Your Employee’s Fraud, Your Tax Bill

When a gas-station manager in Poland spent four years selling fictitious invoices under her employer’s name, the question of who should pay the resulting tax debt travelled all the way to Luxembourg. The answer has reshaped how European law thinks about corporate responsibility.

The facts of the case that would eventually reach the Court of Justice of the European Union have the texture of a middling crime thriller – the kind where the scheme is ingenious enough to work for years but too simple to survive a single competent audit.

A limited-liability company in eastern Poland operated a gas station. Its manager – hired in November 2005, trusted by the board, responsible for the entire on-site operation – ran, alongside the legitimate business, a parallel enterprise. Between January 2010 and April 2014, she issued one thousand six hundred and seventy-nine fictitious invoices bearing her employer’s name, tax identification number, and address. The invoices were sold to cooperating businesses, which used them to claim fraudulent deductions of value-added tax. The total VAT siphoned from the Polish treasury: 1,497,847 zlotys – roughly three hundred and twenty thousand euros.

The mechanism was resourceful in the way that long-running frauds tend to be: it piggybacked on real transactions. Employees at the station collected authentic cash-register receipts from customers who hadn’t asked for formal invoices. The manager attached these genuine receipts to fabricated invoices issued to entirely different parties – parties who had never purchased a liter of fuel at the station but who now possessed documentation suggesting otherwise. The fabricated invoices looked credible because each one corresponded to a real sale; the fraud lay not in the transaction but in the identity of the supposed buyer.

The fictitious invoices differed from legitimate ones in format (they used an alternative numbering convention), in medium (they were produced in Excel rather than the station’s official bookkeeping system), and in handling (they were never forwarded to the company’s accountants and never appeared in its tax returns). Their electronic copies were stored in a password-protected folder on the station’s computer. Their paper originals were placed in sealed envelopes inside a blue folder at the cash register, from which cooperating cashiers handed them to clients who came to pick them up. The manager did not print backup copies, precisely to avoid creating a paper trail. The scheme lasted more than four years before a cross-check audit by the tax authorities – not any internal review by the company – brought it to light (Regional Administrative Court in Lublin, judgment of February 23, 2018, I SA/Lu 987/17, at 2–4 of the reasoning).

The company fired the manager under Article 52 of the Polish Labor Code – immediate dismissal for gross misconduct. Criminal proceedings followed. None of that was controversial. What proved explosive was a different question altogether: who owes the VAT that appeared on the fictitious invoices?

The Statute and Its Ambiguity

Article 108(1) of Poland’s VAT Act – the domestic transposition of Article 203 of the EU’s VAT Directive – provides that when a legal person, an organizational unit without legal personality, or a natural person “issues” an invoice showing a VAT amount, that entity is obligated to pay it. The provision is not a penalty. As Poland’s Constitutional Tribunal confirmed in 2015 (P 40/13), and as the Court of Justice of the European Union has repeatedly emphasized, its purpose is preventive: to eliminate the risk that a recipient of an invoice will claim a deduction for VAT that was never remitted to the treasury.

The interpretive difficulty arises when the entity named on the invoice as the seller is not the entity that physically created, signed, and introduced the document into commerce. The statute says the entity that “issues” the invoice must pay. It does not say the entity whose data appear on the invoice must pay. In ordinary circumstances, the two are identical. In cases of employee fraud, they diverge – and the divergence proved, for nearly a decade, irreconcilable within the Polish judiciary.

Two Lines of Authority

The Objective Line: The Named Seller Pays

One current of Polish jurisprudence held that the entity identified on the invoice as the seller is, for purposes of Article 108(1), the issuer – regardless of who physically produced the document. The Supreme Administrative Court endorsed this position in 2013 (I FSK 362/12), reasoning that where an employee authorized to issue invoices does so fraudulently, the employer bears the organizational risk. The employee was not a stranger to the company; she was its agent, empowered to act in its name. Releasing the employer from the tax consequences, the court argued, would “shift responsibility for the conduct of business from entrepreneurs onto the state, which cannot be accepted.”

This line of reasoning had a certain blunt logic: the employer chose the employee, granted her authority, and failed to supervise her. The employer, not the state, should bear the cost.

The Subjective Line: The Actual Creator Pays

The competing position emerged forcefully in a June 2017 ruling by the Supreme Administrative Court (I FSK 1459/15). The case involved two brothers – one a sole trader, the other a person with no formal employment or agency relationship to the business – where the latter had used the former’s company stamp and forged his signature on ten invoices. The court held that the trader could not be treated as the invoice issuer: “A person whose data were unlawfully used in the content of an invoice – an entity under whose identity another entity unlawfully ‘impersonated’ itself – is not the issuer of the invoice obligated to pay tax under Article 108(1).”

The reasoning was textual. The statute uses the verb “issues” (wystawi), which denotes an act of creation and introduction into commerce. A person who did not know the document existed, did not consent to its creation, and did not deliver it to anyone cannot, in any linguistically coherent reading of the provision, be said to have “issued” it.

Two years later, in October 2019 (I FSK 1037/17), the Supreme Administrative Court extended this reasoning to a case involving a bookkeeper who had access to the company’s premises, accounting records, and corporate stamps under a service contract. The bookkeeper – who was simultaneously the owner of the company receiving the fictitious invoices – had issued four empty invoices in the client company’s name. The court ruled for the company, adding an argument whose clarity has made it the most-quoted passage in this area of Polish tax law:

“The interpretation presented by the court of first instance is not acceptable. It implies that every taxpayer is liable for the unlawful use of its publicly available data. In other words, if someone randomly selects a company from the National Court Register and issues an invoice naming that company as the supplier, the company is obligated to pay the VAT shown on the invoice. Such an interpretation means that, in a straightforward – if unlawful – manner, one could drive any company into bankruptcy.”

The deadlock between these two lines forced the Supreme Administrative Court, in the gas-station case, to refer a preliminary question to the Court of Justice of the European Union.

The Luxembourg Answer: Case C-442/22

The Court of Justice (Eighth Chamber – Piçarra, Jürimäe, Safjan) delivered its ruling on January 30, 2024. The operative paragraph reads:

Article 203 of the VAT Directive must be interpreted as meaning that where an employee of a VAT taxable person has issued a false invoice showing VAT, using the identity of the employer as a taxable person without the employer’s knowledge or consent, that employee must be regarded as the person showing VAT within the meaning of that Article 203, unless the taxable person failed to exercise the due diligence reasonably required in order to monitor the actions of the said employee.

The court adopted neither the objective nor the subjective line of the Polish courts. It created a conditional default: the employee is liable unless the employer’s negligence in supervision shifts the balance.

The Three-Step Reasoning

Step one: scope of Article 203. The court recalled that the provision exists to “eliminate any risk of loss of tax revenue that may arise from the right of deduction” provided for in the VAT Directive (para. 24, citing Stroy trans, C-642/11, para. 32, and Finanzamt Österreich, C-378/21, para. 20). The issuer of an invoice showing VAT is obligated to pay that amount “regardless of any fault, where there is a risk of loss of tax revenue.” But – and this caveat has significant practical implications for the question of corrective invoices – “where such a risk of loss is excluded, Article 203 of the VAT Directive does not apply” (para. 25, citing Finanzamt Österreich, C-378/21, para. 24).

Step two: identifying the debtor. The phrase “any person” in Article 203 encompasses both VAT taxable persons and non-taxable natural persons (para. 27). But the text alone cannot resolve who the “person showing VAT” is when an employee has appropriated the employer’s tax identity to commit invoice fraud – the phrase “any person” could refer to either (para. 28). The court resolved the ambiguity teleologically: it would be “contrary to the objective of combating fraud” to treat the employer – whose identity was stolen – as the person who showed VAT, “where that issuer is acting in good faith and the tax authority is aware of the identity of the person who actually issued that false invoice” (para. 30).

Step three: the due diligence test. Drawing on its established jurisprudence on the right of deduction (Teleos, C-409/04, para. 65; Mahagében and Dávid, C-80/11 and C-142/11, para. 54), the court held that “a similar obligation of due diligence should, in the context of Article 203 of the VAT Directive, be imposed on the employer with respect to his employee, in particular where that employee is required to issue VAT invoices in the name and on behalf of his employer” (para. 35). An employer who has not exercised the diligence required to control the employee’s actions and thereby prevent the misuse of the employer’s tax identity cannot be regarded as acting in good faith. In that case, “the fraudulent actions of his employee can be attributed to the employer,” and the employer becomes the person who showed VAT within the meaning of Article 203 (para. 35).

The assessment of due diligence is to be made by the tax authority or the court hearing the case, through “an overall assessment of all the relevant circumstances” (para. 36).

The Polish Standard: NSA, September 3, 2024

Armed with the Luxembourg ruling, the Polish Supreme Administrative Court returned to the gas-station case (I FSK 1212/18) and upheld the tax authorities’ decision against the company. The court’s formulation of the legal standard – which now governs the application of Article 108(1) in Polish law – deserves quotation in full:

Article 108(1) of the VAT Act must be interpreted as meaning that where an employee of a VAT taxable person has issued a false invoice showing VAT, using the identity of the employer as a taxable person without the employer’s knowledge or consent, the employer is not regarded as the person showing VAT within the meaning of Article 108(1) only when the employer has exercised the due diligence reasonably required to monitor the actions of the said employee, including in particular the creation of a system (procedure) for monitoring invoicing activities carried out by employees.

The phrase “a system (procedure) for monitoring” is the decisive contribution of the Polish court. It translates the European standard of “due diligence” into an organizational requirement: there must be a procedure, and it must actually function.

What Failed in the Gas-Station Case

The court identified five failures that, taken together, established the company’s lack of due diligence:

First, the manager’s computer had not been subjected to any review during the entire multi-year period of the fraud – not by her deputy, not by the company’s president (para. 3.8). Second, she was authorized to issue invoices outside the station’s official bookkeeping system, using Excel, without any additional approval from her employer. Third, her job responsibilities had never been formally defined in writing; she operated under an informal, unwritten scope of authority that was “very broad.” Fourth, the fraud lasted more than four years and involved the active participation of other station employees who collected receipts in exchange for payment – “which indicates that both she and these employees felt safe in carrying out the scheme, due to their awareness of the complete absence of any supervisory system.” Fifth, the company’s president tolerated the practice of the manager performing work during her leave periods, including carrying documents outside company premises and creating files on her personal computer.

The court was explicit about the central reproach: “The principal charge against the appellant’s management consists in the excessive trust placed in P.G., coupled with the failure to establish appropriate internal control procedures that might have deterred her from undertaking activities bearing the hallmarks of fraud against the employer” (para. 3.8).

And it made one further point that eliminates a potential defense: whether the fictitious invoices were created on the company’s computer or on the manager’s personal device is “irrelevant to the outcome, given the finding that the appellant had no supervisory procedures whatsoever for controlling the use of company computers by employees issuing invoices” (para. 3.9). The deficiency was systemic, not evidentiary.

The Warsaw Counterpoint: III SA/Wa 1058/23

Nine months before the Supreme Administrative Court’s final ruling in the Lublin case – and two months before the Luxembourg judgment – the Regional Administrative Court in Warsaw reached the opposite conclusion in a factually analogous case.

The Warsaw case also involved a gas-station chain and a manager who had been issuing fictitious invoices with the company’s data. The court annulled both tax decisions and terminated the tax proceedings entirely, holding that the company could not be treated as the invoice issuer.

The distinguishing element was not the nature of the fraud – which was identical – but the nature of the employer’s conduct. The court, drawing on the opinion of Advocate General Juliane Kokott in the then-pending C-442/22, articulated the distinction that separates the two outcomes: “One must distinguish between issuing invoices in the name of the company (within the scope of authority arising from employment law) and issuing invoices under the company’s name (quasi within the framework of organized criminal activity and without the company’s knowledge).”

The Factors That Made the Difference

The company had maintained internal security procedures and conducted audits – annually, and twice in one particular year, including a spot-check of VAT invoices. Upon discovery of the fraud, it filed criminal complaints with prosecutors, conducted audits across all its stations, issued corrective invoices zeroing out the fictitious ones, banned the issuance of collective invoices at stations, modified its IT systems to prevent the creation of unauthorized invoices, and tightened its audit protocols.

Three criminal courts had already convicted the manager – in February 2016, September 2016, and January 2017 – for issuing unreliable invoices (under Article 62(2) of the Fiscal Penal Code) and for intellectual falsification of documents (under Articles 271(1) and 271(3) of the Criminal Code). A labor court, ruling on the lawfulness of her dismissal, found that she “had full awareness of the acts she committed.”

Perhaps most remarkably, the court noted that law enforcement had known about the manager’s criminal activity well before the company did – the first criminal conviction predated the company’s discovery by at least seven months. The company had learned of the irregularities not from any government agency but from a newly assigned on-site supervisor who stumbled upon discrepancies during routine housekeeping.

The court’s conclusion was pointed: “If the organs of the state already knew about the criminal conduct of the enterprise’s employee and did not share that knowledge with the enterprise – even though the enterprise was vitally interested in it, having itself been defrauded by its own worker – then those same organs cannot now contend that the problem of fictitious invoicing was the enterprise’s alone to solve.”

And it invoked the Advocate General’s observation that “combating tax fraud is primarily the task of the state, not of private persons. Even the protection of tax revenue cannot lead to burdening with VAT a taxable person who has nothing to do with the fraud.”

The Identity-Theft Line: When There Is No Employment Relationship

The due-diligence test applies only where there is an employment relationship – and therefore an obligation to supervise. Where the person who created the fictitious invoice has no employment or agency connection to the named taxpayer, the analysis is simpler: the named taxpayer is not the issuer, full stop.

In I FSK 1459/15 (2017), the Supreme Administrative Court held that a sole trader whose brother – with no employment or contractual relationship – had used his company stamp and forged his signature on ten invoices was not the issuer under Article 108(1). “In light of the interpretation adopted by the Supreme Administrative Court, it is unnecessary to examine the due diligence of a party who is not the issuer of the invoice, since a party who is not the issuer has no obligation to pay the tax shown on it.”

In I FSK 1037/17 (2019), the court reached the same result where the actual issuer was a bookkeeper engaged under a service contract who was simultaneously the owner of the company receiving the fictitious invoices. The bookkeeper, “in issuing fictitious invoices, was not acting as a person representing the Company, but as a person representing P.” – the recipient.

Both rulings remain fully applicable after the 2024 CJEU judgment, which addressed only the employer-employee configuration.

Statute of Limitations: The Fiscal-Criminal Suspension Trap

These cases inevitably raise the question of limitations periods. Poland’s general statute of limitations for tax obligations is five years from the end of the calendar year in which the tax was due. Tax authorities can, however, suspend this period by initiating fiscal-criminal proceedings linked to the obligation in question (Article 70(6)(1) of the Tax Ordinance), provided the taxpayer is notified.

The two cases diverged sharply on this point.

In the Lublin case, the Supreme Administrative Court accepted the suspension. Criminal proceedings had been opened in June 2014 – more than a year before the first expiration date. The court found that, at the inception of the investigation, it was not possible to definitively exclude management’s involvement in the fraud. “One cannot speak of an instrumental use of fiscal-criminal proceedings solely to obtain a favorable suspension of the limitations period.”

In the Warsaw case, the court reached the opposite conclusion. Criminal proceedings against the company were initiated in November 2017 – by which time three criminal courts had already convicted the manager personally for the same acts. The court found no plausible basis for directing the investigation at the company and held that the proceedings bore no genuine connection to the non-performance of the company’s tax obligation. The tax decisions, issued after the limitations period had expired, were void. The court cited an earlier ruling (Regional Administrative Court in Gliwice, I SA/Gl 515/22): “One cannot accept a situation in which the initiation of criminal proceedings, the suspected offense in which has no direct connection to the non-performance of a specific tax obligation and does not relate to the subjective dimension of that obligation – that is, to a specific taxpayer – can be regarded as a circumstance suspending the limitations period.”

Criminal Exposure: Beyond the Tax Bill

The tax liability under Article 108(1) is only one layer. Under Poland’s Fiscal Penal Code, the issuance of unreliable invoices (Article 62(2)) carries fines of up to 720 daily rates or imprisonment. Under the Criminal Code, invoice falsification (Article 271a) is punishable by six months to eight years’ imprisonment, rising to three to twenty-five years where the value of the invoices exceeds ten million zlotys. Filing a tax return containing false data (Article 56 of the Fiscal Penal Code) is a further basis for liability that can reach both the employee and – in certain configurations – persons responsible for oversight within the company.

Independently of criminal proceedings, tax authorities may seek prejudgment security over the taxpayer’s assets before a final tax decision is issued, including bank-account freezing orders that can paralyze ongoing business operations.

Corrective Invoices and the Elimination of Revenue Risk

A distinct but related question – flagged by both the CJEU and the Warsaw court – is whether the obligation under Article 108(1) (or Article 203 of the Directive) can be avoided by eliminating the risk of revenue loss through corrective invoices. The Court of Justice has repeatedly held (Schmeink and Cofreth, C-454/98; Finanzamt Österreich, C-378/21) that where the risk of tax-revenue loss has been excluded, Article 203 does not apply.

In practice, this means that if the issuer of a fictitious invoice has eliminated “in good time” the risk that the recipient will deduct the VAT – for instance, by issuing a corrective invoice and ensuring that the recipient has reflected the correction in its own returns – the obligation to pay the tax lapses. The Warsaw court went further, observing that “even bad faith does not preclude avoiding the application of Article 108(1)” – provided the revenue loss has been factually eliminated. “The introduction into commerce and deduction of input VAT by the recipient of the invoice does not preclude the non-application of Article 108(1) – on condition that the recipient subsequently reflects the corrective invoice in its settlement, per saldo ‘cancelling’ the tax effect.”

But timing matters. The Supreme Administrative Court has consistently held (I FSK 1329/14; I FSK 315/14; I FSK 2015/14) that corrective action taken only after a tax audit has detected the irregularity does not meet the “good time” standard. The correction must precede – not follow – the discovery.

The Practical Architecture of Due Diligence

The combined jurisprudence of 2024 yields an operational checklist – not a theoretical framework but a set of concrete organizational measures whose presence or absence courts will examine.

An invoice-monitoring system. This is the element the Supreme Administrative Court singled out in its September 2024 ruling. It can take the form of internal controls by a designated compliance officer, external audits by a professional firm, or a combination. The Warsaw court accepted annual audits with periodic spot-checks of invoice accuracy as sufficient.

Written delegation of authority. Every employee authorized to issue invoices should have a documented scope of authority specifying which systems they may use, what formats are permissible, and what additional approvals are required for departures from standard procedure. The absence of such documentation was a factor in the Lublin outcome.

IT controls. Regular review of work computers used for invoicing, folder access restrictions, invoice-numbering verification, and reconciliation of issued invoices against actual commercial activity. The Lublin court was visibly struck by the fact that no one had examined the manager’s computer in over four years.

Segregation and oversight of bookkeeping functions. The engagement of external tax and accounting advisors to review or independently verify invoice flows provides an additional control layer – particularly for businesses with decentralized operations where corporate management cannot directly oversee each location.

Documented response to detected irregularities. The Warsaw court explicitly credited the company’s post-discovery conduct: immediate audit, criminal complaint, corrective invoices, IT modifications, and tightened procedures. A company that reacts swiftly and transparently occupies fundamentally different ground than one that, in the court’s language in the Lublin case, relied on “excessive trust.”

Internal policies and codes of conduct. Workplace regulations addressing access to corporate stamps and seals, document-handling procedures, mandatory reporting of suspected irregularities, and prohibition of invoice issuance outside official accounting systems. Advocate General Kokott described the aggregate of such measures as a “simple internal risk-management system” – the minimum threshold for good faith.

Who Is Affected

Though the formative cases involved fuel retailers, the standard is universal. It applies to any business that authorizes employees to issue invoices – effectively every company with a sales, accounting, or customer-service function. The risk is acute in industries with high transaction volumes, decentralized structures (franchise networks, multi-location retail), and limited direct board-level oversight of individual sites.

The employer who gets it wrong pays a tax that was, in economic substance, embezzled by a subordinate and exploited by third-party fraudsters – a bill for someone else’s crime. Recovery through civil litigation against the employee is theoretically available but practically illusory: employees who engage in invoice fraud are rarely in a position to satisfy a judgment for the sums involved.

Conclusion

The jurisprudence that crystallized in 2024 replaced a decade of contradiction with a clear two-step framework. The default rule is that the employee – as the actual creator of the fictitious invoice – bears the obligation to pay the VAT. That default shifts to the employer only where the employer failed to exercise the due diligence reasonably required to monitor the employee’s invoicing activities, including, in particular, the establishment of a monitoring system.

The divergent outcomes in the Lublin and Warsaw cases – arising from nearly identical fact patterns – confirm that the details of a given situation are decisive. A tax authority’s finding that due diligence was lacking does not foreclose the employer’s right to challenge the assessment, both before administrative bodies and before the courts. But that challenge requires evidence, not rhetoric: documented procedures, audit records, written delegations of authority, and proof of timely response to detected irregularities.

The devil, as it turns out, really is in the invoices – and in the procedures you either built to catch them or didn’t.

Robert Nogacki, attorney-at-law (radca prawny), Skarbiec Legal, Warsaw

Legal basis:

• Article 108(1), Polish Act of March 11, 2004, on Tax on Goods and Services (consolidated text: Journal of Laws 2024, item 361)
• Article 203, Council Directive 2006/112/EC of November 28, 2006, on the common system of value added tax
• Article 70(1) and (6)(1), Polish Tax Ordinance Act of August 29, 1997 (consolidated text: Journal of Laws 2023, item 2383)
• Article 62(2), Polish Fiscal Penal Code of September 10, 1999 (consolidated text: Journal of Laws 2024, item 628)
• Article 271a, Polish Criminal Code of June 6, 1997 (consolidated text: Journal of Laws 2024, item 17)

Case law:

• CJEU, January 30, 2024, C-442/22, P sp. z o.o. v. Director of the Tax Administration Chamber in Lublin
• Opinion of Advocate General Kokott, September 21, 2023, Case C-442/22
• Polish Supreme Administrative Court, September 3, 2024, I FSK 1212/18
• Warsaw Regional Administrative Court, November 24, 2023, III SA/Wa 1058/23
• Lublin Regional Administrative Court, February 23, 2018, I SA/Lu 987/17
• Polish Supreme Administrative Court, June 27, 2017, I FSK 1459/15
• Polish Supreme Administrative Court, October 23, 2019, I FSK 1037/17
• Polish Supreme Administrative Court, April 10, 2013, I FSK 362/12 and I FSK 363/12
• Polish Constitutional Tribunal, April 21, 2015, P 40/13
• CJEU, January 31, 2013, Stroy trans, C-642/11
• CJEU, December 8, 2022, Finanzamt Österreich, C-378/21
• CJEU, September 27, 2007, Teleos, C-409/04
• CJEU, June 21, 2012, Mahagében and Dávid, C-80/11 and C-142/11
• CJEU, September 19, 2000, Schmeink and Cofreth, C-454/98
• CJEU, April 29, 2004, Gemeente Leusden and Holin Groep, C-487/01 and C-7/02
• Gliwice Regional Administrative Court, December 22, 2022, I SA/Gl 515/22

Robert Nogacki

Robert Nogacki – licensed legal counsel (radca prawny, WA-9026), Founder of Kancelaria Prawna Skarbiec.

There are lawyers who practice law. And there are those who deal with problems for which the law has no ready answer. For over twenty years, Kancelaria Skarbiec has worked at the intersection of tax law, corporate structures, and the deeply human reluctance to give the state more than the state is owed. We advise entrepreneurs from over a dozen countries – from those on the Forbes list to those whose bank account was just seized by the tax authority and who do not know what to do tomorrow morning.

One of the most frequently cited experts on tax law in Polish media – he writes for Rzeczpospolita, Dziennik Gazeta Prawna, and Parkiet not because it looks good on a résumé, but because certain things cannot be explained in a court filing and someone needs to say them out loud. Author of AI Decoding Satoshi Nakamoto: Artificial Intelligence on the Trail of Bitcoin’s Creator. Co-author of the award-winning book Bezpieczeństwo współczesnej firmy (Security of a Modern Company).

Kancelaria Skarbiec holds top positions in the tax law firm rankings of Dziennik Gazeta Prawna. Four-time winner of the European Medal, recipient of the title International Tax Planning Law Firm of the Year in Poland.

He specializes in tax disputes with fiscal authorities, international tax planning, crypto-asset regulation, and asset protection. Since 2006, he has led the WGI case – one of the longest-running criminal proceedings in the history of the Polish financial market – because there are things you do not leave half-done, even if they take two decades. He believes the law is too serious to be treated only seriously – and that the best legal advice is the kind that ensures the client never has to stand before a court.