Practitioners and taxpayers are using the secure online portals offered by the CRA more frequently, which is why the CRA was asked to provide some best practices for using them. We've summarized the CRA's recommendations below and included other suggestions for electronic communication from member firms for you to consider in your practice.
Avoid reusing passwords from other systems to access CRA portals.
You and your clients should use unique usernames (where possible) and unique passwords for bank accounts, CRA portals, and other web-based services that store sensitive personal data. The federal government has also published a list of easy and helpful ways to keep passwords safe that you might consider using. For instance, passwords must:
Log in to CRA portals with secure connections.
Be careful when you sign in to websites that contain sensitive information, such as the CRA's online portals, over networks or on devices that are not secure. This helps keep your data transmissions safe. Secure connections help to reduce the risks.
Allow email notifications in My Account.
This service notifies taxpayers by email when their address or direct deposit details are modified. Clients who receive these notifications but haven't authorized any change should notify the CRA immediately.
Monitor My Account.
Your clients and staff members should check My Account for any unauthorized changes or unusual activity. For staff members, keeping an eye on their own My Account is important because suspicious activity could affect their access to both My Account and RAC.
Choose RAC access levels with care.
Your firm should have guidelines on the levels of RAC access granted to various staff members. Users with Level 2 or 3 access can access and edit data; therefore, you should limit that access to those who need it to perform their job. This is particularly important for business accounts, where this access includes the ability to move payments between programs or between years within a program.
Remove former employees and partners from RAC.
Your firm should have an internal departure procedure or checklist that includes removing employees, partners, and other personnel from RAC when they leave, so that they do not retain access to clients' personal information. You should also regularly review the employee roster within RAC to make sure that everyone who has left the firm has been removed and that no additional people have been added by accident.
Make sure that clients authorize your firm, not individual members of your firm.
When you ask your clients to sign a representative authorization, ensure that they authorize your firm using its business number or a RAC group ID (if your firm uses this option). If a client authorizes an individual member of your firm through that member's RepID, you may lose online access for the client if that member leaves the firm.
Don't rely too heavily on RAC for your client documents.
The CRA's online services are an excellent source of information; however, they shouldn't be used to replace properly documented client files. Keep in mind that if you are removed as an authorized representative, you won't be able to access the most important elements of a tax filing, such as notices of assessment. It is therefore recommended to keep copies of these important items in your firm's client files. Access to these documents can be crucial in the event of a disagreement or dispute with a client.