Canadian Tax Journal / Revue fiscale canadienne (2009) vol. 57, no 4, 715-61
Quebec’s Sales Recording Module (SRM): Fighting the Zapper, Phantomware, and Tax Fraud with Technology
Richard Thompson Ainsworth and Urs Hengartner*
Précis
On January 28, 2008, Jean-Marc Fournier, Quebec’s minister of revenue, announced that by the end of 2009 Revenu Québec would test a new anti-fraud device, the “sales recording module” (SRM), in the restaurant sector. The SRM is designed to detect digital sales records that have been erased or deleted in electronic cash registers and point-of-sale systems, a type of fraud that contributes to more than $425 million per year in uncollected tax revenue in the restaurant sector alone. Studies conducted by Quebec indicate that restaurateurs are increasingly using technology to alter digital records in order to hide income from the tax authorities and to avoid reporting and remitting the taxes they have collected. The SRM will help the province’s auditors uncover these fraudulent activities.
Tax authorities around the world have adopted two approaches to ensuring the integrity of sales records in cash-intensive sectors: one approach centred on cash registers, and another that relies instead on principles of compliance and enforcement to promote good business practices. With the introduction of the SRM, Quebec is taking steps to become a tax administration centred on cash registers.
The article presents the SRM as part of a comparative analysis. The technological approaches of Germany and Greece (two administrations centred on cash registers) are compared with that of the Netherlands (a principles-based tax administration), which relies on intensive technology-based audits to verify the accuracy of digital records.
In its conclusion, the author suggests that there may be something to learn from the United States streamlined sales tax project, which uses government certification of tax technology to ensure the accuracy of transaction tax determinations.
* Richard Thompson Ainsworth is of the School of Law, Graduate Tax Program, Boston University (e-mail: vatprof@bu.edu). Urs Hengartner is of the David R. Cheriton School of Computer Science, University of Waterloo (e-mail: uhengart@cs.uwaterloo.ca).
Abstract
On January 28, 2008, Quebec’s minister of revenue, Jean-Marc Fournier, announced that by late 2009 Revenu Québec would begin testing an anti-fraud device—the “sales recording module” (SRM)—in the restaurant sector. The SRM is designed to detect the erasure of digital sales records in electronic cash registers and point-of-sale systems—a type of fraud that contributes to more than $425 million annually in lost tax revenues in the restaurant sector alone. Quebec studies indicate that restaurateurs are increasingly employing technology to alter digital records in order to conceal income from the business and avoid reporting and remitting taxes due. The SRM will assist provincial auditors in detecting such fraudulent activities.
Revenue authorities around the globe have taken two approaches to assuring the integrity of business records in cash-intensive industries: one approach secures the till; the other relies on principles of compliance and enforcement to encourage good business practices. With the introduction of the SRM, Quebec is taking steps to become a “fiscal till” jurisdiction.
This article considers the SRM in a comparative context. The technological approaches of Germany and Greece (both of which are fiscal till jurisdictions) are contrasted with the approach adopted in the Netherlands (a principles-based jurisdiction), which relies on intensive technology-based audits to assure digital record accuracy.
The article concludes with a suggestion that there may be something to learn from the US streamlined sales tax initiative, which employs government certification of tax technology to ensure the accuracy of transaction tax determinations.
Keywords: Fraud • tax evasion • restaurants • anti-avoidance • technology • SRM
Contents
Introduction
Structure of Our Argument
Schematic of Skimming with Zappers
Fiscal Tills: Greece, Quebec, and Germany
    Greece: Fiscal Electronic Devices (FECRs, AFED Printers, and FESDs)
        FECRs and AFED Printers
        FESDs
        How FECRs with AFED Printers and FESDs Defeat Zappers and Phantomware
    Quebec: SRMs
    Germany: Smart Cards Embedded in ECRs
    The Role of Audits in Fiscal Till Jurisdictions
Comprehensive Audit: The Netherlands
Blending Rules and Principles: Certification of Third-Party Service Providers
    1. How Does a CSP Get ECR and POS System Data?
    2. How Can a CSP Be Sure That the Data It Has Are Accurate (Free from Manipulation)?
    3. What Standards Should the Government Use To Certify a CSP’s Automated System?
    4. What Is the Most Efficient and Cost-Effective Way for a CSP To Satisfy the Government’s Standards?
Conclusion: Assessing Quebec’s SRM
Appendix: Comparison of Solutions in the Five Jurisdictions—A Graphic Summary
Introduction
On January 28, 2008, the Quebec minister of revenue, Jean-Marc Fournier, announced¹ that by late 2009 Revenu Québec would begin testing a device, the “sales recording module” (SRM), which is projected to substantially reduce tax fraud in the restaurant sector.² On November 30, 2009, the pilot program was under way with 46 restaurants in seven cities involved. By 2010 or 2011, SRMs will be mandatory in all Quebec restaurants, where they will assure accuracy and retention of business records within electronic cash registers (ECRs). The Quebec government has promised to provide the necessary number of SRMs to restaurants at no cost. The cost to the Quebec treasury for the whole program is estimated to be $55 million.³
The problem that the SRM addresses is the erasure of sales records from the ECR through a back-office or ECR-embedded program. The ECR’s records are the central (in some cases, the only) repository of business data. As a result, the ECR’s data are relied upon by tax authorities to verify sales and income. The target is always cash. Credit, debit, cheque, or bank transfer transactions leave other audit trails, but cash transactions are found only in the ECR.
In Quebec, as in the rest of the world, restaurants are the most vulnerable to this fraud. The SRM targets this sector, although similar frauds could occur in grocery stores or any other business making cash sales directly to consumers. Business-to-business transactions are not covered by the SRM.
It is clear to Quebec’s revenue minister that not only are large volumes of cash being skimmed (removed from the sales and profits records of restaurants by their owners), but this fraud against the public fisc is increasing. It is facilitated and accelerated by technology. The digital manipulation of business records kept by modern ECRs is all too prevalent. Add-on software (zappers), factory- or distributor-installed software, and old-fashioned manual reprogramming of ECRs (phantomware) are the mechanisms through which the manipulations arise. Two examples of zappers are shown in figures 1 and 2. Revenu Québec has pursued these devices (known generally as “camoufleur de ventes,” or sales zappers) over the past decade, and is convinced that something more than a traditional audit is needed to counteract the manipulations.
1 Revenu Québec, “Pour plus d’équité dans la restauration: il faut que ça se passe au-dessus de la table” [“For More Equity in the Restaurant Sector It Is Required That [Business Is Conducted] Above the Table”], Communiqué de presse, January 28, 2008 (online: http://www.revenu.gouv.qc.ca/eng/ministere/centre_information/communiques/autres/2008/28jan.asp) (translation on file with Richard T. Ainsworth, referred to in subsequent notes as R.T.A.).
2 Revenu Québec, “L’évasion fiscale au Québec: Facturation obligatoire dans le secteur de la restauration—Sous-déclaration des revenus dans le secteur de la restauration” [“Tax Evasion in Quebec: Obligatory Billing in the Restaurant Sector—Under-Declaration of Revenues in the Restaurant Sector”], January 28, 2008 (PowerPoint presentation and translation on file with R.T.A.). The French term for the device is “module d’enregistrement des ventes” (MEV).
3 Caroline Rodgers, “Québec va de l’avant pour stopper la fraude fiscale,” January 28, 2008, at Hôtels, Restaurants & Institutions (online: http://www.hrimag.com/spip.php?article2771) (translation on file with R.T.A.).
Relying on more than 230 cases since 1997, and surveys of skimming activity in the restaurant sector, the minister of revenue summarized the situation as follows:
Although the majority of restaurateurs comply with their tax obligations, the restaurant sector remains an area of the Quebec economy where tax evasion is rampant, both in terms of income tax and sales taxes. Tax losses in this sector are important. Quebec Revenue estimates that they are $425 million for the 2007-2008 fiscal year.⁴
The zappers (and phantomware applications) that are the major facilitators of this fraud are not confined to Quebec. Zappers and phantomware have spread throughout Canada⁵ and around the world. It is not surprising, therefore, that a number of jurisdictions have looked at automated sales suppression and have adopted technological countermeasures, some of which are strikingly similar to the SRM. Other jurisdictions look to technology for answers, but differ with respect to the sophistication of the technology that they would deploy. In yet other jurisdictions, traditional audit rather than technology is preferred; however, the most successful of these “audit-only” jurisdictions are adopting comprehensive (multitax) audit strategies, with teams of auditors supported by computer specialists—in effect, a “supersized” traditional audit.
A review of approaches indicates that two policy orientations guide enforcement actions in this area: one approach is rules-based; the other is principles-based.⁶ They are not mutually exclusive—degrees of blending are common. Rules-based
4 Supra note 2. The basis for the minister’s estimates is a rigorous empirical study performed by Quebec’s Ministère des Finances, “Tax Evasion in Quebec: Its Sources and Extent” (2005) vol. 1, no. 1 Economic Fiscal and Budget Studies 1-6 (online: http://www.finances.gouv.qc.ca/documents/EEFB/en/eefb_vol1_no1a.pdf). In a personal e-mail communication, June 23, 2009 (on file with R.T.A.), Gilles Bernard, directeur général adjoint de la recherche fiscale, Revenu Québec, responded to a question on the $425 million figure used by the minister. Indicating ancillary losses of $8 million in other (unspecified) taxes, Bernard stated, “The tax losses are 417 M$ (QST + Income Tax). The QST [Quebec sales tax] represents 133 M$ and the Income tax losses are 284 M$. This last amount can be doubled to take into account the federal income tax.”
5 Canada Revenue Agency, “Businesses Warned Against Using Tax Cheating Software,” Tax Alert, December 9, 2008: “The Canada Revenue Agency (CRA) is aware that electronic sales suppression software is currently being marketed and sold to Canadian businesses. Business owners are reminded that hiding income to evade taxes is against the law. Using this software is not worth the risk.... Businesses that have used electronic sales suppression software are suspected of having hidden thousands of transactions and millions of dollars in sales” (online: http://www.cra-arc.gc.ca/nwsrm/lrts/2008/l081210-eng.html). See also Darah Hansen, “Cooking the Books,” Vancouver Sun, December 11, 2008: following allegations by the CRA that four Chinese restaurants in British Columbia had participated in a high-tech scheme that used zappers to evade tax on millions of dollars of receipts, five people were facing 25 charges as part of a nationwide investigation (online: http://www.canada.com/vancouversun/story.html?id=6c945ca6-f84a-43f6-86ad-221814731593&p=2). Also see infra note 8.
6 European Commission, Directorate-General Taxation and Customs Union, Fiscalis Committee Project Group 12, Cash Register Project Group, “Cash Register Good Practice Guide,” December 2006, 5-6 (unpublished report on file with R.T.A.).
Figure 1 Old-Style Zapper, Hard-Wired into Electronic Cash Register
This is an old-style zapper, which has been hard-wired into the electronic cash register (ECR) and is therefore easy to detect. The picture shows the top of the ECR removed; the large white arrow points to the device. (Reproduced by permission of the government of Quebec.)
Figure 2 Modern Zapper Using Memory Stick
This is a more modern zapper, which is a memory stick (“dongle”) that is inserted into the back-office computer system that collects data from the business’s electronic cash registers. (Reproduced by permission of the government of Sweden.)
jurisdictions adopt comprehensive and mandatory legislation regulating and/or certifying cash registers. Jurisdictions taking this approach include Greece and Germany. With the adoption of the SRM, Quebec will also fall within this group. These jurisdictions are classified generally as “fiscal till” (also called “fiscal memory”) jurisdictions.
Principles-based jurisdictions rely on compliant taxpayers following the rules. Compliance is enforced with an enhanced audit regime. Comprehensive multitax audits (the simultaneous examination of income, consumption, and employment returns) are performed by teams that include computer audit specialists. Audits are frequently unannounced and preceded by undercover investigations that collect data to be verified.⁷ Jurisdictions taking this approach include the United Kingdom, Canada, and the Netherlands. France has implemented a program of preventive audits that target technology providers.⁸ A similar effort can be found in Quebec, where the customer lists of audited technology providers have been used to map later audits of businesses suspected of technology-assisted skimming.⁹ Prior to the adoption of the SRM, Quebec fell squarely within a principles-based classification. Moving forward, Quebec will merge both approaches, even though it appears that the Canada Revenue Agency (CRA) will continue to pursue only principles-based enforcement techniques.¹⁰
7 For example, the recent Canadian investigation in British Columbia into the alleged distribution of sales suppression software by InfoSpec Systems Inc. involved an eight-month undercover investigation by the Royal Canadian Mounted Police (RCMP). During this phase of the operation, undercover RCMP officers posed as potential buyers of sales suppression software. This evidence supported allegations that InfoSpec Systems Inc. knowingly provided restaurants with zappers. Canada Revenue Agency, “Charges Laid in Large-Scale Tax Fraud Investigation,” News Release, December 10, 2008 (online: http://www.cra-arc.gc.ca/nwsrm/rlss/2008/m12/nr081210-eng.html).
8 “Cash Register Good Practice Guide,” supra note 6, at 6. This is the approach that the CRA took in the InfoSpec Systems investigation. Targeting the software program (Profitek) “documents, CDs, computer files, sales notebooks, an electronic calendar, e-mail and other client lists,” the CRA was able to conduct a nationwide investigation, which (according to the Vancouver Sun) is “continuing and [CRA officials] expect more charges to be laid.” Hansen, supra note 5.
9 For example, see the investigation of AudioLab LP: Revenu Québec, “Revenu Québec enquête sur un concepteur de logiciel de point de vente soupçonné d’avoir conçu et distribué un camoufleur de ventes” [“Revenu Québec Investigation of a Software Designer Outlet Suspected of Having Developed and Distributed Zappers”], Communiqué de presse, October 14, 2005 (online: http://www.revenu.gouv.qc.ca/en/ministere/centre_information/communiques/ev-fisc/2005/14oct.aspx) (translation on file with R.T.A.); and the investigation of Michael Roy reported in Revenu Québec, “Fines of More than One Million Dollars—A Father and His Two Sons Convicted for Tax Evasion in Connection with the Zapper,” News Release, May 2, 2003 (online: http://www.revenu.gouv.qc.ca/eng/ministere/centre_information/communiques/ev-fisc/2003/02mai.asp) (on file with R.T.A.).
10 In its recent Tax Alert dealing with sales suppression software, the CRA emphasized that it has “over 5,000 employees dedicated to finding unreported business income and ensuring that the proper amount of taxes is paid, even when sales records are missing.” Tax Alert, supra note 5.
It would be very helpful if a comparative cross-methodology analysis of the various approaches could be presented (rules-based with and without technology versus principles-based with and without a comprehensive audit). We need to quantify the compliance improvement against the cost of getting that compliance. Unfortunately, most of the technology solutions are in prototype. Perhaps Quebec (as it measures the effectiveness of moving from traditional audit alone to technology and audit) will have good measures in a few years.
Amid all the international concern, it is notable that the United States does not have a coordinated zapper enforcement effort. In fact, the United States has uncovered only two zappers, one at Stew Leonard’s Dairy in Norwalk, Connecticut, where $17 million in cash was skimmed,¹¹ and the other at the La Shish restaurant chain in Detroit, Michigan, where cash sales totalling $20 million were zapped and allegedly sent to Hezbollah in Lebanon.¹² The reason for this low enforcement rate is that the US authorities are hampered in their approach to zappers. Federal income tax audits are not coordinated with state and local retail sales tax audits, so the audits are not comprehensive in the Dutch sense. In addition, federal computer audit specialists are not normally assigned to audits of small and medium-sized enterprises (SMEs), and this is where the zappers are.
Nevertheless, if the United States became serious about this problem, it might have a unique blend of rules- and principles-based solutions in an extension of the Streamlined Sales and Use Tax Agreement¹³ (SSUTA). Under the SSUTA, certified third-party software providers (CSPs)¹⁴ could be tasked with assuring ECR accuracy. Not only is the SSUTA legal framework operational, but at present levels of technology, a CSP could readily assure states that the correct retail sales tax was being collected and remitted. At the same time, it could assure federal authorities that zappers were not being used to underreport income. CSPs indemnify both sides
11 The Leonard case came about when a US customs officer inspected a suitcase carried by Mr. Leonard on one of his trips to St. Martin: United States v. Leonard, 37 F.3d 32, at 35 (2d Cir. 1994); aff’d. 67 F.3d 460 (2d Cir. 1995). Details of the tax fraud are preserved in the appeals of the sentence.
12 United States, Department of Justice, Eastern District of Michigan, “La Shish Financial Manager Sentenced to 18 Months in Prison for Tax Evasion,” Press Release, May 15, 2007 (online: http://nefafoundation.org/miscellaneous/FeaturedDocs/U.S._v_Aouar_DOJPR_Sent.pdf). The La Shish fraud apparently came to light as a result of the owner’s failure to file a tax return. “Authorities declined to comment on how the reported crime was discovered, but according to court records, Mr. Chahine failed to file a tax return in 2003”: Roy Furchgott, “With Software, Till Tampering Is Hard To Find,” New York Times, August 20, 2008 (online: http://www.nytimes.com/2008/08/30/technology/30zapper.html).
13 Streamlined Sales Tax Governing Board, Streamlined Sales and Use Tax Agreement, adopted November 12, 2002, amended November 19, 2003, and further amended November 16, 2004 (herein referred to as “the SSUTA”).
14 See SSUTA section 230, defining a certified software provider as “[a]n agent certified under the Agreement to perform all the seller’s sales and use tax functions, other than the seller’s obligation to remit tax on its own purchases” (online: http://www.streamlinedsalestax.org/uploads/downloads/Archive/SSUTA/SSUTA%20As%20Amended%2009-30-09.pdf).
(government and taxpayer) against loss.¹⁵ Certification of the CSP would need to be undertaken jointly (by state and federal agencies), as would oversight of their operation. Quebec has not considered an SSUTA/CSP solution, but it might need to look at this option if it plans to extend the SRM outside the restaurant sector.
Structure of Our Argument
This article moves beyond a discussion of the variety of sales suppression programs in use—zappers and phantomware.¹⁶ It goes beyond a discussion of the economic impact that this kind of fraud has on local businesses,¹⁷ and sidesteps a speculative inquiry into where the money from this fraud ultimately goes—into the business or into the owner’s pockets.¹⁸ Those matters have been considered elsewhere. Our concern here is on enforcement efforts, particularly the SRM. The intent is to assess
15 Under the SSUTA, a CSP needs to provide a surety bond to receive a contract from the governing board. Some enterprises will also take out an insurance policy.
16 For discussion of these programs and possible countermeasures, see Richard T. Ainsworth, “Zappers and Phantomware: The Need for Fraud Prevention Technology” (2008) vol. 50, no. 12 Tax Notes International 1017-29; Richard Thompson Ainsworth, “Zappers and Phantomware: Are State Tax Administrators Listening Now?” (July 14, 2008) vol. 49 State Tax Notes 103-15; Richard Thompson Ainsworth, “Zappers: Technology-Assisted Tax Fraud, SSUTA, and the Encryption Solutions” (2008) vol. 61, no. 4 The Tax Lawyer 1075-1110; and Richard T. Ainsworth and Hiroki Akioka, “Electronic Tax Fraud—Are There ‘Sales Zappers’ in Japan?” (2009) vol. 11 Kansai University Review of Economics 1-34.
17 There is evidence that the presence of a zapper in the local economy has a direct competitive impact on other businesses in the area, as well as an impact on enterprises that sell ECRs to retailing businesses. In a personal e-mail communication, February 11, 2008 (on file with R.T.A.), Michael O’Sullivan (a hearing officer in the State of Connecticut Department of Revenue) indicated, “My only recent instance that involved a ‘zapper’ like product was an anonymous call my office received from someone in the cash register business looking for information on filing a complaint against a competitor. Apparently the caller was attempting to make a sale at a restaurant and was informed that another company attempting to secure the same sale had offered to install such a program in the register if he/she was given the sale. The caller did not elaborate as to who the other salesperson was employed by or any specifics about the workings of the program. We directed the individual to our special investigation section.” The same observation has been made by German investigators: “Till manufacturers confirm that customers enquire about such [sales suppression] functions [in ECRs], and that they influence customer purchasing decisions.” See the German Working Group on Cash Registers, Interim Report, March 16, 2005, citing BRH comments 2003, no. 54, Federal Parliament circular 15/2020, November 24, 2003 (original, in German, and translation on file with R.T.A.).
18 The economics of where the money from skimming goes is difficult to assess. It most likely depends on the personal motivations of the fraudster. For example, in the skimming fraud at Aleef Garage newsstand/convenience stores in the United Kingdom, the skimmed funds went to under-the-table payments to more than 250 workers. Because regular wages were very low, allowing employees to qualify for welfare, cash from skimming became a necessary supplement for worker retention. HM Revenue & Customs, “Company Directors Jailed for £5 million Fraud,” News Release, November 13, 2007 (online: http://nds.coi.gov.uk/clientmicrosite/Content/Detail.aspx?ClientId=257&NewsAreaId=2&ReleaseID=330199&SubjectId=36). Then
the anticipated workability and effectiveness of the SRM solution by contrasting it with solutions adopted or under development in other jurisdictions.
We will first present a rough schematic of how a zapper facilitates a skimming fraud. Then we will consider three rules-based enforcement approaches—the Greek “fiscal electronic devices” (FEDs), the Quebec SRMs, and the German “smart cards.” Next we will examine the Dutch principles-based approach, which is also favoured by the United Kingdom. Finally, we will consider how CSPs in an SSUTA framework could be used to achieve similar outcomes under a blended rules-based/principles-based approach. Comparisons will be made throughout.
Schematic of Skimming with Zappers
There are six basic steps that occur in a sales transaction when a customer makes a cash purchase from a business using an ECR:
1. A consumer identifies goods or services for purchase.
2. A cashier, waiter, or other sales associate creates a pro forma bill¹⁹ and presents it to the consumer for approval.²⁰ (This step is not always present.)
3. The consumer approves and offers to pay in cash,²¹ and the pro forma bill is finalized (agreed upon).
4. The cashier “rings up” the sale in the ECR, which generates an itemized record of each good or service sold.
again, as noted above, in the La Shish fraud in Detroit, a zapper was used to skim cash and (allegedly) send it to fund Hezbollah terrorists in Lebanon. United States, Department of Justice, Eastern District of Michigan, “Superseding Indictment Returned Against La Shish Owner,” Press Release, May 30, 2007 (online: http://www.justice.gov/tax/usaopress/2007/txdv072007_5_30_chahine.pdf). In yet another instance, this time in the Australian case Regina v. Ronen and Ors, 2005 NSWSC 991, the zappers installed in a used-clothing store provided funds that were wired to the owner’s personal overseas bank accounts.
19 This may occur by scanning a bar code, directly entering a PLU (price lookup) number, or entering the name of an item (perhaps by pressing a touch screen).
20 In a restaurant, if a customer orders directly (and only) from the menu presented by the waiter, the pro forma bill may be first drafted in pencil and then transferred to a digital ordering system associated with the ECR. In other instances, a customer may initially order a drink and an appetizer and then place additional orders for food and drink throughout the evening. The waiter will keep a running tally of the bill. It would be common in this case to present one or more pro forma bills at various times to keep the customer aware of the total amount due.
In a grocery store context, an itemized pro forma billing is frequently visible on an LCD screen that the cashier and the customer can see as items are run through a scanner. Some supermarkets today equip their shoppers with a hand scanner to pre-scan all purchases before arriving at the checkout. All modern ECRs have the capability to present this pro forma bill both formally and informally. The important point is that the pro forma bill can be changed before the sale is “rung up.” Changes occur as a result of the customer and the operator acting in concert.
21 Zappers target cash sales because credit, debit, cheque, or bank transfer transactions leave an audit trail.
5. The ECR then directs the printer to issue a paper receipt (invoice) for the customer. Under the SRM (and other fiscal till systems), this is to be a very detailed receipt, which will include
    a. a list of the items purchased;
    b. a price for each item;
    c. a taxability determination for each item;
    d. a segregated tax amount for each of the taxed items (in instances where all items at an establishment are taxed, and taxed at the same rate—as they would be at a restaurant, for example—this function will be performed in aggregate);
    e. the amount of cash tendered;
    f. the net amount returned to the customer in change;
    g. the date and time of purchase;
    h. the name, address, and identification number of the vendor; and
    i. the receipt (invoice) number of the transaction.
6. At the end of the day, a series of electronic reports is generated, based on transactions sent through the ECR.²² These reports are relied on by compliance auditors. The reports are
    a. the daily Z report (with reset functionality);²³
    b. the X report;²⁴ and
    c. the electronic journal.²⁵
22 It is important to note that the fraud we are addressing is a “backroom” issue. We are not so much concerned with the falsification of immediate real-time records as with the alteration of records at the end of the day. See infra note 26 and the related text for further details of this practice.
23 One of the most important functions of a cash register is to record the details of daily transactions—sales, taxes collected, media totals, discounts, voids, and more. The report printed at the end of the day or shift that contains this information, and resets the record for the next day or shift, is known as the “Z” report. The Z report function prints the sales on the cash register tape while erasing the data from the memory. A Z report is a once-only report for a set period of time. Many cash registers have a Z2 feature that allows Z reports to be added together. When an operator “Z2’s them out,” these reports are erased for a longer period of time. An example of a “Z2” report is a monthly report that will be used to date and record monthly cash register sales. Every time the register is “Z’d out” (Report taken), that total is erased from the daily sales files and added to the “Z2” file.
24 X reports are identical in information and time span to Z reports. X reports only provide reports; they do not reset or clear the memory. X reports can be taken as often as needed with no effect on sales data recorded.
25 See “Cash Register Good Practice Guide,” supra note 6, appendix G, at paragraph 1.2: “The Electronic Journal usually contains ALL transactions keyed into the more complex types of till systems and is therefore the definitive record to obtain for audit purposes. (There are exceptions, where Electronic Journals can be programmed ‘not-to-store’ certain keying transactions e.g. ‘Training Mode.’)” The electronic journal should not be confused with the Z report—it is not a recap of the day’s sales. The electronic journal tape is supposed to be a continuous, step-by-step record of every transaction made. It is most useful for going back during a day to look for mistakes that were made. This journal has been a staple in the electronic cash register industry since the beginning. It can be used to check the Z report.
If, after step 6, a zapper is inserted in the ECR, or in the point-of-sale (POS) system, a seventh step is added to the sequence. The zapper allows the user to eliminate from the ECR and the enterprise’s business records all traces of (some or all) cash sales without fear of leaving a digital record of the manipulation (assuming the absence of an anti-fraud device). Phantomware applications would do the same thing, except that their programming is embedded in the ECR’s operating system, not temporarily added and then removed from the ECR.
At this point, the customer has in his hands an accurate receipt (from step 5), but (at the end of the day) the zapper will rewrite the internal memory of this receipt in the ECR—including the records in the Z report, the X report, and the electronic journal. This rewriting creates a new sales profile within the ECR. Selected cash sales are omitted. For example, in ticket files (the digital record of specific invoices issued in sequence), the file would be renumbered if an entire ticket were eliminated. If only some items are removed from some tickets, or if the price of an item is changed on a specific ticket, the amounts due will be recalculated (and a new tax due determined). The altered ticket files will now confirm the altered Z report, X report, and electronic journal. The ECR’s records will not match customer receipts, but the records of the ECR will be internally consistent.²⁶
Thus, one of the common (traditional audit) approaches to detecting a zapper is for an audit team to visit an establishment suspected of using a sales suppression device (in advance of the audit), make cash purchases, save the receipts, and then try to match the receipts with the digital files in the ECR. This is in fact how Revenu Québec uncovered its first zapper in 1996.²⁷
The next thing to notice is that it is easy to skim sales without zapping. This can be done at step 2, but it requires collusion between the vendor and the customer. A consumer tendering cash could be orally offered a lower price (perhaps a tax-free
26 Anti-fraud technology such as Quebec’s SRM and Germany’s smart cards (discussed below) is not designed to eliminate all skimming but only to preserve the records of the transactions that make it to step 5. The problem of the zapper has not been the real-time skimming fraud that occurs at the cash register as the customer pays, but the fraud that occurs in the back room after the restaurant has closed for the evening. At this point, the zapper goes in and manipulates the records to allow the fraudster to make them look “good.” There is commonly some strategy that the fraudster uses to make receipts normal. Thus, a zapper would be used on a night when an exceptionally large amount of cash had been taken in. If the average daily cash take was, say, 1,000 euros or dollars, and in one day 10,000 was received, then it would be a good target day for a zapper. However, a day when cash received was low (500, for example) would not be a good target day. Information provided in personal e-mail communications with Marc Simard, September 15, 2009 and Norbert Zisky, November 18, 2008 (both on file with R.T.A.). Marc Simard is the directeur de la recherche en technologies liées au contrôle fiscal, Revenu Québec; Norbert Zisky is with Germany’s National Metrology Institute, or PTB (Physikalisch-Technische Bundesanstalt).
27 Ainsworth, “Zappers and Phantomware: Are State Tax Administrators Listening Now?,” supra note 16, at 104, note 5.
price) when the pro forma invoice is drafted. If the customer agrees, the sale is simply not “rung up.” As a result, no record of the actual (finalized) transaction will appear in the daily Z report or the X report.
It is possible that the electronic journal might preserve a “trace” of the original transaction (if the pro forma was drafted with the assistance of the ECR). The transaction would appear as an aborted sale. It would look to the auditor as if the customer had declined the purchase when she saw the pro forma invoice. In a restaurant context, multiple aborted sales might raise suspicions, because normally the meal would already have been consumed. However, in a grocery or convenience store, a hairdresser’s, or a butcher’s shop, where the custom might be to discuss a transaction based on a pro forma invoice, aborted sales might not suggest that anything is amiss.
Some fiscal till jurisdictions try to block frauds at step 2 by preserving each keystroke in the electronic journal. These jurisdictions certify each ECR. Tamper-proof electronic journals are made a requirement of certification.
Another thing to notice is that there is a period of time (after the sale is completed at step 3 and before the zapper is inserted) when the records within the ECR are complete and accurate. This period lasts at least up to step 5—the point where the ECR directs the printer to issue an invoice for the customer. These records need to be accurate because the customer will demand an accurate invoice.
As a result, many fiscal till jurisdictions focus on preserving tamper-proof invoices, and the sequencing of those invoices at step 5. This is what the SRM does. The SRM makes every receipt useful for checking the ECR. For example, even a credit card transaction (which was not tampered with) can provide evidence of manipulation, if an auditor can tell that the receipt was renumbered. The SRM will indicate that some other receipt further up the chain is missing, and an auditor would then begin the search for the missing cash transactions.
Principles-based jurisdictions focus on this same point, step 5, but they need to directly find an altered receipt. Without an SRM (or similar device that uses select data on the receipt to derive a signature that is printed on the receipt), it is difficult to tell if a sequence of receipts has been manipulated. This makes pre-audit cash purchases and saved receipts a critical component of a principles-based auditor’s work plan. Traces of a zapper can also be found by computer specialists examining the electronic journal as well as the X and Z reports produced at step 6.
Afinalthingtonoticeisthatallcriticalelementsofthetaxreturn(atleastallele-mentsthatwouldbederivedfromaspecificeCR)areavailableatstep5.Theitemspurchased (step5a), the price charged (step5b), the taxability determination(step5c),andthetaxcollectedperitemorperinvoice(step5d)areallavailable.Inaddition,thecustomerhaspaidthetax.
Thus,itisentirelypossiblethatfiscaltill jurisdictionscouldrequirereal-timeproformareturnsbasedonthesefigures.Theycouldalsorequirereal-timeremissionofthetax.Inaretailsalestaxjurisdiction,thevendormightberequiredtoremittheentirereturnandpayment.Inavalue-addedtax(VAT)jurisdiction,theremittancewouldrepresentonlytheoutputportionofthereturn.TheinputVATcredits(de-ductions)wouldneedtobegatheredfromotherfiles.
Fiscal Tills: Greece, Quebec, and Germany
In addition to Greece, Quebec, and Germany, fiscal till jurisdictions include Argentina, Brazil, Bulgaria, Italy, Latvia, Lithuania, Poland, Russia, Turkey, and Venezuela.[28] The discussion that follows sets the Greek and German regimes alongside Quebec’s SRM in order to illuminate the attributes of this new anti-fraud technology.
Greece: Fiscal Electronic Devices (FECRs, AFED Printers, and FESDs)
Greece has had comprehensive, rules-based fiscal till legislation in place for over 20 years. Technical specifications for fiscal electronic devices, or FEDs, were published widely in 2004.[29] When considered as a whole, these rules attempt to provide data security at both step 2 and step 5 of the transaction sequence. In other words, the Greek approach is to secure data when the pro forma receipt is being generated, and when the printer is being directed to issue the final receipt.
Under Greek rules, FEDs are divided into two categories: (1) fiscal electronic cash registers (FECRs), which are accompanied by autonomous fiscal electronic device printers (AFED printers); and (2) fiscal electronic signing devices (FESDs). The first are used only in B2C transactions; the second may be used in either B2C or B2B transactions. Both preserve digital “fingerprints”[30] of data from tax-related documents.
28 See “Cash Register Good Practice Guide,” supra note 6, appendix D, at paragraph 1.
29 A European directive (98/34/EC of June 22, 1998) requires that whenever a member state adopts new technical rules, specifications, or legal requirements, that state is obliged to announce this to the European Union before the rules take effect. According to this directive, there is a minimum standstill period of three months. During this period, any member state (or the European Commission) has the right to express a “detailed opinion.” The issuance of a detailed opinion extends the standstill period for another three months, allowing for further consideration of the rules by all parties. Greece made the technical specifications for FEDs public in 2004. As a result, the Greek rules are well known not only within the European Union but also among the larger community of ECR manufacturers and distributors. The rules are available in Greek and in official translations in English, French, and German, and can be accessed on the Internet: “Codification of/Addenda to Technical Specifications for Inland-Revenue Approved Registers and Systems (Operating Procedures)” (online: http://ec.europa.eu/enterprise/tris/pisa/app/search/index.cfm?fuseaction=pisa_notif_overview&iYear=2004&inum=135&lang=eN&sNLang=eN).
30 At this point, it is necessary to define two key terms in the language of cryptography: “digital fingerprint” and “digital signature.” A digital fingerprint is a string of characters computed with a cryptographic (or open mathematical one-way) function applied to a particular set of data. It is of constant size (20 bytes is common) and collision-resistant (that is, it is very unlikely that two data sets with the identical fingerprint can be found). A digital signature is different. It is computed by a cryptographic function that is applied to the digital fingerprint; thus, it is a step removed from the original data. In addition, a digital signature makes use of a private key (known only to the entity computing the signature) and a public key (available to anyone). Anyone can take the public key and use it to determine whether the entity used the corresponding private key to create the digital signature.
It is important to recognize this distinction because the Greek system (in formal documents, names of equipment, and public presentations) frequently uses the term “signature” in reference
FECRs and AFED Printers
“Fiscal electronic cash register” is a term that includes ordinary stand-alone cash registers and cash registers equipped with advanced connection capabilities (network or PC-operated machines). “Autonomous fiscal electronic device printers” are fiscal printers that operate only via a connected computer. They have no keyboard or display terminal. They do more than just print receipts, however. AFED printers store and secure in their fiscal memory the data that have passed through them (revenue from sales, taxes collected, etc.).[31]
to the production and storage of digital fingerprints. Thus, the FESD (fiscal electronic signing device) produces and stores digital fingerprints, not digital signatures, although the name of the device might suggest otherwise. Greece’s contribution to the “Cash Register Good Practice Guide,” supra note 6, appendix D, at paragraph 4.2.15, uses both terms interchangeably:
The FESD receives this data, processes it with a special security algorithm (SHA-1) that creates a hash value (sign) and sends the result of this processing back to the connected computer. The hash value, which represents a sequence of characters and digits is the unique electronic digital “fingerprint” of the data of the slip being issued. Furthermore the FESD saves this hash value into [its] own working daily memory and issues a relevant slip.... The supporting software of the FESD which is located in the connected computer receives this “unique summary—signature” i.e. hash value and prints it along with the other data of the issued slip.... [At] the end of the day the FESD processes all the stored hash values of the working daily memory, produces a general daily hash value of all “summaries—signatures” of the day, issues a “Z” day report slip, on which the general day hash value is written.... The computer software receives this unique general “day summary—signature” hash value and saves it in a special electronic file.... [There is also] a Daily Fiscal Signing Record Report Slip—“Z” (DFSRRS) [and] Daily Summary—Signature Slip—(DSSS) [emphasis added].
See also the PowerPoint presentation of Panos Zafiropoulos at the November 2007 EU Fiscalis Exchange Program, “Safeguarding Electronic Tax Data: Data Locking, ‘Fiscal’ Electronic Signing Devices,” 3, 7, 8, and 10 (on file with R.T.A.) (discussing the “e-sign” process, “previous day whole signature,” “day whole signature,” “formation of the signature string,” “signature string (trace),” and “safeguarding e-signature traces,” where in each instance the discussion is about digital fingerprints, not digital signatures); and “Codification of/Addenda to Technical Specifications,” supra note 29, paragraphs 5.5 and 5.8 (statutory discussion of “signing” process, but meaning “fingerprinting”) in the same context as above. Panos Zafiropoulos represents the Greek revenue authority on the Fiscalis Committee’s Cash Register Project Group. See infra note 32 and the related text for further explanation of the secure hash algorithm (SHA-1).
31 The FECR and AFED printer must be equipped with either a two-roll paper printing station, or a one-roll paper slip printer station as well as a daily electronic journal (EJ memory). EJ memory is different from fiscal memory. EJ memory stores all information slips and tickets (“legal receipts”) from the issuance of the previous Z report until the issuance of the next Z report. It is sometimes called the temporary daily slip storage memory (TDSSM). “Fiscal memory,” on the other hand, is the basic secure element in the Greek system. It is based on a programmable ROM—read only memory—(EPROM or PROM) chip that is securely placed within the fiscal cash register. It is in this memory that all important fiscal data are stored. EJ memory is either pluggable/unpluggable or fixed. It resides in the fiscal device and is always a flash memory. See “Codification of/Addenda to Technical Specifications,” supra note 29, at paragraph 2.11. In a personal e-mail communication, August 10, 2009 (on file with R.T.A.),
A digital fingerprint of the data from the electronic journal memory (EJ memory) is computed with a secure hash algorithm (SHA-1).[32] This hash value is permanently safeguarded[33] and stored in the fiscal memory. Daily sums (receipts and VAT amounts) are saved into the fiscal memory, cumulatively and on a daily basis. This function essentially preserves the X and the Z reports along with the electronic journal with digital fingerprints.[34] Disconnecting any Greek device (in an effort to prevent a transaction from being recorded, or to switch devices) will seal the device
Panos Zafiropoulos confirmed, “The type of fiscal memory is ROM based, but what it [sic] is used is [a] One-Time Programmable (OTP) ROM or UV Erasable Programmable (EP) ROM chip. This is why this chip shall be protected and covered by special epoxy glue, in such manner that [it] is impossible to take it out (or replace it) without breaking/destroying the case cover (the enclosure) of the Fiscal Electronic Device.”
Security for the fiscal memory is provided by placing the circuits in a special box that is placed in a specially modulated receptacle; the box is an integral part of the machine. As described by Zafiropoulos, this fiscal memory box is clamped and sealed with an epoxy resin in such a way that removal of the tax memory box is impossible without destroying the cover. The preservation of data is independent of any power source. “Cash Register Good Practice Guide,” supra note 6, appendix D, at paragraphs 4.1, 4.2.14, and 4.3.6; and “Codification of/Addenda to Technical Specifications,” supra note 29, at paragraphs 2.11.4 (including a technical diagram of the sealed box) and 2.17 (specifying the casing, casing elements, and casing seals).
32 The secure hash algorithm (SHA-1) was developed by the US National Institute of Standards and Technology. SHA-1 is a widely accepted cryptographic hash function. It produces a 40-character string by hexadecimal symbols (20 bytes), and the string (or the “hash value”) uniquely defines the processed data (in the case of an ECR issuing receipts in B2C transactions, these data are the values on the printed receipt). SHA-1 is described in detail in the Federal Information Processing Standards Publication 180-2, “Announcing the Secure HASH Standard,” August 1, 2002 (online: http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf).
33 “Cash Register Good Practice Guide,” supra note 6, appendix D, at paragraphs 4.3.1 and 4.3.2, specifies the physical security precautions taken:
4.3.1. Special security screw
Access to the inside of the FCR [fiscal cash register] is protected by a special security screw connecting the upper part of the FCR with the lower part. This screw is fitted in a ... part of the mechanism cover [that is visible to the client]. Access to the inside of the FCR is impossible without the removal of the protective screw. For the sealing a designated material is used (ex. Lead seal), which does not tolerate scrapings and it is carried out in such a way as to make [it] impossible to remove it without destroying it.
4.3.2. Authorized technicians - Access control code
Opening and re-sealing can be carried out only by an authorized technician of the suitability license holder, employed for the repairing of malfunctions. The FED firmware controls, through a special algorithm—access code-password, the access of authorized technicians to it [emphasis in original].
34 See ibid., appendix D, at paragraph 4.2.15, discussing the daily fiscal signing record report slip—“Z” (DFSRRS) and the daily summary—signature slip (DSSS). See also, ibid., a discussion of the periodical summary of memory reading slip (PSMRS), which is also preserved: “Note: The keeping of the stored filed of required data of the signing process is regulated by the same conditions as the keeping of the electronic journal, mentioned earlier.” Note that the reference to “the signing process” should instead read “digital fingerprinting process.”
in less than 30 seconds; an illegal receipt message will print and will be recorded on the tax data Z register; and after 10 disconnect/reconnect efforts, the device will automatically shut down.[35] This process ties in closely with a penalty regime (applied against manufacturers/distributors of ECRs and retailers) that aims to deter the sale or use of uncertified devices.[36] An authorized technician with an access control code will be needed to restore the device.[37]
The cost of FECRs varies from €200-250 to €800-1,000, depending on the manufacturer.[38] Every manufacturer, developer, or importer of an ECR into Greece must seek approval for each specific model that it intends to sell in the Greek market.[39] A licence to sell a specific ECR is issued by a special technical (interparty)[40] body (committee) and will be issued only when the ECR conforms to all statutory technical specifications.[41] Applications are made to the Department of Fiscal Electronic Cash Registers and Systems of the Ministry of Finance and must be accompanied by a working model of the system for which a licence is sought. The committee has the authority to examine any additional data (including experience in the field, business solvency, creditworthiness, and the technical capacity of personnel), and the authority to recall and cancel licences in cases where material changes have been made in systems or in the conditions under which the licence was granted.
Once a model has successfully passed all tests, the committee gives to the interested company a unique licence number for the specific model. The licence number is recorded by the Nation-Wide Information Center of the Ministry of Finance and is printed on each receipt (“legal receipt”) issued in each retail transaction. In addition, this number is required to be placed on a label that is visibly fixed to each machine. As a result, the certification of a specific ECR can be checked both through
35 “Codification of/Addenda to Technical Specifications,” supra note 29, chapter 3, at paragraph 7.10, disconnection (discussing blocking of the device [7.10.2]; records of the disconnection retained [7.10.3]; the less-than-30-seconds rule [7.10.4]; what happens to a transaction that is in process when the disconnection occurs [7.10.5]; and records kept in the Z register [7.10.6]).
36 “Cash Register Good Practice Guide,” supra note 6, appendix D, at paragraph 4.2.1.
37 See supra note 33, paragraph 4.3.2.
38 Panos Zafiropoulos, personal e-mail communication, February 24, 2008 (on file with R.T.A.).
39 There are roughly 300,000 to 350,000 FECRs and POS systems with secure recording devices (FESDs) in Greece. The turnover of these devices is between 30,000 and 40,000 machines annually. There are over 300 different models of ECRs certified for use in the Greek market, representing approximately 50 different manufacturers, importers, and distributors: “Cash Register Good Practice Guide,” supra note 6, appendix D, at paragraph 4.1.
40 An interparty body under Greek rules is a committee, each member of which is assigned by one of the political parties in the Greek Parliament. Although the term of office is for two years, the composition of the committee will change as political power shifts in Greek elections.
41 Technical specifications change with advancing technology, and revisions to the law are made every two to four years. Guidance on these matters comes primarily from specialized laboratories of the National Technical University of Athens (NTUA). The NTUA is also assigned by the committee to perform all the necessary evaluation tests on carried samples of FECRs.
a visual inspection of the machine and by matching the licence number on the machine with a given receipt.
FESDs
Under Greek rules, a business owner can choose to use either an FECR (an ordinary, inexpensive certified cash register) or an FESD. If an FESD is selected, it probably means that the owner has the capabilities, the technology skills, or a budget allocation that would allow the use of a sophisticated computer system.
FESDs are designed for B2B applications. They are used primarily to compute a digital fingerprint[42] of critical tax data that is then printed on the invoice. FESDs can be used for any tax document, including a final retail receipt. The FESD is connected to the business’s computer system via a dedicated port (RS-232; Ethernet RJ-45; USB). A driver must be installed to allow the computer system to interface with the FESD. Essentially, the FESD functions as a virtual printer, allowing the back-office software (ERP system or accounting software package) to function normally. However, every tax document required to be recorded is diverted through the interface to the FESD, where a digital fingerprint is created (the SHA-1 algorithm is applied) and a fingerprint is transmitted to (and printed on) each document. The whole-day fingerprint is permanently saved in the FESD’s fiscal memory.[43] This preserves all data on the document in detail.[44]
Currently, the cost of an FESD is between €450 and €650; thus, an FESD alone can cost more than an FECR. For this reason, smaller businesses do not normally use FESDs to issue legal receipts.[45] Economies of scale also come into the picture, because a single FESD can support many cash registers linked on a network. It can be installed remotely (even in another city), and need not be directly connected to the POS terminal.
An FESD owner is obligated to preserve fingerprinted documents and to store them on a safe digital medium (optical or magnetic). Thus, auditors can check the integrity of these files by running the same algorithm (SHA-1) and comparing a new fingerprint against the existing ones secured within the FESD’s fiscal memory.
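The auditor's check described above, sketched in Go as an added example (it is not code from the article or from the Greek specifications): a model FESD fingerprints each slip with SHA-1 and stores a day value at the Z report, and `Audit` re-runs the hash over the vendor's archive. The slip layout, all type and function names, and the way the day value concatenates the fingerprints are assumptions.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// Slip is a tax document as the vendor archives it: its text plus the
// SHA-1 fingerprint the FESD returned for printing.
type Slip struct {
	Text    string
	Printed string
}

// FESD models the device's two stores: working memory (fingerprints since
// the last Z report) and fiscal memory (one day value per Z report).
type FESD struct {
	working [][]byte
	fiscal  []string
}

// Sign fingerprints one document and keeps the value in working memory.
func (d *FESD) Sign(text string) Slip {
	fp := sha1.Sum([]byte(text))
	d.working = append(d.working, fp[:])
	return Slip{Text: text, Printed: hex.EncodeToString(fp[:])}
}

// dayValue hashes the day's fingerprints in issue order. The concatenation
// layout is an assumption; the page only says the stored values are hashed.
func dayValue(fps [][]byte) string {
	h := sha1.New()
	for _, fp := range fps {
		h.Write(fp)
	}
	return hex.EncodeToString(h.Sum(nil))
}

// CloseDay issues the Z report: the general day hash goes to fiscal memory
// and working memory is cleared.
func (d *FESD) CloseDay() string {
	v := dayValue(d.working)
	d.fiscal = append(d.fiscal, v)
	d.working = nil
	return v
}

// Audit re-runs SHA-1 over the vendor's archive and compares the result
// with the printed fingerprints and with the day value read from the device.
func Audit(archive []Slip, fiscalDay string) []string {
	var findings []string
	var fps [][]byte
	for i, s := range archive {
		fp := sha1.Sum([]byte(s.Text))
		if hex.EncodeToString(fp[:]) != s.Printed {
			findings = append(findings, fmt.Sprintf("slip %d: text does not match printed fingerprint", i+1))
		}
		fps = append(fps, fp[:])
	}
	if dayValue(fps) != fiscalDay {
		findings = append(findings, "day: archive does not match fiscal memory")
	}
	return findings
}

// constructedDay signs three constructed slips and closes the day.
func constructedDay() ([]Slip, string) {
	d := &FESD{}
	texts := []string{
		"0001|2009-11-02 12:05|cash|total 40.00|VAT 3.60",
		"0002|2009-11-02 12:40|card|total 25.00|VAT 2.25",
		"0003|2009-11-02 13:10|cash|total 90.00|VAT 8.10",
	}
	var slips []Slip
	for _, t := range texts {
		slips = append(slips, d.Sign(t))
	}
	return slips, d.CloseDay()
}

func main() {
	slips, z := constructedDay()
	fmt.Println("intact archive:", Audit(slips, z))
	fmt.Println("cash slip 3 deleted:", Audit(slips[:2], z))
	// Slip 3 rewritten and re-fingerprinted outside the device: the printed
	// value is self-consistent, but fiscal memory still holds the original.
	forged := append([]Slip{}, slips[:2]...)
	forged = append(forged, (&FESD{}).Sign("0003|2009-11-02 13:10|cash|total 9.00|VAT 0.81"))
	fmt.Println("slip 3 re-fingerprinted:", Audit(forged, z))
}
```

The third case is the one that depends on the sealed fiscal memory: a rewritten slip with a freshly computed fingerprint passes the per-document check and is caught only by the stored day value.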
42 “Cash Register Good Practice Guide,” supra note 6, appendix D, at paragraph 4.2.15, discussing this process as “signing” the receipt, by which it means that the fingerprint is being attached to the invoice. The PowerPoint presentation by Zafiropoulos, “Safeguarding Electronic Tax Data,” supra note 30, at 2, 3, 7, and 10, describes this as an e-signing process.
43 From a hardware and a security perspective, there is very little difference between an AFED printer (with an electronic journal) and an FESD.
44 Panos Zafiropoulos, personal e-mail communication, February 24, 2008, item D (on file with R.T.A.).
45 In an effort to mitigate the cost of FESDs, the tax law allows owners to depreciate these devices as fixed assets over three years. There is also a government loan program to assist in the purchase of all FEDs (FECRs, AFED printers, and FESDs). The interest on these loans is subsidized at 3 percent.
How FECRs with AFED Printers and FESDs Defeat Zappers and Phantomware
Because FECRs are certified for compliance with all technical specifications set out in Greek law—a law that is supported and updated regularly by the research laboratories of the National Technical University of Athens—it is a very simple matter to determine whether a specific ECR has been tampered with.
Factory-installed phantomware must be removed before certification. If a self-help version of phantomware[46] is on the ECR, either it will be blocked, or there will be a record of the manipulation so that its impact on revenues will be neutralized. Only true data from real transactions will be preserved and fingerprinted with SHA-1 in the fiscal memory. Use of an add-on zapper will be a violation of the licensing regulations. It will be detected in the same manner as self-help phantomware. Severe penalties apply, but detection does require an audit.
Through the certification process,[47] the Ministry of Finance preserves a copy of all approved firmware. According to the ministry,[48] it is a simple matter to calculate a checksum value (CRC-32[49] or SHA-1) for the object code of the firmware. Any auditor can then read the contents of the program memory of a certified ECR and
46 For a discussion of self-help phantomware, see Ainsworth, “Zappers and Phantomware: The Need for Fraud Prevention Technology,” supra note 16.
47 Over 400 different types of ECRs and POS systems have been certified to date: Panos Zafiropoulos, personal e-mail communication, May 28, 2008 (on file with R.T.A.). The certification process means that
a fiscal cash register and its functionality is compliant with the given set of technical requirements, [and that it has been] tested and finally approved. A copy of its firmware (the object code) is laid down during the approval process. A checksum value (CRC-32 or SHA-1) is also calculated for the object file of that firmware.
Anyone whenever he wants (let’s say an auditor for audit purposes) can read the content of the program memory of a tested machine and easily understand if there are any changes comparing it with the object file which is originally kept in the competent department. This is a process that of course can be done, but requires a little bit more [effort] and more qualified staff.
Panos Zafiropoulos, personal e-mail communication, July 22, 2008 (on file with R.T.A.). The requirements for the testing are set out in the “Codification of/Addenda to Technical Specifications,” supra note 29.
48 Panos Zafiropoulos, personal e-mail communication, July 22, 2008 (on file with R.T.A.).
49 CRC-32, or cyclic redundancy check, takes as input a data stream of any length, and produces as output a value of a certain space, commonly a 32-bit integer. The term “CRC” is often used to denote either the function or the function’s output. A CRC can be used as a checksum to detect alteration of data during transmission or storage. CRCs are popular because they are simple to implement in binary hardware, are easy to analyze mathematically, and are particularly good at detecting common errors caused by noise in transmission channels. The CRC was invented by W. Wesley Peterson: W. Wesley Peterson and D.T. Brown, “Cyclic Codes for Error Detection,” (1961) vol. 49, no. 1 Proceedings of the Institute of Radio Engineers 228-35. Although CRC-32 may not be fully secure, because the same hash value could be generated with different data, circumventing the CRC is probably (1) beyond the technical skill of most
determine whether changes have been made in the firmware (through phantomware or zappers) by comparing his reading with that of the file kept in the Ministry of Finance.
FESDs accomplish the same result as FECRs. Neither phantomware applications nor zapper installations are effective when an FESD is installed. The FESD will fingerprint each document and preserve a trace in the fiscal memory of the device. Deletion or manipulation of the records associated with cash receipts is no longer possible without detection.
Thus, if a Greek vendor produces a pro forma receipt through an ECR, the details of the receipt will be recorded in the electronic journal. If the ECR is an FECR, these data enter the electronic journal, and when the AFED printer is set up to capture the data, they will be fingerprinted with a secure hash algorithm (SHA-1). This feature makes it possible to identify enterprises that have routinely offered customers lower prices in exchange for voiding the pro forma invoice at step 2. This would not be possible with FESDs. FESDs are virtual printers, and if data are not being sent to a printer, an FESD will have no need to e-sign it.
Both of the Greek solutions are very effective at step 5 enforcement. If a receipt is printed, both the FECR with an AFED printer solution and the FESD solution will assure tax authorities that the tax collected on cash transactions has been recorded. It is important to note, however, that all of these efforts are directed only at accurate record retention. Returns must still be prepared and filed, and payments remitted for the taxes due or collected, and the revenue authority still needs to audit to ensure compliance. Admittedly, this audit should be easier, but it is still needed.[50]
SMEs, and (2) very high risk for the manufacturer, who would find that all machines already sold and installed in Greece would lose their certification.
Exclusive reliance on the CRC-32 may not be well placed today. The CRC-32 was designed to deal with noise in transmission channels. It was not designed to deal with malicious people (see, for example, Axelle Apvrille, “Trash CRC32,” June 9, 2009, Fortiguard Blog (online: http://blog.fortinet.com/tag/crc32/)). Given the CRC-32 value of a particular firmware, it is easy to produce some other (maybe malicious) firmware with the same CRC-32 value. For example, the Web site for CRC32 Compensation Tools/Library (online: http://www.cr0.org/progs/crctools/) offers a tool that takes a file (for example, malicious firmware), an offset in the file, and a target CRC-32 value (for example, CRC-32 value of certified firmware). If we take the value returned by the tool and insert it into the file at the given offset, the CRC-32 of the file will now equal the target CRC-32 value.
Considering the availability of these tools, the Ministry of Finance should not believe that an attack is beyond the skill of most SME owners. Even if this were the case, the owner would not have to perform this attack himself; there could be a third-party supplier with the technical expertise to make and install the malicious firmware. Thus, using only the CRC-32 for ensuring the integrity of the firmware is not secure. However, the Ministry of Finance also has a copy of the actual firmware, not just its CRC-32 value, on file. The ministry should always compare the firmware itself. For SHA-1, comparing the fingerprints is sufficient. In addition, physical anti-tampering mechanisms used by the Greek ministry make it difficult for a third party to replace the firmware.
50 See Zafiropoulos, “Safeguarding Electronic Tax Data,” supra note 30, at 12.
Quebec: SRMs
Quebec is responding to sales suppression fraud much as Greece has responded, but on both a more limited and a technologically more sophisticated scale.[51] Where the Greek solution is based on digital fingerprints, Quebec goes further and provides data security through digital signatures. Quebec has determined that technological assistance is necessary because there are not sufficient audit resources to handle the estimated 500 new cases each year, involving close to 10,000 delinquent vendors.[52]
Compared with the Greek approach, the Quebec solution (set to be fully rolled out between 2010 and 2011) is limited in two respects: (1) its scope is limited to the restaurant sector, and (2) its range is limited to an FESD-like solution. Quebec has specifically rejected the “FECR with an AFED printer” type of solution.[53] Like Greece, Quebec approaches the sales suppression problem from an adequacy of business records perspective. But also like the principles-based jurisdictions (the United Kingdom and the Netherlands), Quebec supplements technology solutions with very aggressive traditional audits.
The first major legislative response to zappers in Quebec came in June 2000, when bookkeeping and record-keeping requirements were enacted specifying that electronically stored data, together with the means to read such data, formed part of a Quebec business’s regular bookkeeping obligations.[54] Because zappers make digital records unreliable, it was then easy to specifically prohibit the design, manufacture, installation, sale, or lease of zappers in the province.[55] The latter is a presumption-of-use rule: it provides that whenever Revenu Québec finds a zapper, it is allowed to presume that the zapper was used to suppress sales.[56]
The business records that Quebec was primarily concerned about were the Z and X reports and the electronic journal, as well as all of the digital supporting files that
51 Quebec performed two empirical studies of the zapper problem. The first was conducted soon after the June 2000 legislative reforms came into effect. It was a “bookkeeping and records” audit conducted on 70 enterprises. It uncovered 41 zappers. Soon thereafter, the second, more scientific study (“Tax Evasion in Quebec,” supra note 4) was conducted. The use of statistical sampling techniques made this second study more accurate and authoritative. Dave Bergeron, personal e-mail communication, June 6, 2008 (on file with R.T.A.). Dave Bergeron is an IT specialist who, since 2000, has been working on zappers as part of a specialized audit unit at Revenu Québec.
52 Gilles Bernard, “Solution for the Under-Reporting of Income in the Restaurant Sector, 2,” PowerPoint presentation at the Federation of Tax Administrators Annual Conference held in Denver, Colorado on June 2, 2009 (on file with R.T.A.).
53 The alternative of certifying ECRs and mandating the use of a device similar to an AFED printer was considered and expressly rejected for cost (as well as other technological and enforcement-based) reasons. Personal e-mail communications from Dave Bergeron, November 18, 2008 and Marc Simard, September 15, 2009 (both on file with R.T.A.).
54 Act Respecting the Ministry of Revenue, RSQ, c. M-31, sections 34 and 35.
55 Ibid., section 34.2.
56 Ibid., section 34.1.
were kept in an ECR or POS system. These are the records that reside within an ECR at step 5. They are presumed accurate because these records are the basis of the data sent to the printer to produce the customer’s receipt.
This brings Quebec to the place where all fiscal till jurisdictions end up—the legislatively defined “legal receipt.” The legal receipt is the central enforcement document in all fiscal till jurisdictions. Quebec is no exception; it requires that all restaurant sales must be accompanied by a receipt, and then further specifies that this receipt must pass through the SRM, where it is e-signed.[57]
Penalties for not issuing a legal receipt are serious. Quebec’s 2006-7 budget summarized the penalties as follows:
Restaurant operators who fail to remit an invoice to a customer will incur a penalty of $100 as a result of this omission and will commit an offence for which they will be liable to a fine of no less than $300 and no more than $5000. For a second offence committed within five years, the fine will be no less than $1000 and no more than $10000, and for any subsequent offence within that period, no less than $5000 and no more than $50000.[58]
The legal receipt can be a very effective tool against skimming by collusion with the customer (step 2 skimming). If an establishment conspires with its customers to charge a lesser amount in exchange for engaging in cash transactions unaccompanied by a formal receipt, the restaurant operator is in violation of the legal receipt rule. If surveillance detects the fraud, penalties will apply. There is a variant of this fraud that is troubling, because it does not involve direct collusion with the customer; instead, the operator or owner produces xeroxed, scanned, or otherwise duplicated valid receipts.[59] These remain among the frauds that can only be detected (at present) by traditional audits, and they are the reason for the high monetary penalties attached to the failure to provide a legal receipt.
For example, if a pizza shop’s most common order is a single large pepperoni pizza, it would be possible to issue one receipt for this pizza early in the day (the ECR would print the order, price, tax, date, time, and name of the establishment correctly). If this receipt was reproduced and given to every customer who ordered the same pizza that day (without ringing each subsequent sale through the ECR), the cash received could be skimmed and the customer would have an apparently valid
57 RSQ, c. T-0.1, section 425. The requirement for legal receipts is found in several other fiscal till jurisdictions, including Hungary, Greece, Finland, Portugal, Denmark, and Latvia. See “Cash Register Good Practice Guide,” supra note 6, appendix A, at paragraphs 1.3.1.1 to 1.3.1.5, and appendix D, at paragraphs 3.2.1 and 4.2.6.
58 Québec, Ministère des Finances, 2006-2007 Budget, Additional Information on the Budgetary Measures, March 23, 2006, 145.
59 Bernard, supra note 52, indicated that “[i]f the signed invoice is returned to the POS, it is possible to develop a program that re-uses signed invoices in specific circumstances. The net effect is equivalent to using a Zapper.”
receipt. The telltale sign of this fraud is the time code on the receipt. An auditor suspecting this fraud would need to order a pepperoni pizza at, say, 5:00 p.m. and notice that the receipt indicated a sale at 8:00 a.m. If the receipt passed through the SRM, it would also have apparently accurate bar codes—although Revenu Québec indicates that a hand-held scanner (discussed below) will be able to check for this fraud by comparing time stamps.
Revenu Québec unveiled its plans for the SRM pilot project in January 2008. A prototype was demonstrated at the annual conference of the Federation of Tax Administrators (FTA) in Denver, Colorado on June 2, 2009.[60] The pilot program began in November 2009. Participating restaurants must install the SRM microcomputer between their ECR or POS system and receipt printer.[61] The SRM will receive data[62] from specified transactions (the drafting of guest checks, register receipts, or credit notes). From the extracted data the SRM will produce a digital fingerprint and a digital signature of the fingerprint, which will then be transmitted to the printer.[63] Hand-held readers (used by auditors) do not use public key infrastructure (PKI)[64] to
60 Physically, the prototype SRM was a relatively small (2 × 1 × 6-inch) metal box, connected to the printer and the ECR by standard cables.
61 Participation in the pilot project is voluntary. After the pilot project has ended, mandatory installation of the device in restaurants throughout Quebec will take place gradually during 2010 and 2011.
62 Revenu Québec will not disclose the data elements that are selected for signing. This information is “confidential for security reasons.” Marc Simard, personal e-mail communication, August 10, 2009 (on file with R.T.A.).
63 In a personal e-mail communication, August 7, 2009 (on file with R.T.A.), Marc Simard explained:
In addition to ensure the integrity of the information presented on the receipt, the solution designed by Revenu Québec ensures that the bar-code scanned by the [hand-held] reader is produced by the certificate delivered by [Revenu Québec] to the specific MEV [SRM] which generates this signature. The signature is produced by a combination of SHA-256 and ECC-224.
This method uses a certificate which includes a public and a private key issued for each MEV [SRM] with information that identifies the MEV [SRM] and the restaurant.
We choose the elliptic curve algorithm (ECC) to reduce the length of the result (to be converted to a bar code) and to maintain a good strength. The efficiency of ECC is well-known, since it provides similar cryptographic strength as RSA but uses shorter keys. For our case, ECC with a 224-bit key size provides similar strength to RSA with a 2048-bit size (see NIST-800-57 http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part1.pdf).
64 Public key infrastructure (PKI) is a set of hardware and software procedures used to create, manage, store, distribute, and revoke digital certificates. In cryptography, a PKI is an arrangement that binds public keys with respective user identities by means of a certificate authority. The user identity must be unique for each certificate authority. The binding is established through the registration and issuance process, which, depending on the level of assurance that the binding has, may be carried out by software at the central authority, or under human supervision.
verify that any receipt under question was actually produced by a specific SRM (as does the German solution).65 With the SRM, it is the “SRM certificate” that performs this function.66
The digital signature will then be printed on the receipt from which it was derived. The digital signature, the digital fingerprint, and the recorded data will all be preserved within the fiscal memory of the SRM for seven years.67 Restaurants will be required to submit sales summaries, generated by the SRM, when they submit their tax declarations.
The Quebec government believes that the SRM will
• permit restaurant [patrons] to verify that the taxes they pay are properly recorded and assure them that these funds will be remitted to the State;
• facilitate the intervention of Revenue Quebec in cases where a receipt is not issued or recorded [step 2 skimming] or where attempts are made with zappers or phantomware to manipulate the data on the receipt [step 7 skimming];
• allow Revenue Quebec to easily verify whether or not a specific receipt has been recorded;
• preserve sales data for the statutorily required period;
• make the data-content of ECRs more uniform and easier to audit;
• allow Revenue Quebec to quickly identify cases where sales have not been declared.68
A critical difference between the Greek and the Quebec approaches is that under the Greek system, it is not necessary to have multiple FESDs in an establishment that networks multiple ECRs—a grocery store or a large restaurant, for example. Although a single SRM might have been used in a similar manner, to e-sign receipts for multiple ECRs, this was deemed to be a security risk by Quebec authorities. Thus, an SRM has a one-to-one relationship with the receipt printer (but not necessarily with each
65 The value of the hand-held reader to auditors cannot be overestimated. When Quebec’s use of a bar-code scanner was demonstrated in June 2009 at the FTA’s annual conference, the response of the German representatives, for example, was very positive. Subsequent correspondence suggested that Germany may emulate this technique:
In our [Germany’s] solution we print the digital signature [on] the receipt. If you want to verify the receipt you have to type all data of receipt including the signature [into a PC]. It takes a long time because you will make input errors. [If] ... you test it, you will find out that this is not a good practice.... I [have used] a pencil scanner.... It works [well] and you are much faster. You can also use a normal scanner with OCR. We are testing different solutions.... If we use bar codes we have to have a bar code scanner.
Norbert Zisky, personal e-mail communication, August 10, 2009 (on file with R.T.A.).
66 “The MEV [SRM] certificate [is used] to verify that the receipt was produced by a specific MEV [SRM].... [S]ales summaries are generated and signed by the MEV [SRM].” Marc Simard, personal e-mail communication, September 15, 2009 (on file with R.T.A.).
67 Supra note 2, slides 6 through 8.
68 Ibid., slide 12.
ECR).69 This difference has a significant financial impact when the estimated $650 cost of each SRM is factored into the equation.
Steps have been taken to prevent tampering with the SRM once it is installed. The SRM is physically secure within a sealed metal case that cannot be broken into without leaving a trace.70 The SRM does not come with a backup power source. Unless restaurateurs already have a backup power source for their ECRs, the SRM will not operate in cases of power outage, and the outage will leave a record of disconnection and reconnection in the SRM. Thus, Revenu Québec will be alerted to conduct appropriate inspections whenever disconnection of the SRM occurs, regardless of the cause.71
The Quebec government has promised to shoulder the $55 million cost of providing SRMs to restaurants,72 but there is no discussion in Quebec about extending SRM applications outside the restaurant sector. This is the case even though automated sales suppression technology is not confined to restaurant fraud.73 It also appears that very small restaurants may not be required to use SRMs.74
69 Information presented when the SRM was announced (supra note 2, slide 7), showing one SRM connected to either a single ECR or a POS system, was ambiguous in this regard, and did not reflect the intended one-to-one relationship. A personal conversation with Dave Bergeron on August 11, 2008 clarified this point.
70 We wondered how easy it would be for an auditor to detect a physical invasion of the SRM. There are no publicly available (detailed) responses on this point from Revenu Québec. This question may be too close to the government’s security concerns to be answered in great detail, but correspondence with the ministry on this point states that “safety seals [will be used] to detect attempts to physically break into the MEV [SRM].” Marc Simard, personal e-mail communication, September 15, 2009 (on file with R.T.A.). In addition, from appearances (a prototype was made available for inspection at the June 2009 FTA conference), the SRM appears to be very secure. At the FTA conference and other venues, Revenu Québec has been very clear that any attempt to physically break into the SRM will be detected. Similar safeguards have been built into technological solutions adopted in Greece, Germany, and other fiscal till jurisdictions.
71 With regard to electrical disconnections, what happens if a restaurant simply decides to disconnect the SRM from its power source and make some sales with the printer directly connected to the ECR (bypassing the SRM)? Revenu Québec has indicated that this issue falls into the audit area. With the SRM’s ability to detect disconnections, ministry officials feel confident that efforts to defeat the device in this manner will be identifiable; the subsequent reconnection would also be recorded. Marc Simard, personal e-mail communication, September 15, 2009 (on file with R.T.A.). Unlike the Greek system, which will automatically shut down the ECR after it registers a specified number of attempted disconnections and reconnections, the SRM does not appear to do the same.
72 Supra note 3.
73 For example, zappers have been found in grocery stores in the United States and the Netherlands, in clothing establishments in Australia, and in hairdressing salons in France.
74 Supra note 58, at 144-45, indicating that the obligation of a restaurant to use SRMs will be dependent on whether the restaurant is required to remit a receipt to customers. That requirement is not expected to be universal, but instead will likely be defined and limited by regulation.
SRMs, however, are not the end of the story. Quebec’s view is that SRMs will not eliminate the need for traditional audit enforcement; rather, the SRM will supplement or extend the traditional audit.75 SRMs will integrate into traditional audit strategies in three ways:
1. they will be the basis for pre-audit investigation;
2. they will provide for rapid, digitally efficient confirmation of compliance with business record requirements; and
3. they will bring efficiencies to formal audits by standardizing record formats.
With respect to the first item, although immediately after the March 23, 2006 budget speech, inspection of books and accounts continued as before, once the SRM is in place Revenu Québec will accelerate the use of (non-audit) inspection teams.76 These inspectors are charged with making unannounced visits to restaurants, to inspect books and records and to take backup copies of ECR and POS programs in their search for zappers and other frauds. These teams are made up of an auditor and a computer specialist. With SRMs, these inspectors will be able to more quickly identify the irregularities that would warrant transferring a case for formal audit or criminal investigation.77
With respect to the second item, the digital fingerprint and signature envisioned for the SRM is not the same as the alphanumeric hash value (SHA-1) that is printed on the legal receipt in Greece.78 The SRM prints a bar code that can be read by a pocket computer through an integrated optical scanner. The bar code will immediately verify that a receipt is a “legal receipt,” certified by a government-issued SRM, and that both income and consumption tax amounts have been properly recorded in the firm’s business records.79 The hand-held scanner is a critical (and globally unique) tool in Revenu Québec’s effort to increase the effectiveness of its audits.80
75 Supra note 2, slide 12.
76 In Québec (Sous-ministre du Revenu) c. Paré, 2004 CanLII 39110 (Que. CA), Revenu Québec inspection teams had used warrants to search for zappers within the Squirrel computerized cash register system to which the defendant held exclusive distribution rights, even though the inspection did not rise to the level of a formal audit.
77 Richard T. Ainsworth and Dave Bergeron, “Zappers: Automated Sales Suppression,” New York Prosecutor’s Training Institute, Syracuse, NY, July 31, 2008 (PowerPoint presentation, on file with R.T.A.).
78 For example, Zafiropoulos, “Safeguarding Electronic Tax Data,” supra note 30, at 7, presented the following signature string as a representative example of the e-signing script that would be found on a receipt issued by a Greek FESD: D5A63F82962AB37886F975820883A76415DB614e0459000835920410030925eZI03013095.
79 Supra note 2, slide 12.
80 Could a complete audit of an establishment be performed with an SRM and a hand-held scanner? Revenu Québec indicates that the hand-held scanner is not intended to be used for this purpose. Marc Simard, personal e-mail communication, September 15, 2009 (on file with
With respect to the third item, the SRM will make traditional audits more efficient by standardizing the data flows from ECRs and POS systems in use throughout the province. It will no longer be necessary to have subspecialists in particular ECRs available to assist Revenu Québec auditors, because the SRM will standardize the data that an auditor will need to download onto a laptop computer in order to perform an audit.81
Germany: Smart Cards Embedded in ECRs
The German Working Group on Cash Registers, representing the highest-tier central and regional tax authorities, has been examining automated sales suppression technology (both phantomware and zapper applications) in use in the country. An interim report has been released.82 The problem is deemed to be serious, and a technological solution is entering the final stages of testing.
The German solution involves storing critical data from sales transactions on smart cards securely embedded in ECRs. The German National Metrology Institute (Physikalisch-Technische Bundesanstalt [PTB]) is the home of the INSIKA project (Integrierte Sicherheitslösung für Kassensysteme—Integrated Security Solutions for Cash Registers). INSIKA began work on prototypes of the smart card solution in 2008.
Papers on digital signatures by Norbert Zisky of the PTB83 convinced the working group that signing techniques had been sufficiently tested in secure communication
R.T.A.). Simard explains that the SRM (and the scanner) is part of a four-part fraud prevention strategy (based in large part on the determination that the fraud problem is much larger than zappers alone, and that a much broader effort is needed). The four-part strategy comprises the following steps:
(1) The restaurateur is obliged to remit a paper receipt or invoice to the client. This is the key to confirming that an economic transaction has occurred between a business and its customers. In most cases where income is not declared, hidden transactions were not recorded in the electronic cash register (ECR).
(2) Restaurateurs must produce invoices using an MEV [SRM] approved by Revenu Québec, which forces them to keep records.
(3) Revenu Québec will step up its inspection activities to ensure that the two above measures are adhered to. Note that the MEV [SRM] will allow us to redesign and speed up the inspection process and determine more efficiently whether or not a restaurant is complying with the law. Without such inspections, businesses seeking to mask income would simply not [record] transactions in the cash register, regardless of the control mechanisms in place (Greek or German solution, MEV [SRM], etc.).
(4) The general public is made aware of restaurateurs’ obligation to remit an invoice to their customers, in order to re-establish fiscal equity and fair competition.
81 Bernard, supra note 52.
82 German Working Group on Cash Registers, Interim Report, supra note 17.
83 Norbert Zisky, “Manipulationsschutz elektronischer Registrierkassen und Kassensysteme” [“Manipulation Protection—Electronic Cash Registers and POS Systems”], German Federal Standards Laboratory, Brunswick and Berlin (May 2005) (unpublished draft on file with R.T.A.);
settings with measuring instruments84 that they could form the basis of a solution to zappers.
The INSIKA project was charged with completing the technical specifications for a signature smart card by the summer of 2008.85 The work was completed in February 2009. Included with the technical specifications for the signature smart card is a determination of the data structures and formats, communication protocols, and security analysis for the system. The final results of the project were published at
and (March 15, 2004) (unpublished draft, translation on file with R.T.A.). Since these early papers, there have been several modifications to Zisky’s proposal. The critical changes include the following:
1 The signature device (smart cards) distributed by the tax authorities will be personalized to the taxpayer not to the cash register (cash box);
2 The signature device will have a set of dedicated sum storages which will be controlled by the signature device itself. It [will] generate the relevant data from the set of data to be signed. In the [case where there may be] a loss of signed data the tax authorities [will be] able to read the stored data from the smart card. The sum storages [are required] to [be] read out periodically and [are required] to be stored after signing.
3 The receipts [must] contain all relevant data for the verification of the transaction (including the signature). These [receipts will be] exactly the same [as those] in the memory (from the point of view of data modeling). With the help of [the memory record] you are able to validate each receipt. Falsification of receipts [is] not possible. But there is a little problem [currently]: If you have the paper receipt you [will need] to type in every character into your computer by hand (or you may use a scanner). The manual test of receipts without technical support will be the exception, but it [will be] possible.
Norbert Zisky, personal e-mail communication, February 15, 2008 (on file with R.T.A.).
84 See Luigi Lo Iacono, Christoph Rulans, and Norbert Zisky, “Secure Transfer of Measurement Data in Open Systems” (2006) vol. 28, no. 3 Computer Standards & Interfaces 311-26; and the Secure Electronic Measurement Data Exchange (SELMA) Project (online: http://www.selma-project.de/) (in German). For a brief description of SELMA, see infra note 128 and the related text.
85 Regarding the timeline for the completion and implementation of the project, Norbert Zisky indicated in mid-summer 2008:
With our technical work we [have] made a lot of progress. Important parts of the technical description are nearly finished. Th[ese] documents will be made available for the public in [the] autumn [of 2008]. But the general technical concept will be published earlier.
In autumn the first ECRs will be equipped with the smart card. Our cash register working group has finished the work on the internal, professional concept. This concept contains all needed steps and structures to set up the smart card solution.
As I said one of the most important steps will be the setup of the public key infrastructure. But the earliest date for [mandatory] use will be January 1st 2012 or 2013.
Personal e-mail communication, July 10, 2008 (on file with R.T.A.). Further delays were encountered, but by mid-2009 the technical specifications for the
smart card were completed and posted on the Internet at http://www.insika.de/ (in German only; an English translation is expected). At about the time that Quebec’s SRM will be undergoing a pilot test (November to December 2009), so too will the German smart card. Norbert Zisky, personal e-mail communication, July 22, 2009 (on file with R.T.A.).
the Information Security Solutions Europe conference in the fall of 2009, and are available on the INSIKA Web site.86
On the basis of the recommendations of the working group, Vectron Systems AG developed (and is currently demonstrating) a privately developed prototype of the German solution. Under the Vectron prototype, every record that holds sales data (or any other activity performed on an ECR) is secured through a digital summary fingerprint of the main data elements in the ECR. A secure electronic signature is issued for this digital fingerprint based on PKI.87
The essence of the German solution revolves around cryptography and smart card access to cryptographic data preserved within the ECR or POS system. If the revenue authority audits, it can access ECR records using a key to read the data and determine whether there has been tampering. As described by Zisky,
[t]he fiscally relevant data records can be examined both locally and after their transmission over various communication channels[. Processes will be] fully automatic with respect to their integrity and authenticity. For the electronic signature of the revenue [office] special smart cards are used, which are integrated into the POS systems....
The revenue office will provide a smart card with a cryptoprocessor for each cash register. On these revenue office smart cards a cryptographic pair of keys with a secret and public key is produced. The public key is kept for later fiscal examination of the respective data. The certificate for the public key is also stored on the smart card[s] themselves....
In the case of the marking procedure [the signing procedure] over the data record—it is “signed” when a hash value is formed, which is in turn coded by the secret key of the smart card. The formation of the hash value is a mathematical one-way function, which comprises a single (unique) value from the data set. It is the hash value that seals the data record (an electronic seal). The formation of the signature is used to assign the data record to the cash (involved in the transaction) and/or the pair of keys....
For the conclusion of the verification process the two hash values are compared with one another. If these agree the integrity of the registered data record is authenticated.88
The German solution is a fiscal till solution, but it is far more flexible than the Greek solution. It is substantively similar to Quebec’s SRM;89 however, the German mandate is broader. Where Quebec is concerned with only the restaurant sector, the German proposal is for all ECRs and POS systems to be fitted (at the business’s
86 Mathias Neuhaus, Jörg Wolff, and Norbert Zisky, “Proposal for an IT Security Standard for Preventing Tax Fraud in Cash Registers,” paper presented at the Information Security Solutions Europe conference held at The Hague, October 6-8, 2009 (copy on file with R.T.A.).
87 The German solution does not anticipate that auditors will use hand-held readers, nor will bar codes appear on receipts. Instead, auditors will use laptop computers and enter the alphanumeric code printed on the bottom of a receipt to confirm the integrity and accuracy of the receipt. (See supra note 64 for a description of PKI.)
88 Norbert Zisky, “Manipulation Protection,” supra note 83, at paragraphs 5.2 and 5.3.
89 Norbert Zisky, personal e-mail communication, August 10, 2009 (on file with R.T.A.): “Quebec’s device generates real digital signatures.... They store the signatures of each transaction inside the box. So the general approach of both solutions is very similar.”
expense) with a smart card containing a cryptoprocessor that e-signs designated “tax-relevant data.” With this device, the entire electronic journal could be signed on a regular basis;90 or each transaction, whether open or closed (sale, refund, training session, voided sale, or temporary record), could be designated as tax-relevant and signed whenever entered into the ECR. It would not matter under the German system if no receipt was issued, but auditing individual transactions would be more difficult.91 It would matter only that each transaction be registered in an ECR or POS system that was fitted with a smart card.
Because the German solution is fully digital, the revenue authority will be able to conduct its audits of businesses remotely. A data feed may be taken directly from ECRs, or data may be transmitted through an e-mail attachment. The Greek solutions can do this, but the Quebec SRM cannot. The SRM presents data and security in digital format, but the expansion of audit capability to include remote audits has been rejected by Revenu Québec on policy and privacy grounds.92
There is a nagging question about the possibility that malicious software could be added to an ECR that has been fitted with a smart card.93 The same question arises
90 With the SRM, the electronic journal of transactions is signed by the device. Marc Simard, personal e-mail communication, September 15, 2009 (on file with R.T.A.).
91 However, German legislation is pending that will require the issuance of a legal receipt, along with other legislation that will implement the smart card solution. This legislation has not been acted upon.
92 Dave Bergeron, personal e-mail communication, November 20, 2008 (on file with R.T.A.), on the rejection of remote audits performed by linking to the taxpayer’s SRM. It is questionable whether Revenu Québec is dealing with a real privacy concern here, or merely with the appearance of an intrusion on a protected privacy interest. There should be little that should be considered confidential in the bulk transmission of itemized business records setting out daily sales of goods or services, provided that those sales are not further associated with an individual—that is, an unsuspecting customer. It is the retention of a customer’s personally identifiable information (PII) in business records that is a privacy concern. If not handled properly, this may lead to an unauthorized government intrusion into private lives. See Neil M. Richards and Daniel J. Solove, “Privacy’s Other Path: Recovering the Law of Confidentiality” (2007) vol. 96, no. 1 Georgetown Law Journal 123-82, discussing the origins and different development paths of privacy law in the United States and the United Kingdom—the United States with an individualistic understanding and the United Kingdom with a relational understanding—and indicating that unauthorized disclosure of PII within business records is central to both. Nevertheless, it is common in the transaction tax context to put protections in place whenever third-party access to tax data is contemplated. For example, section 321 of the SSUTA, supra note 13, restricts retention of PII by CSPs performing tax calculations.
93 Under the German solution, each keystroke providing data that are destined for the smart card is assigned a number by the smart card itself. Missing data can be identified by looking for a break in the sequencing. This, however, does not answer the concern; it only pushes the hypothetical back in time, so that the malicious software intervenes before the assignment of a number. In a personal e-mail communication, August 6, 2009 (on file with R.T.A.), Norbert Zisky confirmed the assignment of the numbers under the German solution: “each set of data which will be sent to the smart card for signing will be added with a sequence number generated by the smart card itself. This is the most important part of our solution. Therefore we developed a new smart card package with this functionality.”
with Quebec’s SRM. If software were designed to intercept data (entered into the ECR) that was destined for the smart card—for example, any sales of a particular beer, or any sales of beer in excess of the number of people at a table—would this defeat the system? This is a step 2, not a step 5, fraud. A valid receipt will not be issued under either the German or the Quebec solution. The German response to this hypothetical is similar to that of Quebec: because this fraud happens in real time (at the cash register) and not at the end of the day in the back room, it is an activity that remains in the realm of traditional audit.94 Brazil encountered exactly this problem in 2007 in Operação Tesouro (Operation Treasure-Hunt).95
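What an auditor's check over a device-numbered, signed journal can and cannot see, as discussed in note 93 and the paragraph above, is shown in the simulation below. It is an added example, not code from INSIKA or Revenu Québec: the class, function and field names and the read-out of the device counter are assumptions, the sales are constructed, and HMAC-SHA-256 stands in for the device's public-key signature so that the block runs on the Python standard library alone.

```python
import hashlib
import hmac
import json

# Constructed sample sales, not data from the article.
SALES = [
    {"item": "pizza", "total": "18.50"},
    {"item": "beer", "total": "6.00"},
    {"item": "beer", "total": "6.00"},
    {"item": "coffee", "total": "3.25"},
]


def canonical(body):
    """Serialize a record deterministically so the hash is reproducible."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def seal(key, body):
    """Hash the record, then authenticate the hash with the device key.
    HMAC is a stand-in here for the ECC signature the article describes."""
    digest = hashlib.sha256(canonical(body)).digest()
    return hmac.new(key, digest, hashlib.sha256).hexdigest()


class SigningDevice:
    """Hypothetical model of the smart card / SRM: the device itself, not the
    cash register software, assigns the sequence number before signing."""

    def __init__(self, key):
        self._key = key
        self.counter = 0  # assumed to be readable by the auditor

    def sign(self, record):
        self.counter += 1
        body = {"seq": self.counter, **record}
        return {**body, "sig": seal(self._key, body)}


def audit(journal, key, device_counter):
    """Return (sequence numbers with a bad signature, sequence numbers missing).
    Gaps are measured against the counter read from the device, so records
    removed from the end of the journal are noticed as well."""
    bad, seen = [], set()
    for entry in journal:
        body = {k: v for k, v in entry.items() if k != "sig"}
        if hmac.compare_digest(seal(key, body), entry.get("sig", "")):
            seen.add(body["seq"])
        else:
            bad.append(body.get("seq"))
    missing = [n for n in range(1, device_counter + 1)
               if n not in seen and n not in bad]
    return bad, missing


def scenarios():
    key = b"constructed-demo-key"
    device = SigningDevice(key)
    journal = [device.sign(sale) for sale in SALES]
    results = {"honest": audit(journal, key, device.counter)}

    # Record 3 removed from the journal after it was signed: a gap appears.
    results["deleted_after_signing"] = audit(
        journal[:2] + journal[3:], key, device.counter)

    # Amount of record 2 changed after signing: the seal no longer matches.
    edited = [dict(entry) for entry in journal]
    edited[1]["total"] = "0.00"
    results["edited_after_signing"] = audit(edited, key, device.counter)

    # Sales withheld before they reach the device are never numbered, so the
    # journal is internally consistent and this check reports nothing.
    device2 = SigningDevice(key)
    filtered = [device2.sign(s) for s in SALES if s["item"] != "beer"]
    results["suppressed_before_device"] = audit(filtered, key, device2.counter)
    return results


if __name__ == "__main__":
    for name, (bad, missing) in scenarios().items():
        print(f"{name}: bad signatures={bad} missing numbers={missing}")
```

The last scenario comes back clean, which is why both Quebec and Germany leave that case to inspection of the receipt actually handed to the customer.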
However, under the Greek solution, where it is the ECR itself that is certified and not an add-on microprocessor (Quebec) or an add-on smart card (Germany), this fraud would be uncovered. The Greek approach directly certifies the programming within the ECR, and provides a machine-specific testing mechanism.96
The Greek, Quebec, and German solutions can also be distinguished on the basis of the “per-unit” cost of implementation. The German solution is far and away the least expensive. Both Greece and Quebec have responded to the high costs of their solutions. Under the Greek regime, the entire cost is borne by business, although the government does provide tax breaks (accelerated depreciation) and financial assistance (low-interest loans) to assist with hardware purchases. Quebec, on the other hand, plans to provide the SRM to businesses free of charge.
Zisky identified the low cost of the German solution, estimated at about €50 per ECR, as one of its key features:
In ... this approach ... for the protection of electronic cash registers and POS systems against the manipulation of stored data [t]he large advantage ... consists of the reaching of a comparatively high level of protection with only small hardware and software expenditures in the POS system being necessary.97
He itemized the components of the €50 estimate as follows:
The additional costs per ECR are the result of [the] cost for the smart card (signature device), approx. 7-8 euros, and for integration of the smart card to the ECR, approx. 20 euros (including hardware and software). [An] additional 20 euros I calculate [are needed] for additional common costs (smart card distribution, administrative costs). Government subsid[ies] are not planned. But on the [part] of tax authorities some
94 Norbert Zisky, personal e-mail communication, August 10, 2009 (on file with R.T.A.): “An auditor [should] see [this fraud] in real time because no valid signature is printed on the receipt. It is the same problem [when] the taxpayer does not use the ECR every time and puts the money in his trouser pocket directly.”
95 See infra note 102 and the related text.
96 See supra note 47.
97 Zisky, “Manipulation Protection,” supra note 83, at paragraph 5.1, and paragraph 5.7 (estimating €50).
expenditure is needed. Certificate management, test tools, training of the staff of tax authorities [need to be included in a full cost estimate].
The price of smart cards is calculated on [a] base of more than 100,000 cards because they will be ordered by a central authority.98
Vectron’s prototype of the INSIKA smart card solution has an even lower cost estimate—a “[s]ingle-unit end-user price [of] less than €25.”99
The Role of Audits in Fiscal Till Jurisdictions
All fiscal till jurisdictions continue to rely on audits to detect fraud. The technological solutions discussed above—whether FECRs, AFED printers, FESDs, SRMs, or smart cards—do not replace auditing; they only make auditing easier. Thus, Quebec announced an increase in the use of inspection teams in tandem with the announcement that SRMs would soon be deployed. The SRM itself is designed with an auditor’s eye. It harmonizes data feeds from widely diverse ECRs, and it translates the digital signatures on receipts into bar codes so that they can be scanned with hand-held optical readers.
Germany’s assessment of the situation is similar to Quebec’s. Germany believes that fraud technology has advanced so far that success with traditional audits is virtually impossible without a secure technological record. In a comment directed to the Federal Ministry of Finance on November 24, 2003, the German Federal Audit Office (Bundesrechnungshof [BRH]) warned that
[t]he latest generation of cash registers and cash register systems makes it impossible for tax authorities to detect fraudulent declarations of cash receipts. In these systems, data that have been entered, as well as system-generated register and control data can be secretly tampered with. This leads to a high risk of lost taxes that cannot be overestimated. This situation must change immediately. . . .
The analysis reveals that auditors and tax investigators have constantly discovered fraudulent manipulations of cash registers and the data they store. However, such manipulations could only be discovered in older generations of electronic cash registers and cash register systems.
Verification of data has become extremely difficult since the introduction of new cash registers and cash register systems.100
Brazil’s experience with ECR manipulation reinforces the German and Quebec assessments. Reliance on technology alone to block manipulation is not sufficient. No matter how much security is placed over digital records, an audit is necessary.
98 Norbert Zisky, personal e-mail communication, February 19, 2008 (on file with R.T.A.).
99 Vectron Systems AG, “Tamper-Proof POS Data: Projectgroep Onderzoek Administratieve Software,” October 31, 2007, 30 (online: http://www.gbned.nl/downloads/xmllogistiek/poas/20071031%20Vectron.pdf).
100 BRH comments 2003, no. 54, supra note 17, at 197-98 (emphasis in original).
Brazil requires that a “black box” be attached to each ECR. The device secures the electronic journal and can only be accessed by the tax administration. But as the 2007 criminal audit of all the supermarkets in Belém (Operação Caixa 2—Operation Second Register) demonstrates, fraudsters intent on skimming will find a way to get into the black box.101 Similarly, in 2007, Operação Tesouro (Operation Treasure-Hunt) demonstrated that fraudsters have been successful in tampering with the black box through malicious software. This operation, conducted in the state of Bahia, uncovered over 300 food service establishments that used software to manipulate data before it was sent to the black box.102
101 “Operação Caixa 2” (Operation Second Register), conducted by the Brazilian Federal Revenue service, began on October 1, 2007. In the early stages, it involved 50 fiscal auditors, 20 tax analysts, and 20 support personnel (police units) operating in 10 teams in the city of Belém. On the first day of the operation, five companies (supermarkets) were raided, 175 recording machines were confiscated, and 60 were found to have irregularities. In addition, 17 suppliers were searched. On the second day, four more supermarkets were raided in Capanema, and two more in Bragança were searched. “The fiscal auditor and coordinator of this activity, José Renato Gomes, affirms that yesterday’s work is essential for finding out whether this kind of fraud is all coming from Belém, from the corporations supplying the equipment, or if it is being set up and carried out outside the State.” “Receita Federal fiscaliza supermarcados em Belém” [“Federal Revenue Service Investigates Supermarkets in Belém”], Plantao Online Edition, October 1, 2007; “Receita Federal dá prosseguimento à Operação Caixa 2” [“Federal Reserve Gives the Go-Ahead to Operation Caixa 2”], Plantao Online Edition, October 3, 2007; and “Operação Caixa 2 divulga balance hoje” [“Operation Caixa 2 To Release Results Today”], Plantao Online Edition, October 18, 2007 (online: http://www.orm.com.br/plantao/comentar.asp?id_noticia=290720) (in Portuguese—sequence of posting on the federal government Web page; translations on file with R.T.A.).
102 “Operação Tesouro” (Operation Treasure-Hunt) in the state of Bahia is described as follows:
[S]even businessmen from the bar and restaurant sector, as well as the owners of two information sector businesses, namely Networks and Stella Systems, [have been] accused of being responsible for the development of a tax evasion software program.... [The operation involved] 28 search warrants ... 35 teams ... comprised of 264 people, ... the civil police, civilian and military police officers, tax auditors, revenue agents, prosecuting attorneys and intelligence professionals.... According to the technicians involved ... between 2005 and 2007 the fraudulent accountancy performed by the “Colibri” [hummingbird] software program permitted the illegal withholding of almost R$2 million. The number of establishments involved in the scheme may be as high as 300 in the food service sector alone.... [T]hese businessmen have been withholding nearly 40% of their companies’ turnover.... [T]he Colibri software, developed by Networks, is a database program for commercial automation, commonly used by bars, restaurants and luncheonettes. The fraud consists in the use of the program with a certain configuration permitting the deactivation of the Receipt Issuing Device (ECF), and thus keeping the machine from issuing a receipt during payment for sales of products or services.
“Technological fraud? .. Bahia :: Fraude: Sonegação Fiscal Leva sete empresários para a Prisão Terça-feira” [“Technological Fraud? Bahia: Fraud: Seven Businessmen Imprisoned for Illegal Withholding of Taxes”], Journal da Midia, October 2, 2007 (online: http://www.jornaldamidia.com.br/noticias/2007/10/02/Bahia/Sonegacao_fiscal_leva_sete_empres.shtml) (translation on file with R.T.A.).
The experience of Greece, however, appears to stand in contrast to the Brazilian as well as the German and Quebec assessments. Even though regular audits of FECRs, AFED printers, and FECDs are conducted by Greek authorities, no significant enforcement actions involving ECRs have reached the courts, or can be referenced by tax officials.103 In light of the 20 years of certification experience that Greece has with ECRs, one might have expected things to be different. It is not clear whether this is a case of false confidence in technology, a case of superior technology, or a case of a superior deterrence profile, but in light of the Brazilian investigations, the Greek approach needs to be considered carefully. Is the direct certification of an ECR, with the willingness and demonstrated ability to go in and check for programmatic modifications, a significant deterrent?104
Comprehensive Audit: The Netherlands
The Netherlands is at the other extreme of the technology/traditional audit continuum. The Dutch are convinced that audits alone are sufficient. They reject fiscal till technology. The fundamental emphasis in the Netherlands is on detailed, comprehensive, and technologically penetrating audits. Direct government intrusion into the record-keeping systems of all businesses just to catch fraudsters is avoided at all costs. Following a pure principles-based approach to enforcement, the Netherlands believes that it can rely on good business practices and compliant taxpayers.
However, Netherlands officials speak about performing “deep audits”—that is, audits that are not focused solely on the sales records in the ECR. A deep audit considers businesses comprehensively; it looks at income taxes, consumption taxes, and employment taxes simultaneously, and with heavy stress on the interrelationships among taxes. Ben B.G.A.M. van der Zwet, lead auditor for technology compliance, has described the Dutch approach as follows:
The Dutch Tax Authority is convinced that the appropriate approach is to use principle based laws in this area. This method involves maintaining the law by stimulating the compliance of taxpayers. It is premised on a belief that we should be working from a starting point of trust to get compliance, or to provide explanations.
With respect to the problem of auditability and the completeness of sales for enterprises with sizable over-the-counter payments, the Dutch Tax Authority has decided to work to improve voluntary compliance.
The Dutch Tax Authority is cooperating with software developers, suppliers and manufacturers of cash registers, branch organizations, and larger companies.105
103 According to Panos Zafiropoulos, “[b]ecause of the very strict and quite detailed technical specifications that exist in Greek legislation, there are no infamous fraud cases regarding cash registers being used so far.” Personal e-mail communication, May 10, 2008 (on file with R.T.A.).
104 There is considerable interest in the Greek system in other countries. Kenya has adopted it, and at the time of writing (August 2009), the Greek approach was also being adopted in Kosovo. Panos Zafiropoulos, personal e-mail communication, August 10, 2008 (on file with R.T.A.).
105 Ben B.G.A.M. van der Zwet, “Note: Draft 20080201—Fiscal Obligations for Cash Registers in the Netherlands,” February 1, 2008 (unpublished draft on file with R.T.A.).
The Netherlands has been successful with this approach. One of the best examples of how a comprehensive multitax audit can uncover data manipulations is the café Dudok case.106 The Dudok case also illustrates the connection between sales suppression fraud and the symbiotic relationship that develops between SMEs and their ECR providers. The case involved a Dutch “grand café”—a style of café with spacious facilities, which welcomes drop-in customers and has a large cash-based clientele. This type of operation is an ideal business for skimming.
Dudok skimmed cash receipts with a primitive zapper and used a portion of the cash to pay employees under the table. The Dutch revenue authorities (Belastingdienst) were suspicious of the low wages reported and thought that additional, unreported compensation might be being distributed to employees.107 Testimony in the case indicated that on the second day of the payroll audit, the managing director of Straight Systems BV108 visited Dudok, where he was approached by the café’s owner-manager. Straight Systems BV supplied the Finishing Touch POS cash registers that were used by Dudok. The owner-manager explained that he was having difficulty accounting to the Belastingdienst for the wages that were being reported, in part because the auditors were also questioning the turnover that was reported. The numbers did not “seem right” to the auditors, and they were requesting backup data. The owner-manager was worried that this would lead them to the primitive zapper he was using.
The managing director of Straight Systems explained the existence of a more sophisticated zapper, a “hidden delete” option already embedded in the Finishing Touch cash registers. Essentially, the embedded device was “a hidden menu option that, after enabling ..., allowed operators of catering establishments to delete cash register receipts from the system.”109 After this discussion, an employee of Straight
106 District Court of Rotterdam, LJN: Ax6802 (June 2, 2006) (online: http://zoeken.rechtspraak.nl/resultpage.aspx?snelzoeken=true&searchtype=ljn&ljn=Ax6802) (in Dutch, translation on file with R.T.A.); appealed to the District Court of The Hague where the judgment was upheld, LJN: BC5500 (February 29, 2008) (online: http://zoeken.rechtspraak.nl) (in Dutch; translation on file with R.T.A.).
107 LJN: BC5500, supra note 106, at F3. Prior to using the phantomware installed on its system, Dudok was skimming sales in a very amateur fashion. The entire sales records of the POS system were deleted and records were reconstructed on Excel spreadsheets. The examining agents did not trust the spreadsheets and asked for the POS records as a backup to confirm what they were being shown on the audit. Ben B.G.A.M. van der Zwet, personal e-mail correspondence, May 28, 2008 (on file with R.T.A.).
108 Straight Systems BV is a Netherlands company that specializes in single-service ECR systems where all hardware and software are developed “in house.” The company Web site offers a 24-hour help desk where there is “one point of contact for all hardware and software for checkout’s front office and back office systems” (online: http://www.straight.nl) (in Dutch; translation on file with R.T.A.).
109 LJN: Ax6802, supra note 106, at “Consideration of the evidence” (in Dutch; translation on file with R.T.A.). The case discusses three software programs: Twenty/Twenty, Finishing Touch, and Tickview.exe. Twenty/Twenty was a US touch-screen program that did not have a
Systems visited Dudok, and explained and enabled the application of the erase rule (the hidden delete function).110 Subsequently, the café’s owner-manager decided to start using the option.111 Nevertheless, as van der Zwet recounts, the fraud was uncovered by the Belastingdienst auditors:
The most interesting thing about [Dudok] is that the discovery of the fraud was completely the benefit of a good and thorough tax audit. Based on our principle based law, tax officers were not satisfied getting the total reports and MS Excel work-pages with total sales etc. They wanted the [detailed] information of the POS. The tax officers persisted in their efforts to get the detailed information. This forced the entrepreneur to ask the POS supplier to help him out.... [He] was aware that once the POS records were audited the fraud would instantly be clear.
Straight Systems was helpful by installing an additional hidden feature of the POS system. Records in the POS could [now] be deleted and the records renumbered so that no gaps would appear.
A thorough investigation of the tampered databases revealed the deleting of the records anyway. So this was not simple bad luck [for the taxpayer] but a good audit job of the Tax administration!112
The court upheld criminal tax fraud determinations in the Dudok case in respect of unreported income, value-added, and payroll taxes. Both the restaurant operator and the ECR/software provider were convicted.
Two other successful audit-intensive cases in the Netherlands are notable, both of which involved software enabling fraud:
• Microcraft Software developed Analyse (also known as CxAnalyse and Retail) as a management information system for grocery stores, butchers, and bakers. It worked off a combination of ECRs and grocery scales. The zapper could be started with a hidden combination of keystrokes, and the user could then indicate a percentage of turnover that would be skimmed.113
• B&F Software and Computers B.V. developed Beleids Informatie Systeem (BIS) for hairdressers and an add-on program for zapping cash sales through POS and
phantomware application. Straight Systems BV added the phantomware application to Twenty/Twenty and renamed the program Finishing Touch. Using just this program, you can view the sales ticket and change data. With a secret command, the Tickview.exe program within Finishing Touch can be activated, and the operator is asked if he would like to delete the whole ticket. If an affirmative response is given, the system records a “no sale” and the entire audit trail to the original data is eliminated. Ben B.G.A.M. van der Zwet, personal e-mail communication, May 28, 2008 (on file with R.T.A.).
110 The trial court in Rotterdam refers to the phantomware application as a “hidden delete function,” whereas the appeals court in The Hague refers to the phantomware as “the erase rule.”
111 LJN: BC5500, supra note 106, at F3.
112 Ben B.G.A.M. van der Zwet, personal e-mail communication, April 16, 2008 (on file with R.T.A.).
113 See Case LJN: AT5876, District Court of Arnhem, July 27, 2005 (in Dutch; translation on file with R.T.A.).
client information systems. After the operator entered the percentage to be skimmed, the system selected the categories of transactions to be eliminated (for example, male walk-in customers paying cash without special services).114
Given the success of the Dutch authorities in prosecuting such cases, it is clear that an intensive and comprehensive audit approach works against automated sales suppression devices. There are a number of sizable cases in the Netherlands, and a much larger number of cases in Quebec, that demonstrate the effectiveness of this approach. Quebec, however, unlike the Netherlands, is convinced that more than an audit is needed. The SRM is a rules-based supplement to the audit effort.115
The United Kingdom has indicated that it shares the Netherlands’ opinion,116 and would prefer to avoid universal fiscal till solutions. However, a recent national pilot study of 941 UK enterprises has uncovered clear evidence of tax fraud involving phantomware. Given the apparent scope of this fraud (which has not been fully analyzed as of this writing), the United Kingdom may change its position on the use of fiscal till technology.117
Blending Rules and Principles: Certification of Third-Party Service Providers
Certification is the common thread among all the zapper enforcement efforts considered above. This is apparent if we step back from the details. In each instance—Greece, Quebec, Germany, and the Netherlands—the tax authorities responded to the threat of automated sales suppression in the same manner: they all looked for certification of digital records. Rules-based jurisdictions imposed external certification regimes to force businesses to keep trustworthy records; principles-based jurisdictions induced businesses to develop their own internal (self-)certification regime. In all cases, however, it is the reliability of digital records that is the main concern—and in all cases, the question is whether the certification is trusted. Both approaches work. But neither approach (rules-based nor principles-based) comes without costs and problems.
In rules-based jurisdictions, the prospect of forcing all businesses to accept a government presence inside the record-keeping function of private enterprises—the fiscal till solution—is considered by some to be far too intrusive. The observation is that this remedy is overly broad, and needs to be more focused. Why should all
114 B&F Optics BV, District Court of Amsterdam, August 11, 2005 (in Dutch; translation on file with R.T.A.).
115 The Quebec approach is to have the SRM together with specialized inspection teams and a significant public awareness program. Supra note 2, slide 5.
116 See “Cash Register Good Practice Guide,” supra note 6, at paragraph 1.4.4 and appendix E.
117 Jennifer Mitchell (HM Revenue & Customs, Local Compliance, SME Interventions), personal e-mail communication, November 26, 2008 (on file with R.T.A.).
sales activity be certified through government oversight, just because some records are untrustworthy? In Quebec, the government’s SRM minicomputer must be placed between every ECR and printer in every restaurant (except perhaps some small restaurants). In Germany, every ECR will be required to install a tamper-resistant, government-issued smart card that can be configured to record, sign, and transmit all data processed by the ECR. In Greece, no business can be conducted without processing transactions through a government-certified FECR or FESD.
Principles-based jurisdictions prefer a “hands-off” approach, at least initially. Moral factors and good business practices are relied upon to make digital records trustworthy. Unfortunately, this solution requires oversight, and the oversight that works is an audit program that is both comprehensive and technologically intensive. Even though it is more than inconvenient for a small business to have to respond to these kinds of audits, the real problem is not the complaints of the business owners; it is the fiscal demands placed on the revenue authority that must conduct the audits. Funding is rarely sufficient to secure the necessary audit teams and computer audit specialists.
Fortunately, there is another option—certification of intermediaries. This approach is used in the United States with CSPs (certified service providers) under the SSUTA.118 The SSUTA can be a useful template for jurisdictions seeking to develop less intrusive and less expensive methods for combatting automated sales suppression. Currently, CSPs perform all consumption-tax compliance functions for their clients. They determine taxability and the correct rates. They prepare and file returns, make tax payments, and immunize the taxpayer from liability for errors (except taxpayer fraud).
Extending the CSP’s obligations to include certification by the CSP to the government that the taxpayer’s ECRs and POS systems are free from zappers and phantomware would create a new enforcement regime. Four questions need to be addressed:
1. How does a CSP get ECR and POS system data?
2. How can a CSP be sure that the data it has are accurate?
3. What standards should the government use to certify a CSP’s automated system? In other words, what data does a tax authority need in order to be sure that it can trust the CSP’s attestation to the accuracy of the taxpayer’s system?
4. What is the most efficient and cost-effective way for a CSP to satisfy the government’s standards?
Possible responses to these questions are provided below.
1. How Does a CSP Get ECR and POS System Data?
CSPs currently pull data directly from the ECR or POS system to determine taxability at step 4 of the transaction sequence. The data are stored in an independent
118 See supra notes 13 to 15 and the related text.
(tamper-proof) audit file before they are used by the taxpayer to draft the invoice (receipt). The CSP maintains this file to protect itself from liability.
Unlike fiscal till solutions, which preserve data that are sent to the printer from step 5 (procedures a through d) or from step 6 (when the data are recorded in the X or Z reports or the electronic journal), the CSP is actually involved in generating the critical data sets. In real time, the CSP determines the taxability of transactions, calculates the tax, and passes this information back to the ECR. This event has a three-way data check:
1. The customer is demanding an accurate receipt, and the CSP and the business (the vendor-taxpayer) must produce it.
2. The business (which has the primary obligation to collect and correctly remit the tax) is demanding that the CSP perform this tax function accurately.
3. The CSP (which is assuming all the tax-compliance obligations of the business, including remission of taxes from funds provided by the business) is motivated to be accurate (to detect any fraud) because it has liability for any errors in the calculation and remittance of tax, and must compensate the tax authority for such errors out of its own funds.
With a CSP-based system, a “legal receipt” is not required. It could be mandated to combat fraud occurring outside the ECR, or maybe as a further tool against consumer-business collusions, but it is not necessary for the CSP. It is likely that the revenue authority would demand a legal receipt to facilitate audit checks.
The SSUTA is a voluntary system. However, there are strong incentives to participate. Businesses participate to get relief from regular audit, relief from penalties for tax calculation errors, and relief from additional taxes (penalties and interest) that stem either from late changes in laws or errors in taxability determinations.119 CSPs participate for commercial reasons: fees for service from the business-client or the state,120 and money-movement benefits. These incentives are offset by a shift in tax liability to the CSP if it makes errors. Only fraud by the business-client (the taxpayer)121 removes this liability.122 All CSPs insure against the risk of their own errors (so there is always a fund out of which missing taxes can be paid). They are also required to post a bond before receiving certification, and they are permitted to retain confidential transactional data in order to defend themselves, if necessary.
119 SSUTA, supra note 13, at section 9(a).
120 Ibid., at sections 601 to 603 (providing that the government may enter into contracts with a CSP to compensate the service provider directly on the basis of taxable transactions processed, or a percentage of instances where sellers without nexus volunteer to collect sales taxes that they are not otherwise obligated to collect).
121 A CSP is also relieved from liability for charging and collecting the incorrect amount of tax if that error is caused by erroneous data provided by a member state on tax rates, boundaries, or taxing jurisdiction assignments, or if it is based on erroneous data provided by the member state in the taxability matrix. SSUTA, supra note 13, at sections 328 and 331.
122 Ibid., at section 9(a).
2. How Can a CSP Be Sure That the Data It Has Are Accurate (Free from Manipulation)?
Ensuring the accuracy of the data relied upon is key to the SSUTA approach. In our view, the most effective way to do this is to adopt the German smart card in the private sector. The German smart card can be configured to sign every event—completed sales, temporary records, refunds, test modes, open or partially completed transactions. Thus, every keystroke could be recorded, collected, and signed on the smart card, and then transmitted to the CSP.123 The tax authority could then direct questions about any transaction, or about the business records associated with any ECR, to the CSP. Only in cases of fraud would it be necessary for the tax authority to approach the taxpayer-client. If suspicions were raised, it would be in the self-interest of the CSP to assist the government in determining the truth.
Use of a smart card would be a form of comprehensive ECR monitoring, but the private sector would be monitoring the private sector, in contrast to an intrusive government oversight program.124 For additional protection, it is likely that a CSP would also adopt the Greek security regime; that is, it would take steps to certify each specific ECR, and then keep a digital record of the programming of each machine that could be confirmed in the manner of a Greek audit.125
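
The following sketch is an added illustration, not code from the article, from INSIKA, or from any vendor. It shows why signing every event with a device-held key and a running counter exposes the delete-and-renumber manipulation recounted in the Dudok case even when the ECR's own receipt numbers show no gap. The record layout, field names and functions are assumptions made for this example, the transactions are constructed, and HMAC-SHA256 from the Python standard library stands in for the smart card's asymmetric digital signature.

```python
import hashlib
import hmac
import json
from copy import deepcopy

# Assumption: the key never leaves the tamper-resistant signing device.
# HMAC-SHA256 stands in for the smart card's asymmetric signature so the
# sketch runs on the standard library; with a real signature scheme the
# verifier (CSP or auditor) would hold only the public key.
DEVICE_KEY = b"constructed-demo-key"
GENESIS = "0" * 64


def _tag(key, counter, prev_tag, event):
    """Authenticate the device counter, the previous tag and the event body."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, f"{counter}|{prev_tag}|{body}".encode(),
                    hashlib.sha256).hexdigest()


class SigningDevice:
    """Hypothetical signing unit sitting between the ECR and the CSP."""

    def __init__(self, key):
        self._key, self._counter, self._prev = key, 0, GENESIS

    def sign(self, event):
        self._counter += 1
        tag = _tag(self._key, self._counter, self._prev, event)
        record = {"counter": self._counter, "prev": self._prev,
                  "event": event, "tag": tag}
        self._prev = tag
        return record


def receipt_gap_check(records):
    """Naive audit test: are the ECR's own receipt numbers consecutive?"""
    numbers = [r["event"]["receipt_no"] for r in records]
    return not numbers or numbers == list(range(numbers[0], numbers[0] + len(numbers)))


def verify_log(records, key, expected_count=None):
    """Return a list of findings; an empty list means the log verified."""
    findings, prev = [], GENESIS
    for position, rec in enumerate(records, start=1):
        if rec["counter"] != position:
            findings.append(f"position {position}: device counter is {rec['counter']}")
        if rec["prev"] != prev:
            findings.append(f"position {position}: chain link does not match previous tag")
        expected = _tag(key, rec["counter"], rec["prev"], rec["event"])
        if not hmac.compare_digest(expected, rec["tag"]):
            findings.append(f"position {position}: tag invalid, record altered")
        prev = rec["tag"]
    # The chain alone cannot show records cut from the end of the log, so
    # compare against the last counter value received from the device.
    if expected_count is not None and len(records) != expected_count:
        findings.append(f"log holds {len(records)} records, device reported {expected_count}")
    return findings


def simulate_delete_and_renumber(records, receipt_no):
    """Test fixture: drop one receipt and renumber the rest so that the
    receipt sequence shows no gap, as in the manipulation the auditors found."""
    kept = [deepcopy(r) for r in records if r["event"]["receipt_no"] != receipt_no]
    first = records[0]["event"]["receipt_no"]
    for new_no, rec in enumerate(kept, start=first):
        rec["event"]["receipt_no"] = new_no
    return kept


def build_sample_log():
    """Constructed sample: five events as an ECR might emit them."""
    device = SigningDevice(DEVICE_KEY)
    events = [
        {"receipt_no": 101, "type": "sale", "payment": "card", "total": "42.50"},
        {"receipt_no": 102, "type": "sale", "payment": "cash", "total": "18.00"},
        {"receipt_no": 103, "type": "sale", "payment": "cash", "total": "63.75"},
        {"receipt_no": 104, "type": "refund", "payment": "cash", "total": "-18.00"},
        {"receipt_no": 105, "type": "sale", "payment": "card", "total": "27.20"},
    ]
    return [device.sign(e) for e in events]


if __name__ == "__main__":
    log = build_sample_log()
    tampered = simulate_delete_and_renumber(log, 103)
    print("receipt numbers still consecutive:", receipt_gap_check(tampered))
    for finding in verify_log(tampered, DEVICE_KEY, expected_count=len(log)):
        print(finding)
```

On the tampered log the receipt-number check still passes, while verification reports the first break at the position of the removed record. Records cut from the end of the log leave the chain intact, which is why the verifier also compares the record count with the last counter value it received.
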
3. What Standards Should the Government Use To Certify a CSP’s Automated System?
What data does a tax authority need in order to be sure that it can trust the CSP’s attestation to the accuracy of the taxpayer’s system?
The data preservation standards that a CSP would need to meet if it were to certify the accuracy of business records in an ECR should be the same standards that a
123 In a personal e-mail communication, November 17, 2008 (on file with R.T.A.), Norbert Zisky confirmed, “If I get the data in Berlin from an ECR in Boston I am able to check the integrity (whether the data is unchanged against the original data) and the authenticity (whether the signature belongs either to the ECR or [to] the taxpayer). The kind of authentication depends on the operational concept of the tax body. In principle every transaction [final sales (step 5) and temporary transaction (step 2)] could be transferred to the auditor or a remote server.”
124 Not only could all transactions (final and temporary) be tracked and e-signed by the German smart card, but all of this could occur in real time. However, the German planners have indicated that, because the data are collected by government authorities, businesses “will have a strong resistance against this online tracking of transactions.” Norbert Zisky, personal e-mail communication, November 17, 2008 (on file with R.T.A.). There is a Serbian proposal to do this, but it has not been well received. Milan Prokin, “Technical and Functional Specification of Turnover Controllers—Draft Prepared for Fiscalis FPG 12 Cash Register Project Group” (undated; on file with R.T.A.), 7. Prokin (of the Faculty of Electrical Engineering, Belgrade) proposes a system whereby “[a]ll misuses of fiscal cash registers, fiscal printers, non-fiscal cash registers and non-fiscal printers listed in the document titled Cash Register Misuse Guide are inherently solved by a new device called a turnover controller [a central database where government servers store all transaction data].”
125 See supra note 47 and the related text.
principles-based jurisdiction, like the Netherlands, would set down for all ECRs. In a guide to businesses outlining their fiscal accounting obligations, the Dutch tax authority lists the requirements that a business must meet in order to bring its ECRs or POS system into compliance with Dutch law.126 They include
• detailed records available for the tax auditor if and when required,
• electronic preservation of the details of transactions,
• preservation of a complete audit trail, and
• adequate measures to guard against subsequent alterations in a manner that will ensure that data integrity is maintained.
The Dutch requirements may not be difficult for larger businesses to meet, but for SMEs (which is where phantomware and zappers are found), the requirements are burdensome. Van der Zwet confirms:
Hardly any of the cash registers or Point of Sale systems by themselves [comply] with the requirements set out by the Dutch Tax Authority. With larger companies this omission can be compensated for with adequate internal control measures. Without similar internal control efforts, SMEs that may be willing to comply with Dutch fiscal obligations will fail in their attempts.
• Data needs to be stored electronically.
• Facilities have to be implemented to export data to digital data carriers.
• Settings of the software and the adequate database structures must support a proper audit trail.
• Measures must be taken to assure the reliability of retained data.127
Under the SSUTA model, a third-party service provider could not be certified unless it could assure tax authorities that its system accurately, completely, and automatically captured the required data from the taxpayer’s ECRs. With these data on hand, the CSP’s attestations would be highly credible.
4. What Is the Most Efficient and Cost-Effective Way for a CSP To Satisfy the Government’s Standards?
Combining the smart card with the SSUTA approach appears to be the best solution. It is far less expensive than any other option; it uses proven technology, and the CSP in an SSUTA context is a proven legal structure. But there is also a strong argument for blending in the Greek approach to ECR certification, as well as the Quebec SRM’s
126 Belastingdienst, Your Cash Register and the Fiscal Accounting Obligations (The Hague: Belastingdienst, 2007) (online: http://www.gbned.nl/downloads/xmllogistiek/poas/Your%20cash%20register%20and%20the%20fiscal%20accounting%20obligations.pdf), paragraph 6, “Checklist for Cash Registers.”
127 Van der Zwet, supra note 105, at 4.
bar-code reader. Merging attributes of all three systems, a CSP vehicle makes a great deal of sense.
The only competing option is for the government to become the vehicle for implementation. However, even the German research teams working on the smart card project concede that direct government involvement compromises the effectiveness of the solution.
The German smart card solution comes from successful research in legal metrology, specifically the SELMA (Secure Electronic Measurement Data Exchange) project. The immediate goal of SELMA was to “... ensure the secure transfer of measured energy data from decentralized meters to the authorized users via open networks.”128 SELMA succeeded. The project leaders summarized SELMA as follows:
SELMA ... developed a security architecture to establish trust in the electronic transfer of data from the meter to data acquisition systems and further to the customers. The introduced security mechanisms are based on asymmetric cryptography and more specifically on digital signatures that enable the signed measurement data to be verified and authenticated in conjunction with a suitable key management. Particular security units have been created that contain the necessary security mechanisms.
The SELMA architecture represents a best practice solution of strong cryptographic mechanisms to secure a wide range of metrology applications and is compatible with appropriate European directives and guidelines.129
SELMA looked at natural gas meters. The SELMA solution assured multiple parties (traders, distributors, owners of distribution networks, and consumers) that remotely monitored meters were accurate. On the basis of the assumption that ECRs and POS systems are only a different kind of meter recording a different kind of data flow, the SELMA researchers suggested that the same solution could apply in this new context as well. The INSIKA project (described earlier in this article) was launched in 2008 to consider this application.
There are two critical differences between SELMA and INSIKA: (1) the INSIKA data represent confidential tax information (not natural gas measurements), and (2) the group of interested parties includes the government (whereas only private parties are involved in gas metering). The researchers soon became aware that businesses were strongly resistant to online tracking of transactions by the government.130 As a result, the SELMA solution was not able to be fully implemented in INSIKA. Zisky noted:
The real time, central collection of very large amounts of data is already being carried out today in different sectors of the economy. One example worth mentioning is the area of special contract customers for power supply. Of approximately 300,000 special
128 Iacono et al., supra note 84, at 312-13 (emphasis added).
129 Ibid. Also see the online source for the SELMA project, supra note 84.
130 See supra note 124, quoting from personal e-mail communication with Norbert Zisky.
contract customers, energy amounts recorded in intervals of 15 minutes are read out daily and stored centrally. These data, relevant to calibration law, provide the basis for the monthly billing. For the sake of completeness, the following should also be mentioned: work is currently being done towards securing measurement data cryptographically.
The decisive difference between the example of energy data transfer and the real time, central recording of tax-relevant data consists in the fact that the data must be collected by the authorities, rather than by a contracting partner.131
Simply put, even when there is “nothing to hide,” there are real privacy concerns when the government gets too intrusive.132
These are the same issues that confronted the SSUTA. The real-time collection of tax data by the government was not acceptable to business, but the collection of such data was acceptable when a third party did it. Thus, the issue changed. Now, the question was whether the government could trust the third party as much as the taxpayer did (rather than whether the government should be trusted to collect the data directly). The SSUTA answer was that, yes, the government could trust a third party, but only if the third party’s systems were certified.133 (Similarly, the Dutch tax authority was concerned with finding a way to encourage voluntary compliance by taxpayers, rather than imposing too much government control over private business records.)
The SSUTA was born as an inexpensive, voluntary regime to streamline sales tax compliance. It extends audit immunity to taxpayers who use CSPs, because the CSP is trusted by the government. An SSUTA type of system to prevent zappers and phantomware applications in ECRs could be made mandatory for all sectors of an economy. Alternatively, it could be applied only in high-risk sectors, or it could perhaps be made mandatory only for those taxpayers who had previously been found to manipulate sales records. Even if it were only mandatory for some taxpayers, participation in the system should remain an option for all businesses. This would increase the pressure on those who do not use CSPs to maintain good records. Traditional audit resources could be more intensively focused on this subset.
Conclusion: Assessing Quebec’s SRM
With the SRM currently in operation in a select number of restaurants on a volunteer basis, it seems appropriate to offer an assessment of how effective the SRM could prove to be, in light of the experience with anti-fraud initiatives in other jurisdictions. There are five critical observations.
131 Zisky, “Manipulation Protection,” supra note 83, 10-11 (emphasis added).
132 Daniel J. Solove, “ ‘I’ve Got Nothing To Hide’ and Other Misunderstandings of Privacy” (2007) vol. 44, no. 4 San Diego Law Review 745-72.
133 There is a related issue of trust involving consumers. It was necessary to add a provision to the SSUTA to protect personally identifiable information (PII) from disclosure when it was in the hands of the trusted third party. See supra note 92.
1. The SRM will work. Coupled with a significant audit effort, the SRM will most likely be an effective zapper and phantomware deterrent in the Quebec restaurant sector. There are several reasons for this:
   a. the SRM is similar to the very effective FESD and FECR with AFED printer that has been in use in Greece for over 20 years;
   b. the SRM deployment is accompanied by a commitment to increase pre-audit investigators who will refer suspected fraudsters for full audits; and
   c. the SRM will facilitate rapid pre-audit investigations by embedding bar codes on each receipt that will verify that it is “legal.”
   All of these factors bode well for the workability, effectiveness, and ultimately the success of the SRM.
2. The SRM is expensive. Quebec estimates that the SRM will cost approximately $650 per unit, an expense that will be borne entirely by the Quebec government. The estimated cost for full deployment of the SRM throughout the restaurant sector is $55 million. These costs approximate the Greek costs, but are 10 times the per-unit cost of the German smart card, and they present Quebec with a scalability problem. In other words, if Quebec wants to eventually extend the SRM throughout the economy, instead of focusing on a single sector, the magnitude of these expenses might force the government to either limit its financial support (as is the case in Greece) or move to a device modelled on the German smart card. Because zappers and phantomware are not confined to the restaurant sector, the scalability of the SRM solution needs to be considered in advance of full implementation.
3. The SRM is an invoice-based solution. Quebec, like Greece and Germany, designed its solution around the invoice (receipt), and passed laws mandating that a legal receipt must be given in each sale. This requirement raises concerns about too much government in private business: Why should every sale need to be accompanied by an SRM-signed receipt when profits from only some sales are skimmed? However, this intervention into private business relationships is a necessary part of the enforcement regime, because the invoice is the trigger that sets the whole data security process in motion. Factoring in some Dutch concerns and looking more closely at a CSP/smart card solution might have some merit.
4. Extending a mandatory SRM solution outside the restaurant sector may be difficult. Indeed, the fact that some restaurants have agreed to participate in the SRM pilot project on a voluntary basis does not mean that the SRM will be widely accepted throughout the restaurant sector. Could the government impose mandatory use of the device throughout the economy? Quebec’s empirical work supports a restaurant initiative, but audit results in the Netherlands (as well as some early cases in Quebec) suggest that the problem is much more widespread; grocery stores, convenience stores, and hairdressers are all suspect. In Germany, there is considerable resistance to the smart card precisely because it is being considered for the whole economy. Quebec’s single-sector approach is unusual and may ultimately prove to be unstable,
because it will not solve the whole problem, and it treats businesses unequally. Business incentives may be helpful in this effort, and by offering them, Quebec would be taking a page from the principles-based jurisdictions. The SSUTA model highlights the incentives that have worked in the United States.
5. The SRM is not a real-time solution.134 There is nothing in the SRM, in the German smart card proposal, or in the Greek system that accelerates audit, return filing, or tax remission into real time. Real-time compliance is very possible with certified systems, but this would require adoption of a CSP/smart card solution. It is an intriguing thought that the CSP/smart card would not only stop skimming frauds with zappers and phantomware, but also bring tax compliance into real time.135
Appendix: Comparison of Solutions in the Five Jurisdictions—A Graphic Summary
Admittedly, there is a considerable amount of material in our comparative assessment of zapper prevention efforts, and a lot of it is highly technical. If we keep in mind that the effort here has focused on technological solutions to backroom (not real-time) skimming of cash sales,136 there are some fundamental comparative
134 However, if one considers the entire Quebec effort—the use of the SRM with hand-held scanners in conjunction with enhanced monitoring of restaurants by inspection teams—it is likely that Quebec comes closer to a real-time enforcement effort than other jurisdictions. (Although this is not a formal real-time audit, it may well result in real-time enforcement.)
135 Use of a CSP solution would not (in the opinion of Revenu Québec) be effective in preventing all types of fraud. For this reason, Revenu Québec remains committed to very substantive audits (along the lines of the Dutch approach) in conjunction with the SRM. Marc Simard indicates that “a CSP-type solution (including certification of computer systems), would not be at all effective in combating other types of schemes such as failure to record invoices and the absence of invoices. As explained earlier, the restaurateur may decide not to use this system to record sales, even if he has a certified system. It is therefore quite likely that with this type of solution, restaurateurs will continue using other tax-evasion methods, which might even replace the use of zappers. Revenu Québec’s solution, which is more comprehensive, requires that an invoice issued by the MEV [SRM] be remitted to the customer, ensuring that the sales amount is recorded in the system. Customer awareness, combined with on-site inspections, will play an important role in ensuring the effectiveness of this solution.” Marc Simard, personal e-mail communication, September 15, 2009 (on file with R.T.A.).
136 Real-time skimming runs the range from situations where the owner simply chooses not to ring a sale through an ECR (and puts the cash directly in his pocket), to situations where the owner produces copies of common receipts and uses the copies of a single receipt multiple times (and then puts the cash in his pocket). There are a whole series of frauds that can occur directly at the ECR. Some of them do involve technology. A hidden switch could activate a program in the ECR on an individual transaction basis and prevent the ECR from functioning (so that cash could be put directly in an owner’s pocket). All of these real-time frauds rely on the owner (or a trusted associate) being the clerk at the ECR. These frauds tend to occur in very small businesses (so-called Mom and Pop establishments), because stealing receipts from
points—costs, the nature of the security, and special features—that can providehandlestoassistanalysisoftheseveraloptions.
Costsrunfromapproximately$650to$50(�1,000to�30),withtheexpensebe-ingbornebythetaxpayer(Greece)orthegovernment(Quebec),oronoccasionbyathird-partyserviceprovider(theUnitedStates).Adoptionofthesesecuritydevicesis(orwillbe)eithermandatory(Quebec,Greece,andGermany)orvoluntary(theUnitedStates).Mandatoryadoptioncanbe limitedtoaspecificmarketsegment(Quebec).
Securityfeaturescanbeprovidedthroughdigitalfingerprintsalone(Greece)orthroughcombiningadigitalfingerprintandadigitalsignature(QuebecandGer-many). There are remote auditing possibilities (Germany), as well as hand-heldscanningoptionsthatcanbeutilizedtoassisttraditionalauditorsincomplianceef-forts(Quebec).
the government is one thing, but instructing employees in the art of stealing receipts from the business is quite another matter.
The critical point with zapper technology is that these devices allow fraud to move out from behind the ECR and into the back room. It allows the fraud to migrate up the business chain—from the single Mom and Pop stores into the medium-sized or multistore chains of commonly owned businesses. With a zapper, an owner can put employees at the ECR, insist that they ring sales accurately, but late at night eliminate selected cash sales from the business records. It is this second level of fraud (more serious, involving larger businesses, and encompassing larger aggregate sales totals) that the SRM (and the other technological solutions) is aimed at. The SRM alone will not stop skimming frauds. It is especially bad at detecting real-time skimming. Audits are still necessary, but the SRM gives Revenu Québec a hand-held scanning device that (along with the requirement that a legal receipt must always be issued) goes a long way toward addressing these additional concerns.
Summary of Features of Anti-Skimming Solutions in Five Jurisdictions

| Jurisdiction | Cost | Cost paid by | Mandatory/voluntary | Security | Special features |
| --- | --- | --- | --- | --- | --- |
| Quebec: SRM | $650 per ECR | Government | Mandatory in restaurant sector | Digital fingerprint and digital signature | Hand-held bar-code reader |
| Greece: FECR, AFED printer; FESD | €200-250 to €800-1,000 (a); €400-650 per machine (b) | Taxpayer | Mandatory with every ECR in the country | Digital fingerprint | Multiple ECRs can be connected to single device |
| Germany: Smart card | €30-50 per machine (c) | Undecided | Mandatory with all new ECRs in the country | Digital fingerprint and digital signature | Will allow remote auditing |
| Netherlands: Comprehensive audit | Unknown (deemed to be prohibitive by the Netherlands and Germany) | Government | Random/risk-selected audit | Not applicable | Not applicable |
| United States: CSP and SSUTA | Fee determined by marketplace based on size of taxpayer’s business and services needed | Government (d) or taxpayer | Voluntary | Dependent on system adopted | Trusted third party |

(a) Cost of FECR with AFED printer, low-end and high-end; used only for B2C transactions.
(b) Cost of FESD used for B2B and B2C transactions, and presumes the existence of an ECR or POS system.
(c) Assumes that the smart card is inserted into a new ECR.
(d) Incentive provided under the SSUTA to get some taxpayers to use a CSP; in such cases, government assumes all costs. Otherwise, cost of a CSP is borne entirely by the taxpayer.
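The "Security" column pairs a digital fingerprint with a digital signature, and the text above describes auditors scanning receipts that must always be issued. The sketch below is an added illustration of how those pieces let an auditor detect sales removed after the fact; it is not taken from the article and is not the SRM's actual design. The record layout, key, and sample sales are constructed, and an HMAC stands in for the device's digital signature.

```python
import hashlib, hmac, json
DEVICE_KEY = b"constructed-demo-key"   # assumption: secret kept inside the recording device
GENESIS = "0" * 64

def fingerprint(prev_fp, seq, sale):
    """Digital fingerprint: hash over the sale, its counter and the previous fingerprint."""
    body = json.dumps({"prev": prev_fp, "seq": seq, "sale": sale}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def device_tag(fp):  # stand-in for the device's digital signature (HMAC, not asymmetric)
    return hmac.new(DEVICE_KEY, fp.encode(), hashlib.sha256).hexdigest()

def record_sale(log, sale):
    """Append a sale to the records and return the entry printed on the customer's receipt."""
    seq, prev_fp = len(log) + 1, (log[-1]["fp"] if log else GENESIS)
    fp = fingerprint(prev_fp, seq, sale)
    entry = {"seq": seq, "sale": dict(sale), "prev": prev_fp, "fp": fp, "tag": device_tag(fp)}
    log.append(entry)
    return dict(entry)

def audit(log, scanned_receipts=()):
    """Return findings for the business records, cross-checked against scanned receipts."""
    findings, prev_fp, expected_seq = [], GENESIS, 1
    for e in log:
        if e["seq"] != expected_seq or e["prev"] != prev_fp:
            findings.append(f"chain break before seq {e['seq']}")
        if fingerprint(e["prev"], e["seq"], e["sale"]) != e["fp"]:
            findings.append(f"record {e['seq']} altered")
        if not hmac.compare_digest(device_tag(e["fp"]), e["tag"]):
            findings.append(f"record {e['seq']} not issued by device")
        prev_fp, expected_seq = e["fp"], e["seq"] + 1
    on_file = {e["tag"] for e in log}
    for r in scanned_receipts:
        if hmac.compare_digest(device_tag(r["fp"]), r["tag"]) and r["tag"] not in on_file:
            findings.append(f"receipt {r['seq']} missing from records")
    return findings

# Constructed sample data: four sales, amounts in cents.
SALES = [{"cents": 4250, "pay": "card"}, {"cents": 1800, "pay": "cash"},
         {"cents": 9600, "pay": "cash"}, {"cents": 2300, "pay": "card"}]

def demo():
    log = []
    receipts = [record_sale(log, s) for s in SALES]
    zapped = [e for e in log if e["seq"] != 3]   # sale 3 removed from the records
    return audit(log, receipts), audit(zapped, [receipts[2]])

if __name__ == "__main__":
    print(demo())
```

The audit cannot see a sale that was never rung through the device, which is the real-time skimming case the footnote says still requires audits.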