Variable Recurring Payments: The Political Landscape

In Part 1, we explored the technical foundations of Variable Recurring Payments. But technology is only half the story. VRPs exist at the intersection of regulatory ambition, commercial self-interest, and genuine consumer protection concerns. Understanding these dynamics is essential for anyone building in this space.

The promise of VRPs is compelling: a modern alternative to Direct Debit that gives consumers real control while enabling innovation in payments. The reality is messier. Banks are reluctant participants. Regulators are at odds with each other. And the fraud risks that kept Direct Debit out of certain markets haven't magically disappeared.

Where We Are Now: A Reality Check

Commercial VRP (cVRP) is real - but barely. It is stuck in a liminal state, shaped by political, technical, and commercial forces.

The UK announced a major commercial VRP scheme in December 2025, with first live payments expected in Q1 2026. UK Finance explicitly calls 2026 the year we'll see first commercial VRP transactions at any meaningful scale. So yes, cVRP is no longer theoretical. But what exists today is heavily constrained.

Wave 1: The Safe Bets

What's live (or imminently live) are the politically safe, low-risk use cases:

• Regulated utilities
• Government payments
• Financial services (pensions, investments)
• Rail tickets and charities

These are the use cases explicitly designed to avoid blowing up the cards industry immediately. They're necessary proving grounds, but they're not the prize.

Wave 2: The Real Disruption

The commercially significant use cases - the ones that actually threaten incumbent revenue streams - are still being negotiated:

• E-commerce checkout
• Retail subscriptions
• Embedded finance
• Platform payments (think Amazon, Tesco, Uber)

This is not fully live yet. The commercial model is still being thrashed out at UK Finance, with banks and fintechs negotiating fee structures. Anyone telling you commercial VRP is "here" is technically correct but practically misleading.

What Actually Exists at Scale

To be precise about the current state:

• Live: VRP sweeping, single immediate payments, pay-by-bank
• Pilot stage: Commercial VRP transactions (limited merchants)
• Agreements only: JROC commercial scheme frameworks
• Not at scale: retail e-commerce cVRP, Amazon-level adoption, mass-market merchant tooling, dispute/chargeback equivalents, mature consumer UX

Understanding this gap between announcement and reality is essential for anyone planning VRP-dependent product roadmaps.

The Regulatory Tug-of-War

The UK's approach to VRP regulation involves two powerful bodies with overlapping but distinct mandates: the Financial Conduct Authority (FCA) and the Payment Systems Regulator (PSR).

The FCA's Position

The FCA authorises and supervises payment institutions, including the Third Party Providers (TPPs) that initiate VRP payments. Their primary concerns are consumer protection and market integrity. The FCA has been cautious about non-sweeping VRPs, worried about:

• Authorised Push Payment (APP) fraud risk when consent boundaries are wide
• Consumer understanding of what they're agreeing to
• Dispute resolution when things go wrong
• The adequacy of TPP safeguards and capital requirements

The FCA's 2024 consultation on "Future of Payments" signalled support for VRPs in principle, but with heavy emphasis on consumer safeguards that some argue would neuter the commercial proposition.

The PSR's Push

The PSR has been more aggressive. Their mandate includes promoting competition and innovation in payment systems. From the PSR's perspective, VRPs represent exactly the kind of disruption the UK payments market needs - breaking the banks' grip on recurring payments and enabling new entrants.

In 2023, the PSR launched a consultation on mandating VRP support beyond sweeping use cases. Their proposals included requiring banks to offer commercial VRPs at regulated prices - a direct challenge to the banks' ability to resist or price-gouge.

The tension between FCA caution and PSR ambition has created uncertainty. TPPs don't know what rules they'll be operating under. Banks don't know what they'll be forced to support. And merchants are hesitant to invest in VRP integration without clarity on the regulatory endgame.

Two Years of Regulatory Limbo

The real story of VRP delay isn't just FCA vs PSR - it's that responsibility for VRPs has bounced between multiple bodies for years:

• CMA - initiated Open Banking via the Retail Banking Market Investigation, but their mandate ended with the CMA9 compliance period
• FCA - authorises TPPs and sets conduct rules, but initially treated VRPs as "someone else's problem"
• PSR - wanted to drive VRP adoption but lacked direct powers over API specifications
• HM Treasury - sets the strategic direction but doesn't regulate implementation details

This resulted in two-plus years of regulatory ping-pong. Each body could point to another as the responsible party. Only recently has the UK consolidated VRP leadership under FCA coordination, with the Joint Regulatory Oversight Committee (JROC) providing a framework for inter-regulator collaboration.

This meant banks could delay support without regulatory consequence. When multiple regulators share responsibility, no single one can compel action. Banks could legitimately claim they were "waiting for clarity" while the regulators sorted themselves out.

The Liability Question

Perhaps the most contentious issue is liability allocation. Under the Direct Debit Guarantee, consumers can claim back unauthorised or incorrect payments from their bank, who then pursues the merchant. It's a simple, consumer-friendly model that has built trust over decades.

VRPs disrupt this model. The payment is "authorised" - the consumer gave consent for payments within certain parameters. But what if they didn't understand the parameters? What if the TPP charged more than expected? What if the merchant went bust?

Banks argue they shouldn't bear liability for payments they didn't initiate and couldn't prevent. TPPs argue they shouldn't bear unlimited liability for implementing bank-provided APIs. Merchants worry about chargebacks eating their margins. And consumers just want their money back when something goes wrong.

The PSR has proposed a "tiered liability" model where responsibility depends on where the failure occurred. But the details remain contested, and without clear rules, VRP adoption will remain stunted.

Commercial Dynamics: Winners and Losers

VRPs threaten to redistribute billions of pounds in payment revenues. Understanding who gains and who loses explains much of the political resistance.

The Banks' Dilemma

UK banks had zero incentive to support VRPs. Not "little" incentive - zero. Consider what banks make billions from:

• Card interchange fees
• Merchant acquiring
• Payment processing

Commercial VRP kills card fees. It routes payments directly from consumer accounts to merchant accounts, bypassing the card rails entirely. The rational response from a bank executive is straightforward: "Why would I fund my own disintermediation?"

This isn't speculation or cynicism - it's explicitly acknowledged in industry commentary and reporting. Banks have been openly reluctant, and that reluctance is economically rational.

VRP as Strategic Nuclear Weapon

The language of "disruption" undersells what commercial VRP represents. It's better understood as a strategic weapon that, at scale, threatens multiple incumbent revenue streams:

• Direct Debit revenues at risk - Bacs processed 4.7 billion Direct Debit transactions in 2023. VRPs threaten to disintermediate this entirely.
• Card interchange erosion - Every subscription payment on a card generates fees for issuers. VRPs route around the networks completely.
• Merchant acquiring disruption - The entire card acceptance infrastructure becomes optional when merchants can pull directly from bank accounts.
• Big Tech wallet threat - If VRPs mature, Apple Pay and Google Pay become less essential. Account-to-account rails don't need wallet intermediaries.

Banks delaying VRP isn't obstructionism - it's rational economic self-preservation. They're being asked to build the infrastructure that will erode their own revenue streams.

The "Not Ready Yet" Defence

For years, the industry line on commercial VRP was "it's not ready yet." This deserves examination, because it's partially true and partially convenient.

Could banks technically do cVRP today? Yes - without doubt. Banks already have:

• Faster Payments infrastructure (live since 2008)
• Open Banking APIs (mandated since 2018)
• VRP sweeping APIs (live since 2022)
• Consent management systems
• Fraud detection engines

Commercial VRP is not a technical leap. The APIs exist. The rails exist. The authentication exists. What's missing isn't technology - it's political, commercial, and operational will.

The blockers were structural:

1. No commercial pricing model - Open Banking APIs were mandated to be free. TPPs wanted free payments. Merchants wanted cheaper than cards. Banks wanted revenue. Result: years of stalemate. Only now are sustainable fee structures being proposed.
2. No regulatory clarity - As discussed above, the multi-regulator environment gave banks cover for inaction.
3. No forcing function - Unlike sweeping VRPs, commercial VRPs weren't mandated by the CMA order. Banks could simply... not.

The CMA9 banks were legally compelled to support sweeping VRPs. For commercial VRPs, they've dragged their feet on API quality, imposed restrictive consent parameters, and signalled that pricing will not be cheap.

Banks Playing Both Sides

Some banks have adopted a hedge strategy - building their own VRP propositions to capture merchant relationships before fintechs can. NatWest's "Payit" and Barclays' business banking integrations are examples of banks trying to own the VRP experience rather than just provide the pipes.

The strategy: if VRPs are coming anyway, control the customer relationship. If a bank can position itself as the VRP provider to merchants, it preserves revenue even as the underlying rails change. Whether this works depends on execution and regulation.

The Fintech Opportunity

For payment fintechs, VRPs represent a massive opportunity:

• Lower costs - VRP transactions clear through Faster Payments, which is cheaper than card rails. Fintechs can undercut card-based subscription processors.
• Better success rates - No card expiry issues. No declined transactions due to lost cards. VRP payments succeed as long as the account has funds.
• Instant settlement - Unlike cards (T+2 or worse), Faster Payments settle immediately. This improves cash flow for merchants and fintechs alike.
• New business models - VRPs enable use cases that cards handle poorly: variable subscription pricing, usage-based billing, "save the change" features.

GoCardless, TrueLayer, Yapily, and others have built VRP capabilities and are pushing hard for regulatory support. But they face a chicken-and-egg problem: merchants won't adopt without consumer trust, and consumers won't trust without merchant adoption.

The Merchant Perspective

Merchants have mixed feelings about VRPs. The theoretical benefits are clear:

• Lower transaction costs than cards (potentially 50-80% savings)
• Fewer failed payments and involuntary churn
• Faster access to funds
• No card scheme rules to navigate

But merchants are risk-averse about payment infrastructure. They've invested heavily in card-based systems. They understand chargebacks and how to manage them. VRPs introduce new unknowns: How will disputes work? What happens when a customer claims fraud? Will consumers actually want to pay this way?

Early adopters tend to be digital-first businesses with tech-savvy customers - fintech apps, subscription software, online utilities. Mass-market adoption requires solving the trust and familiarity gap.

Why Visa and Mastercard Are Terrified

Let's be direct: commercial VRP is a direct substitute for card payments. Not a complement, not an alternative channel - a replacement for the core card use case.

Consider what cVRP replicates:

• Consumer checkout
• Subscription initiation
• Low-friction instant payment

All of this - without a card network. It's a merchant-initiated trigger directly to the consumer's bank. Visa and Mastercard become optional.

The existential threat to card networks isn't about a few subscription payments. It's about what happens when merchants realise they can:

• Eliminate interchange fees entirely
• Get instant settlement instead of T+2
• Avoid card scheme rules and compliance costs
• Own the payment relationship directly

Card networks have spent decades building irreplaceability. Consumer habits, merchant acceptance infrastructure, rewards programmes, trust - all creating moats that seemed permanent. VRPs don't attack these moats directly. They route around them entirely.

The Card Networks' Response

Visa and Mastercard aren't sitting idle. Their response has been multi-pronged:

• Card-on-file tokenisation - Making it easier for merchants to store and update card credentials, reducing failed payments (one of VRP's key advantages).
• Account-to-account acquisitions - Both networks have invested heavily in or acquired A2A payment providers. If the payment rails change, they want to own the new ones too.
• Loyalty deepening - Emphasising consumer benefits (points, cashback, purchase protection) that VRPs can't match. Making cards "sticky" beyond mere function.
• Merchant services expansion - Positioning as value-added partners, not just payment pipes. Fraud tools, analytics, credit - reasons to stay beyond the transaction fee.

The card networks' strategy is essentially: if VRPs do take volume, make sure we're embedded enough in the merchant relationship that we capture value regardless.

The Quiet Relief

Here's the uncomfortable truth: card networks may quietly welcome VRP's current constraints. Every year that commercial VRP stays in "pilot phase" is a year of preserved interchange revenue. Every regulatory delay is a gift.

The network moat remains consumer preference. Decades of rewards programmes have trained consumers to pay by card. VRPs offer merchants cost savings, but offer consumers... nothing obvious. No points. No purchase protection. No familiar flow.

Until someone solves the consumer value proposition - or merchants start offering discounts for VRP payments - cards retain the advantage. The networks know this.

The Big Tech Wildcard

Here's a scenario that should keep fintech founders awake at night: what happens when Big Tech decides to use cVRP directly?

Big Tech's VRP Play

Imagine:

• Apple Pay with native VRP - triggering account-to-account payments directly
• Google Pay doing the same via A2A rails
• Amazon embedding direct bank payment triggers at checkout

All of these bypass fintech intermediaries entirely. The payment becomes a direct relationship between Big Tech and the consumer's bank. Fintechs that built aggregation and orchestration layers suddenly find themselves optional.

Big Tech has the distribution, the consumer trust, and the engineering capability to implement VRP at scale. They don't need fintech partners - they just need bank APIs. Which, thanks to Open Banking mandates, they have.

The Uncomfortable Truth for Fintechs

Here's the cynical observation: fintechs loved Open Banking when banks were bad at it.

When bank APIs were clunky, unreliable, and poorly documented, there was value in the aggregation layer. Fintechs could smooth over bank inconsistencies, provide better UX, and add genuine value between consumer and bank.

But what happens when banks get good at VRP? When APIs are reliable, consent flows are smooth, and the technology just works? The aggregation layer becomes thin. The margin compresses. The value-add evaporates.

And if Big Tech enters with native VRP support, fintech intermediaries don't just lose margin - they become irrelevant. They're UI plugins, not platforms.

The Quiet Pivot

Astute fintech observers will notice that many payment-focused fintechs are quietly diversifying away from pure payments:

• Risk and fraud engines
• Identity verification
• Embedded finance orchestration
• Lending and credit
• Data platforms and analytics

This isn't coincidence. The smart money knows that payments alone is becoming commoditised infrastructure. The differentiation - and the margin - is moving elsewhere.

While fintechs publicly support cVRP expansion (it grows the market), the private calculus is more complex. VRP success that hands the consumer relationship to banks or Big Tech isn't a fintech win. It's a margin compression event.

Consumer Protection: Real Risks, Real Concerns

Consumer advocates have raised legitimate concerns about VRPs that deserve serious consideration.

The Consent Problem

VRP consent screens are complex. They show maximum amounts, periods, and cumulative limits. Research suggests most consumers don't fully understand what they're agreeing to.

Consider a typical VRP consent: "Allow ACME Corp to take up to £100 per transaction, up to £500 per month, for the next 12 months." That's a potential £6,000 exposure. Does the consumer understand this? Do they remember six months later when an unexpected charge appears?

The Direct Debit model is simpler: you authorise a merchant to collect what they're owed, and if something goes wrong, you claim it back. The explicit boundaries of VRPs, meant to protect consumers, may actually confuse them.

Consumer groups (including Which?) have called for:

• Standardised, plain-English consent language
• Mandatory confirmation before each payment (defeating the purpose for many use cases)
• Automatic expiry of unused consents
• Easy revocation through the bank app, not just the TPP

Fraud Vulnerabilities

Authorised Push Payment (APP) fraud has exploded in the UK. Criminals trick victims into sending money willingly - often by impersonating banks, HMRC, or trusted contacts. VRPs could become a new vector:

• Consent hijacking - Tricking a victim into authorising VRP consent to a fraudster's merchant account.
• Dormant consent exploitation - Compromising a TPP or merchant to drain accounts using existing consents.
• Parameter manipulation - Social engineering victims into accepting higher limits than they realise.

The banking industry's Contingent Reimbursement Model (CRM) for APP fraud doesn't clearly cover VRP scenarios. If a consumer was tricked into giving VRP consent, is that "authorised"? The liability frameworks haven't caught up with the technology.

Consent Fatigue

Open Banking has already trained consumers to click through consent screens without reading them. Account Information Services (AIS) connections typically require reauthorisation every 90 days, leading to regular consent flows that become routine and ignored.

VRP consents are higher stakes - they authorise actual payments, not just data access. But if consumers treat them with the same lack of attention, the safeguards become theatre. This is a design problem without easy solutions.

Vulnerable Customers

VRPs could disproportionately harm vulnerable customers:

• Elderly users unfamiliar with digital payments may not understand what they're authorising.
• People with cognitive impairments may struggle with complex consent parameters.
• Victims of financial abuse could have VRP consents created by controlling partners.
• People in financial difficulty may authorise VRPs that drain accounts needed for essentials.

Banks have duties under the FCA's Consumer Duty to consider vulnerable customers. How these duties apply to VRPs - where the bank doesn't initiate the payment - remains unclear.

The Path Forward

Despite the challenges, VRPs will likely become a significant part of UK payments infrastructure. The question is how quickly, and under what terms.

Regulatory Clarity

The PSR has been working on VRP frameworks to provide clearer rules, including on:

• Mandatory support requirements for non-sweeping VRPs
• Price caps or regulated interchange-style fees
• Liability allocation rules
• Consumer protection requirements

The FCA will likely add requirements around consent design, vulnerable customer protections, and dispute resolution. The challenge is balancing protection with usability.

Industry Coordination

Pay.UK, the operator of Faster Payments, has been working on VRP standards and infrastructure. Their New Payments Architecture (NPA) programme includes VRP capabilities that could provide more consistent implementation across banks.

UK Finance, the banking industry body, has been developing voluntary codes for VRP dispute handling. Whether these prove adequate, or regulators impose stricter rules, remains to be seen.

Consumer Education

VRPs will only succeed if consumers trust them. That requires:

• Clear, consistent branding (Direct Debit's logo recognition took decades to build)
• Public education about how VRPs differ from existing payments
• Visible, easy-to-use consent management in banking apps
• Rapid, fair dispute resolution when things go wrong

The industry needs to learn from the Direct Debit Guarantee's success: a simple promise that built consumer trust. VRPs need their equivalent.

International Developments

The UK isn't alone in exploring VRP-like capabilities. The EU's proposed PSD3 regulation includes provisions for "premium" payment initiation services with similar recurring consent models. Brazil's Pix has implemented recurring payments. India's UPI supports auto-pay mandates.

The UK has an opportunity to lead in VRP implementation, creating exportable standards and building fintech capabilities that can expand internationally. But only if domestic adoption succeeds first.

A Realistic Timeline

Based on current trajectories, here's a rough roadmap for commercial VRP evolution:

Phase 1: 2026

• Utilities and regulated merchants go live with constrained cVRP
• Early fintech pilots with selected merchants
• Bank-to-bank testing and API stabilisation
• Consumer awareness remains minimal

Phase 2: 2027-2028

• E-commerce adoption begins at scale
• Big retailers start rollout
• Wallet integration (Apple Pay, Google Pay) becomes a question
• Pricing models stabilise
• Chargeback/dispute frameworks mature

Phase 3: 2028-2035

• Mainstream adoption
• IoT-triggered payments emerge
• "Card-exit" tipping point for some merchant categories
• International standards alignment

The Brutal Reality

Banks could have done VRP in 2020. The technology was there. The rails existed. They didn't - because it threatened their business model. Every year of delay has been a year of preserved revenue.

The current timeline isn't a function of technical complexity. It's the pace at which commercial interests can be aligned and regulatory pressure applied. The speed of VRP adoption will be determined by politics, not engineering.

What This Means for Builders

If you're building VRP-enabled services, here's the pragmatic view:

• Start with sweeping - Me-to-me transfers are mandated and relatively uncontroversial. Build experience here first.
• Watch the regulatory calendar - PSR consultations and FCA guidance will shape what's possible. Stay engaged with industry bodies.
• Design for trust - Your consent flows, customer communications, and dispute handling will determine adoption. Don't just meet minimums.
• Plan for liability - Build reserves and insurance for dispute costs. The rules may change, and you need to be able to make customers whole.
• Target the right merchants - Focus on sectors where VRP benefits are clearest and consumer trust is highest. Don't try to boil the ocean.

VRPs represent a genuine opportunity to improve UK payments - lower costs, better success rates, more innovation. But the path there runs through regulatory complexity, commercial resistance, and legitimate consumer concerns. Success requires navigating all three.

Conclusion

Commercial VRP is less a technology problem and more a political economy problem.

The APIs exist. The rails exist. The authentication exists. What's been missing is the alignment of commercial interests, the resolution of regulatory jurisdiction, and the political will to force incumbents to cannibalise their own revenue streams.

The current state - Wave 1 rollout with constrained use cases, Wave 2 e-commerce scale entirely dependent on a sustainable commercial model - is a negotiated settlement, not a technical necessity. Every delay represents someone's preserved revenue. Every constraint reflects a political compromise.

For those building in this space, the implications are clear:

• Don't bet on timelines - they're political, not technical
• Understand whose revenue you threaten - they will resist
• Build where value can be captured regardless of VRP speed - risk, identity, orchestration
• Design for the constraints that exist, not the open market that might never arrive

VRP will reshape UK payments. But the journey there runs through commercial self-interest, regulatory compromise, and the hard realities of who captures value when the dust settles. The technology was never the hard part.