An authorised representative can transition a software product to the new solution by entering the provider and product details below and certifying that the product meets the requirements stipulated below.

Requirements:

  • My software product's terms and conditions will display the following declaration to my clients:
    • "I acknowledge that [software provider name], through the use of [software product name], is not providing an agent service and is not responsible for the preparation of any taxation, superannuation or other related documents on behalf of my business/entity. It can, however, submit transmissions (e.g. lodgements and prefill) through the SBR channel that my business/entity chooses to make through [software product name]."
  • My software will meet the following minimum user authorisation requirements:
    • Upon authentication, the software must recognise the role of the user (e.g. authorised business representative or intermediary). This role should determine what information the user is authorised to access and what functions they are able to undertake (for example, the software must recognise the difference between an authorised representative and an intermediary).
  • My software product will meet the following Software ID requirements:
    • A unique (read only) 'Software ID' must be provided to authorised users for each software subscription or instance of software via secured electronic communication (or over the phone).
    • The software must ensure the unique 'Software ID' of the software subscription or instance of software is automatically sent within the message of a transmission (Software ID not manually entered by client).
  • My software will meet the following minimum user authentication standards:
    • The pass phrase must be at least 6 characters long and consist of characters from at least two of the following character sets:
      • Lowercase alphabetic characters (a-z)
      • Uppercase alphabetic characters (A-Z)
      • Numeric characters (0-9)
      • Special characters
    • Failed authentication attempts:
      • Software developers must lock out user accounts after five failed log on attempts to reduce the risk of brute force attacks.
      • Software providers can implement a temporary lock out feature after five failed attempts (e.g. 10 minutes or 24 hours). Software developers must completely lock out the user account after a specific number of additional failed log on attempts (decided by the software developer).
      • Software must have a facility to allow authorised system administrators to reset locked accounts.
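
One way to implement the pass phrase and failed-attempt rules above, as an added example (not code from this page or its publisher). The function and class names are hypothetical; the hard lock threshold of 10 and the treatment of any non-alphanumeric character as "special" are assumptions, and the 10-minute temporary lock is the page's own example value.

```python
import string
import time

MIN_LENGTH = 6            # minimum pass phrase length stated on the page
MIN_CHARSETS = 2          # at least two of the four character sets
TEMP_LOCK_AFTER = 5       # failed attempts before the account is locked
TEMP_LOCK_SECONDS = 600   # the page's 10-minute example
HARD_LOCK_AFTER = 10      # assumption: the developer-chosen "additional" limit

def passphrase_ok(p):
    """True if p meets the minimum length and uses two or more character sets."""
    sets = [
        any(c in string.ascii_lowercase for c in p),
        any(c in string.ascii_uppercase for c in p),
        any(c in string.digits for c in p),
        any(not c.isalnum() for c in p),  # assumption: special = non-alphanumeric
    ]
    return len(p) >= MIN_LENGTH and sum(sets) >= MIN_CHARSETS

class Account:
    def __init__(self):
        self.failures = 0
        self.locked_until = 0.0   # expiry of the temporary lock, epoch seconds
        self.hard_locked = False

def attempt(acct, credentials_valid, now=None):
    """Record one log on attempt: 'ok', 'denied', 'temp_locked' or 'hard_locked'."""
    now = time.time() if now is None else now
    if acct.hard_locked:
        return "hard_locked"
    if now < acct.locked_until:
        return "temp_locked"      # rejected even if the credentials are correct
    if credentials_valid:
        acct.failures = 0
        return "ok"
    acct.failures += 1
    if acct.failures >= HARD_LOCK_AFTER:
        acct.hard_locked = True   # only an administrator reset clears this
        return "hard_locked"
    if acct.failures >= TEMP_LOCK_AFTER:
        acct.locked_until = now + TEMP_LOCK_SECONDS
        return "temp_locked"
    return "denied"

def admin_reset(acct, actor_is_admin):
    """Reset facility restricted to authorised system administrators."""
    if not actor_is_admin:
        raise PermissionError("only authorised system administrators may reset")
    acct.failures, acct.locked_until, acct.hard_locked = 0, 0.0, False
```

Attempts made while a temporary lock is active are rejected without being counted, so the hard lock is only reached by failures made after each temporary lock expires.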
Last updated: 05 Sep 2018