API risk ratings

Find information about our API risk ratings including:

Our API risk model

As part of the Digital service provider (DSP) Operational Framework, we have categorised our application programming interfaces (APIs) by rating them according to a tiered level of risk model.

To determine the risk associated with our APIs being made available externally we combine the characteristics with the potential business risks. The level of risk model is based on the characteristics and potential fraud that could occur through consumption of the API such as sensitivity of content, type of content and the resulting action from the interaction.

Our API risk ratings are:

The ATO Service Registry (SR) on sbr.gov.au includes a 'risk profile' section, within ‘Service actions’, where services have been allocated to the appropriate risk category.

Risk rating 1 – No risk

Characteristics

  • Access is only to generic data or data that is intended to be publicly available.

API examples

  • Apply for advice or ruling.
  • View Australian Business Register (ABR) data.

Risk rating 2 – Low risk

Characteristics

  • An initial registration, where the request or submission results in creating registration data in the client register or ATO systems. This may include personal, sensitive or private data with the initial creation.
  • A request or submission results in, or could result in:
  • viewing or updating registration data in/from the client register or ATO systems. Data excludes personal, sensitive or private data
  • providing account data attached/captured in the client register or ATO systems such as lodge Single Touch Payroll pay event or dividend/interest report.
  • A user response does not contain personal, sensitive or private client data, such as a tax file number (TFN) or name, nor confirm through validation.

API examples

  • Add a tax role
  • View activity statement role
  • Apply for Australian Business Number (ABN)
  • Check ABN registration progress
  • Third party transfer of data to ATO
  • Tax file number declarations
  • Taxable payments annual report (TPAR)
  • Payment summary.

Risk rating 3 – Medium risk

Characteristics

  • A request or submission results in, or could result in viewing or updating account data in/from the client register or ATO systems. For example, returning an account/transaction list or updating a credit or debit position on an account.
  • A response contains or could contain personal, sensitive or private client data that was provided as part of the users’ request. For example, a TFN is provided in the users request and is confirmed in the user response.
  • A response validates by way of interaction with the client register or ATO systems personal, sensitive or private client data. For example, validating a TFN, address or financial institution account (FIA) in ATO systems.

API examples

  • Account list
  • Transaction list
  • Lodgment list
  • Fund validations service list
  • Outcome of assessment data
  • Lodge an activity statement or excise return.

Risk rating 4 – High risk

Characteristics

  • A request or submission results in, or could result in updating personal, sensitive or private client data in the client register or ATO systems.
  • A response contains, or could contain personal, sensitive or private client data that was not provided as part of the users request. For example, additional information such as a TFN or FIA is provided in the user response.

API examples

  • View and update address, contacts and FIA
  • Get communication view
  • Make payment plan (could update FIA)
  • Lodge Income Tax Return (could update FIA and name)
  • Lodge Fringe Benefits Tax Return (could update FIA and name)
  • SuperTICK
  • EmployerTICK
  • Client pre-fill data.

Identifying the characteristics of an API  

We have identified the characteristics of an API by considering the following.

Consideration Description/examples

Type of data contained in the  API

 

The type of data contained in an API can be classified into four groups:

  • Public - considered to be generic and readily available in the public domain. For example, ABR public data.

     
  • Registration - considered to be creating or updating the tax and/or super profile of the client. For example, applying for an ABN, adding or updating a GST or Excise registration.

     
  • Account - considered to be any financial or non-financial data about the tax and/or super profile of the client. For example, reportable income, deductions, payments, offsets etc.

     
  • Personal, sensitive or private - considered to be information about an identified individual or entity which could be used to identify who the client is or proof of record ownership (PORO). For example, TFN, address, FIA, contacts and non-public information from the ABR. See the Office of the Australian Information Commissioner (OAIC) website for more information. 

Type of data contained in the API response

 

For example, the response contains:

  • only generic messaging or public data e.g. successful transmission or an ABN
  • non interactive message validation without confirming client data
  • interactive message validation confirming client data
  • tax or super registration data
  • tax or super account data
  • personal or sensitive client data that was provided in the request
  • personal or sensitive data that was not provided in the request.

Resulting action in the client register or ATO systems, based on the API request or submission

 

Examples include:

  • information is provided and is only attached or captured against the client record
  • the client record is updated
  • information from the client record is returned to the user.

Identifying the business risk

We have identified the business risk by considering where the action may directly or indirectly lead to fraudulent activity. The three main business risks are listed below.

Business risk Description

Information gain

  • Identity theft – for example, obtaining personal or sensitive information to steal or sell an identity.
  • Personal gain – for example, obtaining personal or sensitive information to gain power or knowledge of another person.
  • Commercial advantage – for example, obtaining business information to gain power or knowledge of a competitor.

Financial gain

  • Directly obtaining refund – for example, updating FIA to obtain a refund.
  • Indirectly obtaining refund – for example, adding a tax registration that could lead to a lodgment with a refund.

Destructive behaviour

  • Individual hack – for example, a malicious actor creates incorrect records on a client account to cause harm or nuisance.
  • System hack – for example, malicious attempt to crash a service or system (denial of service attack).

Contact us

For further information and to provide feedback email DPO@ato.gov.au

Find out more