2014 P T D 1353

[Federal Tax Ombudsman]

Before Dr. Muhammad Shoaib Suddle, Federal Tax Ombudsman

WAHEED SHAHZAD BUTT

Versus

SECRETARY, REVENUE DIVISION, ISLAMABAD

Complaint No.20/ISD/FBR(1)/507 of 2013.

Income Tax Rules, 2002---

----R.73 (6)---Establishment of the Office of Federal Tax Ombudsman Ordinance (XXXV of 2000), S.2(3)---Maladministration---Manipulation of data by an unauthorized E-Intermediary---Complainant contended that in the e-system designed by the Federal Board of Revenue, anyone could exploit the verification process of the Election Commission of Pakistan, by filing income tax returns/wealth statements without the actual taxpayer's consent, permission or knowledge; and any election contestant could damage his opponent's candidature through filing his wrong income tax returns/wealth statements through an E-Intermediary---Validity---Revenue could not offer any plausible, justifiable defense against the evidence provided by the complainant---Federal Board of Revenue appeared to have badly failed to devise a secure automated online system to safeguard confidential and classified data of taxpayers---Gross negligence and incompetence together with possibility of collusion of Pakistan Revenue Automation Limited employees with criminal elements could not be ruled out---All such was maladministration---Federal Tax Ombudsman recommended that Federal Board of Revenue (i) take immediate remedial steps to ensure foolproof security of taxpayers' data; (ii) create a system where addition of a client of E-Intermediary was predicated on verification by the Commissioner concerned, the system not to issue the activation code without the electronic approval by the Commissioner; (iii) ensure that annual withholding statements and withholding certificates etc. generated through the Federal Board of Revenue web portal do not end up in fraudulent criminal hands; and (iv) commission a thorough investigation by a credible third party in relation to the vulnerabilities of the system.

Sardar Irshad Shaheen, Advisor for Dealing Officer.

Waheed Shahzad Butt, for Authorized.

Imtiaz Ahmad, CEO, PRAL, Rafi, Manager PRAL, Nasir Khan, Deputy Director, I&I, FBR, Islamabad, I&I, FBR, Islamabad, for Departmental Representative.

FINDINGS/RECOMMENDATIONS

DR. MUHAMMAD SHOAIB SUDDLE, FEDERAL TAX OMBUDSMAN.---The complainant, an advocate by profession, has alleged maladministration on the part of the FBR involving negligence and incompetence in ensuring security/safety of taxpayers' confidential and classified data.

2. The main contention of the complainant is that any E-Intermediary (EI) can show a taxpayer as his client in the FBR's e-system even without knowing his e-mail ID or mobile number, thereby breaking into the confidential data held by the FBR.

3. In order to ascertain the genuineness of the complaint, the complainant and the relevant officials of FBR, including CEO PRAL were called for a hearing on 2-4-2013. The CEO PRAL, Mr. Imtiaz Ahmed, Manager PRAL, Mr. Rafi along with a representative of FBR, Mr. Nasir Khan, attended the proceedings.

4. The complainant, who is a registered EI, practically demonstrated how easy it was to have unauthorized access to confidential data of any taxpayer. During the hearing, he took the mobile number of the FBR representative, Mr. Nasir Khan, and requested the FBR's e-system to add Mr. Nasir Khan as his client. Shockingly, the e-system immediately sent an activation code to the personal mobile number of Mr. Nasir Khan without cross-verifying whether or not he was actually the EI of Mr. Nasir Khan. Done during the hearing, it established severe flaws in the FBR's e-system.

5. The complainant next demonstrated that it was not necessary to use the mobile number of the taxpayer to break into the system. Any mobile number could be used to show a taxpayer as a client of the EI. Also, the data of a taxpayer could be manipulated without his permission, consent and knowledge.

6. The complainant then demonstrated how the withholding tax statement of a government department could be successfully filed. He filed the withholding statements of Election Commission of Pakistan, Federal Public Service Commission, Cabinet Division, and FTO Secretariat. With permission, he successfully manipulated the FBR's e-system to show himself as an employee of FTO Secretariat who was paid a salary of Rs.25 million, with income tax deducted on his salary at Rs.5 million for tax year 2011. If that was not enough FBR's e-system, he filed a return of income of FTO Office for tax year 2010 with the Electronic Document Number (EDN) 31531105 showing an income of Rs.100 billion, with Rs.25 billion as tax paid by the FTO Secretariat and Rs.99 (only) as refund due.

7. The complainant remarked that if FBR data was any guide for the purposes of verification of income declared in the tax returns and tax paid, then FTO Secretariat was the 'highest tax-paying institution' that had deposited Rs.25 billion income tax in tax year 2010.

8. The complainant added that in the e-system designed by FBR, anyone could exploit the verification process of the Election Commission of Pakistan, by filing income tax returns/wealth statements without the actual taxpayer's consent, permission or knowledge. Also, any election contestant could damage his opponent's candidature through filing his wrong income tax returns/wealth statements through an EI. In other words, the whole ECP verification process could be manipulated. Even a candidate could manage to show that he was a regular taxpayer, without being an NTN holder.

9. The complainant further added that for adding a taxpayer as a client of an EI, it was necessary to attach an authority letter from him, which was not being followed by PRAL. A taxpayer having NTN certificate and e-enrollment is required to confirm through his mobile number his e-mail address which is already available with PRAL. Only after checking his e-mail is PRAL supposed to send the activation code, and only to the taxpayer's number.

10. Though the extreme vulnerability of FBR's e-system was demonstrated publicly, the CEO PRAL was not ready to accept the naked truth. He contended that it was a legal requirement under Rule 73(6) of the Income Tax Rules, 2002 that a taxpayer must authorize the EI through authority letter and only then he could add him as his client. However, the authority letter could not be cross-checked by the presently devised e-system, but could be called by the concerned tax officer, if he so desired. He also denied that the data of any taxpayer could be manipulated by an unauthorized EI.

11. The D.Rs. could not offer any plausible, justifiable defense against the evidence provided by the complainant. They could not belie the withholding statements and tax returns of FTO Secretariat, among others.

FINDINGS:

12. FBR appears to have badly failed to devise a secure automated online system to safeguard confidential and classified data of taxpayers. Gross negligence and incompetence together with possibility of collusion of PRAL employees with criminal elements could not be ruled out. All this is reflective of maladministration as defined in section 2(3) of the FTO Ordinance 2000.

RECOMMENDATIONS:

13. FBR to--

(i) take immediate remedial steps to ensure foolproof security of taxpayers' data;

(ii) create a system where addition of a client of EI is predicated on verification by the Commissioner concerned. The system must not issue the activation code without the electronic approval by the Commissioner;

(iii) ensure that annual withholding statements and withholding certificates etc. generated through the FBR web portal do not end up in fraudulent criminal hands;

(iv) commission a thorough investigation by a credible third party in relation to the vulnerabilities of the system; and

(v) submit compliance report within 30 days.

CMA/35/FTO

Order accordingly.
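
The control in recommendation 13(ii), combined with the procedure described in paragraph 9, can be expressed as an ordered workflow. The following is an added illustration, not part of the reported order and not FBR or PRAL code; every identifier, NTN, mobile number and class name in it is a constructed placeholder.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed records: mobile number on file and Commissioner having jurisdiction.
REGISTERED_MOBILE = {"NTN-0000001": "+92-300-0000001"}
JURISDICTION = {"NTN-0000001": "CIR-ZONE-A"}

class LinkError(Exception):
    pass

@dataclass
class LinkRequest:
    ei_id: str
    taxpayer_ntn: str
    authority_letter: bytes              # Rule 73(6) authority letter as uploaded
    approved_by: Optional[str] = None    # set only by the Commissioner concerned
    code: Optional[str] = None           # pending activation code, single use
    active: bool = False

class ClientLinkService:
    def __init__(self):
        self.outbox = []  # (mobile, code) pairs a real system would pass to SMS

    def submit(self, ei_id, taxpayer_ntn, authority_letter, mobile=None):
        # `mobile` is accepted and ignored: the destination is never caller-chosen.
        if taxpayer_ntn not in REGISTERED_MOBILE:
            raise LinkError("unknown taxpayer")
        if not authority_letter:
            raise LinkError("authority letter required")
        return LinkRequest(ei_id, taxpayer_ntn, authority_letter)

    def approve(self, req, commissioner_id):
        if commissioner_id != JURISDICTION[req.taxpayer_ntn]:
            raise LinkError("not the Commissioner concerned")
        req.approved_by = commissioner_id

    def issue_code(self, req):
        if req.approved_by is None:
            raise LinkError("no Commissioner approval; code not issued")
        req.code = secrets.token_hex(4)
        self.outbox.append((REGISTERED_MOBILE[req.taxpayer_ntn], req.code))

    def activate(self, req, ei_id, code):
        ok = (req.code is not None and ei_id == req.ei_id
              and hmac.compare_digest(code, req.code))
        req.code = None  # burn the code whether or not the attempt succeeded
        req.active = req.active or ok
        return ok
```

The activation code is bound to the requesting EI and to the taxpayer's number on record, so neither a substituted mobile number nor a second EI can complete the link.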