The Treasury Inspector General for Tax Administration has issued an audit report criticizing the Internal Revenue Service’s process for developing an online registration portal for Foreign Financial Institutions (FFIs) to register as required by the terms of the Foreign Accoutn Tax Compliance Act. (See prior post here.) TIGTA estimates that between 200,000 and 400,000 FFIs will eventually register through the FATCA portal.
The audit report, which is entitled “Foreign Account Tax Compliance Act: Improvements Are Needed to Strengthen Systems Development Controls for the Foreign Financial Institution Registration System,” is available here.
In the background section of TIGTA’s audit report, it describes FATCA as follows:
The Foreign Account Tax Compliance Act (FATCA) is an important development in the efforts to improve U.S. tax compliance involving foreign financial assets and offshore accounts. The FATCA legislation was enacted in 2010 as part of the Hiring Incentives to Restore Employment Act. Changes required by the FATCA will: 1) combat tax evasion by U.S. persons holding investments in offshore accounts; 2) expand the Internal Revenue Service’s (IRS) global presence; 3) pursue international tax and financial crimes; 4) fill a gap in the IRS’s information reporting system; and 5) generate additional enforcement revenue. The Department of the Treasury issued the final FATCA regulations on January 28, 2013.
The FATCA legislation directly impacts three key groups: 1) taxpayers who meet the reporting requirements threshold for foreign financial assets; 2) Foreign Financial Institutions (FFI) that report to the IRS foreign financial account information exceeding certain thresholds held by U.S. taxpayers; and 3) withholding agents who withhold a 30 percent tax on taxpayers who fail to properly report their specified financial assets related to U.S. investments.
Prior to the FATCA legislation, the IRS did not have an international system to detect tax evasion by U.S. persons holding investments in FFIs, including foreign financial assets or offshore accounts. The IRS is developing a new international system called the FFI Registration System (FRS) to support the requirements of the FATCA legislation. The FFIs will register and then provide offshore account information that is reported through the FRS. The new system is a major information technology investment for the IRS. The FRS is the first of the FATCA systems development projects planned through Fiscal Year 2017.
TIGTA performed the audit in order to “determine whether the IRS’s systems development approach for the FRS is sufficiently mitigating risks with the application of information technology management controls for successful development and delivery of requirements and capabilities aimed at FATCA milestones and goals.”
During the course of its audit, TIGTA discovered that the first release of the FRS was substantially developed and nearing deployment before its development was abruptly terminated. By November 2012, the IRS had made a significant investment in developing Release 1.0 of the FRS and was one month away from deployment of a major software release. At that time, however, IRS executives terminated Release 1.0 for the following reasons:
The FATCA regulations took more than 11 months to be finalized. During this time, the IRS was developing Release 1.0 of the FRS. After the final regulations were issued in January 2013, the IRS identified requirements in the regulations that were not part of the design of Release 1.0.
Department of the Treasury negotiations on IGAs with different countries identified changes for the FFIs responsibilities in the registration process. The Release 1.0 requirements did not meet the complexities of these registration changes; therefore, the IRS decided to terminate Release 1.0. In order to incorporate the requirements from the regulations and the IGA changes, the IRS began developing Release 1.1. As FATCA processes were developed, the IRS determined the need to create a unique identifier for the FFIs that successfully register. This unique identifier must be present on the IRS Participating FFI list to inform withholding agents of an FFI’s FATCA status and to track an FFI’s U.S. account reporting.
The IRS also informed TIGTA that FRS scope changes were necessary due to the following changes in the IGAs:
IGA negotiations with foreign countries resulted in the proposal of an alternative framework for implementing the FATCA.
Two Reporting Models were decided upon: Model 1 and Model 2. Reciprocal and Non-Reciprocal Versions of Model 1 were decided upon. In the case of a reciprocal Model 1 IGA, the IRS agrees to provide the country with reciprocal information on foreign citizens from their jurisdictions who have U.S. accounts.
Competent Authority Agreements would be entered into to further implement the IGAs.
The IRS spent $8.6 million and took 19 months to develop FRS Release 1.0 before the effort was terminated. The IRS originally planned to spend a total of $14.4 million to develop and deploy the FRS. However, the current cost estimate to deploy the system in Release 1.1 is $8.0 million. This $8.0 million in addition to the $8.6 million already spent on Release 1.0 results in a total cost of $16.6 million for the FRS.
Subsequently, the IRS modified and expanded the scope of the system requirements. The major redesign and initiation of a new development effort was necessary because the IRS did not sufficiently develop requirements for the initial Foreign Financial Institution Registration System as needed for new system development.
TIGTA found that while the IRS has taken steps to improve management controls for this major information technology investment, additional improvements are needed to ensure consistent adherence to risk mitigation processes for program management, security control processes, testing documentation, and requirements management. Specifically, TIGTA recommended that the Chief Technology Officer and the Commissioner, Large Business and International Division, timely identify and communicate system changes for future FATCA releases and ensure that the IRS consistently documents and maintains test cases and test results. In addition, the Chief Technology Officer should ensure that adequate program management controls are in place and consistently followed to allow the IRS to accomplish its FATCA goals and objectives. Finally, the Chief Technology Officer should ensure that all system requirements documentation includes the requirements being tested and all security requirements, and that corresponding test cases are identified and sufficiently traced, managed, and tested.
In its written response to the report, the IRS agreed with all six recommendations. However, TIGTA believes that the action plans provided by the IRS for two of the recommendations were not fully responsive.
On a related note, and as reported in a prior post, a group of influential banking associations, including the American Bankers Association, recently requested that Treasury and the IRS further delay implementation of FATCA for a variety of reasons. TIGTA’s audit report will only provide more ammunition to the growing calls for delay, to ensure that both the U.S. government and impacted stakeholders are able to fully prepare for FATCA implemementation.