New IRS Identity Authentication and ID Theft Protection Guidelines

Tax Law and News ID theft

Identity theft has become a central theme and concern for all of us in the tax preparation profession – and it seems as if the problem has exploded in the last few years. I can remember 10 years ago when I might have had one client who had an issue; last year, we had dozens of clients become victims.

As a profession, we, along with the software that serves us, have an important obligation and responsibility to ensure we are doing what we can to protect our clients and ourselves. Gone are the days when we could wave our hand and say, “Ahh, not an issue for my firm.” We have to take the new provisions seriously that the IRS and industry are implementing together.

The IRS started a campaign this year called “Protect Your Clients: Protect Yourself.” Some of the new guidelines include the following:

  1. Require strong passwords on all computers and tax-related software programs.
  2. Require periodic password changes every 60-90 days.
  3. Ensure emails that have taxpayer data are encrypted.
  4. Protect your facility from unauthorized access.
  5. Create security requirements for each staff member for access to computer information.

As you can see, this is going to require us to work in slightly different ways, but if that means I can help ensure my clients are not victims of these terrible crimes, then I am all for it.

One provision that will affect my firm is the new Identity Authentication that we will have to comply with this year. This means no more “Admin” logins that everyone uses; instead, you will have to register each person that needs access to the software as a separate user, and they will need to log in upon program start up or launch. This will create more work for me and my staff, and the fact that the passwords change each quarter is another small headache.

But, when I compare that to what can happen if I don’t … It’s a SMALL PRICE TO PAY!

Think about it. All it takes for my firm to be in big trouble is for a client or law enforcement to trace a breach back to my firm, or the handling of taxpayer data by my firm. Not only will this generate terrible publicity for me, but financially, the risks could also outweigh what my malpractice insurance will cover.

My point is this: we have to start getting in front of this and take the steps necessary to protect our clients and ourselves. These new tasks are easy compared to what could happen if we don’t comply.

If you are just getting started as a firm, all this may be enough to make you run away. Yes, this is scary stuff for a new tax preparer, but don’t run. We need good accountants in our industry, and if you educate yourself and use the expertise of the software providers you choose, you will do great.

One issue you should be aware of is how long it takes to get an Electronic Filing Identification Number (EFIN) and security around your EFIN. If this is your first year, and you are what we call “new to the world,” then you need to be getting your EFIN right now. It can take up to 45 days to process, so there is no time to waste. There is a big rush at year-end, so do it now.

For new and established firms, protecting your EFIN is a big deal. You should be reviewing your EFIN status and contact information during the year. Make sure the address and contact information is accurate.

In addition, watch the activity on your EFIN. Make sure others are not using it and that returns associated to your EFIN match your client list and returns you filed in your operations. These criminal tax frauds love to get their hands on other EFINs.

Bottom line: Let’s sharpen up our operations this year. Let’s be the group that does its part and welcomes the security we can provide to our clients. Let’s work with our software vendors and the IRS to better the system. Our clients and our communities are counting on us.

Editor’s note: It was announced on Oct. 17 that the IRS has decided to delay the Oct. 24 date for requiring e-services users to re-register and validate their identities through Secure Access authentication. In the next few weeks, the IRS plans to connect with key stakeholders affected by the e-services changes to discuss security protocols and the next steps in this process. A new implementation date has not been set. When a new date is set, the IRS will share the information widely with e-services users.