– Calls for the ATO to improve its administration of taxpayer banking details and refunds to combat TaxID fraud
– IGTO interim (Phase 1) report into TaxID fraud makes 13 recommendations
The Inspector-General of Taxation and Taxation Ombudsman (IGTO) commenced an own-motion investigation into Tax identification (TaxID) fraud on 15 December 2023. This was in response to an increase in complaints and dispute investigations concerning TaxID fraud received by the IGTO.
The IGTO makes thirteen (13) recommendations for ATO improvement in this interim (Phase 1) report – The importance of bank account integrity.
Over 50% of stakeholder submissions to the IGTO identified instances of fraud where:
- There was an unauthorised change to the bank account details on the taxpayer’s ATO account in order to perpetrate the fraud;
- The ATO was unsuccessful in preventing the refund being issued to the fraudulent bank account;
- The estimated amount of the fraud was more than $10,000;
- The fraud was identified by the taxpayer or their tax agent, rather than the ATO;
- The fraud involved unauthorised access to the taxpayer’s myGov account.
Bank fraud detection and response
A fundamental step in committing TaxID fraud is that the fraudster is able to have money remitted to a bank account under their control. This means that the fraudster must link a bank account they control to a legitimate taxpayer’s ATO account in order to ‘escape’ with the money.
Preventing, detecting and responding to TaxID fraud is important to maintain the integrity of the tax system and to avoid its proliferation, which erodes the Revenue.
ATO response
The ATO response, which is included in the report, states:
The ATO is pleased that IGTO’s interim report recommendations align broadly with ATO-identified work in progress, and agrees in principle with the majority of recommendations made. The ATO notes that some recommendations are dependent on matters for Government to consider. The ATO looks forward to IGTO’s final report with any remaining findings and recommendations from this investigation, and will provide an ATO response against each recommendation in both interim and final reports as a consolidated set at that time.
Karen Payne, IGT and Tax Ombudsman said: “The IGTO urges the ATO to consult and advocate for legislative authority to implement these critical IGTO recommendations where it believes it currently does not have the relevant authority.”
Case Studies
Chapter 3 of the report provides a small selection of case studies which illustrate the experience of people in the community who believe they have been the subject of, or have observed, TaxID fraud. They illustrate some of the concerns raised by the IGTO in this TaxID fraud investigation and demonstrate the urgent need to implement the recommendations set out in this report.
- Case study 1 – Unauthorised access and bank account changes made after the ATO had locked the taxpayer’s ATO account;
- Case study 2 – ATO reluctant to garnish funds sitting unclaimed in a Fraudster’s bank account, instead wanting the taxpayer’s consent to do so;
- Case study 3 – ATO asked a Legitimate taxpayer to repay a $46,000 refund that was paid to a Fraudster, without matching the claimed Pay-As-You-Go Withholding (PAYGW) credits against the employer’s PAYGW reporting. The ATO did not seek any information and concluded that Mr B was not a victim of TaxID fraud after he disclosed that he had shared his myGov details;
- Case study 4 – ATO controls did not prevent an unauthorised change in bank account details, and the taxpayer was not notified of those changes;
- Case study 5 – Taxpayer difficulties in proving they were not complicit in the fraud where a fraudulent bank account was opened in their name.
Recommendations and themes for improvement
The Phase 1 (interim) IGTO report makes 13 recommendations for the ATO to improve its administration of taxpayer banking details to combat TaxID fraud. The recommendations fall under the following three (3) themes:
- Improvements to make the ATO less attractive to fraudsters by making it harder for them (and not for legitimate taxpayers) to divert monies to the fraudster’s bank account;
- Improvements which harden the financial system against TaxID fraud by introducing more effective, real-time collaboration between the ATO and the banks on case-specific issues – especially through the Australian Financial Crimes Exchange (AFCX) and the Fintel Alliance;
- Improvements to better detect and prevent TaxID fraud by empowering the two key participants in the tax system who are much better placed than the ATO to quickly and reliably determine whether a transaction is part of TaxID fraud – i.e. Legitimate taxpayers and their agents – to assist the ATO.
Importantly, the IGTO recommends that the ATO implement controls which better empower taxpayers to protect their own accounts in real time (24/7). Karen Payne said: “This would be achieved by implementing ATO online functionality which allows taxpayers to immediately block online access to their accounts, and which can only be unlocked with their consent. Tax practitioners have reported instances where their requests for the ATO to block online access to taxpayers’ accounts have not been given effect as and when expected, or they were unable or delayed in trying to contact the ATO’s call centre – especially over weekends and public holidays – which unnecessarily exposes the taxpayers’ online accounts.”
For further information – Contact
Marjorie Johnston – Wordmakers
Mobile: 0407 329 430
About the IGTO
The Inspector-General of Taxation and Taxation Ombudsman (IGTO) has been supporting the integrity of the taxation and superannuation systems for over 20 years – as the Inspector-General of Taxation since 2003 and additionally as the Taxation Ombudsman since 2015. The IGTO provides an important safety net service in the tax system. Independent investigation of taxpayer complaints enhances community confidence in the integrity and fairness of the tax system and provides assurance to taxpayers in the fairness of their outcomes. This helps to enhance voluntary compliance. The IGTO also provides independent advice and assurance to Government on the taxation administration laws and systems.
Since 2015, the IGTO has performed dual roles, which complement each other:
- The Taxation Ombudsman provides independent assistance and assurance directly to taxpayers and tax professionals and investigates taxation complaints about the actions and decisions of the Australian Taxation Office (ATO) or the Tax Practitioners Board (TPB). The Taxation Ombudsman also conducts investigations of actions that have broader community impact or are commonly observed in a number of complaints to identify wider system improvements that address the causal issues.
- The Inspector-General of Taxation undertakes investigations of actions, systems and taxation laws (to the extent they deal with tax administration matters).
Attachment A – Recommendations
1. Improvements to make the ATO less attractive to fraudsters by making it harder for them (and not for legitimate taxpayers) to divert monies to the fraudster’s bank account
1(a) The IGTO recommends that ATO systems monitor for suspicious devices and bank accounts (that is, ‘Known and Unknown Devices’) to allow it to verify that changes made in the ATO systems are authorised by the actual taxpayer and to detect devices and bank accounts associated with TaxID fraud
ATO systems should monitor for ‘known device’ identification in real time, so that unknown or suspicious devices can be identified for further investigation and verification, as well as the changes made by those devices to taxpayer bank account details on the ATO’s systems. Taxpayer messaging that prompts for verification and authentication is recommended. Monitoring should also prompt the ATO to investigate any changes made via devices that are known to be associated with fraud.
The IGTO also recommends that the ATO join the Australian Financial Crimes Exchange (AFCX) (see Recommendation 2(a) below).
1(b) The IGTO recommends that the ATO lodgement and processing controls should be enhanced as part of the self-assessment system so that it does not process suspicious lodgements that may be linked to TaxID fraud without verification
The ATO should develop tighter and more robust controls which pause the processing of suspicious filings – both original and amended lodgements – and suspend related refunds (see Recommendation 1(c) below) for verification where there are suspicious circumstances that indicate potential TaxID fraud.
For example, amendments to claim Pay-As-You-Go Withholding (PAYGW) credits which exceed the PAYGW amounts recorded against the employee in the employer records should raise suspicion and prompt investigation where the taxpayer’s ATO Online account information, such as contact details and bank account, has been changed (especially on an unknown device) before the refund is issued.
1(c) The IGTO recommends that ATO systems delay High Risk refunds unless and until there has been adequate authentication and verification of the bank account details
Refunds that involve a high risk of TaxID fraud (High-Risk refunds) can include unusual lodgement behaviours (original filings and amendments) and claims which generate refunds and that are coupled with recent changes in the taxpayer’s contact and bank account details. The IGTO recommends the ATO develop tighter and more robust controls which pause the processing of original and amended filings and lodgements for verification where the taxpayer’s ATO Online account information, such as contact details and bank account, has been changed at the time of or close to the time of lodgement (especially on an unknown device).
The ATO should not pay High-Risk refunds unless and until there has been adequate authentication of the bank account details (note that Recommendation 3(a) provides upstream authentication when bank account details are changed).
Authentication of High-Risk refunds may include:
- Verifying any amendments to filed returns and change of bank account details directly with the taxpayer;
- Verifying whether a change of bank account details was made by the taxpayer (or their registered agent);
- Verifying that the Australian Anti-Money Laundering/Counter-Terrorism Financing (AML/CTF) ‘Know Your Client’ (KYC) requirements (as part of the bank account opening process) have been met;
- Scanning the ATO systems to identify if the bank account is registered on unrelated taxpayer accounts.
Where the ATO believes it does not have the relevant statutory authority to implement this recommendation, then it should consult with the tax profession to identify the most appropriate legislative reform it could recommend to Government to implement this critical recommendation.
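The hold rule described in recommendations 1(b) and 1(c) can be expressed as a small refund-screening function. The code below is an added illustration, not the ATO’s or the IGTO’s own logic; the 14-day change window, the sample lodgements and the account registry (standing in for the cross-account scan in the last bullet) are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# A bank or contact change this close to lodgement counts as "at the time of or
# close to the time of lodgement". The window is an assumed value; the report
# names no figure.
CHANGE_WINDOW = timedelta(days=14)


@dataclass
class Lodgement:
    taxpayer_id: str
    lodged_at: datetime
    is_amendment: bool
    claimed_paygw: float             # PAYGW credits claimed on the return
    employer_reported_paygw: float   # PAYGW the employer reported for this employee
    refund_amount: float
    bank_account: str                # refund destination recorded on the ATO account
    bank_changed_at: Optional[datetime] = None
    bank_change_device_known: bool = True
    contact_changed_at: Optional[datetime] = None


def changed_near_lodgement(changed_at, lodged_at):
    return changed_at is not None and abs(lodged_at - changed_at) <= CHANGE_WINDOW


def assess_refund(lodgement, account_registry):
    """Return ("HOLD_FOR_VERIFICATION", reasons) or ("RELEASE", []).

    account_registry maps a bank account to the set of taxpayer ids it is
    registered on; it stands in for the ATO-wide scan in recommendation 1(c)."""
    reasons = []
    if lodgement.claimed_paygw > lodgement.employer_reported_paygw:
        kind = "amended" if lodgement.is_amendment else "original"
        reasons.append(f"{kind} lodgement claims PAYGW credits exceeding employer-reported PAYGW")
    if changed_near_lodgement(lodgement.bank_changed_at, lodgement.lodged_at):
        reasons.append("bank account details changed close to lodgement")
        if not lodgement.bank_change_device_known:
            reasons.append("bank account change made from an unknown device")
    if changed_near_lodgement(lodgement.contact_changed_at, lodgement.lodged_at):
        reasons.append("contact details changed close to lodgement")
    others = account_registry.get(lodgement.bank_account, set()) - {lodgement.taxpayer_id}
    if others:
        reasons.append(f"bank account is also registered on {len(others)} unrelated taxpayer account(s)")
    # Nothing payable means nothing to divert; otherwise any signal pauses the
    # refund until the bank details are authenticated directly with the taxpayer.
    if lodgement.refund_amount > 0 and reasons:
        return "HOLD_FOR_VERIFICATION", reasons
    return "RELEASE", []


# Constructed sample data: one routine refund and one matching the report's fraud
# pattern (PAYGW amendment after a bank-account change from an unknown device).
ACCOUNT_REGISTRY = {
    "062-000 11111111": {"TP-A"},
    "033-000 22222222": {"TP-B", "TP-X", "TP-Y"},
}
ROUTINE = Lodgement("TP-A", datetime(2024, 7, 20), False, 9000.0, 9000.0, 1200.0,
                    "062-000 11111111")
SUSPICIOUS = Lodgement("TP-B", datetime(2024, 7, 5), True, 21000.0, 9000.0, 14500.0,
                       "033-000 22222222",
                       bank_changed_at=datetime(2024, 7, 1), bank_change_device_known=False,
                       contact_changed_at=datetime(2024, 7, 2))

if __name__ == "__main__":
    for lodgement in (ROUTINE, SUSPICIOUS):
        decision, reasons = assess_refund(lodgement, ACCOUNT_REGISTRY)
        print(lodgement.taxpayer_id, decision, *reasons, sep="\n  ")
```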
1(d) The IGTO recommends that, in the long term, the ATO bring its payment systems up to financial industry standards and develop a dedicated application for trusted devices to allow safe and trusted real time communications between the ATO and taxpayer for verification purposes
Each of the major banks has invested in systems applications to allow secure communications with their customers. The ATO should adopt a similar profile given its major role in the payments system. This would also enhance trust in the community and go some way to addressing the risk of unsuspecting taxpayers being scammed.
1(e) The IGTO recommends the ATO improve its governance and risk management of the TaxID fraud risk, especially with respect to ‘displacement’ evolutions in TaxID fraud, including by ensuring that:
i. business units incorporate into their annual planning and budgeting cycle, provision for resources that are needed to give effect to ‘rapid response’ changes in risk controls which address ‘displacement’ evolutions in TaxID fraud, and
ii. a holistic governance and risk management approach is implemented whereby competing priorities of business units are quickly reconciled in light of the risks to the integrity of the tax system overall.
Further, the nature of TaxID fraud risk mitigation is dynamic. Fraudsters respond to new controls by innovating to exploit control vulnerabilities and by finding new uses for emerging technologies. As a result, the ATO requires continual vigilance and a commitment to continually fine-tune its controls in response. This is needed to minimise the risk of exponential growth in TaxID fraud activity: organisational inertia in adapting to and addressing weaknesses in the control framework is quickly exploited and usually results in increased fraud activity. Therefore, it is imperative that the ATO not only plan and provision for the big, urgent changes that are needed, but also ensure that its business units make provision for the ongoing updating of TaxID fraud controls and the quick implementation of those updates to address ‘displacement’ changes, as well as making provision for resources to quickly accommodate the resulting treatments that flow from these changes.
2. Improvements which harden the financial system against TaxID fraud by introducing more effective, real-time collaboration between the ATO and the banks on case-specific issues
2(a) The IGTO recommends that the ATO actively engage with trusted participants in the financial system to combat TaxID fraud, join the AFCX and actively participate in the FRX on case-specific issues
The IGTO understands that the ATO has access to the information that financial institutions share with Australian Transaction Reports and Analysis Centre (AUSTRAC). The ATO also participates in the Fintel Alliance. Although there are existing communication channels and arrangements that would permit the ATO to share information about case specific issues with banks, these communication processes are limited and not scalable.
Where a new prescribed taskforce was established or one of the existing taskforces, such as the Serious Financial Crime Taskforce (SFCT), accepted the TaxID fraud issue as their priority, then the ATO could disclose case-specific information via this taskforce directly to the members of this taskforce. However, this is subject to ATO restrictions and caveats regarding on-disclosure.
There is, however, another forum which would provide a more real-time and effective means of engaging with the banks on case-specific TaxID fraud issues. This is the AFCX’s Fraudulent Reporting Exchange (FRX), should the ATO become a member of the AFCX and subject to any legislative requirements. The FRX is a safe network that enables its members to efficiently report and address fraudulent activities.
The AFCX, also known as the National Fraud Exchange, is an independent, not-for-profit organisation that was formed by the four major Banks in 2016 to assist businesses to combat financial-related crimes. It operates independently of government, law enforcement and its members, although it is funded by its members. The IGTO understands that participants have relevant and appropriate security vetting clearance.
The AFCX has the support of the Commonwealth Attorney-General’s Department and is a key limb in the Australian Government’s National Organised Crime Response Plan.
The AFCX is the primary channel through which the public and private sector coordinate their intelligence and data-sharing activities for the investigation and prevention of financial and cyber-crime.
The ATO is not a member of the AFCX and so does not access the information shared through the AFCX’s FRX. Based on stakeholder consultations, however, ATO membership would be welcome and the ATO is invited to join.
To the extent that establishing real-time communication with the banks via the FRX requires industry-agreed data protocols and specific legislative authority, the ATO should actively support and advocate for such initiatives to enable it to more actively and effectively engage with trusted participants in the financial system to combat TaxID fraud.
2(b) The IGTO recommends that the ATO verify taxpayers’ bank details with banks and determine whether the process to open those bank accounts creates additional risk factors
The ATO should cross-reference bank details with banks to verify bank account details and obtain information to assess the risk of TaxID fraud. That is, information for risk-scoring purposes that may indicate whether the account is at the higher or lower end of the risk spectrum – e.g. how the bank account was opened (in person/online), whether identity documents were sighted by bank employees or whether the documents were verified online through the Document Verification Service.
This would allow bank accounts that are potentially controlled by an identity fraudster to be identified.
2(c) The IGTO recommends that the ATO systems provide banks with real-time verification of Tax File Numbers (TFNs)
The ATO should work with trusted financial institutions to develop systems that permit real-time TFN verification as part of bank account opening processes. This would reduce the ATO’s exposure to TaxID fraud risk. Financial institutions also believe this will assist more broadly to improve fraud controls in the financial system.
3. Improvements to better detect and prevent TaxID fraud by empowering the two key participants in the tax system who are much better placed than the ATO to quickly and reliably determine whether a transaction is part of TaxID fraud – i.e. Legitimate taxpayers and their agents – to assist the ATO
3(a) The IGTO recommends that the ATO authenticate changes of taxpayer or tax agent contact details which are high risk, which necessarily includes changes of:
- Bank account details;
- Mobile or other telephone contact details; and
- Contact email addresses.
It should not be possible for taxpayers or tax agents to change certain contact details within the tax system without the change being verified and authenticated by the taxpayer. Changes that are high risk events should be determined by the ATO, but in the IGTO’s view these events would necessarily include changes to:
- Bank account details;
- Mobile or other telephone contact details; and
- Contact email addresses.
For example: before accepting a requested change to high-risk details, the ATO should automatically alert the taxpayer via a “Was this you?” message and require their confirmation of the change via multi-factor authentication (see recommendation 3(b)), using at least two taxpayer contact details that are recorded on the ATO systems and which pre-exist the requested change.
This could include:
- A one-time security number or personal identification number sent to the taxpayer’s mobile number, registered email address or registered device via a dedicated app (see recommendation 1(d));
- An email message sent to the taxpayer’s registered email account, or an SMS; and/or
- Other non-digital channels for taxpayers who are unable or unlikely to verify digitally (for example, the incarcerated, the elderly and those in aged care, remote communities and victims of domestic abuse).
3(b) The IGTO recommends that the ATO implement systems which allow for multi-factor authentication
The ATO should:
- implement a real-time multi-factor authentication and confirmation system within the tax system for taxpayers; and
- use that system to require taxpayers’ confirmation before making any changes to a taxpayer’s contact and bank account details; and
- use a dedicated app on the taxpayer’s trusted device, pre-existing contact number or email address to alert the taxpayer to any new or overriding myGov linking event to their ATO Online account.
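The key property in recommendations 3(a) and 3(b) is that the “Was this you?” challenges go only to contact details that pre-exist the requested change, never to the value being changed. The following is an added illustration of that staging-and-confirmation flow, not ATO or IGTO code; the channel names, the two-challenge minimum, the fallback to manual verification and the sample profiles are all assumptions made for the example.

```python
import secrets
from dataclasses import dataclass, field

CONTACT_CHANNELS = ("mobile", "email", "trusted_device")  # digital channels that can carry a challenge
HIGH_RISK_FIELDS = ("bank_account", "mobile", "email")    # the high-risk details named in 3(a)
MIN_CHALLENGES = 2                                        # "at least two ... contact details"


@dataclass
class Profile:
    taxpayer_id: str
    details: dict   # e.g. {"bank_account": ..., "mobile": ..., "email": ...}


@dataclass
class PendingChange:
    field_name: str
    new_value: str
    challenges: dict = field(default_factory=dict)  # channel -> expected one-time code
    sent: list = field(default_factory=list)        # (channel, address, code): stand-in for outbound messages
    confirmed: set = field(default_factory=set)


def request_change(profile, field_name, new_value):
    """Stage a change. Returns ("PENDING", PendingChange), ("APPLIED", None) for a
    low-risk field, or ("MANUAL_VERIFICATION", None) when too few pre-existing
    digital contacts remain, e.g. the non-digital channels in 3(a)."""
    if field_name not in HIGH_RISK_FIELDS:
        profile.details[field_name] = new_value
        return "APPLIED", None
    # Only contacts recorded BEFORE this request may carry the challenge, and never
    # the channel being changed: whoever submits a new email must not be able to
    # confirm that change at the new address.
    channels = [c for c in CONTACT_CHANNELS if c != field_name and profile.details.get(c)]
    if len(channels) < MIN_CHALLENGES:
        return "MANUAL_VERIFICATION", None
    pending = PendingChange(field_name, new_value)
    for channel in channels[:MIN_CHALLENGES]:
        code = f"{secrets.randbelow(10**6):06d}"
        pending.challenges[channel] = code
        pending.sent.append((channel, profile.details[channel], code))
    return "PENDING", pending


def confirm_change(profile, pending, channel, code):
    """Record one challenge response; the detail changes only once every challenge is met."""
    if channel not in pending.challenges:
        return "UNKNOWN_CHANNEL"
    if not secrets.compare_digest(pending.challenges[channel], code):
        return "REJECTED"
    pending.confirmed.add(channel)
    if pending.confirmed == set(pending.challenges):
        profile.details[pending.field_name] = pending.new_value
        return "APPLIED"
    return "PARTIAL"


if __name__ == "__main__":
    # Constructed profile; the codes are printed here only because there is no real SMS/email sender.
    taxpayer = Profile("TP-1", {"bank_account": "062-000 11111111",
                                "mobile": "0400 000 000", "email": "tp1@example.com"})
    status, pending = request_change(taxpayer, "bank_account", "062-000 99999999")
    print(status, pending.sent)
    for channel, _address, code in pending.sent:
        print(channel, confirm_change(taxpayer, pending, channel, code))
    print(taxpayer.details["bank_account"])
```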
3(c) The IGTO recommends the ATO notify Tax Practitioners in a timely manner if a client has been removed from their tax agent’s client listing
Protecting the integrity of the tax system is a risk shared by the ATO, the Tax Practitioners Board (TPB) and practising Tax Practitioners, amongst others. Tax agents likely have the best understanding of their clients’ financial and tax circumstances and are also well placed to quickly detect suspicious activity, where they are appropriately prompted. Therefore, it is important for the ATO to provide timely and relevant information to notify Tax Agents when a client has been deleted from their client list – so that the agent can identify unscrupulous deletions.
Unless Tax Practitioners are notified that clients have been removed from their list, they cannot monitor for suspicious activity in respect of their client’s tax records.
Tax agents have (by chance) been able to identify fraudulent refunds in many cases, but rarely because they received the relevant notifications from the ATO. Accordingly, the fraud is invariably identified by the agent only after the fact. The ATO notification also does not provide sufficient information to identify the relevant client – so the agent does not know which taxpayer account to check.
If tax agents were informed of a client’s de-linking in a timely manner it would alleviate the consequences as well as the need to rely on the ATO and taxpayers being able to directly communicate with each other at the very time it is needed. Given the fact that tax practitioners are engaged to represent their clients’ best interests and are overall more practised in quickly identifying and diagnosing problems in tax administration, early communication by the ATO of changes to agent client listings would assist to prevent fraudulent filings and claims on the tax system.
Where the ATO considers it is effectively prohibited from advising tax agents that taxpayers have been de-linked from their agent account or removed from their client list, the ATO should:
- actively and collaboratively consult with the tax profession to explore how relevant and timely communications could be implemented;
- actively and collaboratively consult with the tax profession to ensure that the triggers, method and timeliness of such communications are appropriate and practicable for the tax profession; and
- if necessary, advocate for legislative change to ensure this important measure of protection against TaxID fraud is introduced.
3(d) The IGTO recommends the ATO implement controls which better empower taxpayers to protect their own accounts (24/7), by implementing ATO online functionality which allows taxpayers to immediately block online access to their accounts, and which can only be unlocked with their consent
Tax practitioners reported instances where their requests for the ATO to block online access to taxpayers’ accounts have not been given effect as and when expected. This has also been observed in IGTO Dispute Investigations. The only means for a taxpayer or practitioner to take action against suspected TaxID fraud is to contact the ATO’s call centre to have the account locked. This can sometimes unnecessarily increase the period in which taxpayers’ online accounts remain exposed, especially over weekends and public holidays.
Also, many taxpayers only access their online account once or twice per year to fulfil income tax lodgement obligations, which may be far too late to detect suspicious activity on their account that has not been detected by other means. Allowing them to easily lock their accounts in between lodgement dates will significantly reduce the risk of TaxID fraud, by minimising the potential exposure times for unauthorised activity on these accounts.
Taxpayers should be empowered to initiate action to lock (and unlock) their account quickly and easily, even if they have no suspicion of any untoward activity on their account. They should also have confidence that the lock can only be lifted when they authorise this, by later passing the necessary authentication or contacting the ATO and passing the necessary proof of identity checks.
3(e) The IGTO recommends that the ATO provide a clearly identifiable and easily accessible online reporting page or contact centre where bank account details associated with TaxID fraud can be reported.
The ATO has webpages that provide guidance for victims of identity fraud and webpages that allow taxpayers or their representatives to report scams, unpaid superannuation and ATO officer corruption. However, those webpages do not allow reporting of TaxID fraud so that the (fraudulent) banking details can be captured and investigated by law enforcement agencies, the ATO fraud team or one of the many public-private partnerships that share information for the purposes of combatting financial crimes.
The IGTO has been unable to locate any ATO reporting page or contact centre where bank account details associated with TaxID fraud are specifically reported. The difficulty in locating such a reporting page was also raised as a concern in stakeholder submissions. This is a significant oversight and omission.