In a previous blog I wrote about how governments can save money through passport renewals. Today we look at tax returns.
I still remember the time when returning the yearly tax report involved a trip to the local tax office in Finland, picking up a number, waiting with dozens of others for half an hour or more in a queue and finally getting to speak to the tax officer, as I had some questions about the tax report. Imagine doing this twelve times a year if you were running your own business.
How Companies Used to File Their Taxes
Companies need to turn in their tax reports monthly so that the government can calculate their revenue. There's more to that, but the gist of it is revenue. They also need to file their annual tax report. In the old world this was done by submitting paper based tax reports. Small to medium sized businesses used to outsource this to accounting companies. Larger enterprises had their finance department for doing things like this. Each tax return needed to be handled by the tax administration manually and you can imagine the cost related to that. I would pity the tax officer who would try to decipher my scribbles.
So, the tax administration needed a solution to make this whole process easier for the organizations who had a VAT number (tax reporting obligation). They also needed to automate this process as much as possible. The obvious answer was the internet. Let the companies submit their tax information through the net. This happened ages ago, we are talking about late 90's here.
Once the companies started to adopt this new way and accounting software packages started to include upload capabilities, things were chugging along nicely for years. As the gears in government turn slowly, the new requirement for appropriate Identity and Access Management (IAM) was recognized slowly but surely. The government needed to properly authenticate the user who was uploading the information, but also verify that this particular user had the authorization to do so.
The Future of Filing Taxes with Identity and Access Management
Finland is relatively small in terms of population and number of organizations. Currently there are around 350,000 organizations having a VAT number. The majority of the companies are small to medium sized businesses and many of them still outsource their finance administration to accounting companies. Then there are the bigger companies that have multiple locations and several different people filing the tax information.
The correct level of authentication is easy to solve, as we have a working BankID authentication scheme that almost everyone uses when logging into the government (and quite a few private sector) services. So, there is a strong authentication option people can use, but it does not solve the more important issue of authorization. The tax administration online service asks "Are you authorized to use this service?" This is especially important when accounting companies file reports on behalf of several different companies. It is not the job of accounting companies or their employees to claim they are filing the tax report on behalf of the company X – it's Company X's duty to properly authorize the accounting company to do so. The same applies to internal employees, they need to be suitably authorized.
Now if you work the numbers and the use cases described above, you will soon get an impression that modelling this online would've been an impossible task and it would have been for the tax administration to do this by themselves. Even if they somehow managed to build a system to handle that kind of information, it would have been outdated on day one. People change jobs inside the companies, leave the organization, or new employees will take over tasks from previous (authorized) employees. Accounting companies acquire new customers and lose existing customers. The simple fact is that the tax administration does not have the complete visibility to the structure and personnel of their customers (the VAT organizations).
Katso was built to solve this challenge. Katso is a portal where companies can register, acquire an admin account, authorize their employees, or authorize other companies to represent them in tax administration services. Instead of tax administration trying to keep this data up-to-date and current, the solution was to outsource the management of identities and authorizations to their customers (the 350 000 or so VAT organizations).
During the registration process they will generate an OTP (one-time-password) pad for strong authentication that they can manage through the self-service. Each BankID authentication event costs an average 0.30€ (£0.24 / $0.33) and can create considerable costs in the long run so it was considered better to have an independent strong authentication credential (KATSO OTP).
Identity and Access Management with Katso
Katso includes a wealth of self-service workflows to facilitate all kinds of operations related to identity, access and authorization management. All tasks are completed by the companies themselves. The only thing the tax administration has to do is to manually grant the admin account in some rare cases where the registration process can't be automated (as it is in most cases, where the admin account registration request and the right to sign legal documents as the company representative can be automatically verified from the corporate registry).
Today, the tax administration has very accurate and up-to-date information on their customers. They can properly check that the user entering the online service is properly authorized. The authorization is based on a role associated to a particular online service and granted by the admin user of the company (the admin role can also be delegated). They can even check the authorization information at the time the user pushes to "submit" button, if they want to be absolutely certain that the user still has a valid authorization to do so.
As the Katso system was generic in design and during development it was noted that other government agencies could benefit from the same system, it is now used in over 100 online services including customs, social security, healthcare, police, employment, pension etc… and by 350 000 organizations. Katso is a ground breaking solution for eGovernment and Katso has been instrumental in allowing different government agencies and departments transfer their services online. One prime example of a very traditional service is passport renewal that can now be done online.
Katso is the finalist in the IT Awards European Software and IT Excellence in the ISV category for the best government solution and Katso was the father of GlobalSign's CustomerID solution. I was personally responsible for the requirement specifications, working together with the tax administration for the first two and a half years of its life. Now you can deploy the same solution to your environment in simply weeks using GlobalSign CustomerID. For the local government, the cost savings can be calculated in hundreds of millions and their customers can now enjoy extensive self-services and more importantly – they don't have to dip the pen into the ink and mail their documents to government agencies anymore. I also think that Katso is largely responsible for the disappearance of the fax machine in Finland.