CESOP – new EU wide VAT record keeping and transactional reporting obligations for PSPs

Deloitte Malta Tax Alert

6 October 2022

A new EU legislative package will, as of 1 January 2024, require payment service providers (‘PSPs’) providing services covered under Directive (EU) 2015/2366 (‘PSD II’) to keep a record of payment transactions and to report this to the tax authorities of EU Member States through a Central Electronic System of Payment information (‘CESOP’).

What is the rationale of CESOP?

In recent years, the growth in e-commerce has boosted the online sale of goods and services across the EU, giving non-compliant online players an opportunity to gain an unfair advantage by evading their VAT obligations. The new set of rules, which consist of two legislative texts (a Directive and a Regulation), increase recording and reporting obligations and aim to improve the fight against VAT fraud related to e-commerce.

The European Commission has also published guidelines with respect to the CESOP record keeping and reporting obligations, explaining the new rules while providing clarifications with regard to their application by way of practical examples covering a variety of payment transactions.

Which conditions trigger the reporting obligation of PSPs under the CESOP?

The three cumulative conditions that trigger the reporting obligation of a PSP (the ‘reporting entity’) are as follows:

(i) The reporting entity must be a PSP as defined under PSD II (The entities in scope); and
(ii) The reporting entity must provide specific payments services as defined below (The payments in scope); and
(iii) The reporting entity must be involved in the processing of a payment between a payer and a payee, where the payment is initiated by a payer in an EU Member State (The payment services in scope).

Which entities are in scope?

The reporting obligation applies to the below four categories of PSPs, if they provide payment services in the EU:

  • Credit institutions;
  • E-money institutions;
  • Payment institutions; and
  • Post-office giro institutions.

In practice, retailers and marketplaces that have their own “in-house” payment service provider governed by PSD II are also likely to be impacted by the new reporting obligations.

Which payment services are in scope?

The reporting obligation applies to PSPs which provide the following payments services:

  • Executing payment transactions and transfers of funds on payment accounts;
  • Executing payment transactions covered by a credit line;
  • Issuing of payment instruments and acquiring of payment transactions; and
  • Money remittance.

Which further conditions must be satisfied in order to trigger the CESOP reporting obligations?

Once the above-mentioned conditions are satisfied, the reporting obligation will only be triggered if two further conditions are cumulatively met, which are determined by a monitoring test performed by the PSPs and are as follows:

  1. The payment reported must be a cross-border payment; and
  2. The PSP executes at least 25 payment transactions in that Member State to a single payee (per quarter).

How will these data be reported to their home Member State?

EU PSPs which satisfy the above conditions will be required to report data every calendar quarter to the appointed tax authorities of their home Member State (Member State where the registered office of the PSP is located) and (if applicable) the host Member State (Member State in which a PSP has an agent or a branch or provides payment services) where they are active.

All data is to be transmitted in a standardised XML format. The XML schema is available from the EU Commission’s CESOP website. Tax authorities will have the responsibility to perform a data acceptance check every time they receive a CESOP report. If the data file fails this test, the PSP needs to correct the data and resubmit a new data set.

What records must be kept / reported?

PSPs covered by CESOP will be required to keep records containing the following information in electronic format for a period of three calendar years from the end of the calendar year of the date of the payment:

  • BIC or other code that unambiguously identifies the PSP;
  • Name of the payee, as it appears in the records of the PSP;
  • VAT ID number or other national tax number of the payee (if available);
  • IBAN or similar unique identification that gives the location of the payee;
  • BIC that unambiguously identifies and gives the location of the PSP acting on behalf of the payee, where the payee receives funds without having a payment account;
  • Address of payee as it appears in the records of the PSP (if available);
  • Details of the cross-border payment and any related refund namely:

i. The date and time of payment / refund;
ii. The amount and currency of the payment / refund;
iii. MS of origin of the payment received by or on behalf of the payee, the MS of destination of the refund as appropriate, and the information used to determine the origin or the destination of the payment / refund;
iv. Any reference which unambiguously identifies the payment;
v. Where applicable, information that the payment is initiated at the physical premises of the merchant.

What do PSPs need to do?

EU PSPs covered by CESOP will need to assess the extent of the impact on their organisation from multiple perspectives including operations, risk and systems. From there, a roadmap can be established to execute a timely and effective response.

Impact assessment

Determine the impact and
build a roadmap for timely compliance

Technology and implementation

Execute the roadmap


Integrate CESOP within the existing governance framework

Manage interaction with regulators

Implement and monitor data and compliance

Communication and

Internal and external
communication plan

Raise awareness 

Policies and procedures

Update policies and

Knowledge management

Monitor local regulations and

Identify and address deviations from EU standard


Considering the effective date (1 January 2024) and the expected volumes of data and potential system complexities involved, it is important to perform an impact assessment as soon as practicable to be in a position to build a roadmap for implementation and get stakeholders aligned, (re)design internal controls and build and test the required systems. To discuss the applicability and implications of CESOP on your business in greater detail, please do not hesitate to contact us.

Fullwidth SCC. Do not delete! This box/component contains JavaScript that is needed on this page. This message will not be visible when page is activated.

Did you find this useful?