The Canada Revenue Agency (CRA) is continually looking to improve service delivery and regularly receives feedback on its services. The Agency has heard from its clients that it can be challenging to remember multiple usernames and passwords, especially as organizations require users to create more complex passwords.

In support of the Pan-Canadian Trust Framework, the CRA, as part of the federal government, sought provincial partnerships to be able to leverage their provincial digital IDs. This allows citizens to use their provincial credentials to access CRA services instead of having to create another username/password.

As provinces are the issuers of foundational documents (e.g. birth certificates, health cards, driver’s licenses, etc.) with in-person services, they are well placed to identity proof individuals.

The CRA is currently partnered with the province of British Columbia (BC). From February 2020 to December 2021: 223 107 individuals (unique users) have used their BC Services Card credentials to sign-in to CRA’s secure portals, representing close to 2 million sign-ins (1 976 674). As additional provinces establish digital identity programs, the CRA will explore future partnerships.

The State Taxation Administration (STA) is building a national network to provide a secure and consistent digital identity, laying a solid foundation for smart taxation. Based on legal identity and a national authoritative authentication source, the digital identity connects legal persons and natural persons handling tax related business on behalf of enterprises. This is done through confirmation by both parties, and covers all taxpayers, and supports accurate services and management of taxpayers.

Over 80% of taxpayers use an approved digital identity to access secure digital services offered by STA including comprehensive information reporting, tax declaration and payment, certificate issuance, tax refunds, tax administrative licenses and other tax issues. Taxpayers are also allowed to authorise third parties to represent businesses and access secure digital services.

With the digital identity, the scope to save costs is increased as taxpayers only need to register in one place. This can then be recognised in other places, and the digital identity can also connect identities via across devices, and applications. It also provides the ability to allow taxpayers to choose a variety of authentication and login approaches, such as Short Message Service (SMS), ID card, digital certificate, and face recognition.

With the continuous development of the national network of digital identity, it will further provide unified and authoritative identity services for all taxpayers and tax officials to facilitate smooth progress of the digital transformation of the People’s Republic of China's tax collection and administration.

From 2021 taxable persons, who are not established, have no habitual residence, or have no permanent establishment in Georgia are obliged to register and pay VAT if they are engaged in the supply of digital services. Digital services include telecommunication, radio or television broadcasting and electronically supplied services.

To support this, the Georgia Revenue Service (GRS) designed a special platform, VAT Portal on Digital Services, for a simplified registration and reporting process. While developing this new measure, GRS studied international practice in the taxation of digital services and consulted with Business at OECD (BIAC). The VAT portal is therefore a product of intensive communication with stakeholders who contributed their experiences and views in developing simplified registration and reporting systems for VAT payers. Tax can also be paid in both Georgian Lari and foreign currencies (USD or EUR) which can be selected at the time of the registration on the VAT portal.

The Swedish Tax Agency’s risk-evaluation service for business registration applications was launched in May 2021. This AI-based service categorises applications based on a set of established risk factors, and applications are then processed in different ways, depending on the category assigned.

The Swedish Tax Agency receives about 300 000 applications per year. About 70% of applications to register a business in Sweden are completed digitally, and approximately 95% of these digital applications are entirely automated.

Previously, the categorisation process was manual and very time consuming. After less than one year in operation, the first version of the risk-evaluation service has already yielded a solid return on investment with business registration process shortened by up to six days and a cost reduction of SEK 28 million (approximately 16% of the total cost of the business registration process).

Further developments took place during 2021, including the introduction of risk-evaluation support for paper-based applications for business registration. In early 2022, robotic process automation (RPA) was introduced for low-risk applications. So far, about 450 applications per week – a total of 1 300 – have been processed using RPA, further contributing to the benefits.

Sources: Canada (2022), China (People’s Republic of) (2022), Georgia (2022) and Sweden (2022).

The development and implementation of the RUT system (Single Tax Registry), is a result of the collaboration between the Federal Administration of Public Revenue and the provincial collection agencies to improve, simplify and modernize the actions that taxpayers have to take to fulfill their tax obligations. In addition, it guarantees a higher quality of information for all Argentine tax administrations.

Previously, taxpayers had to register and maintain data in several different registries. The loading of the same data in completely different registries resulted in a loss of time for the taxpayer, and multiple errors and inconsistencies across the databases. This meant it was very difficult to conduct cross-validations between agencies.

Now, through a block chain, the data from the Federal Registry is shared in almost real-time with the participating agencies. The benefits of this federal tool are that the taxpayer does not have to upload the data to several tax administrations, leading to higher quality data which adheres to the principle of uniqueness of the data. This is also leading to a reduction in the administrative management time in the event of errors and/or inconsistencies.

See Annex 3.A for supporting material.

The Australian Government’s Digital Identity Program aims to make it easier for Australians to securely access Government online services. The Australian Tax Office (ATO) was responsible for delivering myGovID and part this was the ability to determine that a photo taken by a user of the myGovID app is of a true and live person. With user consent, the image captured is used to undertake a one-to-one match with an existing photo of the user on a stored identity document held by the Australian Government, for example a passport using the Government’s Face Verification Service. Once the match is complete the image used in the myGovID app is deleted and is not stored.

This significant improvement in Digital Identity authentication enables individuals to apply for and automatically receive a Tax File Number from the ATO or Customer Registration Number from Services Australia, allowing access to services online and in real-time. Previously, individuals needed to attend an office in person, undertake an interview and wait to receive their notification via mail. Other benefits include a reduction in the occurrence of fraud and to the burden on contact centre operations.

As a result of the digital ID programme, government agencies have seen a reduction in call volumes and manual processing and the ability to re-use functionality to streamline services. Benefits to taxpayers have been significant during the COVID-19 pandemic as they have been able to easily access government stimulus support measures, anywhere, anytime, without the need to attend an office or endure delays due to processing times.

In 2016, the Italian Revenue Agency has introduced the possibility for taxpayers to access the pre-filled income tax return using the Public Digital Identity System (SPID). In 2018, access via SPID was extended to all services provided in the “reserved area” of the Revenue Agency. From 2021, in addition to SPID, taxpayers may also use Electronic Identity Card (CIE). This means that, all citizens, including those authorized to operate on behalf of legal persons, can now access the “reserved area” through SPID and CIE credentials.

This means for example that SPID allows the registration of leasing contracts, the consultation of electronic invoices, the submission of pre-filled income tax returns, as well as the submission of documentation necessary to solve irregularities notified to taxpayers.

See Annex 3.A for supporting material.

The Dutch Government’s Digital Identity Program is exploring solutions for giving citizens and businesses highly secure digital identities as well as more control over their (personal) data. As a contributor to this program, the Netherlands Tax Administration (NTA) found two main concepts for SSI based solutions:

• The first concept is based upon a Digital Identity Wallet that supports functions that include: secure access, digital signing and mandate services, and real-time data management. The first working prototype provided a validated statement of income to a citizen that can be shared at their own discretion with several (private) service providers. The conclusion was SSI can support easier tax services, enhance privacy and transparency and reduce the need for reporting and auditing.

• The second concept is a Legal Entity Wallet; the NTA participated in a proof-of-concept exercise ‘Digitally starting an Enterprise’. The concept has been worked out through every step from the civil-law notary to establishing the wallet, registration at the Chamber of Commerce, the NTA issuing the VAT number ID and the opening of a bank account. The ‘enterprise wallet’ provides more certainty in the proceedings and is used to collect and share verifiable credentials. NTA expects more tax related services can be added to this wallet, creating a brand new channel of interaction.

Sources: Argentina (2022), Australia (2022), Italy (2022) and the Netherlands (2022).

In response to increasing cyber-attacks, the CRA enhanced its security with the introduction of multi-factor authentication (MFA) to the 14.6 million online account holders. Initially, MFA was implemented only allowing for one-time passcodes to be issued by SMS or through a voice message to those with a North American phone number.

Once implemented, it became clear that this MFA solution did not fit all users. CRA received feedback from segments of the taxpayer population, such as those without a phone, those with only international phone numbers and business communities. The CRA held further dialogue with its stakeholders to understand their challenges and barriers.

As a result of these discussions, the CRA developed a supplementary non-phone method of MFA, the passcode grid (PCG). The PCG is a printable, randomly generated grid of characters, similar to a bingo card. For those that choose this method, users are prompted for the characters from various coordinates on this grid at each login.

With the implementation of this enhancement, the CRA is able to retain a strong security position but also respond to user needs such that all Canadians are well served. With the addition of the PCG, the CRA was able to achieve its security goals and adopt mandatory MFA for 100% of its users.

E-mail phishing has been recognised as a constantly evolving security threat in the Finnish Tax Administration (Vero). Since phishing can potentially affect all staff, Vero has started to use automated, gamified phishing simulations to make staff more resistant to phishing attacks.

The awareness program teaches users to identify and report malicious e-mails. The training does not require much time. On average, users receive a simulation e-mail every other week, taking 3-5 minutes of their time. Simulations are sent directly to users' inboxes, users report them and receive a micro training in the portal if they wish. As staff members can never know which emails are part of the training and which are genuine, the simulations make security awareness a part of everyone's daily work life thus keeping them alert at all times.

In practice, users are asked to report all suspicious e-mails via a simple reporting button, available upon installing in their Outlook programme. The threshold for reporting is very low, and the game develops with the users: the more e-mails you report, the harder they become for you to identify. Using the same reporting button for all suspicious e-mails helps Vero catch genuine phishing as well as train the staff.

The automated gamified phishing simulation tool has proven to be very effective, with Vero successfully catching real threats due to early reporting. Furthermore, as the tool takes care of the content of the simulation messages, so Vero does not have to use much time or other resources to create new material.  

In 2021, the Internal Revenue Service (IRS) accelerated the development and launch of Secure Access Digital Identity (SADI) as a new online identity verification platform for accessing self-help tools on the IRS.gov website. SADI was designed and implemented as the next generation identity proofing solution to improve taxpayer access to IRS online services while also meeting digital identity guidelines established by the National Institute of Standards and Technology.

This new process is revolutionising how the IRS identity proofs and authenticates taxpayers by implementing a federated approach to authentication that includes working with a third-party Credential Service Provider (CSP). CSPs are trusted technology providers that conduct identity proofing and credential management services for access to digital services, now including IRS online tools. This federated approach allows taxpayers to access applications across different, participating agencies using a single set of credentials trusted by multiple parties. It also extends access to more users by offering an expanded set of documents to verify identities, as well as offering improved help desk services and support for multiple languages.

The IRS is in the process of migrating all online protected applications behind the modernised SADI platform. From 21 June 2021 through 31 December 2021, 5.9 million taxpayers successfully created their SADI credentials, which accounted for 23.1 million online sessions, making this IRS program the largest digital identity federation in US history.

Sources: Canada (2022), Finland (2022) and the United States (2022).

To help taxpayers protect their personal and tax information, the CRA recently introduced a new digital two-step verification process to confirm the authorization of third-party representatives in its digital portals. This change made it easier for individuals and businesses to confirm who can access their personal and tax information and help them play an active role in protecting this information. Whether the taxpayer is an individual or a business, they can now confirm third party requests for access to their personal and tax information by signing in to the secure portals, without waiting for a confirmation call from the CRA.

For all but a few exceptions, this innovative process saved the CRA from having to contact individuals and businesses by telephone to verify requests for authorizations received, saving time and resources on the part of both the CRA and its clients. With this new process, individuals and business owners can confirm the requests on their own time and representatives are able to track the status of their requests online.

Before the process was implemented, additional staff needed to be hired and trained to handle the number of confirmation calls that needed to be made. Since its implementation, the amount of confirmation calls required have decreased by 88% (or 5 278 total calls made since implementation versus 42 314 calls over the same period last year).

Source: Canada (2022).