PS21/2: Amendments to single and cumulative transaction thresholds for contactless payments

Amendments to single and cumulative transaction thresholds for contactless payments Policy Statement PS21/2 March 2021

1 Contents 1 Summary 2 2 Single and cumulative transaction thresholds for contactless payments 6 List of non-confidential respondents 9 Abbreviations used in this paper 10 Made rules (legal instrument) 11

2 1 Summary 1.1 On 28 January 2021, in CP21/3, we consulted on proposals to amend the technical standards on strong customer authentication and common and secure methods of communication (SCA-RTS), FCA Approach Document (AD) and Perimeter Guidance Manual (PERG). This policy statement (PS) focuses on Q5 and Q6 in CP21/3 on proposed changes to the single transaction limit and cumulative limits for contactless payments under Article 11 SCA-RTS. Consultation on all other questions in CP21/3 closes on 30 April 2021, a further policy statement on those questions will follow later this year. 1.2 This PS summarises the responses we received on our proposed changes relating to the contactless payments limits in Q5 and Q6 in CP21/3. 1.3 This PS also confirms that Article 11 of the SCA-RTS will be amended so that strong customer authentication is not required for single contactless transactions up to the value of £100 per transaction. This is subject to the cumulative thresholds in article 11. The cumulative transaction value threshold will be increased from £130 to £300. 1.4 The aim of our amendments is to ensure that our regulation of payments provides industry with greater flexibility to respond to changing consumer behaviour. Who this affects? 1.5 Payment service providers (PSPs), as well as trade bodies representing them, should read this PS. Our proposals affect credit institutions providing payment services and/or issuing e-money, as well as payment institutions (PIs) and e-money institutions (EMIs). It also applies to firms subject to the temporary permission regime (TPR) and the financial services contracts regime (FSCR) set out in Schedule 3 of the Electronic Money, Payment Services and Payment Systems (Amendment and Transitional Provisions) (EU Exit) Regulations 2018 (Exit SI). It also applies to Gibraltar firms providing payment services in the UK. This PS will also be of interest to: • retailers • consumers and micro-enterprises • consumer groups • credit unions This list is not exhaustive The wider context of this policy statement Our consultation 1.6 Under the PSRs, the requirements for strong customer authentication apply when a payer initiates an electronic payment transaction. This includes card transactions initiated by the cardholder at the point of sale. Strong customer authentication aims

3 to make payments safer and more secure, requiring the use of two-factor authentication (for example Chip and PIN) to validate that the legitimate user has given their consent to the transaction. 1.7 The SCA-RTS includes exemptions to the application of strong customer authentication. One such exemption is the contactless exemption at Article 11. Issuers may choose not to apply strong customer authentication to contactless point of sale transactions if specific conditions are met. The conditions to apply the contactless exemption are twofold: (a) the individual amount of the transaction must not exceed £45; and (b) either the cumulative amount of transactions must not exceed £130 since the last time strong customer authentication was applied, or the number of consecutive contactless transactions initiated must not exceed five since the last application of strong customer authentication. We understand the industry has generally opted to apply the cumulative transaction value rather than transaction volume threshold. 1.8 The SCA-RTS prescribe maximum limits for contactless payments at point of sale. Card issuers set the contactless limit applicable to a customer’s contactless transactions up to the maximum amounts set out under the SCA-RTS. 1.9 In response to the coronavirus pandemic, the industry increased the contactless limit from £30 to £45 on 1 April 2020. In response, to further support consumers and merchants during the coronavirus pandemic, we confirmed that we were unlikely to take enforcement action where a firm fails to apply strong customer authentication, when a customer exceeds the cumulative transaction value threshold under Article 11. This is provided that the firm sufficiently mitigates the risk of unauthorised transactions and fraud by having the necessary fraud monitoring tools and systems in place and taking swift action where appropriate. 1.10 Consumers and merchants have relied more on contactless payments during the coronavirus pandemic. Transaction rates demonstrate an increased appetite for the convenience of contactless payments. 1.11 Contactless payments remain relatively safe compared to other payment methods. Fraud rate data has shown there to be no significant increase in contactless payment related fraud since industry increased the limit to £45 in April 2020 and we provided supervisory flexibility to allow firms to set the cumulative limits that are currently in place. 1.12 The total value of reported fraud falling within the new increased threshold (between £30 to £45) equated to 0.02% of the total amount spent using contactless cards since April 2020. Overall, the number of reported cases and the overall value of losses attributable to contactless transactions continues to fall. 1.13 No material increase in fraudulent transactions has been observed in other countries where the contactless limit increased to the equivalent of £100 or above. The card industry in Singapore, Australia and Canada have increased their single limits to SD200 (£110), AUD200 (£112), and CAD250 (£143) respectively. These jurisdictions do not operate cumulative limits.

4 Is this of interest to consumers? 1.14 Our amendments to the SCA-RTS are intended to support further uninterrupted use of contactless payments and keep pace with changing consumer behaviour and merchant expectations - while maintaining appropriate levels of consumer protection. What we are changing 1.15 We are amending Article 11 of the SCA-RTS to increase the single transaction threshold for contactless card payments from £45 to £100 and increase the cumulative transaction threshold from £130 to £300. 1.16 An increase in the single transaction threshold will enable consumers to use contactless card payments for higher value transactions such as purchasing fuel and weekly groceries without needing to authenticate with strong customer authentication. The change to the cumulative transaction threshold replaces the supervisory flexibility we introduced to support the industry during the coronavirus pandemic. This means that firms can set limits up to these thresholds but not exceed them. In making use of the new limits, firms must ensure they sufficiently mitigate the risk of unauthorised transactions and fraud, including by having the necessary fraud monitoring tools and systems in place and taking swift action where appropriate. We may take appropriate measures, including enforcement action, where breaches are identified. Outcome we are seeking 1.17 The amendments seek to ensure payments regulation keeps pace with changing consumer and merchant expectations for faster payment experiences, while ensuring that consumers are protected when using contactless payments. 1.18 Increasing the regulatory thresholds will allow the industry to increase contactless limits in the future, up to the new higher limits we set, to reflect the macroeconomic environment and changing consumer behaviours and merchant expectations. Measuring success 1.19 We will know this amendment to the SCA-RTS has been successful if there is continued growth in the number of contactless payment transactions, without any significant increase in fraud or associated crime. 1.20 We will evaluate the success of our changes through firm supervision and monitoring of information provided by firms. We will also engage with trades bodies and firms to assess the impact of these changes on consumer outcomes. Summary of feedback and our response 1.21 We received 34 responses to questions 5 and 6 within CP21/3. This included submissions from individuals, banks, trade associations, consumer representatives and merchants.

5 1.22 We observed that respondents were generally supportive of an increase in the single transaction limit to £100. Moreover, respondents suggested that to support the increase in a single transaction limit, the cumulative threshold should be increased to £300, instead of £200 as proposed. Such an increase would reduce the number of times a consumer would have to provide strong customer authentication when using contactless payment but would ensure a proportionate need for strong customer authentication if consumers are regularly making higher value payments. While we have increased the cumulative threshold from the amount consulted on, we consider that the instrument does not significantly differ from the draft instrument in CP 21/3. 1.23 However, some respondents expressed concern that higher limits could result in an increase in fraudulent transactions and associated crime. We note that firms are required to maintain appropriate systems and controls to mitigate this risk by identifying and stopping suspicious transactions. Firms should ensure the adequacy of their systems and controls before increasing their contactless limits. In addition, many consumers can now more readily identify unauthorised transactions with the increase in online and mobile banking technology. Contactless cards can now swiftly be blocked in the event of loss or theft. Based on the experience of other jurisdictions, and data provided on current and projected fraud rates in response to our consultation, we have not seen evidence to suggest that this will materially increase risk to customers. Consumers can find further information on using contactless payments safely here. 1.24 Feedback and our responses are set out in detail in Chapter 2. Equality and diversity considerations 1.25 We have considered the equality and diversity issues that may arise from the approach outlined in this PS. We do not consider that our rules negatively impact any of the groups with protected characteristics under the Equality Act 2010. 1.26 Contactless payments remain relatively safe compared to other payment methods. Fraud rate data has shown there to be no significant increase in contactless payment related fraud since the limit was increased to £45 and since the FCA provided supervisory flexibility on the cumulative limits. FCA continue to monitor fraud rates across all payment types and will consider further action as appropriate if fraud rates rise. What you need to do next 1.27 Our amendments to the single and cumulative transaction thresholds under Article 11 SCA-RTS will enable the industry to increase the contactless card limits in the future to meet the evolving expectations of customers and merchants while ensuring the right controls are in place to keep payments safe and secure.

6 2 Single and cumulative transaction thresholds for contactless payments 2.1 In this chapter, we summarise and respond to the feedback received to our proposed changes to the single and cumulative transaction thresholds for contactless payments under Article 11 SCA-RTS. We have considered respondents’ feedback to our consultation and set out our response below. Amendments to single and cumulative transaction thresholds for contactless payments 2.2 On 28 January, we consulted on amendments to Article 11 of the SCA-RTS, increasing the single and cumulative transaction thresholds for contactless payments from £45 up to £100 and from £130 to £200 respectively. We asked: Q5: Do you agree with our proposed amendment to increase the cumulative threshold of the contactless exemption from £130 to £200? If not, please explain your rationale, including supporting data where applicable. Q6: What is your view on increasing the current regulatory contactless (single) threshold limit of £45 to £100 (or potentially a maximum of £120) Please explain your rationale, including supporting data and new threshold where applicable. If your response identifies potential risks and benefits, please provide evidence in support of your response. Our response: We have considered the responses from all respondents. Making amendments to Article 11 is intended to enable the cards industry to support the use of contactless cards as the recovery from covid starts and to respond to evolving consumer behaviour. We consulted on an increase to the single and cumulative regulatory thresholds for electronic payments at the point of sale. We proposed to increase the single transaction limit to £100, and the cumulative limit to £200. Most respondents were supportive of the proposed increase in the single limit to £100, some supported an increase to £120. Most argued that the cumulative limit should be further increased to a minimum of £300. Some respondents argued that the cumulative limit should be removed entirely. Several respondents raised concerns about the potential for an increase in fraudulent transactions and other crime. Merchant organisations were also concerned about the potential for customers to accidentally leave without paying if their contactless transaction was declined due to the cumulative limit being exceeded. Some argued that there should be no increase to any of the limits proposed.

7 Based on the responses received, we have decided to increase the single limit to £100 as proposed and increase the cumulative threshold to £300. We believe these changes balance the need for appropriate security when making higher value payments, with the benefits to convenience offered by contactless payments. The higher cumulative limit will reduce the frequency with which consumers need to provide strong customer authentication, and so mitigate the risk of non-payment by mistake because a transaction has been declined. The higher limit also better reflects recent consumer experience, given higher cumulative limits during the period of our supervisory flexibility. We did not consider it appropriate to remove the cumulative thresholds entirely. The cumulative threshold is an important protection against unauthorised transactions in the case of repeated higher value transactions. We did not agree with those respondents who argued there should be no increase from current limits based on the potential for an increase in fraud or other crime. Data provided did not suggest that an increase in fraud or other crime was likely. We noted that other jurisdictions offering contactless card payments of a similar value have not experienced a material increase in fraud rates since raising the contactless limit. In addition, firms are required to maintain appropriate systems and controls to monitor for and mitigate such risks. Contactless card technology has continued to evolve, making it easier to quickly block cards reported as lost or stolen. In any event, it would be up to firms to decide whether and how much to raise limits in practice based on fraud controls and monitoring. We continue to monitor fraud rates across all payment types and will consider further action as appropriate if needed. Two respondents commented on the possible negative impact this could have on the availability of cash to consumers. Cash remains an important payment method for many, including vulnerable consumers and small businesses. It is part of the FCA’s Business Payments priority to make sure consumers can access the cash they need. In March 2020, the Government announced an intention to legislate to protect access to cash for those who need it. In advance of that legislation, we’re working closely with the cash industry, who have committed to developing a future model for people and small businesses to access cash when they need it. We do not expect this change to impact consumers’ ability to access cash. Two respondents highlighted potential higher costs as a result of our change. One respondent pointed to costs to card issuers from communicating changes to retailers, as well as higher costs from compensating victims of fraud. A second respondent highlighted potential higher costs to customers resulting from fraud. Our changes remove regulatory barriers to future increases by the industry to contactless limits in the UK. Any decision to increase contactless limits is a matter for the industry. In relation to fraud, as explained above, we do not think a material increase in fraud is likely as a result of these changes. After considering the feedback to our CBA we continue to believe the potential benefits of our proposals outweigh the costs. Increasing the regulatory limits serves as an enabler for the industry by setting higher maximum thresholds; this does not necessarily translate into an immediate change for consumers and businesses.

8 Any increase to the contactless limit available to customers will be determined by industry, up to a maximum of £100. Individual card issuers remain free to set their own cumulative limit up to £300.

9 List of non-confidential respondents • Mr R Trybis – Individual • Michael Bickford – Individual • Jackie – Individual • Derek McMahon – individual • Victor Bodger – individual • Cenerva Limited • emobix ltd • Association of Accounting Technicians • Transport for London • New Wave Capital Limited • Barclays

10 Abbreviations used in this paper SCA-RTS Regulatory Technical Standards on Strong Customer Authentication and common and secure methods of communication AD Approach Document CBA Cost-benefit analysis PERG Perimeter Guidance Manual PS Policy Statement PSP Payment Service Provider EMI E-money Institution TPR Temporary Permission Regime FSCR Financial Services Contracts Regime

11 Made rules (legal instrument) FCA 2021/7 TECHNICAL STANDARDS ON STRONG CUSTOMER AUTHENTICATION AND COMMON AND SECURE METHODS OF COMMUNICATION (AMENDMENT) INSTRUMENT 2021 Powers exercised A. The Financial Conduct Authority (“the FCA”) makes this instrument in the exercise of the powers and related provisions in or under: (1) the following Regulations of the Payment Services Regulations 2017: (a) Regulation 106A (Technical Standards); and (2) the following sections of the Financial Services and Markets Act 2000 (“the Act”): (a) section 138P (Technical Standards); (b) section 138Q (Standards instruments); (c) section 138S (Application of Chapters 1 and 2); (d) section 137T (General supplementary powers); (e) section 138F (Notification of rules); and (f) section 138I (Consultation by the FCA). Pre-conditions to making B. The FCA has consulted the Prudential Regulation Authority and the Bank of England as appropriate in accordance with section 138P of the Act. C. A draft of this instrument has been approved by the Treasury, in accordance with section 138R of the Act. Modifications D. The FCA makes the amendments to the Technical Standards on Strong Customer Authentication and Common and Secure Methods of Communication in accordance with the Annex to this instrument. Commencement E. This instrument comes into force on 3 March 2021. Citation

12 F. This instrument may be cited as the Technical Standards on Strong Customer Authentication and Common and Secure Methods of Communication (Amendment) Instrument 2021. By order of the Board 1 March 2021

13 Annex Amendments to the Technical Standards on strong customer authentication and common and secure methods of communication In this Annex, underlining indicates new text and striking through indicates deleted text. Chapter 3 Exemptions from strong customer authentication Article 10 Payment account information … Article 11 Contactless payments at point of sale Payment service providers shall be allowed not to apply strong customer authentication, subject to compliance with the requirements laid down in Article 2, where the payer initiates a contactless electronic payment transaction provided that the following conditions are met: (a) the individual amount of the contactless electronic payment transaction does not exceed £45 100; and (b) the cumulative amount of previous contactless electronic payment transactions initiated by means of a payment instrument with a contactless functionality from the date of the last application of strong customer authentication does not exceed £130 300; or (c) the number of consecutive contactless electronic payment transactions initiated via the payment instrument offering a contactless functionality since the last application of strong customer authentication does not exceed five. …

14 Disclaimer All our publications are available to download from www.fca.org.uk. If you would like to receive this paper in an alternative format, please call 020 7066 7948 or email: publications_graphics@fca.org.uk or write to: Editorial and Digital team, Financial Conduct Authority, 12 Endeavour Square, London E20 1JN

© Financial Conduct Authority 2021 12 Endeavour Square London E20 1JN Telephone: +44 (0)20 7066 1000 Website: www.fca.org.uk All rights reserved Pub ref: 007586