The Federal Trade Commission (FTC) has sought investigative documents from huge financial data seller Envestnet. Envestnet, via a company it acquired called Yodlee, sells the bank and credit card transaction data of tens of millions of Americans to investment and research firms, which show how much people spent and where.
"In February 2020, we received a civil investigative demand from the FTC for documents and information relating to our data collection, assembly, evaluation, sharing, correction and deletion practices," an Envestnet document, filed with the Securities and Exchange Commission (SEC) in February, reads.
On Wednesday, lawyers filed a class action lawsuit against Envestnet and Yodlee in the Northern District of California, seeking damages for Yodlee allegedly selling individuals' data without taking proper security protections and sharing the data in unencrypted files.
Do you work at Yodlee, or another company selling data? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on firstname.lastname@example.org, or email email@example.com.
"Reports have revealed that Defendants are mishandling the data they collected from individuals without authorization by distributing it in unencrypted plain text files. These files, which can be read by anyone who acquires them, contain highly sensitive information that make it possible to identify the individuals involved in each transaction," the class action adds. Motherboard previously reported with a leaked Yodlee document that the company provides the data to its clients in a simple text file. Envestnet claims the data is anonymous, but the document also showed that individuals could likely be unmasked from the dataset.
The complaint in that class action lawsuit referenced the SEC filing and the FTC probe, which has not been previously reported.
Yodlee obtains the transactional data from credit card companies, financial institutions, and apps, including Bank of America, Citigroup, and HSBC, The Wall Street Journal previously reported.
The information itself includes a unique, pseudonymous identifier given to the individual who made the purchase; the amount spent; the date; the location of the business, and other pieces of metadata, according to the leaked document obtained by Motherboard.
Yodlee then sells this information to private clients including investment firms. A separate leaked J.P. Morgan document obtained by Motherboard describes the Yodlee "Data Platform" as, "provid[ing] the best and most comprehensive financial data at massive scale across retail banking, credit, and wealth management. This is made possible through the strengths of our data acquisition capabilities, extensive data cleaning and enrichment expertise, and massive scale."
The FTC has the power to issue fines to companies. In July 2019, as part of a settlement the FTC fined Facebook $5 billion, and Facebook was required to modify its corporate structure to hold the company more accountable for decisions around user privacy, the FTC said in a press release at the time.
The Envestnet SEC filing lays out what Envestnet sees as potential consequences of an FTC investigation.
"If, as a result of the FTC’s request, proceedings are initiated and we are found to have violated one or more applicable laws, we may be subject to monetary penalties and/or required to change one or more of our related business practices, any of which could have a material adverse effect on our results of operations, financial condition," the SEC filing reads. "Conduct giving rise to such liability could also form the basis for private civil litigation by third-parties allegedly harmed by such conduct."
The move from the FTC comes after Senator Ron Wyden, Senator Sherrod Brown, and U.S. Representative Anna G. Eshoo wrote a letter in January to the FTC urging the agency to investigate Yodlee.
It is unlikely that many of the individuals Yodlee sources data from are aware of, or gave informed consent for the data collection.
"Plaintiff Deborah Wesch connected her PNC Bank account to PayPal using a Yodlee powered portal in order to facilitate transfers among those accounts. At no time was it disclosed by PayPal, Yodlee, or PNC Bank that the Defendants would continuously access Plaintiff’s bank account to extract and sell data without her consent," the class action lawsuit reads.
Envestnet | Yodlee told Motherboard in a statement, "As previously disclosed in our Form 10-K dated February 28, 2020, the Federal Trade Commission (FTC) requested information from Envestnet | Yodlee. We are fully cooperating with this request and look forward to resolving this matter with the FTC soon."
An FTC spokesperson confirmed the agency had sent Envestnet a civil investigative demand, but declined to comment further.
Update: This piece has been updated to include comment from an FTC spokesperson.