GAO Says IRS Needs Cybersecurity Standards for Third-Party Preparers

Chris Gaetano
Published Date: May 10, 2019

While the IRS has extensive policies and procedures to protect data within its own organization, the Government Accountability Office noted that this protection does not extend to the third-party preparers that process 90 percent of taxpayer returns, representing a major security blind spot. The report said that, as part of a public-private partnership, 15 tax software providers voluntarily adhere to a set of 140 information security controls developed using guidance from the National Institute of Standards and Technology. These, however, represent only one-third of all tax software providers. Cooperation with IRS security standards must remain voluntary for now because the IRS lacks the authority to develop and implement minimum security requirements for those who use IRS systems. 

While the IRS already says that e-file provider programs are required to incorporate safeguards developed by the Federal Trade Commission, the GAO said the IRS provides little information on what these requirements are, and that most paid preparers don't even know about the rules. The GAO also said industry groups have misconceptions about who is responsible for implementing information security, noting that one industry group official said that paid preparers and enrolled agents often think this responsibility falls only on tax software providers, or that their own computer antivirus represents adequate protection.

The GAO said that, first, the IRS should explicitly state the elements of the FTC information security rules to ensure that all types of authorized providers are aware of them and act in compliance. While this would leave out those not in the authorized e-file programs, it would make many more people aware of the rules. Nonetheless, it would remain an incomplete solution. To address this issue with all return preparers, the IRS would need direct enforcement action. However, given recent court cases striking down the IRS's ability to generally regulate the competence of return preparers, the IRS said actual enforcement would open the agency up to lawsuits. With this in mind, the GAO said Congress must act to explicitly give the IRS such authority.

Legislation allowing the IRS to regulate return preparers is currently working its way through Congress. The bill, "The Taxpayer Protection and Preparer Proficiency Act of 2019," would give the IRS the explicit legal authority to regulate the practice of tax return preparers, including the ability to sanction them, up to possibly revoking their Preparer Tax Identification Number (PTIN). All return preparers, under this legislation, would be required to have a PTIN, so revoking one would effectively bar the person from filing returns on behalf of clients. Preparers would also be required to "satisfy any examination and annual continuing education requirements as prescribed by the Secretary" and complete a background check administered by the Treasury Department. Those who are already subject to continuing professional education and had to take a comparable exam to practice (so, basically, CPAs, attorneys and enrolled agents) would be exempt. 

The bill, however, lacks language specifically around information security. It is unknown whether regulations regarding information security standards would be covered in this bill, or whether it would require another piece of legislation. 
