Consumer group Which? has raised concerns that a feature designed to streamline the renewal of expired credit or debit cards could inadvertently allow criminals to continue spending using replacement card details after fraud is reported.
How the loophole works
When a customer reports fraud on their account, the bank cancels the card and issues a new one, which should sever the fraudster's ability to spend. However, Which? says that a process known as automatic billing updater (ABU) may create a loophole. This process automatically updates saved card details with major online merchants and digital wallets, ensuring subscriptions and payments continue seamlessly. But if a scammer has saved a victim's card details before fraud was reported, the new card details could update there too, allowing fraud to persist.
Inconsistent bank policies
Which? conducted mystery shopping research that revealed some banks do not allow customers to opt out of ABU. While some banks fully opt replacement cards out of ABU when fraud is reported, others apply a merchant block that may also block legitimate payments. The consumer group found that approaches vary widely across banks, leaving consumers vulnerable.
Jenny Ross, Which? Money editor, said: “When you’re issued with a new card, having the new number automatically updated in places you’ve saved it can be incredibly handy, allowing subscriptions to renew seamlessly and enabling you to spend online without manually updating. However, Which? has found that if you’re a victim of fraud, if this update isn’t turned off it could have unintended consequences, allowing criminals to keep on spending. Even more alarmingly, customers are most often powerless to opt out of this update, leaving them at the mercy of their individual bank’s fraud policy.”
Banks' responses
A spokesperson for UK Finance said: “Account updater services help keep payments running smoothly and prevent regular payments from being blocked when a card is replaced. Banks manage this service in different ways but fraud linked to these updates is rare. Anyone who spots an unusual payment should contact their bank immediately and they will be able to help.”
HSBC UK stated: “Billing updater services provide customers with smoother journeys and better outcomes. While customers are unable to opt out, our procedures prevent the type of repeat fraud described. When a customer’s card details are used by fraudsters, we inform Visa or Mastercard it’s been cancelled and block merchants from receiving replacement card details.”
Lloyds Banking Group said: “If a customer requests for a payment to be blocked or there is suspected suspicious activity on the account, we apply continuous payment authority blocks which are carried over to newly issued cards.”
Nationwide Building Society commented: “If a customer spots a fraudulent recurring payment, we will refund and take action quickly to keep their account safe. If necessary, we can block specific recurring transactions or change account details and issue new cards to them.”
Starling Bank told Which?: “The ABU process does not apply to cards that are cancelled by the customer or because of fraud. This is an additional layer of protection for our customers.”
Visa stated: “Visa account updater helps keep payments running smoothly. VAU is offered and managed by each Visa card‑issuing bank and banks are responsible for handling the service for each cardholder, which includes stopping VAU or stopping it for a specific merchant in an instance where fraud has been detected.”
Mastercard said: “Our automated billing updater service is designed with consumers in mind, helping reduce the inconvenience of missed or delayed payments by keeping card details up to date with retailers and service providers. If a card is lost or stolen, these updates are stopped if the cardholder’s bank marks the card as closed in ABU. At Mastercard, we are committed to protecting consumers at every step of the payment journey, combining technology, standards and safeguards to keep transactions secure.”
What consumers should do
Which? recommends that people reporting fraud ask their bank whether the link between their card and any fraudster-controlled accounts has been broken. Consumers should also closely monitor their account after being a victim of card fraud and report any unrecognised or suspect payments to their bank immediately.
