Proposed Regulations Would Allow Truncated SSN on Forms W-2 Furnished to Employees

The IRS recently issued proposed regulations that would allow employers to truncate employees’ social security numbers (SSNs) on copies of Forms W-2 furnished to employees, to help protect employees from identity theft.  The truncated SSNs must appear in the form of IRS truncated taxpayer identification numbers (TTINs): the first five digits of the nine-digit SSN are replaced with Xs or asterisks.  For example, a TTIN replacing an SSN appears in the form XXX‑XX‑1234 or ***‑**‑1234.  Employers may also use TTINs on Forms W-2 furnished to employees for payment of wages in the form of group-term life insurance.  But as with information returns filed with the IRS, employers cannot use TTINs on copies of the Forms W-2 filed with the Social Security Administration.   If finalized, these regulations would be applicable to Forms W-2 required to be furnished after December 31, 2018, due to concerns with providing state tax administrators sufficient time to accommodate TTIN usage on Forms W-2.  Comments on the proposed regulations are due by December 18, 2017.

The proposed regulations reflect statutory changes made in late 2015 by section 409 of the Protecting Americans from Tax Hikes (PATH) Act.  Section 409 of the PATH Act amended Code section 6051(a)(2) by striking “his social security account number” from the list of information required on Form W-2 and inserting “an identifying number for the employee” instead.  The IRS already permitted the usage of TTINs on a number of information returns furnished to payees including Forms 1095, 1099, 1098, and others.  The use of TTINs is intended to help reduce identity theft by reducing the number of documents that include both an individual’s name and TIN.

Employers Likely Need to Update Their Processes Based on New Requirements for Employer Refund Claims of FICA and RRTA Taxes

On March 20, the IRS released Rev. Proc. 2017-28, providing guidance to employers on employee consents used to support a claim for credit or refund of overpaid taxes under the Federal Insurance Contributions Act (FICA) and the Railroad Retirement Tax Act (RRTA). The revenue procedure requires the employee consent to contain, among other information, the basis for the refund claim and a penalties of perjury statement. In addition, it permits employers to request, receive, and retain employee consent electronically, and clarifies the “reasonable efforts” an employer must make, if it fails to secure employee consent, to claim a refund of the employer’s share of overpaid FICA or RRTA taxes. Many of the requirements in the revenue procedure were included in a proposed revenue procedure contained in Notice 2015-15. Rev. Proc. 2017-28 also provides the circumstances under which an employee consent may use a truncated taxpayer identification number (TTIN).  Employers will need to review the new requirements and update their existing FICA refund process to ensure that process satisfies the new requirements.


Treasury Regulation section 31.6402(a)-2 provides general rules for employers to claim refunds of overpaid FICA and RRTA taxes. An employer must file the refund claim on the form prescribed by the IRS (e.g., Form 941-X) and designate the return period to which the claim relates, explain the grounds and facts supporting the claim, and meet other requirements under the regulations and the form’s instructions. An employer that is granted a tax refund of FICA or RRTA taxes (including any applicable interest) must give the employee his or her share.

To protect an employee’s interests, the regulations prohibit the refund of the employer share unless the employer (a) has first repaid or reimbursed the employee, or (b) has included a claim for refund of the employee share of FICA or RRTA taxes, along with the employee’s consent. Similarly, to claim refund of the employee share, the employer must certify that the employer has repaid or reimbursed the employee share or has secured the employee’s written consent for the refund claim, except to the extent taxes were not withheld from the employee. But these requirements do not apply, and the employer may claim refund for the employer share, to the extent that either (a) the taxes were not withheld from the employee’s compensation; or (b) the employer cannot locate the employee or the employee will not provide consent after the employer has made reasonable efforts to either secure the employee’s consent or to repay or reimburse the employee.

New Rules on Requesting and Retaining Employee Consent

45-day consent period. A request for consent must give employees a reasonable period of time to respond, not less than 45 days. The request must clearly state: (a) the purpose of the employee consent; (b) that the employer will repay or reimburse the employee share (including allocable interest) to the extent refunded by the IRS; and (c) that an employee cannot authorize the employer to claim a refund on the employee’s behalf for any overpaid Additional Medicare Tax. A request for consent may include an express presumption that if an employee’s response has not been received by the employer during the specified time period, the employee will be considered as having refused to provide the employee consent. However, a failure to respond may not be deemed consent. A request for consent also may include a request that the employee keep the employer informed about any change in the employee’s mailing address or email address.

Electronic Consent. An employer may establish a system to request, furnish, and retain employee consent in an electronic format that ensures the authenticity and integrity of the electronic signature and record. Although an employer may use electronic consent, the employer must provide an employee, upon request, the option to review the consent request and to provide the consent in paper format.

Reasonable Efforts. An employer may claim a refund of the employer share of FICA and RRTA tax without obtaining employee consent only if the employer makes “reasonable efforts” to repay or reimburse the employee or secure the employee’s consent and the employer cannot locate the employee or the employee will not provide consent. The reasonable efforts rule is satisfied if an employer fulfills the following requirements.

  • Request for consent. The employer properly requests the employee’s consent.
  • Email receipt acknowledgement. Any electronic request for consent asks the employee to affirmatively acknowledge the request (e.g., by clicking on a voting button (YES) or by sending a reply message). A read-receipt message is not sufficient.
  • Record retention. The employer retains a record of sending the request for consent, including the mailing or personal delivery record, the email record (including any receipt acknowledgement), or the employee’s reply declining the request.
  • Second delivery attempt. If the employer’s initial request fails to be delivered, the employer must attempt to secure consent a second time, with a 21-day response period from the date of the second request. In particular, if a mailing is undeliverable, the employer must make a good faith attempt to determine the employee’s current address and if a new address is discovered, send the request again by mail or personal delivery. Alternatively, the employer can email the request to the employee. If an email is undeliverable (e.g., due to problems with the employee’s email address) or if the employee does not acknowledge receipt of the email, the employer must send a request in paper to the employee’s last known address by mail or personal delivery.

New Rules on Employee Consent

Required Items. Employee consents are subject to a list of requirements, two of which are noteworthy. First, the employee must identify the specific basis of the refund claim. The revenue procedure provides a detailed example: “request for refund of the social security and Medicare taxes withheld with regard to excess transit benefits provided in 2014 due to a retroactive legislative change.” It is unclear how detailed the basis provided must be to satisfy this requirement. Second, the consent must contain the employee’s signature under a penalties of perjury statement. The penalties of perjury requirement will complicate efforts to obtain employee consents and written statements as employees are often reluctant to sign documents under threat of perjury even when they are certifying true statements. This is particularly true with regard to former employees.

In addition to the two requirements described above, an employee consent must:

  • contain the employee’s name, address, and taxpayer identification number (TIN);
  • contain the employer’s name, address, and employer identification number (EIN);
  • contain the tax period(s), type of tax (e.g., social security and Medicare taxes), and the amount of tax for which the employee consent is provided;
  • state that the employee authorizes the employer to claim a refund for the overpayment of the employee share; and
  • with regard to refund claims for employee tax overcollected in prior years, include the employee’s written statement certifying that the employee has not made previous claims (or that the claims were rejected) and will not make any future claims for refund of the overcollected amount.

Use of TTIN. To address concerns regarding identity theft, the revenue procedure allows the use of a TTIN in place of the employee’s complete social security number (SSN) if the employer prepares the employee consent and prepopulates the TIN field with the TTIN. A TTIN may not be used, however, if the employer requests the SSN as the employee’s TIN or if the employee furnishes the TIN as part of the consent.

As a result of the new guidance, many employers will need to update their employee consent procedures to comply with the new rules, most of which are not specified in the Code or the implementing Treasury regulations. FICA tax overpayments frequently occur, and failure to obtain the proper employee consent, or failure to follow the procedures for requesting consent, can delay the employer’s refund claim. The new requirements apply to employee consents requested on or after June 5, 2017.