Enforcing stupid & unreasonable ToS in court is a slippery slope that can be used against users.
You want to use an alternative client to export your data because the official client doesn't allow it? ToS violation and the developer of the alternative client gets sued.
Want to screen-scrape some website to automate some tedious manual behaviour? ToS violation and you get sued.
The ability to delegate some manual process (logging into online banking and getting the data) to a third-party (like Plaid) should be a right that we should defend.
At least with credential sharing & screen-scraping nobody can lock you out. Does it suck? Yeah. But I'd rather take a solution that sucks than no solution at all.
In the UK banks (in an attempt to encourage online banking) have a fraud guarantee related to losses from unauthorised access to online banking systems as long as you haven't given your credentials to a 3rd party.
Screen scraping, like Plaid's, obviously breaks that concept.
In that case it seems reasonable for the banks to have a ToS that says "no giving your credentials to third parties".
If there's no such guarantee and the user is on their own from a fraud loss perspective then I don't see a reason for enforcing that kind of ToS.
All that said, the idea of a transactional banking system being online with purely static credentials in 2020 is a scary one. Decent 2FA should be used for any system that has a financial impact.
Will be interesting to see where this goes.
I've also seen online mortgage applications ask for banking and retirement account passwords for the purpose of automated form-filling. It seems very shortsighted to give away your password to save 5 minutes filling out a form.
The nightmare scenario is that you give your bank account password to one of these screen scraping services, someone manages to hack them and empties your account, and you can't get the money back because giving away your password violates the terms of service for your online banking.
Also worth noting that the largest of US banks do offer APIs, but a large swath of the rest do not, either due to proprietary systems, choosing not to use their processor-offered solutions, or simply avoiding risk.
So, Plaid will have to scrape for another few years, I suspect, until the banks catch up in the US to what we are seeing in UK and other places.
...and yes, we support 2FA. ;)
Edit: the website itself also returns a 403.
Plaid works great and we've run into next to no issues with customers linking Plaid.
It depends on your customers, too.
If you're targeting consumers, Plaid's integration works far better than if you're targeting business bank accounts.
If your company is ONLY supporting Plaid then your issue is that your smarter customers are leaving.
Any organization that asks for your personal password is nefariously normalizing this behavior and building complacency in consumers to trust anyone with their private information.
Worth noting I don’t work for a financial services company so the use case is likely very different than the services you’re discussing.
Apologies if I came off strong, it appears I may be a one-off consumer as opposed to mainstream.
Imagine PCI-DSS compliance but without the exception that you don't have to be PCI-compliant yourself if you don't touch card data and pass it directly to a PCI-compliant payment processor.
Can you automate this? This is my point. Manual CSV exports are not a solution. Open Banking was supposed to solve this but it's a complete sham that is only there to make them look like they're doing something and benefit the existing incumbents.
It would be an unusual TPP where the data never left the customer's device. Usually there'll be a web service/web app provided by the TPP and the communications will be between the customer and the TPP and then the TPP and the bank (a.k.a. the ASPSP).
Whilst it's not perfect, it's a hell of a lot better, from a security perspective, than 3rd parties getting full banking creds for customers.
Why? The scenario you mention (providing an unified view of a person's multiple accounts & credit cards) can perfectly be done on the device itself and negates plenty of concerns regarding security, the need for a backend, etc. I personally made an app to display my balance & transactions on my Apple Watch. It's purely local and doesn't even have a backend. Yet, I can't actually launch it "by the rules" because I need to become an AISP even though I never come in contact with actual banking data.
> 3rd parties getting full banking creds for customers.
This is clearly a stop-gap solution until something better comes around, and frankly it isn't the worst solution if you trust the third-party. At least it becomes the user's choice whether to share credentials instead of the bank or some other entity deciding who can and can't have access based on potentially stupid or anti-competitive reasons.
The problem of customer choice is that customers are very badly informed about the relative security of services, so there's a market for lemons. If the bank has no liability, that's possibly fine (although it could be argued the bank has some responsibility to advise the customer), but if the bank has any liability for issues resulting, then they get a say in the outcome.
Leakage of the consumer secret/consumer key alone doesn't compromise security as you still need the access token and refresh token which are per-user.
Plaid definitely works with BoA + 2FA, at least as of about a month ago when I had to use it.
Certainly false, at least for Bank of America. Just yesterday I connected BofA to privacy.com using Plaid and it asked me to enter the SMS 2FA code.
The solution is regulation to force Banks to provide customer data over an API to an authorized third party (preferably with 2FA on that too, and other security mechanisms, like mutual auth, auditing the security and probity of the subscriber etc).
Scraping is such a 1990s solution, and Plaid's Uber-like disregard for rules made it a non-starter for anyone sensible.
Ironically, while it might get systematic integration with VISA, the privacy implications are far worse.
Very few banks have publicly-accessible APIs, and when they do, they likely won't return consistent data. There simply isn't a standard in the U.S. There are literally thousands of banking systems in this country. As someone who helps run a fintech app, I can assure you there are significant numbers of people who are simply members of their local credit union with very limited technology.
I assumed this was because they were switching over to their API, and that was the only way to pull data now. I could be wrong, it just seems weird that 3 different sites made me reauthenticate within a month or so.
They may have fixed it by now, I haven't tried more recently.
> We retain information we collect about you for as long as necessary to fulfill the purposes for which we collected it, unless a longer retention period is required OR PERMITTED under applicable law.
It is not necessary to "hack" Plaid.
My wallet was stolen and before I realized it was gone and could cancel my CCs some dude made like six obviously fraudulent purchases. No Chip and PIN, zero verification. US banking needs to be legislatively hard-reset.
It also means you are holding your cards out all the time you use your phone on the street, which is prime time for somebody to come and snag it out of your hand.
Not a single point at all; it's just a couple of cards in the slot.
A few of my friends were talking about Plaid the other day, and I told them I like the company/product, but "many people on HN hate it." They were perplexed and when I explained it was because you guys were nervous about entering your bank password into a third-party (yet reputable) company's interface (that's encrypted), they wrote it off as "being paranoid." Can't say I disagree...
It is probably the one thing you can do today that will at some point cause you to lose money from your bank account.
It is not even paranoid. It's a bad idea to leave your bank access codes with someone else.
The less people understand how things work, the more likely they are to trust it. This just opens up a new avenue for exploitation.
My problem with these services is not that I don't trust them - I know how bad banking IT is, they can't be much worse. What bothers me, is that they teach users that it's okay to enter your credentials into third party sites, a recipe for disaster.
I previously worked at a “reputable” company whose main product stores usernames and passwords for third-party sites. It’s a conceptually-similar product to what Plaid offers, but in a different problem space. These passwords were encrypted.
* any developer or ops member could trivially have dumped the entire plaintext dataset
* there were multiple bugs discovered that would have allowed dummy accounts to quickly, trivially, and remotely dump the entire plaintext dataset
* if these bugs had been exploited, we would have had no way to know past a few weeks due to log rotation policies
* administrator passwords to systems were often just single English words
If anyone with ill intent had looked at this product for more than an hour, they likely would have discovered some of the bugs mentioned; one was pretty much just a
Combine this with the consequences of a breach: if your credentials are stolen from Plaid and used to steal money from you, your bank, brokerage, or other financial institution can point to your use of this product as cause to deny your claim to have your funds returned. Essentially, they can point to Plaid as a violation of their terms of service, and hold you on the hook for any losses as you voluntarily gave your credentials to a third party.
Hell, even if Plaid isn’t breached and your account is compromised through other means, they can use the logs from Plaid regularly logging into your account to make the same case.
See PSD2 in the EU, for example.
Information we collect from your financial accounts. The information we receive from the financial product and service providers that maintain your financial accounts varies depending on the specific Plaid services developers use to power their applications, as well as the information made available by those providers. But, in general, we collect the following types of identifiers, commercial information, and other personal information from your financial product and service providers:
Account information, including financial institution name, account name, account type, account ownership, branch number, IBAN, BIC, and account and routing number;
Information about an account balance, including current and available balance;
Information about credit accounts, including due dates, balances owed, payment amounts and dates, transaction history, credit limit, repayment status, and interest rate;
Information about loan accounts, including due dates, repayment status, balances, payment amounts and dates, interest rate, guarantor, loan type, payment plan, and terms;
Information about investment accounts, including transaction information, type of asset, identifying details about the asset, quantity, price, fees, and cost basis;
Identifiers and information about the account owner(s), including name, email address, phone number, date of birth, and address information;
Information about account transactions, including amount, date, payee, type, quantity, price, location, involved securities, and a description of the transaction; and
Professional information, including information about your employer, in limited cases where you’ve connected your payroll accounts.
The data collected from your financial accounts includes information from all your accounts (e.g., checking, savings, and credit card) accessible through a single set of account credentials.
Does Plaid bank the underbanked? I am not sure what their appeal is.
Do they do more than replace Yodlee nowadays, where it's an SDK for people to scrape bank accounts? Like, say, if you're an accounting app and need to import bank statements.
Here is the list of fintech companies which use Plaid as published in the Visa acquisition presentation. Many of these (like non-lenders) have no legitimate use for all that info.
There was a GitHub issue opened, and after several follow-up complaints they blocked further commenting and then removed the ticket.
Subject of the ticket [plaid/link] privacy/security concerns (#68)
I refuse to do business with any business that uses plaid and has no sane alternative to get bank account numbers (deposit two small amounts, three days later I tell you what they are)
First time I saw it, I assumed the website had been hacked. I was actually more horrified when I found out that this was working as intended and some website wanted my bank password!
If in doubt, you should check your bank's terms of service for online banking.
I'm a bit horrified this is still a thing, too. Doing this just confirms you have the correct account and routing number, so you can deposit and withdraw. It won't allow you to see transactions--will it?
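The deposit-and-report scheme described a few comments up (two small deposits, the customer reports the amounts) proves control of an account without any login being handed over, and as the comment above says it only confirms the account and routing number. Below is an added example of the verifying side, written for this page and not code from Plaid or any bank. The amount range ($0.01 to $0.99), the three-attempt lockout and the field names are assumptions; the point of the lockout is that without one the two amounts are only a ~4,851-pair space, which someone holding a stolen account and routing number could simply guess through.

```python
import secrets
from dataclasses import dataclass

# Constructed for this example: deposits are between $0.01 and $0.99, and the
# customer gets a small number of guesses before the link has to be restarted.
MIN_CENTS, MAX_CENTS = 1, 99
MAX_ATTEMPTS = 3


@dataclass
class PendingVerification:
    amounts_cents: tuple        # the two deposits actually sent to the account
    attempts: int = 0
    verified: bool = False
    locked: bool = False


def pick_amounts() -> tuple:
    """Two distinct random amounts, drawn with `secrets`, not `random`."""
    a = MIN_CENTS + secrets.randbelow(MAX_CENTS - MIN_CENTS + 1)
    b = MIN_CENTS + secrets.randbelow(MAX_CENTS - MIN_CENTS)
    if b >= a:                  # skip over `a` so the two amounts differ
        b += 1
    return (a, b)


def start_verification(amounts_cents=None) -> PendingVerification:
    """Record what was sent; `amounts_cents` is only overridable for testing."""
    return PendingVerification(amounts_cents or pick_amounts())


def check_amounts(pv: PendingVerification, claimed_a: int, claimed_b: int) -> bool:
    """Order-insensitive comparison; lock the attempt after MAX_ATTEMPTS misses."""
    if pv.locked or pv.verified:
        return False            # a consumed or locked verification never re-verifies
    pv.attempts += 1
    ok = sorted((claimed_a, claimed_b)) == sorted(pv.amounts_cents)
    if ok:
        pv.verified = True
    elif pv.attempts >= MAX_ATTEMPTS:
        pv.locked = True
    return ok


def guess_space() -> int:
    """Unordered pairs of distinct amounts: the search space if there were no lockout."""
    n = MAX_CENTS - MIN_CENTS + 1
    return n * (n - 1) // 2


if __name__ == "__main__":
    pv = start_verification()
    print("sent (cents):", pv.amounts_cents, "guess space without lockout:", guess_space())
    for guess in ((1, 2), (3, 4), (5, 6)):
        print("guess", guess, "->", check_amounts(pv, *guess), "locked:", pv.locked)
```

The verifying side learns nothing about the account beyond "the person asking can see deposits into it", which is exactly the read access the screen-scraping route hands over in full. Whether the customer reads the two amounts off a statement or a notification is up to them; the service never sees their credentials.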
FWIW, a minority of banks have "linked apps" that allow you to revoke access from the bank's website (some are clear they're restricting it to read-only access). But I'm not sure how consistent or widespread this kind of thing is. I doubt if you're offering a service like Plaid you could rely on only supporting these institutions.
This was my exact same impression. Even after some Googling and asking friends where I learned this was a thing, I was still very wary that it was legit.
We do use the Plaid Link widget (as do most other fintechs in the US). We don't touch credentials or handle the bank login page.
Commentary about the state of the US banking system aside, Plaid is pretty much the industry standard way to do instant bank account verifications today. However, we also have options to link with debit card and account / routing number if you're not comfortable with the Plaid route (totally understandable).
Also, it's one thing for me to let a third party withdraw money from my checking account (if I provide my account number), but that doesn't mean I want to give them the ability to do things like change my password, disable 2FA, read my transaction history, transfer money out of my other accounts, cancel my cards, and so on — which they can if they have my password. That's just insane.
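The least-privilege point above (a party allowed to pull money should not thereby be able to change the password, disable 2FA, read everything or move money out of other accounts) and the earlier remark that a leaked consumer key/secret alone is not enough because the access and refresh tokens are per-user are both what a scoped, bank-signed access token buys you over a shared password. The following is an added example written for this page, not Plaid's, Visa's or any bank's code: the signing key, the client name, the scope names and the action list are all invented for illustration, and a real deployment would keep the signing key in the bank's HSM/KMS.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: the *bank's* token-signing key. It never leaves
# the bank, so a third party (or whoever breaches it) cannot mint tokens.
BANK_SIGNING_KEY = b"example-bank-signing-key-not-for-production"

# Hypothetical actions a third party might attempt, mapped to the scope the
# account holder would have had to grant. None means "not delegable at all":
# no token, however scoped, can do it; only the account holder can.
REQUIRED_SCOPE = {
    "read_balance": "accounts:read",
    "read_transactions": "transactions:read",
    "initiate_transfer": "payments:write",
    "change_password": None,
    "disable_2fa": None,
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_payload(payload: dict, key: bytes) -> str:
    """Serialise the payload deterministically and append an HMAC-SHA256 tag."""
    body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def issue_token(user_id: str, client_id: str, scopes, ttl_seconds: int, now=None) -> str:
    """Bank side: mint a per-user, per-client token limited to `scopes`."""
    now = time.time() if now is None else now
    payload = {"sub": user_id, "azp": client_id, "scope": sorted(scopes),
               "exp": int(now + ttl_seconds)}
    return sign_payload(payload, BANK_SIGNING_KEY)


def verify_token(token: str, now=None):
    """Resource-server side: return the payload, or None if the tag or expiry fails."""
    now = time.time() if now is None else now
    try:
        body, tag = token.split(".")
        expected = hmac.new(BANK_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):   # constant-time compare
            return None
        payload = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None
    if payload.get("exp", 0) <= now:
        return None
    return payload


def authorize(token: str, action: str, now=None) -> bool:
    """True only if the token verifies AND carries the scope `action` needs."""
    payload = verify_token(token, now)
    if payload is None:
        return False
    needed = REQUIRED_SCOPE.get(action)
    if needed is None:          # unknown action, or one no token may perform
        return False
    return needed in payload.get("scope", [])


if __name__ == "__main__":
    t0 = 1_700_000_000
    read_only = issue_token("user-123", "fintech-app",
                            ["accounts:read", "transactions:read"], 3600, now=t0)
    for action in REQUIRED_SCOPE:
        print(f"{action:18s} -> {authorize(read_only, action, now=t0 + 10)}")
    # Someone holding only the third party's leaked client secret cannot forge a token.
    forged = sign_payload({"sub": "user-123", "azp": "fintech-app",
                           "scope": ["payments:write"], "exp": t0 + 3600},
                          b"leaked-client-secret")
    print("forged token accepted:", verify_token(forged, now=t0 + 10) is not None)
```

Two things fall out of the design. Because the bank, not the third party, signs the token, a leaked client secret only lets an attacker impersonate the client at the token endpoint (where the bank still requires the user to authenticate and consent); it does not let them fabricate access to anyone's account. And the scope check is where "may debit this account" and "may change the password" are kept apart, which a shared login can never do.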
I'm cautiously optimistic for a good outcome for the Plaid folks here: last round was two years ago for $250M. Could they have been suffering $10M/month losses and are running out of money? Could be.
No offense to Visa, but I don't think of them as the most innovative organization or one that is a sign of a "good outcome" for a company getting acquired. I can't think of a good exit to Visa, but I am open to being wrong on that one.
Disclosures: worked at Stripe; dealt altogether more than I would have liked with Visa. Have no knowledge of Plaid's particulars.
Edit: Visa and Mastercard were strategic investors in the C round. Curious what the competitive dynamics were that led to Visa grabbing the acquisition instead of MC. https://techcrunch.com/2019/09/16/plaid-announces-strategic-...
Visa is a $434B company. I guess "innovative" is subjective but their valuation trajectory has looked like a high growth tech co over the past 5 years.
But then the other part of me says that I clearly have no clue what I'm talking about, there's basically no chance they could stay relevant this long without being on top of it at some meaningful level. And potential quasi-monopoly status doesn't quite capture it. So much of finance has been disrupted by technology, you figure if there are finance companies that weren't disrupted, it must be because they are the technology.
It seems their main software division is in India and in the US it's mostly sales, servers, mobile, and POS support, suggesting that the company is focused on the bottom line and probably could be disrupted. For example Bitcoin is getting more and more prevalent. But it's going to take a while before supporting a new payment network is as easy as an over-the-air software update. And the recent trend in "disruption" is acquihires as seen here.
Apple couldn't even do it with their in-house credit card.
Governments are eventually going to see "a foreign company owning our major payment networks" as a national security and sovereignty risk, especially if we end up in a multi-major-power world. They'll also eventually covet the data and the ability to disable "inconvenient" business. You might see it take the form of a government-mandated account (would Visa/Mastercard have taken off at the same angle if universal, instant direct debits were available in the US?), or just providing a glidepath for local commercial alternatives. Look at what Russia is doing with the Mir card.
It's not Stripe or Airbnb level growth, however.
my point is that it's clearly not a dying dinosaur of a company. if anything, Visa has too much power in our financial system as more transactions are non-cash and non-ACH based.
FB and GOOG own a part of the internet traffic. Almost all of the world's internet payments go through VisaNet, which is the fundamental processor of these internet payments and has been profitable for years.
Quite possibly got overbid in that case, which would be a good exit. MC is no slouch in this space.
Company A, 0.05% or 9000+ options vested, IPO, post-lockout sale at net ~$300k, was an early engineering employee
Company B, <0.001% or 10000+ shares vested, very late engineering employee, not liquid yet, hypothetical value in low-mid 6 figures
Make sure you do proper tax planning, taxes take an enormous bite, even with long term capital gains.
If your company IPOs they will withhold shares for you. Only thing to watch for is depending on your income they might underwithhold. There isn't much more to it than that.
Even if you have RSUs (where taxes are customarily withheld), the company will withhold at the minimum statutory rates, which may not match up with your personal tax bracket.
If a company hasn't IPO'ed, an 83(b) election may also make sense.
After whatever lockup you have some fraction of shares remaining. When you sell those and if the price is greater than the IPO price then you have capital gains on whatever shares you still hold.
You still owe tax from the IPO. My point is the company will withhold shares from you, but you might need to pay more if they underwithheld for the IPO. This has nothing to do with your capital gains from selling your remaining shares.
All said, the better companies offer partial recourse loans to early exercise.
This is days later, so not sure if you'll see this, but could you explain what QSBS has to do with it?
If you've been at a private company for a while you may have options that have vested approaching the ten year expiration with a large spread between strike and the fair market value.
If these options are ISOs then exercise has a lot of tax consequences to get right (AMT particularly, to save some money). If you have NSOs you've still got a lot of tax to deal with on exercise, but you don't have the benefit of getting some tax-free below AMT.
Most states tax capital gains at the same rate as ordinary income.
And then 10 states don't tax income at all.
The part where CA chases your stock grants/options for years after you leave the state is a bit less reasonable to me. (But I'd guess some other states do the same)
(Everyone, including the IRS, treats short term gains as regular income.)
IMO it's hard to shake how awkward it is when everyone around you is rich and you're being offered a regular salary that is now dictated by Visa HR.
I was hired by Sun. Just before my start date, Oracle announced they would be buying Sun. I was worried, but it turns out acquisitions are pretty slow processes. There was months of waiting for government approvals, then months more before the culture really started feeling like "Oracle" instead of "Sun."
In short, there's a decent chance that anyone applying now could be on payroll for months or years before Visa actually meaningfully changes anything about Plaid's workflow.
Plaid is a complete joke -- "give us your bank passwords and we'll validate your account". Banks are an even worse joke -- "20,000 logins today from one IP address, nope that's not a scam".
Plaid customers are the worst. Like Transferwise, you cannot setup a business account with them without giving Plaid your business banking passwords. What company treasurer would allow that?
Now that Visa is holding the bag this fixes two problems:
1. For customers, there is less risk that Visa will steal all your money than some "fintech" startup
2. For Plaid customers, they may realize Visa is buying this for the data and they may think of Visa as a competitor and not want to support them.
Because "just give us your sudo password to install software" and "just give us your bank password" to send money is a thing... the obvious dumber people in the future will have to do "just sign this power of attorney to create an account with us."
Banks (at least the big ones) often block aggregator traffic. This is resolved after speaking with them. The usual resolution is to whitelist specific IPs for massive traffic.
Lobby your lawmakers. Banks have no incentive to provide open APIs.
For example, in the UK banks did nothing until they were forced to - the market regulator now requires the nine largest banks to provide an open API (https://www.openbanking.org.uk).
The law doesn't restrict the banks giving access to non-AISPs and, like you say, many of the modern banks do have personal API access, it just sets a minimum bar you have to reach before they're forced to let you in. It seems like a pragmatic middle ground.
What is bad, in my eyes, is the law currently only applies to the CMA9.
In fact I randomly came across me bemoaning this fact 5 years ago, lol. Also at one point I wrote my own small wrapper to access parts of their internal API, but I haven't touched that in years so I seriously doubt it still works at all.
I suspected it might be different elsewhere, but I had no idea that the situation was so dire that you had to actively go looking for a bank with an API.
 https://de.wikipedia.org/wiki/Financial_Transaction_Services (German)
 https://de.wikipedia.org/wiki/Homebanking_Computer_Interface (German)
It merely provides a standardized interface to access account data or initiate transactions, but it still uses a plain username/password login to authenticate.
Even that it does not do particularly well – the protocol is horrendously outdated and does not support "recent" inventions like credit cards on many popular banks, which means that banking aggregators have to fall back to screenscraping anyway.
However, this will hopefully change soon with PSD2/SCA, which does mandate such secure account access (based on OAuth2, if I understand it correctly).
I'm not currently aware of a US bank equivalent
In practice, banks never tell you the address of their OFX server and you have to rely on community compiled database (eg ofxhome); many banks' implementations are iffy; some banks even charge you for enabling OFX support on your account. In the end it's just so much easier to outsource this to Plaid, which is why they are a billion dollar business.
"Bank syncing is a critical feature that is coming soon!"
You can manually import QFX/other standard formats though, but not all banks have exports of this, and it's very manual.
I'm thinking of something where you download your statement (usually available in PDF form) and then drag it to a web interface where it then gets OCR'd and processed.
A bit more manual, but the upside is you're not leaking your creds and you should also have access to more data (banks have to provide statements and they usual provide them going back many years).
It uses Plaid out-of-the-box, but it has a pluggable provider model for other data sources: https://github.com/kevinschaich/mintable/blob/master/docs/PR...
In the absence of APIs from most banks, it would be nice if there was a client side personal finance web app that allowed uploading .csv or pdf statements, and scraped those for you locally, perhaps with the option of using your own Google Drive or Dropbox as a persistent storage backend beyond browser localstorage.
there are a few issues though:
1. some banks only send notifications for transactions that are over a certain amount (eg BofA is >$25)
2. the merchant name is arbitrarily cut-off (based on char length), so you don't really get reliable merchant info
Dark patterns galore. Absolutely no indication when you go through a Plaid flow that you're likely giving away much more than just the bare minimum account numbers to push money in/out of your bank account. Often, you're also giving away transaction data, identity, real-time balance, etc. There's no way to know prior to linking your account.
I had high hopes that would have made things more transparent given the new CCPA laws that went into effect on the 1st but have not seen anything change.
Edit: I think the 4D chess move here by Visa is the amount of data Plaid has. Bank transaction data from all types of transactions, not just Visa ones, is massively valuable.
If people were concerned about Google acquiring Fitbit data I would be incredibly concerned about Visa basically buying all financial transaction data...the FTC should really investigate the acquisition.
Banks aren't exactly happy that their API is basically scraping their website, for very valid reasons, including the customer's own security.
If enough of the big banks decided they had enough of Plaid then it would present a massive existential threat to the business. If anything, I think that threat is a reason why they wanted an exit sooner rather than later.
Have to imagine my statements hold more value than their scraping algo
Buying a company to get its most valuable assets is less complicated than that.
I think it's really hard to argue Visa/MC is not a duopoly. Unfortunately anti-trust enforcement in the US has been more political than anything.
Going by that reasoning a monopoly would be even better, as the card would be accepted everywhere.
The consumer pays by lack of innovation and high scheme fees.
IMO not super relevant to the topic of competition; there are 4 networks, and the fact that two of them are structured differently doesn't really have impacts on sellers & customers (other than that the two open networks are significantly larger, Visa & MasterCard).
Discover also does this, although there are fewer available. Here is an example through Comenity in partnership with True Value: https://d.comenity.net/truevaluediscover/pub/Home.xhtml They used to do something similar for a card with Wal-Mart.
Waaaaaay past any reasonable threshold for market power scrutiny.
But antitrust is currently dormant in the USA.