HMRC has updated its Government Gateway Terms and Conditions to prohibit screen scraping, robotic process automation (RPA), browser automation, and similar technologies that simulate human interaction to access HMRC services.
The policy is aimed at software that collects Government Gateway credentials and uses them to extract or aggregate client tax data. Rather than focusing solely on software developers, HMRC has indicated that accounting firms and agents may face consequences, including restrictions on their Agent Services Account (ASA), if unauthorised access methods are detected.
Key Takeaways:
- HMRC has banned screen scraping, RPA, and browser automation for accessing HMRC services.
- Accounting firms, not just software providers, could face enforcement action.
- HMRC may block access to an Agent Services Account (ASA) if unauthorised access is identified.
- Software that stores or uses Government Gateway credentials presents a significant compliance risk.
- Standard browser password managers remain permitted.
- Approved API integrations continue to be HMRC’s preferred and compliant access method.
- Firms should review their current software stack and verify how HMRC data is being accessed.
- Transitioning to API-based solutions can help reduce compliance and security risks.
What Is the HMRC Screen Scraping Policy Update?
The HMRC screen scraping policy update has created an important compliance issue for UK accountants, tax agents, and firms using third-party software to access client tax data.
HMRC has made it clear that software tools must not use screen scraping, robotic process automation, browser automation, or similar methods to access HMRC online services by simulating human behaviour. This applies especially where software collects Government Gateway credentials and uses them to sign in, extract, or aggregate client data.
Understanding Screen Scraping and Browser Automation
Screen scraping is a method where software extracts information from a website by reading what appears on the screen, rather than using an approved data connection.
Browser automation works in a similar way. It may imitate a person logging in, clicking through pages, copying data, and collecting information from HMRC systems.
| Method | What It Does | HMRC Position |
| Screen scraping | Extracts data from web pages | Prohibited where used to access HMRC services |
| RPA | Automates manual online tasks | Prohibited if simulating HMRC login journeys |
| Browser automation | Uses automated browser actions | Prohibited for unauthorised data extraction |
| API integration | Connects through approved channels | Permitted where authorised |
The Technologies Covered by HMRC’s Restrictions
HMRC’s updated position covers automation tools that imitate a human user.
This includes:
- Screen scraping tools
- Robotic process automation
- Browser automation software
- Credential-based tax data extraction tools
- Systems that store Government Gateway login details
The key issue is not simply automation itself. The concern is unauthorised access, credential storage, and data extraction outside approved HMRC routes.
Why Has HMRC Prohibited Screen Scraping and Automation Tools?
HMRC’s main concern is security. When third-party software collects Government Gateway credentials, it creates a risk that sensitive tax data could be accessed or handled inappropriately.
Many firms used these tools because they solved practical problems. They helped accountants collect information about penalties, interest, balances, tax positions, and client accounts. However, HMRC now views these methods as unsuitable for secure digital tax administration.
Security and Data Protection Concerns
Government Gateway credentials are highly sensitive.
If a third-party product stores or uses them, several risks arise:
- Login credentials may be exposed if the provider suffers a breach
- Clients may not fully understand how their data is accessed
- HMRC may be unable to verify whether access is properly authorised
- Firms may breach data protection or professional obligations
A senior tax technology consultant described the issue clearly:
“I have seen firms adopt automation because it saves time, but the danger is that speed can hide compliance risk. If software is logging in as though it is a person, the firm needs to ask whether that access is genuinely authorised and secure.”
HMRC’s Shift Towards API-Based Integrations
HMRC wants external software providers to use Application Programming Interfaces, commonly called APIs. APIs allow approved systems to connect securely with HMRC services.
This approach gives HMRC better control over authorisation, permissions, and data transfer. It also avoids the need for software providers to collect or store Government Gateway login credentials.
| Access Type | Credentials Stored by Software? | Secure Authorisation? | Allowed? |
| Screen scraping with stored login details | Yes | No | No |
| Browser automation using agent login | Yes or possible | No | No |
| Standard browser password saver | Locally by user | Not used for scraping | Yes |
| Approved API connection | No | Yes | Yes |
Which Software Practices Are Now Prohibited Under HMRC’s Updated Terms?
Under HMRC’s updated Government Gateway Terms and Conditions, the prohibited practices include any tool that uses automation to simulate a user journey for extracting or aggregating data.
This means firms should be cautious of software that:
- Requests Government Gateway usernames and passwords
- Logs into HMRC services on behalf of an accountant or agent
- Collects client data by reading HMRC web pages
- Uses browser automation to move through HMRC screens
- Claims to “sync” HMRC data without clear API authorisation
The HMRC screen scraping policy update is therefore not just a software provider issue. It directly affects accounting firms because HMRC may take action against the agent account linked to the access.
What Happens If an Accounting Firm Continues Using Screen Scraping Tools?
The most serious risk is that HMRC may block access to the associated Agent Services Account. This could disrupt a firm’s ability to manage client tax work.
Agent Services Account Access Restrictions
If HMRC detects unauthorised access through screen scraping or automation, the accounting firm may face consequences. This is important because HMRC is not only focusing on software developers. The firm using the tool may be penalised.
| Risk Area | Possible Impact on Firm |
| ASA blocked | Loss of access to client tax services |
| Client service disruption | Delays in submissions or responses |
| Compliance exposure | Questions over data handling and authorisation |
| Operational pressure | Manual workarounds may be needed |
| Reputational damage | Clients may lose confidence |
Potential Operational and Compliance Consequences
A blocked Agent Services Account could create serious workflow issues. Firms may be unable to access key client information, submit returns, or manage ongoing tax matters efficiently.
A practising accountant explained the concern in practical terms:
“My worry is not just the software being switched off. It is the knock-on effect for clients if the Agent Services Account is restricted. A firm could lose access at the worst possible time, especially close to filing deadlines.”
Are Government Gateway Password Managers and Browser Password Savers Still Allowed?
Yes, standard browser password savers and password managers are not the same as screen scraping tools.
The difference is purpose and behaviour. A browser password saver helps a user sign in manually. It does not automatically extract data, imitate user behaviour across HMRC systems, or aggregate client information.
However, firms should still have proper internal controls around password management. Staff should not share logins, store credentials insecurely, or allow third-party tools to use their Government Gateway details.
What Types of HMRC Integrations Remain Permitted?
HMRC still permits approved and secure methods of software integration.
Approved API Connections
API-based connections are the preferred route. They allow software to access data or submit information through controlled, authorised channels.
API connections usually involve:
- Secure authorisation
- Clear user permission
- No storage of Government Gateway passwords by the software
- Controlled access to specific HMRC services
- Better auditability
Secure Client Authorisation Processes
Approved systems may redirect users to HMRC to sign in and grant permission. The software then receives authorised access without directly collecting the user’s login details.
| Feature | Screen Scraping | Approved API |
| Uses Government Gateway credentials directly | Often yes | No |
| Simulates human login journey | Yes | No |
| HMRC can control access | Limited | Yes |
| Suitable for long-term compliance | No | Yes |
| Preferred by HMRC | No | Yes |
How Will the HMRC Screen Scraping Policy Update Affect UK Accountants and Tax Agents?
The update means UK accountants need to review their technology stack carefully. Firms can no longer assume that a useful automation tool is compliant simply because it works.
The main impact will be on firms using third-party products for HMRC data aggregation. This may include tools used to pull balances, liabilities, penalties, interest, or client account details.
Accountants should ask software suppliers direct questions about how HMRC data is accessed. Vague answers should be treated as a warning sign.
Why Did Accountants Previously Rely on Screen Scraping Solutions?
Many firms relied on screen scraping because HMRC’s digital systems did not always provide the level of data access accountants needed.
Screen scraping helped firms:
- Reduce manual checking
- Collect client information faster
- Monitor tax balances
- Identify penalties and interest
- Improve internal reporting
- Manage larger client portfolios
However, the fact that a tool improves efficiency does not mean it is acceptable under HMRC’s updated terms.
What Steps Should Accounting Firms Take to Remain Compliant?
Firms should act quickly but carefully. The priority is to identify whether any current software uses prohibited access methods.
Reviewing Existing Software Providers
Accounting firms should contact software suppliers and ask for written confirmation of how their systems connect to HMRC.
Useful questions include:
- Does the software use HMRC-approved APIs?
- Does it store Government Gateway credentials?
- Does it use browser automation or RPA?
- Does it simulate a user logging into HMRC?
- Can the provider confirm compliance with HMRC terms?
Identifying Credential-Based Automation Risks
Any product that asks for Government Gateway login details should be reviewed immediately. Firms should also check whether staff have entered agent credentials into third-party platforms.
Transitioning to API-Based Tax Technology
Where a tool relies on screen scraping, firms should plan to move to compliant alternatives. This may involve changing software providers, adjusting workflows, or accepting that some data must be accessed differently.
How Can Firms Assess Whether Their Current Software Is HMRC Compliant?
A practical compliance review can help firms reduce risk.
| Review Step | Action |
| List all HMRC-connected tools | Identify every product accessing HMRC data |
| Check access method | Confirm API or non-API connection |
| Review credential handling | Find out whether logins are stored |
| Contact suppliers | Request written compliance confirmation |
| Update internal policies | Restrict unauthorised tools |
| Train staff | Explain the difference between API and scraping |
Firms should keep a record of supplier responses. This may help demonstrate that reasonable checks were carried out.
What Does This Policy Mean for the Future of Tax Technology in the UK?
The HMRC screen scraping policy update shows that the future of tax technology will depend more heavily on approved APIs and secure authorisation.
For software providers, this may create pressure to build compliant integrations. For accountants, it means technology choices must now be judged not only by efficiency but also by security, authorisation, and HMRC acceptance.
The firms that adapt early are likely to face fewer disruptions. Those that continue using prohibited automation may face access restrictions and client service problems.
Conclusion: How Should UK Accountants Respond to the HMRC Screen Scraping Policy Update?
The HMRC screen scraping policy update is a clear warning for UK accountants and tax agents. Tools that use screen scraping, RPA, or browser automation to access HMRC services are no longer safe to rely on where they breach Government Gateway terms.
Accounting firms should review their software, question suppliers, remove credential-based automation risks, and move towards approved API connections. The goal is not only to avoid HMRC enforcement but also to protect client data and maintain trust.
FAQs
Is screen scraping now completely banned for HMRC services?
Screen scraping is prohibited where it is used to simulate human access to HMRC services, extract data, or aggregate client information without approved authorisation.
Can HMRC block an Agent Services Account without warning?
HMRC may restrict access where unauthorised access is detected. Firms should treat this as a serious operational risk and review software use immediately.
Are cloud accounting platforms affected by the policy update?
Cloud accounting platforms may be affected if they use screen scraping or credential-based automation. Platforms using approved HMRC APIs are generally the safer option.
What is the difference between screen scraping and API integration?
Screen scraping extracts data from web pages by imitating user activity. API integration uses an approved technical connection with secure authorisation.
How can accountants check if their software uses browser automation?
They should ask the provider directly whether the product stores Government Gateway credentials, simulates login journeys, or uses HMRC-approved APIs.
Does the policy affect Making Tax Digital software providers?
It may affect any provider accessing HMRC services. MTD-compatible software should use approved HMRC integration routes rather than screen scraping.
What should firms do if they discover non-compliant software in use?
They should stop using the risky access method, contact the provider, review client impact, and move towards compliant API-based software.