To a certain extent, we all know the IRS is always watching. But recent legislative developments coupled with developments in sophisticated tracking and auditing technologies make that more of a reality each year. More and more business operations and payments are being digitized, the use of cryptocurrency is on the rise, and the digital transformation has exposed us to a heightened level of cybersecurity risk. As quickly as businesses and organizations transition to third-party service providers and cloud-computing technology in general, cyber-criminals develop and hone their skills. 

For now, the IRS’s watchful eye has turned to digital transactions. While the latest legislation doesn’t affect the $10 you sent via Venmo to your friend for spotting you for lunch last week, it could affect your annual reporting requirements. With tax law changing by the minute and cybersecurity risks multiplying exponentially, small businesses and nonprofit organizations need to approach both tax compliance and cybersecurity as core business responsibilities, not solely those belonging to accounting or IT.

Digital Payments Received Through Third-Party Platforms 

If you have processed debit, credit, or gift card payments anytime since 2011, you’re probably familiar with Federal Form 1099-K. Historically, taxpayers received this form for annual gross payments exceeding $20,000 and more than 200 total transactions, and enforcement has been lenient, to say the least. But the IRS is looking to capitalize on more small business and side-gig income and improve voluntary reporting compliance, so taxpayers can expect more rigid enforcement measures ahead.

However, beginning with tax year 2022, digital payment platforms like Venmo, Paypal, CashApp, and Zelle will be added to the mix of Payment Settlement Entities (PSEs), and PSEs will use Form 1099-K to report any number of transactions totaling $600 or more for the year. So if you have gotten paid or have been making payments through these platforms, you may be processing or receiving more 1099-Ks in lieu of 1099-NECs.

Cryptocurrency as Payment for Goods or Services 

Cryptocurrency transactions can be fast, convenient and worldwide. In particular, retailers and e-commerce businesses have started accepting Bitcoin more and more as payment. And cryptocurrency donations are pouring in for nonprofits as well. According to The Giving Block’s Annual 2021 Report, nonprofits received nearly $70,000 in crypto donations on average in 2021, a 66% increase from the average in 2020. While trading in cryptocurrency might open up opportunities and decrease barriers, it also presents questions and unknowns. Businesses and nonprofits that choose to accept cryptocurrency have to go into it with their eyes wide open to the tax consequences. 

For tax purposes, the IRS treats cryptocurrency as property. Typically, capital gains or losses are recognized, and investors are required to disclose cryptocurrency assets. Before a business takes cryptocurrency as payment or a nonprofit organization accepts a cryptocurrency donation, the respective entity needs to understand how selling or retaining the asset affects the investment itself and the associated tax liability.

In the past, digital wallets have not always been on par with accounting in terms of year-end reporting. It’s up to you, as the taxpayer, to calculate annual profits or losses across all exchanges and disclose taxable transactions appropriately. Service providers exist to help taxpayers aggregate their cryptocurrency-related tax information for year-end reporting if this becomes overwhelming.

Bolstering Your Organization’s Cybersecurity Defenses  

Digital currencies open up new doors, but they also open small businesses and nonprofits up to new and evolving cybersecurity threats. If you haven’t already, it’s time to reevaluate your internal controls. These measures help you defend financial, accounting, and other sensitive or proprietary information. Your organization needs to understand, fortify, and monitor these controls to prevent hazardous gaps in your security measures. 

Keep in mind cybersecurity extends to your third-party service providers as well. When vetting any third-party provider, you should inquire about their cybersecurity practices and expect to see them in your contract. In the event of a data breach, organizations should reference the Federal Trade Commission’s guidance. 

To that end, many organizations have chosen to form a digital and cybersecurity task force that includes representation from management, governance, IT, accounting, and other relevant departments like HR, and operations. Your task force should carefully review your digital payment and cybersecurity processes, procedures, and controls so that you can develop, document, implement, and monitor corrective actions.  

Contact Smith, Sullivan & Brown 

At SSB, we provide comprehensive tax, accounting, and business advisory services to nonprofit organizations and a variety of small businesses. If you’re ready to discuss your digital payment, cryptocurrency, or internal control cybersecurity strategy, contact us today.

by Elizabeth Sheridan, CPA, CFE  and Mary Babigian. CPA


Elizabeth Sheridan, CPA, CFE, is an Audit Manager at Smith, Sullivan & Brown. She is a Certified Public Accountant and a Certified Fraud Examiner. Elizabeth has ten years of experience providing specialized accounting and auditing services to nonprofit organizations.

Mary Babigian

Mary K. Babigian, CPA joined Smith, Sullivan & Brown in 2021 as Tax Manager and works with our small business, individual and nonprofit tax teams. She became a licensed certified public accountant in 1993 and has over 25 years of experience in taxation and accounting services at firms and companies in Massachusetts.