CESOP

VAT fraud in the EU has reached considerable proportions: the €100 billion mark is likely to be crossed soon. The European Commission has therefore decided on countermeasures and issued a directive or regulation in February 2020 that will probably affect most payment service providers in the EU. With the Central Electronic System of Payment Information (CESOP), suspicious payments will be reportable in the future. This article provides an overview of the topic.

How does value added tax (VAT) fraud work?

Tax fraud through VAT evasion in the EU is based on a special feature of European VAT law, according to which supplies between EU companies are exempt from VAT. The condition is that they are not based in the same EU country or that one party is located outside the EU. In the simplest case, a good is sold from country A to country B VAT-exempt and sold in country B with VAT. The company in country B, however, does not pay the VAT, but “disappears” before the tax office can collect the tax debt.
Often the goods are sold back to the original seller via detours and the whole thing starts all over again. In the meantime, very large such sales tax carousels have been identified, operating in many countries with dozens of companies. Detecting the fraud and prosecuting it becomes extremely burdensome for individual national authorities. To minimize the risk of detection, the fraudsters have now turned to small individual transactions with high frequency.

CESOP mandatory from 2024! What is to be done?

Usually, institutions have to take care of their own customers (i.e. account holders), but with CESOP it is also about the foreign payee, who usually has no legal relationship at all with their own organization. If the own customers send money to a recipient outside the EU, this may be subject to reporting. So the existing filters and analytics for AML and KYC, for example, won’t be able to help.

On January 1, 2024, the reporting system will go live, and by the end of the first quarter of 2024, the reports from the payment service providers will therefore have to be received. This means that not only banks are affected, but also any company that has a license for money transactions and carries out payments itself, for example:

• E-money and payment institutions (payone, WEAT,…)
• Marketplaces (Amazon, Otto, ebay…)
• Issuer, acquirer and three party credit card companies (American Express, JCB, Concardis, …)

Four-party credit card companies (Visa, Mastercard) and also PISP and AIS service providers according to PSD2 are excluded.

First and foremost, check whether your own account holders receive payments from abroad (EU, non-EU). If there are more than 25 payments per quarter (across all payment types and accounts!), this must be reported.
As mentioned above, payments from your own customers may also be subject to the reporting obligation: If the recipient is located in a non-EU country, it must also be checked whether more than 25 transactions have been made in a quarter.
Those who violate their reporting obligation may be subject to a fine. In order to demonstrate due diligence in matters of CESOP, a “0” report is advisable, although it is not yet mandatory. It is obvious that if the bank is suspected of involvement in tax fraud, not only the tax authority but also the financial supervisory authority will very quickly investigate the business operations more closely.

Who is concerned?

The CESOP guidelines specify various constellations of payer, bank and payee. The bank at which a transaction can be identified at all is always the one that has to report. In order to also recognize splits of payment flows, banks must check all payment types: Credit transfers, direct debits and card transactions. Since fast processing is typical for VAT fraudsters, monitoring SEPA Instant Payments will certainly lead to hits as well.
Of course, a bank must also subsume the number of transactions across multiple accounts of an account holder.

Service providers whose focus is not account management are also affected: e.g. marketplace providers and e-money institutions. If at least 25 payments are made to one and the same recipient per quarter, a report must be submitted. It does not matter if the payment is made to different accounts. E-money institutions are often very international with their business. They are supposed to use the customer’s “login country” when filtering transactions. Payment service providers who cannot rule out the possibility that they are involved in payments abroad should examine the regulation very carefully.

As with most other EU reporting requirements and statistics, CESOP is expected to expand and tighten as authorities race to come up with new ideas from fraudsters.

What data must be reported to CESOP?

The reporting obligation applies to very detailed information about a transaction, in particular with regard to the payer and payee postal address (structured address information). The banks or payment service providers involved are also queried, as well as any tax numbers mentioned in the transaction and the location of the transaction, e.g. if a card payment was made at the point of sale. An “electronic form” in the form of an XML schema file and manual is available for the report.

Banks with a state of the art payment system such as CPG.classic can take comfort in this new reporting requirement.

Source: European Commission