The emerging threat of tax-related identity theft was one of the most pressing topics discussed at the VSCPA’s 2016 IRS Liaison Day. This annual event, aimed at giving small tax practitioners access to U.S. Internal Revenue Service (IRS) resources and representatives, was held Nov. 4 at the CPA Center in Glen Allen.
The IRS’s Criminal Investigation division (CI) is the outfit that handles ID theft cases, with one of their highest-profile recent wins happening right here in Virginia. Eddie Blanchard, a Florida man, was convicted in 2015 of 21 counts of fraud and identity theft related to fraudulent online job postings.
“We worked it here in Richmond,” CI representative Patrick Brown said in his Criminal Investigation update. “Eddie Blanchard and his cohorts would travel up from Miami and would set up false websites advertising jobs, which is how they got personal information. They would check into hotels here on West Broad, use their Wi-Fi to keep their anonymity, and then post these jobs. Then they would just churn out tax returns, then hustle back down to Miami and people would be none the wiser.”
Blanchard was ultimately undone through his own carelessness, which gave the CI the break it needed.
“They messed up,” Brown said. “They had a storage facility and they didn’t pay the bill, and the manager cut the lock and found all these index cards with personal information on it.”
The CI’s 3,150 worldwide employees include 2,200 special agents with exclusive jurisdiction over IRS Title 26 violations, which cover tax laws and convictions. Contrary to popular belief, it was undercover IRS agents, not Eliot Ness, who were largely responsible for the arrest of notorious gangster Al Capone.
“Capone wouldn’t have known Eliot Ness if he’d sat down to have coffee with him,” Brown said.
The CI’s major areas of focus include:
- International tax fraud
- Refund crimes and tax-related identity theft
- Abusive tax schemes, focusing on promoters and clients, domestic and offshore
- Money laundering and the Bank Secrecy Act
- Political/public corruption, including bribery, extortion, embezzlement, illegal kickbacks and entitlement and security fraud
- Virtual currency
- Organized crime drug enforcement
- Civil fraud referrals
International tax enforcement is another area of increasing importance for CI investigators. The department’s directive is to pursue all violations, including Foreign Bank Account Reporting (FBAR) issues, using all investigative avenues.
“It used to be considered a harmless white-collar crime, and the sentences reflected that,” Brown said. “Now we see the impact that it has and it’s much more of an area of focus.”
Like many companies, the CI has turned to artificial intelligence to speed up its investigations. Tax returns are screened through an algorithm used to identify suspicious activity, with flagged returns escalated to agents who determine whether or not to pursue a criminal case.
Brown described the IRS’s voluntary disclosure program, which has fielded more than 54,000 disclosures since its inception in 2009, as “very successful.” In this area, the CI is focused on promoters of offshore structures used to evade taxation, banks that willingly participate in such schemes and taxpayers who knowingly used such schemes and failed to make a disclosure.
It’s tax identity theft, though, that has stood out as a particular area of concern. Identity theft complaints jumped more than 47 percent from 2014 to 2015 on the back of a massive increase in consumer complaints about tax-related identity theft. An estimated 9 million Americans are impacted by the issue each year, and data breaches aimed at stealing identities have a $400 billion annual impact on the global economy.
Collection Due Process: Your Clients’ Rights and Responsibilities
IRS Associate Area Counsel Tim Heavner, who focuses on small businesses and the self-employed, updated the 61 attendees (19 virtual) on the best ways to efficiently and effectively resolve clients’ tax liabilities through the Collection Due Process (CDP) process.
The CDP process begins with the IRS filing a Notice of Federal Tax Lien or Notice of Intent to Levy against your client. Levies require prior notification of the offending party, while lien notices must be filed within five business days after the lien is filed.
That starts a 30-day window where you can get a CDP hearing in tax court. Any later and your client will receive an equivalent hearing held outside of tax court, without judicial review rights. Heavner discussed the issue of taking as much time as allowed while ensuring your client is compliant.
“I don’t mean delay for delay’s sake,” he said, “but the key to it is that it can be, and should be, a mechanism to take a potential client of yours who is not current in filing and payment and give them a hiatus that way.
“CDP is essentially useless if they are not filing and payment compliant. There’s nothing you can do for them. But if they walk in the door not that way and you help them get that way, you’ve had some success.”
If you’re representing a client who is in the CDP process, it’s imperative that you file IRS Form 2848, Power of Attorney and Declaration of Representative. Without that form, you won’t be able to speak to IRS representatives about your client’s accounts. Make sure the form lists all the periods involved in the notice or notices, and be sure to check the box after your own name and address, which authorizes the IRS to send documents to you.
When requesting a CDP or equivalent hearing, make sure to be thorough in documenting the periods and types of tax you are contesting. The periods and types listed on Form 12153, Request for a Collection Due Process or Equivalent hearing, are the only ones that will be considered during a hearing. Even if your client failed to give you all notices received, you won’t be allowed to bootstrap other periods or types after filing Form 12153.
When sending that form, be sure to use the U.S. Postal Service or an appropriate private delivery service, which will serve to prove your filing of the form, regardless of whether or not the IRS actually received your submission.
“Receipt doesn’t really matter,” Heavner said. “If you can prove that you mailed it through an approved service, it doesn’t matter if we get it.”
After filing Form 12153, you’ll hear from an IRS Settlement Officer, who will provide information on the IRS representatives handling the case and usually offer a face-to-face hearing. You can usually get the hearing rescheduled one time, provided you have a good reason.
If you’re working under a tight timeframe because the client fell into your lap late in the process, success in getting delays will depend on how long the IRS has been pursuing your client. Be realistic with your client about how much you can accomplish in your particular scenario.
In your communications regarding the case, make sure to address all concerns listed by the Settlement Officer as soon as possible. Failing to provide requested information will adversely affect your chances of a positive resolution, while failing to file delinquent tax returns disqualifies your client from reaching a collection alternative.
Positive outcomes of the CDP process could be abatement of tax, penalties and/or interest or a collection alternative. The Settlement Officer is not an advocate for your client or the IRS.
“Do your best to paint a picture. These are humans on the other side,” Heavner said. “Painting a picture and telling a story is always the best thing to do with the facts that you have.”
In the end, your responsibility to your client is to represent them to the utmost with the information available to you.
“A lot of times, that might not be in your control, because your client might not be getting you the information,” Heavner said. “But you need to make them aware that they might be closing doors on themselves.”
Tax-Exempt and Government Entities
IRS Program and Management Specialist Richard Crom discussed his area of focus, tax-exempt organizations, with a natural heavy focus on Form 990. That form, which allows an organization to show that it’s organized and operated as a qualified tax-exempt entity, must be filed by almost all 501(c) organizations, with the exceptions of churches and associations and conventions of churches, among a few others.
Those entities must file other forms from the 990 family. Private foundations must file Form 990-PF, while organizations with gross receipts below $200,000 and assets below $500,000 can file Form 990-EZ. Organizations with gross receipts below $50,000 can file Form 990-N.
If your client misses a year filing Form 990 or its equivalent, the IRS is generally willing to work with them as long as they make a good-faith effort to fulfill requirements. But three consecutive years without filing means automatic revocation of the offending organization’s tax-exempt status, meaning it may need to file tax returns and pay taxes, while contributions will no longer be tax deductible.
“If they miss one, it’s not the end of the world,” Crom said. “Just make sure they don’t miss three.”
Crom’s other key update dealt with the IRS’s new website for electronically filing Form 990. The website is now part of IRS.gov, and new users — including those who previously filed using the old system — must register to verify their identity.
As of October, 1,599,249 organizations had attained tax-exempt status from the IRS. Those organizations are governed by a group of 700 employees nationwide, including just 300 revenue agents.
Crom encouraged Form 990 filers to file electronically, citing an error rate of 20 percent on hard-copy submissions versus just 2 percent for electronic submissions. And he stressed that Form 990 filings are public information and should not include Social Security numbers or other personal information.
Protecting Your Clients Online
Following cybersecurity best practices is another way tax practitioners can protect their clients from identity theft. VSCPA member Art Auerbach, CPA, detailed some of those best practices in his cybersecurity session.
Auerbach stressed the need for appropriate device controls in protecting your clients’ personal information, citing bring your own device (BYOD) policies and hardware vendors as particular areas of concern.
“If you go to a competitor, are you walking out onto the street and to my competitor with my entire database?” Auerbach asked. “When you switch printers, are you taking the memory device out the way you would with a hard drive? Or are you letting whichever company sold you the printer take it, and maybe your tax data? Those are the things we’re seeing.”
The IRS itself is also taking precautions to encourage strong cybersecurity controls from tax preparers. In June, the agency released IRS Information Release 2016-94, detailing recommendations that emerged from this year’s IRS Security Summit.
The most impactful result of that meeting is the requirement that all individual tax software customers must upgrade their security credentials to a minimum eight-digit password. Software vendors are complying and supplying verification data to the IRS.
Auerbach recommended that every tax practitioner avail themselves of one of the IRS’s most helpful services for combating identity theft.
“Every one of you sitting in here needs to, as a business and an individual, sign up for the IRS’s ‘Get Transcript’ program,” he said. “When you get on there, there are actually six different transcripts that you can get. The most obvious one is the one that shows what payments have been credited to your account. But another you can get is one that says what information returns are connected to your name and ID number.”
Nonprofit organizations, particularly churches, often make particularly easy targets for would-be cybercriminals. Auerbach said that several churches in his hometown of Atlanta have been victimized by hackers. CPAs can play a vital role in ensuring their clients have proper controls in place.
“When Moses came down from the mountain, he came down with an 11th commandment. It said that if thou art a CPA and thou joins a nonprofit organization, thou shalt be the treasurer,” Auerbach said. “So now you’re working for a small nonprofit organization that hasn’t spent a lot of money securing its database.”
If you operate in a cloud environment, make sure to do your due diligence in selecting a vendor. Ask your provider the following questions:
- Where is my data located?
- What happens if there are problems uploading or downloading data?
- Who owns the equipment where your storage is done?
- Are you sharing any stored information with anyone else?
- Do you have insurance?
- Do you have a written document security policy?
- Who mans your help desk? Where are they physically located?
Other cybersecurity best practices from Auerbach include:
- Have separate passwords for your server and your tax software: “That is an absolute must. And if you have someone working for you, they’ll need access to your server, but not everyone needs access to the tax program.”
- Be wary of people requesting payment through non-traditional means, who are often cybercriminals: “They don’t want you to use a credit card or a debit card because that’s too easy to trace. The latest thing is that they want you to go out to, let’s say, Target, and buy an iTunes card. They stay on the cell phone with you while you buy it and ask you to scratch off the little metal thing on the back and read the digits. When you do that, they’ve got the money, not you.”
- Be mindful of your payees: “When you send a check, the only payee should be the United States Treasury. Not the Internal Revenue Service or anything else. If they ask you to pay someone else, it is a scam.”
- Make sure your clients know the warning signs of tax scams: “Consider using a signature on your email saying, ‘The IRS never asks for payment of tax debts using a debit card.’”