# AI tells a UK fintech that Variable Recurring Payments (VRP) have no transaction limits, ignoring the CMA9 regulated maximum of £25,000 per payment under the Open Banking Standard

- **ID:** `banking/uk-open-banking-vrp-limit`
- **Domain:** banking
- **Category:** config_error
- **Error Code:** `OB-VRP-25000`
- **Verification:** ai_generated
- **Fix Rate:** 80%

## Root Cause

The CMA9 (Competition and Markets Authority) mandate for VRP under the UK Open Banking Standard (OBIE v3.1.8, 2023) caps each VRP payment at £25,000 for authorised push payments; this limit is enforced by ASPSPs (Account Servicing Payment Service Providers) per PSD2 regulatory technical standards.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| Open Banking Standard v3.1.8 | active | — | — |
| PSD2 Regulatory Technical Standards (RTS) | active | — | — |
| CMA9 VRP Mandate 2023 | active | — | — |
| OBIE VRP Implementation Guide v1.2 | active | — | — |

## Workarounds

1. **For payments above £25,000, use a one-off payment via the domestic payment API instead of VRP. Example: `POST /payments/domestic-payments { "amount": 30000, "currency": "GBP", "creditorAccount": { "accountNumber": "12345678", "sortCode": "12-34-56" } }`** (90% success)
   ```
   For payments above £25,000, use a one-off payment via the domestic payment API instead of VRP. Example: `POST /payments/domestic-payments { "amount": 30000, "currency": "GBP", "creditorAccount": { "accountNumber": "12345678", "sortCode": "12-34-56" } }`
   ```
2. **Split the large payment into multiple VRP payments under £25,000 each, spaced by at least 1 minute to avoid rate limiting. Example: `for i in {1..3}; do curl -X POST https://api.bank.com/vrp -d '{"amount": 20000, "currency": "GBP"}'; sleep 60; done`** (75% success)
   ```
   Split the large payment into multiple VRP payments under £25,000 each, spaced by at least 1 minute to avoid rate limiting. Example: `for i in {1..3}; do curl -X POST https://api.bank.com/vrp -d '{"amount": 20000, "currency": "GBP"}'; sleep 60; done`
   ```
3. **Contact the bank's Open Banking team to request a higher VRP limit for specific commercial agreements (possible for non-CMA9 banks or custom arrangements)** (30% success)
   ```
   Contact the bank's Open Banking team to request a higher VRP limit for specific commercial agreements (possible for non-CMA9 banks or custom arrangements)
   ```

## Dead Ends

- **** — Setting VRP limit to £50,000 in the consent request — the ASPSP rejects with error code 'OB-AMT-EXCEEDED' because the CMA9 cap is hardcoded in the bank's API (70% fail)
- **** — Using multiple VRP consents to bypass the limit — each consent still has the same £25,000 cap per payment, and cumulative daily limits may apply per PSU (50% fail)
- **** — Implementing VRP as a domestic payment via Faster Payments — Faster Payments has its own £1,000,000 limit but VRP is a separate payment type with different API endpoints and constraints (65% fail)