BRINGING SMES ONTO THE E-COMMERCE HIGHWAY (English)
Out of the shadows with fiscal compliance technology White Paper Retail Innovation HTT AB
1. 1
ROADMAP TO A TAX REVENUE OPPORTUNITY WITHOUT A TAX INCREASE
Out of the shadows
Sales tax fraud prevention with fiscal compliance technology
WHITE PAPER – 1st Edition
November 2014
3. 3
ROADMAP TO A TAX REVENUE OPPORTUNITY WITHOUT A TAX INCREASE
THE GREAT CHALLENGE OF THE SHADOW ECONOMY
SPOTLIGHT ON THE PAIN POINT
RETAIL AND HOSPITALITY SECTORS
The shadow economy has started off as a
predominantly cash-based phenomenon rooted largely
in undeclared work and underreporting of taxable sales
and income. Underreporting of income to avoid
taxation, primarily by smaller businesses, accounts for
one third of Europe’s shadow economy. Underreporting
has been most prevalent in cash-based sectors such as
shops, convenience stores, bars and restaurants, but it is
no longer a phenomenon isolated to cash handling. New
sectors for fraud of this kind are rapidly emerging.
The advent of digital technologies has brought
unprecedented sophistication to payment transaction
processing. High-tech payment solutions exist today
that are capable of severely restricting scope for tax
evasion. Yet a variety of factors combined enable the
shadow economy’s continued survival.
INSIDE THE POINT OF SALES
Most countries today require retailers to record
payment transactions within a general framework of a
fiscal law regulating business bookkeeping and
imposing a value added tax on a commercial sale. At
present, sales and value added tax are most often
recorded by cash registers and some jurisdictions
require specifically every business to use a cash register
– a point of sales system. The point of sales equipment
landscape is made up of a range of customised hardware
and software, varying from low-tech to high-tech: from
traditional electronic cash registers (ECR) and PC-based
POS systems, to EFT-POS
31
terminals, mobile-POS
devices and virtual and cloud-based payment systems
operating on tablets or smartphones.
The sales records stored by these devices are generally
not alterable by the operator and are used as the basis
for tax assessments and audits by a tax authority. It
would ordinarily pave the way for full tax compliance.
However, some retailers and traders find a way round
the rules either by “skimming” sales; the old fashioned
way of simply omitting to ring up transactions or by
using special techniques to not accurately record sales
and thereby reduce their tax bill. Software programs are
used in ECRs or POS- systems to alter business records,
allowing owners to skim payment receipts. Automated
sales suppression software has turned into a global
problem. They are now commonly used all over the
world to manipulate data records of sales transactions
inside cash registers or payment-recording software.
1
VISA: The Shadow Economy in Europe, 2013/A.T
Kearney/Dr. Schneider Univ. of Linz Austria
2
Demos.org, “Tax evasion”, 2011
3
EFT-POS: Electronic Funds Transfer at the Point of Sale
The financial crisis has given governments worldwide a powerful incentive to tackle the shadow economy – the mass of
unreported and hidden economic activity that costs nations vast amounts in lost tax revenue every year. The advantages
are compelling. Tighter control and compliance measures raise tax revenue, leading to stronger government budgets,
higher economic growth and greater scope for social spending.
In Europe alone, the shadow economy is estimated to €2.1 trillion and represents 18.5% of total economic activity,
according to the company VISA
1
. The revenue loss in the US due to tax evasion was estimated to more than $300 billion
2
during 2010 and the European Commission estimates that EU member states lose up to €1 trillion per year – resources
that if properly collected could ease some of the burden on hard-pressed state spending programmes.
The challenge of tax evasion– and the financial benefits of tackling it – have been focusing minds at the highest political
level and discussed at G20 and EU summits meetings. Both joint coordinated actions and individual national policy
initiatives are taken to clamp down on tax evaders. In this context, fair business competition and fair distribution of public
resources are strong political motivators.
The exponentially increase in the use of digital technologies has undoubtedly a huge impact on the presence and
performance of tax fraud in modern society - and the opportunities to curb the same. This paper will highlight a
specifically evident example of this development.
5. 5
ROADMAP TO A TAX REVENUE OPPORTUNITY WITHOUT A TAX INCREASE
NEW FRAUD FRONTIERS
THE FUTURE IS HERE
Digitalization offers new opportunities and enables new
types of industrialized fraud in an increasing number of
tax related sectors: tax refund fraud by identity theft,
online payroll social tax fraud and digital VAT carousel
fraud are just a few examples.
4
The digital revolution has brought rapid evolution to the
Point of Sales (POS) and a transformation that will
continue in the next several years: a technology shift
from traditional cash registers to mobile devices on new
platforms of smartphones and tablets and a transition of
back-office systems to the cloud.
Inevitably, the sophistication of digital fraud techniques
is as fast moving as the POS progress, spreading from
the traditional store POS to mobile, virtual and cloud-
based payment solutions, e-commerce as well as B2B
domestic or cross-border digital invoicing. They will
increasingly be performed remotely in parallel by
physically installed fraudulent software. When sales
data recorded in a POS-system is transmitted to a cloud,
it is open to further data manipulation; fraud-in-the-
cloud.
Fraud by sales data manipulation in ECRs and POS
systems is not only a threat for governments and tax
revenue authorities. It is also a security concern for retail
and hospitality businesses challenged by employee theft
and internal embezzlement.
A recent report from Cyphort
5
highlights the security of
POS systems as businesses increasingly are threatened
by hacker attacks using malware to compromise
financial card data and CRM data.
Clearly, digital security solutions stemming from fiscal
compliance requirements serve more than a public
revenue purpose. It solves retail payment tax fraud,
business internal embezzlement and POS malware for
valuable data asset theft. In this respect, business needs
and public challenges and needs coincide.
4
Capgemini: Digital – Blue Skies or a Perfect Storm for
the Taxman? 2013
5
Cyphort Labs Special Report: POS Malware Revisited,
2014
The profoundness of the POS transformation will reflect
on tax administration. Authorities will have to keep pace
with the development of new methods of committing
fraud and tools to crack the integrity of digital systems.
Understanding the digital footprints that electronic
records leave is a key capability. Authorities must ensure
having the expertise in online business methods and
models in order to be able to adjust their compliance
models.
THE POTENTIAL COST OF FAILURE TO ACT
Capgemini has forecasted
6
which actual impact the
growth of digital fraud techniques will have on the US
and EU markets by 2020. If relying on existing ways and
means of fighting digital fraud, there will be a huge
hurdle to overcome. It is estimated that digital fraud will
almost double to over $34 billion in the US and $35
billion in the EU by 2020, from $18.6 billion and $18.2
billion in 2012 respectively.
According to Capgemini’s projections, automated sales
suppression (zapping) will grow extremely fast.
Estimated tax loss due to “zapping” will to grow by 167%
in the US and 235% in the EU. This growth will be driven
by an increase in restaurant sales and rising taxes.
There are undeniably strong incentives and good
opportunities to curb the increase of sales tax fraud and
the use of fraudulent digital techniques in payments and
point of sales: using digital technology to digital fight
technology.
6
Capgemini: Digital – Blue Skies or a Perfect Storm for
the Taxman? 2013
6. 6
ROADMAP TO A TAX REVENUE OPPORTUNITY WITHOUT A TAX INCREASE
THE SOLUTION: FIGHTING TECHNOLOGY WITH TECHNOLOGY
FISCAL COMPLIANCE SOLUTIONS
Historically there have been a number of attempts to step up the level of security and handling of cash registers to prevent
tax fraud, with fiscal printers or cash registers with fiscal memories. With the advancement of cash register products, from
traditional to modern devices and systems, the clamping down on retail payment fraud calls for more advanced security
solutions. Fiscal compliance solutions are today considered the only available tools to prevent sales suppression and
manipulation of fiscal information inside the ECR/POS; falsifying of recorded taxable sales data.
Fiscal compliance solutions are usually a combination of software and hardware technology based on cryptographic
techniques securing and storing transaction data on a memory card:
encrypted signatures (using symmetric-keys) or
certificate signatures [e-signatures] using Public Key Infrastructure (PKI) (asymmetric keys)
A signature - a unique ID and traceable code for each payment transaction – is generated from receipt data (the fiscal
information): date/time, ID, type, total sales/refund amount, VAT total / % etc. The point of storage can be a smart card, a
SIM card or a general memory card on a hardware motherboard. The fiscal compliance solution can be fully embedded into
any kind of cash register system (or receipt printer), placed externally into a separate control unit connected to the
ECR/POS for offline retrieval or placed in the cloud, storing encrypted real-time digital records on a server.
LEGISLATIVE FRAMEWORK CONDITIONS: A NATIONAL AFFAIR
IT TAKES MORE THAN TECHNOLOGY
For fiscal compliance technology to have an effect of
preventing retail tax fraud there has to be a legislative
framework, comprehensive audit strategies and
technical requirements in place. Efficient technological
countermeasures depend on regulating POS technology
and use - the core of the problem being the cash
register.
Tax revenue policy is a national competence. As yet, no
global standards exist for fiscal compliance solutions,
nor a universal model applicable in every jurisdiction.
Even the EU lacks European-wide directives dictating
the rules. Countries that want to tackle retail tax fraud
and close the tax gap therefore act alone. Legislative or
regulatory actions in this area are usually based on a
fiscal law.
Each country chooses its unique setup of rules and
regulations, often as an integral part of specific national
anti-tax-evasion and shadow economy action plans that
seek to increase tax revenue and establish fairer
competition among businesses by directly combating
the risk area – and facilitating taxpayer compliance.
Achieving these objectives not only raises tax revenue
but also invariably results in more cost-efficient tax
collection and administration.
For cash registers, the emphasis of governmental
intervention varies from less to more direct control: at
the one end of the scale is a less prescriptive “soft”
approach and at the other a more invasive “tough”
control approach. Policies range from proactivity and
prevention to reactivity and prosecution. A common
main concern is the reliability of digital records. Any
policy option comes with costs as well as benefits,
problems and challenges.
“The tough approach”
A mandatory control system – enforced compliance
The tough approach commonly involves regulations
that mandate the use of certified cash registers and
provisions requiring a fiscal compliance technology. The
technology can either be embedded in the cash register
device or printer - or placed in an attached control unit
sometimes called the “black box”.
The tough approach takes the route of enforced
compliance. It imposes technical requirements on the
ECR and POS (both hardware and software) making it
impossible for the user – the business owner – to
manipulate transaction data stored. Together with a
comprehensive audit mandate and an external
certification regime, it makes it possible for the tax
7. 7
ROADMAP TO A TAX REVENUE OPPORTUNITY WITHOUT A TAX INCREASE
revenue authority to retrieve transaction data for
control in tax audit offline or online in remote audit.
Sweden, Belgium, Hungary, Turkey and the Canadian
province of Quebec have chosen a policy approach of
this rule-based kind.
In cases like these, regulating technology and use of
cash registers is not the only policy ingredient.
Legislation also needs to give an extended inspection
and control mandate for the Tax Revenue Authority,
and often a regulation that demands merchants to offer
the consumer a unique receipt for each purchase -
making payment transaction more traceable and
penalty fines for those not complying by the rules.
“The soft approach”
A voluntary control system – cooperative compliance
The soft approach is characterised by legislation that
relies on compliant taxpayers and cash register
providers help them keep trustworthy records.
Regulations may require ECR or POS use and the ability
to retrieve transaction data for control in a
comprehensive tax audit. This approach could demand
device certification either by their own self-certification
regime or by a third party service provider, focussing on
certification of software and digital records. It does not
mandate the integration of a specific fiscal compliance
technology. This approach requires a comprehensive
audit program.
Compliance schemes may be based on industry or
market cooperation, relying on producers and providers
to guarantee that their products cannot be manipulated.
In this case, a regulatory framework is often developed
and established in a partnership between the authorities
and the industry, the latter taking full responsibility for
certification and compliance.
One example of this approach is the Netherlands’
“Quality Mark for Reliable POS systems” scheme, where
suppliers in cooperation with the tax authorities have
developed a model of risks for POS systems in order to
stimulate compliance with tax audit requirements.
A policy mix
There are of course options to steer a perhaps middle
course or a blend of the above approaches. One is for
example requiring all cash registers to have online
connectivity to the tax agency but not to specifically
require a cash register certification or impose data
security standards. Like the soft approach, this route
potentially leaves the system open to fraud performed
by sales suppression software to manipulate data inside
the cash register. Another example is the criminalisation
of possession of sales suppression software – a quite
common policy measure among US states.
FOCUS ON END OBJECTIVES - SERVING TAX AUDIT
NEEDS
The fiscal compliance technology is targeting the risk
area – the reliability of data recording inside the cash
register, where fraud is performed – and facilitates fraud
detection through inspections, securing evidence and
traces when for example using digital forensic tools in
computer forensic investigations by specific e-auditors.
Together with the comprehensive legal framework it
can deter acts of fraud. Fiscal compliance technology
contributes to cost-efficient administration of
inspection and tax collection; data can easily be
retrieved, controlled and analysed.
Evidently, the requirements of fiscal compliance
solutions are high. They must offer a high level of
reliability, data security, accuracy and traceability.
Solutions must be flexible, adjusted to specific tax audit
and analysis needs.
Fiscal compliance solutions have to be able to secure
data transmission needed between cash registers and
the authorities – either retrieved offline on a memory
card in inspections and audits or transferred online by
GPRS or a Ethernet connection to authorities’ back
office servers enabling online data monitoring and
remote audit.
The choice of solution depends on which specific needs
that have to be met. Tax authorities are looking to
facilitate their audit and tax control through online data
transfer, making it more cost-efficient or for the sake of
the possible compliance impact of the monitoring.
Online functionality offers both opportunities and
challenges.
Cash register connectivity facilitates the delivery of
several types of data and also enables immediate
software upgrades through a connected system. Real-
time data monitoring makes audit processes more
efficient by reducing the number of on-site tax
inspections. Buffering data functionality facilitates
business operations. In the event of power loss, data can
be stored momentarily and operations can continue.
8. 8
ROADMAP TO A TAX REVENUE OPPORTUNITY WITHOUT A TAX INCREASE
On the other hand the online feature requires data
traffic capacity and adds burdensome yearly costs for
end-users as well as tax authorities’ ability and capacity
to store and process data for online monitoring. A
centralised system of control, expanding the audit
capability to include remote audit, can be politically
difficult to adopt. It touches upon sensitive public policy
issues of surveillance and privacy.
GETTING TO IMPACT
BEST PRACTICES
Adequate comparable data is lacking on the relative
effectiveness of the above policy approaches to combat
tax evasion and fraud. Despite the quite rapidly
evolvement of the legal trend in this area, there is a
need for comparative analysis of the available
approaches which could quantify the compliance
improvement against the cost of achieving desired
impact. So far, the well documented effect studies done
are those of two rule-based policy measures; the
Sweden’s Cash Register Act and the scheme introduced
by the Province of Québec mandating sales recording
modules (SRMs) in the restaurant sector
7
.
THE SWEDISH SUCCESS STORY
The Swedish Tax Agency in 2013 reported that the
Swedish system of new cash register regulations in its
first three years had delivered sustainable concrete
results in terms of substantial recouping of tax revenue
previously lost to the shadow economy and the
establishment of fairer competition in the retail
marketplace.
The point of departure was the Swedish Tax Agency
assessment that it was losing approximately €200
million in taxes every year, a large part due to
unreported sales emanating largely from cash
transactions in the hospitality and beauty service
sectors.
7
Revenue Quebec: Mandatory Billing in the Restaurant
Sector, http://www.revenuquebec.ca/en/a-
propos/evasion_fiscale/restauration/default.aspx
The agency identified the widespread use in these
sectors of tax fraud software to underreport sales. This
discovery brought cash registers and their use and
regulation into the government’s spotlight.
The Ministry of Finance’s response was to decide to
focus on technical requirements for ECRs and POS
systems by requiring them to be fitted with a data
control mechanism. The ministry assigned the Tax
Agency to draft a new legislation for cash registers and
implement provisions for new technical requirements.
The Swedish Cash Register Act of 2010
8
require anyone
selling goods and services in return for cash or debit card
payment to use a certified cash register connected to a
certified control unit known as a “black box”. The
regulations also oblige the vendor to provide and offer a
transaction receipt to the customer for all purchases.
The legislation, which took the route of enforced
compliance (the “tough approach”), also gave the tax
agency two new tools for effective control of cash
transactions by mandating it to conduct control visits
and compliance inspections in addition to its standard
tax audits.
8
Swedish cash register and control unit regulations
(SKVFS 2009:1-3) – documentation, general guidelines
etc:
http://www.skatteverket.se/servicelankar/otherlanguag
es/inenglish/employersbusinessescorporations/cashregis
terlegislation.4.69ef368911e1304a6258000272.html
Nevertheless, the online functionality alone is not a
solution to avoid digital fraud performed inside the cash
register. Connecting all ECR/POS devices to tax authority
back office servers can be a first easy step to have
information about the cash register structure and
businesses in the market. It offers a possibly more cost-
efficient administration of control and inspection.
Ultimately it is only regulations requiring fiscal compliance
technology to secure fiscal data that will actually prevent
technology assisted fraud committed inside the ECR/POS.
9. 9
ROADMAP TO A TAX REVENUE OPPORTUNITY WITHOUT A TAX INCREASE
Characteristics in brief
The subjects of the Cash Register Act are all merchants
and retail/hospitality businesses owners, a few
exceptions are allowed, for example a threshold by level
of business turnover. Sales data is secured by encrypted
signature with a software key provided by the Tax
Agency and data is stored on a memory card in tamper
proof external control. In audit data is unlocked with the
software key offline.
The control unit is certified separately, as well as the
cash register certified together with fiscal control unit.
Unique identification of cash registers is required and
the possession of a cash register must be declared at the
Tax Agency. The new law extended the tax agency
mandate to make an increased number of inspections.
The fine penalty for a merchant if non-compliance is
relatively low: €1000-2000. Updating of the
requirements and provisions has since been made,
eliminating first group of exemptions and facilitating
compliance.
The outcome
In June 2013, the Swedish Tax Agency published an
impact review of the new system’s first three years of
operation. The agency found the new rules had been a
resounding success, enabling it to recover €1 billion in
tax revenue that would previously have been
undeclared. The grey economy turned white.
It is concluded that the new rules had eradicated digital
fraud technology from the retail marketplace. “Prior to
introduction of the new regulations, cash register
manufacturers and retailers that did not supply
equipment capable of facilitating tax avoidance found it
difficult to survive in prevailing market conditions. The
legislation has all but erased demand for such
equipment and thus helped to put the cash register
industry on a sounder footing,” the report said.
The spirit of dialogue
The focus of the new law was to protect serious
businesses owners from unfair competition from less
serious businesses and to increase the legitimacy of the
tax system to make tax evasion harder.
Dialogue with the cash register industry and the retail
market was critical to achieve this objective because
implementation involved additional costs for retailers in
upgrading their cash registers and for ECR/POS
manufacturers and providers in integrating their
products with the fiscal control units.
A Cash Register and Payments Council for
representatives of manufacturers and suppliers was set
up as a dialogue forum for the industry and the Swedish
Tax Agency during and after the launch and
implementation phases. The Council is hosted by the
business association of Swedish ITC & Telecom
Industries.
In interview responses provided to the evaluation
report, Swedish companies and trade associations said
the Cash Registers Act had made it easier to compete on
equal terms and that dialogue with the Tax Agency had
improved.
FUNDAMENTALS OF SUCCESS: ROADMAP TO A REVENUE OPPORTUNITY WITHOUT A TAX INCREASE
How is actual and sustainable impact attained?
Common sense tells us there is no such thing as an
opportunity without a cost. Tax reform requires political
will, regulatory capacity and a readiness to commit
resources upfront.
Current evidence indicates that a comprehensive
legislation requiring use of certified cash registers fitted
with fiscal compliance technology is the most effective
route to curb retail payment tax evasion.
Embarking on the tax reform route and imposing
requirements on technology is not a single action. It
requires an integrated approach and a multi-step,
dynamic process from planning to implementation.
Every country is unique and parameters will differ both
at national and regional level. Nevertheless, observing a
few key fundamentals will maximise the scope for a
positive outcome.
Clearly define objectives and needs: Clarity on the
desired results and how to reach them is all-important.
A thorough impact and cost-benefit assessment is
paramount. Fiscal compliance technology has to be
understood as a tool. The focus must be on functionality
so the right demands are made on technology,
investigating and defining the end policy objectives and
audit needs first before determine which kind of
technology and transmission option.
10. 10
ROADMAP TO A TAX REVENUE OPPORTUNITY WITHOUT A TAX INCREASE
Keep eyes on the future: To be ahead of the rapid
technology game in point of sales and sales suppression
software, having a long-term perspective is vital. A
responsive and flexible mind-set will avoid a lock-in
situation for next generation POS and future platforms
and make legislative measures adequately address the
continuous sophistication of digital fraud techniques.
Know the market dynamics: Market analysis is
fundamental to establish whether technology causes or
facilitates tax compliance problems, in which sectors
and to what extent. A thorough assessment of the size,
structure and technology level of the cash register
market is a prerequisite to accurately calculate costs,
benefits and implementation capacity.
Time-plan sustainably and regulatory clarity: Defining
provisions and drafting technical requirements takes
time and expertise. A realistic time plan from start to
enforcement is generally 12-18 months. Unclear
provisions, giving unnecessary room for interpretations,
will inevitably cause implementation delays.
Consider incentives: Barriers to market acceptance of
new regulations can be lowered through different kinds
of incentives such as cost sharing between market and
government in form of subsidies or lower taxes on
labour costs.
Educate and engage the public: The public does not
always see the link between paying taxes and enjoying
high-quality welfare services. Communication
campaigns that inspire consumers and citizens to
choose businesses that play fair – and to encourage it by
demanding transaction receipts – will make a difference
towards reform impact.
Market and industry dialogue: Tax compliance can be
enforced. However, full effectiveness relies on
behaviour and actions rooted in trust in the public
system. It is essential to gain market acceptance for
cash register legislation from business owners and the
ECR/POS industry. The optimal way to cultivate market
approval is to engage in dialogue with retail market
representatives and the cash register industry. Creating
stakeholder forums in which all stakeholders have a
voice, is a productive step in this direction.
Create a win-win for public and for business: In times
of financial restraint, business growth is imperative. The
introduction of security technology is enabling and
facilitates business opportunities rather than hindering
them. Drivers for innovation and new sources of growth
that benefit business are an essential component of any
legislation to combat retail tax evasion.
Openness is the golden rule of the European
experience: Open working methods are the best route
to take when defining needs and finding the optimal
technical and legislative solutions. It is important to aim
for the “open solution”; acknowledging that a solution
has multiple components to make it complete.
Achieving an open and complete fiscal compliance
solution requires promotion of open competition among
ECR /POS producers and technology providers. In
Europe, the Single Internal Market of the European
Union and its competition regulations creates natural
room for several technology providers to deliver in fair
competition.
Test benches: Being attentive to the rapid technology
development and anticipating the future as well as
having an “open solution” approach, means giving room
for testing, benchmarking and evaluation of a potential
solution and system. By giving priority to proof of
concept validations, test benches and pilot projects,
decision making processes will be better underpinned
and ensure efficient implementation processes where
unnecessary delays and costs are avoided.