To help protect the security of client information we suggest you: 

• use more secured methods than email to communicate this information – for example, a secure website, online mailbox or secure messaging 

• validate the email address with a recipient before sending any unencrypted email to them, to minimise the risk of unauthorised disclosure to a person who is not the intended recipient 

• only send this information by email as an encrypted or password protected attachment 

• maintain records of emails sent and received.  

Yes, this is an option if a tax practitioner wants to verify the information provided by a client.  

This arrangement would be acceptable, however, the TPB would not recommend retaining copies of ID documents, nor receiving them via email. 

Yes, there is usually a fee associated with DVS. 

Our draft guidance requirements differ between new and existing clients. When dealing with existing clients, it may not be appropriate or necessary to undertake the POI steps outlined in the draft Practice note. Ultimately, we expect that you exercise your professional judgement. You can find more information in our draft Practice note. 

When you buy another tax practice or acquire clients from another practice, we do not expect you to perform proof of identity checks for each client you are acquiring straight away.  

The seller tax practitioner should be passing on the proof of identity file notes or checklists for each client being transferred to your practice along with other relevant client records. Of course, the seller tax practitioner must be mindful of their Code of Professional Conduct obligations to maintain confidentiality of client information. They must have obtained all the relevant clients’ permission before passing on their records to you. 

During your ongoing engagement with the clients you have acquired, you should undertake POI checks as appropriate throughout your engagement with them.  

Yes, they would both be appropriate enquiries to make, assuming that they provide you with the company or trust’s full name, ABN or ACN and any other additional detail in order to make a reasonable assessment of the legitimacy of the company or trust’s identity. You would also need to check the identity of any individual representative instructing you on behalf of the company or trust, and ask for evidence that they are authorised to do so. 

Yes, the TPB’s requirements will still apply to practitioners providing services to not for profit organisations. 

You only need to do this for the client and any person you are dealing with that purports to represent the client. For example, anyone instructing you on behalf of a non-individual client. 

You do not need to meet face-to-face with the client to meet the proposed requirements. If you are engaging a client and/or their individual representative remotely you may choose to use videoconferencing facilities. In this situation our requirements remain the same as for registered tax practitioners who engage with clients face-to-face. If you sight original or certified identification documents through videoconferencing or with the use of a webcam, we would require you to make a note of this in your contemporaneous record of the POI checks undertaken.  

If certified copies of identification documents are sent electronically or by mail to the registered tax practitioner, we strongly recommend you destroy the copies after the POI checks and contemporaneous record have been completed and recorded. 

We do not recommend that you keep copies or originals of any identification documents of clients or their representatives. In fact, we strongly discourage this practise because we recognise these documents may be at risk of being stolen through cyber-attacks or even physical break-ins at your business premises. 

However, we do require you to maintain a record, such as a checklist, for POI checks done. 

We will accept a contemporaneous record (i.e. a checklist saying you have sighted the proof of identity documents) as evidence. No copy of these documents are required or recommended from the TPB's perspective. 

Yes, certified copies can be used for individuals. 

There is no need to record document numbers from our perspective. 

If a client doesn’t have the standard identification documents, for example they come from remote areas, or their documents were destroyed in a natural disaster, or if they came to Australia as refugees we suggest you take a flexible approach and use your professional judgement.  

We understand you may not be able to apply all the required checks, but what we do ask in these situations, is that you maintain records outlining the client’s circumstances and details of the steps you have taken to establish the client’s identity.  

If you need additional guidance on this we suggest you refer to AUSTRAC’s guidance on identifying customers who don’t have conventional forms of ID. 

This is one of the reasons why we developed this guidance for tax practitioners – to help you to comply with the Code.  

Our guidelines should help strengthen client verification processes as we have consulted widely and looked at best practices and controls.  

If you follow the TPB and/or the ATO’s guidelines in undertaking POI checks, you should be able to minimise risks of potential identity fraud.  

In this scenario, record keeping would play a crucial role. As soon as you complete POI checks, you should make a record or checklist as outlined in our guidelines such as date and time the POI checks were done, who performed the checks, what and how IDs were sighted, whether the documents were legible etc. 

If you undertake the above steps, then you would have met your obligations under the Code, even if identity fraud or theft occurred despite the checks and processes you undertook. 

You have a few options here. Where you are unable to clearly sight identity documents using a webcam, you can have them sent to you electronically. Please note here we are not recommending that identity documents are sent or received via emails. We strongly advise against this practice as email is not considered a secure form of communication due to risks of information being intercepted during transmission. 

You can use secure ways of obtaining documents electronically – for example: 

• via a secure website, secure online mailbox or secure messaging, or 

• as an encrypted or password protected attachment to an email. 

We recommend you seek independent professional advice from an ICT security provider if you intend to receive sensitive information or documentation electronically. 

Alternatively, refer to the ATO’s guidelines which provide information on how to undertake client verification checks using ATO or Document Verification Service (or DVS) sources.