
Cyber Security for Bookkeepers and BAS Agents: What Your TPB Obligations Actually Require

Bookkeepers and BAS agents sit at the intersection of some of the most sensitive data any small business handles — TFNs, payroll records, business banking credentials, and client financial histories. New obligations under the TPB's 2024 Code Determination make it explicit: protecting that data is now a registered practitioner requirement, not just good practice.

There is a common misconception that cyber security obligations in the tax and financial services profession are primarily an accountant's concern — that BAS agents and bookkeepers, dealing mostly with transactional data rather than tax advice, occupy a lower-risk position. The data profile tells a different story.

A bookkeeper typically has access to their clients' cloud accounting software, business bank feeds, payroll systems, and supplier payment portals. They process superannuation contributions, manage employee TFN declarations, and in many cases hold the login credentials that allow them to operate across multiple client environments simultaneously. A single compromised bookkeeper account can expose a significant number of client businesses in one attack.

The Tax Practitioners Board's 2024 Code Determination makes clear that this level of access and data sensitivity carries corresponding obligations. For BAS agents and bookkeepers registered with the TPB, the requirement to maintain adequate security controls is now explicitly framed as a Code of Professional Conduct matter — with sanctions available for non-compliance.

16,965 registered BAS agents in Australia as at 30 June 2025 (TPB Annual Report 2024–25)
5 years: minimum retention period for client records under the 2024 Code Determination
1 July 2025: new Code obligations commenced for small practitioners (100 or fewer employees)

Bookkeepers Are Not Accountants — But the Obligations Overlap

While there is a separate post on this site covering cyber security for accountants and the TPB's obligations in that context, bookkeepers and BAS agents warrant their own treatment. The data access profile is different, the attack surface is different, and the path to a significant breach often runs directly through a bookkeeping practice.

Registered BAS agents are authorised under the Tax Agent Services Act 2009 (TASA) to provide BAS services — which include preparing and lodging activity statements, payroll tax work, and related compliance. This registration brings them squarely within the TPB's Code of Professional Conduct and all of the obligations that flow from it.

Many bookkeepers who are not themselves registered BAS agents work under the supervision of a registered tax agent or BAS agent. In that structure, the registered practitioner bears responsibility for the quality and security of the services provided — including the security practices of anyone they employ or engage to assist with client work.

What the TPB's 2024 Code Determination Requires

The Tax Agent Services (Code of Professional Conduct) Determination 2024 introduced eight additional Code obligations from 1 January 2025 (for larger practices) and 1 July 2025 (for practices with 100 or fewer employees). Among these is an explicit requirement to maintain adequate record-keeping systems that protect client information from unauthorised access, loss, and damage.

The TPB's guidance is clear that "adequate procedures, policies, systems and controls to protect the security and confidentiality of client records" is a baseline requirement — and that cyber security controls are a core part of meeting it. The TPB explicitly identifies the following as part of a compliant ICT control environment:

  • Installing and maintaining anti-virus software on workplace computers
  • Deploying firewalls on workplace computers and networks
  • Ensuring operating systems and software have the latest security patches applied
  • Protecting client records using encryption where possible
  • Using multi-factor authentication on online accounts, including email
  • Limiting access to client information to staff who need it for their role

These are framed as examples rather than an exhaustive checklist, but the practical message is straightforward: a registered BAS agent whose client files are stored in an unprotected email account, on an unencrypted laptop, or in a shared drive without access controls is at material risk of a Code breach finding if that data is subsequently compromised.

TFNs are not ordinary data. The Privacy (Tax File Number) Rule 2015 applies specifically to TFN recipients — including registered tax practitioners. It requires that TFN information be stored securely and only disclosed for purposes authorised under taxation law. A breach involving client TFNs creates dual exposure: a potential breach of the TFN Rule and a potential breach of Code item 6 (client confidentiality).

Your Regulatory Obligations

TASA 2009 — Code Item 6

Client Confidentiality

Registered BAS agents must not disclose client information to a third party without consent or legal obligation. Inadequate security controls that lead to unauthorised access are a breach of this obligation, regardless of whether the disclosure was intentional.

Code Determination 2024 — Section 30

Proper Record-Keeping and Data Security

Registered practitioners must maintain client records for at least five years and have adequate procedures to protect their security and confidentiality. The TPB explicitly identifies cyber security controls as part of meeting this obligation — not as a separate IT matter.

Privacy (Tax File Number) Rule 2015

TFN Information Handling

BAS agents who hold TFN information must comply with the TFN Rule — secure storage, limited use, and disclosure only for authorised purposes. Sending TFNs via unencrypted email is a specific practice flagged by the TPB as non-compliant.

Privacy Act 1988 (Cth) — NDB Scheme

Notifiable Data Breaches

BAS agents with annual turnover above $3M are covered by the Privacy Act and must report eligible data breaches to the OAIC and to the individuals at risk of serious harm. Practices below the $3M threshold are not automatically exempt: the Privacy Act still applies to personal information collected in the course of AML/CTF obligations, and a practice that holds TFNs is a file number recipient and is subject to the NDB scheme for that TFN information regardless of turnover.

TASA 2009 — Breach Reporting

Significant Breach Reporting to the TPB

From 1 July 2024, registered practitioners must report significant breaches of the Code — including their own — to the TPB. A material cyber incident leading to client data exposure may constitute a significant breach requiring notification.

Cyber Security Act 2024 (Cth)

Ransomware Payment Reporting

Practices with turnover above $3M must report ransomware or extortion payments to the Australian Signals Directorate within 72 hours of making the payment. Bookkeeping practices are increasingly targeted given their privileged access to multiple client environments.

The Bookkeeper's Specific Attack Surface

Understanding why bookkeeping practices are targeted requires understanding what access they typically hold. A bookkeeper serving ten small business clients may have:

  • Active login credentials for ten Xero, MYOB, or QuickBooks environments
  • Connected bank feed access for each client's business accounts
  • Payroll processing access, including employee TFN declarations and super contribution portals
  • Access to the ATO's Online services for agents, authenticated with myID (formerly myGovID)
  • Supplier portal access for some clients
  • Email correspondence containing payslips, bank statements, and financial reports

For an attacker, this access profile is extraordinarily valuable. Compromising a bookkeeper's email or device does not just expose one business — it creates a potential pathway into every client environment they manage. Business email compromise attacks targeting bookkeepers often seek to redirect payment runs, alter supplier banking details in accounting software, or intercept ATO correspondence.

Payroll fraud is a specific and growing risk for bookkeeping practices. An attacker who accesses a payroll system can redirect employee salary payments to accounts they control, modify bank account details for selected employees, or initiate fraudulent payroll runs. Payroll fraud of this kind is difficult to detect until the next pay cycle — and the reputational consequences for the bookkeeper are significant, independent of any legal liability.
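The supplier-redirection and payroll-redirection attacks described above leave a trace that is easy to check mechanically: a payee's destination BSB or account number differs from the one used in the last run. The script below is an added example, not code from the page, the TPB, or any accounting vendor, of gating a pay run on that check. It assumes two CSV exports of payee master data (previous run and current run) with the invented columns payee_id,name,bsb,account, and a call-back log the practice keeps as a list of records with a method field; only out-of-band methods count as verification, so a reply to the same e-mail thread that requested the change does not release the hold. The sample exports and log are constructed for the example.

```python
"""Pay-run gate for changed payee bank details (added example, hypothetical column names)."""
import csv
import io
from collections import defaultdict

# Verification methods that count as out-of-band. A reply to the e-mail that asked
# for the change does not, because the mailbox may be the thing that is compromised.
OUT_OF_BAND = {"phone_callback", "in_person", "video_call"}


def _digits(s: str) -> str:
    return "".join(ch for ch in s if ch.isdigit())


def load_payees(csv_text: str) -> dict:
    """payee_id -> {"name", "bsb", "account"}, with BSB and account normalised to digits."""
    payees = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        payees[row["payee_id"]] = {
            "name": row["name"],
            "bsb": _digits(row["bsb"]),
            "account": _digits(row["account"]),
        }
    return payees


def bank_detail_changes(prev: dict, curr: dict) -> list:
    """Payees whose destination account differs from the previous export, plus new payees."""
    changes = []
    for pid, row in curr.items():
        old = prev.get(pid)
        new = (row["bsb"], row["account"])
        if old is None:
            changes.append({"payee_id": pid, "kind": "new_payee", "old": None, "new": new})
        elif (old["bsb"], old["account"]) != new:
            changes.append({"payee_id": pid, "kind": "changed",
                            "old": (old["bsb"], old["account"]), "new": new})
    return changes


def review_pay_run(prev_csv: str, curr_csv: str, callback_log: list) -> dict:
    """Return {payee_id: reason} for every payee that must be held back from the run."""
    prev, curr = load_payees(prev_csv), load_payees(curr_csv)
    verified = {
        (v["payee_id"], _digits(v["bsb"]), _digits(v["account"]))
        for v in callback_log if v["method"] in OUT_OF_BAND
    }
    holds = {}
    # 1. Any changed or new destination needs a matching out-of-band verification record.
    for ch in bank_detail_changes(prev, curr):
        if (ch["payee_id"], *ch["new"]) not in verified:
            holds[ch["payee_id"]] = (f"{ch['kind']}: no out-of-band verification of "
                                     f"BSB {ch['new'][0]} account {ch['new'][1]}")
    # 2. Several payees paid into one account is the classic redirection pattern.
    by_account = defaultdict(list)
    for pid, row in curr.items():
        by_account[(row["bsb"], row["account"])].append(pid)
    for pids in by_account.values():
        if len(pids) > 1:
            for pid in pids:
                others = ", ".join(p for p in pids if p != pid)
                holds.setdefault(pid, f"destination account shared with {others}")
    # 3. A BSB that is not six digits usually means a hand-edited record.
    for pid, row in curr.items():
        if len(row["bsb"]) != 6:
            holds.setdefault(pid, f"malformed BSB {row['bsb']!r}")
    return holds


# Constructed sample data: names, BSBs and accounts are invented for the example.
PREV_EXPORT = """\
payee_id,name,bsb,account
E1,Alice Ng,062-000,12345678
E2,Ben Ortiz,033-000,22334455
E3,Chloe Park,012-003,33445566
E4,Dan Wu,062-000,44556677
"""
CURR_EXPORT = """\
payee_id,name,bsb,account
E1,Alice Ng,062-000,12345678
E2,Ben Ortiz,082-001,99887766
E3,Chloe Park,012-003,55667788
E4,Dan Wu,012-003,55667788
"""
CALLBACK_LOG = [
    # E2 confirmed the change by phone on a number already on file: releases the hold.
    {"payee_id": "E2", "bsb": "082-001", "account": "99887766",
     "method": "phone_callback", "verified_by": "J. Smith"},
    # E3 "confirmed" by replying to the e-mail that asked for the change: does not count.
    {"payee_id": "E3", "bsb": "012-003", "account": "55667788",
     "method": "email_reply", "verified_by": "J. Smith"},
]

if __name__ == "__main__":
    for pid, reason in review_pay_run(PREV_EXPORT, CURR_EXPORT, CALLBACK_LOG).items():
        print(f"HOLD {pid}: {reason}")
```

Run before every pay run or supplier payment batch, with the previous export taken from the batch that was actually paid, not from whatever the accounting file currently shows. The shared-account rule will also catch legitimate cases (two employees paid into a joint account), which is fine: the point is that a human confirms those once and records the verification.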

Baseline Controls for Bookkeeping Practices

The controls most relevant to a bookkeeping practice's specific risk profile are a manageable set, but they must be applied consistently across all client environments and the practice's own systems:

  • MFA on all cloud accounting platforms — Xero, MYOB, QuickBooks, and similar platforms all support MFA; enabling it on each client environment protects both the client and the practice's access credentials
  • MFA on your email account — email is the single most common attack vector; a compromised email account exposes every client communication and document you have sent or received
  • Strong authentication on ATO access — Online services for agents is reached through myID (formerly myGovID), a personal credential tied to one person and one device; protect that device with a PIN or biometric, never share a myID between staff, and give each staff member their own authorisation in Relationship Authorisation Manager rather than a shared login. ATO-connected access is a high-value target, so this is non-negotiable
  • Never send TFNs via unencrypted email — the TPB has been explicit about this; use secure portals or encrypted file transfer for any document containing TFN information
  • Role-based access controls — if you have staff or contractors, their access to client environments should be restricted to what they need for their specific role; not everyone needs full admin access to every client's accounting software
  • No shared logins, and separate credentials per client where possible — each staff member should have their own named account with MFA on every platform, client-file access should be granted per person and removed when it is no longer needed, and where the platform allows separate credentials per client, use them; the aim is that a single stolen credential does not open every client environment at once
  • Payment verification procedure — any change to supplier or employee bank account details should be verified by calling the business or employee directly before processing; do not rely solely on email instructions
  • Secure, encrypted file storage — client documents, including payslips, tax records, and TFN declarations, should be stored in encrypted form, not in an unsecured shared drive or email folder
  • Documented retention and deletion schedule — five-year minimum retention, with a process for securely destroying records that are no longer required
  • Incident response plan — a documented process for responding to a suspected breach, including obligations to notify the TPB, the OAIC (if applicable), and affected clients
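The TFN rule above (never in unencrypted e-mail; use a portal or encrypted transfer) is easier to keep if outbound mail is checked mechanically. The script below is an added example, not TPB guidance or code from the page, of a small DLP-style gate: it finds nine-digit candidates in the subject, body and attachment file names and validates them with the ATO's published TFN check-digit rule (weights 1, 4, 3, 7, 5, 8, 6, 9, 10; weighted sum divisible by 11), which removes most invoice and reference numbers before a human sees the hold. Legacy eight-digit TFNs are not handled. The sample messages are constructed, and 123 456 782 is a check-digit-valid test value, not any person's TFN.

```python
"""Outbound e-mail gate for tax file numbers (added example; 9-digit TFNs only)."""
from __future__ import annotations

import re
from dataclasses import dataclass

TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)
# Nine digits, optionally separated by single spaces or hyphens, not inside a longer run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ \-]?){8}\d(?!\d)")
_KEYWORDS = re.compile(r"\b(tfn|tax file number)\b", re.I)
_ATTACH_HINT = re.compile(r"tfn|tax[ _-]?file", re.I)  # file names often use underscores


def tfn_check_digit_ok(digits: str) -> bool:
    """True when a 9-digit string satisfies the ATO TFN check-digit rule."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    return sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0


@dataclass
class Finding:
    where: str          # "subject", "body" or "attachment"
    detail: str         # masked number or attachment name; the full TFN is never logged
    context_hit: bool   # a TFN keyword sits near the number (or in the file name)


def find_tfns(text: str, where: str) -> list[Finding]:
    """Return check-digit-valid TFN candidates in text, masked to the last four digits."""
    findings = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ \-]", "", m.group(0))
        if not tfn_check_digit_ok(digits):
            continue  # most invoice, PO and reference numbers drop out here
        window = text[max(0, m.start() - 40): m.end() + 40]
        findings.append(Finding(where, "*****" + digits[-4:], bool(_KEYWORDS.search(window))))
    return findings


def scan_message(subject: str, body: str, attachment_names=()) -> dict:
    """Decide allow / hold / block for an outbound message."""
    findings = find_tfns(subject, "subject") + find_tfns(body, "body")
    for name in attachment_names:
        if _ATTACH_HINT.search(name):
            findings.append(Finding("attachment", name, True))
    if not findings:
        action = "allow"
    elif any(f.context_hit for f in findings) or len(findings) >= 2:
        action = "block"  # keyword context, or a list of numbers: almost certainly TFNs
    else:
        action = "hold"   # one bare valid candidate: human review before release
    return {"action": action, "findings": findings}


if __name__ == "__main__":
    # Constructed sample messages.
    print(scan_message("New starter", "Hi Sam, TFN declaration attached. TFN 123 456 782.",
                       ["Smith_TFN_declaration.pdf"])["action"])   # block
    print(scan_message("Invoice", "Please pay invoice 123456789 by Friday.")["action"])  # allow
    print(scan_message("Ref", "Reference number 123456782")["action"])  # hold
```

The check digit cuts false positives sharply but does not eliminate them: some nine-digit ACNs and account numbers also satisfy the rule, which is why a single bare match is held for review rather than blocked outright. Wire the gate into whatever sits between the mail client and the outside world (a mail-flow rule, an add-in, or a script over the outbox) and make the "release" path a conscious decision by a named person, not a click.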

What Happens If Things Go Wrong

A cyber incident affecting a bookkeeping practice creates concurrent obligations that must be managed simultaneously and quickly. The typical sequence is:

  1. Contain the incident — reset passwords, revoke active sessions and access tokens (including connected-app and bank-feed authorisations in the accounting platforms), remove any mailbox forwarding or auto-delete rules the attacker added, and isolate compromised devices
  2. Assess the scope — list every client environment the compromised credentials could reach, then check each platform's audit or activity log for unfamiliar logins, new users, changed bank details and edited payment batches, and determine whether any data was exfiltrated or manipulated
  3. Notify affected clients — clients whose environments were accessed must be notified promptly; they need to take their own steps to secure their accounting systems and review recent transactions
  4. Assess Privacy Act obligations — if the breach involved personal information (including TFNs) of individuals and is likely to cause serious harm, it is an eligible data breach requiring OAIC notification
  5. Consider TPB breach reporting — if the incident constitutes a significant breach of the Code of Professional Conduct, it must be reported to the TPB
  6. Report ransomware payments — if a payment was made in response to extortion, report to the ASD within 72 hours (if your turnover is above $3M)

The most common failure mode in bookkeeper breach response is scope underestimation — assuming the incident was limited to the practice's own systems when in fact all connected client environments must be treated as potentially compromised until verified otherwise. If your credentials were stolen, every system those credentials accessed should be treated as suspect.

Assess Your Bookkeeping Practice's Cyber Security

Our Bookkeeper Health Check covers the controls most relevant to your practice — cloud platform security, TFN handling, payment verification procedures, client data protection, and TPB Code compliance. Scored results, prioritised recommendations, and a written report documenting your due diligence.


References

  1. Tax Agent Services Act 2009 (Cth) — Code of Professional Conduct; registered tax practitioner obligations; TPB sanction powers. legislation.gov.au
  2. Tax Agent Services (Code of Professional Conduct) Determination 2024 — 8 additional Code obligations; commencement 1 July 2025 for small practices; record-keeping and data security requirements. tpb.gov.au
  3. Tax Practitioners Board, TPB(I) D59/2024: Obligation to Keep Proper Client Records — ICT control expectations; encryption, MFA, access controls; TFN Rule interaction. tpb.gov.au
  4. Tax Practitioners Board, TPB(PN) 4/2021: Use and Disclosure of a Client's TFN in Email Communications — specific guidance on TFN handling; cyber controls recommended; Code Item 6 implications. tpb.gov.au
  5. Tax Practitioners Board, TPB(I) 21/2014: Code of Professional Conduct – Confidentiality of Client Information — updated February 2025; outsourcing and offshore data processing; third-party disclosure obligations. tpb.gov.au
  6. Tax Practitioners Board, Annual Report 2024–25 — 16,965 registered BAS agents at 30 June 2025; cybersecurity featured as priority webinar topic. tpb.gov.au
  7. Privacy (Tax File Number) Rule 2015 — TFN recipient obligations; secure storage; authorised use and disclosure. oaic.gov.au
  8. Privacy and Other Legislation Amendment Act 2024 (Cth) — APP 11 clarification; technical and organisational measures requirement; effective 10 December 2024.
  9. Cyber Security Act 2024 (Cth), Part 3 — mandatory ransomware payment reporting; 72-hour timeframe; entities with annual turnover above $3M. legislation.gov.au
  10. Wolters Kluwer, TASA Record-Keeping Requirements for Tax Practitioners — overview of Code Determination record-keeping obligations; five-year retention. wolterskluwer.com