The POI requirements are already in force. Tax practitioners should already have some processes in their practice to verify the identity of clients that have engaged them to provide tax agent or BAS services. We have released formal guidance to provide our minimum requirements for client verification to help minimise the risk of tax practitioners becoming the target of fraudulent activities against themselves, their clients or the government. 

In developing our guidance, we have worked closely with the Australian Taxation Office (ATO) and considered other relevant materials relating to client verification processes, in order to make these processes contemporary and consistent.

Tax practitioners should exercise their professional judgment when determining the processes to undertake client verification in circumstances where the requirements included in our Practice Note are not practical or applicable to a particular client engagement. When determining these processes, a risk-based approach should be undertaken where processes are more rigorous for engagements that pose a higher risk of identity theft and fraud. 

When an individual representative (or representatives, if they act jointly) seeks to engage you on behalf of a non-individual client, such as a trust, you are required to verify the identity of the:

• Individual representative (or representatives, if they act jointly)
• non-individual client.

You must also verify the authority of the individual representative to engage you on behalf of the non-individual client. For example, if the individual representative of a trust is the trustee (or the trustees acting jointly), you must verify the identity of the individual trustee(s), and their authority to engage you on behalf of the trust (i.e. as demonstrated by the trust deed).

If you have been engaged to provide tax agent or BAS services to the beneficiaries of the trust, you will also need to verify the identity of the beneficiaries.

See Table 2 in our Practice Note for further information on what details of clients should be verified and the evidence that can be used for verification.

For long-standing or well-established clients, we understand that it may not always be practical or necessary for you to undertake POI. However, you must exercise your professional judgement and assess whether it is appropriate to undertake POI on them at that point in time. If you make an assessment that it is not necessary to undertake POI on a well-established client, you must make a record of the reasons for your decision not to undertake POI at that point in time.

If an individual representative has engaged you on behalf of a well-established client, we require that you sight evidence demonstrating the authority of the representative to engage you on behalf of the client, before you provide tax agent or BAS services.

For further information, refer to the ‘Well-established clients’ section in our Practice Note.

We expect you to undertake POI checks for your existing clients throughout your engagement with them. If you have a well-established relationship with a client, you should assess whether it is necessary or appropriate to conduct POI checks on them at this time. You can consider a range of factors to make this assessment – for example, the extent of your relationship with the client, any change of contact or bank account details, any amendment requests to tax returns resulting in higher refunds, or a change in relationship between the client and their representative. If you decide not to undertake POI for an existing client at this point in time, you must keep a record of the factors you considered to make the decision.

If the change in officeholders includes a change to the individual (or individuals) who are authorised to engage you as a tax practitioner on behalf of the not-for-profit entity, then you will need to repeat the client verification process to confirm this authority. If there is a new individual representative authorised to engage you on behalf of the not-for-profit entity, you will also need to verify the identity of the individual representative. 

For examples of identification documents and legal documents demonstrating this authority, refer to Tables 2 and 3 in our Practice Note.

The client-to-agent linking process of the Australian Taxation Office (ATO) does not override your obligations to undertake client proof-of-identity. The client-to-agent linking process only provides the ATO with verification that someone has the authority to act on behalf of an entity within Online Services for Business. The process does not verify the identity of the person that has engaged the services of a tax or BAS agent.

 For further information on the ATO’s methods for client verification, refer to the ATO website.

Yes, to identify an individual representative, you will need to sight an original or certified copy of a primary photographic identification document, or both of:

• an original or certified copy of a primary non-photographic identification document
• an original or certified copy of a secondary identification document.

Additionally, you will need to sight a document or data that verifies the existence of the non-individual entity and a legal document that confirms that authority of the individual representative to engage you as the tax practitioner of the corporate entity.

For examples of the required evidence, refer to Table 3 in our Practice Note. 

If another registered tax practitioner has engaged you to provide advice or services to them on behalf of their client/s, you need to obtain written confirmation from the referring tax practitioner that they have undertaken POI checks and confirmed the identity of client/s referred to you. 

However, if you are providing advice or services directly to a client referred to you by another registered tax practitioner, you must undertake POI checks and confirm the identity of the client regardless of whether the referring tax practitioner has previously undertaken their own POI checks.

You should determine the frequency of undertaking POI checks on your clients, depending on the circumstances of the client, their individual representative (if applicable) and the engagement. You may a consider a range of factors, including but not limited to:

• your relationship and familiarity with the client, including whether the client was transferred to you by another registered tax practitioner through a transfer of business or practice
• the scope of services provided
• how client interactions take place – online, in-person or a combination of both
• any discrepancies that arise relating to the client’s identity or other affairs
• any changes that arise in relation to an individual representative (if applicable), their authority to act on behalf of the client or the relationship between the client and individual representative (if applicable)
• whether the client has continued to engage you or there has been a break in the engagement
• any requirements you may need to comply with for your professional association or as an Australian Financial Services licensee (if applicable).

You must make and retain a record of your assessment of how frequently you need to undertake POI for your clients, including the factors you considered in making that assessment.

You would need to consider various factors to determine whether to conduct POI checks, including your relationship and familiarity with the client, the length of the break in the engagement, whether there have been any changes in the client’s circumstances, and the scope of the services you have been engaged to provide.

If you decide that it is not appropriate or necessary to undertake POI because you consider that the client’s identity is well-established, you must make a record of your assessment. Your assessment record must address the factors you considered (as outlined in paragraph 22 of our Practice Note) to reach the decision not to conduct POI checks.

You must conduct POI checks prior to providing tax agent or BAS services to new clients and on an ongoing basis to existing clients as appropriate. Whether you interact with the client online or in-person is a factor you may consider in determining the frequency of POI checks required. 

Refer to our Practice Note for further information.

Providing tax advice is a tax agent service and you must always undertake POI before providing tax agent or BAS services to new clients, regardless of whether those services include lodgement services. For ongoing clients, the scope of the services you provide may be a factor you consider in determining the frequency of undertaking POI checks for future engagements. 

You are required to make and retain a record of your assessment of the appropriate frequency for undertaking POI checks with respect to ongoing clients.

When there is a transfer of ownership of a tax practice and/or clients, the seller tax practitioner would be expected to provide copies of contemporaneous POI records of relevant clients to the buyer tax practitioner. In this circumstance, the buyer tax practitioner would not be required to conduct POI but may do so if they prefer. Once clients are acquired, the buyer tax practitioner must consider undertaking POI checks on these clients as appropriate throughout the engagement with these clients.

See ‘Transferring a tax practice or client list’ section in our Practice Note.

Our POI requirements apply to registered tax practitioners providing a tax agent or BAS service to their clients. If the software training provided is only general in nature, does not relate to a client’s particular circumstances, and clients are not reasonably expected to rely on the training to assist in meeting their obligations and liabilities under a taxation law, then this is not considered a tax agent or BAS service and POI requirements will not apply.

Refer to our Information Sheet for further information on the obligations which apply to digital service providers, including software training providers.

You can use original or certified copies (physical or digital) of original documents to conduct POI checks. If you intend to receive copies of identity documents electronically, we strongly recommend that you:

• seek independent professional advice from an information and communication technology security provider about what security controls are appropriate for your circumstances, and
• destroy the copies after a contemporaneous record of your POI checks has been completed.

For further information, see ‘Receiving identity documents electronically’ in our Practice Note.

If you are verifying the authority of an individual representative (such as the holder of a power of attorney) to engage you on behalf of an individual client, our minimum requirements are that you sight original or certified copies of:

• the primary photographic identification document, or both primary non-photographic and secondary identification documents, for both the client and the representative
• the legal document demonstrating the authority of the individual representative to engage you as a registered tax practitioner on behalf of the individual client. 

For examples of these documents, refer to Table 3 in our Practice Note.

No, if you are engaging an individual client and verifying their identity, sighting a non-photographic ID on its own is not sufficient to meet our minimum requirements. We require you to sight:

• an original or certified copy of a primary photographic identification document, or
• an original or certified copy of both:
  • a primary non-photographic identification document
  • an original or certified copy of a secondary identification document. 

See Table 3 (at paragraph 10) in our Practice Note that provides a list of legal documents that can be used to verify the authority of an individual representative to engage a registered tax practitioner on behalf of a non-individual client.

Some types of secondary identification documents, such as a council rates notice or a utilities bill, must have been issued in the past 3 months to meet our minimum requirements. These requirements have been informed by a number of considerations, including the relevant provisions of the Tax Agent Services Act 2009, ATO and Accounting Professional & Ethical Standards Board guidelines, requirements under Anti-Money Laundering and Counter-Terrorism Financing legislation, and State-based requirements in some circumstances.

You can use primary photographic identification documents such as a driver licence or permit from Australia or overseas (including a digital driver licence), an Australian passport, a foreign passport issued by a foreign government or the United Nations, or international travel documents issued by a foreign government or the United Nations.

If you are engaging with the individual client or their representative remotely, such as through the use of videoconferencing, you should also consider the guidance on remote verification in our Practice Note.

Refer to the guidance on the ATO website about using the document verification service (DVS) method to conduct POI.

If you decide the DVS method is appropriate for your circumstances, a list of approved DVS gateway service providers is published on the IDmatch.gov.au website.

In circumstances where an individual client is unable to provide a primary photographic identity document, you must use a primary non-photographic identity document (original or certified) and a secondary identity document (original or certified). 

For a list of these documents, see Table 3 in our Practice Note.

You can verify a client's identity and sight identity documents remotely through the use of videoconferencing. Our requirements remain the same whether you undertake POI face-to-face or remotely. If you sight original or certified identity documents through videoconferencing or with the use of a webcam, you must make a note of this in your records as soon as the POI checks are completed.

However, if you use non-visual methods to engage with clients and are unable to verify the client’s identity by comparing with their photographic IDs provided, you should refer to the ATO’s Agent client verification methods if you use their online services.

While you may accept a letter of authority by email for a representative to act on behalf of an individual client, we expect you to consider the circumstances and assess whether it is appropriate to take additional steps to confirm the authorisation – for example via telephone, video conference, or a face-to-face conversation with the client.

You may also wish to seek legal advice or make additional enquiries if you are unsure whether to accept the authority of the individual representative to act on behalf of a client or potential client.

For specific guidance on using data on ATO records to verify the identity of a client, refer to the ATO website. Note that this method cannot be used to verify the identity of an authorised representative on your client, unless the representative is also your client. 

When sighting identification documents to confirm the identity of a client or their representative, you must check whether the:

• photo in the identification document appears to match the details provided by the client or their representative (for example, age and gender)
• name, address and date of birth match when comparing documentation.

If you identify any discrepancies with the information provided and claims made by the individual, you should:

• ask additional questions, and/or request additional documentation or evidence
• see if you can independently verify the information provided, where possible.

If you are still unable to verify or are not satisfied that the information about the client’s identity is correct, you should decline the engagement. 

You should also consider notifying us at the TPB, the ATO, ASIC or other relevant authorities, if you are lawfully permitted to do so.

While we don’t have a checklist, we have developed a factsheet for clients that you may find helpful as it summarises the details of clients that need to be verified and types of documents you can use for undertaking POI. You may also wish to download this factsheet to share with your clients.

You must keep a record of the POI checks undertaken in relation to a client for a minimum of 5 years after you cease the engagement with the client.

No, we do not recommend that you keep originals or copies of identity documents as it increases your risk of being the target of fraudulent activity. We require you to keep a contemporaneous file note or record (for example, a completed checklist) about the checks that you have undertaken.

For guidance on what information this record should contain, refer to the ‘Record keeping’ section in our Practice Note.

We require that you keep a record of the POI checks that you undertook on clients, or records of your decision not to undertake POI, for a minimum of five years after the engagement with the client has ceased. We may ask to see these records to ensure that you are meeting your obligations under the Tax Agent Services Act 2009, including the Code of Professional Conduct. 

This includes obligations under section 30 of the Code Determination to keep records that correctly record the tax agent or BAS services you have provided, or that are provided on your behalf, to each of your clients (including former clients). For further information, refer to the guidance on our website.   

We strongly recommend you arrange for sensitive information to be provided to you by clients:

• via a secure website, secure online mailbox or secure messaging
• as an encrypted or password protected attachment to an email
• using another secure electronic solution that minimises the risk of interception of the sensitive information, document or evidence.

We also recommend you seek independent professional advice from an information and communication technology (ICT) security provider about what controls are appropriate for your business and risk circumstances.

We recommend you seek independent professional advice from an ICT security provider if you intend to receive sensitive information or documentation electronically. 

Alternatively, refer to the ATO’s guidelines which provide information on how to undertake client verification checks using ATO or Document Verification Service (or DVS) sources.