Skip to main content

Strong Customer Authentication

Changes to Online Banking

We're developing our Online Banking and mobile app which will change how you bank. This is in line with new regulations which affect all banks. We started making these changes last year and are continuing to put them in place.

What is Strong Customer Authentication?

From 14 March 2020, a new EU regulation meant that all banks needed to provide an extra level of security for their customers – it's called 'Strong Customer Authentication'.

This means more protection for you when you’re shopping and banking online, and will require extra checks to prove it is really you. This will help keep you safer from digital fraud.

What is changing?

In line with new regulations, you’ll see additional security checks to confirm it is you when you:

  • log in to Online Banking
  • make certain payments
  • make some changes to your account, such as setting up a payee.
When are these changes happening?

Business Online Plus, Commercial Online Banking and mobile app: We’ve already added an extra security step to logging in, dealing with payments and making changes to your account.

Online Banking: We’ve already added a layer of security to your login. We’ll be making payments and account changes even more secure between May and July 2021.

Will it change how I log in to Online Banking?

We're using different ways to make sure it's you trying to log in.

Online Banking and mobile app customers will need a one-time passcode (OTP) to log in. We’ll send this by text message to the UK phone number saved on your account.

It’s really important that we have your up-to-date mobile number to make sure you get the code. We can only send text messages to UK mobile numbers so you won’t receive the code unless your number is a UK one.  

To check the number we have, go to the 'personal details' section of your Online Banking, or ‘my details’ in your mobile app. If you need to change your details, you can call us anytime on 0345 0808 500 or visit your local store.

Business Online Plus and Commercial Online Banking customers will need to use their security device to generate an eight-digit security passcode, or accept a push notification using the Metro Bank Authenticator app. – you’ll find more details in the section below.

Why is it needed to make Online Banking more secure?

Passwords are the usual way of proving you are who you say you are, but they can be guessed or stolen by fraudsters. So we're adding another layer of security to check it really is you.

What are you doing to make it more secure?

There are different ways you can prove it’s you:

  • ‘Something you know’ – this is a piece of secret information that only you know, like your password or passcode
  • ‘Something you have’ – this is a device you own, such as your mobile phone if you’re a personal customer or your security device or your Metro Bank Authenticator app if you’re a business customer
  • ‘Something you are’ – this is something that is unique to you, such as your fingerprints or face ID

You’ll need to provide two of these to prove it’s you. This is known as 'two-factor authentication' or ‘2FA’.

What are one-time passcodes (OTPs)?

These are codes which you need for login and are sometimes used to authorise some transactions or account changes made on Online Banking, or some card purchases.

Your one-time passcode (OTP) is a secure key to your account, helping to stop anyone but you authorising transactions, making changes to your account or making purchases with your card.

We’ll send a text message with an OTP to the UK phone number saved on your account. Each OTP will be unique to a single transaction, and you’ll need to enter the code into your Online Banking, mobile app or as part of an online purchase, so that we know it is you.

If you use Commercial Online Banking or Business Online Plus, you’ll need to use your security device to generate an OTP or accept a push notification using the Metro Bank Authenticator app

Please always review the full text message when you receive your OTP, and check it has the correct details for your transaction.

You will not be charged for receiving an OTP.

When will I need to use an OTP?

We will use OTPs for certain types of transactions where we need increased security, such as paying somebody new, paying or transferring large amounts, ordering a new card, changing your address or making some online card purchases.

What should I do if I receive an unexpected OTP?

If you receive an OTP you haven’t requested, it will be due to fraud. Don't share it with anyone on the phone, in person or online, and call us immediately on 0345 0808 500.

If someone phones unexpectedly and tells you to expect an OTP and to read it to them, it will be fraud – call us immediately on 0345 0808 500.

Here are some examples that fraudsters may use to try and persuade you to give them your OTP:

  • they need to send you a refund
  • they need to secure your account
  • they need to stop a payment

Visit the Fraud and Security section of our website for more details on identifying scams.

I keep receiving one-time passcodes that I haven’t requested – what should I do?

To find out why the TPP is accessing your account and to stop the OTPs being sent, you need to contact them. You can then withdraw your permission for them to access your account. You can also get in touch with us to reset your login details for additional security.

If you don’t think you’ve ever given consent for a TPP to access your account, or are receiving OTPs other than logins which you have not requested, it may be fraud. To protect your security, it is important to reset all of your login details as soon as you can – just give us a call on 0345 08 08 500 or visit one of our stores.

To find out why the TPP is accessing your account and to stop the OTPs being sent, you need to contact them.   You can then withdraw your permission for them to access your account. You can also get in touch with us to reset your log in details for additional security.

If you don’t think you’ve ever given consent for a TPP to access your account, or are receiving OTPs other than logins which you have not requested, it may be fraud. To protect your security, it is important to reset all of your log in details as soon as you can – just give us a call on 0345 08 08 500 or visit one of our stores.

What happens if I change my mobile number?

If you change your mobile number, you need to let us know. To do this, call us anytime on 0345 0808 500 or visit your local store.

Why are you adding these additional checks?

The extra layer of security makes it harder for fraudsters to target your accounts. All banks will have to provide these extra checks.

Do I need to do anything?

To make sure you're ready for these extra security checks, there are a few things you should do:

  • Make sure you have your mobile phone with you when log in to Online Banking
  • Check that we have your correct UK mobile phone number so that we can send you one-time passcodes. To check the number we have, go to the 'personal details' section of your Online Banking, or ‘my details’ in your mobile app. If you need to change your details, you’ll need to call us anytime on 0345 0808 500 or visit your local store.
  • When you log in, a pop-up message will appear asking you to ‘trust’ the device you’re using. If the device you are using is secure and not accessible to anyone else, you can choose to do this and it will improve your Online Banking journey.
  • Check any biometric data (like faces and fingerprints) which are stored on your device as these will be able to log in to your mobile app and make changes on your account.
How can I verify myself?

To verify yourself when you log in, make payments or pay for things online. You can:

  • have a text message with a one-time passcode (OTP) sent to the UK mobile you have registered with us.
  • use a device you have told us is trusted

Business and Commercial customers, you will also be able to use your security device, or your Metro Bank Authenticator app.

Commercial Online Banking and Business Online Plus customers

What else do I need to do if I am a Business or Commercial Banking customer?

Check that we have your correct mobile phone number by looking at the 'personal details' section of your Online Banking. You can find this by clicking the settings icon next to your name to open the 'User Profile' section.

You’ll need to use your security device or your Metro Bank Authenticator app to log in, make payments and some changes to your account.

If you don’t have a security device, please contact your Relationship Manager or email business.commercial.support@metrobank.plc.uk or visit a store to request one.

How do I set up my security device?

To get your security device up and running:

  1. Turn your device on by pressing OK
  2. Enter the default PIN 125473
  3. Enter a new six-digit PIN (this can’t be consecutive numbers or the same number repeated six times) and press OK
  4. When you see CONFIRM, enter your six-digit PIN again, then press OK

When you see COMPLETE, your PIN is set up

How do I use my security device?

For Business Online Plus and Commercial Online Banking customers, you will need to use your security device to generate an eight-digit security code to make a payment.

Here’s how:

  • Turn your device on by pressing OK
  • Enter your six-digit PIN you chose when you set up your device and press OK
  • When ‘Select App’ appears on the device, enter ‘1’
  • Enter the eight-digit security code the device generates into the ‘Code’ field on screen

A confirmation message will show up if you’ve entered the passcode correctly.

What do I do if I’m locked out of my security device?

If you have entered your PIN incorrectly too many times, you’ll need to call us on 0345 0808 508 and have your 12 digit customer number to hand.

What do I do if Online Banking doesn’t accept my OTP?

If you’ve entered OTPs too many times without using them, Online Banking will no longer accept any OTPs your device generates. You’ll need to call us on 0345 0808 508 and have your 12 digit customer number to hand.

Metro Bank Authenticator app

What is the Metro Bank Authenticator app?

It’s an app you can use instead of your security device to prove it’s you when logging in or making changes on your Business Online Plus and Commercial Online Banking. You can use the app to:

  • log in using a different device or browser
  • make certain payments
  • make admin preference/access changes

The app is only available to those with a UK mobile number.

When will I be able to download the Metro Bank Authenticator app?

The app will be made available to customers gradually from 24 May. You’ll see a prompt on your Online Banking screen telling you when it’s available for you to download.

Do I need a certain device to use the Metro Bank Authenticator app?

Yes, you need to have:

  • an Android or Apple iOS device*
  • a UK-registered mobile number

* Not currently compatible with Huawei P40 or LG 5 devices.

How do I register for the Metro Bank Authenticator app?

Once you’ve logged into Online Banking and downloaded the app, you’ll need to follow the instructions on the screen to register it.

You’ll need to have phone network signal or an internet connection.

Note: If you have downloaded the app and are having trouble scanning your QR code, close your app and try again.

How do I use my Metro Bank Authenticator app?

If your phone has network signal, and you have allowed push notifications:

  1. A push notification will be sent to your device.
  2. Tap the notification and enter your passcode or use your Face or fingerprint ID to access the app.
  3. Tap ‘Approve’ to authorise the action, and if it’s successful a confirmation message will show up.
  4. A screen will show on Online Banking confirming that you’ve successfully authenticated.

If you haven’t allowed push notifications:

  1. Open the app
  2. Log in with your Face or fingerprint ID or pin
  3. You will see an authorisation for you to approve or decline
  4. Tap ‘Approve’. If it’s successful, a confirmation message will show up.
Can I use my Metro Bank Authenticator app when I’m not connected to the internet and I don’t have network signal?

Yes, but you must have your Face or fingerprint ID enabled in the app to use the app this way.

To log in, and make changes and payments:

  1. Click ‘Didn’t receive a notification’ on your Online Banking screen
  2. Open the Authenticator app and log in with Face or fingerprint ID
  3. Choose what you want to do e.g. Log in, Payment, Make Changes
  4. Authorise with Face or fingerprint ID again
  5. A one-time passcode with a 30-second limit will be generated for you to enter on your Online Banking screen
  6. Enter the passcode and click ‘Next’. If it’s successful, a confirmation message will show up.
  7. For payments offline authentication you will need to scan the QR code shown on your Online Banking screen. A one-time passcode will pop up which you’ll need to enter on your Online Banking screen, and then click ‘Next’. If it’s successful, a confirmation message will show up. If you can’t scan QR codes, you’ll need to wait until you’re back online.

Note: if you’re authenticating offline because you don’t have network signal, it’s likely that when you have internet, expired push notifications will come through on your device – you can ignore these. If you tap on the push notifications, you shouldn’t be asked for approval again.

What do I do if I haven’t received a push notification?

If you haven’t received a push notification, you can get one manually by following the steps under ‘How do I use my Metro Bank Authenticator app?’

What do I do if I’ve forgotten my PIN for my Metro Bank Authenticator App, my device has been lost/stolen or I’m locked out?

You can re-register for the app through your Online Banking. Please delete the app from your device before you start the re-registration process.

If you haven’t trusted your browser, log into Online Banking where you will be asked to use your Authenticator app. If you aren’t able to access it, click on the link on the right-hand side to re-register.

If you have trusted your browser, log into Online Banking and try to do something which needs your Authenticator app (this could be making a change or a payment). Click on the link on the right-hand side when the pop-up appears and follow the re-registration steps.

Who should I contact if I think my Metro Bank Authenticator app has been hacked?

Please call us on 0345 08 08 508 or visit the Fraud and Security section on our website.

Can I use the Metro Bank Authenticator app and my security device?

No, you can only use one or the other. Once you successfully register for the app, you won’t be able to use your security device.

Can I have the Metro Bank Authenticator app on more than one device?

No, you can only use the app on one device.

Can I switch back to my security device?

Yes, please get in touch with your Relationship Manager, call us on 0345 0808 508, or visit your local store to have your app de-registered. If you haven’t got your old security device, we’ll send you a new one. You won’t be able to use your security device until a colleague has confirmed that your app has been de-registered.

What happens if I enter my app-generated passcode into Online Banking incorrectly?

If you enter any of your security details incorrectly you may be locked out of your Online Banking to keep your accounts safe.

Please call us on 0345 0808 508 or visit your local store so we can help.

Do I have to pay for the Metro Bank Authenticator app?

No, the app is completely free to download and use. 

How do I enable Face or fingerprint ID on my device?

It depends on the device you’re using, but you’ll usually find it in the ‘Settings’ section. Here are the steps for Apple iOS and Android:

For Apple iOS:

  1. Tap the Settings icon
  2. Scroll down and tap ‘Touch ID & Passcode’
  3. Tap ‘Add a Fingerprint or Face ID’
  4. Follow the instructions on screen.

For Android:

  1. Tap the Settings icon
  2. Tap ‘Lock screen and security’/ Security & lock screen on android 11
  3. Scroll down and tap ‘Screen lock type’
  4. Follow the instructions on your screen to add your fingerprint or Face ID.