From multi-factor authentication to corporate criminal prosecutions, HMRC is systematically closing the gaps in its enforcement infrastructure. Here’s what practitioners need to know — and do — before the deadlines hit.
There’s been a quiet shift in how HMRC talks about tax agents over the past twelve months. The language has moved from “partnership” to “accountability.” From “guidance” to “mandation.” And starting April 7, 2026, that shift becomes something you’ll see every time you log in.
HMRC is introducing mandatory multi-factor authentication (MFA) for tax agents accessing GOV.UK services. It’s been in testing with a volunteer group since early 2026, with a wider roll-out confirmed for the end of June. But the awareness campaign starts in two weeks — and if you’re not ready, you’re going to feel it.
What’s actually changing
From April 7, every agent signing in to their HMRC account on GOV.UK will see a new page promoting the MFA roll-out, with links to the updated Tax Agent’s Handbook. This isn’t optional — it’s a mandatory step in the sign-in journey.
The full MFA requirement is currently targeted for delivery by end of June 2026, though HMRC has caveated this as “subject to successful testing.” In practice, that means agents should assume June is the hard deadline and plan accordingly.
There are some important nuances. The changes only apply to web sign-in on GOV.UK. PAYE and Making Tax Digital for VAT services are unaffected — for now. But if you use automated processes or third-party software for your sign-in journey, HMRC has explicitly warned that you should “check whether any software updates are needed and allow time for those adjustments.”
That’s HMRC-speak for: if your workflow breaks, that’s your problem.
Why now?
The timing isn’t coincidental. HMRC has been dealing with a persistent problem: compromised agent accounts. When an agent’s credentials are stolen or shared, the attacker doesn’t just get access to one tax return — they get access to every client on that agent’s books. It’s a systemic vulnerability, and HMRC has been under pressure to close it.
The announcement notes that HMRC will be “contacting agents who they recognise would benefit from early adoption of the additional security MFA offers.” Read between the lines: this means agents who’ve previously had their accounts suspended or who’ve reported security incidents. If you get that call, it’s not a suggestion — it’s a strong hint that your account has been flagged.
For larger practices running automated sign-in processes, this is potentially disruptive. Many firms use scripted or software-managed authentication to handle large client portfolios. MFA introduces a human-in-the-loop requirement that could break those workflows unless software providers update their integrations before June.
The enforcement picture is broader than you think
MFA isn’t happening in isolation. HMRC has been systematically tightening its enforcement infrastructure across multiple fronts, and the numbers tell the story.
The latest update on Corporate Criminal Offence (CCO) investigations, published in the week ending 17 March, shows HMRC is actively pursuing 11 live CCO investigations as at 31 December 2025. It has secured one charging decision and has a further 32 opportunities under review. An additional 126 opportunities have been reviewed and rejected.
These numbers are small in absolute terms, but the trend matters. The CCO was introduced in September 2017 and spent its first several years largely dormant — dismissed by many practitioners as a paper tiger. The fact that HMRC now has 11 active investigations and one prosecution suggests the enforcement machinery is warming up.
The CCO targets corporates that fail to prevent the facilitation of tax evasion by their “associated persons” — which includes employees, agents, and other intermediaries. If you’re a tax agent, you are exactly the kind of associated person that HMRC’s CCO framework was designed to cover. The link between agent account security (MFA) and corporate liability (CCO) is not lost on HMRC’s enforcement division.
Meanwhile, digitisation marches on
Running alongside these enforcement developments is HMRC’s ongoing programme to digitise and standardise every aspect of the tax return process.
The consultation on modernising company tax returns, which closes on 2 June 2026, proposes full prescription of computation formats — meaning standardised, fully tagged XBRL submissions — along with mandatory online filing for amended returns. HMRC’s proposed timeline would see final specifications published by September 2026 and a live pilot running from October 2027.
Separately, HMRC has launched a call for evidence on business systems integration, looking at how accounting software, point-of-sale systems, and banking platforms could be connected to reduce manual data entry. Responses are due by 4 June 2026.
The pattern is clear: HMRC wants to see more data, in a standard format, flowing through digital channels that it controls. Manual processes, paper amendments, and unstructured submissions are being systematically eliminated. Each of these initiatives individually might seem manageable. Together, they represent a fundamental shift in how HMRC expects agents and businesses to operate.
What you should do now
If you run or work in a tax practice, here’s the practical checklist:
- Audit your sign-in processes. Identify every person and system that accesses your HMRC agent account. Determine which ones rely on automated sign-in flows and flag them for potential MFA disruption.
- Contact your software providers. Ask specifically whether their products will support MFA for GOV.UK agent sign-in by June 2026. Get written confirmation and a timeline.
- Review your CCO procedures. If you haven’t revisited your reasonable prevention procedures since 2017, now is the time. The enforcement numbers are climbing, and “we didn’t think they’d actually prosecute” is not a defence.
- Respond to the consultations. The company tax return and business systems integration consultations both close in early June. These are genuine opportunities to influence implementation — particularly on the exemptions for mandatory online filing of amendments, where digital exclusion and enquiry-related amendments are still being shaped.
- Plan for the year ahead. Between MFA (June), MTD for income tax (ongoing), the CT600 consultation (closing June), and the business systems integration call for evidence (closing June), Q2 2026 is going to be one of the most change-intensive quarters practitioners have faced in years. Get your project plan together now.
The bottom line
HMRC is no longer content to be a passive recipient of whatever tax agents choose to file, in whatever format, through whatever login method they prefer. The direction of travel is unmistakable: standardised data, secure access, digital-only channels, and meaningful enforcement for those who don’t comply.
The agents who adapt early will find that most of these changes — particularly MFA and standardised computation formats — actually make their lives easier once implemented. The ones who wait will spend Q3 firefighting.
Two weeks until April 7. Start now.
Tanous is a UK advisory firm specialising in tax strategy, M&A, and CFO services. If you need help preparing your practice for HMRC’s digital transformation programme, get in touch.