The costly consequences of ignored compliance risks in business travel and work from anywhere

As business travel and work-from-anywhere trips ramp up, compliance risks are more critical than ever. Explore real-life scenarios of trips gone wrong due to compliance issues, and the costly consequences faced by both employers and employees.

Liva Bileskalne

Strategic Project Management

As business travel surges back to pre-pandemic levels and work from anywhere becomes a widely accepted norm, compliance risks have become an increasingly critical issue for organizations. Since the pandemic, the enforcement of remote work-related regulations across the globe has tightened significantly. While many companies have recognized the importance of assessing and mitigating compliance risks when their employees travel abroad, others continue to underestimate the dangers of inadequate handling and documentation. This is a risky oversight, as non-compliance with regulations in areas such as immigration, visa, labor law and tax can lead to severe legal and financial consequences for both employers and employees.

Although companies often manage to keep compliance breaches out of the public eye—understandably not wanting to make headlines for such issues—the risks are very real, and the impact can be substantial. Below, we will examine real-life examples of what can happen when compliance is ignored during business trips or work-from-anywhere arrangements.

Why is business travel and work-from-anywhere compliance a big deal?

The pandemic highlighted how effectively authorities can collaborate across borders to enforce travel restrictions. While the pandemic may have passed, this global interconnectedness among authorities has only strengthened. For instance, systems like the EU’s Entry/Exit System and the U.S. ESTA now provide authorities with unprecedented levels of information about international travelers. Additionally, the European Labour Authority now helps EU member states conduct joint cross-border inspections. These inspections address complex cross-border fraud and irregularities by pooling resources and information from various enforcement agencies. This increased collaboration and data-sharing make it much more difficult for individuals to travel "under the radar," even for brief trips.

A notable example of this diligence is the enforcement of the Posted Worker Directive (PWD). Under this regulation, employees traveling for work to another EU country must be registered with local authorities to avoid legal penalties and fines. In 2023 alone, Luxembourg’s Labour Authority (ITM) imposed fines totaling 8.9 million euros for non-compliance with worker posting rules. The number of inspections also surged, from 10,000 in 2022 to over 17,300 in 2023. As more resources are dedicated to on-the-ground checks and penalties for posting offenses remain steep, compliance with PWD requirements is becoming increasingly critical—not only in Luxembourg but across the EU.

Even in celebratory contexts, compliance remains essential. During the 80th anniversary of D-Day in Normandy in 2024, British paratroopers participating in the commemoration were still required to show their passports. This illustrates that compliance is mandatory, regardless of the purpose of the trip.

These examples underscore the critical importance of adhering to compliance regulations, regardless of the destination, duration, or purpose of the trip. As authorities enhance their monitoring and enforcement efforts, the risks associated with non-compliance continue to escalate. In the following sections, we will delve into real-life examples of companies and employees who faced significant consequences after failing to comply with regulations during business and work-from-anywhere travel.

Compliance risks in business travel and work-from-anywhere: Cases of trips gone wrong

There are seven key risk areas related to business travel and work-from-anywhere compliance: visa and work entitlement, permanent establishment, wage tax, social security, the Posted Workers Directive, labor law, and data security.

Each of these dimensions poses its own risks and requires specific risk mitigation measures, which you can explore in the WorkFlex remote work compliance handbook. We explore real-life examples of trips gone wrong, highlighting several of these key risk areas below.

Permanent Establishment risk

A Permanent Establishment (PE) is a concept in international tax law where a business is considered to have a relevant presence in a foreign country, making it subject to local taxes. This designation can occur when business activities in the host country are substantial enough that local authorities view the company as having a taxable entity there. Several high-profile cases have involved companies like Netflix and Bosch facing large penalties due to their employees' work activities in foreign countries.

Netflix’s €2 million tax bill in India

Netflix ran into this issue in India in 2023. Even though they didn’t have an office in India, local authorities argued that the company had created a PE simply by having employees there. As a result, Netflix faced a €2 million tax bill. This shows how even a small business presence in a country can result in major financial consequences. India is known for its eagerness to find new sources of tax revenue, so companies need to be extra careful.

Bosch’s €320 million settlement in Italy

Bosch faced an even bigger problem in Italy. Italian tax authorities determined that Bosch had established a PE because some employees were working on local projects, mostly at Fiat’s premises. Bosch was hit with a €1.4 billion tax bill, and to avoid even more serious penalties, including potential jail time for employees, the company settled for €320 million. This case shows that PE risks are real, and failing to manage them can be extremely costly.

Visa and work entitlement risks

When employees go on a business trip or work-from-anywhere trip, it is important that they or the company ensure the proper visa has been obtained to (a) enter the country and (b) perform work activities there. Immigration requirements depend on the traveler's nationality, the duration of the trip, and its purpose. Noncompliance with country-specific requirements may lead to the business traveler or workationer being denied entry, but it can also result in very significant penalties, as the examples below show.

Infosys and the U.S. visa penalty

One of the most well-known cases of visa-related issues involves the Indian IT giant Infosys mistakenly using the wrong type of visa for its U.S. employees. Instead of going through the more complicated and expensive process of getting H1B visas, they opted for easier-to-get B1 visas. This small mistake resulted in a €31.5 million penalty, the largest ever for a visa violation in the U.S. What’s striking is that only 0.02% of the company’s working days in the U.S. involved the wrong visa. Yet, the fine was massive, proving that even small missteps can lead to big problems.

Blocked at the U.S. border

Another risk comes when employees don’t fully understand the visa they are traveling on. A Canadian contractor who regularly traveled to the U.S. for business meetings found themselves blocked at the border despite using a visa exemption that had worked in the past. They had to sign a withdrawal of their application and were forced to miss their flight. This example highlights the unpredictability of border control. Employees need to be well-prepared to explain their purpose of travel and how it aligns with their visa.

Australian teacher detained in Thailand

An example of a work-from-anywhere trip ending badly—resulting in jail—occurred in Thailand. An Australian teacher, temporarily in Thailand on a tourist visa, was arrested for doing online work for his Australian employer. He mistakenly believed that because he wasn’t being paid in Thailand, remote work for an Australian employer would not seem relevant to the authorities. However, after a neighbor reported him, he was detained by officials. This case underscores how easily remote workers can find themselves in serious trouble if they do not have the correct visa, even when their work is purely online and for a foreign company.

Data breaches during international trips

Another serious risk associated with business trips and work-from-anywhere trips is the heightened likelihood of data breaches.

When working remotely, employees are four times more likely to experience a data breach compared to those who work on-site. Due to lack of knowledge and instructions, many travelers tend to use unsecured public Wi-Fi and store passwords in unprotected documents, which makes them easy targets for cyberattacks. In 2024, the average cost of a data breach was $4.88 million, showing how expensive it can be for employers to fix these issues.

This highlights the need for strong cybersecurity measures: a data transfer impact assessment before employees go on a business trip or work-from-anywhere trip, as well as proper guidelines on best practices for managing data securely when working from overseas.

Lack of work-from-anywhere policy: the perfect environment for ‘hush trips’

Failing to address specific compliance issues, such as the risk of permanent establishment and data security, can prove costly. However, forbidding employees from taking work-from-anywhere trips can be equally problematic. In organizations where such trips are explicitly banned or the topic of work-from-anywhere policy is just not addressed, many employees take matters into their own hands, working from abroad without informing their employer—a practice commonly known as "hush trips." A clear indicator of this trend is the frequent discussions on Reddit forums.

On Reddit, users often ask questions anonymously, and many openly share their plans for extended trips abroad while continuing to work remotely. Common discussion topics include tax obligations, visa requirements, and concerns about Permanent Establishment (PE) risks. For example, one user asked if staying in Portugal for six months would trigger tax issues for her Irish employer, while another wondered if working in China for five months on behalf of a U.S. company could result in a PE issue. In other discussions, users even shared tips on hiding their international location from their employers, including using specific software on company devices.

These conversations reveal that many employees fail to fully grasp the serious implications their ‘hush trips’ can have on their employers. Even when Reddit users acknowledge the risks, many are still willing to take the chance in order to enjoy working from abroad. For employers, these secretive trips pose significant risks—not only from tax and legal perspectives but also in terms of fulfilling their duty of care toward their employees.

Conclusion

The examples above show that no travelers, regardless of the trip's length or purpose, are immune from scrutiny by authorities. This highlights the critical need for a robust travel policy and trip management process in every organization, covering trip approvals, compliance risk assessments, and the implementation of risk mitigation measures. In the worst cases, failure to ensure that employees travel compliantly can result in significant penalties, fines, or, as in the case from Thailand, even imprisonment.

WorkFlex is committed to helping clients achieve 100% compliance for business trips and work-from-anywhere arrangements. Our solutions enable employers to navigate the complexities of compliance with an all-in-one, automated approach, avoiding the severe consequences of non-compliance.

With WorkFlex, your employee trips are 100% compliant

WorkFlex handles all compliance risks of business trips and work-from-anywhere arrangements for you. Book a meeting with a WorkFlex consultant to learn more!

Book a demo

With WorkFlex, compliance is no longer a roadblock to offering workations and business travel

Join hundreds of companies managing their work from abroad requests compliantly.
