HMRC authorisation – now 3 factor authentication!

Our tax software has, for some months, had a link to HMRC systems. It was therefore possible to click on a “Get HMRC data” icon and the software would pull down sources of PAYE earnings, gross pay and tax deducted. It would then compare this to entries already made or the information pulled down could be entered into the software. This worked pretty well – until last week!

Clicking on the “Get HMRC data” button produced an “Invalid authentication information provided” message. We therefore had to go into the administration area of the software to the HMRC data authorisation section and perform Re-authorisation. 

In the past, this meant inputting the user name and password used to access HMRC online systems. Two factor authentication had already been enabled – a telephone number had been selected. The telephone rings as soon as a button is clicked after entering the user name and password, and a 6-digit number is provided to key into the software.

That was how it used to work!

It now goes to another screen and asks for yet more information! Bear in mind this is a business log in – an agent account. It asked for first and last names, NI Number, Date of birth, UK passport number, Surname and given names on the passport and expiry date. Needless to say, I did not have my passport with me, so I ground to a halt. At this stage, I also contacted the tax software provider to ask in HMRC had changed their systems and it was confirmed they had done so. No communication to this effect, no indications on the way through that the system had changed!

I obtained the passport information and set up the authorisation the following day. There were other options if there was no valid passport apparently as one of my partners had tried to re-authorise but gave up when it started asking for passport details, having put in my name, date of birth etc. Did it require my details…or his details? He did not know if it was just my ID linked to that HMRC account. I do not know if my ID is linked to that HMRC login – it was created 20 years ago!

So – the system now works – pulling data from HMRC systems. But the very first one we tried produced different figures! We had a P45 sent in by the client-her employment ceased in June 2016. Whilst the tax figures agreed, the gross pay was around £9 different between the figures downloaded form HMRC and the P45….how is this possible?

Why can’t we obtain pension details in this way too? The pension providers operate PAYE in the same way as employers – perhaps this is a work in progress? I am sure I saw it working for one client though…?

Obviously, security is a very high priority – but when will 3 factor become 4 or even 5 factor?