Financial Data Brokers

Financial Data Brokers

Beyond the Big Three credit bureaus, a separate ecosystem of companies collects and sells your financial transaction data, banking information, and income details. These companies sit between you and the fintech apps you use — harvesting bank credentials, scraping transaction histories, and monetizing your financial life in ways most consumers never realize.

Envestnet | Yodlee

What they are: The largest consumer financial data aggregator in the United States.^[1] Partners with over 1,400 companies including 15 of the top 20 U.S. banks.^[2] Sold by Envestnet to STG Partners (private equity) in September 2025.^[3] Envestnet had originally acquired Yodlee in 2015 for $590 million.

What data they have: Bank and credit card transaction data from tens of millions of Americans, detailed down to where, when, and how much people spent. This data is sold to investment firms, hedge funds, and research firms to reveal consumer spending patterns.

The problem: A leaked document obtained by Vice showed that despite Yodlee’s claims of selling only “anonymous” data, individuals could potentially be re-identified.^[1] UC Berkeley researcher Nicholas Weaver called Yodlee’s anonymization methods “bullshit,” and privacy researcher Yves-Alexandre de Montjoye concluded the data was “only pseudonymized.”^[1] Yodlee does not inform consumers that it is collecting and selling their financial data. Consumers’ transactions can reveal health conditions, sexuality, religion, and political views.

Scandals: Senators Ron Wyden and Sherrod Brown, along with Representative Anna Eshoo, demanded an FTC investigation in January 2020.^[4] The FTC issued a civil investigative demand to Envestnet the following month, seeking documents regarding data collection, assembly, evaluation, sharing, correction, and deletion practices.^[5] A class action lawsuit (Wesch v. Yodlee) alleged Yodlee shared consumer data in unencrypted plain-text files that could be read by anyone who acquired them, and that Yodlee continuously accessed consumers’ bank accounts to extract and sell data without authorization.^[6] A California federal court denied class certification in October 2024 and largely granted summary judgment in favor of Yodlee in February 2025.^[7]

Plaid

What they are: The most widely adopted open banking API in the U.S. Founded in 2012 by Zach Perret and William Hockey.^[8] Visa announced plans to acquire Plaid for $5.3 billion in January 2020, but the DOJ filed an antitrust lawsuit to block the deal, after which Visa and Plaid voluntarily abandoned the merger in January 2021.^[9] One in two U.S. adults has connected to an app or service through Plaid.^[10]

What data they have: Bank account data, transaction histories, identity verification, and income data from millions of consumers who connected their bank accounts through fintech apps like Venmo, Robinhood, Chime, and Coinbase. Connected 500 million consumer accounts worldwide.^[11] Over 150 million consumers have used Plaid.^[12] Integrations with 12,000+ financial institutions.^[13] Processes approximately one million new data connections daily.^[12]

$58 million class action settlement (2022): Judge Donna M. Ryu approved the settlement affecting an estimated 98 million people.^[14] Plaintiffs alleged Plaid used consumers’ banking login credentials to harvest and sell detailed financial data without consent. Approximately 1.25 million people filed claims, receiving roughly $31.50 each.^[14]

Deceptive login screens: Plaid’s user interface mimicked the login screens of individual banks, making users believe they were logging in via the bank’s own platform when they were actually providing credentials to Plaid.^[15] Plaid then used those credentials to mine, aggregate, and sell financial transaction data to third parties for purposes unrelated to the fintech app being used.

Required changes: The settlement required Plaid to delete certain user data, improve disclosures, maintain the Plaid Portal for users to view and manage connected accounts, and improve data deletion and minimization practices. These requirements apply for three years in the United States.^[16]

Recent developments: Plaid raised $575 million in April 2025 at a $6.1 billion valuation (down from $13.4 billion in 2021), with CEO Zach Perret indicating it would be the final private fundraise before an IPO.^[17] In September 2025, Plaid agreed to a new data transfer agreement with JPMorgan Chase that includes a pricing structure — meaning Plaid now pays JPMorgan for data access, a significant shift in open banking economics.^[18]

Finicity (now Mastercard Open Banking)

What they are: Financial data aggregator acquired by Mastercard in November 2020 for $825 million (with up to $160 million in additional performance-based earn-out payments).^[19] Co-founded the Financial Data Exchange (FDX), a nonprofit launched in October 2018 by Finicity and 21 of the largest banks, data aggregators, and financial services enterprises supporting standardized data sharing.^[20]

What data they have: Real-time financial data including lending verification, mortgage verification, account verification, and payment initiation data across the U.S. banking system. Finicity’s mortgage verification service is accepted by both Freddie Mac and Fannie Mae.^[21]

The concern: The Mastercard acquisition raised questions about the concentration of financial data access with a major payment network. Finicity has positioned itself as a leader in consumer-permissioned data access, but the combination of open banking data with Mastercard’s transaction network creates an extraordinarily detailed picture of consumer finances.

MX Technologies

What they are: Financial data aggregator providing connectivity, data enhancement, and analytics for financial institutions and fintech companies.

What data they have: Connects more than 16,000 financial institutions and fintechs.^[22] Combined reach of over 200 million consumers.^[23] Claims to power 85% of digital banking providers.^[22]

Worth noting: MX emphasizes its use of direct API connections and OAuth (rather than screen scraping), positioning itself as a more privacy-respecting alternative. However, a 2023 class action lawsuit (Lincoln v. MX Technologies) accused MX of the same “screen scraping” practices it criticizes — designing fake bank login pages to collect users’ credentials and selling financial data to third parties.^[24] California residents also received a Notice of Data Breach from MX Holdings.^[25]

ChexSystems

What they are: Owned by Fidelity National Information Services (FIS) through its eFunds subsidiary.^[26] A specialty consumer reporting agency that collects and reports data on checking account applications, openings, and closures — including reasons for account closure such as unpaid negative balances, suspected fraud, and account abuse. Used by more than 80% of U.S. banks and credit unions for account verification.^[27]

What data they have: Maintains a database of consumers who have been reported for account mishandling by banks, with nationwide coverage.

The problem: ChexSystems reports can effectively “blacklist” consumers from opening bank accounts for up to 5 years.^[27] Critics argue the system disproportionately affects low-income individuals and contributes to financial exclusion. Consumers often don’t know they have a ChexSystems record until they’re denied a bank account.

Innovis

What they are: Often called the “fourth credit bureau.”^[28] Owned by CBC Companies since 1999. Maintains consumer credit data and provides identity verification services, though unlike the Big Three bureaus, Innovis does not generate credit scores.^[28]

SageStream

What they are: Specialty consumer reporting agency providing identity verification, alternative credit scoring, and fraud prevention data to lenders and financial institutions. A subsidiary of ID Analytics, which is part of LexisNexis Risk Solutions.^[29]

TeleCheck

What they are: Check verification and check guarantee service owned by Fiserv (through its 2019 acquisition of First Data Corporation).^[30] Maintains records of checking account abuse including bounced checks and declined checks. Used by major retailers across the U.S.

The problem: Similar to ChexSystems, TeleCheck can effectively prevent consumers from writing checks at retailers nationwide based on past negative records. The system has been criticized for errors and difficulty in disputing incorrect records.

Enforcement: In January 2014, the FTC imposed a $3.5 million penalty on TeleCheck Services and its debt collection entity TRS Recovery Services for FCRA violations — the second-largest FCRA penalty the FTC had obtained at that time. TeleCheck failed to follow proper dispute procedures and failed to ensure maximum accuracy of information.^[31]

SBFE (Small Business Financial Exchange)

What they are: An exchange of small business credit data contributed by financial institutions, used for lending decisions, account monitoring, and collections.

What data they have: Aggregates trade credit data from major financial institutions on small businesses across the U.S. SBFE data is licensed to four certified commercial credit bureau partners: Dun & Bradstreet, Equifax, Experian, and LexisNexis Risk Solutions.^[32] D&B bundles SBFE data with 150+ D&B proprietary attributes in a single data packet containing 900+ SBFE attributes.^[33]

The problem: Small business owners often don’t know SBFE reports exist or that their payment data is being shared. The lack of transparency about how small business financial data flows between SBFE, its licensed bureaus, and lenders raises concerns about due process in small business lending decisions.

Dun & Bradstreet

What they are: One of the oldest and most dominant business data companies in the world. Maintains the DUNS Number system used globally for business identification. Taken private by Clearlake Capital Group in August 2025 in an all-cash transaction valued at $7.7 billion ($9.15 per share).^[34]

What data they have: The world’s most comprehensive business data collection: 600+ million business entities, 500+ million professional contacts, 250+ million consumer contacts, and 80+ million B2B2C contacts.^[35]

Scandals and fines:

• 2017 data exposure: A Dun & Bradstreet marketing database (originally from its NetProspex acquisition) containing 33.6 million records of corporate contacts — names, job titles, email addresses, phone numbers — was exposed online. Affected organizations included the Department of Defense (101,013 records) and USPS (88,153 records).^[36]
• July 2023 data breach: D&B was impacted by the CL0P ransomware group’s mass exploitation of the MOVEit Transfer vulnerability (CVE-2023-34362).^[37]
• September 2025: The FTC imposed a $5.7 million penalty for violating a prior 2022 FTC order and misleading small businesses, including deceptive marketing of business credit services and misleading auto-renewal practices. The penalty comprised $3.7 million for consumer refunds and $2.06 million in civil penalties.^[38] A January 2026 court order formalized the settlement, with $4.8 million in new payments (the remaining $924,590 had already been paid in prior refunds).^[39]

The company’s dominance in business data raises concerns about market concentration and the accuracy of information that can make or break small business lending decisions.

Sources & References