Send fraud prevention data

Version 3.3 issued 27 January 2025
Check what has changed

Why you must send data

We monitor transactions to help protect your customers’ confidential data from criminals and fraudsters. To make this possible, you must send us specific types of user audit data.

When you use some of our APIs, you have to submit HTTP fraud prevention headers. We use the data to support prosecutions for tax and duty fraud.

Warning You are required by law to submit header data for the VAT (MTD) and Income Tax Self Assessment (MTD) APIs. This includes all associated APIs and endpoints.

We work with you to help meet this specification. If after discussions with HMRC an application continues to submit incorrect or missing data, software providers may be fined and blocked from using HMRC APIs. Check the Compliance and Sanctions Guidelines (PDF).

Privacy and security

HMRC has the right to collect audit data. We follow best practices set out by the Information Commissioner’s Office.

Transaction monitoring is a key security approach used in the UK and globally. Our approach follows the National Cyber Security Centre (NCSC) and the Cabinet Office’s recommended guidance (PDF).

For more information or to review your privacy notices, check the data protection impact assessment (PDF). You can also check the regulations.