
Central Electronic System of Payment Information (CESOP)

How spontaneous can and must banks be?

 

 

CESOP is knocking on the door

The regulatory landscape for financial institutions (FIs) in Europe keeps evolving. While several recent announcements have drawn a lot of attention – for example PSD3 or the development of a digital Euro – other developments have been less closely followed by many market participants. One example worth mentioning is the Central Electronic System of Payment Information guideline, CESOP for short.

The new regulation will enter into force by January 1, 2024. Hence, banks and payment service providers (PSPs) will be subject to updated recording and reporting obligations for cross-border transactions in a matter of just a few months.

What is CESOP and who is affected?

CESOP was introduced by the European Commission to make it easier for payment service providers in the European Union to exchange cross-border payment data seamlessly and in a timely manner. The objective of the measure is to give the tax authorities of the Member States the right instruments to detect possible e-commerce VAT fraud carried out by sellers established in another Member State or in a non-EU country.

To adhere to the new guidelines, payment service providers will be required to provide information on cross-border payments from EU Member States and on the beneficiary of these cross-border payments at quarterly intervals. Under the regulatory package, payment service providers offering payment services in the EU will have to monitor the payees of cross-border payments and provide information to EU Member State administrations on those receiving more than 25 cross-border payments per quarter.

CESOP will apply to banks and payment service providers in the European Union. In addition to these institutions, the local authorities will also be impacted by the new reporting guidelines. It is their responsibility to develop and expose the technical interfaces for the data exchanges that allow PSPs to provide standardized information. Furthermore, it is their duty to forward that data to the central CESOP database to enable the collection and analysis of the complete set of EU-wide data.

The implementation of CESOP has the ambitious goal of increasing the efficiency of reporting payment data directly to the responsible authorities. It also promotes transparency and maintains the integrity of data, which should foster trust among institutions and regulatory bodies. Additionally, CESOP is an attempt to facilitate streamlined cross-border payments, promoting economic cooperation between EU Member States.

How will it be enforced?

Compliance with the new reporting guidelines will be important for the affected institutions. Depending on the applicable law of the EU Member State, failure to comply can lead to hefty fines.

In Germany, for instance, CESOP will be included in the VAT Act, and in case of non-compliance banks or PSPs can be subjected to an administrative fine under Sec. 26a. This penalty, amounting to EUR 5,000 per violation, may be imposed if the filing or correction is found to be incomplete, incorrect, or submitted after the specified deadline. As there is no limit to the total amount of fines that can be charged, the German application of the law is among the strictest of those that have been defined so far.

Figure 1: Maximum fines for non-compliance with CESOP

Additionally, failure to retain the necessary documentation for a minimum of three years can also lead to the imposition of a fine.

 

For most PSPs this is a very spontaneous visit

 

Implementation time is tightly calculated …

The impending arrival of the CESOP regulation, set to take effect in less than four months, might present a challenge for some affected PSPs. The crux of the matter lies in the requirement for these financial entities to establish the necessary interfaces for reporting essential data to the respective authorities. Standardized reporting is mandated, which means that the data must be meticulously prepared to meet the specified criteria. This calls for comprehensive data management and validation processes, adding layers of complexity to existing reporting processes. At the same time, the readiness of the local tax authorities regarding interface specification and realization also offers little lead time for the PSPs. For example, the German tax authority has not published the implementation details of the interfaces on its side, but rather refers to the EU’s user guide for the submission of the payment and the defined XML schema. The latest iteration of this document is dated August 8, 2023. Given that large PSPs often have only 2 major releases per year, this volatility of requirements is likely to cause some challenges for the affected PSPs.

Moreover, technical integration poses another hurdle. Institutions that are present in multiple Member States of the EU must set up the infrastructure required to report to the local tax authorities of each EU Member State on a recurring basis. The complexity intensifies as this entails interfacing with multiple regulatory bodies, each potentially with its own set of requirements and procedures. Ensuring seamless communication with these diverse entities is a daunting technical challenge that must be overcome to achieve compliance.

 

… and more will follow

Furthermore, while CESOP is a pressing concern, it is just one piece of a larger puzzle. Financial institutions in the EU are faced with a plethora of regulatory changes. These forthcoming developments, such as instant payments regulations, PSD 3 including the new PSR, the AI Act, and the potential introduction of a Digital Euro – to name a few – are poised to impact a wide spectrum of players, blocking a significant share of delivery capacity in the development pipelines.

Some of these changes may take effect sooner than expected, demanding a proactive approach to regulatory compliance. Institutions must embrace these changes and equip their delivery organizations with reasonable capacity, so as not to delay the realization of the backlog items that are required for innovation, market differentiation and business development. To thrive in this landscape, staying informed and being prepared for the regulatory future is and will continue to be essential.

 

How to deal with the surprise visit

As the deadline for the CESOP implementation approaches, PSPs need to assess their readiness considering the latest iteration of specifications in the related member states. This includes the technical capability of delivering the required cross-border payment data to the local authorities in the EU Member States they operate in, but also the operational readiness to monitor these reports and react in case of requests and irregularities.

PSPs that are not fully ready and whose estimated timeline for realization exceeds the due date are advised to assess potential levers to mitigate the risk of sanctions, e.g., ramp-up of delivery capacity, utilization of 3rd party solution components observable in the market, and direct communication with the relevant authorities to negotiate waivers for the fines if applicable.

Once the time-sensitive challenges regarding CESOP readiness have been solved, PSPs need to find appropriate instruments that ensure compliance with applicable law in the future without resorting to spontaneous short-term measures. As regulations and reporting requirements are continuously evolving, they need to be closely observed and assessed regarding their impact on the institution so that it can plan accordingly.

Tools such as a structured regulatory radar that is embedded in the project portfolio management can help financial institutions keep an overview of upcoming and relevant regulatory changes. This should then be translated into effort estimations and the overarching project backlog, to ensure that delivery capacity is actively managed and regulatory changes – also with short realization periods – do not lead to resource bottlenecks in the organization.

Figure 2: Structured regulatory radar

 

Questions? Ask our experts


Ibrahim Shabea
Senior Engineering Manager

As Senior Engineering Manager at CORE, Ibrahim is responsible for a wide range of projects focused on payment transactions and digital payment solutions. Leveraging his expertise, Ibrahim engages in all aspects of the project lifecycle, from conceptual design to the implementation of new payment procedures.


Dominik Siebert
Managing Partner

Dominik Siebert is Managing Partner at CORE and has extensive experience in complex transformation projects in the financial industry, from strategic conceptualisation to implementation management. At CORE, Dominik focuses on projects for the development and strategic positioning of digital payment solutions.


Fabian Meyer
Managing Partner

As Managing Partner at CORE, Fabian Meyer is responsible for the implementation of complex IT projects with a focus on digitalization projects in the banking industry. He has several years of consulting experience in the banking sector and in transformation engineering.
