Remote-first Entities: substance, governance, and the new red flags (2026 edition)

A remote-first business looks perfect on paper.

You work on Zoom. Your team is spread across countries. You sell globally. You keep costs low. And you set up a company in a “business-friendly” place.

Then one day, something simple happens:

• a bank asks for documents you don’t have,
• a tax authority asks where decisions are really made,
• a client asks for proof of “real presence,”
• or a remote employee accidentally creates a tax footprint in a country you never planned for.

In 2026, this is becoming normal. Not because remote work is “bad,” but because remote work creates border questions—and different institutions answer those questions in strict ways.

The goal is not to be scared. The goal is to build a remote-first entity that is audit-ready, bank-ready, and deal-ready.

What “substance” really means (three tests, one headache)

People talk about “substance” like it’s one rule. It isn’t.

In real life, substance is three overlapping tests:

1) Tax substance

This is about where the company is managed and controlled.
In plain language: Where are the big decisions made? Who makes them? Where are those people physically located when they decide?

2) Operational substance

This is about where the work happens.
Who does the key work? Where do they sit? Where are the functions, payroll, tools, and assets that create value?

3) Compliance substance (bankability)

This is about credibility and consistency.
Banks and partners ask: Do the documents match the story? Are owners clear? Are payments easy to understand? Is the setup “real,” or just a mailbox?

In late 2025, the OECD updated its guidance on when remote work can create a Permanent Establishment (PE) risk—meaning a company can be treated as having a taxable presence in another country because of where people work. In other words: “We’re not there” is no longer a safe default assumption. KPMG+2KPMG+2

Why 2026 is a red-flag year for paper structures

A few big policy and market shifts are raising the bar.

Remote work PE risk got clearer

OECD-related guidance published in November/December 2025 adds a practical framework for home-office PE analysis, including a 50% working time benchmark and a commercial reason test in many cases. That reduces some accidental risk, but it also makes enforcement easier because the questions are now clearer. EY+2EY+2

“Unshell” was dropped, but the logic stayed

The EU Council dropped the draft ATAD3 “Unshell” directive in June 2025. But the idea behind it—warning signs like no staff, no premises, outsourced directors, and treaty-shopping—still shows up in bank risk scoring and tax audits. INREV

The global minimum tax architecture favors real people and real assets

Under Pillar Two, the system explicitly uses measures tied to payroll and tangible assets in parts of the framework (the “substance” concept shows up in the mechanics). The OECD’s Side-by-Side package describes caps and limits calculated by reference to payroll and tangible assets, linking benefits to real activity. OECD

“It was repealed” does not mean “it’s forgotten”

In the UAE, firms have noted that even though ESR was repealed for financial years starting on/after 1 January 2023, audits of historical ESR filings have intensified. So older “substance era” paperwork still matters. Andersen+2K&L Gates+2

EU AML supervision is centralizing (banks get more conservative)

AMLA’s official timeline shows ramp-up through 2026–2028, including selection of entities for direct supervision in 2027 and direct supervision beginning in 2028. That tends to push more standardized (often stricter) onboarding expectations across the EU-linked banking system. AML/CFT Authority+1

And separately: the EU’s DAC8 rules for crypto-asset reporting enter into force on 1 January 2026, which adds reporting and recordkeeping pressure for many structures that touch digital assets or platforms. Taxation and Customs Union

The new red flags (2026): what actually triggers trouble

Think of red flags as “speed bumps.” One red flag may not kill you. But several together can.

Governance red flags (how decisions are made)

1. Nominee everything: directors/shareholders who cannot explain the business
2. No board minutes or resolutions: big decisions made in Slack with no formal record
3. Management spread across countries with no clear “decision home”
4. Contracts signed in one country, invoicing from another, leadership living in a third (story doesn’t match paperwork)
5. IP owned “somewhere cheap,” but product decisions happen elsewhere (value mismatch)

Operational red flags (where value is created)

6. No payroll where the company claims residence (only contractors abroad)
7. Key people in a higher-tax country who negotiate and close deals (classic PE risk area) KPMG+1
8. “Virtual office only,” with no evidence of real operating footprint
9. Cost base doesn’t fit the revenue (“too good to be true”)
10. Everyone is “remote,” but nobody can show who actually does the core work

Compliance/bankability red flags (what banks see)

11. Unclear or inconsistent source of funds
12. Vague payment purposes (“services,” “consulting”) with no contract trail
13. Refusal to clearly explain beneficial ownership and control, even if local laws feel flexible

A quick U.S. nuance: beneficial ownership reporting has been in flux. FinCEN issued an interim final rule in 2025 removing BOI reporting requirements for U.S. companies and U.S. persons under the CTA, while foreign reporting companies were still treated differently. Don’t read “flux” as permission to be opaque—banks and deal counterparties can still require clarity. FinCEN.gov+1

A simple Substance & Governance Scorecard (use this before you incorporate)

Score each area 0–5 (0 = weak, 5 = strong). Total out of 25.

1. Governance reality

• Do you have real directors who make decisions?
• Do you keep minutes and resolutions for major choices?

2. People and payroll

• Do you have employees (not only contractors)?
• Are key roles located where you claim substance?

3. Premises and operations

• Do you have fit-for-purpose space (not just mail forwarding)?
• Can you show basic operating activity (local providers, local systems)?

4. Remote work + PE controls

• Do you know where high-risk employees work?
• Do you limit deal-closing authority in unintended places?

5. Documentation quality (bank-ready)

• Can you explain ownership clearly?
• Can you explain money movement clearly?

Rule of thumb:

• 20–25: generally strong and defensible
• 14–19: workable but expect extra questions
• 0–13: high friction (banks, audits, deals)

The playbook: “Remote-first, audit-ready” entity design

This is the practical part. You don’t need a giant office. You need proof.

1) Governance that travels well

Remote-first companies fail when governance is casual.

Do this instead:

• Set a board calendar (quarterly is common)
• Keep written resolutions for big decisions: pricing, key hires, major contracts, financing, IP moves
• Keep a simple decision log: what was decided, by whom, when, and where

This is not bureaucracy for fun. This is your “receipt” when someone asks, “Who runs this business, and from where?”

2) Substance you can show (not just claim)

Substance is easiest to defend when at least some core activity matches the jurisdiction story.

Simple upgrades that help:

• Put 1–3 key roles on payroll where you claim the entity is resident (even a lean team can matter)
• Use premises that fit your business (a real workspace, not a mailbox)
• Make sure service agreements match reality (what is outsourced vs controlled in-house)

3) Remote work hygiene (PE controls)

The OECD commentary update makes this area more structured. Many summaries point to a 50% working time benchmark and a commercial reason test for home-office PE analysis. EY+2EY+2

What to do in simple terms:

• Identify high-risk roles: sales, deal negotiators, contract signers, country managers
• Write a one-page role authority policy: who can negotiate, who can sign, what needs HQ approval
• Track where high-risk people work (not forever, just enough to be credible)
• Document the commercial reason for any long-term presence in another country (if relevant)

4) Align “where IP sits” with “where decisions happen”

If the company’s most valuable thing is product or IP, mismatch is a common audit trigger:

• IP owned in one country
• product decisions made elsewhere
• revenue booked somewhere else

You don’t need a perfect world. You need a story that makes sense and documents that match it.

5) Build a “bank-ready” file (because banking is where weak setups die)

Banks don’t care about your branding. They care about risk.

Create a folder you can share quickly:

• ownership chart (beneficial owners, directors, signatories)
• governance evidence (minutes/resolutions)
• source of funds and major contracts
• invoice and payment purpose templates
• proof of operations (basic evidence your business exists)

Why so picky? Because banking and payments rely on data quality and transparency standards. Wolfsberg guidance focuses on clear roles and responsibilities in payment chains, and Wolfsberg questionnaires are widely used as practical benchmarks in banking due diligence. Wolfsberg Group+1

Three mini “failure stories” (composites based on common patterns)

Failure 1: The accidental PE salesperson

A company says it has “no presence” in Country X.
But a remote salesperson in Country X spends most of the year there and effectively negotiates deals.

Result: PE questions. Tax and payroll questions. Client diligence questions.
Fix: define sales authority limits, track locations for high-risk roles, document how deals are approved, and align practice with the OECD-style framework. EY+1

Failure 2: The bank onboarding that never finishes

The founder applies for an account. The bank asks:

• Who really controls the entity?
• Where are decisions made?
• Why does money flow through three jurisdictions?
• Where are the minutes?

Result: “Enhanced Due Diligence” that drags on—or a quiet rejection.
Fix: create the board pack and a simple narrative that matches contracts, invoices, and payments.

Failure 3: “ESR is gone, we’re done”… until the audit

A firm assumes old ESR filings don’t matter because ESR was repealed for later financial years. But auditors ask about historical years.

Result: painful document hunts and possible penalties.
Fix: treat old filings as live records; keep evidence that supports past claims. Andersen+1

The one-page “Board Pack” template (copy/paste list)

If you run a remote-first entity, keep this ready:

1. Company snapshot (what we do, who we serve, where we operate)
2. Org chart (owners, directors, signatories, key staff)
3. Decision log (last 90 days)
4. Board minutes/resolutions (last quarter)
5. Contract list (top clients, top vendors)
6. Banking map (accounts, purpose, expected flows)
7. Tax position summary (short memo, updated yearly)
8. Remote work policy (who can sign, who can negotiate, where high-risk roles can sit)

This is what makes you “easy to onboard” and “easy to diligence.”

A simple 30–90–365 day action plan

In the next 30 days

• Write your governance basics: minutes + resolutions template
• Build your ownership/control chart
• Write your “where decisions happen” narrative (one page)

In the next 90 days

• Fix high-risk roles: sales authority, signing authority, remote work policy
• Add at least some real operating footprint where you claim substance
• Build your bank-ready folder

Every year

• Refresh KYC documents and tax memos
• Review where people actually worked (especially deal roles)
• Re-check list risk, reporting changes, and banking expectations (EU AML centralization is still ramping) AML/CFT Authority+1

The takeaway

Remote-first is not a loophole. It’s a real operating model.

But in 2026, the institutions that matter—banks, tax authorities, and large counterparties—are converging on one simple question:

“Where is this company real?”

If you can answer that with:

• clean governance,
• people and operations that match the story,
• and strong documentation,

you don’t just reduce risk—you gain speed, bankability, and deal access.

I-Invest note: This is educational, not legal or tax advice. Rules vary by country and personal facts. Use qualified professionals for decisions.