Envestnet and its data aggregation service, Yodlee, have been named as defendants in a class action complaint brought by a New Jersey resident. In the complaint, Deborah Wesch asserts that the fintech entities have not done enough to safeguard domestic consumer data, including engaging in “various acts of deceit” and failing to implement some security protocols that are already in place for Yodlee users in Europe. The proposed class action was filed in the U.S. District Court for the Northern District of California.
The plaintiff alleges that even after a consumer severs a data connection facilitated by Yodlee, the aggregator continues to access, and benefit from, the bank account information the consumer initially provided. In the complaint, Wesch alleges that, “by design,” Yodlee acquires financial data from individuals who “often have no idea they are dealing with Yodlee.”
When linking two financial services, such as a PayPal account and a bank account, part of what Yodlee collects is individuals’ bank log-in information, according to the complaint. That information is then stored on Yodlee’s “own system after the connection is made between that individual’s bank account and any other third-party service” (emphasis in the original court filing).
Even if the individual removes the link between a bank account and a third-party app, like PayPal, “Yodlee relies on its own stored copy of the individual’s credentials to extract financial data from her accounts long after the access is revoked,” according to the court filing, tantamount to an “unagreed-to data collection.”
In the complaint, Wesch also alleges that Envestnet and Yodlee are distributing collected data in “unencrypted plain text files … which can be read by anyone who acquires them [and] contain highly sensitive information that make it possible to identify the individuals involved in each transaction.”
In another major accusation, Wesch asserts that Yodlee designed its domestic API to circumvent OAuth access. OAuth is an authorization protocol under which the user grants a third party a scoped access token, issued and revocable at the bank, instead of handing over log-in credentials; it is considered by some to give more control to the user linking together two or more digital services. In 2018, Envestnet | Yodlee responded to European mandates around OAuth-facilitated token-based access by committing to “slowly migrate…existing accounts that are credential-based to token-based access.”
That same process hasn’t been replicated in the U.S., according to the complaint.
Yodlee and Envestnet “continue to deploy credential-based authentication because, though it falls short of the industry standard, it is a source of immense profit,” according to the court filing. “The user has no options to deny Yodlee any permissions at all,” which poses a “grave risk” to individuals using the service.
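The difference the complaint turns on, credential-based versus token-based access, comes down to where revocation takes effect. The following Python model is an added illustration written for this page; it is not Yodlee's, Envestnet's or any bank's code, and every name in it (the `Bank`, the two aggregator classes, the `transactions:read` and `payments:write` scopes, the sample transactions) is a constructed assumption. It shows that an aggregator holding a copy of the password keeps full access after the user unlinks the app, because the bank never saw a revocation, whereas a scoped token can be limited to reading and dies the moment the user revokes it at the bank.

```python
"""Added model (not Yodlee/Envestnet code) of credential-based versus
token-based aggregator access, showing where revocation actually takes effect.
All names (Bank, CredentialAggregator, TokenAggregator, the scopes and the
sample transactions) are constructed assumptions for the illustration."""
import secrets
from dataclasses import dataclass, field


class AccessDenied(Exception):
    pass


@dataclass
class Bank:
    """Toy bank accepting either the customer's password or a scoped token."""
    password: str
    transactions: list = field(default_factory=lambda: ["coffee 3.50", "rent 1200.00"])
    tokens: dict = field(default_factory=dict)  # token -> granted scopes

    # Credential path: the bank cannot tell the aggregator from the customer,
    # so a password login carries every permission the customer has.
    def login(self, password: str) -> dict:
        if not secrets.compare_digest(password, self.password):
            raise AccessDenied("bad password")
        return {"transactions": list(self.transactions), "can_transfer": True}

    # Token path (OAuth-style): the customer grants scopes at the bank and can
    # revoke them there, without touching the password.
    def issue_token(self, scopes) -> str:
        token = secrets.token_urlsafe(16)
        self.tokens[token] = set(scopes)
        return token

    def revoke_token(self, token: str) -> None:
        self.tokens.pop(token, None)

    def read_transactions(self, token: str) -> list:
        if "transactions:read" not in self.tokens.get(token, set()):
            raise AccessDenied("token missing or lacks transactions:read")
        return list(self.transactions)

    def transfer(self, token: str) -> bool:
        if "payments:write" not in self.tokens.get(token, set()):
            raise AccessDenied("token lacks payments:write")
        return True


@dataclass
class CredentialAggregator:
    """Keeps its own copy of the password and replays it on every data pull."""
    bank: Bank
    stored_password: str

    def pull(self) -> dict:
        return self.bank.login(self.stored_password)


@dataclass
class TokenAggregator:
    """Holds only the token the customer authorised for it."""
    bank: Bank
    token: str

    def pull(self) -> list:
        return self.bank.read_transactions(self.token)


def _allowed(fn) -> bool:
    """True if the call succeeds, False if the bank denies it."""
    try:
        fn()
        return True
    except AccessDenied:
        return False


def credential_model() -> dict:
    """Unlinking the app never reaches the bank; only a password change does."""
    bank = Bank(password="correct horse battery staple")
    agg = CredentialAggregator(bank, stored_password=bank.password)
    pulled = agg.pull()                        # full authority, transfers included
    # The customer now removes the link inside the third-party app. Nothing
    # about that is visible to the bank, so the stored password still works.
    pulls_after_unlink = _allowed(agg.pull)    # True
    bank.password = "a different passphrase"   # the only lever the customer has
    pulls_after_reset = _allowed(agg.pull)     # False
    return {"full_access": pulled["can_transfer"],
            "pulls_after_unlink": pulls_after_unlink,
            "pulls_after_password_change": pulls_after_reset}


def token_model() -> dict:
    """Access is limited to the granted scope and ends when revoked at the bank."""
    bank = Bank(password="correct horse battery staple")
    token = bank.issue_token({"transactions:read"})
    agg = TokenAggregator(bank, token)
    can_read = _allowed(agg.pull)                          # True
    can_transfer = _allowed(lambda: bank.transfer(token))  # False: scope not granted
    bank.revoke_token(token)                               # customer revokes at the bank
    reads_after_revoke = _allowed(agg.pull)                # False
    return {"reads": can_read, "transfers": can_transfer,
            "reads_after_revoke": reads_after_revoke}
```

The model generalises beyond the complaint's PayPal example: in any credential-based design the bank sees one principal (whoever presents the password), so the user cannot scope what the aggregator may do and can only cut it off by changing the password, whereas in the token design the bank is the control point and revocation there is immediate.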
“We believe the claims filed are baseless and intend to vigorously defend ourselves,” said a spokesperson for Envestnet | Yodlee. “As a matter of policy, neither Envestnet nor Yodlee comments on pending litigation. However, we adhere to leading industry practices for data security and privacy and adhere to applicable laws and industry guidance regarding the use of consumer data.”