A senior Labour MP has taken the fight against post-cancellation fraud on contactless credit cards to Parliament, vowing to work with the industry to "push for better security measures" for consumers.
It comes after a MoneySavingExpert.com investigation last September revealed that lost or stolen contactless cards can be used for fraudulent spending months or even years after they're cancelled, with banks unable to say when these criminal shopping sprees will end. The investigation sparked our ongoing campaign for banks to stop their cards working post-cancellation.
Rachel Reeves, a former Shadow Chief Secretary to the Treasury and now a member of the Treasury Committee, told MoneySavingExpert.com: "The industry should be looking to tackle this, especially given the high number of contactless cards in use and the fact that more and more transactions are contactless."
In a Treasury Committee meeting last month, Reeves quizzed industry regulators on the issue, and cited our story about one MoneySaver whose card was defrauded eight months after it was cancelled.
Addressing the chairman of the regulator, the Financial Conduct Authority (FCA), during the evidence session, Reeves said: "There was a customer recently who, eight months later, found out that his card was still being used.
"He phoned up the bank, which said the card could continue to be used until the expiry date on the card and that he should carry on checking his statements and let the bank know. Do you think that is acceptable?"
During the session FCA chairman John Griffith-Jones publicly acknowledged for the first time that the regulator is "actively looking at this [issue] with the banks to ensure that consumers are protected", and admitted: "It is an FCA responsibility to deal with contactless fraud of the sort that you are describing, and we take that seriously."
He then promised to write a letter to Treasury Committee chairman Andrew Tyrie about the issue.
Payment Systems Regulator managing director Hannah Nixon, also present at the session, told MPs: "I am absolutely aware of this problem. My understanding is it is an issue with the individual banks' IT setup." This mirrors MSE's own data which shows wide variation in how 15 different banks, building societies and credit card firms deal with this type of fraud.
In November 2016 MSE reported that the FCA had approached Lloyds Banking Group for information on this type of fraud – though at the time the regulator refused to confirm whether it was looking into the issue or had any plans to take action. Griffith-Jones's comments are the latest sign that the FCA may take action to protect consumers from this industry-wide problem.
Contactless card security flaw 'extremely worrying'
Speaking to MoneySavingExpert.com, Reeves said: "I first came across the issue of contactless fraud in my preparations for the Treasury Committee meeting with the Payment Systems Regulator and the Financial Conduct Authority, and I became aware of the case identified by the MSE investigation.
"You assume that if your card is lost or stolen you can cancel it and that's it – you don't have to worry about it anymore. Realising that because many contactless payments are offline it is still possible for people to use your card up until expiry, as highlighted in MoneySavingExpert's case study, was extremely worrying – especially given that banks don't even tell people that this can happen.
"Although banks will provide refunds, it seems unfair to place the burden on customers to check their account and apply for refunds rather than having an automatic refund mechanism. Many people are unaware of these issues.
"The industry should be looking to tackle this, especially given the high number of contactless cards in use and the fact that more and more transactions are contactless. I will continue to raise awareness of this issue and liaise with the Financial Conduct Authority and industry bodies in order to push for better security measures and a more customer-friendly refund process."
How is this fraud possible?
For a full explanation of how lost or stolen cards can be used by fraudsters after cancellation, read our full investigation.
But in brief, the issue arises because shops don't always immediately check with your bank when a payment is made on your card, so cancelled cards may not receive the instruction by the bank to stop working. Contactless cards are particularly at risk of being used after cancellation because you don't need to enter a PIN each time you use them.
The cards do stop working eventually, due to a number of industry-wide security measures built into the technology. However it's possible for cards to work months or even years after they're cancelled.
There are differences between how banks, building societies and credit card companies deal with such fraud; some take proactive steps to warn customers or block payments from debiting their accounts, others make it the customer's responsibility to spot the fraud.