Blog article
See all stories »

Will Variable Recurring Payments kill direct debits?

The world of consumer banking received an innovation boost when the EU regulation PSD2 enforced the rails for Open Banking. This disruptive force offers new ways to streamline payments and is predicted by Juniper Research to handle more than $116 billion in global payment transactions by 2026.

Innovations such as Open Banking often have a domino effect, opening many opportunities: Open Banking, as a system, provides the underlying capability to create innovations. One disruptive force driven by Open Banking is Variable Recurring Payment (VRP). This new payment model looks to shake up the traditional recurring payments scene. But what is VRP, and can it make waves in the incumbent payments systems?

What is a Variable Recurring Payment?

Open Banking was originally part of the EU's PSD2 regulations, which set out the frameworks required to access customer data via APIs. The original specification for the Open Banking API standard was released in 2017. Since then, Open Banking and similar initiatives have become popular worldwide. 

Opening access to banking data to third parties has encouraged new players into the financial space, namely FinTech. Companies like Plaid and Truelayer act as a middle-layer TPP (third party provider), connecting the Open Banking rails. This offers eCommerce vendors a link to thousands of banks; this gives customers a way to pay for goods and even provide identity assurance using their KYC verified bank account.

Open Banking is behind the emergence of the Variable Recurring Payment or VRP. Under Open Banking, a Payment Initiation Service Provider (PISP) provides a service to facilitate access to a customer's bank account that is then used to transfer funds on the customer's behalf. A VRP uses a PISP to set up recurring payments under rules and constraints. This system differs from the traditional bank debit system that handles recurring payments: 

Under a direct debit system, the bank uses a 'pull method' where a business can request regular payments based on a pre-completed mandate set up by the bank customer.

A VRP uses a push-based model and differs in the mechanism used, i.e., Open Banking, with a centralized consent to pay mechanism. Importantly, this mechanism places the customer at the core of the transaction. 

‘Sweeping’ is the first use case for VRPs.

What is ‘sweeping?’

NatWest is the first UK bank to offer VRP support for 'sweeping'. Many banks are expected to follow their lead. Sweeping facilitates automated account transfers, specifically between two accounts of the same name, e.g., from a savings account to a current account. This particular use case has been identified as a great application of VRP because the transfers are fast, cheap, and secure, compared to the expense of credit cards or direct debits.

However, currently, there is no consumer protection in place for Sweeping and fees are yet to be set. A report from the Competition and Markets Authority (CMA) looking into VRPs concluded:

“Respondents also raised points around the need for minimising and managing disputes over sweeping access going forward as well as points around consumer protection.

VRPs offer a great choice payment model as they provide the level of transparency and customer control expected by customers today.

Are VRPs the death knell for fixed recurring payments?

VRPs look set to change how funds are transferred, certainly in consumer models. Customers want seamless, cost-effective, and fast payment systems: this will drive competition in the financial sector, as evidenced in a recent Thales ​​survey that found that 38% of consumers would move to another bank for better services or rates.

Financial analyst and renowned guru David Birch, quoting Mike Kelly on the potential of VRPs, says, “Mike Kelly, who was the product lead for VRP, says that they have "huge potential to revolutionise finance" and he is absolutely correct.”

VRP uses the Faster Payments service, so fund transfers are near-real time. This is great for retailers. In addition, VRPs are fully digital, so no paperwork is needed, unlike a direct debit mandate. This saves the customer time and potentially reduces fraud and manual error risks at this juncture in the user journey.

VRPs are customer-centric, placing the control of finances in the hand of the consumer. The VRP system allows granular control with customers setting maximum payment amounts, consenting to regular payments, and being able to cancel payments instantly.

In comparison, credit cards and debit systems are slow and costly. But they are incumbent, with 175 million American consumers owning a credit card with cumulative debts of $825 billion. Having a credit card is expensive for all involved, with the credit card companies pulling in vast sums of money. Customers and retailers actively want reduced costs and faster transfer speeds. VRPs offer a viable alternative to credit cards and debit payments that fulfil both needs.

Is the VRP system secure?

Open Banking uses a superset of OIDC that implements FAPI (Financial-grade API), which provides many extra security features compared to the standard OIDC flows. In addition, the Open Banking protocol includes several security features that help to secure transactions:

  • Access control using digital signatures on any request made and on all tokens used in the system.
  • mTLS (Mutual Transport Layer Security) is used to prove to the server where the request comes from.
  • To ensure trust, the Open Banking directory issues certificates to any organization wishing to participate in an Open Banking-based service.

 Are VRP payments open to fraud?

The CMA survey pulled out fraud as a possible issue in the VRP model of fund transfer: “One respondent said that sweeping to accounts which do not have the capability to sweep back in the event of fraud or error is problematic as there is a lack of suitable dispute resolution process should that occur.

Another point in the paper was that “Others queried the benefit of FSCS protection on the basis it does not cover erroneous or fraudulent payments.

Cybercriminals are already targeting the faster payments system that VRPs utilize. An FATF report, Opportunities and Challenges of New Technologies for AML/CFT” points out that faster payments provide opportunities for faster cybercrime, with the short transfer windows allowing criminals to fly under the radar. The report recommends the use of intelligent technologies to catch fraud events in real-time.

A 2021 consultation from the Open Banking Implementation Entity (OBIE) exploring VRPs and Sweeping points out several notes on fraud in a VRP ecosystem:

  • A TPP (third party provider) should use a mechanism, such as to assure the identity of the owner of the destination account. This will help reduce the risk of APP (authorized push payment) fraud and misdirection fraud.
  • TPPs may not have mechanisms to check the link between a card and a specific account during a card-based Sweeping transaction.
  • Confirmation of Payee (CoP) checks are lacking in current Sweeping systems making VRP susceptible to fraud.

 Variable Recurring Payments have been called a gamechanger in banking and retail. The need for seamless, cost-effective, consented, and controllable payments is a no-brainer. But this cannot be at the cost of increased opportunities for fraudsters. The VRP ecosystem has several moving parts, each of which could add a vulnerability to the ecosystem.

Using faster payments also adds to the burden of anti-fraud checks by requiring that a VRP-based transaction is checked quickly and in real-time. Variable Recurring Payments offer innovation in banking that can help banks and FinTechs build new business models and better customer experiences. But it must have the same levels of anti-fraud checks and balances to ensure that this disruptive force is one for good and not bad actors.

 

9475

Comments: (5)

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 26 October, 2022, 11:25Be the first to give this comment the thumbs up 0 likes

I get that the amount taken out will be according to pre-agreed limits (say £0-100) but I'm keen to know how the exact amount of a given payment (say £47, not £89) is decided at run time: (1) Is it manually entered by payor just before each payment is due? (2) Is it submitted by payee to bank for each payment? (3) Is it submitted upfront by payee to bank for all payments during the agreed tenure of the VRP mandate?

Can you please throw some light on this specific aspect of VRP? Thanks in advance.

Also, since bill amount is variable from one month to another, utility bill payment seems to be tailor-made for VRP but I've never heard of this use case in the context of VRP. 

Melvin Haskins
Melvin Haskins - Haston International Limited - 27 October, 2022, 08:58Be the first to give this comment the thumbs up 0 likes

As a user I can see no difference between a VRP and a Variable Amount Direct Debit, particularly for utilities, which vary month by month. VADDs have been in use for 40 years or more in the UK and for about 15 years in the US. They work perfectly, so what is the point of VRPs. 

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 27 October, 2022, 09:50Be the first to give this comment the thumbs up 0 likes

True dat.

In India, the Consumer / Payor has full control over the new UPI / eNACH autodebit instrument in terms of cancelling it anytime on bank website unlike the old ECS mandate for autodebit that required the payor to contact the merchant to make any changes. In that context, I can see why the new direct debit instrument is better than the old direct debit instrument for the Consumer.

Whereas, in UK, memory serves, I could go to bank website and cancel / modify the old direct debit mandates anytime. So VRP doesn't seem to provide any additional functionality for the Consumer / Payor.

I suspect VRP has some additional value proposition for the Merchant / Biller that is not widely talked about.

Melvin Haskins
Melvin Haskins - Haston International Limited - 27 October, 2022, 14:011 like 1 like

Ketheraman, you are quite right. In the UK you can cancel a VADD at any time by just contacting your bank. The same is true in the US. As a result, as a consumer, I cannot see any difference whatsoever.

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 27 October, 2022, 14:24Be the first to give this comment the thumbs up 0 likes

@MelvinHaskins +1.

Hope the OP will enlighten us!

Now hiring