In the first part of our overview of the Mexican network clearance model, we explained how the Mexican Tax Administration (SAT) implemented its Comprobante Fiscal Digital por Internet (CFDI), its XML e-invoicing format, in 2011. To validate and control the invoices, PAC entities (Proveedor Autorizado de Certificación) are carrying out tax duties on behalf of the SAT. In the following article, we will review the benefits of having a network of certified third parties, and some of the inherent structural issues.
Benefits: Availability and accessibility to a wide range of services
The overall consensus on the benefits of having a network of certified third parties is the availability and range of the services offered to the taxpayers. As the SAT imposes requirements and standards, it provides a common foundation on top of which a variety of services privately operated can be built. In practice, these services can be multilingual, sector-specific, related to the volume of invoices, etc.[1] Furthermore, as the SAT requires PAC entities to have free applications available, it supports the implementation of CFDI by medium and small companies that thus have access to a wide range of free services. Besides, this network should ensure the continuous availability of services for companies. That is supported by the large number of entities composing the network, thus eliminating the single point of failure, as mentioned in Part 1. Lastly, PAC entities are controlled and audited continually and could lose their accreditation if they fail to maintain their compliance with the requirements.[2]
Issues: Shifting the responsibility to taxpayers and service providers
Some of the issues might not be that obvious. However, there are inherent risks associated with having a large number of service providers carrying out tax duties. The first risk identified is that the SAT is exempting its liability on two levels: (1) it is the responsibility of companies to make sure their contracts with PAC entities are protecting their data and security key; (2) it is the responsibility of PAC entities to protect and secure CFDI data.[3] Therefore, when a security concern is arising, the blame can be shifted to companies and service providers.
As an example, KPMG Mexico recorded a data breach from November 2018 to February 2019. KPMG Mexico employees illegally downloaded, from the SAT, sensitive information and data of their clients. The hacked data included purchase prices, sales prices, payroll, payments, collection, etc. Furthermore, the SAT did not intervene and declared that the responsibility lies with the taxpayers who gave access to their data to a third party.[4] This raises some questions about the audit process that the SAT should be operating. Lastly, if it was that easy for KPMG employees to download and compile client’s information through the SAT portal, it is safe to assume that any employee of PAC entities could perform the same action.
Company and invoice data are highly sensitive information. If they are leaked, they can harm companies and entire sectors, especially if the data falls into the hands of (foreign) competitors.
Proposing a better way forward: Securing sensitive company information
It cannot be stressed enough how crucial it is to ensure the confidentiality and security of business information. A solution to both, achieving an increased VAT revenue, while at the same time offering the maximum protection of invoice information, is applying modern cryptography to real-time reporting. This technology allows the tax authority to make calculations on fully encrypted invoice data. In this way the tax authority can perform checks and controls without having to rely on certified third party service providers. Furthermore, when making use of blockchain technology the problem of a single point of failure can be overcome without introducing a network clearance model. Fully securing invoice data through modern cryptography allows the creation of a verified financial information network.
This was our last episode in the mini-series about the so-called Mexican-model. If you have any remarks, please reachout to info@summitto.com
[1] CIAT (2020) ICT as a Strategic Tool to Leapfrog the Efficiency of Tax Administrations, p.289, available online at: < https://www.ciat.org/Biblioteca/Estudios/2020-ICT_STL_CIAT_FMGB.pdf >
[2] ibid.
[3] (In Spanish) El Economista ‘México emite 211 facturas electrónicas por segundo’, 31 October 2018, accessible online at: https://www.eleconomista.com.mx/economia/Mexico-emite-211-facturas-electronicas-por-segundo-20181031-0148.html
[4] ibid.