Last month, the ATO released its Operational Framework for Digital Service Providers (DSPs) as part of its response to the business risks and security implications presented by the growth of digital services across the digital economy.
In particular, for tax practitioners’ products, DSPs must implement multifactor credentials within these products and services by 31 March 2018 and mandate their use by 30 June 2018.
For products and services where users potentially have access to large volumes of taxpayer or superannuation related information (e.g. payroll), DSPs must implement multifactor credentials by 30 June 2018 and mandate their use by 30 September 2018.
For all other products and services hosted by the DSP, DSPs must implement multifactor credentials by 30 September 2018 and mandate their use by 31 December 2018.
“If you use cloud-based software, there are changes to the way you need to authenticate,” said the ATO.
“Your digital service provider now needs to have multifactor authentication. This means you may require additional security or password steps to access your practice management software.
“This does not affect how you access the portals.”
On top of multifactor authentication, DSPs will have to meet relevant requirements including authentication, encryption, supply chain visibility, certification, data hosting, personnel security, encryption key management and security monitoring practices.
According to the ATO, the framework is aimed at providing confidence to tax practitioners that they “have secure processes in place for the data you share through your practice management software”.
Earlier, Institute of Certified Bookkeepers executive director, Matthew Addison, said that the new framework was a reflection of the ATO’s urgency in addressing data threats.
“The software companies are subject to certification and assessment. If they are providing you a service that interacts with the tax office, their people now have to have police checks, their coders have to be non-criminals – anybody that is accessing data has to be certified,” said Mr Addison.
“They are doing all of this work in the background, and software in our environment is going to look very different; it is going to behave differently.”