Enforcing stupid & unreasonable ToS in court is a slippery slope that can be used against users.
You want to use an alternative client to export your data because the official client doesn't allow it? ToS violation and the developer of the alternative client gets sued.
Want to screen-scrape some website to automate some tedious manual behaviour? ToS violation and you get sued.
The ability to delegate some manual process (logging into online banking and getting the data) to a third-party (like Plaid) should be a right that we should defend.
At least with credential sharing & screen-scraping nobody can lock you out. Does it suck? Yeah. But I'd rather take a solution that sucks than no solution at all.
In the UK banks (in an attempt to encourage online banking) have a fraud guarantee related to losses from unauthorised access to online banking systems as long as you haven't given your credentials to a 3rd party.
Screen scraping, like plaid, obviously breaks that concept.
In that case it seems reasonable for the banks to have a ToS that says "no giving your credentials to third parties".
If there's no such guarantee and the user is on their own from a fraud loss perspective then I don't see a reason for enforcing that kind of ToS.
All that said, the idea of a transactional banking system being online with purely static credentials in 2020 is a scary one. Decent 2FA should be used for any system that has a financial impact.
Will be interesting to see where this goes.
I've also seen online mortgage applications ask for banking and retirement account passwords for the purpose of automated form-filling. It seems very shortsighted to give away your password to save 5 minutes filling out a form.
The nightmare scenario is that you give your bank account password to one of these screen scraping services, someone manages to hack them and empties your account, and you can't get the money back because giving away your password violates the terms of service for your online banking.
Also worth noting that the largest of US banks do offer APIs, but a large swath of the rest do not, either due to proprietary systems, choosing not to use their processor-offered solutions, or simply avoiding risk.
So, Plaid will have to scrape for another few years, I suspect, until the banks catch up in the US to what we are seeing in UK and other places.
...and yes, we support 2FA. ;)
Edit: the website itself also returns a 403.
Plaid works great and we’ve run into next to no issues with customers linking Plaid.
It depends on your customers, too.
If you're targeting consumers, Plaid's integration works far better than if you're targeting business bank accounts.
If your company is ONLY supporting Plaid then your issue is that your smarter customers are leaving.
Any organization that asks for your personal password is nefariously normalizing this behavior and building complacency in consumers to trust anyone with their private information.
Worth noting I don’t work for a financial services company so the use case is likely very different than the services you’re discussing.
Apologies if I came off strong, it appears I may be a one-off consumer as opposed to mainstream.
Imagine PCI-DSS compliance but without the exception that you don't have to be PCI-compliant yourself if you don't touch card data and pass it directly to a PCI-compliant payment processor.
Can you automate this? This is my point. Manual CSV exports are not a solution. Open Banking was supposed to solve this but it's a complete sham that is only there to make them look like they're doing something and benefit the existing incumbents.
It would be an unusual TPP where the data never left the customer's device. Usually there'll be a web service/web app provided by the TPP and the communications will be between the customer and the TPP and then the TPP and the bank (a.k.a. ASPSP).
Whilst it's not perfect, it's a hell of a lot better, from a security perspective, than 3rd parties getting full banking creds for customers.
Why? The scenario you mention (providing a unified view of a person's multiple accounts & credit cards) can perfectly be done on the device itself and negates plenty of concerns regarding security, the need for a backend, etc. I personally made an app to display my balance & transactions on my Apple Watch. It's purely local and doesn't even have a backend. Yet, I can't actually launch it "by the rules" because I need to become an AISP even though I never come in contact with actual banking data.
> 3rd parties getting full banking creds for customers.
This is clearly a stop-gap solution until something better comes around, and frankly it isn't the worst solution if you trust the third-party. At least it becomes the user's choice whether to share credentials instead of the bank or some other entity deciding who can and can't have access based on potentially stupid or anti-competitive reasons.
The problem of customer choice is that customers are very badly informed about the relative security of services, so there's a market for lemons. If the bank has no liability, that's possibly fine (although it could be argued the bank has some responsibility to advise the customer), but if the bank has any liability for issues resulting, then they get a say in the outcome.
Leakage of the consumer secret/consumer key alone doesn't compromise security as you still need the access token and refresh token which are per-user.
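An added illustration of the point in the comment above (not code from the thread, from Plaid, or from any bank): a toy OAuth 2.0 authorization-code flow in Python with constructed client names and balances, showing that the client id/secret on its own yields no customer data, while each access token is bound to one consenting user and the authorization code cannot be replayed.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed toy model of an OAuth 2.0 authorization-code grant as a bank
# (ASPSP) might expose it to a third-party provider. Hypothetical values only.
CLIENT_ID = "tpp-demo"          # hypothetical third-party client id
CLIENT_SECRET = "s3cret-demo"   # hypothetical; the "consumer secret" of the comment


@dataclass
class Bank:
    accounts: dict = field(default_factory=lambda: {"alice": 1200, "bob": 40})
    codes: dict = field(default_factory=dict)   # one-time code -> (user, client_id)
    tokens: dict = field(default_factory=dict)  # access token -> user

    def authorize(self, user: str, client_id: str) -> str:
        """Step 1: the user consents at the bank; the code is bound to user and client."""
        code = secrets.token_urlsafe(16)
        self.codes[code] = (user, client_id)
        return code

    def token(self, client_id: str, client_secret: str, code: str):
        """Step 2: client credentials are required, but a user-issued code is too."""
        if client_id != CLIENT_ID or not hmac.compare_digest(client_secret, CLIENT_SECRET):
            return None
        entry = self.codes.pop(code, None)      # codes are single-use
        if entry is None or entry[1] != client_id:
            return None
        access_token = secrets.token_urlsafe(24)
        self.tokens[access_token] = entry[0]    # token is per user
        return access_token

    def balance(self, access_token: str):
        """Step 3: resource endpoint; a valid token reveals only its own user's data."""
        user = self.tokens.get(access_token)
        return None if user is None else self.accounts[user]


def leaked_secret_only(bank: Bank):
    """Holder of client id + secret but no user-issued code: no token, no data."""
    return bank.token(CLIENT_ID, CLIENT_SECRET, "guessed-code")


def legitimate_flow(bank: Bank, user: str):
    """Full delegated flow for one consenting user; returns that user's balance."""
    code = bank.authorize(user, CLIENT_ID)
    return bank.balance(bank.token(CLIENT_ID, CLIENT_SECRET, code))


def code_replay(bank: Bank, user: str):
    """A code already exchanged once yields nothing the second time."""
    code = bank.authorize(user, CLIENT_ID)
    bank.token(CLIENT_ID, CLIENT_SECRET, code)
    return bank.token(CLIENT_ID, CLIENT_SECRET, code)
```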
Plaid definitely works with BoA + 2FA, at least as of about a month ago when I had to use it.
Certainly false, at least for Bank of America. Just yesterday I connected BofA to privacy.com using Plaid and it asked me to enter the SMS 2FA code.
The solution is regulation to force banks to provide customer data over an API to an authorized third party (preferably with 2FA on that too, and other security mechanisms, like mutual auth, auditing the security and probity of the subscriber etc).
Scraping is such a 1990s solution, and Plaid's Uber-like disregard for rules made it a non-starter for anyone sensible.
Ironically, while it might get systematic integration with VISA, the privacy implications are far worse.
Very few banks have publicly-accessible APIs, and when they do, they likely won't return consistent data. There simply isn't a standard in the U.S. There are literally thousands of banking systems in this country. As someone who helps run a fintech app, I can assure you there are significant numbers of people who are simply members of their local credit union with very limited technology.
I assumed this was because they were switching over to their API, and that was the only way to pull data now. I could be wrong, it just seems weird that 3 different sites made me reauthenticate within a month or so.
They may have fixed it by now, I haven't tried more recently.
> We retain information we collect about you for as long as necessary to fulfill the purposes for which we collected it, unless a longer retention period is required OR PERMITTED under applicable law.
It is not necessary to "hack" Plaid.