Source Extracts Index

Markdown extractions of every attachment + the AusTender landing page.

Source	Original attachment	Notes
atm-landing	(web — `Atm/Show/cea1b989…`)	ATM landing page metadata captured 2026-05-31
src-01-part1-conditions	`01-part1-conditions.docx`	RFI conditions of tender (terms, definitions, instructions)
src-02-part2-statement-of-requirements	`02-part2-statement-of-requirements.docx`	The key document — all LV / TV / S / P / A / H / IN / SC / OP / VISM / M / RM / UX requirements
src-03-part3-response-general	`03-part3-response-general.docx`	General response form (conditions, declarations)
src-04-part3a-response-technical	`04-part3a-response-technical.xlsx`	Technical response form (the compliance spreadsheet)
src-05-part4-response-financial	`05-part4-response-financial.docx`	Financial response form
src-06-part4a-response-pricing	`06-part4a-response-pricing.xlsx`	Pricing tables (T1 Licensing, T2 Discounts, T3 One-off, T4 Support, T5 Labour Rates)
src-07-foci-information-form	`07-foci-information-form.docx`	Foreign Ownership / Control / Influence form (Attachment A)
src-08-addendum-1	`08-addendum-1.pdf`	Issued addendum 1 (corrections / clarifications)
src-09-addendum-2	`09-addendum-2.pdf`	Issued addendum 2 (corrections / clarifications)

All attachments live in attachments/ (binary). Their downloaded SHAs are in attachments/INDEX.md.

Backlinks

Linked Pages

src-09-addendum-2

(page does not exist)

src-08-addendum-1

(page does not exist)

src-07-foci-information-form

Foreign Ownership, Control or Influence (FOCI) Information Form

Purpose

This Information Form is issued to obtain information necessary for the Australian Taxation Office (ATO) to understand any potential FOCI associated with your organisation and the proposed goods or services.

All potential suppliers must provide complete and accurate responses to all questions. Where a question is not applicable or information is unavailable, a clear explanation must be provided. Incomplete forms may require resubmission, and otherwise delay consideration and processing.

Supplier Details

Term	Definition
Legal entity name
ABN / ACN
Country of Incorporation
Contact name / Position
Email / Phone

FOCI Information Questions

Defence Industry Security Program (DISP) or Hosting Certification Framework (HCF) Status

Are you currently a member of the DISP or certified under the HCF?

☐No ☐Yes – If Yes, provide details below:

Identify the relevant program (DISP and/or HCF), current membership level or certification status, and date granted.

Confirm whether the goods or services being provided under this process align with or differ from those covered by your DISP membership or HCF certification and explain any differences.

Ultimate Ownership and Structure

src-06-part4a-response-pricing

Cover

	Request for Quotation



	Provision of xxxxx
	RFI-15434







	Request for Information
	RFI-15434 - Biometric Verification Capabilities to Support myID



	Attachment A – Pricing Tables
	Australian Taxation Office	Unclassified

Notes


	Table of Contents

	Table	Contents
	Table T1	Software Licensing
	Table T2	Tiered Discounts
	Table T3	One off costs
	Table T4	Ongoing Support and Maintenance
	Table T5	Labour Rates

T1 - Software Licensing

Table T1 - Software Licensing
Notes
1. All charges associated with the provision of the Licensed Software (other than support) should be listed in this table.	**	**	**	**	**	**	**	**	**	**	**	**	**
2. Additional categories or rows can be added as required.
3. For evaluation reasons, Tenderers MUST propose pricing for both a perpetual licence model (SP1.1), and a subscription pricing model if both models are commercially available by the Tenderer (SP1.2).
4. In relation to a perpetual licence, please specify if it includes Year 1 Support and Maintenance, if not insert costs in T3 for Year 1, Year 2 and Year 3 as applicable.
5. In relation to a subscription licence, please specify if it includes Support and Maintenance, if not insert costs in T3
6. If an unlimited licence option is available, please provide an unlimited licence option in addition to any standard licence models.
7. All amounts are to be GST exclusive.
8. For amounts subject to foreign currency variations nominate the currency.



INITIAL CONTRACT PERIOD SOFTWARE LICENSING - FROM COMMENCEMENT 12 MONTHS AND 36 MONTH TERM OPTION

SP1.1 - Perpetual licence model

Perpetual Software Licence (One Time) [Tenderer to insert line items for each item of Software being licensed.]	Quantity	Rate	Total	Foreign Currency	Pricing Assumptions
			0.0
			0.0
			0.0
Total Software Licence cost			0.0




SP1.2 - Subscription licence model

SP1.2.1 Subscription Software Licence [Tenderer to insert line items for each item of Software being licensed.]	Year 1	Year 2	Year 3	Total cost over term	Foreign Currency	Pricing Assumptions
				0.0
				0.0

Total Software Licence cost	0.0	0.0	0.0	0.0

T2 - Tiered Discounts

Table T2 - Tiered Discounts
Notes
1. A breakdown of each tier software package should be listed in this table.
2. Additional categories or rows can be added as required.
3. All amounts are to be GST exclusive.
4. For amounts subject to foreign currency variations nominate the currency.
5. There is no need to complete this table if tiered discounts do not apply



INITIAL CONTRACT PERIOD SOFTWARE LICENSING - FROM COMMENCEMENT 12 MONTHS TO FUTURE STATE

SP2.1 - Tier Licence Model

Product Description [Tenderer to insert line items for each tier system.]	Tier (Users)	Unit Type	Unit charge (GST exclusive)	Minimum Units	Invoicing Frequency
			0.0
			0.0
			0.0
Total Software Licence cost			0.0

Example:
Product Description	Tier (Users)	Unit Type	Unit charge (GST exclusive)	Minimum Unit Requirements	Invoicing Frequency
Software Product A	1 - 50	User	7500.0	1.0	Annually in advanced
Software Product A	51 - 100	User	5500.0	51.0	Annually in advanced
Software Product B	1 - 50	User	8500.0	1.0	Annually in advanced
Software Product B	51 - 100	User	8000.0	51.0	Annually in advanced

T3 - One off costs

Table T3 - One off costs
Notes
1. Tenderers should identify all one off costs in this table (including any expected pass-though costs).	**	**	**	**	**	**
2. Additional categories or rows can be added as required.
3. All amounts are to be GST exclusive.
4. For amounts subject to foreign currency variations nominate the currency.
5. Include in this section Training and One Time Services Implementation / Establishement costs

SS2.1 - One off costs

SP2.1.1 One off costs [Tenderer to insert line items for each one off cost.]	Quantity	Rate	Total	Foreign Currency	Pricing Assumptions



Total One off costs			0.0

T4 - Ongoing Support and Maint

Table T4 - Ongoing Support and Maintenance
Notes
1. All ongoing monthly support and maintenance charges should be listed in this table (ie all charges required to deliver the Contract support and maintenance requirements other than those costs covered in Tables T1 and T2. For example, support and maintenance charges should include the recurring charges associated with requirement for support and maintenance of perpetual licences or additional support fees for subscription licenses.
2. Tenderers MAY either insert one line item for all support, or separate line items for each item of support.
3. All amounts are to be GST exclusive.
4. For amounts subject to foreign currency variations enter nominate the currency.


SS3.1 - Ongoing Support and Maintenance

Ongoing Support and Maintenance costs [Tenderer to insert one line item for all support, or separate line items for each item of support.]	Year 1	Year 2	Year 3	Total cost over term	Foreign Currency	Pricing Assumptions
				0.0
				0.0
				0.0
Total Support costs	0.0	0.0	0.0	0.0

T5 - Labour Rates


Table T5: Labour Rates
[Note: Tenderers should insert in this Table T4 the daily labour rates that will apply to any ad hoc work agreed under a change order]

Notes
1. This Table sets out the Labour Rates that will apply.
2. The Tenderer should provide a daily rate that will apply for the Contract Period.
3. All amounts are to be GST exclusive.

LR5.1 Labour Rates [Tenderer to insert daily rates for each possible required role.]	Hourly rate (ex GST)	Daily Rate 8 hours (ex GST)

		0.0
		0.0
		0.0
		0.0
		0.0
		0.0
		0.0
		0.0
		0.0
		0.0
		0.0
		0.0
		0.0
		0.0
		0.0
		0.0
		0.0
		0.0
		0.0
		0.0

src-05-part4-response-financial

[TABLE]

Part 4 – RFI Response Form – Financial

RFI Response Form – Financial

Introduction

The RFI Response Forms

This Request for Information (RFI) includes 5 RFI Response Forms:

Part 3 – RFI Response Form – General,
Part 3a – RFI Response Form – Technical (Excel Spreadsheet),
Part 4 – RFI Response Form – Financial and
Part 4a – RFI Response Form – Pricing Table Response (Excel Spreadsheet).
Attachment A – FOCI form

src-04-part3a-response-technical

How-To

RFI-15434 Provision of Biometric Liveness Detection Solutions that can support the strategic objectives of the myID app.
	Steps to complete SoR Response Form	Notes
1.0	In Column D - Select Response compliance for each criteria using the drop down menu
2.0	Column E - Add response to criteria and include an explanation on how you meet the criteria
3.0	Complete and Return the Security documents: FOCI Form
	The Tenderer should identify in the Part 3a RFI Response Form – Technical, each instance where either it, or its offer, only partially complies, or does not comply, with an item or paragraph in the Part 2 – Statement of Requirements:
	Where an item or paragraph is of an informative nature only, the Respondent should select “Partially complies” if it only partially understands and accepts it, or “Does not comply” if it does not understand and accept it, otherwise the Respondent will be taken to have understood and accepted it.

	Should you wish to supply additional information that will not fit into the Excel document, please supply them as attachments to the response and indicate what attachment is relevant to the Statement of Requirement.

SoR Response

#	Description	Criticality
Biometric Capture and Liveness Detection
LV-1	The solution MUST capture biometric images of sufficient quality for biometric comparison, complying with ISO/IEC 29794-5 when generating the image quality profile of the acquired image.	Mandatory	Partially Compliant
LV-2	The solution MUST implement automated image-quality controls within its biometric capability and provide clear user-interface guidance to direct a user to capture an image that meets the required image quality profile.	Mandatory	Non-Compliant
LV-3	The solution MUST employ presentation attack detection (PAD) to determine whether the acquired image originates from a living human subject present at the point of capture.	Mandatory
LV-4	The solution MUST complete image capture and presentation attack detection (PAD) as part of a single continuous process before the image is submitted to the ATO system for online biometric verification to prevent exploitation via separation of acquisition and PAD.	Mandatory
LV-5	The solution MUST ensure PAD technology meets at least Evaluation Assurance Level 2 (Level B) as defined by ISO/IEC 30107-3:2023 and the Digital ID (Accreditation) Data Standards.	Mandatory
LV-6	The solution MUST have been tested or validated by a qualified third-party biometric testing entity experienced in ISO/IEC 30107 to evidence the PAD meets Evaluation Assurance Level 2 (Level B) requirements.	Mandatory

Technical Verifaction and Biometric Binding
TV-1	When performing technical verification of a foreign ePassport, the solution MUST: a. Comply with the relevant sections of ICAO Doc 9303 for remote Public Key Infrastructure (PKI) verification; and b. Check any published certificate revocation lists (CRLs) or equivalent mechanisms to determine if the ePassport has been cancelled.	Mandatory
TV-2	When conducting online biometric binding, the solution MUST: • Complete binding within a single continuous workflow; • Include liveness detection as part of presentation attack (PAD); • Execute PAD at the point of capture; • Complete capture and PAD prior to submission for biometric binding; and • Use PAD technology that incorporates data from both the data capture subsystem and system-level monitoring consistent with ISO/IEC 30107-1	Mandatory
TV-3	The solution MUST demonstrate, with a minimum 90% confidence interval, that its biometric matching algorithm achieves a False Match Rate (FMR) of no more than 0.01% and a False Non-Match Rate (FNMR) of no more than 3%, in accordance with ISO/IEC TS 19795-9:2019.	Mandatory

Scalability
S-1	The solution MUST be scalable to ensure performance requirements are met under variable and increasing usage patterns.	Mandatory
S-2	The solution MUST support SaaS solution.	Mandatory

Performance

P-1	The solution MUST support peak loads of 10,000 verifications per hour with a 95th percentile response time ≤ 1000 ms.	Mandatory
P-2	The Tenderer MUST provide: (i) Licensed Software performance metrics and test regimes used; (ii) Licensed Software infrastructure design specifications and (iii) A Software Capacity Plan and supplier strategies for scaling.	Mandatory

Availability
A-1	The solution MUST achieve or exceed 99.95% availability. (Note: ATO provides cloud infrastructure where applicable.)	Mandatory

Hosting
H-1	The solution MUST be a cloud-hosted Software as a Service (SaaS) offering, delivered via a secure, scalable, and vendor-managed environment.	Mandatory
H-2	If cloud-based, the Tenderer MUST describe connectivity with current AWS technologies and services, connectivity methods (e.g., AWS PrivateLink) and resources required from ATO to support connectivity.	Mandatory

Integration

IN-1	The solution MUST support the Microsoft MAUI development environment and provide bindings for client API access.	Mandatory
IN-2	The solution MUST support operation through standard web browsers in addition to mobile platforms. This includes providing a seamless and secure user experience for individuals completing liveness verification via browser-based channels (e.g., Chrome, Safari, Edge, Firefox).	Mandatory
IN-3	Where the solution is not hosted within an ATO Software Service, the solution MUST not require server affinity.	Mandatory
IN-4	The solution MUST support silent automated deployments, including infrastructure setup (IaaS), where ATO is responsible for deployment.	Mandatory
IN-5	The Tenderer SHOULD provide two short case studies demonstrating delivery of similar services in high-volume, large-scale deployments, including references.	Desireable

Compliance

#	Description	Criticality
Security and Confidentiality
SC-1	The solution MUST be able to show evidence of ability to comply to PSPF, ISM, Essential 8 requirements and other security requirements as defined in Digital ID ACT 2024.	Mandatory	Partially Compliant
SC-2	The solution MUST be able to demonstrate ability to comply with the Australian Privacy Principles.	Mandatory	Non-Compliant
SC-3	The solution SHOULD secure all collected, held or used data (Personal Information, ATO Data, ATO Material, and inter-agency information) in use and at rest using ASD-approved cryptographic algorithms consistent with the Australian Government ISM or NIST.	Desirable
SC-4	The solution SHOULD include controls to ensure integrity of data generated within the client software or provided to the Facial Verification Service.	Desirable
SC-5	The solution/service MUST NOT transfer Personal Information outside Australia.	Mandatory
SC-6	The solution MUST be capable of meeting relevant ISM controls to allow the ATO’s Information Security Advisor to issue certification at the PROTECTED level.	Mandatory
SC-7	All Personal and ATO data MUST be hosted and stored in Australia and comply with Australian data sovereignty laws and the Data Hosting Certification Framework.	Mandatory
SC-8	The Tenderer SHOULD list all products used in delivery of Licensed Software, their function, whether third-party, and any access those products have to user data.	Desirable

Operations, Support and Maintenance
Operations
OP-1	The Tenderer MUST Provide secure, isolated non-production (production environments) coupled with 24x7 monitoring.	Mandatory
OP-2	The solution SHOULD enable dynamic, automated test environments with integration testing.	Desirable
OP-3	The provider MUST maintain data sovereignty and provide internal real-time service status visibility.	Mandatory
OP-4	The solution MUST continuously monitor access and privileged activities.	Mandatory
OP-5	The Tenderer MUST provide assurance that system access is limited to approved IP ranges that are regionally localised.	Mandatory
OP-6	The solution SHOULD provide mechanisms to detect early indicators of stress or coercion among personnel interacting with sensitive systems.	Desirable
OP-7	The solution MUST deliver real-time alerts for high-risk or policy-violating behaviors, including biometric failures.	Mandatory
OP-8	The solution SHOULD support tiered alerting based on risk severity and detect abnormal access or potential data loss incidents.	Desirable
OP-9	The solution MUST provide Australian-based NV1-cleared support, maintain compliance with ISM timelines, deliver governance reporting, and enable secure incident management via an iRAP-certified portal.	Mandatory
OP-10	The Tenderer MUST offer dedicated helpdesk, roadmap for fraud prevention, knowledge transfer, and demonstrate experience with government identity systems and security certifications as well as SLA mgt and governance.	Mandatory

Vendor Implementation, Support & Maintenance

VISM-1	The Tenderer MUST provide solution-specific support and troubleshooting via a formal helpdesk function.	Mandatory
VISM-2	The Tenderer MUST provide documented processes, manuals and operational instructions to support the solution.	Mandatory
VISM-3	The Tenderer MUST provide ongoing support to ensure software is kept up to date with regular patching and updates.	Mandatory
VISM-4	The solution MUST provide ongoing platform maintenance services.	Mandatory
VISM-5	The Tenderer SHOULD provide roadmaps and planned updates in fraud prevention and identity technology.	Desirable
VISM-6	The Tenderer SHOULD demonstrate proven experience in successful implementation of similar systems in other Government Agencies.	Desirable
VISM-7	The Tenderer SHOULD describe emerging technologies and recommendations based on vendor research.	Desirable

Maintainability

M-1	The Tenderer MUST keep Licensed Software up-to-date through maintenance and patches (including security patches) for the Licensed Software and any third-party components.	Mandatory

Reporting and Monitoring
RM-1	The solution MUST centrally log system activity, including security setting modifications, verification activities, and support shipping logs to ATO’s logging system.	Mandatory
RM-2	The solution MUST provide configurable metrics, dashboards and drill-down visualisations (e.g., capture time statistics, failure to enrol/acquire rates).	Mandatory
RM-3	The solution MUST provide ATO with appropriate access to view logs (requests, response payloads and processing status) for troubleshooting.	Mandatory
RM-4	The Tenderer MUST describe monitoring capability or integration options.	Mandatory

User Experience and Accessibility
UX-1	The solution MUST support Mobile First and Responsive Web Design methodologies.	Mandatory
UX-2	The Tenderer MUST provide UI standards, UI screen designs, and UX documentation including user flow mappings.	Mandatory
UX-3	The solution MUST conform to WCAG 2.1 Level AA for mobile and web browser experiences.	Mandatory
UX-4	The solution MUST provide the ATO with the ability to customise user experience elements.	Mandatory

src-03-part3-response-general

[TABLE]

Part 3 – Response Form – General

Response Form – General

Introduction

The RFI Response Forms

This Request for Information (RFI) includes 4 Response Forms:

Part 3 – RFI Response Form – General
Part 3a- RFI Response Form – Technical Response (Excel Spreadsheet)
Part 4 – RFI Response Form – Financial
Part 4a – RFI Response Form – Pricing Table
Attachment A – FOCI form

src-02-part2-statement-of-requirements

[TABLE]

Statement of Requirements

[TABLE]

[Background 4](#background)

[About myID 4](#about-myid)

[High-level system architecture diagram 5](#high-level-system-architecture-diagram)

[Request for Information 5](#request-for-information)

[Vision 6](#vision)

[Overview of Business Requirements 6](#overview-of-business-requirements)

[High Level Requirements & Prioritisation 7](#high-level-requirements-prioritisation)

src-01-part1-conditions

[TABLE]

Part 1 – Conditions of Response

Conditions of Response

Introduction

About the Australian Taxation Office

The Australian Taxation Office is the Australian Government’s principal revenue collection agency. Its role is to manage and shape tax, excise and superannuation systems that fund services for Australians, and its national headquarters are located in Canberra, ACT.

The ATO Charter outlines the rights and obligations of Australian Taxation Office clients under the law as well as the service and other standards they can expect in dealing with the Australian Taxation Office.
Employees of the Australian Taxation Office are subject to the Australian Public Service Values and are bound by the APS Code of Conduct contained in Part 3 of the Public Service Act 1999 (Cth). The APS Values and Code of Conduct are available on the Australian Public Service Commission website.
The Ethical business relationship statement sets out what contractors can expect from the Australian Taxation Office and its employees in their business dealings.
The ATO Environmental Policy Statement outlines the Australian Taxation Office’s commitment, through integrated environmental management principles, to reduce its environmental footprint.

atm-landing

src: ATM Landing — RFI-15434

Source URL: https://www.tenders.gov.au/Atm/Show/cea1b989-ceb0-4b36-8b48-ac1330062362 Captured: 2026-05-31 (authenticated session, ar-crawl session)

Current ATM View — RFI-15434

Biometric Verification Capability

Contact Details

Name: Alison Buchanan
Email: RFI15434@ato.gov.au

Metadata

Field	Value
ATM ID	RFI-15434
Agency	Australian Taxation Office
Category	43230000 — Software
Close Date & Time	4-Jun-2026 2:00 pm (ACT Local Time)
Publish Date	23-Apr-2026
Location	ACT, NSW, VIC, SA, WA, QLD, NT, TAS (Canberra, Sydney, Melbourne, Adelaide, Perth, Brisbane, Darwin, Hobart)
ATM Type	Request for Information
Multi Agency Access	No
Panel Arrangement	No
Multi-stage	No
Address for Lodgement	26 Narellan Street, Canberra City ACT 2601

Description

The ATO is seeking responses from the market for potential products and/or solutions for the requirement of a Biometric Liveness Detection Solution that can support the strategic objectives of the myID App. The intent of this RFI is identify the viability of potential solutions, the implementation and integration costs and the potential benefits of implementing this platform.

Conditions for Participation

Refer to attached documentation