5 June 2026

Agent access in 2026: every HMRC login is about to have a name on it

A year ago HMRC lost around £47 million to people logging into tax accounts that were not theirs. Multi-factor sign-in, and the end of quietly using a client's own login, are landing on agents this month. What changes, why the case law makes it more than IT housekeeping, and the two jobs worth doing before the end of June.

A year ago this week, HMRC admitted that criminals had walked into around 100,000 online tax accounts and helped themselves to roughly £47 million in repayments. Nothing was hacked. The logins were collected elsewhere, through phishing and stolen data, and then used to sign in as the taxpayer, or to set up an account in someone's name before they ever had one. Once you are inside the account, the screen treats you as the taxpayer.

That episode is the backdrop to two changes landing on agents right now, and together they redraw the record of who actually touches a client's tax account.

The first is a reminder HMRC and the institutes have repeated through May and into this week. Using a client's own sign-in credentials puts an agent in breach of HMRC's standard for agents. The online terms say an agent should never ask a client to share their log-in details, and the professional conduct guidance goes further: members should avoid even knowing the client's personal credentials, save in genuinely exceptional cases. The shortcut was always against the rules. It is now being said out loud, and often.

The second is multi-factor authentication. HMRC is bringing it in for agent accounts, with the wider rollout expected by the end of June, subject to testing. From then, signing in to your agent services or online services account will take more than a Government Gateway ID and password. You will also enter a one-time code, from an authenticator app, a text or a voice call. HMRC is recommending an app as the main method with a second route as backup, because the day a code does not arrive is the day you cannot file.

There is a quieter part of the same change that will cost firms more time than the codes themselves. HMRC wants each member of staff who needs access to have their own individual log-in, not a single shared firm one. In the older online services account, that means the administrator going into each client record and allocating it to a named user. For a practice that has run on one set of credentials for years, that is not a five-minute job.

It would be easy to treat all of this as IT housekeeping. The case law shows it is not.

Consider who is responsible when a return is wrong. Schedule 24 of the Finance Act 2007 makes a person liable for a careless inaccuracy in any document given to HMRC on their behalf, unless they can show they took reasonable care. HMRC's own guidance puts it bluntly: a person cannot simply appoint an agent and deny responsibility for their tax affairs. The tribunals have spent years working out where that responsibility ends, in cases like Hanson v HMRC [2012] UKFTT 314 (TC), and the answer has stayed consistent. What is filed in your client's name remains your client's return. So the question of who pressed submit, and under whose authority, is not administrative trivia. It is the difference between a position you can defend and one you can only assert.

Then there is what happens when access is abused on purpose. In Badoume v HMRC [2026] UKFTT 484 (TC), decided in March, the Tribunal looked at a firm that had filed refund claims stuffed with expenses the client was never entitled to. When HMRC enquired, the firm's explanation was that twenty per cent of a taxpayer's expenses can simply be claimed, which the Tribunal called an utterly false premise. These so-called refund factories work by filing fabricated claims at volume and taking a cut, leaning on the fact that HMRC's systems pay first and check later. They are a large part of why HMRC now cares so much about proving not just that a return was filed, but who filed it and whether they had any business doing so.

Put the £47 million, Hanson and Badoume next to each other and the direction of travel is hard to miss. HMRC is rebuilding the trail of who did what inside a client's account, and closing the gaps that let someone act as the taxpayer without leaving their own fingerprints. A shared firm login leaves a flat record: every action looks like it came from the same place, or worse, from the client. Individual credentials and a verified second factor mean each filing and each change to a return carries a named person behind it. That cuts both ways, and mostly in the honest firm's favour. The day a client says they never authorised something, or HMRC asks who amended a figure, a clean access trail is the thing that answers for you.

So two jobs are worth doing this month, while it is calm. If any client work still runs through client credentials, stop, and move those clients onto proper agent authorisation so you are acting under your own account, not theirs. And set up individual logins now for everyone who touches HMRC, get an authenticator app and a backup method in place, and start allocating clients to named users rather than discovering the size of that task on the morning the rollout lands.

None of this is dramatic. It is housekeeping. But the £47 million HMRC lost a year ago was housekeeping too, right up until it wasn't. The firms that come through the next year cleanly will be the ones who can show, without reaching for memory, exactly who did what, and when.

Lexendo
