Automatic Verification of VAT numbers
When one EU company exports to another EU company,
the seller must verify that the recipient has a proper VAT number
at the moment of export, and be able to prove such verification.
But there are more demanding laws than practical means to implement them.
Companies in different EU countries are supposed to apply 0% VAT when they sell products to each other. To avoid abuse of this attractive rate, it is required that the selling party verifies the VAT number and the matching company name.
Although it is strange that the sending party is made responsible for the correct identity of the recipient, this is the sort of administrative nuisance that governments regularly apply to companies. Unfortunately, there are only troublesome mechanisms to make the validation, because the written confirmation always takes a few days. There is no automated mechanism to validate the VATnr/name combination.
Automation of the VATnr/name verification is advantageous for all parties involved:
- Labour reduction for the companies involved.
If orders can be automated, it may be possible to reduce prices, and thus
grease the exchange of goods within the EU. Automation allows for
such fast feedback that a web interface can instantly report an error to its
visitor, requesting immediate repairs instead of going through a manual
exception handling process that is a nuisance to both seller and buyer.
- Labour reduction for the tax office.
The tax office is reluctant to handle more than five verifications in a
phone call, or more than fifteen in a letter. This is because they wish to
handle verification requests with some speed, but it also gives an impression of the
pressure involved in making the verifications.
- The right information at the right time.
VAT numbers and company names can change at any time. The verifications
would ideally be done at the precise instant that they are needed, instead
of continuing to use lookups from half a year ago. With automated procedures,
this memoryless verification is the simplest possible implementation,
and since it hardly adds any cost it would be the implementation of choice.
And that would be to the advantage of the VAT system, preventing any VAT
number fraud.
There is an online tool called VIES that enables anyone to enter a VAT number and see if it exists. What this tool will not always give is the name of the company under that number. The reason is the privacy of those companies, a concern that is certainly appreciated. But in effect, it renders the tool useless to validate a VAT number in general.
Instead, a web form that would accept a company name and a VAT number would be more useful. The company name would have to be matched with some semi-intelligent algorithm, but that should be possible with current technology. Or, a buying company could be asked to provide the exact name of its company as registered under the VAT number.
If privacy of companies towards the webmaster of the verification tool is a concern (as seems to be the case), then it is possible to use secure message digesting schemes to verify the company names. Instead of submitting the company name, a secure message digest of the VAT number and company name, both in a canonical form, could be submitted to the tool for verification.
As an example, here is how such a hash would be calculated:
Company name: OpenFortress B.V.
VAT number: NL813323253B01
Digest algorithm: SHA1
Digest input: NL813323253B01 OpenFortress B.V.
Digest output: 8A35 A616 3C65 B61B CCFE F778 136C D698 5A27 7D10
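The digest scheme above as a runnable sketch, added here as an example and not OpenFortress code: the buyer's input is reduced to a canonical form, hashed in the page's "VAT number, space, company name" layout, and checked by a service that stores digests only. The page does not define the canonical form, so the normalisation rules and the names `canonical_vat`, `canonical_name`, `vat_digest` and `DigestRegistry` are assumptions.

```python
import hashlib
import re
import unicodedata

def canonical_vat(vat: str) -> str:
    # Assumed rule: drop spaces, dots and dashes, then uppercase.
    return re.sub(r"[\s.\-]", "", vat).upper()

def canonical_name(name: str) -> str:
    # Assumed rule: Unicode NFKC, trim, collapse runs of whitespace.
    return " ".join(unicodedata.normalize("NFKC", name).split())

def digest_input(vat: str, name: str) -> str:
    # Layout from the page: VAT number, one space, company name.
    return f"{canonical_vat(vat)} {canonical_name(name)}"

def vat_digest(vat: str, name: str) -> str:
    hexval = hashlib.sha1(digest_input(vat, name).encode("utf-8")).hexdigest().upper()
    # Same presentation as the page: groups of four hex digits.
    return " ".join(hexval[i:i + 4] for i in range(0, 40, 4))

class DigestRegistry:
    """Hypothetical verification service: holds digests only and answers yes/no."""

    def __init__(self, records):
        self._known = {vat_digest(vat, name) for vat, name in records}

    def verify(self, submitted: str) -> bool:
        # Accept the digest with or without grouping, in either case.
        hexval = re.sub(r"\s", "", submitted).upper()
        if not re.fullmatch(r"[0-9A-F]{40}", hexval):
            return False
        grouped = " ".join(hexval[i:i + 4] for i in range(0, 40, 4))
        return grouped in self._known

if __name__ == "__main__":
    registry = DigestRegistry([("NL813323253B01", "OpenFortress B.V.")])
    # Constructed input: the buyer types number and name with stray formatting.
    d = vat_digest("nl 8133.23.253.B01", "  OpenFortress   B.V. ")
    print(digest_input("nl 8133.23.253.B01", "  OpenFortress   B.V. "))
    print(d, registry.verify(d))
    print(registry.verify(vat_digest("NL813323253B01", "OpenFortress BV")))
```

SHA1 is kept only to match the page's 2006 example; a deployment today would pick a current digest such as SHA-256. Because VAT numbers and registered names are guessable, the digest hides them only from a party that holds no list of candidate companies.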
The online tool can be turned into something useful, but it still does not implement VAT laws (as we have them in the Netherlands). The tool simply answers yes or no, without providing anything that can be used as proof.
Ideally, the tool would display a message which is digitally signed. The PGP format provides a straightforward, textual format that is easily copied/pasted from a website, either by a human or a tool. For the foregoing example, the secure hash would be submitted for verification, and lead to the following timestamped outcome:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
EXAMPLE MESSAGE:
Following is the message digest of a string comprising of:
- VAT number of an EU company
- a space
- The name of the company
The following is the value of the SHA1 message digest:
8A35 A616 3C65 B61B CCFE F778 136C D698 5A27 7D10
This value has been looked up in the VAT system for the Netherlands on:
Wednesday, March 29, 2006
This date is also marked in the digital signature on this message.
On this day and 30 days following it, it is ALLOWED to trade with this
company at 0% VAT for any EU company outside the Netherlands.
-----BEGIN PGP SIGNATURE-----
Version: OpenFortress Digital signatures http://openfortress.nl/
iQCVAwUBRCpO0RkR0SUDFqlQAQIUXwP9Gh9oEQmpKdw5T818oV4duTY+HLCHR7D4
2km2nb65GntcnCvsy+a2kyi3Ju2E6uDIcdUxlASKh5BF60F/Jq4zBAH0IeXz0jJC
ZPsc1dHhdxcL0Ayxzre5cowX/nXHu3bagsuCJRZqjx/xPOyYDSy12csWuLW0RmgX
swEyx4fcZ9M=
=521x
-----END PGP SIGNATURE-----
This message can be verified and processed automatically.
An administration that implements the (Dutch) VAT laws would simply keep
track of these pieces of information:
- billing information, charging 0% VAT
- the inputs and outputs of the message digest
- a PGP-signed statement like above, from a reliable source
Note how no manual labour is necessarily required in any of these.
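How an administration might process such a statement automatically, as an added example that is not part of the original article: it extracts the digest, the lookup date and the validity period from the signed text and checks whether a given invoice is covered. It assumes the signature has already been verified against the tax office's key (for instance with `gpg --verify`), which this block does not do; the function names and regular expressions are assumptions fitted to the page's example wording.

```python
import re
from datetime import date, datetime, timedelta

# Constructed sample: the signed text of the page's example statement, as it
# would be handed over after the signature check (armor lines removed).
STATEMENT = """\
EXAMPLE MESSAGE:
Following is the message digest of a string comprising of:
- VAT number of an EU company
- a space
- The name of the company
The following is the value of the SHA1 message digest:
8A35 A616 3C65 B61B CCFE F778 136C D698 5A27 7D10
This value has been looked up in the VAT system for the Netherlands on:
Wednesday, March 29, 2006
This date is also marked in the digital signature on this message.
On this day and 30 days following it, it is ALLOWED to trade with this
company at 0% VAT for any EU company outside the Netherlands.
"""

DIGEST_RE = re.compile(r"^((?:[0-9A-F]{4} ){9}[0-9A-F]{4})$", re.M)
DATE_RE = re.compile(r"^(\w+day, \w+ \d{1,2}, \d{4})$", re.M)
DAYS_RE = re.compile(r"On this day and (\d+) days following it")

def parse_statement(text: str):
    """Return (digest, first valid day, last valid day) or raise ValueError."""
    digest = DIGEST_RE.search(text)
    looked_up = DATE_RE.search(text)
    days = DAYS_RE.search(text)
    if not (digest and looked_up and days):
        raise ValueError("statement lacks digest, lookup date or validity period")
    start = datetime.strptime(looked_up.group(1), "%A, %B %d, %Y").date()
    return digest.group(1), start, start + timedelta(days=int(days.group(1)))

def covers(text: str, expected_digest: str, invoice_date: date) -> bool:
    """True only if the statement is about this digest and this invoice date."""
    try:
        digest, start, end = parse_statement(text)
    except ValueError:
        return False  # unparseable statements never justify 0% VAT
    return digest == expected_digest and start <= invoice_date <= end

if __name__ == "__main__":
    ours = "8A35 A616 3C65 B61B CCFE F778 136C D698 5A27 7D10"
    print(parse_statement(STATEMENT))
    print(covers(STATEMENT, ours, date(2006, 4, 28)))  # last covered day
    print(covers(STATEMENT, ours, date(2006, 4, 29)))  # one day too late
```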
The PGP-signed statement given above can also be brought in by the buying
party, for example on a website that processes a sale. This would
shift the burden of VAT number verification from the seller to the buyer,
which is probably a reasonable change. The selling party is free to demand
this shift of work, because it uses the same technical facilities.
This pre-validation probably uses signatures by the buying party's tax office.
This is no problem because PGP keys can acknowledge each other's validity,
ideally under a suitable signing policy. In such a setup, every EU member
nation would locally sign VAT statements like above, and every EU member would
acknowledge the PGP key of every other EU member.
One step further would be to grant a PGP key to every company, and have the
VAT number as one of its user identities. The tax office of the company's
country could validate that identity, and revoke the validation when this
is required. The PGP web of trust that already exists then makes it possible
to validate such validations and retractions. Automatically.
OpenFortress firmly believes that digital signatures can leverage automation
in everyday practice; this is just an example. We are always willing to look
into these matters to expedite automation.
We wish to emphasise the importance of signing policies for any signing
standard, be it for PGP or a less practical technology. As soon as we raise
the funding to standardise our signing policy project we will move to it, to the benefit
of the industry as a whole.
Posted on Wed, 29 Mar 2006, 11:20.