Ongoing Third-Party Account Credential Re-Access Authorization

What it is

When you link an outside bank or investment account to Wealthfront, you are authorizing Wealthfront to repeatedly log into that account on your behalf using your credentials, for as long as the link is active, not just once.

Why it matters (compliance & governance perspective)

This authorization is broad and ongoing: it grants Wealthfront and its subprocessors (Yodlee or Plaid) continuous access to your external financial accounts, including transaction history and balances, until you actively remove the link.

Consumer impact (what this means for users)

Consumers who link external financial accounts grant Wealthfront and its service providers repeated access to those accounts, including all available account information, with this authorization persisting until the consumer actively deactivates the account link.

What you can do

Institutional analysis (Compliance & governance intelligence)

(1) REGULATORY LANDSCAPE: This provision engages the Electronic Fund Transfer Act (EFTA) and Regulation E regarding authorized account access, as well as emerging Consumer Financial Protection Bureau open banking rules under Section 1033 of the Dodd-Frank Act, which are intended to govern consumer-permissioned data access. GLBA also applies to the handling of nonpublic personal financial information accessed via this mechanism. The FTC's unfair or deceptive practices authority may be relevant if the scope of ongoing access is not adequately disclosed. (2) GOVERNANCE EXPOSURE: Medium. The provision clearly discloses the ongoing nature of the access, which supports a consent defense. However, the scope of 'all Outside Account Information available' is broad and may capture data beyond what is necessary for the stated purposes, creating potential proportionality questions under applicable data minimization principles. The delegation of credential storage and re-access to Yodlee or Plaid under their own terms creates a layered privacy governance structure that Wealthfront only partially controls. (3) JURISDICTION FLAGS: California residents may have CCPA rights to know about data collected via this mechanism. EU or EEA residents, if any use the service, would face additional exposure given GDPR's stricter requirements on purpose limitation and data minimization for credential-based access. The CFPB's Section 1033 rulemaking may impose additional requirements on this type of consumer-permissioned data sharing as it is finalized. (4) CONTRACT AND VENDOR IMPLICATIONS: Yodlee's FastLink Terms of Service and Plaid's privacy policy are incorporated by reference, meaning consumers are subject to third-party terms that Wealthfront does not control. Procurement teams should assess whether Yodlee and Plaid data use limitations align with Wealthfront's stated restrictions and whether contractual data use limitations are enforceable against these subprocessors. (5) COMPLIANCE CONSIDERATIONS: Compliance teams should ensure that the consent mechanism for account linking is sufficiently specific and informed, particularly regarding the ongoing and periodic nature of credential re-use. Data mapping should capture Outside Account Information flows to Yodlee and Plaid separately from Wealthfront's own data stores, and vendor assessments should confirm that these providers do not use accessed data for their own purposes beyond what Wealthfront's policy permits.

Applicable agencies

Provision details

Other risks in this policy

• Client Data Deletion Restriction medium
• Biometric Data Collection and Vendor Destruction Requirement medium
• No Selling or Trading of Personal Information low
• Data Transfer in Merger or Asset Sale medium
• Cross-Device Tracking and Browsing Activity Matching medium
• Home Lending Expanded Data Sharing medium