'Fraud' lawsuit slams Plaid on eve of historic $5.3-billion payday; some experts say it's a 'fishing expedition,' but plaintiff's lawyers say, 'This is no shakedown' -- Second suit follows in July
It's been six months since Visa agreed to a wild valuation for the seven-year-old Yodlee competitor that caused wealth fintechs to retain investment bankers left and right. Now Plaid faces two class action suits.
Brooke's Note: It's amazing how $5 billion galvanizes people's attention -- especially when such immense valuation baffles experts. A San Francisco-based startup with modest revenues, fewer than 500 employees and $309 billion of VC backing is set to be scooped up this month for a price tag that exceeds even the larger IPOs in the RIA universe. Even today, Envestnet's market cap is about $4 billion and LPL's about $6.7 billion. In the aftermath of the June 13 Visa acquisition, Yodlee, Brinker and Orion tested the market, according to Barron's. The bad news that may keep the champagne on ice for Plaid owners is a pending class action. Lawyers have maximum leverage before a big deal. The teams of attorneys also have incentive to really do their homework. So if this suit turns out to be a "fishing expedition," as some experts claim, it may be the one with teeth because it sure has a thorough quality to it. The suit also has timely threads to yank because the political will to determine what is kosher when it comes to data collection is on the rise -- something we assumed until now was merely a Yodlee issue in the RIA world. See: The odd case of Envestnet/Yodlee getting singled out as data scofflaw, just four days after Visa deal to buy rival Plaid and nine months after Raj Udeshi's 'Theranos' outcry.
Update: On July 17, Plaid was hit with a second similar lawsuit, from four fresh plaintiffs in the US District Court for the Northern District of California. Plaid denies the fresh allegations, and states the "copycat lawsuit is baseless."
As Plaid nears the date when it banks a $5.3 billion check from Visa, it may face a final hurdle from a class action alleging its value proposition depends on a "massive invasion" of the privacy of over 200 million bank and brokerage accounts.
Filed on May 5, the suit alleges that San Francisco-based Plaid spoofs bank and investment firm logins to finagle a vast "trove" of "wrongfully obtained" data that it resells as "consumer behavioral insights." Plaid is also alleged to have failed to disclose its process.
The suit is a potentially major blow to the company just six months after its sale to Visa effectively reset valuation expectations for wealth technology deals.
Visa agreed in early January to pay 25- to 50-times revenues -- a price many industry observers attribute to a bet that a growing market exists for aggregated data that can fine-tune marketing and other services. See: Visa gambles $5.3 billion that Plaid will pay Big Data dividends.
In Visa's case, it also serves as a hedge, if the Venmos of the world were to supplant plastic credit cards.
On July 17, one month after this article was published, a second class action suit -- along similar lines -- was filed against Plaid by four fresh plaintiffs.
Lodged in the US District Court for the Northern District of California, the second suit alleges Plaid "exploits ... ill-gotten information ... and wrongfully intruded upon [US citizens'] private financial affairs."
Plaid dismissed these allegations, as well as those of the first suit, and labelled the second a "baseless" "copycat."
FTC Bulls Eye
But it should come as no surprise that both lawsuits zero in on a hot button issue in the financial services industry.
The Federal Trade Commission (FTC) brought nine data security enforcement actions last year. The actions targeted companies with direct consumer relationships and service providers like Plaid, which will continue to be an area of FTC interest, according to the agency.
Earlier this year, three Capitol Hill Democrats urged the FTC to probe Envestnet data subsidiary Yodlee over its data collection practices. The move came just four days after Visa bought Plaid.
Yodlee has been the subject of an FTC probe since Jan. 17.
Analysts suggested it was the direct result of industry lobbying to prevent aggregators from monetizing their data. See: Envestnet cautions about Yodlee subscription 'headwinds' and the FTC asking more Yodlee-data questions as the company recorded a blowout revenue quarter
Indeed, this mix of politics and hard dollars may be at the root of the suits against Plaid, says Lex Sokolin, a global co-head for financial technology at New York-based software firm ConsenSys, via email.
"Perhaps Visa is seen as a deep pocketed entity, and suing [it] to achieve a settlement based on a politically charged topic is what this is about." See: The odd case of Envestnet/Yodlee getting singled out as data scofflaw, just four days after Visa deal to buy rival Plaid and nine months after Raj Udeshi's 'Theranos' outcry.
Banks and broker-dealers have also been working to restrict the level of access aggregators have to client data by offering direct and up-to-date feeds in return for the end of the practice of screen-scraping, whereby aggregators use client passwords to directly 'scrape' client data into an in-house database.
Push-back
Should the courts rule against Plaid, it could be sent scrambling, Sokolin adds.
"If Plaid is actually downloading and saving financial data without permission, and in breach of consumers' rights, then it would need to reengineer the product and go on an apology tour ... and regulators may be punitive."
The desire for someone to take action against the aggregators is certainly rising, says Bill Singer, attorney and writer of the Broke and Broker blog, via email. See: Tired of having their screens scraped, Schwab and Fidelity launch API initiatives to curtail the practice.
"We may be heading into a new era of push-back from ... governments."
The suits could also dash Plaid's reputation as the halo-wearing version of Envestnet's Yodlee. Until now, Plaid has been known first and foremost for its technology and its bumper valuation.
The class action against Plaid could also lead to federal scrutiny.
Shakedown?
For all that, the first class action may just be an opportunistic nuisance lawsuit, says Ari Sonneberg, partner and chief marketing officer at Boston-based Wagner Law Group, via email.
"The suit smells like a shakedown for several reasons, not the least of which is timing."
"This [second suit] looks like more of the same. The sharks smell blood in the water and begin to circle, even when the blood is from fishermen chumming the water," he added, on July 29.
For its part, Plaid isn't conceding anything.
"We are vigorously defending ourselves against the lawsuit and reject its baseless claims," said company spokeswoman Natalie Giannangeli of the first suit, via email.
Plaid also categorically rejects all allegations made in the second, says a Plaid spokesperson quoted in several publications.
"This copycat lawsuit is baseless and Plaid will vigorously defend itself ... Plaid does not sell or rent consumers' personal information and personal information is only obtained with consent."
Visa's acquisition of 2013-founded Plaid was expected to close at some point between mid-March and mid-June, meaning the case against Plaid comes as its sale reaches the outer periphery of the agreed-upon calendar.
Legal sources note, however, that the sale could be delayed until the end of the year.
In it to win it
"Unequivocally, this [suit] is no shakedown," says Shawn Kennedy, a partner at Oakland and Newport Beach, Calif., law firm Herrera Purdy. "We did our homework on Plaid."
Herrera Purdy lodged the first suit against Plaid, and is supported by two other law firms, San Francisco's Lieff Cabraser Heimann & Bernstein and Dallas-based Burns Charest.
The latter two firms have not responded to a request for comment, nor has Visa. Plaid's legal team, headed by the white-shoe law firm Gibson Dunn & Crutcher in Los Angeles, did not provide comment by the time the article was published.
The second suit was filed by the Los Angeles, Calif.-based Tostrud Law Group, and New York-based Glancy, Prongay, and Murray.
Both Brian Murray, a partner at Glancy, Prongay and Murray, and Jon Tostrud, founder of the Tostrud Law Group, have yet to respond to a request for comment sent on July 29.
RIABiz asked both attorneys what they made of their suit being labelled a copycat, and what they feel differentiates it from the initial suit filed by Herrera Purdy.
For now it's hard to tell whether there's meat on the legal bone, says Sonneberg.
"Ultimately, the plaintiffs will have to show Plaid deliberately collected unnecessary information and either used, or planned to use that information in an impermissible fashion."
The allure for Visa
The first is a zinger of a suit, no doubt about it, Singer says.
"Firms [like] Plaid are not merely in the business of facilitating interactions between consumers and financial institutions but in harvesting all sorts of consumer data and monetizing that stream."
Roughly 2,600 financial applications use Plaid to connect with consumer accounts at 11,000 firms, and about one in four people in the US have a Plaid-linked account, according to a release.
The firm uses these connections to garner data on approximately 3,700 transactions per consumer, according to the first suit.
This advantageous Plaid positioning between data producers and data users makes Visa happy to pay up, says Kennedy.
"They entrench their market position by saying to the Venmos of the world: 'We know your clients. We know these people and we can give you the value added product that gives you insight into it. You have to buy that from us because you can't get it anywhere else.'"
But Plaid's offices are hardly some Ernst Blofeld-styled lair of illegal data-gathering, according to Sokolin. "It's more likely they get paid primarily for authentication and aggregation, not [for] some mysterious global financial database."
Gone Fishin'
"The suits are trying to expose some of Plaid’s allegedly questionable practices," says Sonneberg.
"In the shadow of its deal with Visa, Plaid will have a lot of reason to want to settle and may even be pressured by Visa to do so depending on how far the case gets."
Among the many lures cast into the surf, the first suit lists 10 distinct areas in which Plaid is alleged to have acted improperly.
They include violating the 1986 Computer Fraud and Abuse Act; the 1986 Stored Communications Act; the 2005 Anti-Phishing Act; the California Business and Professional Code; article one of the California Constitution; the California Civic Code and the California Comprehensive Computer Data Access and Fraud Act.
The suit also cites Common Law complaints that Plaid invaded citizens' privacy; that it wrongfully accessed, collected, stored, disclosed, sold and otherwise improperly used private data, and that it benefited from "unjust enrichment" at consumers' expense.
The second suit alleges similar breaches.
But Nicomedes Sy Herrera, a partner at Herrera Purdy, cautions it would be unwise to be thrown off by the class action's sweeping allegations.
"The audacity, scope and scale of the privacy violations may be unprecedented, but the principles that make it unlawful and wrong certainly are not," he says.
Herrera Purdy declined to reveal how many people have signed on in support of the class action, beyond two named plaintiffs, James Cottle and Frederick Schoeneman. It also declined to precisely state the details of its claimed long-running investigation.
What the plaintiff wish list includes is for Plaid to cease its allegedly "unlawful" data gathering, publicly notify all impacted consumers of its alleged "misconduct," and pay out damages based on both such misconduct and any enrichment it facilitated, according to the suit.
The four named plaintiffs in the second suit are David Evans, Patrick Lenahen, Adam Smotkin, and Oswaldo Herrera.
Its wish list is, again, similar to the first suit's, and includes a plea that Plaid purge all gathered data; stop using login credentials; follow industry protocols; disclose its software and what it does at each instance of data gathering; and notify consumers of any wrongdoing.
To sell or not to sell
The suits allege that Plaid gathers massive amounts of data about every consumer using its aggregated client accounts, including information about all their externally linked accounts. Then it allegedly runs analytics on this data and resells it back to its own clients.
"For years [Plaid] has exploited its position as middleman ... to harvest vast amounts of private transaction history ... to amass what it touts as one of the largest transactional data sets in the world," the suit states.
But Plaid categorically rejects the allegation that it's assembling any such database, whether raw, or in an analytics-parsed bulk form, in order to sell it on to third parties.
"Plaid doesn’t obtain consumers’ data without consent, share consumers’ data without permission, or sell or rent consumers’ personal information," says Giannangeli.
This form of data sales does not, however, constitute the basis of Herrera Purdy et al.'s first complaint, says Kennedy.
"They're not denying the fact that when I sign up for Venmo to pay my babysitter, they go and collect years of transaction history … then sell that data unbeknownst to me to Venmo. That's what we're talking about," he says.
The data Plaid allegedly gathers "several times a day" on consumers covers investment holdings, annual salaries and income data, addresses, contacts, the names of any joint account holders and authorized users, as well as related accounts used for minors, according to the suit.
Plaid's Developer API documentation for app developers states that the firm automatically and consistently updates its cache of consumer private financial data every few hours.
"We update a users account at set intervals throughout the day, independent of how many times a client calls the connect endpoint," the documents state.
Honeypot
In a 2018 interview on Software Engineering Daily, Plaid’s Head of Engineering, Jean-Denis Greze, confirmed that his employer stores the data it collects for backup purposes, that Plaid is "effectively caching" banking data and that it permanently stores raw data.
"If you want to build a financial technology company building a better product experience around anything people do with the financial system every day, you need access to someone's spending history," he explained in the podcast interview.
"[But] we're not reselling the data ... we're just a pipeline ... data being shared without consent, we don't see that as right."
The problem is that it's one thing for an RIA to store client data, but a whole different kettle of fish if Plaid does, because there's no reason to trust them, says Bruckenstein.
"An RIA is acting in a fiduciary capacity, which means they always need to put the interest of the client first. That's affirmative, fully disclosed, and it's a fiduciary relationship. Plaid? None of that … [there’s] no duty on the part of Plaid to keep [data] confidential."
"[It's also] a honeypot for some hacker," he adds.
Rules aside, Plaid's need to protect the brand may sway how it responds to critics, says Will Trout, senior analyst at Boston-based consultancy, Celent, via email. "[But] if they’ve been reselling personal data without permission that's pretty tawdry."
Spoofing?
The second niggle to the case against Plaid is an alleged work-around it uses to "centralize" the security risk of holding consumer banking and investor passwords for the purposes of aggregation.
Rather than use the end-to-end encrypted OAuth process through which consumers directly connect with their financial institutions, the suit states that Plaid's software creates an alternative login procedure on its own servers that "mimics" bank and brokerage login pages.
"Sign up for Venmo, you get [sent] to a Plaid site and it has your bank[‘s branding] … there's nowhere around it that says Plaid," Herrera explains.
"How can a business honestly say that they were interested in informing consumers of what they were giving over ... when the most obvious place you would do that is when you actually [give] it?"
If true, it’s "almost blatant fraud," says Bruckenstein.
"[By] making me think that I'm going to my bank's website when I'm not, you're misrepresenting at least by omission. Even if it's anonymized ... if they're storing my data … they're going beyond the scope of what they were given permission to do ... [and] profiting through deception."
But Giannangeli insists Plaid is on the side of consumers.
"Plaid firmly believes consumers should have transparent, permission-based access to and control over their financial data and embodies these principles in our practices," she says.
It's in flux, says Herrera. "Plaid's privacy policy disclosures ... evolved very quickly after this lawsuit was filed."
For example, the complaint alleges that the login for connecting clients to Venmo did not adequately alert clients to a hyperlink to Plaid's privacy policy. That has now been modified. "The bright blue ‘Continue’ button [had] a legally insufficient statement—in small text, muted colors, and no underlining indicating a functioning hyperlink—concerning Plaid’s privacy policy," he explains. "That has changed since the lawsuit."
Under the spotlight
Yodlee owner Envestnet did not respond to a request for comment.
But in May 2018, three aggregators, Yodlee, Morningstar's ByAllAccounts and the now Plaid-owned Quovo tried to pre-empt such an eventuality by banding together to form a data gathering code of conduct, SODA. See: Envestnet quietly deals rivals in on Yodlee play to placate big banks and their latent threat of 'oblivion' in response to 'screen scraping'.
On May 19 this year, Plaid announced its intention to become the builder of data aggregation APIs for banks. See: Envestnet quietly deals rivals to placate big banks and their latent threat of 'oblivion' in response to 'screen scraping'
A previous version of this article did not explain in full what Herrera means when he says that Plaid's privacy policy 'evolved.' Now it clarifies he was referring to how it shows up on the site, not the wording.