Machine translations by Deepl

Your bank account: the shortcut to your private life (part 2)

CESOP: detecting VAT fraud through your bank account 

If you have a bank account (and who can do without one?) then many government departments, to a greater or lesser extent, have access to your private data. How does that work?

In a series of short articles, Privacy First clarifies what data authorities can already access and what more is in the pipeline. Part 2 of this series is about CESOP: a database to detect VAT fraud through your payment details.

What is CESOP?

As an account holder, you may end up in an EU database known as CESOP: the ''Central electronic system of payment information'. This CESOP is a central European database, designed to make it easier for public administrations in Europe to detect VAT fraud through information exchange between tax authorities and banks.

Since this year, all banks and other payment service providers in Europe have to pass on information about their account holders to the tax authorities if those account holders receive more than 25 international payments per quarter. The banks transmit this information to the tax authorities of the country where the payment recipient is located or resident. The national tax authorities in turn pass on the data received to CESOP so that fraud experts can use that data and compare it with other data to combat VAT fraud. The data can also be used to investigate other levies and taxes. The rules apply to all European banks and payment service providers, making CESOP a comprehensive database containing the data of billions of payments.

What does CESOP have to do with my bank details?

CESOP does not seem directly relevant to account holders receiving less than 25 international payments per quarter. Yet it is inevitable that CESOP will eventually affect very many account holders. What about this?

The rules state that a payment is 'cross-border' if the person to whom it is made is resident or established abroad. As a result, any account holder who occasionally buys a product from the online shop of a foreign company of any size - even if that company uses a Dutch bank account number - comes within the scope of CESOP. Thus, any account holder in the Netherlands who buys something from Alibaba or Amazon is affected by CESOP. The same goes for any account holder in the Netherlands who pays for a cup of coffee at the railway station in Antwerp or Brussels. After all, Alibaba, Amazon or the coffee kiosks in Antwerp and Brussels have in common that they will receive more than 25 payments per quarter from account holders from abroad.

What information is transmitted to CESOP?

The information banks have to pass on to the tax authorities about payers is currently limited. Only the location of the payer is passed on. About beneficiaries, banks have to pass on much more information. This includes the name, address and IBAN.[1] The rules make no distinction between payments to companies, non-profit organisations or individuals. Thus, individuals who receive more than 25 international payments per quarter from abroad are also registered in CESOP with their name and address details. The rationale behind this is that someone who receives more than 25 international payments per quarter is engaged in a commercial activity so that VAT is due.

Is access to CESOP controlled?

According to European Commission data, 40 tax authorities are currently affiliated to CESOP.[2] National authorities shall designate officials to have access to CESOP and the relevant officials shall remain employed by their own national tax administration. The control of whether employees lawfully access the database and use that data lawfully remains the responsibility of the relevant tax administration.[3] Perhaps nice to know in this context, that according to recent statement by the State Secretary of Finance, 72% of the Dutch Tax Administration's business processes have not yet been tested against the AVG.[4]

Privacy First position

Privacy First has concerns about CESOP and the flow of information about account holders towards the tax authorities and CESOP. With CESOP, the government is looking for foreign suppliers of goods and services who mistakenly do not pay VAT and thus commit VAT fraud. For this purpose, however, data on almost all cross-border payments must be reported. This includes information on payments where the supplier does not commit fraud and payments where there is no VAT obligation, such as payments between individuals or donations to charities. Privacy First believes that a disproportionate system has been rigged with CESOP.

Apart from the design of CESOP, Privacy First is also concerned about the function creep built into this system. The purpose of CESOP is to detect VAT fraud, but the rules state that the data from CESOP can also be used to investigate other levies and taxes.[5] The wording 'other duties and taxes' is so vague that it is not inconceivable, over time, that CESOP will be used for all kinds of purposes other than VAT fraud detection. Fraud experts with access to CESOP can already combine the data with information from other databases, e.g. Europol.[6] The system deliberately pre-sorts for later extensions and additions and linking to other databases.

CESOP is another example of how the government uses bank accounts and payment data as a central element in monitoring and detection tasks for broadly defined purposes. Citizens cannot live without bank accounts, but have no idea that the government has access to their accounts through many channels. The government's wide use of bank data is very worrying and raises the question of whether the government takes citizens' fundamental rights seriously.


[1] Article 39d of the Turnover Tax Act 1968.




[5] Art. 55(1), Regulation (EU) No 904/2010.