CBA Tax Section Federal Business Tax Report

There have been reported several incidents of practitioners being surprised by the new third party authentication procedure adopted by the IRS in October of 2017, effective January 3, and published in the IRM today at Section

In response to several security compromises, IRS has revised its authentication process for third parties who contact the IRS on behalf of a taxpayer.

The former process included the requirement at the IRS ask for the taxpayer’s name and TIN and also the representative’s name and CAF number.

The new procedure, in addition to requesting the taxpayer’s name and TIN, calls for the agent to request the representative’s:

  1. Name
  2. CAF Number
  3. Social Security Number
  4. Date of Birth

Some practitioners are reporting that the new procedure is not being uniformly applied, and authentication requests for information such as the names, Social Security numbers and dates of birth of the representative’s children are being made, presumably to cross check that information with the representatives own tax returns.

The practitioner should have on file a current Form 2848 for the taxpayer that covers the tax periods and tax forms in question. Note that IRS will not accept versions of Form 2848 from before the October 2011 version. While the IRS will still provide assistance to third party representatives who file Forms 2848 from before October of 2011, the older form cannot be loaded into CAF.

Representatives of taxpayers using Form 8821, Tax Information Authorization, will, apparently, be subject to the same authentication requirements. Recall that Form 8821 does not empower the designee to represent the taxpayer before the IRS.

New York Employers: Anti-Sexual Harassment Training and Best Practices

As evidenced by recent news headlines throughout the country, it is imperative for employers to institute policies and procedures designed to prevent sexual harassment in the workplace and to fully address any complaints regarding such conduct as soon as they arise. How employers handle general allegations and formal complaints is critical to both mitigating the harm caused to the victim of the harassment, as well as the potential liabilities of the employer associated with the conduct. The following summary will discuss certain key aspects of any well crafted set of policies and procedures relating to sexual harassment, as well as note important concepts for every employer to be aware of in addressing claims of misconduct.

Be Informed

Harassment can include unwelcome sexual advances and any verbal or physical harassment of a sexual nature. However, sexual harassment does not have to be of a sexual nature – it can include any offensive remarks about a person’s sex. For example, it is illegal to harass a woman by making offensive comments about women in general.[1] Both the victim and the harasser can be either a woman or a man, and the victim and harasser can be the same sex. Even simple teasing, offhand comments, or isolated incidents that may not seem very serious, can be illegal especially when they are frequent, severe, create a hostile or offensive work environment or when it results in an adverse employment decision (such as the victim being fired or demoted). The harasser can be the victim’s supervisor, a supervisor in another area, a co-worker, or someone who is not an employee of the employer, such as a client or customer.[2] While many of these concepts may seem obvious to management, it is never wise to assume that the general work force is cognizant of the totality of circumstances that can (and do) give rise to harassment complaints. For this reason, as further discussed below, proper employee training is an absolute necessity to protecting your employees from harassment, and your company from related liabilities.

Best Practices

There is no requirement under New York law that employers provide sexual harassment training, which is in contrast to other states like Connecticut that requires all employers with fifty or more employees to provide two hours of sexual harassment training for supervisors within six months of the start of each supervisor’s employment.[3] However, to prevent sexual harassment in the workplace and, as much as possible, mitigate liability for the employer, we recommend the following best practices be embraced and implemented by New York employers.

  • Implement a strong anti-sexual harassment policy and train all employees on its contents.
  • Enforce your policy and hold employees accountable.
  • Promote an inclusive culture in the workplace by fostering an environment of professionalism and respect for personal differences.
  • Foster open communication and early dispute resolution, particularly with respect to establishing a procedure through which employees can report instances of sexual harassment without fear of repercussions from either the harasser or the company in general. This may minimize the chance of misunderstandings escalating into legally actionable problems.
  • Establish neutral and objective criteria to avoid subjective employment decisions based on personal sterotypes or hidden biases.
  • Take advantage of and implement alternative dispute-resolution practices in firm policies and employee contracts.
Recommended Content of Your Policy

At a minimum, an anti-harassment policy should contain the following statements:

  • The employer is committed to maintaining a workplace free from sexual harassment.
  • Sexual harassment is unlawful and subjects the employer to liability.
  • Any possible sexual harassment will be investigated whenever management receives a complaint or otherwise knows of possible sexual harassment occurring.
  • Those who engage in sexual harassment will be subject to disciplinary action.
  • Explain and define sexual harassment, so that employees will know what actions are prohibited.
  • Encourage employees to complain of sexual harassment that they experience or learned was (or may have been) experienced by another employee.
  • Indicate to whom employees can complain about sexual harassment (this should, particularly with smaller employers, include all owners and managers, or otherwise provide open access for employee complaints).
  • Require employees to cooperate with management during any investigation of sexual harassment .
  • Require all supervisory and management staff to report any complaint that they receive, or any harassment that they observe, to a specifically designated point person for intaking such complaints. This is particularly important given that a supervisor’s or manager’s knowledge of sexual harassment may create liability for the employer.[4]
The Faragher-Ellerth Defense

The Faragher-Ellerth defense, outlined by the Supreme Court in the companion cases of Faragher v. City of Boca Raton, 524 U.S. 775 (1998) and Burlington Industries, Inc. v. Ellerth, 24 U.S. 742 (1998), is an affirmative defense employers may use to defend against claims of harassment where:

  • no tangible adverse employment action was taken against the plaintiff (for example, discharge, demotion, or undesirable reassignment);
  • the employer exercised reasonable care to prevent and promptly correct the harassing behavior; and
  • the plaintiff employee unreasonably failed to take advantage of any preventative or corrective opportunities provided by the employer or to otherwise avoid harm (for example, by not taking advantage of reporting procedures outlined in an anti-harassment policy).

Thus, if a company maintains and implements effective anti-harassment policies and the employee fails to follow such policies by failing to report any harassing conduct to the company, the company may be entitled to avoid liability through the Faragher/Ellerth defense.  As well, where an employee follows the policy and complains to the company regarding sexual harassment, if the Company promptly investigates and remedies the issue, the company may also be entitled to avoid liability through the Faragher/Ellerth defense.

Addressing Legal Concerns

If an employee or other person suffers sexual harassment, the first step they should take is to follow their employer’s guidelines for reporting it (which is why it is critical to have these policies in place!). There are also laws that protect against any retaliation by employers against an employee who has reported incidents of sexual harassment, and having a robust anti-harassment program in place will help an employer ensure that the employee’s complaint is not only being seriously addressed, but give the employer an opportunity to discuss anti-retaliation laws with the relevant employees to mitigate any possibility that retaliation (and thus, increased employer liability) will result from a complaint.[5]. Only if employers implement strong anti-harassment policies, take sexual harassment allegations seriously and adhere to the aforementioned preventative steps, will the employer be able to create a safe workplace for its employees and avoid the potential pitfalls associated with sexual harassment claims.

If you have any questions regarding these issues, would like assistance drafting or restructuring existing policies, or need an employment law professional to conduct on-site workplace training, please contact Christina Volpe at (203) 658-8460 or (646) 665-2202, Michele Martin at (352) 316-6955, or Pastore & Dailey LLC generally at (203) 658-8454.


[1] U.S. Equal Employment Opportunity Commission, Sexual Harassment

[2] Id.

[3] See Conn. Gen. Stat. § 46a-54(15)(B)); Conn. Agencies Regs. § 46a-54-204.

[4] See Guidance on Sexual Harassment For All Employers in New York State NY Division of Human Rights

[5] See The Fair Labor Standard Act; New York Fair Labor Standards Act.

Suspension of Trading for Hong Kong Blockchain Firm

Last week, on January 8, 2018, the Securities and Exchange Commission (“SEC”) suspended trading of UBI Blockchain Internet, Ltd. (“UBI”) stock until January 22, 2018.[1] UBI, formerly JA Energy, is a Hong Kong-based technology firm focusing on the Blockchain technology underlying cryptocurrency.[2] Coincidently, one of the focuses of this over-the-counter traded company is on the application of the distributed ledger technology to trace food and drug products from the producer to the consumer.[3] According to UBI’s legal counsel, the motivation behind this innovation is to prevent counterfeit products.[4]

The erratic behavior of UBI shares caught the eyes of the SEC in early December as the company’s stock sky-rocketed in price. On December 1, 2017, shares of UBI were trading at $6.12, and just eighteen days later, the value had swiftly rose to $83.00 per share, and even selling as high as $115.00 per share.[5] The subsequent decline in value was just as precipitous. Within a week of its peak, the value of UBI stock had fallen to $29.00 per share and further down to $22.00 per share before the close of the 2017 year. The freeze on trading allows the SEC an opportunity to investigate the causes of the sudden and drastic changes in the firm’s stock activity.

The SEC is tasked with closely monitoring the trading activity of publicly traded companies. Spikes in value and in the volume of trades within the market, like those seen here with UBI, raise red flags for the SEC to act upon. Pursuant to Section 12(k) of the Securities Exchange Act of 1934, the SEC may temporarily suspend the trading in particular securities pending an investigation.[6] In the case of UBI, the commission cited two distinct justifications for its suspension: concerns with (1) the accuracy of assertions dating back to September 2017 regarding the company’s business operations; and (2) the unusual and unexplained market activity in the company’s Class A common stock since November 2017.[7] It remains to be seen whether the cause of the fluctuation was caused by SEC violations or by a frenzy as the market responded to UBI’s pharmaceutical application of the Blockchain technology.


[1] U.S. Securities and Exchange Commission, Securities Exchange Act od 1934: Release No. 82452, (last visited January 14, 2018, 3:05 PM).

[2] Matt Robinson, Crypto Stock That Surged 900% in 2017 is Hit With SEC Halt, Bloomberg (Jan. 8, 2018, 10:39 AM),

[3] Cory Johnson, How One Mysterious Startup is Riding the Bitcoin Wave, Bloomberg (Dec. 27, 2017, 12:17 PM),

[4] Id.

[5] UBI Blockchain Internet Ltd., Marketwatch, (last visited January 14, 2018, 3:07 PM).

[6] See supra note 1.

[7] See supra note 1.

Regulators Expect More with Vendor Risk Management

Banks and financial services firms continue to grapple with regulators’ growing demands to better manage cyber risks created by third-party vendors, but they should not focus solely on compliance, according to a panel of former regulators and cyber experts. Viewing third-party risk within a wider risk management framework would lead to greater security maturity, agreed the banking, legal, and cyber experts, who participated in a December 2017 webinar hosted by the Independent Community Bankers of America (ICBA) and CyberFortis, a cybersecurity solution service provider for the financial sector.

The panel included a former state banking commissioner, a former regulator who helped create the recently-implemented New York DFS cyber regulations, and a nationally known legal expert who works on cybersecurity cases, including those involving the Securities and Exchange Commission (SEC).

Although headlines tend to be dominated by cyberattacks on large banks or financial firms, organizations of any size are at risk, said panelist David Cotney, former Massachusetts Banking Commissioner and advisor to CyberFortis. He said he hears daily reports of hackers attacking the defenses of banks both large and small, including looking for easy entry points such as third parties connected to banks’ systems.

These known vulnerabilities have forced federal regulators, including the Office of the Comptroller of the Currency (OCC), to require financial institutions to have a strong vendor risk management system. This includes establishing risk tolerance, ongoing monitoring, and independent reviews. There is also an expectation that boards will be actively involved throughout the vendor risk management process.

Cotney issued a warning about compliance versus security, noting that some regulators have expressed private concerns that too many bankers think simply meeting the baseline expectation under the FFIEC’s Cybersecurity Assessment Tool (CAT) is sufficient. “Threats evolve and a bank’s environment is not static. They are changing their products and services, they are hiring and terminating employees, and their networks and IT environments are also undergoing changes and updates,” said Cotney. “Instead of thinking of the CAT as a ‘check the box annual exercise,’ use it to reexamine your inherent risk profile and maturity level prior to introducing new products, services, or initiatives, which includes new third-party connections or mergers and acquisitions,” he suggested.

To secure the assets of both a bank and its customers, it is necessary to move from a baseline approach (compliance-driven) to a higher maturity level approach (enterprise risk), which Cotney said is something regulators are specifically looking for in a bank’s security program.


The panel also addressed how the New York Department of Financial Services (NY DFS) regulation can be viewed as a bellwether for how all regulators are viewing cybersecurity risks and more specifically, third-party cybersecurity issues. “Must we be our brother’s keeper?” asked Alexander Sand, now an associate at Eversheds Sutherland and a former NY DFS regulator who helped create the new requirements. “To the extent that third parties are touching your network and holding your data, then yes,” he answered.

Because regulators want to see that financial institutions are making their decisions based on risk, having a risk assessment performed is crucial and will help with meeting strict NY DFS deadlines. There are both internal and external risk assessments involved, said Sand. “Internally, what are the risks to the bank’s ability to operate if a significant operational vendor goes down, and externally, what are the risks of third party security practices?” Although the Third-Party Service Provider Security Policy deadline is March 1, 2019, Sand said NY DFS expects this to be a large undertaking that organizations will need to begin addressing immediately.

The requirements are robust and include written policies and procedures based on the risk assessment that address:

  • Identifying and assessing the risks of third-party service providers
  • Setting out minimum cyber practices banks require
  • Establishing due diligence processes
  • Performing periodic assessments of the risks of third-party service providers

While this regulation does not require specific controls to be put in place for all vendors, Sand said it does emphasize certain controls that NY DFS wants organizations to consider, such as multi-factor authentication, encryption of data in transit and at rest, vendor breach notifications, and confirmation of vendor’s cybersecurity practices. “Give yourself plenty of time to deal with this third-party issue,” Sand concluded. “At the end of the day what will be better for your customers and your bank is to be proactive and thoughtful so that you’re meeting your organizations’ specific risks rather than pulling something off the shelf.”


“Banks will say to me, ‘I have 120 vendors. How can I get my arms around this?’” noted Jack Hewitt, Partner at Pastore and Dailey, LLP. He recommended that banks identify all vendors and prioritize by importance. Then look at the auditor reports and reports of breaches. But even before tackling that, Hewitt said it’s first necessary to create, or update, your vendor management policy, adding that harmonization is essential. “I recommend you blend together procedures based on the applicable regs from the relevant authorities such as the NY DFS, OCC, SEC, and FINRA. Your policy statement should provide vendors with appropriate guidance to ensure the bank’s security.”

An organization’s vendor risk management program should be matched by that of their vendors’. This ensures that any connected systems are taking the same security measures that you are, helping mitigate risk and shoring up inherent vulnerabilities. The vendor management policy and its purpose should be communicated to both staff and vendors so that all involved parties are on the same page, said Hewitt, who also echoed Sand’s thoughts regarding the importance of a risk assessment.

This analysis will identify and provide insight into what elements of risk exist, which often includes threats stemming from existing vendors. Hewitt outlined as series of specific steps banks should take, including recommendations on how to craft robust contracts, what detailed procedures vendors should be required to have, the management oversight and continuous monitoring practices every vendor program should include, and what types of records should be maintained. “Many banks are beginning to use new technologies such as robo-advisors, artificial intelligence, and blockchain, which all involve third-party vendors,” said Hewitt. “Before you begin to engage actively with a vendor in these areas, complete your assessment ahead of time, have management controls in place, and be able to analyze on a continuous basis or it could compound problems in the event you do have an intrusion.”

The panelists concluded with a caution that regulators recognize the burdens on financial institutions, but will take action when they deem that an organization has actively chosen not to comply with regulations or improve its security posture. They also agreed that while banks’ actions are often driven by compliance, achieving more mature security and the resilience it generates will require banks to look beyond checking the box.

New Partnership Tax Audit Rules Now in Effect

As part of a budget compromise, the Bipartisan Budget Act was enacted on November 2, 2015, and became effective on January 1, 2018. Title XI of the BBA is a revenue device and works to raise tax revenue without raising taxes by substantially streamlining IRS partnership audit procedures, including audit procedures for LLCs which are treated as partnerships for tax purposes.

Opt-Out for Small Partnerships

Small partnership can elect out of the new rules if:

  • The partnership is required to issue no more than 100 Schedules K-1
  • Each partner is an individual an estate of a deceased partner, and S corporation, a C corporation, or a foreign entity that would be treated as a C corporation if it were domestic
  • An election is timely filed with a timely filed return providing the names and identification numbers of the partners and
  • The partnership notifies each partner of the election

Hence, a partnership that includes among its partners another partnership or trust, including a grantor trust, may not opt out. Also, a partnership with a tax-exempt entity as a partner will need to determine if the entity is a C corporation. When an S corporation is a partner, the names and taxpayer identification numbers of the S corporation’s shareholders, together with the S corporation itself, must be included in the election statement, and the Schedules K-1 of the S corporation count toward the 100 shareholder limit for the opt-out qualification. Observe that IRS is authorized to issue rules allowing partnership to elect to opt-out regardless of the type of entities owning a partnership interest, so long as the total number of Schedules K-1 required to be issued by the partnership and its partners do not exceed 100 and the partnership discloses the identities of indirect partners.

The apparent counting problem created by issuance of multiple Forms K-1 to the same partner who holds different classes of interests in the partnership will likely need to be addressed by regulation.

In the same way, regulations will be needed to clarify whether a disregarded entity or nominee holding an interest will be disregarded in determining who owns the interest. Related to this issue will be the need for regulations for guidance as to whether a partnership interest held by an IRA, SEP, or other closely held retirement entity will be treated as owned by the individual beneficiary.

New Partnership Representative

The old rules called for appointment of a tax maters partner in many cases involving partnerships. Beginning with 2018, any audits will be managed at the partnership level by a Partnership Representative (PR). We are seeing many LLCs and other partnership entities attempting to comply with this change by merely changing nomenclature within their operating agreements. This, however, disregards the dramatically different authority the PR has from the old TMP.

Under the BBA, unless a partnership can and does opt-out (recall the opt-out election must be made annually) the IRS will deal only with the PR. The partners have no rights to appeal a tax assessment. The PR also has the authority to:

  • Waive the statute of limitations and other defenses
  • Communicate with the IRS and agree to settle the total tax liability of all the partners
  • After the total tax assessment is agreed, the PR can elect either to
    • Allocate the total amount among the partners enabling IRS to collect a specific amount from each partner or
    • Pay, at the partnership lever, the tax on behalf of each partner

The BBA eliminates the notion of Notice Partners who were formerly entitled to receive notice directly from the IRS. Under the new regime, an audit might commence and be completed, and the partners might never hear about it until they receive a non-appealable tax bill from the IRS.

So, in addition to accommodating the tax liability allocation scheme the BBA now imposes on partnerships,* partnership agreements should be amended to include:

A dispute resolution mechanism (e.g. mediation, arbitration) to manage disputes by partners who don’t agree with the acts of the PR

  • A collection mechanism for circumstances in which the partnership pays a tax assessment at the entity level but one or more partners does not voluntarily pay his share of the assessment
  • A reconciliation mechanism for cases where the PR makes a good faith error
  • Notice obligations as between the PR and the partners
  • Liquidity provisions, such as insurance, for the PR’s acts and omissions
  • Selection of the PR and successor PR

Operating agreements should also address the following issues:

  • Does a decision to extend the statute of limitations or a decision to settle an audit case require a simple majority vote of the partners, a majority of each class or a unanimous vote?
  • How should the PR settle the case if there is no agreement among the partners?
  • How and when should the PR notify the partners of correspondence and other communications with the IRS?
  • How should the partnership’s tax liability be allocated among the partners and the classes of partners? How should exiting and entering partners be obliged to manage tax liability of which they are nit yet aware?
  • Should any additional tax simply be paid by the partnership and charged against each partner’s account as a distribution? Or should the tax-payment responsibility be “pushed-out” to each partner so the IRS handles the collection? This election must be made within a very short 45 day window.
  • The new law presumes that all partners are taxed at the highest possible bracket, unless the PR proves otherwise within 270 days of making a settlement. How and when should the partners supply information to the PR that will enable him to protect their right to use the lower tax brackets?

This note does not include review of the entire effect on the BBA on partnerships. It is intended only as an illustration of selected general principles.


* The BBA now imposes imputed tax underpayments and all related penalties and interest directly on the partnership at the highest individual marginal tax rate. One of the several effects of this approach is that even partners who were not members of the partnership at the time the tax liability was incurred will be charged with the associated tax liability.