Proposed Regulations Would Allow Truncated SSN on Forms W-2 Furnished to Employees

The IRS recently issued proposed regulations that would allow employers to truncate employees’ social security numbers (SSNs) on copies of Forms W-2 furnished to employees, to help protect employees from identity theft.  The truncated SSNs must appear in the form of IRS truncated taxpayer identification numbers (TTINs): the first five digits of the nine-digit SSN are replaced with Xs or asterisks.  For example, a TTIN replacing an SSN appears in the form XXX‑XX‑1234 or ***‑**‑1234.  Employers may also use TTINs on Forms W-2 furnished to employees for payment of wages in the form of group-term life insurance.  But as with information returns filed with the IRS, employers cannot use TTINs on copies of the Forms W-2 filed with the Social Security Administration.   If finalized, these regulations would be applicable to Forms W-2 required to be furnished after December 31, 2018, due to concerns with providing state tax administrators sufficient time to accommodate TTIN usage on Forms W-2.  Comments on the proposed regulations are due by December 18, 2017.

The proposed regulations reflect statutory changes made in late 2015 by section 409 of the Protecting Americans from Tax Hikes (PATH) Act.  Section 409 of the PATH Act amended Code section 6051(a)(2) by striking “his social security account number” from the list of information required on Form W-2 and inserting “an identifying number for the employee” instead.  The IRS already permitted the usage of TTINs on a number of information returns furnished to payees including Forms 1095, 1099, 1098, and others.  The use of TTINs is intended to help reduce identity theft by reducing the number of documents that include both an individual’s name and TIN.

Late Form W-2s Doubled, Penalties to Come

The earlier filing deadline on January 31 for Forms W-2 resulted in more than double the number of late-filed returns, according to Tim McGarvey, Social Security Administration branch chief, who was speaking on an IRS payroll industry conference call.  He said that, to date, the SSA has received close to 50,000 late Form W-2 submissions, compared to an average of 25,000 late submissions annually in the past few years.  In response to an inquiry from the Tax Withholding & Reporting Blog, Mr. McGarvey indicated that the 50,000 submissions represent approximately 4 million late-filed 2016 Forms W-2.

In addition to the jump in the number of late-filed returns, Mr. McGarvey said that the number of Forms W-2c filed has also increased dramatically—up 30 percent from last year.  In response to an inquiry, Mr. McGarvey reported that the SSA has received approximately 2.7 million Forms W-2c in 2017, with some 2.2 million of those correcting 2016 returns.  That compares to a total of approximately 2 million Forms W-2c processed in 2015.

The January 31 deadline for filing and furnishing recipients with the Form W-2 and a Form 1099-MISC that reports nonemployee compensation (Box 7) became required under the Protecting Americans from Tax Hikes (PATH) Act to combat identity theft and fraudulent claims for refund (see prior coverage).

Late filers and those that struggled to provide accurate filings by the January 31 deadline should take steps now to prepare for the 2017 filing season.  Employers who provide taxable non-cash fringe benefits (such as the personal use of company cars) may want to consider imputing income for those benefits using the special accounting rule and flexibility in Announcement 85-113, if they are not already doing so.  Announcement 85-113 permits employers to treat non-cash fringe benefits as received on certain dates throughout the year (such as on the first of each month, each quarter, semi-annually, or annually).  It also allows employers to treat the value of non-cash fringe benefits actually received in the last two months of the calendar year as received in the following calendar year.  Making use of these rules can ease the year-end payroll crunch.  The earlier employers can provide copies of Forms W-2 to employees, the greater the chance there is for employees to identify errors and request corrections before the January 31 filing deadline.

IRS Guidance on Reporting W-2/SSN Data Breaches

The IRS recently laid out reporting procedures for employers and payroll service providers that have fallen victim to various Form W-2 phishing scams.  In many of these scams, the perpetrator poses as an executive in the company and requests Form W-2 and Social Security Number (SSN) information from an employee in the company’s payroll or human resources departments (see prior coverage).  If successful, the perpetrator will immediately try to monetize the stolen information by filing fraudulent tax returns claiming a refund, selling the information on the black market, or using the names and SSNs to commit other crimes.  Thus, time is of the essence when responding to these data breaches.

According to the IRS’s instructions, an employer or payroll service provider that suffers a Form W-2 data loss should immediately notify the following parties:

  1. IRS. The entity should email, with “W2 Data Loss” in the subject line, and provide the following information: (a) business name; (b) business employer identification number (EIN) associated with the data loss; (c) contact name; (d) contact phone number; (e) summary of how the data loss occurred; and (f) volume of employees impacted.  This notification should not include any employee personally identifiable information data.  Moreover, the IRS does not initiate contact with taxpayers by email, text messages, or social media channels to request personal or financial information.  Thus, these types of requests should not be taken as IRS requests.
  2. State tax agencies. Since any data loss could affect the victim’s tax accounts with the states, the affected entity should email the Federal Tax Administrators at for information on how to report the victim’s information to the applicable states.
  3. Other law enforcement officials. The entity should file a complaint with the FBI’s Internet Crime Complaint Center (IC3), and may be asked to file a report with their local law enforcement agency.
  4. Employees. The entity should ask its employees to review the IRS’s Taxpayer Guide to Identity Theft and IRS Publication 5027 (Identity Theft Information for Taxpayers).  The Federal Trade Commission (FTC) suggests that victims of identity theft take various immediately actions, including: (a) filing a complaint with the FTC at; (b) contacting one of the three major credit bureaus to place a “fraud alert” on the victim’s credit card records; and (c) closing any financial or credit accounts opened by identity thieves.

The IRS has also established technical reporting requirements for employers and payroll service providers that only received the phishing email without falling victim.  Tax professionals who experience a data loss also should promptly report the loss pursuant to the IRS’s procedures.

Recent FAA Serves as Warning to Employers Using PEOs

A recent Internal Revenue Service Office of Chief Counsel field attorney advice memorandum (FAA 20171201F) sounds a cautionary note for employers making use of a professional employer organization (PEO).  The FAA holds a common law employer ultimately liable for employment taxes owed for workers it leased from the PEO.  Under the terms of the employer’s agreement with the PEO, the PEO was required to deposit employee withholdings with the IRS and pay the employer share of payroll taxes to the IRS.  Alas, that was not what happened.

The taxpayer did not dispute that it had the right to direct and control all aspects of the employment relationship and was thus was the common law employer with respect to the employees, but asserted that it was not liable for the unpaid employment taxes. Under the terms of the contracts between the taxpayer and the PEO, the taxpayer would pay an amount equal to the wages and salaries of the leased employees to the PEO prior to the payroll date, and the PEO would then pay all required employment taxes and file all employment tax returns (Forms 940 and 941) and information returns (Forms W-2) with respect to the employees.

After the PEO failed to pay and deposit the required taxes, the Examination Division of the IRS found the taxpayer liable for the employment tax of those workers, plus interest. The taxpayer appealed, making several arguments against its liability: (i) the PEO was liable for paying over the employment taxes under a state statute; (ii) the PEO was the statutory employer, making it liable for the employment taxes; and (iii) the workers were not employees of the taxpayer under Section 530 of the Revenue Act of 1978.

The Office of Chief Counsel first explained that the state law cited by the taxpayer was not relevant because it was superseded by the Internal Revenue Code. The FAA rejects the taxpayer’s second argument because the PEO lacked control over the payment of wages, and thus it was not a statutory employer. The PEO lacked the requisite control because the taxpayer was obligated to make payment sufficient to cover the employees’ pay before the PEO paid the workers.  Finally, the Office of Chief Counsel denied the taxpayer relief under Section 530 of the Revenue Act of 1978 because that provision only applies to questions involving employment status or worker classification, neither of which was at issue.  Although the FAA makes clear that the common law employer will be on-the-hook for the unpaid employment taxes, the FAA did indicate that it would be open to allowing an interest-free adjustment because the taxpayer’s reliance on the PEO to fulfill its employment tax obligations constituted an “error” under the interest-free adjustment rules.

The FAA serves as a reminder that the common law employer cannot easily offload its liability for employment taxes by using a contract. Indeed, it remains liable for such taxes and related penalties in the event that the party it has relied on to deposit them fails to do so timely.  Employers who choose to make use of a PEO should carefully monitor the PEO’s compliance with the payroll tax rules to ensure that it does not end up in this taxpayer’s position.  Alternatively, employers should consider whether to use a certified PEO under the new regime established by Congress (earlier coverage  available here and here).  When using a certified PEO, the common law employer can successfully shift its liability to the PEO and is not liable if the PEO fails to comply with the payroll tax requirements of the Code.

W-2 Phishing Scam Targeting More Employers, Including Chain Restaurants and Staffing Companies

Yesterday, the IRS and state tax agencies issued a joint warning to employers that the Form W-2 phishing scam that first affected large businesses last year has now expanded to other organizations, including chain restaurants, staffing companies, schools, tribal organizations, and nonprofits.  The scam involves emails sent to payroll or human resources employees that appear to be from organization executives and request a list of all employees and their Forms W-2.  Once the scammer receives the information, it can be used to file false tax returns and claim employee refunds.

According to IRS Commissioner John Koskinen, this is one of the most dangerous phishing scams the tax world has faced in a long time.  The IRS and its state and industry partners, known as the “Security Summit,” have enacted safeguards in 2016 and 2017 to identify and halt scams such as this, but cybercriminals simply evolve their methods to avoid those safeguards.  A 2016 Government Accountability Office report found that in 2014, the IRS paid an estimated $3.1 billion in fraudulent identify theft refunds.  The report also found that the IRS prevented the payment of or recovered another $22.5 billion in identify theft refunds in the same year.  Both numbers were down from the prior year, but it is somewhat unclear whether that is a result of a change in the methodology used to calculate the estimates.

To add insult to injury, some scammers are going back to the well, by following-up on the Form W-2 request with an email requesting a wire transfer.  As a result, some entities have not only exposed their employees’ personal information and made them vulnerable to potential identify theft but also lost thousands of dollars.  Employers should ensure that payroll, treasury, and accounts payable processes and procedures are in place to prevent the unauthorized sharing of Form W-2 information and unauthorized wire transfers.

Organizations that receive a scam email should forward the email to, placing “W2 Scam” in the subject line.  In addition, organizations should file a complaint with the Internet Crime Complaint Center (IC3), which is operated by the FBI.  If an organization has already had Forms W-2 stolen, it should review the Federal Trade Commission and IRS’s recommended actions, available at and, respectively.  Employees concerned about identity theft can consult Publication 4524 and Publication 5027 for information.  If an employee’s tax return gets rejected because of a duplicate social security number, he or she should file Form 14039, “Identity Theft Affidavit.”

Earlier Deadline for Filing Forms W-2 and 1099-MISC Looms

The earlier filing deadline for the Form W-2 and a Form 1099-MISC that reports nonemployee compensation (Box 7) is fast approaching.  In prior years, electronic filers had until as late as March 31 to file copies of such forms with the IRS (or the Social Security Administration (SSA), in the case of Forms W-2).  Additionally, filers could request an automatic extension to push the deadline back another 30 days.  Many large filers requested automatic extensions in the normal course to provide extra time to clean up their filings and avoid penalties.  For 2016, however, Forms W-2 and Forms 1099-MISC reporting nonemployee compensation in Box 7 are required to be filed by January 31, 2017–the deadline for furnishing copies to recipients–regardless of whether they are filed electronically or on paper.

Section 201 of the Protecting Americans from Tax Hikes (PATH) Act, enacted last December, accelerated the filing deadlines to combat identity theft and fraudulent claims for refund.  In past years, the IRS often issued refunds to taxpayers well before filers were required to file copies of the Form W-2 with the SSA and copies of the Form 1099-MISC reporting nonemployee compensation with the IRS.  Because the IRS had to process certain tax returns and refund claims without having all of the third-party payor information, the process was susceptible to fraudulent returns claiming refunds.  The new January 31 deadline makes the payor information available to the IRS sooner, thus reducing the potential for fraud.  This change comes on top of temporary Treasury Regulations issued last year that eliminated the automatic 30-day extension for Forms W-2 and proposed Treasury Regulations that would eliminate the same extension for other information returns, including Forms 1099-MISC, when effective.  Because the proposed regulations are intended to take effect sometime after the filing of 2016 information returns, they will not affect the availability of the automatic 30-day extension for 2016 information returns.

Although the earlier deadline and elimination of automatic extensions address valid concerns, the new rules inevitably increase the risk of penalties for erroneous information returns under section 6721 of the Code.  Combined with the increased penalty rates adopted as part of the Trade Preferences Extension Act of 2015 (see prior coverage) and subsequent inflation adjustment, the new deadlines increase the risk of large penalties, particularly for large filers.  For example, many employers with large expatriate workforces use the first quarter of the year to perform tax equalization calculations and prepare tax returns for their overseas workers.  That process often results in adjustments to the Form W-2 that could previously be made before filing the forms with the SSA.  Now, those same adjustments may well result in penalties.  Although the filing of corrected Forms W-2 have not consistently attracted the automatic information reporting penalties that corrections of other information returns have historically attracted, the changes to the filing deadlines and the statutory penalty rates create cause for concern.

Given the earlier deadlines, filers should take steps now to prepare for the 2017 filing season.  For example, lining up outside vendors to prepare and print recipient copies of returns earlier in January will provide recipients with some time before the January 31 filing deadline to identify potential errors and request corrections.  Many filers have traditionally waited until late January to print and send recipient copies knowing that they had time to make corrections before the filing deadline.  That strategy is no longer prudent in the face of simultaneous IRS/SSA filing and recipient copy deadlines.  To that end, large filers should notify the departments making the payments of the earlier deadline, and instruct them to provide required information with sufficient lead time to allow for processing of the data to prepare information returns for review and timely filing.  Filers should consider setting deadlines for transmitting payment data internally early in January to allow for the earlier distribution of recipient copies.

In addition, filers of Forms 1099-MISC reporting nonemployee compensation in Box 7 should submit a Form 8809 requesting an automatic 30-day extension in January 2017 to extend the filing deadline until March 2.  This extension will provide some additional time to identify errors and make corrections before the returns are filed.  Filers who believe that a non-automatic 30-day extension is warranted for Forms W-2 should be forewarned that the IRS will only grant such an extension in extraordinary circumstances, such as a natural disaster or a fire that destroys the filer’s books and records.