CESOP is a new tax reporting requirement for regulated payment service providers (PSPs) that went live on 1 January 2024. As of this date, PSPs must monitor payees (e.g. merchants) in relation to cross-border payments and report related payment data to tax authorities in the EU Member States. The goal of CESOP is to detect and combat VAT non-compliance and VAT fraud in cross-border B2C e-commerce by EU and non-EU payees. CESOP complements the EU VAT e-commerce recast that came into force on 1 July 2021. For more details, we refer to our previous insight here.
We have supported PSPs to understand CESOP requirements and worked with them towards implementation, including policies and controls for CESOP governance. Below are 5 key considerations for PSPs operating in the EU looking to navigate and manage these requirements.
We have worked with PSPs on impact assessments to understand whether they fall in or out the CESOP scope. The CESOP rules are wide and may capture any PSP authorized to offer payment services in the EU. This may also include small PSPs, intermediary PSPs, PSPs located in the European Economic Area (EEA), as well as online marketplaces and online platforms processing payments between payers and payees.
You may for example be out of scope of CESOP if you are an intermediary PSP, but you are not providing payment services to the payer or payee. You may also be out of scope if you provide payment services, but you avail yourself of an exemption under EU Directive 2015/2366 (PSD2), such as the commercial agent exemption, or the one for technical service providers (TSPs).
There is a CESOP reporting requirement if more than 25 cross-border payments are executed by a PSP to the same payee per calendar quarter. There is a cross-border payment for CESOP purposes when the payer is located in a given EU Member State and the payee is located in another EU Member State or in a non-EU country. In other words, domestic payment transactions where the payer and the payee are located in the same EU Member State are not reportable.
Note that locations of the payer and the payee are based on proxies, such as IBAN and BIC, and may not coincide with actual locations. However, informal CESOP guidance suggests that when different proxies are available resulting in different locations, the PSP must choose the proxy that best reflects the location. For example, where an IBAN country code deviates from the country identified during client onboarding. PSPs should determine their reporting strategy here, noting the EU VAT Directive does not always coincide with the informal guidance.
The CESOP reporting requirement is with the payee’s PSP, as long as the payee’s PSP is in the EU. This means that an EU-based payer’s PSP may have to report payments where the payee’s PSP is located in a non-EU country. However, even where EU payer’s PSPs have no reporting obligation, CESOP still requires these PSPs to monitor transactions for determining if the threshold of more than 25 cross-border transactions to the same payee is exceeded, i.e. should the EU payer’s PSP also execute payments to this payee where the payee uses a non-EU PSP.
We have worked with PSPs on determining a pragmatic approach, which may include a payment transaction mapping that blueprints data points and reporting requirements for different payment types and different payments scenarios.
Some data elements are mandatory to report (e.g. payee name), some are optional and should be provided when available (e.g. payee VAT number), and others are mandatory subject to the payment scenario (e.g. in case of a refund scenario). For some data elements, such as payee address, EU VAT law and informal guidance put forward different requirements, creating unclarity on the data that could or should be reported. Also, data needs to be aggregated e.g. when referring to the same payee, where the informal guidance suggests that payee’s PSPs have an increased duty of care to aggregate compared to payer’s PSPs.
As such, determining a strategy that governs data requirements and data quality, but also enables capturing data from multiple unconnected sources, may be a key challenge to comply with CESOP. When working with clients, it has appeared this cannot be a stand-alone data strategy for CESOP, but has to align with other data strategies. These may for example include BCBS 239 and the overall tax technology strategy.
PSPs should as a starting point file CESOP reports with the tax authorities in their home Member State. However, PSPs providing payment services in host Member States, may also need to file CESOP reports in these host Member States. This may especially be the case where PSPs have passported their PSD2 authorization to host Member States, which is an indication payment services are also provided there. Unlike in EU VAT for e-commerce or in DAC7, there is no one stop shop for CESOP (yet) to simplify tax reporting and tax authority relationship management. I.e. CESOP reports may thus need to be filed across multiple EU Member States, where PSPs need to manage tax authority registrations, tax authority reporting channels and tax authority relationships.
A key consideration for PSPs is how CESOP relates to GDPR, especially as there is a disconnect between the CESOP data retention period applicable to PSPs (3 years) and the CESOP audit period available to tax authorities (5 years). PSPs should determine a position being both CESOP and GDPR proof. Another key business requirement impacted by CESOP is if and how to inform customers of CESOP data sharing, for example via an update of T&C’s or the data privacy policy.
Andy van Esdonk, Head of VAT Netherlands at Bird & Bird, says:
“The first CESOP reports were successfully filed by PSPs by the end of April 2024. This is, however, just the beginning. I expect PSPs and e-commerce sellers are in for some significant impact.
For PSPs, CESOP is a burdensome tax reporting requirement, unprecedented and subject to interpretation. Given complexities and unclarities about certain rules, pieces of the informal guidance, and data management in general, full compliance seems challenging. It remains to be seen whether tax authorities will appreciate PSPs’ efforts to manage CESOP, or whether they will seek to penalize each and every missing or overreported piece of data. The latter would not be proportional in my view, especially if overall CESOP governance is of acceptable levels.
For e-commerce sellers, CESOP may result in increased tax authority scrutiny risk, now that any non-compliance may instantly come on the radar of the EU tax authorities. E-commerce sellers should ensure their EU VAT management is on point and they cannot afford to be unaware or uninformed about their EU VAT positions.
Depending on the success of CESOP, potentially accelerated by generative AI, I expect the payment data analysis will be deployed beyond EU VAT for e-commerce. This includes other area’s of EU VAT, other taxes or even domains outside of tax. The CESOP rules already anticipate on this by stipulating that CESOP data may for example be used for the assessment of other levies, duties, and taxes, which has already been subject to public criticism in the data privacy domain.”
Please contact Andy van Esdonk or your regular Bird & Bird contact to further discuss CESOP or EU VAT for e-commerce for your business.