diff --git a/app/notify_client/user_api_client.py b/app/notify_client/user_api_client.py
index 1e5468505..3457274ae 100644
--- a/app/notify_client/user_api_client.py
+++ b/app/notify_client/user_api_client.py
@@ -3,6 +3,12 @@ from notifications_python_client.errors import HTTPError
 
 from app.notify_client.models import User
 
+ALLOWED_ATTRIBUTES = {
+    'name',
+    'email_address',
+    'mobile_number'
+}
+
 
 class UserApiClient(BaseAPIClient):
     def __init__(self):
@@ -47,9 +53,22 @@ class UserApiClient(BaseAPIClient):
             users.append(User(user, max_failed_login_count=self.max_failed_login_count))
         return users
 
-    def update_user(self, user_id, **kwargs):
+    def update_user(self, user):
+        data = user.serialize()
+        url = "/user/{}".format(user.id)
+        user_data = self.put(url, data=data)
+        return User(user_data['data'], max_failed_login_count=self.max_failed_login_count)
+
+    def update_user_attribute(self, user_id, **kwargs):
+        data = dict(kwargs)
+        disallowed_attributes = set(data.keys()) - ALLOWED_ATTRIBUTES
+        if disallowed_attributes:
+            raise TypeError('Not allowed to update user attributes: {}'.format(
+                ", ".join(disallowed_attributes)
+            ))
+
         data = dict(**kwargs)
-        url = "/user/{}".format(user_id)
+        url = "/user/{}/update-attribute".format(user_id)
         user_data = self.put(url, data=data)
         return User(user_data['data'], max_failed_login_count=self.max_failed_login_count)
 
diff --git a/tests/app/notify_client/test_user_client.py b/tests/app/notify_client/test_user_client.py
index 433a36952..9062ba8bd 100644
--- a/tests/app/notify_client/test_user_client.py
+++ b/tests/app/notify_client/test_user_client.py
@@ -1,3 +1,5 @@
+import pytest
+
 from app.notify_client.user_api_client import UserApiClient
 
 
@@ -13,3 +15,10 @@ def test_client_uses_correct_find_by_email(mocker, api_user_active):
     client.get_user_by_email(api_user_active.email_address)
 
     mock_get.assert_called_once_with(expected_url, params=expected_params)
+
+
+def test_client_only_updates_allowed_attributes(mocker):
+    mocker.patch('app.notify_client.current_user', id='1')
+    with pytest.raises(TypeError) as error:
+        UserApiClient().update_user_attribute('user_id', id='1')
+    assert str(error.value) == 'Not allowed to update user attributes: id'