Payment Service Providers (“PSPs”) that operate in Europe will need to comply with new record keeping and reporting obligations if they are involved in cross-border payments. These PSPs will have to keep registers with detailed information on cross-border payments that they have to share with local tax authorities on a quarterly basis. The data will be included in a European database called Central Electronic System Of Payment Information (“CESOP”). The aim of this CESOP reporting obligation is to combat VAT fraud in cross-border e-commerce transactions. The reporting obligation will enter into force on 1 January 2024. To comply with the new rules, PSPs should start setting up their systems and processes.
Would you like to know whether your organization is affected and what you can do? Below you will find answers to frequently asked questions.
What is CESOP and why is it created?
CESOP is a new EU-wide database that is introduced to combat VAT fraud in cross border e-commerce transactions. CESOP allows for centralization of information reported by PSPs to their local tax authorities. The data collected in CESOP can be analyzed by anti-fraud data experts.
What is a PSP?
PSPs include payment institutions, credit institutions, electronic money institutions and post office giro institutions which are authorized under national law to provide payment services. This is defined in the Payment Services Directive 2 (Directive 2015/2366 EU, PSD2).
Who needs to comply with the CESOP reporting obligation?
PSPs active in the EU will need to comply. The exemption for small PSPs laid down in article 32 PSD2 does not waive the CESOP reporting obligation. Even small PSPs are obliged to report data. A payment involves the PSP of the payee (the seller) as well as the PSP of the payer (the buyer). When the PSPs are located in two different Member States, the obligation to record and share data on cross-border payments rests with the payee’s PSP. This would be different if the payee’s PSP is located outside of the EU. In that case, the payer’s PSP located in the EU must comply with the CESOP reporting obligation instead.
What transactions must be reported?
All cross-border payments where the payer is located in the EU are affected. A payment is cross-border when it is made by a payer located in an EU Member State to a payee located in another country. This could be either a Member State or a third country. For qualification as a cross-border payment, the localization of the payee and payer is determined by their BIC/IBAN number. The record keeping and reporting obligation only apply if a PSP provides payments service corresponding to more than 25 cross-border payments made to the same payee per calendar quarter. Every cross-border payment that can be traced back to a particular payee should be included.
What data should be recorded and reported?
The following information of such payment should be recorded in a register and provided to the local tax authorities:
- BIC or business ID of the PSP;
- the (business) name of the payee;
- the VAT ID-number or other national tax number of the payee (if available);
- the IBAN or, in absence thereof, any other ID that identifies and localizes the payee;
- the BIC or business ID that identifies and localizes the payee’s PSP where the payee receives funds without having any payment account;
- the address of the payee (if available);
- information regarding the cross-border payments (including refunds) received by the payee, including (i) date and time of the payment / refund, (ii) the amount and the currency, (iii) the member state of origin and destination including the information used to determine the origin / destination, (iv) any reference identifying the payment and, if applicable, (v) information that the payment was initiated at the merchant’s physical premises.
The abovementioned information should be recorded in electronic registers. These registers must be kept for a period of three calendar years following the calendar year in which the cross-border payment occurred.
How should the data be reported?
The relevant data must be submitted in a standardized XML format within one month after the end of the relevant quarter.
The Dutch Tax Authority has published a manual with further guidance on how to submit the relevant data. Software developers and data suppliers (i.e. PSPs within the scope of the CESOP reporting obligation) can register with the Dutch Tax Authority’s dedicated website. This gives you access to technical specifications, a Validation Test Service, which allows you to verify whether the format in which the data is submitted is acceptable.
In Belgium, a Royal Decree will have to be published regarding the filing method of the registers.
For Luxembourg, no details are known yet.
What are the risks of non-compliance?
EU legislation does not contain a legal basis for administrative sanctions when PSPs do not comply with the CESOP reporting obligations. EU member states may determine the consequences of non-compliance and should enact legislation that allows for the sanction.
In case of non-compliance with the CESOP reporting obligation in the Netherlands, PSPs could be charged with a maximum fine of EUR 900.000. This is the case if such non-compliance is due to willful intent or gross negligence. For Belgium and Luxembourg, sanctions will need to be determined.
PSPs do not only face the risk of imposing penalties, but could also face other consequences. In accordance with Regulation EU 2016/679 on the protection of personal data, the data can only be kept and provided by the PSPs insofar as it is proportionate and remains limited to what is strictly necessary to combat VAT fraud. Inaccurate reporting of personal data may therefore also result in violation of privacy laws. This will be treated as a data breach. If the breach also leads to a violation of the Money Laundering and Terrorist Financing Prevention Act, the PSP may also come under scrutiny of relevant supervisory authority of the PSP (i.e. Dutch Central Bank for the Netherlands, the National Bank of Belgium for Belgium and the Commission de Surveillance du Secteur Financier (CSSF) for Luxembourg).
What is the relevant legislation and how will it be implemented in the Benelux?
The CESOP reporting obligation originates from an EU legislative package, amending the EU VAT Directive (Directive 2006/112/EC) and the Regulation on administrative cooperation and combating VAT fraud (Regulation (EU) No 904/2010). The legislative package was adopted by the Council of the European Union on 18 February 2020. The new reporting rules must be implemented by all EU member states as of 1 January 2024.
The CESOP reporting obligation will be implemented by amending the Dutch Turnover Tax Act 1968. The legislation amending the Dutch Turnover Tax Act 1968 was adopted and was published on 18 April 2023. The CESOP reporting rules will come into effect on 1 January 2024.
The CESOP reporting obligation will be implemented by amending the Belgian VAT Code and will also come into effect on 1 January 2024.
The CESOP reporting obligation has not yet been transposed, and no legislative bill has yet been drafted. There is no indication of timing yet.
How should PSPs prepare for the CESOP reporting obligation?
The first CESOP reporting is due in April 2024 and covers in scope cross-border payments executed in Q1 2024. PSPs should therefore assess in which member states they will need to submit CESOP reports. Furthermore, PSPs should be making preparations, e.g. in their administration and IT-systems to ensure that they are able to comply with the CESOP reporting obligations as from 1 January 2024.