Accessibility Skip to Top Navigation Skip to Main Content Home  |  Change Text Size  |  Contact IRS  |  About IRS  |  Site Map  |  Español  |  Help  

Part 10. Security, Privacy and Assurance

Chapter 5. Privacy, Information Protection & Data Security (PIPDS)

Section 3. Identity Theft and Incident Management (ITIM) Program

10.5.3  Identity Theft and Incident Management (ITIM) Program

10.5.3.1  (05-15-2009)
Purpose

  1. This manual defines the mission, objectives, and governance structure of the Identity Theft and Incident Management (ITIM) Program. It provides the organizational framework for carrying out specific policies and procedures aimed at preventing identity theft through the detection of data losses of taxpayers’ Personally Identifiable Information and timely responses to those occurrences.

10.5.3.1.1  (05-15-2009)
Background

  1. Federal agencies have been instructed by the Office of Management and Budget (OMB) and the Department of the Treasury to address the increasing occurrence of identity theft and to safeguard Personally Identifiable Information (PII). PII is information that, either alone or in combination with other information, can be used to uniquely identify, contact, or locate a person. Some examples of PII are: names, addresses, Social Security Numbers, bank account numbers, date of birth, biometric data, etc.

  2. Most significantly, the President’s Identity Theft Task Force recommended that Federal agencies improve their capacity to respond to PII data losses. In May 2007, OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, instructed Federal agencies to enhance their safeguards for PII and to enact incident handling and data loss notification policies.

  3. Identity theft exacts a heavy financial and emotional toll on its victims and severely burdens our economy. Because the IRS touches almost all Americans, we developed an Identity Protection Strategy to combat tax-related fraud and to assist taxpayers who are identity theft victims. The IRS is focused on prevention and assistance activities including a comprehensive approach to protecting taxpayer information. The IRS will enhance efforts through three primary goals: victim assistance, outreach, and prevention.

  4. The ITIM Program was created in response to these directives and recommendations and to ensure IRS compliance with OMB requirements for incident management, data loss notification, and identity theft protection.

  5. Consistent with the OMB mandates, the IRS will notify individuals who we determine to be at high risk of harm following a PII data loss. The affected individual(s) shall be notified without unreasonable delay following a risk assessment of the incident.

10.5.3.1.2  (05-15-2009)
Scope

  1. Safeguarding and preventing the unauthorized disclosure of PII is a responsibility that is shared by all IRS employees and contractors. Lost or disclosed PII may be used to perpetrate identity theft or other forms of fraud if the information falls into unauthorized hands.

  2. The provisions in this manual apply Servicewide when PII is collected, created, transmitted, used, processed, stored, or disposed of, to accomplish the IRS mission. This manual also applies to individuals and organizations having contractual arrangements with the IRS, including contractors, subcontractors, vendors, Volunteer Income Tax Assistance/Tax Counseling for the Elderly volunteers, and outsourced providers who are doing business with the IRS.

  3. The ITIM Program will strive to provide a uniform and consistent approach to victim assistance as it relates to identity theft tax issues. Further, the ITIM Program supports the Accounts Management Identity Protection Specialized Unit (IPSU), to provide victim assistance to include taxpayers who have not experienced any problems with, or received communications from, the IRS concerning their taxes but may become victims in the future due to a data loss such as a lost or stolen purse/wallet, questionable credit card activity, etc.

10.5.3.1.3  (05-15-2009)
ITIM Program Mission

  1. The mission of the ITIM Program is to identify vulnerabilities, reduce risks for identity theft, and provide victim assistance.

10.5.3.1.4  (05-15-2009)
Goals

  1. The ITIM Program has the following goals:

    1. Increase collaboration and communication with IRS stakeholders and external partners;

    2. Promote employee understanding and responsibility in protecting PII;

    3. Identify vulnerabilities and reduce risks for identity theft;

    4. Enhance services and reduce burden and harm to identity theft victims;

    5. Reduce incidents of data loss; and

    6. Improve ITIM internal operations and employee training.

10.5.3.1.5  (05-15-2009)
ITIM Program Responsibilities

  1. The ITIM Program:

    1. Interprets federal laws, regulations, and policies relating to the protection of PII, see IRM 11.3, Disclosure of Official Information, for more information on disclosure laws.

    2. Coordinates with other program areas in the IRS to ensure compliance with OMB Memorandum 07-16 and related directives;

    3. Carries out activities as required by the ITIM Advisory Committee, which oversees the development and execution of the ITIM Program;

    4. Identifies and tracks data loss incidents;

    5. Conducts risk assessments of data loss incidents;

    6. Prepares all reporting documentation pertaining to data loss incidents;

    7. Makes notification recommendations regarding affected individuals based on assessed risk;

    8. Convenes and facilitates the PII Working Group to review data loss incident risk assessments and validate notification recommendations;

    9. Presents notification recommendations to the ITIM Advisory Committee for final decision and approval;

    10. Supports communications and other follow-up actions based on ITIM Advisory Committee notification decisions;

    11. Identifies emerging trends and develops appropriate strategies and responses;

    12. Develops, defines, monitors, and executes identity theft and incident management policies and procedures;

    13. Conducts risk assessments on IRS business processes; and

    14. Communicates and coordinates with external stakeholders (such as the Federal Trade Commission) to ensure consistency regarding identity theft issues.

10.5.3.1.6  (05-15-2009)
ITIM General Policy and Procedures

  1. The ITIM Program shall develop, publish, and assist in the implementation of policies and procedures that define IRS privacy and identity protection requirements. These products will comply with federal laws, regulations, and policies relating to the protection of PII.

  2. The ITIM Program shall monitor and evaluate the effectiveness of its identity theft and incident management policies and procedures, and update these policies and procedures as appropriate to improve the ITIM Program.

10.5.3.2  (05-15-2009)
Servicewide Identity Theft Guidance

  1. The ITIM Program has developed and implemented a program to track identity theft-related incidents to support the following objectives:

    1. Reduce taxpayer burden while addressing and resolving identity theft cases;

    2. Protect Treasury revenue by identifying suspicious filings before the refunds are generated; and

    3. Increase operational efficiency of the IRS by detecting and processing reported identity theft incidents as early and consistently as possible.

10.5.3.2.1  (05-15-2009)
Responsibilities Related to Identity Theft

  1. The ITIM Program has the following specific responsibilities relative to identity theft:

    1. Define, communicate, and assign responsibility for the IRS' substantiated identity theft incident tracking program;

    2. Oversee the maintenance, publication, and conveyance of the Servicewide Identity Theft Guidance Internal Revenue Manual, ensuring that the information that it contains remains current; and

    3. Communicate and coordinate with internal stakeholders to ensure consistency regarding identity theft policy and issues.

10.5.3.2.2  (05-15-2009)
Identity Theft and Substantiation Documentation

  1. Identity theft occurs when someone uses an individual’s personal information, such as name, Social Security Number (SSN), or other identifying information without permission, to commit fraud or other crimes.

  2. Taxpayers may notify the IRS when they experience an identity theft incident. In these instances, taxpayers must provide documentation to establish that they are identity theft victims.

  3. The procedures for collecting documentation to substantiate identity theft incidents identified by the taxpayer/victim are detailed in the paragraphs below.

  4. The following documentation is required for a victim to substantiate identity theft:

    1. Authentication of Identity – a copy of a valid U.S. federal or state government issued form of identification (Example: driver’s license, state identification card, social security card, passport); and

    2. Evidence of Identity Theft – a copy of a police report or completed Affidavit of Identity Theft provided by the Federal Trade Commission (FTC).

      Note:

      Although the FTC Identity Theft Affidavit currently states "do not send affidavit to the FTC or any other government agency," at this time, the IRS does accept this document.

      Note:

      If the FTC Identity Theft Affidavit is not notarized, it must contain the signature of the victim and the printed name and signature of one witness (a non-relative).

  5. The business unit function that is first notified by the taxpayer that he/she is a victim of identity theft is responsible for collecting substantiation documentation in a timely, accurate, and secure manner.

    1. Refer to function-specific IRM sections for guidance on collecting and handling substantiation documentation. The chart below identifies and provides links to applicable IRM sections.

      Function/Program Reference IRM
      Automated Collection System/Compliance Services Collection Operations IRM 5.19.1.9.2, Identity Theft Documentation, and IRM 5.19.2.7, IMF/BMF Identity Theft Procedures
      Accounts Management IRM 21.6.2.5, Identity Theft - General Information
      Accounts Management - Identity Protection Specialized Unit (IPSU) IRM 21.6.2.5.3, Identity Theft - Expanded Procedures
      Appeals IRM 8.1.6.4, Identity Theft Cases
      Automated Substitute for Return IRM 5.18.1.10.2.3.13.5, Identity Theft
      Automated Underreporter IRM 4.19.3.20.1.23, Stolen Identity
      Collection IRM 5.1.12.2.1.1, Substantiation Documentation
      Correspondence Exam IRM 4.19.13.25, Identity Theft
      e-Help Desk IRM 3.42.8.3.1.2, Identity Theft
      Examination IRM 4.10.2.8.6, Taxpayer Identity Stolen
      Field Assistance IRM 21.3.4.32, Identity Theft Overview
      Taxpayer Advocate Service Interim Guidance Memorandum
      Withholding Compliance IRM 5.19.11.4.13, Identity Theft

  6. Substantiation documentation:

    1. Must be legible;

    2. Must be secured and handled in the same manner as other sensitive taxpayer information; and

    3. Can be accepted from the taxpayer or someone who has power of attorney for the taxpayer (e.g., Form 2848, Power of Attorney and Declaration of Representative).

  7. A taxpayer is required to provide substantiation documentation to the IRS only once per incident. This documentation should be used by any business unit that requires substantiation documentation for an identity theft incident.

    Example:

    A taxpayer provides substantiation documentation to Automated Underreporter (AUR). The next year, Automated Collection System (ACS) receives a call from the taxpayer about a balance due notice, and indicates he/she does not owe because of identity theft related to the same incident reported to AUR. The taxpayer does not need to submit substantiation documentation again.

  8. See LEM 10.5.3.2.2 for more information on substantiation documentation.

10.5.3.2.3  (05-15-2009)
Identity Theft Incident Tracking Indicators

  1. The ITIM Program developed and implemented four identity theft indicator codes to centrally track identity theft incidents. Each indicator is input as a Transaction Code (TC) with Action Code (AC) to the affected taxpayer’s account at the entity level on Integrated Data Retrieval System (IDRS), command code ENMOD, on the Individual Master File (IMF). Below is a chart listing each indicator and its description.

    Indicator Description Tax Administration Impact Required: Substantiation Documentation Required: Input by:
    TC 971 AC 501 Taxpayer identifies himself/herself as a victim of identity theft.

    Example: Taxpayer receives an IRS notice of underreported income.     		Yes Yes Any Business Unit or Function
    TC 971 AC 504 Taxpayer identifies himself/herself as a victim of identity theft.

    Example: Taxpayer loses his/her wallet.     		No Yes Limited and reserved for use by the Accounts Management Identity Protection Specialized Unit
    TC 971 AC 505 IRS identifies a taxpayer whose PII was lost or disclosed because of an IRS data loss incident.

    Example: IRS loses a paper case file that contains taxpayer PII.     		No No Limited and reserved for use by Privacy, Information Protection & Data Security
    TC 971 AC 506 IRS identifies and confirms a taxpayer who is an identity theft victim.

    Example: CI identifies a taxpayer affected by a refund scheme.     		Yes No Limited and reserved for use by Criminal Investigation, Accounts Management, and Submission Processing

  2. For further detail about each of these indicators, see IRM sections 10.5.3.2.3.1 through 10.5.3.2.3.4.

10.5.3.2.3.1  (05-15-2009)
Taxpayer-Identified Identity Theft Affecting Tax Administration

  1. TC 971 AC 501 is applied to a taxpayer's account when each of the following occurs:

    1. The taxpayer contacts the IRS claiming that he/she is a victim of identity theft.

    2. The taxpayer's identity theft affects tax administration.

    3. The taxpayer provides substantiation documentation.

      Note:

      There may be instances where the identity thief who assumes another taxpayer's SSN, contacts the IRS. In these instances, TC 971 AC 501 is not applied to the taxpayer's account. Additionally, IRS employees should not notify the taxpayer in these situations. Instead, these incidents should be reported to the Fraud Detection Center (FDC) or local Criminal Investigation field office. The IRS currently only notifies taxpayers whose SSNs are fraudulently used by another individual through its systemic refund fraud, TIN-related problem procedures, and certain unpostable notification processes. See IRM 10.5.3.2.3.4 for information on this type of victim notification.

  2. Identity theft can affect tax administration in two primary ways:

    1. Employment-related or Income-related – Identity thief uses the victim’s SSN to obtain employment, resulting in what may appear as unreported income under the victim's account.

    2. Refund-related – Identity thief uses the victim’s SSN to file a false federal income tax return to obtain funds. If the thief files before the victim, the victim may not timely receive his/her refund.

  3. Identity theft may affect a taxpayer's account based on any of the following tax administration source criteria:

    1. Multiple filings (two or more tax returns filed for one taxpayer);

    2. Underreporting of income;

    3. Wrongfully altered tax return;

    4. No filing requirement; or

    5. Other tax administration source.

    Note:

    For an explanation of these criteria, See Exhibit 10.5.3-3(3).

  4. TC 971 AC 501 is input and displayed on IDRS command code ENMOD, and contains all of the following data elements:

    • Business Operating Division (BOD)/Function;

    • Program Name;

    • Tax Administration Source; and

    • Tax Year affected by the identity theft incident.

    Note:

    For acronyms and descriptions of these data elements, see Exhibit 10.5.3-3.

  5. TC 971 AC 501 can be input by any business unit when identity theft issues are encountered during the course of taxpayer case resolution.

    Example:

    A victim’s SSN is used to file a fabricated return to wrongfully obtain a refund, thus resulting in the duplicate filing of returns. The victim contacts Accounts Management and provides them with identity theft substantiation documentation.

  6. There can be more than one TC 971 AC 501 input or present for different functions in the same year.

    Example:

    A taxpayer provides substantiation documentation for identity theft after Accounts Management (AM) determined there was a case of identity theft for this taxpayer based on a duplicate filing. AM inputs TC 971 AC 501. Later that year, an Automated Underreporter (AUR) notice is created for the taxpayer due to the identity theft-related case. AUR inputs TC 971 AC 501 for the underreporter issue; thus resulting in two TC 971 AC 501s for different functions during the same year.

  7. There can be more than one TC 971 AC 501 input or present for different tax years by the same business function.

    Example:

    A taxpayer provides substantiation documentation for identity theft after his/her tax year 2005 electronic return was rejected due to a duplicate filing. A TC 971 AC 501 would then be placed on the account. The following tax year (2006), there is another duplicate filing on this SSN. Another TC 971 AC 501 would be placed on the taxpayer’s account for tax year 2006; thus two indicators would be on the account.

  8. Before requesting substantiation documentation or inputting TC 971 AC 501, review the taxpayer's account (ENMOD) to determine if a TC 971 (AC 501, 504, 505, or 506) identity theft indicator already exists. If any of these indicators exist, follow the if/then chart below:

    If... Then...
    TC 971 AC 501 is present

    1. Do not collect substantiation documentation.

    2. Input TC 971 AC 501 only if for a different tax administration source and/or tax period than the existing TC 971 AC 501(s).
    TC 971 AC 504 is present

    1. Do not collect substantiation documentation.

    2. Input TC 971 AC 501.
    TC 971 AC 505 is present

    1. Collect substantiation documentation.

    2. Input TC 971 AC 501.

    3. Notify the ITIM office immediately at Outlook directory mailbox - *PII. Send an encrypted e-mail to the ITIM office with the following information: taxpayer name, SSN, substantiation documentation used to substantiate theft and identity, and any other information available based on your contact with the taxpayer.

    Caution:

    Do NOT show any PII information of the taxpayer on the subject line of the e-mail. Show the subject line as, "AC 501 with AC 505 on taxpayer account."

    TC 971 AC 506 is present

    1. Do not collect substantiation documentation.

    2. Input TC 971 AC 501.

  9. Reviewing ENMOD is necessary to help prevent duplicative (identical) TC 971 AC 501 entries. While there may be multiple TC 971 AC 501s on an account, none should be identical, e.g., they will pertain to different tax years, arise from different tax administration sources.

  10. To input TC 971 AC 501, collect substantiation documentation (if needed) as referenced in IRM 10.5.3.2.2(4) and follow instructions in Exhibit 10.5.3-4.

10.5.3.2.3.1.1  (05-15-2009)
Actions Taken after TC 971 AC 501 Placed on Account

  1. Within a reasonable time frame after TC 971 AC 501 has been entered on an account, the taxpayer will receive Letter 4445c,Acknowledgement Notification, that contains all of the following:

    1. Confirmation that the substantiation documentation was received and accepted;

    2. Information about how the IRS will monitor the taxpayer's account and income tax returns; and

    3. Information about identity theft prevention and available identity theft-related resources.

    Note:

    Letter 4445c is currently limited and reserved for use by the ITIM Program. No other Business Operating Division (BOD) or function is authorized to issue this letter.

  2. The taxpayer should continue to file tax returns each tax year, as appropriate.

  3. See LEM 10.5.3.2.3.1.1 for more information.

  4. The presence of TC 971 AC 501 on an account should be used as a data point, along with other key information, to make case-related decisions. The existence of the identity theft indicator should not supersede or replace existing procedures for case resolution. Reference function-specific IRM procedures when working cases with identity theft issues. See IRM 10.5.3.2.6(1)(c) for a listing of these IRM sections.

  5. Certain functions will use the TC 971 AC 501 for reference and tracking purposes. For example, Automated Underreporter uses the indicator as a factor in selecting and prioritizing inventory.

10.5.3.2.3.1.2  (05-15-2009)
Manually Reversing TC 971 AC 501

  1. In some instances, it may be necessary to manually reverse TC 971 AC 501. Reversal may be necessary because of any of the following reasons:

    1. The taxpayer requests reversal.

    2. There was a keying or internal error in the input of the TC 971 AC 501.

    3. The original identity theft claim was fraudulent.

    4. The TC 971 AC 501 has an internally identified negative affect on the taxpayer.

    5. Other reasonable reason not listed above.

  2. If reversal is required, see Exhibit 10.5.3-5 for TC 972 AC 501 reversal input instructions.

10.5.3.2.3.1.3  (05-15-2009)
The Identity Protection Specialized Unit (IPSU) and Referrals to other Functions

  1. The Identity Protection Specialized Unit (IPSU) in Wage & Investment, Accounts Management, was established on October 1, 2008 to assist taxpayers that are, or may become, victims of identity theft. Part of IPSU's responsibilities include monitoring and controlling cases where taxpayers call in to the unit and open controls in other function(s) are already on the case. The IPSU will refer those types of cases via Form 14027, Identity Theft Case Monitoring, to other divisions or functions when an individual with a tax-related identity theft issue has called the IPSU. The form is used to notify functions that an IPSU caseworker will be monitoring case activity and following up on a regular basis. Form 14027 will be routed through designated Identity Theft Liaisons (see SERP/Who/Where - ID Theft Liaisons - Functional) and forwarded to functional employees within two business days of receipt.

    1. IPSU case workers will maintain a control in "B" (background) status only and will use case history information recorded by the division or functional employees to provide callers with the status of their account and progress toward resolution of their specific issue(s). IPSU case workers will not take adjustment action or otherwise disrupt the normal processing of the case in question.

    2. IPSU will fax Form 14027 to the functional liaison. The functional liaison will assign it to an employee within two business days and the employee will acknowledge receipt within two business days. Every 30 days, the function will update IDRS and/or AMS (Account Management Services), even if the status has not changed, such as WTTPREPLY (waiting for taxpayer reply). If 30 days pass with no updates, IPSU will contact the functional liaison for follow-up.

  2. Cases where taxpayers are victims of identity theft and there are NO open controls on the case, are considered another work stream coming in to the IPSU directly from the taxpayer and need to be addressed.

    Example:

    ACS issues a collection notice to a taxpayer showing a balance due. The taxpayer submits documentation and/or a copy of the IRS notice directly to the IPSU P.O. Box or fax number and indicates that the additional assessed tax is not his/hers. The taxpayer also indicates that someone is using his/her SSN for employment purposes. No open control is showing on IDRS.

    1. IPSU case workers will open a control "B" (background) status and initiate a Form 14027 to the division or function that initiated the correspondence to the taxpayer. Functional employees will work the case similar to those cases with open controls.

  3. See IRM 21.6.2.5.3, Identity Theft-Expanded Procedures, for additional information regarding the duties and responsibilities of the IPSU, including the monitoring of identity theft cases with open controls referred from the IPSU to other functions.

10.5.3.2.3.1.4  (05-15-2009)
Functional Responsibilities Regarding Referrals from the IPSU

  1. When division or functional employees receive a Form 14027 from their functional liaison, they are responsible for the following:

    1. Acknowledging receipt of the form (within two business days of receipt) by filling out Section V on page 2 of the form and faxing it to the IPSU;

    2. Recording periodic history entries (every 30 days) on IDRS or AMS; and

    3. Returning the form to the IPSU caseworker upon resolution of the case.

      Note:

      If the case received in the unit is forwarded to another function for action, functional employees will return Form 14027 to the IPSU identity theft caseworker (through their liaison), advising of the referral in Section VII.


    4. When the case is resolved by the responsible function and the control is closed, the functional employee will complete Form 14027 through Section VIII and return it to the IPSU (through their liaison) within two business days.

10.5.3.2.3.2  (05-15-2009)
Taxpayer-Identified Identity Theft Not Affecting Tax Administration

  1. TC 971 AC 504 is applied to a taxpayer’s account when the taxpayer contacts the IRS claiming that he/she is a victim of identity theft, and there is no known affect to tax administration.

    Example:

    A taxpayer lost his/her wallet on the subway and is concerned the loss may lead to identity theft in the future, or has noticed recent questionable credit card activity on one or more accounts.

  2. TC 971 AC 504 will be visible for reference in the event the incident becomes a tax administration concern. See Exhibit 10.5.3-6 and Exhibit 10.5.3-7 for information regarding this indicator.

  3. Input of this indicator is limited and reserved for use by the IPSU, which is comprised of two key functions:

    1. Identity Protection Specialized Unit, 1-800-908-4490 - a unit established specifically to receive identity theft-related calls. By contacting this unit, the taxpayer will be able to access automated messages as well as customer service representatives (CSRs). This toll-free number enables individuals who have experienced identity theft, but do not have a current tax-related issue, to report the incident to the IRS.

    2. Specialized identity theft caseworkers - employees who will process standard identity theft documentation and input the TC 971 AC 504 incident tracking indicator. Caseworkers will obtain identity theft substantiation documentation as referenced in IRM 10.5.3.2.2(4).

  4. See IRM 21.6.2.5.3, Identity Theft-Expanded Procedures, for additional information regarding the duties and responsibilities of the IPSU.

  5. If IRS employees are contacted by a taxpayer indicating a non-tax related identity theft, advise the taxpayer about the substantiation documentation needed to have an identity theft marker placed on his/her account. See IRM 21.6.2.5.3.1.1,Self Identified - Non-Tax Related Identity Theft, for additional guidance on this process. IRS employees may also refer the taxpayer to the IPSU at 1-800-908-4490 for additional information.

    Exception:

    Field Assistance employees should refer to their IRM 21.3.4.32.4,Non-Tax Related Identity Theft Issues, for procedures on how to assist taxpayers that may walk into a Field Assistance office (Taxpayer Assistance Center) with a non-tax related identity theft issue.

  6. In some instances, it may be necessary to manually reverse TC 971 AC 504. If reversal is indicated (TC 972 AC 504), see Exhibit 10.5.3-7 for a description of reasons for the reversal.

10.5.3.2.3.3  (05-15-2009)
IRS Data Loss Incidents

  1. TC 971 AC 505 is applied to a taxpayer’s account when the following occurs:

    1. A taxpayer’s PII was lost, breached, disclosed, or stolen, and

    2. The IRS notifies the taxpayer of this data loss incident.

    Example:

    While shipping taxpayer paper case files that contain PII, the files are lost. ITIM sends notification letters to these taxpayers.

  2. See IRM 10.5.3.3 for information on the IRS data loss process.

  3. Input of TC 971 AC 505 is limited and reserved for use by Privacy, Information Protection & Data Security (PIPDS) employees; however, this indicator will be visible and available for reference on the individual’s account. See Exhibits 10.5.3-8 and 10.5.3-9 for more information about this indicator.

    Note:

    When a TC 971 AC 505 is input on an account, PIPDS does not ask for or require identity theft substantiation documentation, as identity theft may not have occurred as of the date of the input of this action code.

  4. PIPDS inputs TC 971 AC 505 on an account regardless of the existence of any other identity theft indicator code (AC 501, 504, or 506) that may be present on the account.

  5. In some instances, it may be necessary to manually reverse TC 971 AC 505. If reversal is indicated (TC 972 AC 505), see Exhibit 10.5.3-9 for a description of reasons for the reversal.

  6. Instances where the IRS has experienced data loss could have a tax-related impact to the affected taxpayers in the future. If this occurs, follow guidance in the "If/Then" chart in IRM 10.5.3.2.3.1(8) as it pertains to TC 971 AC 505.

10.5.3.2.3.4  (05-15-2009)
IRS-Identified Identity Theft Affecting Tax Administration

  1. TC 971 AC 506 is applied to a taxpayer's account when the IRS identifies identity theft incidents that have tax administration affect. Such incidents can result from phishing and refund schemes, mixed entity research, or certain unpostable returns.

  2. TC 971 AC 506 is limited and reserved for use by the following functions: Criminal Investigation (CI), Accounts Management (AM), and Submission Processing (SP); however, the indicator is visible and available for reference on the taxpayer's account. See IRM sections 10.5.3.2.3.4.1, 10.5.3.2.3.4.2, and 10.5.3.2.3.4.3 below for information on how each of these functions use the TC 971 AC 506.

  3. The function that inputs the TC 971 AC 506 will notify the taxpayer (victim), by letter, that someone may have attempted to use his/her SSN. This victim notification letter includes information about identity theft prevention and available identity theft-related resources. Although the victim notification letter is unique for each function, each informs the taxpayer that he/she may be a victim of identity theft and that IRS has placed an identity theft indicator on his/her account. Victim notification letters and issuance procedures are contained in Accounts Management and Submission Processing IRM sections. See IRM sections 10.5.3.2.3.4.2 and 10.5.3.2.3.4.3 below for more information and function-specific IRM references.

    Note:

    Victim notification letters for CI-identified taxpayers ( Letter 4310c, ID Theft Refund Crimes Post-Adjustment Letter) are currently issued by the ITIM Program.

  4. See LEM 10.5.3.2.3.4 for more information.

  5. In some instances, it may be necessary to manually reverse TC 971 AC 506. If reversal (TC 972 AC 506) is indicated, see Exhibit 10.5.3-11 for a description of reasons for the reversal.

10.5.3.2.3.4.1  (05-15-2009)
Identity Theft Identified by Criminal Investigation

  1. TC 971 AC 506 is applied to a taxpayer's account when Criminal Investigation (CI) identifies identity theft incidents that have tax administration affect. Such incidents can occur when a taxpayer's identity is stolen via phishing or refund schemes verified by CI.

  2. When a TC 971 AC 506 is input on an account, CI does not ask for or require identity theft substantiation documentation.

  3. CI inputs TC 971 AC 506 on an account regardless of the existence of any other identity theft indicator code (AC 501, 504, or 505) that may be present on the account.

  4. See Exhibits 10.5.3-10 and 10.5.3-11 for more information about this identity theft indicator.

10.5.3.2.3.4.2  (05-15-2009)
Identity Theft Identified by Accounts Management

  1. Accounts Management inputs a TC 971 AC 506 identity theft indicator on the account of the "determined owner" of an SSN following procedures for TIN-related problem cases.

  2. Accounts Management (AM) conducts research to determine the owner of the SSN. If ownership is determined and research indicates that intentional misuse of the SSN is involved, AM inputs a TC 971 AC 506.

  3. See IRM 21.6.2.4.3, Mixed Entity Procedures, and IRM 21.6.2.4.4, Scrambled SSN Case Procedures, for Accounts Management procedures.

  4. See Exhibits 10.5.3-10 and 10.5.3-11 for more information about this identity theft indicator.

10.5.3.2.3.4.3  (05-15-2009)
Identity Theft Identified by Submission Processing

  1. Submission Processing inputs TC 971 AC 506 identity theft indicator on the account of a taxpayer, with an unreversed TC 971 AC 501, whose tax return becomes unpostable. See LEM 10.5.3.2.3.1.1(3)(a) for the type of tax return that meets this condition.

  2. See the following IRM sections for specific instructions:

    • IRM 3.12.37.14.10.1, Unpostable Code 147 Reason Code 1

    • IRM 3.12.179.43.1, UPC 147 RC 1 - Procedures for Action Codes 501 or 506

    • IRM 3.13.5.23.1.6, Assignment of an IRSN for "Possible ID Theft"

    • IRM 21.6.2.5.4, Unpostable 147 Reason Code 1 - (UPC 147 RC 1)

  3. See Exhibits 10.5.3-10 and 10.5.3-11 for more information about this identity theft indicator.

10.5.3.2.4  (05-15-2009)
Identity Theft Frequently Asked Questions

  1. What sources can I reference to get general information regarding identity theft and identity theft-related topics?

    Within the IRS intranet, the following provides information:

    • Office of Privacy, Information Protection & Data Security (PIPDS), Identity Theft and Incident Management - homepage for its identity theft program

    • IRM 1.2.25.2 - IRS Policy Statement on assisting taxpayers who report they are victims of identity theft
    There are also a host of external websites that provide general information on identity theft. These include:

  2. How is the IRS tracking and monitoring identity theft-related cases?

    1. The IRS will track identity theft-related incidents using Servicewide identity theft indicators on the IMF. Specifically, these codes will be placed on the IMF as Transaction Code (TC) 971 with an Action Code (AC) of 501, 504, 505, or 506. Taxpayers who have experienced identity theft affecting tax administration will have their returns filtered to distinguish legitimate returns from fraudulent ones. See IRM 10.5.3.2.3 for detailed descriptions of each indicator.


  3. When should the taxpayer submit identity theft substantiation documentation?
    The taxpayer is required to provide substantiation documentation in two scenarios:

    1. If the taxpayer reports that his/her identity has been stolen and there is a known affect on tax administration, see IRM 10.5.3.2.3.1 (TC 971 AC 501), or

    2. If the taxpayer reports that his/her identity has been stolen and there is no known effect on tax administration, see IRM 10.5.3.2.3.2 (TC 971 AC 504).

      Note:

      Substantiation documentation is not required for the input of the AC 505 and AC 506. See IRM 10.5.3.2.3.3 and IRM 10.5.3.2.3.4 for additional information about how these indicators are used.


  4. A taxpayer claimed he/she is a victim of identity theft, provided substantiation documentation, and the TC 971 AC 501 has been placed on the account. What happens next?

    1. Within a reasonable time frame after the TC 971 AC 501 has been entered, the taxpayer will receive an acknowledgement notification from the IRS to confirm that the documentation has been received and accepted. The acknowledgement letter also contains information about identity theft prevention and available identity theft-related resources.

    2. See LEM 10.5.3.2.4(4)(b) and LEM 10.5.3.2.4(4)(c) for additional information.


  5. Can there be more than one identity theft-related TC 971 placed on a taxpayer’s account?

    1. Yes, there can be multiple identity-theft related TC 971s input/present on a taxpayer’s account (e.g., different action codes, different tax years, and/or different functions). There are certain action codes (501, 505, and 506) that can be placed multiple times on an account. Each indicator represents an incident that meets the criteria of the specific indicator placed on the account. For further detail on each TC 971 identity theft indicator, see IRM 10.5.3.2.3.


  6. Under what circumstances can the identity theft-related tracking indicators (i.e., TC 971 with AC 501, AC 504, AC 505, or AC 506) be reversed?

    1. In some instances, it may be necessary to manually reverse the identity theft tracking indicators. Such instances include: taxpayer request, a keying or internal error, a fraudulent identity theft claim, or an internally identified negative impact on the taxpayer. For additional information on reversing an identity theft indicator, see the following IRM sections: 10.5.3.2.3.1.2, 10.5.3.2.3.2, 10.5.3.2.3.3, and 10.5.3.2.3.4.


  7. I see the "Identity Theft" notation on the IDRS entity (ENMOD) screen. What does this mean?

    1. An "Identity Theft" notation on the IDRS ENMOD screen indicates that this taxpayer has one of the four identity theft indicators placed on his/her account. The ENMOD screen with the TC 971 should provide you with more detailed information. See IRM 10.5.3.2.3 for detailed descriptions of each action code variation to the TC 971.


  8. What is the relevance of an identity theft indicator when I am working a case?

    1. The presence of one or more of the identity theft tracking indicators should be used as a data point along with other key information to make compliance or other decisions related to working or resolving the case. Substantiation of identity theft should not supersede or replace existing procedures for case resolution. Business units have IRM procedures in place for working cases that involve identity theft. IRM 10.5.3.2.6(1)(c) contains links to function-specific IRM sections that address identity theft-related cases and/or issues.


  9. The IRS identified the taxpayer as an identity theft victim and placed a TC 971 AC 506 on the account. What happens next?

    1. The taxpayer will receive a victim notification letter from IRS advising him/her that someone has attempted to use his/her SSN. The notification letter also contains information about identity theft prevention and available identity theft-related resources.

    2. See LEM 10.5.3.2.4(9) for additional information.

  10. Does Criminal Investigation (CI) investigate and prosecute identity theft-related cases?

    1. Identity theft incidents that affect tax administration may be reported to the Fraud Detection Center (FDC) or any local IRS CI field office. Additionally, CI currently investigates and recommends prosecution of identity theft-related schemes, such as phishing or refund schemes.


  11. A taxpayer indicates his/her identity has been stolen, but there is no indication that this incident affects tax administration. What general information and guidance can I provide this taxpayer?

    1. Advise the taxpayer about the substantiation documentation needed to have an identity theft marker placed on his/her account. See IRM 21.6.2.5.3.1.1,Self Identified - Non-Tax Related Identity Theft, for additional guidance on this process. IRS employees may also refer the taxpayer to the IPSU at 1-800-908-4490 for additional information.

    2. Inform the taxpayer of certain non-IRS resources that are available for assistance. Specifically, refer the taxpayer to the guidance available at http://www.irs.gov using the search term "identity theft."

    3. The identity theft indicator (TC 971 AC 504) is used to indicate identity theft incidents that do not yet affect tax administration.


  12. What is the role of the Accounts Management Identity Protection Specialized Unit?

    1. The Accounts Management Identity Protection Specialized Unit (IPSU) receives taxpayer calls and works with taxpayers who believe they have been victims of identity theft that does not affect tax administration. After a taxpayer provides substantiation documentation, the unit will apply a TC 971 AC 504 to the taxpayer’s account.

    2. IPSU also receives calls from taxpayers who believe they are victims of identity theft that does affect tax administration; however, these callers are referred to the appropriate functional business units for resolution. See IRM 21.6.2.5.3.1.2, Tax Related Identity Theft.

    3. IPSU periodically follows-up with these units to ensure the case is being worked appropriately.



10.5.3.2.5  (05-15-2009)
Identity Theft Issues/Responses

  1. This section of the IRM outlines identity theft-related issues and suggested responses, and supports IRS employees as they work to resolve identity theft-related cases. The responses outlined below provide information or links to existing function-specific IRM sections or websites that contain guidance on the issue raised.

    # Issue Action/Response
    1 Identity Theft Victim
    A taxpayer indicates that he/she is a victim of identity theft and there is tax administration effect, e.g., the taxpayer received an IRS notice.     		See IRM 10.5.3.2.2(3), Identity Theft and Substantiation Documentation, for detailed procedures on how a taxpayer should substantiate that he/she is a victim of identity theft.
    2 Taxpayer Substantiation Documentation
    A taxpayer provided substantiation documentation to substantiate an incident of identity theft affecting tax administration. Thus, a TC 971 AC 501 needs to be placed on the taxpayer’s account.     		See Exhibit 10.5.3-4 for detailed instruction on TC 971 AC 501 input.
    3 Substantiation Documentation Not Provided When Requested
    A taxpayer does not provide appropriate documentation to substantiate identity theft.     		Proceed with case resolution assuming the taxpayer is not a victim of identity theft.
    4 Taxpayer Requests new SSN
    A taxpayer requests a new (replacement) SSN because his/her identity has been stolen.     		Advise the taxpayer to contact the Social Security Administration at 1-800-772-1213 or website http://www.ssa.gov.
    5 Wrongful Use of Taxpayer’s SSN
    A taxpayer states someone is wrongfully using his/her SSN, but there is no known tax administration effect yet, e.g., someone used his/her SSN to open a bank account.

    1. Advise the taxpayer about the substantiation documentation needed to have an identity theft marker placed on his/her account. See IRM 21.6.2.5.3.1.1,Self Identified - Non-Tax Related Identity Theft, for additional guidance on this process. IRS employees may also refer the taxpayer to the IPSU at 1-800-908-4490 for additional information.

    2. Advise the taxpayer of the information on the irs.gov's web page at http://www.irs.gov/privacy/article/0,,id=186436,00.html, Identity Theft and Your Tax Records.

    6 Multiple Taxpayers Using Same SSN
    Multiple taxpayers are using the same SSN when filing their tax returns, creating duplicate returns. This condition is normally identified while working CP 36, Duplicate/Amended Filing Conditions, transcripts.     		Specific guidance contained in:
    IRM 21.6.2.4.3 (Mixed Entity Procedures).
    7 Reporting SSN Misuse
    A taxpayer has knowledge of another person filing a federal tax return with a stolen SSN.     		Specific guidance contained in:
    IRM 21.3.4.32.3 (Other Tax Related Identity Theft Issues);

    IRM 5.19.1.9.1(2) (Identity Theft - General Information); or

    IRM 5.19.11.4.13(1) (Identity Theft).
    8 CP 2000
    A taxpayer receives a CP 2000, Notice of Underreported Income, from the IRS
    and
    he/she never worked for this employer and believes he/she is a victim of identity theft.     		Assist the taxpayer in responding to the CP 2000.

    Specific guidance contained in:

    IRM 4.19.3.20.1.23 (Stolen Identity); or

    IRM 21.3.4.32.2 (Income Document Related to Identity Theft Issues)
    9 Delinquent Tax Return
    A taxpayer receives a notice regarding an unfiled tax return and indicates the reported income (e.g., Forms W-2, 1099) resulted from identity theft of his/her SSN.     		Specific guidance contained in:
    IRM 5.1.12.2.2.1 (Taxpayer is a Victim of ID Theft);

    IRM 5.18.1.10.2.3.13.5 (Identity Theft); or

    IRM 5.19.2.7 (IMF/BMF Identity Theft Procedures).
    10 Rejected Tax Return
    A taxpayer states that he/she tried to file electronically (on his/her own or through a preparer), but the return was rejected because another return using the taxpayer's information was filed earlier.     		Specific guidance contained in:

    IRM 21.3.4.32.1 (Tax Return Related Identity Theft Issues); or

    IRM 21.6.2.4.2.2 (Taxpayer Inquiries Involving Identity Theft).
    11 Tax Balance Due
    A taxpayer received a balance due notice and states he/she does not owe the taxes because of identity theft.     		Specific guidance contained in:

    IRM 5.19.1.9(3) (Identity Theft - General Information); or

    IRM 5.1.12.2.2 (Identity Theft Case Resolution).
    12 Examination
    A taxpayer received a statutory notice or is currently involved in an examination and indicates he/she is a victim of identity theft.     		Specific guidance contained in IRM 4.19.13.25 (Identity Theft).
    13 Bankruptcy
    A taxpayer indicates he/she is a victim of identity theft and has filed bankruptcy.     		Specific guidance contained in IRM 5.9.5.12 (Identity Theft).
    14 Economic Hardship
    A taxpayer is about to suffer significant hardship because of a tax-related identity theft issue.     		Prepare and submit e-911, Request for Taxpayer Advocate Service Assistance (And Application for Taxpayer Assistance Order) - electronic version.

    Note:

    If the taxpayer asks to contact Taxpayer Advocate Service directly, have the taxpayer call 1-877-777-4778 toll free or go to: http://www.irs.gov/advocate .

    15 Taxpayer requests EIN
    A taxpayer who has substantiated identity theft requests a new EIN to use for business purposes instead of an SSN.     		Specific guidance contained in IRM 21.7.13.5.1.4 (Determining the Need for an EIN: Sole Proprietor).
    16 E-mail from IRS
    The taxpayer states that he/she received an e-mail from the IRS requesting PII (i.e., SSN, EIN financial information).     		The IRS does not send e-mails requesting PII.

    See phishing (IRS-related phishing e-mail) for guidance on this issue.
    17 SSA benefits stopped or decreased
    A taxpayer claims that SSA has stopped and/or reduced his/her benefits because of a tax return filed with the IRS that the taxpayer claims not to have filed.     		If the taxpayer suffers or is about to suffer significant hardship as a result of this incident, prepare and submit e-911, Request for Taxpayer Advocate Service Assistance (And Application for Taxpayer Assistance Order) - electronic version.

    Also see IRM 21.6.2.5.2 (Identity Theft - One Return Present) for guidance.
    18 Perpetrator contacts IRS
    An individual contacts the IRS and admits to using a "borrowed" SSN to obtain work. He/She proves use of the SSN via pay stubs or another document (i.e., rent receipt, Information Returns Processing Transcript Request (IRPTR) address matches current address). He/She requests an IRPTR print-out because he/she wants to file a tax return using an ITIN.     		Specific guidance contained in IRM 21.3.4.32.2 (Field Assistance – Identity Theft).
    19 ID Theft Notification Letters
    (TC 971 AC 501)
    A taxpayer contacts the IRS after receiving Letter 4445c, Acknowledgement Notification, and the taxpayer has a TC 971 AC 501 on his/her account.     		Advise the taxpayer that the acknowledgement notification is for informational purposes only, and the taxpayer is not required to take any additional action at this time.
    20 ID Theft Notification Letters
    (TC 971 AC 506)
    A taxpayer contacts the IRS after receiving Letter 4310c, ID Theft Refund Crimes Post-Adjustment Letter, and the taxpayer has a TC 971 AC 506 on his/her account that was input by Criminal Investigation.     		Advise the taxpayer that the notification is for informational purposes only, and the taxpayer is not required to take any additional action at this time.

10.5.3.2.6  (05-15-2009)
Identity Theft Information Links

  1. This section of the manual provides links containing identity theft-related information and publications. Specifically, the links include publicly available websites and IRS intranet websites that house general information, as well as function-specific IRM sections that provide guidance on identity theft-related cases and issues.

    1. Publicly available external websites and publications that provide general information on identity theft and identity theft-related issues:

      # Title Description Link Owner
      1 FTC Identity Theft Website Federal Trade Commission (FTC) identity theft awareness homepage http://www.ftc.gov/bcp/edu/microsites/idtheft/ FTC
      2 FTC Identity Theft Affidavit Direct link to FTC Identity Theft Affidavit; includes instructions and guidance for completing FTC Affidavit http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/filing-a-report.html FTC
      3 IRS Public Identity Theft Website IRS publicly available identity theft awareness homepage; can also be accessed via the irs.gov homepage by performing a search on the term "identity theft" http://www.irs.gov/individuals/article/0,,id=136412,00.html IRS
      4 TAS Website Taxpayer Advocate Service website http://www.irs.gov/advocate TAS
      5 SSA Website Social Security Administration (SSA) homepage http://www.ssa.gov SSA
      6 SSA Identity Theft Website Social Security Administration (SSA) identity theft homepage http://www.ssa.gov/pubs/10064.html SSA
      8 Identity Theft Task Force Website Homepage for the President's task force on identity theft http://www.idtheft.gov Identity Theft Task Force
      9 IRS Phishing Website Instructions on how to report and identify phishing, e-mail scams, and bogus IRS websites http://www.irs.gov/privacy/article/0,,id=179820,00.html IRS
      10 Credit Bureaus Direct links to the three recognized credit bureaus: Equifax, Experian, and TransUnion http://www.equifax.com
      http://www.experian.com
      http://www.transunion.com       		Equifax, Experian, and TransUnion
      11 IRS Pub 4523 IRS Publication 4523 - Beware of Phishing Schemes Publication 4523 IRS
      12 IRS Pub 4524 IRS Publication 4524 - Security Awareness and Identity Theft Publication 4524 IRS
      13 IRS Pub 4535 IRS Publication 4535 - Identity Theft Prevention and Victim Assistance Publication 4535 IRS

    2. Internal IRS intranet links that provide general information on identity theft and identity theft-related issues:

      # Title Description Link Owner
      1 PIPDS Identity Theft Program Website Office of Privacy, Information Protection & Data Security (PIPDS) homepage for its identity theft program Identity Theft PIPDS
      2 Servicewide Policies and Authorities Contains a policy statement on how to assist taxpayers who report that they are victims of identity theft, as well as contact information for other relevant government agencies IRM 1.2.24.2 Organization, Finance, and Management
      3 Taxpayer Advocate Service (TAS) Identity Theft Guidance Provides guidance to TAS employees on using ID theft tracking indicator Taxpayer Advocate Service TAS - Interim Guidance Memorandum
      4 CSIRC Website Computer Security Incident Response Center (CSIRC) homepage CSIRC MITS

    3. Links to function-specific IRM's that address identity theft-related cases and/or issues:

      # IRM Part IRM Chapter Description Link
      1 Submission Processing Campus Document Services Provides guidance for the Entity function when Submission Processing employees receive requests for IRSN's as part of an identity theft-related case IRM 3.13.5.23.1.6
      2 Submission Processing Accounting & Data Control Contains general information on identity theft IRM 3.17.46.1.13
      3 Submission Processing Electronic Tax Administration Provides guidance to e-help Desk employees when a taxpayer reports that he/she is a victim of identity theft IRM 3.42.8.3.1.2
      4 Submission Processing Electronic Tax Administration Provides guidance to e-help Desk employees when a taxpayer reports that he/she is a victim of identity theft IRM 3.42.7.2.4
      5 Examining Process Examination of Returns Includes guidance on identity theft substantiation and audit considerations IRM 4.10.2.8.6
      6 Examining Process Audit Reconsideration Provides guidance for Reconsideration Units when correspondence is received that indicates the taxpayer is a victim of Identity Theft IRM 4.13.3.19
      7 Examining Process Liability Determination Provides guidance on use of AUR Process Code 39 (Stolen Identity-No Change Closure) IRM 4.19.2.7.14
      8 Examining Process Liability Determination Provides guidance on use of AUR Process Code 69 (Stolen Identity-No Change Closure) IRM 4.19.2.7.32
      9 Examining Process Liability Determination Provides guidance on use of AUR Process Code 89 (Stolen Identity-No Change Closure) IRM 4.19.2.7.46
      10 Examining Process Liability Determination Provides guidance to AUR when a taxpayer states that underreported income is the result of his/her identity being stolen or the illegal use of his/her SSN IRM 4.19.3.20.1.23
      11 Examining Process Liability Determination Provides guidance on substantiating incidents of identity theft and assisting victims during the examination process IRM 4.19.13.25
      12 Collecting Process General Collecting Procedures Provides guidance to revenue officers (RO's) when a taxpayer indicates that he/she is a victim of identity theft IRM 5.1.10.2.2
      13 Collecting Process General Collecting Procedures Contains Collection Field Function (RO) procedures and guidance on identity theft-related issues/cases IRM 5.1.12.2
      14 Collecting Process Bankruptcy and Other Insolvencies Provides guidance to support a bankrupt taxpayer who is a victim of identity theft IRM 5.9.5.12
      15 Collecting Process Liability Determination Provides guidance to determine the tax liability of a taxpayer who has substantiated that he/she is a victim of identity theft IRM 5.18.1.10.2.3.13.5
      16 Collecting Process Liability Collection Provides guidance on addressing a caller claiming to be a victim of identity theft; also contains guidance on other general questions about identity theft IRM 5.19.1.9
      17 Collecting Process Liability Collection Provides guidance on addressing victims of identity theft that are in the Return Delinquency Program IRM 5.19.2.6.4.5.4
      18 Collecting Process Liability Collection Contains detailed procedures to work and resolve identity theft related cases that involve IMF and BMF return delinquency IRM 5.19.2.7
      19 Collecting Process Liability Collection Provides guidance to address a caller claiming to be a victim of identity theft; also includes guidance to resolve issues resulting from a taxpayer claiming that an unrelated Form W-2 has been filed under his/her account IRM 5.19.11.4.13
      20 Appeals Appeals Function Provides guidance regarding identity theft substantiation; outlines the process of updating the taxpayer's file with an "ID" code as soon as identity theft has been substantiated IRM 8.1.6.4
      21 Criminal Investigation Investigative Process Provides guidance regarding the investigation of identity theft-related tax and money laundering cases IRM 9.5.3.3.11
      22 Criminal Investigation Investigative Process Details the Identity Theft and Assumption Deterrence Act of 1998 and how it is to be applied at the IRS IRM 9.5.5.2.4
      23 Customer Account Services Accounts Management and Compliance Services Operations Houses information on scams, phishing, and fraudulent schemes IRM 21.1.3.24
      24 Customer Account Services Field Assistance - Identity Theft Provides guidance to TAC employees in order to help them understand and respond to identity theft related issues IRM 21.3.4.32
      25 Customer Account Services Refund Inquiries Provides guidance on identity theft-related cases resulting in refunds that were direct deposited into the wrong account IRM 21.4.5.10
      26 Customer Account Services Individual Tax Returns Provides guidance to CSRs regarding telephone inquiries where a taxpayer indicates he/she is a victim of identity theft and has not yet filed a return IRM 21.6.2.4.2.1
      27 Customer Account Services Individual Tax Returns Provides guidance regarding taxpayer inquiries involving identity theft IRM 21.6.2.4.2.2
      28 Customer Account Services Individual Tax Returns Provides account adjustment guidance when working TIN-related problem cases involving identity theft when more than one return is present IRM 21.6.2.5.1
      29 Customer Account Services Individual Tax Returns Provides account adjustment guidance when working TIN-related problem cases involving identity theft when only one return is present IRM 21.6.2.5.2
      30 Customer Account Services Individual Tax Returns Provides account adjustment guidance when working cases involving TIN-related problems that may involve identity theft IRM 21.6.2.4.2
      31 Customer Account Services Individual Tax Returns Provides instructions for making an adjustment to a taxpayers account when an Economic Stimulus Payment is directly deposited into the wrong account as a result of an identity theft related issue IRM 21.6.3.6.6.1
      32 Customer Account Services Individual Tax Returns Contains guidance on working identity theft issues pertaining to Economic Stimulus Payments IRM 21.6.3.6.7.7
      33 Customer Account Services Assigning Employer ID Numbers (EIN) Provides guidance to IRS employees for identity theft related cases where an EIN was not requested by the taxpayer IRM 21.7.13.4.2.7
      34 Customer Account Services Business Tax Returns & NMF Accounts Includes guidance for cases when taxpayers request EIN in lieu of SSN for business purposes due to identity theft issues IRM 21.7.13.5.1.4
      35 Special Topics Refund Hold Program Provides guidance on how to respond to written refund requests from a taxpayer; including identity theft-related cases IRM 25.12.1.8.1.3
      36 Special Topics Statute of Limitations Provides guidance to work and resolve identity theft- related cases involving a refund request IRM 25.6.1.10.2.9.5

10.5.3.2.7  (05-15-2009)
Technical Working Group for Identity Theft Victim Assistance

  1. The Technical Working Group for Identity Theft Victim Assistance (TWG) is a cross-functional group that discusses unique identity theft cases where the taxpayer has been unduly burdened. The TWG was established through a collaborative effort with TAS, and is facilitated by the ITIM Program.

  2. The overall purpose of the TWG is to provide a forum for developing recommendations on how processes and procedures can be improved to address and reduce the burden on taxpayers who are victims of identity theft. The TWG:

    1. Provides a medium for cross-functional discussion and data gathering on identity theft issues;

    2. Analyzes identity theft cases where the victim has been significantly burdened;

    3. Determines if there are existing procedures to address key issues;

    4. Discusses ideas on how related procedures can be developed and/or improved; and

    5. Develops recommendations for process improvements.

  3. The TWG meets periodically and is comprised of representatives and subject matter experts from the various business units and functions. During the meetings, TWG participants discuss a taxpayer identity theft case and provide analysis and function-specific insight regarding existing processes and procedures pertaining to the case and taxpayer treatment. Through this discussion, the group suggests ideas to improve existing procedures and/or provides recommendations for procedures that may need to be developed.

10.5.3.3  (05-15-2009)
Detecting, Reporting, and Responding to Data Loss Incidents

  1. The ITIM Program shall develop and utilize procedures and tools for:

    1. Detecting, reporting, and responding to Personally Identifiable Information (PII) data loss incidents;

    2. Mitigating risks associated with such incidents before substantial damage occurs;

    3. Notifying and consulting with appropriate law enforcement officials and other offices or authorities; and

    4. Improving procedures to reduce identity theft and data loss incidents.

10.5.3.3.1  (05-15-2009)
Data Loss Incidents Intake and Risk Assessment

  1. ITIM will perform a risk assessment for all data loss incidents involving PII. See Incident Management Intake and Risk Assessment Process for more information on the risk assessment process.

  2. The purpose of the risk assessment is to estimate the risk of harm to individuals resulting from an incident involving PII.

  3. In accordance with the IRS risk assessment methodology, the major categories of risk of harm are defined as follows:

    1. High risk: The loss or theft of the PII is likely to cause severe or catastrophic harm to affected individuals;

    2. Moderate risk: The loss or theft of the PII is likely to cause serious harm to affected individuals; and

    3. Low risk: The loss or theft of the PII is likely to cause limited or no harm to affected individuals.

  4. The IRS risk assessment will consider the following factors, at a minimum:

    1. Type of information disclosed, e.g., whether the data loss incident involved PII, i.e., SSN's, addresses, and names;

    2. Damage potential of information disclosed, e.g., whether the information can be used to cause harm, such as identity theft or public embarrassment;

    3. Context of use, e.g., refers to the context in which the PII is collected, stored, used, processed, disclosed, or disseminated;

    4. Obligation to protect, e.g., refers to the consideration of specific laws or regulations when determining additional or special requirements governing the protection of PII;

    5. Likelihood the information is accessible, e.g., whether data was encrypted using an encryption product approved for government use by the National Institute of Standards and Technology (NIST), and meets Federal Information Processing Standard (FIPS) 140-2 specifications;

    6. Scope of harm that could occur, e.g., disclosure of private facts, financial loss, tax fraud, or identity theft; and

    7. Ability of IRS to mitigate potential harm.

10.5.3.3.2  (05-15-2009)
Incident Notification

  1. The IRS will notify affected individuals after the discovery of a data loss incident that results in a high risk of harm to these individuals.

  2. The IRS will identify these affected individuals by marking their accounts with identity theft indicator TC 971 AC 505. See IRM 10.5.3.2.3.3, IRS Data Loss Incidents, for additional information.

10.5.3.3.2.1  (05-15-2009)
Timeliness of the Notification

  1. The IRS will notify individuals affected by data loss incidents involving PII without unreasonable delay following the completion of the risk assessment process.

  2. The IRS has discretion to delay notification in cases where notification could adversely interfere with an ongoing criminal investigation or compromise national security and the delay will not increase the risk of harm to any affected individuals.

10.5.3.3.2.2  (05-15-2009)
Notification Signature

  1. The Director, Privacy, Information Protection & Data Security (PIPDS) shall sign notification letters to individuals affected by a data loss incident.

10.5.3.3.2.3  (05-15-2009)
Contents of the Notification

  1. The IRS will notify individuals affected by data loss incidents using a standard notification letter. The IRS may use a unique letter when deemed necessary and appropriate. Notifications will be written plainly and clearly, and will generally include, at a minimum, the following information:

    1. A brief description of what happened, including the date of the data loss incident;

    2. A description of the type of PII disclosed as a result of the data loss incident (e.g., name, SSN, date of birth, address);

    3. Actions that affected individuals should take to protect themselves from potential harm;

    4. A toll-free number affected individuals can contact for more information;

    5. A statement that the IRS has provided or will provide affected individuals with credit monitoring at no cost for twelve months, and the contact information for the credit monitoring service; and

    6. Websites and other resources that provide information about identity theft prevention and protection.

10.5.3.3.2.4  (05-15-2009)
Means of Providing Notification

  1. The IRS will provide written notification to the taxpayer's address of record on IDRS.

  2. Based on the number of people affected and the urgency with which they may need to receive notice, the IRS may supplement written notification with other means of communication such as through newspapers or other media outlets.

  3. At the discretion of the ITIM Advisory Committee (AC), and consistent with applicable law, the IRS may notify external entities. In making its decision, the ITIM AC will consider whether notifying external entities would:

    1. Aid the public in its response to the incident (e.g., whether constructive notification via media channels would help the IRS alert affected individuals more effectively and expeditiously than via notification letter alone);

    2. Facilitate the IRS’ ability to mitigate the potential harm resulting from the data loss incident (e.g., preparing counterpart entities such as the Federal Trade Commission (FTC) that may receive a surge in inquiries);

    3. Contribute to unnecessary public alarm; or

    4. Create an unnecessary burden on the public, external entities, or affected individuals.

10.5.3.3.3  (05-15-2009)
Reassessment

  1. The Director, Privacy, Information Protection & Data Security (PIPDS), in concert with the AC, will reevaluate the level of risk previously assigned to each data loss incident.

10.5.3.3.4  (05-15-2009)
Ongoing Support

  1. Based on the circumstances of the data loss incident, the IRS will provide ongoing support to affected individuals. This post-notification assistance and support may include, but is not limited to, the following:

    1. A dedicated toll-free number staffed by trained IRS personnel to respond to general data loss incident-related inquiries;

    2. Information on websites and other resources providing information about identity theft prevention and protection; and

    3. Coordination with business units on data loss incidents that affect taxpayers’ tax returns, such as phishing schemes.

10.5.3.3.5  (05-15-2009)
Retention and Disposition

  1. The IRS will adhere to all document retention schedules in accordance with IRM 1.15, The Records and Information Management Program. This applies to all materials in electronic or hard copy format that are created in response to a PII data loss incident.

  2. The IRS will also assign a mailbox for any notification letters returned to sender as undeliverable. The IRS will promptly dispose of such letters in accordance with IRS privacy and security policies and procedures.

10.5.3.3.6  (05-15-2009)
Handling Taxpayer Inquiries Regarding Data Loss Letters

  1. ITIM sends notification letters ( Letter 4281c, Identity Theft and Incident Management Breach Notification Letter) to affected individuals. In some instances, IRS phone assistors may receive calls from taxpayers that have received Letter 4281c. If an employee receives a call from an individual in response to Letter 4281c, or the individual asks to speak to the employee whose number appears on Letter 4281c (0569599999), the employee should refer the individual to 1-866-225-2009. The Referral Units (RU's) in the Philadelphia and Kansas City Campuses support this dedicated number and are trained to respond to Letter 4281c questions.

  2. Correspondence received in response to Letter 4281c or addressed to employee 0569599999, should be forwarded to the Philadelphia Referral Unit at the following address: Philadelphia Referral Unit, P.O. Box 411, Bensalem, PA 19020. The Referral Unit can provide further assistance regarding the data loss incident and information to protect the taxpayer's personal data, including information about free credit monitoring from one of the three credit bureaus.

10.5.3.4  (05-15-2009)
Identity Theft Risk Assessments and Vulnerability Mitigation Process

  1. The ITIM Program has initiated Identity Theft Risk Assessments and Vulnerability Mitigation efforts that involve conducting risk assessments on prioritized business processes. The aim is to enable the business units to proactively address vulnerabilities and weaknesses and reduce the likelihood of exposure due to loss or theft of taxpayer and employee PII. These efforts will allow the IRS to:

    1. Identify identity theft-related vulnerabilities within IRS business processes;

    2. Provide potential mitigation strategies for vulnerabilities identified during the risk assessments;

    3. Remediate risk vulnerabilities identified during the risk assessments, potentially reducing IRS' overall exposure to identity theft threats; and

    4. Monitor and track vulnerabilities throughout the business process life-cycle.

  2. The risk assessments consist of process-specific evaluations to determine where key areas (people, process, and technology) that handle PII are susceptible to identity theft. The risk assessment includes the determination of the probability and impact of each threat, compares IRS safeguards in the current environment against leading safeguard practices, and provides safeguard enhancements that may reduce the risk associated with the identified vulnerabilities.

  3. In addition, the risk assessment process includes supporting the ongoing effort to reduce the unnecessary usage of SSN's throughout the IRS.

  4. Through these efforts, ITIM upholds the commitment of the IRS to provide taxpayers with an accurate and efficient means for filing taxes and upholding tax law, while safeguarding the sensitive information of taxpayers and employees.

10.5.3.5  (05-15-2009)
Awareness Training and Education

  1. The ITIM Program shall institute measures to inform IRS personnel of their responsibilities for protecting taxpayers and employees against the loss, disclosure, or theft of their PII.

  2. The ITIM Program also supports the annual Information Protection Mandatory Briefing managed by the Office of Privacy and Unauthorized Access of Taxpayer Information (UNAX) Programs, which provides information regarding privacy, disclosure basics, computer security, and UNAX.

10.5.3.6  (05-15-2009)
Reporting Losses, Thefts, and Disclosures of Sensitive Information

  1. When sensitive information is lost, stolen, or inadvertently disclosed in any way, whether it be electronically, verbally or in hardcopy form, employees are required to report the incident. Within one hour of becoming aware of the loss, theft, or disclosure of sensitive information, you are required to report the incident to:

    1. Your manager,

    2. Computer Security Incident Response Center (CSIRC) online, or call 1-866-216-4809, and

    3. If the incident involves the loss or theft of an IT asset or hardcopy data, TIGTA at 1-800-366-4484.

  2. An exception to the normal reporting requirements is made for disclosure incidents involving a potential erroneous notice issuance. Employees who learn of such an incident will not be required to notify CSIRC. The employee will follow existing procedures in IRM 21.3.1.1.1 to notify the Notice Gatekeeper, who will notify CSIRC as necessary after an initial analysis of the incident. This procedure minimizes the potential for inaccurate, incomplete, and duplicate reporting of incidents to CSIRC, lessens the operational impact of reporting an incident, and focuses resources on correcting the error to prevent additional breaches. Potential erroneous notice issuances should be reported to the Notice Gatekeeper online through the Servicewide Notice Information Program (SNIP) website.

  3. Form 10848, Report of Unauthorized Inadvertent Disclosure of Tax or Privacy Act Information, is obsolete and will no longer be used for reporting disclosure incidents.

  4. The CSIRC incident reporting form should be used by all employees for reporting losses, thefts and disclosures of sensitive information. The Computer Security Incident Reporting Form is designed to be used online.

  5. Disclosure incidents (inadvertent disclosures) will no longer be reported to TIGTA as part of this process.

  6. If you see indications of an intentional unauthorized disclosure, the incident must be reported to TIGTA. See IRM 11.3.1.6(2) and IRM 11.3.38.6(1).

Exhibit 10.5.3-1  (05-15-2009)
Glossary

Access - The ability or opportunity to gain knowledge of personally identifiable information.
Breach - The loss of control, disclosure, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to personally identifiable information, whether physical or electronic.
Data Loss (Breach) Notification - The process of notifying affected individuals following the discovery of a PII data loss incident when the incident results in a high risk of harm to these individuals. Also known as PII data loss incident notification.
Data Loss Incident Risk Assessment - A risk assessment conducted on an IRS incurred data loss incident containing PII. The risk assessment includes factors that must be considered, specifically the context of the incident and the data that was disclosed. Example - An IRS employee in the field loses a taxpayer case assigned to him. It contained PII data such as name, address, SSN, and other tax data. It is not known if the loss of the PII data will lead to identity theft. The IRS conducts a risk assessment and examines key factors to consider and determine when notification should be given to the taxpayer.  
Federal Information Processing Standard (FIPS) - Publications issued by NIST after approval by the Secretary of Commerce pursuant to Section 5131 of the Information Technology Reform Act of 1996 (Public Law 104-106) and the Federal Information Security Management Act of 2002 (Public Law 107-347).
Federal Trade Commission (FTC) - An independent agency of the United States government, established in 1914 by the Federal Trade Commission Act, with the principal mission of promoting "consumer protection" and the elimination and prevention of what regulators perceive to be "anti-competitive" business practices.
Harm - Includes any of the following effects of a breach of confidentiality, integrity, availability, or fiduciary responsibility:
   a) Potential for blackmail;
   b) Disclosure of private facts;
   c) Mental pain and emotional distress;
   d) Potential for secondary uses of the information that could result in fear or uncertainty, or the unwarranted exposure leading to humiliation or loss of self-esteem;
   e) Identity theft; or
  f) Financial loss.
Identity Theft - A fraud that is committed or attempted, using a person's identifying information without authority.
Identity Theft Liaison - A listing of individuals in the business units that are the contacts for the W&I AM IPSU, when IPSU sends Form 14027, Identity Theft Case Monitoring for monitoring account activity on cases with open controls. A current listing of Identity Theft Liaisons (Functional) can be found on SERP under the Who/Where tab.  
Identity Theft Risk Assessments (and Vulnerability Mitigation Process) - Risk assessments conducted on prioritized business processes within the IRS to determine the level of risk associated with those systems. The risk assessment review will help determine where key areas (people, process, and technology) that handle PII are susceptible to identity theft. Once a risk assessment review is conducted, the business unit that owns the process is given a complete report and analysis of the risks involved with that particular process. The business unit will attempt to mitigate the risks involved by analyzing the report and taking appropriate actions. (Example - An identity theft risk assessment is conducted of the Automated Collection System (ACS) to determine the level of risk associated with that system. A risk assessment report is issued and the business unit will attempt to mitigate the risks to minimize the possibility of loss of PII.)  
Incident Management - The process of managing incidents involving the loss or disclosure of data.
Information Technology - Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by an executive agency.
ITIM Advisory Committee - A committee established to oversee ITIM activities, specifically the development of Servicewide identity theft and PII data loss policies and procedures, development and execution of ITIM program office procedures, and the study and execution of identity theft outreach, victim assistance and prevention initiatives.  
Loss - Any event where an item is misplaced and/or neither the official owner nor the intended recipient has possession of the item in the expected time frame. A loss may involve an IRS-owned physical asset such as a laptop, blackberry, cell phone, and/or other portable media, or electronic or hard copy data that may contain Sensitive But Unclassified (SBU) data or Personally Identifiable Information (PII) such as paper or electronic taxpayer records, personnel records, or other identifying data, or a combination of a physical asset and electronic and/or hard copy data.
National Institute of Standards and Technology (NIST) - A non-regulatory federal agency within the U.S. Department of Commerce that develops and promotes measurement, standards, and technology.
Office of Management and Budget (OMB) - A cabinet-level office that oversees the activities of federal agencies and monitors the adherence of their assigned federal programs to presidential policies.
Personally Identifiable Information (PII) - A specific type of IRS sensitive but unclassified (SBU) data which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc., alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc.
PII Incident - An actual or suspected loss of control, disclosure, unauthorized disclosure, unauthorized acquisition of, or unauthorized access to PII. PII incidents include situations where persons other than authorized users may or do have access to PII for an unauthorized purpose. This applies to PII maintained in electronic or hard copy format.
PII Incident Notification - See Data Loss (Breach) Notification.
PII Working Group - A decision making body chaired by the Deputy Director, ITIM. Membership consists of senior management and key technical experts from all key business and functional unit stakeholders. Policy roles include: a) Review ITIM program policy analyses and recommendations, b) Provide further analysis, data collection and support material for AC decision making, and c) Provide recommendations to AC for final decision making. Operational roles include: a) Review ITIM case risk analyses and recommendations, b) Provide further analysis, data collection and support material for AC decision making, c) Approve low-risk case decisions, and d) Provide medium and high-risk case recommendations for victim notification to AC for final decision making.  
Risk - The level of impact on agency operations (including mission, functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring.
Risk Assessment - The process of identifying risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals by determining the probability of occurrence, the resulting impact, and additional security and privacy controls that would mitigate this impact.
Safeguards - Protective measures prescribed to meet the privacy requirements specified for an information system.
Technical Working Group for Identity Theft Victim Assistance (TWG) - A cross-functional group that meets periodically to provide a forum for developing recommendations on how processes and procedures can be improved to address and reduce the burden on taxpayers who are victims of identity theft.  
Unauthorized Access - The willful unauthorized access and/or inspection of tax returns and return information.

Exhibit 10.5.3-2  (05-15-2009)
References

The ITIM Program was established to ensure Servicewide implementation of federal directives to protect citizens and government employees against data losses and misuse of sensitive personal data. The following are the principal documents involving the ITIM Program:


OMB Memoranda

  1. M-06-15, Safeguarding Personally Identifiable Information, May 22, 2006

  2. M-06-16, Protection of Sensitive Agency Information, June 23, 2006

  3. M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments, July 12, 2006

  4. M-06-20 (M-05-15), Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, July 17 2006

  5. M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007

OMB Memoranda are available at Office of Management and Budget at http://www.whitehouse.gov/omb/memoranda.

Other Federal Guidance

  1. Combating Identity Theft: A Strategic Plan, The President’s Identity Theft Task Force Report, April 2007

  2. Combating Identity Theft, Volume II: Supplemental Information, The President’s Identity Theft Task Force Report, April 2007

  3. President’s Identity Theft Task Force Report Summary of Interim Recommendations, September 2006


The President’s Identity Theft Task Force documents are available at http://www.idtheft.gov/

IRS Internal Revenue Manuals

  • IRM 10.5.1, Privacy, Information Protection & Data Security

Exhibit 10.5.3-3  (05-15-2009)
Acronyms and Definitions

The following tables describe the terms and acronyms used for TC 971 AC 501, 504, 505, and 506 identity theft indicator codes. The three tables are: 1) BOD/Function, 2) Program Name, and 3) Tax Administration Source.

  1. BOD/Function

    Term/Acronym Description
    AP Appeals
    CI Criminal Investigation
    MITS Modernization & Information Technology Services
    PPDS Privacy, Information Protection & Data Security
    SBSE Small Business / Self-Employed
    TAS Taxpayer Advocate Service
    WI Wage & Investment

  2. Program Name

    Term/Acronym Description
    ACS Automated Collection System
    AM Accounts Management (IRS-identified identity theft)
    AMADJ Accounts Management (TP-identified identity theft)
    ASFR Automated Substitute for Return
    AUR Automated Underreporter
    AP Appeals
    CA TAS Case Advocate
    CFBALDUE SB/SE: Field Collection - Taxpayer Delinquency Accounts
    CFDELRET SB/SE: Field Collection - Taxpayer Delinquency Investigations
    CONGINQ Congressional Inquiry
    CORR SB/SE Correspondence Exam
    CSCO Compliance Services Collection Operations
    CSIRC Computer Security Incident Response Center
    EXAM W&I Correspondence Exam
    FA Field Assistance
    FLDEXAM Field Exam
    FO CI - Field Operations
    OPIP Office of Privacy & Information Protection
    PHSH CI - Phishing
    PREREF Pre-Refund
    RFND CI - Refund Crime
    SP Submission Processing
    TDI Tax Delinquency Investigation
    WHC Withholding Compliance

  3. Tax Administration Source

    Term/Acronym Description
    ALTRD Substantiated identity theft incidents where a victim's return has been wrongfully altered to steal all or portions of the refund
    INCOME Identify theft identified and substantiated due to an underreporting of income
    MULTFL Identity theft identified and substantiated due to two or more tax returns filed for one taxpayer
    INCMUL Identity theft identified and substantiated due to both underreporting of income and multiple filings
    NOFR Substantiated identity theft incidents where the victim does not have a filing requirement
    OTHER Identity theft which cannot be identified as related to any existing Tax Administration Source types

Exhibit 10.5.3-4  (05-15-2009)
TC 971 AC 501 — Taxpayer-Identified Identity Theft Affecting Tax Administration

Input instructions for TC 971 AC 501 are as follows:

  1. Obtain the following information:

    • Entity - SSN;

    • Business Operating Division (BOD)/Function (See Exhibit 10.5.3-3);

    • Program Name (See Exhibit 10.5.3-3);

    • Tax Administration Source (See Exhibit 10.5.3-3); and

    • Tax Year affected by identity theft.

  2. Navigate to FRM77

    • Sign into IDRS;

    • Enter ENMOD (SSN), then press ENTER;

    • Enter ENREQ, then press enter; and

    • Enter REQ77.

    • FRM77 is displayed for the selected SSN.

  3. Enter the TC 971 AC 501

    • Change the MFT to 00;

    • Change the TX-PRD to 000000;

    • Enter the TC with 971;

    • Enter TRANS-DT (enter the current date);

    • Enter SECONDARY-DT (enter the tax year affected by the identity theft incident in the format MMDDYYYY);

    • Enter MISC (enter your specific BOD/Function, Program Name, and Tax Administration Source, see Exhibit 10.5.3-3); and

    • After REMARKS, enter IDENTITY THEFT.

Exhibit 10.5.3-5  (05-15-2009)
TC 972 AC 501 — Reversal of TC 971 AC 501

Input instructions for TC 972 AC 501 are as follows:

  1. Obtain the following information:

    • Entity - SSN;

    • BOD/Function (See Exhibit 10.5.3-3);

    • Program Name (See Exhibit 10.5.3-3);

    • Tax Year of the TC 971 AC 501 being reversed; and

      Note:

      The tax year must match the tax year of the TC 971 AC 501 that is being reversed.

    • Transaction date of the TC 971 AC 501 being reversed.

  2. Navigate to FRM77

    • Sign into IDRS;

    • Enter ENMOD SSN, then press ENTER;

    • Enter ENREQ, then press ENTER; and

    • Enter REQ77.

    • FRM77 is displayed for the selected SSN.

  3. Enter the TC 972 AC 501

    • Change the MFT to 00;

    • Change the TX-PRD to 000000;

    • Enter the TC with 972;

    • Enter TRANS-DT (enter the transaction date of the TC 971 AC 501 being reversed);

    • Enter SECONDARY-DT (enter the tax year of the TC 971 AC 501 being reversed in the MMDDYYYY format);

    • Enter MISC (Modify the Reason Code field with the reason for the reversal. Select one of the reasons from the TC 972 AC 501 Reason Codes table below); and

    • Enter REMARKS (enter your remarks).

The following table describes the TC 972 AC 501 reason codes:

TC 972 AC 501 Reason Codes
Reason Description Value
Taxpayer Request The taxpayer requests the 971 be reversed. TPRQ
Keying or Internal Error The 971 was due to a typographical mistake or another internal mistake. IRSERR
Internally Identified Negative Impact The 971 is causing a negative impact on another internal process or system, and should be reversed to discontinue the negative impact. IRSADM
False Identity Theft Claim The original identity theft incident claim was determined to be fraudulent. FALSE
Other The reason for the 971 reversal does not meet any of the reason descriptions above. OTHER

Exhibit 10.5.3-6  (05-15-2009)
TC 971 AC 504 — Taxpayer-Identified Identity Theft Not Affecting Tax Administration

Important: Input of Action Code 504 is limited and reserved for use by the W&I Accounts Management Identity Protection Specialized Unit.

TC 971 AC 504 is displayed on IDRS command code ENMOD and consists of the following data elements:

TRANS-DT SECONDARY-DT MISC REMARKS
Input date of TC 971 AC 504 Date identity theft occurred (per taxpayer). BOD, Function, and taxpayer impact. (See the Impact to Taxpayer table below.) Comments
Impact to Taxpayer
Term/Acronym Description
ACCT One or more personal accounts have been opened under the victim's identity or the victim reported questionable account activity.
BOTH Both EMPL and ACCT.
EMPL Victim's SSN Used for Employment.
NKI No known impact has been identified by the taxpayer.

Exhibit 10.5.3-7  (05-15-2009)
TC 972 AC 504 — Reversal of TC 971 AC 504

The miscellaneous field for TC 972 AC 504 reflects the reason for the reversal of TC 971 AC 504. See the TC 972 AC 504 Miscellaneous Field chart below for the reasons and values for the MISC field.

TC 972 AC 504 Miscellaneous Field
Reason Description Value
Taxpayer Request The taxpayer requests the 971 be reversed. TPRQ
Keying or Internal Error The 971 was due to a typographical mistake or other internal mistake. IRSERR
Internally Identified Negative Impact The 971 is causing a negative impact on another internal process or system, and should be reversed to discontinue the negative impact. IRSADM
False Identity Theft Claim The original identity theft incident claim was determined to be fraudulent. FALSE
Other The reason for the 971 reversal does not meet any of the reason descriptions above. OTHER

Exhibit 10.5.3-8  (05-15-2009)
TC 971 AC 505 — IRS Data Loss Incidents

Important: Input of Action Code 505 is limited and reserved for use by the Office of Privacy, Information Protection & Data Security personnel.

TC 971 AC 505 is displayed on IDRS command code ENMOD and consists of the following data elements:

TRANS-DT SECONDARY-DT MISC
TC 971 AC 505 input date Date the data loss incident occurred. BOD, Function, and Incident Reference Code (number assigned to the data loss case). This number begins with the literal "IR" and is followed by 11 numeric digits. For example: IR20080211034

Exhibit 10.5.3-9  (05-15-2009)
TC 972 AC 505 — Reversal of TC 971 AC 505

The miscellaneous field for TC 972 AC 505 reflects the reason for the reversal of TC 971 AC 505. See the following chart for reasons and values for the MISC field:

TC 972 AC 505 Miscellaneous Field
Reason Description Value
Keying or Internal Error The 971 was due to a typographical mistake or another internal mistake. IRSERR
Internally Identified Negative Impact The 971 is causing a negative impact on another internal process or system, and should be reversed to discontinue the negative impact. IRSADM
Other The reason for the 971 reversal does not meet any of the above reason descriptions. OTHER

Exhibit 10.5.3-10  (05-15-2009)
TC 971 AC 506 — IRS-Identified Identity Theft Affecting Tax Administration

Important: Input of Action Code 506 is limited and reserved for use by the following functions: Criminal Investigation, Accounts Management, and Submission Processing.

TC 971 AC 506 is displayed on IDRS command code ENMOD and consists of the following data elements:

TRANS-DT SECONDARY-DT MISC XREF-TIN
Input date of TC 971 AC 506 Tax year at issue date. BOD, Function, and Program that input the TC 971 AC 506. (See the Miscellaneous Field table below.) Optional field that, when populated, displays a TIN (e.g., SSN, ITIN, or IRSN).
TC 971 AC 506 Miscellaneous Field
Description BOD / Function Program Name Tax Administration Source
Phishing Schemes CI PHSH N/A
Refund Fraud CI RFND N/A
Other CI OTHER N/A
Input on true SSN owner’s account when a non-legitimate unpostable return with UPC147 has been filed using the taxpayer’s SSN as identified and determined by SP. WI SP UPCMUL
Input on the identified IRSN corresponding to the non-legitimate unpostable return with UPC147 as identified and determined by SP. WI SP UPC147
Input on true SSN owner’s account per TIN-related problem case procedures. WI AM MULTFL
Other identity theft-related incident, affecting tax administration identified and substantiated by Accounts Management. WI AM OTHER

Exhibit 10.5.3-11  (05-15-2009)
TC 972 AC 506 — Reversal of TC 971 AC 506

The miscellaneous field displays the reason for the reversal. See TC 972 AC 506 Miscellaneous Field chart below for reasons and values for the MISC field:

TC 972 AC 506 Miscellaneous Field
Reason Description Value
Taxpayer Request The taxpayer requests the 971 be reversed. TPRQ
Keying or Internal Error The 971 was due to a typographical mistake or another internal mistake. IRSERR
Internally Identified Negative Impact The 971 is causing a negative impact on another internal process or system, and should be reversed to discontinue the negative impact. IRSADM
False Identity Theft Claim The original identity theft incident claim was determined to be fraudulent. FALSE
Other The reason for the 971 reversal does not meet any of the above reason descriptions. OTHER

More Internal Revenue Manual