From 25 September 2017, HMRC will be rolling out increased online security procedures and making it mandatory for businesses accessing their online tax accounts to use the 2 Step Verification (2SV) procedure.
What is 2 Step Verification?
2SV combines the initial element of something the taxpayer knows – their login details, with a second element of something they own – such as a mobile or landline. Online banking uses the same concept.
After the initial log in with the usual Government Gateway account number and password, a six-digit security code is issued to a mobile phone or landline to complete the process before access to the account is allowed. Users choose during the initial set-up which of their devices should receive the code.
Some businesses may already have opted for 2SV earlier in 2017 as it has been an option for VAT, Corporation Tax and Pay As You Earn. The 2SV procedure has been compulsory for Digital Tax Accounts for individuals since August 2016.
What if we have poor mobile reception or a central switchboard?
For businesses where mobile reception is poor and/or using a landline is not practical because, for example, there is a central switchboard, HMRC upgraded the functionality of their app in May 2017 so it can be used to generate the required security codes.
The app can be used on a mobile or tablet which doesn’t have a mobile signal as long as the device is connected to the internet. The app is available on iTunes and Google Play. During the initial set-up of 2SV, the app is linked to the relevant HMRC account and can be used to generate security codes to allow future access. Each code obtained via the app is only valid for a 30 second period.
We would be interested to hear members’ experiences of the app – please email atttechincal [at] att.org.uk with the subject heading 2SV App.
What action should a business take in advance of 2SV becoming compulsory?
Businesses should identify what online HMRC tax accounts they have, who needs to access them and how those individuals will access the security code – whether via text message to a mobile or landline, or via the app. It is best to make this decision now, rather than delay until access is needed urgently.
If a mobile is to be used to receive the security code, a decision must be taken whether to connect to an existing staff/company mobile, one acquired specifically for the purpose, or an employee’s personal mobile number. If the decision is taken to acquire a mobile for the office for this purpose, consideration should be given to the security of the device and to ensuring it is charged and functioning. If staff use their personal phones, then procedures should be in place to ensure the number is dissociated from the account if they leave employment with the business. (See below for how to do this.)
What if multiple employees need access to business records?
Our understanding from the HMRC Talking Points webinar on 2SV on 21 February 2017 (available here) is that individual members of staff can be given delegate access to log on to a business HMRC account. This means each member of staff will have their own Government Gateway credentials, and must then set up 2SV for those credentials themselves. Again, business owners may wish to keep a record of delegate access and manage it when staff leave.
What about software which logs on automatically?
Some businesses will use software which logs into HMRC systems automatically in the background. When 2SV was introduced it was not initially made compulsory, to avoid disruption to these so-called silent log ins. Given that 2SV is now being made compulsory, we assume this has now been resolved – contact your software provider for details.
What happens if the linked mobile phone or landline number is changed?
If a business changes, loses, or no longer has access to the phone associated with the business account then it can be dissociated by contacting HMRC Online Services on 0300 200 3600. HMRC will then remove the phone from that account. 2SV will then need to be set up again with a new phone number.
What about agents?
As yet, 2SV is not part of the agent log in, but will be required when agents migrate from existing Government Gateway access to the new Agent Services system which is being developed as part of Making Tax Digital (MTD). We will keep this under review and keep members informed as it develops.
Why is 2SV being introduced?
HMRC believe 2SV will reduce the risks from phishing attacks (where criminals impersonate a known or trusted source to falsely acquire data) and from malware, and reduce the risk of an account being hijacked. Cyber security is important in our increasingly digital world. HMRC indicate that 2SV is becoming the industry standard approach.
For a further ATT article on cyber security see here.