When No One Knocks: How Inaction Enables Abuse in the IT-BPM Sector
“No collection without a final tax assessment” is a principle worth defending. Due process protects taxpayers from arbitrary state power, and no democracy should allow the collection of taxes without lawful authority.
But that principle leaves a more troubling question unanswered: what happens when no assessment ever begins?
In theory, tax enforcement follows a clear sequence. A Letter of Authority authorizes an audit. An assessment establishes liability. Collection follows, subject to appeal. The system is designed to balance the rights of the taxpayer and the interests of the State.
In practice, particularly in parts of the Philippine IT-BPM and BPO sector, the chain often breaks at the very first step.
No LOA.
No assessment.
No collection.
No appeal.
No accountability.
This is not a loophole in the law. It is a vacuum created by regulatory inaction. And that vacuum does not remain empty.
Over the past decade, offshore IT operations supporting foreign companies have expanded rapidly in the Philippines. Public disclosures highlight soaring revenues, global clients, and thousands of Filipino workers powering overseas businesses. Many of these operations are formally registered as Regional Headquarters (RHQs) under Republic Act No. 8756.
Under the law, RHQs are allowed only limited functions: supervision, coordination, and administrative support. They are explicitly defined as non-revenue-generating entities. That distinction determines tax treatment, regulatory exposure, and eligibility for incentives.
Yet without audits, no one asks the questions that actually matter.
Who controls recruitment and hiring?
Who directs daily operations tied to foreign revenue?
Who sets performance targets and staffing levels?
Who processes payroll and manages employee records?
Who enables the income ultimately declared abroad?
Without an LOA, these questions never leave the shadows.
The hidden data risk
The consequences of inaction extend beyond taxation.
Offshore IT-BPM operations are not just labor-intensive. They are data-intensive. Philippine-based workers routinely handle, generate, and store large volumes of sensitive personal data: payroll information, identification documents, tax records, performance evaluations, disciplinary files, and sometimes even customer data linked to foreign markets.
When RHQs or contracting entities operate beyond their lawful authority, a critical question arises: what is the lawful basis for this data processing?
If an RHQ is legally restricted to non-operational functions, yet in practice processes payroll, manages performance data, and controls workforce systems, then the data processing that supports those activities is itself placed on legally unstable ground.
The risk is not abstract.
When disputes arise, some employees report retaliation, legal pressure, or even public exposure of confidential employment records. Without clear employer accountability and effective regulatory oversight, workers are left exposed on two fronts: economically and informationally.
A question of scale
Publicly available disclosures show how large the stakes can be.
Consider a conservative, hypothetical illustration based solely on public admissions.
One offshore IT services provider disclosed revenue growth from AUD 12 million in FY22 to AUD 66 million in FY25, driven by offshore delivery. Philippine records and internal documents indicate a local workforce of approximately 1,900 to 2,000 Filipino employees supporting these operations.
Using conservative assumptions for illustration only:
• If just 50 percent of that revenue is enabled by Philippine offshore operations, that equates to AUD 33 million per year.
• Converted conservatively, this is roughly PHP 1.2 billion annually.
• At a 25 percent corporate income tax rate, this suggests approximately PHP 300 million per year in potential corporate income tax exposure.
• Over three years, this reaches roughly PHP 900 million, excluding withholding taxes, payroll obligations, penalties, surcharges, and interest.
These figures are not a tax assessment. They are a visualization of scale.
They raise a simple question regulators are empowered, but not compelled, to ask:
How can an operation enabling revenue of this magnitude be reflected in Philippine filings as a non-revenue-generating RHQ?
Where employee protection disappears
For workers inside these structures, the cost of inaction is immediate.
When corporate layering obscures who the real employer is, workers lose access to basic protections: security of tenure, clear grievance mechanisms, whistleblower protection, and accountability for retaliation. Complaints fall between entities. Responsibility is deflected. Legal remedies become slow, fragmented, and exhausting.
At the same time, workers’ personal data continues to circulate through systems they do not control, processed by entities whose authority is unclear and whose accountability is diffuse.
The result is a perfect storm:
• no audit to test tax compliance
• no clear employer to enforce labor rights
• no single data controller clearly accountable
• and no coordinated regulatory response
Due process versus permanent silence
This is not an argument for aggressive or abusive enforcement. Due process must be preserved. But due process cannot become a permanent justification for silence.
A system that never initiates review does not protect rights. It protects abuse.
If an offshore operation employs thousands of Filipinos, enables substantial foreign revenue, and processes sensitive personal data, should it remain effectively invisible to regulators simply because no Letter of Authority was issued?
And if regulators consistently choose not to look, who benefits from that silence?
The law already exists.
The workers are already here.
The data is already being processed.
The money is already moving.
What remains unanswered is whether the State is willing to knock.https://www.rappler.com/voices/thought-leaders/vantage-point-bir-freeze-letters-of-authority-philippines-revisit-gross-income-taxation/
