The Canada Revenue Agency and its corporate ancestors have a well-deserved reputation for helpful e-government solutions. Canadians may not be cheerful when they file their tax returns electronically — as millions do every year — but they are confident that the process will be efficient and their personal information will be secure. Now CRA is extending that ease of use to include the large number of people who rely on others to prepare and submit their tax returns.
As Adrian Raghunandan, a CRA Senior Programs Officer with the Authentication Management Services group, told a session at this year’s Lac Carling Congress, the Agency’s initiative will offer a common approach to authentication and authorization for third parties accessing CRA programs and services that are or will be available online — on behalf of a client.
Right now, only individuals are authorized to use online CRA services such as My Account and Address Changes Online. The authorization of third parties is only done through a paper-based process, and there is no online method for representatives to authenticate and carry out transactions on behalf of clients From a paper-based process, the Agency is now moving towards an electronic form of third-party authentication, registration and authorization, offered as an online service. Representatives will be able to authenticate and register, clients will be able to authorize representatives, and representatives will be able to transact business on behalf of their clients.
The objective of the project is to provide secure, simple, flexible, client-controlled access by authorized representatives of CRA clients (both individuals and business) to CRA’s online services deployed on Secure Channel (SC), consistent with a multi-channel service approach. As a Catalytic Project, it will drive real integration across departments, channels and jurisdictions. The agency is taking a phased approach to ensure success. The first phase, for CRA clients who need help with individual tax matters, will occur in 2005. Those clients will be able to go online and authorize representatives to act on their behalf — people like relatives, neighbours and accountants. Businesses will follow in 2006. With this infrastructure in place, the door opens to wide-scale business authentication and delegations for businesses, enabling e-commerce between businesses and the federal government.
Businesses acting for their clients will be able to register both their firms and its employees as representatives, giving clients the flexibility to name the entire firm or one or more of its employees as their representative. A representative will authenticate, get an ePass, register with CRA and receive a RepID (representative identifier) that he/she provides to the individual. Getting an ePass and registering as a representative are activities that will typically occur one time only.
Individuals who wish to appoint representatives to act on their behalf go through a similar process to identify themselves to the agency before filling out the form that authorizes their representative. The individual will authenticate, get an ePass, then identify the representative using the RepID provided by the representative and finally authorize that representative. The individual will be able to designate an entire firm to represent him or her, or designate individuals working for the firm. Once authorized, the representative is ready to operate on behalf of the individual. Again, getting an ePass and authorizing a representative are activities that usually happen just once.
CRA consulted with the tax services industry before developing its third-party system, and the model was focus tested across the country. One of the strengths of the system is that individual users will be authenticated and recognized to CRA, allowing the agency to know who it is dealing with at all times. This promotes assurance and confidence in the system. The process is neutrally designed, making it adaptable by and therefore portable to business programs and other jurisdictions. However, other government departments and jurisdictions using an adapted third-party process will use different program data and identifiers for authentication, and different program data for authorization.
Richard Bray (firstname.lastname@example.org) is an Ottawa-based freelance journalist specializing in high technology issues.