EU CESOP reporting obligations impact

From 1 January 2024, all payment service providers (PSPs) operating in the European Union (EU), including Banks, Electronic Money Institutions, and other Regulated Payment Institutions will be required to record and report transactional data of cross-border payments in every EU Member State where they provide certain payment services via the Central Electronic System of Payment information (CESOP). PSPs will have to monitor and transmit transactional information on payees involved in more than 25 transactions per quarter to the national administrations of the relevant member states.

The CESOP regulations also apply to businesses in the Middle East (ME) which provide payment services in EU Member States. Therefore, if your services are covered by the European Payment Services Directive (PSD2), appropriate measures should be taken to assess the impact’s extent. Consequently, it is crucial to devise a proportionate, effective, and timely response to comply with the CESOP obligations.

The data gathered will be centralized within CESOP, an initiative crafted to support efforts to close the VAT gap in the EU.

Guidelines for ME Businesses Navigating CESOP

Businesses in the ME providing payments services in the EU should:

• Determine whether payment services in scope of CESOP are provided in EU. 
• Determine in which EU Member States a CESOP reporting obligation exists.
• Assess the operational impact of CESOP reporting.
• Implement technology and processes to become CESOP compliant as of 2024.
• Map the risks of non-compliance and prioritise accordingly.

CESOP applicability

The reporting obligation applies to “payment service providers” who provide certain payment services in EU Member States. This encompasses credit, electronic money, post office giro and payment institutions, including those benefiting from the small payment institutions exemption (SPIs). The payment services in scope of CESOP are included in points 3-6 of Annex 1 of PSD2.

ME businesses can also be subject to CESOP reporting obligations if they provide in scope payments services in the EU. This could (for example) be the case if they provide these payment services via a local EU entity or via an EU branch of the ME PSP.

How the data should be reported 

PSPs with reportable data will be required to transmit this data every calendar quarter to the locally appointed tax authorities in their home Member States and (if applicable) any host Member States where they are active. All data is to be transmitted in a standardized XML format. There will be no one-stop-shop and therefore there could be potentially reporting obligations in 27 different EU Member States for PSPs (which can have different XML formats and requirements). 

How can Deloitte help

PSPs covered by CESOP will need to assess the extent of the impact on their organization from multiple perspectives (resources, operations, systems).

Deloitte offers an end-to-end solution (including an impact assessment), combining our capabilities and expertise across Tax, Legal, Business and Technology.

Helpful links 

• Deloitte CESOP website on which we regularly provide updates.
• Information on our Deloitte CESOP end-to-end solution.
• Website of the European Commission on CESOP.