From 2024, all EU PSPs will be required to record and report transactional data of cross-border payments. This includes banks, electronic money institutions and other regulated payment institutions. When implementing CESOP, companies must navigate between multiple stakeholders and their interests. If you provide payment services covered by PSD2, you need to start assessing the extent of the impact and form a proportionate, effective and timely response.
CESOP is the EU's new Central Electronic System of Payment information.
CESOP has been created by the European Commission to support efforts to close the VAT gap in the EU. The VAT gap is the VAT revenue that Member States in the EU are missing as a result of errors and fraud. By collection data on cross-border payments, the EU expects to collect VAT that was previously unpaid.
CESOP will be created through a change to the EU VAT directive, along with some implementing measures. It is at its core an administrative obligation on payment service providers in the EU (EU PSPs). These EU PSPs will be required to keep records of cross border payments and report these transactional data on a quarterly basis.
All cross-border payments where the payer is in the EU are affected. Any EU PSP processing a cross-border transaction needs to keep and report certain payment data. A relief applies for the payer’s EU PSP if the payee’s PSP is also in the EU. The relief does not extend to any intermediate EU PSP in payment chains that involve more than two parties.
Information on all such payments should be reported if the number of individual payments made to one single payee exceeds 25 in a calendar quarter.
1 January 2024.
The reporting obligation applies to “payment service providers” as defined in the Payment Services Directive (Directive (EU) 2015/2366 of the European Parliament and of the Council, “PSD2”). This encompasses credit, electronic money, post office giro and payment institutions, including those benefiting from the small payment institutions exemption (SPIs).
In practice, banks, card schemes, merchant acquirers and CPSPs will likely be affected the most, as well as retailers and marketplaces that have their own “inhouse” payment service provider governed by PSD2.
Parties who are covered by one of the exclusions, or who expect that the payments they process to not exceed the de minimis threshold should periodically monitor their position and put operational procedures in place to be able to comply with CESOP reporting requirements in case they no longer fall within the exclusions or below the threshold.
EU PSPs with reportable data will be required to transmit this data every calendar quarter to the locally appointed tax authorities in their home Member States and (if applicable) any host Member States where they are active. (Home and host Member states both defined by PSD2.) The BIC/IBAN number is leading to determine the localization of the payment’s payee and payer.
All data is to be transmitted in a standardized XML format. The XML schema is available from the EU Commission’s CESOP website.
The local tax authorities are, in turn, responsible to perform some data quality checks on the data and forward it into the central database at the EU level: CESOP.
Depending on transaction characteristics, the following data elements are to be included in the CESOP report by the reporting PSP:
We expect that multiple external stakeholders will be interested in degree of CESOP compliance by organizations.
EU PSPs who are, next to their home Member State, active in other (host) Member States, will need to design proper procedures to ensure timely compliance within all required jurisdictions.
Relevant questions to be answered:
CESOP is a data reporting obligation. Naturally, a large part of getting ready for compliance means determining where the required data is kept, assessing data quality and building data extract-transform-load (ETL) procedures. Considering the volumes involved in CESOP, particular attention should be paid to limit strain on systems where possible.
Relevant questions to be answered:
Tax authorities will have the responsibility to perform a data acceptance check every time they receive a CESOP report. If the data file fails this test, the PSP needs to correct the data and resubmit a new data set.
Relevant questions to be answered:
EU PSPs covered by CESOP will need to assess the extent of the impact on their organization from multiple perspectives (resources, operations, systems). From there a roadmap can be established to execute a timely and effective response.
Key aspects to consider:
Determining the impact and building a road map for timely compliance
Executing on the roadmap
Integrating CESOP within the existing governance framework, managing interaction with regulators, implementing and monitoring data and compliance
Internal and external communication plan, raising awareness, process specific training
Updating policies and procedures, legal arrangements
Monitoring local regulations and guidance continuously, identifying and addressing any deviations from EU standard
Although the effective date (1 January 2024) is still quite far off, there is little time to sit back and relax. Considering the volumes of data and the systems complexities involved, it is important to perform an impact assessment and build the roadmap for implementation on a very short term. After that, it will take some time to get stakeholders aligned, (re)design internal controls and build and test the required tooling.
If you need support or would like to discuss what CESOP means for your organisation, reach out to any of your usual Deloitte advisors, or contact one of our specialists below. You can also check our CESOP End-to-end Solution here.