ClientHub

eSignature Compliance Policy for Form 8879

Designed for Remote Authorization with Full IRS and NIST Alignment

🔒 Purpose

This policy outlines our firm's procedures for verifying taxpayer identity and collecting compliant electronic signatures on IRS Form 8879 when the taxpayer is not physically present. It is designed to meet the requirements of:

  • IRS Publication 1345 (Rev. 10-2024), Section 5.3.2
  • NIST Special Publication 800-63-3, Identity Assurance Level 2 (IAL2)

This document serves as formal confirmation that our process meets federal standards for secure, remote authorization while providing a modern, streamlined experience for clients.


📘 Governing Standards

1. IRS Publication 1345, Section 5.3.2

“If the taxpayer is not physically present, the ERO must use an identity verification method that meets the requirements of NIST SP 800-63-3, Identity Assurance Level 2 (IAL2), such as:

  • Knowledge-Based Authentication (KBA) using a third-party provider (e.g., LexisNexis, TransUnion), OR
  • A combination of two-factor authentication AND identity verification based on information the ERO knows or can confirm the taxpayer knows.”

2. NIST SP 800-63-3 (IAL2)

This national digital identity framework defines identity assurance levels for remote verification. IAL2 allows:

  • Remote identity proofing
  • Multi-factor authentication (2FA)
  • Use of client-specific known information as a verification layer
  • Detailed audit trails

Appendix A.6 also notes that KBA is not the only path to compliance; alternatives like identity verification based on known-user data and secure authentication are valid.


✅ Our Verified Signature Process (Aligned with Option 2)

We use the IRS-approved Option 2 method to verify identity and capture eSignatures when the taxpayer is not physically present:

✔ 1. Two-Factor Authentication (2FA)

The client is required to verify their identity using a time-sensitive code sent via SMS or email. This adds a second layer of authentication beyond login credentials.

✔ 2. Identity Verification Based on Client-Specific Data

Before allowing signature on Form 8879, we confirm information that only the legitimate taxpayer would know, including:

  • Prior-year AGI or refund amount
  • Filing status
  • Date of birth
  • EIN or business info
  • Secure onboarding data

This method meets IAL2's requirement for verifying at least two independent identity attributes.

✔ 3. Secure Audit Trail and Data Retention

All verification and signature events are:

  • Encrypted in transit and at rest
  • Logged with IP address, timestamp, outcome, and session metadata
  • Retained for at least three years in accordance with IRS audit guidelines

Why This Is Compliant (Without Traditional KBA)

Many platforms or reviewers may assume that only credit bureau KBA (like from LexisNexis or TransUnion) meets IRS standards, but this is a misunderstanding of IRS Pub. 1345 and NIST SP 800-63-3.

The IRS offers two fully valid compliance paths. We have chosen Option 2 because:

  • It is explicitly approved by the IRS
  • It aligns with NIST IAL2 requirements
  • It avoids costly per-transaction KBA services
  • It gives us full control and audit visibility
  • It streamlines the client experience

Option 2 does not require KBA as long as the system is secure, the identity is verified using trusted information, and the audit trail is preserved, conditions which we meet on all counts.


📊 Side-by-Side Compliance Matrix

| Requirement | IRS Pub. 1345 (5.3.2) | NIST SP 800-63-3 (IAL2) | Our Implementation |
|---|---|---|---|
| Remote signature accepted | ✅ Yes | ✅ Yes | ✅ Yes |
| 2FA or MFA authentication | ✅ Required in Option 2 | ✅ Required at AAL2 | ✅ Time-sensitive code required |
| Use of client-known verification data | ✅ Required in Option 2 | ✅ Permitted in Appendix A.6 | ✅ AGI, SSN, DOB, onboarding prompts |
| Audit log retention (3+ years) | ✅ Yes | ✅ Required | ✅ Logged and stored securely |
| KBA via 3rd party (optional for Option 1) | ✅ Optional | ✅ Optional | ❌ Not used (we use Option 2) |
| Encryption and security controls | ✅ Required | ✅ Required | ✅ AES-256 encryption in transit/at rest |


🧾 Summary: Statement of Compliance

Our eSignature process for Form 8879 is:

  • ✅ Fully compliant with IRS Publication 1345, Section 5.3.2 (Option 2)
  • ✅ Aligned with NIST SP 800-63-3, IAL2 standards
  • ✅ Built with end-to-end encryption, 2FA, taxpayer-specific verification, and a complete audit trail

This ensures secure, auditable, and valid authorization for every electronically filed return, while reducing friction for clients and eliminating unnecessary KBA costs.


Final Notes

We are committed to:

  • Maintaining compliance with evolving IRS e-filing regulations
  • Protecting client data with bank-grade encryption and secure authentication
  • Ensuring that our staff and systems operate with transparency and traceability at every stage of the return process

If you are a software vendor, auditor, or regulatory reviewer and require additional documentation of our procedures, encryption methods, or verification logic, we are happy to provide it upon request.