Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Open Banking isn’t just a buzzword anymore - it’s quietly reshaping how UK businesses accept payments. One of the most useful tools in that toolkit is Payment Initiation Services (PIS). In short, PIS lets customers pay you straight from their bank account, in real time, without cards. That can mean lower fees, fewer chargebacks and faster cash flow.
If you’re thinking about adding a “Pay by Bank” button at checkout, or you’re building a platform that triggers bank transfers on behalf of users, this guide is for you. We’ll explain how PIS works, when it makes sense, the key legal and compliance issues under UK law, and the contracts and policies you should have in place so you’re protected from day one.
What Are Payment Initiation Services And How Do They Work?
Payment Initiation Services (PIS) are regulated services that allow a third party (a regulated provider) to initiate a payment from a customer’s bank account to a merchant or another payee with the customer’s explicit consent. In the UK, PIS sits within the Payment Services Regulations 2017 (PSRs), which implemented PSD2 and, alongside the CMA’s Retail Banking Market Investigation Order 2017, underpin the UK Open Banking framework.
In practice, this looks like a “Pay by Bank” option on your checkout. When a customer chooses it, they’re redirected to their banking app to authenticate (usually with biometrics). Once they confirm, the payment is initiated via a secure API directly from their account to yours. You see immediate confirmation, and funds settle quickly between banks.
Two terms you’ll hear a lot:
- PISP: A “Payment Initiation Service Provider” - the regulated firm that actually initiates the bank transfer on the customer’s instruction.
- AISP: An “Account Information Service Provider” - they can access read-only data with consent. AIS is different to PIS but often offered by the same Open Banking provider.
Strong Customer Authentication (SCA) is built in. Because the customer authenticates with their bank using two factors (like device + biometrics), PIS can reduce fraud compared to some other methods. There’s no card number entry, and sensitive payment data doesn’t pass through your systems.
Is PIS Right For Your Small Business?
PIS can unlock value for a wide range of businesses - ecommerce, subscriptions, invoicing, marketplaces and B2B platforms. But it’s not a silver bullet. Here’s a straightforward comparison to help you decide.
Benefits Of Payment Initiation Services
- Lower costs compared to card acquiring - PIS often comes with flat fees per transaction rather than percentage-based interchange and scheme fees.
- Faster settlement and improved cash flow - payments clear quickly and you’ll usually see instant confirmation.
- Reduced chargeback risk - bank payments are not covered by the card schemes’ chargeback rules. Disputes still exist, but they run through your own refund and complaints process and are generally less frequent.
- Better conversion on mobile - bank app authentication is familiar to customers and avoids typing long card numbers.
- Good for high-value purchases - there are no card spending limits or scheme caps to contend with, although the payer’s own bank transfer limits still apply.
Limitations To Be Aware Of
- No Section 75 protection - customers paying by bank won’t have the Consumer Credit Act’s Section 75 rights that apply to credit card purchases costing between £100 and £30,000, so you should clearly explain your refund and complaints process.
- Recurring payments are evolving - variable recurring payments (VRP) are currently mandated only for “sweeping” (moving money between an individual’s own accounts). Commercial VRP is expanding, but availability varies.
- Customer trust and habit - many customers still prefer card payments. Offering PIS alongside cards or wallets gives choice and mitigates drop-off.
- Bank limits and outages - payers’ bank limits or downtime can impact completion rates. Good UX and clear fallbacks help.
As a rule of thumb, PIS works particularly well for invoice payments, B2B transactions, higher-value baskets, and marketplaces where card fees erode margins. For retail checkouts, consider offering PIS as an extra option rather than removing cards entirely.
Legal And Regulatory Basics You Should Know
Most small businesses won’t be offering PIS themselves - you’ll use a regulated provider. Even so, there are important legal points to understand so you choose the right partner and stay compliant.
FCA Authorisation And Due Diligence
PIS is a regulated activity under the PSRs. Any provider initiating payments must be authorised or registered by the Financial Conduct Authority (FCA) or be an EU firm with appropriate permissions and UK access arrangements. Before you integrate, carry out due diligence:
- Verify FCA status on the Financial Services Register.
- Review how the provider safeguards funds and manages operational resilience (even though PISPs don’t hold customer funds in the same way as e-money institutions, they still need robust controls).
- Check their incident response and customer support processes.
- Understand their approach to fraud monitoring and Confirmation of Payee (where relevant).
Strong Customer Authentication (SCA)
PIS relies on the payer’s bank applying SCA under the UK Regulatory Technical Standards (RTS) on SCA and Common and Secure Communication. Make sure your flows don’t create workarounds that undermine SCA. If the provider offers any exemptions or streamlined flows, confirm they are compliant.
Data Protection And Privacy
Open Banking is consent-driven. You should handle any personal data in line with the UK GDPR and the Data Protection Act 2018. As a merchant, you’ll at least be a controller for customer data in your systems, and you may engage your PISP as a processor for certain flows. Document roles and responsibilities clearly.
- Have a clear, user-friendly Privacy Policy explaining what data you collect, why, and who you share it with.
- Put a Data Processing Agreement in place with the PIS provider and any other processors handling personal data.
- If you set cookies or tracking for analytics around your checkout, publish a compliant Cookie Policy.
Consumer Law And Transparency
Even if you’re not regulated as a financial services firm, you must comply with general consumer law for your sales. The Consumer Rights Act 2015 and the Consumer Contracts Regulations 2013 require clear, upfront information about price, how to pay, cancellation or refund rights and complaint routes. Spell out how bank-transfer refunds are processed and typical timelines.
Liability And Complaints
Under the PSRs, if a payment initiated through a PISP is not executed correctly, the payer’s bank (the account servicing provider) must put the payer right in the first instance, and the PISP must then compensate the bank where the fault lay on the PISP’s side. In your own terms, make sure you:
- Clarify what happens if a payment fails or is delayed (e.g., no dispatch until confirmation).
- Explain how customers can raise complaints and how you’ll handle them within clear timeframes.
- Align your position with the PISP’s allocation of responsibility to avoid gaps.
Remember that Authorised Push Payment (APP) fraud is a growing risk in bank transfers. While PIS with SCA reduces some fraud vectors, have a clear process to investigate suspected fraud, and consider whether you will use Confirmation of Payee to help customers verify your account details wherever you present them for manual transfers.
Contracts And Policies To Put In Place
Good documents keep your risk under control and make your customer experience smoother. At minimum, you’ll want customer-facing terms that reflect your payment methods, and back-to-back protections with your provider.
Customer-Facing Terms
- Website Terms and Conditions - set out how customers use your site, payments you accept (including “Pay by Bank”), when orders are formed, and limits of liability.
- Privacy Policy - explain your lawful basis, retention periods and who you share data with (e.g. your PIS provider and banks).
- Refunds and cancellations - include clear wording consistent with consumer law and your logistics.
Supplier/Partner Agreements
- PISP Agreement - commercial terms with the provider covering fees, performance commitments, security, incident reporting, liability caps and termination.
- Service Level Agreement - define uptime targets, response times and service credits if the PIS goes down, to match the promises you make to your customers.
- Data Processing Agreement - ensure GDPR-compliant processing, sub-processor approvals and audit rights.
Platform And Technology Contracts
If you’re embedding Open Banking into your own software or marketplace, pair your user T&Cs with robust platform terms:
- SaaS Terms or Terms of Use - if you provide a platform where users initiate payments (e.g., property rent portals or B2B marketplaces), set out responsibilities, prohibited uses and payment flows.
- Developer contracts - if a third party is building the integration, use a clear Software Development Agreement to secure IP, milestones, warranties and support.
- Risk review - before you sign anything, a quick independent Contract Review can help ensure your liabilities and indemnities line up across all agreements.
Implementation Steps, Security And Best Practice
Rolling out PIS is part legal, part technical, and part customer experience. Here’s a pragmatic approach to keep it smooth and compliant.
Step 1: Choose The Right Use Case
Decide where PIS will add real value. For many small businesses, the best early wins are:
- Invoice payments via “Pay Now” links in email
- Checkout for high-value items, alongside cards
- Marketplace disbursements and vendor payouts (where supported)
Set a simple KPI: e.g., reduce payment costs by X%, increase checkout conversion by Y%, or cut average time-to-cash from Z days to near-instant.
Step 2: Due Diligence On Providers
Shortlist FCA-authorised providers and compare:
- Coverage of UK banks and success rates for your customer profile
- Fees (fixed vs variable), settlement notifications and reporting
- Support for features you need (refund initiation, partial refunds, VRP as it expands)
- Security certifications, incident history and roadmap
Step 3: Map Data And Update Policies
Map what personal data flows through your journey, who touches it and for how long. Update your Privacy Policy, publish a Cookie Policy if you use tracking around checkout, and sign a Data Processing Agreement with the provider.
Step 4: Update Customer T&Cs And Checkout Copy
Your Website Terms and Conditions should state that you accept bank payments via a regulated provider, when an order is confirmed, and how refunds are processed. In the checkout itself, keep it transparent:
- Make it clear that the customer will be redirected to their bank to approve the payment.
- Explain that they’ll get immediate confirmation after approval.
- Set expectations about delivery timelines triggered by payment confirmation.
Step 5: Build, Test And Secure
Work with your provider’s SDKs and API documentation. Before go-live, test for:
- Edge cases - partial refunds, payment failures, bank timeouts and user cancellations
- Reconciliation - ensure your order status changes only on confirmed payment events
- Security - keep API keys and webhook secrets out of source code, verify the provider’s webhook signatures before acting on an event, enforce least privilege on the integration’s credentials, and monitor logs for rejected or duplicated events
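The “Pay by Bank” flow described earlier (redirect to the bank, customer approves, merchant receives confirmation) and the reconciliation and security points in Step 5 meet in one place: the webhook handler that moves an order from “awaiting payment” to “paid”. The following is an added example written for this page, not code from Sprintlaw or from any PIS provider. The header names (`X-Signature`, `X-Signature-Timestamp`), the HMAC-SHA256 signing scheme, the status values and the sample events are all assumptions constructed for illustration; real providers differ, so map them to your provider’s documentation while keeping the same properties: signature over the raw body, a freshness window, idempotency by event id, and order status changing only on a confirmed event.

```python
import hmac
import hashlib
import json
from dataclasses import dataclass, field

# Assumption (not from the article or any real provider): the PISP signs the raw
# webhook body as HMAC-SHA256 over "<timestamp>.<body>" and sends the result in
# two headers, X-Signature-Timestamp and X-Signature. Constructed for this example.
WEBHOOK_SECRET = b"constructed-shared-secret-rotate-me"
MAX_SKEW_SECONDS = 300  # reject events whose timestamp is more than 5 minutes off

# Only these (assumed) provider statuses mean money has actually left the payer's
# account. "authorising"/"pending" mean the customer is still in their bank app.
CONFIRMED_STATUSES = {"executed", "settled"}
FAILED_STATUSES = {"failed", "rejected", "cancelled"}


@dataclass
class OrderStore:
    orders: dict = field(default_factory=dict)     # order_id -> status
    seen_events: set = field(default_factory=set)  # event ids already applied


def sign(timestamp: int, body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_signature(headers: dict, body: bytes, now: int) -> bool:
    """Check the MAC over the raw body and that the event is fresh."""
    try:
        ts = int(headers["X-Signature-Timestamp"])
        sig = headers["X-Signature"]
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False  # stale or future-dated: possible replay
    return hmac.compare_digest(sign(ts, body), sig)  # constant-time compare


def process_webhook(store: OrderStore, headers: dict, body: bytes, now: int) -> str:
    """Apply one webhook event to the order store; returns an outcome for logging."""
    if not verify_signature(headers, body, now):
        return "rejected: bad signature or stale timestamp"
    event = json.loads(body)
    event_id, order_id, status = event["event_id"], event["order_id"], event["status"]
    if event_id in store.seen_events:
        return "ignored: duplicate event"  # provider redeliveries must be no-ops
    store.seen_events.add(event_id)
    if store.orders.get(order_id) == "paid":
        return "ignored: order already paid"  # never regress a paid order
    if status in CONFIRMED_STATUSES:
        store.orders[order_id] = "paid"
        return "order paid; release for dispatch"
    if status in FAILED_STATUSES:
        store.orders[order_id] = "payment_failed"
        return "payment failed; offer retry or another method"
    return "no change: payment still in progress"


def make_event(event_id: str, order_id: str, status: str, now: int,
               secret: bytes = WEBHOOK_SECRET):
    """Build a constructed webhook (headers, raw body) as the provider would send it."""
    body = json.dumps({"event_id": event_id, "order_id": order_id, "status": status}).encode()
    headers = {"X-Signature-Timestamp": str(now), "X-Signature": sign(now, body, secret)}
    return headers, body


def demo():
    """Run constructed events through the handler; returns (store, outcomes)."""
    store, now, results = OrderStore(), 1_700_000_000, []
    # 1. Customer is still authenticating in the bank app: nothing ships yet.
    h, b = make_event("evt-1", "order-42", "authorising", now)
    results.append(process_webhook(store, h, b, now))
    # 2. Bank confirms execution: order becomes paid.
    h, b = make_event("evt-2", "order-42", "executed", now + 5)
    results.append(process_webhook(store, h, b, now + 5))
    # 3. Provider redelivers the same event: idempotency makes it a no-op.
    results.append(process_webhook(store, h, b, now + 6))
    # 4. Forged "executed" event signed with the wrong secret: rejected.
    h, b = make_event("evt-3", "order-43", "executed", now, secret=b"attacker")
    results.append(process_webhook(store, h, b, now))
    # 5. Genuine signature replayed an hour later: outside the freshness window.
    h, b = make_event("evt-4", "order-44", "executed", now)
    results.append(process_webhook(store, h, b, now + 3600))
    return store, results


if __name__ == "__main__":
    _, outcomes = demo()
    for line in outcomes:
        print(line)
```

The point of the design is that the order record can only move to “paid” on a signed, fresh, never-before-seen event carrying a confirmed status; pending events, redeliveries, forged or replayed messages all leave it untouched, which is exactly the reconciliation property Step 5 asks you to test for.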
If you rely on a third-party developer, lock in deliverables and support in a suitable Service Level Agreement or your development contract so fixes are prioritised if issues arise.
Step 6: Train Your Team And Launch
Make sure customer support and finance teams know the differences between PIS and card payments. Provide simple scripts that explain how bank payments work, how to verify payment confirmation, and what to do if a customer changes their mind before dispatch.
Security And Fraud Tips
- Display your legal entity name consistently so customers recognise it when they confirm in their bank app.
- Use Confirmation of Payee where you present account details for manual transfers.
- Keep a clear internal process for suspected APP fraud, including how to escalate to your provider and bank quickly.
- Document incidents and review controls periodically - this supports both GDPR accountability and your operational resilience.
Common Pitfalls To Avoid
- Over-promising about instant settlement - some banks have limits or delays. Promise confirmation, not guaranteed settlement times you can’t control.
- Leaving refund flows undefined - design and document how you’ll refund bank payments, including partial refunds.
- Not aligning contracts - if your PISP caps liability harshly but your customer terms don’t, you could be left exposed. Align caps, indemnities and SLAs.
- Ignoring VRP nuances - “recurring” via PIS is not the same as card continuous payment authority. Only offer VRP where the provider and banks support it, and get explicit consent.
Key Takeaways
- Payment Initiation Services enable secure, SCA-backed bank payments that can reduce fees, speed up settlement and cut chargebacks - great for invoices, high-value baskets and marketplaces.
- Work with an FCA-authorised provider and do basic due diligence on security, performance and support before you integrate.
- Update your customer-facing terms to reflect “Pay by Bank”, and underpin them with matched protections in your PISP contract and an appropriate Service Level Agreement.
- Stay compliant with privacy law: publish a clear Privacy Policy, sign a Data Processing Agreement and, if you use tracking, a compliant Cookie Policy.
- Design simple, transparent customer journeys - explain how bank payments work, when orders are confirmed and how refunds are handled.
- Align liability, refunds and SLAs across your customer terms and provider agreement, and consider a quick independent Contract Review before you go live.
If you’d like help drafting or reviewing your agreements and policies for Payment Initiation Services - or you want to sense-check your approach - you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.