Scam messages have been sent out in the Tax Administration’s name. Read more about scams

Payment service providers have an obligation to provide information about cross-border payments as of 1 January 2024 (CESOP)

We recommend taking part in stakeholder testing. The testing is now ongoing and will end on 22 March 2024. You can test CESOP submittal in your browser on the website or via the ApitamoPKI testing API. If you want to take part in stakeholder testing, first submit a testing start notification to the email address  

Starting 1 January 2024, payment service providers in the EU will have a new obligation to provide information about cross-border payments. Payment service providers include banks and credit institutions, for example. The obligation to provide information is based on the amendment under the payment information directive (EU 2020/284). The objective of the amendment is to reduce VAT fraud in international e-commerce and to ensure fair competition between companies.

Payment service providers must retain information on cross-border payments and report it to the Tax Administration for each calendar quarter. The Tax Administration forwards the information to the Central Electronic System of Payment information (CESOP) maintained by the Commission. Payment transaction information can be utilised in tax control.

What does a payment service provider mean?

Payment service provider refers to a payment institution or a credit institution that usually needs an authorisation to operate. Payment service providers include banks, for example. In addition, “payment service provider” may refer to an issuer of electronic money and to a postal company that has a universal service obligation.

Payment service refers to bank transfer, direct debiting, card payment by a bank or credit card, transmission of money and electronic wallet services, for example.

What payments does the obligation to provide information apply to?

The obligation to provide information concerns cross-border payments, i.e. payments where the payer is located in an EU Member State and the recipient is either in another EU Member State or outside the EU. The locations of the payer and the recipient are identified based on the IBAN account number or another such identifier.

Payment refers to an action where funds are transferred, withdrawn or made available, or to a money transmission service where funds received from the payer are transferred directly to the payment recipient.

Reporting and retaining information

Payment service providers must report electronically on the payment services they provide in Finland. The information must also be retained in electronic format for a period of 3 years after the year when the payment was dated.

The payee’s payment service provider needs to report information concerning the payment transaction when this payment service provider is located in an EU Member State. However, if the payee’s payment service provider is located outside of the EU, the information-reporting requirement lies on the payment service provider of the payer.

Reports on cross-border payments are filed quarterly. Normally, a report must be filed within 1 month from the end of the previous quarter. No extension is granted for filing the report. The due dates are:

  • January–March: by 30 April
  • April–June: by 31 July
  • July–September: by 31 October
  • October–December: by 31 January

Information must be reported only if more than 25 cross-border payments are made to the same payment recipient in Finland during the calendar quarter.

Read more in the guidelines published by the Commission: Guidelines for the reporting of payment data from payment service providers and transmission to the Electronic Central System of Payment information (CESOP) (

What information needs to be reported?

The payment service provider must report and retain the following information on payment transactions:

  • name or business name of the payment recipient
  • payment recipient's IBAN account number or other unique identifier
  • BIC code of the payment service provider acting on behalf of the payment recipient
  • payment details, such as the amount and time of payment.

In addition, the payment service provider must report its BIC or other unique identifier, such as a Business ID. For example, if banks belonging to a consortium share the BIC code, the service provider must use another code as identifier.

Read more about the Business ID and how to get it in the YTJ service (Business information system).

How to report the information

Reports are submitted as a file based on the CESOP XML schema in the service or through the API. 

For submittal of records, e-identification is required. Read more about identification. To submit reports through the API, the payment service provider also needs a certificate. Read more about applying for a certificate.

When a report has been submitted, the payment service provider receives a response indicating whether the report complies with the requirements. If the report was insufficient, it must be resubmitted. The response indicates what part of the report needs to be corrected. The Tax Administration may also contact the payment service provider directly about the corrections needed.

If the obligation to provide information is neglected

If a payment service provider neglects the obligation to provide information, a third-party filer's negligence penalty may be imposed. A negligence penalty may be imposed on the payment service provider if no report is submitted at all or if the service provider otherwise neglects the obligation to provide information. The amount of penalty depends on how severe the negligence is, and the maximum amount is €15,000.

In addition, a negligence penalty may be imposed if the obligation to retain data is neglected.

More information: Detailed guidance on the negligence penalty for a third-party submitter of cross-border payment data (available in Finnish and Swedish, link to Finnish)

Stakeholder testing

The purpose of stakeholder testing is to test how CESOP reports go from to CESOP and back as well as how Tax Administration systems process CESOP reports. You can test CESOP submittal in your browser on the website or via the ApitamoPKI testing API. In order to start testing, submit a testing start notification to the email address 

The start notification must include the following information: 

  • which environment you will conduct the tests in ( and/or ApitamoPKI)
  • your certificate (if you are using ApitamoPKI)
  • when you will conduct the tests
  • name and ID of the payment service provider
  • name of the software that generates and tests the reports
  • software contact persons or testers and their contact details. 

After you have submitted the testing start notification, the Tax Administration will send you the following information that you will need in the testing: 

  • personal ID used as the testing ID
  • payment service provider’s ID used in testing (ReportingPSP/PSPId)
  • payment service provider’s name used in testing (ReportingPSP/Name). 

Please note that you must not use actual production data in testing, and that all test data must be anonymised. The files submitted in the testing environment must not be larger than 10 MB. 

Other testing

Other tests can be conducted on or via ApitamoPKI while stakeholder testing is ongoing and after it has ended. The difference to stakeholder testing is that the submitted CESOP reports are not processed in the Tax Administration systems because the reports do not have the name and ID details assigned for them in stakeholder testing. The reports are also not transferred to CESOP, which means that no validation messages are received for them. However, you can use the checking feature in the testing environment to make sure that the software you use produces CESOP reports in the correct format for 


  • Finnish national legislation enters into force on 1 January 2024
  • Legislation applied as of 1 January 2024
  • First report for January–March 2024 to be filed by 30 April 2024

Schedules for software developers

Further information

If you have any questions, please send email to:


Page last updated 2/9/2024