By Guest Blogger Paul W. Pocalyko, CPA, CFF, CFE

---

Just as last tax season was peaking toward the final filing deadline, the United States Office of Personnel Management noticed it had been hacked. A few months later it revealed that one of the single largest data breaches in U.S. history had occurred, potentially affecting more than 21.5 million individuals. Stolen information included personally identifiable information, such as Social Security numbers, names, dates and places of birth, and addresses.

Even if you never worked for the government or filled out forms for a security clearance, there is a high likelihood that some of your information was contained in that breach. The Standard Forms (SF) 86 (Questionnaire for National Security Positions) asks about family members, college roommates, and foreign contacts among other relationships. The 127 page form asks among other relevant data:

• Where Have You Lived – Name of person who knows you at that address and their current address
• Where Have You Gone to School – Name of person who knows you and their current address
• Where Have You Work – Employer/verifier and supervisor name and title and current work address

Holding this set of data, almost any enterprising criminal could undertake any number of frauds through an identity theft mechanism. One of the most likely is associated with the IRS and fraudulent refunds.

The IRS is doing a great deal to combat this ever growing problem.  Even with new efforts the numbers are staggering. Per the IRS: “The Identity Theft Clearinghouse continues to develop and refer identity theft refund fraud schemes to Criminal Investigation Field Offices for investigation. Since its inception in FY12, it has received over 7,600 individual identity theft leads. These leads involved approximately 1.47 million returns with over $6.8 billion in refunds claimed.”

The IRS also reported that it had halted more than 19 million suspicious returns as of October 2014.  

Still, the problem continues to grow.

The underlying issue that allows these schemes to persist is that the IRS’s fraud detection system is outdated and based on after-the-fact validation. It takes very little data to file for an electronic refund – name, Social Security number, and date of birth. The IRS accepts tax filings beginning Jan. 1. Validation of those filings does not occur until after March, when employers are required to submit correct payroll information to the agency. At that point more than half of all refunds have been provided.  A thief armed with three bits of data can file for a refund on Jan. 1, and by law the IRS must process the refund within 30 days -- months before it has the ability to confirm the validity of the electronically filed return.  

If you are an individual whose identity is compromised and you have fallen victim to this scheme, I am sympathetic to the difficulties you now face. Doubtless the vast majority of people who are affected did nothing wrong. They protected their information, secured documents, shredded outdated paperwork, and trusted those who held their information to keep it secure.

In mid-November many individuals whose data were taken received a letter from the acting director of the U.S. Office of Personnel Management. It provided information on credit and identity monitoring services, encouraging recipients to enroll and take advantage of the program. Ironically, the director noted that she, too, was someone whose information was taken, and shared the “concern and frustration” the recipient was experiencing.

For those who experience ID theft, the IRS does make available the ability to obtain an IP PIN (Identity Protection Personal Identification Number) to use when filing tax forms. The PIN can be obtained by filing Form 14039 or by enrolling through the IRS website. An IP PIN is an added layer of defense to help previous and potential victims of identity theft protect their tax returns. Filers get a new IP PIN every year. Once you sign up for an IP PIN you will need to use it on all federal tax returns in the future. 

Ultimately, the solution to the problem will require significant changes to the IRS process; perhaps amending the law related to the time period allowed to provide refunds.

While no one can assure you that your identify will never be taken, I can offer up one scenario that will at least not make you wait for a refund if someone files a fraudulent return using your name. With proper tax planning and working with your CPA/tax preparer you can often estimate your obligation and work toward a small refund or small amount owed. I am aware that many people view the tax refund as a forced savings plan with a cathartic effect when it arrives in your hands. Instead, take the potential for refund fraud as a wakeup call, and start a disciplined approach to tax management and financial planning. That way, at least you will not be waiting for your refund for six months to a year, or longer, while the IRS sorts out your filings.

Visit the PICPA’s tax help page for more resources to help you tame your taxes.

---

Paul W. Pocalyko, CPA, CFF, CFE, is senior vice president with Hill International’s Construction Claims Group in Philadelphia.  He has nearly 35 years of experience in forensic accounting, financial consulting, and litigation support services. He has served as an arbitrator in various disputes and is frequently called upon to provide expert testimony. Mr. Pocalyko is a member of the PICPA and chairs the CPA Image Enhancement Committee.