Invoice security depends on:
- the technology used;
- existing controls within the enterprise;
- agreements concluded between the concerned parties.
The use of the Peppol network provides guarantees for the secure transfer of data. Access to the network is provided by certified service providers. You can compare this to a telecommunications network. The e-mail channel, on the other hand, is very flexible but highly exposed to invoice fraud and Internet crime (phishing, malware, ransomware, etc.).
'Service Providers' (also called 'Access Points') in the Peppol world are like letterboxes in the paper world: entry and exit points in a transport network ensuring efficient service. That responsibility can be shared among several operators provided they commit to common rules. In the Peppol context, those rules are set out in a contract, the 'Service Provider Agreement'. Service providers sign this contract with a Peppol authority (the coordinating Peppol authority, the Belgian non-profit association OpenPeppol, or the national Peppol authority, in Belgium FPS BOSA (Federal Public Service Policy and Support)). All service providers are aware of the various local regulations at the place where they want to operate.
The latest list of service providers who have signed a contract with FPS BOSA can be found here: Belgian Peppol Authority. You will also find the latest version of the Peppol Service Provider Agreement here (Dutch and French).
Can someone register my company without my permission?
In order to access the network, end-user identification (derived from KYC requirements, Know Your Customer, from the financial sector) is essential. This means that verification of your identity is necessary to establish a network connection. During the registration process, the software provider will request documentation that confirms your identity and will verify your authorisation to act on behalf of that company.
Why is end-user identification important?
In order to prevent identity fraud, correct end-user identification is essential. As with any system, the weak link is often found in operations that require manual intervention. However, this principle is not optional: a service provider that does not comply with the rules risks losing its certification and access to the network, and with it its entire business.
Are there better methods than end-user identification?
Various service providers have automated part of the end-user identification process, for example through:
- identity verification: reading the certificate on the Belgian identity card, use of itsme©, etc.;
- authorisation checks: verification based on the published function holders in the Crossroads Bank for Enterprises.
The degree of automation often depends on the number of registrations that an application has to process, as this affects the payback period of an investment in (semi-)automation.
Furthermore, increased supervision of registration has an impact in terms of costs, charges and risks for all economic actors. Moreover, it never fully eliminates the risk of identity fraud in individual transactions if someone gains illegal access to the IT system of the sender or recipient.
How far should we go in making systems complex in order to avoid human error? It is important to find a balance between security, user-friendliness and cost-efficiency. Identification of end users, carried out by certified service providers, in combination with the recently introduced mandatory IBAN name check, is currently the best possible compromise.