Agent client verification methods

Gives additional context on how agents may perform client verification when engaging with our systems.

Last updated 18 May 2023

Strong verification is important

Read this in conjunction with the Tax Practitioner Board’s (TPB) Practice Note TPB(PN) 5/2022 Proof of identity requirements for client verification.

Strong client verification helps to protect tax practitioners, their clients, and Australia’s tax and superannuation systems from misuse and abuse due to identity theft and related issues. With an ever-increasing reliance on technology and remote work practices, the risks presented by this continue to rise.

This information is intended for registered tax practitioners (registered tax agents and BAS agents) using Online services for agents or practitioner lodgment services through software. It outlines practical steps to perform client verification when using our systems. If you follow this guideline in conjunction with the requirements prescribed by the TPB, you are deemed to have met the requirements of both agencies. In following the TPB’s Practice Note TPB(PN) 5/2022, you are also deemed to have met our requirements with respect to client verification.

Our approach

Read these guidelines as minimum requirements. You are encouraged to go beyond these requirements if you still have concerns about a person's identity, even if you meet the minimum requirements.

We and the TPB seek to support you in managing client identity risks to your practice – the responsibility to verify client identity ultimately rests with you as the tax practitioner.

Who you need to verify

You need to verify all clients prescribed in the TPB’s Practice Note TPB(PN) 5/2022.

Verification methods

You must verify 2 separate proof of identity documents using one or a combination of the methods in Table 1. The exception is when either of the following occurs.

  • A primary photographic proof of identity document can be verified using the visual method (such as a drivers licence).
  • The client-to-agent linking method is successfully used through our online channels
    • this method satisfies client verification in the initial interaction only (including additional related follow-up interactions within the same approximate time period)
    • refer to TPB Practice Note 5/2022 Proof of identity requirements for client verification – specifically paragraphs 18 to 21 'Well-established clients' and paragraphs 22 to 23 'Frequency'.
Table 1. Verification methods

Method

Description

Visual

Visually checking a client's identification documents.

Suitable when you are interacting with the client in person or by video conferencing. For most clients, a visual check of a drivers licence will be all that is needed.

You must use the documents specified by the TPB Practice Note 5/2022 Proof of identity requirements for client verification.

Can also be used to prove the identity of an individual representative of your client.

Source ATO

Comparing data provided by the client against data on our systems. 

Suitable for in person (including video conferencing) interactions and remote interactions and digital interactions through software (for example, online customer portals).

Must not be used to prove the identity of an individual representative of your client unless the representative is also your client. Using this method when the representative is not your client would represent a potential breach in client privacy as you are not authorised to act for that person and to see their tax-held personal information.

Source DVS (Document Verification Service)

Comparing a client's details on government issued identity documents against details held by a DVS provider.

This method is suitable for in-person (including video conferencing) and remote interactions.

Can be used to prove the identity of an individual representative of your client.

Some DVS providers may also include facial (biometric) checks to confirm the face of the client matches the photograph on the identification document. Where this is available, we recommend this is utilised as this provides an additional layer of security.

Client-to-agent linking

We are progressively introducing client-to-agent linking technology that uses a secure client driven request through our online channels. If your client is already included, you will not be able to add them to your client list until they complete an agent nomination first.

This method substitutes for client verification in the initial interaction only (including additional related follow-up interactions within the same approximate time period).

You may apply these methods in combination to achieve a total of 2 separate proof of identity documents as outlined in Table 2.

Recording client verification

We and the TPB don't require you to or recommend that you retain identification documents. Retaining identification documents may increase your risk of being targeted by criminals undertaking identity theft. Instead, maintain records to demonstrate that you undertook proof of identity steps.

The TPB’s Practice Note TPB(PN) 5/2022 Proof of identity requirements for client verification, specifically paragraphs 24 to 25 'Record keeping', has guidance on what should be noted as a contemporaneous record.

Using the verification methods

To complete the client verification, you will need to consider the interaction setting and the method required, and use them in conjunction with the documents specified in the TPB Practice Note 5/2022 Proof of identity requirements for client verification.

You must verify 2 separate proof of identity documents using one or a combination of the methods in Table 1. The exception is when a primary photographic proof of identity document can be verified using the visual method (such as a drivers licence) or the client-to-agent linking method is successfully used through the ATO online channels.

Table 2. Combination of verification methods

Combinations

2 separate proof of identity documents

Visual + Visual

Verify at minimum 2 visual identity documents (original non-photographic identification document or secondary identification document).

Visual + Source ATO

Visual (original non-photographic identification document or secondary identification document)

and

verify at minimum 2 pieces of information verified using source ATO.

Visual + Source DVS

Visual (original non-photographic identification document or secondary identification document)

and

name and date of birth (DOB) or address on a primary or secondary document verified through source DVS.

Source ATO + Source DVS

Verify at minimum 2 pieces of information verified using source ATO

and

name and DOB or address on a primary or secondary document verified through source DVS.

Client-to-agent linking

Where this is performed successfully, further client verification by the agent is not required for that interaction. Client verification may still be required for future interactions.

When undertaking client verification, consider the following tips.

  • Don't ask for multiple client details from the same source or for information that could be obtained from social media or the public domain.
  • Don't confirm or deny responses to client verification questions. Instead, complete a series of questions and provide a final response at the end such as 'I am unable to verify your information at this stage'.
  • Don't divulge to the client any private information during the client verification process including pre-fill information.

Verification methods in detail

Visual method

Visual involves visually checking a client's identification documents.

Step 1 – Ask for your client’s name, TFN, or ABN along with their address or DOB.

Step 2 – You must use the documents specified by the TPB Practice Note 5/2022 Proof of identity requirements for client verification.

Sight your client’s identity documents. Cross-check that the details on the documents match those given by your client, such as name, gender, address and DOB.

Note: If primary photographic ID has been provided, ensure the photo is a reasonable match to the person.

Step 3 – Obtain written or electronic authority from the client (for example, an engagement letter) to act on their behalf and to link them to the client record in online services using their TFN and DOB or ABN and name.

Step 4 – Once linked, confirm that your client’s name, TFN or ABN, address or DOB matches our records.

When undertaking client verification checks:

  • don't confirm or deny specific information from the ATO client record
  • don't give the client any private information
  • don't share or confirm pre-fill information.

Source ATO method

Comparing data provided by the client against data on ATO systems requires linking to the client record. This method cannot be used to prove the identity of an individual representative of your client unless the authorised representative is also your client.

Step 1 – Begin by seeking your client’s permission to link them using their TFN and DOB or ABN and name.

Step 2 – Once linked, verify the name your client gave matches the name on ATO systems.

Step 3 – Verify 2 further pieces of information against ATO systems. You can only use the following information:

  • bank account details
  • details from an ATO-generated notice or lodged return that you can confirm on ATO systems  
    • notice of assessment sequence number or reference number
    • activity statement document identification number
    • correspondence reference number
  • ATO account details  
    • recent account balance – information provided by client can be close, typically plus or minus 5%
    • amount of any refund, payment or interest (general interest charge / shortfall interest charge) imposed – information provided by client can be close, typically plus or minus 5%
    • amount and frequency of a payment plan
    • pay as you go instalment amount or rate
    • gross payment or tax withheld from income statement
    • reportable super contributions
    • HELP balance (a zero-balance value is not acceptable)
  • information specific to the client, including    
    • name and membership number of super fund
    • private health insurance membership number.
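
For practitioners who run the Source ATO check through their own software (such as the online customer portals mentioned in Table 1), the rules in Steps 2 and 3 can be encoded as below. This is an added example, not ATO or TPB code: the field names, record layout and sample data are hypothetical, and only some of the permitted items are modelled.

```python
from dataclasses import dataclass, field

# Hypothetical field names: the page lists permitted information but defines no schema.
APPROXIMATE = {"account_balance", "refund_amount"}   # may be "close", typically +/-5%
EXACT = {"bank_account", "noa_sequence_number", "activity_statement_id",
         "correspondence_ref", "help_balance", "super_member_number"}
TOLERANCE = 0.05
UNVERIFIED = "I am unable to verify your information at this stage"

@dataclass
class Result:
    verified: bool
    client_message: str      # the only text shown to the client
    fields_matched: list = field(default_factory=list)  # names only, for your own notes

def _norm(text):
    """Case- and whitespace-insensitive comparison key."""
    return " ".join(str(text).lower().split())

def _matches(name, claimed, record):
    if name not in record:
        return False
    actual = record[name]
    try:
        if name in APPROXIMATE:
            return abs(float(claimed) - float(actual)) <= TOLERANCE * abs(float(actual))
        if name == "help_balance":
            # A zero HELP balance is not acceptable as a verification item.
            return float(actual) != 0 and float(claimed) == float(actual)
    except (TypeError, ValueError):
        return False
    return _norm(claimed) == _norm(actual)

def verify_source_ato(claimed_name, answers, record):
    """Step 2 (name match) plus Step 3 (2 further items); one final response only."""
    name_ok = _norm(claimed_name) == _norm(record.get("name", ""))
    # Every answer is evaluated before any response, so there is no
    # per-question confirm or deny and no record value is echoed back.
    matched = sorted(k for k, v in answers.items()
                     if k in APPROXIMATE | EXACT and _matches(k, v, record))
    ok = name_ok and len(matched) >= 2
    return Result(ok, "Verification complete" if ok else UNVERIFIED,
                  matched if ok else [])

# Constructed sample record and answers (not real data).
SAMPLE_RECORD = {"name": "Alex Example", "account_balance": 1000.00,
                 "help_balance": 0, "bank_account": "000-000 00000000"}

if __name__ == "__main__":
    good = {"account_balance": "1040", "bank_account": "000-000 00000000"}
    print(verify_source_ato("alex  example", good, SAMPLE_RECORD))
    weak = {"help_balance": 0, "bank_account": "000-000 00000000"}
    print(verify_source_ato("Alex Example", weak, SAMPLE_RECORD).client_message)
```

The result carries only the names of the items that matched, which suits a contemporaneous record without retaining the client's answers or documents.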

Source DVS method

Comparing a client’s details on government issued identity documents against details held by a DVS provider.

To use this method, you will need to have an arrangement with an appropriate Gateway Service Provider.

Step 1 – Begin by asking your client for their name and DOB or address.

Step 2 – Access via your DVS provider and verify the client’s name and DOB or address against 2 separate government identity documents as stated in the TPB Practice Note 5/2022 Proof of identity requirements for client verification (at least one must be a primary identification document).

When using DVS, you can record the Verification Reference Number (VRN) as part of your record keeping notes for recording client verification.

Client-to-agent linking

We have recently introduced client-to-agent linking functionality that creates greater certainty in the link between the agent and the client. This is being progressively developed and rolled out to different client groups. Client-to-agent linking secures the initial interaction and no further client verification checks are required for that interaction.

Client verification may still be required for future interactions, given the TPB’s Practice Note 5/2022 Proof of identity requirements for client verification, specifically paragraphs 18 to 21 'Well-established clients' and 22 to 23 'Frequency'.

For more information, see Client-to-agent linking.

Relationship verification

For clients who act on behalf of other people or entities, you must verify both:

  • the representatives’ identity using the methods described in Table 1
  • that the representative is authorised through relationship verification.

Acting on behalf of another individual

To establish that an individual is acting on behalf of another individual, the steps are as follows.

Step 1 – Verify the identity of the representative using either visual or source DVS methods. Source ATO method can only be used if the representative is also your client.

Step 2 – Verify that the authorised relationship exists using one or more of the forms of evidence prescribed by the TPB.

For more information, see TPB Practice Note 5/2022 Proof of identity requirements for client verification.

You can also verify the authorised relationship by looking at the authorised contacts listed on the ATO individual client record for which you are authorised to act. You can only access the client's record after verifying the identity of the authorised representative.

In applying reasonable care to verifying a relationship, consider the currency of the documents being used. If you have doubts about the authenticity of any document, consider asking for further proof.

Acting on behalf of an entity

If your client is acting on behalf of an entity or they are a representative of another person, the verification process is as follows.

Step 1 – Verify the identity of the representative using either visual or source DVS methods. Source ATO method can only be used if the representative is also your client.

Step 2 – Verify that the authorised relationship exists using one or more of the forms of evidence prescribed by the TPB. See TPB Practice Note 5/2022 Proof of identity requirements for client verification.

You can also verify the authorised relationship by looking at the authorised associated/contacts listed on the ATO client record for which you are authorised to act. You can only access the client's records after verifying the identity of the authorised representative.

In applying reasonable care to verifying a relationship, consider the currency of the documents being used. If you have doubts about the authenticity of any document, consider asking for further proof.

Additional considerations

Potential fraud

In some circumstances, you may need to ask for additional proof beyond the minimum requirements prescribed by the TPB. This might be appropriate where you have doubts about the client’s identity even after completing the minimum checks. Examples are where the client:

  • is dismissive of the client verification process
  • is not forthcoming
  • applies pressure or provides documents that appear to be fake or otherwise unusual.

In making these decisions we expect you to apply reasonable care, taking a risk-based approach and considering the circumstances of the client.

Some elements to consider in decision making include the risks associated with:

  • the request, such as    
    • changing contact or bank account details
    • lodging amendments or original tax returns or statements with higher refunds, or with significant or unusual refunds
    • rolling over super or early access to super
    • requests to provide information from our systems including pre-fill
    • requests to confirm personal information that the “real” person or entity should already know
  • a representative, such as    
    • claiming to represent many people
    • changes in representatives for a person
    • an entity where the representative’s identity authorisation cannot be verified
    • where there has been a relationship breakdown
    • whether there has been continuity in the client’s engagement of the practitioner or whether there has been a break in the engagement
    • the extent of your relationship and familiarity with the client
    • whether there has been a change in the circumstances or any discrepancies that arise about the client’s identity or other affairs
    • any requirements of the registered tax practitioner’s professional association or Australian financial services licensee.

If you are unable to verify a client or the information provided and suspect potential fraud:

  • don't confirm the specific incorrect information or provide the correct information – instead ask for additional information that you can use to verify their identity
  • don't give the client any private information; importantly don't share or confirm pre-fill information
  • contact us so that we can take action.

If you use the Source ATO method and suspect potential fraud, delink the client immediately and contact us.

Remote verification including online agents

Extra care should be taken when engaging with a client remotely, particularly if this is undertaken solely through online or electronic means.

All verification methods in Table 1 are suitable for remote verification. Visual verification can only be undertaken through visual means of interaction; in an electronic sense, this includes video conferencing or webcam where both the person being verified and their identity document can be compared. Source ATO, Source DVS and Client-to-agent linking methods may all be undertaken remotely without visual interaction with the client.

If you create your own online portal or software applications, you must ensure you protect the data from cyber-attacks. You should implement the ACSC’s Essential Eight mitigations.

We also have mandatory security requirements for software developers such as PLS providers. For example, you need to ensure that ATO data you access is not open to cybercrime.

Our Digital Service Provider (DSP) Operational Security Framework establishes the minimum level security requirements a DSP needs to meet to access ATO Digital Services. You can seek more advice from the Digital Partnership Office.

Clients without conventional identity documents

Some clients may not be able to provide identity documents to pass client verification. As outlined by the TPB, you should take a flexible approach to verify the identity of these clients.

For more information, refer to the TPB’s Practice Note TPB(PN) 5/2022 Proof of identity requirements for client verification at paragraphs 16 and 17.

Order of verification steps

We also recognise that some verification steps can be completed concurrently. However, it is critical that you don't inadvertently disclose any private information or pre-fill information about a client until all verification steps are completed successfully.

QC67529