The Gramm-Leach-Bliley Act still applies to CPAs

The information encoded in your DNA determines your unique biological characteristics, such as sex, eye color, age and Social Security number. – Dave Barry

The fight against identity (ID) theft is starting to bear fruit: The number of taxpayers who reported that they were victims of identity theft to the IRS dropped in 2016. This means 376,000 fewer taxpayers reported ID theft, a drop of 46%. Also, the IRS stopped 883,000 tax returns with confirmed identity theft links from getting through the system in 2016. That helped lead to a 37% drop in stolen returns that year.

Dave Barry is a funny guy, but ID theft is no laughing matter. Fraud detection is still one of National Taxpayer Advocate Nina Olson’s “most serious problems” as indicated in her 2016 Annual Report to Congress.

Olson cites a 2015 Treasury Inspector General for Tax Administration (TIGTA) report that said although the IRS’s fraud detection efforts were able to stop between $22 billion and $24 billion of false refunds from being issued, identity thieves were still able to steal approximately $5.75 billion in the 2013 filing season.

ID theft is such a concern to her that she recommends the IRS consider initiating a research study that considers the costs and benefits of holding taxpayer refunds until after filing season ends. It’s a controversial suggestion, given 70% of taxpayers expect a refund and want it NOW. The delay would give IRS time to match information it receives from third-party information filers with the 1040s filed, and a better shot at stopping the fraudulent returns.

This topic is so important that when the AICPA recently updated its Guiding Principles of Good Tax Policy, “information security” (tax administration must protect taxpayer information from all forms of unintended and improper disclosure) was added as one of two new principles.

One law passed by Congress to control the ways that financial institutions deal with individuals’ private information is the Gramm-Leach-Bliley Act (GLB), also known as the Financial Modernization Act of 1999. The Act has three sections:

  1. The Financial Privacy Rule, which regulates the collection and disclosure of private financial information;
  2. the Safeguards Rule, which specifies that financial institutions must implement security programs to protect such information; and
  3. the Pretexting provisions, which prohibit the practice of pretexting (accessing private information using false pretenses).

The Financial Privacy Rule requires financial institutions (defined to include tax return preparers) to provide each consumer with a privacy notice at the time the consumer relationship is established and annually thereafter. CPAs (“accountants and auditors”) are exempt from this rule. (§313.15(a)(3)) The Safeguards Rule requires financial institutions to develop a written information security plan that describes how the company is prepared for, and plans to continue to protect, clients’ nonpublic personal information. CPAs are not exempt from the safeguards requirements; CPAs must still have a written information security plan. 

In a recently publicized case, TaxSlayer LLC entered into a settlement with the Federal Trade Commission (FTC) for violating both the Financial Privacy and Safeguards Rules. The violations came to light because hackers gained access to roughly 9,000 TaxSlayer taxpayer accounts and filed fraudulent returns. As part of its settlement with the FTC, the company must obtain biennial third-party compliance assessments with these rules for the next 10 years.

The FTC provides information on how to comply with the Safeguards Rule. The IRS also has useful information on this topic, including in Publication 4557. The AICPA provides information and tools related to identity theft, too.

Finally, I’d recommend having a conversation with your professional liability insurance carrier about ID theft and information security. The digital world has created the need for cybersecurity protection. And while every firm must do its best to ensure its clients’ information is secure, it should also obtain a cybersecurity policy to protect the future of the firm in the event of a breach.

Dave Barry also said that “[g]ravity is a contributing factor in nearly 73 percent of all accidents involving falling objects.” The connection between the lack of information safeguards and ID theft may be almost as compelling. Don’t become a statistic.

Ed Karl, CPA, CGMA, Vice President – Taxation, Association of International Professional Accountants

Source: AICPA