A Los Angeles accounting firm has sued online lender Lendistry, saying the company violated several California laws, including data privacy laws, in its administration of a state-funded grant program to California businesses. The lawsuit alleges Lendistry collected and shared grant applicants' sensitive personal and financial information without their knowledge or consent. Many of the data privacy violations involve Lendistry's tech partners, Plaid and Qualified, though they are not named as defendants.
The sweeping complaint accuses Lendistry of failing to protect customer data in the course of several practices common to lenders, including the use of data aggregators to gather bank account data; the use of AI to analyze chatbot conversations, call center conversations and bank account data; and the use of tracking cookies. The suit comes shortly after the Consumer Financial Protection Bureau finalized its Personal Financial Data Rights rule, sometimes called the open banking rule, which puts restrictions around such data sharing.
The lawsuit is about "Lendistry's sharing with and use of confidential business data to undisclosed third-parties via artificial intelligence and advanced machine learning technologies," said J.R. Howell, the attorney who filed the claim, in an email interview. "Lenders need to be aware that when they bring these technologies into their client relationships, they may be providing a backdoor to allow others to harvest their clients' data, running afoul of privacy laws that have been on the books for decades."
It is important that customers be informed of how their data will be used, said Aaron McPherson, principal at AFM Consulting Partners.
"The new open banking rule from the CFPB specifically prohibits what it calls 'secondary use' to prevent unintended uses like this from taking place," McPherson said. Once the CFPB rule takes effect, "assuming it is not struck down by a court, I do think we will see more lawsuits like this taking place."
Onisko & Scholz, the accounting firm that brought the suit, applied for a state COVID-19 relief grant through Lendistry in June 2023. Lendistry is a minority-led small-business lender in Los Angeles that
Some of the allegations involve the grant itself. For instance, the firm says it was entitled to a grant of more than $30,000, but it received only $5,000 from Lendistry. (Lendistry declined to comment. Onisko & Scholz did not respond to a request for comment.)
But much of the complaint is about the alleged misdeeds of Lendistry's tech partners, especially Plaid, its third-party verification provider, and Qualified, its customer-facing chatbot provider. According to the complaint, both companies harvest customer data and use it for their own unauthorized purposes.
For instance, according to the complaint, Onisko & Scholz gave Plaid its online banking credentials to verify its bank account information, in what the accounting firm thought was going to be a one-time data call. Instead, the complaint says, Plaid logged in "multiple times a day every day thereafter for the purpose of harvesting data." Plaid declined a request for comment.
Plaid "has acknowledged the frequency of its data harvesting activities," said Howell, the attorney who filed the complaint. "What was not disclosed to the businesses that used Lendistry's services to access funding was the nature and extent of this access or how to limit the access."
Disclosure of and consent to these activities, along with a structure to manage permissions, can help lenders and business clients protect confidential business information, he said.
"The problem here is that Lendistry's user interface implied that such a permission structure existed while also representing that the business users' data was safe, secure and protected with encryption," Howell said.
The complaint also says Plaid "exploits the information obtained in this manner in a variety of ways, including marketing the data to its own customers, analyzing the data to derive insights into user behavior, and, most recently, selling its collection of data to Visa as part of a multibillion-dollar acquisition."
Visa and Plaid announced a plan to merge in 2020. The two companies dropped the plan a year later, after a challenge from the Department of Justice.
In Howell's view, Visa's interest in Plaid's customer data shows how valuable it is.
"While the merger was abandoned after the DOJ Antitrust Division's investigation, Visa's acquired stake via Plaid's Series C funding was based on a multibillion-dollar valuation," he said. "The point here is to inform the courts and the public that there is a large market for the type of data at issue and there are sizable players vying for data access. As more businesses become aware that their confidential data is valuable to participants in data markets, they need to consider appropriate safeguards to ensure their privacy is protected in their own business relationships, like those with their lenders."
Past lawsuits have accused Plaid of selling the customer data it aggregates on its clients' behalf, and the company has consistently denied it.
"Plaid does not sell and has never sold consumers' personal information or data," a company spokeswoman said in response to
The complaint also calls out Lendistry's use of an AI chatbot provided by Qualified to answer customers' questions. Qualified uses machine learning software to analyze the communications for behavioral and biometric information, the complaint said.
"Qualified creates transcripts of the conversations to be aggregated with the behavioral data and other identifying information, and subsequently monetized and used in other capacities for the benefit of Qualified and other third-parties with whom Qualified does business without disclosure or consent to the users," the complaint stated.
Lendistry users are not told that Qualified is intercepting the communications, or how Qualified uses their information, according to the complaint. Qualified did not respond to a request for comment.
Qualified's AI system "trains itself on the communications, which become a part of the product/service itself, and which increases the value of the AI and the company that owns it — making it into a more and more valuable product," the complaint stated.
The complaint further said Lendistry lets a third party capture inbound and outbound calls in its call center — something many companies across industries do.
These conversations can involve sensitive and private information, including passwords, business payroll data and wage and salary information.
"All of this information is intercepted by a third-party and used for incorporation into AI models for a third-party's independent uses," the complaint stated, adding that this is done without consent.