On a regular basis, Retail Payments Risk Forum members get asked, "What is the most significant risk facing the industry today?" While we often have lively, wide-ranging discussions on payment matters, we quickly reach consensus when asked the aforementioned question. Generally speaking, we would all answer "cybersecurity" (as would many other experts).
To fully understand the significance of cybersecurity, we have to explore other root risks. For payments, one of the largest issues is cybersecurity attacks that aim to steal identities. Identity theft is a not a new issue, but, more than ever, it's attached to cybersecurity. In the spirit of tax season and identity theft, I‘d like to provide an update on the recent efforts of the IRS Security Summit as it works to protect the industry from identity theft related to tax fraud.
Last year was the first full year for the IRS Security Summit and its seven work groups. Thanks to this industry collaboration, the IRS received 237,750 new identity theft affidavits between January and September 2016—50 percent fewer than what the IRS received during the same period in 2015. In addition, in 2016, the IRS stopped 50 percent more fraudulent returns from processing compared to 2015, preventing $7.2 billion in fraud losses. Even more promising is that fewer fraudulent returns actually made it to the IRS in the first place.
These results show improvements at each point of the tax refund cycle by the combined efforts of tax professionals, state tax agencies, financial services partners, and designated IRS personnel. Several tactical approaches the work groups are developing include:
- Identification of data elements transmitted on both business and individual tax returns that can be used to identify fraud
- A program to allow financial institutions to flag suspicious refunds before they are deposited
- The requirement for tax software products to improve password practices and customer validation procedures
- A new W-2 verification code for taxpayer authentication
- The External Leads Program for suspicious refund returns
- National education and awareness campaigns
- National Institute of Standards and Technology Cybersecurity Framework for the tax industry
- The creation of a cyber-threat assessment tool
This year, the IRS Security Summit is continuing its work with efforts cyber in nature. In January, the summit launched the Identity Theft Tax Refund Fraud Information Sharing and Analysis Center (IDTTRF-ISAC). This association will issue early warnings, identify fraud schemes, assess threats, address cybersecurity issues, and provide better data for law enforcement. While the design work for the IDTTRF-ISAC is still in progress, the work group has already reviewed the sharing practices followed by the Department of Health and Human Services and the Federal Aviation Administration. To provide the tax ecosystem a highly secure, web-based information exchange will require dedicated, well-qualified analytic and cybersecurity professionals to join an already effective, mostly volunteer task force.
By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed