An article by Andreas Wegmann


VAT fraud in the EU has reached considerable proportions: the €100 billion mark is likely to be crossed soon. The European Commission has therefore decided on countermeasures and issued a directive or regulation in February 2020 that will probably affect most payment service providers in the EU. With the Central Electronic System of Payment Information (CESOP), suspicious payments will be reportable in the future. This article provides an overview of the topic.

How does value added tax (VAT) fraud work?

Tax fraud through VAT evasion in the EU exploits a special feature of European VAT law, according to which supplies between EU companies are exempt from VAT. The condition is that they are not based in the same EU country or that one party is located outside the EU. In the simplest case, a good is sold VAT-exempt from country A to country B and then sold in country B with VAT. The company in country B, however, does not pay the VAT, but “disappears” before the tax office can collect the tax debt.
Often the goods are sold back to the original seller via detours and the whole cycle starts again. Very large VAT carousels of this kind have since been identified, operating in many countries with dozens of companies. Detecting and prosecuting the fraud becomes extremely burdensome for individual national authorities. To minimize the risk of detection, the fraudsters have now turned to small individual transactions with high frequency.

CESOP mandatory from 2024! What is to be done?

Usually, institutions have to look after their own customers (i.e., account holders), but CESOP is about the foreign payee, who usually has no legal relationship at all with the reporting institution. The existing filters and analytics, for AML and KYC for example, will therefore not help.

On January 1, 2024, the reporting system will go live, and the reports from the payment service providers will therefore have to be received by the end of the first quarter of 2024. Not only banks are affected, but possibly any company that has a license for money transactions, e.g.:

  • E-money and payment institutions (payone, WEAT, …)
  • Marketplaces (Amazon, Otto, eBay, …)
  • Issuers, acquirers and three-party credit card companies (American Express, JCB, Concardis, …)

Four-party credit card companies (Visa, Mastercard) and also PISP and AIS service providers according to PSD2 are excluded.

If a payee is located abroad and has received more than 25 payments per quarter, all transactions must be reported to CESOP. Those who violate their reporting obligations may be subject to a fine. To demonstrate due diligence in CESOP matters, a “0” report is advisable. It is obvious that if the bank is suspected of involvement in tax fraud, not only the tax authority but also the financial supervisory authority will very quickly investigate the business operations more closely.

CESOP payment methods

Who is concerned?

CESOP account split

The CESOP guidelines specify various constellations of payer, bank and payee. The bank at which a transaction can be identified at all is always the one that has to report. In order to also recognize splits of payment flows, banks must check all payment types: credit transfers, direct debits and card transactions. Since fast processing is typical for VAT fraudsters, monitoring SEPA Instant Payments will certainly lead to hits as well.
Of course, a bank must also aggregate the number of transactions across multiple accounts of an account holder.


CESOP marketplace

Service providers whose focus is not account management are also affected, e.g. marketplace providers and e-money institutions. If at least 25 payments are made to one and the same recipient per quarter, a report must be submitted. It does not matter whether the payments are made to different accounts. E-money institutions often operate very internationally. They are supposed to use the customer’s “login country” when filtering transactions. Payment service providers who cannot rule out being involved in payments abroad should examine the regulation very carefully.
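The counting rule described above (per payee and quarter, across all accounts and payment types) can be sketched as follows. This is an added example, not code from the article or from the European Commission; the field names and sample data are constructed, and "abroad" is assumed to mean that the payee's country differs from the payer's. The `inclusive` switch exists because the article states the threshold both as "more than 25" and as "at least 25".

```python
from collections import defaultdict
from datetime import date

def quarter(d):
    """(year, quarter) of a booking date."""
    return d.year, (d.month - 1) // 3 + 1

def reportable_payees(payments, threshold=25, inclusive=False):
    """Group cross-border payments by (quarter, payee) and return the groups
    that pass the threshold. The key is the payee's identity, not the account
    or the payment method, so splitting the flow does not lower the count."""
    groups = defaultdict(list)
    for p in payments:
        if p["payee_country"] == p["payer_country"]:
            continue  # payee is not abroad (assumed definition)
        groups[(quarter(p["date"]), p["payee_id"])].append(p)
    limit = threshold if inclusive else threshold + 1
    return {k: txs for k, txs in groups.items() if len(txs) >= limit}

def sample_payments():
    """Constructed test data; every identifier here is made up."""
    rails = ["credit_transfer", "direct_debit", "card", "instant"]
    def pay(payee, country, acct, rail, day):
        return {"payee_id": payee, "payee_country": country, "payer_country": "DE",
                "payee_account": acct, "method": rail, "date": day}
    out = []
    for i in range(26):  # P1: 26 payments in Q1, split over 3 accounts and 4 rails
        out.append(pay("P1", "NL", f"ACCT-{i % 3}", rails[i % 4],
                       date(2024, 1 + i % 3, 1 + i)))
    for i in range(25):  # P2: exactly 25 payments in Q1, one account
        out.append(pay("P2", "FR", "ACCT-9", "card", date(2024, 2, 1 + i)))
    for i in range(40):  # P3: domestic payee, never in scope
        out.append(pay("P3", "DE", "ACCT-7", "card", date(2024, 1, 1 + i % 28)))
    for i in range(30):  # P4: 15 payments in March, 15 in April
        out.append(pay("P4", "NL", "ACCT-8", "instant",
                       date(2024, 3 + i // 15, 1 + i % 15)))
    return out

if __name__ == "__main__":
    for (q, payee), txs in reportable_payees(sample_payments()).items():
        accounts = {t["payee_account"] for t in txs}
        print(q, payee, len(txs), "payments over", len(accounts), "accounts")
```

P4 receives 30 payments in total but stays under the threshold in each quarter, which shows why the quarter boundary has to be part of the grouping key.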

As with most other EU reporting requirements and statistics, CESOP is expected to expand and tighten as authorities race to keep up with new ideas from fraudsters.

What data must be reported to CESOP?

CESOP 243c

The reporting obligation covers very detailed information about a transaction, in particular the postal addresses of payer and payee (structured address information). The banks or payment service providers involved must also be stated, as well as any tax numbers mentioned in the transaction and the location of the transaction, e.g. if a card payment was made at the point of sale. An “electronic form” in the form of an XML schema file and a manual are available for the report.

Banks with a state-of-the-art payment system such as CBPay can face this new reporting requirement calmly.

Source: European Commission
