CMA letter marks significant step forward for payments industry

Posted on: 18 October 2021

Written by: John Burns

In July of this year, The Competition & Markets Authority (CMA) wrote a letter to the Open Banking Implementation Executive, which marked a significant step forward for the Payments industry by facilitating transfers between accounts held at different institutions. This is significant because it paves the way for the development of a personal and SME “treasury” style App, moving from advising customers where might be best for their money, to acting on behalf of customers and moving their money for them, helping them to get the best rates, and/or minimise charges.

In short, the letter from the CMA to Open Banking effectively mandates the use of Variable Recurring Payments (VRPs) for implementing sweeping. For those not au fait with the myriad of acronyms in payments, a VRP is an authorisation given to a firm with a Payment Initiation permission to access the client’s account with their Account Servicing Payment Service Provider (Bank, Building Society, E-Money Institution or, potentially Payment Institution), with something like an unspecified amount Direct Debit Mandate.

What is sweeping exactly? In the Open Banking Report on “Considerations when using VRPs for Sweeping Services” the definition of sweeping includes when “The transaction is between two accounts belonging to the same person or legal entity”.  The footnotes to the definition also state that “personal credit card accounts are valid destination accounts” and that “For the avoidance of doubt, it should be noted that the destination account may not have a unique sort code and account number… but a unique reference in the transaction will ensure the payment is applied to the correct customer’s account.”

What was in the CMA's letter?

The letter of 26 July 2021, specifically notes that:

“The Order should be understood in the context of the decision on remedies set out in the Final Report, whose aims include,facilitating the emergence on a large scale of new service providers with different business models offering innovative solutions to consumers and SMEs.”

It also notes that “there is no express limitation in the Order or the Final Report on the types of destination accounts for sweeping” and that “Sweeping is not limited to moving funds between low-interest current accounts… but to a range of products to the benefit of consumers.”

The possibilities for providers

The letter opens up the possibility that providers could:

  • Use Account Information Service permissions to view customer accounts with a number of different institutions;

  • Use Artificial Intelligence to identify where a customer’s funds can be best used to maximise interest returns and/or minimise interest charges and fees; and then

  • Use the VRP authorisation to make the necessary transfers

Such a service would clearly meet the stated aim of being an innovative solution to the benefit of consumers, and one can also see its attractions to small businesses.

Readers may have noted press coverage recently regarding frauds carried out on accounts at Barclays through a phishing scam, using a Payments Initiation Service Provider (‘PISP’). The FCA and Open Banking are clearly alert to the potential for fraud, and the Open Banking Report notes that, for consent to be valid:

In the FCA’s view, it must be “clear, specific and informed”.  In the context of VRPs, the PSU (customer) can be treated as having given explicit consent for each VRP Payment under a VRP Consent, provided that the following consent parameters are met:

  1. The payee is fixed;

  2. The number and/or frequency of payments is fixed (or capped); and

  3. Although the amount cannot be fixed in advance, there are clear parameters around the permitted value, such as maximum individual payment amount, maximum total value in a month or year etc.”

What's next?

The question of consent in some more innovative areas may mean that these parameters need tweaking where appropriate levels of consent can be seen to have been provided, but clearly, this is a key factor that needs to be got right to both protect the customer and inspire confidence in the providers.

At the time of writing, there are 118 Account Information Service Providers (‘AISP’) and 103 PISPs on the FCA Register.  While this development is still at the consultation stage, it seems that there is a fair wind behind it from the regulators, and a major opportunity for Fintechs to develop products of real and lasting value to customers.  However, given the extended authorisation timescales, we are currently seeing at the FCA, anyone thinking of operating such a service who is not already authorised would be well advised to get the process underway.

UPDATE as 16 November 2021

Disappointingly (but perhaps not surprisingly) the nine major banks mandated to provide the service have since told the CMA that they are unlikely to meet the original 31 January 2022 deadline, and the CMA has therefore agreed to push back the deadline to 31 July 2022.

The OBIE has put forward an amended timescale, accepted by the CMA under which, the nine largest UK banks will now need to share a detailed delivery plan for full capability with the OBIE by January 2022, start TPP testing and validation in the first quarter, and have had successfully completed testing of the VRP standard by July 2022.

While the delay is disappointing, it does leave time for greater consideration of the need to tweak the consent parameters proposed by the FCA as suggested above. 

John B

John Burns

John is one of the UK’s foremost compliance experts in payment services, and he is Senior Advisor in our Payment Services Practice.

Contact John

Related resources

All resources
iStock 479324890 Event

Payment Services Regulatory Compliance Forum 2025

iStock 1138124341 Event

Webinar: Operational Resilience – the final countdown

iStock 1065111748 Article

Managing reputational risk

iStock 1160915536 Article

FCA issues guidance on Payment Services Regulations 2024