Intuit is committed to providing our customers the best, safest, most convenient and secure tax products in the industry. With the increasing criminal attacks on the U.S. tax system at both the federal and state level, and the constantly evolving methods that cybercriminals use, we recognize that we must continuously accelerate and strengthen the measures we take to fight fraud.
We believe there is no industry partner that provides more or better reporting, or is taking a stronger leadership role both with the Internal Revenue Service and with the industry to help solve the cyberfraud problem than Intuit.
Recent unfounded claims have been made by former employees about Intuit’s security practices
Over the course of the last week, former Intuit employees have asserted to the media that Intuit has somehow placed profits ahead of ethics. These allegations are without merit and are based on these individuals’ misunderstanding of the facts and their mischaracterization of our business. In addition, the media has reported that one of these individuals has made a submission to the Securities and Exchange Commission with similar assertions, and we look forward to engaging with the SEC, if requested to do so.
Any suggestion that Intuit or any of its leaders made decisions to sacrifice customer security for financial gain doesn’t hold water.
As we became aware of these assertions, Intuit engaged outside counsel to conduct an extensive review of the emails and documents of several individuals in or associated with our TurboTax business who are in decision-making positions. That review did not yield a single example where a deliberate decision was made to sacrifice customer security and privacy for financial gain. Because it doesn’t happen.
We recognize that some employees who work in information security would like us to do more to prevent fraud, and we are committed to doing so as fast as we can to combat the constantly evolving and increasingly sophisticated methods of cybercriminals. But we cannot always immediately implement the most innovative methods to detect and prevent fraud without considering other factors.
For example, one of our ex-employees urged us to implement a security initiative (referred to as a “honeypot”) that deliberately provides access to simulated customer data in an attempt to intentionally lure fraudsters into our system to track their criminal behaviors. Contemporaneous notes from the meeting discussing that initiative indicate that this individual was directed to work with the business to ensure that the methods were appropriate to use on our tax platform given the sensitivity of our customers’ personal tax data. But before the company would consider implementation of this security strategy for the tax business, he was directed to first run honeypot experiments – and validate those experiments – in ways that would not risk our customers’ sensitive tax information.
There was also an assertion that we changed the cadence of our suspicious activity report that we proactively provide to the IRS for business gain. In 2012, Intuit proactively initiated and has since been providing the IRS what we call Suspicious Activity Reports to assist the IRS in detecting fraudulent returns. These reports include millions of suspicious returns.
While we provide the IRS with robust data-driven analytics to help them improve their ability to detect and reject fraudulent returns, privacy regulations prevent the IRS from disclosing how it uses information from industry reports with respect to specific returns. We have no reason to believe that the IRS depended on our suspicious activity reporting to make its own determinations, and several reports from the Government Accounting Office and IRS advisory committees support this contention.
Approximately two years ago we modified how we shared information about suspicious filings with the IRS. We made this change to improve the accuracy of our reports and provide the IRS with a useful tool to strengthen its own capabilities, while minimizing the incidences of us incorrectly flagging legitimate taxpayers as potentially suspicious.
There was a clear business consideration behind the changes in reporting cadence, and it was squarely focused on our customer: the legitimate taxpayer. We recognized that stopping perfectly innocent taxpayers from doing business with Intuit would cause legitimate taxpayers to be turned away, forcing them to file their taxes through other methods. A mindset that assumes all taxpayers are somehow cheats would be fundamentally wrong. The American people are overwhelmingly honest and try their level best to be compliant in their taxpaying obligations.
The critical fact is that the amount of revenue resulting from any filings included on our suspicious filings report, but subsequently accepted by the IRS based on their own processes, is immaterial to Intuit’s business, and simply does not drive a business decision. Furthermore, after making this change in reporting cadence two years ago, there was a significant decrease in revenue from the filings included in our suspicious filings report to the IRS, but accepted as legitimate by the IRS.
There is absolutely no benefit to Intuit to try to process a fraudulent return. Intuit does not get paid through the refund transfer process unless the IRS accepts the return as valid and actually issues a tax refund. Moreover, Intuit’s market share is not based on submitted returns; it is based on accepted returns.
These economic realities fundamentally undermine any fanciful notion about the supposed competitive or monetary advantage gained by Intuit through the change in practice.
It is important to understand the role Intuit plays and in particular how we work with the IRS
We are committed to working with the IRS to safeguard the integrity of the tax administration system.
The IRS is the federal law enforcement agency responsible for the critical function of determining the legitimacy of filed tax returns, investigating and enforcing against possible fraud, and empowered under the law to make that ultimate determination. We do not have that authority.
While it is the IRS which makes the ultimate determination of whether a return is fraudulent under the law, our critical role is to share suspicious patterns of activity to help the IRS improve its ability to detect and reject fraudulent returns.
Beginning in 2012, Intuit was the first to voluntarily produce and share suspicious patterns of activity with the IRS to help improve its ability to detect and reject fraudulent returns. The objective of this effort has been to help the IRS in developing its own suspicious return identification process.
As a part of this effort, Intuit has designed a robust fraud scoring system. The higher the score, the more suspicious the return. The scoring system looks at many different potential indicators of suspicious activity, and scores them based on how inherently suspicious those indicators are. When we see enough suspicious indicators, the return is flagged as “suspicious” and reported to the IRS.
In creating a set of filters, we seek to achieve two clear objectives: (i) help the IRS catch the bad actors, and (ii) minimize the incidences of us incorrectly flagging legitimate taxpayers as potentially suspicious. We know that for our customers, an erroneous rejection or investigation of a legitimate taxpayer’s return by the IRS becomes an onerous and time-consuming process for the legitimate taxpayer to establish his or her legitimacy and receive their refund.
Indeed, in the National Taxpayer Advocate’s 2012 Report to Congress, advocate Nina Olson identifies as a most serious problem the harm taxpayers suffer by unreasonable delays in the processing of valid refund returns. She states: “When the IRS holds legitimate refunds for extended periods, it further exacerbates the taxpayers’ hardships, especially for low income taxpayers who may need the refunds for food, medical care, rent, or utilities.”
The IRS has shared with us as recently as this week that they have found our reporting to be very helpful to the agency in fighting fraud.
Since the inception of our suspicious activity reporting, we have improved the speed of our process and techniques for identifying suspicious reporting with accuracy. The IRS systems have likewise evolved and improved over the last several years as they have reported to Congress.
That said, we, the industry and the IRS can and must do more. We are engaged in ongoing discussions to identify additional measures that can be implemented and would be helpful.
We have shared specific recommendations to reflect that reality, and we are looking forward to engaging in further efforts that we hope will advance industrywide standards and requirements to support their needs. Our CEO proposed exactly that in a letter to the commissioner several weeks ago, in support of earlier industry association recommendations made to the IRS as well.
The core of Intuit’s business is and always will be our customers, and striving to do right by them
Our goal is to provide a service to our customers that emphasizes fairness, accuracy and safety.
In doing so, we use our best judgment every day, looking through three distinct lenses:
- The customer experience lens, where the goal is to ensure the path to creating and filing a return is fast and easy, with no unnecessary friction.
- The security lens, where the goal is to create an environment in which criminals are thwarted from perpetrating their crimes using our platform.
- The government lens, where the company has to work within and alongside the regulatory landscape at the federal and state levels.
We make decisions by taking into account all of these, in an effort to provide the public with tax compliance products and services anchored in principles of accuracy, fairness and security.
Our approach to security is continuously evolving to meet the rapidly changing threat environment
We have a team that is constantly innovating around security – and we evaluate these initiatives actively.
We take into consideration the security of our customers and their data, as well as the friction that may be caused by such measures if they become overly burdensome to legitimate taxpayers and detrimentally impact the way they engage with the product. Customer friction is not about selling more or less. It’s about ensuring we deliver on the customer experience they expect from us.
We are also guided by our belief that there is no single magic bullet in the fight against fraud, and that some of the most effective elements of our system are those behind the curtain, which the customer doesn’t see or experience directly.
We continue to make investments at multiple levels to protect the data that our customers entrust to us more broadly. More recent examples include:
- The broad roll-out of multi-factor authentication to fight against the recent wave of identity theft breaches that have occurred from sources outside the tax system in the past year. Given the radically changed fraud environment, and advances in our understandings from two recent pilot programs of how to create the right type of MFA system for our customers, we have now implemented a new MFA system, allowing us to reject more criminals, while letting the legitimate taxpayers continue on with their filings.
- We also recently acquired Porticor, a provider of sophisticated encryption technologies to protect customer data on systems and in the cloud;
- We have embarked on a multi-year path to migrate our applications onto the industry-leading public cloud provider, Amazon Web Services, and are making related joint investments in security tools that enhance the security of applications running in a public cloud environment;
- We are applying big data style analytics that allow us to process billions of events on a daily basis, and detect and respond to the most important security threats;
- We employ dedicated, security-focused bot bashers and anti-hackers embedded within product teams;
- In April 2014 we hired “Nat” Rajesh Natarajan as senior vice president, product and engineering and chief technology officer of TurboTax. Natarajan came to Intuit from PayPal, and prior to that was at Sabre and Travelocity; and
- We make ongoing investments in security-related training and awareness for our employees.
Furthermore, the security needs of today and tomorrow are not just about security features, and not just about securing one product. That was security 1.0. At Intuit we have been clear that our business model has rapidly evolved from distinct business lines to a platform which includes several products, which work together seamlessly in our customers’ lives. We need security 2.0, which is platform-based. It is critical to implement security in an ecosystem context – more end-to-end, more complex, and more sophisticated. This ecosystem-level approach to security today is about security policy and security engineering.
As part of that process, and to further accelerate our efforts and bring talented additional minds to our work, we are engaging recognized security and tax fraud experts as consultants to assist us with our strategy for combating cybercrime.
As evidenced by these actions, and much more, Intuit is committed to continuing to lead our industry in the fight against tax fraud.
Leading the industry forward
Today, our industry leadership position continues.
We are leading the charge to promote a single set of best practices and standards in this area. It’s critical to understand that cybercriminals are always looking for a new target and testing multiple points of entry into an industry. So it’s not enough to simply take action unilaterally. The metaphor sometimes used is to view the criminals as air in a balloon: squeezing one end of the balloon is not a long-term solution, because it simply lets the air move to another part of the system.
We have all witnessed a step change in the magnitude of data breaches affecting Americans, with 13 million Americans having their identities stolen through data breaches in 2013. In 2014 that number exploded to 100 million. This has transformed the need to respond on all fronts.
That is why we have advocated for clear and uniform requirements that would govern the entire industry, protect innocent taxpayers, and help the Government win the fraud fight.
We strongly support the anti-fraud recommendations of the tax industry association, the American Coalition for Taxpayer Rights. The ACTR recommendations offered over the last three years call for IRS regulation of the tax industry with a consistent, uniform set of requirements on industry-wide fraud and suspicious return reporting.
Just last summer the GAO recommended, and IRS agreed, that reporting third parties should be given feedback about the value or accuracy of their reporting. Receiving that information from the IRS will help us further refine our reporting processes, and allow us to evolve them to most effectively aid the IRS in its efforts to detect and prevent fraud. Further, GAO recommends that the IRS provide industry feedback about the effectiveness of their suspicious filing reports so that companies could improve their own analytics. We welcome this as the next step in an evolving government-industry partnership to fight fraud.
In his recent remarks at the White House Cybersecurity and Consumer Protection Summit, President Obama spoke about the importance of the public-private partnership and the critical role information sharing has in combatting cybersecurity issues, declaring, “There’s only one way to defend America from these cyber threats, and that is through government and industry working together, sharing appropriate information as true partners.”
In closing, customers can trust Intuit. Their privacy and security is job number one, and we are passionate about protecting legitimate taxpayers, while providing them with a fast, safe and secure way to file their taxes and get the refunds that they deserve.
THIRD PARTY REFERENCES TO ABOVE POINTS
- The IRS Electronic Tax Administration Advisory Committee Annual Report to Congress 2012 — which is statutorily required under the law — confirms that there is currently no requirement for a return transmitter to filter out potentially fraudulent returns. Specifically, the report, at pages 21-22, makes the following points:
  - The report states that there is “confusion and concern” regarding the level of assistance that e-file service providers can provide the IRS in connection with fraudulent return identification;
  - “The IRS should provide clear, unambiguous guidance regarding all of IRC §7216 and its associated sections in regards to what tax return preparers and e-file providers can and cannot do regarding the latitude available to help detect and report on identify fraud, and fraudulent and abusive returns”; and
  - The report concludes with a recommendation that, “if allowed by the IRS,” a mechanism could be implemented to allow e-file transmitters to add “fraud indicators” to e-filed returns. This again confirms that there is no current requirement or even the ability for e-file transmitters to do this.
- A recent GAO report summarizes how the IRS is considering the question of the efficacy of current authentication technologies, with the government itself not having reached conclusions on this point. Therefore, we continue to pursue a wide range of initiatives beyond authentication.