The Financial Conduct Authority’s (FCA or the ‘regulator’) latest communication on improving contactless payments has sparked a great deal of interest in the payments industry. The proposed approach involves a physical payment instrument (e.g credit/debit/prepaid card), a payment device (e.g point of sale terminal), and a payment/e-money firm or merchant acquirer, and the strong desire from a customer to purchase efficiently at the till.
On 14 March 2025, the FCA issued its engagement paper on potential changes to its rules on contactless limits to 'allow firms and customers greater flexibility and level the playing field with digital wallets'. The proposal aims to loosen the current regulatory rules governing its use via Art 11 of the SCA RTS exemption, which enables contactless payments to be made without an additional payer authentication (for example, without a PIN) for single contactless transactions of up to £100; and a cumulative total of £300 across several contactless transactions; or for not more than 5 consecutive contactless transactions. These regulations were originally put in place as a barrier to fraud if a card is stolen or misappropriated.
And so, increasing the contactless limits provides a change in the way we physically ‘tap’ for payments, hosting a seemingly small yet significant change to the speed and convenience of payments in a retail environment. The change couldn’t come at a better time for the UK economy. A new digitalised era has certainly emerged more so than ever since the pandemic with other international regulators trying to keep up with the growing pace of the instant spending culture.
With any efforts to enhance regulatory change comes the opportunity to explore how compliance controls would operate to support its use. So, what could the new changes mean for firms?
The key mission
Interestingly, in its payment assignment it seems that the Government is advocating for a more comfortable payments experience for families to make transactions without compromising security. For PSPs and Banks, they are provided with a choice on setting the default level of contactless limits (up to a specific amount) which can be adjusted during the customer journey if necessary – on the condition that firms achieve low rates of fraud.
The FCA has considered three options for amending their existing standards for contactless limits, which may include:
- Introducing a new risk-based exemption for in-person transactions
- Amending the limits in the existing contactless payments exemption
- Relying on the Consumer Duty following legislative change
Behind the scenes, each sub-proposal could impact the compliance exposure and changes in regulatory frameworks implemented by firms. But what if these concerns could help to reframe the ‘fraud narrative’?
Risk-based, or risk averse?
Empowering PSPs with a new ‘risk-based’ exemption to determine the level of contactless limits for each payment service user provides firms with more control in monitoring consumer profiles. The exemption literally enables firms to decide the ‘card tapping’ threshold to above or beyond £100 depending on how risky they consider the customer and their activity to be.
With this comes more intense fraud monitoring by firms to review abnormal spending or behavioural patterns of the payer – and to demonstrate the actuality of lower fraud rates. Quite an onerous approach for firms manually but with the right technology in place, it could be a job done better.
It must be noted that the additional exemption for in-person transactions would be modelled on the current Art 18 of SCA RTS for remote electronic payments (i.e. online transactions only). This enables PSPs to exempt higher value payments from SCA if it can identify decreased fraud rates below the FCA fraud reference rates in its transaction risk analysis (TRA).
The cynic in us may consider that a risk-based approach could cause an overhaul of legislative change possibly causing delay to the introduction of extended contactless limits. Ironically, this could have the effect of stalling any potential development of an innovative means of payment.
Clearly, any contactless change incurs a degree of flexibility on firms to develop their fraud prevention solutions by leveraging technology; but reading between the lines, it assigns greater “onus” on firms to develop the ‘right’ fraud response and steers them in the direction of A.I. to help with fraud monitoring. Improved data analytic feeds from integrated features in tech solutions builds a better, broader and bolder picture of contactless customer spending, and could help to catch a thief in its tracks.
Raising or leaving limits?
In its contactless rebuild, the regulator has considered two other changes:
1. Increasing the single limit from £200 to unspecified higher figures, driven by inflation and the cost of living for individuals and corporates, amongst other reasons for validating threshold changes.
This implies that the regulator is likely to regularly conduct their own market research on UK spending and its consequential effect on customer experiences.
2. Determining contactless limits on a ratio basis. It currently stands at 3:1 (£300 cumulative limit:£100 single limit), but increasing to a 10:1 ratio (£3,000 cumulative limit:£100 single limit) and even the consecutive limit to say 10 transactions.
This might be seen as potentially increasing fraud rates, and would require greater focus by PSPs to ensure that their prevention controls are in good working order.
For any induced change, the regulator would lean on its interpretation and dependency on data, whether its from their industry-wide initiative or individual information requests to firms.
Any changes by the regulator would be reviewed against Regulation 100 and 106A, PSRs 2017 to ensure all contactless adjustments are proportionate to the risks imposed by the service provided, the amount of transaction, its frequency of payment and the payment delivery channel. From this, it can be implied that if PSPs are given discretion to set their own contactless limits (within reason), it would cause a dynamic shift in their current risk appetite and customer outcomes.
Ultimately, any contactless limits designed by firms could impact on the consumer’s choice of firm in the market – if the data shows an inflexibility for firms to remove friction in the customer journey, it could deter customers from using their payment device. So, how does Consumer Duty play a role in contactless limits?
Consumer Duty helps or hinders?
In its proposal, the regulator has folded in the influence of Consumer Duty (the ‘Duty’) to measure the extent of consumer bias, exclusion and harm from using any imposed contactless privilege. With this in mind, the regulator should consider how extending contactless limits beyond £100 could impact current target audience trends for ‘responsible spending’ by the younger generation. It throws more onus on customers to manage their own risk when setting contactless limits themselves. This is where risk-based decisions on contactless restrictions and effective fraud prevention by PSPs truly drives ‘card tapping’ liberties.
Other Consumer Duty risks include the increased risk of card theft to criminals which cannot be helped unless technology providers invent a fingerprint detection solution for detecting unwanted fingerprints handling the card (!).
Nonetheless the proposal has questioned if the governance of contactless limits should sit under the Consumer Duty arm of protection or in the technical rule-making of Strong Customer Authentication (SCA) requirements.
The regulator considered the Duty’ oversight provided it with a liberal and flexible yardstick to measure the financial objectives of customers, to see if some would benefit more from higher or lower contactless limits. This would make more sense than solely confining the suitability of contactless limits to a set of bespoke technical rules to review its effectiveness; though it did consider that it could wait until a wider legislative reform of the SCA framework for a better understanding.
Seemingly, the sensible approach for the regulator would be to strike a fine balance on existing customer protection requirements against legislation on authentication levels, to ‘police’ any technological payment enhancement.
International league table – Is the UK still winning in innovation?
Promisingly, the UK has scored far ahead in its cross-border innovation race for improving contactless limits, particularly against its EU peers which certainly invites opportunity for British waters to partner further afield.
In the EU, its contactless limits remain the same with an individual limit €50 (£42), cumulative limit of €150 (£126) and consecutive limit on contactless payments of 5 transactions. Their future approach to contactless payment limits is likely to change as they currently review PSD2 and replace the SCA elements with a new payment services regulation.
Across the seas, the United States impose varying limits between PSPs in each state due to industry-set, rather than federal regulatory limits. Singapore follows suit and provides firms with freedom to dictate their own contactless limits. And so, removing that element of regulation opens up the competition barriers in payments and encourages more innovation for firms worldwide.
The UK has undoubtedly considered its footing in global payment systems carefully in its attempt to keep pace with its international neighbours. Perhaps it’s the stepping stone to stronger international open banking (OBIE) initiatives? It would certainly be the best way to navigate its ship…
How Cosegic can help
The new shake-up has certainly invoked a series of question marks for the payments and banking industry on the extent of future contactless limits. The regulator is making gradual space for digital innovation and movement which slots neatly into the Government’s new Payment Vision box.
While we wait to receive a FCA consultation paper on any revised standards, rules or guidance on the contactless limits, firms should openly think about the possibilities of widening contactless limits to their current offering. Firms should review the security and technology behind its authentication devices and fraud monitoring intelligence: Could you invest in an up-to-date system to manage evolutionary advancements with transactions? Have you reviewed your current fraud transaction volumes and values?
If you’d like to speak with Cosegic about any of the themes here, we’d be happy to engage with you.
Contact us
Related resources
All resources
Talking Regulation: PISCES and the rise of secondaries: unlocking liquidity in private markets
What’s the risk? Best practices for conducting a Financial Crime Risk Assessment
UK Fraud Landscape 2025: Insights for Payment Service Providers
Key considerations in implementing a possible motor finance consumer redress scheme