Are we required to notify our debit card customers about their ability to opt out of the Visa Account Updater (VAU) program that Visa requires us to implement in October 2017? This program requires us to notify Visa when a cardholder’s account information changes, so that merchants who have an existing relationship with the cardholder can continue to process recurring payments without an interruption in service. We are required to participate in the program, but customers may opt out. There are no customer fees or other changes associated with this new program. Also, because this is an information-sharing issue, we want to make sure we will not violate any privacy laws if we do not notify our existing cardholders about the new service and opt-out option.

We are not aware of any federal or Illinois law that would require you to provide notice about the VAU program and opt-out option to your debit card customers, although we believe it may be prudent to do so.

Regulation E requires debit card issuers to notify customers about changes to certain terms and conditions, such as the circumstances under which the financial institution may provide customer account information to a third party. However, notice is required only when such a change will result in increased fees or customer liability, fewer types of available electronic fund transfers, or stricter limitations on the frequency or dollar amount of transfers, none of which appear to be the case here.

Also, we do not believe state or federal privacy laws require you to notify customers about the VAU program or the opt-out option. Regulation P generally prohibits a bank from sharing nonpublic personal information about a consumer with a nonaffiliated third party, unless the customer has been provided the opportunity to opt out. The Illinois Banking Act and Savings Bank Act include similar limitations on sharing customer information.

However, both laws create an exception for disclosing information “necessary to effect, administer, or enforce a transaction” that a customer authorizes. For example, a disclosure is exempt if it is “required, or is a usual, appropriate or acceptable method . . . to carry out the transaction” or is “in connection with . . . the authorization, settlement, billing, processing, clearing, transferring, reconciling or collection of amounts charged, debited, or otherwise paid using a debit, credit, or other payment card . . . .”

Here, your bank is required to participate in the VAU program, through which your bank must provide customer account updates to a Visa database, which will be used by merchants who have been authorized to process your customers’ recurring payments. Without the updates, the merchants would not be able to process the authorized payments. In our view, then, these updates are required to carry out customers’ authorized recurring transactions, and would be executed in connection with the “authorization, settlement, billing, processing, clearing, transferring, reconciling or collection” of their recurring card payments. Consequently, we believe the VAU program fits within this exception to the state and federal privacy laws.

Despite the privacy law exceptions, though, some customers may perceive the program as a violation of privacy — or simply may not want to take advantage of the program. Consequently, although not expressly required, there are practical reasons to notify your existing customers about the VAU program and of their right to opt out, and also to include the opt-out right in your new account agreements going forward. We found some examples of other banks’ notices that include a description of the VAU program and the customer’s right to opt out. One example is included in our resources below.

For resources related to our guidance, please see:

  • Visa Account Updater For Merchants (“Visa card issuers submit electronic files with updates to Visa when a cardholder’s account information changes. Such updates could result from a product upgrade, a portfolio conversion between Visa issuers or from MasterCard, American Express, or Discover to Visa, card expiration, loss or theft, account closure or other changes.”)
  • Visa Account Updater For Merchants (“A few days prior to billing, participating merchants submit account numbers through their acquirers for customers with whom they have a card-on-file or ongoing payment relationship. Alternatively, the acquirer may initiate such inquiries on behalf of the merchant. The acquirer submits the data to VAU, which processes inquiries against its database and responds with updates. . . . VAU responses are forwarded to the requesting merchants, who must then update accounts on file before requesting an authorization. Visa will only respond to specific data elements within an inquiry file from a qualified merchant. Responses include account number updates, expiration date updates, closed-account advices and contact-cardholder advices.”)
  • Regulation E, 12 CFR 1005.7(b)(9) (“A financial institution shall provide the following disclosures, as applicable: . . . The circumstances under which, in the ordinary course of business, the financial institution may provide information concerning the consumer’s account to third parties.”)
  • Regulation E, 12 CFR 1005.8(a)(1) (“A financial institution shall mail or deliver a written notice to the consumer, at least 21 days before the effective date, of any change in a term or condition required to be disclosed under § 1005.7(b) of this part if the change would result in: i. Increased fees for the consumer; ii. Increased liability for the consumer; iii. Fewer types of available electronic fund transfers; or iv. Stricter limitations on the frequency or dollar amount of transfers.”)
  • Regulation P, 12 CFR 1016.14(a) (“Exceptions for processing transactions at consumer’s request. The requirements for initial notice in §1016.4(a)(2), for the opt out in §§1016.7 and 1016.10, and for service providers and joint marketing in §1016.13 do not apply if you disclose nonpublic personal information as necessary to effect, administer, or enforce a transaction that a consumer requests or authorizes . . . .”)
  • Regulation P, 12 CFR 1016.14(b) (“Necessary to effect, administer, or enforce a transaction means that the disclosure is: . . . Required, or is a usual, appropriate or acceptable method: (i) To carry out the transaction . . . and record, service, or maintain the consumer's account in the ordinary course of providing the financial service or financial product . . . (vi) In connection with . . . The authorization, settlement, billing, processing, clearing, transferring, reconciling or collection of amounts charged, debited, or otherwise paid using a debit, credit, or other payment card, check, or account number, or by other payment means . . . .”)
  • Illinois Banking Act, 205 ILCS 5/48.1(b)(17) (“This Section does not prohibit: . . . (14) The disclosure of financial records or information as necessary to effect, administer, or enforce a transaction requested or authorized by the customer, or in connection with: (A) servicing or processing a financial product or service requested or authorized by the customer; (B) maintaining or servicing a customer’s account with the bank . . . .”)
  • Illinois Savings Bank Act, 205 ILCS 205/4013(c)(14) (“This Section does not prohibit: . . . (14) The disclosure of financial records or information as necessary to effect, administer, or enforce a transaction requested or authorized by the member or holder of capital, or in connection with: (A) servicing or processing a financial product or service requested or authorized by the member or holder of capital; (B) maintaining or servicing an account of a member or holder of capital with the savings bank . . . .”)