Demo #18 · VRP · UK CMA9 · EU PSD3 · SEPA VRP · BaaS + Processors Hubs

Sweep window timeline Three regime profiles @ainumbers.co/vrp-mandate-v1

One mandate. Every recurring debit. The runtime obeys the window.

Compose a Variable Recurring Payment mandate the agentic runtime enforces on every recurring debit attempt. Configure the sweep window (period, day-of-month, hour-of-day), per-period and per-transaction caps, idempotency policy, the allowed beneficiary set, and SCA exemption thresholds — aligned with UK CMA9 commercial VRP (live), EU PSD3 (finalised 2024), and the SEPA VRP rulebook (2023). Visualise the resulting permitted-window timeline; export the mandate the bank-side validator will read on every PISP call.

Zero PII · Client-side UK CMA9 commercial VRP went live 2024–25; PSD3 / PSR apply from 2026–27 Last Reviewed · 2026-05-13

CMA9 · PSD3 · SEPA VRP — three converging tracks

UK CMA9 commercial VRP launched in 2024–25 following the OBIE's multi-step rollout from sweeping VRP (2022) to non-sweeping commercial use cases. The EU PSD3 package (Directive (EU) 2024/886 + the Payment Services Regulation) was finalised in 2024, with applicability from 2026–27 — it formalises "Multi-Step Payment Initiation Services" that include VRP-like mandates. The SEPA VRP rulebook (EPC, 2023) sets the euro-area baseline for VRP execution. All three regimes converge on the same control points: maximum amount per period, per-transaction ceiling, allowed-beneficiary scope, SCA application — and all three require the mandate to be machine-readable by the bank-side validator.

Sources: OBIE / OBL commercial VRP roadmap · Directive (EU) 2024/886 · EU 2024/PSR (PSD3 successor) · EPC SEPA VRP rulebook 2023 · FCA / PSR Guidance on VRP

Value at risk · enforcement & customer-dispute exposure

PSD3 administrative penalties up to ~10% of annual turnover · unauthorised-payment refunds default to the bank under PSR 2017

Under PSD3 / PSR the administrative-penalty ceiling is set at up to 10% of the annual turnover for systematic breaches (Article 96 successor regime). Under UK PSR 2017, the bank carries the refund burden on unauthorised payments — every VRP debit that escapes the mandate's bounds is a candidate dispute. A machine-readable mandate the bank-side validator can re-evaluate on every PISP call — and that the runtime cannot silently relax — is the operational artifact that turns "policy in the PSP's terms" into "policy at the rail."

Directive (EU) 2024/886 · EU PSR (PSD3 successor) Art. 96 · UK PSR 2017 reg. 76 (refund) · OBIE / OBL VRP standards · EPC SEPA VRP rulebook

§1 · Regime & Scope UK CMA9

Primary regime & merchant scope

The regime sets default field expectations and the bank-side validator's reference rulebook. The merchant scope drives which exemption regime applies (sweeping VRP is consumer-initiated; commercial VRP is merchant-driven).

VRP variant

§2 · Sweep Window Period · DoM · HoD

When the runtime is permitted to act

Period defines how often the mandate cycles. Day-of-month constrains within longer periods; permitted hour-of-day constrains within the day. The runtime refuses any attempt outside the window.

Period Counter resets at end of period.

Day-of-month allowed (monthly+ only) Set 0 for any day; or specify a fixed DoM 1–28.

Permitted hour-of-day window (start) Runtime allowed to debit between this hour and end-hour.

06:00

Permitted hour-of-day window (end) Outside the window: refused.

22:00

Permitted-window timeline (24h)

§3 · Amount Caps Per period · per tx

Ceilings the runtime enforces

Maximum amount per period Aggregate ceiling within one period window. Runtime refuses if breach would result.

£10,000

Maximum amount per single transaction Per-debit ceiling. SCA may also be triggered above the exemption threshold.

£2,500

SCA exemption threshold Below this amount, SCA may be exempted under RTS 2018/389 Art. 16 (low-value). Above, SCA required.

£30

§4 · Idempotency & Beneficiary Anti-replay · scope

Replay protection & allowed counterparties

Idempotency-key policy

Allowed-beneficiary posture

Whitelist (synthetic IBAN / labels)

§5 · Mandate Preview @ainumbers.co/vrp-mandate-v1

AP2 output

Period ceiling

—

per period

Permitted window

—

24h

AP2 v1.0 · valid · @ainumbers.co/vrp-mandate-v1

Compose with

Pair with #24 — AP2 BaaS Infrastructure Mandate (the BaaS programme policy this VRP mandate operates inside) or #17 — Wallet Float Yield Estimator (sweeping VRP balances are themselves a wallet-float lever). The mandate this demo emits is consumable by #27 — Agentic Mandate Sandbox via custom-schema paste. Position: Tool Chain Composer, T93 / T11 in the Open-Banking cluster.