With the continuous development of electronic payments, a Central Electronic System of Payment Information (CESOP), has become an essential tool to fight against VAT fraud at the European level. According to the October 2023 report “VAT Gap in the EU” by the European Commission, the VAT gap for 2021 is expected to be EUR 61 billion. In response to this loss for the authorities and the community, the Council adopted a legislative package to combat VAT fraud. Payment data collected by the Member States will be stored and processed in the CESOP database, which the EU will finance for the benefit of Member States.
Entry into force of CESOP is 1 January 2024 and will have multiple impacts on procedures, operators’ awareness, payment processing, information collection, selection of data to be exchanged, formatting of data in XML reports and reporting to one or several authorities.
With less than two months to go, this article outlines the impacts of CESOP on businesses and the steps necessary for successful implementation.
Overview
Council Directive (EU) 2020/284 (“the Directive”) alongside Council Regulation (EU) 2020/283 introduced new recording and reporting obligations for Payment Service Providers (PSPs) providing payment services within the EU, applicable as of 1 January 2024. In Luxembourg, these new obligations have been introduced by the Law of 26 July 2023 transposing Council Directive (EU) 2020/284 of 18 February 2020, amending Directive 2006/112/EC, published on 2 August 2023 in the Official Journal of the Grand-Duchy of Luxembourg.
The new regulations aim to tackle VAT fraud, empowering the national authorities of each Member State to carry out controls. PSPs must record and report data on cross-border payments falling within their local law obligations, usually mirroring the Directive. The data collected by different Member States will then be exchanged between them and centralized in a European database: Central Electronic System of Payment information (CESOP). This data exchange will enable tax authorities to detect potential VAT fraud, by identifying sellers behind websites or marketplaces. All data will be collected in standardized, but still country-specific, formats and consolidated within the CESOP database for reconciliation at the EU level. Subsequently, anti-fraud specialists of Member States will have access to the information contained within the CESOP database.
Who is in scope of the CESOP obligations?
Nearly all PSPs operating in an EU Member State, even those benefiting from the small payment institutions exemption, must comply with CESOP obligations. Reference is made to Article 243a of Directive 2015/2366 (PSD2). The PSPs involved can be classified into four categories:
- Credit institutions, which include banks established in Europe and European branches of credit institutions headquartered outside the EU.
- E-money institutions, which can cover a wide range of PSPs providing electronic payment services such as electronic wallet providers and electronic voucher/card providers.
- Payment institutions encompass a wide spectrum of businesses that offer payment services, such as credit and debit card issuance, payment acquisition, payment processing, payment initiation, and more.
- Post office giro institutions, which provide payment services.
What are the CESOP recording and reporting requirements?
PSPs providing payment services within the EU must document and disclose payments on a quarterly basis when all the following criteria are met:
- The PSP provides payment services in a Member State of the European Union. This includes legal entities, permanent establishments (PEs), and passported services.
- A payment is made, which is an in-scope payment type. Broadly all payments covered by PSD2 are in scope, such as credit transfers, direct debits, credit cards, e-money and remittances.
- The payer is located in the European Union. Their location is typically determined by the country identifier, their IBAN or another relevant identifier if an IBAN is not involved.
- The payment is a cross-border transaction, either between two Member States or involving a third country.
- If over 25 cross-border payments are made to the same payee within a calendar quarter – the payments can come from anyone and go to the payee. If the payee has many accounts, the PSP must aggregate them.
PSPs are required to maintain records of payment activities meeting the above criteria along with relevant information using an electronic format. Data must be stored for three years from the end of the calendar year of the date of the payment.
In terms of reporting obligations, the CESOP report filing will have to be filed separately in every EU Member State where the PSP provides payment services. The report must be submitted electronically and in a specified XML format, determined locally by the relevant authorities. For every quarter, the CESOP reporting deadline will be one month after the end of the quarter. The deadline for the first reporting is 30 April 2024, regarding the in-scope payments performed during the first quarter of 2024.
How to prepare for the go-live?
PSPs must address several challenges, which include identifying all payment channels and payment methods used for in-scope transactions and assessing whether the required data for reporting is complete, accurate, and available. They must also understand intragroup relationships and map payment transactions to subsidiaries or branches across countries, both within and outside the European Union.
Furthermore, they must aggregate the data and establish rules and criteria for selecting the relevant transactions to be recorded and reported. They should also implement an end-to-end reporting process to produce and send the data in the required XML format to local authorities, on a quarterly basis. It may be beneficial for PSPs to leverage existing data warehouse and data reporting processes developed in the context of PSD2 (Fraud Reporting) and PSR (Payment Statistics Reporting). However, it is worth noting that these reporting formats only include statistics of transactions and do not detail information on a per-transaction basis. Consequently, payment flows involving multiple intermediaries and PSPs offering different services (such as acquisition, easy access to specific markets, payment concentration, cash pooling, treasury management, cash custody and account maintenance) lead to various stakeholder declarations at different stages.
The CESOP report filing must be completed separately in each EU Member State where the PSPs have an establishment and where they provide their services (so-called home and host Member States). Therefore, numerous PSPs other than banks may have to make reports in various jurisdictions. In some instances, they might have to file distinct reports in all 27 Member States, resulting in a total of 108 reports per year. This not only increases the operational burden but also the need for quality assurance of the data.
Considering the short time remaining before the CESOP regime is fully functional and the varying penalties imposed by the EU Member States for tardy or inaccurate reporting, it is crucial for PSPs to promptly determine the most effective course of action and establish their target operating model to guarantee compliance with reporting obligations and associated regulations by January 2024. Innovative target operating models include full or partial outsourcing of the data processing and reporting. This includes identifying and filtering transactions, ensuring data quality, creating various reports, submitting to individual or multiple authorities, and more.
Consequences of non-compliance
Penalties and sanctions are left to the discretion of Member States. Some Member States have already announced severe penalties for non-compliance that can be multiple hundreds of thousands of euros per quarterly period. Non-compliance with the obligations under CESOP will become expensive due to the obligation to submit CESOP returns in each Member State.
Non-compliance with CESOP obligations can have consequences beyond tax penalties. For instance, incorrect reporting of personal data (e.g., by not properly applying the threshold of 25 payments per quarter) can lead to the violation of private data and may be treated as a data breach. Conversely, if a PSP fails to comply with CESOP, a financial supervisory authority may hold them accountable if the breach results in a failure to fulfil their legal obligations under AML legislation.
The new CESOP obligations aim to equip tax authorities with better tools to combat VAT fraud. PSPs will now have additional recording and reporting duties regarding relevant payment transactions originating from an EU Member State.
The CESOP regime will go live on 1 January 2024, in all 27 Member States. PSPs must ensure readiness to monitor the payment activities for CESOP purposes, and submit their returns covering Q1 2024 transactions before 30 April 2024. Time is limited, so seeking the aid of experts and considering the outsourcing of compliance tasks can be a valuable asset.