Luxembourg Tax Alert 2023-01

Payment services providers VAT legal package

Payment services providers VAT legal package

In February 2020, the Council adopted a legislative package aiming at imposing new reporting obligations on payment services providers (“PSPs”). The package is constituted by a Directive amending the VAT Directive[1] and an (updated) Regulation[2].

The adoption of this legislation occurs in a context where the use of the internet and new technologies has allowed more and more companies to become online sellers, sometimes without having any physical presence. In this rapidly evolving environment, Member States may face difficulties to trace or control every sale transaction and ensure in particular that online sellers are registered for VAT and that VAT is correctly applied on sales to EU consumers. The objective of these new rules is therefore to improve the fight against e-commerce VAT fraud.

As part of the PSP legal package, a new European reporting entity is created : the “Central Electronic System of Payment” or shortly, CESOP.

As a reminder, if the regulation does not require any national implementation measure as it is, as such, directly applicable; the directive needs nonetheless to be translated into national terms to be valid. Member States have consequently until 31 December 2023 to transpose the PSP directive into their national law.  

In August 2022, the EU Commission published guidelines related to the reporting of payment data from PSPs and their transmission to the CESOP by national tax administrations (“NTA”). These guidelines of 79 pages are not legally binding but contain additional practical information and examples on how to interpret the reporting requirements.

In September 2022, after the release of the guidelines, the EU Commission also organized a public workshop to answer all the CESOP and reporting related questions. If this event aimed at providing a better understanding of the legislation, it however fell short in solving all the practical questions referred by the PSPs. Currently, the adoption of the legal package and its concrete application triggers concerns for the banking industry.

Luxembourg Tax Alert 2023-01 Graph

Click on the picture to enlarge

Regulation 904/2010 focuses on the development of the CESOP which will collect and store the information provided by national tax authorities before sending them to anti-fraud experts to fight VAT fraud (EUROFISC).

Let’s have a look at the questions that you may ask yourselves about the reporting of the information through CESOP:


Who is considered as PSP for CESOP reporting?

The entities falling within the scope of the CESOP reporting are defined by reference to Directive 2015/2366[3] (“PSD 2 Directive”). Therefore, as underlined in the CESOP guidelines, are considered as payment services providers:

  • Credit institutions: this covers fully licensed banks established in Europe as well as European branches of credit institutions that have their head office outside the EU and which provide payment services;
  • E-money institutions: this covers all PSPs providing payment services via electronic money (e-money), for example wallet providers and electronic voucher/card providers;
  • Payment institutions: this may cover all companies providing payments services that do not qualify for any other of the listed categories in the PSD2.
  • Post-offices giro institutions providing payment services.

Central banks and public bodies may also be included – however they are not in the scope for the reporting to CESOP (as they do not provide payment services falling within the scope).

In addition to reporting matters, the above listed entities, when established within the EU, have the obligation to keep record of the payments they process and their beneficiaries (the “payees”).

What are the payment transactions in the scope of reporting?

As emphasized in the guidelines, the notion of payment or payment transaction is of paramount importance when determining whether the entity will need to record the data and report. In this respect, a payment corresponds to a “transfer of funds from a payer[4] (initiator) to a payee[5] (beneficiary)”. This also refers to the definitions included in the PSD2.

Further, the payments in scope are any credit transfers, direct debits, money remittance, card payments, electronic money payments, etc. The CESOP guidelines provide in this respect an extensive list of the transactions considered as falling within the scope of the reporting. It is however worth noting that some payment transactions are excluded (e.g., paper-based vouchers, cryptocurrencies).

Last but not least, only cross-border payments need to be reported.

What does “cross-border” payment mean?

A payment is considered “cross-border” where the payer is located in a Member State and the payee is located in a different Member State, or in a third territory/third country. 

To determine whether the payment is cross-border, i.e. to determine the place where the payers and payees are established, IBAN or any other identifier which identifies the payer/payee and related place of establishment or by default the BIC of the PSP are used. 

Which threshold does trigger the obligation to report?

Insofar as a same payee receives more than 25 cross-border payments per quarter through the same PSP, an obligation of data reporting should be triggered. A contrario, where the number of 25 cross-border payments has not been reached nor exceeded, no reporting will be required, but data recording obligations remain.

In a nutshell, where a PSP processes: 

Luxembourg Tax Alert 2023-01 Graph

Click on the picture to enlarge

It is worth underlining that payment transactions made by PSPs located in the same Member State fall outside the scope of reporting even when their number exceeds 25. 

When the threshold of 25 payment transactions is reached or exceeded, a certain number of information will need to be collected and processed by the PSP. 

What type of data must be collected and reported?

According to the legislation, the information to be kept by the PSPs related to the payment transaction include but are not limited to the following:

  • The BIC or any identifier code of the PSP,
  • The name or business name of the payee and its VAT identification number or other national tax identification number
  • The address of the payee (if available),
  • The IBAN or any other identifier allowing to determine the location of the payee,
  • The details of the cross-border payment (date, time, amount and currency, reference identifying the payment).

Some of the above listed data (e.g., BIC, ID reporting PSP, payee name, etc.) is “mandatory”. This means that the data element shall always be present in the form and reported. Failure to comply with this obligation may trigger in a non-compliance with the obligation of reporting.

Data considered “optional mandatory” (e.g., payee address) need to be reported when they are available and known by the PSP, otherwise, the non-reporting will as well be considered as a failure to comply with its obligations.

Obligation to report and reporting deadlines?

Only PSPs falling within the scope of the Directive should report the data. These conditions must be verified and fulfilled for each quarter.

As previously mentioned, the package will be in force as from 1 January 2024.

Therefore, the first obligation requirements on PSPs to their national tax administrations will cover the payment transactions occurring from January to March 2024. PSPs will need to transfer the data to their NTA at the latest by the end of the month following the calendar quarter to which the data relates (as explained below).

Further, once the data has been collected by the Member States’ NTAs, the latter will transmit the file to the CESOP by the 10th day of the second month following the end of the reporting period, i.e. by 10th May 2024.

In a nutshell, the reporting periods for calendar year 2024 may be summarized as follows:

Reporting period

Transmission by PSPs to national tax administrations Transmission by national tax administrations to CESOP
1st Period
(January – March 2024)
By 30 April 2024 BY 10 May 2024
2nd period
(April – June 2024)
BY 31 July  2024 BY 10 August 2024

3rd Period
(July – September 2024)

BY 31 October 2024 BY 10 November 2024
4th Period
(October – December 2024)
BY 31 January 2025 BY 10 February 2025

How to report?

The EU Commission put at disposal of the PSPs an XML Schema. This document should be used to transmit the data to the national tax authorities. Further, the national tax authorities will transfer the document to the CESOP. Details concerning the technical aspects of the implementation and use of the XML Schema in Luxembourg should be further communicated by the Luxembourg VAT authorities. 

Remaining interrogations at this stage?

At this stage, despite the publication of guidelines and explanations provided by the EU Commission, a lot of interrogations remain at the level of the PSPs and NTAs.

Computation threshold

The obligation to record the payment related transactions data and to transmit such data to the national tax authorities exists as soon as the number of 25 cross-border transactions per quarter is reached or exceeded, irrespective of the amount of such transactions. This might create a high volume of data to be recorded by each PSP, which needs to be kept for a period of 3 calendar years.

There is an obligation to aggregate the number of transactions in case the PSP has the information that several payments accounts are linked to the same payee.

Further interrogations might be raised with respect to consolidation of head-offices/branches structures, where branches are located in different Member States.  

Technical challenges

The data recording also triggers technical challenges at the level of the PSPs, as they should be able to process, record and further transmit the appropriate data to their national tax authorities. An important technological development might be required within a limited amount of time, as PSPs should be ready to report by 30 April 2024.

The national tax administrations might face these challenges as well, as they should be able to process, store and transmit the data provided by the PSPs to the CESOP.

Applicable penalties

The EU Commission specified that in case of non-reporting/non-reporting within the deadlines, incomplete or even over-reporting, penalties would apply. However, the legislation is quiet as to the amount of such penalties, so that each Member State seems to be responsible of determining the amount to be levied. This could create distortion between Member States and as to the determination of what should constitute a “right” penalty in this respect.

In Luxembourg, the draft legislation is currently under discussion but has not yet been published.

Your KPMG Indirect tax team is currently closely monitoring the national implementation of the PSP legal package and will let you know of any further developments.

In the meantime, should you have any question or need for assistance, please contact us.

[1] Council Directive (EU) 2020/284 of 18 February 2020 amending Directive 2006/112/EC as regards introducing certain requirements for payment services providers

[2] Council Regulation (EU) of 18 February 2020 amending Regulation (EU) 904/2010 as regards measures to strengthen administrative cooperation in order to combat VAT fraud

[3] Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment service in the internal market, amending Directive 2002/65/EC, 2009/110/EC and 2012/36/EC and Regulation (EU) n°1093/2010 and repealing Directive 2007/64/EC

[4] The payer is “a natural or legal person who holds a payment account and allows a payment order from that payment account, or where there is no payment account, a natural or legal person who gives a payment order”

[5] The payee is “a natural or legal person who is the intended recipient of the funds which have been the subject of the payment transaction”.