  • Consultation paper – Transition to strengthening client verification

    Your feedback

    This paper invites your feedback on the proposed guidelines for transitioning to a new client verification standard.

    Closing date for comment: Thursday 10 June 2021

    Provide feedback by email to: TaxPractitionerConsultations@ato.gov.au

    Contact officer: Ken Kua, phone (02) 6216 1102

    We encourage you to raise any other relevant issues or specific concerns about matters discussed in this paper. Your responses may be made available to the public on the ATO website unless you indicate that you would like all or part of your response to remain in confidence. Automatically generated confidentiality statements in emails do not suffice for this purpose. Confidential elements should be marked or provided in a separate document.

    Purpose of paper

    The ATO is seeking feedback on our proposed guidelines for client verification within tax and superannuation practices.

    The guidelines are designed to set a minimum standard to be applied across the tax profession to ensure due diligence is taking place when engaging new clients, or where you suspect an existing client may have had their identity compromised. This is being done to address the growing risk of identity theft and fraud.

    We are seeking feedback on these guidelines, in particular about the impact on client and practice management, and practicalities of implementation.

    This paper is targeted at all tax practitioners, particularly tax and BAS agents using Online services for agents, and those in the superannuation space.

    Background

    We have previously provided guidance on client verification to assist registered agents but this has not been prescriptive.

    Strong client verification helps to protect tax practitioners, their clients, and Australia’s tax and superannuation systems from misuse and abuse due to identity theft and related issues. With an ever increasing reliance on technology and remote work practices, the risks presented by this continue to rise.

    We are now proposing to establish a new client verification standard for tax practitioners as part of a transitional approach over the course of 2021. We are encouraging tax practitioners to voluntarily adopt these standards into business practices now, with the view for the standards to become compulsory in the future following:

    • an initial transition period
    • further consultation with the tax profession.

    Proposed Transition to strengthening client verification guidelines

    Our approach

    We have seen increasingly widespread and sophisticated attempts by criminals to commit refund fraud by stealing taxpayer identities. This has devastating financial consequences for affected individuals and a flow-on effect to the Australian community.

    Our experience with tax practitioners affected by identity breaches has highlighted varying levels of client verification. The lack of a common approach leaves individual practices vulnerable through:

    • insufficient client verification
    • keeping unsecured documents that can be stolen through a physical break-in.

    The ATO, Tax Practitioners Board and the broader tax profession have a shared responsibility to:

    • protect the Australian community
    • stamp out tax fraud committed through identity crime.

    To achieve this, we are designing better practices and solutions. These will strengthen and modernise client verification standards to:

    • support the tax profession in adopting better practices and controls, reducing vulnerabilities and opportunities for identity crime
    • protect the tax profession and clients by minimising the risk of tax fraud through identity theft.

    This guidance outlines a new client verification standard for tax practitioners as part of a transitional approach over the course of 2021. We encourage voluntary adoption of these standards into business practices now. The standards will become compulsory in the future following:

    • an initial transition period
    • further consultation with the tax profession.

    We value the support of the tax profession in implementing these important controls. They will better protect the Australian community and tax and superannuation system from tax fraud through identity crime.

    With an increased reliance on technology and remote work practices, our tax and super systems (including tax and BAS agent practices) are targets for identity crime. To reduce the risk we are strengthening client verification standards. This guidance outlines our new client verification standard for tax practitioners as part of a transition over the course of 2021.

    We recommend tax and BAS Agents review their client verification processes as tax time approaches.

    The following sets out the minimum expectations for conducting client verification. Tax and BAS agents should take reasonable care in each interaction and where there are heightened risks consider applying additional identity verification checks.

    Who you need to verify

    We do not expect you to go back and verify your entire client base. Instead, we are asking that you perform identity checks from this point on for:

    • all new clients including representatives of new clients
    • new representatives of existing clients
    • existing clients where you have concerns the client may not be who they say they are.

    Scenario 1

    John is a tax agent who has been operating for 30 years. Bob is on John's client list, but John has not seen Bob for at least three years and is not overly familiar with him as a client due to the ad-hoc engagement over time. Bob calls John and asks him to amend his tax return for last year to include another $5,000 of work related expenses. He also makes an enquiry about rolling over his superannuation to a new fund. When John asks Bob to come in to supply the information to substantiate the expenses, Bob seems evasive and non-committal. Bob continues to pressure John to make the amendment and also says his bank account details have changed.

    Although Bob is an existing client, John has some concerns with the interaction, given his lack of familiarity with Bob and the nature of the request. He advises Bob that he will need to confirm his identity before making amendments to the tax return.

    End of example

    Verification methods

    As an agent, you can verify clients in any of three ways:

    • Visual
    • Source ATO
    • Source DVS

    For each client, the information they provide must match the details of the documents used for client verification; for example, name, TFN or ABN, address and/or date of birth (DOB).

    For each method a total of two separate proofs of identity must be verified. The exception is when a primary photographic proof of identity document can be verified using the Visual method.

    Agents may also apply these methods in combination to achieve a total of two separate proofs of identity. Combinations might include:

    • Visual (original non-photographic identification document or secondary identification document) and one piece of information verified using Source ATO
    • One piece of information verified using Source ATO and name and DOB (where applicable) or address on a primary or secondary document verified through Source DVS
    • Visual (original non-photographic identification document or secondary identification document) and name and DOB on a primary or secondary document verified through Source DVS

    If your client is acting on behalf of an entity or they are a representative of another person, you must first verify the identity of the representative using either the Visual or Source DVS methods. You may use the Source ATO method only if the representative IS ALSO your client. You must then verify that the authorised relationship exists; see Relationship verification.

    Visual

    Visual verification is only suitable when you are interacting with the client in person or by video. This method is also suitable before linking a client to your client list. For most clients, a visual check of a driver's licence will be all that is needed.

    Begin by seeking your client's name, TFN or ABN along with their address and/or DOB.

    Visual verification means you:

    • sight your client's identity documents
    • confirm visually that the details on the documents match those given by your client, and
    • once you link your client on ATO systems, confirm your client's name, TFN or ABN, along with their address and/or DOB, matches that on ATO records.

    In undertaking visual verification, the client should give either:

    • one original primary photographic identification document, or
    • one original non-photographic identification document plus one original secondary identification document.

    Certified copies of documents are also acceptable.

    When reviewing the documents, ensure the client is who they say they are by checking if the:

    • photo in the identification document matches the person
    • details such as name, gender, address and DOB are correct.

    Scenario 2

    Jenny attends the practice of Tim, the tax agent, to lodge her tax return. Tim visually verifies Jenny’s identity by sighting her driver’s licence and confirms the photo, name and DOB match those of Jenny.

    Tim uses his practice management software to record the date, time and identity document sighted. Tim does not retain, nor is he required to keep a copy of Jenny's driver's licence.

    End of example

    Source ATO

    Undertaking source verification using ATO systems involves comparing data provided by the client against data we hold. Source ATO verification is suitable for in person (including video) interactions and remote interactions.

    Begin by seeking your client's permission to link them using their TFN and DOB or ABN and name. After linking, verify that the name your client gave matches what is on ATO systems.

    Source ATO cannot be used to prove the identity of an individual representative of your client. Source DVS or Visual are the only appropriate methods for this.

    Once linked, you must verify two further pieces of information against ATO systems. You can only use the following information:

    • bank account details
    • details from an ATO-generated notice or lodged return that you can confirm on ATO systems
      • notice of assessment sequence number or reference number
      • activity statement document identification number
      • correspondence reference number.
    • ATO account details
      • recent account balance – information provided by client can be close, typically plus or minus ten percent
      • amount of any refund, payment or interest (general interest charge / shortfall interest charge) imposed – information provided by client can be close, typically plus or minus ten percent
      • amount and frequency of a payment plan
      • pay as you go instalment amount or rate.
    • information specific to the client, including
      • name and membership number of super fund
      • private health insurance membership number.

    Scenario 3

    Tom seeks the services of Samantha, the BAS agent, to help manage the books for his gardening business that he operates as a sole trader. Tom signs a letter of engagement providing Samantha permission to initiate a client/agent relationship through ATO systems and provides his ABN and DOB accordingly.

    Once linked, Tom shows Samantha evidence of his bank account details and recent activity statement document identification number, which Samantha is able to sight and verify against ATO systems.

    Satisfied that client verification has been completed, Samantha agrees to take Tom on as a client and records completion of client verification, including date, time and the documentation that was sighted in person to confirm identity.

    Combination example

    Tom didn't bring a prior copy of an activity statement (including document identification number) with him. Tom supplies his Medicare card along with his bank details as above. By using the Visual and Source ATO methods in combination, Tom's identity can be verified.

    End of example

    Source DVS

    Source DVS involves comparing a client's details on government issued identity documents against details held by a DVS provider. This method is suitable before linking a client using their TFN and DOB or ABN. This method is suitable for in-person (including video) and remote interactions.

    You must verify the client's name and their DOB or address against two separate government identity documents. At least one must be a primary identification document.

    To use this method, you must have an arrangement with an appropriate provider. Find out more at Gateway Service Providers.

    Scenario 4

    Jane engages Sam, the tax agent, to help lodge her Income Tax Return. Jane does not have photo identification; however, she brings her Australian Birth Certificate and Medicare Card as evidence of her identity. Sam sights the documents brought in by Jane and is able to verify her identity using Source DVS.

    Sam does not retain a copy of the identity documents shared by Jane but records completion of client verification, including date, time and the documentation that was sighted in person to confirm her identity.

    End of example

     

    Scenario 5

    Online Tax Company is a tax agent that operates primarily online. Jonathon visits Online Tax Company's website and wishes to use their service to lodge his tax return this year. As part of the sign-up process, Jonathon provides his name, DOB and address, accepts terms and conditions of engagement and confirms authority for Online Tax Company to act on his behalf. Jonathon's identity is then checked in the background using the DVS provider. His details are confirmed as matching his driver's licence and passport. Jonathon is allowed to proceed and complete his lodgment through Online Tax Company's service.

    Combination example

    Online Tax Company utilises a DVS service but has chosen an option that only checks against one identity document. Online Tax Company uses the Source ATO method in combination and checks the bank details on ATO systems against those the client provides. By using these methods in combination, the client verification process can be completed.

    End of example

    Documents you must use when undertaking Visual or Source DVS methods

    Document

    Types

    Primary photographic

    • Driver's licence or permit from Australia or overseas, including a digital driver's licence
    • Australian passport
    • Government proof of age card issued in Australia
    • Foreign passport issued by a foreign government or the United Nations
    • International travel documents issued by a foreign government or the United Nations
    • National identity card issued by a foreign government or the United Nations
    • ImmiCard provided by Department of Home Affairs

    Primary non-photographic

    • Australian birth certificate, birth extract or citizenship certificate
    • Foreign birth certificate or citizenship certificate
    • Government issued concession card, such as a pensioner concession card, a health care card, or a senior's health care

    Secondary identification documents

    • Australian Medicare card
    • Notice from the ATO or other government agency, such as Centrelink, that contains the person’s name and residential address, issued in the past 12 months
    • Municipal council rates notice or a utilities bill (such as a water, gas or electricity bill) that contains the person’s name and residential address, issued in the past three months

    For a person under 18 years old, either a:

    • Letter from a school principal issued in the past three months that details the person’s name, residential address and when they attended the school
    • Student card

    Clients without conventional identity documents

    Some clients may not be able to provide identity documents to pass client verification as they:

    • are living in a remote area; for example Aboriginal or Torres Strait Islander communities
    • have been affected by a natural disaster
    • came to Australia as a refugee
    • have limited access to identity documents; for example, due to experiencing family or domestic violence or homelessness.

    In these circumstances, we expect you to apply professional judgment to determine that, on balance, the person is who they say they are. We recommend you maintain accurate records at the time that outline the:

    • client's circumstances
    • details of steps you have taken to establish the client's identity.

    Potential fraud

    If you are unable to verify a client and suspect potential fraud:

    • do not give the client any private information; importantly, do not share or confirm pre-fill information
    • contact us so that we can stop any other attempts to use that identity.

    If you use the Source ATO method and suspect potential fraud, delink the client immediately and contact us.

    Relationship verification

    Take care to verify the authorised relationship for clients who act on behalf of other people or entities. In these situations, the individual acting on behalf of the person or entity must have their identity proven using the methods described above. They must also prove they are authorised through relationship verification.

    Acting on behalf of another individual

    You should take reasonable care to establish that an individual is acting on behalf of another individual. You must sight documents that prove they are authorised. Examples include:

    • a birth certificate, including evidence if a different name exists
    • adoption papers
    • a court order
    • a letter of authority – the letter should include the name, TFN, DOB and address of the client and name, DOB and address of the representative. The letter should indicate the specific tax matters the client has authorised the representative to complete and the time period the authority is valid for. The authority should be signed and dated by the client.
    • a power of attorney
    • a signed doctor's letter with an explanation of the circumstances
    • verbal authority after verifying the individual using one of the methods above.

    In applying reasonable care to verifying a relationship, you should consider the currency of the documents being utilised. If you have doubts about the authenticity of any document consider asking for further proof.

    If you cannot verify the relationship before linking, you may link the client first and then use ATO systems to confirm the relationship using authorised contacts or associate data. However, you cannot link the authorised representative personally to confirm their identity; this must be done using Source DVS or Visual methods (unless the representative is also your client, in which case Source ATO may be used). To change the authorised contact, see Update your contact details or authorised contacts.

    Scenario 6

    Kelly is Jane's mother. Jane is working overseas but has some rental income from her house in Australia and dividend income from shares. Kelly visits Elaine, the tax agent, to lodge Jane's tax return. Kelly produces a letter of authority that Jane has signed instructing that Kelly has the authority to act on Jane's behalf for all taxation matters for the period of Jane's absence. The letter provides Jane's TFN. Elaine confirms Kelly's identity using the visual verification method above.

    End of example

    Acting on behalf of an entity

    You should apply reasonable care to establish the individual is authorised to act on behalf of the entity. You can apply one or more of the following as evidence of authorisation:

    • an Annual Company Statement or current company extract from Australian Securities & Investment Commission (ASIC), identifying the individual as an officeholder
    • confirmation from ASIC that the individual is an officeholder; for example, through the ASIC registered agent portal if you are also an ASIC registered agent
    • a trust deed
    • a partnership agreement
    • a constitution or certificate of incorporation for an incorporated association or a Constitution of a registered cooperative. These documents may identify the individual as an associate of the entity.
    • copies of board meeting minutes documenting the appointment
    • verbal authority from an existing authorised representative or officeholder (after verifying that person)
    • ABR details
    • employment contract indicating position; for example, tax manager
    • onsite presence at the business premises; for example, you meet with the person at the business location
    • representative is clearly identified on the business's website as holding a relevant role to the management of the business's taxation, superannuation or finance functions.

    In applying reasonable care to verifying a relationship, you should consider the currency of the documents being utilised. If you have doubts about the authenticity of any document, consider asking for further proof.

    If you cannot verify the relationship before linking, you may link the client first and then use ATO systems to confirm the relationship using authorised contacts or associate data. However, you cannot link the authorised representative personally to confirm their identity; this must be done using Source DVS or Visual methods, unless the representative is also your client, in which case Source ATO may be used.

    Scenario 7

    TimTax is operated by Tim the BAS Agent. Tim has been completing BAS lodgments for IT2000 Pty Ltd for 7 years. Tim has always dealt with Joan, one of the finance staff at IT2000. As the lodgment date approaches, Tim is contacted by Jason. Jason says he is now looking after the finance side of things at IT2000 and Joan has left. Jason says Joan departed the firm suddenly after some issues. As a result his details will not be on ATO systems.

    Jason emails a copy of the minutes from the last board meeting to Tim from his work email address JasonF@it2000.com.au and highlights the section acknowledging that Joan had left and Jason had been appointed as the new finance officer. Tim recognises that the company email and letterhead are legitimate; however, in order to be sure, he contacts one of the existing directors and confirms Jason is the new finance officer. Tim then confirms Jason's identity personally using either the Visual or Source DVS method.

    End of example

    Reviewing verification and authorisation

    It may be appropriate to undertake reviews of client verification and relationship authorisation for ongoing clients and individual representatives. In making these decisions we expect you apply reasonable care, taking into consideration the circumstances of the client.

    Elements to consider in decision making include:

    • the risks associated with the request; for example, changing contact or bank account details, lodging amendments or original returns/statements with higher refunds, rolling over superannuation or early access to superannuation
    • the risks associated with a representative; for example, claiming to represent many people or changes in who the representative is for a person or entity that cannot be independently verified or where there has been a relationship breakdown
    • whether there has been continuity in the client’s engagement of the practitioner, or whether there has been a break in the engagement
    • the extent of your relationship and familiarity with the client
    • whether there has been a change in the circumstances or any discrepancies that arise in relation to the client’s identity or other affairs
    • any requirements of the registered tax practitioner’s professional association or Australian Financial Services Licensee.

    Scenario 8

    InternetTax is an agent that predominantly offers an online tax return service. Initial registration is established by providing enough client information to complete Source ATO client verification, acceptance of engagement terms and conditions, and creation of a username, password and a multi-factor one time passcode, which can be used to log in in future. Tax returns are reviewed by a suitably qualified accountant working for InternetTax before they are lodged.

    Upon lodgment of returning clients' Income Tax returns, the accountant notices that five members of the same extended family lodged their tax returns this morning around the same time. The tax returns all showed a significant uplift in expected refunds to $30,000 each. The financial institution details have also been updated for each client to the same account.

    The accountant decides to make contact with the family to confirm lodgment and re-verify identity. Before commencing re-verification, the agent is told the family's home was broken into and a computer and mobile phone were stolen. The computer and phone had all of their passwords on them, and the mobile number was linked to the multi-factor notification. The accountant does not proceed with the lodgments and reports the matter to the ATO.

    End of example

     

    Scenario 9

    A client who last lodged through InternetTax in 2015 logs on in July 2021 using their username and password and is required to establish multi-factor authentication (introduced to online products in 2019) to lodge their personal tax return for the 2021 period. The client has used a different agent for lodgment of the returns in the intervening period. Due to the period of time that has passed and the requirement to establish multi-factor authentication, InternetTax re-verifies the client using the Source ATO method. The client passes re-verification and lodges their return.

    End of example

     

    Scenario 10

    Jenny is a tax agent running the firm GetYourTaxToday. The firm operates in a town with a lot of pass-through traffic. Many of Jenny's clients use her for her convenience and the fact that she offers refunds on the spot. Many of Jenny's clients are passing through and do not necessarily return each year.

    Last year, Jenny did the tax return for Angelo, an interstate truck driver working for a transport company. This was done through Angelo's girlfriend Tammy who completed appropriate client verification for her and Angelo and was an authorised contact with the ATO on Angelo's account. Tammy presented with all of the receipts and documents to support the lodgment.

    This year Tammy visits again and wants to lodge Angelo's tax return like last year. However, this time Tammy does not have the same receipts and documents as last year. She has also asked for the refund to go into a different bank account than last year; the bank account seems to be her personal bank account.

    Jenny says she will need to contact Angelo to confirm she is still authorised, as a precaution. At this point Tammy appears to get agitated and rude, before saying 'don't worry about it' and walking out.

    Jenny calls Angelo, who tells her Tammy is no longer his girlfriend and instructs Jenny not to deal with her and to remove her as an authorised contact with the ATO.

    End of example

     

    Scenario 11

    Kelly is the Tax Agent for Logo1999 Pty Ltd, a digital marketing company. Kelly recently prepared the 4th quarter BAS. A refund is expected for the BAS but it is still being processed. Kelly receives an email from Sam, one of the staff in the tax and finance team at Logo1999. The email says that the bank details for Logo1999 have recently changed and provides new bank details. The bank details appear to be for a personal account at a different bank to the one Logo1999 normally uses.

    Kelly decides to make contact with Jennifer, the Tax Manager at Logo1999, to confirm the request. Jennifer tells Kelly she did not authorise the request. Kelly takes a closer look at the email and, when she clicks on the email address, sees that the email is from a gmail.com account. Logo1999 emails are usually user@logo1999.com. These extra checks prevented the possible payment of the BAS refund to a fraudster.

    End of example

    Recording client verification

    We do not recommend retaining identification documents. This may increase the risk of registered practitioners being targeted by criminals undertaking identity theft.

    Instead we recommend that you maintain a contemporaneous record (for example, a checklist) that includes the following information:

    • the date and time that you did proof of identity checks
    • the name and title of the person undertaking the proof of identity checks if they do it on your behalf
    • the identification documents that were sighted, and whether they were originals or certified copies
    • how the identification documents were sighted (in person or electronically).

    Reasonable care

    In applying this document, agents should apply reasonable care. This may mean asking for additional proof beyond what is described in this document. This might be appropriate where the client is dismissive of the client verification process, is not forthcoming, applies pressure or provides documents that appear to be fake or otherwise unusual. This behaviour should indicate a heightened risk, particularly in situations such as:

    • requests for bank account changes
    • requests to amend returns or statements (particularly to increase refunds)
    • requests to lodge returns or statements with significant or unusual refunds
    • requests to release or roll-over superannuation
    • requests for information off ATO systems including pre-fill information
    • request for personal information that would ordinarily be known to individuals or entities
    • where a person is acting on behalf of another person or multiple persons.

    Consultation questions

    1. What impact will this new client verification method have on your existing processes?
    2. How would you prepare new clients for this process?
    3. What could the ATO do to assist in this?
    4. With regard to Relationship verification, what challenges do you see for your clients?
    5. Are the guidelines clear and easily understood?

    Last modified: 27 Apr 2021
    QC 65469