Operational framework

This page provides information about the Operational framework for you and your products.


The Operational Framework is part of our response in recognising and responding to the increased risks posed by API based (wholesale) digital services. These risks arise because of the significant increase in the volumes of APIs being made available; significant growth in the range, number and complexity of digital service providers, and increased volumes and velocity of transactions.

We are at the forefront of API exposure and are significantly more advanced than other revenue agencies. We recognise that we are creating new opportunities and will thus need new frameworks and technologies for the emerging world of APIs.

The framework identifies the commitment to:

  • enrolment, identification, authentication and authorisation technologies being made available to clients,
  • streamlining the registration and whitelisting process to consume our APIs; and
  • security measures including ongoing monitoring to safeguard sensitive client data.


June 2017

Since September 2016, work has been underway to develop the elements of the framework. We have identified five threshold considerations on which it needs to determine a position. These are:

  • registration and whitelisting,
  • multi-factor authentication,
  • onshore/offshore hosting arrangements,
  • supply chain visibility, and
  • encryption in transit.

We are working with ABSIA and other industry associations on ensuring our requirements are practical but sufficiently protect the integrity of the taxation and superannuation system.

September 2016

An update (PDF, 732.39KB) of the certification component of the framework was discussed at the Strategic working group (SWG). The group was informed that the purpose of the questionnaire is to advise us about the product, environment and work practices of developers. We will use the information to make a decision on granting access to transact electronically. There is no minimum requirement other than completing the questionnaire accurately. Minutes (PDF, 377.49KB) are available.

August 2016

An update (PDF, 732.39KB) was prepared following the discussion at the Technical Working Group (TWG) meeting. The latest version (0.8) of the instructions (PDF, 438.29KB) to assist SWD to complete the security operational questionnaire is now available.

July 2016

The draft minimum Third party products and services minimum security requirement and Third party products and services security policy requirements were shared at the 21 July 2016 Technical working group. Minutes (PDF, 361.69KB) are available.

Action items include:

  1. The ATO to confirm to developers it complied with the minimum security requirements.
  2. ATO General Counsel to advise whether the consultation papers represent a software developer indemnity.
  3. The ATO to publish a summary of the security review outlining the intent behind and recommendations to provide minimum security requirements to software developers.

April 2016

The Operational framework for developers and service providers (PDF, 724KB) is now available. Feedback can be provided to the Software Industry Partnership Office at any time.

Working group members

Consultation with the working group is complete.

Consultation (meetings, seminars, workshops)


  • 8 September - Strategic working group
  • 21 July – Technical working group
  • 3 March – ATO-SwD Partnership Event – framework discussion
  • 17 February – Phone meeting on proposed certification minimum requirements with working group
  • 19 January – Phone meeting on certification with the working group


  • 17 December – Initial phone meeting on registrations with the working group
  • 25 November – ABSIA representative at ATO workshop in Canberra


 For feedback and questions email Software Industry Partnership Office.