Visa's acquisition of Plaid throws up data reuse concerns
What happens when a service you shared your personal data with is acquired by a giant corporation?
As data becomes an increasingly valuable asset when corporate giants draw up their merger and acquisition strategies, there are growing concerns around how the new owners in this information economy can responsibly use this digital property.
Earlier this month payments firm Visa announced that it will be acquiring the fintech startup Plaid for $5.3 billion in cash. The San Francisco-based company has built what is essentially an identity layer that can link together customers' bank accounts with popular fintech apps like TransferWise or Venmo.
At first glance the acquisition appears to be a clear attempt by Visa to remain relevant in the digital age, and to hedge its business against the rising tide of digital payments over its traditional bread and butter of card transactions. But are existing customers getting the raw end of the deal?
What is Visa getting?
As Ben Thompson at Stratechery wrote: "There are some obvious parallels to be drawn between Visa’s network, particularly in its earliest days, and Plaid, the fintech startup Visa acquired yesterday."
Like its fellow San Francisco-based fintech Stripe, Plaid builds the digital pipes that allow software developers to connect directly to customers’ bank accounts without having to build hundreds, if not thousands, of custom integrations and partnerships, taking a small fee for each verification and every time a user accesses their account for a transaction.
However, in the USA, where open banking regulations have not yet been formally implemented, banks do not have a consistent set of application programming interfaces (APIs), meaning Plaid has to act as an intermediary for customers if they want to link their bank with a third-party application. In these cases Plaid effectively copies over a user's login credentials and logs in on their behalf, a practice known as 'screen scraping', which is certainly not considered best practice in either user experience or security.
As Thompson writes: "If this sounds a bit shady, well, it kind of is! Bank login information is among the most sensitive credentials consumers have, and apparently one in four people in the U.S. with a bank account have shared those credentials with Plaid. Nearly all did so without knowing any better."
The emphasis is ours.
He continues: "Users, meanwhile, are likely unaware about just how much access and data they are giving away, but at the same time, have a real desire to access new financial services that require a connection to their bank account. The big problem is that the banks aren’t too sure if they want to participate."
For example, JPMorgan Chase announced that it will clamp down on screen scraping for access to its customers' accounts this year, and had already signed a deal with Plaid in October 2018 to use APIs, not screen scraping, when users wanted to link their accounts.
The CEO of Chase’s consumer banking division, Gordon Smith, said in the press release announcing the acquisition: “We believe Visa’s acquisition of Plaid is an important development in giving consumers more security and control over how their financial data is used.”
Where does Visa come in? As Thompson sagely points out, Visa can position itself as the de facto security solution in this new world by bringing together Plaid's network with its banking relationships to create a new, secure industry standard for verification. That is a best case scenario for this acquisition, however.
One potential roadblock is that Plaid's screen scraping model is not fit for purpose in markets with established forms of open banking, like the UK and the rest of the EU, and it will have to move fast to compete with rivals like OpenWrks, TrueLayer and Tink, all of which have already adjusted to these regulations. Visa, of course, has the muscle to improve its odds of success here.
As Gary LaFever, CEO and general counsel at data privacy specialists Anonos, told Techworld, companies acquiring other companies now often do so with the intention of "repurposing that data beyond its initial use," which throws up legal concerns under new data privacy laws such as the GDPR and the California Consumer Privacy Act.
The key concept in enabling the legal use of this data under the GDPR is 'pseudonymisation'. This is defined as: “The processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution to an identified or identifiable individual.”
The new owners of this personal data must therefore seek fresh consent from users, or at a minimum put them on notice, and ensure ongoing pseudonymisation to remain compliant with the new rules.
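The GDPR definition above has a concrete engineering shape: direct identifiers are replaced by tokens, and the "additional information" needed to reverse the tokens is held in a separate, separately controlled store, so a copy of the dataset on its own no longer attributes records to a person while still supporting the analytics the acquirer wants. The example below is added here to illustrate that shape; it is not code from the article, from Visa or from Plaid. It assumes keyed HMAC-SHA256 tokens, an in-memory `SeparateKeyStore` class standing in for a separately controlled key and lookup service, and constructed transaction records with made-up identifiers and amounts.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict
from typing import Dict, Optional, Tuple

# Constructed sample data for this example: transactions from hypothetical
# linked bank accounts. Identifiers and amounts are made up.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "account_id": "ACC-1001", "amount": 42.50, "merchant": "coffee"},
    {"email": "bob@example.com",   "account_id": "ACC-2002", "amount": 12.00, "merchant": "transit"},
    {"email": "alice@example.com", "account_id": "ACC-1001", "amount": 7.25,  "merchant": "bakery"},
]

# Fields that attribute a record directly to a data subject.
DIRECT_IDENTIFIERS = ("email", "account_id")


class SeparateKeyStore:
    """Holds the 'additional information' needed to re-attribute records.

    In a real deployment the HMAC key and the reverse lookup table would live
    in a separately controlled system with its own access controls; the
    pseudonymised dataset never travels with them. This in-memory class is a
    stand-in for that system (an assumption of this example).
    """

    def __init__(self, key: Optional[bytes] = None):
        # A fresh random 256-bit key unless the caller supplies one.
        self._key = key if key is not None else secrets.token_bytes(32)
        self._reverse: Dict[Tuple[str, str], str] = {}

    def pseudonymise_value(self, field: str, value: str) -> str:
        # A keyed MAC rather than a bare hash: without the key, nobody can
        # recompute the token from a guessed identifier, so a leaked dataset
        # cannot be re-attributed by brute-forcing likely e-mail addresses.
        mac = hmac.new(self._key, f"{field}:{value}".encode(), hashlib.sha256)
        token = mac.hexdigest()[:16]
        self._reverse[(field, token)] = value
        return token

    def reidentify(self, field: str, token: str) -> Optional[str]:
        """Reverse a token; only possible with access to this store."""
        return self._reverse.get((field, token))


def pseudonymise(records, store: SeparateKeyStore, fields=DIRECT_IDENTIFIERS):
    """Return copies of `records` with direct identifiers replaced by tokens."""
    out = []
    for rec in records:
        copy = dict(rec)
        for field in fields:
            if field in copy:
                copy[field] = store.pseudonymise_value(field, str(copy[field]))
        out.append(copy)
    return out


def is_token(value: str) -> bool:
    """True if `value` has the shape of a pseudonym produced above."""
    return len(value) == 16 and all(c in "0123456789abcdef" for c in value)


def spend_per_subject(records) -> Dict[str, float]:
    """Aggregate spend per (pseudonymised) account: the analytic use still works."""
    totals = defaultdict(float)
    for rec in records:
        totals[rec["account_id"]] += rec["amount"]
    return dict(totals)


if __name__ == "__main__":
    store = SeparateKeyStore()
    pseudo = pseudonymise(SAMPLE_RECORDS, store)
    for rec in pseudo:
        print(rec)
    print("spend per subject:", spend_per_subject(pseudo))
    # Re-attribution needs the separately held store.
    print("with store:", store.reidentify("email", pseudo[0]["email"]))
    print("without store:", SeparateKeyStore().reidentify("email", pseudo[0]["email"]))
```

Two properties matter for the compliance argument in the text. First, the same identifier maps to the same token under one key, so per-subject aggregation and opt-out suppression still work on the pseudonymised copy. Second, a different key produces unrelated tokens, so two datasets pseudonymised under separate keys cannot be joined on the tokens alone; the ability to link or re-identify is confined to whoever controls the key store, which is the organisational separation the definition demands.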
If Visa is to hold up its end of the bargain here it will have to commit to a certain level of transparency, gain clear consent from customers and provide the tools to allow for that consent to be removed if the user desires.
"Possession of data no longer means the right to process the data," LaFever explained, "so you must put the data subjects on notice to use legitimate interest processing, enabled by GDPR compliant pseudonymisation and technical safeguard to reduce the risk. Also, data subjects must be given the opportunity to opt out of receiving offers based on processing."
Take another example of a recent acquisition where existing users have to reckon with their data landing in the hands of a new owner, when Google announced the acquisition of wearable maker Fitbit for $2.1 billion.
As the deal affected consumers who had consented to Fitbit accessing some of their most personal data, Google clearly felt the need to get out ahead of any data sharing controversies when it announced the acquisition.
At the time, Rick Osterloh, senior vice president of devices and services at Google wrote in a blog post: "To get this right, privacy and security are paramount. When you use our products, you’re trusting Google with your information. We understand this is a big responsibility and we work hard to protect your information, put you in control and give you transparency about your data.
"Similar to our other products, with wearables, we will be transparent about the data we collect and why. We will never sell personal information to anyone. Fitbit health and wellness data will not be used for Google ads. And we will give Fitbit users the choice to review, move, or delete their data."
Visa made no such announcement and, citing the ongoing nature of the deal as it awaits regulatory approval, refused to comment for this story.
The Competition and Markets Authority (CMA) said it cannot speculate on deals that it may or may not investigate.
This article originally appeared in COMPUTERWORLD. All trademarks are the property of their respective owners. All rights reserved by the respective owners.