Fraud risk linked to hidden card update system as banks face opt-out criticism
Fraudsters have been able to continue using cancelled bank cards in some cases because of a little-known payments feature designed to keep subscriptions running without interruption, according to consumer research and industry reporting.
The system, known as automatic billing updater (ABU), is used across major card networks including Visa, Mastercard and American Express, and is intended to automatically refresh saved card details when a customer is issued a replacement card. That allows recurring payments — from streaming services to online retailers — to continue without the user manually re-entering details after a card expires or is replaced.
But consumer group Which said the same mechanism can create a loophole when cards are replaced after fraud incidents. In its research, six in 10 respondents said they experienced further fraud on a replacement card within three months, although the group noted this could involve multiple causes. Critics argue that if compromised merchants or saved payment tokens remain active, updated details can still be used for unauthorised transactions.
Which also found that customers across several major banks — including Barclays, HSBC, Lloyds Banking Group, Nationwide, NatWest and Santander — were generally unable to opt out of ABU. In its checks, only Starling and Monzo customer service teams demonstrated clear understanding of the feature. Some banks said cardholders could not switch it off, while others indicated that opt-out handling varied depending on whether a card replacement followed suspected fraud or routine cancellation.
Consumer finance voices have warned the balance between convenience and control is increasingly fragile. Adam French, head of consumer finance at Moneyfactscompare, said automatic updates were useful for recurring payments, but argued that customers should retain final control over who can continue to take money from their accounts, particularly those previously affected by scams or financial abuse. Which? money editor Jenny Ross said the lack of a consistent opt-out option left consumers dependent on individual bank policies.
The issue sits within a broader debate in the UK and Europe over how much control card networks and banks should retain over payment infrastructure that is largely invisible to users. In parallel discussions, UK bank bosses have been moving toward creating a domestic alternative to Visa and Mastercard, amid concerns about heavy reliance on US-owned networks that process the vast majority of card transactions.
Under the plans, senior figures from banks including Barclays, Lloyds Banking Group, NatWest and Nationwide, alongside payments bodies and Visa and Mastercard themselves, are involved in early-stage work on a new UK system known as “DeliveryCo”. The initiative is being framed by officials and industry participants as a resilience measure, designed to ensure continuity of payments in the event of operational disruption or external shocks.
Supporters of the project argue that while existing card networks are deeply embedded in the UK economy, the combination of declining cash use and near-total dependence on Visa and Mastercard leaves limited fallback options. Some banking figures have pointed to geopolitical uncertainty and sanctions risks as factors reinforcing the case for a domestically controlled payments rail, though industry statements have generally stressed resilience and competition rather than confrontation.
Visa and Mastercard have said they remain committed to the UK market and welcomed competition, while emphasising the security and reliability of their systems. The Bank of England has previously described work on additional payment infrastructure as part of broader efforts to strengthen resilience in the payments landscape, particularly in the context of cyber and operational risks.