Millions of bank customers remain vulnerable to fraud due to a little-known banking system designed to simplify card replacements, according to a warning from consumer group Which?. The system, intended to make replacing cards seamless, may inadvertently allow criminals to continue charging purchases to victims' accounts even after the original card has been blocked.
How the Loophole Works
Which? research reveals that a 'cancelled card' loophole exists when replacement card details are automatically passed to retailers and online services where the old card was stored. If fraudsters have linked stolen card details to those accounts, they could potentially carry on spending even after the original card has been cancelled. The watchdog found that six in ten victims of card fraud reported experiencing further fraud on their replacement card within three months.
At the centre of the issue are automatic billing updater services operated by Visa, Mastercard, and American Express. These systems are designed to save consumers hassle by automatically updating card details when a card expires or is replaced, ensuring subscriptions and recurring payments continue without interruption. However, Which? says the same technology can have unintended consequences if a scammer has stored stolen card details with an online retailer or digital wallet.
Which? Mystery Shopping Exercise
To test how banks deal with the issue, Which? carried out a mystery shopping exercise involving Amex, Barclays, HSBC, Lloyds, Monzo, Nationwide, NatWest, Santander, and Starling. It found that only customer service representatives at Monzo and Starling appeared familiar with automatic billing updater systems. Most banks either said customers could not opt out or offered no straightforward way of doing so.
Nationwide confirmed it does not currently allow customers to opt out of Visa Account Updater, while Barclays, Lloyds, NatWest, and Santander also told Which? customers could not voluntarily opt out.
Calls for Change
Jenny Ross, Money Editor at Which?, said: "When you're issued with a new card, having the new number automatically updated in places you've saved it can be incredibly handy, allowing subscriptions to renew seamlessly and enabling you to spend online without manually updating. However, Which? has found that if you're a victim of fraud, if this update isn't turned off it could have unintended consequences, allowing criminals to keep on spending. Even more alarmingly, customers are most often powerless to opt out of this update, leaving them at the mercy of their individual bank's fraud policy."
The consumer group is calling on banks to give customers the option to switch off automatic billing updater services and to adopt a more consistent approach when handling fraud cases.
Industry Response
Banks and card companies insist safeguards are in place. A spokesperson for Mastercard said its Automated Billing Updater service is designed to make payments "fast, safe and simple" and help avoid missed or delayed payments. The company said: "If a card is lost or stolen, these updates are stopped following the cardholder's bank marking the card as closed. Cardholders who wish to opt out should contact their bank."
Visa said its Visa Account Updater service helps prevent declined payments, late fees, and interruptions to essential services such as insurance cover. A spokesperson said: "Banks are responsible for handling the service for each cardholder, which includes stopping VAU or stopping it for a specific merchant in an instance where fraud has been detected."
Nationwide said it keeps its policy under review. A spokesperson said: "We don't currently offer an opt-out from Visa Account Updater, but we will keep this under review. If a customer spots a fraudulent recurring payment, we will refund and take action quickly to keep their account safe." Lloyds Banking Group said the updater service helps genuine payments continue when a card is replaced and that it carries payment blocks across to newly issued cards where suspicious activity has been identified. Starling defended its use of Mastercard's system, saying it helps customers avoid unnecessary declined payments and service cancellations. The digital bank said the updater process does not apply to cards cancelled because of fraud and that customers must manually update their details with merchants after receiving a replacement card.
Advice for Consumers
Which? is urging consumers who have been victims of card fraud to keep a close eye on their accounts even after receiving a replacement card and to report any suspicious transactions immediately. Unauthorised fraud should almost always be refunded by the bank.
