Technical tax area: General articles
Process for tax agents to obtain electronic authorities to act
Summary
Inland Revenue has introduced an additional process to:
- enable tax agents to obtain authorities to act on behalf of their clients electronically
- provide tax agents with processes to authenticate their clients' identities prior to linking them as a client on Inland Revenue's system via a third-party provider.
For most tax agents there will be no changes to Inland Revenue's current requirements.
Background
The current process is for tax agents to have their clients physically sign a written authority to act on their behalf. The tax agent then holds this written authority on file.
Legislation provides the opportunity for the Commissioner to implement electronic authentication of customers. This new process will provide consistency in how tax agents work with customers.
In June 2009 a prescribed manner for obtaining authorities to act electronically was issued to certain tax agents operating in an "e" environment (see Appendix B). Developments in the "e" environment and the use of third parties for delivering services has led to this additional prescribed manner being issued to all tax agents.
It is important to note that the prescribed manner issued in June 2009 still remains current and acceptable. The additional prescribed manner offers another solution to tax agents operating in the "e" environment.
The traditional hand-signed authority to act process remains acceptable to Inland Revenue.
Electronic "authority to act" - what you must do
Section 81(4)(l) of the Tax Administration Act 1994 allows the Commissioner of Inland Revenue to make available customer information where the customer has "authorised in writing or in such other manner as the Commissioner prescribes in that behalf".
This section allows the Commissioner to provide an electronic "authority to act" from your client. To allow this, specific requirements must be met to establish the identity of your client.
To ensure sufficient authority to act has been obtained, the Commissioner must be satisfied that the customer's identity has been verified.
It is the joint responsibility of tax agents and Inland Revenue to maintain a consistent standard in the way we verify our customers. We have developed a process that provides a level of confidence for taxpayers while maintaining the integrity of the tax system.
Verification of the identity of the client giving the authority
A client's identity may be verified through the use of a third-party provider. Using a current New Zealand driver's licence, the tax agent may use a third-party provider to verify client identity. The third-party provider must be reputable and be authorised to verify at least five points from a current New Zealand driver's licence. They must also be able to confirm that the driver's licence is a valid one and has not been reported stolen/cancelled. The points for verification must include:
- first name
- middle name (if given)
- last name
- driver's licence number
- version number.
Where a client does not hold a current New Zealand driver's licence, a copy of the client's identity document (see Appendix A) must be obtained and held.
For identity to be seen as verified, all five points must match. The third-party provider is required to send the tax agent a confirmation report advising whether verification has been successful. The confirmation report must state accepted/rejected next to each key point and include the: name of the third-party provider; time; and date the verification report was requested and completed.
The confirmation report is to be held on file by the tax agent as verification of client identity in line with standard practice statement GNL-430: Retention of business records by electronic means (Dec 03). Where a confirmation report comes back as unsuccessful, a second attempt may be made. If in the second instance a confirmation report comes back as unsuccessful, the tax agent must then request a copy of the client's photo ID as outlined in the Appendix.
The tax agent must be able to provide a hard copy of the verification report at the request of the Commissioner.
As the tax agent does not receive an actual copy of the client's photo identification using this process, a bank account match must also be completed. The client must provide the tax agent with a bank account under the name submitted as part of the identity verification. Any final refund for the client may only be refunded into the bank account with the corresponding name (either directly from Inland Revenue or via the agency's trust account). Joint bank accounts are also acceptable, where the joint account name includes that provided during verification process. Details of bank account name and number must be held on file alongside the verification report of client identity.
If a client is not willing to provide a bank account number, any refund must then be issued by cheque. The cheque must be made out to the client's full name as provided by the identity document during the verification process (either directly from Inland Revenue or via the agency's trust account). A copy of the cheque issued must be made and held on file by the online tax agent (this is not required if the refund cheque is issued by Inland Revenue direct to the client).
The process of bank account matching reduces the risk of identity fraud. The perceived benefit of identity fraud through online tax agents is reduced where a bank account match is completed. Substantial effort would be required by an individual to create a bank account for the purpose of obtaining a refund from an online tax agent through the use of identity fraud.
Client must provide sufficient authority
Inland Revenue recognises that some online tax agents adopt a "tick box" approach for obtaining authority to act from the customer. Where this approach is used, the tax agent must make clear as a minimum all the following points for Inland Revenue to be satisfied that sufficient authority to act has been obtained. The authority to act must:
- authorise the tax agent to obtain the customer's information from Inland Revenue
- state the name of the tax agency and/or individual agent's name, plus staff that will be acting on behalf of the customer
- state what tax types the tax agent will be acting on behalf of the customer (the online tax agent may wish to specify "ALL" tax types to ensure full understanding of the client's tax position)
- specify the time for which the authority to act endures and how and when the authority to act can be terminated by either party
- state to the customer that linking allows the tax agent to have full access to information held by Inland Revenue and ability to modify customer details relating to the tax type they are linked for
- state where correspondence for linked tax types will be directed, either to the online tax agent or the client
- state that authority is given for any refund credits to be transferred to the agency's trust account prior to refund to the client (if applicable)
- authorise the online tax agent to prepare, submit and sign tax returns on behalf of the client.
Each point above must have its own "tick box" so the customer is fully aware of the agreement they are entering into when authorising authority to act to the tax agent.
The authority to act points must be agreed to separately from the online tax agent's terms and conditions or contract agreement.
A copy of the customer's authority to act must be held on file along with the verification of identity.
Consequences of not obtaining sufficient authority to act
Section 34B(8) of the Tax Administration Act 1994 states:
-
The Commissioner may remove a person from the list of tax agents if the Commissioner is satisfied that -
(a) the applicant is not eligible to be a tax agent:
(b) continuing to list the applicant as a tax agent would adversely affect the integrity of the tax system.
The Commissioner may remove a person from the list of tax agents where continuing to list the applicant as a tax agent would adversely affect the integrity of the tax system.
Timeframe
If choosing to operate in an "e" environment, with the use of a third party for client identity verification, full adherence to the specification outlined above is required by 1 February 2012.
If tax agents have any questions regarding these requirements they should in the first instance contact their agent account manager or community compliance officer.
Appendix A - acceptable forms of ID
There are two separate criteria for authentication purposes. The first is for customers 16 years and over and the second is for persons under 16 years.
Customers 16 years and over
Acceptable proof requires customers, 16 years and over, of tax agents to establish their identity by providing identity documents which must contain a photo of the client as listed below:
- New Zealand driver's licence
- New Zealand passport (please scan/copy the pages showing photo, name and specimen signature)
- overseas passport with New Zealand immigration visa/permit (please scan/copy the pages showing photo, name, any pages showing current work, visitor permits, or residency documentation and a specimen signature) or call Inland Revenue on 0800 227 774 for exempt list
- New Zealand firearms or dealers' licence
- New Zealand 18+ card
- International Drivers' Permit (issued by a member country of the UN Convention on Road Traffic)
- New Zealand certificate of identity (issued by Department of Labour or Department of Internal Affairs).
For a child under 16
Full New Zealand birth certificate issued on or after 1 January 1998. Birth certificates issued after 1 January 1998 carry a unique identification number. If you hold a birth certificate issued before 1 January 1998 and wish to hold a birth certificate with a unique identification number, contact the Department of Internal Affairs.
Plus full proof of the parent or guardian identity by providing one legible scanned copy of an identity document which must contain a photo as listed above.
Appendix B: June 2009 enabling electronic authority to act
The following standards have been identified under which the Commissioner of Inland Revenue can prescribe a manner to enable electronic authority to act:
- Establishing the identity of the client giving the authority
- Client must provide sufficient authority
- Tax agent is able to record and store the client's authority
- Inland Revenue has access to information.
Verification of the identity of the client giving the authority
The identity of the person providing the authority to act must be established to a degree of confidence to be reasonably sure that they are entitled to provide that authority, ie, it is their information they are authorising the tax agent to access, or they have the authority to authorise the tax agent to access information regarding a non-individual (eg, a shareholder/director of a company).
They would scan or copy their ID and email or fax/post to agent. The agent would then save the email, IP address, and time logs of the email. This proposed process has itself introduced a new level of risk; the ability to manipulate documents electronically to facilitate identity theft. This risk can be managed with controls and measured to ensure if any increase in identity theft occurs, this can be addressed (see "Back-up controls" below).
The form of ID required will be one legible scanned copy of an identification document that contains a photo. The only acceptable identification documents are listed at Appendix A.
If the PTS customer is a child under 16, the child's parent or guardian is required to provide:
- one legible photocopy of a document which shows the relationship between them and the child such as a full birth certificate, and
- full proof of their own identity as parent or guardian by providing one legible photocopy of an identity document which must contain a photo as listed in Appendix A.
Client must provide sufficient authority
The authority received by the tax agent must be adequate for them to act for the customer with regard to their tax affairs and to receive information held by Inland Revenue (eg, if the tax agent is to link the client for the GST tax type then the client's authority should cover GST). This authority must have the customer's signature (by hand) and can be scanned and emailed or faxed to the agent to facilitate electronic transmission.
Currently Inland Revenue does not provide any guidance through policy as to the content of a client's written authority. There is no proposed change to this position.
Tax agent is able to record and store the client's signed authority to act and ID
A record of the authority and ID provided by the client must be able to be maintained to standards agreeable to Inland Revenue. The standards would follow those required for the electronic storage of business records (as set out in standard practice statement GNL-430).
These standards are as follows.
Auditable
Client authorisations provided electronically must be kept in a manner that allows Inland Revenue to readily review that authority and identification documents of the person who provided them
e-Format
Format of electronic records
Internal controls must be adequate to ensure that all client authorisations provided electronically, including those provided through the Internet, are completely and accurately captured.
Format of electronic records originally in paper form
Paper records transferred to electronic form must be copied completely and accurately in a format identical in all respects to the source-paper document.
Any additional information must not obscure the view of the original record information and must be distinguishable as additions to the original record.
Emails
Emails that communicate a client's authority to act to a tax agent are required to be retained with their origin, destination and time of electronic communication.
Hardware/software
In the event of hardware/software changes:
- facilities for retrieving electronic records that have been stored on the former system must be retained or;
- the electronic records must be converted to a compatible system and both sets of files retained complete with documentation showing the method of transfer and controls in place to ensure the transfer was complete and accurate.
Security
Tax agents should be able to demonstrate that their electronic records systems are secure from both unauthorised access and data alterations.
This usually involves developing and documenting a security program that:
- establishes controls to ensure that only authorised personnel have access to electronic records;
- provides for back-up and recovery of records;
- ensures that personnel are trained to safeguard sensitive or classified electronic records; and
- minimises the risk of unauthorised alteration, addition or erasure.
Back-up
Back-up and recovery procedures must be sufficient to guarantee the availability of electronic records.
Retrievable
The electronic records must be readily accessible and capable of being retrieved on legible hard copy (printouts) or supplied in electronic form (on electronic media and unencrypted in a form able to be read by Inland Revenue staff) if required.
Inland Revenue access to information
Inland Revenue must be able to access the:
- evidence used to establish the client's identity
- record of the authority provided by the client.
Assistance to Inland Revenue officers
Adequate viewing and printing facilities should be made available free of charge to Inland Revenue officers. If requested, persons must locate selected records that have been stored and print any items selected, free of charge to Inland Revenue officers.
Persons must be available to explain the operation of their computer system to Inland Revenue officers. This is the case whether the system is owned and operated by the person or out-sourced to a third party.
An electronic facility by which a tax agent obtains a client's authority to act that meets these criteria would reduce the risk that the releasing of that client's information to that tax agent will not breach the provisions of section 81 of the Tax Administration Act 1994.
Back-up controls
AAM sample check ID is stored
As part of the tax agent's extension of time (EOT) agreement, our Agent Account Managers (AAMs) periodically request to view samples of the authorities to act when visiting tax agents to ensure that the requirements set out above are being met. As part of this policy we would introduce the requirement to view the ID provided at the time of the authority, and match these to those types of ID stated in this policy.
AAM sample check stored ID to Inland Revenue-held documents
Also, AAMs would sample-check the details of the PTS customer and in some circumstances the source documents held within Inland Revenue to the ID to ensure reasonable checks have been undertaken to establish the identity.
At the time of linking the customer, ask agents:
- whether they hold authority to act, and
- where this is a PTS customer, have they established the identity of the customer.
Validate the correct customer received the refund
Outbound calls could be made to validate the customer (using existing contact centre validation rules) and confirm receipt of refund. A sample check of customers who engage the services of an electronic PTSI or who provided their identity documents electronically could be undertaken at regular intervals to identity occurrences of identity theft.
Monitor for increase in identity theft-related fraud
Assess whether the level of identity fraud in PTSI's have increased and amend this policy where necessary to address any risks that may emerge. Ongoing monitoring should be undertaken for any escalating behaviour that may indicate potential fraud, ie, recent PTS refund then registration of new entity with that PTS customer associated, and or tax types GST/FAM/Tax Credits and subsequent refund applications.
PTS intermediaries
PTSIs would be required to capture all occurrences where reasonable steps have been undertaken to establish the identity and where that identity was not established.
PTSI would be required to capture the email, IP address, and time logs of the authorities.
Other pages in: General articles
- Kiwifruit PSAv issues and effects on growers - information for agents
- Notice - Income tax treatment of unsuccessful software development
- Review of Public Information Bulletins
- Changes to the disputes resolution process
- Making tax easier - Government consultation June 9 to 23 July 2010
- Guidance on a "reasonable daily travelling distance"
- Protocols between the Solicitor-General and Commissioner of Inland Revenue
- Panel statement RAP 002: Process for resolving potential unintended legislative changes in the Income Tax Act 2007
- Inland Revenue's Public Rulings Unit
- Secondhand goods input tax credits - marine farming licences and leases
- Statement on fringe benefit tax and motor vehicle multi-leases
- Subsidised transport provided by employers to employees - value for fringe benefit tax purposes
- New tax information exchange agreement with the Netherlands on behalf of the Netherlands Antilles
- The Commissioner's Table of Depreciation Rates
- Notice - Income Tax Act 2007
- The Adjudication Unit - its role in the dispute resolution process
- Removal of 5 cent coins from circulation - effect on GST tax invoices
- Summary of unintended legislative change submissions where Rewrite Advisory Panel considered there was no unintended legislative change
Date published: 17 Nov 2011
Back to top