Recently, a local newspaper reported on two ex-bankers who were sentenced for their roles in a two-year-long fraud scheme. These ex-bankers created fraudulent bank accounts, then generated more than 2,000 false tax returns totaling more than $2.8 million in fraudulent refunds. The IRS has plenty more stories of tax fraud to tell.
Currently, "file taxes" is number one on my to-do list, and maybe yours. Do you shiver considering the possibility a tax return in your name has already been filed by someone else? Criminals, organized or not, know they can earn a living by filing fake returns. Even a legitimate taxpayer who owes taxes can be a victim of identity theft tax (IDT) refund fraud, as defined by the Internal Revenue Service's (IRS) Security Summit. (Note: The Electronic Tax Administration Advisory Committee, which reports to Congress, calls IDT refund fraud stolen identity refund fraud, or SIRF).
Formed on March 19, 2015, the Security Summit joins the IRS, state departments of revenue, and members of the tax refund ecosystem to discuss ways to combat IDT refund fraud. The Summit currently has seven working groups, including one focused on refund authentication and fraud detection. We have blogged before on the importance of data analytics in detecting fraudulent filings; this working group is attempting to strengthen these data tools. The working group also laid out best practices for software providers in enhancing identity requirements and strengthening validation procedures. At the end of last year, Congress provided a big assist in these efforts by passing the Protecting Americans from Tax Hikes, or PATH, Act of 2015, which closes one of the biggest loopholes in the tax refund process by requiring employers to electronically file W-2 forms and 1099 forms with the IRS by January 31 of each year instead of March 31. This new requirement, which becomes effective in 2017, will allow federal and state taxing authorities to match returns with actual W-2s for the first time.
The Security Summit also has a Financial Services Working Group, which explores ways to prevent criminals from using stolen identification credentials to establish financial services products such as checking accounts and prepaid cards that would allow the criminal to access the proceeds of fraudulent returns. After all, fraud may not be realized until after processing the tax return. Refunds are distributed either by check or direct deposit via ACH, which can be sent to a prepaid account (card) or traditional bank account. The IRS can't determine which account type an ACH refund is destined for since routing number and account number aren't standardized by account type, nor is there a database of routing numbers to identify prepaid accounts. Some have suggested that knowing when it is a prepaid account could be helpful in risk rating the return before sending the refund. The Financial Services Working Group has developed a standard state ACH file-naming convention so that state tax refunds can be identified by the industry in order to apply enhanced fraud filtering. Suspicious state tax refund deposits can be detected based on amounts, name matching, account type, length of relationship, and volume of deposits or withdrawals. The new format standard will strengthen fraud control systems in that all tax refund deposits will be able to be further scrutinized.
The Security Summit has a total of seven working groups, and they have their work cut out for them. While I shiver to think I could be a victim to identity theft, I support the progressive efforts to stop this crime, especially in the pre-filing and pre-refund stages so the criminals can't see a reward for their efforts.
By Jessica J. Trundley, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed