It's been six months since Visa agreed to a wild valuation for the seven year-old Yodlee competitor that caused wealth fintechs to retain investment bankers left and right. Now Plaid faces two class action suits

June 10, 2020 — 12:40 AM by Oisin Breen

Brooke's Note: It's amazing how $5 billion galvanizes peoples' attention -- especially when such immense valuation baffles experts.  A San Francisco-based startup with modest revenues, fewer than 500 employees and $309 billion of VC backing is set to be scooped up this month for a price tag that exceeds even the larger IPOs in the RIA universe. Even today, Envestnet's market cap is about $4 billion and LPL's about $6.7 billion. In the aftermath of the June 13 Visa acquisition, Yodlee, Brinker and Orion tested the market, according to Barron's. The bad news that may keep the champagne on ice for Plaid owners is a pending class action. Lawyers have maximum leverage before a big deal. The teams of attorneys also have incentive to really do their homework. So if this suit turns out to be a "fishing expedition," as some experts claim, it may be the one with teeth because it sure has a thorough quality to it. The suit also has timely threads to yank because the political will to determine what is kosher when it comes to data collection is on the rise -- something we assumed until now was merely a Yodlee issue in the RIA world.  See: The odd case of Envestnet/Yodlee getting singled out as data scofflaw, just four days after Visa deal to buy rival Plaid and nine months after Raj Udeshi's 'Theranos' outcry.

Update: On July 17, Plaid was hit with a second similar lawsuit, from four fresh plaintiffs in the US District Court for the Northern District of California. Plaid denies the fresh allegations, and states the "copycat lawsuit is baseless."

7 Comments

As Plaid nears the date when it banks a $5.3 billion dollar check from Visa, it may face a final hurdle from a class action alleging its value proposition depends on a "massive invasion" of the privacy of over 200 million bank and brokerage accounts.

Shawn Kennedy
Shawn Kennedy: This is no shakedown ... we did our homework on Plaid.

Filed on May 5, the suit alleges that San Fransciso-based Plaid spoofs bank and investment firm logins to finagle a vast "trove" of "wrongfully obtained" data that it resells as "consumer behavioral insights." Plaid is also alleged to have failed to disclose its process.

The suit is a potentially major blow to the  company just six months after its sale to Visa effectively reset valuation expectations for wealth technology deals.

Visa agreed in early January to pay 25- to 50-times revenues -- a price many industry observers attribute to a bet that a growing market exists for aggregated data that can fine-tune marketing and other services. See: Visa gambles $5.3 billion that Plaid will pay Big Data dividends.

In Visa's case, it also serves as a hedge, if the Venmos of the world were to supplant plastic credit cards.

On July 17, one month after this article was published, a second class action suit -- along similar lines -- was filed against Plaid by four fresh plaintiffs.

Lodged in the US District Court for the Northern District of California, the second suit alleges Plaid "exploits ... ill-gotten information ... and wrongfully intruded upon [US citizens'] private financial affairs."

Plaid dismissed these allegations, as well as those of the first suit, and labelled the second a "baseless" "copycat"

FTC Bulls Eye

But it should come as no surprise that both lawsuits zero in on a hot button issue in the financial services industry. 

Lex Sokolin
Lex Sokolin: [Perhaps] suing [Visa] to achieve settlement based on a politically charged topic is what this is about.

The Federal Trade Commission (FTC) brought nine data security enforcement actions last year. The actions targeted companies with direct consumer relationships and service providers like Plaid, which will continue to be an area of FTC interest, according to the agency. 

Earlier this year, three Capitol Hill Democrats urged the FTC to probe Envestnet data subsidiary Yodlee over its data collection practices. The move came just four days after Visa bought Plaid.

Yodlee has been the subject of a FTC probe since Jan. 17.

Analysts suggested it was the direct result of industry lobbying to prevent aggregators from monetizing their data. See: Envestnet cautions about Yodlee subscription 'headwinds' and the FTC asking more Yodlee-data questions as the company recorded a blowout revenue quarter

Indeed, this mix of politics and hard dollars may be at the root of the suits against Plaid, says Lex Sokolin, a global co-head for financial technology at New York-based software firm ConsenSys, via email.

 "Perhaps Visa is seen as a deep pocketed entity, and suing [it] to achieve a settlement based on a politically charged topic is what this is about." See: The odd case of Envestnet/Yodlee getting singled out as data scofflaw, just four days after Visa deal to buy rival Plaid and nine months after Raj Udeshi's 'Theranos' outcry.

Banks and broker-dealers have also been working to restrict the level of access aggregators have to client data by offering direct and up-to-date feeds in return for the end of the practice of screen-scraping, whereby aggregators use client passwords to directly 'scrape' client data into an in-house database.

Push-back

Should the courts rule against Plaid, it could be sent scrambling, Sokolin adds. 

Nicomedes Sy Herrera
Nicomedes Sy Herrera: Plaids privacy policy ... evolved very quickly after this lawsuit was filed.

"If Plaid is actually downloading and saving financial data without permission,and in breach of consumers' rights, then it would need to reengineer the product and go on an apology tour ... and regulators may be punitive."

The desire for someone to take action against the aggregators is certainly rising, says Bill Singer, attorney and writer of the Broke and Broker blog, via email. See: Tired of having their screens scraped, Schwab and Fidelity launch API initiatives to curtail the practice.

"We may be heading into a new era of push-back from ... governments."

The suits could also dash Plaid's reputation as the halo-wearing version of Envestnet's Yodlee. Until now, Plaid has been known first and foremost for its technology and its bumper valuation.

The class action against Plaid could also lead to federal scrutiny.

Shakedown?

For all that, the first class action may just be an opportunistic nuisance lawsuit, says Ari Sonneberg, partner and chief marketing officer at Boston-based Wagner Law Group, via email.

Ari Sonneberg
Ari Sonneberg: The suit smells like a shakedown ... [but] Plaid will have a lot of reason to want to settle.

"The suit smells like a shakedown for several reasons, not  the least of which is timing."

"This [second suit] looks like more of the same. the sharks smell blood in the water and begin to circle, even when the blood is from fishermen chumming the water," he added, on July 29.

For its part, Plaid isn't conceding anything. 

"We are vigorously defending ourselves against the lawsuit and reject its baseless claims," said company spokeswoman Natalie Giannangeli of the first suit, via email. 

Plaid also categorically rejects all allegations made in the second, says a Plaid spokesperson quoted in several publications.

"This copycat lawsuit is baseless and Plaid will vigorously defend itself ... Plaid does not sell or rent consumers' personal information and personal information is only obtained with consent."

Visa's acquisition of 2013-founded Plaid was expected to close at some point between mid-March and mid-June, meaning the case against Plaid comes as its sale reaches the outer periphery of the agreed-upon calendar.

Legal sources note, however, that the sale could be delayed until the end of the year.

In it to win it

"Unequivocally, this [suit] is no shakedown," says Shawn Kennedy, a partner at at Oakland and Newport Beach, Calif., law firm, Herrera Purdy. "We did our homework on Plaid."

Herrera Purdy lodged the first suit against Plaid, and is supported by two other law firms, San Francisco's Lieff Cabraser Heimann & Bernstein and Dallas-based Burns Charest.

The latter two firms have not responded to a request for comment, nor has Visa. Plaid's legal team, headed by the white-shoe law firm Gibson Dunn & Crutcher in Los Angeles, did not provide comment by the time the article was published.

The second suit was filed by the Los Angeles, Calif.-based Tostrud Law Group, and New York-based Glancy, Prongay, and Murray.

Both Brian Murray, a partner at Glancy, Prongay and Murray; and Jon Tostrud, founder of the Tostrud Law Group have yet to respond to a request for comment sent on July 29.

RIABiz asked both attorneys what they made of their suit being labelled a copycat, and what they feel differentiates it from the initial suit filed by Herrera Purdy.

For now it's hard to tell whether there's meat on the legal bone, says Sonneberg.

"Ultimately, the plaintiffs will have to show Plaid deliberately collected unnecessary information and either used, or planned to use that information in an impermissible fashion."

The allure for Visa

The first is a zinger of a suit, no doubt about it, Singer says.

Natalie Giannangeli
Natalie Giannangeli: We are vigorously defending ourselves against the lawsuit and reject its baseless claims.

"Firms [like] Plaid are not merely in the business of facilitating interactions between consumers and financial institutions but in harvesting all sorts of consumer data and monetizing that stream."

Roughly 2,600 financial applications use Plaid to connect with consumer accounts at 11,000 firms, and about one in four people in the US have a Plaid-linked account, according to a release.

The firm uses these connections to garner data on approximately 3,700 transactions per consumer, according to the first suit.

This advantageous Plaid positioning between data producers and data users makes Visa happy to pay up, says Kennedy.

"They entrench their market position by saying to the Venmos of the world: 'We know your clients. We know these people and we can give you the value added product that gives you insight into it. You have to buy that from us because you can't get it anywhere else.'"

But Plaid's offices are hardly some Ernst Blofeld-styled lair of illegal data-gathering, according to Sokolin. "It's more likely they get paid primarily for authentication and aggregation, not [for] some mysterious global financial database."

Gone Fishin'

The suits are trying to expose some of Plaid’s allegedly questionable practices," says Sonneberg.

Bill Singer
Bill Singer: We may be heading into a new era of push-back from any number of governments.

"In the shadow of its deal with Visa, Plaid will have a lot of reason to want to settle and may even be pressured by Visa to do so depending on how far the case gets."

 Among the many lures cast into the surf, the first suit lists 10 distinct areas in which Plaid is alleged to have acted improperly.

They include violating the 1986 Computer Fraud and Abuse Act; the 1986 Stored Communications Act; the 2005 Anti-Phishing Act; the California Business and Professional Code; article one of the California Constitution; the California Civic Code and the California Comprehensive Computer Data Access and Fraud Act.

The suit also cites Common Law complaints that Plaid invaded citizens' privacy; that it wrongfully accessed, collected, stored, disclosed, sold and otherwise improperly used private data, and that it benefited from "unjust enrichment" at consumers' expense.

The second suit alleges similar breaches.

Joel Bruckenstein
Joel Bruckenstein: [There’s] no duty on the part of Plaid to keep [data] confidential.

But Nicomedes Sy Herrera, a partner at Herrera Purdy, cautions it would be unwise to be thrown off by the class action's sweeping allegations. 

"The audacity, scope and scale of the privacy violations may be unprecedented, but the principles that make it unlawful and wrong certainly are not," he says.

Herrera Purdy declined to reveal how many people have signed on in support of the class action, beyond two named plaintiffs, James Cottle and Frederick Schoeneman. It also declined to precisely state the details of its claimed long-running investigation.

What the plaintiff wish list includes is for Plaid to cease its allegedly "unlawful" data gathering, publicly notify all impacted consumers of its alleged "misconduct," and pay out damages based on both such misconduct and any enrichment it facilitated, according to the suit.

The four named plaintiffs in the second suit are David Evans, Patrick Lenahen, Adam Smotkin, and Oswaldo Herrera.

Its wish list is, again, similar to the first suit's, and includes a plea that Plaid purge all gathered data; stop using login credentials; follow industry protocols; disclose its software and what it does at each instance of data gathering; and notify consumers of any wrongdoing.

To sell or not to sell

The suits allege that Plaid gathers massive amounts of data about every consumer using its aggregated client accounts, including information about all their externally linked accounts.  Then it allegedly runs analytics on this data and resells it back to its own clients.

"For years [Plaid] has exploited its position as middleman ... to harvest vast amounts of private transaction history ... to amass what it touts as one of the largest transactional data sets in the world," the suit states.

Jean Denis Greze
Jean Denis Greze: We're not reselling the data or anything, we're just a pipeline.

But Plaid categorically rejects the allegation that it's assembling any such database, whether raw, or in an analytics-parsed bulk form, in order to sell it on to third parties.

"Plaid doesn’t obtain consumers’ data without consent, share consumers’ data without permission, or sell or rent consumers’ personal information," says Giannangeli.

This form of data sales does not, however, constitute the basis of Herrera Purdy et al.'s first complaint, says Kennedy.

"They're not denying the fact that when I sign up for Venmo to pay my babysitter, they go and collect years of transaction history … then sell that data unbeknownst to me to Venmo. That's what we're talking about," he says.

The data Plaid allegedly gathers "several times a day" on consumers covers investment holdings, annual salaries and income data, addresses, contacts, the names of any joint account holders and authorized users, as well as related accounts used for minors, according to the suit.

Plaid's Developer API documentation for app developers states that the firm automatically and consistently updates its cache of consumer private financial data every few hours.

"We update a users account at set intervals throughout the day, independent of how many times a client calls the connect endpoint," the documents state.

Honeypot

In an 2018 interview on Software Engineering Daily, Plaid’s Head of Engineering, Jean-Denis Greze, confirmed that his employer stores the data it collects for backup purposes, that Plaid is "effectively caching" banking data and that it permanently stores raw data.

Jon Tostrud
Jon Tostrud, whose firm filed the second suit against Plaid, has yet to comment, as of July 29.

"If you want to build a financial technology company building a better product experience around anything people do with the financial system every day, you need access to someone's spending history," he explained in the podcast interview.

"[But] we're not reselling the data ... we're just a pipeline ... data being shared without consent, we don't see that as right."

The problem is that it's one thing for an RIA to store client data, but a whole different kettle of fish if Plaid does, because there's no reason to trust them, says Bruckenstein.

"An RIA is acting in a fiduciary capacity, which means they always need to put the interest of the client first. That's affirmative, fully disclosed, and it's a fiduciary relationship. Plaid? None of that … [there’s] no duty on the part of Plaid to keep [data] confidential."

"[It's also] a honeypot for some hacker," he adds.

Rules aside, Plaid's need to protect the brand may sway how it responds to critics, says Will Trout, senior analyst at Boston-based consultancy, Celent, via email. "[But] if they’ve been reselling personal data without permission that's pretty tawdry."

Spoofing?

The second niggle to the case against Plaid is an alleged work-around it uses to "centralize" the security risk of holding consumer banking and investor passwords for the purposes of aggregation.

Rather than use the end-to-end encrypted OAuth process through which consumers directly connect with their financial institutions, the suit states that Plaid's software creates an alternative login procedure on its own servers that "mimics" bank and brokerage login pages.

"Sign up for Venmo, you get [sent] to a Plaid site and it has your bank[‘s branding] … there's nowhere around it that says Plaid," Herrera explains. 

"How can a business honestly say that they were interested in informing consumers of what they were giving over ... when the most obvious place you would do that is when you actually [give] it?"

If true, it’s "almost blatant fraud," says Bruckenstein.

"[By] making me think that I'm going to my bank's website when I'm not, you're misrepresenting at least by omission.  Even if it's anonymized ... if they're storing my data … they're going beyond the scope of what they were given permission to do ... [and] profiting through deception."

But Giannangeli insists Plaid is on the side of consumers.

"Plaid firmly believes consumers should have transparent, permission-based access to and control over their financial data and embodies these principles in our practices," she says.

It's in flux, says Herrera. "Plaid's privacy policy disclosures ... evolved very quickly after this lawsuit was filed."

For example, the complaint alleges that the login for connecting clients to Venmo did not adequately alert clients to a hyperlink to Plaid's privacy policy. That has now been modified. "The bright blue ‘Continue’ button [had] a legally insufficient statement—in small text, muted colors, and no underlining indicating a functioning hyperlink—concerning Plaid’s privacy policy," he explains. "That has changed since the lawsuit."

Under the spotlight

Yodlee-owner, Envestnet did not respond to a request for comment.

But in May 2018, three aggregators, Yodlee, Morningstar's ByAllAccounts and the now Plaid-owned Quovo tried to pre-empt such an eventuality by banding together to form a data gathering code of conduct, SODA. See: Envestnet quietly deals rivals in on Yodlee play to placate big banks and their latent threat of 'oblivion' in response to 'screen scraping'.

On May 19 this year, Plaid announced its intention to become the builder of data aggregation APIs for banks. See: Envestnet quietly deals rivals to placate big banks and their latent threat of 'oblivion' in response to 'screen scraping'

A previous version of this article did not explain in full what Herrera means when he says that Plaid's privacy policy 'evolved.' Now it clarifies he was referring to how it shows up on the site, not the wording.

No people referenced


Related Moves

Envestnet nabs Dani Fava to cross-pollinate semi-autonomous units and reap 'financial wellness' as the end product

The Chicago outsourcer has a massive, partially disconnected arsenal of products that CEO Bill Crager is rationalizing into 'wellness' with yet another new unit.

July 23, 2020 — 1:42 AM

Behind the scenes, Envestnet's board of directors had much to tussle over before finally subtracting the 'interim' from Bill Crager's CEO title

With Jud Bergman gone at a chairman, a power struggle ensued to fill that spot, and the process dragged when taking the company private came under review

April 2, 2020 — 2:34 AM



Share your thoughts and opinions with the author or other readers.

Gravatar

Brian Murphy said:

June 10, 2020 — 5:52 AM

From my perspective there aren't enough facts presented in this article to draw any real conclusions - though almost everyone will want to! Additionally, having not read through any of Plaid's "Terms of Service" docs, I'm at the disadvantage of not knowing what exactly user's of Plaid's services are agreeing to. (I'm sure I'm not the only one who hasn't read them!). One thing that can certainly be said is that again this comes down to who owns the data - and more importantly who SHOULD own the client data. This is the $64,000 question facing the entire financial services industry at present. I'll go out on a limb and throw out a "stawman" for how this big question ultimately could get resolved: a) any identifying data belongs to the client. b) any specific client unidentifiable data should be owned by both client and data gatherer (unless either party waves their right to it), and c) any aggregated non-identifiable datasets (say of 5 or more clients - pick a number) are owned by the data gatherer. Client gets the right to agree to b) or not. If client doesn't agree to b), then the data gathering entity is prohibited from retaining it in raw form however it can be aggregated into groups of 5 (pick a number) or more. If the client does agree to b), then data gathering entity can, or cannot (depending on their business model) share revenues with the client. OK - let the hole poking begin! ;-)
Gravatar

Brooke Southall said:

June 10, 2020 — 6:26 AM

Brian, Your willingness to be first to jump headlong into the deep murky waters is always appreciated. Brooke
Gravatar

Bill Singer said:

June 10, 2020 — 2:49 PM

Brian: Very fair comments. At the initial stage when a Complaint is filed, there are rarely enough facts for anyone to figure out whether a lawsuit is justified -- and even after the responsive Answer comes in, things are still at a he-said-she-said state and whatever the "truth" may be, rarely emerges, if at all. Part of what makes this lawsuit interesting is that these types of cases increasingly cite the TOS, which has mushroomed into a laughable document beyond the comprehension of most humans and, to some extent, is as much the problem with these disputes as anything. On Wall Street, we argue about "who owns the customer" when disputes arise between departing stockbrokers/advisers and their former firms. Similarly, with data aggregation and scraping "who owns the customer's data" seems as apt a question. For decades, Wall Street has struggled with so-called Negative Consents whereby the consumer does nothing and the law allows that individual to be screwed albeit legally. Similarly, we have implemented an agenda of Disclosure whereby unreadable font at the bottom of a television screen informs us of information that some bureaucrat thought important but is presented in a fashion that no one can read and, if they could, the image flickers off before the eye can scan even one line. The obfuscation of disclosure is the lifeblood of many professionals. We are in a restless age and folks are angry about everything and seeking immediate change. Unfortunately, legislating under pressure tends to yield overly broad and ineffective laws and rules. On the other hand, those responsible for self regulating their data harvesting have failed to timely address the issues and have only themselves to blame if others, less savvy, now fill the void of reasonable regulation. The process is always messy. Yet again, Bismarck knew his sausages.
Gravatar

Bob Miller said:

June 24, 2020 — 12:57 AM

I am not qualified to comment on legal claims. But my read .. A. Lender provides users loans B. Lender requires verification of user bank account C. Lender implements Plaid for this purpose D. User applies for loan online E. Lender directs user to logon to their bank to verify account F. Request handed to Plaid who presents what looks like bank's login G. Terms of service are presented H. User wants loan I. User trusts lender (have already given them personal information) J. User trusts bank (they will protect them) K. User accepts terms of service (without close examination) L. User gets loan M. Transaction complete N. Nope. Plaid repeatedly uses credentials to drain user information for profit. A healthy internet economy cannot thrive on deception rationalized by the failure of consumers to read fine-print. If the disclaimer next to the ACCEPT button read .. "By accepting, you allow us to use your credentials to repeatedly and perpetually access your account to gather information on every one of your credit and debit transactions for the purpose of building a database we can sell to others." How many people would accept?
Gravatar

Brian Murphy said:

June 24, 2020 — 4:09 AM

Hi Bob, If that is in fact what Plaid is doing (repeatedly using user credentials for what should be a one-off approval) - I agree that almost anyone would consider that problematic. That said, I can't verify that this is, or is not, a use case - as I haven't used the service. I also agree that if such a statement was placed anywhere in the process flow, most users would logically balk & deny such ridiculous over-reach.
Gravatar

Bob Miller said:

June 24, 2020 — 8:50 AM

Thanks Brian. It is likely that Plaid will be found to be operating within the letter of its TOC's -- they are smart guys running a big and successful company. Its really about the look forward sustainability of models that operate outside a "common sense consumer trust model" -- the point of my one line disclaimer. If we were in Europe the holders of those 200M accounts that interacted with a Plaid enabled or any other similar app would be able to request at any time that the provider (a) describe exactly what data the company has of the user; (b) request that they be provided a copy of that data; (b) request that all their data be deleted; (c) and that any authorization that believe they had to access the users data be revoked. Play that forward to similar privacy regulations in California likely to take shape in other states. Even with full informed consent of users to have contributed their data to the "database", its commercial and asset value could be extinguished quickly with an act of protest (recent events tell us the power of those) that has had masses of consumers simply exercise their "right to be forgotten". The data analytics businesses that accumulate data in this manner are challenged to balance the needs of consumers and the dangerous business of amassing vast quantities of our personal data. As a long term fin-tech entrepreneur its hard not to love the Plaid story - unicorns and all that. That aside, I am passionate about making sure we (the tech community) promote an eco-system of trust and verifiability that facilitates the flow of data while adhering to what are inevitable well-needed consumer privacy constraints. The Plaid suit, for me, is less about Plaid and more about a continued "caveat emptor" approach by tech companies to consumer rights that will produce both regulatory and consumer backlash. Remember Plaid's tag line is 'Make Money Easy' - that means one-click - not 20 page TOC's.
Gravatar

Brian Murphy said:

June 24, 2020 — 5:48 PM

Hi Bob, I couldn't agree with you more. Transparency and simple, full disclosure is the only way forward here. I suspect there are some great opportunities for new companies to develop in the space - such as "data fiduciaries" that help consumers navigate these services and potentially monetize their own data successfully.

Submit your comments: