This part of GOV.UK is being rebuilt – find out what beta means

HMRC internal manual

Construction Industry Scheme Reform Manual

Authenticate customer: authentication: authenticate caller by telephone

CISR22000  Information contents

This action guide starts with a contact from a customer by phone to HMRC and ends at the point of either

  • Successful verification as to the identity of the caller, or
  • Your decision that the caller has not supplied sufficient information to enable you to determine that they are the customer concerned or are authorised to act on their behalf.

The same applies where HMRC has initiated the contact, likely by phone, and again you need to be sure that the person answering the call is the person concerned or authorised to act on their behalf. This is a similar but simplified process that is dealt with in CISR22670 where the call is outbound.

These steps must be carried out for all telephone contacts to ensure that the caller is who they say they are.

  1. Open the CIS system to obtain the ‘Identify Customer’ window
  2. Having established the contact’s identity and HMRC reference
* Enter the customer reference, UTR or NINO, AO Reference or Employer Reference, in the appropriate field. Where the system cannot find a record it displays the following message in red at the top left of the window ‘Customer cannot be found matching the reference number’. If this happens always check you have entered the correct reference before you try to find the customer using other search criteria. If the customer is unable to supply a correct reference number you may still be able to find their details using either the trace facility ‘Find Individual’ at [CISR22630]( or ‘Find Scheme’ at [CISR22640]( dependent on the record you are trying to trace. 
* Select a ‘Contact’ type from the available selection in the drop-down list
* Select a ‘Channel’ type from the drop-down list. In this case it will be ‘Phone (inbound)'
* Select the [OK] button
  1. This will open the ‘Authenticate’ window (described as Authenticate Individual, or Authenticate Partnership and so on, in accordance with the customer type).
You need to take particular care when this window includes a ‘Bogus’ contact indicator. The window also includes a ‘Contact’ link that enables you to access the Contact History Summary window, which will include a record of all such contacts during the last 3 months.  

If at any time you become suspicious of the contact identity you should record this by setting the ‘Bogus’ indicator at the top of the window.   

(Where the contact is unable to answer questions/supply correct details about the subject of the call you should invite the caller to send details in writing and politely and firmly, terminate the call).   
  1. Explain that for security reasons you need to ask a few questions to verify their identity.
  2. Invite the caller to supply answers to
* Both of the‘Mandatory’ Items, namely full name and address (this could be the customer's Home, Office or Site address),


* Three other items, at least one of which must be in the ‘Secure’ panel. 

It should be noted that if you choose to authenticate an address within the ‘Additional’ panel this must be a different address to the ‘mandatory’ address. If the same address is used an error message ‘Mandatory address and additional address authentication details should not be the same’ will appear in red at the top left of the window.  

If you choose to authenticate the company registration number (CRN) within the ‘Additional’ panel you should ignore the first 2 letters (which form part of the CRN) and enter only the numbers within the relevant field. For example where the CRN is CL0383491 enter 0383491.   

Also note that under the ‘Additional items’ panel there is a “drop down” menu relating to the contact telephone number. The full titles in the drop down menu will not be fully visible to the user in CIS but are:  

* Daytime Communication number
* Evening Communication number
* Mobile Communication number

Remember that if the caller is the customer's agent or capacitor, they must also be asked to supply two items of information from the following information (see [CISR22080](  

Agent/Capacitor name  

Agent/Capacitor client reference number  

Agent/Capacitor address  

Record the answers given using the ‘Pass’ or ‘Fail’ radio buttons. Completion of the appropriate window is self-explanatory though you may wish to remind yourself of the items specific to each customer type using the following links.  
CISR22030  Sole-trader
CISR22040  Limited company
CISR22050  Partnership
CISR22060  Unincorporated body (including a local authority)
CISR22070  Trust
CISR22080  Agent / Capacitor
CISR22090  Nominee / third party
  1. If, during the call, you become suspicious of the contact identity you should ask as many extra questions beyond the minimum required, to satisfy yourself that the individual is indeed who they claim to be.
  2. Where further ‘Additional’ questions are answered correctly:
* record them as a ‘Pass’ and,
* move on to deal with the purpose of the call by selecting the [OK] button.

With successful authentication the process ends with you moving to the CIS Main Menu to select the customer record and task that you wish to perform.  
  1. Where any ‘Additional’ questions are answered incorrectly: record them each as a ’Fail’ and,
* politely, but firmly, ask the caller to put the matter in writing and terminate the call.
* Record this by selecting the ‘Bogus’ checkbox at the top of the window. 
* Select [Cancel] to end the contact.


Where you believe that a suspect/bogus contact has been made, the updating of the CIS Contact History does not replace the need to make a report to the Telephone Standards Authority by way of your Security Liaison Officer.