InvoisSentry — 72-hour sentry for Malaysian SME e-invoicing

1. One-liner

Catches a Malaysian SME’s bad inbound MyInvois e-invoices before the 72-hour clock runs out — and flags audit gaps first.

2. Trend signal — why now?

Malaysia’s mandatory e-invoicing regime (MyInvois, run by LHDN) crossed a threshold this year. Businesses with RM1M–RM5M turnover were brought into scope from 1 January 2026 — that’s the SME mass market, not just large taxpayers. Every commercial transaction now routes through LHDN’s MyInvois platform for validation.

The mandate created two problems that did not exist 12 months ago, and neither is what the software market is selling against:

1. The inbound 72-hour clock. When a supplier issues an e-invoice naming you as buyer, LHDN validates it, and you — the buyer — have 72 hours to reject it if the TIN, address, MSIC code, or tax classification is wrong. Miss the window and LHDN auto-accepts it; correcting it afterwards requires the supplier to issue a credit/debit note, which most won’t bother to do. The bad invoice is now in your tax record.
2. The reconciliation trap. LHDN can instantly cross-reference the total value of validated e-invoices against your declared SST returns, Form C revenue, and bank deposits. The Tax Audit Framework names the triggers explicitly: persistent rejection rates, e-invoice-vs-SST mismatches, and B2C consolidation patterns that don’t reconcile to bank deposits.

This stopped being theoretical. In February 2026, LHDN reported identifying over 500,000 non-compliant cases and RM14 billion in unreported income, with active enforcement underway. Penalties run RM200–RM20,000 per offence under Section 82C of the Income Tax Act — a batch of 50 bad invoices is up to RM1M of exposure.

Every vendor in the market — JomeInvoice, Bukku, AutoCount, Financio, BDO middleware — sells the issuance side: get your outbound invoices into MyInvois. Nobody is selling the inbound watch + reconciliation side, because that pain only becomes real a few months after you start issuing — and that moment arrived in Q1 2026.

Provenance:

• Signal 1 (demand): LHDN flagged 500,000+ non-compliant cases and RM14B unreported income in Feb 2026; Tax Audit Framework explicitly lists rejection rates and e-invoice/SST mismatches as audit triggers — https://jomeinvoice.my/article/lhdn-e-invoice-penalty-malaysia-what-sme-owners-must-know-in-2026/ — 2026-05-22
• Signal 2 (feasibility): MyInvois public API/SDK is live (document retrieval, reject-document endpoint); SME band went live 1 Jan 2026, so the inbound-monitoring problem only became addressable in the last ~5 months — https://sdk.myinvois.hasil.gov.my/einvoicingapi/04-reject-document/ — 2026-05-22
• Signal 3 (economic): Malaysian e-invoicing middleware/software market already monetizing at RM100–RM60,000/yr across hundreds of thousands of in-scope SMEs — https://malaysia4u.com/einvoicing-guide — 2026-05-22 Category: Regulatory arbitrage

3. The opportunity

The mandate forced every Malaysian SME to plug into MyInvois. The whole vendor ecosystem treated that as a one-direction problem — “help you submit” — and stopped there. But MyInvois is a two-way ledger. Invoices arrive at you, validated, with a silent countdown attached. And the same ledger is what LHDN audits you against.

The incumbents (accounting software with a MyInvois module, standalone middleware) do the submission well and the watching badly or not at all. A focused product that does three things — monitors inbound documents, screens them for the error patterns that get a buyer in trouble, and continuously reconciles e-invoice totals to SST and bank — sits in a gap nobody is defending. This is not a disruption of an incumbent’s UX; it’s an adjacent job the incumbents skipped.

The regulatory calendar is the tailwind. Penalty-free relaxation for the RM1M–5M band was extended to 31 December 2027, and Phase 4 penalty enforcement begins 1 January 2027 — but the cross-referencing audit risk is live today regardless of penalty relaxation. LHDN doesn’t need the penalty clock to start an audit; it just needs a gap. The pain compounds monthly between now and the hard 2027/2028 dates.

4. Target market

• Primary customer: Owner-operated Malaysian SMEs with RM1M–RM5M annual turnover — trading companies, F&B operators, retailers, small manufacturers, professional-service firms — that started issuing MyInvois e-invoices on 1 Jan 2026. Run by the owner plus a bookkeeper or one accounts clerk; no in-house tax department. Often outsource SST/Form C to an external tax agent.
• Why they buy: “I submit my own invoices fine. What I can’t do is sit in MyInvois all day checking what suppliers sent me, and I have no idea if my numbers will reconcile when LHDN looks.” The fear is concrete — they’ve read the RM200–RM20,000-per-offence penalty and seen the 500K-case enforcement news.
• Rough TAM reasoning: The RM1M–RM5M turnover band is in the hundreds of thousands of registered Malaysian businesses. Even a serviceable obtainable slice of 5,000–15,000 paying SMEs is a multi-million-RM ARR business — well inside the $1M–$5M target without needing the whole market.
• Why now for them: They’ve been issuing for ~5 months. The first month-end reconciliations are messy, suppliers are sending invoices with wrong TINs, and the Feb 2026 enforcement news made “audit” a word they now say out loud. The relaxation period ending in 2027 is a countdown they can feel.

5. Product sketch (MVP)

• Inbound watch: connects to the SME’s MyInvois account (via API/middleware authorization) and pulls every e-invoice where they are named as buyer, in near-real-time.
• 72-hour countdown queue: every new inbound e-invoice lands in a dashboard with a live countdown; one-tap reject straight to MyInvois, with a daily WhatsApp/email digest so nothing ages out silently.
• Error screen: flags the buyer-risk patterns — TIN/ID-type mismatch (e.g. “Malaysian Individual” ID type with a company TIN), wrong MSIC code, suspicious tax classification, address mismatch — and tells the user why each one is a problem.
• Reconciliation monitor: continuously totals validated e-invoices (issued and received) and compares against the SME’s SST return figures and bank-deposit summaries, surfacing the exact gaps LHDN’s audit framework looks for.
• B2C consolidation check: for retail/F&B, checks that monthly consolidated e-invoices reconcile to bank deposits before the 7-day post-month submission deadline.
• Audit-readiness report: a monthly one-pager — “here is your e-invoice position, here are your reconciliation gaps, here is what an LHDN officer would see” — formatted to hand straight to the external tax agent.
• Supplier nudge: auto-generated message templates to send back to suppliers who repeatedly issue malformed e-invoices, so the problem stops recurring.

6. AI angle — what’s load-bearing

AI does the screening judgment, not decoration. The inbound feed is structured data, but deciding whether an invoice is a problem for this specific buyer is messy: MSIC code plausibility against the buyer’s business type, tax-classification correctness, description-vs-classification consistency, and ranking which of 40 inbound invoices today actually need a human’s 72-hour attention versus which are fine. An LLM does the classification-correctness reasoning and the natural-language “here’s why this is wrong and what to do” explanation that a non-accountant owner can act on. On reconciliation, AI explains which transactions are driving an e-invoice-vs-SST gap rather than just reporting the number. Remove the AI and you’re left with a raw data dump the customer already can’t interpret — which is exactly why the MyInvois portal itself isn’t enough. The AI is the layer that turns a ledger into a decision.

7. Localization angle

This is intrinsically Malaysia-first — it cannot be a generic global product. It is built around one specific government system (MyInvois/LHDN), one specific regulatory mechanic (the 72-hour buyer rejection window), one specific tax regime (SST, Form C), and Malaysian field requirements (TIN/ID-type rules, MSIC codes, the 55-field schema). Pricing must work in RM — a RM149–499/mo tier where a USD $49/mo tool would feel expensive. Distribution is local: Lowyat forums, Malaysian SME Facebook groups, and the network of tax agents and company secretaries who already advise these businesses. The deep coupling to one country’s system is a weakness for TAM but a strength for moat — see section 3 and 12.

8. Business model — path to $1M–$5M ARR

• Pricing: RM149/mo entry (low inbound volume), RM349/mo standard (full reconciliation + B2C consolidation check), RM699/mo for multi-entity owners and small accounting firms managing several clients. Annual billing discounted.
• ACV: Blended ~RM3,600/year (~USD $760) per customer.
• Rough math to $1M ARR: USD $1M ≈ RM4.7M. At ~RM3,600 ACV that’s ~1,300 paying SMEs — a small fraction of the RM1M–5M band.
• Rough math to $5M ARR: ~6,500 SMEs, OR a smaller customer count weighted toward the RM699 tax-agent/multi-entity tier. Realistically reached by adding a tax-agent channel where one firm onboards 20–80 of its clients at once.
• Expansion path: start single-entity → multi-entity → tax-agent firm-wide seat. Add usage-priced extras (per-entity reconciliation, archival/audit-defense document packs). The tax-agent tier is the real ACV lever — it converts a RM349 SMB sale into a RM5,000+ firm account.

9. Go-to-market wedge — first 100 customers

• Tax agents and company secretaries as channel partners. Malaysia has thousands of licensed tax agents and company-secretary firms already servicing exactly this RM1M–5M band. Sign 10–20 of them as referral/reseller partners — each has 30–150 SME clients drowning in the same problem. One firm-wide deal can deliver 20+ customers. This is the fastest path to the first 100.
• Lowyat + Malaysian SME Facebook groups. The e-invoicing threads on forum.lowyat.net and Malaysian small-business Facebook groups are active and full of owners venting about MyInvois cost and complexity. Show up with a free “72-hour inbound checker” — connect your account, see what’s sitting in your reject queue right now — as the lead magnet.
• Free MyInvois health-check audit. Cold-outreach to SMEs (scraped from SSM/business directories filtered to the turnover band and MSIC codes likely to have messy supplier bases) offering a one-time free reconciliation snapshot: “we’ll show you, in 10 minutes, the gaps an LHDN officer would see.” The report itself is the sales pitch.
• Co-marketing with non-competing middleware. Smaller MyInvois submission vendors have no inbound/reconciliation product; bundle InvoisSentry as the “watch” half of their “submit” pitch.

10. Build complexity — justification

Medium. The MyInvois API/SDK is public and documented (document retrieval, reject endpoint) — that’s off-the-shelf. The AI screening and reconciliation-explanation layers are standard LLM work on structured inputs. The genuine custom effort is (a) encoding LHDN’s field-validation and classification rules correctly and keeping them current as guideline versions ship (v2.3 already exists), (b) the reconciliation logic against SST/bank data, and (c) authorization plumbing into customers’ MyInvois accounts via middleware. A 2–3 person team with one person who genuinely understands Malaysian tax can ship a credible v1 in 3–4 months.

11. Gating checklist

Gate	Pass?	Note
Legal in target market	✅	Read/monitor tool on the customer’s own authorized MyInvois data; uses official API endpoints. No regulatory approval needed to launch.
Ethical — no harm / dark patterns	✅	Helps SMEs comply correctly; no exploitation.
Market exists (evidence above)	✅	Mandate live since Jan 2026; 500K+ enforcement cases; hundreds of thousands of in-scope SMEs.
1–5 person team can build this	✅	2–3 people, 3–4 months.
Launchable with <$50K / ₹40L	✅	Off-the-shelf API + LLM; main cost is the tax-domain hire’s time.

12. Feasibility score

Axis	Weight	Score	Notes
Problem intensity	20	15/20	Real, recurring (daily inbound + monthly reconciliation), money/penalty at stake. Capped because penalty relaxation to end-2027 softens the immediate “pay this week” urgency for the target band.
Demand evidence	15	12/20→12/15	500K enforcement cases, named audit triggers, active forum complaints. Slightly capped: complaints are about the mandate broadly, not yet about this specific inbound/reconciliation gap.
Build feasibility	15	11/15	Public API, standard LLM stack; custom work is the LHDN rule engine and reconciliation logic.
Distribution clarity	15	11/15	Tax-agent channel is strong and named; cold outreach is plausible; conversion math still partly assumed.
Revenue mechanics	15	11/15	RM pricing benchmarked against existing middleware spend; ACV realistic; tax-agent tier is the upside but unproven.
Time to first revenue	10	7/10	Free health-check → paid is a fast funnel; needs the 3–4 month build first, so not instant.
Defensibility	10	6/10	Soft moat: accumulating LHDN rule knowledge, tax-agent relationships, reconciliation data. Copyable by a focused competitor in ~12 months.
Total	100	73/100

13. Qualitative modifiers

Founder-fit tags

domain-expertise-required · technical-heavy — needs someone who genuinely understands Malaysian SST/LHDN mechanics, paired with a builder comfortable with API integration and LLM workflows.

Key assumptions to validate (3–5)

1. Assumption: SMEs in the RM1M–5M band feel the inbound 72-hour / reconciliation pain strongly enough to pay RM349/mo, not just the issuance pain. How to test: 30 interviews with in-scope SME owners and their bookkeepers; ask specifically about inbound rejections and month-end reconciliation, not the mandate in general.
2. Assumption: Tax agents will act as a reseller/referral channel rather than seeing this as competition to their own audit-prep billable hours. How to test: Pitch 15 tax-agent firms; measure how many sign a referral agreement vs. push back.
3. Assumption: MyInvois API access for third-party monitoring is practically obtainable for every customer (vs. blocked by their middleware vendor’s lock-in). How to test: Attempt live authorized read-access for 5 customers on 5 different accounting/middleware setups.
4. Assumption: The free “72-hour inbound checker” lead magnet converts to paid at a workable rate. How to test: Ship the free checker to 200 forum/Facebook leads; measure connect-account rate and free-to-paid conversion.

Risk flags

1. Platform dependency: Entirely dependent on the MyInvois API remaining open to third-party read/monitoring access. If LHDN restricts API scope or accounting incumbents wall off their integrations, the product is squeezed.
2. Incumbent absorption: AutoCount, Bukku, Financio could add an “inbound watch + reconciliation” feature to their existing modules. The defense is speed, the tax-agent channel, and depth of the reconciliation product before they notice.
3. Regulatory timing: Penalty relaxation extended to end-2027 dampens urgency in the near term; if LHDN extends again, the “fear” sales angle weakens and the pitch must lean harder on audit-cross-referencing (which is unaffected by relaxation).
4. Single-geography ceiling: Deep MyInvois coupling caps TAM at Malaysia. Fine for a $1M–5M outcome; a constraint beyond that — though the same rule-engine playbook could later port to Philippines EIS or other ASEAN mandates.

14. Structured verdict

Score:                  73/100
Verdict:                GO
Confidence:             Medium
Best-fit builder:       Malaysian tax/accounting domain expert paired with a technical builder
Time to revenue:        3–4 months to v1, then first paid within 4–8 weeks of launch
Capital to launch:      RM60,000–120,000 ($13–26K) — mostly the domain hire's time
Top 3 assumptions to validate first:
  1. SMEs pay RM349/mo for inbound + reconciliation, not just issuance — 30 owner/bookkeeper interviews
  2. Tax agents act as a channel, not a competitor — pitch 15 firms, count signed referral agreements
  3. Third-party MyInvois read-access is obtainable across common setups — test live on 5 accounts
Kill criteria:
  - Abandon if <8 of 30 interviewed SMEs rank inbound/reconciliation as a top-3 compliance worry
  - Abandon if MyInvois API read-access is blocked or unreliable on 3+ of 5 tested setups
  - Abandon if a major accounting incumbent ships an equivalent inbound-watch feature before v1 launch

15. Next step — 1-week validation sprint

• Day 1–2: Pull the MyInvois SDK docs; confirm exactly which inbound-document and reject endpoints are available to an authorized third party, and whether read-access works across the free portal and two common accounting setups. This is the binary platform-risk check.
• Day 3–4: Run 12–15 calls with RM1M–5M SME owners/bookkeepers and 5 tax-agent firms. Script targets the specific moments: a supplier e-invoice with a wrong TIN, the month-end reconciliation, the audit fear. Ask the tax agents directly: channel partner or competitor?
• Day 5: Decide. Go if API read-access is confirmed workable AND ≥8/15 SMEs name inbound/reconciliation as a real worry AND ≥3/5 tax agents are open to a referral arrangement. No-go if the API is walled off or the pain ranks below issuance and routine bookkeeping for nearly everyone.

The result is falsifiable: a working/blocked API test and a hard count of SMEs and tax agents who say yes — not a vibe.