From 25 September, businesses logging into their online HMRC tax accounts should start to notice some changes. This is because HMRC is now rolling out 2 Step Verification (2SV) procedures.
If you have a Digital Tax Account for your personal tax affairs, or bank online, you will already be familiar with the concept of 2SV. Under this system, a user name and password are the first step to access an online account. The second step, which provides added security, requires the input of an access code issued to a device in the person’s possession.
This procedure has been compulsory for personal Digital Tax Accounts since August 2016. For individuals, this extra security is generally straightforward as the code can be sent to their own mobile or landline. For businesses, especially those with a number of staff requiring access, some planning is needed. The two main questions to consider are:
1. Who needs access to the business’s HMRC account(s)?
For a sole trader, this is straightforward, but in a larger business a number of staff may need access to the account(s). While everyone could share the same login, and use the same device to receive access codes, it is preferable to set up delegate access. This gives each member of staff a separate user name and password with which they can access the business’s account. The existing business username and login effectively become an administrator account.
The user name and password for administrator access can then be controlled centrally within the business. This could be handled by the IT department or a senior member of staff. Care still needs to be taken to select an appropriate device to receive the access code for this account. The risk is that anyone needing administrative access could find themselves locked out if the access code is sent to a device owned by a member of staff who happens to be on holiday.
Each delegate account will also need to be secured by 2SV, leading to the next question…
2. How are staff going to receive access codes?
An access code can be sent to a mobile, a landline, or an app running on a tablet or mobile device which has been associated with the HMRC account.
If staff are to use a mobile, the business should consider whether they should use a personal mobile, a company mobile, or one acquired for the purpose that is kept securely in the office. If staff are using their own mobiles, procedures need to be in place to terminate access when they leave.
A landline may be a convenient option for businesses where all relevant staff are in the same room or office, but may not be suitable where there is a central switchboard.
Businesses with poor mobile reception should consider using the HMRC app. This has to be downloaded to a mobile or tablet and then, once associated with the account and provided it is connected to the internet, the app can generate the necessary access codes.