Small Business Superannuation Clearing House Changes

Actionable Update to SMSF Bank Account Validation

ATO update introduces SMSF bank account validation aimed at improving the precision and security of superannuation contributions

Given the proximity of the next SG contribution deadline on 28 April 2024, it is important to take action ahead of this date to prevent potential compliance issues.

Key points

  • The ATO implemented a pivotal update within the Small Business Superannuation Clearing House (SBSCH) on 15 March 2024
  • This new system feature affects all small employers who use the SBSCH to pay superannuation to employee SMSFs
  • The ATO’s validation process requires small employers using the SBSCH to ensure that their employees’ SMSF bank account details exactly match the fund bank account details recorded by the ATO
  • The validation focuses on the BSB and account number as registered under the SMSF’s Superannuation Role within ATO systems. For any employee where there is no exact match, the SBSCH will not process their superannuation payment.

Action Required: Review Employee Records

The ATO is contacting small employers likely to be impacted by the new SBSCH SMSF bank account validation process.

However, with SG obligations for the March 2024 quarter due no later than 28 April 2024, it is important for small businesses to act proactively.

If you are a small business using the SBSCH, contact your employees to confirm that the SMSF bank account you pay their superannuation contributions into is the same as the SMSF bank account registered against the fund’s superannuation role with the ATO.

Where employees are unsure how to check whether the bank account their employer pays super contributions into is the same as the one registered with the ATO, please contact Allan Hall for assistance on 02 9981 2300.

Should an employee need to amend the SMSF bank details held by the ATO, it is important that the change is communicated to all fund members, as the ATO will issue email or text alerts so that every member is informed.

Small employers delaying the review and update of their employees’ SMSF bank records risk facing SG shortfalls and potential penalties as there may be insufficient time to rectify a discrepancy.


QR Quishing Scams

Banks warn of Christmas QR code scams

Financial institutions and consumer advocates are sounding the alarm on the surge of Christmas-related scams, cautioning that criminals are employing a novel tactic by exploiting COVID-era QR codes to pilfer personal information.

What is Quishing?

Quishing is a form of phishing that uses QR codes instead of text-based links in emails, on digital platforms or on physical items. It is a social engineering technique used by scammers and cybercriminals to trick you into providing personal information or downloading malware onto your device.

A recent Westpac report highlighted that over half of reported scams related to purchases and sales in November and December last year. They emphasised that scammers often capitalise on the increased spending and potential distractions during the holiday season.

To illustrate the heightened risk, Westpac experienced a 5 per cent uptick in fraud-related calls following the facilitation of over 31 million point-of-sale transactions during the recent Black Friday and Cyber Monday sales.

Westpac’s research uncovered that 38 per cent of Australians fell victim to scams originating from fake websites, online retailers and marketplaces.

QR codes, once considered outdated by 2019, regained popularity during the COVID-19 pandemic due to the demand for contactless services. However, the Federal Trade Commission (FTC) in the United States has cautioned that scammers are now concealing harmful links in QR codes found at locations such as parking meters, cafes and bars.

The FTC outlined various deceptive tactics employed by scammers, including false claims of undelivered packages, account issues and fraudulent activities requiring immediate password changes. Young stressed the importance of verifying payment details before transferring funds and warned against clicking on links in SMS or email communications.

In the aftermath of clicking on deceptive links, individuals risk having their information stolen or malware installed on their devices.

Westpac identified several other prevalent Christmas scams, including enticing individuals to fake websites through social media advertisements, exploiting parcel-related anxieties with fake updates via SMS or email, and promoting seemingly lucrative fake investments.

Westpac also highlighted that investment scams pose a significant challenge, constituting half of all reported losses. These scams often promise substantial returns and involve scammers investing considerable time in grooming victims, making them difficult to identify.

In Australia, reported losses to Scamwatch on social media platforms have surged to over $66 million in 2023, marking a 40 per cent increase from the previous year. Consumer group Choice, along with 20 other organisations globally, is urging governments to mandate social media and technology companies to implement measures protecting consumers from scams.

Choice criticised tech giants such as Facebook, Instagram and Google for their failure to prevent scammers from exploiting their platforms, arguing that these companies possess the resources and technology to enhance consumer protection but are reluctant to do so without legal requirements.

Please note that Allan Hall will be closed from 22 December and will reopen on Monday 8 January 2024.


ATO deadline reminder for contractor reporting

Taxable payments annual report (TPAR) lodgements due 28 August 2023

The ATO is reminding businesses required to lodge a Taxable payments annual report (TPAR) to do so by 28 August 2023.

This deadline is crucial for businesses falling under the TPRS regime to fulfil their reporting obligations.

Businesses in the construction, cleaning, courier, road freight, information technology, security, and investigation or surveillance sectors that have engaged contractors for those services are required to lodge a TPAR.

Tony Goding, ATO Assistant Commissioner, stresses the TPRS’s pivotal role in levelling the playing field by ensuring all enterprises contribute their fair share of taxes. Not reporting payments to contractors and deliberately under-reporting income raises red flags, potentially triggering closer inspections by the ATO.

The TPRS serves as an instrument in the ATO’s arsenal, helping in the discovery of unreported income. The TPAR equips the ATO with an array of data points to uncover discrepancies, such as unreported earnings, non-submission of tax returns or activity statements, unjustified GST claims or misuse of Australian Business Numbers.

Recent ATO actions serve as a reminder of compliance expectations. Over 16,000 penalties were issued to businesses failing to lodge TPARs for prior years. With an average fine of around $1,110, these underscore the growing difficulty of evading ATO scrutiny, especially when utilising cash transactions to evade tax.

A recent example exemplifies the efficacy of the TPAR data. An investigation into a cleaning company unveiled a mismatch between declared income and actual earnings. Despite reporting $6,892 in income, the cleaning service provider was found to have received over $80,000 from multiple companies. An audit confirmed the non-submission of activity statements and concealed payments. This resulted in adjustments to the tax return and the imposition of penalties.


Enhancing cybersecurity with MFA

Adopting a multi-factor authentication (MFA) strategy

With technology advancing, it has become easier for hackers to gain access to our personal data.

In the past, passwords were considered the best line of defence against cybercriminals, but times have changed.

That’s why adding an extra layer of security to your online accounts is essential, not just for your information, but for your customer information too.

That’s where multi-factor authentication (MFA) comes in.

MFA is a security measure that combines two or more ways of proving your identity before access to an account is granted. This makes it much harder for cybercriminals to steal or compromise your credentials. MFA factors include:

  • something you know, such as a password, PIN or the answer to a challenge question like the first street you lived in
  • something you have, such as a physical token, smart card or a code sent by SMS to your phone
  • something you are, for example a fingerprint, facial recognition or iris scan.

Cybercriminals may still get their hands on your password, but they will need your biometrics or a code to fully unlock your account. While MFA is not available for every online account, it’s becoming a more widely-applied way to verify your identity. Banks, social media platforms and software providers are adopting this measure to protect their users’ information.
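The “something you have” factor most people carry is an authenticator app generating six-digit codes. The following is an added example, not code from the newsletter or from any provider it names: a minimal RFC 6238 TOTP verifier paired with a password check, so a login succeeds only when both factors are right. The user record, salt and password are constructed sample data; the authenticator secret is the published RFC 6238 test-vector secret, so the codes can be checked against the RFC. The verifier also records the last accepted time step so that a code captured by a phisher cannot be replayed after the real user has used it.

```python
import hashlib
import hmac
import struct

# RFC 6238 defaults shared by Google Authenticator, Authy and similar apps.
TOTP_STEP_SECONDS = 30
TOTP_DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_unix: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current 30-second window."""
    return hotp(secret, at_unix // TOTP_STEP_SECONDS)


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash for the 'something you know' factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user record (not real data). The authenticator secret is the
# RFC 6238 test-vector secret so the codes below can be checked against the RFC.
_SALT = b"constructed-salt-0001"
USERS = {
    "alice": {
        "pw_hash": hash_password("correct horse battery staple", _SALT),
        "totp_secret": b"12345678901234567890",
        "last_counter": -1,  # highest time step already accepted for this user
    }
}


def verify_totp(user: dict, code: str, at_unix: int, window: int = 1) -> bool:
    """Accept the code for the current step or one step either side (clock drift),
    but never a step at or before the last one used, so a captured code cannot be
    replayed once the genuine user has logged in with it."""
    counter = at_unix // TOTP_STEP_SECONDS
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate <= user["last_counter"]:
            continue
        if hmac.compare_digest(hotp(user["totp_secret"], candidate), code):
            user["last_counter"] = candidate
            return True
    return False


def login(username: str, password: str, code: str, at_unix: int) -> bool:
    """Both factors must pass. The password is checked first so that a stolen
    code alone cannot consume the time step and lock the real user out of it."""
    user = USERS.get(username)
    if user is None:
        return False
    if not hmac.compare_digest(hash_password(password, _SALT), user["pw_hash"]):
        return False
    return verify_totp(user, code, at_unix)


if __name__ == "__main__":
    # At Unix time 59 the RFC 6238 vector yields 287082; a second use is refused.
    print(login("alice", "correct horse battery staple", "287082", 59))  # True
    print(login("alice", "correct horse battery staple", "287082", 59))  # False (replay)
```

The replay check matters because a phished code stays valid for the rest of its 30-second window plus the drift allowance; consuming the step on first use closes that gap.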

Enabling MFA on your email accounts and computer software, especially if working remotely, is crucial. Adopting this practice in a work capacity strengthens the protection of your systems and sensitive information.

Implementing this strategy alongside other cybersecurity best practices gives your systems a stronger line of defence in the event of a cyber incident. By taking proactive steps to secure your online accounts, you help safeguard your personal information and that of your customers. Take the time to set up MFA on your accounts, and visit the ACSC website to find out more about implementing your MFA strategy.


Changes to multi-factor authentication coming for Xero customers

Over the last few years, our lives – and businesses across the world – have moved online at a rapid pace.

Unfortunately, cybercriminals have followed and are using new, digital methods to target Australians. As custodians of your data, Xero does all they can to protect the information held in your account.

One of those ways is multi-factor authentication (MFA), a process designed to secure how you log in to Xero and verify that it’s really you. An upcoming Australian Taxation Office (ATO) update to MFA requirements means that anyone, anywhere in the world, who accesses an Australian organisation needs to re-authenticate their device every 24 hours when logging in to Xero.

What’s changing with MFA?

Many of Xero’s Australian customers would have started using MFA back in 2018 when it was first introduced by the ATO. Throughout 2021, Xero rolled out mandatory MFA for users in all other countries. Today, every Xero customer must use MFA when they log in.

Recently, in response to growing cybersecurity threats, the ATO updated its regulations around MFA for software providers like Xero. This means that the length of time a device is trusted for must be limited to 24 hours for cloud-based business applications, such as Xero.

From early October, ‘remember me on this device’ will change. Currently, you can skip authentication for 30 days when signing in to Xero via MFA (such as through the Xero Verify, Google Authenticator or Authy apps), which remembers the unique device you’ve logged in with. With this update, you will need to re-authenticate your trusted device (such as a laptop, tablet or phone) every 24 hours.
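To show what “remember me on this device” amounts to on the server side, and why shortening the window changes what an attacker can do with a stolen device token, here is an added example. It is not Xero’s code and does not describe how Xero implements device trust; the token format, the server key and the user and device identifiers are all constructed for illustration. After a successful MFA login the server mints a signed token carrying the user, the device and the issue time; on later logins it accepts the token only if the signature checks, the identifiers match and the token is younger than the trust window. The same token is then tested against the old 30-day window and the new 24-hour one.

```python
import base64
import hashlib
import hmac
import json

# Trust windows for a "remember me on this device" token.
OLD_TRUST_SECONDS = 30 * 24 * 3600   # the previous 30-day window
NEW_TRUST_SECONDS = 24 * 3600        # the 24-hour window now required

# Constructed signing key (hypothetical; a real service keeps this in a secret store).
SERVER_KEY = b"constructed-device-token-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_device_token(user_id: str, device_id: str, issued_at: int,
                       key: bytes = SERVER_KEY) -> str:
    """Mint a signed token after a successful MFA login. It records who, which
    device and when; the HMAC stops the client from editing the timestamp."""
    claims = {"u": user_id, "d": device_id, "iat": issued_at}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def device_trusted(token: str, user_id: str, device_id: str, now: int,
                   trust_seconds: int, key: bytes = SERVER_KEY) -> bool:
    """True only if the signature verifies, the token is for this user and
    device, and it was issued within the trust window. Anything else means
    the user is prompted for their second factor again."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _unb64(payload_b64)
        sig = _unb64(sig_b64)
    except (ValueError, TypeError):
        return False
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False
    claims = json.loads(payload)
    if claims.get("u") != user_id or claims.get("d") != device_id:
        return False
    age = now - int(claims.get("iat", 0))
    # Reject tokens from the future as well as expired ones.
    return 0 <= age < trust_seconds


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed login time
    token = issue_device_token("alice", "laptop-1", t0)
    two_days_later = t0 + 2 * 24 * 3600
    print(device_trusted(token, "alice", "laptop-1", two_days_later, OLD_TRUST_SECONDS))  # True
    print(device_trusted(token, "alice", "laptop-1", two_days_later, NEW_TRUST_SECONDS))  # False
```

The window is the only thing that changed between the two policies; a token lifted from a compromised laptop two days after login still skips MFA under the 30-day rule and does not under the 24-hour rule.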

When will this happen?

The 24-hour change to Xero’s trusted device frequency will start from early October. From then, you’ll need to authenticate daily when you log in to your account.

Why is this being changed for Australian customers?

This is a regulatory change from the ATO and is to support cybersecurity measures to protect users’ valuable data – just think of all the critical information stored within your Xero account. It’s important to keep this safe.

You’ll likely remember when MFA was first mandated by the ATO. Just like last time, Xero is updating its platform to comply with this change and make it a smooth transition.

What if I’m in another country, like New Zealand, but access an Australian organisation in Xero?

This change doesn’t just apply to Australia but to anyone globally that accesses an Australian organisation – even if it’s just one account in Australia that you log in to. This is because you are accessing information (including personally identifiable information) that falls under the ATO’s remit.

Do I need to make any updates myself?

No – rest assured that the Xero platform will update automatically in early October. Since all Australian customers already use MFA, you won’t have to change anything about how you log in to Xero – except for daily authentication. This means you can continue to use your usual verification tool, whether it’s Xero Verify or a third-party app like Google Authenticator.

Why is cybersecurity so important and should I be worried?

Security has always been important at Xero and we want to keep your valuable business data safe. Since the start of the pandemic, activity by cybercriminals has been on the rise in Australia. As our lives have moved more and more online, so too have the approaches of cybercriminals.

They’ve continued to evolve and use increasingly sophisticated ways to entrap victims online. One of the most common types of cybercrime is phishing, which tricks you into clicking on a fraudulent email, text message or web link to then access your online accounts and steal your personal and business information.

How does MFA help protect me against cybersecurity threats?

MFA is one of many important tools used to safeguard against cybersecurity threats. It’s a security process which uses at least two different factors, something you know (your password) and something you have (mobile device), before you can enter your account.

This second layer of security is designed to prevent anyone else from accessing your account, even if they know your password. In fact, research shows that MFA can prevent up to 80% of data breaches.

What does this mean for Xero’s mobile apps?

Xero’s suite of mobile apps, such as the Xero Accounting App, Xero Expenses and Xero Projects, will also be impacted by these new regulations. When the new versions are introduced, you will no longer be able to choose the lock device option ‘Don’t lock it’. You will either need to use a security code, which will be available on Android for the first time and is currently available on iOS, or use Face ID.

What if I normally share my login with members of my team?

Shared logins reduce the security of your Xero account. The more people who have access to a login, the more likely it is to be compromised. Everyone who accesses an organisation in Xero should have their own login details (as per Xero’s terms and conditions).

If they don’t already, now is the time to make sure everyone is set up with what they need to securely use Xero. 

Read more about MFA here and troubleshoot any possible issues here.

Support to help businesses go digital

Digital Solutions — Australian Small Business Advisory Services

Round 1 of the Digital Solutions program will end on 31 March 2023.

What do you get?

The Digital Solutions – Australian Small Business Advisory Services program works with small businesses to make the most of digital tools and offers broader advice specific to your business needs such as:

  • how digital tools can help your small business
  • websites and selling online
  • social media and digital marketing
  • using small business software
  • online security and data privacy.

Digital Solutions is a 7-hour packaged service that offers 3 hours of one-on-one tailored support as well as group workshops or webinars.

Who is this for?

Small businesses with fewer than 20 full-time (or equivalent) employees, as well as sole traders, can access services at the subsidised rate. The service is available across all metropolitan and regional areas in Australia. 

How much does it cost?

The Digital Solutions program is $44 for 7 hours of support and your first interaction with the service is free. 

About the Digital Solutions advisers

Digital Solutions advisers hold formal qualifications in business or information technology-related disciplines and have at least 2 years’ experience providing digital advice to small or medium-sized businesses.

Contact your local Digital Solutions provider

There are Digital Solutions providers in each state and territory across Australia. Complete a short form to connect with your local provider.

Support for businesses affected by COVID-19

Digital Solutions providers are also offering general business advice to support you through this difficult time, including: 

  • business crisis management and business continuity planning
  • finance management and boosting cashflow
  • staff management and creating a safe work environment
  • retaining and staying connected to customers
  • resilience and wellbeing
  • COVID-19 stimulus packages for small business.

Find more at coronavirus information and support for businesses.

Stay safe over Christmas

Cybersafety and your business: is your data secure?

The ACCC’s Scamwatch has reported that losses to online shopping scams have increased 42 per cent this year, and they are warning Australians to be careful over the Christmas and holiday period.

Make no mistake: cybercriminals are well aware of small business and consumer spending habits, and they particularly exploit Black Friday and Cyber Monday online shopping channels. It is therefore critical for businesses to revisit their cybersecurity measures.

Data loss can be a costly nightmare for a business. Businesses that invest significant time and capital in their holiday season budgets and marketing efforts are at particular risk during the merriest of seasons.

Unfortunately, cyber attackers increasingly target businesses that are less likely to have extensive security protection in place. Attacks are also on the rise as businesses continue to transform their workplaces and adopt a digital-first approach.

Personally identifiable information, account details, credit card information, digital activity and geographic location are all at risk of exposure, and the recovery efforts and delays that follow data loss can grind productivity to a halt during the busiest of seasons.

Could your business be at risk of a cyber attack? Follow these simple tips to increase cybersafety and security for your business.

1. Educate your team

Nearly half of data loss happens when employees don’t know how to protect company data or are careless with it. Ensure your employees do not use their business email address or passwords for online shopping. Every company-issued device, such as a business laptop, mobile phone or tablet, should be protected with a passcode or password.

Let staff know how important data security is to your business. Discuss potential security risks and restrictions on employee access to HR, customer and financial data. Go over specific strategies for keeping paper and computer files secure – such as enabling 2-step authentication (2SA), restricting access to sensitive data with security passwords and taking care not to download apps that might carry malware.

2. Plan for security

Does your business have a customised plan in place which outlines your information assets, identifies potential security risks and the specific steps your organisation will take to mitigate those risks? Think of your data security plan as a living document; it will need to be updated regularly to keep up with shifts in digital technology as well as changes in personnel. A key aspect of your security plan is to outline how you ensure employee access to data terminates when they leave your company.

Conduct regular audits to test the effectiveness of your security plan, by monitoring how well your staff follow protocol. Following an audit, you’ll be able to address and fine tune strategies to keep your business safe and your data secure.

As part of your security plan, ensure that you work closely with your internal or external IT company and that they are aware of your security process and plans should a cyber attack occur.

3. Include a device policy

It’s hard to imagine small businesses functioning without mobile devices. The reality is, many small business employees work from home or remotely, staying in contact via a tablet, laptop computer or mobile phone. Unfortunately, the risk of a mobile device being lost, stolen or damaged is high. Protect your company data by requiring staff to keep company data off their personal devices – and set up work devices to be wiped remotely in the case of theft or loss.

Other key security measures are data encryption, up to date anti-virus protection and tracking software – as well as a system of regularly scheduled, automatic back-ups.

Your data security plan is only as good as how well it is followed.

Invest time to meet as a team to discuss security planning and address any questions about protocol. Be clear on the consequences of a data security breach should it be discovered the cause was due to employee negligence or outright theft. Think about how you can reward your staff for their efforts to protect your business by strictly following security protocols.

With more people shopping online this year due to COVID-19 restrictions, the ACCC’s Scamwatch reports that scammers are now targeting Christmas shoppers. You can read their full article here.