
Open Banking and Variable Recurring Payments
Payment initiation, open banking compliance and commercial VRP frameworks for fintechs and banks
Open banking regulation in the UK requires firms building payment services using customer account data to understand the FCA and PSR rulebook. Bratby Law advises firms and financial institutions on the regulatory perimeter for open banking services, particularly those launching payment initiation services and variable recurring payments under the Payment Services Regulations 2017. Rob Bratby serves as General Counsel to the UK Payments Initiative, providing direct insight into how commercial variable recurring payments (cVRPs) are being governed and implemented across the UK payments ecosystem.
When does open banking regulation become an issue?
Open banking regulation becomes material at several points in a firm’s development. Firms building or integrating account information services (AIS) or payment initiation services (PIS) into their products will cross the FCA regulatory perimeter. Banks and building societies implementing open banking APIs to enable third parties to access customer accounts need to consider their obligations as data holders and service providers. Third-party payment service providers seeking FCA authorisation for AIS or PIS must navigate the authorisation regime and meet ongoing conduct rules. Firms launching commercial variable recurring payment products, which allow customers to consent to variable payments from their accounts, must understand the PSR 2017 framework as amended by the 2019 Regulatory Technical Standards. Finally, firms designing products that rely on open banking data for credit decisions, cross-selling, or aggregation services must verify whether they have crossed into a regulated activity. The distinction matters significantly because it determines whether authorisation is required and which consumer protection rules apply.
Why open banking matters now
Variable recurring payments now account for 16% of all open banking payments in the UK, with commercial VRPs (sweeping VRPs mandated by regulation) driving growth as firms build new payment models. The UK Payments Initiative, formed by 31 firms, is building a centralised scheme to enable commercial VRP payments and dispute resolution outside the PSD2 mandate. First live cVRP payments are expected in the first quarter of 2026. HM Treasury is expected to introduce legislation in 2026 that will grant the FCA new powers to set open banking rules through the Long-Term Regulatory Framework, replacing the current interim regime based on PSR 2017. The FCA and Payment Systems Regulator will assess the progress of cVRP adoption towards the end of 2026 to determine whether the scheme meets consumer outcomes and market needs. The Regulators have applied temporary forbearance to the Competition Act investigation into UKPI’s centralised access fee pricing model, with an extension until either the legislative framework becomes law or 31 July 2027, whichever is earlier. Phase 1 cVRP use cases focus on utility payments, financial services payments (insurance renewals, mortgage payments), and government payments (council tax, student loans). Rob Bratby’s appointment as General Counsel to UKPI provides direct operational insight into how the cVRP framework is being built, the scheme rules, governance structure, and commercial models that participating firms will adopt.
Where firms get open banking wrong
Many firms approaching open banking treat it as a pure technology integration problem rather than a regulated activity. The first mistake is failing to understand that account information services and payment initiation services are regulated payment services under the PSR 2017, both of which require FCA authorisation unless an exemption applies. Firms often under-estimate the customer authentication and communication requirements, particularly the strict strong customer authentication standards and the need for explicit user consent at the point of payment. Building products first and seeking regulatory advice second creates costly rework when the regulatory perimeter analysis reveals that authorisation is necessary or that material compliance obligations exist. Confusion between sweeping VRPs (mandated by PSD2, free to consumers, regulated payment services) and commercial VRPs (voluntary, charged, scheme-specific rules) leads firms to design products that fall outside the regulatory framework or that breach consumer protection rules. Some firms launching cVRP products pay insufficient attention to dispute resolution design, under-estimating the complexity of refund rights and merchant indemnities in a scheme environment. Finally, firms fail to plan for regulatory change. The current open banking framework is interim; the statutory Long-Term Regulatory Framework will introduce new rules, and firms that build only to the current regime will face significant transition costs. Good regulatory strategy anticipates and plans for the transition.
What good looks like
Leading firms conduct a regulatory perimeter analysis before product design begins. They understand which regulated activity their product involves: is it AIS, PIS, or both? They design customer journeys that satisfy strong customer authentication requirements and deliver explicit consent at the point of payment. For firms participating in the cVRP scheme, good practice means understanding UKPI scheme rules, the dispute resolution mechanism, and how access fee models work. They plan for regulatory change by building products that can adapt to a statutory framework rather than a temporary interim regime. They consider whether the interim forbearance on Competition Act enforcement affects their commercial model, and plan for what happens when the forbearance expires. They secure specialist regulatory advice in the design phase rather than waiting until launch. Rob Bratby’s role as General Counsel to UKPI provides direct insight into the scheme’s governance, rule-setting and commercial model, and the detail of how the first cVRP payments are being structured. This experience informs Bratby Law’s advice on scheme participation, governance design, and dispute resolution. Good open banking firms also understand that open banking regulation sits within the broader UK payments ecosystem. Rules on authorisation, consumer protection, and dispute resolution interconnect across PSD2, DUAA 2025, and the emerging Long-Term Regulatory Framework.
When to instruct an open banking specialist
Instruct open banking specialists in the product design phase, before engineering resources are committed. A regulatory perimeter analysis will identify whether you need FCA authorisation and which conduct rules apply. If you are seeking FCA authorisation for AIS or PIS, specialist advice on the authorisation process, regulatory reporting, and CONC rules is essential before you apply. If you plan to participate in the cVRP scheme, instruct a specialist in scheme participation, governance, dispute resolution design, and access fee model treatment. Instruct specialists to review the open banking API implementation and customer authentication mechanisms for compliance with PSR 2017 and RTS requirements. Finally, if you have an existing open banking product built under the interim framework, instruct a specialist to advise on planning for the transition to the statutory Long-Term Regulatory Framework.
How Bratby Law helps with open banking
Bratby Law advises firms at every stage of open banking product development and regulation. We conduct regulatory perimeter analysis to determine whether your product involves AIS, PIS, or other regulated activities, and advise on the scope of authorisation or exemptions that apply. We advise on FCA authorisation for AIS and PIS providers, including pre-application strategy, regulatory reporting frameworks, and CONC consumer protection rules that govern how you interact with customers and handle disputes. For firms participating in the cVRP scheme, we advise on scheme participation, governance structure, merchant dispute resolution mechanisms, and access fee models in light of competition law considerations. We advise on open banking API compliance, including strong customer authentication design, consent mechanisms, and data handling obligations under the PSRs and DUAA 2025. We design dispute resolution mechanisms for open banking products, including refund rights, burden of proof, and settlement timescales. We advise on planning for regulatory change, helping firms understand the interim status of the current framework and preparing for the statutory Long-Term Regulatory Framework. Finally, we advise on consumer protection and liability, including how open banking regulation intersects with FCA Handbook rules on consumer credit, insurance distribution, and other regulated activities your business may involve. Rob Bratby’s role as General Counsel to UKPI means Bratby Law has direct insight into how the cVRP scheme is being built and the practical regulatory challenges firms face in implementation.
Frequently asked questions about open banking regulation
Do I need FCA authorisation to offer open banking services?
It depends on the service you are offering. If you are providing account information services or payment initiation services, you must be FCA-authorised as a payment institution or e-money institution unless you qualify for an exemption. Exemptions exist for certain electronic money services and within-scheme services. If you are providing data aggregation services or using open banking data for credit decisions or cross-selling, you may fall within other regulated activities that require authorisation. Conduct a regulatory perimeter analysis to determine whether authorisation is required.
What is the difference between sweeping VRPs and commercial VRPs?
Sweeping VRPs are mandated by PSD2 and the PSR 2017 amendments; they are a free service that firms must offer to customers who consent to variable recurring payments. Commercial VRPs are voluntary and charged; they sit outside the PSD2 mandate and are governed by scheme rules (such as UKPI cVRP scheme rules) rather than statutory regulation. The key difference is that sweeping VRPs are a regulatory obligation offering consumer protection, whilst commercial VRPs are commercially negotiated services with scheme-specific protections.
How does the cVRP dispute resolution mechanism work?
The UKPI cVRP scheme establishes a centralised dispute resolution process that sits outside the statutory framework. Consumers can dispute cVRP transactions through the scheme’s dispute process, which is faster and simpler than statutory chargeback processes. The scheme rules define refund rights, burden of proof, settlement timescales, and indemnity arrangements between consumers, merchants, and payment service providers. Scheme participants must implement dispute resolution procedures that comply with UKPI scheme rules.
What is the UK Payments Initiative?
The UK Payments Initiative is a scheme body formed by 31 firms to build a commercial variable recurring payments framework outside the PSD2 mandate. It develops scheme rules, operates a centralised dispute resolution process, and sets access fees for firms participating in cVRP payments. UKPI was granted a temporary exemption from the Competition Act by the Competition and Markets Authority, with forbearance on investigation into its access fee pricing model until the statutory Long-Term Regulatory Framework is in place or 31 July 2027, whichever is earlier.
When will the long-term regulatory framework for open banking be in place?
HM Treasury is expected to introduce legislation in 2026 to establish a Long-Term Regulatory Framework for open banking, which will grant the FCA new powers to set open banking rules. The statutory framework will replace the current interim regime based on PSR 2017. The timeline for parliamentary passage and implementation is uncertain, but HM Treasury has signalled that the framework will be in place within the parliamentary calendar. Firms should plan for transition well ahead of implementation.
What are the strong customer authentication requirements for open banking?
Strong customer authentication requires two independent authentication factors drawn from three categories: knowledge, possession, and inherence. For payment initiation and account information services, you must implement SCA at the point of customer initiation and when the customer consents to the service. The Regulatory Technical Standards set detailed rules on exemptions (low-risk transactions, trusted beneficiaries) and implementation methods. Exemptions are narrow, and firms must ensure that SCA is properly embedded in the customer journey.
Can I use open banking data for purposes other than the service the customer consented to?
No. The PSR 2017 restricts use of open banking data to the purposes for which the customer gave explicit consent. You cannot use open banking data for marketing, credit decisions, or other purposes without fresh consent. The DUAA 2025 also applies strict consent and data use rules to account data used for anything other than the service consented to. Unauthorised use constitutes a breach of both payment services and data protection regulation.
How does open banking regulation differ from PSD2?
Open banking is the broader market infrastructure (APIs allowing access to account data); PSD2 is the regulatory framework that mandates sweeping VRPs and imposes strong authentication and consumer protection rules. The UK adopted PSD2 into the PSR 2017. PSD2 applies across the EU and EEA; UK open banking regulation now sits in the PSR 2017 as amended. The Long-Term Regulatory Framework will introduce new rules tailored to the UK market rather than mirroring EU PSD2 rules.
Independent directory rankings
Our specialist expertise is recognised in major independent legal directories:
- Chambers & Partners: Rob Bratby is ranked as a band 2 lawyer in the UK Guide 2026 in the “Telecommunications” category.
- The Legal 500: Rob Bratby is listed as a “Leading Partner – Telecoms” in London (TMT – IT & Telecoms).
- Lexology: Rob Bratby is featured on Lexology’s expert profiles as a Global Elite Thought Leader for data.



