
Time to Update Protections for Taxpayers

Posted on Nov. 8, 2021

Under President Biden’s new Build Back Better framework, the financial account information reporting proposal has been dropped from the budget reconciliation process. One of the chief concerns about that proposal was its potential to compromise taxpayers’ privacy interests.

That concern is still relevant even though it is somewhat reduced because of the shift away from added reporting. In recognition of the need to uphold the principle of confidentiality, Congress should strengthen the rules protecting taxpayers against disclosure. In particular, the IRS will likely use some of its added funding in the bill to engage contractors in processing and analyzing taxpayer data, so there should be greater safeguards to ensure that that data is kept confidential and properly used.

The IRS is planning to spend some of its proposed appropriation on new technology, which is badly needed. As Natasha Sarin, Treasury deputy assistant secretary for economic policy, explained on October 26, “From an enforcement perspective, the IRS just simply does not have the tools that it needs to be able to make meaningful strides with respect to compliance.”

Sarin said the recommendation for $80 billion in funding for the IRS was based on months of studying the IRS’s needs and determining what can be reasonably deployed in the budget time frame. “You’re running on 1960s technologies and trying to create systems where you can do complex machine learning or data analysis of the same taxpayer over time to understand whether there are discrepancies in tax returns, or similarly situated taxpayers to try and see whether people are appropriately paying what they owe,” Sarin said. She pointed out that those capacities don’t exist at the IRS because the agency’s systems are siloed and don’t communicate with one another.

Monitoring Contractors’ Safeguards

Using new technologies will almost certainly involve outside contractors, so Congress should probably reconsider the rules that contractors must follow when dealing with tax returns and return information to ensure that they properly balance the principle of confidentiality in section 6103.

Return information is protected from disclosure under section 6103(a) and required to be kept confidential. Section 6103(b)(2) defines return information as the following:

A taxpayer’s identity, the nature, source, or amount of his income, payments, receipts, deductions, exemptions, credits, assets, liabilities, net worth, tax liability, tax withheld, deficiencies, overassessments, or tax payments, whether the taxpayer’s return was, is being, or will be examined or subject to other investigation or processing, or any other data, received by, recorded by, prepared by, furnished to, or collected by the Secretary with respect to a return or with respect to the determination of the existence, or possible existence, of liability (or the amount thereof) of any person under this title for any tax.

The universe of return information will therefore include any data analysis and results for a particular taxpayer.

The IRS has broad power under section 6103(n) to disclose returns and return information to contractors, “to the extent necessary in connection with the processing, storage, transmission, and reproduction of such returns and return information, the programming, maintenance, repair, testing, and procurement of equipment, and the providing of other services, for purposes of tax administration.” The safeguards that contractors take are critical to protecting against breaches.

The regulations require a written contract both for the acquisition of equipment or other property and for services. The regulations define a “necessary” disclosure as one without which “the performance of the contract or agreement cannot otherwise be reasonably, properly, or economically carried out.”

Reg. section 301.6103(n)-1(b)(2) further explains that when services can be reasonably, properly, or economically performed by disclosing only parts of a return, then only the parts may be disclosed. Alternatively, if deleting taxpayer identity information “would not seriously impair the ability of the employees to perform the services,” then only the return with identity information deleted may be disclosed.

The regulations also contain safeguards under section 6103(n) that require contractors and their agents or subcontractors to agree before any disclosure of returns or return information to an inspection by the IRS of their site or facilities. That requirement was evidently written for an era of largely paper returns. The types of inspections that are needed in a digital age are different, and the regulations should probably be amended to reflect the added focus on IT developed and used by contractors.

That this should be an ongoing right and responsibility of the IRS should be clear in the regulations. The IRS must be sure that taxpayer information isn’t being disclosed or contractors’ systems aren’t breached by bad actors, but it also must have sufficient guardrails to ensure that contractors are using the data from the IRS only to accomplish the agency’s work.

The rest of reg. section 301.6103(n)-1 could also be revisited in light of recent computational developments. Under the current rules, contractors must comply “with all applicable conditions and requirements as the IRS may prescribe from time to time . . . for the purposes of protecting the confidentiality of returns and return information.” That leaves great potential for wide variations in contracts.

The heaviest stick the regulations use to discourage violation of the privacy requirements is to suspend or terminate “any duty or obligation arising under a contract or agreement with the Treasury Department.” The lighter stick is suspension of further disclosures of returns or return information until the IRS determines the conditions and requirements have been or will be satisfied. The regulations were last updated in 2007, when the IRS widened the scope of section 6103(n) by clarifying that contractors could re-disclose returns and return information to agents and subcontractors, as long as it provided written permission to do so.

The sole comment the IRS received on prop. reg. section 301.6103(n)-1 suggested that the regulations require each contractor or subcontractor to designate an employee to manage all disclosures by the contractor or subcontractor; to have the authority to impose the sanctions of stopping disclosures or suspending or terminating duties of lower-tiered subcontractors; and to have the authority to promptly apprise the IRS and higher-tiered contractors or subcontractors of breaches or noncompliance. The comment explained that given the magnitude of the risk of improper disclosure, “the process of flowing down disclosure responsibilities should have safeguards to discourage and prevent misdisclosures from occurring in the first place, and, failing that, a mechanism that facilitates the prompt reporting of such misdisclosures, so whatever damage control measures may be available can be deployed sooner rather than later.”

The IRS responded that the comment “was more in the nature of a contractual (case-by-case) rather than a regulatory recommendation,” and so did not adopt the recommendation or any added regulatory provision to address the problem raised. However much a case-by-case approach to establishing the responsibilities and liabilities of contractors with returns and return information was feasible in 2007, it’s far from ideal in 2021 when the scope of contracted work is set to expand dramatically.

The history of monitoring contractors is checkered, further justifying careful legislative and regulatory consideration of the implications of expanded contractor involvement in handling returns and return information. Before the 2007 final regulations, in a report on confidentiality and disclosure provisions in 2000, the Joint Committee on Taxation explained that “the IRS does not have the resources to fully monitor contractors’ safeguards under present law” (JCS-1-00, Vol. I, pt. 2).

The JCT’s comment related to a recommendation not to allow contractors to access returns and return information for administrative purposes unrelated to tax. The JCT noted that returns and return information “contain a ready source of information that could be useful for a variety of purposes.” The report concluded that expanding the scope of contractors’ access to returns and return information, at least for purposes unrelated to tax administration, violates section 6103’s principle of confidentiality and would compromise taxpayers’ privacy interests.

Partial Solution

The existing penalties for unauthorized disclosures no longer adequately protect taxpayers’ privacy interests and the IRS’s interest in the integrity of the tax system. Congress has a simple way to add extra incentives for contractors to be careful with taxpayer information by raising the penalties in the code for disclosures — intentional or not. Section 7431 provides a civil cause of action against officers or employees of the federal government and against any other person who “knowingly, or by reason of negligence, inspects or discloses any return or return information with respect to a taxpayer in violation of section 6103.”

The damages a plaintiff can collect are the greater of $1,000 for each act of unauthorized inspection or disclosure, or the sum of the actual damages plus any punitive damages for a willful inspection or disclosure. Plaintiffs who prevail are also entitled to the costs of the action and reasonable attorney fees.

The $1,000 statutory damages were established in section 357 of the 1982 Tax Equity and Fiscal Responsibility Act. They should be raised substantially to meaningfully deter either intentional or negligent disclosure. And since a disclosure or inspection that occurs because an outside contractor has compromised taxpayer data harms public confidence in the tax system, the contractors should pay a penalty to the IRS as well as to the affected taxpayers. Giving the penalties more teeth is a starting point for ensuring the confidentiality of taxpayer data when the IRS expands contractors’ access to taxpayers’ information.

The foreign bank account reporting penalties provide a counterpoint to the $1,000 penalty and suggest that it’s time to raise it. The maximum penalty an individual taxpayer may incur for a non-willful violation of the FBAR requirements is $10,000. An individual taxpayer who fails to file a form should not owe more than a company operating as an extension of the IRS for a negligent disclosure.

The failure to file doesn’t result in the same level of damage to the tax system as the negligent disclosure, because the former is capable of being completely remedied — the taxpayer files, pays what they owe and any penalties, and then continues in compliance, with no further harm to the system. But taxpayer information disclosure has harmful effects far beyond that. Disclosures undermine public trust in the tax system, in addition to the extensive damage that may result from disclosures to individuals.

The taxpayer who fails to file an FBAR is only failing to comply with their duty to pay taxes — an important duty, to be sure — but the contractor who negligently discloses taxpayer information is being paid by the IRS to safeguard taxpayer information, and that employment relationship should require a much greater standard of care. The fact of that remuneration implicates material disgorgement following a failure to fulfill the contracted duty. A $1,000 penalty is insufficient.

Moreover, the criminal penalties for willful FBAR violations are far higher than the criminal penalties for willful disclosure of returns or return information. Under 31 U.S.C. section 5322, an individual taxpayer committing a willful violation of the FBAR filing requirement faces a maximum penalty of $250,000 in fines or five years’ prison time, or both. In contrast, section 7213(a)(1) prescribes that willful disclosure by a federal government employee or, through section 6103(n), any person providing services “for purposes of tax administration” carries a maximum sentence of a $5,000 fine or five years in jail, or both.

Prosecutors could probably stack the $5,000 and five-year maximums for multiple disclosures because the statute says “any violation” carries those possible penalties. But proportionality is still lacking between the monetary penalty contemplated by the FBAR statute and that contemplated by the disclosure statute, and Congress should fix that.

In 1976 Congress amended section 7213(a) to make willful disclosures a felony instead of a misdemeanor and increased the maximum fine to $5,000 from $1,000 and the jail time to five years from one year (P.L. 94-455). But it isn’t 1976 anymore, taxpayer data no longer lives on paper ledgers in manila folders in cardboard bankers’ boxes, and the penalties that were appropriate then no longer are today.
