You are required to report significant breaches of the Code of Professional Conduct (Code) that occurred on or after 1 July 2024 under the breach reporting obligations.

 There are 2 types of breach reporting requirements:

• Firstly, self-reporting: you must notify us in writing if you have reasonable grounds to believe that you have breached the Code, and that breach is a significant breach. 
• Second, reporting another tax practitioner: if you have reasonable grounds to believe another tax practitioner has breached the Code and the breach is a significant breach, you must notify us, and the recognised professional association (RPA) of the other tax practitioner (if applicable), in writing.

Check out our guidance for more information.

The breach reporting obligations were introduced as part of broader reforms by the government to improve the effectiveness of the Tax Agent Services Act 2009 TASA and the Tax Practitioners Board (TPB), and as a response to the PricewaterhouseCoopers tax leaks matter.

These obligations aim to enhance consumer protection and increase community confidence in the tax system and the tax industry by improving the conduct of registered tax practitioners providing tax agent services. 

By requiring the reporting of significant breaches of the Code, it will help the TPB and RPAs to focus compliance action, strategies, education, support and services on targeting higher risk issues impacting the tax profession.

Breach reporting obligations apply to any registered tax practitioner entity (individual, company or partnership) in relation to:

• their own conduct (self-reporting)
• the conduct of another registered tax practitioner.

Breach reporting obligations do not apply to reporting about conduct of unregistered tax preparers or clients of tax practitioners.  

Breach reporting obligations came into effect on 1 July 2024. This means you must notify us and the relevant RPA (if applicable) about a ‘significant breach’ of the Code that occurred on or after this date. This needs to be done within 30 days of the day you first have (or ought to have) reasonable grounds to believe there has been a ‘significant’ breach of the Code. 

No, breach reporting obligations started on 1 July 2024 for all registered tax practitioners. In relation to smaller firms with less than 100 employees, the 1 July 2025 start date only applies to the 8 additional Code obligations that were introduced under the Tax Agent Services (Code of Professional Conduct) Determination 2024 (Determination). 

Refer to The Code Determination – Background and context for further information about the obligations under the Determination. 

No, you are not required to report breaches that occurred before 1 July 2024. However, if the breach first occurred before 1 July 2024 but is ongoing on or after that date, the breach must still be reported. 

The obligation also does not apply in circumstances where a registered tax practitioner enters a new client engagement and becomes aware of conduct of the prior registered tax practitioner in relation to that client that gives rise to a breach that occurred before 1 July 2024. 

A significant breach of the Code is a breach that: 

• constitutes an indictable offence, or an offence involving dishonesty, under an Australian law 
• results, or is likely to result, in material loss or damage to another entity (including the Commonwealth)
• is otherwise significant, including taking into account any one or more of the following:
  • the number or frequency of similar breaches by the tax practitioner
  • the impact of the breach on the tax practitioner’s ability to provide tax or BAS agent services
  • the extent to which the breach indicates that the tax practitioner’s arrangements to ensure compliance with the Code are inadequate; or
• is a kind prescribed by the Tax Agent Services Regulations 2022 (TASR).

Determining if a breach of the Code is a ‘significant breach’ must be decided on a case-by-case basis, having regard to the particular facts and circumstances.

A breach may be considered significant if it doesn’t fall within the category of a ‘significant breach’ defined above but it is still sufficiently important, serious or material for it to be reported based on the circumstances. When deciding whether a breach is ‘otherwise significant’, you should take into account one or more of the following factors:  

• number and frequency of similar breaches of the Code
• impact of the breach on the registered tax practitioner’s ability to provide tax agent or BAS services 
• extent to which the breach indicated that the registered tax practitioner’s arrangements to ensure compliance with the Code are inadequate
• nature and scale of the registered tax practitioner's business
• number of clients involved
• complexity of the arrangements
• loss or potential financial or non-financial loss to clients
• vulnerability of affected clients
• impacts and harm on the tax system more broadly.

‘Reasonable grounds’ is defined as having a solid foundation for believing a ‘significant breach’ has occurred. This should be supported by appropriate facts and evidence. Although you do not need to have conclusive proof, you do need to be able to appropriately substantiate your claim and verify or corroborate it as appropriate. If you are not sure whether there has been a significant breach of the Code but have reasonable grounds for believing there has been, you must still notify us.

It’s important to know we may take action against you if a breach report is frivolous, vexatious or malicious. For example, if your claim involves a false or misleading statement, it may raise issues about your compliance with other requirements of the TASA, including being a fit and proper person and the requirement to act with honesty and integrity.

You should use your professional judgement regarding whether a breach will result in ‘material’ loss or damage to the Commonwealth. This should be based on the facts and circumstances. You may want to consider: 

• loss of revenue (including tax revenue) such as: 
  • the amount and scale of the loss (for example, through uncollected tax and tax debts)
  • the number and type of clients involved
  • the risk to future revenue if unreported 
  • the impact on the trust and confidence in the Commonwealth to manage revenue, and the tax system, more broadly
• reputation damage such as:
  • the nature, scale and severity of the damage or reputational risk
  • the impact on public perception
  • the risk of negative publicity and media coverage 
  • the impact or potential flow-on effects on revenue, agencies and stakeholder relationship
  • trust and confidence in the Commonwealth more broadly.

You are not expected to assume the role of ‘investigator’ or ‘auditor’, or to ‘go looking’ for potential breaches of the Code by other registered tax practitioners. Although the breach reporting obligations are a standing obligation, they do not require you to ‘continually’ self-assess as a reoccurring action (for example, daily assessment of whether a breach has occurred). You should use your professional judgement in the circumstances. 

Breach reporting must be made using:

• the 'online complaints’ form if the breach relates to the conduct of another tax practitioner; or
• the 'notify a change in circumstances’ form if the breach relates to your own conduct. 

All breach notifications, whether they are self-reported or about another tax practitioner, must be reported to us (and the RPA if applicable) within 30 days of the day you first have (or ought to have) reasonable grounds to believe there has been a significant breach of the Code.

Yes, you still have an obligation to report a significant breach of the Code to us and the RPA (if relevant), even if a breach has been rectified. This also applies even if you or the tax practitioner you are reporting has taken steps to address or remedy the breach. 

The key issue you need to consider when determining whether to report a breach in circumstances involving rectification, is whether, at the time you identify the breach, the breach has occurred, and it is significant. Rectification of a breach is a factor we may take into consideration when deciding what further action to take.

You must notify us (and the relevant RPA if applicable) about a ‘significant breach’ that occurred within 30 days of the day you first have (or ought to have) reasonable grounds to believe there has been a ‘significant’ breach of the Code. If you report a breach outside of the 30-day period, you must provide us with reasons and evidence for your delayed notification. We will take this into account when determining what action to take, if any.  

When you notify us that you or another tax practitioner has breached the Code, you cannot remain anonymous. You can however, let us know if you have concerns around confidentiality, including in relation to your personal details, when you complete the form.

Depending on your relationship with the other tax practitioner, you may be eligible for the extended tax whistleblower protections that commenced from 1 July 2024. 

Refer to Whistleblower legislation for more information in relation to whistleblower protections, including who is considered an ‘eligible whistleblower’. 

If you submit a breach report about another registered tax practitioner, we will not notify the other tax practitioner that a report has been received. We may, however, make contact with that other tax practitioner as part of our approach to investigating breach notifications. This includes determining the veracity of the report made.

If you are concerned about confidentiality, including your identity potentially being disclosed to the other tax practitioner, let us know when you submit your report.

Depending on the relationship between you and the registered tax practitioner you are reporting, you may be eligible for the extended tax whistleblower protections that commenced from 1 July 2024. This seeks to provide protections for disclosures by eligible whistleblowers to us relating to the misconduct of registered tax practitioners. 

If you are an ‘eligible whistleblower’, you will be afforded protection for your disclosure and have your identity protected, unless it is to an authorised body, or with your consent.

We may contact you to seek further information relevant to the breach being reported. We are limited in the information that we can disclose to you about action we take in relation to your report due to privacy and secrecy laws. We will however, provide you updates as appropriate where we are able to or required to by law.

Refer to Whistleblower legislation for more information in relation to whistleblower protections, including who is considered an ‘eligible whistleblower’. 

Yes, if you are aware that the registered tax practitioner you are reporting a breach about is a member of an RPA, you must notify that RPA about the breach in writing. You should contact them to find out how to notify them about a breach and what information they require.

If you are not sure if the tax practitioner is a member of an RPA, we recommend you check our Register which may include this information. You may also wish to make additional enquiries, including with the relevant RPA, to confirm membership. In some cases, the RPA website may provide a list of members. If after doing all this, you are unable to determine whether the tax practitioner is a member of an RPA, you should document this outcome and the steps you have taken in case it comes up as part of any future review or investigation.

To find out if a professional association is an RPA, you can check our list.

No, it is not an obligation under the TASA to report an unregistered preparer. 

However, if you would like to report an unregistered preparer to us, you need to do this in writing using our online complaints form. 

You can make an anonymous complaint, however, we will not progress the complaint unless you are able to provide sufficient information and evidence.

When lodging a complaint about an unregistered preparer, you should provide as much detail as possible, including any relevant documentation to support your complaint. We will not act on complaints without sufficient information and evidence. This is why we encourage you to provide your details and not remain anonymous so that we can get in touch with you if we need further information. 

See our complaints information for further guidance. 

We will triage breach reports as we do with any other complaints. We will make further enquiries regarding the breach notification, including verification of information provided to us by the complainant to assess and validate the potential breach. We will then decide whether a formal investigation will commence. 

Not all breach reports will lead to a formal investigation. We are also limited in the information we can disclose due to privacy and secrecy laws. However, all breach reports that we receive will provide us with valuable intelligence and data to shape our policies, services, and compliance. 

Consistent with our current risk-based approach to investigating complaints, we will undertake a preliminary analysis of the breach notification, make relevant enquiries and use information available to us to assess, validate and commence formal investigation where appropriate. Refer to the question below on the factors we consider before commencing a formal investigation.

A breach report made to us will not automatically trigger the commencement of a formal investigation. Consistent with our current approach to investigating complaints, we will undertake a preliminary analysis of the breach notification, make relevant enquiries and use information available to us to assess and validate the potential breach and mitigate the risk of frivolous, vexatious or malicious claims. 
We will take a risk-based approach when deciding whether to commence a formal investigation. To do this, we will consider several factors including, but limited to, the following: 

• nature of the breach
• seriousness of the breach and level of risk involved
• number and frequency of breaches
• whether there is sufficient evidence to support the breach notification 
• in the case of a breach notification about another registered tax practitioner, the circumstances surrounding the making of the notification and relationship between the parties 
• compliance history of the registered tax practitioner
• whether the breach has been rectified or remedied or any steps taken to address it
• nature and scale of the registered tax practitioner’s business
• number of clients involved
• impact or harm to clients and the tax system more broadly
• whether the breach notification is otherwise frivolous, vexatious or malicious based on the information provided
• if a breach is reported outside the 30-day notification period, the reasons for any delay in reporting the breach, and any consequences for our investigation and other agencies as a result of the delay.

Read our additional guidance on investigations, which includes information on the process, approach to dealing with complaints, investigations into breaches of the Code, and the process for the review and appeal of outcome of investigation decisions.  

We have a framework in place to mitigate and address the risks of registered tax practitioners making breach reports about another tax practitioner that may be frivolous, vexatious or malicious.

A report may be considered frivolous, vexatious or malicious if it is:

•  trivial and lacks substance
• made without sufficient grounds
• made for the purpose of wasting our time and resources
• brought with an ulterior or collateral purpose, or with the intent of causing harm to the tax practitioner being reported.  

We will assess the information provided and make further enquiries (as appropriate) to ensure the reporting of another registered tax practitioner’s conduct is reasonable and credible. We may take action against you if we consider that a breach report is frivolous, vexatious or malicious. For example, if the claim involves knowingly making a false or misleading statement. 

Such situations may raise issues about your compliance with other requirements of the TASA, including:

• the fit and proper person requirement, which you must meet to maintain your registration
• other Code items, including the requirement to act with honesty and integrity (Code Item 1). 

If you report a breach outside of the 30-day period, you must provide us with reasons and evidence for your delayed notification. We will take this into account when assessing the breach report and determining what action to take, if any.

For information about the consequences for failing to comply with the breach reporting requirements, see below.

A failure to comply with any of the breach reporting obligations from 1 July 2024 is a breach of: 

• the Taxation Administration Act 1953, which may carry criminal sanctions; and
• the TASA, specifically Code item 2, which requires tax practitioners to comply with the taxation laws in the conduct of their personal affairs. 

For breaches of the Code, we may apply one or more of the following administrative sanctions:

• a written caution
• an order
• suspension of registration 
• termination of registration (including a period within which a terminated tax practitioner may not re-apply for registration).

Find out more about the sanctions we can impose.