Editor in Chief (interim) AccountingWEB

HMRC warns against using client IDs

24th Dec 2015

HMRC is upgrading its online access system in preparation for the agent online self serve (AOSS) regime it plans to launch next year, and has warned accountants they will no longer be able to log in to SA Online using clients’ details.

AOSS has been long in the making, but is now caught up in the personal tax account (PTA) project instigated earlier this year. Individual taxpayers are now being invited to sign up for their PTAs using the GOV.UK Verify mechanism rather than the Government Gateway.

According to HMRC’s latest Agent Update, “The personal tax account isn’t currently designed for use by agents. We will be improving the service to provide agents access, until then you should not try to access it on behalf of your client.”

The ramifications for using this popular technique for accessing HMRC Online are dire: “If you log on to submit your clients return using your client’s credentials this can create security alerts which HMRC staff need to investigate. This can delay clients receiving their repayments.”

Most agents have their own HMRC Online IDs and have gone through the online client authorisation process that gives them access to HMRC’s services for agents. In advance of the new security regime, the department is urging agents who have not registered to do so before 31 December to avoid complications during January’s self assessment peak.

Further news on developments around AOSS is available via the HMRC tax agent blog.

Replies (15)

By AccSec
24th Dec 2015 14:08

Will that stop the abuse of the system?

"If you log on to ..receiving their repayments" (4th para from the top)

I cannot see how this will stop abuse of the system. A client needs to give their login details and the Agent does not need to enter their details as adviser of the client on the SA return and who will know the difference between who has submitted the online return, the client or his Agent? The Agent receives his fee by quoting his Account detail on the SA Return or collects it from the client if the client's bank details are noted on the repayment section of the SA Return.

Thanks (0)
Tony Margaritelli, ICPA Chairman
By Tony Margaritelli
24th Dec 2015 14:40

Using Client's ID

I raised this issue at the recent Agent Strategy Group and as the minutes of the meeting state "A lively discussion followed". We are awaiting clarification from HMRC on exactly what they expect from agents. It has been pointed out on more than one occasion by myself and my colleagues that if agents had been either granted access or were able to view everything the client was able to view then many concerns would be removed. We are monitoring the situation and hope to have some form of answer in the new year. - Tony Margaritelli Chair ICPA

Thanks (9)
By Tim Vane
25th Dec 2015 22:52

I and others have already discussed this topic over the last few months on accounting web, and accountants should welcome the steps being taken.

The point is that the fraud detection algorithms being introduced by HMRC in January are based on the same technology that is used by banks and other institutions. This flags up unusual account activity and suspicious patterns.

So when an agent logs in using a client's login this is registered as unusual behaviour for the client (who will not have used the agent's computer before) but will be added to the client's allowed pattern of behaviour.

When the agent logs in as a second client for whatever reason, the HMRC servers will recognise this as unusual activity for the second client but will also note that this login occurred from the same computer as the first (possibly unconnected client). This login would likely also succeed but flags would be raised.

By the time the agent has logged in as a third, fourth and fifth client from the same location, alarm bells are ringing on the HMRC servers - this is typical of activity by a fraudster who has obtained multiple sets of client details by phishing. At this point several things are likely to happen. We don't know the protocols but we can make educated guesses. My expectation is that first, the agent's computer and IP address will be flagged as suspicious. That may well impact the agent severely, stopping him from further interaction with HMRC. Secondly, all the clients accessed by that agent would possibly be locked out, and any existing transactions would be frozen (e.g. repayments being processed etc). Thirdly, a human at HMRC will be alerted - or more likely the alert will be placed in a queue and looked at in due course, HMRC being known for having a very small number of competent humans.

The fraud prevention algorithms may also decide that the agent related to all these clients is also compromised and block that agent id as well, along with other agent ids associated with the same firm. Possibly all other clients associated with that firm will also be flagged. It is likely that HMRC systems will be programmed to block everything, then allow human ops to determine what the situation is.

All of which measures seem entirely sensible. Notwithstanding the fact that HMRC need to provide alternative means of access to the relevant client data for the agent to use, as Tony mentions above, given the current exponential rise in cyber crime and the huge risk to HMRC's users and HMRC themselves of fraudulent activity, any measures to safeguard client information should be praised by all.

Thanks (7)
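
The escalation guessed at in the comment above (new device, then a second account from the same machine, then a block) can be sketched as follows. This is an added illustration, not HMRC's system and not code from the thread; the thresholds, the 24-hour window, the source and account names and the sample events are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed values for illustration; the thread does not state real thresholds.
WINDOW = timedelta(hours=24)
FLAG_AT, BLOCK_AT = 2, 3   # distinct accounts seen from one source

def assess_logins(events):
    """Score time-ordered (iso_time, source, account) login events."""
    seen_sources = defaultdict(set)   # account -> sources it has used before
    recent = defaultdict(list)        # source -> [(time, account)] in window
    verdicts, blocked, frozen = [], set(), set()

    for iso_time, source, account in events:
        when = datetime.fromisoformat(iso_time)
        # Keep only this source's logins that fall inside the sliding window.
        recent[source] = [(t, a) for t, a in recent[source] if when - t <= WINDOW]
        recent[source].append((when, account))
        accounts = {a for _, a in recent[source]}

        if source in blocked or len(accounts) >= BLOCK_AT:
            verdict = "block"
            blocked.add(source)
            frozen |= accounts        # every account touched from this source
        elif len(accounts) >= FLAG_AT:
            verdict = "flag"          # second unrelated account, same machine
        elif source not in seen_sources[account]:
            verdict = "new-device"    # unusual for this account, then learned
        else:
            verdict = "ok"
        seen_sources[account].add(source)
        verdicts.append((account, source, verdict))
    return verdicts, blocked, frozen

# Constructed sample events: one taxpayer at home, and one office machine
# used to log in as four different clients.
SAMPLE = [
    ("2016-01-04T09:00:00", "home-pc", "client-A"),
    ("2016-01-04T09:05:00", "office-pc", "client-A"),
    ("2016-01-04T09:20:00", "office-pc", "client-B"),
    ("2016-01-04T09:40:00", "office-pc", "client-C"),
    ("2016-01-04T10:00:00", "office-pc", "client-D"),
    ("2016-01-05T08:00:00", "home-pc", "client-A"),
]

if __name__ == "__main__":
    for row in assess_logins(SAMPLE)[0]:
        print(*row)
```

A rule like this cannot tell a phisher from one person legitimately acting for several companies on one machine, which is the false-positive case the later replies raise.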
By Moonbeam
03rd Jan 2016 11:04

So how do we cope with updating PAYE DD's?

I reluctantly adjust 2 clients' PAYE dd's each month by logging into their company's own HMRC account.

The whole process is unreasonably complicated, not helped by HMRC changing the way areas are accessed whenever it suits them.

The 2 clients in question find online banking difficult enough to understand, and there is no chance of my persuading them to set up a standing order that they change themselves each month.

In future HMRC must allow agents direct access to this facility if they want the PAYE paid over on time.

Thanks (1)
David Ross
By davidross
04th Jan 2016 11:17

As usual, the cart before the horse

If HMRC got their finger out and allowed agent access to see PAYE and VAT payments, we would not need to go in via the client ID to untangle messes.

It is true that the agent Beta service for PAYE allows access to some PAYE payment information, but it is severely degraded from what is available to employers. Notably one cannot see where one client payment has been allocated to multiple periods, perhaps across several Tax Years. Does this imply that the 'new' system will be poorer than the present one? That would not be a surprise (see for instance how NatWest 'upgraded' its paper statements a few years ago, or how Microsoft 'upgraded' search and replace in Excel).

Being Company Secretary
I am Company Secretary for a number of client companies, so am properly entitled to login with the Company's details, as an officer of the company. Presumably the security 'experts' at HMRC have thought of this? One computer being used for a number of separate businesses - what is so extraordinary about that?

Yours,

Angry of Bournemouth

Thanks (7)
By dmmarler
04th Jan 2016 11:26

It is not just client company secretaries

Frequently an individual is the company secretary for a group of companies and will have the same log on ID for all.  This would be the same for a payroll supervisor and deputy.  From the description above, HMRC's system will throw them out as well so disabling their companies' access - and then who will get the fines for late submission?

Thanks (1)
By Bruce Roberts
04th Jan 2016 12:27

Following HMRC instructions

So when HMRC humans suggest that we obtain a client's login details to access PAYE payment details unavailable to agents (to sort out problems often caused by HMRC) are they breaching their own security protocols? HMRC humans (as I shall always refer to them now) advise this because it is too much hassle for them to provide the information to the agent in writing and they refuse to do it over the telephone. I despair of the whole system.

Thanks (0)
By paulfieldcrest
04th Jan 2016 12:42

Once again - just not thinking it through

David Ross is right to be angry - I am too.

I am a freelance part-time accounts manager for about fifteen different businesses.  For five of them I am also a Director of the company.  In each case I handle whatever HMRC submissions and administration that the company tasks me with.  They do not appoint me as their agent - I am an integral part of each team, albeit on a freelance basis.

If my client authorises me to log in to their HMRC account, either from their office, or mine, how can HMRC possibly justify labelling this activity as suspicious or unauthorised?  What if the client has never once logged into the account, and didn't even set it up (because I did) - who's the authorised user then?

It beggars belief that HMRC could come up with such a two dimensional view of how companies (and individuals) manage their tax affairs - clearly they can either do it themselves, or they can appoint an agent.  No other option will be countenanced.  Naive in the extreme.

Thanks (2)
By arnold28
04th Jan 2016 13:23

ICAEW Guidance

In May 2015, ICAEW updated its guidance in this regard and state in Tech 02/15 Tax chapter 3.36 -

Ideally a member will explicitly file in his capacity as agent. In some cases HMRC will issue a pin code to the client for the agent to use. A member is advised to use the facilities provided for agents and to avoid knowing or using the client’s personal access credentials wherever possible

http://www.icaew.com/~/media/corporate/files/members/regulations%20stand...

Thanks (0)
By razertoo
04th Jan 2016 16:20

So...........?

.........if I have used clients' log in credentials consistently to submit VAT returns over a number of years (because no matter how many times I attempt authorisation they never provide the code before its expiry date), will my computer be "recognised" and therefore accepted the log in as "normal activity"? Or will the potential problems highlighted by Tim Vane come back to haunt me?

Thanks (0)
By Tim Robinson
05th Jan 2016 10:22

I hope

that each and every member of the digital teams at HMRC are following this thread!

I too am faced with the PAYE problems first identified by Tim Vane above and I am sure most practising accountants are as well - it is a very common problem.

It is all very well my Institute updating its guidance but if we as agents do not have access to the same HMRC information that our clients do then what is the alternative?  I came to the conclusion some time ago that the poor development of the HMRC Agent Online systems can only mean that agents are being squeezed out.

Thanks (0)
David Ross
By davidross
07th Jan 2016 16:04

I have just sent this email;

To: [email protected]

Thanks for your email "Self Assessment update" received today

Dear Ruth,

Could you please look urgently at the ‘security’ question re clients' access being used by agents. As this discussion thread on AccountingWeb shows, many agents use client logins for legitimate reasons, principally to sort out messes such as misallocations of PAYE payments. Others are themselves the point of contact for multiple clients (for instance, I am Company Secretary for about 50 companies - it is not a ‘security issue’ that I login on their behalf). I am impressed by the work of your colleagues in IT, who seem to have been recruited from industry and have imported industry-standard practices. These will include the praiseworthy attention to security you refer to as well as many other benefits - we all hope to see a Government IT programme (the first) that actually works and is not vastly over budget. But enhanced security of this sort is the cart before the horse. It is no good telling agents that we will get access to full data Next Year (12 months away). That is Jam Tomorrow. We will be able to stop using client IDs when you provide us with the online information via the agent portal (WELL overdue). You either need to bring this forward, or stop us getting blocked from online access by imposing ‘security measures’ on us. What will happen if you block an agent from access in January 2017, with loads of Self Assessment Returns to be filed? - mayhem! PS I did arrange the email in paragraphs, but this Forum software likes to take them out

Thanks (2)
By Yonder Dave
16th Jan 2016 17:42

Is this another example of HMRC not knowing

how things work in the real world?

Like others have mentioned I use clients' IDs on a regular basis. We specialise in the bookkeeping and payroll for SMEs where the Director does not have the inclination or means to deal with online procedures. We have one blind client and at least one who does not have internet access.

For the majority of clients I have registered them with Gov Gateway and added the services they need. Although I add them to my Agents ID there are occasions I need to check balances and payments that I can’t see through Agent access.

I eagerly await to see the response to David Ross’ email!

Thanks (0)
By Charlie Carne
22nd Mar 2016 15:52

Update re accessing HMRC via client login credentials

I was speaking to one of the AOSS team at HMRC this week and was told that they had not heard about the blocking of agents' logins as a consequence of agents using client IDs.

To be fair to HMRC, the December Agent Update (page 12) only said that "if you log on to submit your clients return using your client’s credentials this can create security alerts which HMRC staff need to investigate. This can delay clients receiving their repayments". There is no mention of consequences arising from simply viewing data that is available on the client portal, nor is there mention of the possible blocking of agents' access to their own portal. There is no need for agents to file returns using the client's credentials (as agents can file with their own credentials, even when there is no 64-8 in place), so this is not a problem.

I am, however, strongly in agreement with the broad sentiment of this thread that HMRC need to urgently address the issue of giving agents access to all of the same information and access rights to make the same changes to client details (eg change of client trading address or stagger period on the VAT record) that is available to their clients. It is wholly unacceptable for any actions or reports whatsoever to be available only via the taxpayer login, whilst at the same time discouraging the agent from accessing that portal.

Thanks (0)
By Bournemouth Payroll
22nd Mar 2016 16:29

Good work

I agree with every word

Thanks (0)