Under regulations which came into force on 19 March, tax software suppliers can be hit with a £3,000 penalty if their software doesn’t transmit a defined set of metadata to HMRC alongside the tax report.
The metadata is required as a fraud prevention mechanism, to protect taxpayer’s data from being infringed or corrupted by criminals, by identifying a number of unique factors for the transmission. By matching this information with data already collected about the taxpayer or authorised agent, HMRC can be confident that the VAT return is submitted by the person responsible, and not by a criminal posing as the taxpayer or their agent.
In the past fraudulent self assessment tax returns have been submitted electronically when a tax agent’s login details have been stolen. The fraudster then submits income tax returns for the tax agent’s clients claiming tax refunds which are then directed into the criminal’s bank account.
The level of tax paid or reclaimed on VAT returns tends to be of a much greater magnitude than on SA income tax returns, so the temptation for criminals to intercept and alter an electronic VAT refund claim will be enormous.
Only MTD software
HMRC explains here that the APIs to be used in MTD filing software must include headers for the software developers to pass on the necessary metadata. There is currently no similar requirement to supply metadata when using the APIs used to pre-populate SA returns.
HMRC’s instructions to developers say that it will be mandatory for the metadata to be supplied when the MTD-compatible software uses APIs from April 2019 onwards. This is a very tight timetable as according to a number of the approved MTD software providers. The final specification for the metadata requirements were only issued by HMRC in early February 2019 and there has been no opportunity to live test software including the new functionality.
Who is caught?
The regulations (SI 2019/360) define a “software supplier” as a person who develops, or procures the development of, and supplies a program designed to submit to HMRC in electronic form; tax returns, information from electronic records or other information relevant to a person’s tax liability, and to receive information in electronic form in relation to those matters back from HMRC. In other words, this new penalty only applies to tax software which uses an API to send and receive tax related data to HMRC.
Accountants who supply tax software to their clients as a third party seller won’t be caught by this definition. However, where accountant have produced their own MTD-compatible software, either directly or in partnership with a software producer, they may be drawn into the definition of software supplier, and potentially be liable to a penalty if the software doesn’t deliver the correct metadata.
In tax, as with other law, penalties are generally imposed when a law is not complied with. However, in this case the requirement to deliver the metadata is set out as part of the software developer agreement, which HMRC says has no legal force.
Regulation 2 of SI 2019/360 says: “The Commissioners [HMRC] may by specific or general direction define the set of metadata receipt of which they consider necessary for the purpose of ensuring the authenticity and security of a delivery to them through relevant software of tax information.”
So here we have a penalty being applied for a failure to comply with an HMRC direction. Those HMRC directions do have the force of law if they are made in accordance with powers given under a regulation (statutory instrument), but the details of those directions are not discussed in Parliament or even consulted on.
Another unusual feature of this new penalty is that it is imposed on the tax software supplier rather than on the taxpayer or the taxpayer’s agent. This is unprecedented, and represents an acknowledgement of the power and responsibility held by the software developers in the chain of tax compliance between the taxpayer and HMRC.