We have compiled some of the questions we received during our webinar – Proof of identity requirements.
It is important to note our guidance on proof of identity is currently in draft form and is subject to change.
How can we protect client identity documents if they want to send them electronically?
To help protect the security of client information we suggest you:
- use more secure methods than email to communicate this information – for example, a secure website, online mailbox or secure messaging
- validate the email address with a recipient before sending any unencrypted email to them, to minimise the risk of unauthorised disclosure to a person who is not the intended recipient
- only send this information by email as an encrypted or password protected attachment
- maintain records of emails sent and received.
Can a tax practitioner use the Australia Post in person identity check system to verify a client?
Yes, this is an option if a tax practitioner wants to verify the information provided by a client.
Can we ask a client to sign their engagement letter and return identity documents electronically?
This arrangement would be acceptable; however, the TPB would not recommend retaining copies of ID documents, nor receiving them via email.
Do Document Verification Service (DVS) providers charge a fee for their service?
Yes, there is usually a fee associated with DVS.
Is the proof of identity verification process only for new clients or do we have to validate the identity of clients we have been acting for over many years?
Our draft guidance requirements differ between new and existing clients. When dealing with existing clients, it may not be appropriate or necessary to undertake the POI steps outlined in the draft Practice Note. Ultimately, we expect that you exercise your professional judgement. You can find more information in our draft Practice Note.
If I buy another tax practice or a client list, do I have to undertake a proof of identity check for all of the new clients?
When you buy another tax practice or acquire clients from another practice, we do not expect you to perform proof of identity checks for each client you are acquiring straight away.
The seller tax practitioner should be passing on the proof of identity file notes or checklists for each client being transferred to your practice along with other relevant client records. Of course, the seller tax practitioner must be mindful of their Code of Professional Conduct obligations to maintain confidentiality of client information. They must have obtained all the relevant clients’ permission before passing on their records to you.
During your ongoing engagement with the clients you have acquired, you should undertake POI checks as appropriate throughout your engagement with them.
To confirm a company ID do I just need to run an Australian Securities and Investments Commission search? And for Trusts, sight a copy of the trust deed?
Yes, they would both be appropriate enquiries to make, assuming that they provide you with the company or trust’s full name, ABN or ACN and any other additional detail in order to make a reasonable assessment of the legitimacy of the company or trust’s identity. You would also need to check the identity of any individual representative instructing you on behalf of the company or trust, and ask for evidence that they are authorised to do so.
My organisation only works with not for profits – do we still need to go through the standard proof of identity checks?
Yes, the TPB’s requirements will still apply to practitioners providing services to not for profit organisations.
Is a proof of identity checklist required for every person we keep records for? For example, third party directors, members of private companies and beneficiaries of trusts?
You only need to do this for the client and any person you are dealing with that purports to represent the client. For example, anyone instructing you on behalf of a non-individual client.
What is the best way to verify a client’s identity if we do not meet face-to-face and only communicate online?
You do not need to meet face-to-face with the client to meet the proposed requirements. If you are engaging a client and/or their individual representative remotely you may choose to use videoconferencing facilities. In this situation our requirements remain the same as for registered tax practitioners who engage with clients face-to-face. If you sight original or certified identification documents through videoconferencing or with the use of a webcam, we would require you to make a note of this in your contemporaneous record of the POI checks undertaken.
If certified copies of identification documents are sent electronically or by mail to the registered tax practitioner, we strongly recommend you destroy the copies after the POI checks and contemporaneous record have been completed and recorded.
How should we save the documentation?
We do not recommend that you keep copies or originals of any identification documents of clients or their representatives. In fact, we strongly discourage this practice because we recognise these documents may be at risk of being stolen through cyber-attacks or even physical break-ins at your business premises.
However, we do require you to maintain a record, such as a checklist, for POI checks done.
Are we expected to take a copy of a client’s ID, or is it just a check list to say we have sighted the documents?
We will accept a contemporaneous record (i.e. a checklist saying you have sighted the proof of identity documents) as evidence. No copy of these documents is required or recommended from the TPB's perspective.
Can certified copies of identity documents be used for individuals as well?
Yes, certified copies can be used for individuals.
When checking ID is it ok if we note the last 4 digits of a driver licence?
There is no need to record document numbers from our perspective.
What do you do if no primary or secondary non-photo ID is available?
If a client doesn’t have the standard identification documents, for example they come from remote areas, or their documents were destroyed in a natural disaster, or if they came to Australia as refugees, we suggest you take a flexible approach and use your professional judgement.
We understand you may not be able to apply all the required checks, but what we do ask in these situations is that you maintain records outlining the client’s circumstances and details of the steps you have taken to establish the client’s identity.
If you need additional guidance on this we suggest you refer to AUSTRAC’s guidance on identifying customers who don’t have conventional forms of ID.
What happens in situations where despite taking every care to validate a client or their representative’s identity, it is found later that the client or their representative is not genuine? Would we be penalised under the Code?
This is one of the reasons why we developed this guidance for tax practitioners – to help you to comply with the Code.
Our guidelines should help strengthen client verification processes as we have consulted widely and looked at best practices and controls.
If you follow the TPB and/or the ATO’s guidelines in undertaking POI checks, you should be able to minimise risks of potential identity fraud.
In this scenario, record keeping would play a crucial role. As soon as you complete POI checks, you should make a record or checklist as outlined in our guidelines, noting details such as the date and time the POI checks were done, who performed the checks, what IDs were sighted and how, whether the documents were legible, etc.
If you undertake the above steps, then you would have met your obligations under the Code, even if identity fraud or theft occurred despite the checks and processes you undertook.
Sometimes it may not be possible to clearly sight the identification documents when engaging with clients remotely via Zoom or Skype. How can we ensure information provided by clients is correct as face to face checks are not always feasible?
You have a few options here. Where you are unable to clearly sight identity documents using a webcam, you can have them sent to you electronically. Please note that we are not recommending that identity documents be sent or received via email. We strongly advise against this practice as email is not considered a secure form of communication due to risks of information being intercepted during transmission.
You can use secure ways of obtaining documents electronically – for example:
- via a secure website, secure online mailbox or secure messaging; or
- as an encrypted or password protected attachment to an email.
We recommend you seek independent professional advice from an ICT security provider if you intend to receive sensitive information or documentation electronically.
Alternatively, refer to the ATO’s guidelines which provide information on how to undertake client verification checks using ATO or Document Verification Service (or DVS) sources.
Last modified: 29 June 2021