Permanent establishment risk is the legal and tax exposure a company creates when its activities in a foreign country are sufficient for that country’s tax authorities to treat it as a local taxable presence, even without a registered office or subsidiary.<\/p>\n\n\n\n
Companies expanding across borders today face a compliance landscape that has grown considerably more complex over the past five years. Remote work has blurred the line between “exploring a market” and “operating in one.” A single overseas hire, a sales representative empowered to sign contracts, or a support team member working full-time from their home in Kuala Lumpur can each, under the right set of facts, constitute a permanent establishment (PE) for your company in that jurisdiction. The financial consequences range from retroactive corporate tax assessments and double taxation to worker misclassification penalties that can run into hundreds of thousands of dollars.<\/p>\n\n\n\n
This article breaks down permanent establishment risk explained in plain terms: what it is, what triggers it, how misclassification compounds it, and how companies expanding into Malaysia and Southeast Asia can structure compliant hiring from day one.<\/p>\n\n\n\n
TL;DR<\/strong><\/p>\n\n\n\n The concept of permanent establishment is anchored in Article 5 of the OECD Model Tax Convention<\/a>, which forms the basis for most bilateral tax treaties worldwide. Before 2017, PE was primarily about offices and factories. Post-COVID, a single remote employee working from their apartment in another country can potentially create a taxable presence for a company.<\/p>\n\n\n\n The OECD’s November 2025 update to the Model Tax Convention<\/a>, the first comprehensive revision since 2017, adds a new analytical framework and establishes a 50% working time benchmark along with a commercial reason test for home office PE assessments. What this means practically is that tax authorities now have clearer, more precise criteria to audit cross-border workforce arrangements. Companies that have operated in a grey area for years are finding that grey area has narrowed.<\/p>\n\n\n\n A PE occurs when a company has a fixed place of business in a foreign country, resulting in corporate income being taxed locally. Triggers include employees with authority to negotiate and sign contracts on behalf of the company, and activity that constitutes a core business function rather than a preparatory or auxiliary one.<\/p>\n\n\n\n The stakes are direct: businesses that do not pay taxes to a country that considers their operations established become liable for back taxes and interest owed. Fines, penalties, and increased audit scrutiny are the common consequences, and the business may also be required to pay back benefits, wages, and taxes.<\/p>\n\n\n\n Understanding the trigger points is the first step to avoiding permanent establishment overseas. The three most common scenarios for growing companies are:<\/p>\n\n\n\n The dependent agent trigger.<\/strong> If a remote employee can negotiate contracts, approve deals beyond pre-approved parameters, or act as the primary commercial contact managing ongoing customer relationships and revenue generation, local tax authorities may determine a taxable presence has been created. A sales lead in Penang who routinely closes contracts on your company’s behalf is not simply a remote worker. Under most treaty frameworks, they are a dependent agent, and that creates PE.<\/p>\n\n\n\n The time threshold trigger.<\/strong> The OECD’s updated two-part framework<\/a> establishes that if an employee spends less than 50% of their working hours at a foreign location over a rolling 12-month period, that location is generally not considered a fixed place of business. Exceeding 50% shifts the analysis to whether the employee’s presence serves a genuine commercial purpose for the business. For most companies with full-time overseas hires, the 50% threshold is crossed from the first month of employment.<\/p>\n\n\n\n The service duration trigger.<\/strong> Many jurisdictions, including several across Southeast Asia, apply a 183-day rule: countries consider a PE where employees work more than 183 days per year or perform core operational functions during that period. This is a particularly common trap for companies that begin with a short-term contractor arrangement and allow it to extend without formalising the relationship.<\/p>\n\n\n\n Worker misclassification is the practice of engaging employees under contractor agreements to avoid payroll obligations, statutory contributions, and employment law protections. It is one of the most common errors growing companies make when entering new markets, and it directly amplifies PE exposure.<\/p>\n\n\n\n Misclassification of employees as contractors can trigger PE and penalties. Tax authorities look to contracts, policies, and workflows to determine whether a worker truly operates independently or functions as an integrated part of the employer’s business.<\/p>\n\n\n\n Worker misclassification penalties vary by jurisdiction but the pattern is consistent: businesses found to be non-compliant face hefty fines, backdated benefit obligations, and wage recovery requirements. In Malaysia, employer of record misclassification risk carries particular weight because the Employment Act 1955 sets out statutory minimums, from annual leave entitlements to overtime pay, that apply to all qualifying employees regardless of how the engagement was initially structured.<\/p>\n\n\n\n Understanding Malaysia employment law for foreign companies begins with recognising that the Employment Act’s protections<\/a> extend to employees earning below a defined wage threshold, with amendments broadening its scope in recent years. Malaysia Employment Act foreign companies must navigate includes mandatory contributions to the Employees Provident Fund (EPF), SOCSO, and EIS, totalling approximately 15% to 16% of gross salary on the employer side. Misclassifying a worker to avoid these contributions does not eliminate the liability: it defers it and adds penalty interest.<\/p>\n\n\n\n In one engagement, a technology client working with SummitNext achieved full Malaysian statutory compliance for a team of eight within three weeks of engagement, avoiding retroactive EPF and SOCSO exposure that would have applied had they continued under informal contractor arrangements.<\/p>\n\n\n\n An employer of record (EOR) is a third-party organisation that legally employs workers on behalf of a client company in a foreign jurisdiction. Because the EOR is the entity of record, the client company does not acquire the employment relationship that typically triggers a dependent agent PE. The client directs the work; the EOR manages all statutory obligations.<\/p>\n\n\n\n The employer of record benefits<\/a> that are most relevant to PE management include:<\/p>\n\n\n\n Elimination of entity setup timelines.<\/strong> Establishing a foreign subsidiary typically takes 8 to 16 weeks and requires legal, banking, and regulatory registration across multiple agencies. SummitNext’s EOR model allows companies to onboard talent in Malaysia<\/a> in a fraction of that time, with EOR onboarding time running as low as one to three weeks for standard roles, enabling companies to test market fit before committing to entity formation.<\/p>\n\n\n\n Statutory compliance by design.<\/strong> The EOR handles EPF, SOCSO, EIS, and HRD levy contributions on behalf of the client, ensuring that Malaysia employment law for foreign companies is met from the first payroll cycle. This removes the misclassification exposure that arises when companies attempt to manage overseas payroll informally.<\/p>\n\n\n\n Defined authority limits.<\/strong> Because the employment contract sits with the EOR and not the foreign company, it is structurally easier to define and document that overseas workers do not hold contract-signing authority on the client’s behalf, which directly addresses the dependent agent PE trigger. Limiting the scope of foreign activities and avoiding granting signing authority to overseas staff are among the proven strategies for avoiding PE risk, and an EOR provides the contractual structure to enforce both.<\/p>\n\n\n\n SummitNext’s Distributed Delivery Model<\/a> treats compliance architecture and operational delivery as integrated considerations. Rather than treating PE risk as a legal footnote, it is embedded into workforce design decisions from the point of hiring brief through to contract structure and role definition. For companies entering Malaysia, the Philippines, or other Southeast Asian markets, this means the compliance layer is built in, not bolted on after a tax audit has already begun.<\/p>\n\n\n\n For a detailed breakdown of what EOR actually costs across Malaysia and the Philippines, see SummitNext’s guide to employer of record costs explained<\/a>.<\/p>\n\n\n\n The most effective time to address permanent establishment risk is before the first offer letter is signed. Four steps matter most:<\/p>\n\n\n\n Map the role against PE triggers.<\/strong> Determine whether the overseas position involves contract authority, revenue generation, or regular client-facing decision-making. If it does, the hiring structure needs to reflect that from day one.<\/p>\n\n\n\n Choose the right employment vehicle from the start.<\/strong> Using an EOR as the official employer means the client company is not seen as having a direct presence in the foreign jurisdiction. This does not eliminate every form of PE risk, but it removes the most common structural triggers.<\/p>\n\n\n\n Document everything.<\/strong> KPMG recommends<\/a> that companies document remote work arrangements and continuously monitor the development of international tax rules to avoid future risks. Time logs, role definitions, and reporting line documentation are the primary defence in a tax audit.<\/p>\n\n\n\n\n
What Is Permanent Establishment and Why Does It Matter Now?<\/strong><\/h2>\n\n\n\n
What Triggers Permanent Establishment Risk in Practice?<\/strong><\/h2>\n\n\n\n
Why Worker Misclassification Makes Permanent Establishment Risk Worse<\/strong><\/h2>\n\n\n\n
How an Employer of Record Reduces Permanent Establishment Exposure<\/strong><\/h2>\n\n\n\n
What Growing Companies Should Do Before Their First Overseas Hire<\/strong><\/h2>\n\n\n\n