PCLIA #7509 Report

Date of Approval: April 06, 2023

PIA ID Number: 7509

SYSTEM DESCRIPTION

Enter the full name and acronym for the system, project, application and/or database.

Bank Discrepancy, Bank Disc

Is this a new system?

Is there a PCLIA for this system?

Yes

What is the full name, acronym, and milestone of the most recent PCLIA?

Bank Discrepancy, BANK DISC, previous PCIA 4639

What is the approval date of the most recent PCLIA?

3/2/2020

Changes that occurred to require this update:

Expiring PCLIA

Were there other system changes not listed above?

What governance board or Executive Steering Committee (ESC) does this system report to? Full

name and acronym.

W&I Risk Committee

Current ELC (Enterprise Life Cycle) Milestones:

Operations & Maintenance (i.e., system is currently operational)

Is this a Federal Information Security Management Act (FISMA) reportable system?

Yes

GENERAL BUSINESS PURPOSE

What is the general business purpose of this system? Provide a clear, concise description of the

system, application or database, the reason for the system, and the benefits to the IRS to use the

information, and how the information will be used.

The Bank Discrepancy program is used by Accounting Operations to control and track bank

discrepancy inventories. The Bank Discrepancy Application controls and monitors

Unresolved Debit Vouchers (Standard Form (SF) 5515) received from depositaries which

indicate discrepancies between the original Deposit Ticket (SF 215A) and the supporting

checks such as: Encoding Errors, Slipped Blocks, piggyback checks, lost checks, and

improper SF 5515 charge backs. The federal tax deposits that business owners make to banks

to pay their quarterly taxes are not part of the bank discrepancy inventories. The Internal

Revenue Service (IRS) deposits all monies paid to IRS by the taxpayer. Discrepancies occur

when input errors in depositing the checks are encoded incorrectly. For example: the

taxpayer writes a check for $1,000.00, IRS encodes the check for $10,000.00 in error. The

depositary will return the $9,000.00 debit voucher back to IRS. The Bank Discrepancy

Application controls the returned Debit Voucher until the taxpayer is debited for the

$9,000.00 via the Dishonored Check File database. The application controls these cases by

systemically assigned sequence numbers for each debit voucher or deposit ticket number

entered. History is retained for each case. Baseline or customized reports can be generated

for management use. Managers, administrators, and account technicians for Bank

Discrepancy will have access to the data. This access is determined by the manager based on

a user's position and need-to-know. All data is manually input into the system. IRS

employees manually research/pull personally identifiable information (PII) data from

Integrated Data Retrieval System (IDRS). This is a manual interaction and not systemic one.

PII DETAILS

Does the system use, collect, receive, display, store, maintain, or disseminate IR Code 6103

taxpayer information: or any other type of Sensitive but Unclassified (SBU) information or PII

such as information about IRS employees or outside stakeholders?

Yes

Does the system use, collect, receive, display, store, maintain, or disseminate Social Security

Numbers (SSN's) or tax identification numbers (i.e., last 4 digits, etc.)?

Yes

What types of tax identification numbers (TIN) apply to this system?

Social Security Number (SSN)

List the approved Treasury uses of the SSN:

Interfaces with external entities that require the SSN

Legal/statutory basis (e.g., where collection is expressly required by statute)

Explain why the authorized use(s) above support the new or continued use of SSNs (or

tax identification numbers).

The Office of Management and Budget Circular A-130 requires that federal agencies

develop a mitigation or elimination strategy for systems that use SSNs, which the

Service continues to develop strategies to meet. An exception to that requirement is

when the SSN is uniquely needed to identify a user's record. ISR-S requires the use

of SSN's because no other identifier can be used to uniquely identify a taxpayer at

this time.

Describe the planned mitigation strategy and forecasted implementation date to mitigate

or eliminate the use of SSN's (or tax identification numbers).

The BANK DISC system requires the use of SSNs because no other identifier can be

used to uniquely identify a taxpayer at this time. SSNs are permissible from Internal

Revenue Code (IRC) 6109, which requires individual taxpayers to include their SSNs

on their income tax returns.

Employer Identification Number

Other Taxpayer Identification Number

Does this system use, collect, receive, display, store, maintain or disseminate other (non-SSN)

PII (i.e., names, addresses, etc.)?

Yes

Specify the PII Elements:

Name

Mailing Address

Tax Account Information

Does this system use, collect, receive, display, store, maintain, or disseminate SBU information

that is not PII?

Yes

Specify the types of SBU from the SBU Types List:

Agency Sensitive Information - Information which if improperly used or disclosed could

adversely affect the ability of the agency to accomplish its mission.

Official Use Only (OUO) or Limited Official Use (LOU) - Information designated as OUO

or LOU is information that: is exempt under one of the statutory Freedom of Information Act

exemptions; is prohibited by other laws or regulations; would significantly impede the

agency in carrying out a responsibility or function; or would constitute an unwarranted

invasion of privacy.

Are there other types of SBU/PII used in the system?

Cite the authority for collecting SBU/PII (including SSN if relevant).

PII for federal tax administration is generally Internal Revenue Code Sections 6001, 6011, &

6012e(a)

SSN for tax returns and return information is Internal Revenue Code Section 6109

PII about individuals for Bank Secrecy Act compliance 31 USC

Has the authority been verified with the system owner?

Yes

BUSINESS NEEDS AND ACCURACY

Explain the detailed business needs and uses for the SBU/ PII, and how the SBU / PII is limited

only to that which is relevant and necessary to meet the mission requirements of the system. If

SSNs (or tax identification numbers) are used, explicitly explain why use of SSNs meets this

criteria. Be specific.

Each data item is required to gather history from time of receipt to closing of each debit

voucher (DV) or deposit ticket (DT). The application is a control and tracking system for DV

and DT received from the depository.

How is the SBU/PII verified for accuracy, timeliness, and completion?

Each DV or DT is balanced prior to being entered on the application, meaning they are

crosschecked for verification purposes when assigned on the application. All reports have an

indicator that denotes cases that are over 90 days old. An age report can be generated and

customized to generate specific age dates.

PRIVACY ACT AND SYSTEM OF RECORDS

The Privacy Act requires Federal agencies that maintain a system of records to publish systems

of records notices (SORNs) in the Federal Register for records from which information is

retrieved by any personal identifier for an individual who is a US citizen, or an alien lawfully

admitted for permanent residence. The Privacy Act also provides for criminal penalties for

intentional noncompliance.

Does your application or this PCLIA system pertain to a group of any record from which

information is retrieved by any personal identifier for an individual who is a US citizen, or an

alien lawfully admitted for permanent residence? An identifier may be a symbol, voiceprint,

SEID, or other personal identifier that is used to retrieve information.

Yes

Identify the Privacy Act SORN(s) that cover these records.

IRS 24.030 Customer Account Data Engine Individual Master File

IRS 24.046 Customer Account Data Engine Business Master File

RESPONSIBLE PARTIES

Identify the individuals for the following system roles:

## Official Use Only

INCOMING PII INTERFACES

Does the system receive SBU/PII from other systems or agencies?

Yes

Does the system receive SBU/PII from IRS files and databases?

Yes

Enter the files and databases:

System Name: Integrated Data Retrieval System (IDRS)

Current PCLIA: Yes

Approval Date: 10/26/2021

SA&A: Yes

ATO/IATO Date: 9/20/2022

Does the system receive SBU/PII from other federal agency or agencies?

Does the system receive SBU/PII from State or local agency (-ies)?

Does the system receive SBU/PII from other sources?

Does the system receive SBU/PII from Taxpayer forms?

Yes

Please identify the form number and name:

Form Number: 5515

Form Name: Unresolved Debit Vouchers

Does the system receive SBU/PII from Employee forms (e.g., the I-9)?

DISSEMINATION OF PII

Does this system disseminate SBU/PII?

PRIVACY SENSITIVE TECHNOLOGY

Does this system use social media channels?

Does this system use privacy-sensitive technologies such as mobile, global position system

(GPS), biometrics, RFID, etc.?

Does the system use cloud computing?

Does this system/application interact with the public?

INDIVIDUAL NOTICE AND CONSENT

Was/is notice provided to the individual prior to collection of information?

Yes

How is notice provided? Was the individual notified about the authority to collect the

information, whether disclosure is mandatory or voluntary, the purpose for which the

information will be used, with whom the information may be shared, and the effects on the

individual, if any, if they decide not to provide all or any of the requested information?

Notice, consent, and due process are provided via IDRS and in the tax forms and instructions

filed by the taxpayer, and pursuant to 5 USC.

Do individuals have the opportunity to decline from providing information and/or from

consenting to particular uses of the information?

Yes

Describe the mechanism by which individuals indicate their consent choice(s):

Notice, consent, and due process are provided via IDRS and in the tax forms and instructions

filed by the taxpayer, and pursuant to 5 USC.

How does the system or business process ensure 'due process' regarding information access,

correction, and redress?

Notice, consent, and due process are provided via IDRS and in the tax forms and instructions

filed by the taxpayer, and pursuant to 5 USC.

INFORMATION PROTECTION

Identify the owner and operator of the system (could be IRS owned and Operated; IRS owned,

contractor operated; contractor owned and operated).

IRS Owned and Operated

The following people have access to the system with the specified rights:

IRS Employees

Users: Read Only

Managers: Read Write

System Administrators: Read Write

How is access to SBU/PII determined and by whom?

Managers in Campus Accounting Dishonored Check function will approve users via

BEARS. System Administrators/Managers determine access level for each user.

RECORDS RETENTION SCHEDULE

Are these records covered under a General Records Schedule (GRS, IRS Document 12829), or

has the National Archives and Records Administration (NARA) approved a Records Control

Schedule (RCS, IRS Document 12990) for the retention and destruction of official agency

records stored in this system?

Yes

How long are the records required to be held under the corresponding GRS or RCS, and how

are they disposed of? In your response, please provide the GRS or RCS chapter number, the

specific item number, and records series title.

Bank Discrepancy data is approved for deletion/destruction 6 years, 3 months after the period

covered by the account (Job No. N1-58-11-3, approved 6/5/12). These disposition

instructions are published in Document 12990 under Records Control Schedule (RCS) 29,

item 157. Any records generated and maintained by the system will be managed according to

requirements under IRM 1.15.1 and 1.15.6 and will be destroyed using IRS Records Control

Schedule (RCS) 29, and as coordinated with the IRS Records and Information Management

(RIM) Program and IRS Records Officer.

SA&A OR ASCA

Has the system been through SA&A (Security Assessment and Authorization) or ASCA (Annual

Security Control Assessment)?

Yes

What date was it completed?

1/4/2022

Describe the system's audit trail.

Audit trail records for the transactions identified above includes the following data elements,

where applicable: The type of event (e.g., command code), the terminal and employee

identification, date and time of input, and account accessed to include the Taxpayer

Identification Number (TIN), Master File Tax (MFT), and tax period. Bank Discrepancy is

following the appropriate audit trail elements pursuant to current Audit Logging Security

Standards.

PRIVACY TESTING

Does the system require a System Test Plan?

Yes

Is the test plan completed?

Yes

Where are the test results stored (or documentation that validation has occurred confirming that

requirements have been met)?

Treasury FISMA Inventory Management System.

Were all the Privacy Requirements successfully tested?

Yes

Are there any residual system privacy, civil liberties, and/or security risks identified that need to

be resolved?

Describe what testing and validation activities have been conducted or are in progress to verify

and validate that the applicable Privacy Requirements (listed in header) have been met?

The applications System Security Plan (SSP) show the results of the Privacy Controls in

Section 5. All Privacy controls were either tested or validated during the assessment. Bank

Discrepancy is currently in the Operations and Maintenance phase of its lifecycle.

Continuous Monitoring (now called Annual Security Control Assessment) occurs annually to

ensure that controls remain in place to properly safeguard PII.

SBU DATA USE

Does this system use, or plan to use SBU Data in Testing?

NUMBER AND CATEGORY OF PII RECORDS

Identify the number of individual records in the system for each category:

IRS Employees: Under 50,000

Contractors: Not Applicable

Members of the Public: 100,000 to 1,000,000

Other: No

CIVIL LIBERTIES

Does the system maintain any information describing how any individual exercises their rights

guaranteed by the First Amendment?

Is the system information used to conduct 'data-mining' as defined in the Implementing

Recommendations of the 9/11 Commission Act of 2007, Public Law 110-53, Section 804?

Will this system have the capability to identify, locate, and monitor individuals or groups of

people?

Does computer matching occur?

ACCOUNTING OF DISCLOSURES

Does the system include or require disclosure of tax or employee information to anyone other

than IRS employees in the performance of their duties, or to the person to whom the information

pertains or to a 3rd party pursuant to a Power of Attorney, tax, or Privacy Act consent?