In its effort to combat VAT fraud the EU has introduced, and proposed, a number of new reporting measures which will impact payment services providers (banks, electronic money institutions and other regulated payment institutions) and digital asset / cryptocurrency service providers and create additional tax reporting burden.

We set out below an overview of the following specific topics:

• What businesses should be doing now

• The scope of the CESOP rules coming into force on 1 January 2024

• The scope of the proposed DAC-8 reporting rules due to come into force on 1 January 2026

Are you impacted by CSEOP and / or DAC-8? What can you do?

Impacted businesses will need to assess the extent of the impact on their organization from multiple perspectives (resources, operations, systems). From there a roadmap can be established to execute a timely and effective response.

• Impact assessment

• Determining the impact and building a road map for timely compliance

• Technology and implementation

• Executing on the roadmap

• Governance

• Integrating CESOP and / or DAC-8 within the existing governance framework, managing interaction with regulators, implementing and monitoring data and compliance

• Communication and training

• Internal and external communication plan, raising awareness, process specific training

• Updating policies and procedures, legal arrangements

• Knowledge management

CESOP comes into force on 1 January 2024

New rules will require payment service providers (“PSPs”) covered by the EU PSP directive (“PSD2”) to report certain cross-border payments on a quarterly basis. The rules will be effective across the EU and will commence on 1 January 2024.

The rules will impact banks, electronic money institutions and other regulated payment institutions

Overview of the Key Questions

What is it?

CESOP is the EU's new Central Electronic System of Payment information.

Why was CESOP be created?

CESOP was created by the European Commission to support efforts to close the VAT gap in the EU. The VAT gap is the VAT revenue that Member States in the EU are missing as a result of errors and fraud. By collection data on cross-border payments, the EU expects to collect VAT that was previously unpaid. The reporting obligation applies to “payment service providers” as defined in the Payment Services Directive (Directive (EU) 2015/2366 of the European Parliament and of the Council, “PSD2”). This encompasses credit, electronic money, post office giro and payment institutions, including those benefiting from the small payment institutions exemption (SPIs).

What is the legislation around CESOP?

CESOP will be created through a change to the EU VAT directive, along with some implementing measures. It is, at its core, an administrative obligation on EU PSPs. These EU PSPs will be required to keep records of cross border payments and report these transactional data on a quarterly basis.

Which transactions are subject to CESOP reporting requirements?

All cross-border payments where the payer is in the EU are affected. Any EU PSP processing a cross-border transaction needs to keep and report certain payment data. A relief applies for the payer’s EU PSP if the payee’s PSP is also in the EU. The relief does not extend to any intermediate EU PSP in payment chains that involve more than two parties.

Who will be subject to CESOP?

The reporting obligation applies to “payment service providers” as defined in the Payment Services Directive (Directive (EU) 2015/2366 of the European Parliament and of the Council, “PSD2”). This encompasses credit, electronic money, post office giro and payment institutions, including those benefiting from the small payment institutions exemption (SPIs).

In practice, banks, card schemes, merchant acquirers and CPSPs will likely be affected the most, as well as retailers and marketplaces that have their own “inhouse” payment service provider governed by PSD2.

Parties who are covered by one of the exclusions, or who expect that the payments they process to not exceed the de minimis threshold should periodically monitor their position and put operational procedures in place to be able to comply with CESOP reporting requirements in case they no longer fall within the exclusions or below the threshold.

How will these data be reported?

EU PSPs with reportable data will be required to transmit this data every calendar quarter to the locally appointed tax authorities in their home Member States and (if applicable) any host Member States where they are active. (Home and host Member states both defined by PSD2.) The BIC/IBAN number is leading to determine the localization of the payment’s payee and payer.

All data is to be transmitted in a standardized XML format. The XML schema is available from the EU Commission’s CESOP website.

The local tax authorities are, in turn, responsible to perform some data quality checks on the data and forward it into the central database at the EU level: CESOP

Which data elements should be reported?

Depending on transaction characteristics, this table outlines the data elements to be included in the CESOP report by the reporting PSP:

DAC 8 – proposed to come into force on 1 January 2026

On 8 December 2022, the European Commission presented a new addition to the Directive 2011/16/EU on Administrative Cooperation in the field of taxation, which will introduce tax reporting requirements for transactions concerning digital assets (e.g., cryptocurrency and certain non-fungible tokens (“NFTs”)).

Reporting obligations

The annual reporting obligations of the Council Directive is set to impact services providers such as crypto-exchanges and marketplaces, crypto asset service providers and anyone providing services enabling reportable users to complete crypto-asset exchange transactions. Crypto assets that are used for payment or investment purposes will become reportable transactions under the DAC8 directive. Reportable transactions will also include transactions involving digital assets and fiat currency, as well as exchanges between different digital assets and will also include both domestic and cross-border transactions.

Who is concerned by DAC8?

Reportable service providers will be required to make an annual disclosure of reportable transactions by customer, digital asset type and value. Extensive onboarding of customers will also be required which will including collecting personal data such as names, addresses, Tax Identification Number and places of birth of any individual considered reportable users.

The new onboarding requirements require that service providers repeat the onboarding of existing customers within a 12-month grace period after DAC8 comes into force, after which date customers who have not provided all the relevant information may no longer be served. For reportable users who are entities, information identifying any controlling persons of the entity may be required.

Penalties

DAC8 introduces minimum penalties for failure to comply with national provisions implementing DAC8. The minimum penalty for non-compliance is EUR 50,000 for a reporting crypto-asset service provider with an annual turnover less than EUR 6 million. With an annual turnover above EUR 6 million, the minimum penalty is EUR 150,000.