At a glance
Current Tax Practitioner Board (TPB) and Australian Taxation Office (ATO) regulatory obligations already require tax practitioners to appropriately and positively identify their clients and assess the risk of doing business with them.
However, with AI-driven identity theft on the rise, how can you be sure that clients are really who they claim to be?
Meeting your POI obligations
In 2022, the TPB and the ATO published mandatory verification requirements, which require accountants to undertake proof of identity (POI) before providing tax agent or BAS services to new clients, and on an ongoing basis with existing clients.
The guidelines are closely aligned in terms of the types of identity verification, but while the ATO’s guidelines are primarily for tax and BAS agents who use the ATO’s online services, the TPB’s guidelines apply to all tax practitioners, regardless of whether they use the ATO’s online services or not.
For individual clients, you are required to verify your client’s full name and date of birth or residential address via one primary photographic ID or, if this is not available, through a primary non-photographic ID, such as a birth certificate or government-issued concession card.
You’re also required to verify via a secondary ID, such as a Medicare card or a notice from the ATO or other government agency issued in the past 12 months that contains the individual’s name and residential address.
For “non-individual” clients, such as businesses, partnerships or trusts, additional verification is required. This may include their Australian Business Number, Australian Company Number or invoices issued or received in their name.
As some clients may not be able to provide conventional forms of ID, it’s recommended that you keep detailed records to outline the client’s situation and the steps taken to establish their identity. However, as recommended by the TPB, these records should not include copies or originals of identification documents.
AI and identity fraud
While money laundering and fraud are genuine concerns, requirements for verifying a client’s identity also carry the significant risk of identity theft and fraud, such as when you can’t meet a prospective client in person, or where the identification is stolen and used for fraudulent purposes — particularly through the use of AI.
“This risk is reduced or eliminated if the practitioner follows the TPB recommendations and only maintains a checklist of what they have sighted rather than actually retaining identification documents,” notes Neville Birthisel, adviser, regulations and standards at CPA Australia.
He maintains that the requirements for verifying a client’s identity are not where the risk is — how the verification information was provided is key.
“Business email compromise is a common tactic for cybercriminals, and identity theft could have been in play from that first contact with a potential client.”
Daniel Weis, cyber security expert and practice lead for penetration testing at Nexon Asia Pacific, says AI is currently used in several areas of fraud and identity theft.
“The email content being generated by AI can be near impossible to detect for the average person,” he says.
“They are well written, no spelling or grammar mistakes, or any other indicators that would typically stand out to an ordinary user that they looked for in the past.”
Weis adds that the use of “synthetic identities” is also increasing. This occurs when perpetrators create fake online identities that are used in fraudulent activities, such as applying for services or for use in online scams.
“We are also seeing AI being used for open-source intelligence gathering, where you provide the AI engine with a person’s basic details and it will find their entire online identity, as well as home address, phone numbers and so on. This is then used in identity theft and other fraud-style attacks,” says Weis.
“Deepfakes are also massive at the moment, and we’re seeing them in a lot of different attacks — from sophisticated phishing through to Microsoft Teams or Zoom-based attacks. We’re seeing CEO fraud and other business-compromising attacks using deepfakes. All it takes is a couple of photos of a face and the deepfake can be created,” Weis adds.
How to address the risks
At a time of heightened cyber security concerns, what steps can businesses take to reduce the risk of identity theft and fraud?
Weis says education is a vital first step. This includes educating staff on the risks and threats from AI and how it may be used.
“Next up is to have verification processes in place,” says Weis. “For example, if you get an email request to change some personal details, call the client and ask them to verify some details first.”
As email may not be a secure form of transmission, it is best not to request that ID documents be sent this way. If you are unable to undertake the necessary checks in person, look at alternative methods such as encrypted or password-protected attachments to an email.
The TPB requirements strongly recommend that registered tax practitioners arrange to have this information sent via a secure website or online mailbox, or via secure messaging or other electronic solutions that minimise risk of interception.
Weis also suggests using identity and document verification services, such as Equifax or ConnectID.
“You can also use personal questions to verify information that only the individual should know, such as mother’s maiden name, previous addresses and so on, but this often falls through the cracks as this information can often be found online.”
Weis recommends that accountants implement an ID or code system to verify customers before making any required changes or transactions.
“For example, you could assign a unique code to each individual or business client that only they know, and that they would not save anywhere or share,” he says. “Before actioning any requests, ask them for their code to verify it is them before making the changes.
“Once the code is provided, you could also introduce some secondary verification using those personal questions for extra assurance.”