An actual link to the ATO Digital Service Providers (DSP) requirements is here, where you can read it from the horse's mouth.
https://softwaredevelopers.ato.gov.au/operational_framework/further-guidance-requirements
Multi-Factor Authentication (MFA) MUST be implemented and cannot be turned off; however, it does not say the same for inactivity timeout. You will note there are certain areas of the regulations where the terms 'must', 'should' etc. etc. apply.
Your business analysts should have consulted with the users (i.e. customers) and asked whether we want an opt out or switch-off function. Some sort of acceptance of liability on the customer side would be reasonable. I must say I have only used MYOB for a few months and a switch to Xero is looking likely as it is clear your software change management is almost non-existent.
Hi Thorns001, the exact piece from the ATO on inactivity has been shared a few times in the thread. Sorry if you missed it.
You can find it on this page here
https://softwaredevelopers.ato.gov.au/operational_framework/further-guidance-requirements
And snipped below for you as well.
We have worked alongside the ATO to implement these changes and can assure you it was not a random interpretation of the requirements.
- Wiffco, 28 days ago, Cover User
Mike, I think the crux of the problem here is you guys are just not listening. There are many options available to you which for some reason you are choosing to ignore. Firstly, you could have allowed users to run their own desktop files and only sign in to lodge STP. You already know how to make that work, that's what we did with STP phase 1. And the ATO is clear on this, they talk about a hosted system, as in files that are online, this is where the security requirement comes in. So give users the option to take their files offline! Secondly you already have a user security structure within MYOB that blocks access to payroll information, yet you are choosing to not use any of it. Even worse, in the trade desk / retail environment setup mentioned in this thread, you forced users to activate payroll, which then in turn forces the use of the lockout. My problem is, you have never explained WHY you have gone down this path. You have a team of programmers, you must be rolling in money because ever since STP the subscription fees have gone up 50% or more. This used to be a great product but the attitude of MYOB is really starting to get to people. Look how long it took us to be able to put more than 256 characters in an Invoice line. That was like 5 years!!! This is your opportunity to turn things around and show your customer base you care. I implore you, don't mess it up!
- Jo15, 27 days ago, Experienced Cover User
Sorry, now attached, see the notes section! regarding not intended for the end user!
- MikeG1, 27 days ago, Admin
Good morning Jo15, as previously stated, MYOB worked alongside the ATO to implement these changes.
It has not been the case where MYOB has chosen to interpret the guidelines set by the ATO however we please.
The changes made by MYOB around 24-hour 2FA and the 20-30 minute inactivity timeout adhere to the expectations and guidelines set by the ATO.
We have openly provided the links to the ATO as evidence of why these changes are being made, not so that alternative interpretations can be found of the guidelines.
- Jo15, 31 days ago, Experienced Cover User
That's ridiculous, same BS. I just clicked onto the page you sent! Cannot find anywhere it is telling MYOB to time out their client's software! The only time I am connected to the ATO is when I have processed payroll and upload to the ATO! All other time I am NOT CONNECTED TO THE ATO! I don't get it.
- MikeG1, 31 days ago, Admin
Hi Jo15, once on the page you could try ctrl + F and then search the word 'inactivity'. Or else I snipped the piece of the article in my reply above already.
MYOB's software connects to the ATO so must adhere to these requirements regardless of whether the individual file has payroll in use, the connection exists regardless.
- Jo15, 30 days ago, Experienced Cover User
I tried this on the ATO website and nothing came up with this search????
once on the page you could try ctrl + F and then search the word 'inactivity