Director ID deadline is approaching

The Government has launched an awareness campaign to help company directors get their director identification number ('director ID') as the 30 November deadline approaches.

A director ID is a unique 15‑digit identifier that a company director will apply for once and keep forever. Director IDs are administered by the Australian Business Registry Services ('ABRS'), which is managed by the ATO. All directors of companies registered with ASIC will need a director ID and must apply by the 30 November deadline (although directors of Aboriginal and Torres Strait Islander corporations may have additional time to apply).Some people may not realise they are directors, so the campaign is targeting those that run small businesses, self‑managed superannuation funds, charities, not‑for‑profits, and even some sporting clubs.

The fastest way to apply is online at abrs.gov.au, and the director ID will be issued instantly once the application is complete. It is free to apply and directors must apply themselves, as they are required to verify their identity (and it is this "robust identification process" that will help prevent the use of false and fraudulent director identities). More information about director IDs, including who must apply, is available on the ABRS website. Feel free to contact our office if you need more information about this but, as noted above, we cannot actually make the application for you.

Why are credits and refunds being offset?

The ATO has reached out to small businesses who may have recently received a letter advising that they have a debt on hold and any credits or refunds would be offset against this debt.

As a result, such a small business may find that their refund or credit is less than expected. The ATO has advised that this process of offsetting refunds or credits temporarily paused due to the pandemic and its financial impact on taxpayers. However, the ATO has restarted offsetting refunds and credits to pay off debts on hold since June 2022. The ATO also sent out 'awareness letters' to some not-for-profits and individuals in September 2022, similarly advising them they had a debt on hold and any credits or refunds would be offset against this debt.

Taxpayers can use Online services for business to search for debts that were previously put on hold and not included in their account balance. A debt on hold remains payable and collection action may recommence if:

• the taxpayer's circumstances change, and the ATO has reason to believe they are now able to pay the debt;
• the taxpayer agrees to pay their debt; or
• the taxpayer has a refund or credit balance which will automatically be offset to their debt on hold.

ATO advice for SMSFs thinking about investing in crypto assets

The ATO recommends that trustees of self-managed super funds ('SMSFs') thinking about investing in crypto assets should seek professional advice from a licensed financial adviser. There are organisations who offer trustees help to set up a fund or use their existing fund to invest in crypto assets. However, the ATO notes that some of these organisations are not licensed to provide financial advice, which means the usual consumer protections and access to the Australian Financial Complaints Authority ('AFCA') are not available for using these services. There are many things to consider before deciding to invest in crypto assets, so it's important to get it right, especially since trustees are ultimately responsible for ensuring the investment complies with the super and tax laws. When investing in crypto assets, trustees must ensure it is allowed under the fund’s trust deed, is made in accordance with the fund’s investment strategy, and the trustee has considered the level of investment risk given the highly volatile nature of the investment. From a regulatory perspective it's important that:

The crypto assets are owned by the fund and are held separately from the trustee's own personal or business assets. This means the fund must have its own digital wallet, separate to any used by the trustee for personal or business purposes.

• The investment is valued at market value in line with the ATO's valuation guidelines.
• Any crypto assets that a member or related party hold personally are not sold to the fund or transferred to the fund as a contribution.
• The investment is consistent with the sole purpose test, and does not involve the giving of financial assistance to a member.

Check that holiday employees get the right super

The ATO is reminding employers that the holiday season is fast approaching, and that their holiday casuals may now be eligible for super. From 1 July 2022, employers need to pay super for employees at a rate of 10.5%, regardless of how much they are paid, because the $450-per-month threshold for super guarantee ('SG') eligibility has been removed. This change doesn’t affect other eligibility requirements for SG. In particular, workers who are under 18 still need to work more than 30 hours in a week to be eligible.

For example, Anish is a 17-year-old employee working a job at a hotel over the holiday season. Anish works 32 hours in a week at the hotel and earns $800 before tax. He also works 5 hours at his local café, earning $150. As Anish worked more than 30 hours in one week at the hotel, his employer will need to pay him super on the $800 earned. However, as Anish works less than 30 hours a week at the café and is under 18, he is not entitled to super from this employer.

The ATO recommends that employers check their payroll and accounting systems are up to date so they are correctly calculating their employees' SG payments, and that registered tax agents and BAS agents can help with their tax and other obligations.

Optus data breach

The ATO is aware of the recent Optus data breach and that people who have been affected might be concerned about their personal data, and is assuring people that ATO systems have not been affected by the Optus data breach. The ATO recommends that anyone who thinks they have been affected by the Optus data breach should contact Optus Customer Service on 13 39 37.

Information for those caught up in the data breach is available from the Australian Cyber and Security Centre at cyber.gov.au. The ATO also reminds the community that it is important to always be vigilant for suspicious activity. The following tips can help protect accounts and keep personal information safe:

• Use multi-factor authentication for accounts where possible.
• Be careful when clicking on links and providing personal information.
• Make sure contact details are up to date when using online services.

Can you prevent a hack?

In the wake of the Optus data leak, legislation before Parliament will lift the maximum fine for serious or repeated breaches of the Privacy Act from $2.2m to up to $50m. But there are no guarantees that even the strongest safety measures will prevent an attack. So, what does that mean for business and their customers? Legislation before Parliament will lift penalties for serious or repeated privacy breaches, provide new powers to the Australian Information Commissioner, require entities to provide detailed data to the Information Commissioner to assess public risk, and give the regulator greater information sharing powers. In a statement, Attorney General Mark Dreyfus said, “When Australians are asked to hand over their personal data they have a right to expect it will be protected.” But the question is, can any business claim that customer data will be protected from hackers? If a customer needs to disclose their personal information to your business to work with you, at the point the data is collected, your business is the custodian of that data. A duty of care exists from the moment the data is collected to the point the information is no longer required and destroyed.

The Privacy Act requires organisations to take “reasonable steps” to protect the data collected. ‘Reasonable’ steps “requires the existence of facts which are sufficient to [persuade] a reasonable person.” That is, in the event of a data breach, the business will need to prove the steps they have taken to protect client data. 

Lessons from RI Advice

Australian Competition and Consumer Commission v RI Advice Group Pty Ltd was a landmark case. While specific to the obligations of an Australian Financial Services License (AFSL), it demonstrates that ASIC are willing to pursue not just companies that breach their duty of care but the directors and officers involved. RI advice is a financial services company that, through its AFSL, authorised representatives to provide financial services. As you would expect, as part of providing financial services, the authorised representatives received, stored and accessed confidential and sensitive personal information. Between June 2014 and May 2020, nine cybersecurity incidents occurred at practices of RI Advice’s Authorised Representatives. Enquiries following the incidents revealed:

• Computer systems which did not have up-to-date antivirus software installed and operating
• No filtering or quarantining of emails
• No backup systems or back-ups being performed; and
• Poor password practices including sharing of passwords between employees, use of default passwords, passwords and other security details being held in easily accessible places or being known by third parties.

RI Advice took steps to manage their cybersecurity introducing a cyber resilience program, controls and risk management measures for its representatives including training, incident reporting, and contractual professional standard terms, but by its own admission, it took too long to implement. RI Advice was ordered to pay $750,000 towards ASIC's costs. Handing down the decision Justice Rofe said, “It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level.”

Scams and how to avoid them

I got a text the other day “Hi Mum, I have broken my phone and I am using this number.” The “Hi Mum” scam has exploded with more than 1,150 Australians falling victim to the ploy in the first seven months of 2022, with total reported losses of $2.6 million. Once the scammer establishes contact, they start requesting money for an urgent bill or a replacement phone etc. For those with children or dependant family members, it is not that hard to believe. According to the Australian Consumer and Competition Commission (ACCC), two-thirds of family impersonation scams were reported by women over 55 years of age.

Another common scam is the lost or unable to deliver package texts and voicemail. With Christmas just around the corner, we can expect to see another escalation of this scam where tracking links purportedly from Australia Post, Toll, or Amazon etc., are used to instal malware. Once accessed, the malware will access your contacts and spread the malware and potentially access your personal information and bank details.

In July, the Australian Taxation Office (ATO) reported a new wave of ‘Tax refund SMSF scams’. The texts purported to be from the ATO stating that the individual had a tax refund and to click on the link and complete the form. Another scam purporting to be from the ATO advised that the recipient was suspected of being involved in cryptocurrency tax evasion and requested that they connect their wallet. At which point the wallet was accessed and any assets stolen.

The ACCC’s Targeting Scams report states that in 2021, nearly $1.8bn in losses were reported but the real figure is likely to be well over $2bn.

The largest combined losses in 2021 were:

• $701 million lost to investment scams with 2021 figures significantly increased by cryptocurrency scams - more scammers are seeking payment with cryptocurrency and losses to this payment method increased 216% to $84 million.
• $227 million lost to payment redirection scams.
• $142 million lost to romance scams.

Protecting yourself from scams

• Help educate older relatives. The over 55s are the most likely to fall victim to a scam.
• Always use the primary website or app of your suppliers not a link from a text or email.
• Don’t click on links from emails or text messages unless you are (absolutely) certain of the source. For email, if the sending email domain is not clear or hidden, hover over the name of the sending account to check if the email is from the company domain.
• For Government services, use your MyGov account. Any messages to you from the ATO or other Government services need will be published to your MyGov account. Never click on links purporting to be from a bank, ATO or Government department.

Protecting your business from scams

Payment redirection scams, where the email of the business is compromised, caused the highest reported level of loss for business in 2021 at a combined $227 million. Payment redirection scams involve scammers impersonating a business or its employees via email and requesting an upcoming payment be redirected to a fraudulent account. In some cases, scammers hack into a legitimate email account and pose as the business, intercepting legitimate invoices and amending the bank details before releasing emails to the unsuspecting business. Other times, scammers impersonate people using a registered email address that is very similar to one from a legitimate business.

• Educate your team about threats and what to look out for, the importance of passwords and password security, and how to manage customer information. Phishing attacks, if successful, provide direct access into your systems.
• Ensure staff only have access to the business systems and information they need. Assess what is required and close out access to anything not required. Also assess how customer personal information is accessed and communicated. Personal information should not be emailed. Email is not secure and it is too easy for staff to inadvertently send data to the wrong person.
• No shared login details or passwords.
• Complete a risk assessment of your systems and add cybersecurity to your risk management framework.
• Develop and implement cyber security policies and protocols. Have policies and procedures in place for who is responsible for cybersecurity, the expectations of staff, and what to do in the event of a breach. Your policies should prevent shadow IT systems, where employees download unauthorised software.
• Understand your organisation’s legal obligations. For example, beyond the Privacy Act some businesses considered critical infrastructure such as some freight and food supply operations are subject to the Security of Critical Infrastructure Act 2018. This might involve small businesses in the supply chain.
• Use multifactor authentication on your systems and third-party systems.
• Update software and devices regularly for patches
• Back-up data and have backup protocols in place. If hackers use ransomware to lock your systems, you can revert to your backup.
• If customer data is being shared with related or third parties domiciled overseas, ensure your customer is aware of where their data is domiciled and your business has taken all reasonable steps to enforce the Australian Privacy Principles. Your business is responsible for how the overseas recipient utilises your customer’s data.
• Only collect the customer data you need to provide the goods and services you offer.
• Ensure protocols are in place for accounts payable.
• Don’t forget the hardware – laptops, computers, phones.

Taxing fame: The ATO’s U-turn

Sportspeople, media personalities, celebrities and ‘insta’ influencers beware. The ATO has taken a U-turn on how fame and image should be taxed. If you’re famous and make an income from your fame and image, the way the ATO believes you should be taxed on the income you make may change under a new draft determination set to take effect on 1 July 2023. It is not uncommon for celebrities to attempt to transfer the rights to the use of their name, image, likeness, identity, reputation etc., to a related entity such as a company or trust. This related entity then manages these rights, generating income from exploiting their fame and image. For example, where a media personality’s image is used on product packaging. One of the aims of arrangements like this is to enable the income to taxed in the entity at a lower rate of tax or to be distributed to related parties who might be subject to lower tax rates.

What will change?

The new draft determination (TD 2022/D3) deals specifically with the rights to use a celebrity’s fame and image. The ATO’s argument is that the individual doesn’t have a proprietary right in their fame, which means that attempting to transfer the right relating to their fame to another entity would not be legally effective. That is, you cannot separate the fame from the individual, it vests with the individual regardless of any agreements put in place. As a result, any income relating to an individual’s fame or image that is received by a related entity is treated as if it was simply being collected on behalf of the individual and should be taxed in the hands of that individual. 

If the related entity isn’t deriving income in its own right then it would be much more difficult for the entity to claim a deduction for expenses that it incurs. The ATO’s updated approach doesn’t apply to situations where the individual is engaged by a related party to provide services. For example, if a celebrity is booked by a related entity to attend a product launch or promotional event the fees paid by the third party can potentially be treated as income of the related entity for tax purposes. However, in situations like this it is important to consider the potential application of the personal services income rules and the general anti-avoidance rules in Part IVA. The ATO’s general position is that income relating to the personal services of an individual should ultimately be taxed in the hands of that individual.

While the ATO’s new position will apply retrospectively and to income derived in future, the ATO indicates that a transitional approach will apply if the taxpayer entered into arrangements before 5 October 2022 that were consistent with the safe harbour approach that was set out in PCG 2017/D11. In these cases the ATO’s new approach will apply to income derived from 1 July 2023.

How high will interest rates go?

Low interest rates have been a mainstay since the global financial crisis of 2008. When the pandemic hit, Governments pushed stimulus measures through the economy and central banks reduced interest rates even further. Coming out of COVID, housing market demand was strong and prices boomed but at the same time, supply chains remained restricted and the problems amplified by geo-political tensions increasing input costs. Supply could not keep up with demand to support the recovery, pushing inflation higher and broader than expected for a longer period of time. To control inflation, central banks have responded by tightening monetary policy and lifting interest rates. But the good news is that inflation is likely to ease.

Inflation in the US has started to decrease from a high of over 9% in June 2022 to 7.7% in October, suggesting that interest rates may not rise as high and as aggressively as expected. Similarly in Australia, the Reserve Bank of Australia (RBA) Board raised the cash rate by 0.25% to 2.60% at its October 2022 meeting, a lower increase than many expected. The lower than expected rise suggests that inflation pressures, particularly wages growth, will be more subdued in Australia than overseas. Comparatively, Australian households are more sensitive to interest rates with more than 60% of mortgages variable rate loans. This is unlike the US where most borrowers are on 30-year fixed loans.

The increase in interest rates is starting to take effect helping to restore price stability. However, in its statement, the RBA said that it will be a challenge to return inflation to 2-3% while at the same time “keeping the economy on an even keel”. It concluded the path to achieving this balance is “a narrow one and it is clouded in uncertainty”. In housing, the correction in house prices deepened and broadened across Australia, with capital city prices falling by 1.4% in September 2022, rounding out a 4.3% decline over the third quarter. Housing finance approvals also continued to mirror the broader correction to date, with further declines across investor and owner-occupier loans.

So, where does all of this leave us? Inflation will stay higher for longer than originally anticipated. As a result, interest rates are expected to continue to increase, albeit at a slower rate, with the RBA resetting their view along the journey. Economists are predicting that the cash rate will increase to somewhere between 3.10% and 3.85% in the first half of 2023 and then remain stable until early 2024 before RBA policy pivots and interest rates lower in early 2024. Canstar analysis suggests that a 3.85% cash rate translates to an average variable rate of 6.73%. The difference between a 5.73% variable rate mortgage and 6.73% is $650 per month on a $1 million, 30 year mortgage. 

IMPORTANT: This communication is factual only and does not constitute financial advice. Please consult a licensed financial planner for advice tailored to your financial circumstances.  Please also note that many of the comments in this publication are general in nature and anyone intending to apply the information to practical circumstances should seek professional advice to independently verify their interpretation and the information’s applicability to their particular circumstances. Should you have any further questions, please email us at RGA Business and Tax Accountants at reception@rgaaccounting.com.au . All rights reserved. Brought to you by RGA Business and Tax Accountants.