The Internal Revenue Service needs to improve how it handles third-party requests for access to taxpayer information and electronic signatures from representatives such as CPAs, enrolled agents and attorneys that could leave taxpayers at risk of identity theft, according to a new report.

The report, from the Treasury Inspector General for Tax Administration, evaluated the IRS’s efforts to implement a provision of the Taxpayer First Act of 2019 that requires the IRS to publish guidance to establish uniform standards for the acceptance of taxpayers’ e-signatures, which are supposed to validate taxpayer authorizations to disclose their information or grant a power of attorney to taxpayer representatives.

Taxpayers can grant a power of attorney to representatives such as CPAs who are given the authority to represent them before the IRS, the TIGTA report noted. The Tax Code also allows taxpayers to authorize a representative to access their tax returns and return information. Therefore, the IRS needs to implement the proper controls to authenticate the validity of the authorization forms to ensure taxpayers actually signed the form. “Without these controls, identity thieves could submit fraudulent authorization forms to steal the taxpayers’ information,” said the report.

The report found the IRS hasn’t made enough progress yet on developing an online third-party authorization tool to verify and accept taxpayers’ e-signatures on authorization forms. On top of that, the IRS didn’t meet the deadline of Jan. 1, 2020 under the Taxpayer First Act to publish guidance on standards for verifying taxpayers’ e-signatures on Form 2848, Power of Attorney and Declaration of Representative, and Form 8821, Tax Information Authorization.

The need is acute, as the IRS has been uncovering a number of fraudulent authorizations, but they aren’t always being assigned to the proper place. TIGTA’s review of 20 authorizations that the IRS confirmed as fraudulent in 2018 and 2019 identified 11 authorizations associated with 1,546 Taxpayer Identification Numbers that weren’t added to a “dynamic selection list” as required. The dynamic selection list, or DSL for short, is a list of TINs that the IRS has determined are at risk of tax-related identity theft , such as TINs from data breaches, associated with fraudulent authorizations from the IRS’s Centralized Authorization File, or CAF.

Once they’re added to the DSL, the TINs are monitored for use in the filing of tax returns submitted to the IRS. The tax returns that are identified are then sent for further screening and verification. However, TIGTA’s review of CAF numbers assigned from Feb. 7 through Nov. 2, 2019, found that tax examiners continued to erroneously assign multiple CAF numbers to the same representative at the same address. Tax examiners assigned 290 CAF numbers to 188 representatives who had the same name and address. In addition to those problems, IRS processes don’t identify and remove authorizations that belong to representatives who are deceased or incarcerated, or had their Preparer Tax Identification Number revoked by the IRS Return Preparer Office.

TIGTA also found that tax examiners aren’t rejecting the Forms 2848 they receive from representatives who don’t provide the bar jurisdiction, license or enrollment number for the professional credential they have reported. TIGTA estimates that 136,264 representatives may have reported a professional credential that they don’t have.

TIGTA made 12 recommendations to the IRS in the report, including that the IRS develop an alternative solution for verifying taxpayers’ e-signatures on Forms 2848 and 8821. The report also suggested the IRS add the 1,546 TINs already identified to its dynamic selection list, as well as perform a one-time clean-up of the CAF to identify all the representatives with multiple CAF numbers so it can remove the CAF numbers that were incorrectly assigned. The IRS should also develop procedures to conduct initial and periodic suitability checks of representatives to find out whether they’re deceased or incarcerated, TIGTA recommended. The IRS should remove those representatives’ authorizations in the CAF as appropriate, according to the report, and develop procedures for tax examiners to verify the professional credentials claimed by the representatives on Form 2848.

The IRS agreed with nine of TIGTA’s 12 recommendations. But TIGTA said the corrective actions won’t address two of its recommendations and is still concerned that, without an IRS process to verify a representative’s claimed professional credential on Form 2848, the IRS will continue to miss a significant fraud indicator on the form.

The IRS defended its handling of the taxpayer representative authorizations. “The Centralized Authorization File (CAF) stores information on Powers of Attorney and other representatives identified to act on behalf of taxpayers and/or to have access to their tax information,” said the IRS in a statement emailed toAccounting Today.“The IRS received and processed nearly four million authorizations in fiscal year 2019. The IRS acknowledges the burden on taxpayers and the tax professional community to apply physical signatures to forms, especially during these unprecedented times. The IRS is working on a solution to provide for the acceptance and authentication of Forms 8821 and 2848 with electronic signature images by early 2021. The IRS will continue to work on accepting digital transmissions of these forms in support of the Taxpayer First Act.”

The IRS pointed out that it’s also taking action to ensure inactive or ineligible representatives are identified. “The IRS continues to work with the tax professional community on solutions as we continue to expand and enhance our digital signature and authentication processes,” said the IRS statement.