HMRC has updated the security guidance it has made available to tax agents. It has added the following paragraphs explaining what will happen if HMRC considers that an agent’s password has been compromised:
'Each year, a very small number of tax agents' credentials are compromised, potentially leading to fraudulent activity and significant financial loss to the Exchequer. HMRC continually monitors this, and intervenes directly to support the agents affected and get them back to normal secure business with the department.
'A key part of the procedure to reinstate an agent's credentials is changing the agent's passwords. Where agents do this for themselves, it causes no interruption to their business with HMRC, but if HMRC has to do it for an agent, the agent can be 'locked out' of their accounts for a period of up to seven days. For this reason, as part of supporting agents who have been affected, HMRC helps and encourages them to change their own passwords, and the vast majority do so easily and promptly.
'There are however a small number of compromised agents who fail to change their passwords when asked, leaving them vulnerable to further fraudulent activity and the Exchequer to further financial loss. In these cases, HMRC will in future ultimately change the password directly, leading to the 'lock out' consequences set out above. HMRC will only take this action where the agent refuses to change their password, or fails to do so when asked, or where three attempts to make initial contact with the agent have been unsuccessful. This is clearly something agents would want to avoid, especially if it were to happen close to the 31 January Self Assessment filing deadline.
'HMRC recommends that, for security reasons, agents regularly change their Government Gateway password. This should be undertaken at least once every three months.'