Hacker News new | past | comments | ask | show | jobs | submit login
Visa and Plaid Abandon Merger After Antitrust Division’s Suit to Block (justice.gov)
608 points by theBashShell 4 days ago | hide | past | favorite | 275 comments





I’ve some friends that works there, so I’m hesitant to say this, because I’m sorry for them, but Plaid is a terrible company. Their main product scrapes financial data from unsuspecting users that simply think they’re making a bank transfer and not signing away the privacy and security of their banking, 401k and trading information.

https://twitter.com/seanieb/status/1298871471645761537?s=20


They are getting sued by TD Bank for this very reason:

> The bank said in the court filings that the interface "dupes" consumers into believing they are entering personal information into TD Bank's trusted platform.

> "In reality, however, consumers are unwittingly giving their login credentials to the defendant, who takes the information, stores it on its servers, and uses it to mine consumers' bank records for valuable data (e.g., transaction histories, loans, etc.), which the defendant monetizes by selling to third parties," TD claimed in the court records.

https://www.ctvnews.ca/business/td-bank-files-lawsuit-agains...

Also, giving your credentials to any third party, including Plaid, voids the warranty at many financial institutions. If your account gets hacked and your money stolen, you may find out that the zero liability policy no longer applies to you.


I am sure I will be called naive, but this is shocking to me. I assumed that Plaid was integrating with the banks and not doing this sort of thing because of the people associated with Plaid. Their seed round included Spark Capital and Google Ventures. Their most recent round included Mary Meeker and Andreessen Horowitz. [1]

These investors have reputations to protect. This type of thing would certainly come out in diligence:

"How do you gain access to the customer's account data with their bank?"

"We impersonate their bank."

"Do you tell them you do this?"

"No."

"Ok, that's probably fine."

How in the hell does this conversation pass muster?

[1] https://en.wikipedia.org/wiki/Plaid_(company)#Funding


I'm surprised, because Plaid is far from the first mover in the "scraped banking data API" space. Mint (now Intuit) and Yodlee come to mind, and they use essentially the same sign-in flow and come with the same limitations.

There are organizations and companies that are trying to do this legitimately, through open standards and real incentives to both FIs and customers to share information in exchanges:

- Open Banking Project: https://www.openbankproject.com/

- MX: https://www.mx.com/

P.S. Can we get real Markdown support already? The fact that the Markdown URL format isn't supported is extremely user-hostile.


You're right, they aren't the first. That said, when I use accounting software, it's pretty obvious to me that I am going to be sharing my transaction history with the accounting software. When I connect my bank account to Venmo, it is absolutely not obvious to me that I'm sharing my entire transaction history with Plaid. Replicating the appearance of my bank's login screens is critical to the illusion.

Even if I did understand that they are storing and using my credentials, I should be able to expect from a reputable business that they are not scraping irrelevant transaction data and then using it for purposes that don't explicitly support the app I am using. Selling my transaction history definitely isn't supporting the use case I'm authorizing.


Fortunately, Plaid doesn’t sell your transaction history, so this isn’t a concern.


Any chance you could point me to something more specific? From your link I found this:

> We do not sell or rent personal information that we collect.


Alternative title to this thread is "Plaid fails to sell customer data to Visa" (along with code, and the rest of the company). Consumers, as well as Plaid, have no idea where this data is going to end up ultimately, depending on who winds up getting control of Plaid. What are the odds of Private Equity acquiring Plaid and "leveraging synergies" with the pay-day loan company in their portfolio? I think the odds are greater than zero.

“We may collect, use, and share End User Information in an aggregated, de-identified, or anonymized manner (that does not identify you personally) for any purpose permitted under applicable law.”

Going by what was posted further up in the thread, that seems to be what TD Bank alleges in their suit?

If you authenticate with <mortgage broker> via Plaid, then the broker pays plaid money and the broker gets your bank information. So I suppose in a sense that's "selling your data," but I don't think that's what people are concerned about: You explicitly sign into the mortgage broker to give them data!

What Plaid has said on record they DON'T do is take that data they provided to the broker, bundle it up, and then sell it to marketing firms or hedge funds or other random third parties for which the user didn't explicitly ask their data to be shared.

See: https://www.americanbanker.com/news/lawsuit-against-plaid-he...

“Plaid does not sell and has never sold consumers’ personal information or data. Consumer data is obtained and used with consumer consent. Plaid believes strongly that consumers should have permission-based access to and control over their financial data, and embodies these principles in its practices."

That's pretty strong language.


From the press release: "Plaid is a financial services company that operates the leading financial data aggregation platform in the United States"

I love the way they are literally defined as "the leading financial data aggregation platform in the United States", rather than "the leading financial integrations platform".

Seems like Justice does know their real business. And they don't seem to care.


Re: formatting, I strongly suggest using markdown's [reference link syntax], which is much more readable when rendered as plain text.

[reference link syntax]: https://daringfireball.net/projects/markdown/basics


> There are organizations and companies that are trying to do this legitimately, through open standards and real incentives to both FIs and customers to share information in exchanges:

That is never going to work. The reason the world works the way it works is because banks dont want to give easy access, so market opportunity for companies like Plaid exists.


It works in the UK where open banking is regulated by the FCA:

https://www.openbanking.org.uk/customers/what-is-open-bankin...


Open Banking is the result of the EU PSD2, so unfortunately is no longer guaranteed in the UK. UK firms have already lost passporting rights, and it's yet unclear whether the UK will align with EU regulation going forward.

I think it would be highly unlikely the UK would regress on open banking. It's been a cornerstone of a lot of govt policy for banking.

I guess the question is what you mean by "open banking". Initially, in the UK, that phrase referred to the FCA's implementation of the PSD2 requirement for banks to allow a secure mechanism of access to third parties. I think that this definition of open banking has already regressed post-Brexit, from the absence of passporting. UK firms and banks are no longer able to interoperate with EU firms and banks, and PSD2 no longer applies to them.

Another definition may be domestic API access to bank accounts, which I agree will continue to be policy in the UK. It won't be PSD2 open banking, though.


PSD2 still applies. That was integrated into U.K. law long before Brexit. It would take an act of parliament to unwind.

Additionally the U.K. has generally been on the leading edge of open banking, which is why our standards weren’t identical to the EUs for a while. It’s going nowhere, and pass-porting will make no difference.

The only real impact of Brexit is the open banking entities will need to register separately in the U.K. and the EU, and be subject to two different regulators. But that’s just paperwork for the most part.


> PSD2 still applies. That was integrated into U.K. law long before Brexit. It would take an act of parliament to unwind.

It's not that simple. The FCA is no longer an EEA National Competent Authority and UK Third Party Providers must register with an EEA NCA to continue to operate in the EEA. Domestic legislation which put PSD2 in force is of course still UK law, and domestic TPPs and Account Servicing Payment Service Providers can continue to operate together (even using the same eiDAS certs), but they cannot engage in open banking with the rest of the EU/EEA.

PSD2 and its supporting institutions (EBA, EPC, ECJ) no longer apply to the UK.

> Additionally the U.K. has generally been on the leading edge of open banking, which is why our standards weren’t identical to the EUs for a while. It’s going nowhere, and pass-porting will make no difference.

Internally, maybe, but UK TPPs and ASPSPs can no longer interoperate with EU/EEA TPPs and ASPSPs unless they register with an EU/EEA NCA, and thus become subject to EU Directives. Again it comes back to your definition of "open banking". If you mean only UK banks and firms being able to operate an open banking scheme, then you are correct that this will continue. If you mean open banking as defined by PSD2, it has already come to an end in the UK.

> The only real impact of Brexit is the open banking entities will need to register separately in the U.K. and the EU, and be subject to two different regulators. But that’s just paperwork for the most part.

So either UK TPPs and ASPSPs have to abide by EU Directives (if possible - the UK legislature may diverge from the EU in unreconcilable ways), or the UK has to maintain alignment with the EU indefinitely. Doesn't seem like just paperwork to me.


"Open banking" and "cross-border banking" are two different things. The UK will definitely continue to have open banking. The UK-EU banking relationship is still up for negotiation. (I'm not hopeful though.)

> The UK will definitely continue to have open banking.

As discussed elsewhere in this thread, this requires a definition of "open banking" which is separate from PSD2 and not what the phrase commonly meant until now. The distinction isn't between "open banking" and "cross-border banking" - the distinction is between:

* PSD2 compliant "open banking" between TPPs and ASPSPs,

* Some banks in the UK must have APIs "open banking".

Up until January 1st, the phrase "open banking" referred to the former. The latter may become accepted as the definition in the UK, but it is materially different to the original meaning.


It doesn't really work. Open Banking doesn't seem to enforce a consistent API which means you either need to implement a client for each bank (and their data model) individually or use something like Plaid (in the UK our equivalent is TrueLayer) to aggregate all the different banks into a single API.

This is just not true, for Open Banking in the UK. API standards are published and banks must implement them.

There was a get-out, but it was a bad one for the banks - if any bank did not provide a compliant API by a specific date (IIRC sometime last year) then they would have to keep their web sites entirely unaltered in order to support scraping.


PSD2 doesn't even mandate APIs as the mechanism of access!

The fact that the Markdown URL format cloaks URLs is user-hostile.

Markdown doesn’t cloak URLs; HTML does. We seem fine with that on every other webpage.

>P.S. Can we get real Markdown support already? The fact that the Markdown URL format isn't supported is extremely user-hostile.

Hear hear! Markdown is definitely the new formatting standard, and it's amazing (I even take notes in .md files).


A lot of these banks never had any APIs. Plaid made its name basically scrapping the html of account pages. Companies used it because there were no alternatives (no apis)

I understand the situation. Another of Plaid's investors is Goldman Sachs. I naively assumed that Plaid's ability to build their product was likely based on access to private APIs available to them based on their relationships and backing.

If someone came to me and asked me to build what Plaid has built, I would decline the work. I would assume that impersonating a bank would be illegal. I would assume that the banks I am impersonating would treat me as a malicious actor. I would assume that I would go to jail for building a system like this.

Absolutely unbelievable.


Plaid does have real integrations with some institutions, using OAuth and the works. The list is relatively miniscule compared to the vast majority of institutions that still consider customer data their asset and not their customers'.

On the other hand, Plaid’s behaviour means that your data is not yours either, but is up for grabs by a 3rd party for which you may not have given consent to. Plaid is no Robin Hood (the story not the app) here.

Plaid is equivalent to a carrier, right? They merely provide the data to their client (whatever service/app you're signing into) and it's up to that client to decide how to use it.

Back when I used to run a web scraping shop, we had this exact request. I didn't know it was illegal at the time but we ultimately didn't do it because lot of people just want to pay as little as possible for scraping without considering the amount of work that goes behind it.

Web scraping is not illegal per se. Though it may be against the specific terms of service of the site you are scraping.

that was before the 2018 ruling this was back in 2012, I remember Craigslist sued someone for scraping under CFAA.

Thanks to EFF, this scummy tactic used to kill Aaron Swartz is no more.


You are misremembering. CFAA defines criminal acts not civil, so Craigslist could not sue someone under the CFAA. The DA would have to bring charges first and then the civil suit by Craigslist would reference the criminal suit.

Even if it isn’t illegal it can be against the terms of service and void your warranty/insurance

fraudulently obtaining people's banking information can be described many ways. The prosecutors won't call it web scraping and the judge hasn't seen that although he has heard of people who steal users information to hack their banks.

Seems like a bad bet to me.


I've learned that when it comes to banks, assuming things like that is usually wrong.

Let’s not forget the companies that enabled Plaid to do this. One of the worst offenders was Carta. They made you use Plaid to exercise your stock options. So you had to let Plaid scrape your account info to get the stock you worked so hard for. Most people had no idea they were allowing this.

They do integrate natively with some banks, like JPMC:

> When this is implemented, Plaid will access customer information through the bank’s secure API (application programming interface) connection. That will allow customers to share their information more safely and quickly with Plaid and the financial apps it supports while protecting their bank username and password.

and also Wells Fargo:

> The API used in the agreement will utilize a more secure, tokenized “handshake” between the companies’ servers through which customers’ financial data will be shared. Once integrated, the API will allow customers to share their financial data, while also maintaining the privacy of their user credentials. The enrollment process will be easy and designed to work seamlessly within Plaid-supported apps’ user experiences.

I think it would be good to do some quick Google searches before getting (all of) the torches out.

https://media.chase.com/news/plaid-signs-data-agreement-with...

https://www.businesswire.com/news/home/20190919005081/en/Wel...


They're not hiding the fact.

From their website [1]: "When you choose to connect your financial accounts to an app using Plaid, you will be prompted to enter the username and password associated with those accounts. Plaid then links your accounts to the app you want to use so you can share your data."

[1] https://plaid.com/how-it-works-for-consumers/


Disagree, they are hiding the fact by assuming ignorance of most users. A true “link” , would use something like OAuth to have the bank handle authentication and provide explicitly scoped subset of consumer data to Plaid. Instead they are taking the plaintext password and getting total access. Just taking that passwords itself is a security vulnerability. Google doesn’t even know your Gmail password, just the hash, but since Plaid can’t use a password hash to login, it must store your plaintext password to your financial accounts, some of THE most sensitive data. Furthemore they have access to way more data than they should rather than clearly defined scoped subsets of it.

The whole company is a privacy and security disaster. Of course it’s annoying that banks don’t provide reasonable OAuth APIs, but Plaid “disrupts” that by deceiving consumers into dangerous security vulnerabilities with their most sensitive personal data.


You speak idealistically, but the reality is that many of these banks did not having open banking standards nor APIs before. The scraping led to this movement and FSAs all over the world are starting to push for no scraping while financial institutions create APIs and contracts with these platforms.

The fact is pretty much hidden. I tried to link my Toshl (a budget app) account to my bank, to import automatically my movements. I saw that they were using Plaid, and I found that weird. I went to search the page you linked, and I still didn't know how was it connecting to my bank. I used an "application password" with limited permissions from my bank to use with Plaid, and funnily enough it didn't work. In fact, my bank locked my account because Plaid tried to login through the regular user interface with a wrong password several times. It was only then when I saw in forums and such that what Plaid does is to scrape HTML.

When you use Plaid, you don't get the impression that's what they're doing. We're used to dialogs to "give permissions to an app" that don't share our user/password with anybody. Plaid purposefully emulates those dialogs and gives you the impression that you're just logging in with your bank, instead of explicitly telling you "we will store your user and password and use that to log-i with your bank".


"link" to me implies something along the lines of a FB/Google/GitHub OAuth login, not that they steal my credentials.

I guess technically they just say, "you will be prompted to enter the username and password associated with those accounts" and don't specify that they (Plaid) will be using your credentials, but I don't think it's clear enough that you are giving your credentials away!


VC's actually tend to love companies that are a little bit sneaky. Just not too sneaky to have to face consequences.

"Disruptive".

In the “startup” world, this is simply the only way to do it when your goals are to be everyone’s service. Banks rarely create open APIs, and even when they do they are fragile and subject to whims as the banks are optimizing for security first (plus: they need strong incentives to maintain APIs since it’s not even in their core business).

And since you can’t rely on an API, “there’s no other option” which compounds with the fact that coding up a web scraper for a specific bank takes maybe a dozen programmer-hours. Then throw on a disclaimer to cover legal, and start counting your billions of unhatched eggs.


I don't think you are naive at all regarding this but generally people see famous people, name dropping and due diligence goes out the window.

There are people who take advantage of that and are very successful. Disgusting because it is just another form of deceiving people's trust.


It’s clear as day in the privacy policy. You did click on the privacy policy link and read through it right?

> Also, giving your credentials to any third party, including Plaid, voids the warranty at many financial institutions. If your account gets hacked and your money stolen, you may find out that the zero liability policy no longer applies to you.

The trouble is, giving someone your account number also makes it not the bank's problem what they do with that number, even if it was clearly unauthorized by you. There's no good way to do ACH transfers without a high degree of trust in the recipient.


You are guaranteed a minimum of 30 days to contest an ACH charge. 2 days for businesses.

Return timeframe is 60 days for Unauthorized Debit.

Yeah, banks could have done oauth2 years ago but it never happened.

That's what OFX was supposed to provide, but realistic support never arrived. Even banks which allow you to download OFX format searches fail at complying with basics of the standard. (https://www.ofx.net/)

Open Banking in the UK does that now.

Not really, considering it doesn't enforce a single, consistent API, so most companies will still use something like TrueLayer (our local equivalent of Plaid) to aggregate all these separate APIs into a single consistent one.

Furthermore, "open" banking is very misleading because it's only open to corporations with deep pockets to obtain an AISP license/certification*, but doesn't even allow the account holder to gain API access to their own account. Unless you're lucky enough to be with a modern bank that provides that as a feature (which is legally separate from Open Banking, though often it's the same API), your only workaround is to sign up for TrueLayer yourself just to access your own account through them.

* given the "deep pockets" requirement, it almost forces all the account aggregator apps/services (Emma, Yolt, etc) to have a somewhat scummy business model and monetize the captured data. Wouldn't it have been nicer that you didn't need deep pockets to gain read-only access, so that an indie developer could make such an account aggregator and not have to resort to a scummy business model to fund the certification/compliance expenses?


> Not really, considering it doesn't enforce a single, consistent API, so most companies will still use something like TrueLayer (our local equivalent of Plaid) to aggregate all these separate APIs into a single consistent one.

That's not quite true. The CMA9 have to follow the Open Banking spec, and some other non-cma9 banks have decided to follow the same spec. In practise, there's some deviation from the spec between the banks (in part, due to ambiguity in the spec), but it's not like they're all pulling their own spec out of the air.

> Furthermore, "open" banking is very misleading because it's only open to corporations with deep pockets to obtain an AISP license/certification*, but doesn't even allow the account holder to gain API access to their own account. Unless you're lucky enough to be with a modern bank that provides that as a feature (which is legally separate from Open Banking, though often it's the same API), your only workaround is to sign up for TrueLayer yourself just to access your own account through them.

The 'deep pockets' don't need to be as deep as implied. I think it's <~£3k. It's not something that only big companies can afford, but I agree, it's not something that an individual would use to test out an idea, which would push them towards something like TrueLayer.


> I think it's <~£3k.

Do you have any more details? If this is indeed the price and it's a one-time cost without costly maintenance overheads (such as ongoing audits) I might just pay that to be able to release simple money management or just better UIs than the existing banks (even modern bank's apps have gotten worse lately as they try to push their "premium" offerings - looking at Monzo specifically here).


Yes, it's only 'open' to FCA registered entities, which is an entirely reasonable requirement given how easy it is for scammers to get people to give away the keys to the kingdom.

So no, it wouldn't have been nicer, it would have been a scammers delight.

And yes, it does require a consistent API, thought it's perhaps open to a bit too much interpretation.


> given how easy it is for scammers to get people to give away the keys to the kingdom

Restricting API access doesn't help. There are plenty of idiots out there who willingly install remote access software on their computers/phones, fall for "authorized push payment" fraud when scammers tell them to move their money to a "safe account" or to pay overdue "taxes" (gullibility taxes?) over the phone and even use the two-factor card readers despite the "do not use over the phone" text being printed right on them.

I'm not sure how read-only API access would benefit scammers (if people can be tricked into granting API access, they will usually just as well install remote access software or just do the payments manually) but it would open up a nice field of self-contained, on-device money management apps that don't need significant corporate (most likely VC) backing with all the (usually) nasty ramifications that entails.


> I'm not sure how read-only API access would benefit scammer

Information leaks are always useful to scammers, extortionists, blackmailers etc. It's one reason we protect financial info.

Like the other poster said, VC money isn't really needed, though the process of getting accredited with the FCA is more than just paying for a license. The Open Banking Implementation Entity (or just Open Banking Ltd, whatever they're calling themselves at the moment) may be able to help you go through the accreditation process if you approach them, they were certainly talking about doing that for people a couple of years back.

And before that you can sign up to their public sandbox service as a "Technical Service Provider" to start developing against the ecosystem, for nothing (I've done this though I've not really used the capability for anything).(You may need a Ltd company for this, can't remember off the top of my head)


I don't buy this. If I give someone a check (which has an account number on it) that doesn't mean they get to withdraw whatever they want from my bank account. What bank in the U.S. wont reverse fraudulent ACH debits?

It says on page 35 of my Bank of America Deposit Agreement and Disclosures:

> If you voluntarily disclose your account number to another personal orally, electronically, in writing or by other means, you are deemed to authorize each item, including electronic debits, which result from your disclosure. We may pay these items and charge your account.

It may be that there is some rule that says just giving someone a check doesn't count as "voluntarily disclosing" your account number.


> What bank in the U.S. wont reverse fraudulent ACH debits?

Ah that’s the key though, you have to tell them to reverse it. I think you have 60 days in most cases. But the onus is on you to dispute the debit.


Actually, if you hand someone a check they indeed can just use your account and routing number to pay for things using ACH.

Hence why I avoid ever linking my bank to anything.


handing out your login credentials is like giving a blanko check with your signature on it already.

> What bank in the U.S. wont reverse fraudulent ACH debits?

If you admit to handing out signed blank checks, I would hope that most if not all banks would at least have a discussion with you about how you may be not the customer they are looking for.


It's difficult to draw a clear line between what Plaid is doing and a phishing scam.

The difference is the pinky promise that they will not do bad things with their access.

They are selling the data to marketing companies to build a dossier on you, and this could be used for any number of purposes once it is in the hands of data brokers.

They're tricking people into handing over the information, and then they're using it for purposes that may harm the victim, so like I said, it's hard to draw a line.


I don't think this is true, and Plaid makes pretty explicit claims that they do not do this, i.e.:

- https://news.ycombinator.com/item?id=18655417

- https://plaid.com/how-we-handle-data/


They do not make such an explicit claim in their privacy policy. There is a carve-out for "affiliates", although what constitutes an affiliate is not defined. They also say:

"We may collect, use, and share End User Information in an aggregated, de-identified, or anonymized manner (that does not identify you personally) for any purpose permitted under applicable law. This includes creating or using aggregated, de-identified, or anonymized data based on the collected information to develop new services and to facilitate research."

This is a cop-out used by a lot of services these days. De-identified data can be and is routinely re-identified. For financial transaction data this is fairly easy. For example, if you buy location data, it's trivial to determine where someone's home is, and therefore their likely identity.

Once you have a set of locations a person visited, you can correlate them with financial transactions. Even just a couple of retail transactions are often unique. You were probably the only person who was at your neighborhood Starbucks on Monday at 6:37am and also at Starbucks on Friday at 7:32am. Your credit card transactions provide a time and a location for every retail transaction.


That was 2018 though when they were barely setting up.

And still the case from what I've heard.

Plaid can very well not use the data in this way, but any company using Plaid's APIs and gaining access to the end-user bank account can do whatever they want with the data. There are no restrictions on potential bad actors who will do this, and no consumer protections.

Sure, and that would be true however a partner collected this data. It’s true whenever you apply for a credit card or a mortgage.

I believe that Plaid doesn’t work with just anyone, and they do attempt to put some limited controls in place to block bad actors - just like any other platform in the world.

All that said, the parent were suggesting that Plaid itself bundled and resold data for marketing purposes which it does not do (though I believe some of its competitors might).

You should hold their feet to the fire for real issues (potential for misuse by companies that use Plaid to gather info, security concerns), not imaginary ones


Dont worry, visa, amex and MasterCard already do it directly

Doing it on purpose vs via black/grey market trickery is often treated as separate matters. Even if the legal mode is still full of moral issues that society has yet to fully confront.

Phishing people's bank credentials has been fully established as a computer crime (not even just bad within civil law).


I adore the idea of the Plaid founders, and everyone else deemed complicit in a court of law (I think this should likely include investors), going to fuck-you-in-the-ass prison instead of becoming billionaires.

Alas, I've lived in Silicon Valley too long to believe that anything moral will ever occur when there's money to be made.

It makes me sad that people actually admire this place for anything other than the geography.


Do you think Plaid founders are going to jail?

No. He specifically implied that they would become billionaires instead of going to jail.

It's sad that we award unscrupulous behavior.

That's true, and perhaps the real reason this really is a very valid anti-trust action is that Visa would be removing their only real competitor for providing this type of data.

> takes the information, stores it on its servers, and uses it

So does, for example, Yodlee, when you use them to have an API for bank statements. I cannot say if they too monetize the data that opens up to them for grabs.

It took legislation and years of preparation to enforce APIs and interoperability onto European banks (yes, I can now use bank A's app to view my account balance in bank B, while maintaining control over what kind of access I'm giving). Can't see it happening in the US, though, although the demand for such APIs is clearly there, given that companies like Plaid and Yodlee prosper.


I would wager that 90% of the business for Plaid, Yodlee, and Intuit is account verification; the thing that you used to do by having small ACH transfers of random amounts that you verify. The fact is that 90% of running a fintech business is identifying and bounding fraud risk, and these "banking API" companies are able to move the needle down a couple of basis points.

edit It's shit like this that just screams for the Fed to force FIs to implement a standard API for verifying accounts and making transfers. I bet half of fintech would collapse overnight, but the collective cost savings would be in the billions.


Yodlee literally sells the data directly to hedge funds.

https://www.thetrustedinsight.com/investment-news/yodlee-jum...


No, that's not the problem at all. The problem is that Plaid falsely used TD Bank without having a relationship with the bank. The company literally has a bank partnerships team so that "void warranty" argument doesn't even make sense.

> Also, giving your credentials to any third party, including Plaid, voids the warranty at many financial institutions.

Funny enough, I've seen that be the case at some banks that simultaneously integrate Plaid into their online account application flow for the initial/funding deposit but. Pretty ironic that users are implicitly coerced into voiding their liability protection at their existing bank during the course of opening an account at a new one. Who wouldn't hesitate to turn around and also invalidate your liability protections themselves if you used your new bank's credentials with Plaid elsewhere.


That´s interesting, and it is an important "stick". On the other side, I know some banks are giving a "carrot" to these types of companies by providing a "portal access" that allows these companies to connect their customers with their bank accounts so that the customer can select what to share with these sites.

Of course, once those portals are enabled we enter the Facebook game: Where a lot of customers will blindly give all access to Plaid like companies, and then consumer group advocates will criticize for the amount of information that they are (still) mining from ignoring customers.


I think BofA does this, which I like. When I linked my account to Robinhood through Plaid, it asked for 2FA (text or phone call, BofA doesn't support TOTP codes) and verified in, then asked me to select which accounts to grant access to. Since it doesn't need the 2FA subsequently, it must be doing some kind of OAuth style authentication when it passes that token to the bank and then gets a long-term access token for that specific account.

From an HTTPS perspective this is still pretty concerning though. AFAIK browsers would block the Plaid widget if someone tried to load it insecurely and the page was HTTPS (what users have been trained to look for). But without going into devtools there is no easy way to verify that the widget is actually a real Plaid widget, thus POSTing your password directly to their server and not the merchant's, and no way at all to verify that they have such a partnership with your bank sanctioning them to collect your password.


This is essentially the core thesis of MX [1], which creates an API exchange that FIs need to join in order to use.

I'm not sure how well it is catching on. Seems like they're diversifying more into other whitelabel products for fintech companies.

[1]: https://www.mx.com/


Oh man I can't believe they actually pulled this on a Canadian Bank.

I tell my founders to always always fly straight or don't fly at all because if you cut corners or deceive, it will come back to you.

Had they been honest and played by the rules they could be sitting on a massive windfall.

Unfortunately, some VCs and founders think like gangsters and get surprised when things dont plan out. Just because it worked for someone in your circle doesn't mean its gonna work for you. It is a horrible behavior to emulate.


The deal didn't go through because of antitrust concerns, not because of TD's lawsuit.

Yeah. TD is so tired of them they have a page warning customers about them, without naming names:

> When using a fintech app, you may be providing your confidential TD username and password directly to third parties over whom TD has no control. Please be aware that the sharing of your TD credentials is contrary to the terms of our agreements, and TD will not be responsible for any harm that results from the sharing of your credentials.

https://www.td.com/us/en/personal-banking/security-center/fi...


TD should force a password reset every time a login occurs from Plaid on behalf of a user.

Good god that's disgusting behavior. Surely VISA would have seen this as a huge risk?

I once went to use plaid to apply for a mortgage on one of the new fancy broker platforms. It asked me to type my login credentials.. sketchy , but alright banks and mortgage companies seem to trust them? Then they asked me to disable 2FA on my account and at that point it was indistinguishable from a phishing attack to me. I noped out and changed my bank password immediately.

This is why a standard API is needed, like Open Banking in the UK. When I use a third party app, the access request is redirected to my bank app and authorisation is granted there. At this point it is explicit what data the third party will require. Once authorised, I’m redirected back to the third party’s app. At no point have I given my credentials. This must be renewed every 90 days. Furthermore I can view what apps have access to my account and can revoke this access at any time.

PS Yes I know people like Ben Thompson [1] and even the US Treasury (mentioned in the same link) advocated for a private solution like Plaid (and nearly by extension Visa), but seriously this seems like something that needs to be government regulated to prevent incentives for selling user data.

[1] https://stratechery.com/2020/visa-plaid-networks-and-jobs/


As someone who's worked in fintech for 10 years, I think this is a bad take. Out of all aggregators (what this is called), Plaid is by far the most open and privacy-forward.

First, they're transparent about being a 3rd party that's part of the flow (see https://plaid.com/blog/the-all-new-plaid-link/). It's clear it's Plaid, they use neutral colors and not the bank's, etc. They have a portal where you can manage your data (https://my.plaid.com/).

Second, they are very open about not selling data (unlike most of the their competitors). It's in their terms and their website (see https://plaid.com/how-we-handle-data/). I guess that could change, but from working with them I know it's part of their positioning so I'd be surprised if that changed.

Third, they've announced bank integrations and afaik they're moving to OAuth where the banks support it (I've seen this in the wild, but can't replicate right now). The key here is where banks support it. I think you have to look at the historical context: the banks do not want you to own your data as a consumer. They don't want fintech apps to exist. Having talked to banks about integrating directly with them, it's onerous and only the big players can do it. Plaid's fighting the good fight for fintech startups.

But yeah it's a less-than-ideal solution and it sucks that it doesn't work without creds flowing through and it's not clear regulators or banks will work to make it better. That sucks. I just think bashing on Plaid here is one-sided.

(throwaway account because I work in fintech)


> It's clear it's Plaid, they use neutral colors and not the bank's, etc.

Every time I've been confronted with a Plaid-backed bank login prompt, they use the bank's colors and logo, the word "Plaid" or their logo is either nowhere to be found or is in tiny fine print, and I run away screaming from that service.


The plaid flow is typing your bank credentials into a domain not controlled by your bank, it's pretty big fail right at the start.

> But yeah it's a less-than-ideal solution and it sucks that it doesn't work without creds flowing through

I can appreciate that Plaid is trying to push stuff forwards, but (Presumably) storing your bank credentials in plain-text is a far worse than a "less-than-ideal solution".


I tried to use their API for a personal project and found starting one month a bunch of transactions were missing from my bank account. It turned out Chase included a promotion on the pdf statement that month which threw off their scraping algo. Really woke me up to their "tech", I changed passwords and avoid them now.

I can confirm this as I currently use Plaid in a few projects. People have no idea what they are signing up for when they authorize this. It's possible to get near real time transaction data from somoene's bank account as well as monitor their account balances for any linked account essentially in perpetuity. With this data it's possible to back in to a lot of behaviors about someone's life. All of that is handed to any firm you authorize to link your bank account.

FWIW their competitor Teller uses the bank's own native APIs.

The idea is the bank can't shut off Teller clients without shutting off their own customers. This involves a lot of iOS reverse engineering.

So things like Plaid's Capital One integration breaking for months have never happened with Teller - who've been running for something like 5 years now.

https://teller.io/


So Teller reverse engineers a bank's internal APIs and uses those to manage your account?

Yes.

Now I know why I can never think of good ideas for a business, I'm thinking about what I can build to help my customers, but in today's SV I need to be thinking how can I more easily steal user data at a lower cost than my competitors.

They really do need an OAuth rather than save-and-forward-credentials approach to account access. Hopefully the new FedInstant platform will have improvements in this area.

That said, I personally wasn't surprised to see they have this access. It makes sense that if you give them your bank password, they will have full access to your account unless they clearly convince me otherwise.



Yes, awhile back my bank account was decoupled from Venmo for reasons unknown. I unwittingly used Plaid to sign into my bank account instead of the usual wait a couple days procedure. No indication whatsoever - only found out because I saw an article, probably on here, about this company and their basically fraudulent practices.

I was under the impression that Venmo uses Plaid’s APIs on the backend, no?

I don't really know how the integration works. AFAICT you can avoid Plaid if you verify your account manually [1].

https://help.venmo.com/hc/en-us/articles/221073067-Verifying...


This is so terrible. Is there an easy way for me to write to Plaid to delete all my information or do I have to go into each service and unlink?


If you're in CA, use the CCPA. They claim to have removed my information in response to a CCPA request.

Nice to see somebody respecting the law. Atlassian is still claiming that if they give my account to somebody else then they can ignore my CCPA claims.

IIRC, they have basically an instance of a scraper for every different bank web site, which to me doesn't seem very scalable. I'm not sure if this is still the case, but when I interviewed a few years ago, it definitely seemed that way.

That's not true. Plaid says they'll be accessing your information literally when you sign into your account.

Well, better one small company doing that garbage than Visa! It makes it easier to avoid.

I am sorry to say this but your friends should really give a thought to why they are still working there. I understand that people have families to feed and mortgage, but they should at least consider changing jobs if they are software engineers.

Pretty much how 99% of this data robbery happens by all surveillance companies.

This is why Facebook is so pissed off at Apple that it dares to ASK users first.

"Most users aren't aware what data is gathered about them" is about 10x more accurate than "users don't care about privacy", even though it's the latter that gets repeated all the time (with some help from the surveillance companies themselves spreading this propaganda).


Blame the banks for dragging their feet and not making proper APIs for these companies to use instead of screen scraping.

Why are you sorry for them? They are making the choice to work at Plaid when they know Plaid is a terrible legal phishing company.

I can't wait until we have smart contracts on a privacy coin that let me invest and grow my wealth anonymously.

Anonymously is unlikely - how would the government get their taxes?

Even if the government bans XMR from exchanges, BTC to XMR atomic swaps are coming.

You can then

1. Use XMR as an anonymizing bridge to pseudonymous ETH or ADA wallets

2. Grow wealth with ETH or ADA smart contracts/decentralized finance

3. When you want to spend, transfer funds from your ETH/ADA wallets over the XMR bridge to newly generated spend wallets. (There's potential for a chain-analysis correlation attack at this point if you aren't careful with how you are withdrawing.)

---

Really, it's all a nightmare and very difficult to do it now, but I'll be damned if someone doesn't develop an app or program that does this all seamlessly in a few years.


what if tax is part of the smart contract?

then it would have to know who it is taxing? The same applies.

No, you cannot anonymously tax every transaction at some rate. Tax rates don't work that way, in a vacuum.


why not. it's how sales tax works

It would have gone through had Visa's CEO not been so honest at the time of the merger announcement saying that they intended to use Plaid's data to get a leg up on their competitors.

> The DOJ cited Visa CEO Al Kelly’s description of the deal as an “insurance policy” to neutralize a “threat to our important US debit business.”


I don't even think it's a data issue. He literally says they bought Plaid because they're a threat. That's textbook anti-competitive behavior and a big smoking gun when it comes to anti-trust cases.

I'm not informed when it comes to anti-competitive legislation, but don't companies like Google do this sort of thing all the time?

I'm a layman, so take this with a grain of salt, but here's the basic legal theory...

In antitrust law, intent matters. If your primary motivating intent is to make the market less competitive, that's what gets the book thrown at you. That's why it can be so hard to prosecute antitrust, because it's pretty easy to lie your way out as long as there's no direct proof of intent.

Let's take Facebook's acquisition of Instagram. Did they buy Instagram because they saw Instagram as a threat, or did they buy Instagram because they wanted to acquire their talent and improve their product? For a long time, you could argue it was the latter case, which warded off antitrust suits. Recently, some emails came to light where they explicitly talked about taking out Instagram because they were beginning to pose a threat. Now there's a smoking gun and a strong case to be made, which may well be prosecuted in the near future.


Yes, and they didn't invent the practice. Standard Oil brought competitors into its fold in order to maintain its pricing power and dominate the petroleum market.

As with most questionable business practices, they're not wise to be transparent about their true reasons for doing it, and inevitably they admit to their true reasons anyway.


They do, which is why it is so surprising that the DoJ is being so aggressive with this one.

They said both I believe. Them having access to all their competitors' data through Plaid was a big concern when the acquisition was announced.

Such a poor comment from Kelly that I almost wonder if it was intentional.

This angle makes sense if they wanted regulators to more closely examine the acquisition target.

Could be attempting a balance of convincing shareholders and not come out as just eating the upstart.

It would seem a CEO would have other, less public, tools to torpedo a deal if they wanted to, no?

Maybe not if the board was forcing him?

Maybe he wanted to tank the deal once they figured out Plaid scrapes financial portals instead of integrates with them.

because you sign a 5b deal and then do due diligence

not exactly the same situation but it happened with NKLA and GM, insufficient due diligence on what was vaporware. mistakes like that can happen.

That’s not the same at all. GM wasn’t losing anything in their original NKLA deal. While Visa would have spent billions.

Yes?

There are several iterations to deals that size with increasing levels of scrutiny.


Hubris enables people, especially "smart" people, to do things that look really stupid in hindsight.

But is it securities fraud?


Maybe they weren’t as astutely aware of the antitrust political wave we seem to be in. It feels like 5 or 10 years ago this merger would have happened regardless of comments like this. I think after the 08 recession there was little appetite for anything that could make business less effective, and big business loves mergers.

OK. But will DoJ disallow the acquisition of finicity by Mastercard ? VISA and Mastercard follow each other. I'm waiting to hear the verdict on finicity acquisition by MC

Whatever you think about Visa or this merger, this would be a major disappoint to Plaid's team members who thought they were in for a huge financial windfall.

If that applies to anyone here, my sympathies and best of luck figuring out what's next for Plaid. Hopefully the morale hit isn't too big on the team.


This comment strikes a nerve with me - perhaps because it's "saying the quiet part loud". I thought the typical goal of hackers and startups was to "change the world" and "make a difference". How does selling to Visa accomplish those things? Isn't expressing sympathy with Plaid's staff for not getting a payout effectively saying "sorry that you might actually have to deliver on the lofty promises this time"?

It's also kind of indicative of how small startup ambitions have become. Acquisition has become a measure of success, not failure.


The rank-and-file employees that work for companies like this have other goals, like buying houses and saving for retirement, it's not a single dimension. Yes, they want to help the world but not at the expense of themselves and their own financial future.

That's often true for startup founders too. However mission-driven some of us are, we still live in a capitalist world with bills to pay.

>I thought the typical goal of hackers and startups

Hackers and startups are two very different groups with very different ideologies and goals and incentives. No idea why you group them together. Some startups have no technical founders even.

>"change the world" and "make a difference"

Startups are businesses and like all businesses in the end they wish to make money. VCs, for example, are very clearly investors and not philanthropists. They are high risk, high reward businesses which means they need to change things to get those returns but in the end they are a business.

>How does selling to Visa accomplish those things?

It gives Plaid financial stability and long term platform for its technology. If its technology makes the world a better place then its continual existence does make a difference.


  > Some startups have no technical founders even.
And most technical founders aren't hackers, though some definitely are.

How would you describe a hacker vs your average dev?

Lots of people have tried to capture this distinction, I'm sure I'll do a worse job here briefly than you can find around, but for me the tell is how people spend their time, and an attitude.

Hackers in the sense that I mean it have an innate need to understand things deeply, and a tendency to value achieving this directly (e.g. do something, don't just read up about it). As a result most hackers with any real talent will have achieved an unusually high level of expertise/mastery in at least one, often a few, technical areas. This is a result of having really spent a lot of time with it, in ways that may look "obsessive" to others.

This is by no means restricted to software. Another common characteristic is a tendency to take things apart (physically or virtually) to see how they tick.


You're on Hacker News at ycombinator.com and you have no idea why folks here associate hackers and startups?

I associate hackers as a group that startups wants to hire not as having similar philosophies. To me this site is a very successful marketing/recruitment tool and not some indication that YC follows the hacker ethos.

The point is that this represents a coöption of the term hacker by the venture capitalist community -- it's always easier to convince someone to accept less value as recompense for what they produce by convincing them that they are engaged in a noble or even a personally virtuous (see e.g. "guru", "rockstar") pursuit.

This makes it sound like something dirty.

Tech workers want to buy homes and go on vacations just like everyone else. That's a good thing. They had an opportunity to make a lot of money making banking services easier for everyone; that's awesome and should be encouraged.


It's dirty when you couple it with the usual startup BS about changing the world, where the startup was created from day one with an exit in sight.

A startup exit doesn't simply erase all its impact. Plaid made many banking services a lot easier & popular, and it demonstrated how valuable that can be. All that doesn't just disappear. An acquisition/merger can also strengthen a startup's founding ambitions with more resources at its disposal.

Can, but often enough, it doesn't. We end up with a cancelled product/service, or one maligned beyond recognition by the acquirer, with users having to untangle the service from their lives at last minute, while acquirer holds all the IP.

Also, I question the general usefulness of startups created to pursue an exit in the first place. Besides there being often no point in entangling yourself with a service that's meant to be transient, the goals will be different too - the company will try to force hypergrowth by underhanded, and ultimately user-hostile means, vs. letting a thing grow on the strength of its usefulness. Myself, I strongly avoid dealing with any startup that I can smell was built for an exit.


I've been through 1.5 IPOs and 1 acquisition.

In only one of those cases, did I join the company expecting an imminent-ish liquidity event. One hit me out of nowhere. Regardless of what you're planning on, and even if the dollar amount isn't that great, it's a huge rush, a lot of thinking about the possibilities. It would suck, at the very least, on an emotional level, to have that fall apart.


Out of curiosity, what was the .5 IPO?

I joined a company (my first full-time salaried job) a few days before their IPO. I got stock options (like, 500. I was 18. heh.) but they were awarded/priced/etc post-IPO and were never actually in the money after vesting, as I recall. So I remember some of the IPO excitement but I'm not sure it really qualifies as "going through an IPO" for the purposes of the "full thrill ride package".

Incidentally, that company was also taken private during the dot-com crash, and I did make money from that, because the ESPP I was buying for <$1 got converted to cash at something like 3.5x the valuation. It wasn't much, but, again, I was young, so it seemed like a lot.


She/he is probably on the way to one right now, at their current company.

Plaid has ~500 employees with normal lives and financial goals. There are start-ups out there with a real chance to change the world, but I think it gets over played as a form of recruiting and media strategy.

There is no "typical goal" in tech or anything else. Different people want different things in life.

Honestly I sort of agree with your sentiment, but I have some sympathy because many people who join early startups do it at comp deficits, and believing you're actually going to make a significant return on your investment only to suddenly realize you're not is pretty shitty-feeling no matter what.

Visa was going to pay $5.3b dollars for Plaid. I don't really think you can say that that is "small startup ambitions."

Is YouTube a failure? Is Instagram a failure? How about Github or Linkedin? There are reasons to remain an independent company, but there are also reasons that it might be better to be acquired. Besides the premium that the acquirer will pay, large companies can actually accelerate your growth while also insulating you from a lot of the pesky overhead of being a public company.


To be fair, Visa would’ve had the partnerships with banks to really push for standard API access to various banks. Plaid works by giving them your username and password in most flows (although some banks like Chase finally have an authorization flow without MITM).

I don't mean to be glib, but it's just a job. Pretending you have some sort of higher aspirations when you sign up to work at a generic fintech or, heck, a vast majority of startups? Mrpmhph.

At least rappers have the honesty to say it's about that cash.


It is probably 99% true. You can occasionally find a company that is proud that they made their users happy. Notch with Minecraft might be an example of that.

If you listen to VCs talk it is 100% about exit price.


> I thought the typical goal of hackers and startups was to "change the world" and "make a difference".

That sounds like the goal of a non-profit, not a startup. What a founder says at a TED talk (which I admit can often sound like the former) shouldn't be conflated with the nuts and bolt conversations they have with their closest lieutenants and investors. Assuming we mean venture funded by "startup" the definition has always been growth oriented, highly risky and innovative through disruption.

> It's also kind of indicative of how small startup ambitions have become. Acquisition has become a measure of success, not failure.

Really? I'm surprised you think that acquisition is either a measure of success or failure in a vacuum. Wouldn't the terms and the specific deal be important than how a company exits? After all, there's a world of difference between an acquihire and a strategic merger.


> I thought the typical goal of hackers and startups was to "change the world" and "make a difference". How does selling to Visa accomplish those things?

If your aim is that everyone should have access to these tools then getting Visa to integrate them is a pretty good way to accomplish that - Visa is big enough that if they adopt something then pretty much every credit card will have to match it.


I'm doing it to get paid. Yeah, I also want to make a great product and all that but..

Also, I'm getting paid.


It reminds me of something my friend would often say. "I'm very passionate about your product and mission. Just that it comes at a price". Also, as the joker said it, if you are good at something don't do it for free.

It's absolutely perfect to be passionate about customers/product/whatever. However, if one is constantly distracted trying to making ends meet the cognitive bandwidth is going to be spent on it rather than chasing the passion.


> I thought the typical goal of hackers and startups was to "change the world" and "make a difference"

I care so little about "changing the world" or "making a difference". Those things don't pay the rent.


It's OK to say "I'm sorry you didn't get your payday" and "your company's exploitation of my data sucks big time" to the same person.

Is it really? Getting a big payday seems to validate the exploitation of the data. Those two sentiments seem mutually exclusive to me.

Looks like tech is the new finance

Can attest that some employees and ex-employees took a decent tax hit by exercising NSOs after the acquisition was announced at the $5.3 valuation price.

Uh no.

Plaid is probably worth much more now than it was when it was acquired. The entire market has become much more frothy.

I would not be surprised if it could command a $10B+ valuation as a standalone company.


That doesn't mean much unless the employees have liquidity right? Presumably after the acquisition the employees would've been able to convert their options to cold hard cash.

acquisitions aren't necessarily great for employees because liquidation preferences apply.

with SPAC-mania they could merge with a SPAC or go public. my point is the path to going public is much easier now than a year ago.


They'll get some $$$ out of it, and I have no doubt that they have a solid future as an independent company. The fintech sector is red hot right now. Heck they might even be able to catch the next IPO wave.

SPAC SPAC SPAC SPAC SPAC

Not sure why that was downvoted, there is a glut of funded SPACs and more on horizon who would love to take Plaid public.

each one with like, 200M in raised capital. maybe SPACs are a trend competing with vc money? which doesnt make sense...bc vc investors could also be bought out for a premium on acquisition as well...

The vast majority of tech workers that receive equity stakes in pre-IPO/acquisition companies don't ever see any financial windfall from their stakes. These guys will be just fine.

Agreed, except for one point.

Please don't call it a windfall. Anyone in that company that would have seen life changing amounts of money has likely put incredible effort and hard work into making this happen.


Well, maybe it isn't a "windfall" to someone who lives in the tech world and comes to expect such good fortune and thinks their effort should be rewarded in an outsized way. I'm sure we think it's deserved in a relative sense.

But it is most definitely a windfall to the rest of the world (even the rest of the country), who work equally hard, under worse conditions, for their entire lives and cannot even hope to earn say 1/5 the wealth that a tech worker can accumulate after his/her first job.

To have a payday of millions of $ fall out of the sky, for toiling the same as others trying to make a living, yet also being lucky to be in the right place and the right time to have it rewarded.


It's almost like startups have non technical workers that also have an equity stake in the companies they work for. This comment strikes me as almost entirely out of touch. No one expects these results, most people never see a startup they work for successfully exit let alone to the tune of billions.

"Being in the right place at the right time" sure it's partly that but if you think you're getting there without some really hard work you'd be sorely mistaken.

Also startups everywhere need good folks to work for them it's not like this is some secret club to get into, many people just have no risk tolerance for one reason or another.

You're line of thinking really get's at me because the reality is a lot more than luck goes into things even if the current popular line of thinking is to suggest otherwise.

Especially on a community that was established initially to talk about startups.


Everyone works hard, and yes some work harder than others. And no one is saying that tech workers randomly won the lottery and should shut up and just be grateful.

But to imagine that suddenly having the fruits of your labor yield 10-100x the wealth that others in life can ever hope to produce, and think that it's just your hard work and not a function of having been blessed both with good talents and an environment in which your value can be exploited -- is sheer arrogance not to acknowledge that. Or be offended that someone points it out. What does being on HN have to do with keeping a sense of reality? We need to create a protective bubble of thought that doesn't offend millionaires?

As Warren Buffett has said, "I was born with a talent for capital allocation. If I had been born in rural Africa, my talents might never have given me the wealth I have today. I would not be so different from my secretary. Our positions might even be reversed. I thank America for that difference."

Maybe the word windfall triggers you in a way that suggests it should be taken away and you didn't "deserve it". No one said that. Yet also, everyone in such a fortunate position tends to grow to think they deserve it fully as a result of their talents and work. When in fact an objective person should see how much the factors have aligned to give you this gift.

Just because you read HN doesn't mean you are exempted from realizing how lucky you are. We're not that much of a bubble I hope.


I think we may be passing each other on the word tech workers -- do you mean everyone who works in a tech company, including customer support, sales, marketing, operations etc or are you defining tech workers as just the people who work with tech, ie engineers, analysts etc. and possibly on the accessibility and rarity because pretty much anyone can get hired at a startup and most startups fail.

Most people in startups are not lucky (relatively to others in the US economy of similar job positions) they actually generally make less than people in established companies and if they don't have a favorable exit are almost always numerically worse off than those who chose the stable path.

The reason I see people typically working in startups is more impact, freedom, the ability to quickly level up etc, but unless your company exits and you get paid from that exit no dice.

I've had friends who's shares were worth less than they paid for them when their company had an exit.

I continue to work in startups because I really find satisfaction in it, (right now trying to get my own off the ground) but I would triple my total compensation as an employee in most cases if I went to go work for one of the big players and that compensation is a real tangible thing not anywhere close of a gamble. It's actually somewhat of a problem right now in how do founders attract good talent for that reason.

I think you simply have an inaccurate picture of the majority of startups and the types of money in them.


I don't know, yes maybe we're just misinterpreting each other.

I take the original comment at its word -- having to do with those workers for whom a "windfall" however you define it, is life-changing.


The windfall typically isn’t anywhere close to millions of dollars for regular employers. We’re talking about payouts on the level of buying a new car or placing a down payment on a home.

I think you meant regular employees? From my limited experience, the windfall is actually much more than a new car or down payment and can reach into the millions of dollars if the stock rises a couple hundred percent. Most of the unicorn startups that have gone IPO were offering stock options close to or above the million dollar range for senior engineers. Don’t forget the refreshes. The big limiter is actually taxes which take close to half.

For options, taxes only become a big limiter if one waited for the value to rise substantially from the strike price, thus creating a large spread that will be taxed as income. If shares are purchased as they vest and held for over a year, the gains will be subject to much more favorable long term tax treatment when sold.

Larger companies will typically switch to RSUs, which get taxed like income, and isn't great for a non-liquid asset. Thats what double-trigger RSUs solve, by not having the employee own the shares until a liquidity event, they won't need to pay taxes on them until it happens. The catch is that now the employee needs to hold onto the shares for a year to get a more favorable tax treatment.

Taxes will really only take close to half if employees insist on selling their shares in less than a year.


Interesting, I just thought a windfall meant "a lot of money at once", but it looks like you're right that it implies luck. So agreed, a different word would be more accurate here.

But obviously some element of luck is present here. Unless we're willing to say that the success or failure of the merger is entirely on how hard each employee worked.

I mean, nobody reasonably joins a startup and expects to make buku bucks. It’s “unexpected good fortune” from my perspective, and certainly seems to qualify as a windfall.

"Buku"? Beaucoup?

Yes, it's an intentional misspelling

If we ignore the lucky ones who where first employee at unicorn with very generously owner,,, do you really get any money as an employee when there is an acquisition !? How common is it outside Silicon Valley ?

I wonder if employees with equity will see any portions of the breakup fees as some sort of bonus.

Was there a breakup fee on this one? I'd expect it's pretty standard to waive that when it's due to unforeseen regulatory obstacles.

I hope they fail. Some users report they deceptively impersonate the users bank in order to extract as many data points from them (loans, lines of credit, ...)

I’m sure those wannabe monopolists will be fine and something else will come along. The rich always get richer.

That Visa isn't fighting this should validate that the government's antitrust enforcement has been lax. For a merger valued in billions of dollars, hiring even the best lawyers for a long fight would have been a rounding error. The only way this happens is for Visa's lawyers to think that the government would likely win.

It is strange that they're not fighting it harder. I wonder if Plaid identified a better exit strategy?

Or if Visa is having some buyer's remorse over the $5 billion price tag and saw this as an easy out?


With public market valuations of B2B companies today, I could see Plaid being worth considerably more than the $5 billion that Visa agreed to. I think it's less likely buyer's remorse than just overwhelming evidence of anticompetitive behavior. The original DOJ complaint [1] has a lot of direct quotes from top level Visa execs. See paragraphs 9 and 10.

[1] https://www.justice.gov/opa/press-release/file/1334726/downl...


No, they always knew the 500x valuation was BS. It's pretty much like they said, it was a defensive acquisition to prevent the data from going to any of their closest competitors. Visa had no idea what it was going to do with the data, but just wanted to keep it out of everyone else's reach.

Finally some antitrust enforcement!

This was clearly going to be anti competitive and bad for consumers.

Plaid has a great product and will either spac / ipo or be a great acquisition target for someone else.


Plaid broke the law and now someone can acquire it at a huge discount. They played themselves.

You get an upvote just for the sheer brashness of that comment! :D

Important to note that there is no break-up fee that Visa (or Plaid) will pay.

Source: https://www.bizjournals.com/sanfrancisco/news/2021/01/12/vis...


Nice pt. This is common as merger deals typically have MACs that carve out specific events like failure to get antitrust approval...

I'm surprised by this. I used to work in Foster City.

The joke on the campus was that VISA stood for "Very Inconspicuous Spy Agency".

You'd think that there wouldn't be this kind of miscommunication in the chain of command.

All jokes aside, I'm very curious to check out Plaid now because I didn't pay attention when it was independent and Visa is a *very* smart organization, so Plaid must be something special.


>Plaid must be something special.

It's not so much that Plaid is "something special" but that US banks are stuck in the 1950's technologically.

Plaid shouldn't exist. It only exists because banks refuse to create open APIs for others to integrate with.

With that said, Plaid has done a fantastic job.


This seems to be changing. Nacha (the organization that governs ACH) has been developing open APIs so that more organizations can get access to the ACH network without any dirty hacks. I would expect to see a rise in the number of personal finance applications over the next few years due to this fact.

https://www.nacha.org/content/available-apis https://www.nacha.org/content/phixius


The problem is that Nacha is building these APIs on top of ACH. There needs to be a universal realtime payment and account-validation network, not a file FTP'd to the Fed that's sent out three times a day.

Take a look at FedNow which is aiming to offer a 24/7/365 instant payment service for all US banks by 2023-24. (I would realistically expect 2028-30 for it to go online) This is being worked on, but everything moves at a glacial pace.

FedNow is a while away. RTP (Real-time payments) from the The Clearing House is already doing it. They have appx half the DDAs (bank accounts) in the US covered. Another year or two they will have 80-90% Also Push to Card and VISA/MC Debit are real-time payment systems i.e. 7x24x365 where you can pull or push money to the bank account linked to the VISA/MC branded ATM card

Bottom line: Fednow may be too little too late


Never used Plaid but didn't they require your banking credentials and also didn't have a very secure mechanism for storing them?

Yes. Plaid can be used to verify banking details (many stock brokers use it for this, for example).

Plaid works by asking the user to give their banking username and password to Plaid, and then their two factor authentication token too. Plaid logs into their account behind the scenes to verify ownership.

Plaid claims to not store this info, and I assume that they don't, but it still seems like one of the biggest security anti-patterns ever. If nothing else, it's training users to ignore the "don't share your password" warnings. Do we really want users trained to be more susceptible to phishing?


Yeah in the last decade, I have many times considered building a service that would have a better interface and access to information by fetching it from all my financial institutions, but what's held me back is the lack of APIs and I never even considered collecting user credentials as a viable option because of the potential security nightmare and possible libabilities. I guess it pays to be ignorant of all that and just plow ahead. Once you get billions in VC funding, you can fend off any consequences.

> Plaid claims to not store this info, and I assume that they don't

Think of it as Plaid storing OAuth2 access tokens, sort of; and the tokens do expire (over pretty long periods), though, some bank integrations do allow them to generate their equivalent of refresh tokens.

Plaid didn't go into this blind; they know the tightrope they're walking. As someone who's worked with Plaid to build an integration into our product, I'd say they're definitely in a very gray area, but that's pretty much all of the Fintech space right now.

Although, I'd also say they're not malicious; even if it is just motivated by the fear of the bad press resulting in a customer exodus.


Mercury bank seems to be a standout in this regard, promoting themselves as a "full stack" bank.

> It only exists because banks refuse to create open APIs for others to integrate with.

Mostly true, but both Capital One and Citibank have OAuth APIs. It's lovely.


It’s like oauth except you type your password for site A into a box on site B’s domain

Pretty wild it even exists


It is a hack around regulatory failure to mandate this functionality at finance firms (both Congress and the Fed have failed in this regard). The Fed's instant payments product (FedNow [1]) goes live in 2023, which is going to put downward pressure on Visa's debit business. The Fed only began to move on instant payments when pressured by Congress [2] (who didn't want smaller banks held hostage by Early Warning System's "Zelle" product, which is operated by a consortium of the nation's largest banks).

Europe mandated this functionality (PSD2) [3]. With instant payments and if regulations required banks to offer this functionality, Plaid's value would evaporate.

[1] https://www.frbservices.org/financial-services/fednow/index....

[2] https://www.paymentsjournal.com/timeline-the-feds-real-time-...

[3] https://en.wikipedia.org/wiki/Payment_Services_Directive


FedNow is a while away. RTP (Real-time payments) from the The Clearing House is already doing it. They have appx half the DDAs (bank accounts) in the US covered. Another year or two they will have 80-90% Also Push to Card and VISA/MC Debit are real-time payment systems i.e. 7x24x365 where you can pull or push money to the bank account linked to the VISA/MC branded ATM card Bottom line: Fednow may be too little too late, but real-time payments are happening outside of VISA/MC

VISA/MC are aware of this. They expect "Interchange compression" i.e. reduction in revenue from Credit Card fees as users switch to other systems. However it isn't a show stopper because in parallel they have discovered (and are using ) new ways to increase interchange revenue e.g. Virtual Cards, Prepaid Cards etc.


2-3 years isn't that long in financial services. Sure, The Clearing House provides an RTP platform (and is also a financial rail for Zelle payments). Can they do it as cheap as the Fed offering FedNow as a utility similar to ACH? And to every deposit account provider in the US at a reasonable cost? Probably not. Doesn't matter how many deposit accounts you cover if someone is going to come eat your lunch because they have a Congressional mandate.

Agree on interchange compression (it's fairly obvious credit card networks are overpaid for what they offer, so of course innovation is going to bring revenue destruction), but there's no way virtual and prepaid cards are going to make up the shortfall (especially with Congress starting to lean left and progressive banking policies on the table, such as central bank pass through accounts, negating the need for prepaid cards when deposit accounts become accessible to everyone).

Long story short, finance still consumes too much of a percentage of GDP, and it's a good thing when tech comes along that pushes that drag down.


Does FedNow solve all of the problems Plaid solves? I'm thinking specifically about Plaid functionality that lets consumers expose transaction history, investments, etc.

It would appear that FedNow solves for "How do I get money into my Schwab brokerage account?" but not "How can I let Schwab do risk analysis across all my investment accounts?"


It does not, which is why I mention Europe's PSD2, which would. You don't build a startup to do this, you mandate your financial institutions to provide this functionality to users.

Baby steps!


You'd think even without a mandate, banks would be motivated to implement secure auth instead of this insanity?

My guess is that that Plaid will go public via a SPAC deal now. I think it's highly likely GSAH (Goldman Sachs Acquisition Holdings) is that SPAC that does a deal. They have $750M to play with and given Visa was going to buy Plaid for $5.3B, the numbers kind of make sense.

Yeah I think this is a strong take.

Or may be PSTH.

Glad to see they're starting to flex that antitrust muscle a little bit, it's been atrifying over the past few decades.

* atrophying

But yes, and this is a taste of what's to come. FB, GOOG, AMZN... watch out.


Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: