Payments and the UK government’s pro-growth agenda: FCA seeks feedback on potential changes to contactless limits

FCA contactless payment limits review: Balancing (fraud) risk and reward

The FCA’s engagement paper on the payments contactless limit is one of its short-term (ie implementable within the next 12 months) pledges under the government’s policy paper containing a three-point action plan for ‘A new approach to ensure regulators and regulation support growth’ (Action Plan) which has now also been published. The government has couched the Action Plan in terms of reducing uncertainty and complexity across the UK regulatory system as part of its wider pro-growth push. As we pointed out in relation to the recently announced plans for simplifying aspects of mortgage regulation – also in the context of the government’s growth agenda - for retail financial services this appears to herald an increasing reliance on Consumer Duty outcomes (see our article here). In the engagement paper, the FCA suggests that with legislative change and wider reform of the strong customer authentication (SCA) requirements for payments in the longer term, it could ‘seek to rely substantively on the Duty, instead of setting bespoke rules for contactless limits’.

The continuing move towards more principles-based financial services regulation could mean more regulatory risk ahead as regulatory boundaries become less clear cut. Tying in with the principles-based approach, firms should also expect increased supervisory activity from the FCA as it focuses more on ongoing monitoring to ensure good customer outcomes and less on enforcement action.

Some other points to bear in mind in relation to potential changes to the contactless limits are:

• The FCA lists the recent increase in use of digital wallets to make payments among the reasons why it’s looking at contactless limits. But digital wallets include added security measures like tokenization of card details and biometric authentication to reduce the fraud risk and so are fundamentally different to a contactless card transaction which just requires the card.
• Rapid improvements in technology – including security and fraud prevention measures – are also included as a reason for the current review. It is questionable whether technology is sufficiently advanced to be able to significantly increase or entirely remove contactless limits without the risk of causing a spike in the relatively lower levels of unauthorised payment fraud attributable to in-person contactless payments. However, the FCA suggests that one way to manage the risk might be to combine a higher single limit with a requirement on firms to apply a risk-based approach, ie being able to demonstrate low levels of unauthorised payments fraud with reference rates set by the FCA as with the current TRA exemption – although it is worth noting that the maximum transaction limit under the TRA exemption is currently £440.  
• The impact of any change on the wider payments ecosystem – and consequent potentially negative effects on the broader economic growth mission - would also need to be considered. For example, a higher or variable (by payment service provider - PSP) contactless limit would require updates to point-of-sale systems, and may result in  higher processing fees.

How can Hogan Lovells’ combined legal and consulting teams help?

Hogan Lovells’ depth and breadth of knowledge of the legal, regulatory and policy drivers affecting financial services means we can help you get a grip on events, navigate uncertainty and capitalise on opportunities to shape your regulatory and policy environment.

We have significant experience in supporting firms on regulatory change projects - from undertaking initial gap analysis work, project managing and supporting the implementation of a rolling program of enhancements and operational changes.

The combination of our legal and consulting teams provides you with a full range of services, and clear guidance on how the solutions can be applied within the business. If you would like to discuss how we can help you, please reach out to any of the people listed in this article or your usual Hogan Lovells contact.

Why is the FCA reviewing the contactless limits?

On 14 March 2025, the FCA published an engagement paper seeking feedback on potential changes to contactless payment limits. Currently, the limit is £100 per transaction or £300 across multiple payments (or no more than 5 consecutive contactless transactions) before authentication is required. The FCA explains that, for the purposes of the paper, contactless payments are payments that are made without additional payer authentication under this exemption (Article 11 of the Strong Customer Authentication Regulatory Technical Standards - SCA RTS).

The review has been expedited by the government’s pro-growth agenda, and the FCA makes reference to its secondary international competitiveness and growth objective. It suggests that enabling more contactless payments could have positive secondary impacts on growth, through smoother consumer payment journeys resulting in more sales and higher productivity. Innovation and broader growth across the economy could also be supported by additional spending and payments. The development of new payment methods or types of fraud prevention solutions could help stimulate growth and give UK payment firms a competitive edge on the international front. If changes are to be made, both the FCA and firms may need to substantiate whether, in fact, the difference between a contactless transaction and a PIN verified transaction will result in more sales.  For example, is there evidence of consumers deciding not to proceed with a purchase if they are asked to input their PIN? In practice, does the time difference between a contactless transaction and a PIN enabled transaction result in lower productivity?

The FCA cites several other reasons for its decision to review the current limits:

• Changes to consumers’ behaviour when making payments and merchants’ abilities to receive payments.
• Technology – including security and fraud prevention measures – is improving rapidly. 
• The recent increase in use of digital wallets to make payments, where consumers don’t have to enter a PIN on a payment terminal because they have already authenticated on their device (eg using a biometric), has led to a smoother consumer journey than using a physical card.
• Inflation has risen significantly since the contactless limits were last set in 2021, so the FCA believes that many grocery and petrol transactions may now exceed the £100 limit.
• Changes to the contactless limits were also identified as having the potential to ‘further optimise the UK consumer experience [for in-person spending]’ in the 2023 Future of Payments Review report. It highlighted the opportunity to move to a more outcomes-based regime while not increasing risk.

The FCA also points out that contactless payment fraud (ie where a contactless card is lost or stolen and then used by someone other than the cardholder to pay for goods and services at a payment terminal) is currently a small part of overall payments fraud, and a relatively small part of unauthorised payment fraud. It refers to UK Finance’s Annual Fraud Report 2024, which found that fraudulent contactless spend totalled £41.5m in 2023, amounting to an increase of 19% on 2022. This was out of a total unauthorised fraud value of £708.7m in 2023. The UK Finance report also states that ‘recent rises in contactless fraud have been increasing at a much slower pace than the expansion in transactions volumes and values, and the fraud to turnover ratio for contactless fraud remains below that for unauthorised card fraud overall.’  What will be difficult to judge is whether any changes in approach will result in changes to this pattern of fraud.  Whilst there is considerable stress within the engagement paper on firms taking a risk-based approach and on giving increased control to the consumer in setting their own limits, will this deter potential bad actors from targeting card theft in an environment where contactless transactions are subject to no or significantly higher limits? 

There is a brief comparison of international regulatory approaches, with the FCA noting that several jurisdictions do not set regulatory limits and some opt for industry-led limits. 

What about the FCA’s wider review of SCA under the National Payments Vision?

The FCA also sets out how this work fits in with its wider review of SCA in accordance with the 2024 National Payments Vision (NPV). The NPV reinforced the conclusions from the Future of Payments Review about the lack of flexibility of contactless limits as well as confirming the Government’s commitment to revoke the payments authentication regulations relating to SCA in the Payment Services Regulations 20217 (PSRs), enabling the FCA to incorporate aspects of the technical standards into its rules for more agile and outcomes-based rulemaking. 

The FCA is considering prioritising reforms to the contactless payments exemption under its existing regulatory framework before considering wider SCA requirements. However, it confirms that it aims to replace the current prescriptive SCA regime, as and when legislation allows. In the meantime, any changes it might make to contactless limits in the short term will be considered in the context of future changes to the wider SCA framework.

What potential options is the FCA presenting in the engagement paper?

The FCA thinks that the existing approach to contactless limits may not be the most effective for preventing fraud. Chapter 4 of the paper sets out a number of questions on specific aspects of how it might approach contactless limits in the future. It is looking for views on the following options for change (but also allows for the possibility of keeping things as they are):

Introducing a new risk-based exemption for in-person transactions

There is some implication that this could be the FCA’s preferred option. It explains that a new risk-based exemption could enable firms to set their own contactless limits for in-person transactions, provided they can demonstrate low levels of unauthorised payments fraud (which the FCA would set reference rates for). It considers this could be a ‘more outcomes-focused approach to regulation’ by enabling firms to manage their fraud risks flexibly while ensuring that firms achieve low levels of fraud. It also points out that there is precedent for this approach within the existing SCA RTS, under the Article 18 risk-based exemption for remote electronic payments (eg online transactions) where a PSP has conducted transaction risk analysis (TRA) although, as noted above, the TRA operates on the basis of transaction limits which are currently £85 to £440 depending on the reference fraud rate.

The FCA suggests that, under a new risk-based exemption for in-person transactions, combined with the Consumer Duty (which requires firms to take into account the different financial objectives of their retail customers), a range of approaches to contactless limits could be delivered in the market. Although firms will bear the brunt of any fraud losses, whether all consumers will take comfort from a risk-based approach may be questioned as some may see the potential for large transactions to be made in a short space of time – even in circumstances where any losses will ultimately be met by the firm and/or the retailer – as a risk not worth taking, especially when they can use a more secure digital wallet.  

Amending the limits in the existing contactless payments exemption

Options here could include:

• Removing the contactless limits altogether, allowing PSPs and consumers to set limits for each consumer in line with the PSP’s risk appetite, and in line with existing requirements, such as the Consumer Duty. However, as things currently stand, the FCA thinks that this would require legislative change;
• Increasing the single limit to £200 or more; or
• Amending or removing the cumulative and consecutive limits.

The FCA acknowledges that any changes to the limits themselves could create risks and it would need to assess any changes against the criteria in Regulation 106A of the PSRs. It suggests that one way to manage these risks might be to combine a higher single limit with a requirement to apply a risk-based approach.

Relying on the Consumer Duty following legislative change

The FCA is considering the relationship between the Consumer Duty and contactless limits, focusing on areas such as fraud prevention and catering to the needs of different groups of retail customers eg financially vulnerable or digitally excluded customers. If changes are made, firms will need to consider carefully how to deal with these customers. For example, defaulting to higher contactless limits may increase the risk of exploitation of some vulnerable customers in circumstances where the vulnerable customer is less able to set a lower limit.

The FCA suggests that with legislative change and wider reform of the SCA requirements in the longer term, it could seek to rely substantively on the Duty instead of setting bespoke rules for contactless limits. It wants to understand from stakeholder feedback whether it should prioritise change to contactless limits under the existing SCA framework or wait until there is wider legislative reform.

Alternative options not raised in the paper

Although there is an implication that the FCA is keen on exploring a risk-based exemption for in-person transactions (see above), it makes it clear that it’s open to considering a range of options and their potential impacts. It emphasises that data and evidence will be ‘critical’ to informing its future policy approach, and encourages respondents to share any relevant data that might demonstrate the potential impacts of regulatory reform.

The FCA also asks whether there is still a benefit to separate exemptions based on use cases, such as the exemption in Article 12 of the SCA RTS for payments at unattended terminals for transport fares and parking fees.

Next steps

The deadline for feedback on the engagement paper is 9 May 2025, with consultation on any revised standards, rules or guidance to follow.

Authored by Julie Patient and Virginia Montgomery.