Digital service provider Architecture Reference Group (DARG) – 3 April 2025

The DSP Architecture Reference Group (DARG) meeting was held in Sydney on 3 April 2025.

Participation is available to those Digital service providers listed as DARG members for the 2025/26 years.

Key outcomes

Summary

Below is a summary of key outcomes. Note: the full key outcomes and presentation materials are available on the DSP Hub. 

Landscape overview

Reflections from the DSP Strategic Working Group (SWG)

Meeting topics and points of interest from the SWG held on 2 April 2025 were brought to the group, including: 

• the key questions from the ATO's Tax 3.0 delivery workshop
• the Counter Fraud Program and how DSPs can support it and mitigate potential risks
• that consultations will take place to refresh the digital strategy which has changed since it was initially developed
• an overview of the pre-lodgment assurance workshop.

Message Queue (MQ) Upgrade Horizon

The group was provided information on an MQ upgrade that would eventually enable containerisation, rapid deployment, and reduced timeframes for upgrades.

Dashboard monitoring

Opportunities and benefits of updating dashboards was discussed, and included: a Bluemix overview, the value of using an API for consuming dashboard data, and the importance of DSPs being able to see the backend health.

Considerations:

• ATO dashboards should be a real time indication of system health
• Bluemix represents the SBR entry point and not the SBR backend services
• webhooks would be a preferred solution.

Transport Layer Security (TLS) and Protective Security Policy Framework (PSPF) changes

• TLS 1.2 has been implemented. TLS 1.3 will be enabled in May 2025 - upgrading to TLS 1.3 will become mandatory in the future
• the ATO will be ensuring external platforms with known risks are not being used within ATO networks
• ISO/IEC 27001:2022 is a good baseline, OSF controls will continue to be uplifted
• consideration must be given to the ethical use of Artificial Intelligence (AI). 

Delivery insight and future program 

An overview of current initiatives was provided, including:

• Partnership Tax Return enhancements
• XBRL to XML conversion roadmap
• implementation of a global and domestic minimum tax (OECD Pillar 2)
• inclusion of a superannuation contribution on government funded Parental Leave Pay (PLP).

The AS2025 release is aligned with the June production release and EVTE is available for testing. The AS2009 service to be deprecated 31 December 2026.

The Business Implementation Guide (BIG) for Client Communication Service has been updated to include the addition of the ATO app as a communication channel. (See ATO CLNTCOMM.0001.2020 Business Implementation Guide)

Considerations:

• does the Secure File Transfer Protocol Functionality (SFTP) fit the technical interfaces that will go to the broader industry
• the AS2023 service remediation working group has not yet reconvened - if required, a meeting will be scheduled after Production release.

A summary of change advices can be found in the Tracking Budget Measures - DSP Hub - Online services for DSPs.

Modernisation of Tax Administration System (MTAS) program 

Tax Time 2026 will see further changes to the trust tax return labels, including an expansion of data validations, and strengthening the integrity of data processing through data validation. 

SRP (real-time responses) is unlikely to be supported by the trust return given the extensive backend validations that will be performed. Existing usage of SRP for the trust return would have to move to BBRP. 

For future state, APIs on Digital Services Gateway (DSG) are being considered for prefills.

Comments included:

• BBRP responses would be improved by providing a reason
• field formats should be aligned across forms and between SBR and DSG to enable seamless interactions
• a consistent approach is required when writing APIs.  

SBR1 Decommissioning - risks to transition

Discussion took place to discover opportunities for decommissioning SBR1 and moving to alternate platforms.

Key callouts:

• preference was for SBR1 to be switched off with minimal lead time
• consideration should be given to providing channels for the community/tax practitioners to lodge tax forms
• some DSPs may not have the technology or resources to move off SBR1
• education is needed to ensure SBR1 users understand the security vulnerabilities they may cause by not transitioning.

Wholesale expectations of myID

This collaborative discussion identified key use cases for DSPs to implement myID in their software. 

Discussion topics:

• scope expansion of myID usage (see Expanding the government system Digital ID System)
• by December 2026, private sector services can apply to the Digital ID Regulator to join the Australian Government Digital ID System to verify their users and customers
• the ATO is exploring options in the form of business verified credentials that could assist with client verification processes
• integration with Relationship Authorisation Manager (RAM) is being considered to help verify business representatives

Insights were given into how myID could be used in DSP software. Use cases included the facilitation of employee onboarding, international authentication, and user roles/delegations. 

Key callouts:

• Integrating M2M based tokens with myID based tokens should be considered.
• Financial constraints may reduce the take up of myID in software.

Feedback and comments from this session will inform future discussions.

Tax 3.0 

DSPs shared their views on the ATO's Tax 3.0 readiness. Discussing security, technical, and architectural aspects, along with future opportunities and necessary changes. 

To maintain momentum for Tax 3.0, the ATO will facilitate Think Tanks and refresh the Digital Strategy in 2025. A broader group of developers, including financial institutions and internationals, will be consulted to ensure comprehensive input. 

Key callouts:

• the ATO should push data to software providers instead of developers pulling data
• legislative changes are needed to support software developers
• AI will be essential in software products to stay competitive.

Other business 

• Further conversations are needed around BBRP reliability.
• A suggestion was made to remove truncation from old forms during updates. 

Next meeting: Thursday, 17 July in Docklands, Melbourne.

If you have any questions, contact the secretariat by email at DPO@ato.gov.au or please raise a ticket through the DSP service desk.