The Home Office plans to introduce enhanced security measures for the sponsor management system to combat issues with unauthorised access and phishing attacks. There isn’t currently any definite timeline for this, but we recommend sponsors take action now to ensure continued access to the sponsor licence once the new two-factor verification process is introduced.
Currently those with access to a company’s sponsor licence (Level 1 and Level 2 Users) just need their User ID and password to log into the sponsor licence. Under the new approach, Level 1 Users will also need to enter a one-time passcode (OTP). This will be sent to their mobile phone and/or email address listed on the sponsor licence.
Access to the sponsor management system is crucial for sponsors, including so that they can assign Certificates of Sponsorship to new or existing sponsored workers and comply with their reporting duties. Any inability to log into the sponsor licence could also expose the business to sponsor compliance action.
Action points for sponsor licence holders
Check that the Level 1 and Level 2 Users listed on the sponsor licence are still current and meet the eligibility requirements to act in these roles. Where individuals have left the organisation or do not meet the eligibility requirements, you should deactivate them on the sponsor licence – but first ensure there is another Level 1 User able to access the sponsor licence. We recommend ensuring that there are always at least two individuals in the Level 1 User roles at any one time (including at least one person who is an employee or officer of the sponsor organisation)
Given the forthcoming two-factor verification process, check the mobile number and email address of each Level 1 User on the sponsor licence (this should be their work mobile number and work email address)
Ensure that all Key Personnel on the sponsor licence (Level 1 and Level 2 Users, Authorising Officer and Key Contact) are trained to identify phishing attacks
Ensure all Key Personnel are aware they will need to update their contact details on the sponsor licence if these change
The move to two-factor authentication is a positive step towards keeping an organisation’s sponsor licence secure, but it could introduce logistical headaches if the contact details on the licence are not kept up to date.