Penalties for tax software developers

Fixed auto enrolment penalties for non-compliant employers
iStock_Penalty notice_hutchyb
Share this content

Under regulations which came into force on 19 March, tax software suppliers can be hit with a £3,000 penalty if their software doesn’t transmit a defined set of metadata to HMRC alongside the tax report.

Fraud prevention

The metadata is required as a fraud prevention mechanism, to protect taxpayer’s data from being infringed or corrupted by criminals, by identifying a number of unique factors for the transmission. By matching this information with data already collected about the taxpayer or authorised agent, HMRC can be confident that the VAT return is submitted by the person responsible, and not by a criminal posing as the taxpayer or their agent.

In the past fraudulent self assessment tax returns have been submitted electronically when a tax agent’s login details have been stolen. The fraudster then submits income tax returns for the tax agent’s clients claiming tax refunds which are then directed into the criminal’s bank account.

The level of tax paid or reclaimed on VAT returns tends to be of a much greater magnitude than on SA income tax returns, so the temptation for criminals to intercept and alter an electronic VAT refund claim will be enormous.   

Only MTD software

HMRC explains here that the APIs to be used in MTD filing software must include headers for the software developers to pass on the necessary metadata. There is currently no similar requirement to supply metadata when using the APIs used to pre-populate SA returns.

HMRC’s instructions to developers say that it will be mandatory for the metadata to be supplied when the MTD-compatible software uses APIs from April 2019 onwards. This is a very tight timetable as according to a number of the approved MTD software providers. The final specification for the metadata requirements were only issued by HMRC in early February 2019 and there has been no opportunity to live test software including the new functionality.

Who is caught?

The regulations (SI 2019/360) define a “software supplier” as a person who develops, or procures the development of, and supplies a program designed to submit to HMRC in electronic form; tax returns, information from electronic records or other information relevant to a person’s tax liability, and to receive information in electronic form in relation to those matters back from HMRC. In other words, this new penalty only applies to tax software which uses an API to send and receive tax related data to HMRC.

Accountants who supply tax software to their clients as a third party seller won’t be caught by this definition. However, where accountant have produced their own MTD-compatible software, either directly or in partnership with a software producer, they may be drawn into the definition of software supplier, and potentially be liable to a penalty if the software doesn’t deliver the correct metadata.

New frontier  

In tax, as with other law, penalties are generally imposed when a law is not complied with. However, in this case the requirement to deliver the metadata is set out as part of the software developer agreement, which HMRC says has no legal force.

Regulation 2 of SI 2019/360 says: “The Commissioners [HMRC] may by specific or general direction define the set of metadata receipt of which they consider necessary for the purpose of ensuring the authenticity and security of a delivery to them through relevant software of tax information.”

So here we have a penalty being applied for a failure to comply with an HMRC direction. Those HMRC directions do have the force of law if they are made in accordance with powers given under a regulation (statutory instrument), but the details of those directions are not discussed in Parliament or even consulted on.

Another unusual feature of this new penalty is that it is imposed on the tax software supplier rather than on the taxpayer or the taxpayer’s agent. This is unprecedented, and represents an acknowledgement of the power and responsibility held by the software developers in the chain of tax compliance between the taxpayer and HMRC.

About Rebecca Cave

Consulting tax editor for Accountingweb.co.uk. I also co-author several annual tax books for Bloomsbury Professional and write newsletters for other publishers.

Replies

Please login or register to join the discussion.

22nd Mar 2019 10:35

So this means that the software suppliers are now sending private information about me and my computer to HMRC and can be fined for not doing so? Looks like GDPR is a thing of the past already. Can the ICO fine the tax software companies for breaching GDPR in order to fulfil HMRC "regulations" (since "regulations" are presumably not covered by the legal requirement exemption)?

Thanks (4)
to Tim Vane
22nd Mar 2019 22:20

I saw a different angle, being that HMRC are now more about collecting penalties than about collecting tax.

Perhaps HMG have simply forgotten what they are supposed to be doing.

Thanks (5)
avatar
By mkowl
to Tim Vane
25th Mar 2019 10:08

Tim Vane wrote:

So this means that the software suppliers are now sending private information about me and my computer to HMRC and can be fined for not doing so? Looks like GDPR is a thing of the past already. Can the ICO fine the tax software companies for breaching GDPR in order to fulfil HMRC "regulations" (since "regulations" are presumably not covered by the legal requirement exemption)?

Excellent point

Thanks (3)
avatar
to Tim Vane
25th Mar 2019 11:20

I don’t think it would be classed as private information in the gdpr sense, much of it is transmitted with your browser with every request anyway. It is things like the size of the window, version of operating system, version of our software etc. If suddenly you start transmitting VAT refund requests from a different IP address using a different operating system and different software that will set off the alarm bells.

David Forbes

Thanks (2)
avatar
to daveforbes
25th Mar 2019 15:55

daveforbes wrote:

I don’t think it would be classed as private information in the gdpr sense, much of it is transmitted with your browser with every request anyway. ...

David Forbes


I disagree with this view.
GRPR is specific in that it refers to information that can be used to identify an individual. Knowledge of the detail of exact browser setup very much narrow you down [see e.g. panopticlick].
However, GDPR excludes info that is HMG specified for the purpose of security and tax collection, so under that aegis it may be OK - but I suggest that this cannot be at the mere whim of HMRC and needs some statutory basis.
Thanks (3)
avatar
By rbw
to Tim Vane
25th Mar 2019 11:41

Tim Vane wrote:

So this means that the software suppliers are now sending private information about me and my computer to HMRC and can be fined for not doing so?

That is not how I read it. The regulation requires the software supplier (S) to "ensure that the program operates" to add the right stuff every time a person who uses it (U) sends information to HMRC. So:

a. (usually) the data doesn't go anywhere near S
b. the GDPR applies to U not S
c. if HMRC don't get the right stuff they'll come after S rather than U.

I'd have thought that U would prefer that to HMRC coming after U :)

Not unlike chasing manufacturers rather than drivers if cars don't meet emission standards?

The data is being sent to HMRC by whoever is using the software.

Thanks (2)
avatar
25th Mar 2019 10:24

Pray, what financial penalties apply to HMRC for their incompetence, dilatoriness, wilful misinterpretation of the law and generally p*ss*ng agents off?

Thanks (6)
avatar
By Jas28
25th Mar 2019 10:26

The article says "where accountant have produced their own MTD-compatible software, either directly or in partnership with a software producer, they may be drawn into the definition of software supplier, and potentially be liable to a penalty if the software doesn’t deliver the correct metadata."

So, if I write an Excel spreadsheet for a client, and they use bridging software to submit their returns, could I be drawn into the definition of software supplier, or is it just the supplier of the bridging software who is liable?

Thanks (0)
to Jas28
25th Mar 2019 10:31

An Excel spreadsheet is not software, it's a spreadsheet. The software suppliers in this arrangement are Microsoft and the people who make the bridging software. Since Microsoft haven't designed their software to file anything with HMRC, it's just the bridging software supplier to whom this is relevant.

Thanks (1)
avatar
to Jas28
25th Mar 2019 11:24

It is a requirement on the software actually doing the transmission, though I suppose if the bridging software required you to include certain data in the spreadsheet and you did not or supplied incorrect information.

Thanks (1)
25th Mar 2019 16:30

Well they are just trying to stop criminals stealing the clients/ their money. The alternative is severance of the left hand for theft as in some countries. I wonder if that's more of a deterrent than a metatag. We will never know....

Thanks (0)
avatar
25th Mar 2019 18:15

That is quite intrusive. I might be on a remote island in Papua New Guinea one week, in one of my other 7 homes in other countries in another week. It is none of HMRC's business where and from what device I send them data. Also many of have IP addresses which are not static and regularly change or might use a lap top one day and a computer for the next quarter.

I am holding off registering - only 70,000 have done so and 1.1m people have not. I want HMRC now to tell me which software product I have to buy which meets this very new requirement. I really just want them to tell me the name of one very cheap and easy to use bridging software. I do not want to spend a second on looking at different software. I am not an unpaid tax collector. I am trying to run a business.

Thanks (4)
avatar
to EnglishRose
26th Mar 2019 11:08

EnglishRose wrote:

That is quite intrusive. I might be on a remote island in Papua New Guinea one week, in one of my other 7 homes in other countries in another week. It is none of HMRC's business where and from what device I send them data. Also many of have IP addresses which are not static and regularly change or might use a lap top one day and a computer for the next quarter.

I read it the same way you did, but on reflection, I think it's saying software suppliers will be fined for not sending any metadata, it's not saying it has to be the same metadata every time.

If the metadata doesn't match up with previously collected data, they will stall the refund and make further enquiries.

Thanks (0)
avatar
to EnglishRose
26th Mar 2019 11:57

Well said!!!

Thanks (1)
avatar
25th Mar 2019 22:25

Quick look at the regs

http://www.legislation.gov.uk/uksi/2019/360/pdfs/uksi_20190360_en.pdf

Reg3(4) - the software supplier is not liable "to the extent that the person using it to deliver tax information to the Commissioners has blocked the collection of, or manipulated, such metadata" and Reg 4(2) - the software supplier is liable to only 1 penalty per product in any 12 months

Another point (from the explanatory notes) is that directions under the regs are to be published on gov.uk so it may be worth keeping an eye out for them as directions are mentioned in several of the MTD regs in different contexts

Thanks (0)
avatar
26th Mar 2019 08:20

Extract above
'This is a very tight timetable as according to a number of the approved MTD software providers.'

Yes it does seem to have come around quick after months of speculation, it may not be the only think that is thrust upon us at short notice.

Thanks (1)
26th Mar 2019 16:04

HMRC have presumably not considered the fact that VAT might reasonably be filed from several dozen different machines and devices if they engage a firm who deals with VAT as a "process" as opposed to a "personal service" with allocated staff. Moreover even in my small outfit, either my assistant or I might file, using potentially 3 physical locations and 4 devices. A slightly larger one with a manger/junior and some holiday & sick cover from another department would probably double that.

Sounds fairly unworkable to me.

Thanks (2)
27th Mar 2019 12:19

My guess is that this entire concept stands a chance of being at least as effective as the BACS tag metadata in RTI filings.

Which is to say, not effective at all, at anything.

Thanks (0)