What to Do If a Client Withholds eAFS Login Credentials

When a client withholds eAFS login credentials, the safest response is not to force access, guess passwords, or quietly reset the account. The practical problem is urgent: the Annual Income Tax Return attachments, Audited Financial Statements, and related BIR documents may be due soon. But the legal risk is just as serious. You need to protect the client’s tax compliance, your own professional record, and the security of the taxpayer’s BIR account.

What the eAFS Account Is Used For

The BIR Electronic Audited Financial Statements system, commonly called eAFS, is the BIR’s online facility for submitting Audited Financial Statements and other required attachments to the Annual Income Tax Return in PDF format. The BIR identifies eAFS as a web-based service for online submission of AFS and other required attachments. (Bureau of Internal Revenue)

For many corporations, partnerships, and certain taxpayers required to submit audited financial statements, eAFS is not just an administrative convenience. It is the practical way to complete post-AITR compliance.

Typical eAFS submissions may include:

  • Audited Financial Statements
  • Filed Annual Income Tax Return
  • Statement of Management Responsibility
  • BIR Form 1709, when applicable
  • Tax debit memo, proof of payment, or payment confirmation
  • Other required attachments depending on the taxpayer’s classification and BIR issuances

Under BIR Revenue Memorandum Circular No. 43-2021, the eAFS system is used for submitting duly filed Income Tax Returns and required attachments, including BIR Form No. 1709, and taxpayers must scan and submit documents following prescribed procedures and naming conventions.

This means that if you are the accountant, bookkeeper, tax preparer, or consultant handling the filing, lack of access can stop you from completing the job.

First Principle: Do Not Access the Account Without Clear Authority

Even if the client is difficult, unresponsive, or trying to blame you for delay, you should not do any of the following:

  • Guess the password
  • Use an old password after authority has been withdrawn
  • Access the client’s email to retrieve OTPs
  • Use another person’s credentials
  • Reset the eAFS account through the company email without written authority
  • Ask an employee to secretly forward login details
  • Upload documents after the client has clearly instructed you not to proceed

Under Republic Act No. 10175, or the Cybercrime Prevention Act of 2012, “illegal access” means access to the whole or any part of a computer system without right. The law also defines “without right” as conduct undertaken without or in excess of authority. (Supreme Court E-Library) (Supreme Court E-Library)

That matters because eAFS is a government online system. If your authority is unclear, expired, disputed, or revoked, logging in may expose you to unnecessary cybercrime and data privacy issues.

The safer rule is simple: no written authority, no access.

Is the Client Required to Give You the eAFS Password?

Not always.

A client is not automatically required to share a password just because you are the accountant or tax preparer. Login credentials are sensitive access tools. A careful client may reasonably refuse to send passwords through text, email, Viber, or Messenger.

However, if the client hired you to submit the eAFS filing and agreed to cooperate, the client must provide a lawful way for you to perform the work. That may be through:

  • Written authorization to access the eAFS account
  • Temporary login details
  • A screen-sharing session where the client enters the password
  • The client personally uploading the files you prepared
  • Updating the authorized representative details
  • Creating or recovering the account through official eAFS channels
  • Giving you an SPA, board resolution, or secretary’s certificate when required

The issue is not always “password sharing.” The real issue is whether the client is giving you a lawful and workable way to complete the engagement.

Legal Basis: Contract, Agency, Tax Compliance, and Data Privacy

Contract obligations under the Civil Code

Under Article 1159 of the Civil Code of the Philippines, obligations arising from contracts have the force of law between the parties and must be complied with in good faith. (Lawphil)

If your engagement letter, service agreement, email confirmation, or written instructions require the client to provide access, documents, approvals, and cooperation, the client’s refusal may become a contractual issue.

Article 1170 also provides that those who are guilty of fraud, negligence, delay, or who contravene the tenor of their obligations may be liable for damages. (Lawphil)

In plain English: if the client’s refusal prevents you from doing the work, document it clearly so you are not later blamed for non-filing.

Agency rules when you act for the taxpayer

Many tax engagements create an agency relationship, where one person acts on behalf of another. Article 1868 of the Civil Code defines agency as a relationship where a person binds himself to render service or do something in representation of another, with the latter’s consent or authority. (Lawphil)

If you are acting as the client’s authorized representative, you must stay within the authority given. Article 1887 says the agent must act according to the principal’s instructions, and Article 1889 makes an agent liable for damages if, in a conflict between his interest and the principal’s, he prefers his own. (Lawphil)

This is why it is risky to “just file anyway” when the client has withheld authority or credentials.

Data privacy and confidentiality

An eAFS account may involve personal information, tax identification numbers, financial statements, signatures, email addresses, and corporate records. Under Republic Act No. 10173, or the Data Privacy Act of 2012, unauthorized access or intentional breach of systems where personal or sensitive personal information is stored may carry imprisonment and fines. Unauthorized disclosure of personal or sensitive personal information is also penalized. (National Privacy Commission)

If you are a CPA, accountant, or tax service provider, confidentiality also matters professionally. Republic Act No. 9298, the Philippine Accountancy Act of 2004, regulates the practice of accountancy in the Philippines, and professional accountants are expected to observe professional and ethical standards. (Lawphil)

Who Is Responsible If the eAFS Filing Is Missed?

As between the taxpayer and the BIR, the taxpayer remains primarily responsible for tax compliance.

Your role as accountant or tax preparer does not erase the taxpayer’s obligation to file returns, pay taxes, keep records, and submit required attachments. The National Internal Revenue Code imposes penalties for failure to file returns, pay taxes, keep required records, or supply correct and accurate information when required by law or regulations. (Bureau of Internal Revenue)

That said, a service provider can still face problems if the client later claims:

  • “I gave everything to my accountant.”
  • “They should have known the deadline.”
  • “They failed to remind me.”
  • “They had access before, so they should have submitted.”
  • “They lost the password.”
  • “They refused to help because of unpaid fees.”

This is why your evidence trail matters. The goal is to show that you acted promptly, professionally, and within lawful authority.

What to Do Immediately If the Client Withholds eAFS Login Credentials

1. Check your engagement documents

Review the engagement letter, proposal, emails, text messages, and billing terms.

Look for provisions on:

  • Scope of work
  • Client responsibilities
  • Deadlines
  • Access to government portals
  • Authorization to file
  • Payment conditions
  • Suspension or withdrawal of services
  • Limitation of liability
  • Data privacy and confidentiality
  • Turnover of records

If there is no written engagement letter, reconstruct the agreement from emails, invoices, chat messages, and prior dealings.

2. Send a clear written request

Do not rely on verbal follow-ups. Send a written request through email and, if needed, another traceable channel such as Viber, Messenger, or registered mail.

Your message should state:

  • The exact deadline involved
  • The documents already prepared
  • The specific access needed
  • The lawful alternatives available
  • The consequence if access is not provided
  • A reasonable deadline for response

Use neutral wording. Avoid threats. Avoid emotional accusations.

Example:

We have prepared the documents for eAFS submission. To complete the filing, we need either: (1) written authority and temporary eAFS access; (2) a scheduled call where your authorized officer will log in and allow us to upload the files; or (3) confirmation that your company will upload the attached documents directly. If we do not receive access or instructions by [date/time], we will be unable to complete the eAFS submission on your behalf.

3. Offer password-safe alternatives

Some clients withhold credentials because they are worried about security. That is not always bad faith.

Offer safer options:

Option How it works Best for
Client logs in during a video call You guide the upload while the client controls the password Clients who do not want to share credentials
Temporary password Client changes password before and after the filing Faster filing with controlled access
Authorized representative update Client formally authorizes the accountant or tax agent Recurring compliance work
Client uploads prepared files You prepare PDFs and naming conventions; client submits Clients who want full account control
Password recovery through official email Client uses the eAFS forgot password process Lost or forgotten access

The eAFS portal includes account registration and password recovery features, including a forgot password page requiring the username and company email. (eafs.bir.gov.ph)

4. Prepare a “non-access” file note

Create an internal memo or file note stating:

  • Date and time access was requested
  • Person contacted
  • Exact credential or authorization requested
  • Deadline explained
  • Client’s response or non-response
  • Alternatives offered
  • Attachments sent
  • Screenshots or proof of messages

This is important if the matter later becomes a fee dispute, negligence claim, BIR explanation, or professional complaint.

5. Send the client a ready-to-upload package

Even without credentials, you can often reduce harm by giving the client everything needed to upload personally.

Send:

  • Properly named PDF files
  • Checklist of attachments
  • Step-by-step upload instructions
  • Filing deadline reminder
  • Statement that the client must verify before submission
  • Request for a copy of the eAFS confirmation receipt after upload

Do not hold the taxpayer’s essential compliance files hostage merely because of friction over credentials, unless your contract and applicable law clearly support your position. Withholding records can create more problems than it solves.

6. Escalate before the deadline, not after

If the deadline is near, send a final access notice.

The final notice should be calm and specific:

  • “We cannot submit without access or written authority.”
  • “We have provided the prepared documents for your direct filing.”
  • “The taxpayer remains responsible for timely submission.”
  • “We will treat the matter as client-controlled unless instructions are received by [time].”

This is not just formality. It prevents confusion over who is responsible for the final act of filing.

7. Preserve proof of BIR system issues, if any

Sometimes the problem is not only the client. The eAFS system may slow down, reject uploads, or become unavailable during peak filing season.

For 2025 AFS submissions, BIR RMC No. 46-2026 addressed system-related issues and allowed certain taxpayers who could not successfully submit through eAFS by May 15, 2026 to submit or resubmit through eAFS until May 25, 2026 without penalties arising solely from the delayed attachment submission. The circular also recognized a prescribed contingency email procedure for certain submissions, subject to validation and possible BIR requirement to re-upload or provide hard copies.

For future filing seasons, do not assume the same extension applies. Always check the current BIR revenue memorandum circulars for that taxable year.

What If the Client Is Abroad or the Owner Is a Foreigner?

Many Philippine corporations are managed by owners, directors, or officers who are abroad. This often causes delays because the accountant in the Philippines cannot get the OTP, company email access, or signed authorization on time.

Practical points:

  • If a foreign-based officer must sign an SPA, authorization, or board document for use in the Philippines, notarization and apostille or consular authentication may be needed depending on the country.

  • The Philippines uses the apostille system for documents covered by the Apostille Convention, while documents from non-Apostille countries may still require consular legalization. The DFA’s Apostille resources explain the use of apostilles for documents that previously required authentication. ([Apostille

    ]9)

  • For corporations, a secretary’s certificate or board resolution may be better than an individual authorization, especially if the accountant will repeatedly handle BIR submissions.

  • If OTPs go to a foreign number or old employee email, resolve the account recovery issue early. Do not wait until the last filing week.

Foreign ownership does not remove Philippine tax compliance obligations for a Philippine-registered corporation or Philippine-source tax matters.

Common Scenarios and How to Handle Them

The client refuses to give the password but still wants you to file

Ask for an alternative method. The client can log in while you guide the upload, or the client can authorize a temporary password. If the client refuses all workable methods, confirm in writing that you cannot complete the submission.

The client says they lost the eAFS login

Use the official eAFS recovery route. The forgot password function requires the username and company email. If the company email is inaccessible, the client may need to coordinate with the appropriate BIR office and prove authority over the taxpayer account.

The former bookkeeper controls the email and credentials

This is common in small businesses. The taxpayer should retrieve or change control of the company email, then update access through official channels. If the former bookkeeper refuses to return company-controlled credentials or records, preserve communications and prepare a formal demand.

The client is withholding credentials because of unpaid fees

Separate the access issue from the collection issue. If the client’s tax deadline is approaching, document the unpaid balance but avoid actions that may look like you intentionally caused non-compliance. For unpaid professional fees, use a demand letter and proper civil remedies.

The client later blames you for late filing

Your best defense is a clean timeline: reminders, access requests, alternatives offered, files delivered, final notice sent, and no unauthorized login.

Documents You Should Keep

Document or proof Why it matters
Engagement letter or proposal Shows scope and client responsibilities
Email requesting credentials or authority Proves timely request
Screenshots of follow-ups Shows diligence
Prepared PDF attachments Shows work was completed
Final notice before deadline Shifts responsibility if client fails to cooperate
Client refusal or non-response Supports your explanation
Proof of system downtime, if any Relevant if delay was due to eAFS issues
eAFS confirmation receipt, if filed Best proof of successful submission
Billing records Useful for fee disputes

Remedies If the Client’s Refusal Causes Loss

If the dispute is only about money, such as unpaid professional fees, reimbursement, or a small contractual claim, the Rules on Expedited Procedures in First Level Courts may apply. The Supreme Court has recognized small claims procedures for money claims not exceeding ₱1,000,000, exclusive of interest and costs. (Supreme Court of the Philippines)

If both parties are individuals residing in the same city or municipality and the dispute falls within Katarungang Pambarangay coverage, barangay conciliation may be required before filing a court case. Supreme Court Circular No. 14-93 explains that barangay conciliation under the Local Government Code is generally a pre-condition for covered disputes before court action, subject to exceptions. (Lawphil)

For business-to-business or corporation-related disputes, barangay conciliation often does not apply in the same way it does to disputes between natural persons. In those cases, the usual route is a written demand, negotiation, mediation if agreed, and court action if necessary.

Frequently Asked Questions

Can I log in to the client’s eAFS account using an old password they gave me before?

Only if your authority is still valid and clearly covers the current filing. If the client has withdrawn authority, changed instructions, or disputed your role, do not use old credentials.

Can I reset the eAFS password if I know the username and company email?

Not without proper authority. Password recovery should be done by the taxpayer or an authorized representative. If you initiate recovery, keep written authorization.

Is withholding eAFS credentials automatically illegal?

Not automatically. A client may have legitimate security reasons for refusing to share passwords. It becomes a legal problem if the refusal breaches the engagement agreement, prevents required compliance, or is used in bad faith to shift blame.

Who pays the penalty if the eAFS submission is late because the client refused access?

As far as the BIR is concerned, the taxpayer is generally responsible for compliance. Between you and the client, responsibility depends on the facts, contract, communications, and whether you acted with diligence.

Should I report the client to the BIR?

Usually, no. A client’s refusal to give credentials is normally a private engagement issue, not something to report immediately. Focus first on documenting the refusal, giving the client the prepared files, and preserving your position.

Can I refuse to continue working if the client will not cooperate?

Yes, if your contract allows withdrawal or if the client’s conduct makes lawful performance impossible. Send a written withdrawal or suspension notice, return or transmit essential client documents appropriately, and avoid abandoning a deadline without warning.

What if the client asks me to upload documents I know are incomplete or false?

Do not upload documents you know or reasonably believe are false, misleading, or unauthorized. Ask for correction or written clarification. Tax filings can create civil, criminal, and professional consequences.

What proof does the client need after successful eAFS filing?

The client should keep the eAFS confirmation receipt or transaction reference, submitted PDFs, filed AITR, proof of payment, and related attachments. These should be stored with the taxpayer’s annual tax records.

How long should tax records be kept?

BIR rules require taxpayers to preserve books of accounts and other accounting records for ten years, subject to special rules when there is a pending tax case, protest, or refund claim. Revenue Regulations No. 17-2013 explains this ten-year retention period. (Bir CDN)

What is the best way to avoid this problem next year?

Use an engagement letter that clearly states who controls the eAFS account, who receives OTPs, who uploads, who keeps the confirmation receipt, and what happens if the client does not provide access by a stated deadline.

Key Takeaways

  • The taxpayer remains primarily responsible for BIR compliance, but the accountant or tax preparer must protect their own record.
  • Do not guess, reset, or use eAFS credentials without clear written authority.
  • A client does not always have to share a password, but must provide a lawful way to complete the agreed work.
  • Document every request, reminder, refusal, and deadline warning.
  • Offer secure alternatives such as client-controlled login, temporary password, direct client upload, or authorized representative arrangements.
  • Send the client a ready-to-upload filing package if access is withheld.
  • Preserve screenshots and proof if eAFS system issues occur.
  • Use written notices, demand letters, barangay conciliation where applicable, or small claims procedures for fee and damage disputes.
  • The best protection is a clear engagement letter before tax season begins.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.