Digital identification verification is the wave of the future at IRS
“IRS has seen tremendous improvements in performance and its processes allowing taxpayers to get through and access the service,” said GAO’s Jay McTigue.
| Guest: | Jay McTigue |
| Title: | GAO Director of Strategic Issues |
| Summary: | To prevent fraud, the IRS needs to make sure that tax filers are who they say they are. A new ID-proofing approach now means that more than 70% of filers can be verified digitally, but the GAO says IRS still needs to work on its privacy and program evaluation practices for digital identification. |
Interview transcript:
Jay McTigue As you’re aware, there’s a lot of interest in a number of different aspects of this. One is the use of artificial intelligence and facial recognition technology in allowing, in this case, taxpayers to access their information and also to access government services. At the same time, there’s been interest in reducing fraud in the provision of government services. IRS in particular, about 10 years ago, was struggling to keep up with and fight identity theft refund fraud, which costs the federal government billions of dollars on an annual basis. And so IRS moved to beef up its digital identity proofing, as well as looking for ways to allow taxpayers easy access of various services and applications on its website.
Terry Gerton So that seems all very aligned with several presidential administration intentions to reduce waste, fraud and abuse and to focus there. What did you find as you dug into the issue there at IRS?
Jay McTigue First and foremost, we found that IRS has made a lot of progress on this front. Back in the 20-teens, the Treasury was losing money to identity thieves who would file fraudulent tax returns claiming to be someone they were not. And this was prevalent across government. OMB and the National Institute of Standards and Technology put forward various guidance and requirements for federal agencies to strengthen protections over private citizens’ information that they were collecting. And there were other initiatives to make government services more available online. What we found at IRS, dating back to about 10 years ago, they began looking for ways to accomplish those goals of allowing taxpayers to access services, but also not to make it too easy so that fraudsters and others with ill intent could take advantage of the easy access via digital portals. And so, IRS started a program called SADI, Secure Access Digital Interface, to build new protocols and technology to allow access but build in security from the start. And what we found is that IRS, as they were standing up this platform, procured services from a third-party credential service provider called ID.me. This was around 2020 and maybe a little bit before then, and as we’re all aware, that also coincided with the start of the pandemic and various relief measures that Congress and the administration were trying to get out to citizens and taxpayers to help them weather the pandemic. And one of those initiatives was advanced payment of the child tax credit so families could access the credit — which they would qualify for once they file their tax return, but the advanced payment would make it available much sooner and provide financial relief for families. In order to do this, IRS quickly stood up SADI with the help of ID.me and actually allowed the program to be launched as Congress specified in the summer of 2020, and they were able to leverage an existing contract that the Treasury Department had with ID.me to procure these services very quickly. At the start, IRS has seen tremendous improvements in terms of the performance of taxpayers and its processes allowing taxpayers to get through and access the service. Before they moved to this new platform and ID.me, the number of taxpayers or the percentage of taxpayers who were able to authenticate was in the range of 30% to 40%, and this was the old password-based and out-of-wallet questions that people would — you know, IRS would ask taxpayers calling in and many people could not remember. I have trouble remembering how many different addresses or what banks I’ve used in the past. And with the new ID.me and facial recognition technology using biometrics, the pass rate immediately jumped to the 70% range and has continued to go upward to the 80% percent range. So taxpayers are able to get in, and IRS is protecting the Treasury as well as taxpayers’ private information.
Terry Gerton I’m speaking with Jay McTigue, he’s director of strategic issues at GAO. So it sounds like the classic GAO statement: Much progress has been made, much remains to be done. You have some recommendations in this report, tell us about those.
Jay McTigue IRS is doing a lot right in terms of overseeing the program and the service that they receive from ID.me. For example, they have a bi-weekly status calls with the vendor. ID.me provides various metrics and data for IRS to see how things are going. And a lot of the metrics are discussed and designed in consultation with IRS. In addition to that, in terms of protecting privacy, IRS has also directed ID.me to delete the biometric data that it collects within 24 to 48 hours. Any remote live chat sessions that they have also have to be deleted within a certain period of time. And furthermore, ID.me has to provide IRS with evidence that these deletions were made. And that’s all very good oversight. What we did find is that while ID.me provides a lot of data to IRS, IRS could do a better job of actually managing and using the data that’s being provided by ID.me. For example, this identity verification is used across roughly 30 or three dozen different applications that various taxpayers can use. And so while ID.me is providing data, IRS needs to look at the different applications and set goals and identify the objectives for each one of those interactions so that IRS can determine whether or not a 70% pass rate is good. You know, maybe that’s okay for a given application, but maybe it should be closer to 95% for some other applications, or maybe some other number might be appropriate. So first and foremost, IRS needs to identify goals and objectives for the different applications. Then, once they have those kinds of data, they need to actually look at the data and evaluate or assess whether or not it’s meeting the results and outcomes that IRS wants for the given application, the given set of taxpayers or others using the service. We also found that a lot of different offices and divisions are involved in procuring the ID.me solutions and using the solutions, but the information, the data that ID.me is providing the IRS, isn’t always shared widely, so the business owner may not be getting them, or the procurement office or the cybersecurity folks. Basically, we made a third recommendation that IRS ensure that all the parties internally who need and could help improve the program, you know, get that information and work together to continue improving the program and its applications. And then finally, the last recommendation we made has to do with IRS’s cataloging of its use of artificial intelligence. There are various laws and OMB guidance that require an agency to have an inventory of all the different uses and applications of AI technologies, and we found that this particular application was not in their inventory, even though IRS officials and ID.me, even on their website, acknowledge the use of artificial intelligence. That’s the technology driving facial recognition, so it was a bit of an oversight. The IRS needs to ensure that any kind of contracted AI, any kind services — frankly, more and more services are using artificial intelligence — they need to be on the lookout for when contractors may be using artificial intelligence technology to ensure it’s consistent with legal requirements and to help promote the transparency of the use of the data, the intent of the application and the outcomes. So those are our four recommendations. A lot of good is happening, but we think that IRS could do a little bit more in terms of managing and overseeing the program.
Terry Gerton Many federal agencies like the IRS have to validate their users. I’m thinking Social Security Administration, other agencies that manage grants. Would you say this sort of feedback that you gave the IRS is pretty universally applicable to other federal agencies? They should dig into this themselves and make sure they’re on the right track?
Jay McTigue Oh, absolutely. As I referenced, many of our findings and our recommendations are grounded in NIST guidance as well as OMB guidance and various statutes. So all of this would apply to other agencies and I would love for people to read the report and take the lessons back to their agencies as well.
Copyright
© 2025 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
