We issue MasterCard debit cards, and we received an email from our core processor that we have to participate in MasterCard’s Automatic Billing Updater (ABU) program. This service requires us to notify MasterCard when a cardholder’s account information changes, so that merchants who have an existing relationship with the cardholder can continue to process recurring payments without an interruption in service. We are required to participate in the program, but customers may opt out. We will review our privacy policies and account agreements, but what state privacy laws or notice requirements should we be aware of with respect to the ABU program?

We are not aware of any federal or Illinois law that would require you to provide notice about the MasterCard ABU program and opt-out option to your debit card customers, although we believe it may be prudent to do so.

Regulation P generally prohibits a bank from sharing nonpublic personal information about a consumer with a nonaffiliated third party, unless the customer has been provided the opportunity to opt out. The Illinois Banking Act includes similar limitations on sharing customer information. However, these laws create an exception for disclosing information “necessary to effect, administer, or enforce a transaction” that a customer authorizes. For example, a disclosure is exempt if it is “required, or is a usual, appropriate or acceptable method . . . to carry out the transaction” or is “in connection with . . . the authorization, settlement, billing, processing, clearing, transferring, reconciling or collection of amounts charged, debited, or otherwise paid using a debit, credit, or other payment card . . . .”

Here, your bank is required to participate in the MasterCard ABU program, through which your bank must provide customer account updates to a MasterCard database. The updated information in the database is passed on to merchants who have been authorized to process your customers’ recurring payments. Without the updates, the merchants would not be able to process the authorized payments. In our view, then, these updates are required to carry out customers’ authorized recurring transactions, and would be executed in connection with the “authorization, settlement, billing, processing, clearing, transferring, reconciling or collection” of their recurring card payments. Consequently, we believe the ABU program fits within this exception to the state and federal privacy laws.

Despite the privacy law exceptions, though, some customers may perceive the program as a violation of privacy — or simply may not want to take advantage of the program. Consequently, although not expressly required, there are practical reasons to notify your existing customers about the ABU program and of their right to opt out, and also to include the opt-out right in your new account agreements going forward. We found some examples of other banks’ notices that include a description of the ABU program and the customer’s right to opt out. One example is included in our resources below.

For resources related to our guidance, please see:

  • MasterCard Automatic Billing Updater (“The MasterCard Automatic Billing Updater ensures uninterrupted service for cardholders and uninterrupted payment for merchants. It seamlessly updates ‘card on file’ account information such as car rental agencies, without impacting cardholders.”)

  • MasterCard Automatic Billing Updater (“How the MasterCard Automatic Billing Updater Works Six Easy Steps 1. Participating issuers submit MasterCard account changes to the Automatic Billing Updater database. 2. Merchants who have registered for the program submit account number queries to their acquirers. 3. Acquirers submit these account queries to the MasterCard Automatic Billing Updater database. 4. MasterCard matches account queries to issuer submissions, then returns matches to acquirers. 5. Acquirers return matched account query records to the specific merchants. 6. Merchants can then update their billing files with the changed account information.”)

  • Regulation P, 12 CFR 1016.14(a) (“Exceptions for processing transactions at consumer’s request. The requirements for initial notice in §1016.4(a)(2), for the opt out in §§1016.7 and 1016.10, and for service providers and joint marketing in §1016.13 do not apply if you disclose nonpublic personal information as necessary to effect, administer, or enforce a transaction that a consumer requests or authorizes . . . .”)

  • Regulation P, 12 CFR 1016.14(b) (“Necessary to effect, administer, or enforce a transaction means that the disclosure is: . . . Required, or is a usual, appropriate or acceptable method: (i) To carry out the transaction . . . and record, service, or maintain the consumer's account in the ordinary course of providing the financial service or financial product . . . (vi) In connection with . . . The authorization, settlement, billing, processing, clearing, transferring, reconciling or collection of amounts charged, debited, or otherwise paid using a debit, credit, or other payment card, check, or account number, or by other payment means . . . .”)

  • Illinois Banking Act, 205 ILCS 5/48.1(b)(17) (“This Section does not prohibit: . . . (14) The disclosure of financial records or information as necessary to effect, administer, or enforce a transaction requested or authorized by the customer, or in connection with: (A) servicing or processing a financial product or service requested or authorized by the customer; (B) maintaining or servicing a customer’s account with the bank . . . .”)

  • Hastings City Bank, MasterCard ABU Notice