CESOP and the penalty for noncompliance

As of January 1 of this year, payment service providers are required to keep track of certain cross-border payments in a separate register and report these electronically through the tax authorities to the central EU CESOP (Central Electronic System of Payment information) database. The CESOP reporting obligation is a new tool in the fight against VAT fraud, particularly targeting e-commerce. The first reporting deadline is April 30, 2024. While some payment providers have already submitted their first CESOP report, many of them are currently working hard to meet this deadline. From a practical point of view this is a huge job that brings a considerable regulatory burden and workload for all payment providers. And to make an omelette, you’ve got to crack a few eggs…

However, EU member states have also set penalties for non-compliance with the CESOP reporting requirement. Fines for non-compliance vary between member states, from € 13,000 to € 2,000,000 on an annual basis. Reason enough to take a closer look at the CESOP reporting obligation and the fine for non-compliance.

Combating VAT fraud

The CESOP reporting requirement was created as an anti-fraud tool for cross-border e-commerce. The growth of e-commerce makes it increasingly easy and common for goods and services to be purchased abroad. When VAT on such goods and services has to be paid in EU country A, while the supplier is located in EU country B or outside the EU, it is easier for the foreign supplier to evade its VAT obligations with e-commerce transactions than with physical and/or local transactions, especially when supplying goods and services to private consumers. After all, consumers have no administrative obligations, so failure to declare and pay VAT is even more difficult to control. Fraudulent businesses take advantage of the tax authorities’ lack of information and, by not paying VAT, they have a market advantage over all other businesses that do comply with their VAT obligations.

It is against this background that the CESOP reporting requirement was established. After all, businesses and also most consumers pay for their online purchases electronically through payment service providers. To process those payments, payment providers usually have specific data to identify the recipient or ‘beneficiary’ of the payment, the date of the transaction, the amount, the EU country from which the payment was made, and whether or not the payment was initiated in a physical location of the merchant. These details are particularly important in cross-border payments, in order to check in which EU country VAT is payable, whether VAT has been paid, and to detect fraud. For this reason, payment providers are required to specifically register such information and report this electronically through the tax authorities to the central EU CESOP database.

CESOP reporting requirement

EU-based payment providers are required to report specific payment data, starting from 26 cross-border payments to the same payee per quarter. The website of the Dutch tax authorities describes which companies qualify as payment providers[1] and which specific data must be provided. Useful, but not nearly enough information to do the reporting properly. For more practical information one can, for example, look at the Leidraad (guidance note) issued by the European Commission in connection with CESOP.[2]

Another important document for practitioners is the Handleiding van de Belastingdienst (tax authorities’ manual) on CESOP. This manual provides more insight for day-to-day practice.

Despite all the commentary on the new reporting requirements, complying is no piece of cake for payment providers. It puts a huge additional administrative burden and great responsibility on them. Payment providers must collect all the data from their business and check it for accuracy, and then put that data into the required format of the registry and reporting system. This is easier said than done. For reasons of privacy, among other things on the basis of the AVG (GDPR), payment providers have worked to store their customers’ data separately for each purpose. Systems are often not linked and not all departments can look into each other’s systems.

In addition, not every piece of information requested by CESOP may have been kept on file. Besides this, very often it is not clear which payment provider is required to report when, and if so, in which EU member state, or which payment transactions are or are not covered by the reporting requirements. Are payments in cryptocurrency covered by the reporting requirement, or payments to a trust account, or refunds via credit card? What about foreign branches involved in payments to the same ‘payee’, or a refund of which the original payment was not yet covered by CESOP? These are some of the questions which the European Commission answers in the Q&A that can be found on its website. It is a living document which will be supplemented or amended as needed.

Implementation issues and questions which payment providers encounter every day are legion, despite all the commentaries. Day-to-day practice is always more unruly than previously thought.

Mistakes are easily made

Not surprisingly, many payment providers are still trying to get their first report done properly and on time. As said earlier, this is complicated and a mistake is easily made, or the report is in danger of being submitted too late after all. What happens then?

The sanctioning of errors or fraud in CESOP reporting is left to the EU member states. In the Netherlands, a penalty for non-compliance is included in the Wet op de omzetbelasting 1969 (Wet OB) (turnover tax act of 1969). Section 41 of the Wet OB states that a penalty can be imposed for non-compliance with the CESOP reporting obligation if the non-compliance is due to intent or gross negligence on the part of the payment provider. A penalty can also be imposed if, intentionally or through gross negligence, data is reported relating to fewer than 26 cross-border payments to the same payee in a calendar quarter.

The burden of proof for intent and gross negligence lies with the tax authorities. Daily practice will show how this will be handled. The parliamentary history does not clarify this, nor has a policy been established. For example, the CESOP penalty has not yet been included in the Besluit Bestuurlijke Boeten Belastingdienst (decree on administrative fines of the tax authorities).

A submitted report is checked at two levels. The local tax authorities check whether the report complies with the mandatory format. If not, the payment provider receives a message with the error codes. Although it is not clear from the law or guidelines, it follows from both the Leidraad van de Commissie (Commission’s Guideline) and the Handleiding van de Nederlandse Belastingdienst (manual of the Dutch tax authorities) that the payment provider must be given the opportunity to correct any errors. In that case, the report must be corrected and resubmitted in its entirety. After submission to the CESOP database, the data are checked for content. If any inaccuracies are found, the payment provider is notified and must be given the opportunity to correct and resubmit only the incorrect data. In both cases, this means that the payment provider is given a recovery opportunity and a new deadline for submitting the data (the Commission uses a maximum of 30 days for this in the Guideline; the Dutch manual gives no indication of a deadline). Only when there is a failure to comply with this can there be, in my view, talk of non-compliance within the meaning of Section 41 of the Wet OB. As far as I am concerned, intent or gross negligence is not yet a given at that point.

According to the European Commission, the directive also provides for the possibility of spontaneous correction of errors. A kind of repentance, if you will. Payment service providers can spontaneously send new files with the corrected data to Member States as soon as they themselves determine that they have sent incorrect data to CESOP. No deadline is set for the spontaneous correction. Nevertheless, there is a lower and an upper limit to avoid fines. For example, the Commission indicates in its Guidance that spontaneous corrections are never sent before the deadline of the reporting period to which they relate. The question is how the tax authorities will use the untimely spontaneous correction for possible fines. This will have to be seen in day-to-day practice. Will it be used as a presumption of proof? If so, the payment provider will have to be given the opportunity to defend itself against that presumption. Furthermore, spontaneous corrections must in any case be reported in CESOP before the end of the data retention period. By the way, there is something weird about this. The power to fine for non-compliance expires after 5 years, while the retention period for CESOP data for payment providers is only three years because of the AVG.

Amount of the fine

In the Netherlands, the maximum amount of the fine is based on the amount of the sixth category referred to in artikel 23, vierde lid, van het Wetboek van Strafrecht (article 23, paragraph 4, of the Criminal Code), which in 2024 is € 1,025,000. Therefore, on an annual basis the fines can get as high as € 4,100,000. Pretty hefty sums, if you ask me.

In conclusion

The legislative history explains only briefly why this penalty category was chosen, even though it differs from other administrative fines for sales tax. However, the words “at most” do emphasize that a fine must be appropriate and necessary in each specific case. With the CESOP reporting requirement being new and facing many challenges in terms of implementation, I can imagine that the tax authorities will be cautious when it comes to sanctioning this year. In any case that seems fair to me, especially also when it comes to the amount of the fine.

Conclusion

Because payment providers may be subject to CESOP in multiple EU countries, they may also face fines in multiple countries. Most EU countries have now announced that non-compliance with CESOP reporting can be fined.[3] The amounts of the fines vary quite a bit. For example, the maximum fine in Estonia runs up to € 13,400 per year, while in France the maximum fine is € 2,000,000 per year and Lithuania charges € 6,000 per violation. In addition, what qualifies as a finable offense varies per member state. For payment providers with reporting obligations in multiple countries, it is important to take this into account.

The CESOP reporting requirement was created to combat VAT fraud, mainly in e-commerce. Implementing it and doing proper and accurate reporting puts a considerable administrative burden on payment providers. With the first reporting deadline approaching, it is also good to pay attention to the consequences of possible non-compliance. Almost all EU member states have already introduced fines and communicated the amounts thereof. Should you be faced with impossibilities in compliance, or with the threat or announcement of a fine, it is wise to consult a lawyer in order to prevent or limit the damage.


[1] For the term payment provider, the definition contained in the PSD2 directive applies.

[2] And the additional Guideline of April 3, 2024; currently only available in English.

[3] It is not known yet what Spain will do.
