CESOP – a significant EU wide reporting requirement impacting payment service providers
If you thought implementing FATCA / CRS was hard, try CESOP! Introduced by the European Commission with the objective of fighting VAT fraud, the Central Electronic System of Payment Information (‘CESOP’) as it’s now commonly referred to, places significant reporting obligations on EU Payment Service Providers (‘PSPs’) regulated by the revised Payment Services Directive (‘PSD2’), to report in-scope cross border payments processed by it with effect from 1 January 2024. Whilst the ask is daunting, this appears to fit in with a wider global trend of countries imposing greater tax reporting obligations on businesses.
Where did this come from?
With e-commerce platforms having become an ingrained part of our lives, CESOP originated from a concern that consumers located in one EU Member State were making purchases from other jurisdictions which were either incorrectly subject to a wrong amount of VAT or no VAT at all. Therefore, the whole objective of CESOP is to close this VAT gap and fight potential VAT fraud.
What is interesting to note is that the focus is solely on cross border payments, as we understand the tax authorities believe that they have good oversight over local purchases / payments but are yet to get a firm grip on cross border payments.
How big a deal is it?
For several months now we have had discussions with numerous stakeholders, and the one point which stands out is that the implementation of CESOP is likely to be challenging for both PSPs and the tax authorities alike given the short timeline!
From a PSP’s perspective, it is important that they review their systems to identify in-scope establishments and/or branches and payments, consider whether these systems capture the relevant data required to be reported for each in-scope payment, and then collate, process and report data on such in-scope payments in all the EU Member States where they operate. One PSP informally mentioned that CESOP could impact 70 of their systems and require them to report over 1 billion payments in the course of a year!
Additionally, now that the EU VAT Directive has been amended to incorporate CESOP-related provisions, national governments are also working at brisk speed to finalise their legislation and set up the required infrastructure to handle such volumes of data. Whilst some countries like France and Germany have already published their final legislation, others are not far behind as they are either awaiting formal ratification of their legislation or are in the process of finalising drafts.
Whose concern is it within the business?
Whilst CESOP has been / is being embedded into the VAT legislation with the objective of fighting VAT fraud, the underlying VAT treatment of the transaction to which the payment relates does not matter to the PSP which processes such payments, as it will be unaware of what the payment relates to. Moreover, the definition of the “payment” that needs to be reported is in line with the definition of a ‘payment transaction’ under PSD2, and not the VAT legislation.
The data points that need to be reported include transaction data as well as data on the payee / payer. Such information may be held within different systems within a business, such as Operations, Payments and / or AML/KYC. This indicates that CESOP won’t be just limited to the Indirect tax and Tax Operations teams but that it will also have a significant impact on Payments, Operations, Compliance and IT teams.
How do I know if I am impacted?
The first and the easiest step to identify whether a business is impacted by CESOP is to check whether it is regulated by PSD2. If you are a credit institution, an electronic money institution, postal giro or a payment institution operating in the EU, the chances are that you are regulated by PSD2!
Once you have determined that the PSP is in-scope, it is then important to assess whether its payment services are in-scope as it is a combination of both which results in a CESOP reporting obligation for the PSP.
In-scope payments are essentially a cross border transfer of funds from a payer in one country to a payee in another country and could include: credit transfers; direct debits; card payments; issuing of payment instruments and acquiring of payment transactions; and money remittances.
Do I report all payments?
If you thought we are now done with the hard bits, you’re in for a bit of a surprise!
CESOP places the reporting obligation of an in-scope payment on the payee’s PSP unless the payee’s PSP in established outside the EU. In such instances, the reporting obligation will then fall on the payer’s PSP who is based in the EU. It is therefore extremely important that impacted PSPs identify who the payee and payer are for each transaction. This may sound straightforward, but what makes it complex is that a single payment could have a number of PSPs involved, and therefore identifying the correct payee and payer is not always easy.
Additionally, a PSP is only required to report those transactions where more than 25 payments are made to a single payee. This means a PSP also needs to track how many payments are being made to a payee and whether those payments cover all the payee’s accounts with the PSP.
If this sounds like it’s starting to get out of hand, PSPs also need to consider General Data Protection Regulations (’GDPR’) by ensuring that personal data not legally required to be reported as a part of the filing is not reported by the PSP, as the penalties for non-compliance with GDPR are severe.
Where do I report in-scope payments
Impacted PSPs will be required to report in-scope payments in all the EU Member States they operate in. Reporting is to be done in XML and will have to be made every quarter - the first records are due by 30 April 2024. Whilst 10 months may seem like there is still some time, have you noticed we are already in June and the last few months since the start of 2023 have just flown by?
Once the PSP submits the data, the baton passes onto the tax authority who must then forward the data to the CESOP by the 10th day post the filing deadline. After receiving the data, another validation is performed, and it is then accepted or refused in whole / part.
How can Deloitte help?
As a starting point, we are happy to have a chat and help you dissect the what, when and hows of CESOP. If you need further assistance, Deloitte also offers an end-to-end solution which combines its capabilities and expertise across Tax, Payments, Data and Technology.
This solution includes a discovery, design and build phase, plus the use of our bespoke CESOP platform for ongoing filings, as well as project support and change management.
