The Impact of CESOP on Payment Service Providers


An EU-wide VAT transactional reporting commitment

As of 2024, all EU PSPs are required to record and report transactional data of cross-border payments. This includes banks, electronic money institutions and other regulated payment organisations. When implementing CESOP, companies must navigate between multiple stakeholders and their interests. If you provide payment services covered by PSD2, you need to start assessing the extent of the impact and form a proportionate, effective and timely response.

8 April 2024

CESOP is the EU’s new Central Electronic System of Payment information. CESOP has been created by the European Commission to close the VAT gap in the EU, comprising the VAT revenue that Member States in the EU are missing as a result of errors and fraud. By collecting data on cross-border payments, the EU expects to collect VAT that was previously unpaid. This article page provides an overview of all CESOP updates, like the Implementation Monitor.

Latest CESOP developments

April 2024

On April 4, the European Commission’s Directorate General for Taxation and Customs Union (the "DG") released an Additional Clarification on the CESOP Reporting Guidelines. This document, which can be found on the DG's website, aims to offer payment service providers ("PSPs") improved guidance on the reporting of multiple transactions for the same payee.


CESOP explained

What is the legislation around CESOP?

CESOP was created through a change to the EU VAT directive, along with some implementing measures. At its core, it is an administrative obligation on payment service providers in the EU (EU PSPs). These EU PSPs are required to keep records of cross-border payments and report this transactional data on a quarterly basis.
 

Which transactions are subject to CESOP reporting requirements?

All cross-border payments where the payer is in the EU are affected. Any EU PSP processing a cross-border transaction needs to keep and report certain payment data. A relief applies for the payer’s EU PSP if the payee’s PSP is also in the EU. The relief does not extend to any intermediate EU PSP in payment chains that involve more than two parties.

Information on all such payments should be reported if the number of individual payments made to one single payee exceeds 25 in a calendar quarter.
 

When did CESOP come into force?

1 January 2024.
 

Who is subject to CESOP?

The reporting obligation applies to “payment service providers” as defined in the Payment Services Directive (Directive (EU) 2015/2366 of the European Parliament and of the Council, “PSD2”). This encompasses credit, electronic money, post office giro and payment institutions, including those benefiting from the small payment institutions exemption (SPIs).

In practice, banks, card schemes, merchant acquirers and CPSPs are affected the most, as well as retailers and marketplaces that have their own “inhouse” payment service provider governed by PSD2.

Parties who are covered by one of the exclusions, or who expect the payments they process not to exceed the de minimis threshold, should periodically monitor their position and put operational procedures in place to be able to comply with CESOP reporting requirements in case they no longer fall within the exclusions or below the threshold.
 

How are these data reported?

EU PSPs with reportable data are required to transmit this data every calendar quarter to the locally appointed tax authorities in their home Member States and (if applicable) any host Member States where they are active. (Home and host Member States are both defined by PSD2.) The BIC/IBAN is the leading identifier for determining the location of the payment’s payee and payer.

All data is to be transmitted in a standardised XML format. The XML schema is available on the EU Commission’s CESOP website.

The local tax authorities are, in turn, responsible for performing some data quality checks on the data and forwarding it to the central database at the EU level: CESOP.

Further, the European Commission provides updated XSD User Guides with information on XML schema definitions and other insights.

Which data elements should be reported?

Depending on transaction characteristics, the following data elements are to be included in the CESOP report by the reporting PSP:

Key considerations for EU PSPs facing CESOP

Managing relations with supervisors

We expect that multiple external stakeholders will be interested in the degree of CESOP compliance by organisations.

 

Multiple-country reporting

EU PSPs who are, next to their home Member State, active in other (host) Member States, need to design proper procedures to ensure timely compliance within all required jurisdictions. 

A common question we receive from clients is whether CESOP returns should be filed only in their home Member State or in all EU Member States where they provide payment services. Some PSPs have received conflicting information from local authorities, suggesting that CESOP returns must only be filed in the home Member State. This understanding is incorrect. CESOP returns must be submitted in the Member States where payment services are provided.

Misinterpretation of the legislation by local tax authorities is concerning, but PSPs should be aware that host Member States will require PSPs to report payment transactions taking place in their jurisdictions, even if these transactions were also reported in the home Member State. Non-compliance in any Member State may result in significant penalties of up to EUR 1 million per Member State.

Relevant questions to be answered:

  • In which countries are CESOP reports due?
  • How do you ensure all reportable transactions are reported?
  • How do you ensure transactions are reported only once?
     

Impact on systems

CESOP is a data reporting obligation. Naturally, a large part of getting ready for compliance means determining where the required data is kept, assessing data quality and building data extract-transform-load (ETL) procedures. Considering the volumes involved in CESOP, particular attention should be paid to limiting strain on systems where possible.

Relevant questions to be answered:

  • Are all necessary systems and data sources fit for CESOP reporting?
  • How can systems continuity and timely reporting be guaranteed?
  • What kind of governance will be in place and how does this fit within the business control framework?
     

Data validation and quality assurance

Tax authorities have the responsibility to perform a data acceptance check every time they receive a CESOP report. If the data file fails this test, the PSP needs to correct the data and resubmit a new data set.

Relevant questions to be answered:

  • How can you periodically monitor data quality?
  • How do you prevent validation errors or questions?
  • Which escalation procedures are in place in case the data file fails the acceptance testing?

What actions can you take?

EU PSPs covered by CESOP need to assess the extent of the impact on their organisation from multiple perspectives (resources, operations, systems). From there a roadmap can be established to execute a timely and effective response.

Essential aspects to consider:

  • Impact assessment
    Determining the impact and building a road map for timely compliance
  • Technology and implementation
    Executing on the roadmap
  • Governance
    Integrating CESOP within the existing governance framework, managing interaction with regulators, implementing and monitoring data and compliance
  • Communication and training
    Internal and external communication plan, raising awareness, process specific training
  • Policies and procedures
    Updating policies and procedures, legal arrangements
  • Knowledge management
    Monitoring local regulations and guidance continuously, identifying and addressing any deviations from EU standard


As the effective date (1 January 2024) has passed, there is little time to sit back and relax. Considering the volumes of data and the system complexities involved, it is important to perform an impact assessment and build the roadmap for implementation in the very short term. After that, it will take some time to get stakeholders aligned, (re)design internal controls and build and test the required tooling.

If you need support or would like to discuss what CESOP means for your organisation, reach out to any of your usual Deloitte advisors, or contact one of our specialists below. You can also check our CESOP End-to-end Solution here.
