A Los Angeles accounting firm has sued online lender Lendistry, saying the company violated several California laws, including data privacy laws, in administering a state-funded grant program for California businesses. The lawsuit alleges that Lendistry collected and shared the sensitive personal and financial information of grant applicants without their knowledge or consent. Many of the data privacy breaches involve Lendistry’s technology partners, Plaid and Qualified, although they are not named as defendants.

The complaint is comprehensive and accuses Lendistry of failing to protect customer data in the course of several practices common to lenders, including using data aggregators to collect bank account information; using AI to analyze chatbot conversations, call center conversations and bank account data; and the use of tracking cookies. The lawsuit comes shortly after the Consumer Financial Protection Bureau finalized its personal financial data rights rule, sometimes called the open banking rule, that imposes restrictions on such data sharing.

The lawsuit alleges “Lendistry’s sharing and use of confidential business data with undisclosed third parties through artificial intelligence and advanced machine learning technologies,” JR Howell, the attorney who filed the suit, said in an email interview . “Creditors need to be aware that when they introduce these technologies into customer relationships, they can provide a backdoor to allow others to collect their customers’ data, violating privacy laws that have been in place for decades .”

It’s important that customers are informed about how their data will be used, said Aaron McPherson, principal at AFM Consulting Partners.

“The CFPB’s new open banking rule specifically prohibits what it calls ‘secondary use’ to prevent unintended use like this,” McPherson said. Once the CFPB rule goes into effect, “assuming it’s not thrown out by a court, I think we’re going to see more lawsuits like this.

Onisko & Scholz, the accounting firm that filed the lawsuit, applied for a state COVID-19 relief grant through Lendistry in June 2023. Lendistry is a Los Angeles-based minority-run small business lender that last year it was creditor no. 1 led by African Americans in the Small Business Administration 7(a) program. Lendistry’s legal name is BSD Capital.

Some of the allegations involve the grant itself. For example, the firm says it was entitled to a grant of more than $30,000, but only received $5,000 from Lendistry. (Lendistry declined to comment. Onisko & Scholz did not respond to a request for comment.)

But much of the complaint concerns alleged wrongdoing by Lendistry’s technology partners, particularly Plaid, its third-party verification provider, and Qualified, its customer-facing chatbot provider. According to the complaint, both companies are harvesting customer data and using it for their own unauthorized purposes.

For example, according to the complaint, Onisko & Scholz gave Plaid its online banking credentials to verify its bank account information in what the accounting firm thought would be a one-time data call. Instead, the complaint says, Plaid logged in “several times a day every day thereafter for the purpose of collecting data.” Plaid declined a request for comment.

Plaid “has acknowledged the frequency of its data collection activities,” said Howell, the attorney who filed the complaint. “What was not disclosed to the businesses that used Lendistry’s services to access funding was the nature and extent of that access or how access was limited.”

Disclosure and consent of these activities along with a permission management structure can help lenders and business customers protect confidential business information, he said.

“The problem here is that Lendistry’s user interface implied that such a permission structure existed, while also representing that business user data was safe, secure and protected by encryption,” Howell said.

The complaint also says that Plaid “exploits the information obtained in this way in a variety of ways, including marketing the data to its own customers, analyzing the data to gain insights into user behavior and, most recently, selling its collection of data to Visa . as part of a multi-billion dollar acquisition.”

Visa and Plaid announced a plan to merge in 2020. The two companies dropped the plan a year later after a challenge from the Justice Department.

In Howell’s view, Visa’s interest in Plaid’s customer data shows how valuable it is.

“While the merger was abandoned after the DOJ Antitrust Division’s investigation, the stake acquired by Visa through Plaid’s Series C financing was based on a multi-billion dollar valuation,” he said. “The point here is to inform the courts and the public that there is a large market for the type of data in question and that there are sizeable players fighting for access to the data. As more companies become aware that their confidential data is valuable to data participants. markets, they must consider appropriate safeguards to ensure that their privacy is protected in their own business relationships, such as those with their creditors.”

Previous lawsuits have accused Plaid of seeing the customer data it collects on behalf of its customers, a claim the company has consistently denied.

“Plaid does not and has never sold consumers’ personal information or data,” a company spokeswoman said in response to a 2020 suit brought by Venmo customers James Cottle and Frederick Schoeneman. “Consumer data is obtained and used with the consent of the consumer. Plaid strongly believes that consumers should have permission-based access and control over their financial data and incorporates these principles into its practices.”

The complaint also mentions Lendistry’s use of an AI chatbot provided by Qualified to answer customer questions. Qualified uses machine learning software to analyze communications for behavioral and biometric information, the complaint states.

“Qualified creates transcripts of conversations to be aggregated with behavioral data and other identifying information and subsequently monetized and used in other capacities for the benefit of Qualified and other third parties with whom Qualified does business without disclosure or consent of users,” it said in the complaint.

According to the complaint, Lendistry users are not told that Qualified is intercepting their communications or how it is using their information. Qualified did not respond to a request for comment.

Qualified’s AI system “trains itself on communications, which become part of the product/service itself and which increases the value of the AI ​​and the company that owns it, turning it into an increasingly valuable product,” it says in complaint. .

The complaint also said that Lendistry allows a third party to capture inbound and outbound calls to its call center, which many companies in the industries do.

These conversations may involve sensitive and private information, including passwords, business payroll data, and salary information.

“All such information is intercepted by a third party and used for incorporation into AI models for independent third party uses,” the complaint states, without consent.