Our API risk model
As part of the Digital service provider (DSP) Operational Framework, we have categorised our application programming interfaces (APIs) by rating them according to a tiered level of risk model.
To work out the risk associated with our APIs being made available externally, we assess API characteristics against the potential business risks. This level-of-risk model is based on the characteristics and potential fraud that could occur through consumption of the API, such as sensitivity of content, type of content and the resulting action from the interaction.
Our API risk ratings are:
- 1 – no risk
- 2 – low risk
- 3 – medium risk
- 4 – high risk
Risk rating 1 – No risk
Access is only to generic data or data that is intended to be publicly available.
- Apply for advice or ruling
- View Australian Business Register (ABR) data
Risk rating 2 – Low risk
This is an initial registration, where the request or submission results in creating registration data in the client register or ATO systems. This may include personal, sensitive or private data with the initial creation.
A request or submission results in, or could result in:
- viewing or updating registration data in or from the client register or ATO systems. Data excludes personal, sensitive or private data
- providing account data attached/captured in the client register or ATO systems such as lodge Single Touch Payroll pay event or dividend/interest report.
A user response does not contain personal, sensitive or private client data, such as a tax file number (TFN) or name, and does not confirm such data through validation.
- Add a tax role
- View activity statement role
- Apply for Australian Business Number (ABN)
- Check ABN registration progress
- Third party transfer of data to ATO
- Tax file number declarations
- Taxable payments annual report (TPAR)
- Payment summary
Risk rating 3 – Medium risk
This is a request or submission that results in, or could result in, viewing or updating account data in or from the client register or ATO systems. Examples are returning an account/transaction list or updating a credit or debit position on an account.
A response contains, or could contain, personal, sensitive or private client data that was provided as part of the user's request. An example is when a TFN is provided in the user's request and is confirmed in the user response.
A response validates personal, sensitive or private client data by interacting with the client register or ATO systems. Examples are validating a TFN, address or financial institution account (FIA) in ATO systems.
- Account list
- Transaction list
- Lodgment list
- Fund validations service list
- Outcome of assessment data
- Lodge an activity statement or excise return
Risk rating 4 – High risk
This is a request or submission that results in, or could result in, updating personal, sensitive or private client data in the client register or ATO systems.
A response contains, or could contain, personal, sensitive or private client data that was not provided as part of the user's request. An example is when additional information, such as a TFN or FIA, is provided in the user response.
- View and update address, contacts and FIA
- Get communication view
- Make payment plan (could update FIA)
- Lodge Income Tax Return (could update FIA and name)
- Lodge Fringe Benefits Tax Return (could update FIA and name)
- Client pre-fill data
Identifying the characteristics of an API
We have identified the characteristics of an API by considering the following.
Type of data contained in the API
The type of data contained in an API can be classified into four groups:
- Public - generic and readily available in the public domain, for example, ABR public data
- Registration - creating or updating the tax or super profile of the client, for example, applying for an ABN, adding or updating a GST or excise registration
- Account - any financial or non-financial data about the tax or super profile of the client; as examples, reportable income, deductions, payments or offsets
- Personal, sensitive or private - information about an identified individual or entity that could be used to identify who the client is or proof of record ownership (PORO). Examples are TFN, address, FIA, contacts and non-public information from the ABR.
See the Office of the Australian Information Commissioner (OAIC) website for more information.
Type of data contained in the API response
Examples are when the response contains:
- only generic messaging or public data, for example, successful transmission or an ABN
- non-interactive message validation without confirming client data
- interactive message validation confirming client data
- tax or super registration data
- tax or super account data
- personal or sensitive client data that was provided in the request
- personal or sensitive data that was not provided in the request.
Examples of resulting action in the client register or ATO systems based on the API request or submission include that:
- information is provided and is only attached or captured against the client record
- the client record is updated
- information from the client record is returned to the user.
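The rating rules and API characteristics above can be combined into a small classifier. The code below is an added illustration, not part of the ATO framework; the ApiProfile fields and the example profiles are constructed from the page's vocabulary, and it assumes the highest tier triggered by any characteristic wins, which matches how the page places "Make payment plan (could update FIA)" under high risk.

```python
from dataclasses import dataclass
from enum import IntEnum


class Risk(IntEnum):
    """The four tiers of the page's risk model."""
    NO = 1
    LOW = 2
    MEDIUM = 3
    HIGH = 4


@dataclass(frozen=True)
class ApiProfile:
    """Hypothetical description of one API using the characteristics the page lists."""
    creates_registration: bool = False           # initial registration (rating 2)
    views_or_updates_registration: bool = False  # registration data, no personal data (rating 2)
    captures_account_data: bool = False          # e.g. STP pay event attached to record (rating 2)
    views_or_updates_account: bool = False       # account/transaction list, credit/debit (rating 3)
    returns_request_personal_data: bool = False  # echoes a TFN supplied in the request (rating 3)
    validates_personal_data: bool = False        # confirms TFN/address/FIA against ATO systems (rating 3)
    updates_personal_data: bool = False          # address, contacts, FIA, name (rating 4)
    returns_new_personal_data: bool = False      # reveals personal data not in the request (rating 4)


def rate_api(p: ApiProfile) -> Risk:
    """Rate an API as the highest tier triggered by any of its characteristics (assumption)."""
    rating = Risk.NO
    if p.creates_registration or p.views_or_updates_registration or p.captures_account_data:
        rating = max(rating, Risk.LOW)
    if p.views_or_updates_account or p.returns_request_personal_data or p.validates_personal_data:
        rating = max(rating, Risk.MEDIUM)
    if p.updates_personal_data or p.returns_new_personal_data:
        rating = max(rating, Risk.HIGH)
    return rating


# Constructed profiles for APIs the page lists under each rating.
EXAMPLES = {
    "View ABR data": ApiProfile(),
    "Apply for ABN": ApiProfile(creates_registration=True),
    "Transaction list": ApiProfile(views_or_updates_account=True),
    "Fund validations service list": ApiProfile(validates_personal_data=True),
    "Make payment plan": ApiProfile(views_or_updates_account=True, updates_personal_data=True),
    "Client pre-fill data": ApiProfile(returns_new_personal_data=True),
}


def rate_all() -> dict:
    """Rate every constructed example; each should land in the tier the page lists it under."""
    return {name: rate_api(profile) for name, profile in EXAMPLES.items()}
```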
Identifying the business risk
We have identified the business risk by considering where the action may directly or indirectly lead to fraudulent activity. The three main business risks are:
- information gain
  - identity theft, for example, obtaining personal or sensitive information to steal or sell an identity
  - personal gain, for example, obtaining personal or sensitive information to gain power or knowledge of another person
  - commercial advantage, for example, obtaining business information to gain power or knowledge of a competitor
- financial gain
  - directly obtaining a refund, for example, updating FIA to obtain a refund
  - indirectly obtaining a refund, for example, adding a tax registration that could lead to a lodgment with a refund
- destructive behaviour
  - individual hack, for example, a malicious actor creates incorrect records on a client account to cause harm or nuisance
  - system hack, for example, a malicious attempt to crash a service or system (denial of service attack).
For more information or to provide feedback, email DPO@ato.gov.au