Annette Nellen
Annette Nellen

TTINs and protecting taxpayer identities

Final regulations issued in July 2014 broaden the ability to use truncated taxpayer identification numbers, but more needs to be done.

September 11, 2014
by Annette Nellen, Esq., CPA

Identity thieves seek taxpayer identification numbers (TINs) for many purposes. In February, the Department of Justice reported that from 2008 through May 2012, over 550,000 taxpayers had their identities stolen with the thieves claiming false tax refunds (DOJ press release, 2/24/14). Since at least 2012, the IRS has been reporting summaries of many real stories of how thieves obtain and use TINs.

This is not a new problem. Since at least 1980, the U.S. Government Accountability Office (GAO) has studied misuse of Social Security numbers (SSN) and offered solutions. Even a 1980 report includes examples of taxpayers using stolen SSNs to obtain improper tax refunds (HRD 81-20, 12/23/80).

Various actions have been taken to reduce the risk of TIN misuse. In 2009, the IRS tested the use of truncated TINs on certain payee statements. This program has now become a permanent one with the issuance of final regulations in July 2014. Will this help reduce identity theft? This article reviews the final regulations and their history, explains some weaknesses with the system, and notes a few proposals to further reduce the risk of identity theft involving TINs.

Truncation background

Since December 2006, merchants have been required to truncate credit and debit card numbers and to omit the expiration date on electronically printed receipts given to customers at the point of sale or transaction. Truncation means that no more than the last five digits of the card number may be printed (see Fair and Accurate Credit Transactions Act of 2003, P.L. 108-159, §113, and information from the Federal Trade Commission (FTC)).

This law is the likely impetus for the pilot program the IRS launched in 2009 to allow TINs on some tax documents to be truncated for 2009 and 2010. A truncated taxpayer identification number (TTIN) shows only the last four digits, with the others represented by asterisks or X’s (e.g., ***-**-1234).

The pilot program, launched by Notice 2009-93, applied only to paper forms issued to payees using the Form 1098 series, Form 1099 series, and Form 5498 series. Only SSNs, IRS individual taxpayer identification numbers (ITIN), and IRS adoption taxpayer identification numbers (ATIN) could be truncated. The IRS sought comments on the pilot program.

To allow additional time to study the program, the IRS extended it for 2011 and 2012 (Notice 2011-38). Form 1098-C, Contributions of Motor Vehicles, Boats, and Airplanes, was removed from the program because it was determined not to be a “payee statement” but instead an “acknowledgment” form required under Sec. 170(f)(12). And the IRS again asked for comments about the program.

In January 2013, the IRS issued proposed regulations that would officially allow for limited use of TTINs (REG-148873-09). The regulations were proposed under Secs. 6042, 6043, 6044, 6045, 6049, 6050A, 6050E, 6050N, 6050P, 6050S, and 6109. The regulations under all those Code sections, many of which contain information-reporting requirements, needed to be modified to clarify that a TTIN is acceptable. Basically, the proposed regulations followed the earlier notices. While some wanted the program expanded to include Forms W-2, Wage and Tax Statement, the IRS observed that the language of Sec. 6051(a) prevented this option.

The program remained voluntary, covering the same forms as allowed by the notices. The TTIN could be used only for the payee statement, not for the statement filed with the IRS. Also, the issuer of a form could not truncate its own identifying number on an information return or payee statement. One change from the notices was allowing TTINs on both paper and electronic payee statements. The proposed regulations could be relied upon before they were final.

Final truncation rules

The final regulations released in July (T.D. 9675), mostly adopt the proposed regulations. Key changes include:

  • Employer identification numbers (EINs) may also be truncated, in response to comments that noted that some issuers could not easily separate payee forms between EINs and TINs, and did not truncate as a result. Also, some small businesses with EINs have similar privacy concerns as taxpayers using SSNs.
  • Rather than specifying which payee forms can have a TTIN, the IRS will state which forms may not use a TTIN.

The details of the TTIN system are provided at Regs. Sec. 301.6109-4. Significant compliance points of the final regulations include:

  • Use of a TTIN, where permitted, is optional, not mandatory.
  • SSNs, ITINs, ATINs, and EINs can be truncated on both electronic and paper statements provided to payees, unless prohibited, such as for W-2s.
  • TTINs are not allowed on documents filed with the IRS.
  • The issuer’s TIN may not be truncated on any form.
  • The regulations apply on and after July 15, 2014.


While reducing the number of documents with a full TIN lessens the opportunity for stealing TINs, greater efforts are needed to address identity theft issues. For example, unlike truncating of credit and debit card numbers, truncating TINs on payee statements is optional, not mandatory. And TTINs are not allowed on Forms W-2, which are issued to over 80% of individual filers.

Also, TINs are still on documents in possession of the IRS, return preparers (including those who prepare information returns), and various government and private agencies.

In addition, a TTIN will not necessarily stop an identity thief. In a study released in 2009, researchers at Carnegie Mellon University determined that SSNs can be predicted from data in the public domain, such as birth date and location because of the process used to assign each part of the three data segments that constitute an SSN. They discovered that the first five digits of an SSN are the easiest to uncover. While a different number assignment strategy could be used to solve this problem in the future, it won’t affect existing SSNs (see Acquisti and Gross, “Predicting Social Security Numbers From Public Data,” 2009—paper and FAQs).

Additional actions needed

TINs are not well-protected. They are on documents, such as Forms W-2 and 1040, stored in government and private offices in both paper and electronic formats. Many websites and paper applications that have nothing to do with taxes ask for an SSN. The electronic and paper accumulation of these documents over many decades is overwhelming. Efforts going forward to reduce the number of complete TINs does nothing to address what is already in print.

Some suggestions to help reduce the opportunities for identify theft are briefly described below.

  • Consumer education: Frequent messages through various media outlets should be issued to remind people of the many places where their SSN may exist and the actions needed to eliminate this data.
  • Follow up on recommendations: The GAO and other government agencies have performed numerous studies to discover the many government (federal, state, and local) and private agencies that use and store SSNs. Various recommendations to reduce these risks have been made and should be reviewed and acted upon (e.g., search for “Social Security Number” at the GAO website. Also see The President’s Identify Theft Task Force Report (Sept. 2008)).
  • Eliminate SSNs from Medicare cards: Despite a common warning not to carry your SSN with you, individuals on Medicare or Medicaid must provide their card, which includes their SSN, to health care providers. Various reports and proposals have been issued to end this practice, yet it continues today (see, e.g., GAO, Centers for Medicare and Medicaid Services Needs to Pursue a Solution for Removing Social Security Numbers From Cards, GAO-13-761, Sept. 2013. Also, see S. 612, Social Security Number Protection Act of 2011, and H.R. 781, Medicare Identity Theft Protection Act of 2013 (113th Congress)).
  • Additional security: Additional measures can be required before an SSN can be used to obtain a tax refund and perform certain other tax functions. For example, a password or personal identification number (PIN) can be required. S. 2736, the Tax Refund Theft Prevention Act (113th Congress), co-sponsored by Sens. Ron Wyden, D-Ore., and Orrin Hatch, R-Utah, calls for Treasury to create such a system (among other security measures proposed, including allowing TTINs on W-2s).

Looking forward

The final regulations allowing (but not mandating) TTINs on numerous types of payee statements are a significant step forward in reducing the opportunities for identity theft. Yet, as this measure is not mandatory, the rules are not comprehensive, and the rules do not completely disguise TINs, more serious actions are needed by Congress and the IRS.

For practitioners, the final regulations provide an opportunity to discuss identity theft and data security with clients and to help clients implement the TTIN regulations.

Resources on avoiding and dealing with identity theft

 Rate this article 5 (excellent) to 1 (poor). Send your responses here.

Annette Nellen, Esq., CPA, CGMA, is a tax professor and director of the MST Program at San José State University. She is an active member of the tax sections of the AICPA, ABA, and California State Bar. She is a member of the AICPA Tax Executive Committee and Tax Reform Task Force. She has several reports on tax policy and reform and a blog.