HMRC RTI and privacy

HMRC have a new system in place for payroll that means payroll details are sent to them each time people are paid. That is not too bad, but there is this new system for BACS payments too that allows HMRC to check the actual payment is made to the employee as well. It is a convoluted system that involves an extra field in the BACS payment and has led to a whole new way of running payroll if you use BACS. The BACS system advises HMRC of hashes that allows the payment to be checked without giving HMRC all of the details.

Anyway, there is a side effect that has occurred to me here. The receiving bank will no doubt see the BACS fields including this previously unused field. The field is not meaningful in itself, it is 4 characters, and for HMRC us has to start with a "/" character and then has three random characters.

However, the receiving bank can, now, in effect, see if a customer gets "proper payroll payments" in to their account. There will, of course, be lots of legitimate paid employers that get paid without a payroll bureau or direct BACS or some such doing this, but the bulk of people being paid by large companies or via bureaus will have this extra field on their pay. Indeed, as using this is part of HMRCs risk management, that will encourage more and more employers to use this for paying people.

So banks get to see if you are a "proper" paid employee, with pay details "properly" reported to HMRC, or not. Or at least have a clue towards that. It is not in fact definitive - nothing stops me sending this field on all payments we every make to anyone - but in practice the BACS systems will do "paying suppliers" and doing "payroll" as separate systems. So the presence of this field is a clue.

Will banks use this to consider the credibility or creditworthiness of a customer?


  1. Would be silly to use it as a major part of a credit check. Self employed people often don't have "payroll" payments into their accounts yet can be very worthy of credit.

    1. Possibly, but I can't help feeling it is a useful metric for banks. They probably want to watch self employed more closely even if that is not justified.

  2. I could imagine banks using it to define 'main banking accounts' -- so where some banks (e.g. Halifax, Santander) give you perks (£5/mo, cashback on DDs, etc) if you have a number of Direct Debits coming out of your account, they could start making them dependent on receiving an HMRC RTI tagged payment...

    But not everyone is paid by BACS, and it probably wouldn't be very popular, so they might not...

  3. I have a feeling that the bank using this field for anything at all would be against the Data Protection Act. Using data for purposes other than that for which it was collected (informing HMRC in this case) would be illegal.

    (I knew the DPA would come in handy one day! :-)

    Cheers, Howard


Comments are moderated purely to filter out obvious spam, but it means they may not show immediately.

ISO8601 is wasted

Why did we even bother? Why create ISO8601? A new API, new this year, as an industry standard, has JSON fields like this "nextAccessTim...