Payroll compliance guide
What is payroll compliance?
There is perhaps no more fundamental function in business than paying employees accurately and on time. Meeting contractual obligations to the people who give their time to the company is the most basic level of payroll compliance.
But there is a lot more to payroll compliance than that. Payroll is one of the most highly regulated functions in business today, often with layers of tax and employment law at the national, regional, local and, increasingly, multinational, level.
To ensure payroll compliance, employers must abide by a wide range of regulations relating to taxation and social insurance, delivery of statutory reporting, data protection, and employment conditions (including employee validation, minimum wage levels, benefits, allowances, leave entitlements, working hours and overtime rules). They need to maintain and file complete and accurate records – and pay the correct taxes – on time for every employee, in line with the latest regulations.
The growing trend to employ local talent means multinational companies now, more than ever, need a thorough understanding of local taxation and other employment laws.
Keeping on top of payroll-related rules and regulations in a single jurisdiction is complex enough. However, for companies handling global payroll, there is an intricate web of widely varying payroll-related regimes to keep up to speed on, and stay compliant with.
This is what makes payroll compliance one of the key drivers of complexity in doing business around the world. To make matters even more challenging, some of the most complex markets in which to do business are also the most punitive in terms of fines and penalties for non-compliance.
Payroll compliance is therefore one of the biggest areas of financial and reputational risk for multinational organisations: the consequences of making a mistake, even inadvertently, can be severe, putting companies at risk of investigation by the authorities.
Source: Global Business Complexity Index 2022 by TMF Group
Here are just a few examples of the potential consequences of non-compliance:
In China, as prescribed by the Security Law of the PRC, Articles 86, if an employer fails to pay an employee's monthly social insurance contributions on time and in full, the employer is required to make any underpaid or overdue amount within a stipulated period. Late payment interest will be imposed from the due date at 0.05% per day on underpaid/overdue payment; where the payment is not made within the stipulated period, the local authorities will impose penalty at a range from 100%-300% on the underpaid/overdue amount.
In Colombia, the Ministry of Labour has powers to monitor, verify and control compliance with employment standards. One of the toughest measures it can impose for non-compliance is the suspension of activities for up to 120 days, or even the closure of a company.
In the UK, penalties for failing to pay the National Minimum Wage are extremely punitive, at 200% of any arrears owed to the worker (up to a maximum penalty of £20,000 per worker). An employer's brand and reputation can also suffer, as the UK tax authority 'names and shames' employers that are penalised.
What are the key payroll compliance considerations?
The global payroll compliance landscape can be a difficult one to navigate and interpret. Overseas businesses can be subject to greater scrutiny on the part of local governments, regulators and tax authorities.
In more complex regulatory environments, there may be frequent changes to legislation, onerous payroll reporting requirements, detailed paper-based record keeping and complex salary calculations.
These are the key areas where compliance is a must:
These vary widely, and no two jurisdictions are the same. This highlights the need for local expertise: people on the ground who can assess each situation in the context of the local regulatory environment while meeting corporate needs.
There are as many, if not more, varieties of tax regime as there are countries in the world, often with variances across states and regions within nations. This lack of uniformity complicates the process of managing global payroll: there is no one size fits all when it comes to tax compliance.
With labour laws often titled strongly in favour of the individual, organisations need to adhere to strict processes for hiring new employees, as well as for terminations, whether voluntary or involuntary.
Source: Global Business Complexity Index 2022 by TMF Group
Every jurisdiction has its own specific requirements for which information must be reported, and when. In some countries, employers must keep up-to-date figures and report information to external authorities each month. In other countries, government reporting is much less of burden and is only required annually. For example:
- In the United Kingdom, all employers must notify Her Majesty's Revenue & Customs (HMRC) of their 'Pay As You Earn' (PAYE) liability at the same time as, or before, they make payments to employees. Reports must be submitted to the government each time the business completes a pay run - failure to comply results in fines.
- In some countries, the tax authorities are proactive. For example, the Finnish tax authority sends individuals a pre-filled tax return in the spring of each year. Once checked, if there is nothing to correct, it can simply be filed for personal records.
Social security registration and reporting requirements can be onerous, particularly where regulatory authorities are trying to address the issue of illegal workers. In Mexico, for example, employees are registered at the Social Security Institute and employers with workforces of 300 or more must file an audited report demonstrating they have paid the mandatory monthly premiums applicable to every employee (both employer and employee contribute).
Employment and tax rules are typically complex and different for expatriate workers dependent upon location and personal circumstances. There may or may not be reciprocal tax agreements in place between the host country and the expatriate worker's home country; there may or may not be a need to set up a business entity to employ expatriates. There may be the option for 'employment without establishment' (EwE) in the country. Whatever the options, it's important to set up and report on foreign personnel correctly.
Managing multi-country payroll can be made more complex by specific employee leave entitlements, which must be adhered to in order to remain compliant. These entitlements vary widely:
- Norwegian employees are not entitled to holiday pay during the first year of their employment, but they are still entitled to leave. However, if they worked with another employer prior to their current job, they will receive holiday pay from the previous employer.
- Companies with staff in the United Arab Emirates must provide them with at least 30 days of annual leave after more than one year of service. UAE labour law allows Muslim employees in the private sector unpaid leave amounting to 30 days, which can be taken once during their period of employment. This is to be used to perform the Hajj (the annual Islamic pilgrimage to Mecca).
Why must you consider data privacy laws?
Employing people brings with it a lot of paperwork – from information about training, skills and recruitment, to personal and confidential details such as addresses, pay and disciplinary records. While much of this information used to be stored in locked filing cabinets, it is increasingly being digitised. This carries huge advantages – but also big risks.
As the use of cloud-based payroll systems rises, so too does the risk of data breaches. And with an increasing amount of regulation focusing on how personal data is handled, payroll teams must have a clear, strict and transparent process for the storage and use of any data they hold on their employees.
The European General Data Protection Regulation (GDPR) brought the most significant data protection legislative changes for the management of employee’s personal data. Under the GDPR, employers must notify data breaches which carry a privacy risk for employees without undue delay and, where feasible, not later than 72 hours after becoming aware of them. Moreover, employers infringing this, and other GDPR requirements, can be subject to administrative fines of up to €20 million, or in the case of an undertaking, four percent of the total worldwide annual turnover of the preceding financial year.
Another example is Singapore’s Personal Data Protection Act 2012 (PDPA), which similarly governs the collection, use and disclosure of personal data by organisations, recognising individuals’ right to protect their personal data, as well as organisations’ needs to use this data. From 1 October 2022, Singaporean authorities can impose financial penalties of SG$1 million, or 10% of local annual turnover for organisations whose turnover exceeds SG$10 million, whichever is higher. The PDPA reiterates the liability of employers for acts of employees, and introduces personal liability for the improper use of data. Personal liability resulting in a conviction can be punished with a fine, not exceeding SG$10,000, or imprisonment for a term not exceeding three years, or both.
With similar data protection laws being introduced in many other jurisdictions, it is important for payroll teams to adequately manage compliance in every country their companies do business in. However, for payroll teams with global responsibility, it can be very difficult to keep up to date with changes in local data protection procedures and regulations. One way companies are addressing this is to work with partners who have the local knowledge and skills to ensure payroll compliance.
The updated data privacy laws require clear policies, procedures and guidelines to be in place, alongside technical and organisational security measures. Among others, these include:
- Adequately informing the (candidate/former) employees about the purposes their data will be used for in all stages of the (pre-/post-) employment and disclosing with whom the data will be shared and for what reason.
- Being transparent about the international data transfers and only transferring personal data outside the home jurisdiction if communicated in advance, if strictly necessary and upon having the required technical and organisational safeguards in place to protect the personal data to the same standard as in the home jurisdiction. You must use a proper legal basis for such transfer, various jurisdictions require different legal bases.
- Only requesting a new hire’s social security number and other legally required sensitive personal data after the candidate has accepted the position.
Securely deleting the rejected job candidates’ resumés in accordance with the predetermined data retention term, about which the candidate was informed in advance. - Seeking consent before using a resumé for a different role than the one the candidate applied for.
- Communicate about and have clear policies on purposes for retaining ex-employees’ personal data, and about the deletion thereof.
- Create a data inventory, identify and implement procedures to be able to securely delete all personal data processed in various systems.
- Avoiding monitoring of employees email, computer and telephone usage, unless the necessity has been shown and evidenced through a data protection impact assessment.
- If employees are being monitored on a large scale or if the employer core activity consists of the processing of a large scale of sensitive personal data, the GDPR requires a data protection officer (DPO) to be appointed to monitor the organisation’s compliance, with specific requirements for positioning and the role. Other jurisdictions, like Singapore, require the mandatory appointment of a DPO for all organisations.
- Informing employees about their rights in relation to data privacy laws, and enabling them to exercise these rights through, among other things, raising their awareness.
- Only entrusting the management of employee data to an accredited partner. In the HR and payroll services industry, to provide the required level of data security and information management, the main accreditations and compliance programmes are: International Standard on Assurance Engagements (ISAE) 3402; ISO 27001 – the standard for information security management systems; and ISAE 3402/SOC 1 report for payroll services.
What are the most common payroll mistakes?
It’s worth avoiding these common mistakes when it comes to running payroll across multiple jurisdictions, especially those with more complex regulatory frameworks:
- For many multinational companies, subsidiaries operating in some markets may not adhere to the same payroll standards as the company HQ – lacking the typical business controls, checks and approvals. This is often due to a lack of infrastructure and global systems, with local compliance frequently relying on spreadsheets, for example, which eliminates auditability and accountability. It pays to have consistent global policies and processes in place that apply to all payroll operations.
- Similarly, not having access to adequate global systems is one of the biggest barriers to effective global payroll management. From a payroll compliance perspective, having a consolidated view across payroll processing in every country is invaluable, particularly if it offers full visibility of payroll processing activities, performance and consolidated reporting.
- Unchecked electronic fund transfers (EFTs) present a serious fraud risk. A lack of regular audits or procedures to oversee payment authorisations can not only make it difficult to determine true employment costs, it can also expose the company to corrupt practices.
- Some employee ‘business expenses’ can also have tax implications. These need to be carefully monitored to ensure compliance and to guarantee that any reimbursements are correctly allocated, with the correct tax paid.
- The use of petty cash to cover ad hoc operational expenses, or even wages, can be particularly risky from an auditing and compliance point of view.
How to tackle global payroll complexity?
Ensuring organisations remain compliant in the face of complex and constantly changing requirements is one of the biggest challenges facing those managing global payroll operations. Requirements such as the need to keep paper records, rules around hiring and firing, and the administration of a large number of mandatory and customary benefits all contribute to creating a high administrative workload.
Not only must payroll managers navigate their way through the layers of complexity to get to grips with how labour laws, tax rules and other statutory legislation apply to their operations, they also need to differentiate between a statutory requirement and a commonly accepted practice and its potential impact on employee relations.
One of the greatest challenges global payroll teams face is understanding the changing legislative requirements. It’s not just that the requirements are complex and prescriptive, but many countries are also undergoing significant revisions to their labour laws, requiring subject matter experts to keep on top of changes.
In some countries, changes can be introduced at short notice to take place with immediate effect. There can also be uncertainty about interpretation.
Many companies have managed to address payroll compliance successfully by:
- working closely with other internal functions such as tax and treasury, legal, and compensation and benefits
- relying on system vendors and outsourcers
- bringing in targeted expertise on the ground
- relying on updates from third-party software providers.
Payroll is a substantial part of business expenses, but many organisations remain focused on the bigger picture. Regular assessments of payroll structure, employment policies and overall employee cost profile can be hugely beneficial, but are often overlooked. Such payroll health checks are a valuable tool for identifying areas where a company is overspending or where financial penalties may be incurred, as well as mitigating fraud risk or potential non-compliance.
