Download Breach reporting factsheet

Breach reporting requirements have been strengthened to support the majority of tax practitioners in their voluntarily compliance with professional and ethical standards. By raising the professional and ethical standards of tax practitioners, breach reporting improves the provision of tax practitioner services, enhances consumer protection, and increases community confidence in the integrity of the system that regulates those services and the tax profession. 

As a registered tax practitioner, you must comply with your breach reporting requirements. This means you must notify us (and the relevant recognised professional association (RPA) if applicable) if you have reasonable grounds to believe that you or another tax practitioner has breached the Code of Professional Conduct (Code) and that breach is a ‘significant breach’. 

Significant breach

A ‘significant breach’ of the Code is a breach that:

• constitutes an indictable offence, or an offence involving dishonesty, under an Australian law
• results, or is likely to result, in material loss or damage to another entity (including the Commonwealth)
• is otherwise significant, including considering, any one or more of the following factors:
  • the number or frequency of similar breaches by the tax practitioner
  • the impact of the breach on the tax practitioner’s ability to provide tax or BAS agent services
  • the extent to which the breach indicates that the tax practitioner’s arrangements to ensure compliance with the Code are inadequate; or
  • is a kind prescribed by the Tax Agent Services Regulations 2022 (TASR).

Determining if a breach of the Code is a ‘significant breach’ will be decided on a case-by-case basis, having regard to the particular facts and circumstances.

Reasonable grounds

You must have reasonable grounds to believe a ‘significant breach’ has occurred. This means you must have a solid foundation or factual basis for your belief, supported by appropriate facts and evidence. Although you don’t need to have conclusive proof, you do need to be able to appropriately substantiate your claim and verify or corroborate it as appropriate. If you are not certain if there has been a significant breach of the Code but have reasonable grounds for believing there has been, you must still notify us.

It’s important to know we may take action against you if a breach report is frivolous, vexatious or malicious. For example, if your claim involves a false or misleading statement, it may raise issues about your compliance with other requirements of the Tax Agent Services Act 2009 (TASA), including being a fit and proper person and the requirement to act with honesty and integrity.

Notification period

You must notify us (and the relevant RPA if applicable) about a ‘significant breach’ that occurred on or after 1 July 2024. All breach notifications must be reported within 30 days of the day you first have (or ought to have) reasonable grounds to believe there has been a ‘significant’ breach of the Code. 

How to notify us

If you are:

• self-reporting because you have breached the Code, lodge a notify a change in circumstances form
• reporting another tax practitioner because they have breached the Code, lodge a complaints form.

When reporting significant breaches of the Code to us, whether the breach relates to your own conduct, or the conduct of another tax practitioner, you should ensure the following information is included in your breach report:   

• details of the Code item(s) that have been breached, including the date of the breach
• reasons why the Code item(s) were breached, including details of the conduct giving rise to the breach
• the test you are relying on to conclude the breach is ‘significant’, and the reasons why (if there is more than one test or reason all should be provided)
• the ‘reasonable grounds’ you are relying on to conclude there has been a significant breach, including details, of:
  • the facts and evidence relied on
  • any reasonable enquiries made, or independent evidence obtained, to support, verify or corroborate a breach (where relevant)
  • whether, and to what extent, you have sought professional advice, including legal advice, to support your report (where relevant)
• supporting documentation relevant to determining whether a breach is ‘significant’ or you have ‘reasonable grounds’ for your belief
• the date you considered you had ‘reasonable grounds’ to believe a significant breach had occurred. If the breach report has been lodged outside the 30-day notification period, the reasons for the delay
• details of any previously lodged breach reports, or decisions made not to report, that may be relevant, for example:
  • reports lodged by another tax practitioner entity about the same breach, or 
  • decisions made not to report due to our compliance approach for breaches already reported, as discussed in the TPB(I) D53/2024 Breach reporting under the Tax Agent Services Act 2009.

Where the breach report relates to the conduct of another tax practitioner, you should also provide the details of your relationship with the tax practitioner. If you are concerned about confidentiality, including your identity potentially being disclosed to the other tax practitioner, you should advise us.

While some of the above information may be captured in the forms used to lodge the breach report, you should provide as much detail as possible about the breach.  

How to notify RPAs 

You need to notify a RPA when reporting another tax practitioner and you are aware of the other tax practitioner’s membership. We expect registered tax practitioners to make reasonable enquiries to establish whether the other tax practitioner is a member of an RPA.

As a starting point, you can view our list of RPAs and check our Register to see if another tax practitioner is a member of an RPA.  While we encourage tax practitioners to review and update their details on the Register, it is not always up to date, so you should check the RPAs website to see if they provide a list of members and/or make direct enquiries with the RPA to confirm membership. 

To check if a professional association is accredited by us, you can check our list.

Further, you should contact the relevant RPA to find out how to notify them of the breach and what information they require.

Remaining anonymous

When you notify us that you or another tax practitioner has breached the Code, you cannot remain anonymous. You can however, let us know if you have concerns around confidentiality, including in relation to your personal details, when you complete the form.

Depending on your relationship with the other tax practitioner, you may be eligible for the extended tax whistleblower protections that commence from 1 July 2024. See Whistleblower legislation for more information in relation to whistleblower protections, including who is considered an ‘eligible whistleblower’. 

What happens after you notify us of a breach?

Once you have submitted your form, you will receive an acknowledgement email with a reference number. We may contact you for further information. 

How we investigate breach notifications

Not all breach reports will lead to a formal investigation. However, all breach reports that we receive will provide us with valuable intelligence and data to shape our policies, services, and compliance. 

Consistent with our current approach to investigating general and whistleblower complaints, we will undertake a preliminary analysis of the breach notification, make relevant enquiries if applicable, and use information available to us to assess and validate the potential breach and mitigate the risk of frivolous, vexatious or malicious claims. 

The TPB take a risk-based approach when deciding whether to commence a formal investigation. In making this decision, we will consider several factors including: 

• nature of the breach
• seriousness of the breach and level of risk involved
• number and frequency of breaches
• whether there is sufficient evidence to support the breach notification 
• in the case of a breach notification about another tax practitioner, the circumstances surrounding the making of the notification and relationship between the parties 
• compliance history of the registered tax practitioner
• whether the breach has been rectified or remedied, or any steps taken to address it
• nature and scale of the tax practitioner’s business
• number of clients involved
• impact or harm to clients and the tax system more broadly
• whether the breach notification is otherwise frivolous, vexatious or malicious based on the information provided
• if a breach is reported outside the 30-day notification period, the reasons for any delay in reporting. 

Failing to comply 

A failure to comply with any of the breach reporting obligations from 1 July 2024 is a breach of the: 

• Taxation Administration Act 1953, which may carry criminal sanctions
• Tax Agent Services Act 2009 (TASA) (Code item 2), which requires tax practitioners to comply with the taxation laws in the conduct of their personal affairs. 

A failure to comply may also impact on you meeting the fit and proper person requirements and other Code items.

We recognise breach reporting obligations are new and our focus is first on consultation, education and awareness and improving voluntary compliance, supervisory and regulatory systems. However, we will be responsive to higher risk misconduct and regulatory breaches and will take action where warranted. 

In the case of a breach of the TASA, sanctions could include:

• a written caution
• an order requiring a specified action
• suspending registration
• terminating registration (imposing a ban on re-registration for up to 5 years).

Further information *

• TPB(1) D53/2024 Breach reporting under the Tax Agent Services Act 2009
• Breach reporting obligations
• Summary of obligations diagram