Open banking and the regulatory framework

Open banking in the United Kingdom is built on a regulatory and competition law framework that requires the nine largest current account providers to share customer data and accept payment instructions from authorised third parties. The framework derives from two sources: the Competition and Markets Authority’s Retail Banking Market Investigation Order 2017 and the Payment Services Regulations 2017 (PSRs 2017), which transposed the second EU Payment Services Directive (PSD2) into UK law.

Under PSRs 2017, two new categories of regulated payment service provider were introduced. Account Information Service Providers (AISPs), regulated under regulation 33, may access account data held by the customer’s bank with the customer’s explicit consent. Payment Initiation Service Providers (PISPs), regulated under regulation 34, may initiate payments directly from the customer’s account. Both must be authorised or registered by the Financial Conduct Authority (FCA) under Part 2 of PSRs 2017.

The Open Banking Implementation Entity (OBIE) was established pursuant to the CMA Order to develop the technical standards, API specifications, and governance arrangements required to make open banking operational. These standards are now maintained by Open Banking Limited. The UK’s open banking ecosystem has grown to over 100 regulated providers and more than 7 million active users.

Variable recurring payments

Variable recurring payments (VRPs) represent the next phase of open banking. A VRP is a payment initiated by a PISP under a long-lived consent, where the amount may vary between payment events within parameters agreed by the customer. Unlike a direct debit, the payment is initiated through the open banking infrastructure rather than the Bacs scheme, and unlike a standing order, the amount is not fixed.

The first mandated use case for VRPs is sweeping: the automatic movement of funds between accounts held by the same person. The CMA’s Retail Banking Market Investigation Order 2017 (as varied in 2020) required the nine largest current account providers to implement sweeping VRPs. This obligation is enforced by the CMA.

Non-sweeping or commercial VRPs (cVRPs) extend the model to payments between different persons, covering use cases such as subscription payments, utility billing, and e-commerce. The Joint Regulatory Oversight Committee (JROC), comprising the FCA, the Payment Systems Regulator (PSR), HM Treasury, and the CMA, published its roadmap for the future of open banking in 2023. The JROC roadmap identifies cVRPs as a priority, with a phased roll-out beginning with regulated utility and financial services sectors.

Regulatory requirements for VRP participants

Firms participating in the VRP ecosystem face regulatory requirements across several dimensions. PISPs initiating VRPs must hold FCA authorisation under PSRs 2017 regulation 5 and comply with the conduct of business requirements in Part 7, including the obligation to obtain explicit consent under regulation 67 and to execute payment transactions in accordance with regulation 86. For cVRPs, the consent framework is more complex: the PISP must ensure the customer has agreed to the specific parameters of the recurring payment mandate, including maximum amounts, frequency, and duration.

Account Servicing Payment Service Providers (ASPSPs), typically banks, must provide access to their payment accounts through dedicated interfaces compliant with the Regulatory Technical Standards on Strong Customer Authentication and Common and Secure Open Standards of Communication. The FCA’s Approach Document on Payment Services and Electronic Money (updated 2024) sets out supervisory expectations on interface availability, performance, and contingency mechanisms.

Scheme governance adds a further layer. The JROC framework envisages that cVRP participants will operate within a multilateral framework that sets the rules on liability allocation, dispute resolution, and customer protection. The design of this framework is ongoing. Participants must plan for compliance with scheme rules that may impose obligations beyond the PSRs 2017 statutory baseline.

Customer protection and liability

The customer protection regime for VRPs is governed by PSRs 2017 Part 7. Regulation 76 provides that where a payment transaction is initiated through a PISP, and the transaction is unauthorised, the ASPSP must immediately refund the payer. The ASPSP may then seek to recover from the PISP under regulation 77. For authorised transactions that were incorrectly executed, the liability framework in regulations 91 to 93 applies.

The position is more complex for cVRPs. Where a payment is authorised under a VRP mandate but the customer disputes the amount or timing, the question is whether the payment falls within the consent parameters. The JROC cVRP framework is expected to introduce a dispute resolution mechanism specific to commercial VRPs, similar in function to the chargeback rights available under card scheme rules. Until that framework is finalised, the contractual arrangements between the PISP, the merchant, and the customer will determine the practical allocation of liability.

Strong customer authentication (SCA) requirements apply to VRPs under PSRs 2017 regulation 100. For sweeping VRPs, SCA is required at the point of mandate setup but not for each subsequent payment. For cVRPs, the SCA requirements will depend on the risk profile of the transaction and the applicable exemptions, including the trusted beneficiary exemption and the transaction risk analysis exemption.

How bratby.law helps

bratby.law advises banks, payment institutions, fintechs, and platform operators on the regulatory, contractual, and operational aspects of open banking and VRPs. Our managing partner holds a General Counsel appointment at UK Payments Initiative Limited and advises on payments scheme governance, participant onboarding, and regulatory strategy.

Our work in this area includes:

• FCA authorisation and registration for AISPs and PISPs under PSRs 2017
• Drafting and negotiating VRP mandate terms, customer-facing consent flows, and merchant participation agreements
• Advising on the JROC cVRP framework, including scheme governance design, liability allocation, and dispute resolution mechanisms
• Regulatory gap analysis for banks implementing VRP access obligations under the CMA Order
• Consumer protection and SCA compliance for VRP payment flows
• API access agreements, technical specification compliance, and dedicated interface obligations
• Integration of open banking capabilities into telecoms billing, subscription, and e-commerce platforms

Book a call

For advice on open banking regulation, VRP implementation, or FCA authorisation, book a call with Rob Bratby.

FAQs

Do I need FCA authorisation to offer VRPs?

Yes. A firm initiating VRPs is acting as a PISP and must be authorised or registered under PSRs 2017 regulation 5. The authorisation requirements are the same whether the VRP is a sweeping or commercial payment. Operating without authorisation is a criminal offence under regulation 138. The FCA Register confirms whether a firm holds the required permissions.

What is the difference between sweeping VRPs and commercial VRPs?

Sweeping VRPs move funds between accounts held by the same person, typically to optimise savings or manage cash flow. They are mandated by the CMA Order and the nine largest banks must support them. Commercial VRPs (cVRPs) involve payments to third parties, such as merchants or service providers. cVRPs are not yet mandated. The JROC roadmap provides for their phased introduction, beginning with regulated sectors. The regulatory treatment, scheme governance, and customer protection mechanisms differ between the two categories.

How does the cVRP dispute resolution mechanism work?

The cVRP dispute resolution mechanism is being developed as part of the JROC framework. It is intended to provide customers with rights comparable to card scheme chargeback protections. The mechanism will address disputes about payment amounts, timing, and whether a payment fell within the mandate parameters. Until the framework is finalised, liability allocation depends on the contractual terms between the PISP, the customer, and the merchant. Firms should build dispute resolution processes into their VRP participation agreements now.

What are the SCA requirements for VRPs?

Strong customer authentication is required when the VRP mandate is created. For sweeping VRPs, SCA is not required for subsequent individual payments under the mandate. For cVRPs, the SCA position depends on the applicable exemptions in PSRs 2017 regulation 100 and the associated Regulatory Technical Standards. The trusted beneficiary and transaction risk analysis exemptions may apply. The FCA’s Approach Document provides guidance on when exemptions are available and the conditions that must be met.

How does open banking interact with telecoms and subscription services?

Open banking payment initiation offers telecoms operators and subscription platforms an alternative to card and direct debit payments. VRPs are particularly relevant for recurring subscription billing, where the payment amount may vary by usage. bratby.law advises on the integration of open banking payment flows into telecoms billing systems, including the regulatory classification of the telecoms operator, the contractual framework with the PISP, and compliance with both PSRs 2017 and the Communications Act 2003.

Related payments regulation pages

See also our other payments regulation pages:

• Authorisation and Licensing
• PSR and Scheme Governance
• Operational Resilience and DORA
• Safeguarding and Consumer Duty

See also: AI and Automated Decision-Making.