Warning: control features on card critical flaw


Dear all, please don’t rely on the “block online CNP transactions” feature in the Starling app. It is critically flawed.
If the merchant has set up a recurring payment such as a subscription (Netflix or Spotify for example) it will punch right through the lock as if it was not there. It should be noted that I am not talking about a payment for a service rendered in the past (as CPS were envisaged as being for) but a payment for a future service, one which may be uncontracted such as the above or perhaps a pay as you go gym. So be warned: the application of the online lock on your card in no way prevents all and sundry from debiting your card account, and you are totally on your own getting your money back.


Hi Neil,

I was never under the impression the security controls would block recurring card payments, for example Netflix.

@sarah.guha can you clarify?


Well, it says online transactions and they are that. Set up online, processed online. They are not swiped, contactless or EMV chip and PIN… If classes of online transactions or merchants that have set up CNP recurring transactions are to be allowed to punch through such locks then it should be clearly stated. I wonder if even a complete card freeze would stop them?


So what did the in app support say?


Yes, Neil, have you raised this directly with Customer Services?


I don’t see this as a bug. In my mind a card lock is to prevent unexpected transactions from happening when you lose the card, not the case of existing subscriptions.


I can see your point, but it said “block online transactions” and it fails to do that. Look up the definition of “to block”, and it does not meet that. If I block online transactions I want ALL transactions blocked, or to be TOLD explicitly which ones will still work.


Have you raised this with Customer Services?


Yes, I was told I am on my own, that I should talk to the merchant; it’s not a bank problem. My point that if the card is locked for online then a merchant can bypass that was dismissed by the agent.


Chances are, though I don’t know enough to confirm, that CNP is flagged as a different kind of transaction to a “true” online transaction. It would be good, however, to get proper clarification.


Not quite sure it allows “all and sundry” access, you will have authorised these parties to take the money. If you want to try and block a payment which you have authorised you should be following the instructions to cancel a recurring payment.

Maybe we can get a real world example of how someone took money in this way and they weren’t meant to have it authorised?


I have to agree with you in that there should be full explanations included in pop-ups in app for the locking features. As a consumer it’s often not clear how a transaction is actually processed, particularly online. Some websites will perform a standard online auth whereas others will actually do a card not present or offline auth. Unless you understand payment processes you would have no idea when you entered your details online that the transaction was going to be anything but an online payment.


Why not? Unless I’ve authorised this as a direct debit then I would expect it to be authorised as an online transaction each month as required?


Continuous Payment Authority is different to a one-off Card Not Present transaction. You have given authority for repeat or regular charges, and you are contractually obliged to cancel through the merchant, with the bank only stepping in should the merchant fail to comply with your request.

The bank’s ability to cancel certain transactions shouldn’t be used to try and wriggle out of contractual obligations.

I therefore would not expect such transactions to be covered by a card freeze, and could imagine this being abused by some account holders if it is possible.


I would have assumed the same, although my explanation would not have been quite as thorough (due to lack of actual knowledge!)

Question (which I’m sure I could google, but you seem to know more at times): I am assuming this is the same for all cards/banks?

If I cancelled my HSBC debit card (lost/stolen), yet had recurring payments set up (Netflix/Amazon etc.), would they still come out automatically? Which I guess is the exact same situation here… just with a legacy bank (not sure why it would be any different…).


I know that if you cancel your card or it naturally expires it will not take payment as that card is not actually valid anymore (not sure about freezing though), as this has happened to me with Netflix.


Do Netflix regard it as a recurring payment though or just charge you monthly with whatever card is on the account?


This is a good article I’ve just read.

Basically… any recurring online payment which is not a Direct Debit or Standing Order is a CPA (Continuous Payment Authority), which allows the company to take payment whenever they think they are owed.


My knowledge of the card schemes rules and technical parameters is a bit dated now, but it is quite complex.

There are sometimes different rules for different merchant types, e.g. public transport.

There are also a large number of 4-digit merchant type codes, so for example a bank should (if merchant accounts/terminals are properly set up/configured) be able to tell if fuel was bought from an Automated Fuel Dispenser (pay at pump) or a regular fuel pump.

The merchant data includes a number of different codes so it may be that there is a code indicating if it is a one off or continuous authority, but as I am currently dosed up to the eyeballs with pain killers I won’t be searching just yet. However, my experience with the bunq banking app leads me to believe there is!

I know the issue of Continuous Payment Authorities came up at another fintech and if I recollect correctly there was some discussion of the responsibility of banks in this regard. While the FCA gave instructions to the big high street banks on how cancellations should be handled, I am not sure if these instructions applied to smaller banks as well.

Big banks were asked to enable customers to be able to cancel their continuous payment authorities, even if no action had been taken to do so by the merchant.

Now it may be that such an instruction would be verbal; however, I see a technical solution. Why not be able to click on a transaction and select an option to cancel/reject further payments from that merchant?

In the bunq bank app, card transactions at POS (e.g. chip and PIN) have a terminal icon and they do not have any menu options regarding future recurring payments.

Other card payments appear as Online transactions and have a globe icon. These transactions have an option to edit future payments. So it may be possible to introduce something along these lines.

Here is a screenshot of their app, illustrating how they handle these payments:
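As an added illustration of the disagreement in this thread (this is example code written for this page, not Starling’s or bunq’s authorisation logic), the toy policy engine below puts the two readings of “block online transactions” side by side. The naive policy matches the lock only against one-off e-commerce charges, so a merchant-initiated recurring CPA instalment is never examined and passes straight through; the hardened policy treats the lock as deny-by-default for the whole card-not-present class, makes any recurring exception explicit and per merchant, and adds the “click a transaction, stop further payments from this merchant” control suggested above. The field names (`channel`, `recurring`, `merchant_id`) and the sample transactions are simplified assumptions for illustration, not the card schemes’ real data elements.

```python
"""Toy card-control authorisation policies (added example, not bank code).

Two readings of a "block online transactions" switch:
  * authorise_naive    - lock only checks one-off e-commerce; recurring CPA
                         charges are never examined (the flaw reported above)
  * authorise_hardened - lock is deny-by-default for every card-not-present
                         charge; exceptions are explicit and per merchant,
                         and a cancelled CPA stays cancelled

Field names and sample data are assumptions for illustration only.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Transaction:
    merchant_id: str
    channel: str        # assumed labels: "pos_chip_pin", "contactless", "ecommerce"
    recurring: bool     # assumed flag: True = merchant-initiated CPA instalment
    amount_pence: int


@dataclass
class CardControls:
    block_online: bool = False
    frozen: bool = False
    allowed_recurring_merchants: Set[str] = field(default_factory=set)
    stopped_merchants: Set[str] = field(default_factory=set)


Decision = Tuple[str, str]  # ("approve" | "decline", reason)


def authorise_naive(tx: Transaction, c: CardControls) -> Decision:
    """Flawed policy: 'block online' is matched only against one-off
    e-commerce charges, so recurring charges punch through the lock."""
    if c.frozen:
        return "decline", "card frozen"
    if c.block_online and tx.channel == "ecommerce" and not tx.recurring:
        return "decline", "online transactions blocked"
    return "approve", "no control matched"


def authorise_hardened(tx: Transaction, c: CardControls) -> Decision:
    """Hardened policy: the lock covers the whole card-not-present class;
    a recurring charge passes only if the customer allowed that merchant."""
    # A cancelled CPA is refused regardless of other settings; a fresh
    # one-off purchase at the same merchant is still the customer's choice.
    if tx.recurring and tx.merchant_id in c.stopped_merchants:
        return "decline", "customer cancelled this continuous payment authority"
    if c.frozen:
        return "decline", "card frozen"
    if c.block_online and tx.channel == "ecommerce":
        if tx.recurring and tx.merchant_id in c.allowed_recurring_merchants:
            return "approve", "recurring payment explicitly allowed by customer"
        return "decline", "online transactions blocked (includes recurring)"
    return "approve", "no control matched"


def stop_future_payments(c: CardControls, tx: Transaction) -> None:
    """The 'cancel further payments from this merchant' control: record the
    stop against the merchant and drop any earlier recurring allow-list entry."""
    c.stopped_merchants.add(tx.merchant_id)
    c.allowed_recurring_merchants.discard(tx.merchant_id)


def run(policy: Callable[[Transaction, CardControls], Decision],
        txs: List[Transaction], c: CardControls) -> Dict[str, str]:
    """Apply one policy to a batch of transactions; merchant -> decision."""
    return {tx.merchant_id: policy(tx, c)[0] for tx in txs}


# Constructed sample month of card activity (not real data).
SAMPLE: List[Transaction] = [
    Transaction("NETFLIX", "ecommerce", True, 1099),    # subscription (CPA)
    Transaction("SPOTIFY", "ecommerce", True, 999),     # subscription (CPA)
    Transaction("BOOKSHOP", "ecommerce", False, 2350),  # one-off online purchase
    Transaction("COFFEE", "pos_chip_pin", False, 310),  # in-store chip and PIN
]

if __name__ == "__main__":
    lock = CardControls(block_online=True)
    print("naive:   ", run(authorise_naive, SAMPLE, lock))
    print("hardened:", run(authorise_hardened, SAMPLE, lock))
    open_card = CardControls()
    stop_future_payments(open_card, SAMPLE[0])
    print("after stop:", authorise_hardened(SAMPLE[0], open_card))
```

With the online lock on, the naive policy approves both subscriptions and declines only the one-off purchase, which is exactly the behaviour the original post complains about; the hardened policy declines all three card-not-present charges until the customer adds a merchant to the recurring allow-list, and the per-merchant stop refuses further instalments even with no lock set.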


Here is what you are looking for…probably good news to many:

“Customers can generally cancel a CPA* with the merchant as well as with their bank, although they are still responsible for any money they owe. The FSA** became responsible for the rules around cancelling CPAs in November 2009 with the introduction of the Payment Services Regulations; under the rules banks must cancel any CPA so long as properly instructed to do so by the customer.”

  • * CPA: Continuous Payment Authority
  • ** FSA: Financial Services Authority

NB: The FSA has since been replaced by the FCA and PRA!

The FCA assessed firms’ processes and procedures in mid-2012 and followed this in early 2013 by testing outcomes for consumers who had asked their bank to cancel a CPA.

The FCA has worked with approximately 90% of the debit card market and a number of major credit card issuers on this issue - first looking at processes and procedures and then customer outcomes.

By 2012 most banks tested had processes and procedures that confirmed a customer’s right to cancel with them. However there were some inconsistencies in the actions that banks took following cancellation notices and therefore some consumers would not have been able to stop a CPA with their bank.

When the FCA tested individual outcomes in early 2013, of approximately 40,000 notifications assessed, around 70% were found to result in a successful stop. Where a cancellation notice did not result in a successful stop most firms provided a refund.

The FCA noted cases of customers not getting a refund if a payment was made and cases of customers being unable to stop payments to payday lenders. Where the FCA found these instances it intervened to ensure that the banks involved changed their processes. Customers of these banks should now be able to stop payments to payday lenders and receive refunds if payments are taken after cancellation notices.

Payments of over £7.5 billion are made each year through CPAs with each transaction worth on average £45; for payday loans the average is £80.