Payment service providers have an obligation to provide information about cross-border payments as of 1 January 2024 (CESOP)
We recommend taking part in stakeholder testing. The testing is now ongoing and will end on 22 March 2024. You can test CESOP submittal in your browser on the testi.ilmoitin.fi website or via the ApitamoPKI testing API. If you want to take part in stakeholder testing, first submit a testing start notification to the email address email@example.com.
Starting 1 January 2024, payment service providers in the EU will have a new obligation to provide information about cross-border payments. Payment service providers include banks and credit institutions, for example. The obligation to provide information is based on the amendment under the payment information directive (EU 2020/284). The objective of the amendment is to reduce VAT fraud in international e-commerce and to ensure fair competition between companies.
Payment service providers must retain information on cross-border payments and report it to the Tax Administration for each calendar quarter. The Tax Administration forwards the information to the Central Electronic System of Payment information (CESOP) maintained by the Commission. Payment transaction information can be utilised in tax control.
What does a payment service provider mean?
Payment service provider refers to a payment institution or a credit institution that usually needs an authorisation to operate. Payment service providers include banks, for example. In addition, “payment service provider” may refer to an issuer of electronic money and to a postal company that has a universal service obligation.
Payment service refers to bank transfer, direct debiting, card payment by a bank or credit card, transmission of money and electronic wallet services, for example.
What payments does the obligation to provide information apply to?
The obligation to provide information concerns cross-border payments, i.e. payments where the payer is located in an EU Member State and the recipient is either in another EU Member State or outside the EU. The locations of the payer and the recipient are identified based on the IBAN account number or another such identifier.
Payment refers to an action where funds are transferred, withdrawn or made available, or to a money transmission service where funds received from the payer are transferred directly to the payment recipient.
Reporting and retaining information
Payment service providers must report electronically on the payment services they provide in Finland. The information must also be retained in electronic format for a period of 3 years after the year when the payment was dated.
The payee’s payment service provider needs to report information concerning the payment transaction when this payment service provider is located in an EU Member State. However, if the payee’s payment service provider is located outside of the EU, the information-reporting requirement lies on the payment service provider of the payer.
Reports on cross-border payments are filed quarterly. Normally, a report must be filed within 1 month from the end of the previous quarter. No extension is granted for filing the report. The due dates are:
- January–March: by 30 April
- April–June: by 31 July
- July–September: by 31 October
- October–December: by 31 January
Information must be reported only if more than 25 cross-border payments are made to the same payment recipient in Finland during the calendar quarter.
Read more in the guidelines published by the Commission: Guidelines for the reporting of payment data from payment service providers and transmission to the Electronic Central System of Payment information (CESOP) (europa.eu)
What information needs to be reported?
The payment service provider must report and retain the following information on payment transactions:
- name or business name of the payment recipient
- payment recipient's IBAN account number or other unique identifier
- BIC code of the payment service provider acting on behalf of the payment recipient
- payment details, such as the amount and time of payment.
In addition, the payment service provider must report its BIC or other unique identifier, such as a Business ID. For example, if banks belonging to a consortium share the BIC code, the service provider must use another code as identifier.
How to report the information
Reports are submitted as a file based on the CESOP XML schema in the Ilmoitin.fi service or through the API.
For submittal of records, e-identification is required. Read more about identification. To submit reports through the API, the payment service provider also needs a certificate. Read more about applying for a certificate.
When a report has been submitted, the payment service provider receives a response indicating whether the report complies with the requirements. If the report was insufficient, it must be resubmitted. The response indicates what part of the report needs to be corrected. The Tax Administration may also contact the payment service provider directly about the corrections needed.
If the obligation to provide information is neglected
If a payment service provider neglects the obligation to provide information, a third-party filer's negligence penalty may be imposed. A negligence penalty may be imposed on the payment service provider if no report is submitted at all or if the service provider otherwise neglects the obligation to provide information. The amount of penalty depends on how severe the negligence is, and the maximum amount is €15,000.
In addition, a negligence penalty may be imposed if the obligation to retain data is neglected.
More information: Detailed guidance on the negligence penalty for a third-party submitter of cross-border payment data (available in Finnish and Swedish, link to Finnish)
The purpose of stakeholder testing is to test how CESOP reports go from Ilmoitin.fi to CESOP and back as well as how Tax Administration systems process CESOP reports. You can test CESOP submittal in your browser on the testi.ilmoitin.fi website or via the ApitamoPKI testing API. In order to start testing, submit a testing start notification to the email address firstname.lastname@example.org.
The start notification must include the following information:
- which environment you will conduct the tests in (testi.ilmoitin.fi and/or ApitamoPKI)
- your certificate (if you are using ApitamoPKI)
- when you will conduct the tests
- name and ID of the payment service provider
- name of the software that generates and tests the reports
- software contact persons or testers and their contact details.
After you have submitted the testing start notification, the Tax Administration will send you the following information that you will need in the testing:
- personal ID used as the testing ID
- payment service provider’s ID used in testing (ReportingPSP/PSPId)
- payment service provider’s name used in testing (ReportingPSP/Name).
Please note that you must not use actual production data in testing, and that all test data must be anonymised. The files submitted in the testing environment must not be larger than 10 MB.
Other tests can be conducted on testi.ilmoitin.fi or via ApitamoPKI while stakeholder testing is ongoing and after it has ended. The difference to stakeholder testing is that the submitted CESOP reports are not processed in the Tax Administration systems because the reports do not have the name and ID details assigned for them in stakeholder testing. The reports are also not transferred to CESOP, which means that no validation messages are received for them. However, you can use the checking feature in the Ilmoitin.fi testing environment to make sure that the software you use produces CESOP reports in the correct format for Ilmoitin.fi.
- Finnish national legislation enters into force on 1 January 2024
- Legislation applied as of 1 January 2024
- First report for January–March 2024 to be filed by 30 April 2024
Schedules for software developers
- Technical guidance was published on 31 March 2023: Payment service provider's report on cross-border payments (CESOP report)
- Testing of structures, elements, Ilmoitin.fi checks and uploading possible in the Ilmoitin.fi test environment starting 12 June 2023
- Structures, elements and Ilmoitin.fi checks available in the production environment of the Ilmoitin.fi service starting 28 November 2023
- Uploading possible in the production environment of the Ilmoitin.fi service starting 1 April 2024
- Payment information directive: Council Directive (EU) 2020/284
- Payment information regulation: Council regulation (EU) 2020/283
- Government proposal: HE 317/2022 (available in Finnish and Swedish, link to Finnish)
- Guidelines for the reporting of payment data from payment service providers and transmission to the Electronic Central System of Payment information (CESOP) (europa.eu)
- Frequently Asked Questions on Commission's website: CESOP - FAQ
- Commission's CESOP Expert Group: Call for applications for the renewal of the membership of the Expert Group
If you have any questions, please send email to: