Consent guidelines for VRP mandates

You need to inform your users and gain their consent in your mandate authorisation flow.

If you are not regulated for payment initiation services under PSD2 in the UK or EU, then you must display some additional information in your payment journey. This page sets out what you need to include in your flow for either payments or mandates.

For all of the information on this page, for either payments or mandates, be aware of the following points:

  • All mandatory information you need to include in your flow is clearly identified by the word must.
  • The wording can be added in any format, but must remain clear and visible to your customers.
  • Your payment journeys require approval by TrueLayer before you can test in production and go live.
  • Your payment journeys must not be changed without TrueLayer’s prior approval.
  • TrueLayer will help you create the best experience for your customers, so contact us if you need it.

If you need approval when you develop a payment journey, or when you change an existing payment journey, raise a ticket with our Client Operations team. Include a copy of your customer's payment journey, ensuring it covers the end user's consent and the payment confirmation.

VRP mandate journey and consent

With consent for VRP mandates, there are two main parts of the authorisation flow you need to consider, and TrueLayer has strict requirements you must follow for each. These are:

  • Consent before mandate creation, and in turn, payment initiation: Pre-consent.
  • Consent after mandate creation: Post-consent.

Pre-consent requirements for mandates

Before they create a VRP mandate with their bank, the user must consent to TrueLayer initiating payments on their behalf. The following steps advise you on how to gain user consent.

1. Clarify the mandate constraints

You must tell your user the details of the payment mandate you're asking them to authorise. This means you must clearly and explicitly inform them of the following information, including the constraints you specify in the TrueLayer API at mandate creation:

  1. The currency for any payments made through the mandate.
  2. The maximum amount that can be paid through the mandate over a time period.
    For example, you can set a maximum amount that can be paid per day, week, month, half-year, or year.
  3. The payee account name.
  4. The payee account identification details.
    For example, account number and sort code, roll number, or full IBAN.
  5. The mandate expiry date.
    This can be ongoing, or a specific date.
  6. A reference.

2. Tell the user the account the money's going to

You must tell the end user the details of the account that money will be paid to through the mandate. This includes an account name, sort code and account number, or equivalent.

We recommend that you make the account name understandable. For example, if you're making a sweeping transaction from a Lloyds account to a Barclays account, we advise you to make the account name Your Barclays Bank Account.

3. Tell the user the account the money's coming from

In most situations, you will allow the user to select the account they will pay from with their bank. This means you only need the user to select which bank they want to pay with.

However, in some situations you may want to pre-select the account that the user will pay from. This could be because you’ve verified the account previously with the Data API, or you’ve collected the user’s bank details previously.

If you pre-select the account that payments on the mandate will be made from, you must tell the user which account you have pre-selected for them.

4. Be clear about why you're making payments

You must be clear with the user about why the mandate is being set up, as we have an obligation to treat customers fairly. You must tell the user what you are using this mandate to make payments for. If you go outside of that scope, you must explain again to the user why you are making payments.

We expect that this text will be specific to your use case. For example, in the case of paying off a credit card, you could say:

We need your permission to set up a Variable Recurring Payment in order to pay off your credit card account.

5. Display the Terms of Service and Privacy Policy

You must display the Terms of Service and Privacy Policy of the regulated entity that is making payments.

If that entity is TrueLayer, the Terms of Service and Privacy Policy are ours. If you are regulated in your own right, they should be yours.

We suggest you say:

By continuing you are permitting TrueLayer to initiate payments from your bank account on behalf of [CLIENT_NAME]. You also agree to our End User Terms of Service and Privacy Policy.

The links to the TrueLayer Terms of Service and Privacy Policy pages change depending on the language, regulatory area, and whether you're in the UK or the EU.

UK, in English:

EU, in English:

EU, in German:

EU, in Spanish:

EU, in French:

6. Tell the user they're transitioning to their bank to take an action

This is an optional step we recommend in your VRP mandate authorisation flow. You should say:

“We will securely transfer you to {Your banking provider} to authenticate”

Post-consent requirements for mandates

After your user has authorised a VRP mandate, your flow must include the following steps.

1. Show the returning user mandate confirmation

You must let the user know whether their mandate setup has been successful or unsuccessful when they return to your domain.

You must also re-state the parameters that define the payment mandate the user set up (you clarified these as the first step pre-consent).

  1. Be clear with the user about the payment mandate you've created, and how much they can/should pay. You must include:
    1. Maximum amount of money taken per {{time window}} (e.g. month/week).
    2. Maximum amount per payment.
  2. Tell the user the account the money is going to.
  3. Tell the user the account the money is coming from.
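The pre-consent disclosure (step 1 of the pre-consent requirements) and the post-consent confirmation above must present the same mandate constraints. The following added example, which is not TrueLayer's code, renders the disclosure from a constraints record and flags any field where a confirmation screen drifts from what the user consented to. The field names and the sample values are assumptions, not the TrueLayer API schema.

```python
from dataclasses import dataclass, asdict
from typing import List, Optional

# Time periods the page lists for the per-period maximum.
PERIODS = ("day", "week", "month", "half-year", "year")


@dataclass(frozen=True)
class MandateConstraints:
    """Assumed representation of the constraints set at mandate creation."""
    currency: str
    max_per_period: int        # minor units, e.g. pence
    period: str                # one of PERIODS
    max_per_payment: int       # minor units
    payee_name: str            # e.g. "Your Barclays Bank Account"
    payee_identifier: str      # sort code/account number, roll number or IBAN
    expiry: Optional[str]      # ISO date, or None for an ongoing mandate
    reference: str


def _money(currency: str, minor: int) -> str:
    return f"{currency} {minor / 100:.2f}"


def render_pre_consent(m: MandateConstraints, client_name: str, purpose: str) -> str:
    """Build the explicit consent text covering every mandatory item."""
    if m.period not in PERIODS:
        raise ValueError(f"unsupported period: {m.period}")
    lines = [
        f"Purpose: {purpose}",
        f"Currency: {m.currency}",
        f"Maximum {_money(m.currency, m.max_per_period)} per {m.period}",
        f"Maximum {_money(m.currency, m.max_per_payment)} per payment",
        f"Paying to: {m.payee_name} ({m.payee_identifier})",
        f"Expires: {m.expiry or 'ongoing'}",
        f"Reference: {m.reference}",
        f"By continuing you are permitting TrueLayer to initiate payments "
        f"from your bank account on behalf of {client_name}.",
    ]
    return "\n".join(lines)


def confirmation_mismatches(consented: MandateConstraints,
                            confirmed: MandateConstraints) -> List[str]:
    """Fields where the post-consent confirmation differs from the consent screen."""
    a, b = asdict(consented), asdict(confirmed)
    return sorted(k for k in a if a[k] != b[k])


# Constructed sample values (placeholders, not real account details).
SAMPLE = MandateConstraints("GBP", 50000, "month", 20000, "Your Barclays Bank Account",
                            "sort code 00-00-00, account 00000000", None, "CARD-PAYOFF")
# A confirmation that drifted from what the user consented to.
DRIFTED = MandateConstraints("GBP", 60000, "month", 20000, "Your Barclays Bank Account",
                             "sort code 00-00-00, account 00000000", None, "CARD-PAYOFF")
```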

2. Send the user an email or SMS confirming their payment instructions

Upon successful VRP mandate setup, you must send the end-user an email or SMS that confirms their payment instructions. This email must re-state the details in the explicit consent screen prior to mandate authorisation.

  1. Be clear with the user about the payment mandate you've created, and how much they can/should pay. You must include:
    1. Maximum amount of money taken per {{time window}} (e.g. month/week).
    2. Maximum amount per payment.
  2. Tell the user the account the money is going to.
  3. Tell the user the account the money is coming from.
  4. Be clear about why you are making payments.
  5. Display the Terms & Conditions and Privacy Policy.

You must also include TrueLayer’s FAQ on Variable Recurring Payments. This is the link for the FAQ:

https://truelayer.zendesk.com/hc/en-us/sections/5263390255249-Variable-Recurring-Payments-VRP-End-User-FAQ

You must also make it clear that the user can cancel the mandate with either you or the bank, signposting how to do so.

3. Allow the user to view their mandate details and revoke it in your UI

You must allow the user to view and revoke their mandate in your app or website's user interface.

This means you should re-state the information included in the explicit consent screen prior to VRP mandate authorisation.

  1. Be clear with the user about the payment mandate you’ve created, and how much they can/should pay.
  2. Tell the user the account the money is going to.
  3. Tell the user the account the money is coming from, or let them select it with their bank.
  4. Be clear why you are making payments.
  5. Display the Terms of Service and Privacy Policy.
  6. Include the mandate reference.

You should also provide the user with a clear mechanism for revoking their mandate, and inform TrueLayer when the user requests their mandate be revoked.