Variable Recurring Payments: The Open Banking Billing Rail That Could Replace Card-on-File
VRP lets merchants pull variable amounts from customer bank accounts under a standing consent — no card, no interchange, no expiry failures. UK mandated sweeping VRP in 2022. Commercial VRP for merchants is rolling out through 2026–2027.
Sweeping VRP live in UK since 2022. Commercial VRP rolling out 2026–2027 across major UK banks. Near-zero MDR, no card expiry churn, no chargeback exposure. Consumer protection frameworks still being defined.
Card-on-file subscription billing has three structural problems that merchants have learned to live with: interchange that scales with revenue, card expiry that silently churns subscribers, and chargebacks that arrive months after the transaction. Variable Recurring Payments is not a fix for every merchant, but for the use cases it covers it eliminates all three simultaneously.
VRP is the open banking mechanism for recurring pull payments. A customer authenticates once with their bank, sets consent parameters, and from that point the merchant can collect payments against that consent without any further customer involvement. No card. No card network. No interchange. No card expiry. No chargeback mechanism. Settlement over Faster Payments in seconds.
The UK is the furthest along. Sweeping VRP has been mandated since January 2022. Commercial VRP — the version merchants actually need — is rolling out now. If you operate a subscription business with meaningful UK volume, this is the payment infrastructure change worth understanding in 2026.
What VRP Actually Is
VRP creates a standing mandate authorising a third party to pull variable amounts from a customer’s bank account within set limits. The key word is variable: unlike a fixed direct debit, the amount can change charge-to-charge within the consent boundaries the customer approved at setup.
The consent parameters a customer sets at VRP setup:
- Maximum single payment amount — the largest any single collection can be
- Maximum aggregate amount — total that can be collected over a period
- Frequency — how often collections can occur (daily, weekly, monthly)
- Merchant — who is authorised to collect
- Expiry — when the consent lapses
Within those parameters, the merchant can collect any amount, at any time, without the customer taking any action. This is what makes it practical for subscription billing: a SaaS product that charges £29/month fixed, £49/month variable (based on usage), or a top-up that triggers when account balance drops — all work under a single consent framework.
Sweeping VRP vs Commercial VRP
There are two distinct VRP categories and they are at very different stages of availability.
Sweeping VRP (sometimes called “me-to-me VRP”) moves money between accounts owned by the same person. The canonical use case: automatically transferring excess funds from a current account to a savings account when the balance exceeds a threshold, or topping up a current account from savings when it drops below a limit. Sweeping VRP has been mandated for all nine CMA9 banks since January 2022 and is live today. Any fintech building account management or cash flow tools can access it now.
Commercial VRP (third-party VRP) is what merchants need — the ability for a business to pull payments from a customer’s account. This is the subscription billing replacement use case. Commercial VRP has been operationally more complex to roll out: it requires commercial agreements between open banking PSPs, individual banks, and the merchant, plus consumer protection frameworks that regulators wanted defined before broad deployment.
As of mid-2026, commercial VRP is available bilaterally with several major UK banks via PSP partners (Volt, TrueLayer, Token.io, GoCardless Open Banking). Full CMA9 coverage — which would make commercial VRP accessible for the majority of UK current account holders — is targeted for late 2026.
How VRP Works in Practice
The payment flow has two phases:
Consent setup (one time):
- Customer selects “Pay by bank (recurring)” at checkout or in their account settings
- Customer is redirected to their bank’s authorisation screen
- Customer authenticates via SCA (biometric or OTP)
- Customer reviews and approves the consent parameters — maximum amount, frequency, merchant name, expiry
- Consent is stored at the bank; customer is returned to the merchant
Payment collection (recurring):
- Merchant determines a payment is due (subscription renewal, usage threshold, etc.)
- Merchant sends a payment initiation request to their open banking PSP, referencing the active consent
- PSP validates the request against the consent parameters (amount within limits? merchant authorised? consent not expired?)
- If valid, PSP initiates the payment over Faster Payments
- Funds arrive in the merchant’s account typically within 10 seconds
- Customer receives a push notification from their banking app
The customer is notified but takes no action. There is no authentication challenge on each collection — that was handled at consent setup. This is the structural difference from standard open banking payment initiation, which requires a full redirect and re-authentication for every single payment.
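The validation step in the collection flow (amount within limits, merchant authorised, consent not expired) can be sketched as follows. This is an added example, not code from any PSP or bank; the `Consent` model, the reason codes, the rolling-window treatment of the aggregate cap and the count-per-period reading of "frequency" are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from decimal import Decimal

@dataclass
class Consent:  # hypothetical model of the consent parameters listed above
    merchant_id: str
    max_single: Decimal
    max_aggregate: Decimal        # cap per rolling period (assumption: rolling, not calendar)
    period: timedelta
    max_count: int                # frequency, modelled as collections allowed per period
    expires_at: datetime
    revoked: bool = False
    history: list = field(default_factory=list)  # (time, amount) of accepted collections

def check_collection(consent, merchant_id, amount, now):
    """Return a reason code; the collection is recorded only when the result is 'ok'."""
    if consent.revoked:
        return "consent_revoked"
    if now >= consent.expires_at:
        return "consent_expired"
    if merchant_id != consent.merchant_id:
        return "merchant_not_authorised"
    if amount <= 0:
        return "invalid_amount"
    if amount > consent.max_single:
        return "exceeds_max_single"
    window = [a for t, a in consent.history if now - t < consent.period]
    if len(window) >= consent.max_count:
        return "exceeds_frequency"
    if sum(window, Decimal("0")) + amount > consent.max_aggregate:
        return "exceeds_max_aggregate"
    consent.history.append((now, amount))
    return "ok"

def demo():
    """Run constructed sample collections against one constructed consent."""
    t0 = datetime(2026, 6, 1, 9, 0, tzinfo=timezone.utc)
    day = timedelta(days=1)
    c = Consent("merchant-123", Decimal("50.00"), Decimal("120.00"),
                timedelta(days=30), 4, t0 + 365 * day)
    attempts = [("merchant-123", "29.00", t0),
                ("merchant-123", "75.00", t0 + 1 * day),
                ("merchant-999", "10.00", t0 + 2 * day),
                ("merchant-123", "49.00", t0 + 3 * day),
                ("merchant-123", "45.00", t0 + 4 * day),
                ("merchant-123", "45.00", t0 + 31 * day),
                ("merchant-123", "10.00", t0 + 400 * day)]
    return [check_collection(c, m, Decimal(a), t) for m, a, t in attempts]
```

Running the same check on the merchant side before submitting a collection avoids sending requests that would be rejected, and rejected attempts are worth logging as a signal of billing bugs or misuse of stored consent references.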
The Economics Compared to Card-on-File
For a UK subscription merchant processing £1M/month in recurring revenue, the cost comparison is direct:
Card-on-file (typical UK rates):
- Consumer debit: ~0.3–0.5% MDR
- Consumer credit: ~0.7–1.2% MDR
- Premium/rewards cards: 1.0–1.5%+ MDR
- Blended rate on a typical UK consumer mix: ~0.6–0.8%
- At £1M/month: £6,000–£8,000/month in card processing costs
VRP (Faster Payments via open banking PSP):
- Faster Payments transaction fee: typically £0.10–£0.20 per transaction
- Open banking PSP markup: varies by provider, typically small fixed fee
- At £1M/month with £30 average subscription: ~33,000 transactions × £0.15 = ~£5,000/month
- Effective rate: ~0.5% — but this includes fixed-cost economics that scale better at higher volumes
At £5M/month, the card blended rate is still ~0.7% (£35,000/month) while VRP economics improve because the per-transaction fixed cost amortises over larger average values. For high-value B2B subscription contracts (£500+/month), VRP is materially cheaper per pound processed than any card option.
Beyond MDR, the invisible card costs VRP eliminates:
- Card expiry failures: UK cards expire every 3–4 years; reissues cause billing failures that Account Updater partially catches. VRP consents are tied to the bank account, not a card number — they survive card changes automatically.
- Chargeback costs: No chargeback mechanism means no £20–£50 dispute fees, no chargeback ratio management, no representment overhead. For merchants with 0.5–1.0% dispute rates, this is meaningful cost avoidance.
- SCA conversion friction: The initial VRP consent setup involves one SCA step; all subsequent collections are frictionless. Compare to MIT card billing where EEA issuers can still trigger soft declines on renewal charges.
What VRP Does Not Solve
VRP is not a universal card replacement. The cases where card-on-file wins:
Card rewards preference: A meaningful segment of UK consumers prefers to pay subscriptions on rewards credit cards. VRP is debit-only — there is no rewards mechanism. Premium subscribers who value cashback or air miles will prefer card.
International subscribers: VRP is UK-specific. European subscribers need SDD or card; US/APAC subscribers have no VRP equivalent. Merchants with >50% non-UK subscriber base should not build their billing stack around VRP.
Consumer protection expectations: Cards come with well-understood chargeback rights. Some consumers and some merchant verticals (travel, high-value services) rely on chargeback as a consumer trust signal. VRP’s dispute resolution relies on bank complaints processes and the Financial Ombudsman — longer and less certain than a card dispute.
Instant merchant setup: Card-on-file works everywhere today. Commercial VRP requires an open banking PSP integration, active bank bilateral agreements, and consent setup flows. Implementation overhead is real.
VRP vs SEPA Direct Debit for European Merchants
If you have UK and EU subscription volume, VRP and SEPA Direct Debit serve the same structural need but with different mechanics:
| | VRP (UK) | SEPA Direct Debit (EU) |
|---|---|---|
| Settlement | 10 seconds (Faster Payments) | T+1 to T+3 |
| Consumer auth | SCA at consent setup | Mandate signature |
| Variable amounts | Yes — by design | SDD Core: fixed preferred |
| Refund right | Not standardised (FOS process) | 8 weeks no-questions |
| Consent management | Banking app | Merchant-held mandate |
| MDR | Near-zero | Near-zero |
For UK-only operations, VRP is structurally superior to SEPA — real-time settlement and native variable-amount support. For EU-only, SDD is the incumbent with more established consumer protection. For multi-market operators, both are worth integrating: they are complementary rails, not competitors.
Who Should Integrate VRP Now
Commercial VRP integration makes sense now if you meet all three criteria:
- UK subscription volume above £500K/month — below this threshold, the MDR savings don’t justify integration overhead and ongoing dual-rail maintenance
- High card expiry churn — if you’re seeing >2% monthly involuntary churn from card failures, VRP’s expiry immunity directly addresses the root cause
- Meaningful proportion of UK bank account holders — VRP requires a UK bank account; if your subscriber base is predominantly international, reach is limited
Merchants who should evaluate now: UK-focused SaaS, direct-to-consumer subscriptions (media, fitness, software), and any platform where card expiry is a documented churn driver.
PSPs offering commercial VRP access today: GoCardless Open Banking, TrueLayer, Volt, Token.io. Each has different bank coverage and pricing — check current availability before committing to an integration.
The Consent Management Question
One operationally underappreciated aspect of VRP: consent lives at the bank, not the merchant. This is different from card-on-file where the merchant (or their PSP) holds the stored credential.
Implications:
- Portability: A customer who switches banks needs to re-authorise VRP with their new bank. Consent does not follow the customer across banks automatically.
- Revocation: The customer can revoke consent from their banking app without contacting the merchant. Merchants need webhook notifications for consent revocation events and graceful billing failure handling.
- Expiry management: VRP consents have an expiry date. Merchants need consent renewal flows — prompting customers to re-authorise before expiry, without creating friction that drives churn.
These are solvable operational challenges, not blockers. But they require deliberate design in the customer-facing billing management experience. Build the re-authorisation flow before you need it.
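A merchant-side sketch of the revocation and expiry handling described above, as an added example rather than any PSP's API: the event shape, the `consent.revoked` type name and the 30-day renewal lead time are assumptions. It treats revocation as final, ignores redelivered webhooks, and lists consents that need a re-authorisation prompt.

```python
from datetime import datetime, timedelta, timezone

class ConsentStore:
    """Merchant-side mirror of consent status; the bank holds the real consent."""
    def __init__(self):
        self.consents = {}        # consent_id -> {"status": ..., "expires_at": ...}
        self.seen_events = set()  # event ids already applied (webhooks may be redelivered)

    def add(self, consent_id, expires_at):
        self.consents[consent_id] = {"status": "active", "expires_at": expires_at}

    def apply_event(self, event):
        """Apply one webhook event (hypothetical shape) and return the billing action."""
        if event["event_id"] in self.seen_events:
            return "duplicate_ignored"
        self.seen_events.add(event["event_id"])
        consent = self.consents.get(event["consent_id"])
        if consent is None:
            return "unknown_consent"
        if consent["status"] != "active":
            return "already_terminal"  # a late or replayed event never reactivates
        if event["type"] == "consent.revoked":
            consent["status"] = "revoked"
            return "stop_collections_and_notify_customer"
        return "ignored"

    def can_collect(self, consent_id, now):
        c = self.consents.get(consent_id)
        return c is not None and c["status"] == "active" and now < c["expires_at"]

    def due_for_renewal(self, now, lead=timedelta(days=30)):
        """Active consents expiring within `lead`: prompt these customers to re-authorise."""
        return sorted(cid for cid, c in self.consents.items()
                      if c["status"] == "active" and now < c["expires_at"] <= now + lead)

def demo():
    """Constructed sample: one revocation delivered twice, one consent near expiry."""
    now = datetime(2026, 6, 1, tzinfo=timezone.utc)
    store = ConsentStore()
    store.add("c-1", now + timedelta(days=200))
    store.add("c-2", now + timedelta(days=14))
    event = {"event_id": "e-1", "consent_id": "c-1", "type": "consent.revoked"}
    actions = [store.apply_event(event), store.apply_event(event)]
    return (actions, store.can_collect("c-1", now),
            store.can_collect("c-2", now), store.due_for_renewal(now))
```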
For how VRP fits into the broader subscription billing rail landscape, including UPI AutoPay in India, PIX Automático in Brazil, and SEPA Direct Debit in Europe, see Subscription Payments by Rail. The card-on-file mechanics that VRP partially replaces, including MIT flagging and Account Updater, complement rather than conflict with a VRP integration.
Sources
- Sweeping VRP mandated for CMA9 banks by January 2022 under Open Banking Limited roadmap
- Commercial VRP (third-party VRP) rolling out through bilateral agreements; full CMA9 coverage targeted late 2026–2027
- VRP settles over Faster Payments — typically under 10 seconds, 24/7/365
- PSD2 RTS exemption for merchant-initiated transactions — SCA not required when cardholder not present
- GoCardless open banking — VRP available for UK merchants with instant bank payment settlement
- TrueLayer VRP product — UK commercial VRP with Faster Payments settlement
- UK open banking monthly PISP transaction volume: approximately £1.5B as of 2025
- Card-on-file subscription MDR in UK: typically 0.3–1.5% depending on card type, acquirer, and volume