HMRC, online tax accounts, 2SV

Press release: ATT urges businesses to prepare for 2 Step Verification

1 September, 2017

The Association of Taxation Technicians (ATT) is advising businesses that need to access online HMRC tax accounts to prepare for an additional layer of security that becomes compulsory from later this month.

HMRC are making it mandatory for businesses accessing their online tax accounts to use the 2 Step Verification (2SV) procedure. Tasks for which a business uses its HMRC tax accounts include filing VAT or corporation tax returns or PAYE data. The new security procedures are similar to those used in online banking and are intended to reduce the risk of accounts being hacked.

2SV combines something the taxpayer knows, their login details, with a second element of something they own, such as a mobile or landline. After the initial login, a security code is issued to the mobile or landline, and this code must be entered for access to be granted to the account. Alternatively, a code can be generated on a mobile or tablet by an HMRC app which has been associated with that account.

Although HMRC will introduce the 2SV procedure gradually from 25 September 2017, it could be some weeks or months further down the line before businesses come across the extra security, depending on what they are filing and how often. Agents acting on behalf of businesses use separate agent portals to access client details and will not be affected by this change.

Yvette Nunn, Co-chair of ATT’s Technical Steering Group, said:

“Businesses must consider now what online HMRC accounts they have, who needs access and how their staff will receive the security code. There are various options and businesses should decide in advance of logging on which works best for them. 

“Receiving the security code via a business landline may work well for a small business, but probably would not for a larger business with a central switchboard. Businesses with poor mobile reception may need to use the HMRC app.

“For businesses with a number of staff needing online access to HMRC systems, there is a function which allows separate logins or delegate access to be given to individual employees. These employees will have to set up 2SV in turn on their own or company mobiles, landline or app.

“Where a business allows staff to use their own mobiles or tablets to receive codes or run the app, procedures should be introduced to ensure these devices are dissociated from the business account if the employee leaves. 

“Some businesses might choose to acquire a company mobile for the specific purpose of receiving codes or running the HMRC app. With this approach, the device will need to be secured and someone given responsibility for keeping it charged – the modern equivalent of winding up the office clock!”


Notes for editors

  1. The use of 2SV is backed by the National Cyber Security Centre and promoted by Cyber Aware and Action Fraud.