In this the Tax Institute’s Member Newsletter: TaxVine No. 17 (20.5.22), Senior Advocate, Robyn Jacobson, CTA, explains the new client verification guidelines that will impose new obligations on tax practitioners in an effort to address identity theft.
Strengthening client verification
What is identity theft?
Identity theft is insidious. It can wreak devastating financial, social and personal havoc on victims, leaving scars for many years. The risk of identity theft has never been higher or had more serious implications. The Australian Cyber Security Centre (ACSC) defines identity theft to be when a cybercriminal gains access to your personal information to steal money or gain other benefits.
The ACSC’s Annual Cyber Threat Report 2020–21 reports that:
- Over the 2020–21 financial year, the ACSC received over 67,500 cybercrime reports
- Self-reported losses from cybercrime total more than $33 billion.
The COVID-19 pandemic and the resulting lockdowns meant millions of people were confined to their homes, spending many more hours at home and online, and relying on the internet to purchase goods and access services they previously would have obtained offline. Cybercrime of course existed pre-pandemic but the increase in online activity and change in behaviour has been exploited by cyber criminals, particularly preying on those who are more vulnerable in our community. Thankfully, many consumers have become savvier and more aware of cyber fraud during the pandemic, but the risk remains high.
What is tax refund fraud?
Increasingly, we see widespread and sophisticated criminals attempt to commit tax refund fraud by stealing taxpayers’ identities. ATO web guidance advises that refund fraud is claiming a tax refund or other benefit by providing the ATO with false information, and often involves identity crime where personal identity information is stolen and used to lodge fake refund claims in someone else’s name. It is more than a careless or accidental mistake because it is undertaken deliberately and deceitfully.
New client verification guidelines
Client verification is not a new concept. Client verification protects your firm and your clients by accurately identifying each client and validating the legitimacy of their identity documents.
The Tax Agent Services Act 2009 (TASA) does not contain specific proof of identity (POI) requirements, although sections of the Code of Professional Conduct in section 30-10 of the TASA have always required registered tax agents and BAS agents to act honestly in their dealings, provide their services competently, take reasonable care in ascertaining a client’s state of affairs and meet the fit and proper person requirement.
On 27 April 2021, the ATO released a consultation paper titled Transition to strengthening client verification. The ATO has since released client verification guidelines (guidelines) for client verification within tax and superannuation practices to address the growing risk of identity theft and fraud for practitioners who use Online services for agents (OSfA) or practitioner lodgment services(PLS). These guidelines should be read in conjunction with the guidance released by the Tax Practitioners Board (TPB).
On 31 January 2022, the TPB released Practice Note TPB(PN) 5/2022 Proof of identity requirements for client verification (Practice Note) to provide practical guidance and assistance to registered tax practitioners when verifying client identities. The Practice Note provides guidance on engagements relating to individual clients as well as non-individual clients (such as a company or a trust). Failure to take appropriate POI steps to verify a client’s or individual representative’s identity may result in a breach of the TASA and disciplinary actions by the TPB.
The purpose of the new guidance is to provide greater certainty around how tax and superannuation practitioners should verify their clients’ identities and how this is evidenced. Phase 1 of the guidelines was implemented as a ‘soft touch’ from 1 July 2021 and involves identifying new clients. Many practitioners are already doing this voluntarily as a matter of standard practice management. Phase 2 will mandate a digital solution for client verification. There is currently no fixed date for Phase 2.
While the ATO’s guidelines apply only to those practitioners who use OSfA or PLS, the TPB’s Practice Note applies to any registered tax or BAS agent who provides a tax agent service (as defined in section 90(5) of the TASA) for a fee. This includes the provision of tax advice to a client even where there is no lodgment as such.
What do the guidelines say?
The guidelines:
- are designed to set a minimum standard to be applied across the tax profession to ensure due diligence is taking place when engaging new clients, or where there is a concern that an existing client may have had their identity compromised
- will apply to all tax practitioners, particularly registered tax agents and registered BAS agents using OSfA, and superannuation practitioners
- set out:
- who needs to be verified
- how to record the client verification process
- verification methods and what identity documents are required
- how to verify the authorised relationship for clients who purport to act on behalf of other people or entities.
It is not recommended that you retain clients’ identification documents as retaining identification documents may increase your risk of being targeted by criminals undertaking identity theft. You should instead verify the identity of your clients and maintain contemporaneous records to demonstrate that POI steps were undertaken.
Verification may be undertaken using one of three methods:
- Visual — Suitable only when you are interacting with the client in person or by video. In most cases, a visual check of a driver’s licence is sufficient.
- Source ATO — Compares data provided by the client against data held by the ATO, such as bank account details, a notice of assessment reference number or an activity statement document identification number, or payment plan details.
- Source DVS (Document Verification Service) — Compares a client’s details on government issued identity documents against details held by a DVS provider.
You will need to exercise your professional judgment where identity documents are not readily available, such as for those living in remote Indigenous communities, refugees, those affected by natural disasters and those who have limited access to identity documents due to experiencing family or domestic violence or homelessness.
What about existing clients?
The TPB does not expect you to go back and verify your entire client base. You will have well-established relationships with many of your clients, and it may not be practical or necessary to verify these clients. The TPB accepts that tax practitioners can exercise their professional judgment when assessing whether a client (or individual representative of a client) is a well-established client and whether it is appropriate to undertake the POI steps outlined in the Practice Note.
Where the practitioner determines that the POI steps need not be undertaken for a well-established client, a file note should reflect the exercise of this judgment (this may be done progressively across the well-established client base) and the tax practitioner should still sight evidence that demonstrates the individual representative has the authority to engage the tax practitioner on behalf of the client.
Certainly identity checks should be performed from now on for:
- all new clients, including representatives of new clients;
- new representatives of existing clients; and
- existing clients where you are concerned the client may not be who they claim to be.
What should I do if I suspect potential identify fraud?
If you are unable to verify a client and suspect potential fraud:
- do not confirm the specific incorrect information or provide the correct information — instead ask for additional information that you can use to verify their identity
- do not give the client any private information and do not share or confirm pre-fill information
- contact the ATO so that further attempts to use that identity can be stopped.
Are the guidelines mandatory?
These guidelines should be read as minimum requirements and are not currently mandatory for practitioners. The TPB and ATO are undertaking further consultation with the profession and intend to transition towards mandating these minimum standards of client verification. In the meantime, the TPB and the ATO encourage you to voluntarily adopt these standards into your practices now. The ATO and the TPB will support you in managing client identity risks to your practice, but the reality is that the evidentiary burden to verify client identity ultimately rests with you as the tax practitioner.
You are encouraged to go beyond these minimum requirements if you have concerns about a person’s identity. It is prudent to protect yourself, your firm and your clients against the risk of identity theft. You have many competing priorities in your practice but don’t wait to act until after you or your clients suffer financial, operational and reputational damage.
The extent of change to your existing client verification practices will depend on how progressed your firm is with implementing safeguards. Firms that have already taken steps to protect themselves and their clients will likely need to make only incremental changes to their processes. For other firms, implementing automation and digital solutions will provide much greater protection of confidential and sensitive identify data than existing manual solutions but may necessitate an investment in these technologies.
Final comments
New regulation and change is rarely welcomed; particularly after the last couple of years that have placed exceptional demands on the profession. This does, however, present an opportunity to digitalise the onboarding of clients and reduce your and your clients’ risk of identify theft. Post-pandemic, clients will continue to be onboarded remotely; this won’t change any time soon. The importance of secure practices for client verification and the benefits of digitisation cannot be understated. The photocopier, scanner and email are simply not secure enough in today’s world.
Our free-for-members webinar, Understanding your client verification obligations, was held on Tuesday 17 May in conjunction with our business partner, InfoTrack. Our expert panel, comprising John Ahern, CEO of InfoTrack, Nadja Harris, Acting Director, Policy and Legislation at the TPB and Ken Kua, Assistant Director at the ATO, explained the new guidelines in detail and discussed the impact the changes will have on practitioners. A recording of the webinar can be found here.
Our Tax Policy Assistant, Zoe-Marie Beesley, has posted in Community about this preamble. Join the conversation and share your thoughts and ideas on the new client verification standards.
As always, we welcome your views and thoughts, which you can provide here.
[Tax Month – May 2022 – Previous Month, 5.6.22]