What is a Variable Recurring Payment (VRP)?
A Variable Recurring Payment is a UK Open Banking consent that lets a payee pull a series of payments from a customer's bank account, where each payment can be a different amount within agreed limits. The customer authenticates once with their bank, sets a per-payment cap and a total cap, and then payments flow over Faster Payments until the consent is cancelled. It's different from Direct Debit because the customer holds the limits, and different from card-on-file because there's no card and no chargeback.
A Variable Recurring Payment (VRP) is a UK Open Banking payment instruction that lets an authorised payee initiate a series of payments from a customer's bank account under a single, long-lived consent. Each payment can be a different amount, on a different date, but every payment has to fall within the limits the customer set when they granted the consent — typically a per-payment cap, a per-period cap (daily, weekly, monthly), and an overall validity period. VRPs ride on Faster Payments rails, settle in seconds, and have none of the chargeback baggage of cards.
VRPs are the closest thing UK Open Banking has produced to a card-on-file replacement. Card-on-file lets a merchant charge any amount at any time — the customer trusts the merchant not to overcharge, and the card network's chargeback rules are the safety net. A Direct Debit lets a payee pull any amount, with notice, under the Direct Debit Guarantee. A VRP sits between the two: the customer pre-agrees the rules, the bank enforces them, and the consent can be revoked at any time from inside the customer's banking app.
Two flavours: Sweeping VRP and Commercial VRP
There are two kinds of VRP in the UK, and the distinction matters because the rules and the costs are different.
Sweeping VRP covers payments between accounts that the same person owns — moving money from a current account to a savings account, or to an offset mortgage, or to pay a credit card balance. The CMA9 banks (the nine largest UK retail banks) were ordered by the Competition and Markets Authority to support sweeping VRP free of charge, and they went live with it in summer 2022. If you're using a money management app that automatically sweeps spare cash into a savings pot, that's running on sweeping VRP.
Commercial VRP (sometimes called "non-sweeping VRP" or just "cVRP") covers everything else — paying a subscription, topping up a wallet, paying a utility bill on a variable amount, settling a buy-now-pay-later instalment. Commercial VRP isn't covered by the CMA order, so banks can charge for it, and they're rolling it out commercially under separate bilateral agreements. Pay.UK and the Joint Regulatory Oversight Committee (JROC) are working on a multilateral framework to make cVRP a single standard rather than a patchwork of bank-by-bank deals — the pilot phase started in 2024 and a phased rollout is underway during 2025-2026.
How a VRP actually works
The setup looks like this. The payee (a merchant, a billing platform, an Open Banking provider) sends the customer to their bank's authentication flow — in-app, web redirect, or a deep link from the merchant's site. The customer sees the limits they're being asked to approve: "Up to £500 per payment, up to £1,500 per month, until 1 January 2028." They approve with Strong Customer Authentication — usually biometrics or a banking-app confirmation. The bank stores the consent, generates a consent ID, and hands that back to the payee.
From then on, every time the payee wants to take a payment, they call the bank's API with the consent ID and the amount. The bank checks the payment against the stored limits. If it fits, the bank moves the money over Faster Payments and the payment settles in seconds. If it doesn't fit — over the per-payment cap, over the monthly cap, outside the consent period — the bank rejects it. No charge, no exception, no chargeback flow.
The customer can cancel the consent at any moment from their banking app. They don't have to talk to the merchant. They don't have to go through a Direct Debit Guarantee claim. They just revoke it and the payments stop.
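The bank-side check described above can be sketched as follows; this is an added example, not code from the original page or from any bank or Open Banking specification. The names Consent, authorise and demo, the field names and the consent ID are hypothetical, and the example assumes the period cap resets each calendar month and that the consent end date is exclusive.

```python
from dataclasses import dataclass, field
from datetime import date
from decimal import Decimal

@dataclass
class Consent:
    # Hypothetical model of what the bank stores once the customer approves.
    consent_id: str
    per_payment_cap: Decimal
    monthly_cap: Decimal
    valid_until: date            # assumed exclusive: payments must be dated before it
    revoked: bool = False
    spent: dict = field(default_factory=dict)   # (year, month) -> total accepted

def authorise(consent: Consent, amount: Decimal, on: date) -> str:
    """Return 'ACCEPTED' or a rejection reason; only accepted payments use up the cap."""
    if consent.revoked:
        return "REJECTED: consent revoked"
    if on >= consent.valid_until:
        return "REJECTED: outside consent period"
    if amount <= 0:
        return "REJECTED: invalid amount"
    if amount > consent.per_payment_cap:
        return "REJECTED: over per-payment cap"
    period = (on.year, on.month)
    used = consent.spent.get(period, Decimal("0"))
    if used + amount > consent.monthly_cap:
        return "REJECTED: over monthly cap"
    consent.spent[period] = used + amount
    return "ACCEPTED"

def demo() -> list:
    # Constructed consent: up to 500 per payment, 1,500 per month, until 1 January 2028.
    c = Consent("consent-example-001", Decimal("500"), Decimal("1500"), date(2028, 1, 1))
    results = [
        authorise(c, Decimal("500.00"), date(2026, 5, 1)),
        authorise(c, Decimal("500.01"), date(2026, 5, 2)),   # one penny over the cap
        authorise(c, Decimal("500.00"), date(2026, 5, 10)),
        authorise(c, Decimal("500.00"), date(2026, 5, 20)),  # month total reaches 1500
        authorise(c, Decimal("0.01"), date(2026, 5, 21)),    # monthly cap exhausted
        authorise(c, Decimal("0.01"), date(2026, 6, 1)),     # new month, cap resets
        authorise(c, Decimal("10.00"), date(2028, 1, 1)),    # consent period has ended
    ]
    c.revoked = True   # customer cancels from their banking app
    results.append(authorise(c, Decimal("10.00"), date(2026, 6, 2)))
    return results

if __name__ == "__main__":
    print("\n".join(demo()))
```

Amounts are held as Decimal so that a cap comparison is exact to the penny, and a rejected request leaves the running monthly total unchanged.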
VRP vs Direct Debit
Direct Debit and VRP both let a payee pull recurring payments of varying amounts, but they're not the same thing.
With Direct Debit, the customer signs a mandate that authorises the payee to take any amount, at any time, as long as the payee gives advance notice (usually 10 working days for variable amounts). The customer's bank has no idea what's a reasonable amount — it can't tell the difference between a legitimate £200 energy bill and a £2,000 mistake. The customer's protection is the Direct Debit Guarantee, which gives them an immediate refund if the payment was wrong, and the bank then claws the money back from the payee.
With a VRP, the limits are baked into the consent and enforced by the customer's bank in real time. A payment that exceeds the limit doesn't happen in the first place, so there's nothing to dispute. There's no Direct Debit Guarantee equivalent because there's no equivalent need for one. Settlement is instant on Faster Payments rather than three working days on Bacs.
The trade-off is reach. Direct Debit works with every UK bank account. VRP works only with banks that have built the consent infrastructure, which today means the CMA9 for sweeping and a growing subset of those plus a few challengers for commercial.
Consumer protection
Payments made under a VRP fall under the Payment Services Regulations 2017 like any other Open Banking payment. The customer's bank is responsible for executing the payment correctly and for honouring the limits. If the bank pays out more than the consent allows, the bank is on the hook for the refund. If the merchant requests a payment within the limits and the customer later regrets it, that's a commercial dispute between customer and merchant — the bank's job is just to enforce the consent.
Authorised push payment (APP) fraud cover under the Payment Systems Regulator's new mandatory reimbursement rules (in force October 2024) applies to VRPs the same way it applies to other Faster Payments. If a customer is tricked into setting up a fraudulent VRP, the reimbursement framework treats it as an APP fraud claim.
Current state of UK adoption (May 2026)
Sweeping VRP is mature. Every CMA9 bank supports it and there are dozens of authorised Open Banking providers offering sweeping products — savings round-ups, automated debt repayment, offset mortgage sweeps.
Commercial VRP is moving but slowly. NatWest was the first CMA9 bank to launch commercial VRP at scale in summer 2023, with HSBC, Lloyds, and Barclays following on staggered timelines through 2024-2025. The JROC blueprint for a multilateral cVRP framework was published in 2024, with the first non-sweeping use cases (regulated utilities, government, financial services) targeted for live rollout during 2025-2026. By 2027, the expectation is that cVRP will be a generally available alternative to card subscriptions, but pricing models and bank coverage are still in flux.
For merchants considering VRP today, the realistic position is: sweeping use cases are production-ready, and commercial use cases are pilot-grade unless you're working with one of the specific bank partnerships that's already gone live.
Paytia's bank payments product is built on Open Banking, and Variable Recurring Payments are where it gets interesting for our subscription and recurring-billing customers. Today most Paytia clients who need a repeating bill take it on card via card-on-file recurring payments, which works but carries the usual card costs and chargeback exposure.
For merchants whose customers bank with one of the live commercial VRP banks, we can set up a VRP consent during the first interaction — over the phone using our agent-assisted flow, or via a Pay-by-Bank link sent by SMS or email — and then pull subsequent payments under that consent. No card details, no PCI scope on the recurring side, no chargebacks, and the customer gets to see and revoke the consent inside their own banking app. We're honest with clients about the bank coverage gap: VRP isn't a card replacement yet for every customer, but for the ones it does cover, it's cheaper, faster, and better for both sides.
Frequently Asked Questions
How is a Variable Recurring Payment different from a Direct Debit?
Both let a payee pull recurring payments of different amounts, but the limits sit in different places. With a Direct Debit, the customer trusts the payee not to overcharge, and the Direct Debit Guarantee gives them refund rights if something goes wrong. With a VRP, the per-payment, per-period, and total limits are pre-agreed by the customer and enforced by their bank in real time — a payment that breaks the rules simply won't happen. VRPs also settle in seconds over Faster Payments, whereas Direct Debits take three working days on Bacs.
How is VRP different from card-on-file?
Card-on-file stores a card credential and lets the merchant charge any amount whenever they need to, subject to network rules. The customer's safety net is the chargeback process. A VRP isn't a card at all — it's a consent stored at the customer's bank, with hard limits the bank enforces and a revocation control the customer can use from their banking app. There are no chargebacks because the payment either fits the consent or it doesn't happen.
Which UK banks support Variable Recurring Payments?
All nine CMA9 banks support sweeping VRPs (payments between accounts the same person owns) free of charge — they had to under the CMA's Open Banking order. Commercial VRPs (everything else) are being rolled out under separate bilateral agreements with NatWest, HSBC, Lloyds, and Barclays among the first to go live during 2023-2025. The Joint Regulatory Oversight Committee (JROC) is working on a multilateral framework so cVRP becomes a single standard rather than a patchwork.
Can a customer cancel a VRP without contacting the merchant?
Yes. The consent lives in the customer's banking app, and they can revoke it at any time without needing to email or call the payee. Once revoked, no further payments can be initiated under that consent. This is one of the practical reasons VRPs have stronger consumer-protection optics than card subscriptions.
Are VRPs covered by APP fraud reimbursement?
Yes. VRPs run over Faster Payments, and the Payment Systems Regulator's mandatory reimbursement rules for authorised push payment fraud (in force since October 2024) apply. If a customer is tricked into setting up a fraudulent VRP, the claim is handled under the APP reimbursement framework.