Making Tax Digital (MTD) is a core part of HMRC’s ambition “to become one of the most digitally advanced tax administrations in the world”.
In the first phase of its implementation, from April 2019, it aims to create a secure, personalised digital tax account offering a quick, simplified, joined-up and online way for businesses to predict, monitor, calculate and file their VAT payments.
Requirements for businesses
With the public beta pilot of up to 500,000 businesses underway since October 2018, April 2019 will introduce requirements:
- For a further £1.2million businesses registered for VAT with a taxable turnover above £85,000
- To keep VAT records digitally, and
- File quarterly returns using MTD-compatible software that is able to use HMRC’s API platform.
Currently, only 10% to 12%of SMEs are estimated to use VAT software.
This means that, to comply with the MTD requirements, SMEs will have to update their existing, or purchase new hardware and software.
Implications for cyber security
General concerns have been raised regarding SMEs’ readiness for MTD implementation: lack of awareness, limited resource availability, understated costs of compliance and administrative burdens are mentioned repeatedly.
In addition, tax administration at present is a popular cybercrime target. An increase in digital records and electronic interactions presents new opportunities for cyber criminals. Quarterly reporting to HMRC offers criminals potential access to a new soft target of vast quantities of business data.
The risks are higher yet in light of SMEs’ general lack of digital readiness, often lacking experience in keeping digital data secure while coming to terms with technologies including cloud computing and reporting through APIs.
Mitigating the cyber risks of MTD transition
What, then, should SMEs do to mitigate the cyber risks of their MTD transition?
1. Understand your needs
Businesses that currently use accountancy software packages and have experience of digital reporting will have different requirements to those that need to change their processes from paper-based reporting from the bottom-up.
2. Pick your software providers carefully
Don’t be baffled by the choice of accountancy cloud and software packages available, and don’t rely on HMRC to offer a software systems selection tool to those businesses that are going digital for the first time.
Make sure that providers offer you confidence regarding their data storage arrangements and are able to reassure you in relation to the security of their software.
HMRC is working closely with third party software developers to design and develop products that will enable businesses to comply quickly, easily and securely with their MTD obligations.
While HMRC does not require third party software providers to meet security requirements or assess their products, it does expect developers to take the security of data and its proper management, handling, storage and processing very seriously, and follow best practice in developing software and fixing vulnerabilities. HMRC has published a list of approved, MTD for VAT compatible products on GOV.UK to help businesses make an informed choice of software to meet their needs.
3. Don’t forget the basics
The basic rules of cyber hygiene continue to apply, indeed, even more so in the advent of digital tax systems. Despite manufacturers’ best efforts, it isn’t possible to create perfectly secure software, and the risk of data loss where scans or digital images are stored on devices without back-up is real.
Refresh your knowledge and understanding of the basic cyber security principles, for example by using the National Cyber Security Centre Small Business: Cyber Security Guidance, but at a minimum, remember to:
- Back-up your data adequately so even if it is lost or held to ransom, there is a (literal) back-up plan; and
- Patch and update your digital tax software so any new security vulnerabilities are fixed before cyber criminals are able to exploit them to maximum effect.
4. Be suspicious
As the deadline for MTD implementation approaches and businesses require guidance, software solutions and support more urgently, cyber criminals will seek to take advantage, for example, by impersonating HMRC representatives.
Acknowledging that there are no sure-fire ways of identifying a well-crafted and targeted phishing email, you should nevertheless beware of emails, texts, calls and other correspondence purporting to be from HMRC.
FSB Essential members can ring the Tax and VAT Advice Line on 0345 0727727 with any queries around MTD.