Regulatory burden as a result of CESOP: Smaller banks and specialised institutions facing particular pressure

By Carsten Lange

With the “Central Electronic System of Payment Information” at its core, the EU has implemented an instrument to fight VAT fraud in e-commerce, the implementation of which poses some key challenges to financial institutions. Smaller financial institutions, promotional banks and e-money institutions, in particular, are likely to be confronted with relatively high costs.

From the beginning of 2024, payment service providers will have to record certain cross-border payments and transmit them to the Federal Central Tax Office (BZSt) on a quarterly basis. This is based on an amendment to the VAT System Directive, which stipulates additional obligations for payment service providers to combat VAT fraud. The information transmitted is collected in the Central Electronic System of Payment Information (CESOP). The tax authorities of the EU member states can then access this data to detect possible fraud. CESOP therefore represents a kind of data retention for cross-border payments.

The obligation applies to all payment service providers within the meaning of the Payment Services Directive. In addition to payment institutions, these include all banks and e-money institutions. Ultimately, the existence of incoming or outgoing cross-border payments is sufficient for an institution to have to get to grips with the Directive. Specialised and promotional banks or e-money institutions, in particular, are unlikely to see themselves as payment service providers and are, therefore, more likely to be surprised by the scope of these new obligations.

The following example illustrates this point:

  • A German specialist bank manages the business accounts of a local pharmaceutical distributor, who has a customer base spread all over Europe. Its EU customers pay for the delivery of goods by bank transfer. The bank, as the payment service provider (PSP) of the payee, is responsible for recording these transactions.

Institutions falling within the scope of the Directive must carefully consider whether the recorded payment transactions need to be reported. A reporting obligation exists, in particular, if the following three criteria apply:


  1. Payment is made from a payer/account or goes to a payee/account within the EU.
  2. The transaction takes place in another EU Member State or in a third country outside the EU.
  3. More than 25 cross-border payments are made in one quarter to one and the same payee.

As part of our advisory approach to CESOP, we have developed a Question Matrix that we can use in collaboration with banks and building societies (Sparkassen) to efficiently check whether the institution is actually affected. In doing so, DPS takes into account the fact that the financial institutions are already tied up in many ongoing projects with their regulatory expertise.

If this internal review determines that a reporting obligation exists, the following questions come into focus:

  • What data must be reported to the BZSt or CESOP?
  • Where can this data be found?

The identified data sources then have to be analysed, for example in terms of accessibility, quality and performance. Under certain circumstances, data analytics expertise should also be included here. This is because the payment data must not only be retained; rules and criteria for the selection of reportable transactions must also be developed and implemented.

In addition, the subsequent data transmission must be set up as a new internal bank process based on the “Payment Data XSD User Guide”. The EU document, which has been refined in several instances, describes the payment data reporting to be carried out in an XML format. The overall structure of the notification adheres to the design used in other Trans-European Systems (TES) funded by the Directorate-General for Taxation and Customs Union (DG TAXUD) and is based on OECD standards.

In view of the challenges described above, financial institutions should not simply put the issue of CESOP on the back burner. Less than 8 months remain to prepare their own systems. Due to its long-standing and broad expertise in payment transactions in combination with its own data analytics team, DPS stands at your side as a suitable consulting partner for the implementation of the EU directive against VAT fraud.

Addition from 28.7.2023: DPS has meanwhile launched a complete solution for banks on the market with the CESOP Compliance Service. You can find out more about it in this interview.


Council Directive (EU) 2020/284 of 18 February 2020 amending Directive 2006/112/EC with regard to the introduction of certain requirements for payment service providers.
