HMRC’s intention to make two-step verification (2SV) mandatory for individual and business taxpayers from September has prompted further grumblings from accountants about the practicality of the digital security infrastructure.
An Any Answers thread on the subject last week included the text of an email from HMRC explaining, “From September 2017, HMRC will make it a requirement for all businesses using their online tax accounts to register for 2 Step Verification (2SV) – if not already using it.”
When logging in from September, tax account users will be asked to register for the security mechanism. “The result of this minor change means greater security for customers and a safer experience when using our online services,” HMRC said.
The 2SV process involves giving HMRC a mobile number when a tax account is created, to which it sends a six-digit verification code whenever anyone attempts to log in to that account.
The point of 2SV is to protect personal tax data, but as part of that process HMRC wants to stop agents from using client IDs to log into their online records. But as kevinringer and many other AccountingWEB contributors have warned, agents will continue to go direct to client accounts because HMRC is not giving them access to data they need to see, such as how payments have been allocated against the client’s different tax liabilities.
The AccountingWEB conversation revolved around how agents would cope with the flood of client ID codes sent to mobiles at their firms as they circumvented the tax department’s security apparatus. One solution suggested was to get a pay-as-you-go mobile to receive the texts, while alan.rolfe recommended using a virtual mobile number text to email service.
These convoluted arrangements will be necessary “until HMRC gives us access to the information we need”, Kevin Ringer told AccountingWEB. “The only alternative they are offering is to write in, which is a waste of time and HMRC resources.”
2SV is coming for agents too, but more slowly. At the moment, those wanting to connect their software to HMRC’s application programming interfaces (APIs) will need to activate 2SVs to do so, and eventually the security regime will hold the key to online agent services. The authorisation process will only be required on an occasional basis for agents, and not every time they log in.
Previously, however, Ringer raised the alarm about confusion and security controls around 2SV after he received a spate of access codes for his business tax account while on holiday.
When he contacted the HMRC helpdesk, he had to go through an endless, repeating loop of security checks with helpdesk staff who were unable to trace the source of the texts (which later appeared to have been generated by a colleague accessing the account).
“My concern is HMRC has no procedure for investigating these cases and no security hotline,” he said.