ISLAMABAD: Federal Tax Ombudsman (FTO) has out-rightly rejected the Federal Board of Revenue’s (FBR) policy of expiry of passwords of taxpayers and directed the FBR to issue a new policy.
According to the FTO’s directive to the FBR, it is found that the password expiry policy without consultation with the taxpayers is arbitrary and unfair, hence constitutes maladministration in terms of the FTO Ordinance 2000.
Details of the case revealed that following multiple complaints, an own motion investigation was initiated while exercising powers under the FTO Ordinance 2000, regarding recent policy of FBR for change of passwords every 60 days for all taxpayers which created hardships for taxpayers.
A taxpayer while using the “forgot password” option will have to go through the steps having eight entries to make before getting access to his data. However, applying the same procedure to all the taxpayers/registered person is a harsh measure and tantamount to extra drain on taxpayers’ resources. Ideally, the FBR first should have identified taxpayers whose data was frequently prone to cyber security attacks and data breaches. It would have been appropriate if the data update measures were restricted to such vulnerable taxpayers only. The step was taken on the recommendations of internal committee of PRAL/FBR and no other stakeholder was involved for input on the issue.
Alternatively, the taxpayers’ password should not expire. However, they may be alerted by warning text, “You have not changed your password for long and are prone to threat of hacking”. This policy is being followed in banks and they use warning message for their customers to take care of their passwords.
FTO has directed Secretary Revenue division to form a committee including all the stakeholders and business community leaders to review the current policy of password updates every 60 days for all the taxpayers and formulate a new policy after obtaining inputs from all the stakeholders.
Copyright Business Recorder, 2025
