Professional indemnity (PI) insurance is a requirement of the Tax Practitioners Board (TPB) for registered BAS agents, and is designed to protect you against a common law claim made by clients in the event that they suffer damage as a result of an error or omission made when undertaking client work. However, coverage is not automatic in the sense that just because a particular aspect of your work is covered by the policy (e.g. BAS preparation) does not always mean that your insurer will ‘pay up’ in the event that a successful claim is made against you.
Ensuring you have PI coverage for a particular aspect of your work is a two-step process comprising:
1. ensuring your policy covers the work you perform
2. ensuring you have acted reasonably
For example, when rendering a BAS service, step one is to ensure your policy terminology covers that service. The second step is that you must have acted ‘reasonably’. For example, when completing a BAS, if you have made GST claims when you know that the client does not have the required tax invoices, then the insurer may argue that while you were covered for mistakes made when preparing BASs, you have acted so unreasonably (and indeed outside the law) that they are denying coverage.
Bookkeepers are generally expanding their menu of services. This is due to a number of factors including data entry declining as a revenue stream (with the advent of cloud automation, bank feeds, etc.), market competition, and emerging opportunities for bookkeepers with new technology. While most industry PI policies will cover you for bookkeeping, payroll and ‘BAS services’, other services that you offer that are not BAS services may not be covered unless the terms of your policy have been changed to specifically include them. These services may include:
- debt collection
- management report preparation (KPI analysis and reporting)
- payroll tax-related services
- add-on selection/consultancy
- compliance speciality (other government reporting and licencing specialties).
From a TPB perspective, in terms of minimum PI requirements, they generally are not specific as to whether or not you have insurance for these ‘other’ services (as they only regulate BAS services and tax agent services).
However, you certainly should be concerned. In the event of a common law claim by a client, you may not be covered if your policy reflects a more traditional range of bookkeeping services. Ensure your policy captures all your current service offerings, and get on to your insurance provider if this is not the case.
An emerging aspect in the PI insurance arena is the issue of cyber security breaches. Putting to one side the IT cost, loss of data and loss of business profits that a cyber security event could cause, consideration should be given to the potential consequential loss of third parties.
Stories abound of passwords being hacked or systems being compromised, particularly with the array of scams circulating (including phishing scams, which attempt to steal account names and passwords by getting you to reveal them by replying to legitimate looking emails). Extensive information is contained in a typical accounting file e.g. TFNs, bank account details, payroll information, dates of birth, etc. If security is breached, this could be enough to cause a client significant financial loss and, in the worst of cases, enough to steal their or their employees’ identities, potentially leaving the bookkeeper exposed to a large claim. Multiply this over the entire client base (which a fraudster may have access to if cloud passwords of a bookkeeping business are obtained) and the damage inflicted and consequential claim against the bookkeeping business could be enormous. Check with your insurer as to whether your standard policy covers you for third-party loss caused by cyber breaches such as:
- an employee or principal of the bookkeeping business inadvertently disclosing cloud passwords
- the computer systems of a bookkeeping business being hacked, enabling access to client financial data
- a bookkeeping business being physically broken into and cloud passwords or IT storage devices obtained
- total loss of client data.
If your standard policy does not cover you, you may need to expand your existing policy or take out separate coverage. This is the first step in the insurance protection process — ensuring your policy covers you. The second is to act reasonably. In the area of cyber security, this may involve:
- not writing passwords down (either on office whiteboards, on post-it notes in the office, or in emails)
- having strong internal software and hardware security
- ensuring only limited, necessary parties have your AUSkey credentials and you use appropriate authority protocols (e.g. ensuring former employees no longer have access)
- not responding to suspicious emails that require password disclosure
- having good physical security
- having appropriate backup
Peter Thorp, director, Australian Bookkeepers Network
More from this columnist
- Is superannuation still a good option for your clients?
By Chris Morcom
- Practical advice for improving your cyber security
By Rob McAdam, Pure Hacking
- Blockchain: why it’s time for accountants to get on board
By Ben Scull, Thomson Reuters