On 26 May 2020 the OECD Forum on Tax Administration (FTA) published a document entitled Tax Administration: Privacy, Disclosure and Fraud Risks Related to COVID-19.

Tax administrations are introducing measures to support taxpayers in the current crisis, delivering broader government support and taking action to ensure the continuity of their functions while protecting staff. These measures have been implemented quickly and there is a greater risk of problems in relation to disclosure, taxpayer privacy and tax fraud.

The OECD document looks at the risks involved and suggests possible strategies to reduce the likelihood of problems resulting from strategies such as remote working. The document is a result of input from tax administrations through surveys and meetings.

Security of Offices

There is a risk of unauthorised access to tax administration offices if they are closed or only partly staffed. The risk of theft of information or assets needs to be combated by increased verification checks on entry; guidance for staff about the increased security risks and the importance of protecting information on computers; locking offices and locking away unused equipment; and searches of bags and cars on leaving the premises.

As call centres will be more active than usual more guidance is required on the need to follow verification and information security requirements; guidance on transferring calls if the conversation is complex; routing of complex cases to more experienced staff; and information on how to answer commonly asked questions.

Substantial amounts of mail may still be received at offices where staff numbers are reduced, resulting in delays in processing documents. Storage of unprocessed mail may involve distinguishing between general and tax sensitive communications. Taxpayers should be advised to communicate electronically for routine matters without disclosing sensitive information. More secure locations may need to be found for storage of unopened mail.

Staff Working from Home

Where staff are working from home there is an increased risk of disclosure of tax relevant information to third parties such as family members. This may occur if personal information is worked on when non-government employees are present. The use of voice-activated assistants may also increase the risk of unintentional disclosure.

Guidance on home working should be issued and staff should be asked to perform a risk assessment of their remote working environment and complete checklists on security requirements. Advice could be given in relation to anti-spy screen protection, use of headsets, secure methods of disposing of confidential information and the risks of virtual assistants and of leaving devices unattended. Dealing with phishing attempts, junk and spam mail and reporting suspicious mail is also important.

Dangers arise from the use of insecure networks or applications as home networks may not have the same levels of security in the form of firewalls or network intrusion detection as the office systems. Guidance should be provided on protecting home networks, and passwords and verifications procedures should be strengthened. Potential security problems with non-government applications such as video conferencing should be the subject of guidance.

Risk of Fraud

Owing to the increased privacy and disclosure risks, and the potential for misinformation and confusion in the new situation, the risk of fraud is likely to substantially increase. There will be reduced controls in place and compliance and enforcement activity may be lower than usual.

The risk of identity fraud, where data on individuals or businesses is wrongfully obtained and used, will increase as data security will be more difficult to maintain. There will also be more risk of tax fraud as information may be intentionally falsified to reduce payments or obtain refunds. There will also be a greater risk of fraudulent behaviour by staff or other parties within the tax administration.

Tax administrations must remind individuals and businesses of the penalties for false declarations and may need to promote whistle-blowing opportunities. Administrations will also need to set up internal fraud risk assessments, increase checks required when paying out funds to taxpayers, and ensure that internal control and audit trail checks are conducted.