Do ISO’s in Online Payments Need to Apply VAT? I’m No VAT Expert But…
Yes. True to lawyerly form, there is a caveat already in the title of this dispatch. So make sure you double-check whatever I say here with someone who is actually a VAT expert. I know some good ones if you are looking for one. I’m an attorney and by law, we do not know anything about VAT...
That being said, I do regularly assist clients in the online payments space, and this week I ran into an interesting issue. If you are an online entrepreneur, you know there are lots of folks out there who make good money hooking payment service providers (PSPs) up with merchants as potential clients. These guys are generally known as ISO’s (Independent Service Organizations). Online businesses need payment processing to process debit or credit card payments made on their websites.
ISOs operate as intermediaries between the PSP and an online business looking for payment services. They bring them together and hope the merchant gets onboarded. If so, the ISO generally receives commissions from the PSP. Imagine you are an ISO and you have successfully onboarded a merchant with a PSP. Are your services subject to VAT? Do you need to charge the PSP any VAT on top of your commissions?
I had one advisor (not an expert) tell me the answer is no. The other one told me it's likely no. Yet another told me it's definitely yes... A friend of mine who is a former ISO said 'definitely not' and called me stupid for thinking that there could be any VAT on "commissions" received from a PSP. Apparently, he lives in a world where the label 'commissions' to denote a received payment (as opposed to 'fee') is relevant… (he’s really not an expert).
So what is it? I was curious myself at this point so I looked into it. It wasn’t central to my client’s case so no real VAT expert was put on this. All the people saying that ISO’s are exempt from VAT base that opinion on the general (EU) VAT exemption for services in relation to payments (including intermediary/brokerage services like ISO’s provide). This exemption is codified in the EU VAT Directive and the various national statutes. Basically, people advocating the exemption regard the ISO as an intermediary (since an ISO brings two parties together for payments) and they say this falls under the VAT exemption. But the devil is usually in the detail. So I started looking at the details. I found that whether the exemption applies depends on a functional analysis of the services provided by the ISO. If you are dealing with this stuff, you are well advised to conduct this functional analysis seriously. The last thing you want is to not apply VAT (when you have to) and then have to face the music years later.
Upon an examination of EU case law (most prominently the 2016 Bookit ruling), I can conclude that any exemption to the general rule that VAT must be charged for paid services must be interpreted very narrowly. In order for someone’s services to be exempt from VAT in the payments space, the service must constitute the payment transaction itself (i.e., the transaction which leads to a change in someone’s financial or legal status through a subsequent less or more ownership of money). Or, if the service does not constitute the payment transaction itself, the service must fulfill a specific and essential role in relation to a payment transaction.
Let's make this more concrete with some examples. When does a service constitute a 'specific and essential' part of a payments transaction? That is the case, for example, with a service which consists of the actual debiting or crediting of a bank account. That is (likely) also the case with a service consisting of instructing the debiting or crediting of a bank account. As these examples show, there must be an intensive functional proximity between the service looking for a VAT exemption and a transfer of funds.
Interestingly, I have learned that the question whether a service related to payments is exempt from VAT also depends on the question whether the service provider carries any liability for the successful achievement of the transfer of funds. If so, the exemption is more likely than not.
To give you an idea of how narrowly the exemption is interpreted, note the following. In the Bookit case, a payment service provider engaged by Odeon Cinema was in charge of collecting debit and credit card data from consumers buying movie tickets. It then was obliged to transmit this data to a merchant acquirer in order to obtain authorization codes from (ultimately) the issuing banks. Bookit would then, at the end of each business day, send a batch of card data together with the associated authorization codes to the acquirer so that the acquirer could collect payment from the various issuing banks.
These services by Bookit, prima facie, seem pretty closely linked to the relevant payments transactions (such as the payment transaction from issuing banks to the acquirer and subsequently to the merchant). Nevertheless, the EU court ordered that Bookit’s services do not constitute specific and essential roles in relation to a payment transaction. The transmission of card data to the acquirer and the obtainment of authorization codes was deemed more of an admin and tech service than a specific and essential payment service. I can hear you say: wait a second, without transmission of the card data the issuing banks would not be able to make any payments… It doesn’t work that way. It is not enough to say that without a specific action there would not be another action… The intense proximity must be there, i.e., the determination that the service constitutes a specific and essential part of the payment transaction (such as debiting a card or instructing the debiting of a card).
Now let's apply this to ISO’s within the payments industry. What do they do? ISO’s look for potential clients to present to acquirers. But they do not just pass on a phone number or an e-mail. ISO’s (as registered businesses) collect KYC, financial, business, and website info from the potential client. Such as processing history, percentage of chargebacks, revenue estimates, website details etc. They then submit this package of information to the acquirer they deem best for the service at hand. The ISO then commonly serves as the point of contact for both the acquirer and the merchant. ISO’s mediate during the onboarding process and often keep managing the relationship years afterward.
So how can we summarize these services? In essence, the ISO collects information, serves as a point of contact, and manages relationships. It seems like a management and admin service to me. In any case, it seems like a very far stretch to claim that any of these actions constitute a specific or essential part of the payment transaction (akin to debiting or crediting an account). It would also be a stretch to say that the ISO carries any liability for the successful execution of any payment transaction. ISO’s do not at all.
In short - I’m no VAT expert - but it seems pretty obvious to me that ISO’s are not VAT exempt and thus must (where applicable) apply the proper VAT treatment on their invoices.