Making Tax Digital cyber security requirements
Making Tax Digital: The Security Gap Every UK Accounting Firm Is Missing
Introduction: The Security Gap in Making Tax Digital
Making Tax Digital (MTD) has fundamentally transformed how UK accounting firms handle client tax data. MTD for VAT became mandatory for VAT-registered businesses above the threshold in 2019, and for all VAT-registered businesses in April 2022. MTD for Income Tax Self-Assessment (ITSA) will roll out from April 2026 for sole traders and landlords with income over £50,000, lowering to £30,000 from April 2027, with government plans to extend to those above £20,000 from April 2028.
⚠️ Digital compliance without security compliance puts your practice and clients at serious risk.
HMRC mandates what you must file (digital records, quarterly submissions, API-linked software), but gives minimal instruction on how firms should secure the sensitive financial data now flowing through multiple digital touchpoints.
This guide fills that gap.
Why Security Must Be Core to Your MTD Strategy
The shift to MTD creates new security vulnerabilities that traditional accounting practices haven’t faced. Even firms with “pretty good” IT setups often discover gaps when they look at MTD through a security lens.
1. API Security Risks
MTD requires submissions to HMRC via secure APIs. Every API connection is a potential attack vector. HMRC requires all MTD software to connect over TLS 1.2 or higher, having withdrawn support for TLS 1.0 and 1.1 because of their known security weaknesses.
2. Bridging Software Vulnerabilities
Bridging tools used to link spreadsheets or legacy systems to HMRC can create insecure transfer points if they are not properly encrypted or configured. Convenience without security is a recipe for exposure.
3. Data Breach Consequences
Under UK GDPR, accounting firms face fines up to £17.5 million or 4% of annual global turnover for data breaches involving client information. As MTD creates more digital flows, the attack surface increases significantly.
4. Regulatory Overlap: MTD + GDPR + Cyber Essentials
MTD compliance does not mean GDPR compliance or alignment with Cyber Essentials. These frameworks set security expectations that go far beyond HMRC’s technical specifications.
HMRC’s MTD Technical Security Requirements
While HMRC focuses on functional compliance, their specifications include several embedded security requirements that many firms either overlook or assume their software vendor has fully covered.
1. TLS 1.2 Encryption (Minimum Standard)
All communications with HMRC must use TLS 1.2 or above.
What this means for your practice:
- Your MTD software must support modern encryption.
- Older systems and servers may require upgrading or replacement.
- You should verify encryption readiness before the ITSA deadlines.
2. Fraud Prevention Headers
MTD API submissions must include fraud prevention HTTP headers that provide HMRC with audit and behavioural data to detect suspicious submissions and patterns of misuse.
What this means for your firm:
- Your software provider must implement these headers correctly.
- Non-compliant submissions risk being rejected by HMRC systems.
- Manual spreadsheet uploads alone cannot satisfy this requirement.
3. OAuth 2.0 Authentication
MTD uses OAuth 2.0 token-based authentication, ensuring only authorised users and applications can act for clients.
What this means for your firm:
- Passwords alone are no longer sufficient.
- Clients must explicitly authorise the software to act on their behalf.
- Your systems must handle token refresh and secure authentication flows robustly.
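As an added example that is not part of this article, HMRC's own code or any vendor's product, the Python script below shows the kind of offline pre-flight check a firm's in-house team could run against its MTD client before a submission goes out. It covers the three requirements just described: the HTTPS client is pinned to TLS 1.2 or higher with certificate checking left on, the request carries the fraud-prevention headers, and the OAuth 2.0 access token is refreshed before it expires. The `Gov-*` header names are a subset of HMRC's published fraud-prevention headers (the full required set depends on the connection method); the sample header values, the `fake_refresh` callback, and the function names `hardened_tls_context`, `missing_fraud_headers`, `TokenManager` and `preflight` are constructed for this illustration.

```python
"""Pre-flight checks for an MTD submission (added example, not HMRC or vendor code).

1. TLS: the client context must refuse TLS 1.0/1.1 and verify certificates.
2. Fraud-prevention headers: every required Gov-* header must be present.
3. OAuth 2.0: the access token is refreshed before it expires.
"""
import ssl
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# --- 1. TLS 1.2 minimum ----------------------------------------------------
def hardened_tls_context() -> ssl.SSLContext:
    """Client context that cannot negotiate below TLS 1.2 and verifies the server."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # reject TLS 1.0 and 1.1
    return ctx

def insecure_tls_context() -> ssl.SSLContext:
    """What a misconfigured client looks like: certificate checks switched off."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def tls_context_is_compliant(ctx: ssl.SSLContext) -> bool:
    return (ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname)

# --- 2. Fraud-prevention headers -------------------------------------------
# Illustrative subset of HMRC's Gov-* headers; the full list depends on the
# connection method, so consult the HMRC specification for the real set.
REQUIRED_FRAUD_HEADERS: List[str] = [
    "Gov-Client-Connection-Method",
    "Gov-Client-Device-ID",
    "Gov-Client-User-IDs",
    "Gov-Client-Timezone",
    "Gov-Vendor-Version",
]

# Constructed sample values for a desktop bridging tool (not real data).
SAMPLE_HEADERS: Dict[str, str] = {
    "Gov-Client-Connection-Method": "DESKTOP_APP_DIRECT",
    "Gov-Client-Device-ID": "placeholder-device-id",
    "Gov-Client-User-IDs": "os=example-user",
    "Gov-Client-Timezone": "UTC+00:00",
    "Gov-Vendor-Version": "example-bridge=1.0.0",
}

def missing_fraud_headers(headers: Dict[str, str]) -> List[str]:
    """Required header names that are absent or blank (header names are case-insensitive)."""
    present = {k.lower(): v for k, v in headers.items()}
    return [h for h in REQUIRED_FRAUD_HEADERS if not present.get(h.lower(), "").strip()]

# --- 3. OAuth 2.0 token refresh --------------------------------------------
@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    expires_at: float                              # Unix timestamp

    def __repr__(self) -> str:                     # keep secrets out of logs and tracebacks
        return f"TokenSet(expires_at={self.expires_at:.0f})"

@dataclass
class TokenManager:
    """Returns a usable bearer token, refreshing when fewer than `margin` seconds remain."""
    tokens: TokenSet
    refresh: Callable[[str], TokenSet]             # refresh_token -> new TokenSet (real impl: HTTPS POST)
    margin: float = 60.0
    refresh_count: int = 0

    def bearer(self, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        if self.tokens.expires_at - now < self.margin:
            self.tokens = self.refresh(self.tokens.refresh_token)
            self.refresh_count += 1
        return self.tokens.access_token

def preflight(ctx: ssl.SSLContext, headers: Dict[str, str],
              manager: TokenManager, now: Optional[float] = None) -> List[str]:
    """Run all three checks; an empty list means the submission is ready to send."""
    problems: List[str] = []
    if not tls_context_is_compliant(ctx):
        problems.append("TLS context allows versions below 1.2 or skips certificate checks")
    problems.extend(f"missing fraud-prevention header: {h}" for h in missing_fraud_headers(headers))
    try:
        manager.bearer(now)
    except Exception as exc:                      # refresh endpoint unreachable, token revoked, ...
        problems.append(f"token refresh failed: {exc}")
    return problems

if __name__ == "__main__":
    def fake_refresh(refresh_token: str) -> TokenSet:  # stand-in for the real token endpoint
        return TokenSet("new-access", "new-refresh", time.time() + 3600)

    nearly_expired = TokenSet("old-access", "old-refresh", time.time() + 30)
    mgr = TokenManager(nearly_expired, fake_refresh)
    print("hardened:", preflight(hardened_tls_context(), SAMPLE_HEADERS, mgr))
    print("insecure:", preflight(insecure_tls_context(), {"Gov-Vendor-Version": "x=1"}, mgr))
```

The point of the `preflight` function is that each finding is a concrete, fixable configuration problem rather than a rejected HMRC submission discovered on deadline day; the `TokenManager` refreshes on a margin rather than on failure so a submission never starts with a token that expires mid-flight, and its `__repr__` deliberately hides the token values so that logging or an exception trace cannot leak credentials.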
The 7 Hidden Security Risks in MTD Implementation
Most firms focus on getting data submitted correctly and on time. Very few step back and ask:
“Have we actually secured this entire MTD data flow end-to-end?”
Risk #1: Insecure Bridging Software
Many bridging tools prioritise usability over security. If the bridge does not encrypt data in transit and at rest, client data is exposed to interception or unauthorised access.
Risk #2: Spreadsheet-Based Record Keeping Without Encryption
Spreadsheets are allowed under MTD, but they are rarely encrypted by default. Shared drives, consumer cloud tools or weak access controls create serious risk if those files contain tax records, bank details or personal data.
Risk #3: Weak Multi-Client Access Management
Shared logins, lack of multi-factor authentication and uncontrolled staff access can create large-scale breach risk across every client in the practice.
Risk #4: Data Retention & GDPR Compliance
HMRC rules require:
- Income tax digital records to be kept for at least 5 years after the filing deadline.
- VAT records to be kept for at least 6 years.
MTD means these long-retention records must now be kept digitally, which increases exposure if they’re stored insecurely, on personal devices or in ungoverned cloud services.
Risk #5: Third-Party Software Vulnerabilities
Your MTD software’s vulnerabilities become your vulnerabilities. Weak patching, untested updates or poorly secured hosting environments all have a direct impact on every client whose data flows through that software.
Risk #6: Lack of Incident Response Planning
Most firms do not have an incident response plan for breaches or failures during MTD submissions. If a breach or outage occurs close to a filing deadline, it becomes both a technical and regulatory problem.
Risk #7: Staff Training Gaps
Human error remains the biggest risk: phishing for MTD credentials, misconfigured software, accidental data sharing or unauthorised downloads of client records. Without regular training and clear policies, even good technology can be undermined.
Download the Full MTD Security Compliance Checklist
To support firms in preparing for MTD ITSA and securing digital tax data, we’ve created a comprehensive, step-by-step security checklist covering:
- Software vetting and due diligence
- Access control and authentication
- Encryption and backup strategy
- Network security and segmentation
- Client onboarding and authorisation
- Incident response planning
- Ongoing monitoring and logging
- GDPR and retention alignment
- Vendor assurance and DPAs
- AI governance (if software includes AI features)
Mapping MTD Security to Cyber Essentials & ISO Standards
Cyber Essentials
MTD aligns strongly with Cyber Essentials’ five core controls, which form the baseline for any safe digital tax environment:
- Firewalls
- Secure configuration
- Access control
- Malware protection
- Patch management
ISO 27001
ISO 27001 provides end-to-end security governance around MTD data, including:
- Formal risk assessments
- Incident response and escalation
- Business continuity planning
- Supplier and software assurance
ISO 42001 (AI Management System)
If your MTD or accounting software includes AI features, ISO 42001 helps you:
- Identify and reduce risks such as bias or misclassification.
- Maintain transparency over AI-assisted decisions.
- Control and protect data used for AI training or inference.
GDPR Obligations for MTD Data
MTD does not override GDPR. It increases your responsibility to manage tax data securely, transparently and lawfully.
Legal Basis
Processing is typically justified under:
- Legal obligation (HMRC-required submissions).
- Contract (engagement terms with clients).
Data Subject Rights
Clients retain the right to:
- Access their records.
- Request rectification of inaccurate data.
- Request erasure once retention requirements expire.
Data Processor Agreements
Every MTD software vendor acting as a processor must provide a Data Processing Agreement (DPA) that clearly sets out:
- What data they process.
- How they secure it (technical and organisational measures).
- How and when they notify you of a breach (fast enough for you to meet the 72-hour ICO reporting window).
- Where data is stored and processed (e.g. UK/EU data residency).
2025–2027 MTD Security Risks & Emerging Threats
As MTD expands and more taxpayers fall under ITSA, the threat landscape is evolving. Key trends include:
1. Phishing Targeting MTD Credentials
Criminals increasingly spoof HMRC or software providers to steal login details and authorisation tokens. Both staff and clients need to recognise these scams.
2. API Exploits
As API use expands, attackers will probe for implementation weaknesses, misconfigurations and unpatched vulnerabilities in MTD software and related integrations.
3. Supply Chain Attacks
A breach at your software vendor can compromise every client you serve. Vendor due diligence, contractual controls and ongoing monitoring are now essential.
4. AI-Generated Fraud
Generative AI makes falsified records and supporting documents harder to detect. Firms need anomaly detection, robust review processes and clear accountability for sign-off.
⚠️ Case Study: What Happens When MTD Security Fails (Scenario)
Imagine a mid-sized firm using bridging software without verifying that data is properly encrypted. Attackers exploit a weakness in the bridge, accessing MTD submissions for more than 200 clients containing personal and financial data.
Consequences include:
- Significant ICO fine and regulatory scrutiny.
- 6–12 months of investigation and remediation work.
- Client compensation claims and possible legal action.
- Reputational damage and loss of existing and prospective clients.
- Potential cyber insurance refusal if “reasonable measures” were not in place.
All of this is largely preventable with secure software selection, encryption, proper vendor vetting and a clear incident response plan.
Conclusion: MTD Compliance Is Security Compliance
MTD represents a fundamental shift in how accounting firms collect, store and transmit tax data. The same digital infrastructure that improves efficiency also introduces new vulnerabilities.
By prioritising security, your firm will:
- Meet HMRC’s technical requirements.
- Comply with GDPR and data protection obligations.
- Align with Cyber Essentials and ISO frameworks.
- Protect clients from financial and reputational harm.
- Prepare for AI-driven workflows and future regulatory changes.
💡 The firms that treat MTD security as a strategic advantage—not a checkbox—will lead the industry.
The 2026 MTD ITSA deadline is approaching. Now is the time to begin strengthening your security posture.
