Bank customers who have cancelled a lost or stolen contactless card may no longer have to check months or even years of statements for signs of fraud, after the regulator announced new measures to tackle a major security flaw following a MoneySavingExpert.com investigation.
In a key victory for MSE's six-month campaign on the issue, the Financial Conduct Authority (FCA) has promised Parliament it will clamp down on the vulnerability, and has outlined what it now plans to do to reduce the risk of post-cancellation fraud and help victims.
In a letter to the Treasury Committee, FCA chairman John Griffith-Jones said he'd agreed to tackle the issue because "public confidence could be eroded without further action". While the FCA hasn't given any firm timescales, industry body the UK Cards Association told us it expects measures to be in place "by the end of June".
The move comes after an MSE investigation last September revealed lost or stolen contactless cards can be used for fraudulent spending, months after they've been cancelled. Since then we've been campaigning on the issue – we raised it directly with the FCA and our article was cited when questions were asked in Parliament on the issue.
Why contactless cards are vulnerable
For a full explanation of how lost or stolen cards can be used by fraudsters after cancellation, read our investigation. But in brief, the issue arises because shops sometimes process lower-value transactions 'offline'. This means they don't immediately check with your bank when a payment is made on your card, so cancelled cards may not receive the instruction from the bank to stop working.
Contactless cards are particularly at risk of being used after cancellation because you don't need to enter a PIN each time you use them. The cards do stop working eventually, due to a number of industry-wide security measures – but this can be months or even years after cancellation. One MoneySaver discovered his Halifax cards were used to make a series of fraudulent contactless purchases eight months after cancellation.
There are differences between how banks, building societies and credit card companies deal with such fraud – some take proactive steps to warn customers or block payments, while others make it the customer's responsibility to spot the fraud, running the risk it could go undetected.
What the regulator is doing
In his letter to MPs, released today but dated 2 February 2017, Griffith-Jones revealed the FCA is already working with the card and banking industries to:
- Remove any onus on customers to identify fraudulent transactions
- Bring in technical improvements to reduce the likelihood of post-cancellation contactless fraud
- Make the option of having a non-contactless card more visible during card-issuing
- Improve communication with customers at the time of cancellation
- Provide clarity to customers on the clearing times for contactless payments
- Raise awareness of the Industry Hot Card File – a digital record of over 7.2 million lost, stolen or compromised UK cards, which is checked by retailers whenever a card is processed 'online' rather than 'offline'
The letter also reveals that Visa, the UK's largest card-operating scheme, is planning to introduce changes to eliminate this type of fraud. Visa told us it's "bringing all contactless transactions online this year" and this will make it "easier to immediately stop all transactions on a card if it is compromised".
The FCA's refused to specify what technical improvements it's looking at to reduce the risk of post-cancellation fraud. One option could be requiring more contactless payments to be made 'online'. Another could be to insist banks stop automatically debiting payments made on cancelled cards.
Richard Koch, head of policy at the UK Cards Association, told us: "The industry is not complacent and measures to address issues affecting a small number of contactless cards will be implemented by the end of June."
Writing exclusively for MSE today, FCA chief executive Andrew Bailey says: "This is an issue that we at the Financial Conduct Authority take very seriously. While there are controls in place and the overall risk is low, we have been urgently working with card schemes and banks to ensure this issue is fixed."
MSE's view: 'We now need to see practical measures'
Steve Nowottny, news and features editor at MoneySavingExpert.com, said: "It's welcome news that the FCA is finally taking action to tackle this shocking security flaw, six months after MoneySavingExpert.com's investigation revealed the scale of the problem.
"If a credit card is lost or stolen and you cancel it, you'd normally assume it can no longer be used. Most cardholders would be gobsmacked to hear they're still at risk of contactless fraud months after cancellation – and the policy some banks have of automatically debiting your account after a cancelled card is used, and not checking whether you made a purchase, is hard to justify.
"The regulator's right to warn this is a public confidence issue as well – with contactless cards now commonplace, it's vital that consumers can trust that they are secure. We now need to see what practical measures the FCA and credit card providers put in place to close this loophole – but today's announcement is a step in the right direction."
'Current chaotic system needs reform'
Leading members of the Treasury Committee also welcomed the FCA's measures – and acknowledged MSE's role in exposing the problem.
Committee chairman Andrew Tyrie MP said: "As things stand, in order to mitigate the risk of fraud, customers are expected to comb through their bank statements months after they have instructed their banks to block their lost or stolen cards. That seems unreasonable.
"The package of measures to resolve this problem, which the FCA proposes in their letter to the committee, is welcome. One of the FCA's operational objectives is to 'secure an appropriate degree of protection for consumers'. The committee will do what it can to hold the FCA to it."
Fellow committee member Rachel Reeves MP added: "The current chaotic system needs to be reformed to minimise the risk to consumers of fraudulent transactions. Bank customers must have full confidence the system works and that their money is safe. That's not the case at present."