Breach reporting changes ‘coming home to roost’, says IPA
The professional body is seeing a rising influx of inquiries and practical issues emerging from the significant breach reporting obligations.
The Institute of Public Accountants is seeing a steady increase in questions and inquiries relating to the significant breach reporting obligations, with the obligations having been in place for six months now.
The significant breach reporting obligations require registered tax practitioners to notify the Tax Practitioners Board about significant breaches that occurred on or after 1 July 2024.
All breach notifications must be reported within 30 days of the day a practitioner first has reasonable grounds to believe there has been a significant breach of the code.
Tony Greco, IPA general manager of technical policy, said: "We're getting lots of calls already [about those obligations], such as 'do I have to dob in this other practitioner, I've just taken on a new client?' That one is coming to roost now all the time as we expected."
Breach reporting has created its own nuances, Greco added, particularly where clients move around between accounting firms or where a practitioner hears something in a discussion group at a conference.
Greco noted that while the breach reporting obligations only apply to breaches that occurred from 1 July 2024 onwards, there can still be issues or confusion about whether they apply where a breach relates to a repetitive behaviour or issue.
There will also be issues where a client has switched accountants and the previous accountant warned them not to do something and the client has done it anyway.
"It could be that the previous accountant had that conversation and the client just said 'No, thank you'."
"That would work in the accountant's favour if the TPB did investigate, but there are those practical issues."
The IPA said that the recent guidance released by the TPB shortly before Christmas should help tax practitioners navigate some of the practical issues with breach reporting.
Greco said accountants will also soon need to contend with the other breach reporting requirements for clients, which will commence from July for smaller accounting firms.
"We're in this new world where we've got governance arrangements that make these things mandatory from both a practitioner perspective and for clients who are reckless and don't want to follow the law," he said.
In some cases, Greco said that even where firms let those clients go, they must decide whether to take the next step and make a notification.
"That's the new world order."
"Self and peer reporting against another registered practitioner is now a mandatory feature of our ever-increasing governance obligations."