
Fintech startup Plaid raises $250M at a $2.65B valuation - AiaMD13
https://techcrunch.com/2018/12/11/fintech-startup-plaid-raises-250m-at-a-2-65b-valuation/
======
chatmasta
Plaid is a great idea, but the implementation worries me. My understanding is
that, for most banks, you give Plaid your username and password, and Plaid
scrapers on their servers log into your online banking account. Even worse,
Plaid obfuscates this behavior from users by replicating their bank's login
window and making it appear that you are logging directly into your bank.

I'm not sure how to feel about this, because I understand that banks' lack of
open API access is the central problem. But it seems irresponsible to present
Plaid as a secure solution, when its login system is technically a phishing
page.

I think a much cooler, probably safer, solution would be a mobile SDK that
runs the scrapers directly from the user's phone, instead of on Plaid's
servers.

~~~
jaymzcampbell
It always blew my mind that services like Yodlee
([https://www.yodlee.com](https://www.yodlee.com)) worked that way. I can
understand it from the point of view that no traditional bank was set up to
allow structured access but it never felt right to me.

In the UK there is a big push around "open banking"[1] which will bring this
into the 21st century and allow for proper programmatic access to data. It's
still in its infancy but the sector here is transforming around it.

[1]: [https://www.openbanking.org.uk/customers/what-is-open-banking/](https://www.openbanking.org.uk/customers/what-is-open-banking/)

~~~
sjtgraham
Open Banking and PSD2 are both complete failures. Who is in market with a
decent product built on it? Nobody is. What people need to realise is that 1st
party APIs are completely at odds with the incentives to maintain the status
quo, i.e. they pose an intermediation threat and in the worst case relegate
banks to mere utilities with zero margin. Furthermore a bank will never use
its own public API in its own products, hence there being zero downside for
exposing a shitty one. The only way this will happen is if 3rd party
companies in the market force it to.

~~~
semerda
Good number of companies using it already
[https://www.openbankproject.com/apps/](https://www.openbankproject.com/apps/)
and they claim 10K developers.

~~~
sjtgraham
That's not Open Banking. That's the Open Bank Project, a completely separate
thing. They're a company that tries to sell their platform to banks and
provide a FOSS sandbox.

------
alehul
There's been a whistleblower or two on HN about how Plaid scrapes and sells
your bank account transaction history to third parties.

It seems more unethical than most selling-user-data strategies in that the
users don't even know Plaid is involved in the transaction _whatsoever_ ;
they're just a hidden middle layer.

I'd be interested to know if this is still part of their monetization
strategy, or if anyone at Plaid can confirm definitively that they do not
collect and sell your bank account transaction history?

Edit: So sorry on my part, specifically on selling data, must've mixed this up
now that I've read the comment (linked below). It involved scraping user data
against the wishes of the banks, and doing huge amounts of customer analytics
with such data, and another separate thread on giving transaction history as
part of the service. Still a negative but different than above-- will leave
this up so as to not destroy thread.

~~~
whockey
Co-founder of Plaid here. This is not true, we do not sell transactional data
to third parties. We make 100% of our money by letting developers build
financial applications[1].

[1] - [https://plaid.com/pricing/](https://plaid.com/pricing/)

~~~
alehul
Thanks William, and sorry for the wrong accusation. Super embarrassed; I read
so many comments on that thread I must've conflated two.

~~~
ryanackley
Here is one discussion from a so-called whistleblower I was involved in. I
will let you decide on the ethics[1].

I'm in the ACH space and I personally know a merchant who planned on using
them for account verification for point of sale ACH payments. This merchant
also planned on grabbing transaction history while they were in there for I
don't know what. Analytics maybe? I have no idea if they ever went through
with their plan.

[1] [https://news.ycombinator.com/item?id=17692291](https://news.ycombinator.com/item?id=17692291)

~~~
bdcravens
This was the merchant, and not Plaid. While Plaid gives such merchants a lot
of power, I don't think the ethics issue lies with Plaid (though you could
make a good argument that they should grant limited access, and full API
access only on a more restricted whitelist basis)

~~~
galvanizer
So according to you Facebook is not responsible for Cambridge Analytica
scandal.

------
cryptica
I remember I spoke with both the CEO and CTO over Skype several years ago.

They actively reached out to me because of an open source project I created
and they wanted to recruit me. They made quite an impression on me but I
wasn't prepared to move to the US back then. Damn. Missed opportunity.
Obviously they were very proactive in reaching out to the developers that they
wanted rather than just passively waiting for resumes to flow in.

~~~
ativzzz
What project were you working on?

~~~
jondubois
SocketCluster. A WebSocket framework for NodeJS. I'm still working on it
actually.

------
Quanttek
For those interested: In Europe, banks are forced to provide fintech companies
access to customer data when the user consents to this under its "open
banking" initiative

[https://www.cnbc.com/2017/12/25/psd2-europes-banks-brace-for-new-eu-data-sharing-rules.html](https://www.cnbc.com/2017/12/25/psd2-europes-banks-brace-for-new-eu-data-sharing-rules.html)

Personally speaking, I have a problem with companies like Plaid and SOFORT
(EU), where they kind-of hide the fact that you provide them with your login
credentials (and not the bank). From what I understand from this thread, Plaid
may be selling your data and gives developers full access to the customer's
transaction history. This is worrying.

~~~
vichu
Per whockey's comment here[0], it doesn't seem like Plaid is selling your data
directly to 3rd parties - though it doesn't prevent the developers you're
giving your data to from selling it.

[0]
[https://news.ycombinator.com/item?id=18655507](https://news.ycombinator.com/item?id=18655507)

------
jncraton
I'm interested to see where this goes. I use Plaid as a developer, and it
feels like the user experience keeps getting worse. This isn't Plaid's fault,
but as more and more financial institutions require 2FA, it gets much less
automatic for Plaid to scrape data.

Instead of just seeing updated transactions, users frequently need to enter a
2FA code before Plaid can successfully complete the update. This is very
clunky, especially if you've linked 10+ accounts. Hopefully, Plaid (or even
government regulations) will be able to encourage banks to create real APIs
and Plaid can move away from scraping entirely.

~~~
dpflan
Wasn’t YC company Standard Treasury trying to help banks become more API
accessible? If the banks have an API offering, I can see how a standard
would need to exist to support the primary use cases (auth, balance,
transaction), and perhaps Plaid is showing what they could look like (reducing
the complexity of interfacing disparate banks’ approaches to managing bank
data). [NB: if there is a standard or info I am clearly not knowledgeable of
based upon this comment, please educate me!]

~~~
colinloretz
That was the goal but they were acquihired by Silicon Valley Bank.
[https://www.svb.com/news/company-news/api-banking-startup-standard-treasury-joins-silicon-valley-bank/](https://www.svb.com/news/company-news/api-banking-startup-standard-treasury-joins-silicon-valley-bank/)

~~~
kbyatnal
And then they left SVB to try again

[https://treasuryprime.com](https://treasuryprime.com)

~~~
docker_up
Interesting, how is this different from Standard Treasury?

~~~
jimbru
Heyo, cofounder of Treasury Prime here.

The main differences are how we're working with banks. Back then we sold only
to large banks, plus banks weren't yet comfortable using cloud services,
meaning everything had to be built on-premise (very silly). Now we sell into
all sizes of bank because we're able to operate with a SaaS model.

Likewise for developers that means we can move much faster and there's a much
better chance we'll be able to find a bank that's a good fit for you. If
you're interested in using the API, email me and say hi:
hello@treasuryprime.com

------
rchaud
The billion-dollar battle to share your personal financial information to even
more unaccountable third parties.

------
zonethundery
I am not yet convinced that giving away your bank username and password to
plaid/mint/other scrapers does not exempt the bank from the liability limits
established in Reg E.

The user effectively gives away control of their deposit accounts. If it is
subsequently misused (unlike an access device like a debit card), the user's
disclosure of the password might give the bank an affirmative defense. Push to
shove, in a large breach with bulk cashouts via wire a depository institution
might not honor the claims.

It seems obvious that revocable access w/ tokens is a solution, but that gives
up the game on the transaction data (and likely drives some of banks'
reluctance to offer that functionality).

I'd love to have my mind changed about this, if someone can point me in the
right direction.

------
writepub
It seems disingenuous for the banks to not provide an API spec, and then
invest in and present Plaid as an alternative. This is not a technology
problem, this is about entrenched players making a buck wherever possible,
without doing the logical thing.

I'm glad Europe has defined an API for its banks to avoid this from happening
there.

~~~
sjtgraham
> I'm glad Europe has defined an API for its banks to avoid this from
> happening there

Except it hasn't. If you're referring to PSD2, that is not what that is at
all.

------
yoran
Does anyone know if such a thing exists in Europe?

~~~
scient
I hope not, because it's such a shitshow. You literally give your bank
credentials to a third party who then logs in to your account and scrapes info
off of it - info that you have no control over.

Capital One was smart enough to block them off (which is the bank I use), and
now they actually provide proper OAuth based APIs to access your account.

~~~
asianthrowaway
Things are changing with PSD2 regulations. Banks in the EU starting in 2019
will have to provide open (and secure) APIs to third parties.

~~~
scient
One can only hope this would make it to the US as well. The problem largely
seems to be banks being ancient behemoths in terms of technology, and
introducing APIs like this poses a significant risk from security and policy
perspective. Plus it's not going to be a major source of revenue either, so why
bother?

------
elvirs
I looked into plaid+stripe solution for our ACH payments need and after
playing around with it a little I just didn't feel like I can put that in
front of my clients and tell them 'Yeah put in your bank login and password on
our website to make the payment, we promise it's secure'. Their solution didn't
sell with me and I went for Stripe ACH where they make microdeposit and
customer has to verify the amounts. Even PaySimple's eCheck solution sounds
more reasonable to put in front of clients than to demand their bank login and
password. IMHO

~~~
astura
Every service I've used where you can verify your account with your bank's
username/password had it as an option, not required.

------
ejcx
I met quite a few folks on the Plaid engineering team and was really impressed
with the people I met and how they were approaching building their product.
Congrats to them, and a lot more work to do!

------
semerda
Congrats Plaid!

Is Open Banking Standards going to abolish any international market
opportunities for Plaid?

- CMA9 Major Banks in the UK are ready to roll out Open Banking Standards.
- In Australia the ACCC is pushing for 1 July 2019 and within 12 months all
  Australian banks, including the related brands of the big four, will be
  brought within the scope of open banking.
- Canada too with its 2020 initiatives.

US would be crazy not to adopt a similar standard but maybe this is where
Plaid is specializing in due to the large number of US banks?

------
dalbasal
I spoke to a young guy recently, who is doing a graduate/rotation with one of
the big US banks.

He was excited for the rotation in one of the (several) "moonshot divisions,"
with a goal of 10X-ing the bank in theory. I told him that I hope _giant bank_
doesn't have 10X growth in it, but...

... I think that any truly disruptive idea for fintech/banking is likely to be
of the _"turn a billion dollar company into a million dollar company"_
variety.

------
harryf
Side note: I once heard from the venture arm of a rather well known CRM that
Patagonia gets upset when you embroider your logo on their jackets ( e.g. in
this picture [https://techcrunch.com/wp-content/uploads/2018/12/DSC1296-2.jpg?w=1390&crop=1](https://techcrunch.com/wp-content/uploads/2018/12/DSC1296-2.jpg?w=1390&crop=1) )...

~~~
huac
that's not true, patagonia offers embroidery themselves:
[https://www.patagonia.com/corporate-sales-silk-screening-embroidery.html](https://www.patagonia.com/corporate-sales-silk-screening-embroidery.html)

they DO refuse to do corporate orders for certain companies, e.g. oil
companies / oil bankers, given that those are antithetical to their mission.

------
CodeSheikh
I would not be comfortable giving my banks, cards info to Plaid so they can
provide an easy integration (API) to third party developers.

Why Venmo would need to hit Plaid API to get my banking info when they can
provide their own API and allow seamless integration with my bank and credit
card?

I honestly don't see the benefit over risk of handing over all my financial
institutions information so they can provide a seamless API to consumers.

------
deedubaya
I’ve stopped using a number of products because the underlying Plaid
connection to my banks would routinely break and take weeks (!!) to get fixed.
It got to the point that functioning connections was a rarity, and things not
working was the norm.

I want Plaid to succeed and I want to use those products, but beware of
building something on top of Plaid; you may be driving customers away.

------
siamakfr
Is the gist of this company logging into a bank's web service using a user's
credentials and scraping their account data and exposing that data via APIs to
other developers?

I thought they actually integrated with the banks on the backend, but if this
is all they do, I'm not comfortable using any product that snoops my bank info
without any accountability.

~~~
ivalm
Yup, I use Mint, occasionally, but now I am rethinking it. I really thought it
was integrated with the bank's api.

~~~
ceejayoz
It is, in some cases. Depends on the bank.

Capital One allows creation of read-only credentials explicitly for stuff like
Mint, too.

------
bonsai80
The thing that keeps me away from all of these kinds of things is the
requirement to hand over my user/pass for financial accounts.

Questions for those that know the space:

1. Is that a big struggle for fintech companies or do most people just shrug
   it off?
2. Are companies working on (and making progress) standards for system
   communication without user/pass?

------
jplahn
Giving a plug to [https://truelayer.com/](https://truelayer.com/).

They have a great team and they're making a big push to bring PSD2 compliant
banking integrations to Europe. I haven't heard of many other offerings within
Europe.

------
RGamma
Isn't it bloody easy enough already to pay for stuff? Fintech startups (this
one with its dubious implementation especially) with huge valuations make me
sad...

------
kfroggie
“Plaid consolidates financial data from multiple sources and categorizes
transaction data with up to 24 months of history, making it easy to use and
analyze.”

------
martinald
What's the difference between Plaid and Yodlee?

------
eurothrow
Can anyone point to a list of apps/services that use this?

For privacy reasons, I'd prefer to avoid anything of the sort.

~~~
astura
You would know if you're being asked for your bank's username and password by a
third party and can decide if you want to share that information; it's not
something that you really need to know anything about ahead of time to be able
to avoid.

The apps I know who use Plaid are Drop and Venmo. Some banks use it to
instantly link external accounts without having to do trial deposits.

~~~
siamakfr
That's not entirely true. They try and imitate your bank's branding on the log
in page and do not make any mention of Plaid. For example, when setting up
Venmo, I thought I was logging into something my bank had created.

~~~
astura
I mean, the only reason I even know what Plaid is is because the services I've
used advertise they are using Plaid, for example, Drop:
[https://imgur.com/a/l4PM6QG](https://imgur.com/a/l4PM6QG) I remember seeing
it on Citibank too.

You're still sharing your bank account information with someone else. Even if
it's your bank's API or whatever, "something my bank created" could be
"something my bank had hired an external company to create," or even "a front
end my bank created that uses third party software to do all the data
processing on the back end." I'm not sure of a meaningful distinction between
each case. If you want to minimize sharing bank account information "for
privacy" then you don't give your bank account information to anyone.

~~~
ghostly_s
> If you want to minimize sharing bank account information "for privacy" then
> you don't give your bank account information to anyone.

That's the whole point. You _don't know_ you're giving your account
information to anyone. I use Venmo and had no idea they relied on this
technique until reading your comment.

------
travisoneill1
Startup. $2.65B valuation. I guess "startup" just means any non-public company
now.

~~~
estsauver
I think the pg definition of "A startup is a company that is pursuing a very
high growth strategy" still applies. If you believe Plaid is trying to get
themselves to 5B in the next two years, it can probably still apply.

I think of it as "Startup" vs "Steady State."

------
dpflan
Will Plaid be a data brokerage for financial transaction information?

------
sonnyblarney
The thought of giving any of my passwords to a 3rd party is problematic ...
but my _banking_ password ? This is an issue.

Also a risk, because any bank could simply shut this down pretty quickly and
if one does it, the others could follow.

The first 3rd party that messes up, with the whiff of a scandal ... and this
is going to disappear, or rather, the banks may decide that they'll do some
API, but not for free.

I'm waiting for 'Cambridge Analytica' but with your money this time.

~~~
ceejayoz
> Also a risk, because any bank could simply shut this down pretty quickly and
> if one does it, the others could follow.

I mean, Mint's been doing it for twelve years, and they're hitting thousands
of banks. They're definitely on the major banks' radar by now.

------
creeble
Why doesn't Mint have this kind of valuation?

I guess I don't understand how they differ, I do get that they both rely on
giving your bank credentials to a third party and that they both scrape your
financial history.

~~~
tommymachine
Mint is owned by Intuit, valued at 53.88B!

