Lawsuit against Plaid heightens focus on data privacy issues
Two California men have sued the data aggregator Plaid over alleged data privacy violations in a case that could have implications for firms that gather consumers' bank account data and feed it to fintechs.
According to the complaint, the two plaintiffs — James Cottle in 2019 and Frederick Schoeneman in 2016 — separately signed up for Venmo to send and receive payments. In three of their accusations, they assert that Plaid obtained their banking credentials in a misleading way, accesses more bank account information than it needs for its current business model, and may ultimately look to sell their data to others.
Plaid denies the allegations, but the case comes at an awkward time for the company, which is being sold to Visa. If U.S. and U.K. regulators approve the acquisition, Plaid's legal woes could become Visa's. The lawsuit was filed in May, but it has not been widely reported and has not yet been brought to court.
A review of some of the points of the class-action suit shines a light on data aggregator practices that some critics, including banks, have found objectionable for years. It also points to the kinds of data privacy issues financial companies will increasingly struggle with as new state data privacy laws and Europe’s General Data Protection Regulation are enforced.
Both plaintiffs say they later learned that Plaid collected their private bank login credentials; accessed, downloaded, transferred, stored, enriched, and analyzed their private banking information and data; sold their private banking information to Venmo; and monetized their private banking data by performing analytics on it and using it to develop value-added products for Plaid’s customers. They say they did not consent to these activities. Cottle says his child's bank account was also accessed by Plaid repeatedly and without authorization.
Plaid says all the allegations in the suit are false.
"The lawsuit filed against Plaid is baseless and Plaid will vigorously defend itself,” a spokesperson said. “Plaid does not sell and has never sold consumers’ personal information or data. Consumer data is obtained and used with consumer consent. Plaid believes strongly that consumers should have permission-based access to and control over their financial data, and embodies these principles in its practices."
Plaid’s basic business model is delivering consumers’ bank account data to its 3,000 fintech clients, including Venmo, Coinbase, Square and Stripe, which need that data for their applications to work. (Banks also sometimes use Plaid for certain tasks where they need account information from other banks or fintechs, for instance, for authentication, data validation and lending decisions.)
But how much data Plaid siphons out of banks, how long it keeps that information and how it uses that data internally are harder to pin down.
Plaid takes multiple routes to obtaining consumers' bank account data.
Plaid has direct relationships with some banks, including Wells Fargo and JPMorgan Chase, through which it draws customer account data directly through application programming interfaces.
Where Plaid does not have an API set up with a bank, it typically logs in to the bank’s online banking program on the consumer’s behalf, using the consumer’s username and password, and screen-scrapes the information. To get the username and password, Plaid typically presents consumers with a screen that looks like their bank’s mobile or online banking login page, complete with a realistic-looking bank logo.
PNC vigorously complained about this use of its logo in December.
“When you get into some of those apps, you will find that all of the banking logos are out there, including the PNC logo,” said Karen Larrimer, executive vice president, head of retail banking and chief customer officer of PNC Financial Services Group, in an interview in December. (PNC and other banks declined to comment on the lawsuit.) “When a consumer clicks on that, that is not PNC.”
PNC has never given Plaid permission to use its logo, “nor do we believe that a consumer understands that it's not PNC’s website they're hitting,” she said.
The Cottle lawsuit states, “Plaid induces consumers to hand over their private bank login credentials to Plaid by making it appear those credentials are being communicated directly to consumers’ banks.”
The plaintiffs’ attorneys allege Plaid spoofs banks' websites to make customers think they are interacting directly with their bank, to get more people to cooperate.
“It's not full disclosure,” said Shawn Kennedy, partner at Herrera Purdy LLP. “It affirmatively misleads. It leaves out pertinent facts about things such as who Plaid is, what it does, the fact that it's a third party.”
The page that appears to be the bank’s own website or mobile app does not mention Plaid, Kennedy noted.
“In their own internal statements about why they're using the design of these bank websites, they say it’s to increase customer conversion,” he said. “The idea is that if the customer comes on and is asked to give up a very sensitive thing, like their bank login credentials, they will be less likely to do that if you don't deceive them into thinking that it's actually being given directly to the bank.”
Pam Dixon, executive director of the World Privacy Forum, said when she signed up for Coinbase, the cryptocurrency exchange and wallet provider, she was presented with screens that looked like an official authorization to her bank. She thought she was using an authorization standard called OAuth that some banks, including Bank of America, JPMorgan and Wells Fargo, use to authorize apps to use account data. In an OAuth scenario, consumers are redirected from a webpage or app directly to their banks. They log in to the bank’s webpage or app, and then are redirected back to the original page. Behind the scenes, the bank returns a token that allows the original app to access the consumer’s bank information as authorized by the consumer, but without giving the app provider access to the login information.
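The OAuth redirect flow described above, set beside handing over a password, as an added Python example that is not from the article or from any bank or aggregator. The `Bank` class, the `payapp` client, the per-account scopes and the sample data are assumptions made for illustration; a production flow would also authenticate the client and use `state` and PKCE.

```python
import hmac
import secrets

class Bank:
    """Toy bank: OAuth authorization server plus account API (constructed data)."""
    def __init__(self):
        self._passwords = {"alice": "correct horse"}
        self._accounts = {"alice": {"checking": [12.5, -40.0],
                                    "savings": [900.0], "child": [25.0]}}
        self._clients = {"payapp": "https://payapp.example/callback"}
        self._codes = {}   # one-time code -> (user, client_id, scope)
        self._tokens = {}  # access token -> (user, scope)

    def _login(self, user, password):
        stored = self._passwords.get(user)
        if stored is None or not hmac.compare_digest(stored.encode(),
                                                     password.encode()):
            raise PermissionError("bad credentials")

    def authorize(self, user, password, client_id, redirect_uri, scope):
        """Bank-hosted login page: the only place the password is typed."""
        if self._clients.get(client_id) != redirect_uri:
            raise PermissionError("unregistered client or redirect URI")
        self._login(user, password)
        code = secrets.token_urlsafe(16)
        self._codes[code] = (user, client_id, frozenset(scope))
        return code  # travels back to the app in the redirect

    def exchange(self, code, client_id):
        """App's back-channel call: swap the single-use code for a token."""
        user, issued_to, scope = self._codes.pop(code)  # pop: no replay
        if issued_to != client_id:
            raise PermissionError("code was issued to another client")
        token = secrets.token_urlsafe(24)
        self._tokens[token] = (user, scope)
        return token

    def read_with_token(self, token, account):
        user, scope = self._tokens[token]  # KeyError once revoked
        if account not in scope:
            raise PermissionError("account outside the consented scope")
        return self._accounts[user][account]

    def read_with_password(self, user, password):
        """Credential sharing: the holder sees everything the login sees."""
        self._login(user, password)
        return dict(self._accounts[user])

    def revoke(self, token):
        """Consumer withdraws consent without changing the password."""
        self._tokens.pop(token, None)
```

In this model the app only ever handles the code and the token, so consent can be limited to one account and withdrawn with `revoke`, whereas a shared password can only be withdrawn by changing it.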
"OAuth is a well-known, well-established best practices standard, and it's the way you're supposed to do these things," Dixon said. "And they created an entirely fake one. I went through those screens and my perception of that was that it was OAuth because it was meant to look just like OAuth. I do think that there is a very serious argument that that was not a transparent use of screens for the consumer. There have to be clear, vibrant, in-your-face disclosures to consumers before authorization.”
Plaid says it does not use the OAuth standard because not all banks support it.
“OAuth is just one form of authorization, one that requires an interaction and exchange between a data intermediary and a bank,” a spokesperson said. “That means banks need to invest in the infrastructure to manage OAuth endpoints and the data resources behind them. Only a handful of banks in the U.S. have as of yet stood up these services, and OAuth hasn't yet reached scale in financial services.”
They also say the visual representation of bank sites is done strictly to guide people through the process.
“It’s like when I pay my bills online,” said Alexander H. Southwell, partner at Gibson Dunn. “If it's a credit card, I’ll see the logo for the credit card company. It helps me to understand visually, and quickly, what I'm doing. In internet navigation, particularly with smartphones, there are a lot of visual aids like this.”
Taking too much data
The lawsuit accuses Plaid of taking more data than it needs to.
“For each consumer, Plaid downloads years’ worth of transaction history for every single account they have connected to that bank (such as checking, savings, credit card, and brokerage accounts), regardless of whether the data in any of the accounts bears any relationship to the app for which the consumer signed up,” the lawsuit alleges. “Thus, a consumer who makes a single mobile payment on an app from a checking account unwittingly gives Plaid years’ worth of private, granular financial information from every account the consumer maintains with the bank, including accounts maintained for others such as relatives and children.”
The suit states that Plaid can analyze this data to create new products, unbeknownst to consumers.
Plaid’s attorney said this is not true.
Plaid does not gather data from every account the consumer maintains at the bank, including those of the consumer’s relatives, Southwell said. Plaid only collects data for accounts accessible through the user’s login.
“We're only collecting data for the specific purpose of the product that we're providing and with the consumer’s consent,” he said.
Banks and some consumer advocates have complained for years that data aggregators take too much data, and continue to access data long after the consumer has stopped using the app for which the data is being aggregated.
At a recent Consumer Financial Protection Bureau forum on data sharing, Lila Fakhraie, senior vice president of digital banking APIs at Wells Fargo, compared data aggregators’ screen scraping to “giving your house key to a house painter and saying, 'Just go in my bedroom and paint that one wall. That's all I want.' And then the house painter has your key forever and they come and go as they please and they look at things and take things if they want.”
The most serious accusation the lawsuit makes is that Plaid sells consumers’ data to others without their knowledge and that it performs data analytics on this information, also without consumers’ knowledge or consent, and uses the information to create new products it can sell.
Plaid says it does not sell or rent the data it collects.
“The allegation that Plaid collects vast amounts of data and then monetizes it is categorically untrue,” Southwell said.
Plaid says it makes money by charging its developer customers a fee when an end user connects financial accounts through Plaid APIs to the developer customer’s app.
Dixon says these and other questions around data sharing, which apply to most data aggregators, are crucial not only because of increasingly strict regulations like GDPR, but also because if consumers’ data isn’t handled carefully, they could end up with suboptimal or even predatory products.
“It's really important to understand that we can't think we can control data,” Dixon said. “We can't. It's so complex now, and there's so much there. But what we can do is we can put loads of guardrails around procedures, administrative protocols, technical protocols and standards.”