CESOP: EU’s Cross-Border Payments Reporting Obligation

CESOP, the new reporting system, is set to come into force on 1 January 2024, applying throughout Europe as EU member states must transpose the EU directive into national law by then. The reporting obligation will apply to “Payment Service Providers (PSP)” as defined in the Payment Services Directive (Directive (EU) 2015/2366 of the European Parliament and of the Council, “PSD2”), ensuring a smooth flow of information and compliance across the region.

Based on Directive 2015/2366/EU, the new regulations primarily affect payment service providers and banks that process cross-border payments. These institutions must transmit specific payment information to the financial administrations of EU member states. Collecting a combination of KYC (Know Your Customer) and transaction data, they forward this information to CESOP, the Central Electronic System of Payment Information.

This initiative from the European Commission aims to close the VAT gap across the European Union, which refers to the missing VAT revenue that EU Member States lose due to errors and fraud. Through CESOP, the EU hopes to recover previously unpaid VAT by analysing data on cross-border payments.

CESOP, introduced through an amendment to the EU VAT directive and implementing measures, places an administrative obligation on payment service providers (PSPs) within the EU. As a result of these changes, PSPs will be required to maintain records of cross-border payments and report this transactional data quarterly.

The new reporting obligations will apply to all cross-border transactions involving a payer based in the EU. However, relief may be granted for certain PSPs if the payee’s PSP is also in the EU. However, this relief will not extend to intermediate EU PSPs in more complex payment chains.

The new reporting obligation for the CESOP applies to a wide range of payment service providers (PSPs) as defined in the Payment Services Directive (Directive (EU) 2015/2366 of the European Parliament and of the Council, “PSD2”).

Affected entities include credit institutions, e-money institutions, payment institutions, and post-office giro institutions operating within an EU member state in accordance with PSD2.

The exemption for small PSPs (processing less than €3 million transaction value) does not apply to CESOP reporting obligations.

Banks, card schemes, merchant acquirers, and CPSPs are most likely to be impacted, as well as retailers and marketplaces with their own “in-house” PSP governed by PSD2.

Entities covered by one of the exclusions or anticipating that the payments they process will not exceed the de minimis threshold should periodically monitor their position and implement operational procedures to comply with CESOP reporting requirements if they no longer fall within the exclusions or below the threshold.

Reportable payments encompass various transaction types, including card payments, credit transfers, direct debits, e-money, e-vouchers, e-wallet payments, and money remittance transactions.

These transactions must be reported if they meet certain criteria, such as the payer being resident in the EU, the payment being cross-border, and more than twenty-five cross-border payments being made to the same payee in a calendar quarter. Payments from a payer not in a Member State to a payee in a Member State are considered out of scope.

Both the payee and payer’s PSPs must hold data on the transactions. However, only the payee PSP falls under the reporting requirements if both PSPs reside in the EU. This could become complicated as most transactions involve multiple transfers and consolidator PSPs.

PSPs are obliged to retain the relevant information for at least three years. Reporting of transactions occurs every quarter, with submissions due by the end of the month following the reporting quarter. Tax authorities must then forward the data to the CESOP database.

Payment service providers (PSPs) in the EU must report specific information on cross-border transactions involving a payer in the EU. The reporting obligation includes up to fifteen data fields, such as BIC/ID of the reporting PSP, payee information (name, VAT ID/TIN, account ID, address, and PSP BIC/ID), payment transaction details (date/time, amount, currency, and transaction ID), refund information (Y/N, link), country codes of the Member States, payer location information, and physical presence indication with reference. PSPs must report individual payments to a single payee if they exceed twenty-five transactions in a calendar quarter.

The main objective is to identify the payee, the fund recipient, and the online B2C transaction seller responsible for VAT. In most cases, the required information is already available to PSPs. The European Commission has confirmed that the reporting should be an automated electronic filing in XML format, submitted quarterly at the transaction level.

If both the payer’s and payee’s PSPs are in the EU, the payer’s EU PSP is granted relief; however, this relief does not extend to any intermediate EU PSPs involved in payment chains with more than two parties. The reported information aims to ensure better detection and prevention of VAT fraud in cross-border e-commerce transactions.

• 1st period (January – March): 30 April
• 2nd period (April – June): 31 July
• 3rd period (July – September): 31 October
• 4th period (October – December): 31 January

Data will be transmitted to CESOP by the 10th day of the second month following the end of the reporting period.

EU PSPs subject to CESOP will be required to transmit relevant data every calendar quarter to the locally appointed tax authorities in their home Member States and any host Member States where they are active, as defined by PSD2. The BIC/IBAN determines the localization of the payment’s payee and payer. The data must be transmitted in a standardized XML format. The XML schema is available from the EU Commission’s CESOP website. Local tax authorities are responsible for performing data quality checks before forwarding the information to the central database at the EU level: CESOP.

Fines of up to 5,000 euros may be imposed for false, incomplete, or late reporting.

These are the key challenges that PSPs must address on their journey to successful CESOP implementation.

Identify the payment channels: The companies concerned must identify the relevant channels for in-scope payments.

Clear identification of the parties involved: It is essential to identify and assign the parties involved via the various payment channels.

Intra-group allocation of payment transactions: Companies must ensure that payment transactions are correctly allocated to their subsidiaries and/or branches.

Ensuring CESOP compliance according to local requirements: For potential audits, companies must ensure compliance with CESOP requirements according to local requirements.

Determining the scope of reporting obligations: Companies must clarify to what extent they have reporting obligations in the different EU Member States.

Observance of data protection requirements: When implementing the new reporting obligations, companies must ensure compliance with data protection regulations.

This guide outlines the essential steps for PSPs to achieve compliance and navigate the complexities of CESOP while minimizing risks and ensuring a smooth transition.

Assess current processes and data: Ensure necessary resources and infrastructure are in place to manage CESOP reporting requirements.

Identify payment channels: Determine all channels used for in-scope transactions.

Perform impact assessment: Assess the impact of reporting data and aggregate eligible transactions per CESOP-specific instructions.

Identify ultimate debtor/creditor: Design procedures to report transactions without duplication.

Implement data quality checks: Establish timely reporting procedures and end-to-end reporting processes in a standardized XML format.

Address technical prerequisites: Collect necessary data from relevant IT systems and ensure data protection compliance.

Train and educate employees: Implement training and awareness programs about CESOP requirements for compliance.

Ongoing monitoring and review: Maintain compliance by regularly monitoring and reviewing systems and processes.

Ensure multi-jurisdiction compliance: Establish procedures for timely compliance in all required jurisdictions for EU PSPs operating in multiple Member States.

Build data ETL procedures: Assess data quality and create extract-transform-load (ETL) procedures for tax authorities.

Correct and resubmit data: If a CESOP report fails the data acceptance check, correct the data and resubmit a new dataset.

Note: Compliance with CESOP is crucial to avoid attracting regulatory attention and scrutiny from local data protection authorities enforcing the EU GDPR.

With the introduction of CESOP and new reporting requirements for PSPs, the EU continues making a significant effort to tackle VAT fraud in the e-commerce sector. As the new regulations come into effect on 1 January 2024, PSPs and e-commerce sellers must familiarise themselves with the reporting obligations and adjust their processes accordingly.

Ensuring compliance with the reporting requirements can be challenging for businesses operating across multiple member states. However, the centralisation of payment data through the CESOP database will enhance transparency and facilitate a more efficient exchange of information between EU tax authorities.

By monitoring and verifying the VAT registration of sellers and ensuring appropriate tax declaration in the respective member states, the EU aims to close the VAT gap and promote a fairer e-commerce market.

In conclusion, implementing CESOP and the subsequent reporting requirements for PSPs represent a significant step forward in the fight against VAT fraud in the EU e-commerce sector. As the system comes into effect, businesses must adapt to these new regulations to ensure compliance and maintain their competitive edge in the evolving European e-commerce landscape.

For more information on CESOP and the reporting requirements, visit the European Commission’s official website.