Central Electronic System of Payment Information (CESOP)

CESOP—A significant European Union (EU) wide reporting requirement impacting payment service providers

If you thought implementing Foreign Account Tax Compliance Act (FATCA)/Common Reporting Standard (CRS) was hard, try CESOP!

Introduced by the European Commission with the objective of fighting Value-Added Tax (VAT) fraud, the CESOP, as it is now commonly referred to, places significant reporting obligations on the EU Payment Service Providers (PSPs) regulated by the revised Payment Services Directive (PSD2), to report in-scope cross border payments processed by it with effect from 1 January 2024. Whilst the ask is daunting, this appears to fit in with a wider global trend of countries imposing greater tax reporting obligations on businesses.

Where did this come from?

With e-commerce platforms becoming an ingrained part of our lives, CESOP originated from a concern that consumers located in one EU Member State were making purchases from other jurisdictions which were either incorrectly subject to a wrong amount of VAT or no VAT at all. Therefore, the whole objective of CESOP is to close this VAT gap and fight potential VAT fraud.

What is interesting to note is that the focus is solely on cross border payments, as we understand the tax authorities believe that they have good oversight over local purchases/payments but yet to get a firm grip on cross border payments.

How big a deal is it?

For several months now we have had discussions with numerous stakeholders, and the one point which stands out is that the implementation of CESOP is likely to be challenging for both PSPs and the tax authorities alike given the short timeline.

From PSP’s perspective, it is important that they review their systems to identify in-scope establishments and/or branches and payments, consider whether these systems capture the relevant data required to be reported for each in-scope payment, and then collate, process, and report data on such in-scope payments in all the EU Member States where they operate. One PSP informally mentioned that CESOP could impact 70 systems and require them to report over 1 billion payments in the course of a year!

Additionally, now that the EU VAT Directive has been amended to incorporate CESOP-related provisions, national governments are also working at brisk speed to finalise their legislation and set up the required infrastructure to handle such volumes of data. Whilst some countries like France and Germany have already published their final legislation, others are not far behind as they are either awaiting formal ratification of their legislation or are in the process of finalising drafts.

Whose concern is it within the business?

Whilst CESOP has been/is being embedded into the VAT legislation with the objective of fighting VAT fraud, the underlying VAT treatment of the transaction to which the payment relates does not matter to the PSP which processes such payments, as it is unaware of what the payment relates to. Moreover, the definition of the payment that needs to be reported is in line with the definition of a ‘payment transaction’ under PSD2, and not the VAT legislation.

The data points that need to be reported includes transaction data, as well as data on the payee/payer. Such information may be held within different systems of a business, such as operations, payments, and/or anti-money laundering (AML)/know your customer (KYC). This indicates that CESOP will not be just limited to the Indirect Tax and Tax Operations teams but that it will also have a significant impact on Payments, Operations, Compliance, and Information Technology (IT) teams.

How do I know if I am impacted?

The first and the easiest step to identify whether a business is impacted by CESOP is to check whether it is regulated by PSD2. If you are a credit institution, electronic money institution, postal giro, or a payment institution operating in the EU, the chances are that you are regulated by PSD2.

Once you have determined that the PSP is in-scope, it is then important to assess whether its payment services are in-scope as it is a combination of both, which results in a CESOP reporting obligation for the PSP.

In-scope payments are essentially a cross border transfer of funds from a payer in one country to a payee in another country and could include credit transfers, direct debits, card payments, money remittances, as well as issuing of payment instruments and acquiring of payment transactions.

Do I report all payments?

If you thought that we are now done with the hard bits, you’re in for a surprise!

CESOP places the reporting obligation of an in-scope payment on the payee’s PSP unless the payee’s PSP is established outside of the EU. In such instances, the reporting obligation will then fall on the payer’s PSP who is based in the EU. It is therefore extremely important that impacted PSPs are to identify who the payee and payer for each transaction. This may sound straightforward, but what makes it complex is that a single payment could have a number of PSPs involved, and therefore identifying the correct payee and payer is not always easy.

Additionally, a PSP is only required to report those transactions when more than 25 payments are made to a single payee. This means a PSP also needs to track how many payments are being made to a payee, and whether those payments cover all the payee’s accounts with the PSP.

If this sounds like it’s starting to get out of hand, PSPs also needs to consider General Data Protection Regulations (GDPR). As the penalties for non-compliance with GDPR are severe, PSPs have to ensure personal data, that are not legally required to be reported as part of the filing, is not reported by the PSP.

Where do I report in-scope payments?

Impacted PSPs will be required to report in-scope payments in all the EU Member States they operate in. Reporting is to be done every quarter in eXtensible Markup Language (XML). The first record will be due by 30 April 2024. Whilst 12 months may seem like there is still lots of time, have you noticed we are already in September and more than half of 2023 has flown by?

Once the PSP submits the data, the baton passes on to the tax authority who must then forward the data to the CESOP within 10 days following the filing deadline. After receiving the data, another validation has to be performed before it is accepted or refused in whole/part.

For further information, please contact Gary Campbell.

Did you find this useful?