Plaid has reached a $58 million settlement with a group of customers who claimed the FinTech company sold their bank transaction histories to third parties without their consent.

The settlement, reached Thursday between Plaid and 11 plaintiffs in U.S. District Court for the Northern District of California, establishes a fund for which customers who used Plaid to facilitate banking transactions from the company’s start in 2013 to the date the fund is created can apply for and receive a share of the money.

Although a federal judge dismissed parts of the plaintiffs’ claims regarding the use of their personal financial data, the settlement resolves claims Plaid’s data collection practices broke laws regarding invasion of privacy and unjust enrichment, as well as violating California’s anti-phishing law.

According to the settlement, the plaintiffs alleged Plaid collected users’ private login information to their financial accounts and transaction data and then used that information in an illegal manner. Although plaintiffs alleged Plaid sold their data, the company denied the allegation.

Plaid, headquartered in San Francisco, provides services that connect payment apps like Venmo and SoFi to the personal financial accounts of users and process payments between the apps and the financial institutions. The company was nearly acquired by Visa before both sides terminated the deal earlier this year amid antitrust scrutiny from the Department of Justice.

Compliance takeaways: As part of the settlement, Plaid agreed to change several of its business practices regarding how it collects, stores, and manages users’ financial data.

Plaid agreed to create a user portal that will allow its customers “to view and manage the connections made between apps and their financial accounts using Plaid.” Customers will also be able to use the portal to delete their financial data stored in Plaid’s systems.

Plaid will have to make disclosures to its customers every time they use the platform to connect to their account, with a link to the company’s privacy policy. The policy will “provide more detailed information about Plaid’s data collection, storage, use, sharing, and deletion practices,” the settlement said.

In addition, the company will also delete customer banking data from its systems related to its “Transitions” product, as well as any data from accounts where the password has changed or the account has been closed.

Plaid response: The company did not admit to any of the conduct alleged in the lawsuit and said the claims “do not reflect our practices.”

“We do not, nor have we ever, sold data. We make our role and practices clear and provide services that give consumers control over how and where they share their data,” a Plaid spokesperson said. “We believe settlement of this matter is best in light of the cost and burden associated with protracted litigation. Moving forward, we will continue to focus on empowering millions of people with control over the data they share across the thousands of applications Plaid supports.”

Aaron Nicodemus covers regulatory policy and compliance trends for Compliance Week. He previously worked as a reporter for Bloomberg Law and as business editor at the Telegram & Gazette in Worcester, Mass.

Topics