VISA Account Updater: Analysis of Opt Out Requirements under the Gramm-Leach-Bliley Act
By: Katherine Romano Schnack, Senior Compliance and Corporate Counsel
Visa has declared that its Visa Account Updater (VAU) service is mandatory for all card issuers. The service provides a channel for communicating changes to card and cardholder information to the parties in a Visa card transaction: the merchant, acquirer, and issuer.
There has been much discussion and confusion about whether a financial institution must provide an “opt out” option to its Visa cardholders. As discussed below, while there is no legal requirement to provide such an opt out option, financial institutions may choose to do so based on their business judgment.
An opt out is not required by the Gramm-Leach-Bliley Act or its implementing Regulation P because there are exceptions to the opt out requirement for sharing information necessary to process transactions authorized by the consumer, as set forth in Section 1016.14 of Reg P (Reg P Section 1016.14):
- Sec. 1016.14 Exceptions to notice and opt out requirements for processing and servicing transactions.
  - Exceptions for processing transactions at consumer’s request. The requirements for initial notice in §1016.4(a)(2), for the opt out in §§1016.7 and 1016.10, and for service providers and joint marketing in §1016.13 do not apply if you disclose nonpublic personal information as necessary to effect, administer, or enforce a transaction that a consumer requests or authorizes, or in connection with:
    - Servicing or processing a financial product or service that a consumer requests or authorizes;
    - Maintaining or servicing the consumer’s account with you, or with another entity as part of a private label credit card program or other extension of credit on behalf of such entity; or
    - A proposed or actual securitization, secondary market sale (including sales of servicing rights), or similar transaction related to a transaction of the consumer.
  - Necessary to effect, administer, or enforce a transaction means that the disclosure is:
    - Required, or is one of the lawful or appropriate methods, to enforce your rights or the rights of other persons engaged in carrying out the financial transaction or providing the product or service; or
    - Required, or is a usual, appropriate or acceptable method:
      - To carry out the transaction or the product or service business of which the transaction is a part, and record, service, or maintain the consumer’s account in the ordinary course of providing the financial service or financial product;
      - To administer or service benefits or claims relating to the transaction or the product or service business of which it is a part;
      - To provide a confirmation, statement, or other record of the transaction, or information on the status or value of the financial service or financial product to the consumer or the consumer’s agent or broker;
      - To accrue or recognize incentives or bonuses associated with the transaction that are provided by you or any other party;
      - To underwrite insurance at the consumer’s request or for reinsurance purposes, or for any of the following purposes as they relate to a consumer’s insurance: account administration, reporting, investigating, or preventing fraud or material misrepresentation, processing premium payments, processing insurance claims, administering insurance benefits (including utilization review activities), participating in research projects, or as otherwise required or specifically permitted by Federal or state law; or
      - In connection with:
        - The authorization, settlement, billing, processing, clearing, transferring, reconciling or collection of amounts charged, debited, or otherwise paid using a debit, credit, or other payment card, check, or account number, or by other payment means;
        - The transfer of receivables, accounts, or interests therein; or
        - The audit of debit, credit, or other payment information.
In addition to the exception for the opt out requirement in Section 1016.14, there are also exceptions in Section 1016.15 related to information disclosed to protect against or prevent actual or potential fraud, and also for required institutional risk control or for resolving consumer disputes or inquiries (relevant sections included below; the full section can be accessed at Reg P Section 1016.15):
Exceptions to opt out requirements. The requirements for initial notice in §1016.4(a)(2), for the opt out in §§1016.7 and 1016.10, and for service providers and joint marketing in §1016.13 do not apply when you disclose nonpublic personal information:
- To protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability;
- For required institutional risk control or for resolving consumer disputes or inquiries;
Since the Visa Account Updater service could fall under one or more of the GLB Act exceptions above for the opt out requirement, financial institutions are not legally required to offer an opt out to cardholders. However, consumers have already expressed dissatisfaction that their updated card information is shared with merchants, particularly in a recurring payment situation. Consumers claim that it is unfair for that information to be shared with merchants with whom they may not want to continue their recurring payment relationship. There is the potential for claims to be filed by consumers or the government under consumer fraud or unfair, deceptive, or abusive practices acts under state law and/or federal law. Because of this litigation risk, and to ensure a good customer service relationship with consumers, a number of financial institutions are choosing to offer an opt out option to cardholders. Visa only requires issuers to participate in the Visa Account Updater service but appears to allow individual cardholders to opt out of the service.
In conclusion, there is no legal requirement for credit unions to provide an opt out option from the Visa Account Updater service for Visa cardholders. Credit unions may choose to offer an opt out to cardholders for business reasons, including the potential for unfair, deceptive, or abusive acts and practices claims and to ensure member satisfaction.