Saeed Patel, Group Director at Eastnets
The world of consumer banking received an innovation boost when the EU regulation PSD2 enforced the rails for Open Banking. This disruptive force offers new ways to streamline payments and is predicted by Juniper Research to handle more than $116 billion in global payment transactions by 2026.
Innovations such as Open Banking often have a domino effect, opening many opportunities: Open Banking, as a system, provides the underlying capability to create innovations. One disruptive force driven by Open Banking is Variable Recurring Payment (VRP). This new payment model looks to shake up the traditional recurring payments scene. But what is VRP, and can it make waves in the incumbent payments systems?
What is a Variable Recurring Payment?
Open Banking was originally part of the EU’s PSD2 regulations, which set out the frameworks required to access customer data via APIs. The original specification for the Open Banking API standard was released in 2017. Since then, Open Banking and similar initiatives have become popular worldwide.
Opening access to banking data to third parties has encouraged new players into the financial space, namely FinTech. Companies like Plaid and Truelayer act as a middle-layer TPP (third party provider), connecting the Open Banking rails. This offers eCommerce vendors a link to thousands of banks; this gives customers a way to pay for goods and even provide identity assurance using their KYC verified bank account.
Open Banking is behind the emergence of the Variable Recurring Payment or VRP. Under Open Banking, a Payment Initiation Service Provider (PISP) provides a service to facilitate access to a customer’s bank account that is then used to transfer funds on the customer’s behalf. A VRP uses a PISP to set up recurring payments under rules and constraints. This system differs from the traditional bank debit system that handles recurring payments:
Under a direct debit system, the bank uses a ‘pull method’ where a business can request regular payments based on a pre-completed mandate set up by the bank customer.
A VRP uses a push-based model and differs in the mechanism used, i.e., Open Banking, with a centralized consent to pay mechanism. Importantly, this mechanism places the customer at the core of the transaction.
‘Sweeping’ is the first use case for VRPs.
What is ‘sweeping?’
NatWest is the first UK bank to offer VRP support for ‘sweeping’. Many banks are expected to follow their lead. Sweeping facilitates automated account transfers, specifically between two accounts of the same name, e.g., from a savings account to a current account. This particular use case has been identified as a great application of VRP because the transfers are fast, cheap, and secure, compared to the expense of credit cards or direct debits.
However, currently, there is no consumer protection in place for Sweeping and fees are yet to be set. A report from the Competition and Markets Authority (CMA) looking into VRPs concluded:
“Respondents also raised points around the need for minimising and managing disputes over sweeping access going forward as well as points around consumer protection.”
VRPs offer a great choice payment model as they provide the level of transparency and customer control expected by customers today.
Are VRPs the death knell for fixed recurring payments?
VRPs look set to change how funds are transferred, certainly in consumer models. Customers want seamless, cost-effective, and fast payment systems: this will drive competition in the financial sector, as evidenced in a recent Thales survey that found that 38% of consumers would move to another bank for better services or rates.
Financial analyst and renowned guru David Birch, quoting Mike Kelly on the potential of VRPs, says, “Mike Kelly, who was the product lead for VRP, says that they have “huge potential to revolutionise finance” and he is absolutely correct.”
VRP uses the Faster Payments service, so fund transfers are near-real time. This is great for retailers. In addition, VRPs are fully digital, so no paperwork is needed, unlike a direct debit mandate. This saves the customer time and potentially reduces fraud and manual error risks at this juncture in the user journey.
VRPs are customer-centric, placing the control of finances in the hand of the consumer. The VRP system allows granular control with customers setting maximum payment amounts, consenting to regular payments, and being able to cancel payments instantly.
In comparison, credit cards and debit systems are slow and costly. But they are incumbent, with 175 million American consumers owning a credit card with cumulative debts of $825 billion. Having a credit card is expensive for all involved, with the credit card companies pulling in vast sums of money. Customers and retailers actively want reduced costs and faster transfer speeds. VRPs offer a viable alternative to credit cards and debit payments that fulfil both needs.
Is the VRP system secure?
Open Banking uses a superset of OIDC that implements FAPI (Financial-grade API), which provides many extra security features compared to the standard OIDC flows. In addition, the Open Banking protocol includes several security features that help to secure transactions:
- Access control using digital signatures on any request made and on all tokens used in the system.
- mTLS (Mutual Transport Layer Security) is used to prove to the server where the request comes from.
- To ensure trust, the Open Banking directory issues certificates to any organization wishing to participate in an Open Banking-based service.
Are VRP payments open to fraud?
The CMA survey pulled out fraud as a possible issue in the VRP model of fund transfer: “One respondent said that sweeping to accounts which do not have the capability to sweep back in the event of fraud or error is problematic as there is a lack of suitable dispute resolution process should that occur.”
Another point in the paper was that “Others queried the benefit of FSCS protection on the basis it does not cover erroneous or fraudulent payments.”
Cybercriminals are already targeting the faster payments system that VRPs utilize. An FATF report, “Opportunities and Challenges of New Technologies for AML/CFT” points out that faster payments provide opportunities for faster cybercrime, with the short transfer windows allowing criminals to fly under the radar. The report recommends the use of intelligent technologies to catch fraud events in real-time.
A 2021 consultation from the Open Banking Implementation Entity (OBIE) exploring VRPs and Sweeping points out several notes on fraud in a VRP ecosystem:
- A TPP (third party provider) should use a mechanism, such as to assure the identity of the owner of the destination account. This will help reduce the risk of APP (authorized push payment) fraud and misdirection fraud.
- TPPs may not have mechanisms to check the link between a card and a specific account during a card-based Sweeping transaction.
- Confirmation of Payee (CoP) checks are lacking in current Sweeping systems making VRP susceptible to fraud.
Variable Recurring Payments have been called a gamechanger in banking and retail. The need for seamless, cost-effective, consented, and controllable payments is a no-brainer. But this cannot be at the cost of increased opportunities for fraudsters. The VRP ecosystem has several moving parts, each of which could add a vulnerability to the ecosystem.
Using faster payments also adds to the burden of anti-fraud checks by requiring that a VRP-based transaction is checked quickly and in real-time. Variable Recurring Payments offer innovation in banking that can help banks and FinTechs build new business models and better customer experiences. But it must have the same levels of anti-fraud checks and balances to ensure that this disruptive force is one for good and not bad actors.
