The fragile nature of TFN a big roadblock for ATO portal access

Although discussions around whether financial advisers should be granted access to the ATO portal have ebbed and flowed throughout the years, there has recently been a renewed demand for this with advisers asking, if accountants can be granted access, why not them as well?

The big issue here, according to The Cyber Collective founder Fraser Jack, is not advisers themselves but just that so much is at stake when it comes to tax file numbers (TFN).

“From the ATO portal point of view, they’re very, very careful around tax file numbers, right? Because if you lose somebody’s passport number, you could probably get a new passport issued and they’ll end up with a new number,” Jack said on The ifa Show.

“If you lose their tax file number, that cannot be replaced. The way that the system is set up, it can never, ever be replaced.”

For this reason, he explained, the ATO needs to be extremely cautious about who it allows portal access to.

This then brings in points around cyber security, highlighting just how vital it is that those with portal access have robust protections in place.

However, the discussions around this can be fraught with frustration because accountants are already allowed this same access that advisers have continuously been denied, despite some accountants operating as single practitioners or otherwise outside a large firm, suggesting that they likely have similar levels of protection as financial advisers.

While it is generally accepted that larger firms will often have stronger cyber defensive capabilities, Jack said that “some of the larger ones still need a lot of work”.

“Whether it be in an accounting firm or an advice firm or any other type of professional service firm … there’s definitely a lot of people on different stages along their journey,” he said.

“I think that, you know, personally, that it comes back down to, if you’re running a professional practice and you can demonstrate your levels of protection over your client data and client information, you should have access to it, but at the end of the day, it’s a really difficult one to make one rule for everybody.”

But what about read-only access?

While these are all certainly valid concerns, advisers have largely agreed that gaining read-only access to the portal would be enough for their purposes and does raise the question of whether this could be a safe compromise.

Addressing this, Jack suggested that allowing this is definitely a lower-risk option; however, there are still inherent risks.

“I would agree that that’s something that could definitely be done without too much issue,” he said.

Part of the argument for read-only access is so advisers can verify information given by clients that could impact how and when financial decisions are made.

For example, being able to check if and when a client utilised a non-concessional contribution to their super so they know when they can utilise this option again.

This becomes a particularly important point when incorrect information given by clients, even by accident, can lead to a double up that can get the adviser in trouble with regulators.

One of the potential risks, Jack explained, is that if a scammer is able to access a person’s TFN then they could ultimately gain access to their MyGov accounts and potentially change prior tax returns to trigger a payout. Understandably, this is something that the ATO would be strongly trying to avoid.

“It would be very, very helpful for advice firms to have access to what they would consider the source of truth in the tech terms,” he added.

“We always work out where the actual source of truth is in the data and so, you know, having it in the portal or having access to see, because we all know that people forget that they’ve done stuff three years ago and whether they did bring forward or they did something it was sort of, it’s done and it’s forgotten about.

“And those things get missed by trying to get that information out of the client. So, yeah, it would be very handy to be able to go there and look at, this is what you’ve reported as your income, your contributions, your whatever it might be.”

To hear more from Fraser Jack, tune in here.