Jan 21, 2020

Visa's acquisition of Plaid throws up data reuse concerns

What happens when a service you shared your personal data with is acquired by a giant corporation?

As data becomes an increasingly valuable asset when corporate giants draw up their merger and acquisition strategies, there are growing concerns around how the new owners in this information economy can responsibly use this digital property.

Earlier this month payments firm Visa announced that it will be acquiring the fintech startup Plaid for $5.3 billion in cash. The San Francisco-based company has built what is essentially an identity layer that can link together customers' bank accounts with popular fintech apps like TransferWise or Venmo.

At first glance the acquisition appears to be a clear attempt by Visa to remain relevant in the digital age, and to hedge its business against the rising tide of digital payments over its traditional bread and butter of card transactions. But are existing customers getting the raw end of the deal?

What is Visa getting?

As Ben Thompson at Stretechery wrote: "There are some obvious parallels to be drawn between Visa’s network, particularly in its earliest days, and Plaid, the fintech startup Visa acquired yesterday."

Like its fellow San Francisco-based fintech Stripe, Plaid builds the digital pipes to allow software developers to connect directly to customers’ bank accounts without having to build hundreds, if not thousands, of custom integrations and partnerships, charging a small fee for each verification and each transaction in the process, taking a small fee every time a user accesses their account for a transaction.

However, in the USA, where open banking regulations have not yet been formally implemented, banks do not have a consistent set of application programming interfaces (APIs), meaning Plaid has to act as an intermediary for customers if they want to link their bank with a third-party application. In these instances Plaid effectively copies over a user's login credentials and acts as a secure intermediary, a practice known as 'screen scraping'– certainly not considered best practice iun either user experience or in security.

As Thompson writes: "If this sounds a bit shady, well, it kind of is! Bank login information is among the most sensitive credentials consumers have, and apparently one in four people in the U.S. with a bank account have shared those credentials with Plaid. Nearly all did so without knowing any better."

The emphasis is ours.

He continues: "Users, meanwhile, are likely unaware about just how much access and data they are giving away, but at the same time, have a real desire to access new financial services that require a connection to their bank account. The big problem is that the banks aren’t too sure if they want to participate."

For example, JPMogan Chase announced that it will clamp down on allowing screen scraping for access to its customers' accounts this year and had already signed a deal with Plaid in October 2018 to start using APIs, not screen scraping, when users wanted to link their accounts.

The CEO of Chase’s consumer banking division, Gordon Smith, said in the press release announcing the acquisition: “We believe Visa’s acquisition of Plaid is an important development in giving consumers more security and control over how their financial data is used.”

Where does Visa come in? As Thompson sagely points out, Visa can position itself as the de facto security solution in this new world by bringing together Plaid's network with its banking relationships to create a new, secure industry standard for verification. That is a best case scenario for this acquisition, however.

One potential roadblock is Plaid's screen scraping model is not fit for purpose in markets with forms of open banking, like the UK and the rest of the EU, and they will have to move fast to compete with competitors like OpenWrks, TrueLayer and Tink, all of which have adjusted to these regulations. Visa, of course, has the muscle to improve its odds of success here.

The regulations

As Gary LaFever, CEO and general counsel at data privacy specialists Anonos told Techworld, companies acquiring other companies now often do so with the intention of "repurposing that data beyond its initial use," which throw up some legal concerns under new data privacy laws such as the GDPR and the California Consumer Privacy Act.

The key concept in enabling the legal use of this data under the GDPR is 'pseudonymisation'. This is defined as: “The processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution to an identified or identifiable individual.”.

The new owners of this personal data must therefore seek fresh consent from users, or at minimum to put them on notice, and ensure ongoing pseudonymisation to remain compliant with the new rules.

If Visa is to hold up its end of the bargain here it will have to commit to a certain level of transparency, gain clear consent from customers and provide the tools to allow for that consent to be removed if the user desires.

"Possession of data no longer means the right to process the data," LaFever explained, "so you must put the data subjects on notice to use legitimate interest processing, enabled by GDPR compliant pseudonymisation and technical safeguard to reduce the risk. Also, data subjects must be given the opportunity to opt out of receiving offers based on processing."

Take another example of a recent acquisition where existing users have to reckon with their data landing in the hands of a new owner, when Google announced the acquisition of wearable maker Fitbit for $2.1 billion.

As the deal affected consumers who had consented to Fitbit accessing some of their most personal data, Google clearly felt the need to get out ahead of any data sharing controversies when it announced the acquisition.

At the time, Rick Osterloh, senior vice president of devices and services at Google wrote in a blog post: "To get this right, privacy and security are paramount. When you use our products, you’re trusting Google with your information. We understand this is a big responsibility and we work hard to protect your information, put you in control and give you transparency about your data.

"Similar to our other products, with wearables, we will be transparent about the data we collect and why. We will never sell personal information to anyone. Fitbit health and wellness data will not be used for Google ads. And we will give Fitbit users the choice to review, move, or delete their data."

Visa made no such announcement and, citing the ongoing nature of the deal as it awaits regulatory approval, refused to comment for this story.

The Competition and Markets Authority (CMA) said it cannot speculate on deals that it may or may not investigate.


This article originally appeared in TechWorld.  All trademarks are the property of their respective owners. All rights reserved by the respective owners.


Are you facing any of these 4 problems with data?

You need a solution that removes the impediments to achieving speed to insight, lawfully & ethically

to Insight
Are you unable to get desired business outcomes from your data within critical time frames? 53% of CDOs cannot achieve their desired uses of data. Are you one of them?
Lack of
Do you have trouble getting access to the third-party data that you need to maximise the value of your data assets? Are third-parties and partners you work with worried about liability, or disruption of their operations?
Inability to
Are you unable to process data due to limitations imposed by internal or external parties? Do they have concerns about your ability to control data use, sharing or combining?
Are you unable to defend the lawfulness of your current data processing activities, or data processing you have done in the past?
Traditional privacy technologies focus on protecting data by putting it in “cages,” “containers,” or limiting use to centralised processing only. This limitation is done without considering the context of what the desired data use will be, including decentralised data sharing and combining. These approaches are based on decades-old, limited-use perspectives on data protection that severely minimise the kinds of data uses that remain available after controls have been applied. On the other hand, many other new data-use technologies focus on delivering desired business outcomes without considering that roadblocks may exist, such as those noted in the four problems above.
Anonos technology allows data to be accessed and processed in line with desired business outcomes (including sharing and combining data) with full awareness of, and the ability to remove, potential roadblocks.