Perspectives from Partners: Federation of Tax Administrators

By Yejin Jang posted Mar 11, 2016 08:58 AM


Welcome to “Perspectives from Partners,” a monthly blog post featuring interviews from NASCIO’s partner organizations. For our introductory post in the heart of the individual income tax filing season, we met with Federation of Tax Administrators (FTA) Deputy Director Verenda Smith. Verenda serves as the liaison to the Internal Revenue Service (IRS) and works on issues related to IRS Publication 1075, which dictates security and safeguarding requirements state agencies must follow when handling federal tax information. Prior to FTA, Verenda served in the Illinois Department of Revenue.

We asked Verenda her perspective on issues facing tax administrators and common CIO issues like consolidation and cybersecurity. 

About the FTA:

The Federation of Tax Administrators (FTA) is a nonprofit organization created in 1937 with a mission to “improve the quality of state tax administration by providing services to state tax authorities and administrators.” Membership at FTA includes principal tax collection agencies of the 50 states, the District of Columbia, Philadelphia, and New York City.

What would you like to tell state CIOs? What are you hearing from your membership about consolidation or centralization?

Tax agencies don’t control federal requirements. These are as hard for tax agencies to live with as they are for CIOs. We have more experience and background with these requirements, but, like the CIOs, we can’t tell the IRS what to do. At the end of the day, it’s their data, and they control its use.

As computers become more sophisticated and consolidation becomes more desirable, the first thing CIOs are recognizing is what tax agencies have always known: tax agencies are different. They have unique requirements that don’t necessarily make sense from a “computer” standpoint. They’re not being unreasonable. It’s just that they have their own structures that they work within and often must meet requirements that are new to CIOs.

FTA members are called in to the CIO’s office and hear, “We’re ready to consolidate you and bring you in the fold,” and they find themselves being the bearer of bad, difficult news. I hear that all the time. CIOs are ready to hear about the usual issues like governance, who pays, continued access to data and services, charging for services, budget issues. But then they find they have to learn the history and background of federal tax information, specifically why the requirements for holding federal tax information that they are entrusted with go beyond keeping information safe and secure.

Needless to say, FTA members are getting to know their working partners [CIOs] much more closely these days.

What issue(s) is FTA monitoring?

Generally, we keep an eye on Congress, especially if we identify anything that might affect states.

We are watching the federal budget. Congress is increasingly challenged to generate a budget. When one does appear, it is already halfway through the budget year. That undermines the ability for the IRS to make smart purchases. And when you have IT projects that are constantly stop and go – execution falters, gets delayed, rushes ahead — those of us who are working with IRS and federal agencies get a little worried about what that [delayed federal budget] means and how that will affect our work.

This is especially detrimental to the federal government’s efforts to keep up with IT needs. By the time an agency’s funding gets to where it needs to be, it has been delayed so many times that the technology is obsolete. It is a frightful model.

What’s on the horizon?

Forty-two states and the District of Columbia have an income tax so most states are battling income tax refund fraud.

We needed a new way to think about data. Starting more than a year ago, we brought together three sectors in a partnership: people who design software for preparation and filing of tax returns, states, and the IRS – and we’ve been coming together in a new way. Instead of each of us working independently on fraud identification, we’re working on fraud issues together. Much of that comes down to the use of the data and understanding what’s in each other’s data, what’s useful and what’s not.

What’s new is that we are spending time doing deep dives into information that the others have, instead of just working with our own data. Also, we are learning from one another, figuring out not only what data might be useful to me, but asking how do you generate it? What does it mean and not mean? How do I use that data and combine it with something else to make it useful? Understanding what the data is has been one of the main keys to making this Summit approach effective.

So we now have multiple sources of data coming from multiple points, and our analysis needs are skyrocketing, so we’ll be getting an ISAC hosted by the IRS. It will be done in partnership with everyone (tax software companies, states, and the IRS) and it’s on behalf of everyone, but IRS has to host it. Implementation will happen in stages but this ISAC will be available in the foreseeable future.

The main mission of the ISAC is to do the best possible job in a more efficient way of performing our current tasks. The ISAC will improve our ability to analyze data and find trends. Trend-seeking is one of the great tools in fraud detection and prevention.  We have high expectations for the ISAC to efficiently receive and crunch much more data in one location, which we can then push out to everybody that needs it.

What are your members’ views on cybersecurity?

Our members don’t look to us to explain cybersecurity best practices, but we do facilitate sharing of ideas, problem-solving and so forth, and nowadays when we push information out to them, they jump on it. When we hear that there’s been a security breach, they’re all on the phone immediately to ask ‘Can you help us learn from this? Can you put us in touch with someone?’

What are some lessons you’ve shared about cybersecurity?

What our members want to know is: how did the bad actors get in? What information did they have, and where did they get it, that allowed them to successfully masquerade as a taxpayer? What didn’t an agency do that would have kept them out, or that would have thwarted a bot attack? How is the affected agency or business communicating the breach or security threat to taxpayers or customers? But mostly, FTA members want to know where the weaknesses reside because many of them share the same processes. For example, they all have data at rest and there was a time when it was considered ok to not encrypt data at rest — data that was already protected deep inside a tax agency’s most secure systems — but that stopped with South Carolina. Very few days passed before state agencies were adopting new encryption practices.

There have been so many different examples this year of stolen information being used to facilitate refund fraud – just in the last two weeks, we’ve been dealing with fake phishing emails from CEOs of companies asking for payroll information from employees.  It has been frighteningly successful.

So tax agencies are wholly engaged in dealing with cybersecurity, in all possible ways. We had an interesting case last year where one state tax employee received a suspicious email.  He shared the email with his colleagues, urging them to be on the lookout for the same, noting that “they” knew too much and that it was tempting him to click on a suspicious link.  He even shared the phishing attempt with all other tax agencies with an alert. A few hours later, everyone learned that the email was a test.  His office had created the email to probe weaknesses in their system. Fortunately, nobody clicked. From that we learned that tax agency employees have been trained and know not to click on links in an email. And, of course, there are other technology-based tools in use as well that seek to make it impossible for a human to make an inadvisable move with an email.


For more information on items mentioned in this post:

IRS Commissioner Koskinen announces ISAC
IRS “Dirty Dozen” tax scams for 2016
CEO phishing scam, seeking employee payroll info
CEO phishing scam…happened to Snapchat