Although frequently associated with medical billing, billing compliance affects all industries with varying degrees of difficulty. For instance, leveraging a variety of payment intervals (monthly, annual, usage-based) and diverse pricing strategies, software-as-a-service (SaaS) companies face additional accounting process complexities that can directly affect billing compliance.
Unlike traditional businesses that recognize revenue upon the delivery of the products or services purchased, SaaS companies must account for deferred revenue and accrued liabilities, as well as discounts, bundles, rebates, price concessions, refunds, and a variety of payment intervals and pricing schemes. For SaaS organizations that sell internationally, exchange rate fluctuations become an additional consideration, making payment reconciliation even more difficult and error prone. Add to that data usage, data storage, and data sharing, as well as security measures, and compliance becomes exponentially more complicated.
Considered an umbrella term, billing compliance encompasses the regulations and frameworks that companies – large and small/public and private – should follow. It’s important to note that not all billing compliance regulations are mandatory, and some regulations are industry specific, such as the Health Insurance Portability and Accountability Act (HIPPA) as well as state/country or region-specific standards like the California Consumer Protection Act (CCPA) and the General Data Protection Regulation (GDPR).
This blog examines the 4 things you need to know about billing compliance, including:
- The three types of compliance and why they’re important
- Compliance standards and regulations
- The risks of noncompliance
- How billing automation helps to ensure compliance
Data, Security and Billing Compliance: What They Are and Why They’re Important
Not a one-and-done initiative, billing compliance is an ongoing journey that requires constant diligence, as well as adjustments to keep pace with its ever-changing rules and regulations. Regardless of whether the regulation is mandatory or not, it’s in every company’s best interest to comply with the regulations that are appropriate for their industry and geographic location.
Viewed as a form of risk management, compliance can be divided into three categories – financial, data, and security. Not a one-and-done initiative, compliance requires constant diligence, as well as adjustments to keep pace with its ever-changing rules and regulations. While the focus of this blog is on billing compliance, we’ll cover data compliance and security compliance too.
Let’s look at each of the compliance categories in more detail.
Financial Compliance
Compliant billing practices accurately reflect the financial health of the company. By being in compliance, your billing data (customer payments, revenue per user, customer lifetime value (CLV), etc.) ensures that the company has the factual financial figures needed to accurately report revenue, calculate taxes, forecast future cash flow and customer churn, have the insights needed to make intelligent strategic decisions, and ensures compliance with global accounting standards, tax laws, and payment regulations. The financial transparency gained through financial compliance builds credibility with investors, as well as improves relationships between the company and stakeholders, the board, and customers.
Data Compliance
Not to be confused with data governance, data compliance focuses on adherence to laws, regulations, and standards related to data management and privacy. It leverages policies and procedures that provide the guidance organizations require to collect, process, and use data. Data protection laws define how to ensure data is securely managed and protected from unauthorized access and use, malware, and other cybersecurity threats. Critical to data security is data control, and compliance with data standards and regulations helps ensure the confidentiality, integrity, and availability of a company’s data.
Security Compliance
When it comes to security compliance, companies such as SaaS organizations that sell software have additional security concerns and protective measures. By complying with legal standards, regulatory requirements, industry best practices, and contractual obligations, the company and its customers are better protected from security breaches and fraud.
While each of the above provides distinct compliance requirements, they are closely intertwined. For example, many companies bill based on usage such as minutes, bandwidth, text messages, Internet of Things (IoT) services, etc. To accurately bill for usage, massive amounts of data is required, and that data needs to be normalized, routed, and rated before invoices can be generated. This is where data compliance becomes a necessity.
Let’s take a closer look at compliance standards and regulations as they relate to finance, data, and security.
Top Compliance Standards and Regulations
Not an exhaustive list of compliance standards and regulations, the following provides the key ones your organization should implement to reap their benefits (and avoid noncompliance repercussions).
Finance Compliance
ASC 606
Jointly developed by the Financial Accounting Standards Board (FASB) and the International Accounting Standards Board (IASB), ASC 606 applies to all public companies, private businesses, and nonprofits that enter into contractual agreements with customers. ASC 606 is a framework that accounts for all costs incurred by customers to help companies recognize revenue more consistently. The ASC 606 framework consists of a 5-step process – 1) identify the contract, 2) identify the performance obligation, 3) determine the transaction price, 4) allocate the transaction price, 5) recognize revenue.
International Financial Reporting Standards (IFRS)
Similar to ASC 606, IFRS 15 are a set of globally accepted accounting rules that details how businesses should recognize, measure, present, and disclose revenue from customer contracts, providing mandatory rules for the statement of financial position, statement of comprehensive income, statement of changes in equity, and statement of cash flows. Required in more than 150 jurisdictions, including Brazil, the European Union, India, and South Korea, it consists of the same 5 steps as ASC 606.
Generally Accepted Accounting Principles (GAAP)
Set by the Financial Accounting Standards Board (FASB), GAAP consists of a collection of commonly followed accounting rules and practices. The GAAP was designed to ensure a company’s financial statements are consistent, comparable, and complete. It provides 10 key principles, including the:
- principle of regularity
- principle of consistency
- principle of sincerity
- principle of permanence of methods
- principle of non-compensation
- principle of prudence
- principle of continuity
- principle of periodicity
- principle of materiality
- principle of utmost good faith\
Data Compliance
California Consumer Protections Act (CCPA)
Enacted in 2018, this act provides California residents with increased privacy and consumer protection by providing greater control over the data that companies can collect, use, and share. Further, it provides California consumers with the ability to delete personal information that organizations have collected, opt out of having their personal information sold, and the right to exercise their CCPA rights without discrimination. Businesses that meet any of the following criteria are subject to the CCPA:
- Have an annual gross revenue of more than $25 million.
- Gathers, buys, sells, or receives the personal information of more than 100,000 California residents, households, or devices annually.
- Derives 50% or more of their annual revenue from selling the personal information of California residents.
This law applies to for-profit companies that do business in California, regardless of where the company is located.
General Data Protection Regulation (GDPR)
Similar to the CCPA, GDPR is a European Union (EU) regulation that affects any company, regardless of location, that handles the personal data of EU residents. It grants EU residents control over their data and encompasses, 1) data minimization: where companies are encouraged to collect and process only the necessary personal information needed to fulfill the order, 2) consent: requires businesses to obtain explicit consent from users before collecting their data and allows users to easily withdraw consent, 3) data protection: requires organizations to implement robust security measures, such as encryption, security audits, and a reliable incident response plan to protect personal data from breaches, 4) right to access and erasure: provides users with the right to access their personal data being held by companies, as well as request the removal of their data, 5) data protection officer: specific to larger enterprises or companies that process particularly sensitive data may be required to appoint a Data Protection Officer.
Health Insurance Portability and Accountability Act (HIPPA)
Intended to provide patients with more control over their sensitive data such as health records, it provides safeguards that healthcare providers must be in adherence to ensure the privacy of health information. Unlike some certifications, HIPPA is mandatory for any software company that does business with covered entities. The minimum requirements in determining whether a business is required to adhere to HIPPA include – 1) The Privacy Rule, HITECH and Omnibus Rule, and the Security Rule, security safeguards, transport and storage encryption, secure backup and disposal of data, and signing and following a business associate agreement.
Security Compliance
Payment Card Industry Data Security Standard (PCI DSS)
Regardless of geographic location this standard is a requirement for all companies that accept, process, store, or transmit credit card information. PCI DSS consists of a set of security protocols to ensure card holder data is safe from data breaches and theft. Companies found to be in noncompliance can face severe penalties, including fines, legal costs, increased audit requirements, being banned from accepting certain payment cards, poor brand reputation, diminished public image, and customer loss.
System and Organization Controls 1 and 2 (SOC 1 and SOC 2)
While voluntary, SOC 1 and SOC 2, were developed to help companies handle sensitive information and data in a consistent and reliable manner. SOC 1 focuses on the financial controls of the organization, meaning the company has the necessary controls in place to accurately record and report financial data. SOC 2 assesses the broader range of controls related to the AICPA’s Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. SOC 2 compliance indicates that the company has secure measures in place to protect sensitive customer information.
International Organization for Standardization (ISO/IEC 27001)
In collaboration with the International Electrotechnical Commission (IEC) on electrotechnical standardization, ISO provides a framework that identifies, analyzes, and mitigates security risks of assets, including financial information, intellectual property, employee details, and information entrusted to companies by third parties. Although not mandatory for most companies, compliance provides customers with the reassurance that the business has the tools and systems needed to protect their data.
Payment Services Directive 2 (PSD 2)
Referring to the second European Payment Services Directive, PSD 2 is a regulation that enhances digital payment security standards and fosters transparency within the financial services ecosystem. Consisting of strict security requirements for electronic payments and the protection of consumers’ financial data, under the requirement for Strong Customer Authentication (SCA) it can require businesses to use two independent sources of validation before processing a financial transaction. Even recurring transactions, which traditionally have been exempt from additional authentication, could require SCA. However, certain merchant-initiated transactions – which can include subscription payment – may be exempt depending on the specific conditions.
Non-Compliance: What’s the Risks?
Viewed as a form of risk management, the regulations and frameworks provide a guide to help companies set up internal compliance processes. Depending on whether the regulation is mandatory or not, the risks and consequences may vary. However, non-compliance can result in:
- Failing to securely handle data.
- Paying significant fines for non-compliance violations.
- Security and privacy law breaches
- Significant legal costs.
- Allegations of fraud.
- Unwanted media due to large-scale data breaches and leaks.
- Inability to accept payments from customers.
- Disruption of customer service.
- Damage to the company’s reputation.
- Customer churn.
- Criminal penalties.
On the other hand, ensuring compliance helps your business grow and reach its full potential, and key to having all the pieces of this complicated puzzle is compliant billing practices.
Why BillingPlatform Should be Part of Your Compliance Journey
By automating your billing practices, you gain the ability to easily adhere to all compliance standards, as well as eliminate manual effort and streamline the workload. BillingPlatform provides the tools needed to accurately recognize revenue – ASC 606/IFRS 15, secure customers’ payment and personal information – PCI and GDPR, protect customers’ sensitive information (ISO and SOC 1 and SOC 2), ensure digital payment security (PSD 2), and much more.
With a focus on a company’s security, our cloud-based solution was built to minimize risk and ensure compliance. BillingPlatform delivers a comprehensive solution that equips you with a secure architecture, application-level encryption, roles-based permission, global compliance, sharing groups, advanced approvals, and audit history.
As a company, we continually monitor the regulatory environment in order to provide our customers with the capabilities and expertise needed to adhere to data security measures and maintain regulatory compliance. With our solution, you’re able to reduce risk and adhere to strict compliance and security standards, enabling you to run your business with greater efficiency, accuracy, and control. Take a guided tour of BillingPlatform today and see for yourself.
