.svg)
The UK’s Financial Conduct Authority (FCA) is consulting on reforms to contactless payment rules. It has proposed replacing fixed regulatory limits with a risk-based exemption, giving payment service providers (PSPs) greater flexibility.
In the consultation, which closes on October 15, the regulator has thrown its support behind a risk-based approach, citing benefits such as stronger internal controls, flexibility to reflect risk appetite and greater scope for innovation.
In the consultation document, the FCA proposes amending the current rules to allow PSPs to waive strong customer authentication (SCA) on contactless transactions that they assess as low risk.
However, firms will remain free to keep or set limits, and the exemption for unattended terminals would stay.
The bigger picture
Contactless payments are a straightforward starting point for the FCA as it looks to make changes in the UK payments sector.
The consultation reflects the FCA’s broader post-Brexit shift towards outcomes-focused regulation, as shown by its commitment to frameworks such as the Consumer Duty.
As part of its “smarter regulator” approach, the FCA aims to move away from prescriptive rules towards a risk-based model. This would give firms more discretion while maintaining strong consumer protections.
The FCA’s proposals are also driven by the Labour government’s intense push for economic growth.
Responding to the Prime Minister’s call for regulators to support economic growth, the FCA sees relaxing contactless limits as a way to boost efficiency and encourage innovation.
Contactless payments are ubiquitous, although card use is declining as consumers shift to mobile payment methods such as Apple Pay.
Fraud rates are low: UK Finance’s Annual Fraud Report 2025 estimates contactless fraud at 1.3p per £100, compared with 6p per £100 for all unauthorised fraud.
The FCA noted that PSPs are liable for reimbursing unauthorised contactless payments. Raising limits could therefore raise fraud costs, giving firms a strong incentive to keep fraud levels low.
Why should you care?
If adopted, the new risk-based exemption would give firms much greater discretion over how they handle contactless authentication.
In the short term, it seems likely that most PSPs will opt to keep their existing limits and processes, so the immediate operational impact should be minimal. Over time, however, firms could adjust limits to reflect their own risk appetite, fraud controls and customer preferences.
Larger incumbents such as NatWest and Barclays may adopt risk-based limits more quickly.
These firms already run sophisticated fraud-detection systems, have deep data on their customers and can absorb the cost of building or refining risk models. They also have established compliance teams to demonstrate to the FCA that their approach meets the Consumer Duty.
In comparison, fintechs such as smaller or newer payment and e-money firms may be more cautious. These firms often rely on third-party fraud tools, and have been criticised by the FCA for having more limited compliance resources, as well as less customer transaction history.
The burden of designing and justifying their own risk thresholds may be higher, especially when these firms are also grappling with increased risk from the authorised push payment (APP) fraud reimbursement rules introduced last year.
The main benefits are greater flexibility and scope for innovation.
Firms will no longer be tied to fixed regulatory thresholds, which could add competitive edge, as they would be able to differentiate themselves through features such as higher limits for certain customers, customer-set limits or new forms of low-friction authentication.
This could reduce payment friction, strengthen customer loyalty and help PSPs respond to inflation or changes in consumer behaviour without waiting for regulatory changes.
The challenge is managing the responsibility that comes with this flexibility, and firms should prepare for more scrutiny from the FCA on their unauthorised fraud rates once they decide to deviate from the current framework.
Banks and payment firms will need to implement robust risk assessments, fraud monitoring and customer communications to justify their approach.
Smaller providers may find it more difficult to develop sophisticated systems or manage the regulatory expectations around risk-based decision-making.
Affected firms should consider the following steps:
- Engage with the consultation and evaluate whether to submit a response, as well as work with trade bodies or industry groups to shape the definition of “low-risk” transactions. Firms should also monitor the FCA’s timeline, and track the publication of final standards and guidance, so that they are in a position to plan operational changes and implement them smoothly.
- Review current policies and data, and assess how contactless authentication and fraud rates perform under existing limits to see where a risk-based approach could add value.
- Identify capability gaps, and check whether fraud monitoring, transaction analytics and customer profiling are strong enough to support higher or flexible limits.
- Model suitability and test different limit options internally. Firms should also document how they would meet the Consumer Duty compliance requirements, especially for vulnerable customers.
- Plan customer communications, and prepare opt-out or personal limit features and clear messaging so they can be rolled out quickly if the rules change.
By preparing now, organisations can be ready to seize the opportunities that greater flexibility in contactless payments may bring.
