In March, HMRC introduced 2 Step Verification (2SV) in a trial for business customers registered for self-assessment. 2SV involves using a code sent to a mobile or landline phone along with the usual login details.
HMRC has said that, as part of the security measures it is introducing, it will ‘phase in the requirement for business customers enrolled in only self-assessment to use 2SV when accessing their accounts’.
We know that cybercrime and access to clients’ records is a developing problem and we and others are working with HMRC on these issues.
How will the 2SV service work?
When a customer logs in, HMRC will either text or send an automated message with a code, which is required to gain access to a tax account. It has said ‘if customers lose their phone or change number, 2SV can be reset by ringing the Online Services Helpdesk’.
Why is HMRC providing this service?
HMRC has said that the main reason is security for taxpayers, commenting: ‘We know that criminals attempt to use stolen login details to access and exploit customers’ tax accounts. Without the registered mobile or landline phone, they are less likely to succeed.
It’s easy and many of our customers already do it in other walks of life. 2SV is very common across internet banking and email services.
It is popular with users – in January 2016 around 600,000 Personal Tax Account users opted-in to use the service.’
What do your clients need to do?
HMRC has said that at this stage it is not implementing the process for agents. Its advice is that ‘to use the service, your clients simply need to follow the on-screen steps when they log in to their tax account having either a mobile or landline phone to hand’.
Protection against cyber risks
Protection of data, and more generally protection of businesses against cyber threats, is a key but easily overlooked area. Liability of a business for data loss, reputation loss, theft and significant business disruption are just some of the potential horrors.
Cyber attacks, both unsophisticated and sophisticated, are also becoming increasingly common. Insurance companies are increasingly asking specific questions around security, and in many sets of terms and conditions for cloud-based software, clauses now specifically highlight that it is the business user who is responsible for data security.
There is a need for all businesses to assess risk, to establish preventative processes and procedures and to have a plan for what action is required if an attack were to take place. A useful starting point is the guidance called Cyber Essentials.
This provides materials that businesses can download, including free documentation, but also contains a short self-assessment, which sets out security controls that help businesses protect themselves against the most common cyber threats.
Interaction with government is increasingly electronic, with businesses and agents representing businesses updating key information, transferring data and paying taxes and receiving refunds based on the data held. Where there is concern over a cybersecurity breach it is advisable to contact the appropriate government department. For example, HMRC has an updated list of the latest issues highlighted to it.
Where a breach is suspected, HMRC can be contacted via email so action can be taken quickly. One of the key parts of any security plan would be what should happen were an attack to occur and who should then be engaged with. Typically for a tax agent this would be to make contact with HMRC and any third parties that may have been impacted.