CESOP: New transactional reporting regime for European payment service providers

Within the broader framework of the digital economy, and the difficulties EU Member States experience in the taxation of e-commerce transactions, new measures are being created by the European Commission and the Member States to monitor VAT payments, VAT obligations and combat VAT fraud. The CESOP regulations are one of these measures. In particular, CESOP will enable the European Commission and the Member States to identify payment recipients (suppliers, service providers, etc.) that might not have fulfilled their VAT obligations properly. 

The new rules are aimed at the below four categories of PSPs as defined under Directive (EU) 2015/2366 (PSD2 Directive) that are active in the EU, including certain small PSPs that are subject to lighter PSD2 requirements.

Institutions in scope of CESOP include:

• Fully licensed banks and other credit institutions,

• Payment institutions,

• Electronic money institutions, and 

• Post office giro institutions.

Only the cross-border payments that originate from within the EU are potentially reportable. This implies that domestic transactions (where the payer and the payee are located in the same EU Member State) are out of scope. This also means that transactions that originate from outside of the EU (i.e., where the payer is located in a third country) are out of scope too.

It is also important to note that the reporting obligation is triggered only when the same payee receives more than 25 payments per quarter (regardless of how many accounts that payee has). PSPs are therefore required to apply certain aggregation rules to determine whether the 25-payment threshold is exceeded.

Location rules and aggregation rules are complex to apply in practice and automated business rules should be clearly defined, consistent and properly documented.

With respect to the location rules, the location of the payer and the payee (and therefore the cross-border character of the payment) is determined based on the following rules:

• Primary rule: IBAN of the payer’s / payee’s account or any other identifier which unambiguously identifies, and gives the location of the payer / payee

• Fall back rule: In the absence of an IBAN / other identifier, the BIC or any other identifier which unambiguously identifies, and gives the location of, the PSP acting on behalf of the payer / payee.

As regards the aggregation rules, the following should apply:

• Basic rule: aggregation using the same identifiers as those used under the location rules (IBAN, bank account number, e-account number, etc.)

• Additional rule: In addition, PSPs must attempt to identify whether two payment accounts are linked to the same payee using the information available to them (payee name, address, VAT/Tax ID, email, etc.).

The reporting obligation falls on the PSPs that are part of the payment chain. 

For intra-EU transactions (where both the payer and the payee are located in different EU Member States), the reporting obligation will generally fall on the PSP of the payee. For extra-EU transactions (where the payer is located in the EU and the payee is located in a third country), the reporting obligation will generally fall on the PSP of the payer.

Example 1:  Three account holders of a Luxembourg PSP make respectively 5, 10 and 20 payments (credit transfers) to the same payee located in Switzerland in a given quarter. All three account holders are located in Luxembourg.

Analysis: Payments are extra-EU payments since the payers are located in the EU (Luxembourg) and the payee is located in a third country (Switzerland). The reporting obligation will therefore be on the PSP of the payers (Luxembourg PSP). To determine whether the 25-payment threshold is exceeded, the Luxembourg PSP will need to aggregate all payments made to the same payee. In this case, there are 35 payments in total made to the same payee (i.e. Switzerland), thus exceeding the 25-payment threshold. The Luxembourg PSP will therefore need to report the transactions.

Example 2:  An account holder of a Luxembourg PSP receives 50 payments (credit transfers) from payers located in France in a given quarter. 

Analysis: Payments are intra-EU payments since the payers are located in France and the payee is located in Luxembourg. The reporting obligation will therefore be on the PSP of the payee (Luxembourg PSP). To determine whether the 25-payment threshold is exceeded, the Luxembourg PSP will need to aggregate all payments made to the same payee. In this case, there are 50 payments in total made to the same payee (i.e. Luxembourg).  The Luxembourg PSP will therefore need to report the transactions.

It has to be noted that in certain complex payment chains involving multiple PSPs, the same payment transaction might be reported multiple times.

The basic rule is that reportable payments need to be reported in the Member State where the payment services have been provided. This could be the Member State where the PSP is established (i.e., home country) but also the Member States where the PSP provides payment services (i.e., host country). Depending on the set-up of the PSP and in absence of a ‘one-stop shop’-approach, this may result in reporting obligations in multiple Member States for individual PSPs. 

Example 3:  A Luxembourg PSP (e-money institution) has passported its payment licence in all EU and EEA Member states. In a given quarter, it processed 50 payment transactions for a Polish client and 80 payment transactions for a Swedish client. All payments are intra-EU payments, and the Polish and Swedish client both qualify as payees for such payments.

Analysis: Payments are intra-EU payments. The reporting obligation will therefore be on the PSP of the payees (Luxembourg PSP). The 25-payment threshold is exceeded for both payees since the Polish client receives 50 payments, and the Swedish client receives 80 payments in the same quarter. Since the payment services have been provided in Poland and Sweden, the Luxembourg PSP will need to report the payments to the Polish (50 payments) and Swedish (80 payments) tax authorities, respectively.

This cross-border reporting obligation has a significant impact on how to handle, structure and finally collate the payments data for reporting purposes. The EU has published an XSD schema for delivering the data. This has to be translated into guidance of each Member State, which could result in differences in reporting schema (like in the Netherlands) and infrastructure of individual Member States. 

The general XSD schema contains more than 70 data fields  and includes information for each reportable transaction about the payee, the payee’s PSP, the payer’s PSP and transactional information.

Nil reporting may be possible in the case the PSP has no payments for the reporting period (the XSD Schema provides a specific field/flag in that respect). The CESOP system supports a correction mechanism enabling PSPs to resubmit reports with corrected payment date.

The CESOP Directive (Council Directive (EU) 2020/284) will need to be transposed into Luxembourg domestic law by the end of 2023. It will start being applied from 1 January 2024. The draft law transposing the Directive is already available.

The directive is brief and presents a significant amount of ambiguity regarding the application of certain rules. The European Commission has stated that they are currently working on a Frequently Asked Questions document with the objective of providing more precise guidance on CESOP regulations. Additionally, it is anticipated that the tax authorities in Luxembourg will eventually release their own domestic guidelines to address these uncertainties.

Although additional guidance is expected, it is still possible that there may be variations in the interpretation of the rules among Member States. Estimating the extent of such discrepancies is currently challenging. Furthermore, we anticipate that there will be deviations in the local XSD schemas as well (like in the Netherlands).

On a positive note, we expect that in the medium term certain Member States will allow machine-to-machine submissions, making it possible to submit CESOP reports from PSPs systems to tax authorities’ systems without manual intervention.