Digital Services Update – May 2018

Jun 11, 2018

HMRC’s May update contains the latest on Making Tax Digital, cyber security and the forthcoming corporate interest restriction deadline.

“Digital Services Updates

Making Tax Digital for Business (MTDfB)

Recent media coverage of HMRC’s reprioritisation exercise conflated delays to the Making Tax Digital for Individuals programme with the timeline for Making Tax Digital for Business.

MTD will be mandated for VAT for those businesses with income above the VAT threshold from April 2019, as planned.

As the Financial Secretary to the Treasury announced last July, the pace at which businesses will be required to keep digital records and send information to us through Making Tax Digital has been slowed to make the transition as smooth as possible, particularly for smaller businesses.

Delivery of the MTD service has, however, continued at pace. As part of the HMRC prioritisation exercise, MTD for Business was identified as a high priority programme.

We continue to work closely with software developers on both MTD pilots - testing the technology and the user experience.

MTD Agent Services and Income Tax Pilot

As we reported last month, Agents can now set up an agent services account and sign up to use software to send Income Tax updates on behalf of their clients.  Currently the pilot is open to self-employed businesses with income from one business.  We will advise you via the usual channels when the pilot is open to landlords with income from property; and to all self-employed business.

In summary, Agents can now

  • Create an Agent Services account (accessed from gov.uk)
  • Link existing SA and VAT client relationships to their Agent Services account (accessed from their Agent Services Account page)
  • Sign up SA clients to MTD for Income Tax quarterly reporting (accessed from gov.uk)
  • Link their agency MTD-compatible software to HMRC (accessed through their software)
  • Submit updates through their agency MTD-compatible software on behalf of a client
  • View MTD data and calculations on behalf of a client through software

Additionally, an agent can now access a digital authorisation service from their Agent Services Account for a new MTD SA client (a digital 64-8 for MTDB). Their new client can digitally confirm this authorisation to HMRC.

The existing paper 64-8 process can still be used for Self-Assessment, and any new clients added to an agency’s GG credential in this way will be recognised for MTD SA.

Some key messages:

A number of software developers want their existing agent customers to trial their MTD product for Income Tax - you should contact your software provider if you are interested.

In response to some of the questions raised through recent webinars, we are developing some key messages and additional guidance for Agents which will be available through an extended Agent Update in June. 

We are also running more MTD webinars on 21 and 22 May with a substantial part of the session on Agent Services Account. Some of the key messages we will cover include:

  • An agency cannot submit data for a client in MTD until their agency software is MTD compatible. They should not sign up their clients to MTD until they have this in place
  • An agency can set up their new Agent Services Account and link their agent/client relationships
  • An agency will receive a new GG ID as part of signing up for their Agent Services Account; they still need and should use their existing GG IDs for all existing non-MTD services
  • The new MTD Agent Services Account is needed in addition to any other agent services they currently use
  • When an agency links their SA and VAT relationships to their new Agent Services Account, this does not make any change at all to their existing relationships or how they use them through their existing GG IDs

We will also address some of the Frequently Asked Questions we get.

VAT Pilot

We continue test this service with invited volunteers.  Currently we are focusing on VAT registered businesses with the most straightforward affairs.  We will let you know when the pilot is widened to other VAT registered businesses. 

You will be able to sign up your clients to the pilot before April 2019 when it becomes mandatory for those above the VAT threshold to keep digital records for VAT and send their VAT returns through MTD using software.

Cyber Security

Password-stealing Malware

Many services and applications are delivered over the internet and accessed through web browsers, which include email, accountancy applications, customer relationship management tools, and HMRC online services.

These applications provide a wealth of opportunity for cybercriminals, providing access to personal and financial data and monetary transfers.  Many of these services require a username and password to access them, and one way these credentials are targeted is with malicious software.  These programs use a number of techniques to steal and exploit credentials, and understanding these threats can inform your defences.

There are two common angles for stealing credentials: intercepting them from the web browser at the point of login, and stealing stored credentials ‘remembered’ by the web browser.

The first provides the criminal with active credentials, often with helpful context from other data that is stolen as you interact with a website.  However, the victim’s anti-virus product could receive an update and remove the malware at any time, so the time window for stealing credentials may be limited.

Many types of malware will also steal stored credentials.  These are usernames and passwords that are helpfully saved by your web browser and automatically filled-in as you revisit those websites.  Each of the major web browsers store these details in different places on your computer, each of which are targeted by the malware developers.  These stored credentials may have not been used for some time, accounts may have been closed, etc.

Fortunately for criminals, people tend to re-use passwords across websites.  This means they can try these stolen credentials on many popular websites to determine if the victim has a registered account.  There are also popular ‘credential stuffing’ tools available which automates this process for them.

Whether your credentials are stolen from your own PC, or from one of the websites you have used in the past, these criminal methods pose a threat to your online accounts.  One effective defence against these attacks is the use of multi-factor authentication, which is typically a one-time login code delivered to another device.  Password manager applications also provide the convenience of ‘remembered’ passwords with additional security benefits.

Understanding cyberattacks helps organisations understand why recommended security controls and processes are important, and provides context to response plans.  For example, changing passwords of your frequently accessed websites following the discovery and removal of malware.  More information on common attacks and defences can be found on the NCSC website: https://www.ncsc.gov.uk/white-papers/common-cyber-attacks-reducing-impact.

NCSC also have guidance on password policies for an organisation: https://www.ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach

They also provide helpful, practical advice about password managers, multi-factor authentication and account security: https://www.ncsc.gov.uk/guidance/password-guidance-summary-how-protect-against-password-guessing-attacks

Corporate Interest Restriction- deadline 30 June 2018

Corporate groups within the scope of the Corporate Interest Restriction rules are required to submit an interest restriction return and should use the portal provided for electronic submission, accessible from the webpage Corporate Interest Restriction on deductions for groups.

The normal deadline is 12 months after the period of account, but for those groups whose period of account ends between 1 April 2017 to 29 June 2017, this is extended to 30 June 2018. Where an interest restriction is due, a full return is required, containing the required calculations and allocations of restrictions to UK group companies. If there is no interest restriction, an abbreviated return can be made; this identifies the group members but does not contain calculations. Templates are available on the above webpage.

Software developers can develop their own products, either to populate similar templates or create a bespoke return form providing the necessary information. The information should be presented in the same order as in the HMRC template. A small level of manual input is needed  on the electronic form which forms part of the return.”

END OF HMRC UPDATE