Anoek van der Riet
Compliance anno 2023 may be more complex than ever. From ever-stricter laws and regulations to greater cybersecurity risks; there are quite a few challenges facing compliance officers.
Compliance challenge 1: Over-regulation
The sheer volume of laws and regulations poses perhaps the greatest compliance challenge. New regulations and tightening of regulations are currently in rapid succession, making the demands for compliance ever greater. It is difficult for companies to keep up.
Compliance officers cited the large number of changes in laws and regulations as their biggest challenge for 2022 in Thomson Reuters' Cost of Compliance 2022 report. Incidentally, this is nothing new, as a year earlier, stricter requirements and keeping up with changes were also the biggest challenges for compliance officers.
And it's not just compliance officers who are worried about this. More than a third of CEOs (36 percent) were "extremely concerned" about over-regulation in 2020. Executives then saw this as the biggest threat to their company's ability to grow. That was one of the conclusions in PwC's Annual Global CEO Survey..
A current example of new regulations with a major impact on compliance is the Corporate Sustainability Reporting Directive (CSRD). This is a guideline for reporting in an annual report on companies' impact on people and the climate. Depending on the size of the company, the new rules will apply from fiscal year 2024 (large companies that are already required to report under the Non-Financial Reporting Directive), fiscal year 2025 (all large companies), fiscal year 2026 (listed SMEs) or fiscal year 2027 (non-EU companies with more than €150 million in turnover).
Tens of thousands of companies will be affected by these new rules, which will be a "drastic change" for many companies, according to KPMG, involve. Wim Bartels, former KPMG partner, talks about the impact of the new sustainability rules for annual reports: "Although the rules won't take effect for some time, they are already affecting companies' day-to-day operations," Bartels said. "For example, if a company decides to build a new factory today, its impact on people, the environment and society must be clear in the longer term."
In short: the CSRD alone creates a large amount of new regulations on issues such as CO2 emissions, human rights, circularity and diversity. This while the laws and regulations that companies must comply with have been getting stricter in recent years anyway.
|
Because compliance is not just about following laws and regulations, it has strategic value. Read more in the blog: |
|
READING TIP - Why is compliance important?
Compliance challenge 2: Different laws and regulations in other countries
Additional compliance challenge for corporates operating internationally is the vast difference between countries. The laws that apply in one country do not always apply in another. Understanding and applying all those differences can be complicated.
A current example of this is how countries are dealing with VAT returns and the impact that has on how companies should invoice. This is, in fact, where a major shift is currently taking place.
From Post-audit to Continuous Transaction Controls
National governments miss out on a huge amount of VAT revenue every year. To illustrate, in 2019 European countries ran up a total of as much as €134 billioniv lost. To reduce this VAT gap, more and more governments are implementing a form of Continuous Transaction Controls (CTC).
Currently, most countries still use the so-called Post-audit model. This means that companies file their VAT returns every quarter and have to keep all their invoices so that they can be checked afterwards in one go during an audit. In the case of Continuous Transaction Controls, that audit happens in real time at the invoice level instead of afterwards, all at once. This means the government is watching every invoice exchanged between customer and supplier. France is on track to implement such a system, where the invoice is still sent directly from supplier to customer, but both parties must register the transaction with an accredited service provider.
Clearance model
Another form of Continuous Transaction Controls is the Clearance model. In this case, invoices are not sent directly from supplier to customer, but must first be sent to the government. Only after the government has registered this invoice, validated it and provided it with an authorization code, the invoice can be forwarded to the customer. Italy was the first EU country to implement this model in 2019 with the introduction of the Sistema di Interscambio.
Implications for method of billing
Post-audit models offer companies a lot of freedom in how they send and receive invoices. As long as they take care to store invoices correctly for an audit, you can still get away with a PDF there. Unlike the Post-audit model, Continuous Transaction Controls do come with regulations and technical specifications on how invoices should be exchanged. After all, every invoice must pass the government's system. Companies operating in countries where CTC applies are therefore required to e-invoice.
E-invoicing compliance requirements vary by jurisdiction. In addition, there is a jumble of formats and standards for e-invoices. Companies with international operations must decide for themselves how to tackle this patchwork of rules and obligations. Ensuring compliance can therefore be quite challenging for internationally operating companies.
Compliance Challenge 3: Cybersecurity and data privacy
Cybersecurity and data privacy also pose ever-increasing compliance challenges. Compliance officers from various industries, in an Accenture survey, point to these as the two biggest challenges they currently face. They expect this to continue to be the case for at least the next year.
The concerns surrounding cybersecurity do not come out of the blue. In fact, the number of reports of cyber incidents has tripled in the past five years, reports the Parool. In 2021, Dutch companies, large and small, faced an average of 294 cyber attacks per week. One in five entrepreneurs will have to deal with a successful hack at some point, says the Chamber of Commerce.. When this happens, it costs the entrepreneur an average of 67,000, but the damage can run into millions.
Of particular concern to companies is the rise in ransomware attacks. These attacks take down entire systems of organizations by holding information hostage. High sums of money are then demanded in exchange for releasing the systems. In addition, data regularly ends up on the street. You also have a lot to recover if it turns out that confidential data belonging to your customers or suppliers has been leaked ...
Compliance Challenge 4: Geopolitical tensions and conflicts.
Geopolitical tensions and conflicts are an unpredictable factor for international trade agreements and rules. For example, several sanctions against Russia already existed since 2014, but since Russia's invasion of Ukraine on Feb. 24, 2022, they have become a lot more. This complicates doing business with certain individuals, companies or organizations from Russia. In addition, numerous import and export bans are in place.
Of course, your own corporate must comply with all trade regulations. But it is also important that key suppliers elsewhere in the chain are not affected by the sanctions. Especially in the area of know your customer and know your supplier compliance, this requires a lot of work. Companies must continuously monitor and vet their customers and suppliers to ensure they remain compliant.
What are the non-compliance risks?
Despite these challenges, it is crucial to ensure that your organization is and remains compliant. Are you not (or no longer) compliant? Then you are in non-compliance. And that can have quite negative consequences.
Noncompliance risks are the potential consequences of an organization's failure to comply with laws and regulations. For example, this can result in large fines or claims for damages for breach of contract. Therefore, it is crucial for companies to take compliance seriously and take proactive measures to prevent noncompliance.
-
High fines. You can face huge fines for failing to comply with certain laws or regulations. For example, the fine for failing to comply with the AVG can be as high as 10 million euros or 2 percent of global sales, whichever is higher.
-
Criminal prosecution. In other cases, non-compliance may even lead to criminal prosecution, where the judge may impose a prison sentence on you. This applies, for example, to violating fraud or money laundering laws.
-
Breach of Contract. In contracts with customers, compliance is often a stipulated requirement. If you are not or no longer compliant, the other party may consider this a breach of contract and hold you liable for damages.
-
Image damage. Non-compliance can also lead to loss of face or scandal. Once your company is known for breaking the law, it is difficult to get rid of this image.
How does my company stay compliant?
In short; it can cost a company a lot if it is not compliant. Both monetarily and in the form of reputational damage. So compliance is hugely important, but the many challenges make it a complex story. Ever-changing laws and regulations that vary widely from country to country, political tensions and cybersecurity concerns are demanding more and more from the compliance department.
How can one deal with this and ensure that the organization remains compliant despite all the challenges? Automation can play a role in this. How? You can read that in the blog What does a compliant purchase-to-pay process look like?
Anoek
van der Riet
Contents Specialist
Anoek writes daily about purchase to pay, order to cash and Robotic Process Automation. She enjoys diving into topics such as e-invoicing, working capital and hyperautomation.