From 2024, all EU PSPs will be required to record and report transactional data of cross-border payments. This includes banks, electronic money institutions and other regulated payment institutions. When implementing CESOP, companies must navigate between multiple stakeholders and their interests. If you provide payment services covered by PSD2, you need to start assessing the extent of the impact and form a proportionate, effective and timely response.
CESOP is the EU’s new Central Electronic System of Payment information. CESOP has been created by the European Commission to close the VAT gap in the EU, comprising the VAT revenue that Member States in the EU are missing as a result of errors and fraud. By collecting data on cross-border payments, the EU expects to collect VAT that was previously unpaid. This page provides an overview of all CESOP updates, like the Implementation Monitor.
Managing relations with supervisors
We expect that multiple external stakeholders will be interested in the degree of CESOP compliance by organisations.
EU PSPs that are active in other (host) Member States in addition to their home Member State need to design proper procedures to ensure timely compliance in all required jurisdictions.
A common question we receive from clients is whether CESOP returns should be filed only in their home Member State or in all EU Member States where they provide payment services. Some PSPs have received conflicting information from local authorities, suggesting that CESOP returns must only be filed in the home Member State. This understanding is incorrect. CESOP returns must be submitted in the Member States where payment services are provided.
Misinterpretation of the legislation by local tax authorities is concerning, but PSPs should be aware that host Member States will require PSPs to report payment transactions taking place in their jurisdictions, even if these transactions were also reported in the home Member State. Non-compliance in any Member State may result in significant penalties of up to EUR 1 million per Member State.
Relevant questions to be answered:
Impact on systems
CESOP is a data reporting obligation. Naturally, a large part of getting ready for compliance means determining where the required data is kept, assessing data quality and building data extract-transform-load (ETL) procedures. Considering the volumes involved in CESOP, particular attention should be paid to limiting strain on systems where possible.
Relevant questions to be answered:
Data validation and quality assurance
Tax authorities have the responsibility to perform a data acceptance check every time they receive a CESOP report. If the data file fails this test, the PSP needs to correct the data and resubmit a new data set.
Relevant questions to be answered:
EU PSPs covered by CESOP need to assess the extent of the impact on their organisation from multiple perspectives (resources, operations, systems). From there a roadmap can be established to execute a timely and effective response.
Essential aspects to consider:
As the effective date (1 January 2024) has passed, there is little time to sit back and relax. Considering the volumes of data and the system complexities involved, it is important to perform an impact assessment and build the roadmap for implementation in the very short term. After that, it will take some time to get stakeholders aligned, (re)design internal controls and build and test the required tooling.
If you need support or would like to discuss what CESOP means for your organisation, reach out to any of your usual Deloitte advisors, or contact one of our specialists below. You can also check our CESOP End-to-end Solution here.