Are you sharing too much? The risks of giving your ITR credentials to CAs

To enhance security and accountability, it’s suggested that authorizing CAs for tax filing on the e-filing portal should be mandatory, as it is for tax audits. (Image:  Pixabay)
To enhance security and accountability, it’s suggested that authorizing CAs for tax filing on the e-filing portal should be mandatory, as it is for tax audits. (Image: Pixabay)


  • You do not need to share ITR login and Password with Your CA. Here are the alternatives

When it comes to cyber hygiene, the golden rule is: “Don’t share your login ID, password, or OTP with anyone." This is especially true for financial services. Yet, when filing income tax returns (ITR), the Income Tax (IT) department seems to be sleeping on this crucial advice.

The dilemma of sharing credentials

Hiring a chartered accountant (CA) to file your tax return often requires sharing your login credentials for the ITR filing portal. Without these, the CA cannot submit your ITR online. Surprisingly, there’s no dedicated section in the taxpayer’s account for CAs to be authorized to file returns. As Sambhav Daga, a practising chartered accountant, explains, “Only those cases where mandatory tax audit is required or the CA has to represent the assessee in a matter, CA has to be added as the authorised partner in their account. For just tax filing, it’s not compulsory."

This loophole means anyone with your credentials, even non-professionals, can file your ITR without authorization. This access also exposes sensitive information, including past tax returns and bank account details.

Read this | Income tax deadline looms: Know your ITR forms to avoid penalties

CAs that Mint spoke to noted that only a few taxpayers express concerns about sharing their login credentials, while most are comfortable doing so. “New clients who sign up online and haven’t met us in person or have not come to us through another client are apprehensive of sharing all their financial information," said Karan Batra, founder,

Daga concurred, saying that only 1 out of 10 clients exhibit this hesitation. “These are new clients, and after using the services of the same CA for two or three years, they willingly share their login credentials thereafter," he said.

In fact, it’s common practice for tax firms to maintain a database of their clients’ login credentials. “It’s time-consuming to call each client every time the tax professional needs some information. Even most assessees don’t like that," said a partner in a tax firm, speaking on the condition of anonymity.

(Graphics: Mint)
View Full Image
(Graphics: Mint)

Alternatives to sharing credentials

However, for those uneasy about sharing personal details, there are alternatives. Instead of providing login details, taxpayers can send necessary documents like the Annual Information Statement (AIS), Form 26AS, and Taxpayer Information Summary (TIS) directly to their CA. The CA then prepares the ITR and sends it back to the taxpayer for them to submit it themselves. However, this process is not as straightforward as it sounds. It can mean extra work, as the documents cannot be sent as PDFs or Excel sheets to the CA.

“We need the details in a technical format to import the information into the software used for preparing the ITR. The documents have to be in JSON or XML format," said Batra.

More here: Own foreign stocks or MNC Esops? Omit them from ITR at your peril

Some CAs ask for files in both PDF and technical formats as they need the former to read the details and the latter to prepare the ITR.

Once the ITR is prepared, the CA sends back the prepared ITR also in JSON format, as the tax filing utility does not accept other files. “This involves back and forth as we first share the draft ITR as a PDF for the assessee to check, and later in JSON format, which they can use to submit the ITR," said Batra.

This process can also be more costly, with some CAs charging an additional 10-20% due to the increased time and effort involved.

The role of e-Return Intermediaries (ERI)

Another solution is engaging an e-Return Intermediary (ERI). These tax professionals have licences issued by the tax department, allowing them to file returns without accessing the taxpayer’s login details.

Tax filing platforms like Clear and Quicko have ERI licenses. When you file your ITR through one of these platforms, your ITR is submitted through their APIs (Application Programming Interface) integrated with the IT e-filing portal. Even when you opt for their CA-assisted option to file the tax return, your personal details remain secure with the platform.

“The CA who assists in tax filing on Clear cannot download the assessee’s documents. Nor is the customer required to share their phone number, email ID, or any other information with the CA. The CA files the ITR on our platform, after which their access to the taxpayer’s tax return is cut off," highlighted Avinash Poleppaly, senior director -product and business head at Clear.

The IT e-filing portal provides a list of all the ERIs. There are three types of licences issued: type 2 licences for online platforms like Clear, which grant API access; type 1 licences for professionals who file ITRs using offline utilities; and type 3 licences for CAs. If you prefer not to use platforms like Clear, you can look up CAs under the type 3 licence list.

However, there are only 32 ERIs holding type 3 licences, as per the Income Tax website. These include major tax firms like EY which means taxpayers have limited options that fit their budget.

The IT department rolled out type 3 licenses two years ago, but uptake has been low. An ERI-licensed tax professional, who wished to remain anonymous, told Mint, “The process is easy, but the department is not issuing them readily. A mix of lack of awareness and difficulty in obtaining the license is preventing more tax professionals from taking it."

The need for secure authorization

To enhance security and accountability, it’s suggested that authorizing CAs for tax filing on the e-filing portal should be mandatory, as it is for tax audits.

“Apart from securing taxpayer’s personal information, it will also bring in accountability for CAs who wrongly advise clients to claim bogus tax deductions," Daga asserted.

Also read: How Section 80C of IT Act has fallen out of sync with inflation

By implementing mandatory authorization, the IT department can safeguard sensitive taxpayer information and ensure greater accountability within the tax filing process.

Catch all the Business News, Market News, Breaking News Events and Latest News Updates on Live Mint. Download The Mint News App to get Daily Market Updates.