Real-time reporting is high on the European Union (EU) policy agenda. Hungary, Italy and Spain already implemented such a system, whereas France and Poland are planning to do so. Now that real-time reporting is even on the political table in Germany, it is not a question of if, but of when all EU Member States are moving towards real-time reporting.
Real-time reporting has proved to be an excellent tool to close the VAT gap. For example, Italy managed to reduce its annual VAT gap by €4 billion due to real-time reporting. This is especially relevant now that, due to the current crisis, it is expected that the EU VAT gap will rise by 17% towards €164 billion in 2020. However, existing real-time reporting solutions also come with flaws. The main problem is that they store an enormous amount of data in a centralised manner, often available in plain-text for the relevant public officials. Implementing real-time reporting in this way results in high cybersecurity risks but also simple theft from disgruntled employees or people wanting to make a quick buck by selling this data to the highest bidder. Modern technologies can help tax authorities create a secure real-time reporting system that enables them to close the VAT gap without this risk, which offers some additional opportunities.
The Rise Of Real-Time Reporting In The EU
Real-time reporting, Continuous Transactions Controls (CTC) or Transactions Based Reporting (TBR). All imply the same thing: all companies within a jurisdiction must send their invoices to the tax authority. Some countries limit this to B2B or just domestic transactions while others do B2B, B2C & intra-Community. This allows the tax authority to do (automated) checks on invoices. The importance of the invoice in closing the VAT gap is put forward by Prof. Mr. Dr. Redmar Wolf, because ‘payments are traced by following the path of invoices.’
Real-time reporting systems were first successfully implemented in Latin America. Countries such as Chile and Mexico reduced their VAT gap by 50%. These countries combined such systems with a mandatory e-invoicing regime. After seeing this success, real-time reporting reached the EU. Italy followed the Latin-American model by implementing the SdI system, which was accompanied by mandatory e-invoicing. As the latter requires a derogation of the EU VAT Directive Article 218 and 232, Hungary decided to implement real-time reporting without mandatory e-invoicing. Yet another form of implementation can be found in Spain, where companies need to report their books in near-time (4 days after issuing the invoice). This shows that real-time reporting can be implemented in many different ways.
The success of real-time reporting is also being noticed by the European Commission (EC). The EC is currently conducting a study into “digital reporting and e-invoicing” in the EU. This has lead to a proposal for legislation “modernising reporting obligations”, which “should ensure a quicker, possibly real-time, and detailed exchange of information on VAT intra-EU transactions and at the same time streamline the mechanisms that can be applied for domestic transactions”. In other words, real-time reporting is not only coming for domestic transactions, but this policy tool is also on the table to modernise real-time reporting for intra-Community transactions.
Vulnerabilities Of Existing Real-Time Reporting Solutions
Although real-time reporting is a handy tool to close the VAT gap, countries need to be aware of the security risks they can bring if not correctly implemented. Companies must send a massive amount of data to tax authorities, which they currently store in a centralised way. To conduct the analyses on the invoices, this data is even often made available in plain text to some public officials. This situation could end up to be problematic and expensive for three reasons:
- First, offering the right protection to the database where all invoice information is stored is very difficult. This is a result of the fact that the government needs to try to secure an entire system. In contrast, the ill-intended only need to discover one flaw to expose the data of potentially millions of people. This is a very costly endeavour from the governments’ perspective (or for any entity that tries to secure their database for that matter) as they have to spend millions or even billions each year just to secure their data.
- Second, if this costly security fails, the data might be exposed. Such data breaches are becoming more frequent every year. A very recent example was the data breach in Brazil that exposed data from potentially 220 million people. The information disclosed included the CPF number of almost all Brazilians. The CPF number is the identification number of individual Brazilian taxpayers, making this a highly relevant case for tax authorities.
- Third, it is problematic that some of the invoice information is made available in plain text to public officials because ‘humans are the weakest link in cybersecurity’ as humans tend to make mistakes. An often-quoted example is the exposure of information of 191 million U.S. voters. The reason for the data breach was a misconfigured database. In other words, it was a simple human error. Allowing government officials to see taxpayers’ data in plain text also leaves room for that data’s illegal trade. Recently, it was discovered that thousands of employees of the Dutch Municipal Health Services, which is in charge of the COVID-19 testing and vaccination policy, had direct access to sensitive personal information, resulting in the exposure of millions of e.g. telephone numbers and social security numbers. Another example was discovered by research institution Bellingcat. They showed how easy it was to buy detailed personal information of Russian Federal Security Service (FSB) agents.
The protection of data is especially relevant for invoices because invoices contain pricing information. If pricing information is exposed, it could significantly hurt individual companies and even the entire economy. Individual companies don’t want their data exposed because (1) they might be charging a different price to one buyer than to the other. This could negatively affect its client-relationship. Another potential adverse effect (2) is when this pricing information ends up with a competitor. Even worse, it would be if this ends up with a foreign competitor. This would allow the foreign company to outcompete the domestic company, potentially harming the entire economy.
This is why it is essential to provide maximum security for any real-time reporting system. Here, modern technologies can help.
Using Modern Technologies To Create A Secure And Efficient Real-Time Reporting System
Cryptography is an excellent tool to secure a real-time reporting system while, at the same time, similar results as with existing solutions can be achieved. By hashing invoice data, an efficient real-time reporting system can be created without storing any actual invoice data, therefore minimising the risks of cyberattacks.
To get a sense of how this works in practice, it’s essential to understand what hashing is. Hashing, which means “to chop”, “to confuse” or “to muddle”, transforms information into an unrecognizable, fully encrypted output. This output cannot be traced back to the input and is entirely unique. Therefore, it is also called an invoice fingerprint. So, if an invoice would be hashed, it would look like the code depicted in Figure 1, all the way down below “Invoice hash”.
Figure 1: An invoice being hashed
By only storing the invoice hash (or fingerprint) as depicted in Figure 1, tax authorities could achieve the same results as any existing real-time reporting solution. This is the case because the core idea of any real-time reporting is that, by requiring companies to report their invoice data to the tax authority, companies will no longer be able to file a VAT return that does not correspond with the VAT stated on the invoice. To achieve this, tax authorities don’t need to have all the exact invoice information. They only need to know if the data reported in the VAT return is the same as the data stated on the invoice. This can be achieved through invoice hashing. It allows the tax authority to know if taxpayers report the same amount of VAT to the tax authority (via their VAT return) as they are reporting on the actual invoice sent to the buyer.
Publishing The Invoice Hash To Create Verified Financial Information
Any real-time reporting solution, when implemented correctly, can already provide many benefits to businesses through further digitalisation. Real-time reporting can be especially beneficial for companies when combined with a mandatory e-invoicing regime. This would allow them to automate large parts of their business processes. However, mandatory e-invoicing is not necessary to implement real-time reporting successfully (see Hungary). Although a vital implementation decision, a full discussion about e-invoicing and real-time reporting is outside this article’s scope. The article will focus on the benefits the usage of invoice hashing combined with real-time reporting could bring, in addition to the already widely acknowledged benefits of real-time reporting in general.
These benefits can be achieved by publishing the invoice hashes on a publicly available ledger. This allows companies to provide mathematical proof that the invoice in their books is the same as the invoice reported to the tax authority for VAT purposes. This creates verified financial information and can help companies in a wide variety of ways. For example, it would allow companies to automate their audits, potentially saving a significant amount of money. Another possibility is to provide investors or shareholders real-time information about a company’s revenue, enhancing the transparency of the entire financial system. Both applications can prevent fraud cases like the Wirecard scandal, where €1.9 billion had disappeared out of the German company’s balance sheet.
Analysing the latest trends of the VAT reporting standards in the EU leads to the conclusion that real-time reporting is the future. However, there are still many decisions to be taken regarding how to implement these systems. This blog post tried to show that modern technologies can help to implement real-time reporting securely and efficiently. By only storing so-called invoice hashes and no actual invoice data, the same results as any existing real-time reporting solution can be achieved without risking damaging data breaches. Furthermore, by publishing these fingerprints in a publicly accessible ledger, real-time reporting could offer even more benefits to businesses than it already does today. This would allow for e.g. automated audits and giving investors real-time access to a company’s revenue.
Sascha Jafari is the CEO of summitto. Sascha can be reached via info@summitto.
 European Commission, Communication From The Commission To The European Parliament And The Council. An Action Plan For Fair And Simple Taxation Supporting The Recovery Strategy, p. 9, https://ec.europa.eu/taxation_customs/sites/taxation/files/2020_tax_package_tax_action_plan_en.pdf. 15-7-2020.