In its effort to combat VAT fraud the EU has introduced, and proposed, a number of new reporting measures which will impact payment services providers (banks, electronic money institutions and other regulated payment institutions) and digital asset / cryptocurrency service providers and create additional tax reporting burden.
We set out below an overview of the following specific topics:
Impacted businesses will need to assess the extent of the impact on their organization from multiple perspectives (resources, operations, systems). From there a roadmap can be established to execute a timely and effective response.
New rules will require payment service providers (“PSPs”) covered by the EU PSP directive (“PSD2”) to report certain cross-border payments on a quarterly basis. The rules will be effective across the EU and will commence on 1 January 2024.
The rules will impact banks, electronic money institutions and other regulated payment institutions
CESOP is the EU's new Central Electronic System of Payment information.
CESOP was created by the European Commission to support efforts to close the VAT gap in the EU. The VAT gap is the VAT revenue that Member States in the EU are missing as a result of errors and fraud. By collection data on cross-border payments, the EU expects to collect VAT that was previously unpaid. The reporting obligation applies to “payment service providers” as defined in the Payment Services Directive (Directive (EU) 2015/2366 of the European Parliament and of the Council, “PSD2”). This encompasses credit, electronic money, post office giro and payment institutions, including those benefiting from the small payment institutions exemption (SPIs).
CESOP will be created through a change to the EU VAT directive, along with some implementing measures. It is, at its core, an administrative obligation on EU PSPs. These EU PSPs will be required to keep records of cross border payments and report these transactional data on a quarterly basis.
All cross-border payments where the payer is in the EU are affected. Any EU PSP processing a cross-border transaction needs to keep and report certain payment data. A relief applies for the payer’s EU PSP if the payee’s PSP is also in the EU. The relief does not extend to any intermediate EU PSP in payment chains that involve more than two parties.
The reporting obligation applies to “payment service providers” as defined in the Payment Services Directive (Directive (EU) 2015/2366 of the European Parliament and of the Council, “PSD2”). This encompasses credit, electronic money, post office giro and payment institutions, including those benefiting from the small payment institutions exemption (SPIs).
In practice, banks, card schemes, merchant acquirers and CPSPs will likely be affected the most, as well as retailers and marketplaces that have their own “inhouse” payment service provider governed by PSD2.
Parties who are covered by one of the exclusions, or who expect that the payments they process to not exceed the de minimis threshold should periodically monitor their position and put operational procedures in place to be able to comply with CESOP reporting requirements in case they no longer fall within the exclusions or below the threshold.
EU PSPs with reportable data will be required to transmit this data every calendar quarter to the locally appointed tax authorities in their home Member States and (if applicable) any host Member States where they are active. (Home and host Member states both defined by PSD2.) The BIC/IBAN number is leading to determine the localization of the payment’s payee and payer.
All data is to be transmitted in a standardized XML format. The XML schema is available from the EU Commission’s CESOP website.
The local tax authorities are, in turn, responsible to perform some data quality checks on the data and forward it into the central database at the EU level: CESOP
Depending on transaction characteristics, this table outlines the data elements to be included in the CESOP report by the reporting PSP:
1. BIC/ID reporting PSP | 9. Amount |
2. Payee name | 10. Currency |
3. Payee VAT ID/TIN | 11. MS of payment origin |
4. Payee account ID | 12. MS of refund destination |
5. Payee PSP BIC/ID | 13. Payer location information (payment origin) |
6. Payee Address | 14. Transaction ID |
7. Refund Y/N, link | 15. Physical presencse |
8. Date/time |
On 8 December 2022, the European Commission presented a new addition to the Directive 2011/16/EU on Administrative Cooperation in the field of taxation, which will introduce tax reporting requirements for transactions concerning digital assets (e.g., cryptocurrency and certain non-fungible tokens (“NFTs”)).
The annual reporting obligations of the Council Directive is set to impact services providers such as crypto-exchanges and marketplaces, crypto asset service providers and anyone providing services enabling reportable users to complete crypto-asset exchange transactions. Crypto assets that are used for payment or investment purposes will become reportable transactions under the DAC8 directive. Reportable transactions will also include transactions involving digital assets and fiat currency, as well as exchanges between different digital assets and will also include both domestic and cross-border transactions.
Reportable service providers will be required to make an annual disclosure of reportable transactions by customer, digital asset type and value. Extensive onboarding of customers will also be required which will including collecting personal data such as names, addresses, Tax Identification Number and places of birth of any individual considered reportable users.
The new onboarding requirements require that service providers repeat the onboarding of existing customers within a 12-month grace period after DAC8 comes into force, after which date customers who have not provided all the relevant information may no longer be served. For reportable users who are entities, information identifying any controlling persons of the entity may be required.
DAC8 introduces minimum penalties for failure to comply with national provisions implementing DAC8. The minimum penalty for non-compliance is EUR 50,000 for a reporting crypto-asset service provider with an annual turnover less than EUR 6 million. With an annual turnover above EUR 6 million, the minimum penalty is EUR 150,000.