Enter Your E-mail

The Provincial Tax Practitioner looks at HMRC's security measures.

Introduction

We’re all familiar with HMRC’s obsession with the risk of disclosing sensitive financial information to a third party not authorised to receive it: compulsive overkill probably resulting from the time they embarrassingly lost the personal records of 25 million individuals. Such vigilance is therefore to be commended, despite the annoying and repetitive requests ‘in the interest of security’ that greet any telephone call to them: name of agent; address of agent including postcode; telephone number of agent; full name of client; address of client including postcode; occupation of client; UTR or NI or number; date of birth.

But it begs the question: how do we know the person answering the phone or phoning us is actually who they say they are?

HMRC caller: Could I first ask you a few security questions?

Cynical agent: Such as?

HMRC caller: Could you please confirm your telephone number?

Cynical agent: But you’ve rung me. Anyway, how do I know who you are?

HMRC caller: You’re being silly now.

Cynical agent: You started it.

What About Our Security Checks?

In the interest of security should we not be asking our own questions, to which we have already supplied a set of answers to be circulated within HMRC and only known to their employees and learned by rote? For example: who scored the winning goal in the 1955 cup final? What is the gestation period of a badger? How many rivets are there in the Forth Rail Bridge? Other than HMRC staff, only a committed quiz aficionado could possibly come up with the answers and a cold call from such a person trying to lure us into imparting sensitive financial information would be against all the odds (and only a dedicated quizzer would know those odds).

Incontinent Security   

So it was somewhat of a shock to this cynical old agent when he received a ‘Dear Sir or Madam’ letter from an HMRC office. No security checks necessary on our part; the letter was on HMRC headed paper. The UTR belonged to one of our clients but we didn’t seem to recognise our reference on the letter. Neither did we recognise the name of the taxpayer: the right UTR, but not necessarily the right name.

This was starting to perplex and intrigue us in equal measure. A copy of a letter apparently sent to our client was attached, which we read with considerable interest; far more interest in fact that we would normally employ, because…

It wasn’t our client.

The enclosures included a revised tax calculation, detailing name, address and all sources of income and allowances for our non-client.

It tends to make a mockery of the security procedures so vigorously enforced in verbal communications with HMRC, when someone signing a letter can’t be bothered to check the attachments. (Needless to say we returned it).

‘You’ve invented what, Walt?’

The Internet is a vast, shifting sea of information into which anyone can submerge themselves at the touch of a button. It was originally developed as a means of sharing and exchanging information, noble aims that would seem to preclude any need for security. However, as soon as we are encouraged to bank online and file confidential financial information electronically, security becomes paramount as we strive to prevent unauthorised access to personal details. Those aims of ease of access and confidentiality are mutually exclusive and in a permanent state of conflict with one another.

And within weeks, thousands of sets of company accounts, computations and CT600’s will be pouring into this vast electronic sea. 

Can you imagine what the wonderful American comedian Bob Newhart would make of it? (if you have never listened to the classic Sir Walter Raleigh telephone conversation, catch it on Youtube )

Newhart: (on telephone) You’ve invented what Walt? (aside to others in the room):  It’s nutty Walt on the phone, guys. (to caller) You’ve come up with a way to make all the information in the world accessible to anybody, anywhere at any time? Gee, that sure sounds like a winner Walt.

What’s that you say Walt? You’re now busy trying to find a way to stop everybody, everywhere and at anytime from accessing this information?

(Pause) Gee, don’t take this the wrong way big fellah, but isn’t that kinda contradictory? Sounds as though you might disappear where the sun don’t shine with that one Walt. 

Security: an Enigma?

HMRC believe they have an impenetrable security system. So did the Third Reich with their Enigma machines before the code breakers at Bletchley Park got to work and changed the course of the War. If someone can write computer security software then somebody, somewhere can break it. You might be forgiven for thinking that the Pentagon and NASA would have the daddy of security systems, and yet an allegedly autistic Gary McInnon managed to take a cyber-stroll through their computers. Would we ever know if anyone has hacked into HMRC’s computer system? Somehow I doubt they would risk a stampede back to paper filing. I suspect cyber attacks and thefts of sensitive information are rife, but as sure as Hell we won’t get to know about it.

‘Security v ‘Sausage-finger’ Syndrome

I now have a card reader for online banking and what took me 2 minutes to pay someone, now takes me 10. To access bank account: enter code and password; insert card, press ‘identify’, enter pin, enter pass code. To pay an amount: re-insert card, enter pin , press ‘sign’, enter recipient’s bank account number, enter amount, enter passcode etc., etc. And all this entering of numbers on a Lilliputian keypad. Anyone afflicted with Wall’s Syndrome (sausage-fingers) will take all day to enter the requisite digits with their own oversize digits. 

At this rate we’ll soon be issued with DNA readers to access accounts:

‘Cancel all appointments this morning would you please. I need to pay a bill; I’m going to the little boys’ room with my reader and may be some time.’

I have also accumulated more ID’s, usernames, pin numbers, codes and passwords than I can shake a stick at: all vital to accessing various applications and obtaining essential information. There are so many I really need to store them on a computer but then I’ll need to come up with yet another password that I can’t remember.

‘Don’t Tell Him Pike!’

The other worrying but inescapable fact is that the Internet depends on a reliable source of electricity, and our future supplies seem dependent on nothing more substantial than the vagaries of the prevailing winds across the UK.  

Now many of you out there may dismiss these gripes as the misinformed rants of an old fool, but I’m afraid that I can’t get away from a constant nagging doubt: you can have a myriad security checks and codes in place but human error, complacency and ingenuity are the Achilles’ heels in the system. It seems to me that the more emphasis HMRC places on computer technology and online filing, the more incongruously does human interaction seem to sit alongside it.

Two lines from Dad’s Army echo in my mind:

German officer (pointing at Corporal Pike): You, vot is your name?

Captain Mannering: Don’t tell him, Pike.

I rest my case.