Contactless caps are going. SCA isn’t.

As the FCA removes fixed contactless limits, card payments rely on ever more compensating controls to manage fraud. Open banking takes a different path: embedding strong customer authentication at the bank layer. This post explains why the difference matters for security, UX and recurring payments.

The FCA change that caught attention

At the end of 2025, the FCA confirmed that firms will no longer be bound by fixed regulatory caps on contactless payments, instead setting their own limits based on risk and customer controls¹.

This was widely reported as a win for convenience. But it also exposes a deeper truth about card payments: contactless has always been an exception layered on top of a system that was not designed with inherent strong authentication.

Removing a hard cap doesn’t remove the risk. It simply shifts responsibility for managing that risk back onto issuers and schemes.


Why card payments keep accumulating controls

Card payments were never built with strong customer authentication (SCA) as a native property. The original model relied on possession of a card number, later supplemented by signatures and PINs.

As fraud evolved, the industry responded incrementally:

  • CVV codes to prove possession,
  • cumulative contactless limits to cap exposure,
  • step-up PIN prompts after repeated taps,
  • one-time passwords for remote transactions,
  • tokenisation and dynamic CVVs,
  • behavioural risk scoring layered invisibly on top.

Each control addresses a gap created by the fact that authentication is not inherent to the payment rail. The rail moves value; authentication is layered on top.

The FCA’s decision to allow firms to set their own contactless limits acknowledges this reality. The system can be made to work, but only through continuous compensating controls¹.
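To make the "layered controls" point concrete, here is an added example (not Asima's code and not any scheme's actual rules) modelling an issuer's contactless authorisation decision. The limit values, the risk score and the three-way outcome are constructed for illustration. It shows two things the prose only states: a cumulative limit and a tap counter are reset by a successful PIN, so the step-up is what bounds exposure; and once the caps are removed (set to infinity), the only control left in the decision path is the behavioural risk score, so risk is managed probabilistically rather than by a hard boundary.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class ContactlessPolicy:
    """Issuer-configured limits. Constructed values, not any scheme's real figures."""
    per_tap_limit: float       # largest single contactless amount allowed without a PIN
    cumulative_limit: float    # contactless spend allowed since the last PIN verification
    max_taps: int              # consecutive taps allowed since the last PIN verification
    risk_step_up_score: float  # behavioural risk score at which a step-up is forced


@dataclass
class CardState:
    """Per-card counters the issuer keeps; a PIN verification resets them."""
    spent_since_pin: float = 0.0
    taps_since_pin: int = 0
    history: List[float] = field(default_factory=list)


def authorise_tap(policy: ContactlessPolicy, state: CardState,
                  amount: float, risk_score: float) -> str:
    """Return 'approved', 'step_up_pin' or 'declined' and update the counters.

    Each branch is one compensating control layered on top of the card rail:
    per-tap cap, cumulative cap, tap counter and, last, the risk model.
    """
    if amount <= 0:
        return "declined"
    if amount > policy.per_tap_limit:
        return "step_up_pin"
    if state.spent_since_pin + amount > policy.cumulative_limit:
        return "step_up_pin"
    if state.taps_since_pin + 1 > policy.max_taps:
        return "step_up_pin"
    if risk_score >= policy.risk_step_up_score:
        return "step_up_pin"
    state.spent_since_pin += amount
    state.taps_since_pin += 1
    state.history.append(amount)
    return "approved"


def pin_verified(state: CardState) -> None:
    """A successful PIN closes the exposure window by resetting both counters."""
    state.spent_since_pin = 0.0
    state.taps_since_pin = 0


def simulate(policy: ContactlessPolicy,
             taps: List[Tuple[float, float]]) -> List[str]:
    """Run a sequence of (amount, risk_score) taps on a fresh card and collect outcomes.
    A step-up is recorded but not retried, so the tap does not count toward the caps."""
    state = CardState()
    return [authorise_tap(policy, state, amount, risk) for amount, risk in taps]


if __name__ == "__main__":
    # Constructed limits: capped issuer vs. an issuer that has removed fixed caps.
    capped = ContactlessPolicy(per_tap_limit=100.0, cumulative_limit=300.0,
                               max_taps=5, risk_step_up_score=0.8)
    uncapped = ContactlessPolicy(per_tap_limit=float("inf"),
                                 cumulative_limit=float("inf"),
                                 max_taps=10**9, risk_step_up_score=0.8)
    taps = [(90.0, 0.1)] * 4
    print("capped:  ", simulate(capped, taps))    # fourth tap trips the cumulative cap
    print("uncapped:", simulate(uncapped, taps))  # nothing but the risk score remains
```

With the caps in place the fourth tap above is forced to a PIN because the cumulative counter would exceed 300; with the caps removed the same sequence is approved outright, and only a high risk score can trigger a step-up.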


Open banking takes a different approach

Open banking payments invert that model.

Rather than adding authentication around the edges, authentication is embedded at the bank layer. A payment cannot occur unless the payer authenticates directly with their bank, using SCA methods the bank controls and evolves.

That distinction has practical consequences:

  • There is no stored credential to steal.
  • There is no silent replay of payment authority.
  • There is no concept of “card on file” in the traditional sense.
  • Each payment (or mandate) is explicitly authorised by the customer.

From a security architecture perspective, this is a fundamentally different trust model.


Why this matters more as limits rise

As contactless limits increase or disappear entirely, card payments increasingly rely on risk tolerance rather than hard security boundaries.

Issuers will:

  • raise thresholds for low-risk customers,
  • rely more heavily on behavioural analytics,
  • intervene reactively rather than preventatively.

This is not a criticism; it is a rational response to the constraints of the card system. But it does mean that risk is managed probabilistically, not deterministically.

Open banking, by contrast, is deterministic at the point of authorisation. A payment either has SCA or it does not.


The recurring payments problem

Nowhere is this difference clearer than in recurring payments.

Cards on file attempt to square the circle by treating an initial authenticated transaction as permission for future debits. Over time, this leads to:

  • credential expiry and reissue churn,
  • rising fraud exposure,
  • customer confusion about what they’ve authorised,
  • operational overhead in disputes and chargebacks.

Direct Debit solves recurrence, but at the cost of flexibility and modern UX.

This is where commercial variable recurring payments (cVRP), or, as we prefer to call them, Smart Debits, become interesting.


Smart Debit is the “bank-on-file” cards never had

cVRP allows a customer to authorise a bounded mandate, authenticated using SCA, within which payments can occur without repeated re-authentication.

Critically:

  • the bounds are explicit (amount, frequency, duration),
  • the mandate can be amended or revoked,
  • and the authority lives with the bank, not the merchant.

From a security standpoint, this is closer to “bank-on-file” than “card-on-file”, without inheriting the card system’s structural weaknesses.
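The following is an added example (not Asima's code and not any bank's or scheme's actual mandate API) of what bank-side enforcement of a bounded, SCA-authorised mandate looks like. The mandate fields, the period vocabulary ("day"/"month"), the mandate identifier and the limit values are all constructed for illustration. It shows the deterministic property described above: each payment is either inside the explicit bounds (amount, frequency, duration) of an authenticated, unrevoked mandate or it is not, and amending the bounds is itself a customer action that needs fresh SCA rather than something the merchant can do.

```python
from dataclasses import dataclass, field
from datetime import date, datetime
from typing import List, Optional, Tuple


@dataclass
class Mandate:
    """A cVRP-style mandate as the bank would hold it. Field names are constructed."""
    mandate_id: str
    max_per_payment: float
    max_per_period: float
    period: str                    # "day" or "month" (constructed vocabulary)
    valid_from: date
    valid_to: date
    sca_authenticated: bool = False  # set by the bank once the payer completed SCA
    revoked: bool = False
    payments: List[Tuple[datetime, float]] = field(default_factory=list)


def _period_key(period: str, when: datetime):
    """Bucket a timestamp into the mandate's frequency window."""
    if period == "day":
        return when.date()
    if period == "month":
        return (when.year, when.month)
    raise ValueError(f"unknown period: {period}")


def spent_in_period(m: Mandate, when: datetime) -> float:
    key = _period_key(m.period, when)
    return sum(a for t, a in m.payments if _period_key(m.period, t) == key)


def authorise_payment(m: Mandate, amount: float, when: datetime) -> Tuple[bool, str]:
    """Bank-side decision for one payment under the mandate.

    Returns (approved, reason). Every branch is a hard bound taken from the
    SCA-authorised mandate; there is no risk score to tune and no merchant-held
    credential involved. Approved payments are recorded against the period cap.
    """
    if not m.sca_authenticated:
        return (False, "mandate_not_authenticated")
    if m.revoked:
        return (False, "mandate_revoked")
    if not (m.valid_from <= when.date() <= m.valid_to):
        return (False, "outside_validity_window")
    if amount <= 0:
        return (False, "invalid_amount")
    if amount > m.max_per_payment:
        return (False, "exceeds_per_payment_limit")
    if spent_in_period(m, when) + amount > m.max_per_period:
        return (False, "exceeds_period_limit")
    m.payments.append((when, amount))
    return (True, "approved")


def revoke(m: Mandate) -> None:
    """The customer withdraws authority at the bank; no merchant action is needed."""
    m.revoked = True


def amend(m: Mandate, *, max_per_payment: Optional[float] = None,
          max_per_period: Optional[float] = None,
          sca_reauthenticated: bool = False) -> bool:
    """Change the bounds. Refused unless the customer re-authenticated for this change."""
    if not sca_reauthenticated:
        return False
    if max_per_payment is not None:
        m.max_per_payment = max_per_payment
    if max_per_period is not None:
        m.max_per_period = max_per_period
    return True


def demo_mandate() -> Mandate:
    """Constructed sample mandate: at most 50 per payment, 120 per calendar month, during 2025."""
    return Mandate("mdt-demo-001", 50.0, 120.0, "month",
                   date(2025, 1, 1), date(2025, 12, 31), sca_authenticated=True)


if __name__ == "__main__":
    m = demo_mandate()
    for when, amount in [(datetime(2025, 3, 1, 9), 40.0), (datetime(2025, 3, 10, 9), 40.0),
                         (datetime(2025, 3, 20, 9), 40.0), (datetime(2025, 3, 25, 9), 10.0),
                         (datetime(2025, 4, 1, 9), 10.0), (datetime(2025, 4, 2, 9), 60.0)]:
        print(when.date(), amount, authorise_payment(m, amount, when))
```

The fourth payment in the demo is refused because March's 120 cap is already used up, the fifth succeeds because April is a new period, and the sixth is refused for exceeding the per-payment bound; none of those outcomes depends on a model's confidence.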

The FCA has acknowledged that VRPs are now a meaningful and growing part of open banking usage, accounting for a material share of open banking payments¹.


Considering Smart Debits for your business?

cVRP is not a feature you “switch on”. It introduces new questions around mandate design, scheme alignment, observability, security and operational resilience.

We’ve published an ungated Smart Debits (cVRP) procurement checklist covering the key questions larger retailers, platforms and fintechs should ask before choosing a supplier.

The Asima view: security architecture shapes UX

The debate about contactless limits risks becoming a superficial one about speed versus safety. The more important question is where authentication belongs.

Card payments place it at the edge.
Open banking places it at the core.

As contactless caps rise, the card ecosystem will continue to add controls to compensate. That’s necessary, but it’s also a signal that the underlying model has limits.

For Asima clients, particularly larger retailers and fintech platforms, the strategic opportunity is not to replace cards overnight, but to:

  • reduce reliance on stored credentials,
  • shift recurring and predictable payments onto consent-based account-to-account (A2A) rails,
  • and design payment journeys where security and UX reinforce each other rather than trade off.

cVRP is not a silver bullet. But it is the first recurring payment model where strong authentication is not an afterthought.


Closing thought

The FCA’s contactless decision doesn’t weaken security. It simply makes explicit how much work the card system does to manage risk.

Open banking starts from a different premise: authenticate first, then move value.

As payment limits rise and fraud pressure persists, that distinction will matter more, not less.


Footnotes

¹ Financial Conduct Authority. Greater flexibility to be given for setting future contactless limits. December 2025.

Kieron James