The FCA has launched a consultation on scrapping fixed limits for contactless card payments, proposing instead a risk-based model that would let providers set their own thresholds.
The UK’s Financial Conduct Authority (FCA) has opened consultation on a significant shift to the UK’s contactless rulebook.
Instead of hard regulatory caps, the regulator proposes a new, risk-based exemption in the Strong Customer Authentication technical standards that would let payment service providers decide when to allow a contactless transaction without a PIN if they judge it to be low risk.
Firms could still keep today’s limits or set their own, but the legal requirement to use fixed thresholds would go.

“We‘re seeing smarter payment technology and more well-established fraud controls, so it’s the right time to let firms tailor contactless payments to fit their customers’ needs and drive innovation, says David Geale, Executive Director of Payments and Digital Finance at the FCA.
“People are still protected; even with contactless, firms will refund your money if your card is used fraudulently.”
At the centre of the draft is a replacement to Article 11 of the SCA-RTS. The proposed text allows PSPs “not to apply strong customer authentication where the payer initiates a contactless electronic payment transaction identified by the payment service provider as posing a low level of risk,” subject to Article 2’s general obligation to operate robust transaction monitoring.
In parallel, the FCA would update its Approach Document to explain how firms might evidence “low risk,” including behavioural, spend-pattern and location signals. The transport-gate exemption in Article 12 would remain untouched.
This is not a free-for-all. Consumer protections do not change, and liability and reimbursement rules in the Payment Services Regulations continue to apply to unauthorised transactions. The FCA’s consumer-facing line also remain unambiguous: even with contactless, firms must refund you if your card is used fraudulently.
The regulator is also leaning on Consumer Duty in that it expects firms to consider vulnerable customers, to offer sensible controls such as optional personal limits or the ability to switch off contactless, and to communicate any changes clearly.
Why now?
The consultation forms part of the regulator’s pro-growth, digital-first package it flagged to UK Prime Minister Keir Starmer in January 2025. In the FCA’s telling, fraud controls and analytics have improved to the point where fixed contactless caps may be unnecessarily restrictive, and flexibility could support innovation without compromising safety.
The consultation closes on 15 October 2025.
“Fraud detection and prevention will have to continue to improve to make this work,” says Andy Brown, Head of Client Management and Commercialisation at Lloyds Banking Group.
UK Finance’s 2025 Annual Fraud Report puts contactless fraud at around 1.3p per £100 of spend, versus 6p per £100 across all unauthorised card fraud. Those ratios echo the FCA’s press brief and are integral to its case that contactless risk is already low by value.
The FCA has also modelled a deliberately conservative “what if” scenario to stress-test the policy. If providers raised the single and cumulative thresholds to £150 and £450 respectively, and if firms’ and fraudsters’ behaviour mirrored 2021, contactless fraud could increase by up to £31.3m a year over three years, a 131% uplift on the current contactless fraud rate.
The paper characterises that as a worst case, notes issuers’ reimbursement liability and financial incentives to keep fraud low, and points to the growth of strong-authenticated wallets as changing the market since the last uplift.
What changes day-to-day?
In 2015, the contactless limit in the UK was £30 – it is now £100 if you use a physical card. Payments made with mobile or wearable devices using digital wallets like Apple Pay or Google Pay can sometimes have different, potentially higher, limits than physical cards but this is dictated by a merchant’s individual contactless payment limit and the bank’s own limit.
The UK’s current limit is therefore the highest in Europe, but still less than Canada (C$250) and Singapore (S$200).
Legally, the fixed cap structure would be replaced with a risk-test anchored in Article 2 transaction monitoring.
Operationally, the authorisation logic, fraud models and “step-up” rules become the control point rather than the hard stop of a limit. The FCA’s draft guidance explicitly encourages firms to use real-time risk analysis analogous to what TRA does online.
It also clarifies that firms may still implement monetary, cumulative or consecutive-use limits if they choose, because simple limits are easily understood by customers and can help operationalise the low-risk test.
For transport and parking, nothing changes. Those flows will continue to rely on the Article 12 exemption, reflecting the practical reality that ticket gates do not support PIN entry.
Issuer product and risk implications
In the short term, the FCA itself expects most firms to leave the £100 single limit in place. Industry feedback to the earlier engagement paper showed there was little appetite to move the single limit immediately, with some openness to tweaking cumulative or consecutive controls, and a medium-term preference range of £150–£250 if the single cap ever moves.
That tempers expectations of rapid change on day one.
For risk teams, the proposal elevates model governance. They will need to evidence the “low level of risk” determination at the point of authorisation. The draft guidance suggests behavioural profiling and geolocation can be relevant factors and signals that rising contactless fraud rates could be a red flag that exemptions are being over-applied. Benchmarks and industry intelligence are encouraged.
Under Consumer Duty, if you change how you apply the exemption or your limits, you must check outcomes for different customer groups and consider offering customer-set personal limits or an opt-out from contactless.
Acquirer and merchant operations
There is a non-trivial merchant angle.
The FCA notes that many UK POS terminals are configured to decline contactless above £100, implying some reconfiguration costs if issuers and schemes move in different directions.
Acquirers should therefore expect a period where issuer-specific risk decisions produce more variability in decline reasons at the point of sale. Clear scheme rules and messaging will be vital to avoid customer confusion and to keep cashier training simple.
Scheme and wallet dynamics
The paper acknowledges market shifts since 2021, notably the increased use of mobile wallets that use on-device biometrics and are not constrained by a standard contactless cap. That context cuts both ways.
It supports the case that risk-based controls can safely accommodate higher values, but it also underlines that poor issuer controls will be punished by fraud. Some respondents also raised “online PIN” as a way to reduce friction while preserving SCA after a tap, a signal that schemes and issuers may revisit their chip, host and CVM configurations if the exemption changes.
“Alignment between mobile wallet’s and cards appears sensible so long as the additional checks and balances offered by phones can be present for cards,” says Brown.
The FCA proposes to bring changes into force immediately after making the instrument, with no transitional period, on the basis that firms can continue with their current limits while they adapt.
The scope would cover UK PSPs, Gibraltar firms serving the UK and firms in supervised run-off.