[eins1234]

Re: Plaid itself, having used some of their competitors, specifically Finicity, which is one of Stripe's partners for this, I wouldn't be too worried if I were them.

IME, Plaid is lightyears ahead in terms of reliability and overall developer and end-user experience.

[sangnoir]

> IME, Plaid is lightyears ahead in terms of reliability and overall developer and end-user experience.

I regret handing over my bank login details to Plaid, since they scraped my bank statements without stating so upfront and offered that information to 3rd parties (indirectly, as a score of some sort, IIRC, but that's scraping very personal information).

When I mentioned it on HN a year or 2 ago, someone who works there denied the practice - might have been a cofounder. A few months ago I was contacted regarding a settlement for a Plaid class action suit regarding the very actions that had been denied on HN. Plaid - never again.

[SpikedCola]

This is something that absolutely blows my mind. The bank's terms of service say you can't hand over your password to anyone, and here is Plaid asking users for their login information! I can't understand how they can ask users to breach terms of service, and have gotten so far.

[sangnoir]

I was dubious while doing it - and I gave Plaid access to my settling account. I consoled myself that they wouldn't have by income, but then realized they had a copy of my financial information on spending, which is equally bad, or worse than just income. I ought to have been more vigilant - I unfortunately fell into the trap of thinking that banks are slow-moving and reluctant to develop API access.

I will never sign up for a service that requires Plaid.

[chrisseaton]

Why isn't it done through a proper API that you grant them a token for?

And how do Plaid bypass your bank's per-login 2FA if they're logging in as is they were a user?

[pbreit]

Because not many banks have such an API.

Plaid just relays the 2FA question.

I think websites would have a tough time preventing users from sharing username/password. It would certainly be acceptable in a power of attorney situation.

[jjeaff]

Not only do they relay the login and 2fa information, they even show the login as a window with company colors and branding as if you were logging in to your bank directly.

[milesskorpen]

The class action was settled — which just means it was cheaper to settle than to fight in court, not that there was wrong doing. This kind of thing is very very common, and the settlement amount was modest in the scheme of class action settlements.

Plaid is pretty clear in their privacy policy that they DO NOT repackage and resell data (they do sell data - as in, when you use Plaid to give your banking info to a mortgage broker, the broker is paying Plaid for your data, but it is at your explicit request).

If banks didn't want Plaid to do screen scraping, they could build APIs. Some are now. But they've been VERY VERY reluctant to do so, because they want to hold customers (us!) hostage to their services and make it painful to go anywhere else to get financial services. I appreciate that Plaid figured out how to break their stranglehold, which has directly enabled the current blossoming of FinTech apps ... even if they had to do so in a way I don't love.

[sangnoir]

> If banks didn't want Plaid to do screen scraping, they could build APIs.

Even if we take this as a given - what if customers don't want Plaid to scrape their data? I only used Plaid to verify that I own the bank account - but they went out of their way to scrape my transaction information, just because they could, and that data is valuable - that is messed up. I'm sure if my bank had an API, Plaid would still have hoovered up my transaction information, so the "API access vs Scraping" debate is a sideshow.

If they hadn't scraped my transaction information, I wouldn't have been part of the class, but they chose to maximize data collection. If it had been Facebook or Google that harvested financial info the way Plaid did, no one would be saying "Their TOS is clear about it". Additionally, any big tech company can purchase Plaid and get that data (I can't remember if the settlement has a provision for deletion of that data).

[geraldwhen]

Not really. APIs cost money to develop, and people, and time. And many large banks don’t have robust engineering teams that can tackle new challenges or support a public api.

Small projects as you might imagine are measured in years, not days or months.

An API like you describe could take half a decade to build, at the cost of hundreds of millions of dollars. These are not fake numbers or estimates. This is what it would cost.

When you think big finance, think government.

[jjeaff]

I think you will rarely see a class action settlement for a complaint with zero merit. Otherwise, you would be getting a tiny class action check in your mailbox every week for every company that prefers to settle rather than fight.

Do you also believe that Bill O'Reilly and Fox News paid out $30m+ even though he didn't do anything? After all, they admitted no wrong doing in the settlements.

[mikeodds]

I got the same answer from them on HN here 10 months ago

https://news.ycombinator.com/item?id=27467797#27476452

Me: Always been curious - do you (Plaid) use the transaction data or any other data obtained from customers logins for anything other than the reason the customer supply’s their credentials? I.e if I use plaid to link to my Robin Hood account, do you in any way sell/share/use my data apart from allowing me to fund my Robin Hood account?

Response: Good question! No, we don't. Our official statement on this is at https://plaid.com/how-we-handle-data/ "Plaid only shares your data with your consent. We don’t share your personal information without your permission, and we don’t sell or rent it to outside companies."

[Terretta]

That could easily be a lawyer-speak official statement.

They say “personal information”. That is consumer-facing language for something which in banking has a legally (regulation) defined term: “PII” or personally identifiable information:

https://www.investopedia.com/terms/p/personally-identifiable...

It can be argued that lists of money spent at stores cannot be reversed back to a person without other information. So they might not consider your transactions PII.

As for the consent, the TOS click wrap generally gets your consent, in the part where firms mumble about “our partners” for “legitimate uses” or etc. while bucketing various data brokers in that class.

[propogandist]

change your bank account password, if you've ever used Plaid or any of the comparable services to verify your account, to prevent the scraping. They are constantly hitting bank accounts where they have access.

[fishywang]

>IME, Plaid is lightyears ahead in terms of reliability and overall developer and end-user experience.

I don't know. Maybe their competitors are even worse? But as an end-user Plaid's experience is far from good.

In their current state I really don't have much control after I gave them my banking credentials. If they can actually implement an OAuth model for their paying customers (e.g. third parties using their API) to integrate, that would be much better. For example when I try some service first I can initially only give it access to one of my least important account, evaluate whether it's useful, before giving it more of my accounts, or revoke it access to all my accounts. I have none of those controls today.

I actually also interviewed with them several years ago, and mentioned the OAuth thing during my interview. But after all these years it's still not there. If I have to _guess_ why, I would guess they fear such a feature will make their paying customers (API users) less likely to use their product, e.g. their business model actually relies on the end users' lack of control.

[Aeolun]

The product maybe, but my interactions with the company have been dissapointing.