November 15, 2022
Three principles for driving VRP adoption in the UK
Variable Recurring Payments (VRPs) have the potential to disrupt the recurring payments market. They offer consumers more control, more choice, and more security compared to direct debits and card payments. Businesses benefit from increased speed, greater certainty of success, and the ability to customise VRPs, allowing for improved user experience.
However, Plaid’s engagement with industry stakeholders highlights that some outstanding questions need to be addressed if we want merchants and consumers to adopt this payment method. These include questions around dispute resolution, payment security, and certainty, as well as the cost efficiency of VRPs relative to other payment methods.
In response, today, we published a report, Three principles for incentivising the adoption of Variable Recurring Payments (VRPs), which aims to set a foundation for future discussions on unlocking the potential of VRPs.
What are VRPs?
VRPs are similar to direct debits in that they allow payment initiation service providers (PISPs) to initiate recurring payments on behalf of consumers. The difference is that they enable consumers to approve transactions that vary in amount month-to-month within specific parameters that the customer controls.
VRPs for sweeping use cases (e.g., “me-to-me” payments), such as moving excess funds to a savings account, have been mandated by the Competition & Markets Authority (CMA). Commercial VRPs encompass a wider set of use cases, such as moving money to or to top-up a third-party account, paying for goods and services on a recurring basis, managing active subscriptions, and paying recurring bills such as utilities instead of relying on direct debits, among other use cases.
Direct debit and card payment risk
VRPs are less risky than direct debits and recurring card payments, which we explore in more depth below. Although direct debits and recurring card payments are familiar, and therefore, trusted methods of payments in the UK, there are risks associated with these payment types:
Loss of privacy: With VRP, the payer (a consumer) retains control of all of their sensitive financial information. Only the name and the amount to be paid is shared with the payee, such as a utility company. In contrast, direct debits require consumers to hand over their name, bank account number, and sort code. For recurring card payments, consumers are required to share their sixteen-digit card number, card verification value (CVV) number, expiry date, home address, and, if the payment is made online, email address and phone number. Merchants need to store this information in order to initiate future payments. In the wrong hands, this information can be used to set up fraudulent payments.
Data breaches: Third-party data breaches or phishing scams are the main channels through which malicious actors get access to and use customers’ financial information to make fraudulent remote purchases. Some actors also use “digital skimmers” - malicious code added to a retailer’s website at the checkout - to steal sensitive information. With VRPs, payees such as merchants will not need to store sensitive financial information, limiting fraudsters’ capacity to steal this information.
Fraud: Strong Customer Authentication (SCA) is performed during the setup of a VRP to minimise the risk of a fraudulent transaction. There is no SCA for setting up direct debits, and it is only required for higher-value or higher-risk e-commerce transactions when cards are used. Fraud rates for cards are 29 times higher than for account-to-account payments, such as VRPs, while some banks warned customers about criminals using their sensitive financial information to set up fraudulent direct debits.
Failed payments: 8 percent and 8.4 percent of direct debits and card payments respectively failed in 2020. VRPs use the Faster Payments Scheme which is instantaneous and significantly less likely to fail.
The risks associated with recurring card payments and direct debits have cost implications for the running of payment infrastructures, which firms need to recoup. These include investing in preventative measures to combat fraud and other financial crimes, investing time and other resources investigating when a payment goes wrong, and reimbursing consumers or merchants.
All of these factors suggest that VRPs have lower structural costs compared to direct debits and recurring card payments. However, given the novelty of VRPs, there are some outstanding questions about how they will be implemented in practice. For example, industry stakeholders raised questions about dispute resolution, payment security, and certainty, as well as the cost efficiency of VRPs relative to other payment methods. In response, we propose three principles as a foundation for shaping future discussions.
Principle 1: Build based on a push, not a pull payment framework
VRPs are a “push” payment mechanism: consumers are in control of the relevant payment parameters such as the date the payment is deducted, the number of payments, and the minimum and maximum values for the payment. The payee (such as a utility company) does not have access to the consumer’s sensitive financial information. In contrast, direct debits and recurring card payments require consumers to hand over their sensitive financial information so that the payee, such as the utility company, can initiate “pull” payments on the consumers’ behalf.
As a result, consumer protection frameworks were built for the risks inherent in recurring card payments and direct debits, which are not appropriate for VRPs. Adopting these frameworks wholesale risks raising the cost of providing this payment method, without recognising that VRPs offer more secure and less risky methods of payment. Any future changes to consumer protection frameworks need to ensure they are cost-effective and proportional to the risks involved in the payment.
Principle 2: Cap CVRP issuer fees, similar to the interchange fee for cards, and ensure they are free for the consumer
We believe that CVRP issuer fees should be capped, similar to card payments, to avoid banks charging fees that discourage businesses and consumers from adopting this payment method. Banks should benefit economically as they play a key role in bringing VRPs to life. However, we believe VRPs should be free for consumers and there should be an issuer fee cap on transfer pricing (10bps) to encourage adoption and avoid a value hold-up by issuers. Our previous research estimated that businesses could save £1.5 billion annually in payment processing fees by capping CVRP at 10 basis points.
Principle 3: Create a thin rulebook for VRPs that is enforced by an industry-agreed entity.
We advocate for creating a thin rulebook between ASPSPs, PISPs, and the relevant entity that takes over after the Open Banking Implementation Entity (OBIE). This would create a foundation for a common approach to key issues such as disputes and liability, which would build consumer and merchant trust in VRP, thereby boosting adoption. This rulebook should be enforced by the future entity, which would build further trust in VRPs by ensuring fair outcomes, while also increasing competition in the payments market.
Unlocking the value of open banking payments
Over the next few months, the Joint Regulatory Oversight Committee (JROC) will focus on growing the UK’s leadership of open banking, while the Strategic Working Group (SWG) of JROC has been tasked with convening expert panels to discuss priorities such as unlocking the future of open banking payments - such as VRPs.
At the same time, the UK government is taking further action to improve the safety and security of payments. For example, Confirmation of Payee and SCA requirements for e-commerce both came into effect in March 2022. There are also new proposals to tackle authorised push payment (APP) fraud.
The combined influence of these fora, as well as the increased regulatory scrutiny of existing payment methods, offers a unique opportunity to drive the adoption of VRPs as an alternative payment method to direct debits and card payments in the UK.