Plaid Class-Action Lawsuit Reveals Open Banking's Biggest Problem – Here's How to Protect Your Customer's Data - DirectPayNet



Privacy concerns have been trending since before the pandemic, and many of them swirl around the topic of open banking. If you're not sure what open banking is, it is the concept of allowing third-party companies to use consumer financial data to offer additional services and features. Two main companies provide open-banking platforms: Plaid and Trustly.

Now, it might sound like a good idea to transparently share personal financial data with third parties so they can offer additional services and products. Except there is a big problem with this: it 1) doesn't protect your privacy and 2) makes data more vulnerable to hackers, since the data is released through a more centralized channel instead of only through your bank.

Plaid is now the defendant in a class-action lawsuit. What does this mean for the future of open banking? What about privacy? How can you protect your customers' data while still offering them convenience?

Summing Up the Plaid Lawsuit

The plaintiffs allege that Plaid, Inc. has taken more consumer banking data than necessary. The people who filed the class-action lawsuit against Plaid also complain that Plaid's login page, called Plaid Link, mirrors the login pages of individual banks. Essentially, Plaid is accused not only of taking too much data but also of tricking consumers into thinking they are entering their login credentials directly into their own bank's or financial institution's login screen, when in fact they are logging in via Plaid, a third party.

Plaid is an open banking platform (a financial technology) that links around 5,500 different financial institutions together. That includes banks (Chime), credit cards (American Express), investment services (Acorns, Robinhood), P2P payment apps (PayPal, Venmo), and much more (Coinbase).

In the end, Plaid has agreed to pay $58 million, through a class-action settlement, to people who used its service during a specific time period, in order to end the lawsuit against it. If you have used Plaid and want to fill out a claim form, you can go to the settlement website and request your settlement fund payout. Only US residents with valid claims will receive funds, and they will be notified once funds are deposited later this year. Plaid has also recently updated its Plaid portal site to include privacy controls that let users manage what information gets used and from where.

What’s So Great About Open Banking, Anyway?

Open banking is the new kid on the block in financial services and it is bringing a lot of change. Although the rollout has been gradual, and we are still only seeing the very early stages of what this will mean for the industry, it is important to understand how open banking works and why it can be a good thing.

The customer is at the center of all things when it comes to open banking. It’s all about creating a better customer experience by providing you with more choice and control over your finances. It also brings a lot more transparency (or it should, at least) when it comes to your data, how that data is used and how much you’re paying for it.

Open banking gives fintech startups access to bank customer data. The startup can then use machine learning to create customer-specific solutions. It is expected that open banking will result in a financial system that is more efficient, customer-focused, and resilient.

Problems with Open Banking Revealed by the Plaid Debacle

As outlined above, open banking sounds incredible for consumers, merchants, and innovation. But apparently that isn't the case just yet. Transparency should be at the core of open banking, yet Plaid has already shown that companies aren't ready to reveal everything they do with the data they receive. That is a big problem for consumers in a decade where privacy is a major concern.

This gives the impression that Plaid doesn't care about its customers' privacy. But we also have to keep in mind that nothing is free. With a service like Plaid, information is what they sell, even if there are zero or very low upfront costs.

While open banking could eventually lead to a more competitive market for the "free" current accounts that millions of us use, we have seen in some countries where it has been introduced that it can lead to problems.

In Australia, for example, the banks have used their new powers to downsize their existing customers’ credit limits when they move to new providers. So, people who have been with their bank for years and never missed a payment can be punished for moving if they aren’t careful about how they switch accounts.

And nearly a year after some governments introduced open banking as a way to improve competition in the finance sector, banks are still failing to share data with new rivals.

Tens of thousands of people have been blocked from opening an app-based financial account because their current bank refused to share full details of their financial history.

But for you, as a merchant, the biggest issue you face now is whether or not to support open banking. And if you do, how will you inform your customers of the risks? Would you push responsibility onto the customer or onto the open banking platform like Plaid, or hold it yourself?

What You Can Do to Protect Customer Data

Privacy and security are key. Customers want to know their data is safe and, by extension, that your business is safe. The open banking initiative in the UK and the PSD2 directive in Europe are bringing new opportunities for innovation by allowing third-party providers to access banks' customer data. But with more personal information being shared, consumers will expect greater levels of security when it comes to financial data. Those initiatives are being adopted slowly in other countries as well. So this applies to merchants everywhere, not just in the UK or those who use Plaid.

Protect Consumer’s Personal Information with Encryption and Tokenization

Encryption and tokenization are two ways merchants can keep customer data secure at all times. By encrypting personal information at rest and in transit, merchants ensure that the information cannot be read if it happens to fall into the wrong hands.

Additionally, tokenization allows you to replace sensitive data with unique, random numbers called tokens. The tokens are stored on your servers instead of the sensitive data, so hackers can’t get at it. And unlike credit card numbers, which are relatively easy to steal, tokens are much harder to use for fraud because they’re unique and tied directly to a customer’s identity.

Tokenization also makes it easier to share customer data across different departments. For example, after tokenizing credit cards, a department can use the tokens for marketing without exposing any actual payment information in their databases. And if the marketing department wants to send customers a reminder about an upcoming anniversary or other special offer, they don’t need to ask for or receive any sensitive information from their partners in order to do so.

Because tokenized data isn’t as useful for identity thieves, some payment providers only allow merchants who protect their customers’ information with tokenization to participate in their network.
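As an added illustration (not code from the original post, and not how Plaid or DirectPayNet implement anything), the following Python sketch shows the two properties the paragraphs above describe: the merchant's own order records hold only a random token and the last four digits, and the token is bound to a customer id so it cannot be redeemed for a different customer. The `TokenVault` class, the function names and the customer ids are assumptions made for this example; the card number used is the widely known 4111 test number, not a real card.

```python
import hmac
import secrets
from dataclasses import dataclass, field


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by card numbers; rejects obvious typos before a
    PAN (primary account number) ever reaches the vault."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class TokenVault:
    """Hypothetical token vault: the only place the real PAN is kept.
    In production this would be a separate, PCI-scoped system with the
    store encrypted at rest; a plain dict stands in for that store here."""
    _store: dict = field(default_factory=dict)

    def tokenize(self, pan: str, customer_id: str) -> str:
        digits = "".join(ch for ch in pan if ch.isdigit())
        if not 12 <= len(digits) <= 19 or not luhn_ok(digits):
            raise ValueError("not a plausible card number")
        # The token is random, so nothing about the PAN can be derived
        # from it; a leaked token on its own is useless to a thief.
        token = "tok_" + secrets.token_hex(16)
        self._store[token] = {
            "pan": digits,
            "customer_id": customer_id,   # token is bound to this customer
            "last4": digits[-4:],
        }
        return token

    def detokenize(self, token: str, customer_id: str) -> str:
        """Release the PAN only to the customer the token was issued for."""
        rec = self._store.get(token)
        if rec is None or not hmac.compare_digest(rec["customer_id"], customer_id):
            raise PermissionError("token unknown or not bound to this customer")
        return rec["pan"]

    def last4(self, token: str) -> str:
        """Non-sensitive display value that marketing or support may use."""
        return self._store[token]["last4"]


def checkout(vault: TokenVault, customer_id: str, pan: str) -> dict:
    """Merchant-side order record: holds the token and last4, never the PAN."""
    token = vault.tokenize(pan, customer_id)
    return {
        "customer_id": customer_id,
        "card_token": token,
        "card_last4": vault.last4(token),
    }


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample: standard test card number, hypothetical customer id
    order = checkout(vault, "cust_42", "4111 1111 1111 1111")
    print("order record stored by the merchant:", order)
    print("payment processor redeems token:",
          vault.detokenize(order["card_token"], "cust_42"))
    try:
        vault.detokenize(order["card_token"], "cust_99")
    except PermissionError as exc:
        print("another customer's request is refused:", exc)
```

The point of the split is scope: the order database, marketing tables and support tools only ever see `card_token` and `card_last4`, so a breach of those systems yields nothing a fraudster can charge, and only the vault (kept small, isolated and in PCI scope) needs the heavier controls.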

Use PCI-Compliant Data Centers

PCI compliance refers to the industry rules (the Payment Card Industry Data Security Standard, PCI DSS) that were put in place to protect sensitive cardholder data. If your provider isn't compliant with these rules, they might not be taking the proper security measures to ensure that your data is encrypted and protected from outside parties. This can lead to compromised credit card information, which can cause irreparable harm to your business.

Your payment gateway should absolutely be PCI-compliant, whether or not you use open banking.

Inform Users Upfront When They’re Using an Open Banking Solution

Don’t fall into the same hole as this Plaid lawsuit. The best way to lose customers is to trick them into doing something, even if it’s something they’re already planning to do.

Be upfront about which open banking protocols and connections customers are enabling when they use your service. Inform them of the risks, the benefits, and the liability. But, above all, make it blatantly apparent that they are using a third-party open banking solution that is not native to your site.

Your Own Merchant Account Will Help You Keep Customer Data Safe

Merchants who take credit card payments should be aware of the potential risks that come with accepting a new payment method and integrating with open banking services. Many services can help minimize these risks and open up a number of new revenue opportunities.

Opening your own merchant account, however, offers some extra security potential by allowing you to customize each portion of your storefront. From the payment gateway to API integrations, you can add 3DS, CCV, and other authentication methods on top of what we have mentioned above.

Contact DirectPayNet today to prepare your online business for open banking.

About the author

As President of DirectPayNet, I make it my mission to help merchants find the best payment solutions for their online business, especially if they are categorized as high-risk merchants. I help set up localized payment modes and have tons of other tricks to increase sales! Prior to starting DirectPayNet, I was a Director at MANSEF Inc. (now known as MindGeek), where I led a team dedicated to managing merchant accounts for hundreds of product lines as well as customer service and secondary revenue sources. I am an avid traveler and conference speaker and love to attend any event that allows me to learn about technology. I am fascinated by anything related to digital currency, especially Bitcoin and the Blockchain.