Visa, the credit card network, is trying to buy financial technology company Plaid for $5.3 billion. The merger is bad for a number of reasons. First and foremost, it would allow a giant company with a controlling market share and a history of anticompetitive practices to snap up its fast-growing competition in the market for payment apps. But Plaid is more than a potential disruptor; it’s also sitting on a massive amount of financial data acquired through questionable means. By buying Plaid, Visa is buying all of its data. And Plaid’s users—even those protected by California’s new privacy law—can’t do anything about it.
Since mergers and acquisitions often fall outside the purview of privacy laws, only a pointed intervention by government authorities can stop the sale. Thankfully, this month, the US Department of Justice filed a lawsuit to do just that. This merger is about more than just competition in the financial technology (fintech) space; it’s about the exploitation of sensitive data from hundreds of millions of people. Courts should stop the merger to protect both competition and privacy.
Visa's Monopolistic Hedge
The Department of Justice lawsuit outlines a very simple motive for the acquisition. Visa, it says, already controls around 70% of the digital debit card payment market, from which it earned approximately $2 billion last year. (Mastercard, at 25% market share, is Visa’s only significant competitor.) Thanks to network effects with merchants and consumers, plus exclusivity clauses in its agreements with banks, Visa is comfortably insulated from threats by traditional competitors. But apps like Venmo have started—just barely—to eat away at the digital transaction market. And Plaid sits at the center of that new wave, providing the infrastructure that Venmo and hundreds of other apps use to send money around the world.
According to the DoJ, a Visa executive predicted that Plaid would undercut its debit card processing business eventually, and that buying Plaid would be an “insurance policy” to protect Visa’s dominant market share. The lawsuit alleges that Plaid already had plans to leverage its relationships with banks and consumers to launch a new debit service. Seen through this lens, the acquisition is a simple preemptive strike against an emerging threat in one of Visa’s core markets. Challenging the purchase of a smaller company by a giant one, under the theory that the purchase eliminates future competition rather than creating a monopoly in the short term, is a strong step for the DoJ, and one we hope to see repeated in technology markets.
But users’ interest in the Visa-Plaid merger should extend beyond fears of market concentration. Both companies are deeply involved in the collection and monetization of personal data. And as the DoJ’s lawsuit underscores, “Acquiring Plaid would also give Visa access to Plaid’s enormous trove of consumer data, including real-time sensitive information about merchants and Visa’s rivals.”
Plaid, Yodlee, and the sorry state of fintech privacy
Plaid is what’s known as a “data aggregator” in the fintech space. It provides the infrastructure that connects banks to financial apps like Venmo and Coinbase, and its customers are usually apps that need programmatic access to a bank account.
It works like this: first, an app developer installs code from Plaid. When a user downloads the app, Plaid asks the user for their bank credentials, then logs in on their behalf. Plaid then has access to all the information the bank would normally share with the user, including balances, assets, transaction history, and debt. It collects data from the bank and passes it along to the app developer. From then on, the app can use Plaid’s services to initiate electronic transfers to and from the bank account, or to collect new information about the user’s activity.
In a shadowy industry, Plaid has tried to cultivate a reputation as the “trustworthy” data aggregator. Envestnet/Yodlee, a direct competitor, has long sold consumer behavior data to marketers and hedge funds. The company claims the data are “anonymous,” but reporters have discovered that that’s not always the case. And Finicity, another financial data aggregator, uses its access to moonlight as a credit reporting agency. A glance at data broker listings shows a thriving marketplace for individually-identified transactions data, with dozens of sellers and untold numbers of buyers. But Plaid is adamant that it doesn’t sell or monetize user data beyond its core business proposition. Until recently, Plaid has often been mentioned alongside Yodlee in order to contrast the two companies’ approaches, when it’s been mentioned at all.
Now, in the wake of the Visa announcement, two new lawsuits (Cottle et al v. Plaid Inc and Evans v. Plaid Inc) claim that Plaid has exploited users all along. Chief among the accusations is that Plaid’s interface misleads users into sharing their bank passwords with the company, a practice that plaintiffs allege runs afoul of California’s anti-phishing law. The lawsuits also claim that Plaid collected much more data than was necessary, deceived users about what it was doing, and made money by selling that data back to the apps which used it.
EFF is not involved in either lawsuit against Visa/Plaid, nor are we taking any position on the validity of the legal claims. We’re not privy to any information that hasn’t been reported publicly. But many of the facts presented by the lawsuits are relatively straightforward, and can be verified with Plaid’s own documentation. For example, at the time of writing, https://plaid.com/demo/ still hosts an example sign-in flow with Plaid. Plaid does not dispute that it collects users’ real bank credentials in order to log in on their behalf. You can see for yourself what that looks like: the interface puts the bank’s logo front and center, and looks for all the world like a secure OAuth page. Try to think about whether, seeing this for the first time, you’d really understand who’s getting what information.
Many users might not realize the scope of the data that Plaid receives. Plaid’s Transactions API gives both Plaid and app developers access to a user’s entire transaction and balance history, including a geolocation and category for each purchase made. Plaid’s other APIs grant access to users’ liabilities, including credit card debt and student loans; their investments, including individual stocks and bonds; and identity information, including name, address, email, and phone number.
For some products, Plaid’s demo will throw up a dialog box asking users to “Allow” the app to access certain kinds of data. (It doesn’t explain that Plaid will have access as well.) When we tested it, access to the “transactions,” “auth,” “identity,” and “investments” products didn’t trigger any prompts beyond the default “X uses Plaid to link to your bank” screen. It’s unclear how users are supposed to know what information an app will actually get, much less what they’ll do with it. And once a user enters their password, the data starts flowing.
Users can view the data they’re sharing through Plaid, and revoke access, after creating an account at my.plaid.com. This tool, which was apparently introduced in mid-2018 (after GDPR went into effect in Europe), is useful—for users who know where to look. But nothing in the standard “sign in with Plaid” flow directs users to the tool, or even lets them know it exists.
On the whole, it’s clear that Plaid was using questionable design practices to “nudge” people into sharing sensitive information.
What’s in it for Visa?
Whatever Plaid has been doing with its data until now, things are about to change.
Plaid is a hot fintech startup, but Visa thinks it can squeeze more out of Plaid than the company is making on its own. Visa is paying approximately 50 times Plaid’s annual revenue to acquire the company—a “very steep” sum by traditional metrics.
A huge part of Plaid’s value is its data. Like a canal on a major trade route, it sits at a key point between users and their banks, observing and directing flows of personal information both into and out of the financial system. Plaid currently makes money by charging apps for access to its system, like levying tariffs on those who pass through its port. But Visa is positioned to do much more.
For one, Visa already runs a targeted-advertising wing using customer transaction data, and thus has a straightforward way to monetize Plaid’s data stream. Visa aggregates transaction data from its own customers to create “audiences” based on their behavior, which it sells to marketers. It offers over two hundred pre-configured categories of users, including “recently engaged,” “international traveler - Mexico,” and “likely to have recently shifted spend from gasoline to public transportation services.” It also lets clients create custom audiences based on what people bought, where they bought it, and how much they spent.
Plaid’s wealth of transaction, liability, and identity information is good for more than selling ads. It can also be used to build financial profiles for credit underwriting, an obviously attractive application for credit-card magnate Visa, and to perform “identity matching” and other useful services for advertisers and lenders. Documents uncovered by the DoJ show that Visa is well aware of the value in Plaid’s data.
Through Plaid, Visa is about to acquire transaction data from millions of users of its competitors: banks, other credit and debit cards, and fintech apps. As TechCrunch has reported, “Buying Plaid is insurance against disruption for Visa, and also a way to know who to buy.” The DoJ went deeper into the data grab’s anticompetitive effects: “With this insight into which fintechs are more likely to develop competitive alternative payments methods, Visa could take steps to partner with, buy out, or otherwise disadvantage these up-and-coming competitors,” positioning Visa to “insulate itself from competition.”
The Data-Sale Loophole
The California Privacy Rights Act, which amends the California Consumer Privacy Act (CCPA), was passed by California voters in early November. It’s the strongest law of its kind in the U.S., and it gives people a general right to opt out of the sale of their data. In addition, the Gramm-Leach-Bliley Act (GLBA), a federal law regulating financial institutions, allows Americans to tell financial institutions not to share their personal financial information. Since the CPRA exempts businesses which are already subject to GLBA, it’s not clear which of the two governs Plaid. But neither law restricts the transfer of data during a merger or acquisition. Plaid’s own privacy policy claims, loudly and clearly, that “We do not sell or rent personal information that we collect.” But elsewhere in the same section, Plaid admits it may share data “in connection with a change in ownership or control of all or a part of our business (such as a merger, acquisition, reorganization, or bankruptcy).” In other words, the data was always for sale under one condition: you had to buy everything.
That’s what Visa is doing. It’s acquiring everything Plaid has ever collected and—more importantly—access to data flows from everyone who uses a Plaid-connected app. It can monetize the data in ways Plaid never could. And the move completely side-steps restrictions on old-fashioned data sales.
Stop the Merger
It’s easy to draw parallels from the Visa/Plaid deal to other recent mergers. Some, like Facebook buying Instagram or Google buying YouTube, gave large companies footholds in new or emerging markets. Others, like Facebook’s purchase of Onavo, gave them data they could use to surveil both users and competitors. Still others, like Google’s acquisitions of DoubleClick and Fitbit, gave them abundant new inflows of personal information that they could fold into their existing databases. Visa’s acquisition of Plaid does all three.
The DoJ’s lawsuit argues that the acquisition would “unlawfully maintain Visa’s monopoly” and “unlawfully extend [Visa’s] advantage” in the U.S. online debit market, violating both the Clayton and Sherman antitrust acts. The courts should block Visa from buying up a nascent competitor and torrents of questionably-acquired data in one move.
Beyond this specific case, Congress should take a hard look at the trend of data-grab mergers taking place across the industry. New privacy laws often regulate the sharing or sale of data across company boundaries. That’s great as far as it goes—but it’s completely sidestepped by mergers and acquisitions. Visa, Google, and Facebook don’t need to buy water by the bucket; they can just buy the well. Moreover, analysts predict that this deal, if allowed to go through, could set off a spree of other fintech acquisitions. It may have already begun: just months after Visa announced its intention to buy Plaid, Mastercard (Visa’s rival in the debit duopoly) began the process of acquiring Plaid competitor Finicity. It’s long past time for better merger review and meaningful, enforceable restrictions on how companies can use our personal information.