Pursuant to Council Directive (EU) 2020/284 (“CESOP Directive”, “the Directive”), effective 1 January 2024 all payment service providers within the European Union (“EU”) are obliged to report specific cross-border payment transactions conducted on behalf of clients, as part of the EU's initiative to combat Value-Added Tax fraud. These recent provisions require payment service providers to deliver comprehensive details regarding processed payments. These entities are obligated to maintain records of cross-border payment data, and to share them with the tax authorities of EU Member States on a quarterly basis, commencing April 2024.
Why the combat against VAT fraud
CESOP was designed to enable the European Commission and Member States to identify payment recipients, such as suppliers and service providers, who may have inadequately fulfilled their VAT obligations. By enhancing transparency and accountability in cross-border payment transactions, CESOP aims to mitigate instances of fraud within the digital marketplace.
Who is in scope
The new rules are aimed at the below four categories of Payment Service Providers (“PSPs”) as defined under Directive (EU) 2015/2366 (“PSD2 Directive”) that are active in the EU, including certain small PSPs that are subject to lighter PSD2 requirements. These include:
What payments are in scope
The scope of CESOP reporting focuses exclusively on cross-border payments originating within the EU, excluding domestic transactions and payments originating from third countries. Notably, reporting obligations are only triggered when a payee receives more than 25 payments per quarter, requiring PSPs to adhere to aggregation rules for threshold determination.
The application of location and aggregation rules presents practical complexities, further obliging PSPs to establish clearly defined business rules. In determining the cross-border nature of payments, the primary rule relies on the IBAN or other unambiguous identifiers of the payer/payee, with a fallback to the BIC or equivalent identifier in the absence of an IBAN. Aggregation follows similar identifiers as location rules, with additional measures to identify linked payment accounts using available information such as payee details and identifiers. Ensuring consistency and proper documentation of these automated processes is essential for effective compliance.
Who needs to report
The reporting obligation falls on the PSPs that are part of the payment chain.
For intra-EU transactions (where both the payer and the payee are located in different EU Member States), the reporting obligation will generally fall on the PSP of the payee. For extra-EU transactions (where the payer is located in the EU, and the payee is located in a third country), the reporting obligation will generally fall on the PSP of the payer.
Where the transactions need to be reported
The basic rule is that reportable payments need to be reported in the Member State where the payment services have been provided. This could be the Member State where the PSP is established (i.e., home country) but also the Member States where the PSP provides payment services (i.e., host country). Depending on the set-up of the PSP and in the absence of a ‘one-stop shop’ approach, this may result in reporting obligations in multiple Member States for individual PSPs.
This cross-border reporting obligation has a significant impact on how to handle, structure and collate the payments data for reporting purposes. The EU has published an XSD schema for delivering the data. The general schema contains more than 70 data fields and includes information for each reportable transaction about the payee, the payee’s PSP, the payer’s PSP and transactional information.
As the first submission period approaches (April 1 to April 30), PSPs are advised to remain vigilant regarding legislative updates and the diverse requirements across each EU country. Despite the overarching Directive's harmonisation objectives, the 27 Member States have adopted vastly diverse registration and report submission methods for PSPs to comply with their reporting obligations. While in some Member States the registration processes are straightforward, others pose significant burdens.
It is recommended for PSPs not to underestimate the length and complexity of these procedures and to ensure preparedness for compliance in all jurisdictions where reporting is required.
CESOP compliance relies on a detailed approach to data management encompassing extraction, transformation, and filing processes. As such, PSPs are strongly encouraged to leverage technology solutions to assist them in this process. Additionally, considering the complexity and evolving nature of CESOP requirements, PSPs are encouraged to engage third-party providers specialised in CESOP compliance to ensure adherence to regulations.
CESOP can bring significant operational challenges to PSPs. PSPs should reflect on the following questions:
Nenad Ilic
Tax Partner, Banking & Capital Markets Tax Leader, PwC Luxembourg