chatmasta 5 years ago

Plaid is a great idea, but the implementation worries me. My understanding is that, for most banks, you give Plaid your username and password, and Plaid scrapers on their servers log into your online banking account. Even worse, Plaid obfuscates this behavior from users by replicating their banks login window and making it appear that you are logging directly into your bank.

I'm not sure how to feel about this, because I understand that banks' lack of open API access is the central problem. But it seems irresponsible to present Plaid as a secure solution, when its login system is technically a phishing page.

I think a much cooler, probably safer, solution would be a mobile SDK that runs the scrapers directly from the user's phone, instead of on Plaid's servers.

  • jaymzcampbell 5 years ago

    It always blew my mind that services like Yodlee (https://www.yodlee.com) worked that way. I can understand it from the point of view that no traditional bank was set up to allow structured access but it never felt right to me.

    In the UK there is a big push around "open banking"[1] which will bring this into the 21st century and allow for proper programmatic access to data. It's still in its infancy but the sector here is transforming around it.

    [1]: (https://www.openbanking.org.uk/customers/what-is-open-bankin...)

    • omeze 5 years ago

      It's cool that governments are taking action now, but this is a chicken vs egg scenario. If services like Yodlee didn't exist to prove that there was significant demand for programmatic access to consumer financial data by building businesses around it, would governments care? And, how many more years will it take before it gets there? With Plaid/Yodlee/Whatever you can build a Fintech app _today_ in the US that supports thousands of banks. If you're an entrepreneur that's a game changer.

    • sjtgraham 5 years ago

      Open Banking and PSD2 are both complete failures. Who is in market with a decent product built on it? Nobody is. What people need to realise is that 1st party APIs are completely at odds with the incentives to maintain the status quo, i.e. they pose an intermediation threat and in the worst case relegate banks to mere utilities with zero margin. Furthermore a bank will never use its own public API in its own products, hence there being zero downside for exposing a shitty one. The only way this will happen is if 3rd party companies in the market force it to.

      • semerda 5 years ago

        Good number of companies using it already https://www.openbankproject.com/apps/ and they claim 10K developers.

        • sjtgraham 5 years ago

          That's not Open Banking. That's the Open Bank Project, a completely separate thing. They're a company that tries to sell their platform to banks and provide a FOSS sandbox.

      • hndamien 5 years ago

        Or you just stop using banks and build these products on something like Bitcoin. It might pressure banks to open their APIs.

    • Umofomia 5 years ago

      There's also the OpenID Financial API initiative, which aims to get financial institutions to provide exactly this need using a common API: https://openid.net/wg/fapi/

    • misiti3780 5 years ago

      mint was built off of yodlee.

  • CGamesPlay 5 years ago

    Not a Plaid user, but I believe Mint works the same way. It seems to only decrypt my bank credentials with a key derived from my session password, so I suspect Plaid, if what you say is correct, does something similar.

    Basically, my password is hashed to see if I can log on. Then it's passed through a PBKDF to get the decryption key for my actual accounts, then that information gets sent to the scrapers to do the actual job. They don't store the keys after the job is done. The upshot is that a full database breach doesn't result in any bank credentials leaking, at the cost of inability to update accounts without the user explicitly logging in.

    • karshan 5 years ago

      Mint will update transactions in the background (not only when you log in).

      In order to do so, they most likely keep your banking password around in memory.

      Note: Mint uses OAuth for access to Chase bank accounts, which is great. Last I checked Plaid does not.

    • hartator 5 years ago

      So if the hashing is done correctly, if you lose your password, they aren't going to be able to sign in anymore?

  • colinsidoti 5 years ago

    To add an interesting layer, financial institutions are investing in these solutions. Goldman previously invested in Plaid, and Fidelity invested in Quovo which takes a similar approach.

    At some point I think it's on the banks to offer OAuth APIs, then Plaid can swap out one-by-one (if it hasn't already started).

    Nylas is facing the same challenge in the email space. They have oauth for gmail, but user/pass for Exchange/SMTP.

  • xtrapolate 5 years ago

    > "you give Plaid your username and password, and Plaid scrapers on their servers log into your online banking account"

    So your username and password are just kept in some internal database somewhere? The scrapers probably decrypt the credentials in-memory.

    Also - "scraping" data off of an undocumented API sounds risky. How can I guarantee a "scraper" won't accidentally mess something up for me?

    • astura 5 years ago

      Well Mint messes up all the time, transactions are not updated even though Mint says it's up to date, transactions are listed multiple times, etc. It's mildly inconvenient, but not really "risky." Are Plaid and other bank scraping services used for anything important?

  • wayzel 5 years ago

    In Europe regulation forced the hands of the banks to API-ify the data and make it accessible. In the US, as with many things, it is left to industry to sort out.

    Plaid's implementation was aggressive (screen scraping, etc) but many banks are blocking that now and some, like JPMorgan Chase, have created APIs based on OFX (the industry consortium for secure data exchange) to allow controlled data access.

    You, the customer, should always be able to choose which targets get to receive your data. Via OAuth mechanisms you grant them access without sharing your login/pw, and you can revoke at will.

  • SilasX 5 years ago

    That ... sounds like it violates every bank's ToS out there, and not the abusive buried-in-fine-print part, either. Every bank could, quite reasonably, cut off your access for this.

    • smnrchrds 5 years ago

      > bank could, quite reasonably, cut off your access for this.

      It's worse than that. Sharing passwords with third-parties typically "voids the warranty." If money is stolen from your account, the bank can deny reimbursing you because giving a third-party your password voids their zero-liability guarantee.

      • sjtgraham 5 years ago

        This is actually false in many jurisdictions, including the entirety of Europe.

        • frereubu 5 years ago

          Can you link to some information about that? I know at least one of my banks (I'm in the UK) has that in their ToS. Is that invalid? If so, how?

          • sjtgraham 5 years ago

            Re-read your bank ToS. If you're in Europe, it won't be in there. Such provisions are not compliant with PSD2.

    • philfrasty 5 years ago

      It does, but it still allows large businesses to be built on this rather fragile approach, see for example (european) SOFORT that got sold to Klarna. The only thing they did was allow you to pay directly with your bank account in online-stores that used them although banks (mostly) didn't cooperate with SOFORT (they also conveniently checked your account balance and any prior failed transactions).

    • eropple 5 years ago

      They could, but they won't (barring a change in the ecosystem). Basically everyone does exactly this when a bank doesn't have a federated login system. Take, for example, Personal Capital.

      • SilasX 5 years ago

        So all these services are storing plaintext passwords for the banks?

        • eropple 5 years ago

          Yup. When done as-correctly-as-possible those passwords should be encrypted on a per-user basis and keys should not be stored in the same datastore as the ciphertext. That's what we ultimately did for a project circa 2013; I assume that most folks do similarly.
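The credential-handling scheme CGamesPlay and eropple describe above (a login verifier and a decryption key both derived from the user's password, the password-derived key never persisted, and the wrapped per-user key kept in a different datastore from the ciphertext), as an added standard-library Python example; this is not code from Plaid, Mint or any commenter, and the iteration count, record layout and the HMAC-based cipher are assumptions made for the illustration.

```python
"""Per-user credential envelope encryption keyed from the login password.

Constructed for this thread, not any aggregator's real code. The cipher is
HMAC-SHA256 in counter mode with an encrypt-then-MAC tag so the example runs
on the standard library alone; a production system would use AES-GCM from a
real crypto library. The key-handling structure is the point.
"""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 200_000  # assumption; tune to your hardware
KEY_LEN = 32


def _pbkdf2(password: str, salt: bytes, purpose: bytes) -> bytes:
    # Domain-separated derivation: the stored login verifier and the
    # key-encryption key (KEK) use different salts and labels, so the
    # verifier sitting in the database says nothing about the KEK.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), purpose + salt,
                               PBKDF2_ITERATIONS, dklen=KEY_LEN)


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Counter-mode keystream: HMAC(key, nonce || block_index), XORed in.
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def _seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC with separate subkeys; output is nonce || ct || tag.
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key: bytes, blob: bytes) -> bytes:
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or tampered ciphertext")
    return _keystream_xor(enc_key, nonce, ct)


def enroll(password: str, bank_credentials: bytes):
    """Return (account_row, key_row): two records for two separate datastores."""
    auth_salt = secrets.token_bytes(16)
    kek_salt = secrets.token_bytes(16)
    verifier = _pbkdf2(password, auth_salt, b"auth")  # used only to check logins
    kek = _pbkdf2(password, kek_salt, b"kek")         # never written anywhere
    dek = secrets.token_bytes(KEY_LEN)                 # random per-user data key
    account_row = {
        "auth_salt": auth_salt,
        "verifier": verifier,
        "kek_salt": kek_salt,
        "credential_blob": _seal(dek, bank_credentials),
    }
    key_row = {"wrapped_dek": _seal(kek, dek)}  # lives apart from the blob
    return account_row, key_row


def unlock_for_job(account_row, key_row, password: str) -> bytes:
    """Recover the bank credentials for one scraping job.

    The caller holds the result in memory only and discards it when the job
    ends; nothing derived from the password is persisted.
    """
    candidate = _pbkdf2(password, account_row["auth_salt"], b"auth")
    if not hmac.compare_digest(candidate, account_row["verifier"]):
        raise PermissionError("bad password")
    kek = _pbkdf2(password, account_row["kek_salt"], b"kek")
    dek = _open(kek, key_row["wrapped_dek"])
    return _open(dek, account_row["credential_blob"])


def stored_data_reveals_credentials(account_row, key_row, bank_credentials: bytes) -> bool:
    """What a full dump of both datastores yields without the user's password."""
    dump = b"".join(account_row.values()) + b"".join(key_row.values())
    return bank_credentials in dump
```

The trade-off CGamesPlay notes falls out of the structure: without the password there is no KEK, so a background refresh is impossible unless the service keeps the unwrapped credentials in memory, which is the point karshan raises about Mint.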

        • bwood 5 years ago

          Basically, yes.

    • tothrowaway 5 years ago

      When you sign up, you grant the service the limited power of attorney to login as you. Typically a POA needs to be witnessed and/or notarized. I'm not sure how they're getting around that.

  • jimbru 5 years ago

    > I understand that banks' lack of open API access is the central problem

    Banks in the US are really behind the ball on APIs, it's true. Just recently things have started to change though. I'm the cofounder of Treasury Prime (https://treasuryprime.com/) and we have a network of banks in the US who offer API access.

    It doesn't solve Plaid's use case (getting data out of 1,000s of banks), but it's great if you need deep integration into a single bank, like if you're writing a fintech app for example. If anyone would like access, feel free to email me: hello@treasuryprime.com

    Also, big congrats to Plaid on the fundraise!

    • mmckelvy 5 years ago

      How many banks do you have in your network? Is there a place I can see which institutions you support?

  • sam0x17 5 years ago

    I am a user of several Plaid-powered apps, and I will say that most of my banks eventually drop out and need me to reactivate the connection (usually because a security question is required or something like that). With an API, depending on the implementation, this may never happen, so in an odd sort of way it is more secure in that you definitely won't forget about it and have it running for years. I have to actively try to keep everything activated and running.

  • jaxn 5 years ago

    I used plaid as a payment option at my SaaS company. Yes, it is a great idea, but the implementation is "meh".

akarma 5 years ago

There's been a whistleblower or two on HN about how Plaid scrapes and sells your bank account transaction history to third parties.

It seems more unethical than most selling-user-data strategies in that the users don't even know Plaid is involved in the transaction whatsoever; they're just a hidden middle layer.

I'd be interested to know if this is still part of their monetization strategy, or if anyone at Plaid can confirm definitively that they do not collect and sell your bank account transaction history?

Edit: So sorry on my part, specifically on selling data, must've mixed this up now that I've read the comment (linked below). It involved scraping user data against the wishes of the banks, and doing huge amounts of customer analytics with such data, and another separate thread on giving transaction history as part of the service. Still a negative but different than above-- will leave this up so as to not destroy thread.

  • whockey 5 years ago

    Co-founder of Plaid here. This is not true, we do not sell transactional data to third parties. We make 100% of our money by letting developers build financial applications[1].

    [1] - https://plaid.com/pricing/

    • pmart123 5 years ago

      I do think these aggregated services are a net benefit to the fintech ecosystem overall. However, any service that uses a Plaid type service still could be selling transaction data to third-parties. For instance, Acorns:

      https://www.acorns.com/privacy/

      >>> Acorns uses Plaid Inc. (“Plaid”) to gather your data from financial institutions...

      >>> Acorns and Empyr will use transaction information from your Acorns debit card in connection with the Found Money Plus program as follows:

      ... to provide participating merchants or Empyr aggregated and anonymized information relating specifically to registered card activity solely to allow participating merchants and Empyr to assess the results of their campaign(s);

      • astura 5 years ago

        That means they are only sharing data from your Acorns debit card, not your external bank accounts. The Plaid part is separate from the debit card/Found Money Plus part.

        You also omitted a key quote:

        >when you activate your Acorns debit card, you will be asked to enroll in Found Money Plus, a card-linked offer program offered in partnership with Empyr.

        The Found Money Plus program is only for transactions on the Acorns debit card, and it is small bonuses for specific spending, for example, 10% cash back at Starbucks. It looks like a company called Empyr organizes these campaigns for the card link offers.

        The Acorns debit card is also optional.

        If you're getting cash back on a transaction you know the price is sharing your purchases, this concept isn't really new.

    • ryanackley 5 years ago

      You may not sell the data but you give developers access to bank balance, transaction history, and income streams. Essentially some of the most private aspects of a person's life.

      Seems legitimately useful for personal finance tools or loan providers.

      However, I know your API is being used by point of sale systems. Seems super unethical for point of sale systems to access any info beyond, is this the right account, does it have enough money. I just hope you're enforcing some kind of restrictions or at the very least warning consumers what they're giving the merchant permission to access.

      • bdcravens 5 years ago

        They do outline everything pretty well at https://plaid.com/legal/, but I don't know that those terms are linked to from the login widget.

        • ryanackley 5 years ago

          I can't tell if this is sarcasm.

          As long as you're transparent about it in a 30 page ToS then it's all good. Because when you go to checkout at a cash register, you're going to stop and hold the line for an hour or more and read that page.

          Not an exaggeration btw, my print dialog estimates that page to be 27 pages printed.

    • Quanttek 5 years ago

      Hi William,

      how does your statement fit with the fact that one of your products is literally selling transactional data? https://plaid.com/products/transactions

      While I'll assume this is only of the customers of a particular product, it is still worrying as many customers may not understand that fact as you are not transparent about your role and the access granted.

      • bdcravens 5 years ago

        It fits 100% in what he's saying. The API grants the developer of the application access to the account history of whoever's logged in. This in no way establishes they are selling anything to any third-parties.

        • kerryfalk 5 years ago

          The developer pays for that access. The developer is a third party. They're buying transaction data.

          It's explicitly stated within their sales page and directly contradictory to the statement he made above.

          • Bjartr 5 years ago

            First, I don't think this is usually what is meant when someone is claiming an entity is selling data. My normal interpretation would be that if a company is "selling my data" then they are selling that data to parties I have zero contact or reason to think they would have my data.

            I understand what you're saying, but I think it would be less confusing to keep the idea I described above and what Plaid is doing (AFAIU) distinct.

            More specifically I understand it as: If I engage with some entity/company/developer and give them the permission and secrets necessary to access my account, they can pay Plaid to make use of them on my behalf in the process of doing whatever it is I gave them that access for.

            This activity is, and always has been to me, completely distinct from the activity of "selling my data", although it could result in the one I authorized to access my data through Plaid turning around and selling my data.

          • ceejayoz 5 years ago

            That's a silly framing.

            The developer is purchasing the technological infrastructure to deliver the data a single specific user has opted to provide to them.

            Claiming the developer is a third party is like claiming I'm a third party when I order off Amazon, and that the USPS is the actual customer.

            • SquishyPanda23 5 years ago

              When you enter into a transaction using your bank, someone who is not a party to that transaction can see it, and they pay for that access.

              Under any framing, that's a third party paying for access to your transaction data.

              The user hasn't opted-in if the co-founder of the company is telling people it doesn't happen. It's only opt-in if the user knows it's happening and agrees to it.

              • ceejayoz 5 years ago

                If I'm using a financial app, and it pops up with an "App Foo wants to use Plaid to link to your bank", and I go in and enter my banking credentials into that dialog... you're arguing that I have no idea what I'm doing and aren't consenting to anything? Huh?

                • SquishyPanda23 5 years ago

                  If you're so confident, go survey Plaid users and find what percentage are aware that Plaid makes money selling their financial transaction history to developers.

                  Then ask yourself why the founding team goes around and tells people they don't do that.

                  • ceejayoz 5 years ago

                    That'd be a very misleading survey question, as it heavily implies they're selling it to other developers the user didn't engage with at all.

                    "Are you aware that connecting app Foo to your bank account gives app Foo access to your transactions?" is likely to be met with a resounding "no shit, that's the point..."

                    • SquishyPanda23 5 years ago

                      So your claim is that the average person on the street understands that if they send someone money on Venmo once, then Venmo gets 24 months of their bank account history?

                      And your claim is that the point of the user signing up to Robinhood or Venmo is to give Robinhood or Venmo their entire bank account history for the last two years?

                      I find this implausible. You have an empirical claim. You're welcome to test it.

    • alehul 5 years ago

      Thanks William, and sorry for the wrong accusation. Super embarrassed; I read so many comments on that thread I must've conflated two.

      • jka 5 years ago

        Thanks for speaking up alehul; for what it's worth, I think it can often be interesting to later reflect on these moments of apparent shame and embarrassment, especially in the context of attempting to speak truth to power.

        Accountability and transparency are important long-term; as is questioning possible abuse or misuse of power. Don't be afraid to continue to do so!

        Also, always use Hanlon's razor, but it's getting harder and harder to tell genuine conversations from stage-managed ones online, unfortunately. It's the logical extreme of pg's article 'The Submarine'[0].

        [0] - http://paulgraham.com/submarine.html

      • ryanackley 5 years ago

        Here is one discussion from a so-called whistleblower I was involved in. I will let you decide on the ethics[1].

        I'm in the ACH space and I personally know a merchant who planned on using them for account verification for point of sale ACH payments. This merchant also planned on grabbing transaction history while they were in there for I don't know what. Analytics maybe? I have no idea if they ever went through with their plan.

        [1] https://news.ycombinator.com/item?id=17692291

        • bdcravens 5 years ago

          This was the merchant, and not Plaid. While Plaid gives such merchants a lot of power, I don't think the ethics issue lies with Plaid (though you could make a good argument that they should grant limited access, and full API access only on a more restricted whitelist basis)

          • galvanizer 5 years ago

            So according to you Facebook is not responsible for the Cambridge Analytica scandal.

    • jka 5 years ago

      Hi William,

      This may be true - but you do still normalize users to the practice of entering their banking login credentials into a web form which is sent to a third party (i.e. yourselves).

      In addition I believe the developer gains access to the users' bank transaction history - not just for the duration of their login session, but long-term, which is likely something that users aren't fully aware of in most cases.

      Am I mistaken about those?

      That is not 'selling' in the historically-used sense of the word, but we are now in a world where 'personal cost' means something different - especially when it comes to services which harvest personal data.

      • rco8786 5 years ago

        I have my own issues with Plaid, but I think you’re reaching a bit here. Everything Plaid does is opt in by the end user. They’re not selling data unbeknownst to the user (assuming co-founder above is being genuine), the user is giving another service permission to use their data.

        As for bank logins...that’s been around since long before Plaid. But I agree there must be a better way. Though I don’t have any great practical ideas.

        • jka 5 years ago

          It's possible I'm overreaching, yep, but I think the past decade has shown - is showing - that simply 'assuming the best' of what will happen with rapid adoption of new technology isn't the most effective strategy. Daemons will come home to roost over time.

          Even if users are technically opting in, and even if everything is documented in the privacy policy, a potential end-game here is that startup companies have access to all bank transactions for the people who need to use Plaid - likely people on the ground in the sharing economy who rely on it for payments - and the more fortunate/wealthier folks continue to have financial privacy by virtue of not needing to use it.

          That would be a really unfair world to live in.

        • darkerside 5 years ago

          Do users have any idea exactly what they're giving up here though? Do they have fine-grained permissions to allow read-only vs write access, and to choose between transaction and account level data? And is there anything that prevents those second-party developers from then turning around and selling data to third parties (besides their own TOS with Plaid)?

          • rco8786 5 years ago

            What write access would there be?

            Obviously this is a hugely sensitive service, I’m not denying that. But there’s a way to do it right and it seems that Plaid is attempting to do that. So I’m not ready to declare them evil before they actually do anything evil.

            • nitrogen 5 years ago

              Many (most?) banking websites allow transferring money through the UI. A screen scraper technically has the same access.

              Unfortunately the current approach of the major aggregation players is the only way to motivate the banks to give customers access to their own data through more reliable means.

              • ceejayoz 5 years ago

                > A screen scraper technically has the same access.

                Sure, but the developer using Plaid's services doesn't.

            • darkerside 5 years ago

              > it _seems_ that Plaid is attempting to do that

              Isn't this a clear parallel to the Google "Don't be evil" approach that gets discarded as soon as the opportunity cost becomes too large to ignore?

              • rco8786 5 years ago

                Sure, but what do we do? No company should ever be allowed access to data?

                • darkerside 5 years ago

                  It's a big question that I don't have the answer to. I'd prefer we trade off on some innovation on features in exchange for innovating the way we segment and communicate our data. But the market is speaking and it has a different opinion...

          • kevinlou 5 years ago

            It's read-only access.

      • bdcravens 5 years ago

        Haven't we on this same website celebrated various Gmail clients and services? Same kinds of risk there (email being different than transactions, but in many cases, that may be worse)

    • root_axis 5 years ago

      The product is obviously amazing, and I know for a fact that it's creating credit opportunities for consumers with credit history that may not accurately reflect their current financial status, but there is an insidious aspect to the product: the 6 months of future access to transactions and banking information. Most consumers don't realize they're giving this up when they use your product and I believe they would be much less likely to use it if they were aware.

      • astura 5 years ago

        > the 6 months of future access to transactions and banking information. Most consumers don't realize they're giving this up when they use your product and I believe they would be much less likely to use it if they were aware.

        Can I ask what makes you believe that? Why would someone be A-OK with sharing the previous six months of account transactions but balk at sharing the next six months of account transactions?

        • root_axis 5 years ago

          Because they have a mental model of what is inside the previous 6 months and can make a judgement regarding whether or not they are comfortable revealing that information, whereas the future 6 months could include purchases that they may not want to reveal for various reasons.

          I also think many consumers would simply be creeped out by the idea that these companies can continue to maintain access to their bank statement for 6 months into the future, especially in cases where the consumer has a dispute or negative experience with the company. There are also some underwriting arrangements where companies could leverage future Plaid data to make decisions about how to treat a customer (e.g. monitoring bank balances so that rebilling a delinquent customer can be automatically rescheduled after a deposit)

    • EADGBE 5 years ago

      Yeah, the pricing tiers make me think they're/you're not trying to get CPM-type residuals (ad-based revenue).

      Pretty cool product, considered using it for my property rental's payment portal.

  • lbotos 5 years ago

    They at least collect it, as they offer that as a service:

    https://plaid.com/products/transactions

    I flirted with the idea of using a trial account to feed that data to a Prometheus server to build graphs in Grafana. A slightly more powerful mint/personal capital would be a super valuable tool.

    • bdcravens 5 years ago

      Yes - the key issue being that the product offering is an API used by a second party with assumed permission from the first party; they are not selling that data to a third party.

  • randomacct3847 5 years ago

    It’s the Facebook API issue but IMO transaction data is much more sensitive so it’s a bigger issue. I have used the Plaid API and have no idea how they audit developers to make sure they are using the data as intended and storing that data securely.

    One hack incident of a developer that exposes bank numbers and transaction data would be a huge reputational hit.

    • hn_throwaway_99 5 years ago

      Edit: I stand corrected, I didn't think you get full account number access but you do. Leaving original comment below.

      They don't expose bank numbers though, that's kind of the point. Developer access is all tokenized.

      That said, plaid does give you access to tons of detailed financial transaction data, and it's easy for companies to tie this to PII in their own systems, and I'm sure many of those companies have less robust security than plaid. As a developer, I thought "Wow, you can get so much data through plaid!" but then as a user I would refuse to ever use a plaid integration because I know how much data it gives them. Furthermore, I don't believe the average user really realizes just how much data they are giving up.

      I agree with you, though, it really is similar to the Facebook API issue. All it would take is a third party company packaging data in a way to use it to target political ads and then you've got 60 Minutes exposes all over the place.

      • randomacct3847 5 years ago

        Nah that’s not true. https://plaid.com/products/auth You get the full routing and account number with the Auth product - that is how you push and pull funds as a developer to a customer’s account.

        • ceejayoz 5 years ago

          I'd note that you give those same numbers to every yahoo you ever write a check to. The US checking system is terrifyingly insecure in that regard.

  • skilled 5 years ago

    Link, my friend.

    • alehul 5 years ago

      I'll link as soon as I'm not on mobile.

      Recent incident was on "most unethical thing you've done" thread that reached the top of HN. Someone mentioned selling user data while being a middle layer, and confirmed it was Plaid after it was suggested.

      Not claiming this is definitively true which is why I'd like to hear from someone at Plaid; I believe I've interacted with them through Robinhood so it'd be concerning.

cryptica 5 years ago

I remember I spoke with both the CEO and CTO over Skype several years ago.

They actively reached out to me because of an open source project I created and they wanted to recruit me. They made quite an impression on me but I wasn't prepared to move to the US back then. Damn. Missed opportunity. Obviously they were very proactive in reaching out to the developers that they wanted rather than just passively waiting for resumes to flow in.

  • ativzzz 5 years ago

    What project were you working on?

    • jondubois 5 years ago

      SocketCluster. A WebSocket framework for NodeJS. I'm still working on it actually.

Quanttek 5 years ago

For those interested: In Europe, banks are forced to provide fintech companies access to customer data when the user consents to this under its "open banking" initiative.

https://www.cnbc.com/2017/12/25/psd2-europes-banks-brace-for...

Personally speaking, I have a problem with companies like Plaid and SOFORT (EU), where they kind-of hide the fact that you provide them with your login credentials (and not the bank). From what I understand from this thread, Plaid may be selling your data and gives developers full access to the customer's transaction history. This is worrying.

  • vichu 5 years ago

    Per whockey's comment here[0], it doesn't seem like Plaid is selling your data directly to 3rd parties - though it doesn't prevent the developers you're giving your data to from selling it.

    [0] https://news.ycombinator.com/item?id=18655507

jncraton 5 years ago

I'm interested to see where this goes. I use Plaid as a developer, and it feels like the user experience keeps getting worse. This isn't Plaid's fault, but as more and more financial institutions require 2FA, it gets much less automatic for Plaid to scrape data.

Instead of just seeing updated transactions, users frequently need to enter a 2FA code before Plaid can successfully complete the update. This is very clunky, especially if you've linked 10+ accounts. Hopefully, Plaid (or even government regulations) will be able to encourage banks to create real APIs and Plaid can move away from scraping entirely.

  • dpflan 5 years ago

    Wasn’t YC company Standard Treasury trying to help banks become more API accessible? If the banks have an API offering, I can see how a standard would need to exist to support the primary use cases (auth, balance, transaction), and perhaps Plaid is showing what they could look like (reducing the complexity of interfacing disparate banks’ approaches to managing bank data). [NB: if there is a standard or info I am clearly not knowledgeable of based upon this comment, please educate me!]

    • colinloretz 5 years ago

      That was the goal but they were acquihired by Silicon Valley Bank. https://www.svb.com/news/company-news/api-banking-startup-st...

      • kbyatnal 5 years ago

        And then they left SVB to try again

        https://treasuryprime.com

        • dpflan 5 years ago

          Wow. Thanks for the update. From TP's site:

          > We're the team behind Standard Treasury and the Silicon Valley Bank API Banking Platform which forms the backend for Stripe Atlas - we're the experts in this space.

        • docker_up 5 years ago

          Interesting, how is this different from Standard Treasury?

          • jimbru 5 years ago

            Heyo, cofounder of Treasury Prime here.

            The main differences are how we're working with banks. Back then we sold only to large banks, plus banks weren't yet comfortable using cloud services, meaning everything had to be built on-premise (very silly). Now we sell into all sizes of bank because we're able to operate with a SaaS model.

            Likewise for developers that means we can move much faster and there's a much better chance we'll be able to find a bank that's a good fit for you. If you're interested in using the API, email me and say hi: hello@treasuryprime.com

rchaud 5 years ago

The billion-dollar battle to share your personal financial information to even more unaccountable third parties.

zonethundery 5 years ago

I am not yet convinced that giving away your bank username and password to plaid/mint/other scrapers does not exempt the bank from the liability limits established in Reg E.

The user effectively gives away control of their deposit accounts. If it is subsequently misused (unlike an access device like a debit card), the user's disclosure of the password might give the bank an affirmative defense. If push comes to shove, in a large breach with bulk cashouts via wire a depository institution might not honor the claims.

It seems obvious that revocable access w/ tokens is a solution, but that gives up the game on the transaction data (and likely drives some of banks' reluctance to offer that functionality).

I'd love to have my mind changed about this, if someone can point me in the right direction.

writepub 5 years ago

It seems disingenuous for the banks to not provide an API spec, and then invest in and present Plaid as an alternative. This is not a technology problem, this is about entrenched players making a buck wherever possible, without doing the logical thing.

I'm glad Europe has defined an API for its banks to avoid this from happening there.

  • sjtgraham 5 years ago

    > I'm glad Europe has defined an API for its banks to avoid this from happening there.

    Except it hasn't. If you're referring to PSD2, that is not what that is at all.

yoran 5 years ago

Does anyone know if such a thing exists in Europe?

  • scient 5 years ago

    I hope not, because it's such a shitshow. You literally give your bank credentials to a third party who then logs in to your account and scrapes info off of it - info that you have no control over.

    Capital One was smart enough to block them off (which is the bank I use), and now they actually provide proper OAuth based APIs to access your account.

    • asianthrowaway 5 years ago

      Things are changing with PSD2 regulations. Banks in the EU starting in 2019 will have to provide open (and secure) APIs to third parties.

      • scient 5 years ago

        One can only hope this would make it to the US as well. The problem largely seems to be banks being ancient behemoths in terms of technology, and introducing APIs like this poses a significant risk from a security and policy perspective. Plus it's not going to be a major source of revenue either, so why bother?

  • tobias3 5 years ago

    Well, at least in Germany we kind of have the FinTS protocol to get at the data and don't have to scrape. So less need for an intermediary. I also saw something about EU regulations for bank APIs, but unfortunately not one common API.

  • jorge-d 5 years ago

    There is Bankin[0] which I believe shares a few similarities, however it mostly works with French bank accounts for now.

    [0] https://bankin.com

elvirs 5 years ago

I looked into the plaid+stripe solution for our ACH payments need and after playing around with it a little I just didn't feel like I could put that in front of my clients and tell them 'Yeah, put in your bank login and password on our website to make the payment, we promise it's secure'. Their solution didn't sell with me and I went for Stripe ACH where they make a microdeposit and the customer has to verify the amounts. Even PaySimple's eCheck solution sounds more reasonable to put in front of clients than to demand their bank login and password. IMHO

  • astura 5 years ago

    Every service I've used where you can verify your account with your bank's username/password had it as an option, not required.

ejcx 5 years ago

I met quite a few folks on the Plaid engineering team and was really impressed with the people I met and how they were approaching building their product. Congrats to them, and a lot more work to do!

semerda 5 years ago

Congrats Plaid!

Are Open Banking Standards going to abolish any international market opportunities for Plaid?

- CMA9 Major Banks in the UK are ready to roll out Open Banking Standards.
- In Australia the ACCC is pushing for 1 July 2019 and within 12 months all Australian banks, including the related brands of the big four, will be brought within the scope of open banking.
- Canada too with its 2020 initiatives.

The US would be crazy not to adopt a similar standard, but maybe this is where Plaid is specializing due to the large number of US banks?

dalbasal 5 years ago

I spoke to a young guy recently, who is doing a graduate/rotation with one of the big US banks.

He was excited for the rotation in one of the (several) "moonshot divisions," with a goal of 10X-ing the bank in theory. I told him that I hope _giant bank_ doesn't have 10X growth in it, but...

... I think that any truly disruptive idea for fintech/banking is likely to be of the "turn a billion dollar company into a million dollar company" variety.

harryf 5 years ago

Side note: I once heard from the venture arm of a rather well known CRM that Patagonia gets upset when you embroider your logo on their jackets ( e.g. in this picture https://techcrunch.com/wp-content/uploads/2018/12/DSC1296-2.... )...

CodeSheikh 5 years ago

I would not be comfortable giving my banks, cards info to Plaid so they can provide an easy integration (API) to third party developers.

Why would Venmo need to hit the Plaid API to get my banking info when they can provide their own API and allow seamless integration with my bank and credit card?

I honestly don't see the benefit over risk of handing over all my financial institutions information so they can provide a seamless API to consumers.

deedubaya 5 years ago

I’ve stopped using a number of products because the underlying Plaid connection to my banks would routinely break and take weeks (!!) to get fixed. It got to the point that functioning connections were a rarity, and things not working was the norm.

I want Plaid to succeed and I want to use those products, but beware of building something on top of Plaid; you may be driving customers away.

siamakfr 5 years ago

Is the gist of this company logging into a bank's web service using a user's credentials and scraping their account data and exposing that data via APIs to other developers?

I thought they actually integrated with the banks on the backend, but if this is all they do, I'm not comfortable using any product that snoops my bank info without any accountability.

  • ivalm 5 years ago

    Yup, I use Mint, occasionally, but now I am rethinking it. I really thought it was integrated with the bank's api.

    • ceejayoz 5 years ago

      It is, in some cases. Depends on the bank.

      Capital One allows creation of read-only credentials explicitly for stuff like Mint, too.

bonsai80 5 years ago

The thing that keeps me away from all of these kinds of things is the requirement to hand over my user/pass for financial accounts.

Questions for those that know the space:

1. Is that a big struggle for fintech companies or do most people just shrug it off?
2. Are companies working on (and making progress) standards for system communication without user/pass?

jplahn 5 years ago

Giving a plug to https://truelayer.com/.

They have a great team and they're making a big push to bring PSD2 compliant banking integrations to Europe. I haven't heard of many other offerings within Europe.

RGamma 5 years ago

Isn't it bloody easy enough already to pay for stuff? Fintech startups (this one with its dubious implementation especially) with huge valuations make me sad...

kfroggie 5 years ago

“Plaid consolidates financial data from multiple sources and categorizes transaction data with up to 24 months of history, making it easy to use and analyze.”

martinald 5 years ago

What's the difference between Plaid and Yodlee?

eurothrow 5 years ago

Can anyone point to a list of apps/services that use this?

For privacy reasons, I'd prefer to avoid anything of the sort.

  • astura 5 years ago

    You would know if you're being asked for your bank's username and password by a third party and can decide if you want to share that information; it's not something that you really need to know anything about ahead of time to be able to avoid.

    The apps I know who use Plaid are Drop and Venmo. Some banks use it to instantly link external accounts without having to do trial deposits.

    • siamakfr 5 years ago

      That's not entirely true. They try and imitate your bank's branding on the log in page and do not make any mention of Plaid. For example, when setting up Venmo, I thought I was logging into something my bank had created.

      • astura 5 years ago

        I mean, the only reason I even know what Plaid is is because the services I've used advertise they are using Plaid, for example, Drop: https://imgur.com/a/l4PM6QG I remember seeing it on Citibank too.

        You're still sharing your bank account information with someone else. Even if it's your bank's API or whatever, "something my bank created" could be "something my bank had hired an external company to create," or even "a front end my bank created that uses third party software to do all the data processing on the back end." I'm not sure of a meaningful distinction between each case. If you want to minimize sharing bank account information "for privacy" then you don't give your bank account information to anyone.

        • ghostly_s 5 years ago

          > If you want to minimize sharing bank account information "for privacy" then you don't give your bank account information to anyone.

          That's the whole point. You don't know you're giving your account information to anyone. I use Venmo and had no idea they relied on this technique until reading your comment.

    • curiousDog 5 years ago

      There’s a bunch on their website. Amex and Betterment seem to use them as well.

      • astura 5 years ago

        I'm guessing those two companies probably use Plaid to instantly link external accounts without having to do trial deposits. Trial deposits can take several days. That's the use case that I used it for at Citibank anyways.

        I never claimed my list was inclusive, only those are the ones I know use Plaid off the top of my head.

  • dublidu 5 years ago

    As a user, it would be pretty hard to tell if the app is using Plaid or Yodlee.

travisoneill1 5 years ago

Startup. $2.65B valuation. I guess "startup" just means any non-public company now.

  • estsauver 5 years ago

    I think the pg definition of "A startup is a company that is pursuing a very high growth strategy" still applies. If you believe Plaid is trying to get themselves to 5B in the next two years, it can probably still apply.

    I think of it as "Startup" vs "Steady State."

  • mlevental 5 years ago

    Welcome to 5 years ago. I see people opening up conventional small businesses (think pizza place) calling themselves startups. But really, who cares.

dpflan 5 years ago

Will Plaid be a data brokerage for financial transaction information?

sonnyblarney 5 years ago

The thought of giving any of my passwords to a 3rd party is problematic ... but my banking password ? This is an issue.

Also a risk, because any bank could simply shut this down pretty quickly and if one does it, the others could follow.

The first 3rd party that messes up, with the whiff of a scandal ... and this is going to disappear, or rather, the banks may decide that they'll do some API, but not for free.

I'm waiting for 'Cambridge Analytica' but with your money this time.

  • ceejayoz 5 years ago

    > Also a risk, because any bank could simply shut this down pretty quickly and if one does it, the others could follow.

    I mean, Mint's been doing it for twelve years, and they're hitting thousands of banks. They're definitely on the major banks' radar by now.

creeble 5 years ago

Why doesn't Mint have this kind of valuation?

I guess I don't understand how they differ; I do get that they both rely on giving your bank credentials to a third party and that they both scrape your financial history.

  • tommymachine 5 years ago

    Mint is owned by Intuit, valued at 53.88B!