News, Vision & Voice for the Advisory Community


The odd case of Envestnet/Yodlee getting singled out as data scofflaw, just four days after Visa deal to buy rival Plaid and nine months after Raj Udeshi's 'Theranos' outcry

Three Capitol Hill Democrats urged the Federal Trade Commission to probe the small firm -- and nobody else -- with little explanation of where its practices allegedly diverge from the norm

Monday, January 27, 2020 – 7:29 PM by Keith Girard
no description available
Sen. Ron Wyden: 'The consumer data that Envestnet collects and sells is highly sensitive.'

Envestnet's rise to become the nation's largest consumer financial data aggregator has pushed it to the front lines in a growing war over data privacy.

But more may be at stake than consumer rights. 

Three Capitol Hill lawmakers fired the latest salvo, demanding a federal investigation of Envestnet's data practices in a Jan. 17 letter-- four days after Visa bought smaller, San Francisco fintech rival Plaid. See: Visa gambles $5.3 billion that Plaid will pay Big Data dividends while big-footing Envestnet-Yodlee and beating back fintech banking competitors

Sherrod Brown
Sen. Sherrod Brown has been out front on data privacy, including filing legislation. 

"I feel like the push back against data aggregators in the US really comes not from consumers, but large banks like Chase that don't want some Fintech using a crowbar to get into its customer information," says Lex Sokolin, financial technology analyst and the co-founder of robo AdvisorEngine.

"And, the lobbying groups representing small community banks oppose things like Fintech charters due to the competitive threat," he adds.

Investors were definitely spooked. The same day the letter was released, Envestnet (ENV) stock tumbled 6% to $70.59 from $74.81. The stock dipped as low as $69.87 before rebounding.  In contrast, Visa (V) closed up 1.3% at $204.70 and peaked Jan. 22 at  $207.90. 

Envestnet closed today (Jan. 24) at $72.41.

Consumers burdened

The letter, signed by Sens. Ron Wyden (D-Ore), Sherrod Brown (D-Ohio) and Rep. Anna G. Eshoo (D-Calif.), was particularly harsh on the data aggregator. 

Jud Bergman
Jud Bergman held that identifying individuals in information used by third parties 'should never occur' without permission.

"Envestnet does not inform consumers that  it is collecting and selling their personal financial data," it flatly stated. "Instead, Envestnet only asks its partners, such as banks, to disclose this information to consumers in their terms and conditions or privacy policy." 

The lawmakers charged that Envestnet apparently doesn't take any steps to make sure consumers are provided with the information by its customers. 

"And even if they did, Envestnet should not put the burden on consumers to locate notice buried in small print... and  the find a way to opt out--if that is even possible--in order to protect their privacy."

The letter "urged" the Federal Trade Commission (FTC) to determine whether the company's sale of "sensitive financial transaction data from tens of millions of Americans violates the FTC Act."   

It's unknown whether consumer angst or some other reason percolated up to Capitol Hill and prompted the FTC complaint. The federal agency would only confirm it received the letter. It does not comment on investigations. 

RIABiz sought out the complaining politicians to answer questions -- especially about what catalyst sparked the complaint. Neither Sherrod's nor Eshoo's office responded to an email request for comment; Wyden's press spokesman only forwarded a copy of the press release.

There is a chance that Envestnet-Yodlee is being used as a legislative vehicle more than a scapegoat, says Brian Murphy, founder and CEO Kivalia who saw Zach Perret, CEO of Plaid, speak at a fintech meet-up in the city last week.

"My guess,is that the congressmen who initiated this effort need a way to get the topic of data ownership/protection onto the agenda - and Yodlee, being the largest stand-alone aggregator, serves their purposes well," he says from Los Altos, Calif. 

"It's likely the goal is to better flesh out rules of the road for financial data, and perhaps set standards - both would be welcomed by any serious fintech players. From what I've seen to date, Yodlee takes data protection quite seriously, so I suspect this is more of an effort to get the players to the table in a preventative way."

Follow the money

Wyden's advocacy on behalf of consumers may seem a little odd, given securities and investment companies have been leading campaign contributors during his Senate career.

The industry has donated $2.2 million since he was first elected in 1989, according to OpenSecrets, an arm of the Center for Responsive Politics. 

Anna Eshoo
Rep. Anna Eshoo represents California's 18th congressional district, which encompasses much of Silicon Valley.

In the current 2020 election cycle, the industry has donated more than $843,000, leading all other industry segments. Real estate ($685,000), insurance companies ($613,000) and law firms/lawyers ($595,000) follow. 

Wells Fargo (34,079), Cigna Corp. ($31,876), BlackRock Inc. ($31,876), Citigroup ($31,750) and Huntsman Corp. ($31,600) are his largest 2020-cycle financial service company contributors. 

Alphabet Inc. (Google) and Intel Corp. have been his most generous tech company contributors, donating $62,915 and $86,591 respectively. 

Brown's top campaign contributors have been lawyers and law firms, according to OpenSecrets. Collectively, they've ponied up $5.5 million since his first election in 1991. Financial services donations total about $1.56 million. 

Jones Day, the nation's fifth largest law firm, is his largest donor during the 2020 election cycle with $80,000 in contributions. The firm lobbies exclusively on behalf of Chinese tech giant  Huawei Technologies.

Brown's legislative efforts have mainly focused on education and health care.

Eshoo's District 18 on the outskirts of San Francisco, encompasses a large portion of Silicon Valley. As such, she's pulled donations from the likes of Stanford University ($178,587), Cisco Systems ($160,650), Kleiner, Perkins et al ($140,000), Johnson & Johnson ($139,400), Roche Holdings ($134,454) and Oracle Corp. ($122,450).

Google Inc., and the National Venture Capital Association have contributed $97,850 snf $92,500 respectively. 

It's unlikely any of the lawmakers are carrying water for Visa Inc. The financial giant hasn't contributed to their campaigns. But it spent $2.44 million on lobbying in 2019, using an army of 41 lobbyists, of whom 31 were former government officials. 

In contrast, Envestnet spent $410,000 on Washington lobbying in 2019, through its Yodlee subsidiary. Its efforts were focused on data protection and privacy issues. Envestnet does not make direct contributions to any candidates.

Nefarious purposes

For its part, Envestnet said in response that it "never sells data that identifies consumers" or "offer raw data that includes personally identifiable transaction information."

Bill Crager
Bill Crager: 'Envestnet doesn’t sell individual client data, Period. Full stop.'

The company says it has built-in privacy protection in "our enabling technology, business processes and operational procedures," according to the statement . 

"Additionally, we employ proprietary and third-party technical controls, such as encryption, to protect data while it resides on our systems, and further ensure protection of consumer anonymity.

"For support of data analytics and insights, we employ systems that monitor and remove all known identifiers from data elements that are collected."

But Raj Udeshi, CEO and co-founder of HiddenLevers and a critic of the Envestnet's data practices, suggested otherwise in a testy exchange at the Tiburon CEO Summit last April. See: Raj Udeshi invokes 'Theranos' fraud in testy exchanges over data collection with Envestnet's Bill Crager and Jud Bergman at Tiburon CEO Summit

Udeshi charged that the data industry in general, was "having its Theranos moment." And, in a slap at Envestnet, he suggested the company sale of personal information might be crossing the line.  

Envestnet's No. 2 executive Bill Crager, who was on the panel with Udeshi, issued a strong response afterward. 

“Envestnet doesn’t sell individual client data, Period. Full stop. To suggest otherwise is false and irresponsible,” it stated.

Udeshi did not respond to a request for comment on this story. 

Benefits, risks

The late Envestnet CEO, Jud Bergman, personally addressed the issue last August in a Bloomberg column. 

"Data security has always been embedded in our business. As more data becomes digitally available, the risk of it being stolen and put to work for nefarious purposes rises as well," he wrote.

But the benefits far outweigh the risks, he continued. 

"Financial advisers need a single source for financial information that would otherwise be spread across numerous accounts and paper statements. It helps advisers work with their clients to address the reality of their financial situations and find solutions that best meet their financial objectives."

At the time, he acknowledged that consumers had to be provided with "clear notice" how their personal information is being shared. Identifying individuals in information used by third parties "should never occur, unless there is clear disclosure and a straightforward ability for consumers to opt out."

Joel Bruckenstein, founder of the popular T3 conference, says he's at a loss over how Envestnet's data practices differ from the industry at large. 

"I really think there may be some misunderstanding about how their policies differ from others. I'd like more clarity on this myself," he says. 

Data breaches

Evestnet's latest problem, which comes on top other setbacks, including Bergman's Oct. 4 death, is part of a broader controversy over data privacy. It's been simmering for years, but recently began heating up. 

Raj Udeshi
Raj Udeshi challenged Envestnet over its data practices at a Tiburon Summit. 

Much of the public debate has been fueled by massive data breaches at companies like Yahoo!, First American Financial Group, Facebook and Marriott. In 2019, hackers exploited data at video game Fortnight, financial services firm BlackRock Inc., mortgage bank Ascension and Dow Jones among others. 

Some of the biggest developments have occurred overseas. The European Union in 2016 adopted its broad "General Data Protection Regulation." It sets strict guidelines for collecting information from "data subjects" and imposes stiff penalties for violators. It went into effect in May last year. 

The FTC, which oversees the data collection industry, also began cracking down. Last year, it impose hefty fines and penalties relating to the Equifax and Facebook data leaks, according to IdentityForce, which tracks data security. 

Envestnet jumped into the data game in Aug. 2015 when it paid $660 million for Yodlee (YDLE), then a leading cloud-based digital financial platform. At the time, Yodlee served more than 20 million paid users and over 850 financial institutions and financial technology firms. See: Envestnet buys Yodlee and its treasure trove of 'permissioned' data by selling its vision of the future of financial advice

Yodlee's specialty is "predictive analytics."  Advisers use the data to determine when to approach a client about mortgages, tax services, insurance products, credit cards and other lucrative opportunities.

Yodlee is especially good at tracking consumer debt and data relating to investments that may tell much about consumers wants and needs. See: A long-form explanation of why -- Wall Street be damned -- Envestnet's purchase of Yodlee might make sense

The FTC letter alleges Yodlee data yields much more than that. 

"Consumers' credit and debit card transactions can reveal information about their health, sexuality, religion, political views and many other personal details," the lawmakers charged. "Consumers, generally, have no idea of the risks to their privacy that Envestnet is imposing on them."

About 60% of payments in the United States are made using credit cards and mobile payments are expected to top $1 billion in the United States, according to the Federal Reserve. 

A recent study found that it was possible to determine the identity of an individual from so-called "anonymized" credit card data 90% of the time through simple extrapolation, according to Science magazine

Rise and fall 

Evestnet's profile outside the financial industry began rising in step the data industry's explosive growth. In the five years ending in 2017, Envestnet's revenues galloped by 34.2% annually. It's free cash flow rose by a 30.6% annual rate during the same time, according to Morningstar. 

Joel Bruckenstein
Joel Bruckenstein: 'I really think there may be some misunderstanding about how their policies differ from others.'

By the third quarter 2019, more than 100,000 advisors and more than 4,700 companies including 16 of the 20 largest U.S. banks, 43 of the 50 largest wealth management and brokerage firms, more than 500 of the largest RIAs and hundreds of internet services companies, leveraged Envestnet technology and services, according to the company.

Hundreds of apps, offering everything from savings suggestions and budgeting tools to online payments, typically connect to customers’ bank accounts through Yodlee and other aggregators.

“Yodlee can tell you down to the day how much the water bill was across 25,000 citizens of San Francisco, or the daily spending at McDonald’s throughout the country," Yodlee’s former chief product officer, Peter Hazlehurst, told the Wall Street Journal in a 2015 interview. 

Hedge funds became big users of Yodlee data in an effort to get an edge on the market. Two funds, Point72 Asset Management and Tiger Global Management paid more than $2 million each for annual subscriptions, the Journal reported. 

The media began reporting on the company in the same breath as Visa, MasterCard and American Express, traditionally, the largest sellers of financial data.  

At the same time, data aggregation competitors like Plaid and Quovo, sprouted in Silicon Valley. See: Plaid, valued at $2.65 billion, makes $200-million snack of Quovo -- albeit defensively -- and creates Yodlee super-foe

In fact, Visa’s acquisition of aggregator Plaid comes at a critical time for aggregators and the financial services companies from which they collect data, according to The Financial Times.  

Plaid's client list — Venmo, Crédit Karma, Goldman Sachs [Marcus], Lending Club-- are massive user-footprint businesses, and payments and lending in particular have been much more dynamic than wealth management,"Lex Sokolin, an analyst and global fintech co-head at ConsenSys, told RIAbiz in a separate story. 


The spate of widely publicized data breaches focused media attention on data aggregators and sparked a media/consumer backlash. At issue is how companies are using data and whether they meet consumer expectations about privacy, according to a 2019 survey by RSA.com, a digital risk management company.  

"Users are well-aware that technology’s tracking of their behavior has been more pervasive than they assumed, and that their personal data has been shared with third (and sometimes fourth) parties in ways that feel violating," according to one of the findings. 

"So it’s no surprise that individuals are increasingly cynical about companies’ data protection claims, promises, and policies."

 Wyden, who appears to have taken the lead on the complaint, has been focused on privacy issues for at least the past several months. 

Last October, he introduced the "Mind Your Own Business Act," which proposes the "most comprehensive protections for Americans’ private data ever introduced, and goes further than Europe’s General Data Protection Regulation," according to a statement. 

The same month, Wyden and Sen. Elizabeth Warren, (D-Mass.) urged the FTC to investigate Amazon’s failure to secure servers it rented to Capital One. The bank was hacked in July and personal data involving 100 million Americans was stolen. 

In another major run at the issue, Wyden also sponsored a bill to amend the Federal Trade Commission Act to beef up requirements to protect consumer privacy for entities that use, store, or share personal information. 

Existential threat

Given the makeup of the FTC, headed by Trump administration appointee, Joseph J. Simons, it's an open question whether the agency will pursue the Democratic lawmakers' request for an investigation. 

But the agency is examining changes to its Safeguards Rule, which requires financial institutions to develop, implement, and maintain a comprehensive information security program.

And, it's also looking at the Privacy Rule, which requires a financial institution to inform customers about its information-sharing practices and allow customers to opt out of having their information shared with certain third parties.

All of the aggregators face the existential threat that big banks will freeze them out -- or that laws will get passed that change the economics of gathering and selling the data.

Last May, Bergman acknowledged his firm was also playing catch-up in both the quality and quantity of data beneficial to financial advisors -- and accessible to software developers.

The company was struggling with the purity of its data from uncooperative custodians. Some banks and brokerages don't provide direct feeds, requiring screen-scraping, an out-of-date technology that lacks granularity. 

"There is tremendous appetite for this data. We have a very good challenge in that some of this is readily available and is disseminated to the clients of Envestnet and Yodlee on the platform side--so it comes with the platform," the CEO said at the time. 

But it's clear, Envestnet will have to up its game if it hopes to weather the technical and regulatory challenges that lay ahead. 


Related Moves

Envestnet just named an ESG head to meld 'wellness,' 'The Intelligent Financial Life' and 'sustainable investing' into a single nirvana -- that starts outside of the product realm

Ron Ransom earned CEO Bill Crager's trust as chief business development officer and now will define how Envestnet conducts itself as a global citizen and vendor of wellness.

July 27, 2022 – 2:27 AM

Envestnet and Edmond Walters end odd couple 'Apprise' relationship with buyout, but leave open the door to jointly pursue RIA-to-entrepreneur dashboard... later

The MoneyGuidePro owner and eMoney founder execute clean break with Apprise IP rebranded as 'Wealth Studio.' Walters off to the races with a startup and vague promise to collaborate later.

April 6, 2021 – 12:50 AM

Envestnet turns to former FIS executive -- and replaces a CTO -- to help shape up the firm's disparate offerings into a unified whole around the concept of 'wellness'

The Chicago outsourcer gets Donna Peeples to harmonize products and marketing to move beyond the 'TAMP' label as Orion contends for market share with Brinker added.

November 10, 2020 – 2:45 AM

Envestnet nabs Dani Fava to cross-pollinate semi-autonomous units and reap 'financial wellness' as the end product

The Chicago outsourcer has a massive, partially disconnected arsenal of products that CEO Bill Crager is rationalizing into 'wellness' with yet another new unit.

July 23, 2020 – 1:42 AM

See more related moves

Mentioned in this article:

Envestnet Inc
Top Executive: Jud Bergman

Bill Winterberg

Bill Winterberg

January 28, 2020 — 2:22 PM
In 2016, Intuit was the number one contributor to FTC letter co-author Anna Eshoo's campaign, with $35,225 (plus $8,100 in 2020 and $8,200 in 2018). Would this potentially influence any calls for investigations against companies that could be viewed as Intuit competitors, such as Envestnet Yodlee? In addition, Eshoo announced in January 2019 that Asad Ramzanali, a former Intuit executive, would serve as her new senior technology policy advisor. Why was Intuit excluded from the stated concerns over consumer financial data privacy disclosures in the letter to the FTC? <a href="https://twitter.com/BillWinterberg/status/1218243689157361664?s=20">https://twitter.com/BillWinterberg/status/1218243689157361664?s=20</a>
Jeff Spears

Jeff Spears

January 28, 2020 — 11:05 AM
Seems like we have fought this battle with banks and MyCFO before. Not sure who won but I feel the consumer didn’t. My experience with regulators is the are focused on the issue but don’t have any definitive guidelines.
Pete Giza

Pete Giza

January 28, 2020 — 3:29 PM
This is especially ridiculous considering the breaches and subsequent loss of privacy, identity and material losses that one can only speculate associated with credit agencies like Experian et. al.

RIABiz Directory

The Industry Sourcebook for RIAs

   |    LISTING

RIABiz Directory sponsored by:

Directory Sponsor Logo