When the Employee – Not the Company – Pays for Fictitious Invoices
A ruling from the Court of Justice of the European Union has upended a decade of conflicting case law in Poland, establishing that employees who issue fraudulent VAT invoices under their employer’s name bear personal liability for the tax – unless the employer failed to supervise them. The implications reach far beyond Polish fuel stations.
For years, the arithmetic of invoice fraud in Poland had an unsettling feature: the person who committed the crime and the person who paid for it were often not the same. An employee would issue fictitious invoices using the company’s data – its name, its tax identification number, its address. The employee would pocket the proceeds. And the company, upon discovery, would receive a tax assessment for the full amount of VAT shown on invoices it had never authorized, never seen, and never included in its returns.
The legal mechanism that produced this result was Article 108(1) of Poland’s VAT Act, which provides that the entity which “issues” an invoice showing VAT is obligated to pay that tax. Tax authorities routinely interpreted “the entity which issues” to mean “the entity named on the invoice as the seller” – regardless of who had physically created the document. The company’s name was on the paper; the company owed the tax. That the invoice had been fabricated by a rogue employee, operating a criminal enterprise from the company’s own premises, was treated as the company’s problem.
On January 30, 2024, the Court of Justice of the European Union put a stop to this.
The Rule: The Employee Pays
In Case C-442/22 – arising from a Polish gas station where a manager spent four years issuing 1,679 fictitious invoices totaling nearly 1.5 million zlotys in fraudulent VAT – the court established a principle that is as clear as European tax jurisprudence gets:
Where an employee of a VAT taxable person has issued a false invoice showing VAT, using the identity of the employer as a taxable person without the employer’s knowledge or consent, that employee must be regarded as the person showing VAT within the meaning of Article 203 of the VAT Directive – unless the taxable person failed to exercise the due diligence reasonably required in order to monitor the actions of the said employee.
The default, in other words, is employee liability. The employer escapes the tax bill unless it can be shown that the employer’s own negligence in supervision enabled the fraud.
The court’s reasoning proceeded from text to purpose to precedent. The word “shows” in Article 203 of the VAT Directive (“any person who shows VAT on an invoice is liable for payment”) implies agency – an active act of creation and disclosure. It was not the company that “showed” anything; it was the employee. As Advocate General Juliane Kokott observed in her opinion of September 21, 2023, the company in such cases “is rather a victim than a perpetrator” (Opinion of AG Kokott, Case C-442/22). To treat a good-faith employer as the debtor when the tax authority knows perfectly well who actually committed the fraud would be, the court held, “contrary to the objective of combating fraud” that the Directive pursues (para. 30).
The Exception: The Employer Pays When Supervision Failed
The court’s ruling is not an amnesty for employers. It contains a condition – and the condition has teeth.
An employer cannot claim good faith if it failed to exercise “the due diligence reasonably required in order to monitor the actions of the said employee.” In such a case, “the fraudulent actions of his employee can be attributed to the employer” (para. 35). The employer becomes the person who “showed” VAT on the invoices and must pay accordingly.
The Polish Supreme Administrative Court, applying this standard to the gas-station case on September 3, 2024 (I FSK 1212/18), translated the European formula into an operational test: due diligence requires, “in particular, the creation of a system (procedure) for monitoring invoicing activities carried out by employees.” Not aspiration. A system.
What Failure Looks Like
In the Lublin case, the company failed. The manager’s computer had never been inspected – not once in more than four years. She was authorized to issue invoices outside the station’s official accounting software, in Excel, with no one’s approval. Her job responsibilities had never been put in writing. The fraud involved other station employees who collected receipts on her behalf in exchange for payment, operating with what the court described as “an awareness of the complete absence of any supervisory system” (I FSK 1212/18, para. 3.8).
The court was blunt: “The principal charge against the appellant’s management consists in the excessive trust placed in P.G., coupled with the failure to establish appropriate internal control procedures.”
What Success Looks Like
The Warsaw Regional Administrative Court, ruling on November 24, 2023 (III SA/Wa 1058/23), reached the opposite result in a factually analogous case – and the contrast is instructive.
The company operated a chain of gas stations. A manager at one station had been issuing empty invoices for years. The court annulled both tax decisions and terminated the proceedings, holding that the company had acted in good faith.
What made the difference? The company had maintained security procedures and conducted audits – annually, with spot-checks of invoices. Upon discovery, it filed criminal complaints, audited all stations, issued corrective invoices, overhauled its IT systems, and tightened protocols. Three criminal courts had already convicted the employee. And – a detail the court found particularly telling – law enforcement had known about the fraud before the company did, yet had not informed it.
The court drew a distinction that illuminates the entire area: “One must distinguish between issuing invoices in the name of the company (within the scope of employment authority) and issuing invoices under the company’s name (within the framework of organized criminal activity and without its knowledge).” The manager had done the latter. The company was not a participant; it was a casualty.
“Combating tax fraud,” the court observed, quoting Advocate General Kokott, “is primarily the task of the state, not of private persons.”
When There Is No Employment Relationship at All
A separate category – resolved before the 2024 CJEU ruling and unaffected by it – involves identity theft by persons with no employment or agency connection to the company.
In 2017, the Polish Supreme Administrative Court held that a sole trader whose brother had forged his signature and used his company stamp on ten invoices was not the “issuer” under Article 108(1) – because a person who did not know about a document, did not consent to it, and did not introduce it into commerce cannot, in any meaningful sense, be said to have “issued” it (I FSK 1459/15).
In 2019, the court extended this to a bookkeeper engaged under a service contract who had simultaneously been the owner of the company receiving the fictitious invoices – effectively issuing invoices to herself (I FSK 1037/17). The court added its most-cited observation: accepting the opposite interpretation “would mean that anyone could drive any company into bankruptcy” simply by downloading its registration data and printing a fictitious invoice.
In these cases – no employment relationship, no supervisory obligation – the due-diligence test does not arise. The named company is not the issuer, full stop.
The Criminal Dimension
The employee who issues fictitious invoices faces consequences that extend well beyond a tax assessment. Under Poland’s Fiscal Penal Code, issuing unreliable invoices (Article 62(2)) carries fines of up to 720 daily rates or imprisonment. Under the Criminal Code, intellectual falsification of documents (Article 271(1) and (3)) is punishable by up to eight years’ imprisonment. Large-scale invoice falsification (Article 271a) carries sentences of three to twenty-five years where the value exceeds ten million zlotys.
In the Warsaw case, the employee was convicted in three separate criminal proceedings – under Article 62(2) of the Fiscal Penal Code and Articles 271(1) and 271(3) of the Criminal Code. A labor court, ruling on her dismissal, found that she “had full awareness of the acts she committed.”
Statute of Limitations: A Procedural Trap
Cases involving employee-issued fictitious invoices inevitably implicate the statute of limitations on tax obligations – five years from the end of the year in which the tax was due. Tax authorities can suspend this period by initiating fiscal-criminal proceedings linked to the obligation (Article 70(6)(1) of the Tax Ordinance).
But the suspension must be genuine – not instrumental. The Warsaw court (III SA/Wa 1058/23) found that criminal proceedings initiated against the company in November 2017, when the employee had already been convicted three times for the same acts, bore no real connection to the company’s tax obligation. The tax decisions, issued after the limitations period had expired, were void.
This is a practical defense worth examining in every case where the employer is the target: if the actual perpetrator is already identified and convicted, a fiscal-criminal investigation directed at the employer may lack the nexus required to suspend the limitations clock.
Corrective Invoices: Timing Is Everything
The CJEU has repeatedly held (Schmeink and Cofreth, C-454/98; Finanzamt Österreich, C-378/21) that Article 203 of the VAT Directive does not apply where the risk of revenue loss has been eliminated. If the issuer of a fictitious invoice has removed, “in good time,” the possibility that the recipient will deduct the VAT – by issuing a corrective invoice and ensuring that the recipient has reflected the correction – the obligation to pay lapses.
The Warsaw court went further: “Even bad faith does not preclude avoiding the application of Article 108(1) – provided the recipient subsequently reflects the corrective invoice in its settlement, per saldo ‘cancelling’ the tax effect.”
But the Supreme Administrative Court has consistently held (I FSK 1329/14; I FSK 315/14) that corrective action taken only after a tax audit has detected the irregularity does not meet the “good time” standard. The correction must precede the discovery.
What the Prudent Company Builds Now
The combined jurisprudence yields a concrete architecture of due diligence – one that courts have shown they will examine element by element.
A monitoring system for invoice issuance. The Supreme Administrative Court named this as the threshold requirement. It can be internal (a designated compliance function) or external (periodic audits by a professional firm). The Warsaw court accepted annual audits with spot-checks as sufficient.
Written delegation of invoicing authority. Every employee authorized to issue invoices needs a documented scope of authority specifying permissible systems, formats, and the requirement for supervisory approval of any deviation.
IT controls. Regular review of work computers used for invoicing, folder-access restrictions, invoice-numbering verification, and reconciliation of issued invoices against actual transactions.
External oversight of accounting functions. Engaging professional tax and accounting advisors to review invoice flows provides an independent control layer – particularly valuable in decentralized operations.
Documented post-discovery response. Immediate audit, criminal complaint, corrective invoices, IT modifications, tightened procedures. The Warsaw court credited every one of these steps in its good-faith assessment.
Internal policies. Rules governing access to corporate stamps, document-handling procedures, mandatory reporting of suspected irregularities, and prohibition of off-system invoicing without authorization.
The Broader Reach
The standard is not limited to gas stations. It applies to any business that authorizes employees to issue invoices – every company with a sales, accounting, or customer-service function. The risk is highest in industries with high transaction volumes, franchised or multi-location operations, and limited direct board-level oversight of individual sites.
The employer who fails to build a supervisory system pays a tax that was economically embezzled by a subordinate and exploited by third-party fraudsters. Recovery through civil litigation against the employee is theoretically available but, in practice, seldom adequate: employees who engage in systematic invoice fraud are rarely in a financial position to satisfy a judgment for the amounts involved.
The Architecture of the Answer
The jurisprudence that crystallized in 2024 replaced a decade of contradiction with a two-step framework:
Step one: Was the invoice issued by the employee without the employer’s knowledge and consent? If yes, the employee is the person liable for the VAT.
Step two: Did the employer exercise the due diligence reasonably required to monitor the employee’s invoicing activities? If not – if there was no monitoring system, no written procedures, no periodic review – the liability shifts to the employer.
The Lublin company had nothing: no computer audits, no written job descriptions, no invoicing controls. It paid.
The Warsaw company had procedures, audits, corrective action, and criminal complaints. It didn’t.
The difference between paying someone else’s tax bill and walking away free is, in the end, a question of infrastructure – of whether you built the system before the fraud, not whether you discovered it after.
Robert Nogacki – licensed legal counsel (radca prawny, WA-9026), Founder of Kancelaria Prawna Skarbiec.
There are lawyers who practice law. And there are those who deal with problems for which the law has no ready answer. For over twenty years, Kancelaria Skarbiec has worked at the intersection of tax law, corporate structures, and the deeply human reluctance to give the state more than the state is owed. We advise entrepreneurs from over a dozen countries – from those on the Forbes list to those whose bank account was just seized by the tax authority and who do not know what to do tomorrow morning.
One of the most frequently cited experts on tax law in Polish media – he writes for Rzeczpospolita, Dziennik Gazeta Prawna, and Parkiet not because it looks good on a résumé, but because certain things cannot be explained in a court filing and someone needs to say them out loud. Author of AI Decoding Satoshi Nakamoto: Artificial Intelligence on the Trail of Bitcoin’s Creator. Co-author of the award-winning book Bezpieczeństwo współczesnej firmy (Security of a Modern Company).
Kancelaria Skarbiec holds top positions in the tax law firm rankings of Dziennik Gazeta Prawna. Four-time winner of the European Medal, recipient of the title International Tax Planning Law Firm of the Year in Poland.
He specializes in tax disputes with fiscal authorities, international tax planning, crypto-asset regulation, and asset protection. Since 2006, he has led the WGI case – one of the longest-running criminal proceedings in the history of the Polish financial market – because there are things you do not leave half-done, even if they take two decades. He believes the law is too serious to be treated only seriously – and that the best legal advice is the kind that ensures the client never has to stand before a court.
