The Internal Revenue Service (IRS) earlier this year updated its rules to authorize taxpayers to sign, and practitioners to accept, e-file authorization forms containing electronic signatures, a fact that the American Institute of CPAs (AICPA) applauded in a September 24 letter to IRS Commissioner John Koskinen. The authorization offers convenience by allowing a client to remotely authorize a preparer to e-sign the tax return rather than signing it in person.
However, the AICPA asked the IRS to consider alternatives to better protect taxpayers’ confidentiality as the current rules could put taxpayer data at risk. “Introducing a third-party (the identity verification vendor) into the signing and e-filing process increases the risk of data privacy issues arising from the process,” the Institute observed in its letter.
The IRS guidance requires the practitioner to record the taxpayer’s name, Social Security number, address and birthdate and to verify that this information is “consistent with the information provided through record checks with the applicable agency or institution or through credit bureaus or similar databases.” This verification is called dynamic knowledge-based authentication.
Other problems with the current process, as outlined by Jeffrey A. Porter, chair of the AICPA’s Tax Executive Committee, include the potential impact on the CPA’s trusted relationship with the taxpayer. “Subjecting clients to a series of invasive personal inquiries may raise questions as to why their private data has been disclosed to the identity verification vendor,” Porter wrote.
Also, he pointed out that dynamic knowledge-based authentication will not work for certain taxpayers, such as expatriates, children, immigrants, the elderly and recently divorced spouses who have limited personal credit history because they do not have enough personal information in U.S. databases.
The AICPA suggested some alternatives to the IRS:
Create an exception to the dynamic knowledge-based authentication requirement for Circular 230 Federally Authorized Tax Practitioners because of their unique status and the trusted advisor relationship they have with their clients;
Consider the taxpayer’s identity as authenticated if the tax return preparer has a secure portal for interaction with the taxpayer-client requiring a unique strong password, or shared secret questions through which the client has provided the answer to verify the taxpayer’s identity, and
Employ dynamic knowledge-based authentication by drawing only on data within the electronic return originator/tax return preparer’s own firewall as opposed to third-party databases, thereby eliminating the need to disclose sensitive data outside of their firewall.