Citi Security Centre - Security Update

Security updates

Warning about Investment Scams

We have become aware of attempts to impersonate Citibank UK Limited and Citigold Wealth Management through emails, cold calls and fake websites purporting to represent Citi. These fraudsters are sophisticated and in some instances are replicating our genuine product and service documentation.

The caller now has access to your online account and all features, including making payments.

Here are some ways in which to identify Investment Scams:

  • You have come across a website offering Citi investment products, or have been approached by email (not from our domain), cold call or text message offering an investment opportunity. The offer seems too good to be true: high return with low risk.
  • Fraudsters may try to rush or pressurise you into making decisions, saying that you need to act now or you will miss out. A legitimate company would never force you into making a decision regarding your investments or wealth.
  • You may be asked to pay or transfer money by online payments or wire transfer to an unknown beneficiary

If you’re suspicious about an investment or opportunity then please contact us immediately via or 0800 00 55 00

In order to protect yourself, please remember:

  • We would never cold call, email or text you to offer an investment opportunity out of the blue.
  • In order to make an investment with Citibank UK Limited, you need to have an account with us. We would always open an account face to face, not over the phone or via email.
  • We would only email you using our “” domain and we do not use any variations of this.
  • We would never promise a low risk investment for a high return.

Please visit this website to learn more about Investment Scams and how they operate:

Please also take FCA’s quick Scam Smart Test:


New Citi security SMS

We will alert you by SMS if we identify suspicious activity on your debit card purchases.

We'll only ever ask you to reply to an SMS that has been sent from either 63363 or +447860065121.


Payment Services Directive 2 (PSD2)

Further changes resulting from the European Union’s Payment Services Directive 2 (PSD2) are coming into effect on 14 March 2020. These changes are designed to better protect you when you make payments and access your transaction details. Please be aware that additional changes will come into effect later in 2020 and in 2021 and we will write to you in advance detailing those changes.

What does it mean for Citi clients?

This means there will be extra levels of security when you take certain actions related to making payments and accessing your information.

What changes should I expect?

Some of your transactions may require additional levels of security

The new Strong Customer Authentication (SCA) requirements will have an impact on the way you transact on your account. They will require a higher level of authentication (authorisation by you) for certain types of transactions, e.g. where you are paying someone you have never paid before. This includes the introduction of two-factor authentication and generation of an authentication code for certain transactions. A factor can be one of the following options:

Knowledge: Something only you know (e.g. your Citi Unlock Code)

Possession: Something only you have (e.g. your Mobile phone)

Inherence: Something unique to you (e.g. your Fingerprint)

Two different factors will be required to make certain types of transaction. For example, when you are using the Citi Mobile® UK App, your two-factor authentication will be Knowledge (your Citi Unlock Code) AND Possession (the presence of the app on your mobile phone).

An authentication code will be generated based on this two-factor authentication.

Changes to the way you transact on your account

Citi Mobile® Token – Push Notification on your mobile phone

If you have enabled Citi Mobile® Token with Push Notifications (a pop-up notification on your phone), you won’t need to enter an authentication code for your transactions. Instead, you will be asked to authenticate yourself within the app, and an authentication code will be generated and verified automatically. You will be asked to opt in for this feature when you open your Citi Mobile® UK App.

If you have not enabled Citi Mobile® Token with Push Notifications, you will be asked to authenticate manually by generating a code using Citi Mobile® Token or using an SMS One-Time Password (an “SMS OTP”).

If you receive an SMS OTP, this will include the payee nickname and transaction amount in order to provide greater clarity on which transactions the OTP is being used to verify.

You will no longer be able to complete a transaction with just your signature.

As Citi Debit Cards have chip functionality, you will no longer be able to complete a transaction using your signature where the payment machine is chip-enabled. Instead, you must authenticate using your PIN.

Extra levels of security for your contactless payments

Occasionally you will be asked to put your card into a payment machine and provide your PIN, rather than using the contactless option. This is an extra level of security to ensure it is you that is using your card. We may ask you for your PIN on the sixth contactless payment. There are some types of payments that are not included in this change (e.g. unattended terminals).

To better improve your contactless payment experience, we will be issuing new cards to a number of clients over the coming months. We will notify you if this is relevant to your card.

Changes to the way you access your account online

Additional security measures for accessing transactions.

Every 90 days we will ask you to authenticate yourself using either the Citi Mobile® Token or SMS OTP when logging in to Citi Online or your Citi Mobile® UK App.

Within these 90 days, we will be able to provide you access to your balance and transactional information up to 90 days old without continuing to ask for verification. If you want to access transactional information older than 90 days, we will ask you to authenticate yourself using either the Citi Mobile® Token or SMS OTP.

Depending on the actions you are taking on your account we may ask you to authenticate yourself at other times.

Third party payment service provider (TPP) and their permissions when accessing your account

A TPP can allow you to view your accounts with us and other banks in one place as well as allowing you to make payments directly from your account. TPPs can only access your account information and make payments from your account with your permission. If you allow a TPP access, we will treat an instruction from a TPP as if it was from you.

TPPs have to be authorised by the UK’s Financial Conduct Authority (FCA) or another European Regulator before they are allowed to access your account. TPPs are also required to comply with the PSD2 requirements by 14 March 2020 and this will change the way in which they can access your account. Where a TPP is not compliant, we are not able to permit them to continue accessing your account in the same way they used to and you may receive unexpected SMS OTPs during this time. In order to prevent these SMS OTPs from occurring, the best thing you can do is contact your TPP to remove their access.