
eSignature Compliance Policy for Form 8879

Designed for Remote Authorization with Full IRS and NIST Alignment

🔒 Purpose

This policy outlines our firm’s procedures for verifying taxpayer identity and collecting compliant electronic signatures on IRS Form 8879 when the taxpayer is not physically present. It is designed to meet the requirements of:

  • IRS Publication 1345 (Rev. 10-2024), Section 5.3.2
  • NIST Special Publication 800-63-3, Identity Assurance Level 2 (IAL2)

This document serves as formal confirmation that our process meets federal standards for secure, remote authorization — while providing a modern, streamlined experience for clients.


📘 Governing Standards

1. IRS Publication 1345, Section 5.3.2

“If the taxpayer is not physically present, the ERO must use an identity verification method that meets the requirements of NIST SP 800-63-3, Identity Assurance Level 2 (IAL2), such as:

  • Knowledge-Based Authentication (KBA) using a third-party provider (e.g., LexisNexis, TransUnion), OR
  • A combination of two-factor authentication AND identity verification based on information the ERO knows or can confirm the taxpayer knows.”

2. NIST SP 800-63-3 (IAL2)

This national digital identity framework defines identity assurance levels for remote verification. IAL2 allows:

  • Remote identity proofing
  • Multi-factor authentication (2FA)
  • Use of client-specific known information as a verification layer
  • Detailed audit trails

Appendix A.6 also notes that KBA is not the only path to compliance — alternatives like identity verification based on known-user data and secure authentication are valid.


✅ Our Verified Signature Process (Aligned with Option 2)

We use the IRS-approved Option 2 method to verify identity and capture eSignatures when the taxpayer is not physically present:

✔ 1. Two-Factor Authentication (2FA)

The client is required to verify their identity using a time-sensitive code sent via SMS or email. This adds a second layer of authentication beyond login credentials.

✔ 2. Identity Verification Based on Client-Specific Data

Before allowing a signature on Form 8879, we confirm information that only the legitimate taxpayer would know, including:

  • Prior-year AGI or refund amount
  • Filing status
  • Date of birth
  • EIN or business info
  • Secure onboarding data

This method meets IAL2’s requirement for verifying at least two independent identity attributes.

✔ 3. Secure Audit Trail and Data Retention

All verification and signature events are:

  • Encrypted in transit and at rest
  • Logged with IP address, timestamp, outcome, and session metadata
  • Retained for at least three years in accordance with IRS audit guidelines

🔍 Why This Is Compliant (Without Traditional KBA)

Many platforms or reviewers may assume that only credit bureau KBA (such as that provided by LexisNexis or TransUnion) meets IRS standards, but this is a misunderstanding of IRS Pub. 1345 and NIST SP 800-63-3.

The IRS offers two fully valid compliance paths. We have chosen Option 2 because:

  • It is explicitly approved by the IRS
  • It aligns with NIST IAL2 requirements
  • It avoids costly per-transaction KBA services
  • It gives us full control and audit visibility
  • It streamlines the client experience

Option 2 does not require KBA as long as the system is secure, the identity is verified using trusted information, and the audit trail is preserved. We meet all three conditions.


📊 Side-by-Side Compliance Matrix

| Requirement | IRS Pub. 1345 (5.3.2) | NIST SP 800-63-3 (IAL2) | Our Implementation |
|---|---|---|---|
| Remote signature accepted | ✅ Yes | ✅ Yes | ✅ Yes |
| 2FA or MFA authentication | ✅ Required in Option 2 | ✅ Required at AAL2 | ✅ Time-sensitive code required |
| Use of client-known verification data | ✅ Required in Option 2 | ✅ Permitted in Appendix A.6 | ✅ AGI, SSN, DOB, onboarding prompts |
| Audit log retention (3+ years) | ✅ Yes | ✅ Required | ✅ Logged and stored securely |
| KBA via 3rd party (optional for Option 1) | ✅ Optional | ✅ Optional | ❌ Not used (we use Option 2) |
| Encryption and security controls | ✅ Required | ✅ Required | ✅ AES-256 encryption in transit/at rest |


🧾 Summary: Statement of Compliance

Our eSignature process for Form 8879 is:

  • ✅ Fully compliant with IRS Publication 1345, Section 5.3.2 (Option 2)
  • ✅ Aligned with NIST SP 800-63-3, IAL2 standards
  • ✅ Built with end-to-end encryption, 2FA, taxpayer-specific verification, and a complete audit trail

This ensures secure, auditable, and valid authorization for every electronically filed return — while reducing friction for clients and eliminating unnecessary KBA costs.


🔐 Final Notes

We are committed to:

  • Maintaining compliance with evolving IRS e-filing regulations
  • Protecting client data with bank-grade encryption and secure authentication
  • Ensuring that our staff and systems operate with transparency and traceability at every stage of the return process

If you are a software vendor, auditor, or regulatory reviewer and require additional documentation of our procedures, encryption methods, or verification logic, we are happy to provide it upon request.