Speaking at the Institute of Certified Bookkeepers National Conference in Sydney, executive director Matthew Addison said the ATO’s release of its operational framework for digital service providers (DSPs) reflected its urgency in managing emerging threats associated with taxpayer data.
Some of the guidelines released by the ATO include assessing DSPs against certain security standards, requiring a personnel security integrity check such as a police check, and implementing multi-factor authentication.
“The software companies are subject to certification and assessment if they are providing you a service that interacts with the tax office, their people now have to have police checks, their coders have to be non-criminals, anybody that is accessing data has to be certified,” said Mr Addison.
“They are doing all of this work in the background and software in our environment is going to look very different, it is going to behave differently.”
In particular, for tax practitioners’ products, DSPs must implement multifactor credentials within these products and services by 31 March 2018 and mandate their use by 30 June 2018.
For products and services where users potentially have access to large volumes of taxpayer or superannuation-related information (e.g. payroll), DSPs must implement multifactor credentials by 30 June 2018 and mandate their use by 30 September 2018.
For all other products and services hosted by the DSP, DSPs must implement multifactor credentials by 30 September 2018 and mandate their use by 31 December 2018.
Responding to a question from the floor, Mr Addison said that while BAS agents are currently not required to undergo integrity checks, it could be on the cards as the ATO starts managing risks.
“I do believe [police checks could be mandatory] somewhere in the next five years, absolutely,” said Mr Addison.
“I am starting to go down the journey to nearly get in before government to say if you're out there as a certified bookkeeper, an ICB member in practice, maybe you need a police check so you're up there and anybody that you're competing with that isn't a certified practising member who doesn't have a police check — that's another credibility item.
“Watch this space, I was in a meeting with the chair of the TPB in the last week and they are certainly opening up on some of this.”