Millions of bank customers could still be vulnerable to fraud, a watchdog has warned.
Research by Which? has found that a little-known banking system designed to make replacing cards seamless may also allow criminals to continue charging purchases to victims’ accounts. The consumer group says a “cancelled card” loophole means replacement card details can sometimes be automatically passed to retailers and online services where the old card was stored. This means that if fraudsters have linked stolen card details to those accounts, they could potentially carry on spending even after the original card has been blocked.
The warning comes after Which? found that six in ten victims of card fraud said they experienced further fraud on their replacement card within three months.
While repeat fraud can occur for several reasons, the watchdog believes automatic card updating systems can sometimes play a role. At the centre of the issue are so-called automatic billing updater services operated by Visa, Mastercard and American Express.
These systems are intended to save consumers hassle by automatically updating card details when a card expires or is replaced, ensuring subscriptions and recurring payments continue without interruption.
However, Which? says the same technology can have unintended consequences if a scammer has stored stolen card details with an online retailer or digital wallet. In some circumstances, those stored details could also be updated to the replacement card, allowing fraudulent spending to continue.
To test how banks deal with the issue, Which? carried out a mystery shopping exercise involving Amex, Barclays, HSBC, Lloyds, Monzo, Nationwide, NatWest, Santander and Starling.
It found that only customer service representatives at Monzo and Starling appeared familiar with automatic billing updater systems. Most banks either said customers could not opt out or offered no straightforward way of doing so.
Nationwide confirmed it does not currently allow customers to opt out of Visa Account Updater, while Barclays, Lloyds, NatWest and Santander also told Which? customers could not voluntarily opt out.
Jenny Ross, Money Editor at Which?, said: “When you’re issued with a new card, having the new number automatically updated in places you’ve saved it can be incredibly handy, allowing subscriptions to renew seamlessly and enabling you to spend online without manually updating.
“However, Which? has found that if you’re a victim of fraud, if this update isn’t turned off it could have unintended consequences, allowing criminals to keep on spending. Even more alarmingly, customers are most often powerless to opt out of this update, leaving them at the mercy of their individual bank’s fraud policy.”
The consumer group is calling on banks to give customers the option to switch off automatic billing updater services and to adopt a more consistent approach when handling fraud cases.
Banks and card companies insist safeguards are in place. A spokesperson for Mastercard said its Automated Billing Updater service is designed to make payments “fast, safe and simple” and help avoid missed or delayed payments.
The company said: “If a card is lost or stolen, these updates are stopped following the cardholder’s bank marking the card as closed. Cardholders who wish to opt out should contact their bank.”
Visa said its Visa Account Updater service helps prevent declined payments, late fees and interruptions to essential services such as insurance cover.
A spokesperson said: “Banks are responsible for handling the service for each cardholder, which includes stopping VAU or stopping it for a specific merchant in an instance where fraud has been detected.”
Nationwide said it keeps its policy under review. A spokesperson said: “We don’t currently offer an opt-out from Visa Account Updater, but we will keep this under review. If a customer spots a fraudulent recurring payment, we will refund and take action quickly to keep their account safe.”
Lloyds Banking Group said the updater service helps genuine payments continue when a card is replaced and that it carries payment blocks across to newly issued cards where suspicious activity has been identified.
Starling defended its use of Mastercard’s system, saying it helps customers avoid unnecessary declined payments and service cancellations.
The digital bank said the updater process does not apply to cards cancelled because of fraud and that customers must manually update their details with merchants after receiving a replacement card.
Which? is urging consumers who have been victims of card fraud to keep a close eye on their accounts even after receiving a replacement card and to report any suspicious transactions immediately. Unauthorised fraud should almost always be refunded by the bank.
