
Digital service provider Operational Security Framework

DSPs must meet DSP Operational Security Framework requirements to use our digital wholesale services through SBR.

Last updated 1 June 2022

The DSP Operational Security Framework outlines what is required of digital service providers (DSPs) that access and use our digital wholesale services via Standard Business Reporting (SBR).

The DSP Operational Security Framework requirements reduce the risk of identity theft, tax refund fraud and system hacks. Controls to protect the confidentiality and integrity of client data include, but are not limited to:

  • data encryption
  • unique user logins – a requirement of all software products connected to our digital services
  • multi-factor authentication – an additional step, using two different types of ID to verify the user account
  • audit logging to capture user access and transactions
  • entity validation, which confirms that the registered entity using the software is a legitimate entity with legitimate contact details
  • data is hosted in Australia by default – limiting risk of unauthorised access or inappropriate disclosure due to cross-jurisdictional policies.

We will update and change the DSP requirements to mitigate any emerging risks in our digital environment.

Users will not notice most of these security controls in their software, except for unique client logins and multi-factor authentication.

Multi-factor authentication is mandatory for most software products, namely cloud-based or online software, and is recommended for all other types.

We are committed to protecting your data, and we will restrict or de-whitelist DSP products (PDF, 303KB) that fail to conform to the DSP Operational Security Framework.

A range of services and support to help you stay up to date with the latest news and information can be found at Your practice – DSPs.

QC62007