
Mellon Bank EFT File Transfer using Secure Drop Box Server

 

Privacy Impact Assessment – Mellon Bank EFT File Transfer using Secure Drop Box Server

Mellon EFT System Overview

This interconnection security agreement between Mission Assurance, Enterprise Networks and Enterprise Operations documents a very real and very near-term IRS business requirement to transfer EFT files between Mellon Bank (Pittsburgh) and the mainframes at the Martinsburg Computing Center and Tennessee Computing Center via an extension of the Enterprise File Transfer Utility (EFTU). The EFTU supports multiple source and destination transfer points, schedules the file transfers, checks file integrity and checks file transfer requests against a set of file transfer rules. The EFTU supports only those file transfers that have been approved and scheduled. Each combination of transfer points represents a unique program or application requirement.

The Mellon Bank EFT Transfer generates a payment request to a clearing house bank for the monthly installment agreement payments.  It then generates a credit to the taxpayer when the money is deposited to the IRS.  It then retains the taxpayer’s bank information.  If a notification is given by the clearing house bank that there is no payment, then the credit will be reversed and a penalty is generated.

The IRS Electronic Funds Transfer System (EFT) generates either a monthly payment request or a pre-note verification to our Automated Clearing House (ACH) vendor, MELLON Bank, Pittsburgh, PA. The payment requests are our monthly Direct Debit installment agreement payments (DDIAs). When a payment request is generated, the IRS credits the taxpayer account with the amount to be collected. If a payment request is not satisfied or a taxpayer bank account cannot be verified, MELLON Bank sends a notification to the IRS indicating the reason. The IRS will then reverse the credit and issue a penalty if appropriate, or contact the taxpayer for correct bank information.

The IRS currently XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX two EFT files (EFT 1211 and EFT 1801) to/from Mellon Bank, our ACH vendor. There could be as many as 10 EFT1211 files each weekday (Mon-Fri) one for each Service Center ALN’s that are transmitted via MITRONS to Mellon Bank. The EFT1801 file is transmitted to the IRS from MELLON. There could be a maximum of 10 files each day and as few as zero (this is dependent on payment requests not being collected or bad pre-notes).

The EFT 1211 File contains – Taxpayer name, SSN/EIN, Bank account info and payment amount. The EFT 1801 File contains – Taxpayer name, SSN/EIN, Bank account info and payment amount.

System of Records Number(s)

Treasury/IRS 30.003 Requests for Printed Tax Materials Including Lists

Data in the System

1. Describe the information (data elements) available in the system in the following categories. (Provide copy of data dictionary if available.)

A. Taxpayer
B. Employee (including employee log-in info)
C. Other (Describe)


A,B,&C – Taxpayer data is on IRS forms discussed.  The data is merely passed through and temporarily stored in the drop box.  There is no employee data other than audit trails.  There is system-generated information.  Data files that are sent from IRS, Campuses, are SBU files.  The EFT 1211 files are Direct Debit Installment Agreement for Delinquent Taxpayer Accounts that have signed Installment Agreements with the IRS. These files are issued to Mellon Bank currently via XXXXX XXXXX XXXXX XXXXX. The proposed method of transfer for these EFT 1211 files is through the XXXXX XXXXX XXXXX XXXXX.

The only employee access to the drop box server will be by designated Systems Administrators from Tier 2 for regular scheduled maintenance and any downtime of the server.

The drop box server has no other users. The server is designed to be a secure pass-through system that will temporarily store data files sent from Mellon Bank. A Work Order script runs on the drop box server that sends the data file control record information via File Transfer Protocol (FTP) to the Enterprise File Transfer Utility (EFTU) XXX XXX XXX. The data file control record is checked against pre-established data file parameters in the EFTU 12038 control database. If all parameters of the control record fit those registered in the EFTU control database, then EFTU initiates an FTP pull of the data file from the drop box server. EFTU then sends an FTP message to the XXXXX XXXXX XXXXX that runs the Mellon Bank EFT data files. If the XXXXX XXXXX is up and ready to receive the data file, then EFTU initiates an FTP push. This process goes in reverse for those data files initiated on the XXXXX XXXXX destined for Mellon Bank.
 
2. Describe/Identify which data elements are obtained from files, databases, individuals, or any other sources:

A. IRS
B. Taxpayer
C. Employee
D. Other Federal Agencies (List agency)
E. State and Local Agencies (List agency)
F. Other third party sources (Describe)

A,B,C,D,E,F – Only data file indicators will be passed through the EFTU12038 database. This database will contain – File Name, File Size, File Frequency, File Owner, File Destination, Internet Protocol (IP) address for Internal IRS Campus/Computing Center customers plus the secure drop box server and Password, Time of day file is processed, cycle time, file owner email and phone number, and Point of Contact for error resolution.

IRS Campuses, Tennessee Computing Center (TCC) and Martinsburg Computing Center (MCC) will issue these EFT 1211 files to Mellon Bank, Pittsburgh.  Mellon Bank issues a return bank reject file, EFT 1801, that contains Taxpayer SSN, Bank Account info, and payment amount that was not collected.  IRS Mission Assurance requires that every internal project that will send/receive data files from the IRS to an external partner MUST complete an Interconnect Security Agreement (ISA).  The ISA is used to verify an external source server.  Also XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX.

3. Explain why each data item is needed for the business purpose of the system. 

The data items from Mellon are used to verify whether a taxpayer account is fulfilled.  Mellon is the designated ACH bank for this EFT Transfer supporting Offers in Compromise. 

4. a. How will each data item be verified for accuracy, timeliness and completeness?

The data files sent in from Mellon Bank are only those files that indicate that a taxpayer does not have sufficient funds to cover their Offer in Compromise. These data files are checked for accuracy, timeliness and completeness by the EFT runs on the XXXXX XXXXX. EFTU will only authenticate the data file if it is pre-established on the EFTU 12038 database. This database is used to control, authenticate and authorize data file transfers from the drop box server to EFTU.
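
The control-record check described in the answers to questions 1 and 4.a, sketched as an added example (not IRS or EFTU code): a transfer is refused unless its control record matches a pre-registered entry. The record layout, field names and sample values are assumptions built from the field list given under question 2.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address


@dataclass(frozen=True)
class Registration:
    """One pre-established entry (hypothetical layout, not the EFTU 12038 schema)."""
    file_name: str
    owner: str
    source_ip: str
    destination: str
    max_size: int
    window: tuple  # (start, end) time of day in which the file is expected


def check_control_record(record: dict, registry: dict) -> list:
    """Return the reasons to refuse the pull; an empty list means authorized."""
    reg = registry.get(record.get("file_name"))
    if reg is None:
        return ["file name not registered"]  # deny by default
    reasons = []
    if record.get("owner") != reg.owner:
        reasons.append("owner mismatch")
    try:
        if ip_address(record.get("source_ip", "")) != ip_address(reg.source_ip):
            reasons.append("source IP mismatch")
    except ValueError:
        reasons.append("source IP malformed")
    if record.get("destination") != reg.destination:
        reasons.append("destination mismatch")
    size = record.get("size")
    if not isinstance(size, int) or not 0 < size <= reg.max_size:
        reasons.append("size outside registered limit")
    start, end = reg.window
    received = record.get("received")
    if not isinstance(received, time) or not start <= received <= end:
        reasons.append("outside registered time of day")
    return reasons


# Constructed sample data: names, addresses and limits are invented.
REGISTRY = {"EFT1801.SAMPLE": Registration(
    "EFT1801.SAMPLE", "owner-a", "192.0.2.10", "mainframe-a",
    5_000_000, (time(1, 0), time(5, 0)))}
GOOD = {"file_name": "EFT1801.SAMPLE", "owner": "owner-a", "source_ip": "192.0.2.10",
        "destination": "mainframe-a", "size": 120_000, "received": time(2, 30)}
BAD = dict(GOOD, source_ip="198.51.100.7", size=9_000_000)
UNKNOWN = dict(GOOD, file_name="EFT9999.SAMPLE")
```

Returning every failed parameter, rather than stopping at the first, gives the point of contact for error resolution a complete picture of why a file was refused.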

4. b. Is there another source for the data that is more reliable? Explain why that source is not being used.  NO.

5. How will the data generally be retrieved by the users?

EFTU uses the file naming convention of the data file being transmitted to check against a pre-established entry in the EFTU 12038 database.

6. Can the data be retrieved by a personal identifier (name, SSN, or other unique identifier)?   If yes, explain when it will be retrieved this way.

EFT 1801 contains Taxpayer Name, SSN/TIN, Bank account and rejected payment request or rejected pre-note request. It is not typically retrieved by this indicator.

Access to the Data

7. Who will have access to the data in the system?  (Users, Managers, System Administrators, Developers, Other)


Database Administrators will have access for updating data in the 12038 database. System Administrators will have access for routine maintenance and error resolution.

8. How is user access to the data determined and by whom?  Describe the procedures and persons responsible for determining access.  Include a description of the process used to determine "need to know" for different categories of users.

All Users of EFTU and the Drop Box server must pre-register for EFTU by submitting an OL-5081, Form 12038, EFTU registration Form and pre-establishing their data file transfers in the EFTU 12038 database. Campuses/TCC/MCC issue EFT 1211 files to Mellon Bank, Pittsburgh, as payment requests for Direct Debit Installment Agreements Delinquent Taxpayer Accounts. Access to the Drop Box server is pre-determined through the completion of an Interconnect Security Agreement (ISA).

9.  Do other IRS systems provide, receive or share data in the system? 
If Yes- list the system(s) and describe which data is shared.  
If No, Skip to question 12.

There is only one system that interfaces with the secure drop box: the EFTU system in MCC. All data files sent to and received in the drop box will be routed to the EFNS.

10. Have the IRS systems described in Item 9 received an approved security certification and approved Privacy Impact Assessment?  If yes, provide copies of memoranda.

The Drop Box Server received a certification on September 15 and an Accreditation on September 20, 2004. 

11. Will other agencies receive data in any form from this system?  If yes, provide copy of inter-agency agreement.

No.  The data files that are sent/received in the drop box to/from Mellon Bank will be solely IRS owned.

Administrative Controls of Data

12. What are the procedures for eliminating the data at the end of the retention period?  Cite IRM reference.

Data files sent/received in the secure drop box are retained on the drop box server for no longer than a few hours.  If a connection to either EFTU for incoming files or Mellon Bank for outgoing files, the drop box will delete the files that it received from either of the two connected system points.

13. A.  Does this system have new technology?  No. 

13. B.  How does this new technology affect taxpayer or individual privacy?

Taxpayer SSN, Bank Account and payment amount XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX.  All internal IRS connections are completed via FTP transfers governed by EFNS.

14. Will this system have the capability to identify or locate individuals or groups?  If so, describe the business purpose for this capability.  NO.

15. Will this system have the capability to monitor individuals or groups?  If so, what controls are in place to prevent unauthorized monitoring?  NO.

16. Can use of the system allow IRS to treat taxpayers, employees or others differently?  Explain.  N/a.

17. Can the use of the system allow IRS to make determinations about individuals that would not have been possible otherwise?  Explain.  NO.

18. Does the system ensure due process by allowing affected parties to respond to any determination that may harm them prior to final action?  Explain.

N/a. The XXXXX XXXXX XXXXX XXXXX does not retain data files. This drop box server infrastructure is strictly a ‘pass-through’ system.

19. If the system is web-based, does it use persistent cookies or other tracking devices to identify the web visitor?

N/a.  This system is not a web-based interface.

 


Page Last Reviewed or Updated: December 10, 2004