Saturday, 25 May 2013

BACS/RTI hash

All employers that pay using BACS with their own service user number (SUN) have to include a hash in the data they send to HMRC RTI.

But what does this check? It checks no more than that the submitter has access to BACS. The hash covers all sorts of data (sort codes, amount, etc.), but all HMRC see is the hash and the amount (as confirmed by an FoI request). They check nothing more. They explicitly do not see any bank details!

To pass the HMRC tests, if you don't have a BACS SUN you do nothing, but if you do, all you have to do is make a payment matching HMRC's expectation and create the hash to submit. The payment can be to anyone (even yourself, which is perfectly valid as a BACS payment). The real payments to staff do not have to be flagged as payroll payments and so do not get seen by HMRC.

So, if you have any issues managing the hash and the payments, you can fudge it by making payments to yourself. Quite separately, you can pay staff, which may or may not match what and when HMRC expect. As long as the hash matches, the RTI submission is valid.

The HMRC system for RTI makes it a nuisance to make adjustments at the last minute or retrospectively or even to commit some frauds. Well, it would, if the checking was not so trivially thwarted and pointless.

Anyone wanting to play the system for any reason, fraudulent or not, can do so. The only people actually caught out by this are those poor saps trying and failing to meet their requirements. Real fraudsters have no problem as it is simple for them to pass the tests for the hash.

So, how much has this crazy system cost? How much do HMRC pay VOCA? How much have BACS s/w changes cost? Payroll systems changes? Payroll bureaus? I am submitting another FoI for that.

And what of companies like us, inconvenienced by the changes even if they did not pay staff by BACS (we happen to do so)? Lloydslink pulled their BACS system as not HMRC RTI compliant, costing us a small fortune to re-work it all. That is a cost for this mad system and would apply to us even if we did not pay staff by BACS because we used Lloydslink for DD collections and were forced to change.

Why make a system that is so easily thwarted? Why make a system that is hard to code and comply with? Why make a system that costs lots of people money? Why?

4 comments:

  1. Sounds like a typical government IT system. It was probably a ploy by some contractor to make some cash at the taxpayer's expense.

  2. The sad thing is, this sounds like one 'flaw' which could genuinely have been well-intentioned, trying to avoid feeding HMRC all your banking details unnecessarily! I'm not sure it's as big a problem as it sounds, either: yes, you could easily create 'fake' payments to yourself (or make a payment to another account you control which then returns the money, etc) - just like you can print off fake payslips saying you paid M Mouse £1234.56, whether you did or not.

    I do shudder to think what the cost must have been to implementing the whole setup, though - and just having a system for sending "A&A has paid RevK £1000 at 11:05 on 2013-05-27" would surely achieve the same without the effort or the BACS work.

  3. Since I am part of a financial service provider organization, I would like to share with you all whatever idea I have regarding the “hash”.
    The “hash” in RTI, also known as the “RTI cross reference”, will enable HMRC to support the tax data returned against the payment made to the individual. Employers paying their man through BACS using their own Service User Number must include a hash in their RTI submission. The hash should be produced and submitted at or before the time payment instructions are issued.

    Replies
    1. My point is that it proves nothing but the fact that the payer does BACS. They can make payments to themselves of the reported amount and use that hash. There is no check to confirm who was paid. This means someone wanting to pay people somehow differently to the PAYE RTI can do so - either by not doing BACS and so not sending a hash, or by doing BACS and therefore being able to make payments and hashes that are unrelated to pay. In fact, someone wanting to pay people differently by PAYE RTI can now give HMRC a false sense of security that the payments match because they see the hashes and amounts match at VOCA. Yet this whole pointless process has cost a lot of time and effort even for people not doing BACS to pay staff - hundreds of Lloydslink customers had to change DD collection because Lloydslink stopped their bureau because of the extra BACS requirements for RTI.
