How to Build Automated Tax Filing Software: A Complete Guide to SST CSP Certification
If you've ever wondered how companies like Avalara, TaxJar, or TaxCloud automate sales tax calculation and filing, you're in the right place. This guide breaks down exactly what it takes to build tax automation software and become a Certified Service Provider (CSP) under the Streamlined Sales Tax Agreement (SSUTA).
I recently reached out to the Streamlined Sales Tax Governing Board (SSTGB) to understand the certification process. What follows is a comprehensive breakdown of the requirements based on their official documentation.
What is the Streamlined Sales Tax Agreement?
The Streamlined Sales Tax Agreement (SSUTA) is a cooperative effort between 24 U.S. states to simplify and standardize sales tax collection. It was created in response to the complexity of collecting sales tax across thousands of jurisdictions with different rates, rules, and filing requirements.
Under this agreement, Certified Service Providers (CSPs) are authorized to calculate, collect, and remit sales tax on behalf of businesses. CSPs receive compensation from the member states (typically a percentage of tax collected) rather than charging businesses directly.
Current SST Member States (24 Total)
Arkansas, Georgia, Indiana, Iowa, Kansas, Kentucky, Michigan, Minnesota, Nebraska, Nevada, New Jersey, North Carolina, North Dakota, Ohio, Oklahoma, Rhode Island, South Dakota, Tennessee, Utah, Vermont, Washington, West Virginia, Wisconsin, and Wyoming.
Current Certified Service Providers
There are currently only 6 CSPs competing in this space:
- Avalara - The market leader, publicly traded
- TaxCloud (FedTax) - Free tier available, targets SMBs
- Sovos - Enterprise-focused
- Accurate Tax
- Avior Computing
- Exactor
Part 1: Application Requirements
Before you can even begin building, you need to prepare extensive documentation for your CSP application. This includes corporate, financial, and staffing information.
Corporate Background Documentation
- Company history and background
- Legal entity type (Corporation, LLC, Partnership)
- Principal officers and key personnel
- Ownership structure
- Jurisdictions where you're authorized to do business
- Office locations and business facilities
- Any relevant business licenses
Financial Soundness Requirements
This is where it gets serious. You must demonstrate financial stability through:
- Three years of audited financial statements - Must be prepared by an independent CPA in accordance with GAAP
- Business plan - Demonstrating long-term viability including 3-year financial projections and plans for continuing operation
- Bank reference letters - From your primary banking institutions
- Proof of insurance - General liability and errors & omissions coverage
Staffing Requirements
Personnel requirements are rigorous:
- Criminal background checks - Required for all personnel with access to taxpayer data or financial systems
- Organizational chart - Showing management structure and reporting relationships
- Key personnel qualifications - Detailed resumes for technical leads, security officers, and management
- Staffing plan - How you'll maintain adequate staffing levels
Part 2: Technical System Requirements
This is the core of what you're building. Your tax engine must handle four main functions:
1. Tax Determination (Rate Lookup)
Your system must accurately determine the correct tax rate for any transaction. This requires:
- Address geocoding - Converting addresses to precise lat/long coordinates, then to FIPS jurisdiction codes
- FIPS code mapping - Each jurisdiction has a unique Federal Information Processing Standard (FIPS) code. A single address can have up to 20 overlapping jurisdictions (state, county, city, special districts)
- Rate database - Updated quarterly with rate files from each state
- Boundary files - Geographic boundaries for each jurisdiction, also updated quarterly
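The lookup chain above (geocoded point, then boundary match, then stacked rates) can be sketched as follows. This is an added example, not SSTGB or vendor code: the jurisdiction codes, rates and polygons are constructed placeholders, and it assumes the address has already been geocoded and that boundaries are simple planar polygons.

```python
from decimal import Decimal

MAX_JURISDICTIONS = 20  # ceiling per address stated in this guide

# Constructed sample data: placeholder codes, made-up rates, and simple
# (lon, lat) polygons standing in for one quarter's rate and boundary files.
JURISDICTIONS = [
    ("STATE-X", Decimal("0.0450"), [(0, 0), (10, 0), (10, 10), (0, 10)]),
    ("COUNTY-X1", Decimal("0.0100"), [(0, 0), (5, 0), (5, 5), (0, 5)]),
    ("CITY-X1A", Decimal("0.0150"), [(1, 1), (3, 1), (3, 3), (1, 3)]),
    ("DISTRICT-X9", Decimal("0.0025"), [(2, 2), (6, 2), (6, 6), (2, 6)]),
]


def contains(polygon, lon, lat):
    """Ray casting: toggle on each edge crossed by a ray running east."""
    inside = False
    j = len(polygon) - 1
    for i in range(len(polygon)):
        (xi, yi), (xj, yj) = polygon[i], polygon[j]
        if (yi > lat) != (yj > lat):
            x_cross = xi + (lat - yi) * (xj - xi) / (yj - yi)
            if lon < x_cross:
                inside = not inside
        j = i
    return inside


def jurisdictions_for(lon, lat):
    """Every jurisdiction whose boundary contains the geocoded point."""
    hits = [(code, rate) for code, rate, poly in JURISDICTIONS
            if contains(poly, lon, lat)]
    if not hits:
        # Fail closed: an unmatched point must not silently become 0% tax.
        raise LookupError("point is outside every loaded boundary")
    if len(hits) > MAX_JURISDICTIONS:
        raise ValueError("more than 20 jurisdictions matched; check boundary data")
    return hits


def combined_rate(lon, lat):
    """Sum of the stacked rates, kept in Decimal to avoid float drift."""
    return sum((rate for _, rate in jurisdictions_for(lon, lat)), Decimal("0"))
```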
2. Taxability Matrix Implementation
Different products are taxed differently across states. The SSUTA maintains a Taxability Matrix with 200+ product categories. Your system must:
- Implement all matrix product categories
- Handle exemptions (e.g., clothing may be exempt in some states)
- Apply the correct rules for each state/product combination
- Update when states change their taxability rules
3. Electronic Return Generation (SER)
You must generate Simplified Electronic Returns (SER) in a specific XML schema format. The SER schema includes:
- Header information (CSP ID, period, state)
- Seller registration data
- Jurisdiction-level detail (gross sales, exempt sales, taxable sales, tax collected)
- Adjustments and amendments
- Digital signatures
The XML schemas are maintained by the SSTGB and available in their Technology Guide.
4. Payment Processing (ACH)
Tax payments must be remitted via ACH (Automated Clearing House):
- ACH Debit - State pulls funds from your account
- ACH Credit - You push funds to the state
- Support for both methods required
- Must handle payment timing rules for each state
Additional Technical Requirements
- Store-and-forward capability - Transaction data must be stored locally if the connection to the central system is lost, then forwarded when the connection is restored
- Real-time and batch processing - Support both API calls and bulk file uploads
- Multi-channel support - Handle transactions from web, mobile, POS, EDI, etc.
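One way to meet the store-and-forward requirement is a local outbox that is written before any network call and drained in order once the link returns. This is an added example, not code from the SSTGB documentation; the table layout, the `txn_id` field and the `send` callable are assumptions made for illustration.

```python
import json
import sqlite3


def open_outbox(path=":memory:"):
    """Open the local store; pass a file path in production for durability."""
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS outbox ("
        " seq INTEGER PRIMARY KEY AUTOINCREMENT,"   # preserves arrival order
        " txn_id TEXT NOT NULL UNIQUE,"             # idempotency key
        " payload TEXT NOT NULL,"
        " sent INTEGER NOT NULL DEFAULT 0)"
    )
    return db


def record(db, txn):
    """Persist locally first. Returns False if this txn_id is already stored."""
    with db:  # commits on success, rolls back on error
        cur = db.execute(
            "INSERT OR IGNORE INTO outbox (txn_id, payload) VALUES (?, ?)",
            (txn["txn_id"], json.dumps(txn, sort_keys=True)),
        )
    return cur.rowcount == 1


def forward_pending(db, send):
    """Send unsent rows oldest-first; stop at the first connection failure."""
    delivered = 0
    rows = db.execute(
        "SELECT seq, payload FROM outbox WHERE sent = 0 ORDER BY seq"
    ).fetchall()
    for seq, payload in rows:
        try:
            send(json.loads(payload))
        except ConnectionError:
            break  # still offline: keep the remaining rows for the next attempt
        with db:
            db.execute("UPDATE outbox SET sent = 1 WHERE seq = ?", (seq,))
        delivered += 1
    return delivered


def pending_count(db):
    return db.execute("SELECT COUNT(*) FROM outbox WHERE sent = 0").fetchone()[0]
```

A crash between a successful `send` and the `UPDATE` causes that row to be sent again, so the receiving side should also deduplicate on `txn_id`.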
Part 3: Security Standards (The Hard Part)
Security requirements are where most applicants will struggle. You must demonstrate compliance with multiple frameworks:
Required Security Frameworks
- FISCAM (Federal Information System Controls Audit Manual) - The primary framework
- NIST - Specifically AC-1 through AC-22 (Access Control family)
- ISO 27002 - Information security controls
- SSAE 16/18 - Service Organization Controls (SOC) reports
Specific Control Categories
| Category | Requirements |
|---|---|
| General Controls (100 series) | Security planning, risk assessment, personnel security, physical security, contingency planning |
| Application Controls (200 series) | Application development, change control, software acquisition, testing |
| Software/Database Admin (300 series) | Database security, backup procedures, system administration |
| Sufficiency of Information (400 series) | Audit trails, transaction logging, reporting capabilities |
| Data Transmission Security (500 series) | Encryption (128-bit minimum), secure transmission protocols, network security |
| Privacy Standards (600 series) | Data handling, customer privacy, disclosure controls |
| Right to Audit (700 series) | State audit access, record retention, audit trail availability |
Encryption Requirements
- Minimum 128-bit encryption for all data transmission
- TLS 1.2 or higher for API communications
- Encrypted storage for sensitive data at rest
- Key management procedures documented
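The transmission requirements above can be enforced in the client and then checked mechanically, which also gives an auditor something concrete to review. This is an added example using Python's standard `ssl` module, not code from the SSTGB documentation; the cipher string and the `legacy_context` configuration are choices made here for illustration.

```python
import ssl

MIN_BITS = 128  # the guide's stated floor for data in transit


def hardened_client_context():
    """Client context meeting the TLS 1.2+ and 128-bit requirements."""
    ctx = ssl.create_default_context()  # verifies certificates and hostnames
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Restrict TLS 1.2 suites to forward-secret AEAD ciphers (a choice made
    # here, stricter than the guide's text). TLS 1.3 suites stay enabled.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def audit_context(ctx):
    """Return a list of findings; an empty list means the context passes."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname checking disabled")
    weak = sorted(
        c["name"] for c in ctx.get_ciphers() if c["strength_bits"] < MIN_BITS
    )
    if weak:
        findings.append("ciphers under 128 bits: " + ", ".join(weak))
    return findings


def legacy_context():
    """Constructed misconfiguration, to show what the audit reports."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx
```

Running `audit_context` in CI against every context the service builds turns the written encryption policy into a regression test.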
Record Retention
- Minimum 4 years - Required for all transaction data
- 7 years preferred - Recommended for audit trail completeness
- Must maintain records for each seller, each jurisdiction, each transaction
Part 4: Testing Process
The certification testing is rigorous and ongoing. Here's what to expect:
Initial Certification Testing
- Test Deck Processing - You'll receive CSV files with test transactions (21 input fields per record). Your system must process these and output results in the specified format (93 columns including up to 20 FIPS jurisdiction codes).
- End-to-End Testing - Process test transactions through your entire system, generate SER returns, and submit to the test environment.
- State-by-State Verification - Each member state reviews your results for their jurisdiction.
Test Deck Format
Input fields include:
- Transaction ID, Date, Type
- Ship-from and Ship-to addresses (street, city, state, ZIP)
- Product category (taxability matrix code)
- Transaction amounts
- Customer type (retail, wholesale, exempt)
Output requirements include:
- All input fields echoed back
- Calculated tax amounts by jurisdiction
- FIPS codes for all applicable jurisdictions (up to 20)
- Applied tax rates
- Exemption codes if applicable
Quarterly Recertification
Certification isn't one-and-done. You must:
- Process new test decks every quarter
- Update your system with new rates and boundaries within specified timeframes
- Submit results within the testing window (typically 2-3 weeks)
- Maintain passing scores across all states
Part 5: Ongoing Obligations
Once certified, you have continuing obligations:
- Quarterly rate updates - States publish new rates quarterly; you must implement within 10 days of the effective date
- Boundary file updates - Geographic boundaries change; must be implemented promptly
- Annual audits - SSAE audits and state reviews
- Performance monitoring - Uptime requirements, response time SLAs
- Incident reporting - Security incidents and system outages must be reported
- Annual recertification - Full review of continued compliance
Realistic Assessment: Should You Build This?
Before you embark on this journey, consider:
Barriers to Entry
- Three years of audited financials - A startup can't apply until it's been operating (and audited) for 3 years
- Security compliance costs - SOC 2 audits alone run $50K-$150K annually
- Development time - Building a production-ready tax engine is 12-24 months of development
- Ongoing maintenance - Quarterly updates require dedicated engineering resources
- State relationships - Each state must approve your participation in their program
The Business Model
CSPs are compensated by the states, not directly by businesses. The compensation varies by state but is typically a percentage of tax collected (often 1-3%). This means:
- You need high transaction volume to make money
- You're competing with well-established players (Avalara has been doing this since 2004)
- The free-to-business model makes it hard to differentiate on price
When It Makes Sense
Building CSP software might make sense if:
- You already have a large customer base (e.g., e-commerce platform, ERP vendor) and want to add tax automation as a feature
- You're building for a specific vertical where existing solutions are inadequate
- You have the capital and patience for a multi-year certification process
- You can achieve scale quickly through existing distribution channels
Alternative: Build for Non-SST States
If full CSP certification seems daunting, consider that many businesses need tax automation for states not in the SST program. California, Texas, Florida, New York, and other major markets have their own filing systems. Building automation for these states doesn't require SSTGB certification (though it has its own challenges).
Resources and Next Steps
If you're serious about pursuing CSP certification, here are your next steps:
- Review the official documentation - Visit the SSTGB CSP Applicants page
- Download the appendices - Appendix C (Minimum Standards), Appendix E (Testing Process), and Appendix G (Certification Standards)
- Review the Technology Guide - XML schemas, SER format, and technical specifications
- Contact the SSTGB - They're responsive and can answer specific questions about the application process
Conclusion
Building automated tax filing software that competes with Avalara and TaxJar is absolutely possible, but it's not a weekend project. The CSP certification process is rigorous by design - these systems handle billions of dollars in tax revenue and sensitive business data.
The good news? There are only 6 certified providers serving a market that continues to grow as more businesses sell online and across state lines. If you have the resources and commitment, there's room for innovation in how tax automation is delivered to businesses.
The key requirements to remember:
- 3 years of audited financials
- Compliance with FISCAM, NIST, and ISO 27002 security standards
- Technical implementation of geocoding, rate lookup, taxability matrix, and SER generation
- 128-bit encryption minimum, 4-7 year record retention
- Quarterly testing and recertification
Good luck, and feel free to reach out if you have questions about the process.