What this Practice Statement is about
This Practice Statement sets out our policy on the steps to take where there is suspected fraud [1] affecting a taxpayer by an entity (or entities) other than the taxpayer and not connected with the taxpayer. That is, the steps to take where we have reasonable grounds to suspect that: • the entity who committed the fraud acted without any authority to represent the taxpayer, and • the taxpayer has not contributed to or enabled or benefited from the entity's actions.
This Practice Statement does not apply where the suspected fraud is committed by: • a connected entity (including an authorised representative), or • the taxpayer.
Under our duties of good administration [2] , we must: • maintain the integrity of accounts and ensure they reflect a taxpayer's correct tax position, and • pursue amounts of collectable debt.
'Suspected' fraud does not require a formal finding of fraud. [3]
Suspected unconnected third-party fraud
Possible indicators that a third party may have acted without the taxpayer's authority include: • The taxpayer's personal details have been accessed or stolen and have been reported as stolen. • Lodgment, registration or updates to financial account details appear to have been made by someone other than - the taxpayer, or - someone to whom the taxpayer gave system access. • A financial institution confirms that the account receiving payment is in the name of a third party and transactions show the funds being used by that party. • The account the refund is paid into also receives multiple refunds in respect of different taxpayers.
The following situations are not cases involving suspected fraud by an unconnected third party: • The taxpayer is involved in, contributes to or benefits from the actions of the third party. This includes situations where the taxpayer has facilitated or otherwise enabled the third party's actions. Example 1 A taxpayer has someone lodge a return on their behalf that the taxpayer knows contains incorrect information. The taxpayer was involved in that person's actions and is responsible for them. Example 2 A taxpayer gives a person or entity their myGov login details or mobile phone to lodge a return. The taxpayer contributed to the person or entity's actions and is responsible for them. • A taxpayer provided the wrong account details, resulting in a refund going to that nominated account. Example 3 A taxpayer lodges a return with an incorrect digit in their account details, resulting in the refund being directed into a third party's account. The return of the misdirected payment into the third party's account must be resolved between the taxpayer and the third party. • A taxpayer directs us to pay a refund into an authorised representative's [4] account, and that person fails to pass on the refund to the taxpayer. Example 4 A taxpayer agrees to use an authorised representative's account to receive an income tax refund and updates their details through their return. The authorised representative doesn't pass on the income tax refund to the taxpayer. The authorised representative is a connected entity because it was engaged by the taxpayer. This Practice Statement only covers fraud by entities that are not connected with the taxpayer. This is a private matter between the taxpayer and the authorised representative. • An authorised representative alters the account details of the taxpayer held by us without the taxpayer's knowledge and the taxpayer's refunds are paid into the authorised representative's personal account. The authorised representative fails to pass on the refund to the taxpayer. Example 5 Christina, a sole trader, engages tax agent Alex to complete her activity statement. Christina supplies all the relevant information and signs a declaration authorising Alex to lodge the statement on her behalf. Alex sees Christina is entitled to a refund of $1,000 but alters the statement to increase the amount of refund to $5,000 and lodges it. Alex updates Christina's account details to Alex's own personal bank account. The refund is paid to Alex's personal account. Alex passes the refund amount based on the true information ($1,000) on to Christina but keeps the remainder. As Christina engaged Alex, they are connected entities. This Practice Statement only covers fraud by entities that are not connected with the taxpayer.
Steps in cases of suspected fraud
In a case where there may be fraud, the following needs to be done: • Step 1: Identify the circumstances that may indicate fraud. • Step 2: Arrange additional account protections. • Step 3: Engage Fraud and Criminal Behaviours (FCB). • Step 4: FCB or Frontline Operations (FO) makes finding on whether or not the case is one of suspected fraud and documents that finding. • Step 5: If warranted, undertake corrective actions.
Ask questions and gather information to identify the facts and evidence surrounding the potential fraud. This includes: • how the fraud came about • the nature of any interactions (or relationship) between parties, and • the connection (if any) between the taxpayer and the fraudulent activities.
Where the circumstances and information gathered in Step 1 indicate that fraud may have taken place, contact FO to apply appropriate account protection measures to the account. These may include: • updating authorised contacts and correcting account details • additional security measures to restrict access to online services • adding 'compromised' indicators or account activity suppressions (or both).
In all cases of possible fraud, a report must be made to FCB: see Chief Executive Instruction External fraud (link available internally only).
FCB will determine if cases are suitable for further investigation and prosecution.
FO should also be engaged early to manage the recovery of liabilities, including: • providing strategic advice and assistance during the course of audits or investigations, and • taking recovery action.
FO and FCB must make a finding on whether or not there is suspected unconnected third-party fraud (as defined in paragraphs 1A to 1B and 2A to 2B of this Practice Statement). This is to be done taking into account the facts and circumstances of the case.
The finding must be documented in accordance with business line case decision procedures.
If a finding is made that: • there is suspected unconnected third-party fraud – progress to Step 5, or • there was no fraud, any account protections put in place in Step 2 should be reviewed and, if considered appropriate, removed.
If a finding is made in Step 4 that there is suspected unconnected third-party fraud, consider what corrective actions are warranted. This will be determined on the facts and circumstances of the case by FO. This may include: • either - cancelling lodgments if available, or - facilitating amendments (either taxpayer or Commissioner initiated) to reflect the correct account position – that is, restoring the taxpayer's tax account to the position as if the suspected fraud had not occurred, and • other account actions if appropriate.
Lodgment corrections
We can only 'cancel' a tax return – that is, disregard 'the return', accepting that it has no effect – if an assessment has not yet been made.
An assessment has not been made if: • return processing stops before a notice of assessment is served, or • a company (or another full self-assessment taxpayer [5] ) has an original tax return lodged by an unconnected or unauthorised person. [6]
In those circumstances there is no assessment yet and we can cancel the return. If the taxpayer is required to lodge a return for that period, they must lodge an original return.
In all other circumstances, once an assessment has been served [7] , it is valid at law and cannot be cancelled. [8] Instead, the assessment needs to be amended to correct the tax position.
An activity statement lodgment may be cancelled if there hasn't been a deemed assessment (or amended assessment) and service. [9]
Only an activity statement lodged by the taxpayer or their authorised representative results in a deemed assessment under self-assessment.
However, if we have issued and served a notice of assessment, there is an assessment that cannot be cancelled (regardless of whether there has been suspected fraud). [10] In these circumstances the assessment needs to be amended.
If an incorrect refund amount is identified quickly, or is held in a frozen account, it may be possible to retrieve the funds using the Reserve Bank's electronic funds transfer recall facilities or via arrangement with the financial institution.
If it cannot be retrieved, then consideration can be given as to whether a fraud credit should be placed on the taxpayer's account and if it is, the posting of a recovery of overpayment debit (see paragraphs 4M to 4O of this Practice Statement).
The lodgment correction activities outlined in paragraphs 4A to 4I of this Practice Statement (cancelling or amending) will generally result in a posting of a liability on the taxpayer's account. This liability rests with the taxpayer unless a fraud credit is applied (or the funds are recovered as per paragraph 4H of this Practice Statement).
A fraud credit can only be placed on a taxpayer's account where we are taken to have never paid the taxpayer under the law.
This occurs when we are satisfied that there was unconnected third-party fraud resulting in a refund being paid into an account that does not belong to the taxpayer and the account was nominated by a person who was not authorised by the taxpayer, and the taxpayer did not otherwise contribute to, or enable, the person to make such a nomination.
If we are satisfied that there is unconnected third-party fraud and we know with sufficient certainty who received the fraudulent refund, then we may raise a liability on that entity's account for the amount overpaid. [11] The resulting liability will be subject to our debt recovery process.
If there is uncertainty about the identity of the unconnected third party that received the refund, FO may account for the overpayment on a Miscellaneous Amounts – Administered Account.
If the responsible party is later identified, FO can transfer that liability to that party's account.
More information