Authorization and Auditing in Digital Tax Identity: Regulatory and Operational Pillars for Trust

Digital Identification Guide for the Tax Administration (II)

The digitalization of tax administrations requires more than just online portals and forms: it requires trust. The Digital Identity Guide for Tax Administrations argues that this trust is built on three integrated pillars: a robust regulatory framework that recognizes the legal validity of digital identity; authorization mechanisms that manage roles at the level of functionalities, objects, and data; and audit systems that ensure traceability, integrity, and evidence.

How can these pillars be implemented in practice, and why are they strategic for tax efficiency, security, and intelligence?

 

1. Regulatory Framework: The Basis for Functional Equivalence and Evidentiary Validity

The Guide emphasizes that digital identity must be grounded in a legal framework that defines concepts, security levels, institutional responsibilities, and rules of evidentiary admissibility.

The two key ideas are:

– Functional equivalence: Regulations must recognize that digital identification can serve the same function as in-person identification (e.g., a physical ID card), without requiring the same technical format. This ensures that digital transactions have the same legal force as in-person ones.

– Security and assurance levels: Establishing categories (low, medium, high) and minimum technical requirements for each level (biometrics, digital signatures, MFA, etc.) makes it possible to tailor controls to the risk associated with each transaction and ensure the admissibility of evidence in administrative or judicial proceedings.

Without this legal framework, technological tools cannot be fully effective. Digital signatures, verifiable credentials, and cross-border identification require clear rules that define their validity and acceptable use.

 

2. Delegate authentication, centralize authorization

The Guide recommends that, to the extent possible, tax authorities delegate the authentication function to a national system or ecosystem—which may be coordinated by an identity broker—and that the authorities themselves focus their efforts on authorization and audit processes.

However, this delegation requires that the administration retain control over authorization; that is, it must be able to manage what each type of user (individuals acting on their own behalf or individuals acting on behalf of companies) can do and at what level of security.

The Guide proposes a three-tier authorization model: functionalities, objects, and data. This allows, for example, an advisor to have access to file tax returns (functionality), to perform actions on specific tax returns for a taxpayer (objects), and to view only certain sensitive fields (data).

 

3. Management of Roles, Delegations, and the Principle of Least Privilege

Access assignments must follow the principle of least privilege. The Guide proposes the following:

– Predefined and customizable roles (taxpayer, advisor, accountant, manager, attorney) that allow for controlled sub-delegations.

– Permission lifecycle: additions, modifications, and removals must be logged and executed in a traceable manner; removals must trigger a cascading revocation of sub delegations.

– Support for temporary or object-based delegation, with specified durations and immediate revocation.

 

4. Auditing: Traceability, Evidence, and Risk Management

In an environment where many actions are performed by agents with delegated roles, auditing is essential. The Guide defines the minimum elements of robust traceability: a user identifier, a reliable timestamp, the origin (IP address and device fingerprint), a structured description of the action, and the previous state of the data.

The operational requirements are:

– Automatic capture of events and structured logs to enable searches and correlations.

– Immutable persistence of the audit trail (use of hashes and mechanisms that allow integrity to be verified over time).

– Correlation and analysis systems (SIEM/SOC) to detect anomalies, atypical access, or fraud attempts in real time.

– Retention policies aligned with data governance and safeguards to protect the confidentiality of logs (since they contain sensitive information).

In addition, digital evidence should be managed in accordance with international standards (ISO/IEC 27001/27002, NIST SP 800-92/137) to ensure its admissibility as evidence in administrative or judicial proceedings.

 

5. Recommended technologies: digital signatures, verifiable credentials, and continuous authentication.

The Guide prioritizes the shift toward methods based on digital signatures and verifiable credentials (W3C Verifiable Credentials + OIDC4VC/OIDC4VP) due to their robustness, the decentralization of credentials, and their usability on mobile devices.

The key points are:

– Cloud-based signing (HSM, FIPS) offers security with less friction than physical tokens.

– Verifiable credentials allow users to manage their credentials in a mobile wallet and present them with attribute selection (data minimization), facilitating both in-person and digital use cases.

– Continuous authentication and trusted device management add a risk-adaptive layer to prompt re-authentication for sensitive operations.

When combined with robust auditing and robust authorization rules, these technologies reduce the risk of impersonation and increase traceability.

 

6. Impact on Tax Intelligence and Compliance

The proper integration of digital identity, authorization, and auditing fuels tax intelligence: it enables the mapping of relationships between individuals and companies, the identification of signs of opaque structures, the detection of anomalous access, and the generation of predictive risk models. In particular, the traceability of roles and actions provides valuable metadata for relational analysis and the detection of atypical patterns.

Ultimately, digital identity alone is not enough. Without regulations to support it, without authorization models that ensure control, and without audits to preserve evidence, tax administrations cannot achieve the required level of trust.

The CIAT Guide summarizes this integrated approach and proposes a flexible roadmap for: establish frameworks for functional equivalence; integrate tax administrations into national ecosystems (either as consumers or providers of identity); transition from the username/password model to digital signatures and, in the long term, verifiable credentials; and strengthen the administration’s autonomy through granular authorization and audit systems that support tax intelligence.

Implementing these elements is not just a technological improvement: it is an institutional transformation that reduces fraud, facilitates interoperability, and enhances analytical capabilities.

 

 

Source: Digital Identity Guide for the Tax Administration, page 90.

21 total views, 21 views today

Leave a Reply

Your email address will not be published.

CIAT Subscriptions

Browse through the site without restrictions. Consult and download the contents.

Subscribe to our electronic newsletters:

  • Blog
  • Academic offer (Only in spanish)
  • Newsletter
  • Publications
  • News alert

Activate subscription

CIAT Members

Representatives, Correspondent and Authorized staff (TA)