RTA Web Services - your questions answered

7 April 2020 

Since the RTA launched its first Web Service for bond lodgements in mid-2019, thousands of customers have transitioned to the new services. Currently more than 38 per cent of all RTA bond lodgements and 65 per cent of all bond refunds are processed through Web Services. 

As the number of people accessing these services has increased, we’ve collated responses to common questions received from Web Services customers about how the RTA is protecting their security and privacy.

How does the RTA check the identity of customers using Web Services? 

To use RTA Web Services, customers must verify their identity through QGov, the Queensland Government’s secure digital identity verification service. Customers must provide 100 points of Government approved ID (e.g. driver’s licence or Medicare card) through QGov to prove that their digital identity matches their real-world identity. Logging into QGov is the legal, secure equivalent of providing a signature on a paper form.

If someone knows my bond number, can they refund the bond to themselves through RTA Web Services?

No, they cannot. The RTA Web Services are set up so a bond can only be refunded to the tenants or organisations listed on the bond with the RTA. Anyone using the Bond Refund Web Service must pass through the QGov portal and prove their identity using 100 points of Government approved ID, before they can request a refund. Even if they were able to verify pass this point, the RTA has put security matching measures in place to ensure a refund can only be made to customers who are registered as a party to the bond. If someone who is not on the bond tries to process a refund, RTA’s systems recognise this, and stop them.  

I’m a property manager - if someone finds out my organisation’s RTA ID, can they use Web Services to refund my customers’ bonds to themselves?  

No, they cannot. Anyone processing a bond refund on behalf of an organisation must first verify their identity through QGov’s secure, digital identity verification gateway. Even if they were able to proceed past this point, and they had your RTA ID, there are several additional safeguarding measures in place to prevent a bond from being fraudulently refunded.

For example, managing parties using the Bond Refund Web Service can’t change the bond contributors or add any bank account details for a refund. Other precautionary measures include requiring anyone updating an organisation’s details to verify their identity through a two-factor verification code, which is sent to the registered  company email address with the RTA.

What can I do to ensure I’m protecting my organisation’s digital security?

The RTA does everything in its power to ensure all our digital transactions are secure, but there are also steps you can take to protect your business’s online security:

  1. Make sure only authorised parties have access to your organisation’s systems
  2. If you see any suspicious Web Services notifications, contact the RTA immediately. The RTA sends Web Services notifications to your organisation’s registered email address
  3. Ensure you have proper offboarding procedures in place for when employees leave your organisation
  4. Keep your organisation’s details up to date with the RTA by using the Update Your Details Web Service.

Want to learn more? Tune into our Talking Tenancies podcast to hear our Chief Digital Officer Nasa Walton talk about the RTA Web Services’ security.

Note: If you do not have Australian-issued identification to verify your digital identity through QGov, you can use the RTA’s paper-based forms or call our helpdesk for assistance on 1300 366 311.

 

Original publication on 07 Apr 2020
Last updated on 16 Jun 2021

Note: While the RTA makes every reasonable effort to ensure that information on this website is accurate at the time of publication, changes in circumstances after publication may impact on the accuracy of material. This disclaimer is in addition to and does not limit the application of the Residential Tenancies Authority website disclaimer.