A new investigation by consumer champion Which? has revealed a concerning loophole where card fraud can persist, even after a bank cancels an original card and issues a replacement. The issue stems from a system designed to automatically update card details across various online merchants and digital wallets, which can inadvertently enable criminals to continue their fraudulent activities.
This technology, known as an automatic billing updater (ABU) by the major card schemes – Visa, Mastercard, and American Express – is typically switched on by default for banks and widely adopted by online retailers. While intended to provide convenience by seamlessly updating saved card details when a card expires or is renewed, Which? found it can have serious unintended consequences. If a fraudster has saved a victim's card details to a major online merchant or digital wallet, and the bank does not properly sever that link, the replacement card's details can be passed on to the saved record as well, potentially allowing the fraud to restart.
The scale of the problem is significant. A recent survey conducted by Which? indicated that among those who had been victims of card fraud in the past two years, 61% reported experiencing further fraud on their replacement card within three months of receiving it. Although not all these cases are definitively linked to ABU, the figures suggest a widespread issue. Banking insiders cited by Which? suggested that fraud teams might sometimes be under pressure to meet targets, potentially leading to errors where ABU updates are not fully blocked.
Despite the potential for ongoing fraud, there appears to be a lack of awareness and customer control regarding ABU. Which? researchers attempted to opt out of the service with major high street banks including Barclays, HSBC, Lloyds, NatWest, Santander, Nationwide, Monzo, Starling, and Amex. In many instances, frontline staff appeared unaware of what ABU was or how to facilitate an opt-out request. Only Monzo offered a customer-controlled opt-out option during the process of ordering a new card, while Amex later confirmed that customers could opt out by calling a specific number, though staff awareness varied.
Starling, Monzo, and NatWest stated that they fully opt replacement cards out of ABU when the original card is cancelled due to fraud. Starling also extends this to any customer-initiated card cancellation. The findings highlight a critical gap in consumer protection and bank procedures, where a feature designed for convenience can become a conduit for persistent financial crime.