS OF TAX PREPARATION MARKETPLACE

• In 1999, 1.25 million taxpayers used private sector on-line products. In 13 years the industry (not just ACTR members) has gone from about 1% of taxpayers to 80% of taxpayers using Internet and electronic tax-preparation products

• The states and federal government did not pay for this change, but have benefited mightily, e.g.:– lower cost of processing returns– reduced errors in returns since software corrects routine taxpayer errors– taxpayers benefit in reduced burden and cost

• Industry marked by innovation, fierce competition and change• Software capabilities continue to increase, but not price• Competition is fierce within sectors (e.g., DIY), and between sectors (DIY v.

stores v. professionals)• Example: A recent market entrant less than 10 years old has become the #3

company in the industry in a decade

7

Understanding the THREATOur tax system is under attack by very capable criminals

Theft (or misuse)Of Identities

(directly or indirectly)

Delivery & Use of

Fraudulent

Refunds

Preparation & Filing of

Fraudulent Returns

enables…

resulting in…

1

2

3

As with all types of fraud, criminals constantly change their fraud schemes

Examples:Puerto Rican SS#RetireesNursing HomesSchoolsDeceased

Huge Volumes early in Tax SeasonFirst to file prior to real Tax Payer

Prepaid Cards used to move money

Authentication & Identity Gaps

8

Tax Fraud is fueled by an explosion in identity theft

• Identity theft is one of the fastest growing crimes in the U.S. – #1 consumer complaint received by FTC for last 11 years

• Fraud perpetrated against the government in 2010 was the most common form of reported identity theft crime

• IRS experienced significant increases in tax issues resulting from identity theft for tax years 2009-2011

Sources: Prepared Statement of IRS Commissioner Doug Shulman, during Hearings on Identity Theft before Subcommittee On Government Organization, Efficiency And Financial Management of the House Committee On Oversight And Government Reform , June 2, 2011.GAO Report: Taxes and Identity Theft (GAO11-674T),Testimony before the Subcommittee on Fiscal Responsibility and Economic Growth, Committee on Finance, U.S. Senate, released May 25, 2011.

Year # Tax-related ID Theft Incidents

2008 51,702

2009 169,087

2010 248,357

9

ACTR Agrees with GAO’s Framework for Fraud Prevention

“A well-designed fraud prevention system should consist of three crucial elements:(1) upfront preventive controls,(2) detection and monitoring, and(3) investigations and prosecutions.”

GAO Report GAO-06-954T, July 12, 2006, “Individual Disaster Assistance Programs Framework for Fraud Prevention, Detection, and Prosecution.”

10

Overall ACTR Ideas/Concepts

• Within the GAO framework, ACTR has focused on key taxpayer and fraud prevention outcomes intended to obtain the most “bang for the buck” in the short and long term:

– Increasing barriers to potentially fraudulent electronic filings– Companies can help IRS identify suspicious activity for enhanced processing by providing

more information at the time of electronic filing, and additional information after electronic filing, but not acting as a law enforcement adjunct against our customer

– We could help IRS identify legitimate taxpayers who we recognize as repeat customers for timely return processing and refund issuance by providing more information at the time of electronic filing

– Rejecting IRS refund issuance to direct deposit accounts that exhibit suspicious indicators

– Preventing or restricting access to previously issued IRS refunds in direct deposit accounts that exhibit suspicious indicators

– Further enabling law enforcement to identify and stop fraudulent activity quickly– Identifying and helping legitimate taxpayers who are prevented from filing their returns

or receiving their refund in a timely manner

11

Protecting the “Front Door”

Websites that only use UserID & Password may be increasingly vulnerable

Many breaches like:

Many consumers reuse their U/P

6.5 Million LinkedIn Passwords Reportedly Leaked, LinkedIn Is “Looking Into” It

Yahoo Confirms 450,000 Accounts Breached, Experts Warn Of Collateral Damage

12

What can IRS and other portions of government do to reduce and mitigate the impact of Identity Based Tax Fraud?– Improve on current Authentication of PIN/AGI– Obtain more data, such as Device ID– Industry and IRS can use better filtering and

detection capabilities– Continue to improve coordination and information

sharing in LE community is under say• IRS/CI, DOJ, FBI, US Postal, Secret Service, State LE

– Use expertise of industry groups willing to help• CERCA, ACTR, FFA and others

13

IRS.GOV Electronic Filing PIN Tool

14

Data Elements to Routinely Collect and provide as part of E-FIle

• Key data elements already collecting:– Filer Identity: Name/Social Security Number/DOB of filer– IP Address from which the efile was submitted– Bank Account: RTN/Account# of the bank account being to

which a refund transfer was requested– Email Address for filing status notifications– Street Address provided as the filer – Phone number provided as the filer

• Potential NEW Element– DeviceID = Globally Unique ID of the device (Computer,

SmartPhone, Tablet) used to submit the efile

15

A DeviceID should…

Accurately identify a unique device in a way that is resistant to manipulation

Recognize a returning device (e.g. Following Tax Year)

Allow for association of additional “high risk” returns Once certain user behavior is observed as “high risk”, linking to other returns

from the same DeviceID becomes possible.

Utilizing DeviceID enables Web Sites to uniquely identify users tied to unique machines and returns. This is a better method of identifying than IP address, PINs, or email/User IDs, which can easily be manipulated.

16

Once Data is Collected, Analytics and Risk Scoring can be performed by Government,

identifying possible Fraud Rules based on DeviceID can be used to calculate risk for transaction

Negative ListsDevice or IP is on “black” list or watch list

Velocity RulesHigh number of filings from same DeviceID

Static RulesDevice is using proxy server

Multi-level rules can be used to hold transaction IF Risky DeviceID and Risky bank account , then hold If Risk DeviceID and compromised Identity, then hold

Link Analysis on DeviceID can be used link filings and identify fraud rings

17

Understanding DeviceID

Web ServerWeb

Server

1. DeviceID javascript is loaded to the browser

1. DeviceID javascript is loaded to the browser

2. Device Fingerprint is generated and posted to the web server

2. Device Fingerprint is generated and posted to the web server

3. Web server makes a call to DeviceID Service

3. Web server makes a call to DeviceID Service

4. DeviceID Service returns a Globally Unique Device ID

4. DeviceID Service returns a Globally Unique Device ID

Users Web

Browser

Users Web

Browser

DeviceID Service

A DeviceID is not a MAC Address. A MAC Address is a serial number assigned to a computer’s network card, and is not available remotely to Web Servers

A DeviceID is based on observed device characteristics, using backend algorithms that determine the uniqueness of the device

How it works:

1. Javascript is embedded on the target web page which:

a. Looks for, or sets a device “tag” (e.g cookies) on the customer’s computer/device.

b. Captures characteristics of the customer’s computer and browser (IP Address, user agent, headers, mime-types, Plug-ins, etc)

2. The tag and fingerprint are sent by the Web Browser to the Web Server

3. The Web Server sends the tag and fingerprint to a DeviceID Service where it is associated with an existing DeviceID, or a new DeviceID

4. The DeviceID service returns the DeviceID to the Web Server and User can then be uniquely identified

5. IRS could build the DeviceID service or leverage various Vendors.