CESOP - Transmission of payment information by payment service providers in the context of the fight against VAT fraud
Last update
Since 1st January 2024, payment service providers (PSP) are required to transmit information on:
- cross-border payments originating from Member States; and
- on the beneficiaries ('the payees') of these cross-border payments.
Payment service providers offering payment services in the EU will have to monitor the payees of cross-border payments and transmit information on those who receive more than 25 cross-border payments per quarter to the administrations of the Member States
This information will then be centralised in a European database: the Central Electronic System of Payment information (CESOP). The information will be stored, aggregated and cross-checked with other European databases.
All information in CESOP will then be made available to anti-fraud experts of Member States via the Eurofisc network.
The objective of this new measure is to give tax authorities of the Member States the right instruments to detect possible e-commerce VAT fraud.
Who is concerned
The reporting obligation is only applicable to the payment service providers defined in Article 243a of the Council Directive (EU) 2020/284 and which provide payment services in the European Union. PSP who do not provide payment services in the European Union do not have to fulfil any reporting obligation.
As regards the definition of what a payment service provider is, article 243a refers to the definitions laid down in Directive (EU) 2015/23664 ('PSD2'). However, not all payment service providers covered by the PSD2 are automatically subject to the CESOP reporting obligation. Indeed, article 243a limits the scope of the reporting obligation to the following 4 categories of payment service providers:
- credit institutions, which covers e.g. fully licensed banks established in Europe as well as European branches of credit institutions that have their head office outside the EU and which provide payment services;
- e-money institutions, which covers all payment service providers providing payment services via electronic money ('e-money'), e.g. electronic wallet providers and electronic voucher/card providers;
- payment institutions, which is a residual category that can cover all companies providing payment services that do not qualify for any of the other categories listed in the PSD2. It can include companies that provide payment services such as the issuance of credit/debit cards, acquisition of payment transaction, processing of payments, initiation of payments, platforms which provide payment services and act on behalf of both the payer and payee, etc.;
- post-office giro institutions which provide payment services.
Prerequisites
Setting up a business eSpace on MyGuichet.lu
You must have a business eSpace on the MyGuichet.lu platform. To create an eSpace, you must have an authentication product, i.e.:
- a LuxTrust product; or
- a Luxembourg identity card with an activated electronic certificate; or
- an eIDAS means of identification from another Member State of the European Union (EU) or the European Economic Area (EEA).
If you would like to use:
- a LuxTrust product, you will find all the necessary information on the website of LuxTrust;
- an eIDAS means of identification from another European country, you will find all the necessary information on the specific help page on this subject.
If you do not have a Luxembourg national identification number (matricule), please see our dedicated information page on how to obtain such a number.
All notifications concerning your procedures (in particular validation messages or messages concerning the transmission of files) are sent to the email address entered when the business eSpace was created. It is therefore recommended to have an functional mailbox or an email address that can be accessed by more than one person.
Certification of the CESOP business eSpace
Request for certification
Before you can transmit the required reports, you must complete an online CESOP business eSpace certification procedure using MyGuichet.lu (see 'Online services and forms') in order to prove that you are an authorised representative of the Payment Service Provider (PSP).
Supporting documents
You must provide the following for the certification of a CESOP business eSpace:
- a duly signed mandate (see 'Online services and forms'); and
- a recent extract from the Trade and Companies Register providing proof that the signatory is duly authorised to act on behalf of the legal person.
Inviting other persons to the certified business eSpace
You can invite other persons/colleagues to join your certified business eSpace on MyGuichet.lu. They will have access to the same information as you, irrespective of the role they were assigned.
Please note: PSPs must keep track of the persons who have access to their certified business eSpace.
Consequently, it is strongly recommended to:
- appoint at least 2 administrators for the certified business eSpaces; and
- create a business eSpace exclusively dedicated to CESOP in order to restrict the access rights to your different business eSpaces only to the people concerned.
Once the Luxembourg national authorities have checked and accepted the information provided, users will be granted access to their MyGuichet.lu certified business eSpace. They will find the procedure for submitting the file with the payments for the quarter under the name 'AED - Upload a CESOP payment data message' (see 'Online services and forms').
Deadlines
The 1st transmission of transaction files by payment service providers to the tax authorities of member countries must take place before the end of April 2024.
Reporting periods for PSP and submission deadlines:
- 1st Period, Q1 (January- March): 30 April
- 2nd Period, Q2 (April-June): 31 July
- 3rd Period, Q3 (July-September): 31 October
- 4th Period, Q4 (October-December): 31 January
How to proceed
File validation with the EC module
You must validate your files beforehand using the validation module provided by the EC in order to avoid uploading PDMs (Payment Data Message) that will be rejected straight away.
Transmission of reports via MyGuichet.lu
The CESOP Payment Data message (PDM), i.e. the XML file reporting the cross-border payments for a given quarter, must be transmitted using the MyGuichet.lu platform or the MyGuichet.lu mobile app. This is a procedure requiring authentication.
This is an authenticated procedure which requires a LuxTrust product (private or professional) or an eIDAS means of authentication.
Before the end of the month following the calendar quarter (before the end of the months of April, July, October and January) of the reporting period, you will be able to
- launch the procedure via your MyGuichet.lu business eSpace; and
- transmit the XML file with the quarterly cross-border payments to report.
Due to technical constraints, only a single 20 MB file is accepted per procedure. It can be in XML or ZIP format, provided that the size of the unzipped file is less than 900 MB. The ZIP file may only contain one XML file and must not be encrypted or password-protected.
If you split your message into several files – due to the size restrictions or for organisational reasons – you will have to create and transmit as many procedures as there are files to submit. All the filenames must conform to the naming convention proposed by the European Commission (EC) in the documentation: PMT-<quarter>-<year>-<countryMS>-<pspID>-<partNumber>-<totalParts>.
File validation by the AED
The AED's systems will also validate the XML files submitted:
- if the file had no errors and was forwarded to the EC: you will receive an acknowledgement message in your MyGuichet.lu business eSpace;
- if the validation finds errors in the uploaded file (FULL REJECTION): it will not be sent to the EC’s central CESOP. Instead, the system will send a list of the errors found to the PSP's business eSpace on MyGuichet.lu.
In this case, the user’s message will be considered as null and void (it will not reach central CESOP). So you will have to start a new procedure in order to upload a correct XML file (a transactions file with a MessageTypeIndic element with value CESOP100, i.e. new data) before the end of the month following the calendar quarter of the reporting period.
All messages transmitted by the national tax administrations will be validated by the EC’s CESOP central system syntactically and semantically.
Subsequently, the Luxembourg tax administration's systems will deliver to the users’ MyGuichet.lu business eSpace the ‘Validation result message’ (IE3V01 as defined in the XSD User Guide) generated by EC’s central CESOP, indicating if the validation has been successful.
Considering that some rules require to check historical data, only EC’s CESOP central system can determine if a message is fully valid. Hence, it could happen that a file forwarded by the national tax administration could be rejected by EC’s CESOP central system validations as PARTIALLY REJECTED.
In this case, you must:
- follow the correction mechanism described in the documentation (respecting the correlation IDs, an appropriate MessageTypeIndic, etc.); and then
- create a new CESOP file transmission procedure in your MyGuichet.lu business eSpace in order to upload the correction file.
Online services and forms
Who to contact
CESOP Service
-
Registration Duties, Estates and VAT Authority (AED) CESOP Service
- Address:
-
1-3, avenue Guillaume
L-1651
Luxembourg
Luxembourg
B.P. 31, L-2010 Luxembourg
- Phone:
- (+352) 247 80 800
- Email address:
- aed.cesop@en.etat.lu
Related procedures and links
Procedures
Links
Further information
-
Central Electronic System of Payment information (CESOP)
on the Indirect Taxation Portal
-
Central Electronic System of Payment information (CESOP)
on the website of the European Commission
Legal references
-
Règlement (UE) n° 904/2010 du Conseil du 7 octobre 2010
concernant la coopération administrative et la lutte contre la fraude dans le domaine de la taxe sur la valeur ajoutée
-
Règlement (UE) 2020/283 du Conseil du 18 février 2020
modifiant le règlement (UE) no 904/2010 en ce qui concerne des mesures de renforcement de la coopération administrative afin de lutter contre la fraude à la TVA
-
Directive (UE) 2020/284 du Conseil du 18 février 2020
modifiant la directive 2006/112/CE en ce qui concerne l’instauration de certaines exigences applicables aux prestataires de services de paiement
-
Directive 2006/112/CE du Conseil du 28 novembre 2006
relative au système commun de taxe sur la valeur ajoutée
-
Loi du 26 juillet 2023
portant modification de la loi modifiée du 12 février 1979 concernant la taxe sur la valeur ajoutée en vue de la transposition de la directive (UE) 2020/284 du Conseil du 18 février 2020 modifiant la directive 2006/112/CE en ce qui concerne l’instauration de certaines exigences applicables aux prestataires de services de paiement