Resilience and digitalisation: compliance in flux
This article was originally published in Governance and Compliance magazine in July 2017. You can read the original text here.
The digital revolution is gathering pace. Characterised by a fusion of technologies and attitudes that are blurring the lines between the physical and digital spheres, this shift is bringing with it changes in behaviours and a new environment in which businesses will need to operate.
It’s not only small, nimble start-ups that are taking advantage of new technology; large corporates are also using the power of digital technology to rewire markets and empower customers. Companies that are agile, collaborative and data driven – in both their customer interactions and their back office processes – are edging ahead of their competitors.
To the world of compliance, this digital transformation brings immense opportunities but also a new set of challenges. Business processes must be run in as responsible a way as ever, based on solid models informed by performance, position and prospects, and founded on the principle that ongoing monitoring and stewardship responsibilities must be met.
How can businesses achieve this in a digital world where it seems rules are there to be broken?
There are many examples of new challenges thrown up by businesses attempting to navigate digitisation. Two currently in the spotlight centre around managing a digital workforce and maintaining security in a digital world; the experiences of Uber and TalkTalk demonstrate well the complexity of digital compliance.
Uber, a business often cited as a star of the digital business model, has seen some fairly heavy scrutiny with respect to its relationship with its workforce. In a judgment handed down last October, an employment tribunal ruled that Uber drivers are workers and not self-employed contractors.
The case was brought by current and former Uber drivers, largely to address Uber’s decision not to pay the national minimum wage or holiday pay, although two drivers also made whistleblowing claims. Uber’s defence centred around its positioning as a technology business providing an operating platform, not as a transport provider, shifting compliance responsibilities dramatically.
Similarly, compliance is important when it comes to maintaining security. Increasingly, businesses are moving critical infrastructure online, making them more vulnerable to digital threats. One high-profile example of a business that has seen the dark side of digitalisation is TalkTalk.
In late 2015, a cyber-attack breached the accounts of 157,000 customers to steal data and as a direct result the company lost 101,000 customers and suffered costs of £60 million. The attack also prompted a £400,000 fine from the information commissioner Elizabeth Denham, who said that TalkTalk had failed to properly scan its infrastructure for possible threats. Better compliance checks could potentially have prevented the attack from happening in the first place.
Both the Uber and TalkTalk examples highlight that compliance processes must be watertight to avoid events that are not only expensive, but can cause lasting damage to a brand.
Complying in a new era
Despite the teething pains, this fourth industrial revolution powered by digital transformation does bring with it a more efficient and effective way of doing business that should not be ignored. Besides the benefits of online banking, next-day delivery and streaming content, day-to-day business processes are also smoother.
But what impact does all this change have on regulations? Compliance in business processes needs to be watertight – from order to cash.
As an electronic invoicing specialist, one question we frequently encounter at Tungsten Network is whether an electronic invoice is legal in a particular jurisdiction. The answer, perhaps surprisingly to some, is far from clear. In the EU, the European Commission has issued a Directive to mandate the use of electronic invoicing by the public sector by 2018. Elsewhere, however, the status is different.
Take India, for example. Until now, the question of whether e-invoicing could be compliant at all has been far from clear cut. As an e-invoicing firm, Tungsten Network was able to ensure compliance in terms of tax and regulatory requirements in 47 countries, and our members were requesting that we add India to our network to become the 48th.
Increasing numbers of businesses are seeing opportunities in the fast-developing market of the sub-continent, so it made sense for us to pursue. The main obstacle was around whether digital signatures were legally permitted to prove the authenticity of invoices. Businesses use these to attest to invoices’ authenticity; it entails attaching an encrypted code to any electronically transmitted document to verify its contents and the sender's identity. This acts as a way of ensuring that important information and documentation has not been compromised and is secure, accurate and up to date.
Working closely with the regional governments of eight key states, Tungsten was able to demonstrate the benefits and help establish e-invoicing as legally accepted in India. As ever in the world of compliance, however, the situation continues to evolve. Later this year the Indian government is expected to introduce a new Goods and Services Tax nationally, superseding the current state-level requirements.
I use the India example as it demonstrates neatly the vital role compliance professionals play in enabling businesses to run as efficiently and effectively as possible. In theory, electronic invoicing is possible anywhere; however, legal requirements around invoicing are constantly shifting. Keeping up to date with global compliance issues is important, and something on which Tungsten spends considerable time and resources. It is also something about which our members care deeply, which is why we created an Introduction to Compliance guide that explains the complexities of invoice requirements among countries around the world.
Tackling the black market through technology
Tungsten’s entry into India supports the Indian government’s commitment to digitisation as it seeks to tackle corruption and mitigate its vast black economy. Several countries around the world have already embraced e-invoicing to fight fraud and tax evasion, and businesses are readying themselves to support Indian business and government in their digital development.
If you have the proper controls and checks in place, e-invoicing is an exceptionally efficient way for a business to keep on top of compliance, because checking documents electronically is a much faster and more accurate process than performing manual reviews. This aspect of e-invoicing can be very appealing to governments as well, because fraudulent invoices can be identified more effectively. The prospect of a stronger economy with less money leaking out illicitly can make digitisation extremely appealing. Latin American countries such as Brazil and Mexico, for example, mandated the use of electronic invoicing as a way to ensure the VAT gap is filled.
Europe is also now making real progress to increase adoption. Germany is currently preparing to join Austria, Spain and Italy in making e-invoices mandatory for public sector processing of accounts. A draft law currently working its way through the Bundestag states that invoices will have to be transmitted and received electronically, and contain structured data (which means emails of PDF files will not be sufficient) in a format that enables electronic processing.
Understanding the landscape in Europe is important. The goal is less about tackling the VAT gap and more about tackling the barriers to pan-European trade that result from varying invoicing systems and standards.
This is also the motivation behind the previously mentioned E-invoicing/Procurement Directive (2014/55/EU), which requires that electronic invoices are accepted in all member states' public sector procurement by 2018. The European Commission estimates that e-invoices could mean annual benefits of up to €40 billion, as they are easy to process, reach the customer faster, and can be stored centrally at very low cost.
Achieving these savings, however, requires new regulations around compliance, in particular in relation to a standardised format and process across the EU, something currently under discussion.
Ensuring businesses are fighting fit for the digital age means continuing to maintain the highest standards in terms of compliance. From an accounts payable perspective, aside from automation there are some strategies that can help.
Firstly, it’s important that everyone in the business is aware of the danger from cyber scams and fraud. Tactics used by fraudsters include embedding viruses in attachments, attaching suspicious invoices to emails and sending duplicate invoices. If staff are knowledgeable about these potential routes, attempts to attack a business are far more likely to be caught in time.
Another strategy is to take steps to achieve ISO 27001. Commonly linked to security requirements and controls in technology, this standard provides independent verification that a business is committed to guaranteeing the confidentiality, integrity and availability of information. It covers a wide set of processes and controls, and demonstrates the importance of the security of information throughout legal, technology, product, projects and customer relationship management. We deal with vast reams of customer data, and the security of this information is paramount, so we use this as our baseline.
The digital revolution will enable businesses to be far more agile in response to opportunities and challenges on the horizon. To ensure continued success, however, a strategy that focuses on resilience as well as responsiveness is vital. A reputation as a responsible business continues to be the greatest asset of many organisations, digital or otherwise. Maintaining it requires detailed thought and careful planning by compliance professionals, enabled by developments in technology.