CESOP: new reporting requirements for PSPs

CESOP is a new EU-wide database that is introduced to combat VAT fraud in cross border e-commerce transactions. CESOP allows for centralization of information reported by PSPs to their local tax authorities. The data collected in CESOP can be analyzed by anti-fraud data experts. 

PSPs include payment institutions, credit institutions, electronic money institutions and post office giro institutions which are authorized under national law to provide payment services. This is defined in the Payment Services Directive 2 (Directive 2015/2366 EU, PSD2).

PSPs active in the EU will need to comply. The exemption for small PSPs laid down in article 32 PSD2 does not waive the CESOP reporting obligation. Even small PSPs are obliged to report data. A payment involves the PSP of the payee (the seller) as well as the PSP of the payer (the buyer). When the PSPs are located in two different Member States, the obligation to record and share data on cross-border payments rests with the payee’s PSP. This would be different if the payee’s PSP is located outside of the EU. In that case, the payer’s PSP located in the EU must comply with the CESOP reporting obligation instead. 

All cross-border payments where the payer is located in the EU are affected. A payment is cross-border when it is made by a payer located in an EU Member State to a payee located in another country. This could be either a Member State or a third country. For qualification as a cross-border payment, the localization of the payee and payer is determined by their BIC/IBAN number. The record keeping and reporting obligation only apply if a PSP provides payments service corresponding to more than 25 cross-border payments made to the same payee per calendar quarter. Every cross-border payment that can be traced back to a particular payee should be included. 

The following information of such payment should be recorded in a register and provided to the local tax authorities:

• BIC or business ID of the PSP;
• the (business) name of the payee;
• the VAT ID-number or other national tax number of the payee (if available);
• the IBAN or, in absence thereof, any other ID that identifies and localizes the payee;
• the BIC or business ID that identifies and localizes the payee’s PSP where the payee receives funds without having any payment account;
• the address of the payee (if available);
• information regarding the cross-border payments (including refunds) received by the payee, including (i) date and time of the payment / refund, (ii) the amount and the currency, (iii) the member state of origin and destination including the information used to determine the origin / destination, (iv) any reference identifying the payment and, if applicable, (v) information that the payment was initiated at the merchant’s physical premises.

The abovementioned information should be recorded in electronic registers. These registers must be kept for a period of three calendar years following the calendar year in which the cross-border payment occurred. 

The relevant data must be submitted in a standardized XML format within one month after the end of the relevant quarter.

The Netherlands

The Dutch Tax Authority has published a manual with further guidance on how to submit the relevant data. Software developers and data suppliers (i.e. PSPs within the scope of the CESOP reporting obligation) can register with the Dutch Tax Authority’s dedicated website. This gives you access to technical specifications, a Validation Test Service, which allows you to verify whether the format in which the data is submitted is acceptable. 

Belgium

In Belgium, a Royal Decree will have to be published regarding the filing method of the registers. 

Luxembourg

For Luxembourg, no details are known yet.

EU legislation does not contain a legal basis for administrative sanctions when PSPs do not comply with the CESOP reporting obligations. EU member states may determine the consequences of non-compliance and should enact legislation that allows for the sanction. 

In case of non-compliance with the CESOP reporting obligation in the Netherlands, PSPs could be charged with a maximum fine of EUR 900.000. This is the case if such non-compliance is due to willful intent or gross negligence. For Belgium and Luxembourg, sanctions will need to be determined. 

PSPs do not only face the risk of imposing penalties, but could also face other consequences. In accordance with Regulation EU 2016/679 on the protection of personal data, the data can only be kept and provided by the PSPs insofar as it is proportionate and remains limited to what is strictly necessary to combat VAT fraud. Inaccurate reporting of personal data may therefore also result in violation of privacy laws. This will be treated as a data breach. If the breach also leads to a violation of the Money Laundering and Terrorist Financing Prevention Act, the PSP may also come under scrutiny of relevant supervisory authority of the PSP (i.e. Dutch Central Bank for the Netherlands, the National Bank of Belgium for Belgium and the Commission de Surveillance du Secteur Financier (CSSF) for Luxembourg). 

The CESOP reporting obligation originates from an EU legislative package, amending the EU VAT Directive (Directive 2006/112/EC) and the Regulation on administrative cooperation and combating VAT fraud (Regulation (EU) No 904/2010). The legislative package was adopted by the Council of the European Union on 18 February 2020. The new reporting rules must be implemented by all EU member states as of 1 January 2024.

The Netherlands

The CESOP reporting obligation will be implemented by amending the Dutch Turnover Tax Act 1968. The legislation amending the Dutch Turnover Tax Act 1968 was adopted and was published on 18 April 2023. The CESOP reporting rules will come into effect on 1 January 2024.

Belgium

The CESOP reporting obligation will be implemented by amending the Belgian VAT Code and will also come into effect on 1 January 2024. 

Luxembourg

The CESOP reporting obligation has not yet been transposed, and no legislative bill has yet been drafted. There is no indication of timing yet.

The first CESOP reporting is due in April 2024 and covers in scope cross-border payments executed in Q1 2024. PSPs should therefore assess in which member states they will need to submit CESOP reports. Furthermore, PSPs should be making preparations, e.g. in their administration and IT-systems to ensure that they are able to comply with the CESOP reporting obligations as from 1 January 2024.