Plaid is a great idea, but the implementation worries me. My understanding is that, for most banks, you give Plaid your username and password, and Plaid scrapers on their servers log into your online banking account. Even worse, Plaid obfuscates this behavior from users by replicating their bank's login window and making it appear that you are logging directly into your bank.
I'm not sure how to feel about this, because I understand that banks' lack of open API access is the central problem. But it seems irresponsible to present Plaid as a secure solution, when its login system is technically a phishing page.
I think a much cooler, probably safer, solution would be a mobile SDK that runs the scrapers directly from the user's phone, instead of on Plaid's servers.
It always blew my mind that services like Yodlee (https://www.yodlee.com) worked that way. I can understand it from the point of view that no traditional bank was set up to allow structured access but it never felt right to me.
In the UK there is a big push around "open banking"[1] which will bring this into the 21st century and allow for proper programmatic access to data. It's still in its infancy but the sector here is transforming around it.
Not a Plaid user, but I believe Mint works the same way. It seems to only decrypt my bank credentials with a key derived from my session password, so I suspect Plaid, if what you say is correct, do something similar.
Basically, my password is hashed to see if I can log on. Then it's passed through a PBKDF to get the decryption key for my actual accounts, then that information gets sent to the scrapers to do the actual job. They don't store the keys after the job is done. The upshot is that a full database breach doesn't result in any bank credentials leaking, at the cost of inability to update accounts without the user explicitly logging in.
To add an interesting layer, financial institutions are investing in these solutions. Goldman previously invested in Plaid, and Fidelity invested in Quovo which takes a similar approach.
At some point I think it's on the banks to offer OAuth APIs, then Plaid can swap out one-by-one (if it hasn't already started).
Nylas is facing the same challenge in the email space. They have oauth for gmail, but user/pass for Exchange/SMTP.
In Europe regulation forced the hands of the banks to API-ify the data and make it accessible. In the US, as with many things, it is left to industry to sort out.
Plaid's implementation was aggressive (screen scraping, etc) but many banks are blocking that now and some, like JPMorgan Chase, have created APIs based on OFX (the industry consortium for secure data exchange) to allow controlled data access.
You, the customer, should always be able to choose which targets get to receive your data. Via OAuth mechanisms you grant them access without sharing your login/pw, and you can revoke at will.
That ... sounds like it violates every bank's ToS out there, and not the abusive buried-in-fine-print part, either. Every bank could, quite reasonably, cut off your access for this.
> I understand that banks' lack of open API access is the central problem
Banks in the US are really behind the ball on APIs, it's true. Just recently things have started to change though. I'm the cofounder of Treasury Prime (https://treasuryprime.com/) and we have a network of banks in the US who offer API access.
It doesn't solve Plaid's use case (getting data out of 1,000s of banks), but it's great if you need deep integration into a single bank, like if you're writing a fintech app for example. If anyone would like access, feel free to email me: [email protected]
I am a user of several Plaid-powered apps, and I will say that most of my banks eventually drop out and need me to reactivate the connection (usually because a security question is required or something like that). With an API, depending on the implementation, this may never happen, so in an odd sort of way it is more secure in that you definitely won't forget about it and have it running for years. I have to actively try to keep everything activated and running.
There's been a whistleblower or two on HN about how Plaid scrapes and sells your bank account transaction history to third parties.
It seems more unethical than most selling-user-data strategies in that the users don't even know Plaid is involved in the transaction whatsoever; they're just a hidden middle layer.
I'd be interested to know if this is still part of their monetization strategy, or if anyone at Plaid can confirm definitively that they do not collect and sell your bank account transaction history?
Edit: So sorry on my part, specifically on selling data, must've mixed this up now that I've read the comment (linked below). It involved scraping user data against the wishes of the banks, and doing huge amounts of customer analytics with such data, and another separate thread on giving transaction history as part of the service. Still a negative but different than above-- will leave this up so as to not destroy thread.
Co-founder of Plaid here. This is not true, we do not sell transactional data to third parties. We make 100% of our money by letting developers build financial applications[1].
I flirted with the idea of using a trial account to feed that data to a Prometheus server to build graphs in Grafana. A slightly more powerful mint/personal capital would be a super valuable tool.
It’s the Facebook API issue but IMO transaction data is much more sensitive so it’s a bigger issue. I have used the Plaid API and have no idea how they audit developers to make sure they are using the data as intended and storing that data securely.
One hack incident of a developer that exposes bank numbers and transaction data would be a huge reputational hit.
I remember I spoke with both the CEO and CTO over Skype several years ago.
They actively reached out to me because of an open source project I created and they wanted to recruit me. They made quite an impression on me but I wasn't prepared to move to the US back then. Damn. Missed opportunity. Obviously they were very proactive in reaching out to the developers that they wanted rather than just passively waiting for resumes to flow in.
For those interested: In Europe, banks are forced to provide fintech companies access to customer data when the user consents to this under its "open banking" initiative
Personally speaking, I have a problem with companies like Plaid and SOFORT (EU), where they kind-of hide the fact that you provide them with your login credentials (and not the bank). From what I understand from this thread, Plaid may be selling your data and gives developers full access to the customer's transaction history. This is worrying
Per whockey's comment here[0], it doesn't seem like Plaid is selling your data directly to 3rd parties - though it doesn't prevent the developers you're giving your data to from selling it.
I'm interested to see where this goes. I use Plaid as a developer, and it feels like the user experience keeps getting worse. This isn't Plaid's fault, but as more and more financial institutions require 2FA, it gets much less automatic for Plaid to scrape data.
Instead of just seeing updated transactions, users frequently need to enter a 2FA code before Plaid can successfully complete the update. This is very clunky, especially if you've linked 10+ accounts. Hopefully, Plaid (or even government regulations) will be able to encourage banks to create real APIs and Plaid can move away from scraping entirely.
Wasn’t YC company Standard Treasury trying to help banks become more API accessible? If the banks have an API an offering, I can see how a standard would need to exist to support the primary use cases (auth, balance, transaction), and perhaps Plaid is showing what they could look like (reducing the complexity of interfacing disparate banks’ approaches to managing bank data). [NB: if there is a standard or info I am clearly not knowledgeable of based upon this comment, please educate me!]
I am not yet convinced that giving away your bank username and password to plaid/mint/other scrapers does not exempt the bank from the liability limits established in Reg E.
The user effectively gives away control of their deposit accounts. If it is subsequently misused (unlike an access device like a debit card), the user's disclosure of the password might give the bank an affirmative defense. If push comes to shove, in a large breach with bulk cashouts via wire a depository institution might not honor the claims.
It seems obvious that revocable access w/ tokens is a solution, but that gives up the game on the transaction data (and likely drives some of banks' reluctance to offer that functionality).
I'd love to have my mind changed about this, if someone can point me in the right direction.
It seems disingenuous for the banks to not provide an API spec, and then invest in and present Plaid as an alternative. This is not a technology problem, this is about entrenched players making a buck wherever possible, without doing the logical thing.
I'm glad Europe has defined an API for its banks to avoid this from happening there
I hope not, because it's such a shitshow. You literally give your bank credentials to a third party who then logs in to your account and scrapes info off of it - info that you have no control over.
Capital One was smart enough to block them off (which is the bank I use), and now they actually provide proper OAuth based APIs to access your account.
Well, at least in Germany we kind of have the FinTS protocol to get at the data and don't have to scrape. So less need for an intermediary. I also saw something about EU regulations for bank APIs, but unfortunately not one common API.
I looked into plaid+stripe solution for our ACH payments need and after playing around with it a little I just didn't feel like I can put that in front of my clients and tell them 'Yeah put in your bank login and password on our website to make the payment, we promise it's secure'. Their solution didn't sell with me and I went for Stripe ACH where they make microdeposits and the customer has to verify the amounts. Even PaySimple's eCheck solution sounds more reasonable to put in front of clients than to demand their bank login and password. IMHO
I met quite a few folks on the Plaid engineering team and was really impressed with the people I met and how they were approaching building their product. Congrats to them, and a lot more work to do!
Is Open Banking Standards going to abolish any international market opportunities for Plaid?
- CMA9 Major Banks in the UK are ready to roll out Open Banking Standards.
- In Australia the ACCC is pushing for 1 July 2019 and within 12 months all Australian banks, including the related brands of the big four, will be brought within the scope of open banking.
- Canada too with its 2020 initiatives.
US would be crazy not to adopt a similar standard but maybe this is where Plaid is specializing in due to the large number of US banks?
I spoke to a young guy recently, who is doing a graduate/rotation with one of the big US banks.
He was excited for the rotation in one of the (several) "moonshot divisions," with a goal of 10X-ing the bank in theory. I told him that I hope _giant bank_ doesn't have 10X growth in it, but...
... I think that any truly disruptive idea for fintech/banking is likely to be of the "turn a billion dollar company into a million dollar company" variety.
I would not be comfortable giving my banks, cards info to Plaid so they can provide an easy integration (API) to third party developers.
Why would Venmo need to hit Plaid API to get my banking info when they can provide their own API and allow seamless integration with my bank and credit card?
I honestly don't see the benefit over risk of handing over all my financial institutions information so they can provide a seamless API to consumers.
I’ve stopped using a number of products because the underlying Plaid connection to my banks would routinely break and take weeks (!!) to get fixed. It got to the point that functioning connections were a rarity, and things not working was the norm.
I want Plaid to succeed and I want to use those products, but beware of building something on top of Plaid; you may be driving customers away.
Is the gist of this company logging into a bank's web service using a user's credentials and scraping their account data and exposing that data via APIs to other developers?
I thought they actually integrated with the banks on the backend, but if this is all they do, I'm not comfortable using any product that snoops my bank info without any accountability.
The thing that keeps me away from all of these kinds of things is the requirement to hand over my user/pass for financial accounts.
Questions for those that know the space:
1. Is that a big struggle for fintech companies or do most people just shrug it off?
2. Are companies working on (and making progress) standards for system communication without user/pass?
They have a great team and they're making a big push to bring PSD2 compliant banking integrations to Europe. I haven't heard of many other offerings within Europe.
jaymzcampbell | 7 years ago
[1]: (https://www.openbanking.org.uk/customers/what-is-open-bankin...)
xtrapolate | 7 years ago
So your username and password are just kept in some internal database somewhere? The scrapers probably decrypt the credentials in-memory.
Also - "scraping" data off of an undocumented API sounds risky. How can I guarantee a "scraper" won't accidentally mess something up for me?
jimbru | 7 years ago
Also, big congrats to Plaid on the fundraise!
whockey | 7 years ago
[1] - https://plaid.com/pricing/
lbotos | 7 years ago
https://plaid.com/products/transactions
Quanttek | 7 years ago
https://www.cnbc.com/2017/12/25/psd2-europes-banks-brace-for...
vichu | 7 years ago
[0] https://news.ycombinator.com/item?id=18655507
sjtgraham | 7 years ago
Except it hasn't. If you're referring to PSD2, that is not what that is at all.
BukhariH | 7 years ago
https://www.yodlee.com/yodlee/europe-africa
UK startups:
https://teller.io/
https://truelayer.com/
jorge-d | 7 years ago
[0] https://bankin.com
huac | 7 years ago
they DO refuse to do corporate orders for certain companies, e.g. oil companies / oil bankers, given that those are antithetical to their mission.