Updated Oct 16, 2023
In This Section |
|
This section contains the following topics:
|
1. General Safeguarding Procedures
Introduction |
|
This topic contains information on security and restrictions on release of tax data, including
|
Change Date |
|
September 6, 2023
|
XIV.4.B.1.a. Required Safeguards |
|
As a condition of receiving Federal tax information (FTI), the Department of Veterans Affairs (VA) must establish and maintain, to the satisfaction of the Internal Revenue Service (IRS), certain safeguards that are designed to prevent unauthorized uses of the information and to protect the confidentiality of the information.
Reference: Safeguarding procedures are located within IRS Publication 1075.
|
XIV.4.B.1.b. Security Briefings |
|
The Veterans Service Center Manager (VSCM) and Pension Management Center Manager (PMCM) shall ensure that all employees who handle FTI are briefed annually on
A security briefing must be held for each new employee as soon as they report for duty.
Important: A list of the employees attending the briefing must be maintained for two years. After subsequent briefings, the list from two years prior will be destroyed under RCS VB-1, 13-100.300.
|
XIV.4.B.1.c. Penalties for Tax Information Disclosure |
|
26 U.S.C. 7213(a)(1) provides that any Federal employee who willfully and unlawfully discloses tax return information may be
It also provides that the employee shall be discharged from employment upon conviction for an unlawful disclosure.
Note: The above disclosure restrictions and penalties apply even after employment has ended.
|
XIV.4.B.1.d. Taxpayer Civil Suit |
|
26 U.S.C. 7431(a)(1) permits a taxpayer to bring a civil suit for damages against the U.S. if any Federal employee knowingly or negligently discloses any tax return information in violation of IRC 6103.
|
XIV.4.B.1.e. Definition: Need to Know |
Need to know is defined as an individual who requires access to FTI to perform their official duties (e.g. a file is needed by an employee when the income recipient is in the office and is asking to see the information). Employees of the Board of Veterans’ Appeals (Board) are considered to have a need to know if a claim containing FTI is appealed.
Note: When access to FTI is needed, it may be obtained, but only by employees with a need to know.
Reference: For more information on transferring FTI on an appeal issue, see M21-1, Part XIV, 4.B.2.k and l.
|
XIV.4.B.1.f. Minimum Protection Standards |
|
Minimum Protection Standards are designed, by IRS, to provide agencies with a basic framework of minimum-security requirements. The objective of these standards is to prevent unauthorized access to FTI and thus requires two of the following four barriers:
Explanations of these barriers are provided in IRS Publication 1075.
Note that while two barriers are required, during duty hours, employees need not lock FTI in a locked box if they step away from their desks for a short period of time without leaving the general vicinity. They should avoid leaving FTI out in the open and should take practical measures to avoid inadvertent and unauthorized disclosures of FTI.
During non-duty hours, employees must ensure documents containing FTI are stored in a locked box or secondary locked location (security room or security container) to prevent disclosures to unauthorized personnel.
Important:
|
XIV.4.B.1.g. Transporting FTI |
|
Employees transporting FTI between a primary location to a secondary location (i.e., building to building) need to secure the FTI in a locked security container during transport.
Note: The transporting and receiving location must log the FTI in accordance with M21-1, Part XIV, 4.B.2.j.
|
XIV.4.B.1.h. FTI AWS Policy |
VA may authorize an alternate work site (AWS) for FTI if it is determined the area can be properly protected in accordance with the requirements listed in the Talent Management System course titled Safeguarding Federal Tax Information (VA 3847680) and IRS Publication 1075.
FTI remains subject to the same safeguard requirements and the highest level of security possible. Employees must follow all FTI policies and procedures when authorized to work at an AWS, including those related to
Note: Disruptions of work by family, friends, or other sources may occur. Employees must have the ability to secure information (such as computer screen locking) to be an authorized AWS that handles FTI.
|
XIV.4.B.1.i. Prohibition of Releasing FTI by Fax |
|
Faxing FTI is strictly prohibited. If FTI is faxed, it may be an improper disclosure of FTI. Refer to M21-1, Part XIV, 4.B.1.m for reporting procedures.
|
XIV.4.B.1.j. E-mailing FTI |
Do not include FTI within an e-mail or as an attachment to any recipient.
Send policy questions pertaining to FTI in an encrypted email to VAVBAWAS/CO/PENSION POL & PROC. Include only the claim number and the specific question.
Important: If FTI is included in an e-mail, it may be an improper disclosure of FTI. Refer to M21-1, Part XIV, 4.B.1.m for reporting procedures.
Note: VA Central Office employees may, on occasion, initiate e-mails containing FTI so long as the IRS guidelines in IRS Publication 1075 are met.
In accordance with IRS Publication 1075, VA Central Office personnel will ensure that
|
XIV.4.B.1.k. Releasing Information Over the Telephone |
|
VA employees may only speak directly to the individual whose FTI data was received. Speaking with a relative, spouse, or a friend even if the individual who received the income grants permission, is not allowed.
Telephone development is allowed to
Example: IRS reports dividend income of $2,000 per year; however, the claimant did not report dividend income. The VA employee calls the claimant and the claimant explains that they did not think to include the dividends as the dividend payments are set up to automatically roll over into their savings account and that the $2,000 is accurate. Since the claimant has confirmed the FTI, the VA employee can use the call as verification.
Important: VA employees may not accept a statement taken over the phone as verification of a claimant’s income if the amount is less than FTI reported by IRS and the Social Security Administration.
Reference: For information regarding disclosures to fiduciaries, see M21-1, Part XIV, 4.B.4.
|
XIV.4.B.1.m. IR Policy and Reporting Procedures |
Upon discovering a possible improper inspection or disclosure of FTI, to include breaches and security incidents, an Assistant VSCM (AVSCM) or PMCM (APMCM) must contact the office of the appropriate special-agent-in-charge, Treasury Inspector General for Tax Administration (TIGTA) immediately, but no later than 24 hours, after identification of a possible issue involving FTI.
Note: Call the local TIGTA Field Division Office first located within IRS Publication 1075. If unable to contact the local TIGTA Field Division, contact the National Office Hotline Number: 1-800-589-3718.
Concurrently to contacting TIGTA, an AVSCM or APMCM must send an incident report (IR) to the Office of Safeguards mailbox at safeguardreports@irs.gov using the IRS-approved encryption techniques. Use the term Data Incident Report in the subject line of the e-mail. The IR should include, but is not limited to:
Important: Do not include FTI in the IR. Even if all information is not available, immediate notification is the most important factor, not the completeness of the data incident report.
Note: The VSCM and PMCM shall ensure each regional office (RO) develops and maintains an IR policy that addresses roles and responsibilities pertaining to data breaches involving FTI in accordance with IRS Publication 1075, Sections 9.3.8 and 10.0.
Reference: For definitions of inspection and disclosure, see IRC 6103(b)(7) and (8).
|
XIV.4.B.1.n. Quarterly Reports Required for Improper Inspection or Disclosure of FTI |
ROs are required to submit a quarterly report, Improper Inspection or Disclosure of FTI, on the number of improper inspections or disclosures of FTI. Quarterly reports are due 14 working days after the end of the following months:
Reports are required in the following format:
Pension management centers (PMCs) must e-mail their reports to: VAVBAWAS/CO/P&F TNG QUAL OVRST. Veterans Service Centers (VSCs) must e-mail their reports to: VAVBAWAS/CO/212A.
Note: If a VSC/PMC had zero instances of improper inspections or disclosures for a particular quarter, then a negative response is required to the appropriate mailbox when the report is due.
|
2. Storing and Handling of FTI
Introduction |
|
This topic contains information on storing and handling FTI including
|
Change Date |
|
January 6, 2022
|
XIV.4.B.2.a. VSC FTI Storage |
|
VSCs must establish an orange, light-weight FTI folder for each case requiring further action. Tax return information (for example, the worksheet), must be filed in the FTI folder, previously referred to as Income Verification Match (IVM) folders. FTI folders must be kept separately in a locked file. The FTI folder must be returned to the locked files at the end of each day. There are no exceptions. Attach an overprint flash to the claims folder to alert employees that there is an FTI folder.
Important: Charge cards must be used to maintain a complete record of charge-outs and must also reflect the date files are returned to storage.
Reference: For more information on the maintenance and release of locked files, see M21-1, Part II, Subpart ii, 2.B.2.
|
XIV.4.B.2.c. Approved VBA Systems for FTI |
|
The Veterans Benefits Administration (VBA) has obtained approval to process or store FTI in the following systems:
Important: Do not store or upload FTI directly into the VBMS electronic claims folder as this system has not been approved for storage. FTI is stored in the secured FFR.
Reference: For more information on how to view FTI documents, see the FTI View Reference Guide.
|
XIV.4.B.2.d. Removing an FTI Document Within VBMS and Securely Storing in the FFR |
If a PMC/VSC employee discovers an FTI document within VBMS, outside of the restricted FTI DOCUMENTS tab, print out all FTI documents and send for imaging and storage to the secure FFR.
Once imaged and securely stored, call-in or create a service desk ticket for tracking purposes for VBMS. An AVSCM or APMCM must send an e-mail to the VBMS POC requesting deletion of the FTI documents. Use the term FTI Documents outside of the restricted FTI DOCUMENTS tab in VBMS in the subject line of the e-mail. The e-mail must contain:
Important: Do not include FTI in the e-mail. Once a confirmation e-mail is received from VBMS stating the documents in question have been deleted, close/resolve the service ticket created, if applicable. References: For more information on
|
XIV.4.B.2.f. Award Prints |
|
Keep FTI-related award prints in the claims file. Annotate the award print, See FTI Folder, to alert others that the documentation supporting the award action can be viewed in the FTI DOCUMENTS tab within VBMS.
Exception: If the award print has been annotated with FTI, the award print may no longer be stored in the claims file. It must be stored in the FTI locked file or in the FFR secure folder.
|
XIV.4.B.2.g. Destroying Contents of the Paper FTI File |
|
An FTI folder and its contents may be destroyed three years after a final decision, based on Federal tax return information, has been made by the VSC, PMC, or appellate body. Any identifying information on the file will be shredded.
Exception: The IVM worksheet from a case requiring a benefit adjustment may be destroyed 30 days after the decision becomes final.
|
XIV.4.B.2.h. Destroying Scanned FTI |
|
For any paper FTI materials imaged and stored in the secure FFR, ROs need only retain any paper FTI (which includes any extraneous copies, photo impressions, printouts, carbon paper, notes, stenographic notes, and work papers) materials for 90 days, after imaging quality control is complete.
Follow the steps in the table below when destroying paper FTI materials.
Important: After the materials have been destroyed, store the log for five years from the date of destruction of the last item on the log.
Exception: The IVM worksheet from a case requiring benefit adjustment may be destroyed 30 days after the decision becomes final.
|
XIV.4.B.2.i. Requirements for Destroying FTI |
|
FTI must be destroyed by being
Note: Microfilm and microfiche must be destroyed by burning.
|
XIV.4.B.2.j. FTI Tracking Log |
Retain an FTI tracking log to document the creation, movement, and/or destruction and content of
The designee of the PMCM or VSCM must maintain the log.
If using the log to track disposal and if all Federal tax return materials for a particular year are destroyed, the log does not have to identify each individual record destroyed. It is adequate to document that all Federal tax returns for a particular year were destroyed in accordance with established procedures.
If only part of any particular year’s tax materials is destroyed, the disposal log must record the
Note: The RO may place a paper flash on the FTI generated, in lieu of a log, so long as the required information is on the paper flash.
Example:
 Important: The log and/or paper flash may be destroyed five years after the destruction of the last item entered in the log or on the flash.
|
XIV.4.B.2.k. Transferring Paper FTI Materials When Scanning Is Possible |
|
If the claims folder is transferred to another location, the FTI must be available to the receiving location (Board, another RO, Office of Inspector General, Committee on Waivers, etc.).
Prior to sending the folder, all remaining FTI in orange light-weight folders should be scanned into the secure FFR. Once completed, a flash should be placed in the claims folder noting that FTI is contained in the secured FFR.
Important: Log the scanned FTI in accordance with M21-1, Part XIV, 4.B.2.j.
|
XIV.4.B.2.l. Transferring FTI When Scanning Cannot Be Done |
|
Follow the steps in the table below if scanning cannot be done and the paper FTI must be transferred to another RO.
Important: The transporting and receiving location logs the FTI in accordance with M21-1, Part XIV, 4.B.2.j.
|
3. Disclosure of FTI
Introduction |
|
This topic contains information on Freedom of Information Act (FOIA) requests, including
|
Change Date |
|
December 21, 2017
|
XIV.4.B.3.a. Releasing FTI |
|
FTI can be released only as permitted by IRC 6103. Generally, tax return information may be released to the taxpayer, usually the income payer or income recipient.
|
XIV.4.B.3.b. FOIA Requests for Tax Information by Someone Other Than a Taxpayer |
|
If a Freedom of Information Act (FOIA) request for tax return information is received from someone other than the tax payer, the written reply to the FOIA request must tell the requester that IRC 6103 prohibits disclosure of tax return information in response to a FOIA request and cite FOIA exemption (b)(3).
The reply also must advise the requester of the right to appeal the withholding of this information to VA’s Office of General Counsel (OGC). Questions concerning the release of tax return information to anyone other than the taxpayer should be referred to the District Counsel. To find the local OGC, see the OGC website.
|
XIV.4.B.3.c. Disclosure to POA |
|
VA may disclose tax return information to an individual or a Veteran’s service organization (VSO) designated by the individual that the tax information pertains to. For FTI purposes, the assignment of a VSO as power of attorney (POA) is restricted to five years from the date the VA Form 21-22, Appointment of Veterans Service Organization as Claimant’s Representative is signed. If the beneficiary and their spouse are both income recipients for the same tax year match, each must execute a separate POA.
The individual representative of a VSO need not be a named individual. It is sufficient that VA Form 21-22 contain the job title.
Example: “any DAV service officer,” of the VSO.
If IVM development action appears necessary and the date the VA Form 21-22 was signed exceeds five years, or will likely exceed five years before the FTI action is completed, then forward the claimant a new VA Form 21-22 to complete.
Note: If a specific person is named on VA Form 21-22, access should be limited to only that individual.
|
XIV.4.B.3.d. Prohibition of Releasing FTI to a Member of Congress |
|
Do not release FTI to a Member of Congress. If a Congressional inquiry is received as a result of a proposal to reduce or terminate benefits or after benefits have been reduced or discontinued, inform the Member of Congress that
Note: The exact amount of reduction may be furnished.
|
XIV.4.B.3.e. Releasing Non-FTI to a Member of Congress |
|
Information which is not FTI, including income information provided to VA by an income payer including copies of IRS Forms W-2 or 1040, U.S. Individual Income Tax Return, filed with the IRS, may be released to a Member of Congress only when the Member of Congress seeks the
|
XIV.4.B.3.f. Committee on Waivers Decisions |
|
Copies of Committee on Waivers decisions, including relevant tax return information, may be referred to the Debt Management Center.
|
XIV.4.B.3.g. FOIA Requests Relating to Safeguard Reports and Documents |
Safeguard Reports and related documents in possession of Federal, State, and local agencies are considered the property of the IRS. They are subject to disclosure restrictions under Federal law and IRS rules and regulations and may not be disclosed to anyone outside the agency. Use the language below to respond to a FOIA request, Sunshine or Information Sharing request, and/or Open Records provisions request to include, but not limited to:
You have requested reports that are property of the Internal Revenue Service (IRS). Any request for the release of IRS records is subject to disclosure restrictions under Federal law and IRS rules and regulations. To obtain these records, you must file a Freedom of Information Act (FOIA) request with the IRS. For more information on how to file a FOIA request with the IRS, please visit https://www.irs.gov/uac/IRS-Freedom-of-Information.
|
4. Limitation on Fiduciary Contact
Introduction |
|
This topic contains information on limitations on fiduciary contact, including
|
Change Date |
|
December 21, 2017
|
XIV.4.B.4.a. IRS Limits on VA |
|
IRS regulations do not permit VA to disclose FTI to a fiduciary for verification of FTI unless the fiduciary is a court-appointed guardian. If the corporate record shows the beneficiary is incompetent and not being paid directly, send verification letters to the beneficiary and/or beneficiary’s spouse (the person the FTI was received on).
Important: Coordination will be required with fiduciary hubs to obtain the beneficiary’s mailing address as it may differ from the fiduciary address.
Reference: For more information on notifying a Federal fiduciary of a monetary benefit, use the language found in M21-1, Part XIV, 4.B.4.f.
|
XIV.4.B.4.b. Fiduciary Worksheets Prior to Fiscal Year 2015 |
|
Prior to fiscal year 2015, worksheets for fiduciary cases were sent separately to the PMCs with a transmittal stating that the referrals were fiduciary cases. These cases must be reviewed to determine which have court-appointed guardians.
|
XIV.4.B.4.c. Verifying FTI in Court-Appointed Guardian Cases |
|
If there is a court-appointed guardian, ask the guardian to verify the FTI via a letter.
|
XIV.4.B.4.d. Verifying FTI in Federal Fiduciary Cases |
|
If the payee is a Federal fiduciary who is appointed by VA only, ask the income recipient to verify the FTI via a letter.
|
XIV.4.B.4.e. VA Fiduciary Underreported Income |
If it is determined that a VA fiduciary underreported income, notify the fiduciary activity via a letter at the time of reduction or discontinuance.
|
XIV.4.B.4.f. Notifying Federal Fiduciaries of Award Changes |
Award letters containing rate changes may be sent to a Federal fiduciary only if FTI is not contained within the letter. If FTI is contained within the letter, send a separate letter notifying the fiduciary of award changes using the following language:
We are contacting you because we have adjusted [insert beneficiary’s name] award due to federal tax information (FTI) that was previously unreported. We have sent letters directly to [insert beneficiary’s name] regarding this issue because federal law prohibits us from disclosing FTI to anyone other than the taxpayer unless the fiduciary has been appointed by a court of law. If you have been appointed fiduciary by a court of law, please provide us evidence of the appointment.
We have adjusted [insert beneficiary’s name] payments as follows:
[Insert rate and effective date table from beneficiary’s letter.]
|
5. IIR
Introduction |
|
This topic contains information on the IIR, including
|
Change Date |
|
September 6, 2023
|
XIV.4.B.5.a. Inspection of Security Procedures |
|
Every three years, a person designated by the Director must conduct an independent inspection of security procedures. Headquarters office facilities housing FTI and any agency computer facility that houses FTI must conduct an independent inspection of security procedures at least every 18 months. This review must be conducted by someone who does not access FTI and has no authority or responsibility for maintenance of claims files.
Example: A management analyst.
The schedule is located on the Pension and Fiduciary Service website under Federal Tax Information (FTI) Match.
|
XIV.4.B.5.b. Information to Include in the IIR |
|
Include the following items in the IIR:
Reference: For more information on the template for the IIR , see the Federal Tax Information (FTI) Match.
|
XIV.4.B.5.c. IIR Retention |
|
The inspection records will be filed in a separate file and for purposes of meeting IRC 6103(p)(4) requirements, will be retained for a period of five full years (even if reviewed by the IRS). At that time the inspection records may be destroyed.
|
XIV.4.B.5.d. Deficiencies |
|
If any unresolved deficiencies are noted during the reporting period, the RO management analyst (or designee) will
|
XIV.4.B.5.e. Where to Send Reports |
|
PMCs must e-mail their reports to: VAVBAWAS/CO/P&F TNG QUAL OVRST. VSCs must e-mail their reports to: VAVBAWAS/CO/212A.
|
XIV.4.B.5.f. Disclosure of the Report |
IIRs are property of the IRS subject to disclosure restrictions under Federal law and IRS rules and regulations and may not be disclosed to anyone outside the agency.
Reference: For more information on language to use when responding to a request for an IIR outside the agency, see M21-1, Part XIV, 4.B.3.g.
|
6. FTI Destruction Memo
Introduction |
This topic contains information on FTI Destruction Memo, including
|
Change Date |
September 6, 2023
|
XIV.4.B.6.a. Reporting Destroyed FTI |
Each year, all facilities that have the ability to access, store, process, and/or transmit FTI must submit an FTI Destruction Memo.
Include the following items in the FTI Destruction Memo:
Note: The FTI Destruction Memo must be signed by the Director (electronic or wet signature) or designee.
Reference: The Office of Field Operations disseminates the FTI Destruction Memo via e-mail by December 1st of the reporting calendar year.
|
XIV.4.B.6.b. When to Submit the FTI Destruction Memo |
The FTI Destruction Memo is due no later than January 5th of the next calendar year (i.e. January 5, 2018, to report calendar year 2017 FTI destroyed).
|
XIV.4.B.6.c. Where to Send Reports |
PMCs must email their reports to: VAVBAWAS/CO/P&F TNG QUAL OVRST. VSCs must email their reports to: VAVBAWAS/CO/212A.
|
XIV.4.B.6.d. Disclosure of the FTI Destruction Memo |
FTI Destruction Memos are property of the IRS subject to disclosure restrictions under Federal law and IRS rules and regulations and may not be disclosed to anyone outside the agency.
Reference: For language to use when responding to a request for an FTI Destruction Memo outside the agency, please see M21-1, Part XIV, 4.B.3.g.
|