
The hidden compliance risks of traditional corporate cards

Key takeaways

  1. Traditional corporate cards are compliance liabilities disguised as convenience. They issue static, reusable credentials with no transaction-level controls, no real-time policy enforcement, and no native audit trail linking spend to approval. Every card swipe creates a compliance gap that someone has to close manually, and most organisations don't.

  2. The audit trail problem is structural. Australia's ANAO audited four government entities' corporate card programmes in 2024 and found unregistered cards, unsigned reconciliation statements, and junior staff approving senior executives' spend. These are not exceptions. They are the predictable outcome of card programmes that separate spending from governance.

  3. 62% of corporate cardholders know misuse is happening around them, and most organisations find out months later. The ACFE reports that expense fraud schemes run for a median of 18 months before detection. Traditional card programmes rely on after-the-fact review to catch violations that embedded controls would prevent at the point of transaction.

  4. The tax compliance exposure is real and largely invisible. Corporate card transactions without valid tax invoices, proper business-purpose documentation, or correct expense categorisation create GST/VAT reclaim failures that compound silently across thousands of transactions. The ATO requires a tax invoice for every claim above A$82.50.

  5. Virtual cards embedded in the payables workflow eliminate the compliance gaps that make fraud possible. Single-use credentials, pre-set spending limits, supplier restrictions, and automatic reconciliation turn every payment into a governed, auditable event. The AFP reports a 75% reduction in fraud rates when organisations move from physical corporate cards to virtual cards.

Traditional corporate cards are embedded in enterprise finance for a reason. They are convenient, widely accepted, and familiar. Every major organisation issues them. Most employees carry one.

But convenience is not compliance. And for a growing number of CFOs and financial controllers across the world, the corporate card programme that once looked like an operational efficiency is quietly becoming the largest unmanaged compliance risk in their payables.

The Association for Financial Professionals (AFP) reports that physical corporate and commercial cards carry a 36% fraud rate, the highest of any payment method in the enterprise toolkit.

The ACFE’s 2024 Report to the Nations found that organisations lose an estimated 5% of annual revenue to occupational fraud, with expense reimbursement schemes running for a median of 18 months before detection. And in 2024, Oversight Systems documented a sharp increase in expense reimbursement and purchase card violations, driven by rising household financial pressure and the structural weaknesses of programmes that rely on after-the-fact review.

The compliance risks are not limited to fraud. They extend across audit trail integrity, segregation of duties, tax reclaim eligibility, data security, and regulatory reporting: risks that most organisations only discover when an auditor, regulator, or tax authority forces them to look.

This article maps the compliance risks hiding inside traditional corporate card programmes, explains why they are structural, not operational, and examines how embedded virtual cards eliminate them by design.

The scale of the problem

The gap between how organisations perceive their corporate card programmes and how those programmes actually perform under scrutiny is consistently wider than what enterprises expect.

A 2024 Upgraded Points survey of 500 American employees with company-issued cards found that 62% of corporate cardholders were aware of instances where company cards were misused for non-business activities within their organisation. Eighteen percent described the misuse as “commonplace.” One in five employees admitted to using their corporate card for personal expenses. And 30% of all cardholders reported receiving no specific training on appropriate card use.

The ACFE estimates that expense reimbursement fraud carries a median loss of $50,000 per case, up $10,000 from the 2022 report. Billing schemes involving corporate cards (fictitious vendor invoices, inflated charges, shell company payments) reach a median loss of $100,000 per case. And the 2025 AFP Payments Fraud and Control Survey found that 79% of organisations were victims of attempted or actual payment fraud in 2024.

These numbers describe what gets caught. The ACFE’s data suggests a significant portion never surfaces at all: expense reimbursement and billing schemes are among the longest-running fraud types, with median detection times of 18 months, and cases lasting 24 months or more when organisations rely on passive detection methods like tips and confessions instead of proactive controls.

The common variable here is the architecture of the payment instrument itself. Traditional corporate cards issue permanent, reusable credentials with no transaction-level controls, no real-time policy enforcement, and no native link between the spend event and the governance process that should surround it. The compliance failures are built into the design.

The compliance risks hiding in corporate card programmes

Fragmented and incomplete audit trails

The most fundamental compliance requirement for any payment is traceability: a complete, verifiable chain from the business need to the payment event, through every approval, validation, and policy check in between.

Traditional corporate cards make this structurally impossible. The card transaction exists in the bank’s system. The expense report lives in the T&E platform or a spreadsheet. The approval, if it exists, lives in email or a workflow tool, and the receipt, if the cardholder remembers to submit it, lives in a photo on their phone or a folder on their desk. The reconciliation happens weeks later, if it happens at all.

The Australian National Audit Office (ANAO) made this point with uncomfortable precision in 2023–24, when it audited corporate card compliance across four Australian Government entities: the National Disability Insurance Agency, the Federal Court, the Productivity Commission, and the Australian Research Council. The findings were consistent across all four:

  • 10% of monthly credit card reconciliation statements were not signed by either the cardholder or the reviewer, meaning transactions were processed without anyone formally verifying them.
  • At the Productivity Commission, ANAO identified 72 card numbers used in 2022–23 that were not recorded in the entity’s card register, meaning the organisation did not have a complete record of which cards existed.
  • At the Australian Research Council, 51% of issued credit cards went unused in 2021–22, creating dormant credentials with no active monitoring.
  • Across multiple entities, cardholders failed to obtain proper approval for expenditures and to retain sufficient supporting documentation, the two most basic compliance requirements for any corporate card programme.

These failures are the predictable outcome of a payment method that generates transaction data in one system, approval data in another, and reconciliation data in a third. When auditors need to verify a payment, they are not reviewing a trail; they are reconstructing one. And the reconstruction is never complete.

Segregation of duties failures

Effective compliance requires that no single individual can initiate, approve, and benefit from a payment without independent oversight. Corporate card programmes routinely violate this principle, often without anyone noticing.

The ANAO’s 2024 audits documented a particularly instructive example. From a sample of 117 transactions, auditors identified 20 credit card acquittals for the CEO and other senior executives where the approving officer was junior to the cardholder. In the Australian Research Council specifically, the CEO and board members made 51 trips where the approving delegate was junior to the traveller, meaning the person signing off on the expense had less authority than the person who incurred it.

The ANAO noted that the ARC’s financial delegations did not require “one-up” approval and allowed approvers to be at the same level as, or junior to, the applicant. The risk of inappropriate positional authority was not addressed in the entity’s risk management documents.

This is a corporate card problem everywhere. When card spend is reviewed retrospectively by whoever happens to be available, segregation of duties never becomes a system-enforced control.

The ACFE found that 32% of occupational fraud cases were attributed to a lack of internal controls, and a further 19% involved overriding existing controls. Companies with strong segregation of duties controls detect fraud 50% faster. Traditional card programmes make those controls difficult to enforce and nearly impossible to verify.

Tax compliance exposure

Every corporate card transaction that lacks valid supporting documentation is a potential tax deduction at risk. For organisations operating in GST or VAT jurisdictions, including Australia, New Zealand, and the UAE, the exposure is significant and largely invisible until it surfaces during a tax audit.

In Australia, the ATO requires a valid tax invoice for any GST credit claim above A$82.50. The invoice must include the supplier’s identity and ABN, the date of issue, a description of the goods or services, and the GST amount. A credit card statement does not satisfy these requirements: it shows the merchant name and transaction amount, but not the itemised details or GST component that the ATO requires.

For an enterprise processing thousands of corporate card transactions per month, every claim submitted without a compliant tax invoice is a GST credit that may be disallowed on audit. The ATO does not estimate or negotiate: if the documentation is missing, the credit is denied.

The same principle applies in the UAE, where the Federal Tax Authority requires tax invoices with specific fields, including the supplier’s Tax Registration Number, the tax amount, and a description of goods or services, for all VAT input tax recovery. Under the VAT Penalties Decree, failure to comply attracts penalties starting at 2% of unpaid tax immediately, escalating to 4% after seven days and 1% per day thereafter, up to 300% of the amount owed.

In New Zealand, Inland Revenue requires GST tax invoices for all claims above NZ$50. The requirements mirror Australia’s: supplier details, GST registration number, date, description, and GST amount.

Corporate card programmes create tax compliance risk in three ways:

  • Missing receipts and invoices. Cardholders forget, lose, or never request them. The transaction appears on the statement, but the supporting documentation required for a GST/VAT claim does not exist.
  • Incorrect expense categorisation. Meals classified as office supplies. Personal purchases coded as business expenses. Entertainment expenses claimed as GST-eligible when they are specifically excluded. Each miscategorisation is a potential tax adjustment.
  • Delayed or incomplete reconciliation. When card statements are reconciled weeks after transactions occur, errors in categorisation and missing documentation compound. By the time the BAS or VAT return is filed, the data underlying the tax position may be inaccurate.

For an enterprise with $50 million in annual card spend and a 10% GST/VAT rate, even a 5% failure rate in documentation compliance represents $250,000 in tax credits at risk per year, before penalties and interest.

Data security and PCI DSS exposure

Traditional corporate cards distribute static payment credentials across dozens or hundreds of employees, each of whom may store, share, or transmit card details in ways that create data security risks the organisation cannot monitor or control.

PCI DSS 4.0.1, the current Payment Card Industry Data Security Standard, applies to any organisation that stores, processes, or transmits cardholder data.

Non-compliance penalties range from $5,000 to $10,000 per month for the first three months, escalating to $25,000 to $50,000 for months four through six, and up to $100,000 per month thereafter. The average cost of a data breach in the financial services sector is approximately $5.97 million, according to IBM’s Cost of a Data Breach Report.

Corporate cards create PCI DSS exposure in ways that are difficult to mitigate:

  • Static credentials can be compromised at any point during their multi-year lifecycle. A card number skimmed at a point-of-sale terminal, copied from an email, or intercepted during an online transaction remains valid until the card expires or is manually cancelled.
  • Cardholders routinely store card details in unsecured locations: saved in browsers, written in notebooks, photographed on phones, shared via messaging platforms. Each instance is a potential PCI DSS violation the organisation may not know about.
  • Physical cards can be lost or stolen, exposing the full credit line until the loss is reported and the card is deactivated. The AFP notes that lost or stolen physical cards represent a materially higher risk than virtual alternatives, where there is no physical credential to lose.

For organisations in regulated industries (banking, insurance, and superannuation in Australia under APRA CPS 234, or financial institutions in the UAE under CBUAE regulations), payment data security is a regulatory obligation that traditional card programmes make structurally difficult to meet.

Cross-border and multi-entity compliance gaps

For organisations operating across multiple jurisdictions, traditional corporate cards multiply every compliance challenge described above. Different entities operate under different tax regimes, different reporting requirements, different approval hierarchies, and often different card programmes, each with its own reconciliation process, its own policy framework, and its own audit trail (or lack thereof).

The Payments Journal reports that the average enterprise manages payments across 6.6 systems. When each entity operates its own corporate card programme through its own banking relationship, the result is:

  • No consolidated view of card spend across the enterprise. Compliance, fraud detection, and policy enforcement happen at the entity level, not the enterprise level.
  • Inconsistent policy enforcement. Approval thresholds, documentation requirements, and spending limits vary by entity, creating gaps that are invisible at the consolidated level.
  • Per-entity reconciliation. Each entity reconciles its own card statements against its own invoices and expense reports, multiplying the manual effort and the opportunity for error.
  • Regulatory reporting fragmentation. VAT returns, GST BAS filings, and e-invoicing submissions are prepared separately, often from different data sources, with no unified validation layer.

For enterprises that operate across borders, the compliance exposure is compounded by currency differences, language differences, and regulatory frameworks that are converging in their requirements (e-invoicing, real-time reporting, digital traceability) but diverging in their specifics.

The regulatory context is tightening

The compliance risks embedded in traditional corporate card programmes are growing because the regulatory environment in every major market is moving toward real-time, digitally verifiable, end-to-end payment traceability: exactly the capability that traditional cards cannot provide.

In the UAE, the e-invoicing mandate taking effect from January 2027 requires machine-readable, Peppol-compliant invoice and payment data for all business transactions. Cabinet Decision No. 106 of 2025 established penalties of AED 5,000 per month for non-compliance and AED 100 per late invoice. The CBUAE imposed over AED 370 million in fines in the first half of 2025 alone for AML failures, and the enforcement trajectory is accelerating.

Organisations in the UAE face an additional cost of 4.19 AED for every AED lost to fraud, making uncontrolled corporate card spend a multiplied financial exposure.

The Central Bank (CBUAE) is simultaneously building Open Finance, a regulated framework that enables licensed third-party providers to initiate payments and access financial data through standardised APIs via a centralised hub.

The framework moved from regulation to live operation in January 2026, when Commercial Bank of Dubai activated Open Finance, with Abu Dhabi Islamic Bank following shortly after. The CBUAE’s broader Financial Infrastructure Transformation Programme, nine initiatives targeting full integration by the end of 2026, is 85% complete.

As the UAE moves toward 100% API-driven, centralised financial infrastructure, relying on legacy corporate cards that sit outside this digital ecosystem becomes a massive operational and compliance liability.

In Australia, the ANAO’s 2024 audit series has put corporate card compliance squarely on the agenda for every Commonwealth entity. APRA CPS 230, effective since July 2025, classifies payment execution as a critical operation for regulated entities and requires strengthened operational risk management, including for third-party payment providers. And the government’s Peppol e-invoicing mandate requires at least 30% of invoices to be received electronically by July 2026, pushing procurement toward digital, auditable payment methods.

In New Zealand, the Serious Fraud Office estimates that under-reported public sector fraud could represent losses of NZ$500 million to NZ$5 billion annually. Central government agencies must be fully e-invoicing capable by January 2026, with large supplier mandates following by January 2027.

How embedded virtual cards eliminate these risks

The compliance risks in traditional corporate card programmes are not caused by bad policies or careless employees. They are caused by the architecture of the payment instrument: static credentials, no transaction-level controls, no real-time governance, and no native connection between the spend event and the compliance framework surrounding it.

Embedded virtual cards address every one of these risks by replacing that architecture with one that is governed by design.

Transaction-level controls replace blanket credit limits

Every virtual card is generated for a specific transaction with a pre-set spending limit, a defined supplier or merchant restriction, and a configurable expiry window, often measured in hours or days. The card cannot be used at an unauthorised merchant, charged above the approved amount, or reused after the transaction settles.

This is a different control model entirely. The AFP reports that virtual cards have a 9% fraud rate, compared to 36% for physical corporate cards: a 75% reduction, driven by eliminating reusable credentials entirely.

Audit trails are generated automatically

When a virtual card is embedded in your payables workflow, every transaction carries a complete audit trail from the moment the spend is requested to the moment it settles. The business need, the approval, the policy checks, the card generation, the transaction, and the reconciliation all occur within the same governed platform.

There is no trail to reconstruct. No statements to match against receipts. No missing documentation to chase. The audit evidence exists because the process generates it automatically.

Segregation of duties is enforced by the system

In an embedded model, the person who requests the spend, the person who approves it, and the system that generates the payment credential operate within a single workflow with role-based access controls. The platform prevents prohibited combinations at the system level: a user who approves a purchase cannot also execute the payment.

This directly addresses the positional authority failures the ANAO documented. When the system enforces segregation, it does not matter whether the approver is junior to the cardholder. The system does not allow the conflict to occur.
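The two control models described above (transaction-level limits on a single-use card, and segregation of duties enforced before any credential exists) as a constructed Python model; this is an added illustration, not SpendConsole's code, and every identifier, principal name and amount in it is made up for the example:

```python
"""Constructed model of embedded virtual-card controls (illustration only, not SpendConsole's code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

HOUR = timedelta(hours=1)
T0 = datetime(2026, 3, 2, 9, 0, tzinfo=timezone.utc)  # constructed reference time


@dataclass
class VirtualCard:
    card_id: str
    supplier_id: str            # merchant restriction, derived from the approved invoice
    limit_cents: int            # pre-set spending limit; money as integer cents, never floats
    expires_at: datetime        # expiry window, measured in hours or days
    requested_by: str
    approved_by: str
    issued_by: str
    used: bool = False
    trail: list = field(default_factory=list)   # audit events generated by the process itself

    def log(self, at: datetime, event: str) -> None:
        self.trail.append((at.isoformat(), event))


def issue_card(card_id, supplier_id, amount_cents, requested_by, approved_by,
               issued_by, now=T0, ttl_hours=24) -> VirtualCard:
    """Generate a single-use card for one approved invoice.

    Segregation of duties is checked before any credential exists: the principal who
    requested the spend, the one who approved it and the one executing issuance must differ.
    """
    if len({requested_by, approved_by, issued_by}) < 3:
        raise PermissionError("requester, approver and issuer must be three distinct principals")
    card = VirtualCard(card_id, supplier_id, amount_cents, now + ttl_hours * HOUR,
                       requested_by, approved_by, issued_by)
    card.log(now, f"issued for {supplier_id}, limit {amount_cents} cents, "
                  f"requested={requested_by} approved={approved_by} issued={issued_by}")
    return card


def authorise(card: VirtualCard, merchant_id: str, amount_cents: int, now: datetime) -> str:
    """Decide one charge against the card's controls.

    Every outcome is written to the trail, so audit evidence exists whether the
    charge is approved or declined. Checks run in a fixed order; the first failure wins.
    """
    if card.used:
        verdict = "declined: single-use card already spent"
    elif now > card.expires_at:
        verdict = "declined: card expired"
    elif merchant_id != card.supplier_id:
        verdict = f"declined: merchant {merchant_id} is not the approved supplier"
    elif amount_cents > card.limit_cents:
        verdict = "declined: amount exceeds approved limit"
    else:
        card.used = True            # settle once; any later attempt is a replay
        verdict = "approved"
    card.log(now, f"charge of {amount_cents} cents at {merchant_id}: {verdict}")
    return verdict


def run_example() -> dict:
    """Walk one approved invoice through the controls; returns the verdicts for inspection."""
    card = issue_card("vc-001", "SUP-123", 8_250, "alice", "bob", "payments-svc")
    results = {
        "wrong_merchant": authorise(card, "SUP-999", 8_250, T0 + 1 * HOUR),
        "over_limit": authorise(card, "SUP-123", 9_000, T0 + 1 * HOUR),
        "valid": authorise(card, "SUP-123", 8_250, T0 + 2 * HOUR),
        "replay": authorise(card, "SUP-123", 8_250, T0 + 3 * HOUR),
    }
    late = issue_card("vc-002", "SUP-123", 8_250, "alice", "bob", "payments-svc")
    results["expired"] = authorise(late, "SUP-123", 8_250, T0 + 30 * HOUR)
    try:   # approver attempting to also act as requester: blocked before issuance
        issue_card("vc-003", "SUP-123", 8_250, "bob", "bob", "payments-svc")
        results["sod"] = "issued"
    except PermissionError:
        results["sod"] = "blocked"
    results["trail_events"] = len(card.trail)   # one issuance event plus four charge decisions
    return results


if __name__ == "__main__":
    for key, verdict in run_example().items():
        print(f"{key}: {verdict}")
```

The trail on each card is the audit record the text describes: it is produced by the same code path that makes the decision, so there is nothing to reconstruct afterwards.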

Tax compliance becomes a by-product of the payment

When every virtual card transaction is linked to an approved invoice with validated supplier details, itemised descriptions, and correct tax identifiers, the documentation required for GST/VAT reclaim exists before the payment is made, not weeks later when someone reconciles the statement.

For enterprises, this means every transaction above the applicable threshold carries a compliant tax invoice by default. The GST/VAT credit is substantiated at the point of spend.

Data exposure is minimised by design

Virtual cards eliminate the PCI DSS risks inherent in static credentials. Each card number is generated for a single use and automatically deactivated after settlement. There is no long-lived credential to be stored, shared, intercepted, or compromised. Even if a virtual card number were intercepted, it could not be reused, charged above its limit, or processed at an unauthorised merchant.

For regulated entities under APRA CPS 234 or CBUAE data security requirements, this is a material reduction in payment data exposure built into the architecture itself.

Cross-border visibility from a single platform

When virtual cards are managed through a unified orchestration layer that connects to multiple issuers across geographies, your enterprise gains consolidated spend visibility, consistent policy enforcement, and unified compliance reporting across every entity and jurisdiction, replacing the per-entity, per-card-programme fragmentation that traditional programmes create.

How SpendConsole approaches corporate card compliance

SpendConsole’s payables orchestration platform integrates virtual card payments directly into the governed procure-to-pay workflow, treating every payment as a compliance event.

Virtual cards from 75+ global issuers

SpendConsole connects enterprises to virtual card programmes from over 75 global issuers, including partnerships with HSBC and Mastercard, supporting payments in 50+ currencies. Each card is generated for a specific invoice or transaction with controls derived from the approved data: correct amount, correct supplier, correct time window, correct merchant category. No manual configuration required.

Policy enforcement at the point of transaction

Approval routing, spending thresholds, segregation of duties, duplicate detection, and supplier verification are enforced by the platform before a virtual card is generated, not reviewed after the transaction settles. SpendConsole has helped clients prevent over $18 million in unauthorised payments through these embedded controls.

Automated reconciliation and audit trails

Every virtual card transaction is automatically linked to the invoice, purchase order, and approval chain that preceded it. Bank feed integration matches payment confirmations to initiated transactions in real time, delivering a 90% reduction in manual reconciliation effort. The complete, immutable audit trail, from invoice receipt to settlement, is generated as a by-product of the payment itself.

Regulatory compliance by design

SpendConsole is an accredited Peppol Service Provider with native support for UAE PINT AE specifications. The platform validates TRN, VAT, and GST identifiers against regulatory databases in real time and generates compliant e-invoicing documents for organisations operating across the UAE, Australia, and New Zealand.

FAQs

What are the main compliance risks of traditional corporate cards?

Traditional corporate cards create five categories of compliance risk: fragmented audit trails that must be manually assembled from multiple systems; segregation of duties failures where the same person can incur and approve spend; tax compliance exposure from missing documentation and incorrect categorisation; data security risks from static, reusable credentials distributed across employees; and cross-border compliance gaps when multiple entities operate separate card programmes with inconsistent controls.

How do virtual cards improve audit trail completeness?

Virtual cards embedded in a payables workflow generate a complete audit trail automatically. Because the card is generated from within the same platform that captures the business need, validates the invoice, enforces the approval, and settles the payment, every event is linked and timestamped without manual intervention. When auditors need to verify a payment, the trail already exists; no reconstruction is required.

Do virtual cards eliminate segregation of duties risks?

When virtual card issuance is governed by the same workflow that handles approval routing, the platform enforces segregation of duties at the system level. The person who requests the spend cannot also approve it, and the person who approves it does not manually generate the card. Role-based access controls prevent prohibited combinations by design, addressing the positional authority failures that audit offices regularly identify in traditional card programmes.

How do embedded virtual cards improve tax compliance?

Every virtual card transaction generated from an approved invoice carries the validated supplier details, itemised descriptions, and tax identifiers required for GST/VAT reclaim, before the payment is made. This eliminates the documentation gaps that cause tax credit disallowances: missing receipts, incorrect categorisation, and incomplete tax invoices. For organisations in Australia (GST), the UAE (VAT), and New Zealand (GST), the tax documentation is a by-product of the governed payment process.

What is the fraud rate difference between physical and virtual corporate cards?

The Association for Financial Professionals (AFP) reports that physical corporate and commercial cards carry a 36% fraud rate, compared to 9% for virtual cards, a 75% reduction. The difference is architectural: virtual cards use single-use credentials with transaction-specific limits, supplier restrictions, and automatic expiry, eliminating the conditions that make physical card fraud possible.

How does PCI DSS apply to corporate card programmes?

Any organisation that stores, processes, or transmits cardholder data is subject to PCI DSS requirements. Non-compliance penalties range from $5,000 to $100,000 per month, and the average data breach in financial services costs $5.97 million. Virtual cards reduce PCI DSS exposure by eliminating long-lived credentials: each card number is single-use and automatically deactivated, so there is no persistent cardholder data to protect across the organisation.

What regulatory changes affect corporate card compliance in 2026–2027?

The UAE e-invoicing mandate (effective January 2027) requires digitally traceable, Peppol-compliant payment data. Australia’s CPS 230 (effective July 2025) classifies payment execution as a critical operation for regulated entities. New Zealand mandates full e-invoicing capability for public agencies by January 2026, with large supplier mandates by January 2027. All three frameworks require real-time, machine-readable, end-to-end traceability that traditional corporate card programmes cannot provide.