  • Strengthening client verification guidelines

    In developing this guideline, the ATO has consulted with the Tax Practitioners Board (TPB) and the tax profession to ensure consistency and alignment. This guideline should be read in conjunction with the TPB’s Practice Note TPB(PN) 5/2022 Proof of identity requirements for client verification.

    Strong verification is important

    Strong client verification helps to protect tax practitioners, their clients, and Australia’s tax and superannuation systems from misuse and abuse due to identity theft and related issues. With an ever-increasing reliance on technology and remote work practices, the risks presented by this continue to rise.

    There are increasingly widespread and sophisticated attempts by criminals to commit refund fraud by stealing taxpayer identities. This has devastating financial consequences for affected individuals and a flow-on effect to the Australian community. Our experience with tax practitioners affected by identity breaches has highlighted varying levels of discrepancies in client verification practices.

    This guideline is intended for registered tax practitioners (registered tax agents and BAS agents) using Online services for agents or practitioner lodgment services through software. It outlines how you undertake client identity verification. In following this guideline, you will have met the requirements prescribed by the TPB. Failure to take appropriate proof of identity steps to verify a client's or individual representative's identity may result in a breach of the Tax Agent Services Act 2009 and disciplinary actions by the TPB.

    Our approach

    For most agents, there will be little change to your existing client verification practices. To minimise risk and protect your practice and clients from identity theft, our recommendation is that you start adopting these changes straightaway.

    This guideline is part of the TPB and ATO’s transition towards mandating minimum standards of client verification. We will continue to consult with the TPB and the tax profession before mandating these minimum requirements. You are encouraged to adopt these standards on a voluntary basis between now and then.

    These guidelines should be read as minimum requirements. You are encouraged to go beyond these requirements if you still have concerns about a person's identity, even if the minimum requirements are met.

    Although the ATO and the TPB seek to support you in managing client identity risks to your practice, the responsibility to verify client identity ultimately rests with you as the tax practitioner (see Practice Note TPB(PN) 5/2022 Proof of identity requirements for client verification). As such, you should take reasonable care in applying these guidelines to specific scenarios.

    Reasonable care

    In applying the minimum standards outlined in this guideline, agents should apply reasonable care. In some circumstances, you may need to ask for additional proof beyond what is described in this document. This might be appropriate where the client:

    • is dismissive of the client verification process
    • is not forthcoming
    • applies pressure or provides documents that appear to be fake or otherwise unusual.

    This behaviour indicates heightened risk, particularly in situations such as:

    • requests for bank account changes
    • requests to amend tax returns or statements (particularly to increase refunds)
    • requests to lodge returns or statements with significant or unusual refunds
    • requests to release or roll-over super
    • requests for information off ATO systems including pre-fill information
    • request for personal information that would ordinarily be known to individuals or entities
    • where a person is acting on behalf of another person or multiple persons.

    Who you need to verify

    We do not expect you to go back and verify your entire client base. Instead, we are asking that you perform identity checks from this point on for:

    • all new clients including representatives of new clients
    • new representatives of existing clients
    • existing clients where you have concerns the client may not be who they say they are.

    Example: verification and nature of enquiry

    John is a tax agent who has been operating for 30 years. Bob, who owns a small business called Bob's Homewares, is one of John's long-time clients. Bob has always met John in person to manage the tax affairs of his business.

    Martin attends John's practice, informing John that he works with Bob and is there to handle the business's tax returns for the current year.

    John doesn't know Martin, and Bob has not advised John about the arrangement. John explains to Martin that as part of the client verification requirements, he will need to verify his identity and authority to act on behalf of Bob's Homewares.

    John asks Martin for his full name along with his address and DOB. He then asks Martin to provide photographic ID to verify those details. Martin shows John his driver's licence, which John uses to visually confirm his details and match to his photo.

    John asks Martin if he has any documents to show he is authorised to act on behalf of Bob's Homewares. Martin advises he had prepared documentation but has left it at the office. He tells John that he is listed as an authorised contact on the ATO record for the business. John checks the client record for the business and can see that Martin is listed as an authorised contact.

    As this is the first time that John has met Martin without any prior notice from Bob, he takes the extra step of calling Bob. He was able to confirm Martin's authority to act on behalf of the business.

    John has taken all the necessary steps to confirm Martin's identity and authority.

    End of example

    Recording client verification

    We and the TPB do not recommend retaining identification documents. Retaining identification documents may increase your risk of being targeted by criminals undertaking identity theft. Instead, you should maintain contemporaneous records to demonstrate that proof of identity steps were undertaken.

    For further information, refer to the Tax Practitioners Board’s Practice Note TPB(PN) 5/2022 Proof of identity requirements for client verification.

    Verification methods

    You must verify 2 separate proof of identity documents using one or a combination of the methods in table 1. The exception is when a primary photographic proof of identity document can be verified using the visual method (such as a drivers licence).

    Table 1. Verification methods

    | Method | Description |
    | --- | --- |
    | Visual | Visually checking a client's identification documents. Suitable when you are interacting with the client in person or by video. For most clients, a visual check of a drivers licence will be all that is needed. Can be used to prove the identity of an individual representative of your client. |
    | Source ATO | Comparing data provided by the client against data on ATO systems. Suitable for in person (including video) interactions, remote interactions and digital interactions through software (for example, online customer portals). Cannot be used to prove the identity of an individual representative of your client unless the authorised representative is also your client. |
    | Source DVS (Document Verification Service) | Comparing a client's details on government issued identity documents against details held by a DVS provider. This method is suitable for in-person (including video) and remote interactions. Can be used to prove the identity of an individual representative of your client. |

    You may apply these methods in combination to achieve a total of 2 separate proof of identity documents as outlined in Table 2.

    Table 2. Combination of verification methods

    | Combinations | Two separate proof of identity documents |
    | --- | --- |
    | Visual + Visual | Verify at minimum 2 visual identity documents (original non-photographic identification document or secondary identification document) |
    | Visual + Source ATO | Visual (original non-photographic identification document or secondary identification document) and verify at minimum 2 pieces of information verified using Source ATO |
    | Visual + Source DVS | Visual (original non-photographic identification document or secondary identification document) and name and DOB or address on a primary or secondary document verified through Source DVS |
    | Source ATO + Source DVS | Verify at minimum 2 pieces of information verified using Source ATO and name and DOB or address on a primary or secondary document verified through Source DVS |

    Visual method

    Step 1

    Begin by seeking your client’s name, TFN, or ABN along with their address or DOB.

    Step 2

    Sight your client’s identity documents.

    If primary photographic ID has been provided, ensure the photo matches the person.

    Confirm visually the details on the documents match those given by your client such as name, gender, address and DOB.

    You must use the documents specified by the TPB Practice Note 5/2022 Proof of identity requirements for client verification.

    Step 3

    Obtain written or electronic authority from the client to act on their behalf and to link them to the client record using their TFN and DOB, or ABN and name, for example, an engagement letter.

    Step 4

    Once linked, confirm your client’s name, TFN or ABN, and address or DOB match ATO records.

    When undertaking client verification checks:

    • do not confirm or deny specific information from the ATO client record
    • do not give the client any private information
    • do not share or confirm pre-fill information.

    Example: visual verification

    Jenny goes to Tim's tax practice to lodge her tax return. Tim visually verifies Jenny’s identity by sighting her driver’s licence and confirms the photo, name and DOB match those of Jenny.

    Tim uses his practice management software to record the date, time and identity document sighted. Tim does not retain, nor is he required to keep, a copy of Jenny's driver's licence.

    End of example

    Source ATO method

    Step 1

    Obtain written or electronic authority from the client to act on their behalf and to link them to the client record using their TFN and DOB, or ABN and name, for example, an engagement letter.

    Step 2

    Once linked, verify the name your client gave matches the name on ATO systems.

    Step 3

    Verify, at minimum, 2 further pieces of information against ATO systems. You can only use the following information:

    • bank account details
    • details from an ATO-generated notice or lodged return that you can confirm on ATO systems
      • notice of assessment sequence number or reference number
      • activity statement document identification number
      • correspondence reference number
    • ATO account details
      • recent account balance – information provided by client can be close, typically plus or minus 5% (a nil balance value is not acceptable)
      • amount of any refund, payment or interest (general interest charge or shortfall interest charge) imposed – information provided by client can be close, typically plus or minus 5%
      • amount and frequency of a payment plan
      • pay as you go instalment amount or rate
      • gross payment or tax withheld from income statement
      • reportable super contributions
      • HELP balance (a nil balance value is not acceptable)
    • information specific to the client, including
      • name and membership number of super fund
      • private health insurance membership number.

    When undertaking client verification checks:

    • do not verify the same pieces of information for all clients (instead, randomise requests for identity verification purposes)
    • do not ask for multiple client details from the same source or information that could be obtained from social media
    • do not confirm or deny responses to client verification questions. Instead, complete a series of questions and provide a final response at the end such as 'I am unable to verify your information at this stage.'
    • do not give the client any private information
    • do not share or confirm pre-fill information.
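
    The matching rules in Step 3 and the conduct rules above, sketched for an online portal as an added example (not ATO, TPB or vendor code). The field keys, the grouping of fields into sources and the pass criterion of 2 matches from different sources are assumptions for illustration; the sample record is constructed.

```python
import secrets
from datetime import datetime, timezone
from decimal import Decimal, InvalidOperation

TOLERANCE = Decimal("0.05")  # "typically plus or minus 5%"
NEUTRAL_FAILURE = "I am unable to verify your information at this stage."

# Hypothetical field keys -> (source group, match rule). Groups follow the
# top-level bullets of the Step 3 list; treating each as one "source" is an
# assumption made for this example.
FIELDS = {
    "bank_account": ("bank", "exact"),
    "noa_sequence_number": ("ato_notice", "exact"),
    "activity_statement_din": ("ato_notice", "exact"),
    "correspondence_reference": ("ato_notice", "exact"),
    "account_balance": ("ato_account", "amount_nonzero"),  # +/-5%, nil rejected
    "refund_amount": ("ato_account", "amount"),            # +/-5%
    "help_balance": ("ato_account", "exact_nonzero"),      # nil rejected
    "super_fund_member_number": ("client_specific", "exact"),
    "private_health_member_number": ("client_specific", "exact"),
}

# Constructed sample record standing in for data held on ATO systems.
SAMPLE_RECORD = {
    "bank_account": "062-000 12345678",
    "help_balance": "2500.00",
    "refund_amount": "1840.00",
    "account_balance": "0",
    "super_fund_member_number": "SF-998877",
}


def _norm(value):
    """Compare identifiers ignoring case, spaces and punctuation."""
    return "".join(ch for ch in str(value).casefold() if ch.isalnum())


def matches(field, supplied, on_record):
    """Apply the match rule for one field; malformed amounts never match."""
    rule = FIELDS[field][1]
    if rule == "exact":
        return _norm(supplied) == _norm(on_record)
    try:
        s, r = Decimal(str(supplied)), Decimal(str(on_record))
    except InvalidOperation:
        return False
    if rule.endswith("nonzero") and r == 0:
        return False  # a nil balance value is not acceptable
    if rule.startswith("exact"):
        return s == r
    return abs(s - r) <= TOLERANCE * abs(r)


def usable_fields(record):
    """Fields on record that may be asked about (nil balances excluded)."""
    out = []
    for name, value in record.items():
        if name not in FIELDS:
            continue
        if FIELDS[name][1].endswith("nonzero") and Decimal(str(value)) == 0:
            continue
        out.append(name)
    return out


def pick_challenges(record, count=2, rng=None):
    """Randomise what is asked, one field per source, so clients differ."""
    rng = rng or secrets.SystemRandom()
    by_source = {}
    for name in usable_fields(record):
        by_source.setdefault(FIELDS[name][0], []).append(name)
    if len(by_source) < count:
        raise ValueError("not enough independent sources on record")
    return [rng.choice(by_source[s]) for s in rng.sample(sorted(by_source), count)]


def verify(name_supplied, name_on_record, answers, record, now=None):
    """Return (message for the client, internal audit record).

    The client only ever sees one final response; which items matched is
    kept in the audit record, which holds field names but no values.
    """
    results = {f: matches(f, v, record[f]) for f, v in answers.items()
               if f in FIELDS and f in record}
    matched_sources = {FIELDS[f][0] for f, ok in results.items() if ok}
    passed = (_norm(name_supplied) == _norm(name_on_record)
              and len(matched_sources) >= 2)
    audit = {
        "checked_at": (now or datetime.now(timezone.utc)).isoformat(),
        "method": "Source ATO",
        "fields_checked": sorted(results),
        "fields_mismatched": sorted(f for f, ok in results.items() if not ok),
        "outcome": "verified" if passed else "not verified",
    }
    return ("Verification complete." if passed else NEUTRAL_FAILURE), audit
```

    Mismatches recorded in `fields_mismatched` are a natural trigger for the reasonable-care review this guideline describes, even when the overall outcome is verified.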

     

     

    Example: source ATO method

    Tom seeks the services of Samantha, a BAS agent, to help manage the books for his gardening business that he operates as a sole trader. Tom signs a letter of engagement providing Samantha with permission to initiate a client/agent relationship through ATO systems and provides his ABN and DOB.

    Once linked, Tom shows Samantha evidence of his bank account details and recent activity statement document identification number, which Samantha is able to sight and verify against ATO systems.

    Satisfied that client verification has been completed, Samantha agrees to take Tom on as a client and records completion of client verification, including date, time and the documents that were sighted in person to confirm identity.

    Jae, a sole trader operating a small printing business, decides to use Samantha's services. She doesn't have a prior copy of an activity statement (or document identification number). Instead, Jae supplies her Medicare card along with her bank details and super fund details. Samantha visually checks Jae's Medicare card details and asks Jae to sign a letter of engagement providing permission to initiate a client/agent relationship through ATO systems and using Jae's ABN and DOB.

    Once linked, Samantha notes that Jae's bank details and super fund details match the records on ATO systems. By using the Visual and Source ATO methods in combination, Jae's identity can be verified.

    End of example

    Source DVS method

    To use this method, you will need to have an arrangement with an appropriate provider. Find out more at Gateway Service Providers.

    Step 1

    Begin by asking your client for their name and DOB or address.

    Step 2

    Access via your DVS provider and verify the client’s name and DOB or address against 2 separate government identity documents as stated in the TPB Practice Note 5/2022 Proof of identity requirements for client verification (at least one must be a primary identification document).

    Example: source DVS

    Jane engages Sam, the tax agent, to help lodge her tax return. Jane does not have photo identification; however, she brings her Australian birth certificate and Medicare card as evidence of her identity. Sam sights Jane's documents and is able to verify her identity using Source DVS.

    Sam does not retain a copy of the identity documents shared by Jane but records completion of client verification, including the date, time and the documents that he visually checked to confirm her identity.

    End of example

    Example: DVS service provider

    Online Tax Company is a tax agent that operates primarily online. Jonathon visits Online Tax Company's website and wishes to use their service to lodge his tax return this year. As part of the sign-up process, Jonathon provides his name, DOB, TFN and address. He accepts the terms and conditions of engagement and confirms authority for Online Tax Company to act on his behalf. Jonathon's identity is then checked in the background using the DVS provider. His details are confirmed as matching his driver's licence and passport. Jonathon is allowed to proceed and complete his lodgment through Online Tax Company's service and a record of the verification is retained in the software.

    In addition to a client's name, DOB and TFN, Online Tax Company also uses a DVS service but has chosen an option that only checks against one identity document. Online Tax Company uses the Source ATO method in combination and checks the bank details and email address on ATO systems against those the client provides. By using these methods in combination, the client verification process can be completed.

    End of example

    Clients without conventional identity documents

    Some clients may not be able to provide identity documents to pass client verification. As outlined by the TPB, you should take a flexible approach to verify the identity of these clients.

    For further information, refer to the Tax Practitioners Board’s Practice Note TPB(PN) 5/2022 Proof of identity requirements for client verification.

    Relationship verification

    For clients who act on behalf of other people or entities, you must verify both:

    • the representatives’ identity using the methods described in Table 1
    • that the representative is authorised through relationship verification.

    Acting on behalf of another individual

    To establish that an individual is acting on behalf of another individual, the steps are as follows.

    Step 1

    Verify the identity of the representative using either Visual or Source DVS methods.

    Source ATO method can only be used if the representative is also your client.

    Step 2

    Verify that the authorised relationship exists using one or more of the forms of evidence prescribed by the TPB.

    For more information see: TPB Practice Note 5/2022 Proof of identity requirements for client verification.

    You can also verify the authorised relationship by looking at the authorised contacts listed on the ATO individual client record for the client you are authorised to act on behalf of. You can only access the client's record after verifying the identity of the authorised representative.

    In applying reasonable care to verifying a relationship, consider the currency of the documents being used. If you have doubts about the authenticity of any document, consider asking for further proof.

    Example: acting for another individual

    Kelly is Jane's mother. Jane is working overseas but has some rental income from her house in Australia and dividend income from shares. Kelly visits Elaine, the tax agent, to lodge Jane's tax return. Kelly produces a letter of authority that Jane has signed instructing that Kelly has the authority to act on Jane's behalf for all taxation matters for the period of Jane's absence. The letter provides Jane's TFN. Elaine confirms Kelly's identity using the visual verification method.

    End of example

    Acting on behalf of an entity

    If your client is acting on behalf of an entity or they are a representative of another person, the verification process is as follows:

    Step 1

    Verify the identity of the representative using either Visual or Source DVS methods.

    Source ATO method can only be used if the representative is also your client.

    Step 2

    Verify that the authorised relationship exists using one or more of the forms of evidence prescribed by the TPB.

    For more information see: TPB Practice Note 5/2022 Proof of identity requirements for client verification.

    You can also verify the authorised relationship by looking at the authorised associates/contacts listed on the ATO client record for the client you are authorised to act on behalf of. You can only access the client's records after verifying the identity of the authorised representative.

    In applying reasonable care to verifying a relationship, consider the currency of the documents being used. If you have doubts about the authenticity of any document, consider asking for further proof.

    Example: seeking further proof

    TimTax is operated by Tim the BAS Agent. Tim has been completing BAS lodgments for IT2000 Pty Ltd for 7 years. Tim has always dealt with Joan, one of the finance staff at IT2000. As the lodgment date approaches, Jason contacts Tim. Jason says he is now looking after the finance side of things at IT2000 and Joan has left. Jason says Joan departed the firm suddenly after some issues. As a result his details will not be on ATO systems.

    Jason emails a copy of the minutes from the last board meeting to Tim from his work email address JasonF@it2000.com.au and highlights the section acknowledging that Joan had left and Jason had been appointed as the new finance officer. Tim recognises the company email and letterhead are legitimate; however, in order to be sure, he contacts one of the existing directors and confirms Jason is the new finance officer. Tim then confirms Jason's identity personally using either the Visual or Source DVS method.

    End of example

    Reviewing verification and authorisation

    It may be appropriate to undertake reviews of client verification and relationship authorisation for ongoing clients and individual representatives. In making these decisions we expect you to apply reasonable care, taking into consideration the circumstances of the client.

    Elements to consider in decision making include (but are not limited to):

    • the risks associated with the request; for example, changing contact or bank account details, lodging amendments or original tax returns or statements with higher refunds, rolling over super or early access to super
    • the risks associated with a representative, as examples
      • claiming to represent many people
      • changes in representatives for a person or entity
      • where the representative’s identity or authorisation cannot be verified
      • where there has been a relationship breakdown
    • whether there has been continuity in the client’s engagement of the practitioner, or whether there has been a break in the engagement
    • the extent of your relationship and familiarity with the client
    • whether there has been a change in the circumstances or any discrepancies that arise in relation to the client’s identity or other affairs
    • any requirements of the registered tax practitioner’s professional association or Australian financial services licensee.

    Example: suspicious lodgments

    InternetTax is an agent that predominantly offers an online tax return service. The initial registration process involves:

    • obtaining sufficient client information to complete Source ATO client verification
    • client acceptance of engagement terms and conditions
    • creation of a username, password and a multi-factor one time passcode, which can be used to log in in future.

    Tax returns are reviewed by a suitably qualified accountant working for InternetTax before they are lodged.

    Upon lodgment of returning clients' tax returns, the accountant notices that 5 members of the same extended family lodged their tax returns this morning around the same time. The tax returns all showed a significant uplift in expected refunds to $30,000 each. The financial institution details have also been updated for each client to the same account.

    The accountant decides to make contact with the family to confirm lodgment and re-verify identity. Before commencing re-verification, the agent is told the family home was broken into. A computer and mobile phone were stolen that had all of their passwords on it and the mobile number was linked to the multi-factor notification. The accountant does not proceed with the lodgments and reports the matter to the ATO.

    End of example

    Example: time lapses

    Azari last lodged through InternetTax in 2015. She logs on in July 2021 using her username and password. She is required to establish multi-factor authentication (as introduced to online products in 2019) to lodge her personal tax return for the 2021 period. She has used a different agent for lodgment of her tax returns in the intervening period. Due to the period of time that has passed and the requirement to establish multi-factor authentication, InternetTax re-verifies Azari using the Source ATO method. Azari passes re-verification and lodges her tax return.

    End of example

    Example: confirming authorised contact

    Jenny is a tax agent running the firm GetYourTaxToday. The firm operates in a town with a lot of pass-through traffic. Many of Jenny's clients use her for her convenience and the fact that she offers refunds on the spot. Many of Jenny's clients are passing through and do not necessarily return each year.

    Last year, Jenny lodged Angelo's tax return. Angelo is an interstate truck driver working for a transport company. This was done through Angelo's girlfriend, Tammy, who completed appropriate client verification for her and Angelo and was an authorised contact with the ATO on Angelo's account. Tammy presented Jenny with all of the receipts and documents to support the lodgment.

    This year, Tammy visits again and wants to lodge Angelo's tax return like last year. However, this time Tammy does not have the same receipts and documents. She has also asked for the refund to go into a different bank account than last year and the bank account seems like her personal bank account.

    Jenny says she will need to contact Angelo to confirm she is still authorised, as a precaution. At this point Tammy appears to get agitated and rude, before saying 'don't worry about it' and walking out.

    Jenny calls Angelo who tells her Tammy is no longer his girlfriend and instructs Jenny not to deal with her and remove her as an authorised contact with the ATO.

    End of example

    Example: bank account fraud

    Kelly is the Tax Agent for Logo1999 Pty Ltd, a digital marketing company. Kelly recently prepared the fourth quarter BAS. A refund is expected for the BAS but it is still being processed. Kelly receives an email from Sam, one of the staff in the tax and finance team at Logo1999. The email says that the bank details for Logo1999 have recently changed and new bank details are provided. The bank details appear to be for a personal account at a different bank to the one Logo1999 normally uses.

    Kelly decides to make contact with Jennifer, the Tax Manager at Logo1999, to confirm the request. Jennifer tells Kelly she did not authorise the request. Kelly takes a closer look at the email and when she clicks on the email address the email is a gmail.com account. Logo1999 emails are usually user@logo1999.com. These extra checks prevented the possible payment of the BAS refund to a fraudster.

    End of example

    Online agents

    The ATO recognises that more registered tax practitioners are adopting online practices with minimal agent-client face-to-face or physical contact.

    Online agents who provide services through a web-, cloud- or software-based customer portal must adopt stronger and more stringent client verification processes.

    The verification methods used by online agents must meet the following.

    Step 1

    Ensure that client details match ATO records (full name, TFN, DOB).

    Step 2

    Verify any 2 additional pieces of information using a combination of verification methods in table 2.

    You should limit using data that could easily be identifiable through social media, such as residential address, email address, phone number or employer ABN.

    If you are creating an online portal or software, there are additional requirements that you will need to meet to ensure that storage and transmission of the data maintain a high level of security. For example, you need to ensure that ATO data you access is not open to cybercrime.

    Our Digital Service Provider (DSP) Operational Security Framework establishes the minimum-level security requirements a DSP needs to meet in order to access ATO Digital Services. You can seek further advice from the Digital Partnership Office.

    Potential fraud

    If you are unable to verify a client or the information they provided and suspect potential fraud:

    • do not confirm the specific incorrect information or provide the correct information, instead ask for additional information that you can use to verify their identity
    • do not give the client any private information, importantly do not share or confirm pre-fill information
    • contact us so that we can stop any other attempts to use that identity.

    If you use the Source ATO method and suspect potential fraud, delink the client immediately and contact us.

    Example: unable to verify client or information provided

    Tam is approached by a potential new client, Quinn, who is looking to lodge their individual tax return through Tam's tax practice. Tam advises Quinn that as part of TPB and ATO client verification requirements, he will need to confirm Quinn's identity.

    Using the Source ATO method, Tam asks Quinn for permission to link them using Quinn's TFN, DOB, and name. Quinn provides those details and Tam is able to verify that Quinn's name matches the name on ATO systems.

    Tam then asks Quinn if they have additional details that he can use to verify their identity. Quinn provides their bank account details and private health membership number. Tam checks the details against ATO systems and is able to verify Quinn's bank details; however there is a mismatch in private health membership details.

    Tam does not confirm the mismatch with Quinn and instead sees that Quinn has a payment plan in place. He asks Quinn if they have a payment plan in place with the ATO. Quinn says they do. Tam asks for details of the payment plan and Quinn is able to provide details of the arrangement including frequency and amounts and current balance, which matches ATO systems.

    Tam has exercised reasonable care and taken extra steps to confirm Quinn's identity and takes them on as a client and proceeds with giving tax services. He records the identity checks undertaken on his practice's client engagement form.

    End of example

    Example: randomising questions

    Bree is approached by Maree, a potential new client, to help with her tax return. Bree advises Maree of TPB and ATO verification requirements and gets her permission to link her and confirm her name on ATO systems.

    Bree undertakes proof of record ownership and asks Maree if she had brought additional information that she can verify. Maree has her bank account details and tells Bree that she also has $2,400 in HELP debt. Bree checks Maree's bank details and notices one of the digits in the account number Maree provided didn't match the record on ATO systems. The HELP debt Maree quoted also differed from the amount in ATO systems by 4%.

    Without confirming the discrepancy, Bree asks Maree for her super fund details and Maree is able to provide details that match records on ATO systems. Bree also notices Maree received a refund from her last tax return. She asks her what the outcome was from her last tax return. Maree was able to tell Bree that she received a refund and the amount, which matched her records.

    Bree has exercised reasonable care and taken extra steps to confirm Maree's identity. She records the identity checks undertaken on her practice's client engagement form.

    End of example
    Last modified: 07 Feb 2022
    QC 67529