The Canada revenue agency's (CRA) introduction of a new auto-fill system for online tax filers earlier this year is part of an ongoing effort to streamline the filing of tax returns by turning it into an online process. But how does this relentless move to digital tax filing affect your clients' security and privacy?
The CRA has nudged taxpayers away from paper-based tax returns consistently, which, the agency states, cost up to four times as much to process as online returns. The trend started with TELEFILE, the CRA's telephone filing service, followed by the introduction of the NETFILE online tax-filing system in 2001. When the latter went online, the agency received 443,000 individual tax returns via the Internet. That number reached almost four million by 2004, then about 84% of the more than 26 million tax returns filed this year.
This year, the CRA introduced another feature designed to lure taxpayers online by adapting a system originally aimed at professional tax return preparers, making this system available to individual tax filers. The tax data delivery (TDD) system, introduced in 2015, was designed for professionals using the EFILE service on behalf of their clients. In February 2016, the CRA renamed this service Auto-fill My Return and made it available to individual users of the NETFILE system.
The auto-fill feature used by NETFILE users draws on the information that the CRA already retains about Canadian taxpayers in a variety of forms, including:
- T3s (statement of trust income allocations and designations)
- T4s (statement of remuneration paid)
- T4As (statement of pension, retirement, annuity and other income)
- T5s, T5007s and T5008s (covering investment income, benefits and securities transactions)
- RC62s (universal child-care benefit statement)
- RC210s (working income tax benefit advance payments statement)
- and RRSP contribution receipts.
As part of this expansion, the CRA also gave online users access to these information slips directly within their My Account online service.
The auto-fill feature also uses individual-specific data, such as the RRSP contribution limit, capital gains and losses, and tuition payments. All of these amounts will be filled in in advance in software certified to support NETFILE.
The auto-fill feature is optional in NETFILE-approved software, and users typically will have to choose to use this feature - although many taxpayers have, according to the government; 5.5 million tax returns had used the auto-fill tool as of July.
If the auto-fill tool is used, the software contacts the CRA's computer system using the same credentials that a taxpayer would use to access his or her My Account section on the CRA's website. The tool then downloads the available information to populate the applicable fields in the tax return.
For the 2015 tax year, the CRA states, all information was available by early March. If the same is true for this year's returns, then taxpayers should be able to take advantage of the auto-fill tool for 2016 as long as they aren't too quick off the mark.
Because the tool is a new feature, users shouldn't rely entirely on its accuracy. A thorough review of information downloaded through the tool will be important. Support forums for some tax software, such as UFILE, have shown that some T4A data downloaded to tax-filing software was inaccurate. As well, other data from various federal and provincial tax credits will not be imported into the software, making a careful eye still necessary.
If a client's accountant is using EFILE-certified software that supports the auto-fill option, he or she also will have access to other information, some of which the CRA gathers from third parties. These data include reassessments and balances owing, along with the working income tax benefit, and immigration and emigration dates.
The privacy implications of the Auto-fill service, which shows just how much the CRA knows about taxpayers, cannot be assessed yet. However, the CRA already compares tax information from various slips internally. The CRA's matching program checks each slip's information in the agency's database against the income information provided on a return in order to find any disparities that could suggest unreported income. This search engine is the same one that generates notices of reassessment, and possible penalties, for Canadians who haven't reported the correct figures.
The CRA has made other attempts to streamline its tax-filing process in the name of cost savings. In 2013, for example, the CRA terminated TELEFILE and stopped mailing the T1-General tax package. (Canadians now must ask for paper T1 forms.)
The agency also ceased mailing individual access codes to NETFILE users, asking them instead to use their social insurance number and birth date when filing tax returns.
This move provoked concern from NDP members of Parliament, who fretted about the privacy implications of using information that could be obtained from other sources and, therefore, used to defraud taxpayers. For example, the U.S. Internal Revenue Service has been battling this type of fraud, in which criminals file tax returns with someone else's social security number and collect the refund. The Office of the Privacy Commissioner of Canada complained that it wasn't consulted on the matter and has sought more information from the CRA.
As the CRA continues to streamline and automate the filing of tax returns, more information about Canadians will be accessible online.
The My Account login service offered by the CRA still relies on a username and a password for logging in. Usernames and online passwords are deemed insecure widely, on the basis that this information easily can be used by unauthorized users if stolen, Indeed, crooks have stolen passwords by the millions by hacking various commercial and government services.
The CRA has attempted to increase security and simplify access to the agency's systems by using the SecureKey Concierge service, which enables taxpayers to log into their accounts via their bank's online banking login screen. The CRA doesn't get to see a taxpayer's banking login details, and the bank doesn't get to see the tax information. However, as this mechanism still relies entirely on passwords, this process does little more than transfer the security weaknesses to the participating banks.
Companies increasingly are turning to two-factor authentication (2FA) to help protect their online accounts. This method uses something a taxpayer would know (username and password), along with something the taxpayer already has (either a special security token sent in the mail or to a smartphone).
The website that a taxpayer wants to log into uses the device being used in the process to help verify the user's identity, on the assumption that the user would be the only person in possession of the device. The device may store a digital "key" or, in some cases, produce a code that the user then enters into the site's login field along with their other login details. Unfortunately, neither the CRA nor any of the seven financial services institutions currently partnered with the CRA under the SecureKey Concierge initiative supports 2FA.
In April 2014, the CRA was forced to shut down the tax-filing system for several days after the Heartbleed computer bug was found to have infiltrated the system. A Canadian teenager had used the bug to compromise about 900 social insurance numbers, the agency revealed. One thing that would have prevented this attack would have been to implement 2FA to use a "private key" stored on the taxpayer's device.
All of these privacy concerns leave your clients - whether using SecureKey Concierge or not - with some basic security hygiene options to help protect their data. Using "strong" passwords (collections of numbers, symbols and letters, and of sufficient length) is one approach. Words you'd find in the dictionary, personal names and topics obviously linked to the user also should be avoided. When asked for "security questions" by the CRA's site, advise against choosing question/answer combinations that are easy for others to discover.
Clients should never reuse login credentials for different websites - and passwords should be changed frequently.
Your clients may take all of these steps to maintain the privacy of their data, but, ultimately, taxpayers depend on the CRA to protect that data - a potential problem, given that there have been some privacy and security hiccups at the CRA in the past.
In 2014, the CRA admitted that its staff had caused 32 privacy breaches by accessing individual tax records without authorization. Another breach that year saw the release of private information about 1,014 taxpayers to the CBC media network.
In April 2016, the CRA was forced to offer credit protection to some taxpayers after their private information was sent to others. That incident, which affected a Northern Ontario riding, saw information about 16 people mailed to the wrong recipients, who were given access to names, social insurance numbers, phone numbers and addresses.
© 2016 Investment Executive. All rights reserved.