WASHINGTON, D.C. – House Ways and Means Oversight Subcommittee Chairman Peter Roskam (R-IL) delivered the following opening statement at an Oversight hearing on the Tax Filing Season.
Remarks as prepared for delivery:
“Good morning. I think I speak for the many Americans when I say I’m glad Tax Day is over. Today’s hearing will review the results of the 2016 tax-filing season. Additionally, we will focus on the growing threats of identity theft and cybersecurity.
“Over 150 million Americans already have or soon will file taxes returns for 2015. They expect and deserve an efficient IRS that works for them. Two key aspects of that are ensuring a smooth filing season and protecting taxpayer data.
“Unfortunately, the IRS does not have the best track record with regards to either. Last year the Ways and Means Committee found the IRS deliberately diverted user fees away from customer service, resulting in service that even the IRS Commissioner called ‘abysmal.’
“Through Congressional oversight and appropriations, the IRS was forced to prioritize customer service. But the agency needs to act quickly to address identity theft-related tax fraud and cybersecurity issues.
“Fraud related to identity theft is growing at an alarming rate – it’s a serious crime that hurts millions of Americans and costs the government billions of dollars. In 2012, the Treasury Inspector General for Tax Administration, or TIGTA, reported the IRS could pay out $21 billion in fraudulent refunds over five years.
“If you have your identity stolen it can take months to get your life back together. TIGTA estimated it took an average of 278 days to resolve identity theft cases and nearly 20 percent of them weren’t even resolved correctly.
“While the IRS has taken some steps to prevent and detect identity theft, the agency is not keeping up with the criminals. Law enforcement officers say tax fraud is so easy it has become an addiction for some criminals. Former drug dealers hold tax-filing parties where they file hundreds of returns using stolen identities. As one suspect told police, ‘Why would I take the risk to sell drugs and get busted when I can put $10,000 on a card and do it all day long from home while the cartoons are on?’
“In 2010, police in Miami, Florida uncovered an entire tax preparation company set up to file fraudulent returns. It stole over $2 million from hardworking taxpayers.
“While law enforcement has had some success in this area, there are many sophisticated operations that continue unabated. As one police officer in Florida remarked, ‘you know there are guys out there doing it better. We’re getting the idiots.’
“Crime syndicates in Eastern Europe, for example, are making millions of dollars off the U.S. Government without ever setting foot in the country.
“And last May the IRS announced criminals had broken in to the ‘Get Transcript’ function on the agency’s website and accessed data on more than 100,000 Americans. The IRS suspended that specific program but the problem continues. Over 700,000 people are now estimated to have had their sensitive information stolen.
“Earlier this year, the agency also had to suspend its Identity Protection Personal Identification Numbers, or IP PIN online program. IP PINs are given to previous victims of identity theft in order to protect their tax returns. But the IRS discovered at least 800 tax returns filed by fraudsters who had stolen IP PINs.
“It is ironic, and terrifying, to see criminals access the very tool the IRS relies on to protect identity theft victims.
“Identity thieves are increasingly relying on cybersecurity breaches and other attacks to obtain taxpayer data. As the criminals evolve, we need to do the same.
“A few years ago, criminals would use stolen names and Social Security Numbers to fill out fraudulent returns just by guessing information. It’s simpler to catch this type of fraud because some information is often incorrect and can be flagged through data matching.
“Nowadays with identity thieves obtaining their information through cybersecurity hacks, the criminals often have ALL the information they need.
“The IRS needs to focus on advanced fraud-detection methods to keep up with increasingly sophisticated identity thieves. Does the IP address match the address on the return? For electronically filed returns, were the forms completed more quickly than a human preparer could fill them out?
“And the IRS needs to improve its information security. Both TIGTA and the Government Accountability Office have raised concerns with the IRS’s inability to protect taxpayer data. TIGTA found the IRS was fully meeting federal information security standards in only three of ten areas, and there were three areas with significant weaknesses that put taxpayers at risk.
“Last month, GAO reported additional problems with IRS security, including outdated software.
“Authentication is one of the biggest challenges. The IRS needs the ability to verify the people who are interacting with the agency are who they claim to be.
“TIGTA and GAO have reported the IRS’s current authentication standards are not enough to protect taxpayer data. We have seen those weaknesses play out in the IP PIN and Get Transcript hacks. These criminals were able to get in through the front door by passing the IRS’s authentication protocols.
“The IRS has always had problems with its information technology, and now criminals are getting better at exploiting it.
“Last year, the IRS convened a Security Summit of stakeholders and industry experts to try to address identity theft and cybersecurity. The agency has already announced it is working with software providers to enhance identity and validation procedures.
“Unfortunately, the IRS still has not made the common sense switch to multi-factor authentication. This is common practice in the private sector. Most people have experienced it when they want to access their bank accounts online. The bank won’t grant the user access until a code is sent to his or her phone or email account.
“The IRS needs to move in this direction, and quickly. Let me be clear, this isn’t the gold standard we’re talking about – it is the bare minimum the IRS needs to ensure people accessing accounts and filing returns are who they claim to be.
“Finally, I want to note identity theft-related tax fraud is not just committed by people outside the IRS. As TIGTA will testify today, there have also been instances of the IRS’s own employees using their positions to improperly access taxpayer data and claim fraudulent refunds.
“This is unacceptable, and should be addressed immediately. How can the IRS expect taxpayers to trust its agents with sensitive information when it can’t even prevent criminal activity among its own employees?
“It’s clear the IRS’s existing efforts to address identity theft and cybersecurity attacks are not enough. Criminals are already exploiting these weaknesses, exposing taxpayers to identity and costing the government billions of dollars every year.
“The troubled agency’s failure to improve its information security puts all of us at risk. We need to hold the IRS accountable for protecting taxpayer information and strengthening security. That starts right here, right now.”