CESOP - Transmission of payment information by payment service providers in the context of the fight against VAT fraud
Last update 19.10.2023
As from 1st January 2024, payment service providers (PSP) will have to transmit information on:
- cross-border payments originating from Member States; and
- on the beneficiaries ('the payees') of these cross-border payments.
Payment service providers offering payment services in the EU will have to monitor the payees of cross-border payments and transmit information on those who receive more than 25 cross-border payments per quarter to the administrations of the Member States
This information will then be centralised in a European database: the Central Electronic System of Payment information (CESOP). The information will be stored, aggregated and cross-checked with other European databases.
All information in CESOP will then be made available to anti-fraud experts of Member States via the Eurofisc network.
The objective of this new measure is to give tax authorities of the Member States the right instruments to detect possible e-commerce VAT fraud.
Who is concerned
The reporting obligation is only applicable to the payment service providers defined in Article 243a of the Council Directive (EU) 2020/284 and which provide payment services in the European Union. PSP who do not provide payment services in the European Union do not have to fulfil any reporting obligation.
As regards the definition of what a payment service provider is, article 243a refers to the definitions laid down in Directive (EU) 2015/23664 ('PSD2'). However, not all payment service providers covered by the PSD2 are automatically subject to the CESOP reporting obligation. Indeed, article 243a limits the scope of the reporting obligation to the following 4 categories of payment service providers:
- credit institutions, which covers e.g. fully licensed banks established in Europe as well as European branches of credit institutions that have their head office outside the EU and which provide payment services;
- e-money institutions, which covers all payment service providers providing payment services via electronic money ('e-money'), e.g. electronic wallet providers and electronic voucher/card providers;
- payment institutions, which is a residual category that can cover all companies providing payment services that do not qualify for any of the other categories listed in the PSD2. It can include companies that provide payment services such as the issuance of credit/debit cards, acquisition of payment transaction, processing of payments, initiation of payments, platforms which provide payment services and act on behalf of both the payer and payee, etc.;
- post-office giro institutions which provide payment services.
Prerequisites
Setting up a business eSpace on MyGuichet.lu
You must have a business eSpace on the MyGuichet.lu platform. To create an eSpace, you must have an authentication product, i.e.:
- a LuxTrust product; or
- a Luxembourg identity card with an activated electronic certificate; or
- an eIDAS means of identification from another Member State of the European Union (EU) or the European Economic Area (EEA).
If you would like to use:
- a LuxTrust product, you will find all the necessary information on the specific help page on this subject;
- an eIDAS means of identification from another European country, you will find all the necessary information on the specific help page on this subject.
Persons who do not have an eIDAS means of identification or a Luxembourg national identification number (matricule) must contact the AED helpdesk (Registration Duties, Estates and VAT Authority - AED). Please bear in mind that in this case, there will be a delay of at least 15 days before being able to access MyGuichet.lu.
All notifications concerning your procedures (in particular delivery of validation messages or outcome of the upload procedure) are sent to the email address entered when the business eSpace was created. It is therefore recommended to have an functional mailbox or an email address that can be accessed by more than one person.
Certification of the CESOP business eSpace
Request for certification
Before you can transmit the required reports, you must submit an online CESOP business eSpace certification procedure using MyGuichet.lu (see 'Online services and forms') in order to prove that you are an authorised representative of the Payment Service Provider (PSP).
Supporting documents
You must provide the following for the certification of a CESOP business eSpace:
- a duly signed mandate (see 'Online services and forms'); and
- a recent extract from the Trade and Companies Register providing proof that the signatory is duly authorised to act on behalf of the legal person.
Inviting other persons to the certified business eSpace
You can invite other persons/colleagues to join your certified business eSpace on MyGuichet.lu. They will have access to the same information as you, irrespective of the role they were assigned.
Consequently, it is strongly recommended to:
- appoint at least 2 administrators for the certified business eSpaces; and
- create a business eSpace exclusively dedicated to CESOP in order to restrict the access rights to your different business eSpaces only to the people concerned.
Once the Luxembourg national authorities have checked and accepted the information provided, users will be granted access to their MyGuichet.lu certified business eSpace. They will find the procedure for submitting the file with the payments for the quarter under the name 'AED – Transmettre un message CESOP contenant les données de paiement' (Upload a CESOP payment data message' - see 'Online services and forms').
Deadlines
The 1st transmission of transaction files by payment service providers to the tax authorities of member countries must take place before the end of April 2024.
Reporting periods for PSP and submission deadlines:
- 1st Period, Q1 (January- March): 30 April
- 2nd Period, Q2 (April-June): 31 July
- 3rd Period, Q3 (July-September): 31 October
- 4th Period, Q4 (October-December): 31 January
How to proceed
File validation with the EC module
You must validate your files beforehand using the validation module provided by the EC in order to avoid uploading PDMs (Payment Data Message) that will be rejected straight away.
Transmission of reports via MyGuichet.lu
The CESOP Payment Data message (PDM), i.e. the XML file reporting the cross-border payments for a given quarter, will be uploaded using the platform MyGuichet.lu.
This is an authenticated procedure which requires a LuxTrust product or an eIDAS means of authentication.
Before the end of the month following the calendar quarter (before the end of the months of April, July, October and January) of the reporting period, you will be able to
- launch the procedure via your MyGuichet.lu business eSpace; and
- transmit the XML file with the quarterly cross-border payments to report.
Due to technical constraints, only one file per procedure is accepted.
XML files with the transactions can be zipped. A limitation on the size allowed for the upload will soon be determined.
File validation by the AED
The AED's systems will also validate the XML files submitted:
- if the file had no errors and was forwarded to the EC: you will receive an acknowledgment message in your MyGuichet business eSpace;
- if the validation finds errors in the uploaded file (FULL REJECTION): it will not be sent to the EC’s central CESOP. Instead, the system will send a list of the errors found to the PSP's business eSpace on MyGuichet.lu.
In this case, the user’s message will be considered as null and void (it will not reach central CESOP). So you will have to start a new procedure in order to upload a correct XML file (a transactions file with a MessageTypeIndic element with value CESOP100, i.e. new data) before the end of the month following the calendar quarter of the reporting period.
All messages transmitted by the national tax administrations will be validated by the EC’s CESOP central system syntactically and semantically.
Subsequently, the Luxembourg tax administration's systems will deliver to the users’ MyGuichet.lu business eSpace the ‘Validation result message’ (IE3V01 as defined in the XSD User Guide) generated by EC’s central CESOP, indicating if the validation has been successful.
Considering that some rules require to check historical data, only EC’s CESOP central system can determine if a message is fully valid. Hence, it could happen that a file forwarded by the national tax administration could be rejected by EC’s CESOP central system validations as PARTIALLY REJECTED.
In this case, you must:
- follow the correction mechanism described in the documentation (respecting the correlation IDs, an appropriate MessageTypeIndic, etc.); and then
- create a new CESOP file transmission procedure in your MyGuichet.lu business eSpace in order to upload the correction file.
Forms / Online services
AED - Request for certification of a CESOP business eSpace
To complete your application, the information about you collected from this form needs to be processed by the public administration concerned.
That information is kept by the administration in question for as long as it is required to achieve the purpose of the processing operation(s).
Your data will be shared with other public administrations that are necessary for the processing of your application. For details on which departments will have access to the data on this form, please contact the public administration you are filing your application with.
Under the terms of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, you have the right to access, rectify or, where applicable, remove any information relating to you. You are also entitled to withdraw your consent at any time.
Additionally, unless the processing of your personal data is compulsory, you may, with legitimate reasons, oppose the processing of such data.
If you wish to exercise these rights and/or obtain a record of the information held about you, please contact the administration in question using the contact details provided on the form. You are also entitled to file a claim with the National Commission for Data Protection (Commission nationale pour la protection des données), headquartered at 15, boulevard du Jazz L-4370 Belvaux.
By submitting your application, you agree that your personal data may be processed as part of the application process.
AED - Demande de certification d’un espace professionnel CESOP
Les informations qui vous concernent recueillies sur ce formulaire font l’objet d’un traitement par l’administration concernée afin de mener à bien votre demande.
Ces informations sont conservées pour la durée nécessaire par l’administration à la réalisation de la finalité du traitement
Les destinataires de vos données sont les administrations compétentes dans le cadre du traitement de votre demande. Veuillez-vous adresser à l’administration concernée par votre demande pour connaître les destinataires des données figurant sur ce formulaire. Conformément au règlement (UE) 2016/679 relatif à la protection des personnes physiques à l'égard du traitement des données à caractère personnel et à la libre circulation de ces données, vous bénéficiez d’un droit d’accès, de rectification et le cas échéant d’effacement des informations vous concernant. Vous disposez également du droit de retirer votre consentement à tout moment.
En outre et excepté le cas où le traitement de vos données présente un caractère obligatoire, vous pouvez, pour des motifs légitimes, vous y opposer.
Si vous souhaitez exercer ces droits et/ou obtenir communication de vos informations, veuillez-vous adresser à l’administration concernée suivant les coordonnées indiquées dans le formulaire. Vous avez également la possibilité d’introduire une réclamation auprès de la Commission nationale pour la protection des données ayant son siège à 15, boulevard du Jazz L-4370 Belvaux.
En poursuivant votre démarche, vous acceptez que vos données personnelles soient traitées dans le cadre de votre demande.
Mandate to certify a CESOP business eSpace
To complete your application, the information about you collected from this form needs to be processed by the public administration concerned.
That information is kept by the administration in question for as long as it is required to achieve the purpose of the processing operation(s).
Your data will be shared with other public administrations that are necessary for the processing of your application. For details on which departments will have access to the data on this form, please contact the public administration you are filing your application with.
Under the terms of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, you have the right to access, rectify or, where applicable, remove any information relating to you. You are also entitled to withdraw your consent at any time.
Additionally, unless the processing of your personal data is compulsory, you may, with legitimate reasons, oppose the processing of such data.
If you wish to exercise these rights and/or obtain a record of the information held about you, please contact the administration in question using the contact details provided on the form. You are also entitled to file a claim with the National Commission for Data Protection (Commission nationale pour la protection des données), headquartered at 15, boulevard du Jazz L-4370 Belvaux.
By submitting your application, you agree that your personal data may be processed as part of the application process.
Procuration pour la certification d'un espace professionnel CESOP
Les informations qui vous concernent recueillies sur ce formulaire font l’objet d’un traitement par l’administration concernée afin de mener à bien votre demande.
Ces informations sont conservées pour la durée nécessaire par l’administration à la réalisation de la finalité du traitement
Les destinataires de vos données sont les administrations compétentes dans le cadre du traitement de votre demande. Veuillez-vous adresser à l’administration concernée par votre demande pour connaître les destinataires des données figurant sur ce formulaire. Conformément au règlement (UE) 2016/679 relatif à la protection des personnes physiques à l'égard du traitement des données à caractère personnel et à la libre circulation de ces données, vous bénéficiez d’un droit d’accès, de rectification et le cas échéant d’effacement des informations vous concernant. Vous disposez également du droit de retirer votre consentement à tout moment.
En outre et excepté le cas où le traitement de vos données présente un caractère obligatoire, vous pouvez, pour des motifs légitimes, vous y opposer.
Si vous souhaitez exercer ces droits et/ou obtenir communication de vos informations, veuillez-vous adresser à l’administration concernée suivant les coordonnées indiquées dans le formulaire. Vous avez également la possibilité d’introduire une réclamation auprès de la Commission nationale pour la protection des données ayant son siège à 15, boulevard du Jazz L-4370 Belvaux.
En poursuivant votre démarche, vous acceptez que vos données personnelles soient traitées dans le cadre de votre demande.
Who to contact
-
Registration Duties, Estates and VAT Authority
CESOP Service1-3, avenue Guillaume
L-1651 Luxembourg
Luxembourg
Postal address :
B.P. 31 L-2010 Luxembourg
