CESOP, VAT and PSD2: ten things payment service providers, businesses processing payments and e-commerce merchants should know before go-live on 1 January 2024
Written By
1. What is going live on 1 January 2024?
Effective 1 January 2024, the European Union is introducing a new tax reporting requirement for payment service providers (PSPs), including card issuers, acquirers or other businesses processing payments.
As of this date, PSPs must monitor their merchants in relation to cross-border payments and report related payment data to the EU Member States. The data will be collected and centralised in a new EU database called the Central Electronic System of Payment information (CESOP), where it will be stored, aggregated and cross-checked with other EU databases. All information in CESOP will be made available to anti-fraud experts of the EU Member States.
2. Why?
The goal of CESOP is to detect and combat VAT non-compliance and VAT fraud in cross-border B2C e-commerce by merchants established in another EU Member State or in a non-EU country. Since most B2C e-commerce transactions are executed via PSPs and PSPs are considered to avail of the underlying payment data, PSPs will now be tasked with the new tax reporting requirement to contribute to aforementioned goal. CESOP complements the EU VAT e-commerce recast that came into force on 1 July 2021.
3. Which PSPs are in scope of CESOP?
PSPs covered by Article 1(a) to (d) of EU Directive 2015/2366 on payment services in the internal market (PSD2) are in scope of CESOP. This definition includes PSPs like credit institutions, electronic money institutions, payment institutions, etcetera. Note that small PSPs making use of the exemption for small payment service providers of Article 32 PSD2 are also in scope of CESOP.
If you are correctly not authorised as a PSP (e.g. because you are taking the view that you are not providing a payment service at all; or that you are providing a payment service but can avail of an exclusion such as the PSD2 commercial agent exclusion), then you should not fall within the scope of CESOP.
4. Which payment services and payments are in scope of CESOP?
PSPs that are authorised to provide payment services covered by points (3) to (6) of Annex I of PSD2 are in scope of CESOP, such as execution of payment transactions, acquiring and money remittance. Payments in scope of CESOP are in principle payment transactions covered by Article 4(5) PSD2 or money remittance covered by Article 4(22) PSD2.
5. What triggers the CESOP reporting obligation?
First, you should be a PSP in scope of CESOP and provide payment services in scope of CESOP and execute payments in scope of CESOP. Second, the payments should be cross-border and you should execute more than 25 cross-border payments per calendar quarter to the same merchant.
6. When is a payment cross-border for CESOP?
There is a cross-border payment for CESOP when the payer is located in a EU Member State and the merchant is located in another EU Member State or in a non-EU country. The location of the payer and the merchant is based on proxies, such as IBAN or BIC, and may not coincide with actual locations. There is no relation with the place-of-supply-rules or place-of-establishment-rules in EU VAT.
This means that a payment between a payer and a merchant both resident in one EU Member State could still be a cross-border payment for CESOP. For example if the merchant uses an acquirer in another EU Member State with an IBAN of that EU Member State. Vice versa, a payment between a payer and merchant resident in different EU Member States may not be a cross-border payment for CESOP, for example where that merchant uses an acquirer with an IBAN in the EU Member State of the payer.
7. When is the threshold of more than 25 cross-border payments exceeded?
There should be more than 25 cross-border payments per calendar quarter to the same merchant. Note this is a threshold per EU Member State and may not be consolidated on a PSP level. However, consolidation or aggregation should be done by PSPs as far as merchants are concerned, for example where one merchant in one EU Member State uses different payment methods.
8. Who should record, report, where, how, what, and when?
PSPs should as a starting point keep sufficiently detailed records of merchants and payments. The tax reporting requirement itself is primarily with the PSP of the merchant, e.g. with the acquirer for card-based payments. The tax reporting requirement may however shift to the PSP of the payer, e.g. with a card issuer in the case of card-based payment, where the PSP of the payee (e.g. the acquirer) is established in a non-EU country.
PSPs should report payment data with the tax authorities in their home EU Member State and, where applicable, with the tax authorities in their host EU Member States. Note there is no One Stop Shop and PSPs may therefore be subject to CESOP reporting obligations in multiple EU Member States if payment services are passported across the EU. This means that PSPs should deal with different tax authorities, different tax authority portals and different tax authority reporting channels.
The payment data that should be reported is detailed and may for example include the BIC of the PSP, name of the merchant, VAT number of the merchant, IBAN of the merchant, BIC of the merchant, address of the merchant, details of the cross-border payments and details of refunds.
Lastly, CESOP will be a quarterly tax reporting requirement. The first reportable period covers Q1 of 2024 and has a reporting deadline of 30 April 2024. The EU Member States should transmit the data to CESOP by the 10th day of the following month, starting 10 May 2024.
9. Why is this development relevant for e-commerce merchants?
With CESOP, tax authorities across the EU will have more data and options to audit e-commerce merchants. This shows the ever remaining importance for merchants engaged in B2C e-commerce in the EU to manage VAT correctly. This especially includes the EU VAT rules for e-services that came into force on 1 January 2015, the EU VAT e-commerce recast of 1 July 2021, as well as the EU’s VAT in the Digital Age proposals that are on the horizon for enactment.
10. Final comments
Andy van Esdonk, Head of VAT Netherlands at Bird & Bird says: “With only a couple of months left to 1 January 2024, PSPs and other businesses processing payments should advance their CESOP design and implementation. If they have not started yet, it is now key to expedite an internal CESOP business case and an impact assessment. This could be followed up with a blueprint, including a payment transaction mapping and an identification of data points. Having said that, also e-commerce merchants need to make sure they manage VAT correctly, as tax authority audits and tax authority scrutiny in the EU because of CESOP may otherwise be expected.”Caroline Brown, Legal Director at Bird & Bird in the UK specialising in VAT considers: “CESOP fits in a wider trend where certain business sectors are targeted to exchange information with tax authorities. We have seen this primarily with online platforms, but now with PSPs as well. Online platforms that are also PSPs need to address CESOP on top of other developments, such as deemed seller rules in many VAT systems globally, as well as the OECD model rules for reporting by digital platform operators, also known as DAC7 in the EU.”
Ferdinando Ferri, Senior Associate at Bird & Bird in Italy specialising in VAT concludes: “It is a priority of the EU to detect and combat VAT non-compliance and VAT fraud in cross-border B2C e-commerce. Businesses should therefore not underestimate the importance of CESOP for their tax governance, especially since non-compliance with CESOP may result in significant penalties or sanctions. The EU has published informal guidance, FAQ’s and a XSD user guide explaining the data required for the CESOP XML Schema, which may be helpful for businesses when addressing this topic.”
Please contact Andy van Esdonk, Caroline Brown, Ferdinando Ferri or your regular Bird & Bird contact to further discuss CESOP, VAT and e-commerce, or PSD2.
