
How Plaid Reconciles Pending and Posted Transactions - bjacokes
https://blog.plaid.com/finding-the-right-fit-how-plaid-reconciles-pending-and-posted-transactions/
======
jaden
It's encouraging to see Plaid making this level of effort to be accurate. It
seems like it could be a viable alternative to Mint using something like
[https://github.com/yyx990803/build-your-own-mint](https://github.com/yyx990803/build-your-own-mint)
(written by the author of Vue.js).

It's scary to think what would happen if one of these services (Mint, Personal
Capital, Plaid) had a backend data breach. If they can log in to your
financial sites, a breach would mean the attacker would be able to as well.

~~~
temp129038
Isn't it more scary to think how many people are so cavalier with sharing
their online banking credentials with a third-party app like Plaid?

I don't think enough people realize that when you authenticate with Plaid,
even for apps that don't provide "Mint-like" functionality and have no need
for your transaction history, you're giving that developer permission to pull
your transaction history, personal information, account balance, etc. without
any additional permission at any time.

~~~
ceejayoz
"I was surprised the app I gave my banking credentials could read my
transactions" seems like a weird complaint, considering there's not that much
else legitimate you _can_ do with them. I have concerns about Plaid/Mint/etc.
being breached. Less so about the access they have.

~~~
temp129038
It's not a weird complaint at all when it's being presented purely as a tool
to facilitate money transfer in/out of your bank account.

~~~
ceejayoz
If I'm trusting an app to literally _take my money_, them having access to
transaction data should hardly be shocking.

~~~
temp129038
You're giving Plaid and your average user way too much credit.

If the inherent trust is so obvious, then why would Plaid not include a very
common step in authentication flows like FB and Google to explicitly tell
users what they are agreeing to share with XYZ developer before submitting
their credentials (which may be _just_ a bank account number, but might also
be transaction history, personal information, account balance, etc.)? They've
purposefully omitted this step because conversion would almost certainly tank.

~~~
jaymmartin
I've been playing around with Plaid the past few days and they very clearly
list the permissions during authentication:

[https://i.imgur.com/xNPTIzy.png](https://i.imgur.com/xNPTIzy.png)

They even link to a dashboard that displays all the information you are
sharing with developers:

[https://my-sandbox.plaid.com/account](https://my-sandbox.plaid.com/account)

That said, I agree that the average user won't realize the implications.
Additionally, revocation/deletion of the data requires emailing them.

------
lol768
This mostly seems to be required because banks don't provide usable data
properly. There should be a way to tie together authorisations and finalized
transactions. Any API/interface that doesn't permit this is just broken.

Monzo's API includes a unique transaction ID as well as a timestamp to
indicate when (if it has happened) the transaction 'settled'. The open banking
APIs implemented by the CMA9 include a BookingDateTime and Status (Booked or
Pending) and an immutable transaction ID. It's surely just common sense to do
this.

Why is there no regulation to require banks expose a _usable_ API in NA?
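
The matching lol768 describes above (an immutable transaction ID plus a Pending/Booked status and a booking timestamp) is easy to implement once the bank supplies those fields. The Python below is an added example, not code from the post, from Plaid or from any bank's API; the Txn record layout, the seven-day staleness window and the sample records are constructed assumptions. It updates a local ledger against a fresh feed by exact ID lookup, and flags the two cases a practitioner cares about: an authorisation whose posted amount differs from what was held, and a pending authorisation that has silently disappeared.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import Optional


# Assumed record shape, modelled loosely on the Open Banking fields named in
# the thread (Status: "Pending"/"Booked", BookingDateTime). Not a real schema.
@dataclass(frozen=True)
class Txn:
    transaction_id: str             # immutable across the pending -> booked transition
    amount_cents: int               # integer cents; negative = debit
    status: str                     # "Pending" or "Booked"
    booking_dt: Optional[datetime]  # set once status == "Booked"
    description: str
    first_seen: datetime            # when this ledger first saw the ID


def reconcile(ledger, feed, now, stale_after=timedelta(days=7)):
    """Bring a local ledger up to date against a fresh bank feed.

    Because every transaction carries an immutable ID, each match is an exact
    dictionary lookup rather than a fuzzy search over amount/date/merchant.
    Returns (new_ledger, report); report lists what changed, by ID.
    """
    feed_by_id = {t.transaction_id: t for t in feed}
    known = {t.transaction_id for t in ledger}
    report = {"settled": [], "amount_changed": [], "still_pending": [],
              "dropped": [], "new": []}
    new_ledger = []

    for local in ledger:
        if local.status == "Booked":
            new_ledger.append(local)        # already final; nothing to reconcile
            continue
        current = feed_by_id.get(local.transaction_id)
        if current is None:
            # The authorisation is absent from the feed: either not reported
            # yet or expired. Keep it until it exceeds the staleness window.
            if now - local.first_seen > stale_after:
                report["dropped"].append(local.transaction_id)
            else:
                report["still_pending"].append(local.transaction_id)
                new_ledger.append(local)
            continue
        if current.status == "Booked":
            # Posted amounts can differ from the hold (tips, FX); never accept
            # that silently, surface it for review alongside the settlement.
            if current.amount_cents != local.amount_cents:
                report["amount_changed"].append(
                    (local.transaction_id, local.amount_cents, current.amount_cents))
            report["settled"].append(local.transaction_id)
        else:
            report["still_pending"].append(local.transaction_id)
        new_ledger.append(replace(current, first_seen=local.first_seen))

    for t in feed:
        if t.transaction_id not in known:   # genuinely new since the last sync
            report["new"].append(t.transaction_id)
            new_ledger.append(t)
    return new_ledger, report


def run_example():
    """Constructed sample ledger and feed exercising each reconciliation path."""
    now = datetime(2019, 6, 3, 9, 0)
    ledger = [
        Txn("tx-1001", -1250, "Pending", None, "COFFEE SHOP", now - timedelta(days=2)),
        Txn("tx-1002", -4000, "Pending", None, "RESTAURANT", now - timedelta(days=3)),
        Txn("tx-1003", -9900, "Pending", None, "HOTEL HOLD", now - timedelta(days=10)),
        Txn("tx-1004", -300, "Pending", None, "PARKING", now - timedelta(days=1)),
        Txn("tx-0999", 250000, "Booked", now - timedelta(days=20), "SALARY",
            now - timedelta(days=20)),
    ]
    feed = [
        Txn("tx-1001", -1250, "Booked", now - timedelta(hours=5), "COFFEE SHOP", now),
        Txn("tx-1002", -4800, "Booked", now - timedelta(hours=3), "RESTAURANT", now),
        Txn("tx-1005", -1599, "Pending", None, "STREAMING", now),
    ]
    return reconcile(ledger, feed, now)


if __name__ == "__main__":
    updated, changes = run_example()
    for key, ids in changes.items():
        print(f"{key:15s} {ids}")
    print("ledger:", [(t.transaction_id, t.status) for t in updated])
```

In the sample, tx-1001 settles cleanly, tx-1002 settles but with a larger posted amount and is flagged, tx-1003 was a ten-day-old hold that vanished and is dropped, tx-1004 vanished but is recent enough to keep, and tx-1005 is new. None of these decisions needed a heuristic on amount or merchant text, which is the point lol768 is making: with an immutable ID and a status field the reconciliation is a lookup, and the only judgement call left is how long to wait before treating a missing authorisation as expired.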

~~~
liveoneggs
Why would a bank be required to expose this for a third-party commercial user?

~~~
ChrisSD
As mentioned on another thread, the UK enforces such an API for the largest
banks (it's voluntary for the others at the moment)
[https://www.openbanking.org.uk/](https://www.openbanking.org.uk/)

This is part of a wider "challenger bank" initiative. Creating space for
smaller, usually digital only, banks to create more competition in the
consumer banking market. This was thought to be especially important after the
"too big to fail" crash. Directly breaking up the larger banks was never going
to happen, so instead they created an environment where competition could
(hopefully) flourish.

~~~
liveoneggs
The US doesn't need more banks. The market is actually culling them
dramatically:
[https://www.fdic.gov/bank/statistical/stats/2019Mar/FDIC.pdf](https://www.fdic.gov/bank/statistical/stats/2019Mar/FDIC.pdf)
(number of banks since 1990!)

From what I can tell there are 10x (about) as many "banks" in the US.

------
dangero
Reminder that most banks still don't provide an OAuth API for granting read
only access to your account info, so we end up with scraping data and problems
like this to solve. Plus there is a ton of completely unnecessary risk created
here by forcing users to furnish full access credentials to their bank
accounts. It's beyond stupid.

~~~
temp129038
On the other hand, it's crazy to me that we're all talking about how evil
Facebook is for selling the fact that I liked "Family Guy" 15 years ago but
for some reason we're all OK cheerleading a company that literally enables
real-time financial surveillance on unsuspecting users with a purposefully
deceitful onboarding flow that hides any mention of what permissions you're
actually providing and no simple way to revoke those permissions.

~~~
ctoth
On the other other hand it literally takes 30 seconds to change your bank
credentials so...
