What is CESOP?
CESOP is the EU's new Central Electronic System of Payment information.
What is CESOP's purpose?
CESOP has been created by the European Commission to support efforts to close the VAT gap in the EU. The VAT gap is the VAT revenue that Member States in the EU are missing as a result of errors and fraud. By collection data on cross-border payments, the EU expects to collect VAT that was previously unpaid.
When will CESOP come into force?
1 January 2024.
Payment service providers face three key questions - what is CESOP, what needs to be reported within it, and what do they need to do now to get ready for it? Our video, a part of our FinSight | Future Focus series, answers these three questions.
What is the legislation around CESOP?
CESOP will be created through a change to the EU VAT directive, along with some implementing measures. It is at its core an administrative obligation on payment service providers in the EU (EU PSPs). These EU PSPs will be required to keep records of cross border payments and report these transactional data on a quarterly basis.
Which transactions are subject to CESOP reporting requirements?
All cross-border payments where the payer is in the EU are affected. Any EU PSP processing a cross-border transaction needs to keep and report certain payment data. A relief applies for the payer’s EU PSP if the payee’s PSP is also in the EU. The relief does not extend to any intermediate EU PSP in payment chains that involve more than two parties.
Information on all such payments should be reported if the number of individual payments made to one single payee exceeds 25 in a calendar quarter.
Who will be subject to CESOP?
The reporting obligation applies to “payment service providers” as defined in the Payment Services Directive (Directive (EU) 2015/2366 of the European Parliament and of the Council, “PSD2”). This encompasses credit, electronic money, post office giro and payment institutions, including those benefiting from the small payment institutions exemption (SPIs).
In practice, banks, card schemes, merchant acquirers and CPSPs will likely be affected the most, as well as retailers and marketplaces that have their own “inhouse” payment service provider governed by PSD2.
Parties who are covered by one of the exclusions, or who expect that the payments they process to not exceed the de minimis threshold should periodically monitor their position and put operational procedures in place to be able to comply with CESOP reporting requirements in case they no longer fall within the exclusions or below the threshold.
How will these data be reported?
EU PSPs with reportable data will be required to transmit this data every calendar quarter to the locally appointed tax authorities in their home Member States and (if applicable) any host Member States where they are active. (Home and host Member states both defined by PSD2.) The BIC/IBAN number is leading to determine the localization of the payment’s payee and payer.
All data is to be transmitted in a standardized XML format. The XML schema is available from the EU Commission’s CESOP website.
The local tax authorities are, in turn, responsible to perform some data quality checks on the data and forward it into the central database at the EU level: CESOP.
Which data elements should be reported?
Depending on transaction characteristics, the following data elements are to be included in the CESOP report by the reporting PSP:
Managing relations with supervisors
We expect that multiple external stakeholders will be interested in degree of CESOP compliance by organizations.
Multi-country reporting
EU PSPs who are, next to their home Member State, active in other (host) Member States, will need to design proper procedures to ensure timely compliance within all required jurisdictions.
Relevant questions to be answered:
Impact on systems
CESOP is a data reporting obligation. Naturally, a large part of getting ready for compliance means determining where the required data is kept, assessing data quality and building data extract-transform-load (ETL) procedures. Considering the volumes involved in CESOP, particular attention should be paid to limit strain on systems where possible.
Relevant questions to be answered:
Data validation and quality assurance
Tax authorities will have the responsibility to perform a data acceptance check every time they receive a CESOP report. If the data file fails this test, the PSP needs to correct the data and resubmit a new data set.
Relevant questions to be answered:
EU PSPs covered by CESOP will need to assess the extent of the impact on their organization from multiple perspectives (resources, operations, systems). From there a roadmap can be established to execute a timely and effective response.
Key aspects to consider:
Although the effective date (1 January 2024) is still quite far off, there is little time to sit back and relax. Considering the volumes of data and the systems complexities involved, it is important to perform an impact assessment and build the roadmap for implementation on a very short term. After that, it will take some time to get stakeholders aligned, (re)design internal controls and build and test the required tooling.
If you need support or would like to discuss what CESOP means for your organisation, reach out to any of your usual Deloitte advisors, or contact one of our specialists below.