TLDR
Yodlee, the financial data aggregator embedded in thousands of finance apps, sold consumer transaction records to hedge funds as investment intelligence — including Point72 Asset Management, Steven Cohen's firm. Subscriptions ranged from $50,000 to $4 million per fund per year, covering 30M+ de-identified individuals and 10M+ daily transactions. The Wall Street Journal broke the story in August 2015. The CFPB rule that would have prohibited this practice is currently frozen. Yodlee was sold to private equity in September 2025 and continues operating.
The Business Model Behind the Data Sale
Yodlee built its business on financial data aggregation — connecting consumer finance apps to bank accounts by storing user credentials and pulling transaction data on their behalf. By the mid-2010s, Yodlee had credentials and transaction access for users at 21,000+ financial institutions.
That is an enormous dataset. Transaction records from 30 million or more individuals, 10 million daily transactions spanning grocery stores, pharmacies, restaurants, investment brokerages, and every other merchant category in 60+ industries.
Yodlee recognized that this dataset had investment value. Hedge funds have paid enormous premiums for alternative data — information that gives them an edge in predicting company revenues before earnings announcements. Consumer transaction data is among the most valuable alternative datasets: it shows actual spending, not surveys or proxies.
So Yodlee built products around it.
Predictive Revenue Signals: Consumer spending data to predict corporate revenues. If Yodlee’s 30 million users were buying less at Target and more at Walmart, that signal might predict Target’s next earnings miss before the announcement.
Shopping Insights: Consumer behavior analytics across retail categories.
Corporate Data Analytics: Aggregated spending pattern analysis by company and industry.
Who Was Buying
Point72 Asset Management was among the disclosed clients — Steven Cohen’s firm. Point72 is the successor to SAC Capital, which paid $1.8 billion in insider trading penalties to the SEC and DOJ.
The WSJ reported “several large investment funds” as subscribers. The full client list was not publicly disclosed. Alternative data is a significant market in quantitative finance — Yodlee was not unusual in building analytics products on aggregated data, but the scale and the source (apps users trusted with their financial data) made it notable when the practice became public.
How the Story Broke
The Wall Street Journal published its investigation on August 6, 2015. Four days later — August 10, 2015 — Envestnet announced its $590M acquisition of Yodlee.
The timing was notable. Whether the acquisition was related to the story — acquiring Yodlee could concentrate data assets, or provide cover — was not established. Envestnet proceeded with the acquisition.
Congressional Response and FTC Action
Senators Ron Wyden and Sherrod Brown, along with Representative Anna Eshoo, wrote to the FTC in January 2020, specifically citing Envestnet/Yodlee’s data sales:
“Consumers generally have no idea of the risks to their privacy that Envestnet is imposing on them.”
The letter noted that transaction patterns reveal health conditions (pharmacy purchases, specialist visits), sexuality, religion (donation patterns), and political views — and that “de-identified” data is routinely re-identifiable through pattern matching.
The FTC issued a civil investigative demand to Envestnet/Yodlee in February 2020. The outcome of that investigation was not publicly disclosed.
The Class Action: Wesch v. Yodlee
A class action (Wesch v. Yodlee, filed 2020) alleged that beyond the data sales, Yodlee had distributed consumer data in “unencrypted plain text files.” Class certification was denied in October 2024 — on standing grounds, not on the merits of the underlying allegations. The denial means the case cannot proceed as a class action; it does not mean the court found the data practices acceptable.
What Happened to Yodlee
Bain Capital took Envestnet private for $4.5 billion in November 2024. The following year, Bain sold Yodlee to STG (Symphony Technology Group, a private equity firm) in September 2025. The Yodlee analytics business — including the products that had been the subject of the Congressional inquiry — continued under new ownership.
The Regulatory Gap
The CFPB’s Section 1033 rule, finalized October 2024, specifically included a provision prohibiting the sale of consumer data collected under data access authorization. This would have directly addressed what Yodlee did — using access granted by users for financial app connectivity to build and sell investment analytics products.
In October 2025, a federal court issued an injunction blocking the rule. It is currently under reconsideration. The prohibition on data sales like Yodlee’s is not in force.
Without that regulatory protection, the question of whether a given finance app’s aggregator sells your data comes down to the aggregator’s own terms of service, which may be updated without notice.
What “De-Identified” Actually Means
The term “de-identified” in Yodlee’s product descriptions means that personal identifiers — name, Social Security number — were removed. It does not mean the data cannot be linked back to individuals.
Research on transaction data re-identification has consistently shown that a small number of specific transactions is sufficient to uniquely identify most individuals in anonymized datasets. If Yodlee’s data included your transactions at specific merchants, the geographic and temporal patterns make re-identification feasible even without your name attached.
Congressional investigators specifically flagged this: transaction patterns reveal health conditions (specific pharmacies, specialist provider types), sexuality (specific merchant categories), religious affiliation (donation recipients, specific merchants), and political views. The “de-identified” label provides less protection than the term implies.
What This Means for Finance App Choices
The Yodlee case illustrates that privacy risk from a finance app is not only about breaches. Legal data sales — permitted by buried terms of service — can send your transaction history to investment funds without you knowing.
The business model question is the most direct filter. Apps funded by subscriptions have no commercial reason to build analytics products on user data — their revenue is the subscription fee. Apps that are free or ad-supported may be monetizing data in ways that are legal, disclosed in terms of service users don’t read, and not immediately obvious from the app experience.
Checking which aggregator an app uses (Plaid, MX, Finicity, Yodlee), then reading that aggregator’s current privacy policy for explicit prohibitions on data sales, gives a more accurate picture than the app’s own marketing materials.
Q&A
What data did Yodlee sell to hedge funds?
Yodlee sold consumer transaction data under product names including Predictive Revenue Signals, Shopping Insights, and Corporate Data Analytics. The data covered 30 million or more de-identified individuals, 10 million or more daily transactions, and spanned 60+ industries. Hedge fund clients received this data as investment intelligence — consumer spending patterns to predict company revenues before earnings announcements, retail traffic signals, and consumer behavior analytics. Subscriptions ranged from $50,000 to $4 million per fund per year.
Q&A
Which hedge funds bought Yodlee data?
Point72 Asset Management was among the named clients — Steven Cohen's fund, successor to SAC Capital, which paid $1.8 billion in insider trading penalties to the SEC and DOJ. The full client list was not publicly disclosed. The WSJ reported 'several large investment funds' as buyers. Congressional investigators noted hedge funds used the data to predict corporate revenues from consumer spending patterns — a form of alternative data that has become standard in quantitative finance.
Q&A
Was selling this data legal?
At the time, yes — under Yodlee's terms of service, which users had agreed to. This is the core of the Congressional letter from Senators Wyden and Brown: 'consumers generally have no idea of the risks to their privacy that Envestnet is imposing on them.' The data sale was legal under the terms users consented to, but users consented without understanding that their purchase history at the grocery store would be packaged and sold to hedge funds as investment intelligence. The CFPB rule that would have prohibited this practice was finalized in October 2024 but is currently frozen under a court injunction.
Q&A
Is de-identified financial transaction data actually anonymous?
No — not reliably. 'De-identified' means personal identifiers like name and Social Security number have been removed, but transaction patterns are highly re-identifiable. Congressional investigators specifically noted that transaction patterns reveal health conditions (pharmacy purchases, specialist visits), sexuality (specific merchant categories), religion (donation patterns, specific stores), and political views (contribution records, specific organizations). Academic research on transaction data re-identification has confirmed that a small number of transactions is sufficient to uniquely identify most individuals even in large anonymized datasets.