On 27 January 2021, the Financial Conduct Authority (FCA) published Consultation Paper 21/3 on proposed changes to the manner in which the FCA regulates payment services and the issuance of electronic money (CP 21/3).
In CP 21/3, the FCA proposed a number of regulatory initiatives, including announcing that the FCA plans to consult on increasing the single transaction thresholds for contactless payments from GBP45 up to 100 (or potentially a maximum of GBP120).
This contactless payment aspect of the consultation will remain open until 23 February 2021.
Overview of CP21/3
As consumers are increasingly making use of contactless payments, the FCA notes that it is important for payments regulation to keep pace with consumer and merchant expectations. The coronavirus pandemic (COVID-19) has accelerated this process by further encouraging the adoption of contactless by business due to concerns about the availability and cleanliness of physical cash. For example, card spending data published by UK Finance reveals that the proportion of contactless payments in September 2020 reached its highest recorded level, accounting for 64 per cent of all debit card transactions. Recognising changing behaviour in how people pay, the FCA therefore intends to increase the contactless limit. The limit was previously increased from GBP30 to 45 in April 2020.
To maintain adequate protections for consumers, the FCA is proposing amendments to the regulatory technical standards on strong customer authentication and common and secure methods of communication (SCA-RTS) in light of the proposed increase in the contactless limit.
The rationale behind the increase
At present, consumers can make contactless payments until they reach the cumulative transaction value threshold of GBP130 or after making 5 contactless transactions in a row. Once they reach this threshold, they must meet the two factor authentication standard of Strong Customer Authentication (SCA). In practice, this means consumers will need to meet two of the three authentication tests of SCA: possession, knowledge and inherence. For example, the consumer may insert a card into a card reader (possession) and enter their PIN (knowledge) to securely authenticate a transaction in compliance with SCA. This SCA threshold is designed to reduce the risk of fraud by a fraudster using a stolen card.
After the contactless limit was increased to GBP45, the average number of transactions before a customer had to reauthenticate decreased significantly. Without changing the cumulative transactions value threshold, the frequency with which customers have to reauthenticate would increase, negating the benefits of having a higher contactless limit, particularly with the proposed significant increase of the single threshold from GBP45 to 100.
Without an increase in the cumulative value threshold, consumers will have to spend more time on reauthenticating under SCA. Consumers also face particular challenges in meeting the standard. For example, elderly consumers may not have access to a smartphone for the use of one-time password authentication. In addition, the COVID-19 pandemic has increased public concerns about the health risks associated with using a keypad for the input of their PIN at merchant terminals.
Additionally, the FCA notes in CP 21/3 that several countries have increased the single threshold for contactless payments either temporarily as a response to COVID-19 or as an acknowledgment of the changing nature of consumer and business behaviour:
- Australia has temporarily doubled its contactless limit from AUD100 (GBP56) to AUD200 (GBP112), to be reviewed every three months during the pandemic;
- Canada has increased the contactless limit to CAD250 (GBP143); and
- Singapore has increased its contactless limit from SGD100 (GBP55) to SGD200 (GBP110).
The FCA notes that these increases have not resulted in evidence of any adverse impact, including on fraud rates.
The significance of the changes
The proposed changes may be considered to bring the UK out-of-step with the EU implementation of Payment Services Directive (PSD 2) and the EU’s SCA Regulatory Technical Standards.
Unlike some other European Directives, PSD 2 does not contain a third country equivalency regime so this divergence of approach on contactless limits would not result in a negative equivalency decision under PSD 2.
While CP21/3 is a consultation, it is widely expected that the Government will increase the threshold as proposed and, in doing so, they are likely to emphasise that this is something they could not have done inside the EU due to the limits on the size of single contactless payments found in PSD 2.