ETAAC Chair Lists Principles for Improving Tax Administration

HEARING BEFORE THE SENATE SUBCOMMITTEE
ON TAXATION AND IRS OVERSIGHT

IMPROVING TAX ADMINISTRATION TODAY

TESTIMONY OF JOHN SAPP,
CHAIR, IRS ELECTRONIC TAX ADMINISTRATION ADVISORY COMMITTEE

JULY 26, 2018

Chairman Portman, Ranking Member Warner, other members of the Subcommittee, good afternoon.

Thank you for inviting me to testify at this hearing on Improving Tax Administration Today.

My name is John Sapp, and I am just finishing my tenure as Chair of the IRS Electronic Tax Administration Advisory Committee (ETAAC).

As you know, ETAAC was created by Congress in the IRS Restructuring and Reform Act of 1998. It has a diverse membership of individuals from the state departments of revenue, private industry, including the payroll community, and consumer groups. This diversity allows the IRS to receive a wide variety of perspectives on electronic tax administration and its impact on taxpayers.

ETAAC's primary focus was initially on researching, analyzing and advising the IRS on its electronic tax administration strategy and most specifically on achieving the goal of receiving at least 80% of major tax return types electronically. ETAAC is pleased to report that it estimates that IRS will achieve its 80% goal this filing season for all major return types¹. More recently, ETAAC's charter was expanded to include a focus on the urgent issue of Identity Theft Tax Refund Fraud (IDTTRF) and information security. This expanded focus reflects the ever-changing threat environment for electronic tax administration.

This year, ETAAC's Annual Report to Congress continued to focus on the work of the IRS Security Summit — an unprecedented collaborative effort lead by IRS to engage state governments and private industry to work together to fight IDTTRF and protect American taxpayers. Although we can never declare final victory over the criminal elements attacking our tax system, the Security Summit has made significant progress in the fight. That progress has been enabled by strong IRS leadership, the support of both the states and private industry and a collaborative mindset of all participants.

I am pleased to represent ETAAC today to provide a perspective on tax administration. After providing some brief context, I will offer my thoughts on the following four principles concerning IRS electronic tax administration illustrated with specific recommendations made by ETAAC in its 2017 and 2018 Reports to Congress:

• Security

• Accessibility

• Taxpayer Control

• Collaborative Development

Electronic Tax Administration Operates in a Challenging Environment

Initially, I would like to set context regarding some challenges facing electronic tax administration.

First, the need to supplement traditional IRS service delivery channels (phone, in person, etc.) is obvious. Electronic services — online but increasingly mobile — are an essential element in enhancing IRS' overall service channels. Both consumers and businesses expect to be able to conduct much of their business electronically, but they also expect to be able to talk with someone when necessary.

Second, electronic services operate in a high threat environment. The Subcommittee is well aware of the cyber security threats facing our nation. Cyber criminals are well-funded and very capable. They continue to target our tax system to obtain tax refunds fueled by the theft of personal information from a variety of government and private sources, most of which are external to our tax system. This fight will never end — as we close one door, the criminals look to find another. We need to raise our cybersecurity game across the board.

Third, like all consumers, taxpayers have high expectations for electronic services. They expect them to be secure, easy to use and integrated into their existing workflows. In ETAAC members' experience, the adoption rate for isolated or stove-piped solutions is not high — integrated solutions have higher adoption rates over time. A good example of this is electronic filing, which has been integrated into the tax software solutions used by taxpayers and tax professionals.

However, some taxpayer expectations are in tension with one another. For example, secure solutions necessarily require effective identity proofing and authentication — potential users must be able to prove they are who they say they are to gain access to “their” sensitive personal information. Traditional digital identity proofing solutions are typically somewhat tedious multi-step processes. As a result, security can be in tension with ease of use and accessibility — a particularly challenging balance to achieve.

Of course, ease of use and accessibility are elements of the overall customer service experience. Taxpayers who find electronic services difficult to use, or who are unable to access such services, understandably will revert to call IRS assistors or visit IRS offices to meet their needs.

Principles for Taxpayer-facing Systems

With this context, I will summarize some specific ETAAC recommendations supporting the key principles for electronic tax administration mentioned above — security, accessibility, taxpayer control and collaborative development.

Electronic Services must be secure

Security is a prerequisite for any electronic solution to be adopted, and standards are a foundational element for any secure system. In its 2018 Report, ETAAC identified potential gaps in the security standards covering our individual and business income tax systems. Specifically, the most prevalent security standard currently covering “tax preparers” is limited to those serving consumers — I'm referring to the FTC Safeguards Rule, which was implemented pursuant to the Gramm-Leach-Bliley Act (GLB).

Additionally, it is unclear whether the IRS has the authority to set or enforce minimum security standards for tax preparers, particularly because of the Loving and other cases which specify limitations on IRS' ability to “regulate” tax preparers.

ETAAC believes our tax system requires a high-level security standard, such as the one articulated in the FTC Safeguards Rule. Further, we believe IRS should have the authority to set and enforce security requirements for our tax system.

Electronic Services must be accessible

As I mentioned above, IRS' ability to remotely identity proof and authenticate taxpayers in a secure and reliable manner is a key enabler for electronic services. These are the processes by which the IRS collects, validates, and verifies information about a taxpayer to ensure the applicant is who they claim to be to a stated level of assurance. Digital identity management presents a technical challenge because it involves proofing and authenticating individuals over an open network, which presents opportunities for impersonation and attacks leading to fraudulent claims of a subject's digital identity.

The IRS has several online services with different levels of assurance. Some services provide access to less sensitive information such as refund status whereas others require the highest level of assurance because of the sensitivity of the information, e.g., Get Transcript Online, Get an IP PIN, IRS e-Services and the taxpayer online tax account.

The IRS' current remote identity proofing solution is the Secure Access identity management platform. Generally, Secure Access requires the taxpayer to successfully complete a process of validating their identity using personal information, an email address, third party public information and a cell phone. The IRS has constantly evolved its current Secure Access identity proofing platform, but it still has its limitations. For example, certain segments of the population may not be able to validate themselves digitally using Secure Access because of an insufficient public record or an inability to complete cell phone validation. While there may be alternative authentication methods provided by the IRS, the inefficiencies they create are cumbersome.

In our experience, the IRS is taking a deliberate, studied approach to identifying and pursuing solutions to this challenge. It is looking for ways to both protect taxpayer data and, simultaneously, enable more taxpayers to identity proof remotely. It is also considering solutions under development in both the governmental and private sectors. Of course, digital identity management is a broader challenge for all of government, not just the IRS.

ETAAC has made two recommendations in this area.

First, the IRS should continue to collaborate with key stakeholders to help IRS identify, test and implement new identity proofing and authentication solutions. This innovation effort should be done in a way that manages risks, but stakeholders should not expect zero defects. Innovation necessarily involves a mix of successes and failures. Small pilots can help to manage these risks.

Second, remote identity proofing solutions have inherent limitations and challenges. We have already mentioned the difficulty of navigating Secure Access to gain access to and use online solutions. For that reason, ETAAC's 2018 Report encouraged IRS to consider options to expand in-person identity proofing opportunities. The IRS may be able to leverage its existing physical locations for this purpose, or those of other government agencies with a larger and more diverse physical presence such as the Social Security Administration.

Additionally, our Report offered another option for the IRS to consider — the creation of a “Trusted Third Party” program to expand the availability of in-person taxpayer identity proofing. To illustrate this approach, we referenced IRS' previously created Certified Acceptance Agent (CAA) Program to improve access to Individual Taxpayer Identification Numbers (ITINs). A CAA is a person or an entity (business or organization) who, pursuant to a written agreement with the IRS, is authorized to assist individuals who do not qualify for a Social Security Number but still need a Taxpayer Identification Number (TIN) to file their taxes. The CAA facilitates the application process by reviewing the necessary documents, authenticating the identity when possible and forwarding the completed forms to the IRS. Applicants to become a CAA must complete a rigorous application process, including submitting an application and finger print cards, as well as completing mandatory training.

Adapting the Certified Acceptance Agent (CAA) Program model to this need may also correspond with taxpayer expectations. Most taxpayers expect their tax professionals or tax service providers (whether paid practitioners, software providers or volunteers in the VITA, TCE or LITC programs) to assist them in engaging with or accessing information from the IRS. Since these third parties are already reviewing physical identification documents in connection with tax preparation or may have other avenues for confirming identity not readily available to the IRS, they represent a possible opportunity to help identity proof taxpayers. ETAAC believes this option is worthy of consideration, likely starting with a small pilot program to test the concept.

An obstacle to this interaction may be the filing of Powers of Attorney on behalf of taxpayers by their tax preparer or representative. ETAAC has recommended (as have others) that the IRS enable the secure online submission of Powers of Attorney (Form 2848), which currently must be mailed or faxed.

Accessibility and ease of use are likewise considerations for IRS electronic services used by tax professionals. Difficulty in using or accessing tax professional services will again, potentially drive them to traditional IRS customer service channels, most particularly telephone assistors or tax professional hotlines.

Electronic Services must be under taxpayer control

Taxpayers must be “in control” of their services. For example, our 2018 Report mentions the benefits of taxpayers having the ability to provide access to their account information to their chosen tax service providers, whether tax professionals or software. However, taxpayers must always have the ability to control any such permissions whether at the time of any initial grant or on an ongoing basis. Additionally, any third parties that might be granted such access must meet some important thresholds such as completing background checks and meeting information security requirements.

On a related note, ETAAC made two recommendations in 2018 associated with taxpayer control. First, we recommended (as have other advisory committees) that the IRS continue to evaluate the concept of “account lock and unlock” feature as described in our Report. Second, we support the idea of expanding eligibility for the Identity Protection Personal Information Number (IP PIN) to all taxpayers, which others have supported including the National Taxpayer Advocate.

Electronic Services should be collaboratively developed

The development of electronic services that consumers will actually use is not as easy as it might seem. As pointed out in our 2018 Report, consumers will often “tell” you that they will use some proposed service that seems beneficial. In fact, that is often not the case.

Instead, as it attempts to develop electronic solutions, it is essential that IRS take advantage of the insights available from a variety of sources and stakeholders including taxpayers, states, tax technology providers, tax professionals, VITA providers and others. Additionally, product research is essential, but not sufficient. We believe the IRS should continue to test “minimum viable services” to see how taxpayers and tax professionals will actually use any online services, not just how they say they will use them.

For that reason, ETAAC recommended that IRS take a collaborative approach to developing online and mobile services. The Security Summit is a great example of the benefits of a collaborative approach.

Conclusion

In conclusion, IRS has been an engaged, collaborative and constructive partner in support of ETAAC's work with the Security Summit. ETAAC believes the improvement of tax administration can benefit from a collaborative effort.

Moreover, as we pursue initiatives to improve electronic tax administration, ETAAC encourages all of us to remember the guiding principles of:

• Security

• Accessibility

• Taxpayer Control

• Collaborative Development

Thank you again for the opportunity to provide my thoughts today. I am ready to answer any questions to the best of my ability.