Open CESOP: The Commission’s new data collection frenzy

CESOP | PayTechLaw

First, the bad news:  The Commission has again looked more closely into cross-border (or more simply “XB”) payments in the EU. It is planning a supranational database known as “CESOP” (“Central Electronic System of Payment Information”) under its supervision. From January 2022, XB payment data of all payment service providers (credit institutions, payment and e-money institutions) in the EU will be stored on there. Its aim is to facilitate the search for VAT fraudsters in XB e-commerce.

A few weeks ago, the Commission successfully passed EU Regulation 2019/518. This regulation governs price equality for XB payments in euros compared to domestic transactions, even for payment service providers in non-euro countries. Additionally, card issuers and Dynamic Currency Conversion (DCC) providers must provide cardholders with detailed information about the applicable conditions at the POS or ATM. We have already discussed the regulation in this blog, which has a significant impact, particularly on the card business (see my entry on Reg. 924).

Supranational data retention in CESOP

The new proposal cooked up in the Commission’s Advent kitchen (December 2018) concerns the following personal and company-related payment data which is recorded on the payee’s side: amount, date and time, name and VAT ID. This is because it is in these areas where potential VAT fraudsters are based, in the form of e-commerce traders offering goods and services across borders. The fraud is roughly estimated to amount to €5 billion per year. Today, where they come across suspicious circumstances during tax audits, national tax authorities have to request the relevant payment data from the payment service providers involved and cooperate with their colleagues in other member states. However, this is a tedious procedure for the officials involved. It will of course be easier and much more efficient if in future all XB payment data is stored in a supranational database. Moreover, such a database, which is permanently fed by payment service providers, opens up completely new possibilities in tracking down fraudsters with the help of artificial intelligence.

The data input is to be supplied from both sides of the market. Obligations are placed on the payment service providers (PSPs) of the payer as well as the payee. Nearly all PSPs listed in the appendix to PSD2 are affected, with the exception of PSPs for cash deposits and disbursements and the “new” PSPs (payment initiation and account information services). In an ideal scenario, each payment transaction is therefore reported from both sides. The data is then “matched” and adjusted in the CESOP database. Considering the objective of the whole campaign, tax investigators are actually only looking for the C2B payment data generated in e-commerce transactions: where the payer is a consumer in Member State A, the payee is an online merchant in country B (member state or not). Since this user role cannot be identified when looking at a set of data, as a consequence all data is recorded as a precautionary measure, including B2B, C2C, etc. Even XB card payments at the physical POS are affected. This is, of course, absurd as the aim is only to combat VAT fraud in e-commerce. And what were the principles of the EU GDPR again? Ah, yes: data economy and data minimisation. Another question: Why is data retention at a decentralised level at the relevant PSPs not sufficient? The transmission of all telecommunications data by telecommunication companies to Europol would certainly also be a very effective means against evil Islamists. It would seem that it is not only the danger of terrorism but also tax evasion that justifies many means.

Does this mean that data protectionists are running riot? Not so far. The European Data Protection Supervisor was well behaved and waved the proposal through without raising his finger.

Methodological weaknesses

Apart from these general issues, the proposal also shows methodological weaknesses. In order to prevent the CESOP from bursting, the intention is to introduce a minimum threshold for data collection: 25 XB payments to the same payee per quarter per PSP. This would be a good idea if it were not for the fact that this minimum threshold is intended to apply not only to the PSP of the payee but also to the PSP of the payer. The volume of data provided by the payers’ PSP depends on its size or the market concentration of the PSPs in a country and is therefore arbitrary.

A further weakness is the assumption that the residence of the payer and the payee in a member state is identical to the domestic registered seat of the relevant PSP. This runs counter to the central aim of several of the EU’s past regulatory projects to promote the cross-border use of PSPs within the EU as a single payment transaction area. As a result, many actual (and for VAT purposes) domestic transactions are deemed to be XB transactions and vice versa. For example: cardholders and traders are in Austria, but the acquirers in Germany.

Does this mean the affected (many thousand) PSPs in the EU are running riot? There were some public consultations in the run-up to the December proposal as well as after its publication. In the run-up, response from the industry was minimal (3 statements). One PSP, however, estimated the internal costs for data collection and provision at 100,000 euros per year. The few responses to the consultation after it had been published, came from Germany a few weeks ago (DK and PVD), the Netherlands and some European associations (EPSM and EPIF). At least the general tone was very critical or even negative. Somehow the topic is apparently not yet properly on the agenda in the industry throughout Europe.

Methodology bypassing the market

And now (finally) the good news: The Commission will probably not manage to avoid a thorough revision of the proposal. This will give the politicians time to think things over again properly. What has happened?

One of the most common reasons why ministers with PhDs in Germany lose their office and titles before their term is up are copyright infringements through plagiarism in the preparation of their doctoral theses (Guttenberg, Schavan; currently being looked at: Family Secretary Giffey). Other people’s findings were presented as flashes of genius without referencing their true source. Embarrassing, but not punishable, on the other hand, is misunderstanding other people’s ideas. This can be due to the source not having been properly understood or simply not read correctly. The consequence: a deduction of points but no disqualification. However, the situation becomes problematic if an entire theory – or, as in this case, the proposal to amend a directive – is erected on the basis of such a misunderstanding. The European Commission has obviously made this mistake.

The proposed methodology for the collection of the required data is based on the nomenclature of credit transfers and direct debits as laid down in the Single European Payments Area Regulation (“SEPA Regulation” 260/2012). This Regulation mainly contains technical rules for SEPA credit transfers and direct debits (IBAN, BIC and other standards). The methodology of the proposal is therefore tailored to payment account-based interbank payment transactions and is also suitable for this purpose. For the card business with its aggregated and multi-polar payment chains between the relevant PSPs (issuers and acquirers), the methodology is no longer appropriate. So, is the methodology then suitable for recording XB payment data in the e-commerce sector?

The Commission mistakenly assumes that credit transfers and direct debits play the main parts in this context. In relation to its proposal it states:

Recently, more than 90% of online purchases from European consumers were settled via credit transfers, direct debits and card payments.

Even if this statement was correct for domestic e-commerce transactions in some member states, the proposal relates to XB e-commerce. This is not mentioned here. In the analysis of the impact assessment, however, the statement is clarified (with reference to the same sources):

94% of payments for cross-border online purchases use electronic payments, credit or debit cards, or prepaid cards.

The cited sources do not present data on actual use, but rather the preferences of the consumers surveyed. Well, this can be ignored if one assumes that the preferences selected in the survey correspond to some extent with the actual behaviour of the payers. The second mistake is more serious. In its proposal, the Commission tacitly assumes that “electronic payments” probably means credit transfers and direct debits. However, the source to which the Commission refers (an analysis by the International Post Corporation) states exactly the opposite. In XB e-commerce, consumers from 31 countries surveyed (including non-EU countries) prefer in the first instance so-called “alternative” payment methods which are not executed via bank accounts, such as PayPal and Alipay (39%), followed by card payments (37%). Credit transfers achieve only 5%, direct debits are summarised under the section “other”. The second source cited in the draft directive (DPD Group e-shopper barometer 2017) reaches comparable conclusions for the EU: a clear preference for “digital wallets” and card payments.

This means: The methodology should focus on the payment instruments that are most prominent in XB e-commerce transactions. These are – on the basis of the sources cited – definitely not bank account-related credit transfers and direct debits. My proposal: as a first step, the Commission should draw up a thorough inventory of the EU payment transaction market in XB e-commerce with the help of experts familiar with this matter. On the basis of these results, an appropriate methodology for data collection could then be developed. Fortunately, this will take time. And that is the good news. Because: Time will tell.

The Federal German Council has already boldly stated that it doubts whether the objective (combating VAT fraud) can be achieved by the present proposal

in a proportionate and expedient manner.

Additionally, it fears an unmanageable data salad at CESOP level and advises to critically appraise the statement of the European Data Protection Supervisor. Perhaps the European Council will follow now, recommending that the Commission simply bury the immature proposal inconspicuously and quietly. Close CESOP! I would, of course, attend the funeral service and then, I promise, forever hold my peace on this topic in this blog.


Cover picture: Copyright © fotolia / Dmytro

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like