BEPS on Substance and Transparency


The BEPS Report on Action Plan 5 focusses on the concern of preferential tax regimes that risk being used for artificial profit shifting. The report seeks to address the concern by suggesting the methodology for the ‘substantial activity requirement’ separately for IP and other regimes, and by improving transparency through compulsory spontaneous exchange of certain rulings.

From an impact standpoint, it remains to be seen how the OECD guidance on substance requirements and transparency is locally adopted and implemented by various countries. However, it certainly is a call to companies with cross-border multi-tier structures to review their structures against the backdrop of the ‘substantial activity requirements’ laid down by the OECD.

Value creation through intangibles


The OECD final report on BEPS in relation to value creation through intangibles requires that a taxpayer would benefit from an IP regime only to the extent the taxpayer itself has incurred the R&D expenditure that gives rise to IP income. This will require changes in business models, significant people functions, etc. to be performed in the country providing tax benefits. It will also require the taxpayer to review the existing IP structures and evaluate the overall tax impact in the case of a change in the structures/regimes under which it is currently operating.

Prevention of treaty abuse


Treaty abuse, and in particular treaty shopping, was one of the main concerns of the BEPS project. Treaty shopping refers to the case when a taxpayer claims a tax treaty benefit to which they are not really entitled. Anti-abuse provisions have therefore been agreed upon by countries to be introduced in their tax treaties.

Making cross-border dispute resolution mechanisms effective


Disputes could bring with them costs and potential reputation risk. Thus, in the BEPS world, it is vital to make cross-border dispute resolution mechanisms effective. In line with OECD’s guidance, apart from the continuing political will, India could certainly do with some suitable modifications to treaty provisions, especially the inclusion of Article 9(2) in all treaties and gearing up for bilateral APAs.

The new TP documentation requirements - How will you manage your reporting burden?


Taxpayers need to prepare their organizations and reporting systems to meet the significant obligations of the revised TP documentation and country-by-country reporting requirements under Action 13 of the BEPS project. Taxpayers also need to align this with the POEM concept introduced in the domestic tax law in 2015. The wider transparency that will result from these requirements is one of the most significant impacts of BEPS that taxpayers will need to address in the coming months.

Cyber Warriors: A PwC India cyber security game

Sivarama Krishnan, Leader, Cyber Security, PwC India

New-age attacks are handcrafted, state-motivated and driven by innovation, to bypass the typical standards of cyber defence. But is this constant change considered adequately to influence an organisation’s decision? What would it take for an organisation to shoulder the responsibility of combatting attacks?

The organisation needs to understand that there is no silver bullet for neutralising a cyberattack, since a successful strike comprises multiple threat vectors. There is also a limit to the resources (people, processes and technology) that can be spared for preventing attacks; even the portfolio for an attacker is wide open and so are the complementary defence solutions. In a catastrophic situation, the response time for the organisation to think and react is even more reduced. All these factors adversely affect the revenue of the company and lead to a loss of customers. This is, indeed, a cyber maze that needs to be navigated.

But how?

Experience the cyber maze through gamification

PwC presents Cyber Warriors, a simulation of key decision-making parameters to realise the concept of cyber security by helping the players learn about core cyber defence solutions and exposing them to the arsenal of new-age cyber weapons.

Explore how your decisions impact revenue and customer confidence in real time, through gameplay, in the event of a cyberattack. Gamification reflects the use of game thinking, including game progress mechanics, player avatar control, rewards, penalties, collaborative problem-solving and competition, when in a non-game situation. This can be used to enhance security awareness, and the results are tightly connected to the real world.

Cyber Warriors: Key objectives

  • Recognise the reputational, customer and financial impacts of cyber threats in a simulated environment

  • Simulate effective use of company resources (costs incurred) to contain attacks, with around 2,000 scenarios that demonstrate the impact of attacks and effectiveness of potential defence solutions, thereby creating a situational awareness of cyber security

  • Understand and build awareness of the right amount, priority and kind of investments in cyber security to protect company assets

  • Assess how to anticipate and proactively manage risks to business objectives, and improve the company’s security posture

The gameplay

The business impact of a cyberattack is a pivotal decision-making attribute for board members, and in this context, Cyber Warriors becomes a tool for the board. The game runs in proactive and reactive modes of defence, combatting breach, compromise and attack. Based upon a real-time threat scenario, the defender is given an option to mitigate the attack and protect the organisation.

The two game roles are ‘attacker’ and ‘defender’. The defender makes effective use of firm resources (people, processes and technological solutions), while the attacker strikes, compromises and breaches security using the information and resources supplied to him. The game relates the impacts of an attack in terms of revenue, customer confidence, time elapsed, costs incurred, resources bought and symptoms of the attack, and also shows the effects of the solutions deployed by the organisation (defender) in the common zone, known as the War Zone. The side that makes the maximum impact as calculated based on these parameters is the winner.

With this objective, the gameplay takes the firm through many cyberattack simulations, so the organisation can choose the optimum solution for defence and realise the return on investments. A game recap provides detailed analysis of the attack vis-à-vis the solution map, cost details, revenue change map, customer confidence map and the return on investment.

Ashish Bhugra, Manager, Cyber Security, contributed to this article, with inputs from Aditya Jain, Consultant, Cyber Security and Sarvesh Jha, Sr. Analyst, Cyber Security. For more information on our Cyber Security services, write to

Decoding tax aggressive strategies


This action plan specifies disclosure rules to address the challenges faced by the tax authorities due to a lack of timely and comprehensive information on aggressive tax planning strategies.

Schemes and items to be reported should be clearly prescribed giving illustrations.
Higher level of maturity in tax functions of both tax payers and the revenue authorities is needed to mitigate the risk of damage to reputation of tax payers and to provide a conducive investment environment.

Tax payers - final call to reset your PE status


Tax payers were held to believe a PE was created only in certain circumstances given specific conditions in the treaty for agency activities, presence within a permitted threshold period, activities being considered auxiliary/preparatory, etc. This may however need a re-look and would now require a more holistic evaluation of business activities, which create a PE.

The need for cyber security

Sivarama Krishnan, Leader, Cyber Security, PwC India 

The digital playground has become a dangerous place to be.

Nation-states, hackers and organised crime syndicates are the cyber security villains that everybody loves to hate. Cyber espionage backed by a nation-state, or multibillion-dollar losses to an organisation due to cyberattacks—this is the stuff of front-page headlines. But while such events may make for eyeball-grabbing news, they’re a veritable nightmare for corporates.

There has been an unprecedented rise in cybercrime rates and associated security breaches. In 2014, the World Economic Forum rated cyberattacks among its top five risks in terms of likelihood, which is expected to increase more rapidly in the coming years, if the right security is not put in place.

Cyber security breaches

Cyber security breaches lead to global negative publicity for the victim firm, loss of shareholder value, reduced profits, and stolen product designs. They cost millions of dollars in breach-mitigation expenses. They impact innovation, service operations information and company strategies, and erode customer trust—which is indispensable to any business.

This year, overall financial losses as a result of cyber incidents increased by 135% over the previous year, which is a sharp rise. As security incidents grow in frequency, the costs of managing and mitigating breaches are also rising. For companies with revenue worth more than 1 billion USD, we have observed that in 2013, the average financial losses due to security incidents accounted for 3.9 million USD, whereas in 2014, the figure stood at 5.9 million USD. There has been a plethora of new-age cyberattacks, and the innovation in attack vectors is a major contributor to the ever-evolving threat landscape. As incidents continue to proliferate across the globe, it’s becoming clear that cyber risks will never be completely eliminated and will, from time to time, impact organisations.

Cyber security villains

The cyber security villains today are both external as well as internal to the organization. However, we have observed a big shift from outsiders, comprising cyber terrorists, organised crime, hacktivists, competition and nation-states, to insiders, consisting of current employees, former employees, service providers, etc.

Statistically, insider crimes are more costly and damaging than incidents perpetrated by an outsider. As per the responses received to our GSISS 2016 survey, insiders caused nearly 15 security incidents for every 10 caused by outsiders in 2015. Yet, a majority of us are unprepared for such insider threats. They need to be tackled on multiple fronts by adopting a holistic, risk-based cross-functional security effectiveness approach, because the insiders know exactly where to look for the organisation’s most valuable information—its crown jewels, so to speak.

Board’s involvement

Despite the high-profile security breaches perpetrated by cyber villains last year, the board is often not involved in critical initiatives that determine the effectiveness of the security mechanisms against threats and risks. Statistically, less than 46% of the board understands the costs and benefits of cyber security programmes. The barrage of incidents over the past year has resulted in a lot of discussion about the board’s involvement in the security function. Yet, for all the chatter, organisations clearly have not elevated security to a board-level agenda for discussion. Effective security awareness will not only require adequate funding by the board, but also more involvement and commitment to security maturity.

An effective security programme mantra

Based on the GSISS survey, the top five security challenges faced by organisations are:

  • Encryption in storage and in transit (19.7%)

  • Identity theft and loss of individual information (19.2%)

  • Authentication (18.8%)

  • Identity and privileged access management (17.4%)

  • Monitoring of access and information use (16.9%)

The challenges arise mainly because many organisations today are largely unsure of what is the right amount of investment in the right mix of solutions for effective security management, and thus also of the return on investment on security. Organisations forgo the alignment of security strategy with business needs. Businesses should identify and invest in the right cyber security practices, ones that are the most relevant to today’s threat landscape, which is evolving every single day in terms of motives, resources and methods. It is the need of the hour to fund processes that integrate predictive, preventive, detective and incident response capabilities that minimise the impact of an attack.

Being resilient to threats requires individuals and organisations to be on their toes to identify/detect threats, and quickly mitigate them to minimise impact by having an effective security monitoring strategy. A right mix of people, practitioners, tools, processes and leadership involvement is the mantra for an effective security programme.

Where is the doorway out of the cyber maze?

We have observed that businesses that have effective security awareness management report significantly lower average financial losses from cyber security incidents. The trick is to understand the sophistication of cyberattacks, symptoms when under attack, right antidote and defence mechanism, time taken to contain the attack, right kind of investments, and so forth.

  • Do you want to experience the impact of a cyberattack in a simulated environment and see how it affects customer confidence and company revenue? 
  • Do you want to observe the benefits of, and return on investment on, cyber solutions in a simulated game environment? 
  • Are you aware of the different terms, forms of attack and defence solutions in the cyber sphere?

Ashish Bhugra, Manager, Cyber Security, contributed to this article. For more information on our Cyber Security services, you can reach him at

Understanding identity theft: An investigator’s perspective

Murali Talasila, Partner, Forensic Services, PwC India

Of all the imposters and identity thieves in history, Frank Abagnale Jr is probably the most famous. His life was portrayed in the biopic ‘Catch Me If You Can’, which demonstrates his deceptive antics in a humorous light, while showing the repercussions of this form of fraud. At a time when the only way to stay in touch was snail mail, and when dot matrix printers were considered high-tech, Frank demonstrated the ease with which he was able to impersonate bankers, attorneys, general physicians and even pilots. Without so much as a personal computer, he was able to successfully impersonate more than eight identities by forging cheques and confidence tricking.

Over time, this has only become simpler. With the advent of new technology and more people willing to relocate their data onto online platforms, it is easier for us to maintain long-distance relationships and make global purchases online. Unfortunately, though, this has also exposed our cyber weaknesses to fraudsters and pirates.

An identity can be stolen either by actually pilfering the documents that prove the victim’s background (credentials and qualifications), or by creating a cyber profile (of a person who is deceased, alive or fictitious) and assuming that persona as one’s own. The most common consequences of identity theft now include credit card fraud, employment fraud, and government documents and benefits fraud. These are primarily a result of cyber hacks, dumpster diving, shoulder surfing, and physical loss of portable items (handbags, mobile phones, laptops and so on).


Identity theft is not only meant to cause people financial loss, but also to harass them and commit a variety of other related offences. For high net worth individuals, identity theft usually leads back to someone personally known to the victim and with a vendetta against them. In the recent past, there’s been a spike in the number of people accessing the Dark Net with reportedly stolen identities. Therefore, to begin investigating a case of identity theft, it is important to establish the motive. This sets the course for the investigation by helping to understand to what lengths the perpetrator would have been willing to go to get what he was seeking.

From an investigator’s perspective, one of the most crucial pieces of information is the detailed and chronological account of the victim’s life and experiences. To get to this involves collecting the victim’s biographical details. Subsequently, the investigator visits the victim’s residential and office addresses and other frequently visited places, to ascertain vulnerabilities and draw up a list of suspects. The victim’s most frequented stores and ATMs are also vital, as is the CCTV footage, if any, from these places.

From evolved social engineering to skimming devices installed at points of sale (POS), it is a little-known fact that untapped investigative opportunity exists in seizing these POS terminals along with the more traditional electronic devices like computers, tablets, and mobile phones.

Circuit boards and microprocessors to which skimming devices are connected hold tremendous metadata, e.g. the manufacturer or fabricator’s logo imprinted on it, a serial number, or an order number. While the more tech-savvy criminal may use these circuit boards or trusted platform modules (TPMs) to store authentication credentials, the less experienced miscreant may leave DNA traces (even fingerprints, if we are lucky) on the circuit boards while forging the connections.

Further, these devices are built on microcontrollers that require firmware to be installed on them to capture and store data, which is later retrieved by the perpetrator. This firmware always has a digital signature and can be traced on the target machine. Although this will require access from the manufacturer of the target machine, data gathered from this can provide insights on timelines and access logs, which may be corroborated with security feeds and CCTV footage to help in locating a suspect. Additionally, trails of fund transfers during routing of money through dummy accounts before they reach the perpetrator (final beneficiary) play an important role in identifying digital footprints and geographical boundaries of the theft.

Section 66C of the Indian IT Act of 2000 (similar to section 1028A of title 18 of the United States Code, which deals with aggravated identity theft) speaks about identity theft thus: “Whoever, fraudulently or dishonestly, makes use of the electronic signature, password, or any other unique identification feature of any other person shall be punished with imprisonment.”

This clearly shows that no quantification of loss or harassment is required to warrant an arrest, but only clear-cut evidence of malpractice and misuse of another person’s identity.

However, although these investigations are predominantly considered open-ended time-wise, they usually follow one of two distinct paths, neither of which may lead to the immediate arrest of the accused. On one hand, victims may choose to block all their credit cards, social media accounts and bank accounts. This leads to a passive and retrospective investigation that runs the risk of giving the perpetrator a heads-up and allowing them time to disappear without a trace. On the other hand, all of the victim’s social media and bank accounts are left active and enabled, with the knowledge of the authorities, in the hope that they’d serve as a honeypot for the perpetrator, who’d eventually access any of them again. In such a case, tracers are set up to locate and detain the fraudster.

It is paramount that we, as people, employees, and individuals living in a digital age, understand the complications caused by not being proactive in keeping our identities protected. Safeguarding against larceny and similar vulnerabilities (e.g. by proactively setting up firewalls around our home and office networks) in addition to creating complex Wi-Fi Protected Access (WPA2) passkeys can go a long way. Moreover, shredding documents such as credit card statements and receipts is always a better way to dispose of documents than just throwing them away. Finally, always being wary of phishing scammers—no matter that one may seem paranoid—is vital.

With contributions from Sachin Yadav, Associate Director, Forensic Services, and Rahul Vallicha, Consultant, Forensic Services


The opinions expressed in the blogs are personal.

