CESOP – An EU-wide VAT transactional reporting obligation for payments
From 2024, all EU PSPs will be required to record and report transactional data of cross-border payments. This includes banks, electronic money institutions and other regulated payment institutions. When implementing CESOP, companies must navigate between multiple stakeholders and their interests. If you provide payment services covered by PSD2, you need to start assessing the extent of the impact and form a proportionate, effective and timely response.
2 February 2023
- CESOP Implementation Monitor - update 1 February 2023
- The Dutch Association of Tax Advisers publishes view on Dutch proposal implementing the EU CESOP Directive (15 December 2022)
- Dutch CESOP proposal sent to House of Representatives (24 October 2022)
- NL Council of State publishes critical view on CESOP implementation (3 October 2022)
- Multi-country reporting under CESOP (28 September 2022)
- CESOP Guidelines from the European Commission updated (August 2022)
- New reporting obligations for EU financial institutions (update June 2022)
CESOP at a glance
CESOP is the EU's new Central Electronic System of Payment information.
Why will CESOP be created?
CESOP has been created by the European Commission to support efforts to close the VAT gap in the EU. The VAT gap is the VAT revenue that Member States in the EU are missing as a result of errors and fraud. By collecting data on cross-border payments, the EU expects to collect VAT that was previously unpaid.
What is the legislation around CESOP?
CESOP will be created through a change to the EU VAT directive, along with some implementing measures. It is at its core an administrative obligation on payment service providers in the EU (EU PSPs). These EU PSPs will be required to keep records of cross-border payments and report this transactional data on a quarterly basis.
Which transactions are subject to CESOP reporting requirements?
All cross-border payments where the payer is in the EU are affected. Any EU PSP processing a cross-border transaction needs to keep and report certain payment data. A relief applies for the payer’s EU PSP if the payee’s PSP is also in the EU. The relief does not extend to any intermediate EU PSP in payment chains that involve more than two parties.
Information on all such payments should be reported if the number of individual payments made to one single payee exceeds 25 in a calendar quarter.
When will CESOP come into force?
1 January 2024.
Who will be subject to CESOP?
The reporting obligation applies to “payment service providers” as defined in the Payment Services Directive (Directive (EU) 2015/2366 of the European Parliament and of the Council, “PSD2”). This encompasses credit, electronic money, post office giro and payment institutions, including those benefiting from the small payment institutions exemption (SPIs).
In practice, banks, card schemes, merchant acquirers and CPSPs will likely be affected the most, as well as retailers and marketplaces that have their own “inhouse” payment service provider governed by PSD2.
Parties who are covered by one of the exclusions, or who expect the payments they process not to exceed the de minimis threshold, should periodically monitor their position and put operational procedures in place so that they can comply with CESOP reporting requirements if they no longer fall within the exclusions or below the threshold.
How will these data be reported?
EU PSPs with reportable data will be required to transmit this data every calendar quarter to the locally appointed tax authorities in their home Member States and (if applicable) any host Member States where they are active (home and host Member States are both defined by PSD2). The BIC/IBAN is the leading indicator for determining the location of the payment's payee and payer.
All data is to be transmitted in a standardized XML format. The XML schema is available from the EU Commission’s CESOP website.
The local tax authorities are, in turn, responsible for performing some data quality checks on the data and forwarding it to the central database at the EU level: CESOP.
Which data elements should be reported?
Depending on transaction characteristics, the following data elements are to be included in the CESOP report by the reporting PSP:
- BIC/ID reporting PSP
- Payee name
- Payee VAT ID/TIN
- Payee account ID
- Payee PSP BIC/ID
- Payee Address
- Refund Y/N, link
- MS of payment origin
- MS of refund destination
- Payer location information (payment origin)
- Transaction ID
- Physical presence Y/N, reference
Key considerations for EU PSPs facing CESOP
Managing relations with supervisors
We expect that multiple external stakeholders will be interested in the degree of CESOP compliance by organizations.
- Tax authorities: at the heart, CESOP is a tax reporting requirement and therefore a matter of tax compliance. The local tax authorities in each of the home and host Member States where an EU PSP operates will be responsible for auditing the CESOP data and increasing taxpayer compliance.
- Financial supervisors: CESOP has primarily been designed as an instrument to combat VAT fraud and money laundering within the EU. Not complying fully or on time with CESOP will attract financial markets regulators' attention. Apart from complying with CESOP itself, the data processed by organizations can contain information on fraudulent transactions on EU PSPs' networks. Failure to effectively detect fraud in time can result in inquiries and fines.
- Data protection authorities: CESOP includes specific instructions on how PSPs should filter data to remove most of the potentially personal data that is, in the view of the legislator, not strictly necessary to realize CESOP’s aim. If the filtering is applied too strictly, organizations risk non-compliance, but if the filtering is not applied strictly enough organizations face scrutiny from the local data protection authorities enforcing the EU GDPR. Complying with CESOP is therefore somewhat of a tightrope walk: one step in the wrong direction can have serious consequences.
EU PSPs who are, next to their home Member State, active in other (host) Member States, will need to design proper procedures to ensure timely compliance within all required jurisdictions.
Relevant questions to be answered:
- In which countries are CESOP reports due?
- How do you ensure all reportable transactions are reported?
- How do you ensure transactions are reported only once?
Impact on systems
CESOP is a data reporting obligation. Naturally, a large part of getting ready for compliance means determining where the required data is kept, assessing data quality and building data extract-transform-load (ETL) procedures. Considering the volumes involved in CESOP, particular attention should be paid to limit strain on systems where possible.
Relevant questions to be answered:
- Are all necessary systems and data sources fit for CESOP reporting?
- How can systems continuity and timely reporting be guaranteed?
- What kind of governance will be in place and how does this fit within the business control framework?
Data validation and quality assurance
Tax authorities will have the responsibility to perform a data acceptance check every time they receive a CESOP report. If the data file fails this test, the PSP needs to correct the data and resubmit a new data set.
Relevant questions to be answered:
- How can you periodically monitor data quality?
- How do you prevent validation errors or questions?
- Which escalation procedures are in place in case the data file fails the acceptance testing?
What you can do
EU PSPs covered by CESOP will need to assess the extent of the impact on their organization from multiple perspectives (resources, operations, systems). From there a roadmap can be established to execute a timely and effective response.
Key aspects to consider:
- Impact assessment
Determining the impact and building a road map for timely compliance
- Technology and implementation
Executing on the roadmap
Integrating CESOP within the existing governance framework, managing interaction with regulators, implementing and monitoring data and compliance
- Communication and training
Internal and external communication plan, raising awareness, process specific training
- Policies and procedures
Updating policies and procedures, legal arrangements
- Knowledge management
Monitoring local regulations and guidance continuously, identifying and addressing any deviations from EU standard
Although the effective date (1 January 2024) is still quite far off, there is little time to sit back and relax. Considering the volumes of data and the systems complexities involved, it is important to perform an impact assessment and build the roadmap for implementation in the very short term. After that, it will take some time to get stakeholders aligned, (re)design internal controls and build and test the required tooling.
If you need support or would like to discuss what CESOP means for your organisation, reach out to any of your usual Deloitte advisors, or contact one of our specialists below.