Are you protecting your client’s data?
Even before the pandemic, compliance professionals had to operate in a world where, in some cases, data, especially client data, is viewed as a profit center and is sometimes mishandled. Nowhere is the risk of exposure more significant than among data aggregators, companies that collect and repackage data from various sources for sale to advertisers, investors, researchers, and other third parties.
Class action lawsuit brought against Envestnet and Yodlee
Now, a proposed class-action lawsuit seeks damages from Envestnet and Yodlee based on allegations of unsecured data and “unlawful collection and use of sensitive personal data from millions of consumers.”
What is Yodlee?
Yodlee is one of the largest financial data aggregators in the world. It focuses on selling highly sensitive financial data, such as bank balances and credit card transaction histories, collected from individuals throughout the United States. As Yodlee’s former chief product officer explained in a 2015 interview, “‘Yodlee can tell you down to the day how much the water bill was across 25,000 citizens of San Francisco,’ or the daily spending at McDonald’s throughout the country.”
The suit alleges that Yodlee collects these details from software products it markets and sells to some of the largest financial institutions in the country. These include 15 top banks (e.g., Bank of America, Merrill Lynch, and Citibank), 10 top wealth management firms, and digital payment platforms like PayPal. The entities use Yodlee’s software for various purposes, including to interconnect their systems. Yodlee, in turn, acquires financial data about each individual that interacts with the software installed on its customers’ networks. However, these individuals often have no idea they are interacting with Yodlee.
Given the highly sensitive nature of the data Yodlee collects, its software is developed to be seamlessly integrated directly into the host company’s existing website. When individuals connect their bank accounts to PayPal, they are prompted to enter their credentials into a log-in screen that mirrors what they would see if they logged directly into their respective bank’s website. Their financial institution’s logo displays prominently on each of the screens that they interact with, and the individuals use the same usernames and passwords they would use to log in to their financial institution’s actual website or mobile app. At no point are the individuals prompted to create or use a Yodlee account.
Are there disclosures of data aggregation?
Yes. In most cases, the relationships are not entirely “secret.” For example, PayPal discloses that Yodlee is involved in connecting an individual’s bank account to PayPal’s service for the limited purpose of confirming the individual’s bank details and checking their balance and transactions, as needed. However, the lawsuit alleges that Yodlee’s involvement with the individual’s data goes well beyond the limited consent provided to facilitate a connection between their bank account and PayPal. Rather, the aggregator stores a copy of each individual’s bank log-in information on its system after the connection is made between that individual’s bank account and any other third-party service.
The suit alleges that Yodlee then routinely extracts data from that user’s accounts without their knowledge or ongoing consent – even after an individual severs the connection between their bank account and the third-party service that Yodlee facilitated. Instead, Yodlee relies on its own stored copy of the individual’s credentials to extract financial data from those accounts long after the access is revoked.
Why does Yodlee continue to extract consumer data?
Remuneration. According to the Wall Street Journal, companies are willing to pay as much as $4 million a year for access to this sort of highly personal data. Plaintiff Deborah Wesch connected her PNC Bank account to PayPal using a Yodlee-powered portal to facilitate transfers among those accounts. She alleges that at no time did PayPal or PNC Bank disclose that Yodlee would continuously access her bank account to extract and sell data without her consent. Moreover, she alleges that reports reveal that Yodlee has been distributing the data collected in unencrypted plain text files, which can be read by anyone who acquires them, including information that makes it possible to identify the individuals involved in each transaction.
Were basic security and compliance protocols followed?
According to the lawsuit, “No.” The suit alleges that Yodlee’s failure to take such fundamental steps as requiring a “password” to open files to protect consumer data increases Plaintiff Wesch and all Class members’ exposure to fraud and identity theft. Moreover, the lawsuit alleges that Yodlee’s practice of reselling the data it collects—without authorization—to third parties increases that exposure.
In response, Yodlee says it does protect the data in its custody. But the company also has said in filings with the United States Securities and Exchange Commission (SEC) that it “does not audit its customers to ensure that they have acted, and continue to act, consistently with such assurances.” For this reason, Yodlee cannot guarantee that its clients, or anyone with whom its clients share Class members’ sensitive personal data, are not using such data for nefarious purposes.
What does this class action lawsuit mean for compliance professionals like you?
That proper handling of client data is critical. In fact, the regulators overseeing the financial services and insurance industries demand that all data be handled compliantly. That’s where Patrina can help. For more than 25 years, Patrina has been working with compliance professionals like you to keep your organizations on the “straight and narrow” efficiently and cost-effectively. So, let’s talk. Call 212-233-1155 to ask about Patrina’s cost-effective designated third-party services, our comprehensive 8-module compliance solution, and compliant data capture & file storage, and records archiving specifically designed for the financial services community. Be smart. Be covered. Let’s talk.