FBR to Use Accredited Digital Signatures for Electronically Filed Tax Returns

Electronic Certification Accreditation Council of Ministry of Information Technology has proposed that the Federal Board of Revenue (FBR) should use accredited digital signatures for all tax returns electronically filed to ensure authenticity, integrity, and non-repudiation.

Sources told ProPakistani that the government has taken some important decisions regarding digital certificates issued by the accredited certificate service providers. Electronic Certification Accreditation Council of Ministry of Information Technology and Telecommunications has communicated the decisions to all the relevant authorities and organizations.

The issue of filing tax returns electronically with the digital certificates was discussed in detail during the last meeting of the Electronic Certification Accreditation Council.

The Federal Board of Revenue (FBR) apprised the Council that digital signatures are already fully implemented on the e-FBR portal but on an optional basis. Council proposed that accredited digital signatures should be used for all tax returns e-filing to ensure authenticity, integrity, and non-repudiation.

Electronic Certification Accreditation Council of Ministry of Information Technology declared that it is in the interest of the general public to obtain digital certificates from any Accredited Certificate Service Provider (ACSP) as the digital certificates issued by the ACSP are the only certificates recognized in the court of law.

In compliance with Secretary (IT), MoIT&T instruction, an awareness meeting was held under the Chairmanship of Brig (R) Viqar Rashid Khan with the delegates of SBP, SECP, FBR, NADRA, ECP, PTA MoITT and MoC on Regularization of E-Transactions under ETO-2002.

State Bank of Pakistan representatives requested information on the following:

  • Establishment of Public Key Infrastructure/Repository
  • Regulations under ETO-2002
  • Availability of Accredited Certification Service Providers

The Council has given the following clarifications:

  1. The establishment of PKI/Repository is in process for which tender has already been floated;
  2. Regulations under ET0-2002 already exists.
  3. There is only one CSP operating in Pakistan (NIFT) accredited by the Council for the first time in the history of Pakistan and now its renewal is in process.

The Council highlighted the reasons for the lack of interest in Accredited CSPs due to a shortage of demand. Therefore, the Council requested all authorities to incorporate and encourage the use of accredited digital signatures in their e-services and also make it mandatory by incorporating in their legislation/regulations.

Answering to the query by PTA, it was clarified that ECAC is not mandated to make regulations for the appropriate authorities but is only responsible to make regulations for ACSPs. However, Section 16 of ETO empowers authorities to specify/make procedures, technology and regulations to ensure the integrity of the information received. Furthermore, guidelines have already been spelled out for all the appropriate authorities under Chapter 2 & 3 of ETO-2002 for the e-transactions/documents.

Answering to a query from SBP, the difference between the electronic signature and advanced electronic signature was explained. It was clarified that unlike a simple electronic signature, a digital signature uses a PKI-based digital certificate issued by a certificate authority (CA) that binds an identity (such as a person or company) to a cryptographic key pair.

When a document is digitally signed with the signatory’s private key, the document’s exact content and the identity of the signatory are bound together to form a unique digital fingerprint, ensuring authentication of a document’s signatory has been validated by ACSP; integrity of the content of a document has not been altered since it was signed and non-repudiation that a signatory cannot plausibly deny his signatures.

SBP was of the view that ETO-2002 does not bar any Certification Service Provider to engage in the business without accreditation and it also provides legal validity of electronic records, messages and signatures. The council explained that although ETO-2002 recognizes all forms of electronic signature, but ETO gives preference for the heightened security attached to Accredited Digital Signature.

Therefore, ETO establishes a voluntary system of accreditation of Certification Authorities. The reliability is only supported by the use of an Accredited Digital Signature and with such a signature, the signed document is authentic and has integrity with a greater legal value. SBP being the prime financial institution along with other regulators to incorporate the use of accredited digital certificates to safeguard and protect the consumer’s e-transactions.

On the SBP query to ease down accreditation requirements, the Council explained that requirements cannot be reduced as these are prescribed by approved ACSP Regulations. However, ECAC is available for any facilitation or support required by CSPs in obtaining accreditation within the defined framework.

SECP apprised that digital certificates were incorporated for companies e-voting but its use was repealed in its 2017 regulations due to higher cost and processing time. These issues need to be considered while accreditation of CSPs.

Appreciating ECAC’s role in the security of electronic transactions, NADRA’s representative assured to collaborate with ECAC for wide interaction in the best interest of the Country. NADRA also proposed that HEC may also be advised to use a digital signature to secure the process of on-line verification of degrees/credentials. Council also highlighted the role of NADRA as a Registration Authority for its unique digital identity recordkeeping of-the individuals in the physical-world and-its use in online identification verification.

ECP also acknowledged ECAC concern and committed to incorporate the use of digital signatures for e-voting. The meeting concluded with the following decisions for implementation in the future: –

Decisions and Implementation Plan

Digital certificates issued by Accredited Certificate Service Provider are the only certificates recognized in the court of law with respect to authenticity, integrity and non-repudiation. Therefore, it is in the interest of the public to obtain digital certificates from an Accredited Certificate Service Provider. All Appropriate Authorities are requested to incorporate the use of Accredited Digital Certificates in their regulations at priority.

As per Global practices for enforcement of ETO-2002, ECAC to establish PKI/Repository (Root Certification Authority) – the technology for enabling digital signature. ECAC has already issued an advice letter to Governor SDP highlighting implications of non-compliance of ETO-2002 (Not use of Accredited Digital Signatures).

All Appropriate Authorities will ensure the use of Accredited Digital Certificates to create demand for implementation of ETO-2002. A close group of all regulators, Council members and officers be made on WhatsApp for discussion/clarification of implementation of ET0-2002. In the end, all Appropriate Authorities accepted the role of ECAC and the utility of Accredited Digital Certificates.