HMRC has spent years telling me to go digital. Making Tax Digital, software-only accounts filing at Companies House from April 2028, 28,000 of its own staff handed a Microsoft Copilot that the Whitehall trial reckoned saved each of them about 26 minutes a day (The Register, 2026). So there is a particular irony in the guidance that surfaced this June. If I automate my way around HMRC's own creaking Government Gateway, it can switch off my access to every client at once.
Here is my view up front, and I am about as pro-automation as an accountant gets. HMRC is right on the security principle and wrong on the timing. It has reaffirmed the ban before building the thing that would make the ban painless. I still read it as a reason to look hard at what my software does behind the login, because the safe play is simple: APIs yes, scraping no.
TL;DR: HMRC has reaffirmed that automation tools, including screen scraping, scripted sign-in and robotic process automation, must not be used on the Government Gateway, whether reading or writing data. The sanction is blocking your agent services account. Properly authorised API access is fine. Audit your stack now, before multi-factor authentication breaks scripted logins this autumn.
What has HMRC actually banned?
Automation tools that sign in to the Government Gateway by pretending to be a human. HMRC's guidance, published on 27 May 2026 and pushed to practitioners in Agent Update 144, uses the term to cover "browser automation, screen scraping, scripted sign-in, or robotic process automation," and it states these "are not permitted under the Government Gateway Terms and Conditions, regardless of whether data is being read or written" (GOV.UK, 2026).
Screen scraping is the bit most clients have never heard of, so here is the plain version. It is software that logs in as if it were you and lifts whatever is on the screen, because there is no proper interface to ask the system for the data directly. The crackdown targets third-party products that collect a firm's HMRC sign-in details and use them through their own dashboard to pull and aggregate client tax data at scale.
Why did thousands of firms start scraping in the first place?
Because HMRC's own plumbing does not give agents a clean way to get the data they need. There is no tidy interface to pull accumulated penalties, interest, balances on account, or the PAYE, Self Assessment and corporation tax position across a whole client list in one go. So practices filled the gap themselves, by handing a tool their Gateway login and letting it do the clicking.
This is not a fringe habit. AccountingWEB reports that potentially thousands of firms use such solutions to plug gaps in HMRC's digital services (AccountingWEB, 2026). The guidance even concedes the point, noting that "APIs provided by HMRC do not yet provide access to all the data that firms legitimately need." The demand for scraping is a symptom of missing interfaces, not of rogue agents.
Where is the line between an API and a screen scraper?
One asks the system politely through a published door; the other climbs in through the window wearing your face. An API is HMRC's own interface, designed for software to talk directly to its systems, and this policy explicitly does not restrict it (GOV.UK, 2026). Your MTD filing software submits through an API, which is why filing is unaffected.
A scraper has no such door, so it borrows your credentials and simulates a person clicking. That is the side of the line HMRC has ruled out. Most practitioners have never had to think about which side a convenient tool sits on, because it just worked. The honest answer for a lot of firms is that they genuinely do not know, and finding out is now the job. I wrote about a related discipline when AI confidently gave clients the wrong VAT deadline: convenience is not the same as compliance, and the gap between them is where the trouble lives.
Could this really get my agent account blocked?
Yes, and that is the part that should focus minds. HMRC says that where it detects unsafe access it may include "blocking access to HMRC web services accounts to prevent disclosure of customer data to third parties" (GOV.UK, 2026). Losing your agent services account is the nuclear outcome, because the whole practice runs on it. An afternoon saved is not worth your access to every client at once.
There is a second reason the clock is ticking. HMRC is switching on multi-factor authentication for agent accounts, with the final activation window running 28 September to 15 October 2026 (ICAEW, 2026). A scripted login cannot easily get past a code sent to your phone. So even a firm that ignores the rule will find the plumbing stops cooperating this autumn. The decision to move off scraping is being made for you whether you like it or not.
What am I auditing in my own stack this week?
Three things, and none of them are dramatic. First, I am asking every provider a blunt question: does this tool collect my Gateway sign-in details or simulate a human login to read data? If the answer is yes, it stops until HMRC's promised clarity arrives. Second, I am drawing the clean line through my workflows: anything API-based stays, anything that logs in and scrapes goes. Third, I am re-confirming the rule I never break anyway, which is that you do not share live Gateway credentials with a product you do not control.
This sits on top of work I had already done. The mandatory tax-agent registration and the AML reforms both turned on the same point: a solo practice is its own single point of failure, so the security of agent access is the business, not an IT footnote. HMRC's enforcement is sharpening in parallel, from the £175m Quantexa network-analytics deal to the wider push behind a £59.2bn tax gap it wants to shrink (GOV.UK, 2026). The regulator is getting more capable, and access discipline is how you stay on the right side of it.
Is HMRC being fair about this?
Half and half, and I will not pretend otherwise. The security logic is sound. Sharing or automating live credentials genuinely does expose client data, and credential-sharing already breaches HMRC's Standard for Agents. On that, HMRC is correct, and the firms treating a third-party scraper as harmless have been quietly carrying a real risk.
The timing is the grievance. HMRC has reaffirmed the ban while admitting its APIs do not yet cover what agents need, and it has promised "greater clarity later this year" without committing to the interfaces that would make scraping pointless (GOV.UK, 2026). The right response to the review is not to defend scraping. It is to make the case that the cure for the workaround is to build the door. I use AI and cloud tools every working day, the same way I think about which work to hand the machine and which to keep, and even I read this as a prompt to look behind the login.
Frequently Asked Questions
Does HMRC allow screen scraping or browser automation of the Government Gateway?
No. HMRC's guidance, published on 27 May 2026 and reaffirmed in Agent Update 144, states that automation tools including browser automation, screen scraping, scripted sign-in and robotic process automation are not permitted under the Government Gateway Terms and Conditions, regardless of whether data is being read or written.
What is the difference between API access and screen scraping for HMRC services?
An API is HMRC's own published interface that lets software submit or retrieve data directly and securely, without using your personal sign-in details. Screen scraping borrows your Gateway login and simulates a human clicking through the website to extract what is on screen. The policy restricts scraping but explicitly does not restrict properly authorised API access, so your MTD filing software is unaffected.
Could my firm's automation software get my agent services account blocked?
Yes. HMRC says that where it detects unsafe access it may block access to its web services accounts, including the agent services account a practice relies on to file returns. The safest step is to ask your provider whether their tool collects your sign-in details or simulates a login, and to stop using any feature that does.
When will HMRC say what automation is actually allowed?
HMRC has stated it is considering how safe, secure and appropriate automation should operate and intends to provide greater clarity later in 2026. Until then, the prudent position is to rely on HMRC's published APIs and to avoid any tool that signs in to the Government Gateway on your behalf.
If you are not sure whether a tool in your practice or business touches HMRC's Gateway the wrong way, get in touch. I am happy to run through your stack and help you separate the API-based tools worth keeping from the workarounds worth dropping before autumn.