Practitioners and taxpayers are using the CRA's secure portals more frequently, which is why the CRA has provided some guidelines for using them. We've summarized the CRA's suggestions below, along with other suggestions for electronic communication from member companies for you to consider in your practice.
Avoid reusing passwords from other systems to access the CRA.
You and your clients should use unique usernames (where feasible) and unique passwords for bank accounts, CRA portals, and other online services that hold sensitive personal data. The federal government has also published a list of easy and helpful methods for keeping passwords secure that you should consider using. For example, passwords can:
Log in to CRA portals with secure connections.
Be cautious when logging in to websites that hold sensitive data, such as the CRA's portals, over networks or on devices that are not secure. Secure connections help keep data transmissions safe and reduce the risks.
Enable email notifications on My Account.
The service alerts taxpayers by email whenever their address or banking details are changed. Anyone who receives such an alert but has not authorized any changes should notify the CRA immediately.
Monitor My Account.
Your employees and clients must be sure to check My Account for any unauthorized changes or unusual activity. For employees, monitoring their own My Account is essential, since suspicious activity may affect their access to both My Account and RAC.
Choose RAC access levels with care.
Your company should have guidelines governing the level of RAC access permitted to each staff member. Users with Level 2 or Level 3 access can both view and edit data, so you should restrict that access to the employees who need it to perform their jobs. This is particularly important for business accounts, where funds can be transferred between programs or between years within a program.
Remove former employees and partners from RAC.
Your firm must have an internal departure procedure or checklist for removing employees, partners, and other personnel from RAC after they leave your company, to ensure that their access to personal information is not re-established. It is also important to review the employee roster in RAC regularly to make sure that former members of your firm have been removed and that no additional people have been added accidentally.
Make sure that clients authorize your company and not individual members of the firm.
When you ask clients to sign a representative authorization, make sure they authorize your company using your business number or a RAC group identification number (if your company has this option). If a client authorizes an individual member of your company through that representative's RepID, you may lose online access for that client if the person leaves the company.
Don't rely too heavily on RAC to document your client files.
The CRA's online services can be a valuable source of information, but they should not replace properly documented client files. Be aware that if you are removed as an authorized representative, you will no longer be able to access the most important elements of a tax filing, such as notices of assessment. You must therefore keep a copy of these essential elements in your firm's client files. Access to these documents can be crucial in the event of a client dispute.