ETD

Digital archive of theses defended at the Università di Pisa

Thesis etd-08252025-095941


Thesis type
Master's degree thesis
Author
JIRON, CARLA
URN
etd-08252025-095941
Title
Blacklisted by Algorithm: How AI Risk Scoring Leads to MATCH List Placements under the EU AI Act and GDPR
Department
GIURISPRUDENZA
Degree programme
DIRITTO DELL'INNOVAZIONE PER L'IMPRESA E LE ISTITUZIONI
Supervisors
supervisor Passaglia, Paolo
Keywords
  • Artificial Intelligence
  • Blacklist
  • EU AI Act
  • Financial Sector
  • GDPR
  • Mastercard
  • MATCH
Examination session start date
15/09/2025
Availability
Not available for consultation
Release date
15/09/2065
Abstract
This thesis examines Mastercard’s Member Alert to Control High-Risk Merchants (“MATCH”) list as a focal point for understanding how private financial regulation operates in the payment processing industry. While artificial intelligence (“AI”) systems do not power MATCH itself, it sits at the end of the decisions that are driven by it, which are operated by acquirers and payment facilitators and controlled by Mastercard. I argue that this process confers quasi-regulatory power upon Mastercard since they push for standards, supervise compliance through data-driven monitoring and impose sanctions and blacklisting, such as MATCH, which have effects that can be compared to public administrative action.
This thesis combines legal and comparative regulatory analysis expressed on Mastercard Rules and EU and US regulations. Also, mock cases are included, which are drawn upon my professional experience at a US-based law firm representing merchants and their principals seeking removal from MATCH placements to shed light on recurring fact patterns. These mock cases do not describe any single client or reveal privileged information. Instead, details are composed across repetitive patterns identified during my experience so that the legal mechanics are preserved while confidentiality is protected. The mock cases serve to make the analysis practical by showing how rules, evidence and remedies function in practice.
On the US side, the ECOA/Regulation B and not FCRA governs merchant credit decisions, and I mention several financial and state-specific regulations that can be taken into account when considering MATCH placements and the reason codes associated with it. On the EU side, the GDPR Article 22 applies where solely automated outcomes affect natural persons, meaning the principals associated with businesses that are placed on MATCH and that the EU AI Act classifies credit-adjacent scoring of such persons as high-risk, triggering risk-management, data-governance, human oversight, and Fundamental Rights Impact Assessment duties. I further analyze reason code 10 (violation of standards) as a broad enforcement mechanism exemplifying private administrative power.
Moreover, I include all the reason codes of MATCH placements based on Mastercard’s Rulebook, highlighting where AI is most determinative. I also provide a governance good practices guide that aligns with Article 22's “meaningful human review”, AI-Act obligations, and recommendations for AI auditing in payments, integrating accountability and transparent remedies. Finally, I explain a practical right to algorithmic justice, which includes the need for non-discrimination, transparency, contestability, accuracy, and effective redress as a unifying right for underwriting systems that can culminate in MATCH listings.
File