Enjoy complimentary access to top ideas and insights — selected by our editors.
In the lawsuit the New York bank filed against Chicago-based TransUnion last week in Delaware Federal District Court, it said Argus collected the bank’s credit card data while under contract as a data aggregator for the
“While Argus did not have access to any of our customers’ personally identifiable information, this data is valuable and competitively sensitive,” said Seth Wheeler, Chase’s chief data and analytics officer. “Argus used Chase’s data for its own commercial gain, and it’s time this pattern of behavior stops once and for all.”
TransUnion’s response is that all of this happened before it
“The matter relates to actions at Argus, a subsidiary of TransUnion, that precede TransUnion’s acquisition of Argus,” a spokesman said in an email. “We have brought Argus under the rigorous data governance standards that make TransUnion a leader in this space and are proud of the work we’ve done to strengthen Argus at TransUnion.” Argus did not respond to a request for an interview.
The bank’s case is bolstered by the fact that
In announcing its settlement with Argus, the Department of Justice said that from 2010 through 2020, Argus improperly accessed, used and retained anonymized credit card data that it received under its contracts with the OCC, the Federal Reserve Board and the Consumer Financial Protection Bureau. The contracts each restricted Argus’ ability to use, disclose or distribute credit card data collected from banks for purposes other than the performance of the work under the government contracts.
But the company used this anonymized data to create synthetic data that it incorporated into the products and services it sold to some commercial customers, the DOJ said. The DOJ further alleged that Argus failed to disclose its improper access, use and retention of credit card data to the government and the extent to which it relied on synthetic data to its commercial clients. The government’s claims were filed under the False Claims Act and the Financial Institutions Reform, Recovery and Enforcement Act of 1989.
The bank’s case
“The $37 million settlement casts very powerful optics in favor of Chase,” said Eugene Mar, partner at Farella, Braun and Martel. “However, unless the settlement came with an admission of liability from Argus, the court overseeing the Chase action may not permit the government settlement to be presented at trial because of its potential prejudice to Argus.”
Nevertheless, some observers feel the bank has a strong case.
“The allegations underlying this case are shocking,” said Michele Alt, co-founder and managing director at Klaros Group. Despite the fact that Argus’ contracts with bank regulators restricted it from using, disclosing or distributing the credit card data for commercial purposes, Argus “allegedly repackaged the data and sold it to its commercial customers anyway. Wow.”
The fact that Argus admitted to the regulators that it misused
“Argus’ contract with the banking agencies was likely quite lucrative, as indicated by the $13.5 million in restitution the company must now pay to the government,” Alt said. “Argus should have enjoyed that payday and stopped while it was ahead.”
The case could have implications throughout the industry. There is a lucrative market for buying and selling credit card data, as well as other forms of financial data, to hedge funds, marketing firms and others that use it to understand market forces and trends. Banks, payment networks, co-branding companies, fintech companies and data brokers are all highly invested in this market.
And as the Consumer Financial Protection Bureau’s implementation of the 1033 section of the Dodd Frank Act takes effect, consumer financial data of all kinds will flow more freely out of banks. All banks will be required to share customer account data with third parties as long as the customers allow it.
Does credit card data qualify as trade secrets?
An interesting aspect of this case is the bank’s characterization of credit card data as “trade secrets.”
According to
“
Under the Uniform Trade Secret Act’s definition of a trade secret, the information that Argus acquired and misused probably does qualify as a trade secret because it is at least a compilation of information that is generally not available to the public, according to Mar.
“By filing this as a trade secret case, Chase’s lawsuit actually shines an interesting light on who owns credit card transaction data,” Mar said. “I believe the complaint asserts that the banks like Chase own credit card transaction data, but does an average user actually know that? Probably not.”
Under the concept of open banking, in theory, consumers own their account data.
“The biggest impact I see from this case is that I expect all the companies in this ecosystem like banks, co-branded companies, data brokers, data aggregators, and data analytic companies to closely scrutinize their agreements to see what limits are placed on each other to use the credit card data,” Mar said. “You could see more disputes among these players about one company improperly exceeding the scope of their agreements or misappropriating trade secrets in the form of compiled, synthesized, or aggregated credit card transaction data.”