Tax Practitioners Board Practice Note

The Tax Practitioners Board (TPB) has released this Practice Note (PN) to provide practical guidance and assistance to registered tax practitioners in relation to verifying client identities.

Disclaimer

This is a TPB Practice Note (TPB(PN)). It is intended to be for information only. While it seeks to provide practical assistance and explanation, it does not exhaust, prescribe or limit the scope of the TPB’s powers in the Tax Agent Services Act 2009 (TASA) or the Tax Agent Services Regulations 2022 (TASR).

In addition, please note that the principles and examples in this TPB(PN) do not constitute legal advice and do not create additional rights or legal obligations beyond those that are contained in the TASA or which may exist at law.

Document history

The TPB originally released this document as a draft practice note in the form of an exposure draft on 17 February 2021. The closing date for the submissions was 31 March 2021.

The TPB considered the comments and submissions received and now publishes the following TPB(PN) based on the TASA as at 17 February 2021.

On 1 April 2022, the TPB updated this TPB(PN) to replace references from the repealed Tax Agent Services Regulations 2009 to Tax Agent Services Regulations 2022.

On 17 January 2023, the TPB updated this TPB(PN) to incorporate further guidance for circumstances where the client instructing the registered tax practitioner is the employer of taxpayers. 

On 28 June 2023, the TPB made minor changes to this TPB(PN) to update references to the Australian Taxation Office's client verification methods.

Issued: 31 January 2022

Last updated: 28 June 2023

Introduction

1. Registered tax practitioners (registered tax agents and BAS agents^[1]), like many professionals are working in an environment which requires an increasing reliance on technology, remote work practices, and changing methods to engage with new and existing clients. As such, it is increasingly important that registered tax practitioners manage their practices in a way that minimises the risk of their practice being the target of fraudulent activities against themselves, their business, clients, taxpayers and/or the government.

2. In this Practice Note, registered tax practitioners will find the following information:

• relevant provisions of the Tax Agent Services Act 2009 (TASA) including the Code of Professional Conduct (Code) (paragraphs 6 to 7)

• the Tax Practitioners Board’s (TPB) minimum requirements (paragraphs 8 to 35)

• identifying discrepancies (paragraph 36)

• consequences of non-compliance under the TASA (paragraphs 37 to 41)

• case studies (paragraphs 42 to 55)

• further information (paragraph 56).

3. In developing the TPB’s proof of identity (POI) requirements for clients and representatives of clients, the TPB has been informed by a number of relevant considerations, including:

• the relevant provisions under the TASA, including the Code, and caselaw

• the Australian Taxation Office’s (ATO) recommendations in relation to establishing a client’s identity, particularly when accessing the ATO’s online channels

• the Accounting Professional Ethics and Standards Body’s (APESB)^[2] guidelines that broadly require accounting firms to consider the integrity of a client upon accepting or continuing an engagement. The client’s identity must be established and understood to meet this requirement

• the Anti-Money Laundering and Counter-Terrorism Financing Act 2006, and the Anti-Money Laundering and Counter-Terrorism Financing Rules (collectively referred to as AML/CTF legislation).^[3] While most registered tax practitioners are not be governed by AML/CTF legislation, it outlines a structured and consistent customer verification process

• the State-based requirements for legal practitioners and conveyancers to undertake identity verification in certain circumstances.

4. This Practice Note addresses the TPB’s POI requirements for registered tax practitioners. However, registered tax practitioners need to also recognise that they may be subject to other related regulatory requirements as required by other organisations, such as the ATO or their professional association.  

5. This Practice Note contains the minimum requirements for most standard engagements between tax practitioners and clients (including through individual representatives). Tax practitioners should exercise their professional judgment when determining the processes to undertake in circumstances where the requirements of this Practice Note are not practical or applicable to a particular client engagement. When determining these processes, a risk-based approach should be undertaken where processes are more rigorous for engagements that pose a higher risk of identity theft and fraud. While processes may be different to those outlined in this Practice Note, they must not be of a lower standard. When exercising their professional judgment, practitioners must ensure they fulfil their obligations particularly in relation to Code item 7, Code item 9 and section 50-20 of the TASA (see Table 1 below).

Relevant provisions of the TASA including the Code of Professional Conduct

6. While there are no specific POI requirements in the TASA, there are a number of provisions that a registered tax practitioner may breach if they fail to take appropriate POI steps to verify a new or ongoing client’s identity, any representative of new or ongoing clients, and the representative’s authority to represent the client (if applicable). These include:^[4]

Table 1 – Relevant TASA provisions

Code item 1	You must act honestly and with integrity.
Code item 7	You must ensure that a tax agent service that you provide, or that is provided on your behalf, is provided competently.
Code item 9	You must take reasonable care in ascertaining a client’s state of affairs, to the extent that ascertaining the state of those affairs is relevant to a statement you are making or a thing you are doing on behalf of the client.
Fit and proper requirement	It is an ongoing registered tax practitioner registration requirement that: individual registered tax practitioners are fit and proper all directors of registered tax practitioner companies are fit and proper all individual partners in a registered tax practitioner partnership are fit and proper all directors of company partners in a registered tax practitioner partnership are fit and proper.
Section 50-20	You contravene this civil penalty provision if you are a registered tax agent or BAS agent and you make or prepare a statement to the Commissioner of Taxation that you know or are reckless as to whether the statement is false, incorrect or misleading in a material particular or omits any matter or thing without which the statement is misleading in a material respect.

7. Examples of cases where the TPB, Administrative Appeals Tribunal (Tribunal) and/or Federal Court have found that registered tax practitioners have breached the above provisions by, amongst other matters, failing to undertake appropriate POI identity measures are provided at paragraphs 44 to 57.

The TPB’s minimum requirements

8. The TPB requires that all registered tax practitioners take appropriate POI steps prior to providing tax agent services and BAS services, and on an ongoing basis, as appropriate. Similarly, in circumstances where an individual is representing a client (including individual and non-individual clients) in engaging the registered tax practitioner (an individual representative), the registered tax practitioner must also take steps to ascertain and verify the individual representative’s identity, and the authority for the individual representative to engage the registered tax practitioner on behalf of the client.

9. In determining what steps are appropriate in any given circumstances, the TPB requires that, at a minimum, registered tax practitioners comply with the requirements contained in Table 2 below.

Table 2 – Minimum requirements for verifying a client’s identity

Scenario	Required information	Required evidence to be sighted
Individual seeking to engage the registered tax practitioner in their own right	The Individual’s full name and either: residential address; or date of birth	An original or certified copy of a primary photographic identification document, or both of the following: an original or certified copy of a primary non-photographic identification document; and an original or certified copy of a secondary identification document.
Individual representative seeking to engage the registered tax practitioner on behalf of an individual client	Both the individual representative and individual client’s full names and either: residential addresses; or dates of birth;   and Authority of the individual representative to engage the registered tax practitioner on behalf of the individual client.	For both the individual representative and the individual client, an original or certified copy of a primary photographic identification document, or both of the following: an original or certified copy of a primary non-photographic identification document; and an original or certified copy of a secondary identification document; and a legal document demonstrating the authority of the individual representative to engage the registered tax practitioner on behalf of the individual client, including in relation to parental, guardianship or power of attorney representation.
Individual representative seeking to engage the registered tax practitioner on behalf of a non-individual client	The individual representative’s full name and either: residential address; or date of birth;  and The non-individual client’s full name and either: Australian Business Number (ABN); Australian Company Number (ACN); or any other additional detail in order to make a reasonable assessment[5] of the legitimacy of the non-individual’s identity;  and authority of the individual representative to engage the registered tax practitioner on behalf of the non-individual client.	For the individual representative, an original or certified copy of a primary photographic identification document, or both of the following: an original or certified copy of a primary non-photographic identification document; and an original or certified copy of a secondary identification document. For the non-individual client, documentation or data that verifies the existence of the non-individual client; and a legal document demonstrating the authority of the individual representative to engage the registered tax practitioner on behalf of the non-individual client.

10. Examples of the types of evidence that need to be sighted to satisfy the above requirements are contained in Table 3 below.

Table 3 – Examples of required evidence

Required evidence to be sighted	Examples
Primary photographic identification document	A driver licence or permit from Australia or overseas, including a digital driver licence An Australian passport A government proof of age card issued in Australia A foreign passport issued by a foreign government or the United Nations International travel documents issued by a foreign government or the United Nations A national identity card issued by a foreign government or the United Nations An ImmiCard provided by the Department of Home Affairs
Primary non-photographic identification document	An Australian birth certificate, birth extract or citizenship certificate[6] A foreign birth certificate or citizenship certificate[7] A government issued concession card, such as a pensioner concession card, a health care card, or a senior’s health care card.
Secondary identification document	A notice from the ATO or other government agency, such as Centrelink, that contains the individual’s name and residential address, issued in the past 12 months A municipal council rates notice or a utilities bill (such as a water, gas or electricity bill) that contains the individual’s name and residential address, issued in the past three months A Medicare card For an individual aged under 18, a letter from a school principal issued in the past three months that details the individual’s name, residential address and when they attended the school, or a student card if available Electoral roll details (checked against www.aec.gov.au).
Documentation or data that verifies the existence of non-individual clients	Extracts issued by the Australian Securities and Investments Commission (ASIC) or other Australian Government body Constituting or governing documentation (for example, trust deed or partnership agreement) Proof of the non-individual client’s business address Invoices issued/received in the non-individual client’s name.
Legal document demonstrating the authority of an individual representative to engage a registered tax practitioner on behalf of an individual client	Official or legal documents demonstrating parental, guardianship or power of attorney representation, for example: enduring power of attorney or similar document birth certificate adoption paper court order letter of authority (see paragraphs 13 and 14) signed doctor’s letter with explanation of circumstances. verbal authority after verifying the individual client and individual representative’s identities in accordance with the requirements of Table 2.
Legal document demonstrating the authority of an individual representative to engage a registered tax practitioner on behalf of a non-individual client	an Annual Company Statement or current company extract from Australian Securities & Investment Commission (ASIC), identifying the individual as an officeholder confirmation from ASIC that the individual is an officeholder; for example, through the ASIC registered agent portal if you are also an ASIC registered agent A trust deed A partnership agreement The constitution   The constitution of a registered cooperative copies of board meeting minutes documenting the appointment verbal authority from an existing authorised representative or officeholder (after verifying that person) ABR details employment contract indicating position; for example, tax manager the representative is clearly identified on the business's website or other corporate or organisational documents as holding a relevant role to the management of the business's taxation, superannuation or finance functions, for example, a chief executive officer, tax manager, chief financial officer or general manager.

 

11. When sighting verification documents to confirm the identity of a client and/or individual representative, registered tax practitioners must have regard to the following considerations:

• whether the photo in any identification document appears to match the details that have been provided by the individual (for example, age and gender)

• whether the name, address and date of birth match when comparing documentation.

12. If a registered tax practitioner is engaged by multiple related clients (or an individual representative of multiple related clients), the TPB requires the registered tax practitioner to undertake the verification steps outlined in Table 2 and Table 3 in respect of each of the clients and individual representative/s (for example, husband and wife, a partnership and individual partners, a company and its directors, trustees of a trust and its beneficiaries).

Mutual recognition

13. The requirements contained in Table 2 and Table 3 are consistent with the POI requirements that may also apply to registered tax practitioners under various regimes, including the ATO's methods for client verification and requirements of AUSTRAC (in relation to the AML/CTF legislation). In situations where a registered tax practitioner undertakes POI steps that vary from the requirements contained in Table 2 and Table 3, however comply with the ATO's methods and/or AUSTRAC's requirements, including by using any electronic/technological solutions accepted by the ATO and/or AUSTRAC, the TPB will generally consider these POI steps to also meet the TPB’s requirements.

Letters of authority

14. A letter of authority is a legal letter (including an email or emails) authorising a third party (agent) to act on an individual’s (principal) behalf in respect of discrete matters that are listed in the letter. Upon receipt of a letter of authority, the TPB expects that it may be appropriate, depending on the circumstances, for a registered tax practitioner to take additional steps to confirm the principal’s authorisation of the agent to act on the principal’s behalf, including for example, by following up with a telephone, video conference or face-to-face conversation with the principal.

15. Registered tax practitioners may wish to seek legal advice or make additional enquiries if they are unsure whether to accept a letter or email purporting to authorise an individual representative to act on behalf of a client or potential client.

Clients without conventional identity documents

16. Some clients may not be able to provide the identity documents listed in Table 3, including:

• some Aboriginal or Torres Strait Islander clients

• clients living in remote areas

• clients who have been affected by a natural disaster

• clients who have come to Australia as refugees

• clients who have limited access to identity documents (for example, due to experiencing family or domestic violence or homelessness)

• clients who have identity documents that have recently expired (for example, an elderly client who has not renewed their driver licence).

17. In these circumstances, the TPB would expect registered tax practitioners to take a flexible approach to undertaking POI steps in relation to such clients, which may be different to, and sometimes less than, the minimum requirements outlined in Table 2 and Table 3 above. Registered tax practitioners in these circumstances would be expected to complete detailed contemporaneous records to outline their client’s circumstances and details of the steps taken to establish the client’s identity (refer to paragraph 24).^[8]

Well-established clients

18. It may not be practical or necessary for a registered tax practitioner to undertake the POI steps outlined in Table 2 and Table 3 for clients and/or individual representatives whose identity the registered tax practitioner considers to be well-established. In order to protect themselves, their business and the government from fraud occurring in connection to identity theft, registered tax practitioners are required to exercise their professional judgement when making an assessment about whether a client or individual representative is a well-established client and whether or not it remains appropriate to undertake the POI steps outlined in this Practice Note.^[9]

19. If a registered tax practitioner makes an assessment that it is not appropriate or necessary to undertake the POI steps outlined in this Practice Note in relation to a well-established client, the TPB still requires that the registered tax practitioner retains a record of their assessment about the appropriateness of undertaking the steps outlined in Table 2 and Table 3, which should, at a minimum, address the matters listed at paragraph 22 below.

20. If a registered tax practitioner makes an assessment that it is not appropriate to undertake the POI steps outlined in Table 2 and Table 3 in relation to an individual representative of a client, the TPB still requires that the registered tax practitioner sights evidence that demonstrates the authority of the individual representative to engage the registered tax practitioner on behalf of the client, before providing tax agent services or BAS services.

21. Furthermore, if a registered tax practitioner has made an assessment that a client is a well-established client, the TPB requires that the registered tax practitioner adheres to the TPB’s requirements in relation to frequency and record-keeping.

Frequency

22. The TPB requires registered tax practitioners to undertake the POI steps outlined in Table 2 and Table 3 in respect of all new clients and individual representatives (subject to paragraphs 18 to 21 above). However, it is a matter for registered tax practitioners to determine the frequency of undertaking these checks, depending on the circumstances of the client, individual representative (if applicable) and the registered tax practitioner’s engagement, including but not limited to:

• the registered tax practitioner’s relationship and familiarity with the client, including whether the client was transferred to the registered tax practitioner through a transfer of business or practice (see paragraphs 31 and 32)

• the scope of the services provided to the client

• whether the engagement and interactions with the client takes place online, in-person or a combination of both

• whether there has been a change in the circumstances of the client

• any discrepancies that arise in relation to the client’s identity or other affairs

• any changes that arise in relation to an individual representative (if applicable)

• any changes that arise in relation to the relationship between the client and individual representative, or the authority for the individual representative to act on behalf of the client (if applicable)

• whether there has been continuity in the client’s engagement of the practitioner, or whether there has been a break in the engagement

• any requirements of the registered tax practitioner’s professional association or Australian Financial Services licensee (if applicable).

23. The TPB requires that registered tax practitioners make and retain a record of their assessment about the appropriate frequency in which they need to undertake POI steps outlined in Table 2 and Table 3 in respect of each ongoing client, which should, at a minimum, address the matters listed at paragraph 22 above.

Record keeping

24. The TPB does not require or recommend that registered tax practitioners retain copies or originals of identification documents (listed in Table 3) used as evidence to establish the identity of a client or their individual representative. This recognises that the retention of identification documents may increase the risk of registered tax practitioners being targeted by criminals undertaking identity theft.^[10] Accordingly, what the TPB requires is a contemporaneous record (for example, a checklist) to demonstrate that proof of identity steps were undertaken by registered tax practitioners. This record would include the following information:

• the date and time that proof of identity checks were undertaken

• the name and title of the person undertaking the proof of identity checks on behalf of the registered tax practitioner (if someone other than the registered tax practitioner)

• the identification documents that were sighted, and whether they were originals or certified copies (it is not recommended that registered tax practitioners record entire identity document numbers, however practitioners may wish to record the last or first digits of identity document numbers as evidence that they sighted the documents)

• how the identification documents were sighted (for example, in person, or electronically)

• confirmation that:

  • the identification documents are clear and legible and identify the client or individual representative

  • there does not appear to be reason to question the identification documents provided

• if the registered tax practitioner has made an assessment that the client is a well-established client in accordance with paragraphs 18 to 21 of the Practice Note, the reasons and basis for making this assessment (which should address any relevant matters, including those listed at paragraph 22).

25. The TPB requires that registered tax practitioners keep a record of the POI checks that they undertake in relation to each client and/or individual representative of a client for a minimum of five years after the engagement with the client has ceased.

Receiving identity documents electronically

26. The TPB does not recommend sending and receiving sensitive information or copies of identity documentation and/or evidence by email as this is not considered to be a secure method of transmission. As such, the TPB strongly recommends that registered tax practitioners arrange that any such information or copies of documents or evidence are provided to them by the client:

• via a secure website, secure online mailbox or secure messaging

• as an encrypted or password protected attachment to an email

• using another secure electronic solution that minimises the risk of interception of the sensitive information, identity document and/or evidence.

27. If a registered tax practitioner intends to receive sensitive information or copies of identity documentation and/or evidence electronically, the TPB recommends that the registered practitioner seek independent professional advice from an information and communication technology security provider about what controls are appropriate for their business and risk circumstances.

Remote verification

28. In circumstances where a registered tax practitioner is engaging with a client and/or their individual representative remotely through the use of videoconferencing, the TPB’s requirements remain the same as for registered tax practitioners who engage with clients face-to-face. If a registered tax practitioner sights original or certified identification documents through videoconferencing or with the use of a webcam, the TPB requires that the tax practitioner makes a note of this in the registered tax practitioner’s contemporaneous record of the POI checks undertaken. If certified copies of identification documents are sent electronically or by mail to the registered tax practitioner, the TPB strongly recommends that the registered tax practitioner destroy the copies after the POI checks and contemporaneous record have been completed and recorded.

29. However, if a registered tax practitioner engages a client and/or their individual representative through non-visual electronic communication (for example, using teleconferencing or email only) and is therefore unable to verify and compare the client’s identity with the certified copies of identification documents that have been provided, the registered tax practitioner should have regard to the ATO’s methods for verifying the client’s and/or representative’s identity, if they use the ATO’s online services to make a claim, lodgement or access any information in relation to the client.

30. Further information in relation to the ATO’s methods for client verification can be accessed on the ATO website.

Transferring a tax practice or client list

31. If there is a change in ownership of a tax practice and/or client list from one registered tax practitioner (seller tax practitioner) to another (buyer tax practitioner), the TPB would expect that copies of the contemporaneous POI records relating to affected clients of the seller tax practitioner are transferred to the buying tax practitioner as part of the transfer, along with other relevant client records. In this circumstance, the buyer tax practitioner would not be required, but may do so if they prefer, to undertake the POI checks outlined in Table 2 and Table 3 in respect of each new client upon the transfer taking effect. However, the requirements in relation to ongoing POI checks at paragraph 22 of this Practice Note would still apply and the buyer tax practitioner would be expected to consider undertaking POI checks as appropriate throughout the engagement with relevant clients.

32. The seller tax practitioner would also be expected to ensure that Code item 6 is complied with. Under Code item 6 the seller tax practitioner cannot disclose any information relating to a client’s affairs to a third party (including the buyer tax practitioner) without the client’s consent or a legal duty to do so.

Being engaged by another registered tax practitioner on behalf of a client

33. If a registered tax practitioner (the referring tax practitioner) is engaged by another registered tax practitioner (the advising tax practitioner) to provide advice or services to the referring tax practitioner on behalf of a client of the referring tax practitioner (or to the client directly), the advising tax practitioner will meet the TPB’s requirements if they receive written confirmation from the referring tax practitioner that the referring tax practitioner has undertaken proof of identity checks and confirmed the identity of the client.^[11] However, if the client seeks to subsequently engage the advising tax practitioner independently of the referring tax practitioner, it is recommended that the advising tax practitioner undertake the proof of identity checks outlined in this Practice Note in respect of the client.

Referral of a client from another registered tax practitioner

34. In circumstances where a client is referred to a registered tax practitioner from another registered tax practitioner to provide services directly to the client, the newly engaged registered tax practitioner must undertake the proof of identity checks outlined in this Practice Note in respect of the client, regardless of whether the referring registered tax practitioner has undertaken their own proof of identity checks in relation to the client.

Employer client representing taxpayer employees

35. In circumstances where the client instructing the registered tax practitioner is the employer of taxpayers, and the tax practitioner provides tax agent services for the taxpaying employees of the employer client, the tax practitioner must receive confirmation in writing from the employer client that the employer client has undertaken adequate POI checks in respect of the employees and that the employer has the authority to represent the employees to the registered tax practitioner. These POI enquiries must be either equal to or greater than the requirements of this Practice Note. The tax practitioner must put in place a process where any discrepancies or red flags in relation to the taxpayer employees are identified and appropriately escalated before any lodgements are made. In having these processes in place, the tax practitioner should bear in mind that it needs to be satisfied that the processes and systems it has in place ensure that POI checks are being undertaken appropriately by the employer client. If the practitioner makes a statement to the Commissioner where they are reckless as to the truth or accuracy of the statement, they may be contravening s50-20.^[12]

Identifying discrepancies

36. If after satisfying the requirements in Table 2, a registered tax practitioner identifies discrepancies with the information provided and claims made by the client or individual representative (if applicable), the registered tax practitioner should:

• ask additional probing questions of the client or individual representative, and/or seek additional documentation or evidence

• take steps to independently verify the information provided (if possible)

• decline the engagement if they are not satisfied that the information about the client’s or individual representative’s identity is correct

• consider notifying the TPB, the ATO, ASIC or other relevant authorities.

Consequences for non-compliance under the TASA

37. If a registered tax practitioner fails to take appropriate POI steps to verify a client’s or individual representative’s identity, the TPB may find that they have breached the TASA, in particular:

• the Code, for example:

  • Code item 1: you must act honestly and with integrity

  • Code item 7: you must ensure that a tax agent services that you provide, or that is provided on your behalf, is provided competently

  • Code item 9: you must take reasonable care in ascertaining a client’s state of affairs, to the extent that ascertaining the state of those affairs is relevant to a statement you are making or a thing you are doing on behalf of the client

• by failing to meet an ongoing tax practitioner registration requirement (for example, the fit and proper person requirement)

• the civil penalty provision relating to making a false or misleading statement to the ATO (section 50-20).

38. If a registered tax practitioner breaches the Code, the TPB may impose one or more administrative sanctions, as follows:

• issuing a written caution

• imposing an order requiring the registered tax practitioner to take one or more actions (for example, undertaking a course of education or providing tax agent services (including BAS services) under the supervision of another registered tax practitioner

• suspension of registration, or

• termination of registration.

39. If the TPB finds that a registered tax practitioner has failed to meet an ongoing tax practitioner registration requirement (for example, by no longer being a fit and proper person), the TPB may terminate the tax practitioner’s registration.

40. If an individual or entity is found by the TPB to have contravened a civil penalty provision of the TASA (for example, section 50-20), the TPB may apply to the Federal Court of Australia for a civil penalty to be imposed on that individual or entity.

41. Ultimately, determining whether a registered tax practitioner has contravened the TASA will be a question of fact. This means that each situation will need to be considered on a case-by-case basis having regard to the particular facts and circumstances of that case.

Case studies

42. The following cases highlight the importance of registered tax practitioners taking appropriate POI steps, and in circumstances where discrepancies arise in relation to the information provided by clients or individual representatives, to take appropriate steps to address these discrepancies.

TPB decision – John^[13]

43. John provided tax agent services to an individual purporting to be a taxpayer, with whom he engaged solely through an online platform. John did not ask for any POI documentation to verify the identity of the individual prior to providing the services to the individual, which included the lodgement of income tax returns. Upon lodging income tax returns with the ATO, the ATO advised John that the identity of the taxpayer who the individual purported to be had been compromised. Despite the advice of the ATO, John re-added the taxpayer to his client list to enable him to continue to make lodgements on the taxpayer’s behalf. The TPB found that John had breached:

• Code item 1: John lacked honesty and integrity by re-adding the taxpayer to his client list despite being advised by the ATO that the taxpayer’s identity had been compromised.

• Code item 7: John did not provide services competently by failing to verify the identity of the individual prior to providing services.

44. The TPB suspended John’s registration for six months and ordered him to:

• undertake a review of his procedures for completing and lodging client tax returns by an accredited cyber security expert, with a focus on verifying client identity and dealing with potential identity compromise

• provide the TPB with a report by the cybersecurity expert

• advise the TPB of any changes he made to his process as a result of the cybersecurity review.

TPB decision confirmed by the Administrative Appeals Tribunal - Nei Tung

45. Mr Tung accepted details of 346 taxpayers from six individuals (that he had never met before) that purported to be the individual representatives of those taxpayers and was asked to prepare tax returns for the taxpayers by the individual representatives. He did not ask for any POI information in relation to the 346 taxpayers or the six individual representatives and charged up-front cash payments in excess of his normal fees. Where details in the ATO tax portal indicated discrepancies, he ignored these and continued to lodge returns for those 346 taxpayers without further enquiries.

46. The lodgements made by Mr Tung were cancelled by the ATO as the associated tax file numbers (TFNs) were compromised. Mr Tung submitted that he considered the arrangement he had with the individual representatives was “fine” because he was provided with bank details for all the taxpayers, and he had no reason to doubt the legitimacy of the taxpayers’ bank accounts. However, 17 bank account numbers were used on four or more occasions and as many as eight occasions.

47. The TPB found that Mr Tung had breached:

• Code item 1: for lodging income tax returns notwithstanding there being a serious issue with the credibility of the taxpayers’ supporting documentation provided to him by the individual representatives

• Code item 7: by not undertaking adequate, if any, enquiries with the 346 taxpayers in order to ascertain if the information provided by the individual representatives was accurate, or accurately represented those taxpayers’ state of affairs

• Code item 8: by, amongst other matters, incorrectly claiming the spouse offset and deductions for work related expenses in income tax returns he lodged with the ATO

• Code item 9: by relying upon the documentation (payment summaries, signed taxpayer substantiation declarations and handwritten taxpayer details) provided by the individual representatives and not taking any steps to verify the accuracy of the documentation provided, prior to lodging the returns with the ATO.

48. Additionally, the TPB found that Mr Tung was no longer a fit and proper person and terminated Mr Tung’s registration as a tax agent, and applied a three-year period during which Mr Tung could not reapply for registration.

49. Mr Tung appealed the TPB’s decision to the Tribunal. The Tribunal upheld the TPB’s decision to terminate Mr Tung’s registration and impose a three-year period within which he cannot reapply for registration.

TPB and Federal Court decision - Hansig Kim

50. Mr Kim was visited by individual representatives whom he had not met before, and was asked to prepare 79 income tax returns on the basis of information which the individual representatives provided to Mr Kim on behalf of taxpayers. For the purpose of allowing him to prepare the returns the individual representatives provided Mr Kim with:

• PAYG (‘Pay as You Go’) payment summaries

• bank account details.

51. The summaries which the individual representatives provided to Mr Kim were false documents and had resulted from an exercise in identity theft. Real identities and TFNs were used to submit false tax returns which would then result in the ATO paying refunds into the bank account details provided which were maintained by the individual representatives.
52. Many of the returns lodged by Mr Kim included a number of instances of irregular claiming of a spouse tax offset as well as returns filed for persons who had left Australia. These matters would have given rise to discrepancies on the ATO’s Portal, if Mr Kim had utilised the Portal’s pre-filling function.
53. The TPB found that Mr Kim had breached:

• Code item 1: by misleading the ATO and the TPB in his responses regarding the circumstances under which he lodged income tax returns

• Code item 7: by failing to obtain correct information from taxpayers regarding their eligibility to claim the spouse tax offset as he did not make any enquiries with these taxpayers

• Code item 9: by failing to take reasonable care to ascertain the state of affairs of taxpayers who said that they did not see Mr Kim, and that there were grounds to question the information that he received

• Subsection 50-20 of the TASA: by being reckless as to whether statements in the relevant income tax returns that he prepared and lodged were false, incorrect or misleading in a material particular.

54. The TPB decided to terminate Mr Kim’s registration as a tax agent on the basis that he had ceased to meet the ongoing tax practitioner registration requirement that he is a fit and proper person. The TPB also imposed a period of three years within which Mr Kim may not reapply for registration as a registered tax practitioner, and applied to the Federal Court for a civil penalty in respect of the breaches of section 50-20 of the TASA.
55. The Federal Court found that Mr Kim had contravened section 50-20 of the TASA 158 times and ordered Mr Kim to pay a civil penalty of $4,000 in addition to the TPB’s costs.

Further information

56. Outlined below is a listing of reference material that may provide further guidance in relation to issues to consider in relation to verifying a client’s identity:

Agency	Information product	Purpose of document
Tax Practitioners Board	TPB(EP) 01/2010: Code of professional conduct	Further information regarding the Code of Professional Conduct in the TASA
	TPB(EP) 02/2010: Fit and proper person	Further information regarding the fit and proper person requirement in the TASA
	TPB(I) 17/2013: Code of Professional Conduct – Reasonable care to ascertain a client’s state of affairs	Provides guidance for tax and BAS agents in relation to the requirement to take reasonable care to ascertain a client’s state of affairs
	Security advice for tax professionals	Provides security information and guidance for tax professionals.
Australian Taxation Office (ATO)	ATO Online services for agents terms and conditions	Provides the ATO’s terms and conditions for using the Online services for agents
	Agent client verification methods	Provides guidance on how tax practitioners may perform client verification when engaging with the ATO systems.
AUSTRAC	AML/CTF programs	Information on the requirements of the AML/CTF legislation
	Customer identification and verification	Provides guidance on the customer identification and verification requirements under the AML/CTF legislation.
	Regulatory Guide 244: Giving information, general advice and scaled advice	Provides ASIC’s requirements in relation to giving information, general advice and scaled advice, including requirements regarding identifying a client’s relevant circumstances.
Office of the Australian Information Commissioner (OAIC)	Australian Privacy Principles (APPs) Guidelines	Outlines the mandatory requirements of the APPs, how the OAIC interpret the APPs, and matters the OAIC may take into account when exercising its functions and powers under the Privacy Act 1988.