The use of online services by tax agents and advisers to handle their clients' tax affairs continues to grow, due in part to mandatory requirements, but also because of the speed and accuracy they offer.
It's therefore vitally important that you protect your login details (User ID and password) as they allow access to your entire registered client base.
Online services enable you to create and update client information, and even at times, obtain repayments. If your confidential login details fall into the wrong hands, fraudsters may have the ability to generate false repayments and direct them to third parties without the knowledge of HM Revenue & Customs (HMRC), the tax agent or their client.
The login details could be obtained by one or more of the following methods:
Unauthorised use of your login details can lead to financial losses for tax agents, their clients, HMRC, as well as affecting the client/agent relationship. There is also the potential to undermine your clients' confidence in the ability to communicate or transact business with HMRC or their agent by email or online.
You should control the use of login details responsibly. If widespread access to the online service is required HMRC strongly suggest that you create additional users in the form of either 'Administrators' or 'Assistants' who will have access to the online service via their own individual login details.
Administrators and Assistants have differing associated responsibilities. Administrators are able to use all the features of the online service and can also create Assistants. Assistants can access a limited number of features of the online service.
Administrators can:
Assistants can:
It is important to undertake regular housekeeping surrounding your Administrators and Assistants. There are a variety of things you should do:
Review and update the list of Administrators and Assistants who have access to the online service. Please note - it is good practice to do this regularly, and certainly following change of duties or departure from the company of anyone who has access to your client list.
User ID's and passwords are unique to each individual Administrator or Assistant and should be kept secure. Ensure that passwords are changed regularly. Do not write login details down or tell anyone what they are, including HMRC staff.
Personal computers used by Administrators or Assistants performing company business at home must be subject to the same security measures as those within the office. The unintentional downloading of malicious software can be used to record confidential information remotely.
HMRC recommend that tax agents always access their client details via their own agent registration. They should not register as their client (individual or organisation) as this practice involves a degree of risk.
Each year, a very small number of tax agents' credentials are compromised, potentially leading to fraudulent activity and significant financial loss to the Exchequer. HMRC continually monitors this, and intervenes directly to support the agents affected and get them back to normal secure business with the department.
A key part of the procedure to reinstate an agent's credentials is changing the agent's passwords. Where agents do this for themselves, it causes no interruption to their business with HMRC, but if HMRC has to do it for an agent, the agent can be 'locked out' of their accounts for a period of up to seven days. For this reason, as part of supporting agents who have been affected, HMRC helps and encourages them to change their own passwords, and the vast majority do so easily and promptly.
There are however a small number of compromised agents who fail to change their passwords when asked, leaving them vulnerable to further fraudulent activity and the Exchequer to further financial loss. In these cases, HMRC will in future ultimately change the password directly, leading to the 'lock out' consequences set out above. HMRC will only take this action where the agent refuses to change their password, or fails to do so when asked, or where three attempts to make initial contact with the agent have been unsuccessful. This is clearly something agents would want to avoid, especially if it were to happen close to the 31 January Self Assessment filing deadline.
HMRC recommend that, for security reasons, agents regularly change their Government Gateway password. This should be undertaken at least once every three months.
HMRC takes security very seriously. HMRC constantly monitor systems and customer records to guard against fraudulent activity and use leading technologies and encryption software to safeguard their data. HMRC operate strict security standards to prevent any unauthorised access to services.
Electronic communications and transactions are a key part of HMRC business. However the advantages of online transactions can also give rise to a risk of fraud. HMRC, in common with all providers of online services is fully committed to the security of the information HMRC hold for you and the security of the information customers exchange with HMRC online.
HMRC is aware that agents occasionally experience issues around their own or their clients online accounts. Details of the current issues HMRC are aware of can be viewed at 'Service issues - Self Assessment'
After viewing the current known issues, should you still suspect that either:
you should contact 'The Online Services Helpdesk' immediately.
Your concerns will be sent to a specialist team who will investigate the unusual activity.
Changing your password
It is important that you regularly change your password, HMRC suggest that you do this at least every three months.
