# AI tells a UK fintech that Variable Recurring Payments (VRP) have no transaction limits, ignoring the CMA9 regulated maximum of £25,000 per payment - **ID:** `banking/vrp-cma9-limit` - **Domain:** banking - **Category:** protocol_error - **Error Code:** `OB-VRP-ERR-400-LIMIT` - **Verification:** ai_generated - **Fix Rate:** 80% ## Root Cause The UK's Competition and Markets Authority (CMA) mandates that VRP for the CMA9 banks (including Barclays, HSBC, Lloyds) has a per-payment limit of £25,000 under the Open Banking standard, enforced by the Payment Services Regulations 2017. ## Version Compatibility | Version | Status | Introduced | Deprecated | |---------|--------|------------|------------| | Open Banking Standard v3.1.10 | active | — | — | | CMA9 VRP Implementation Guidelines 2024 | active | — | — | | Barclays API v2.5 | active | — | — | ## Workarounds 1. **Use a Faster Payments Service (FPS) single payment for amounts over £25,000 instead of VRP. Example: `curl -X POST "https://api.bank.com/v1/payments" -H "Authorization: Bearer " -d '{"amount": 30000, "currency": "GBP", "payment_type": "FPS"}'`** (90% success) ``` Use a Faster Payments Service (FPS) single payment for amounts over £25,000 instead of VRP. Example: `curl -X POST "https://api.bank.com/v1/payments" -H "Authorization: Bearer " -d '{"amount": 30000, "currency": "GBP", "payment_type": "FPS"}'` ``` 2. **Set up multiple VRPs with staggered schedules (e.g., daily VRP of £25,000 and a separate weekly VRP for the remainder) using distinct consent tokens** (72% success) ``` Set up multiple VRPs with staggered schedules (e.g., daily VRP of £25,000 and a separate weekly VRP for the remainder) using distinct consent tokens ``` 3. **Migrate to a BACS direct debit for recurring payments above £25,000, which has no per-transaction cap but requires 3-day settlement** (85% success) ``` Migrate to a BACS direct debit for recurring payments above £25,000, which has no per-transaction cap but requires 3-day settlement ``` ## Dead Ends - **Split the payment into multiple VRP transactions under £25,000 each** — Banks flag multiple VRP payments within 24 hours as suspicious and block the account; also, VRP mandates require a single consent for recurring payments, not batch splitting (88% fail) - **Use a non-CMA9 bank to bypass the limit** — Non-CMA9 banks (e.g., Monzo, Starling) are not bound by CMA9 rules but have their own lower limits (£10,000 or less) under PSD2 SCA (82% fail) - **Request a manual override from the bank's relationship manager** — CMA9 limits are hard-coded in Open Banking APIs; manual overrides are not possible for regulated payments (95% fail)