Caution with APIs or solutions that claim to comply with VERI*FACTU

Currently, in the course of various audits, over 120 development companies, recognized as leaders in the field, consult us about solutions promoting APIs or similar for the implementation of the anti-fraud regulation or VERI*FACTU, suggesting their acquisition with the promise that these APIs conform to the legislation.

Given that the anti-fraud regulation is broad enough to raise several issues that must be demanded from these providers, it is important to include certain aspects that, as companies developing billing solutions, should not be overlooked when hiring an API platform or similar.

When evaluating these platforms as options, keep in mind the following advice:

Presently, there are no platforms that fully comply with the anti-fraud regulation.

This is because many platforms commit to complying with VERIFACTU; however, the anti-fraud regulation includes 4 additional sections beyond the regulation, which relate to billing, accounting, and management processes. These requirements exceed what is established in VERIFACTU, RD1619/2012, and others.

Advice: An API platform alone does not guarantee 100% compliance with the anti-fraud regulation; it is also necessary to comply with the rest of the legal framework.

VERI*FACTU Compliance Certificate

If the software is installed in 100 clients, our sanction calculator estimates a fine of approximately 1.2 million euros for non-compliance during the first year for the developing company. Will you leave the possibility of facing this fine in the hands of a third party?

Advice: Demand in writing a report from an independent auditor that clearly certifies the compliance with VERI*FACTU, with evidence that ensures its operation.

API platforms must manage and protect all XML records during the mandatory period

Proper management of XML files during the time that the taxpayer is required to retain them is crucial. API companies must ensure their integrity and preservation, as well as their custody chain and retention during this period.

Advice: Request an evaluation report from an independent auditor that demonstrates with evidence the appropriate security controls.

Communication based on electronic certification

If the API system manages certificates and keys to facilitate invoice communication through VERI*FACTU, this service must comply with eIDAS and LSEC. A system that handles certificates and keys must meet certain security levels, for example, ensuring that the backups made by the API system, which contain the taxpayer’s certificates and keys, are kept secure to prevent serious identity theft. Additionally, the legislation demands that certificates and keys be “under the exhaustive control” of the taxpayer.

If, on the other hand, it is proposed that communication is carried out with the service provider’s electronic certificate, it is necessary to demand compliance with the applicable legal framework.

Advice: Require legal compliance and a report from an independent third party to confirm it.

Conclusions

The use of third-party APIs or external certificate repositories does not guarantee, in any of the cases this auditor has reviewed, the complete compliance with the anti-fraud regulation by the developing company and its solution, also being necessary to comply with other legal obligations beyond VERIFACTU. Before hiring an API that implements VERIFACTU, it is essential to request a report from an independent third party that, through evidence, demonstrates its reliability; otherwise, you face the risk of multimillion-dollar sanctions for both the developing company and the taxpayers.