Search
Choose a style
Dark
Light
Time to read: 4 min

Contactless limits are gone. The responsibility isn’t.

The FCA lifts its £100 cap on contactess payments
The FCA lifts its £100 cap on contactess payments. Image crefit: Shutterstock

Removing the £100 cap is the right call. But what’s really changed today isn’t what you can spend, it’s where the risk now sits

Louis Thompsett
Louis Thompsett, Payment Expert News Editor

For years, the UK’s £100 contactless card payment limit did two jobs.

The obvious one was capping how much damage a stolen card could do before a PIN was needed. The less obvious one was that it removed the need for banks to make any real-time risk judgment on contactless transactions at all.

The limit was the control, there was nothing else for banks to decide on the matter.

The latter is what is changing tomorrow (19 March), as by lifting the £100 contactless limit, the Financial Conduct Authority (FCA) has, in effect, given banks a new risk assessment responsibility as well as flexibility over spending thresholds. Every contactless transaction now needs to be evaluated against a bank’s own fraud controls, not signed off by a number in the rulebook.

Lifting the cap is broadly the right move, I think. The limit, which I’m sure many remember, started at just £10 in 2007. It has been raised several times since, and the anticipated fraud wave which was predicted each time never showed up. The cumulative PIN controls – triggered after consecutive taps or once spending hits £300 – were always doing more of the protective work than the single transaction cap anyway. 

And keeping a fixed national ceiling when Apple Pay and Google Pay have operated without one for years was becoming harder to defend, even though a smartphone does have more wallet protections than a physical one. 

I suppose what’s most interesting to me is what the cap lift eventually tells us about the industry. Up until now, the £100 limit was a shared floor; whether a PSP, acquirer, or merchant, each entity had to work from the same baseline. In that sense, nobody was disadvantaged by having a weaker fraud infrastructure when it came to contactless payments.

The banks that raise their limits or remove them entirely are effectively making a public statement about their contactless payment fraud capabilities. They’re confident they have adequate controls to mitigate any fraudulent activity on stolen cards. 

In this way, the £100 cap removal reinforces a growing trend that fraud capability is becoming a commercial differentiator. If you’re a payment service provider (PSP) today that can demonstrate robust controls, that’s typically a big thumbs-up for merchants who are thinking about where liability lands if something goes wrong at the checkout. 

A growing Consumer Duty responsibility

The Consumer Duty angle is worth mentioning too. Any firm which does raise its limits has to communicate that clearly to its customers, which means they have to think about whether raising its limits is appropriate for its customer base. I can imagine players like Monzo or Revolut, who know their customer bases are digital (being digital banks), may be more confident of raising the limit. They can rely on the knowledge that the vast majority of their customers will receive instant push notifications and alerts if something goes wrong. 

Most banks, though, particularly among the CMA9, have said they’re keeping the £100 limit for now, so there won’t be much practical change. UK Finance has said terminal infrastructure across most retailers needs updating first before higher limits can even be processed, so there will be a way to go before any shift can be expected. In that sense, today is less a starting gun and more a statement of direction in reality.

But the direction is important, and one to keep an eye on in the future. The FCA has been fairly open that this is part of a broader shift, in which it hopes to enforce fewer prescriptive rules, and impose more reliance on firms to deliver the right outcomes themselves. The old uniform cap meant nobody had to declare their hand on fraud capability. Now, whether you move or stay put in the long run, you may be saying something about where you stand.

Subscribe to our newsletter