Tax professionals filing electronically need to get IRS form 8879 or form 8878 signed by their clients. However, traditional e-signature services do not support the IRS electronic signature requirements, specifically the knowledge-based authentication (KBA) requirement for electronic signatures performed remotely. This requirement is provided both in the latest IRS guidance and in IRS Publication 1345.
Meeting IRS Requirements
An electronic return originator (ERO) really has three options to get forms 8879 or 8878 signed by the client:
- Hand-written signature: When you opt to use hand-written signatures, also known as wet signatures, clients must sign paper copies.
- Electronic signature in person: If you are asking the client to visit you for the signature, using an e-signature instead of a wet signature helps you reduce your paper overheads and maintains digital records. The IRS requires that in this case the ERO must inspect a valid government picture identification; compare picture to applicant; and record the name, social security number, address and date of birth. If this verification has been performed for a prior year return, it need not be repeated.
- Remote electronic signature: This requires knowledge-based authentication (KBA). Specifically, your electronic signature must perform identity verification that complies with National Institute of Standards and Technology (NIST) Special Publication 800-63, Electronic Authentication Guideline, Level 2 assurance level.
Can You Use KBA?
While a remote e-signature is convenient, KBA makes it expensive for you and hard to use for your clients.
- Expensive: E-signature services that do support KBA are very expensive: RightSignature for instance offers it in their $99/month plan, Signix charges $300/month, and DocVerify charges extra for KBA for each e-signature in addition to requiring their upper tier monthly plan to even enable the KBA option.
- Answering the KBA questions is hard for clients: KBA-compliant identity verification typically involves answering 4 or more personal information questions selected from credit records or similar sources. Each question, and the entire set, must be answered within a specific time limit. No more than 2 or 3 failed attempts are allowed, and answering even one question wrong marks the entire set of 4 (or more) questions as a failed attempt, so another 4 (or more) new questions need to be answered correctly after a failed attempt. Such a process is often followed for getting access to your credit report, and you can try out how hard it is by attempting to request a free credit report from any of the major credit bureau websites.
- It is not very safe: With over 140 million credit reports stolen in large scale incidents including the Equifax breach, and given that the KBA system used by the IRS itself was hacked, the expense and inconvenience of KBA may not really protect anyone.
In addition to going through KBA, the IRS also requires that the signer's name, address, date of birth, and the social security number be recorded during the e-signature process. Entering such information into a third party website often raises concerns for clients both from an identity theft perspective and because the client may have negative information on their credit report that they do not want shared with any third parties. You do not want to waste time answering extra questions to explain why this is OK.
A More Client-Friendly Approach
The IRS guidance specifically states that hand-written signatures (wet signatures), even when performed remotely and sent to the ERO by email or an Internet-based service, are not considered electronic signatures. As a result, the KBA requirements do not come into play.
This makes it possible to create a client-friendly approach to get the form 8879 signed without requiring your client to visit you and without you having to track snail-mail and paper copies.
The idea is to first send the prepared form 8879 securely to the client, but without adding road blocks such as signing up for a portal account or remembering their old password from the last year. The client prints their form and sends you a picture from their smartphone, again securely, but without having to enter any passwords. The process works in the following two steps:
Step 1: Prepare the form 8879 or 8878 using your tax or accounting software as you normally do. To send it securely, without requiring clients to deal with account signups and passwords, send it using Encyro. Log in to your Encyro account (sign up here to get an account if you do not have one), and compose a new message. If you use the Encyro Outlook Addin, you can send a secure message from Outlook itself.
Attach the 8879 (or 8878) and enter the client's email address (the form itself will not be sent to the email address, but a secure message notification will be).
You may customize the following template for your Encyro secure message content:
Please download, print and sign the attached IRS Form 8879. Your signature is required to submit your tax return on time. Once signed, please see my other email with Subject "Step 2: Return your signed 8879".
Step 2: Send a plain-text email to the client (a secure message is not required because this email does not contain sensitive data) asking them to access your Encyro upload page from their smartphone and upload a photo of the signed 8879 form. If you do not have an Encyro upload page yet, sign up here for a free trial and, once logged in, click on "My Upload Page" to create one (more details). An Encyro upload page allows a client to send you a secure message without a password but does not give access to any previously stored data (see example).
You may customize the following email template to email your client:
Please open this email on your smartphone and visit my upload page: https://www.encyro.com/<yourUploadAddress>.
Then click the "Browse or Take Photo" button to take a clear picture of the signed form 8879. Click Submit. This ensures that your form is sent securely (kindly do not email the signed form because email is not secure).
Remember to replace the upload page address in your email with your Encyro upload page address.
The two-step approach above is convenient for clients because they do not have to visit you physically. You save valuable time and do not have to track paper documents in snail-mail.
The table below summarizes the steps:
| Step | What you do | What your client does |
|---|---|---|
| Step 1 | Log in to Encyro and send the 8879 to your client with a secure message asking them to print and sign. | Accesses message with one click (no password needed unless they have an Encyro account). Client prints and signs. |
| Step 2 | Send an email (not encrypted) asking client to upload the signed 8879 securely on your upload page from their smartphone camera. | Client accesses your email on a smartphone, clicks the upload page link and takes a picture of their signed form to upload securely. |
Get a free Encyro trial here to start sending and receiving messages and files securely without requiring clients to sign up for any new accounts.