On 19 March 2026, the UK will scrap the regulatory limits that govern contactless card payments. Today, the rules set a £100 ceiling for any single contactless transaction, and require strong customer authentication once a customer hits a cumulative £300 spend or five consecutive contactless payments since the last check. From 19 March, banks and payment providers will be able to set their own limits, as long as they meet the conditions of the updated Strong Customer Authentication regime.
The change does not mandate higher limits. It removes a one-size-fits-all cap and replaces it with a risk-based approach. The FCA has said it expects most providers to keep the £100 limit in place, at least initially, while they assess controls and customer outcomes. The practical result is likely to be a patchwork: some providers will move early, others will stay conservative, and contactless rules may diverge by issuer.
That divergence matters because the old cap did more than shape consumer behaviour. It functioned as a blunt fraud control. Higher ceilings increase the value at risk if a card is lost or stolen, or if criminal activity exploits gaps in issuer monitoring. The FCA, however, has maintained that consumer protections remain in place. Where a card is used fraudulently, customers must typically be reimbursed for unauthorised transactions, subject to conditions. The regulator also notes that if a card is lost or stolen and not reported, a customer may have to pay up to £35 of unauthorised transactions in some circumstances.
Fraud in contactless payments remains low by value, according to figures referenced in the FCA’s earlier consultation materials, which cited UK Finance estimates of around 1.3p per £100 spent on contactless transactions. Low does not mean static. A regulatory cap provides a clear ceiling for worst-case loss on a single tap. Removing it shifts attention to issuer capability: monitoring, rules, data integration, and real-time decisioning.
Ryan Dolley, VP at GoodData, argues that the technical foundations exist — and that the UK’s change will reward providers that have already invested in them. “We work with the two major credit card companies in the US, who must work hand-in-glove with card issuing banks to prevent fraud using contactless, pinless transactions, as that’s the standard in the United States. They have developed very sophisticated algorithms, rules and integrations that detect and prevent fraud in real time based on massive streams of analytical and transactional data and are extending these controls with AI as we speak.
“Some UK banks already have the necessary infrastructure in place – for example Lloyds and NatWest – but many may lack the sophisticated analytics necessary to manage contactless fraud detection at scale and thus rely on the limit to prevent cases of high value fraud. We expect many banks to proceed slowly while this infrastructure is built, which could give a slight advantage to larger, more technically sophisticated institutions.
“Ultimately, this move is in line with the direction of travel in UK financial regulation, which is to remove the regulatory floor of a one size fits all approach and shift responsibility of monitoring and preventing fraud onto the banks themselves. Banks with the technology and talent to manage this environment have a built in advantage.”
For banks, the operational question is not simply where to set a number. It is how to run higher-value contactless payments without turning checkout speed into a fraud liability. That pushes issuers towards tighter behavioural analytics: unusual spend patterns, merchant anomalies, rapid-fire transactions, location mismatches, and customer-specific “normal” behaviour. Those systems already exist across the sector, but the removal of a common cap makes performance differences harder to hide.
There is also a communications problem. If limits become bank-specific, customers will need clearer information about what applies to their card, how cumulative checks work, and what controls are available in-app. The FCA has encouraged providers to give customers options — including setting their own contactless limit or switching contactless off. If that becomes standard practice, contactless limits may start to resemble card security settings rather than a fixed national rule.
The banking industry has had more than a year of notice that the FCA wanted to shift contactless policy from prescription to accountability. The next phase will be visible in small decisions: whether issuers keep £100, whether they relax cumulative checks, and how quickly fraud controls are strengthened without reintroducing friction.
You must be logged in to post a comment.