Visa and Plaid Abandon Merger After Antitrust Division’s Suit to Block (justice.gov)
610 points by 0xedb on Jan 12, 2021 | 275 comments



I’ve some friends that work there, so I’m hesitant to say this, because I’m sorry for them, but Plaid is a terrible company. Their main product scrapes financial data from unsuspecting users that simply think they’re making a bank transfer and not signing away the privacy and security of their banking, 401k and trading information.

https://twitter.com/seanieb/status/1298871471645761537?s=20


They are getting sued by TD Bank for this very reason:

> The bank said in the court filings that the interface "dupes" consumers into believing they are entering personal information into TD Bank's trusted platform.

> "In reality, however, consumers are unwittingly giving their login credentials to the defendant, who takes the information, stores it on its servers, and uses it to mine consumers' bank records for valuable data (e.g., transaction histories, loans, etc.), which the defendant monetizes by selling to third parties," TD claimed in the court records.

https://www.ctvnews.ca/business/td-bank-files-lawsuit-agains...

Also, giving your credentials to any third party, including Plaid, voids the warranty at many financial institutions. If your account gets hacked and your money stolen, you may find out that the zero liability policy no longer applies to you.


I am sure I will be called naive, but this is shocking to me. I assumed that Plaid was integrating with the banks and not doing this sort of thing because of the people associated with Plaid. Their seed round included Spark Capital and Google Ventures. Their most recent round included Mary Meeker and Andreessen Horowitz. [1]

These investors have reputations to protect. This type of thing would certainly come out in diligence:

"How do you gain access to the customer's account data with their bank?"

"We impersonate their bank."

"Do you tell them you do this?"

"No."

"Ok, that's probably fine."

How in the hell does this conversation pass muster?

[1] https://en.wikipedia.org/wiki/Plaid_(company)#Funding


I'm surprised, because Plaid is far from the first mover in the "scraped banking data API" space. Mint (now Intuit) and Yodlee come to mind, and they use essentially the same sign-in flow and come with the same limitations.

There are organizations and companies that are trying to do this legitimately, through open standards and real incentives to both FIs and customers to share information in exchanges:

- Open Banking Project: https://www.openbankproject.com/

- MX: https://www.mx.com/

P.S. Can we get real Markdown support already? The fact that the Markdown URL format isn't supported is extremely user-hostile.


You're right, they aren't the first. That said, when I use accounting software, it's pretty obvious to me that I am going to be sharing my transaction history with the accounting software. When I connect my bank account to Venmo, it is absolutely not obvious to me that I'm sharing my entire transaction history with Plaid. Replicating the appearance of my bank's login screens is critical to the illusion.

Even if I did understand that they are storing and using my credentials, I should be able to expect from a reputable business that they are not scraping irrelevant transaction data and then using it for purposes that don't explicitly support the app I am using. Selling my transaction history definitely isn't supporting the use case I'm authorizing.


Fortunately, Plaid doesn’t sell your transaction history, so this isn’t a concern.



Any chance you could point me to something more specific? From your link I found this:

> We do not sell or rent personal information that we collect.


Alternative title to this thread is "Plaid fails to sell customer data to Visa" (along with code, and the rest of the company). Consumers, as well as Plaid, have no idea where this data is going to end up ultimately, depending on who winds up getting control of Plaid. What are the odds of Private Equity acquiring Plaid and "leveraging synergies" with the pay-day loan company in their portfolio? I think the odds are greater than zero.


“We may collect, use, and share End User Information in an aggregated, de-identified, or anonymized manner (that does not identify you personally) for any purpose permitted under applicable law.”


Going by what was posted further up in the thread, that seems to be what TD Bank alleges in their suit?


If you authenticate with <mortgage broker> via Plaid, then the broker pays plaid money and the broker gets your bank information. So I suppose in a sense that's "selling your data," but I don't think that's what people are concerned about: You explicitly sign into the mortgage broker to give them data!

What Plaid has said on record they DON'T do is take that data they provided to the broker, bundle it up, and then sell it to marketing firms or hedge funds or other random third parties for which the user didn't explicitly ask their data to be shared.

See: https://www.americanbanker.com/news/lawsuit-against-plaid-he...

“Plaid does not sell and has never sold consumers’ personal information or data. Consumer data is obtained and used with consumer consent. Plaid believes strongly that consumers should have permission-based access to and control over their financial data, and embodies these principles in its practices."

That's pretty strong language.


From the press release: "Plaid is a financial services company that operates the leading financial data aggregation platform in the United States"

I love the way they are literally defined as "the leading financial data aggregation platform in the United States", rather than "the leading financial integrations platform".

Seems like Justice does know their real business. And they don't seem to care.


Re: formatting, I strongly suggest using markdown's [reference link syntax], which is much more readable when rendered as plain text.

[reference link syntax]: https://daringfireball.net/projects/markdown/basics


> There are organizations and companies that are trying to do this legitimately, through open standards and real incentives to both FIs and customers to share information in exchanges:

That is never going to work. The reason the world works the way it works is because banks don't want to give easy access, so the market opportunity for companies like Plaid exists.


It works in the UK where open banking is regulated by the FCA:

https://www.openbanking.org.uk/customers/what-is-open-bankin...


Open Banking is the result of the EU PSD2, so unfortunately is no longer guaranteed in the UK. UK firms have already lost passporting rights, and it's yet unclear whether the UK will align with EU regulation going forward.


I think it would be highly unlikely the UK would regress on open banking. It's been a cornerstone of a lot of govt policy for banking.


I guess the question is what you mean by "open banking". Initially, in the UK, that phrase referred to the FCA's implementation of the PSD2 requirement for banks to allow a secure mechanism of access to third parties. I think that this definition of open banking has already regressed post-Brexit, from the absence of passporting. UK firms and banks are no longer able to interoperate with EU firms and banks, and PSD2 no longer applies to them.

Another definition may be domestic API access to bank accounts, which I agree will continue to be policy in the UK. It won't be PSD2 open banking, though.


PSD2 still applies. That was integrated into U.K. law long before Brexit. It would take an act of parliament to unwind.

Additionally the U.K. has generally been on the leading edge of open banking, which is why our standards weren’t identical to the EU's for a while. It’s going nowhere, and passporting will make no difference.

The only real impact of Brexit is the open banking entities will need to register separately in the U.K. and the EU, and be subject to two different regulators. But that’s just paperwork for the most part.


> PSD2 still applies. That was integrated into U.K. law long before Brexit. It would take an act of parliament to unwind.

It's not that simple. The FCA is no longer an EEA National Competent Authority and UK Third Party Providers must register with an EEA NCA to continue to operate in the EEA. Domestic legislation which put PSD2 in force is of course still UK law, and domestic TPPs and Account Servicing Payment Service Providers can continue to operate together (even using the same eIDAS certs), but they cannot engage in open banking with the rest of the EU/EEA.

PSD2 and its supporting institutions (EBA, EPC, ECJ) no longer apply to the UK.

> Additionally the U.K. has generally been on the leading edge of open banking, which is why our standards weren’t identical to the EUs for a while. It’s going nowhere, and pass-porting will make no difference.

Internally, maybe, but UK TPPs and ASPSPs can no longer interoperate with EU/EEA TPPs and ASPSPs unless they register with an EU/EEA NCA, and thus become subject to EU Directives. Again it comes back to your definition of "open banking". If you mean only UK banks and firms being able to operate an open banking scheme, then you are correct that this will continue. If you mean open banking as defined by PSD2, it has already come to an end in the UK.

> The only real impact of Brexit is the open banking entities will need to register separately in the U.K. and the EU, and be subject to two different regulators. But that’s just paperwork for the most part.

So either UK TPPs and ASPSPs have to abide by EU Directives (if possible - the UK legislature may diverge from the EU in unreconcilable ways), or the UK has to maintain alignment with the EU indefinitely. Doesn't seem like just paperwork to me.


"Open banking" and "cross-border banking" are two different things. The UK will definitely continue to have open banking. The UK-EU banking relationship is still up for negotiation. (I'm not hopeful though.)


> The UK will definitely continue to have open banking.

As discussed elsewhere in this thread, this requires a definition of "open banking" which is separate from PSD2 and not what the phrase commonly meant until now. The distinction isn't between "open banking" and "cross-border banking" - the distinction is between:

* PSD2 compliant "open banking" between TPPs and ASPSPs,

* Some banks in the UK must have APIs "open banking".

Up until January 1st, the phrase "open banking" referred to the former. The latter may become accepted as the definition in the UK, but it is materially different to the original meaning.


It doesn't really work. Open Banking doesn't seem to enforce a consistent API which means you either need to implement a client for each bank (and their data model) individually or use something like Plaid (in the UK our equivalent is TrueLayer) to aggregate all the different banks into a single API.


This is just not true, for Open Banking in the UK. API standards are published and banks must implement them.

There was a get-out, but it was a bad one for the banks - if any bank did not provide a compliant API by a specific date (IIRC sometime last year) then they would have to keep their web sites entirely unaltered in order to support scraping.


PSD2 doesn't even mandate APIs as the mechanism of access!


The fact that the Markdown URL format cloaks URLs is user-hostile.


Markdown doesn’t cloak URLs; HTML does. We seem fine with that on every other webpage.


>P.S. Can we get real Markdown support already? The fact that the Markdown URL format isn't supported is extremely user-hostile.

Hear hear! Markdown is definitely the new formatting standard, and it's amazing (I even take notes in .md files).


A lot of these banks never had any APIs. Plaid made its name basically scraping the HTML of account pages. Companies used it because there were no alternatives (no APIs).


I understand the situation. Another of Plaid's investors is Goldman Sachs. I naively assumed that Plaid's ability to build their product was likely based on access to private APIs available to them based on their relationships and backing.

If someone came to me and asked me to build what Plaid has built, I would decline the work. I would assume that impersonating a bank would be illegal. I would assume that the banks I am impersonating would treat me as a malicious actor. I would assume that I would go to jail for building a system like this.

Absolutely unbelievable.


Plaid does have real integrations with some institutions, using OAuth and the works. The list is relatively minuscule compared to the vast majority of institutions that still consider customer data their asset and not their customers'.


On the other hand, Plaid’s behaviour means that your data is not yours either, but is up for grabs by a 3rd party to which you may not have given consent. Plaid is no Robin Hood (the story, not the app) here.


Plaid is equivalent to a carrier, right? They merely provide the data to their client (whatever service/app you're signing into) and it's up to that client to decide how to use it.


Back when I used to run a web scraping shop, we had this exact request. I didn't know it was illegal at the time but we ultimately didn't do it because a lot of people just want to pay as little as possible for scraping without considering the amount of work that goes on behind it.


Web scraping is not illegal per se. Though it may be against the specific terms of service of the site you are scraping.


That was before the 2018 ruling; this was back in 2012. I remember Craigslist sued someone for scraping under the CFAA.

Thanks to EFF, this scummy tactic used to kill Aaron Swartz is no more.


You are misremembering. CFAA defines criminal acts not civil, so Craigslist could not sue someone under the CFAA. The DA would have to bring charges first and then the civil suit by Craigslist would reference the criminal suit.


Even if it isn’t illegal it can be against the terms of service and void your warranty/insurance


Fraudulently obtaining people's banking information can be described many ways. The prosecutors won't call it web scraping and the judge hasn't seen that, although he has heard of people who steal users' information to hack their banks.

Seems like a bad bet to me.


I've learned that when it comes to banks, assuming things like that is usually wrong.


Let’s not forget the companies that enabled Plaid to do this. One of the worst offenders was Carta. They made you use Plaid to exercise your stock options. So you had to let Plaid scrape your account info to get the stock you worked so hard for. Most people had no idea they were allowing this.


They do integrate natively with some banks, like JPMC:

> When this is implemented, Plaid will access customer information through the bank’s secure API (application programming interface) connection. That will allow customers to share their information more safely and quickly with Plaid and the financial apps it supports while protecting their bank username and password.

and also Wells Fargo:

> The API used in the agreement will utilize a more secure, tokenized “handshake” between the companies’ servers through which customers’ financial data will be shared. Once integrated, the API will allow customers to share their financial data, while also maintaining the privacy of their user credentials. The enrollment process will be easy and designed to work seamlessly within Plaid-supported apps’ user experiences.

I think it would be good to do some quick Google searches before getting (all of) the torches out.

https://media.chase.com/news/plaid-signs-data-agreement-with...

https://www.businesswire.com/news/home/20190919005081/en/Wel...


They're not hiding the fact.

From their website [1]: "When you choose to connect your financial accounts to an app using Plaid, you will be prompted to enter the username and password associated with those accounts. Plaid then links your accounts to the app you want to use so you can share your data."

[1] https://plaid.com/how-it-works-for-consumers/


Disagree, they are hiding the fact by assuming ignorance of most users. A true “link” would use something like OAuth to have the bank handle authentication and provide an explicitly scoped subset of consumer data to Plaid. Instead they are taking the plaintext password and getting total access. Just taking that password itself is a security vulnerability. Google doesn’t even know your Gmail password, just the hash, but since Plaid can’t use a password hash to login, it must store your plaintext password to your financial accounts, some of THE most sensitive data. Furthermore they have access to way more data than they should rather than clearly defined scoped subsets of it.

The whole company is a privacy and security disaster. Of course it’s annoying that banks don’t provide reasonable OAuth APIs, but Plaid “disrupts” that by deceiving consumers into dangerous security vulnerabilities with their most sensitive personal data.
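The two integration styles contrasted in the comment above, as an added example (this is not Plaid's code, nor any bank's; the account, password, scope names, bank API and aggregator are all hypothetical): with shared credentials the third party must keep the plaintext password and receives everything the online-banking session can see; with a bank-issued, scoped, expiring token it receives only what the user approved at the bank, and anything outside that scope, or after expiry, is refused.

```python
"""Toy model of credential sharing versus bank-issued scoped tokens.
Added example; nothing here is Plaid's or any bank's code. The account,
password, scope names and API shape are hypothetical."""
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed sample account (hypothetical bank customer).
ACCOUNTS = {
    "alice": {
        "password": "correct horse battery staple",
        "balance": 1234.56,
        "transactions": [("2021-01-04", "Grocery Mart", -54.10),
                         ("2021-01-05", "Payroll Inc", 2500.00)],
        "ssn_last4": "1234",
    }
}


class Forbidden(Exception):
    pass


@dataclass(frozen=True)
class Token:
    value: str
    subject: str
    scopes: frozenset
    expires_at: float


class Bank:
    def __init__(self):
        self._tokens = {}

    # Credential path: whoever presents the password gets a full session.
    def login(self, user, password):
        acct = ACCOUNTS.get(user)
        if acct is None or not hmac.compare_digest(acct["password"], password):
            raise Forbidden("bad credentials")
        return user

    def session_dump(self, user):
        # Everything the online-banking UI would show, password excluded.
        return {k: v for k, v in ACCOUNTS[user].items() if k != "password"}

    # Scoped path: the user authenticates at the bank and approves a subset of
    # the scopes the third party asked for; only that subset goes in the token.
    def grant(self, user, password, requested_scopes, approved_scopes, ttl=3600):
        self.login(user, password)
        scopes = frozenset(requested_scopes) & frozenset(approved_scopes)
        tok = Token(secrets.token_urlsafe(32), user, scopes, time.time() + ttl)
        self._tokens[tok.value] = tok
        return tok.value

    def _authorize(self, token_value, scope):
        tok = self._tokens.get(token_value)
        if tok is None or time.time() > tok.expires_at:
            raise Forbidden("invalid or expired token")
        if scope not in tok.scopes:
            raise Forbidden("token lacks scope " + scope)
        return tok.subject

    def balance(self, token):
        return ACCOUNTS[self._authorize(token, "balance:read")]["balance"]

    def transactions(self, token):
        return ACCOUNTS[self._authorize(token, "transactions:read")]["transactions"]

    def identity(self, token):
        return ACCOUNTS[self._authorize(token, "identity:read")]["ssn_last4"]


class Aggregator:
    """Hypothetical third party verifying an account on behalf of some app."""

    def via_credentials(self, bank, user, password):
        bank.login(user, password)
        self.stored_password = password   # must stay in the clear to log in again
        return bank.session_dump(user)    # gets everything, not just what the app needs

    def via_token(self, bank, token):
        out = {}
        for name, call in (("balance", bank.balance),
                           ("transactions", bank.transactions),
                           ("identity", bank.identity)):
            try:
                out[name] = call(token)
            except Forbidden as exc:
                out[name] = "denied: " + str(exc)
        return out


def run_credential_path(user="alice", password="correct horse battery staple"):
    bank, agg = Bank(), Aggregator()
    return agg.via_credentials(bank, user, password)


def run_token_path(approved_scopes, ttl=3600,
                   requested_scopes=("balance:read", "transactions:read", "identity:read")):
    bank, agg = Bank(), Aggregator()
    token = bank.grant("alice", "correct horse battery staple",
                       requested_scopes, approved_scopes, ttl)
    return agg.via_token(bank, token)


if __name__ == "__main__":
    print(run_credential_path())                  # balance, transactions and SSN digits
    print(run_token_path(["balance:read"]))        # balance only; the rest denied
    print(run_token_path(["balance:read"], ttl=-1))  # everything denied once expired
```

The point the model makes is the one the comment makes: in the credential path the bank cannot tell the aggregator from the customer, so it cannot limit what is read, revoke access without a password change, or attribute a later fraud to the right party; in the token path the bank knows exactly who holds what scope until when.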


You speak idealistically, but the reality is that many of these banks did not have open banking standards or APIs before. The scraping led to this movement and FSAs all over the world are starting to push for no scraping while financial institutions create APIs and contracts with these platforms.


The fact is pretty much hidden. I tried to link my Toshl (a budget app) account to my bank, to import my movements automatically. I saw that they were using Plaid, and I found that weird. I went to search the page you linked, and I still didn't know how it was connecting to my bank. I used an "application password" with limited permissions from my bank to use with Plaid, and funnily enough it didn't work. In fact, my bank locked my account because Plaid tried to login through the regular user interface with a wrong password several times. It was only then that I saw in forums and such that what Plaid does is scrape HTML.

When you use Plaid, you don't get the impression that's what they're doing. We're used to dialogs to "give permissions to an app" that don't share our user/password with anybody. Plaid purposefully emulates those dialogs and gives you the impression that you're just logging in with your bank, instead of explicitly telling you "we will store your user and password and use that to log in with your bank".


"link" to me implies something along the lines of a FB/Google/GitHub OAuth login, not that they steal my credentials.

I guess technically they just say, "you will be prompted to enter the username and password associated with those accounts" and don't specify that they (Plaid) will be using your credentials, but I don't think it's clear enough that you are giving your credentials away!


In the “startup” world, this is simply the only way to do it when your goals are to be everyone’s service. Banks rarely create open APIs, and even when they do they are fragile and subject to whims as the banks are optimizing for security first (plus: they need strong incentives to maintain APIs since it’s not even in their core business).

And since you can’t rely on an API, “there’s no other option” which compounds with the fact that coding up a web scraper for a specific bank takes maybe a dozen programmer-hours. Then throw on a disclaimer to cover legal, and start counting your billions of unhatched eggs.


VCs actually tend to love companies that are a little bit sneaky. Just not too sneaky to have to face consequences.


"Disruptive".


I don't think you are naive at all regarding this but generally people see famous people, name dropping and due diligence goes out the window.

There are people who take advantage of that and are very successful. Disgusting because it is just another form of deceiving people's trust.


It’s clear as day in the privacy policy. You did click on the privacy policy link and read through it right?


> Also, giving your credentials to any third party, including Plaid, voids the warranty at many financial institutions. If your account gets hacked and your money stolen, you may find out that the zero liability policy no longer applies to you.

The trouble is, giving someone your account number also makes it not the bank's problem what they do with that number, even if it was clearly unauthorized by you. There's no good way to do ACH transfers without a high degree of trust in the recipient.


You are guaranteed a minimum of 30 days to contest an ACH charge. 2 days for businesses.


Return timeframe is 60 days for Unauthorized Debit.


Yeah, banks could have done OAuth2 years ago but it never happened.


That's what OFX was supposed to provide, but realistic support never arrived. Even banks which allow you to download OFX format searches fail at complying with basics of the standard. (https://www.ofx.net/)


Open Banking in the UK does that now.


Not really, considering it doesn't enforce a single, consistent API, so most companies will still use something like TrueLayer (our local equivalent of Plaid) to aggregate all these separate APIs into a single consistent one.

Furthermore, "open" banking is very misleading because it's only open to corporations with deep pockets to obtain an AISP license/certification*, but doesn't even allow the account holder to gain API access to their own account. Unless you're lucky enough to be with a modern bank that provides that as a feature (which is legally separate from Open Banking, though often it's the same API), your only workaround is to sign up for TrueLayer yourself just to access your own account through them.

* given the "deep pockets" requirement, it almost forces all the account aggregator apps/services (Emma, Yolt, etc) to have a somewhat scummy business model and monetize the captured data. Wouldn't it have been nicer that you didn't need deep pockets to gain read-only access, so that an indie developer could make such an account aggregator and not have to resort to a scummy business model to fund the certification/compliance expenses?


> Not really, considering it doesn't enforce a single, consistent API, so most companies will still use something like TrueLayer (our local equivalent of Plaid) to aggregate all these separate APIs into a single consistent one.

That's not quite true. The CMA9 have to follow the Open Banking spec, and some other non-CMA9 banks have decided to follow the same spec. In practice, there's some deviation from the spec between the banks (in part, due to ambiguity in the spec), but it's not like they're all pulling their own spec out of the air.

> Furthermore, "open" banking is very misleading because it's only open to corporations with deep pockets to obtain an AISP license/certification*, but doesn't even allow the account holder to gain API access to their own account. Unless you're lucky enough to be with a modern bank that provides that as a feature (which is legally separate from Open Banking, though often it's the same API), your only workaround is to sign up for TrueLayer yourself just to access your own account through them.

The 'deep pockets' don't need to be as deep as implied. I think it's <~£3k. It's not something that only big companies can afford, but I agree, it's not something that an individual would use to test out an idea, which would push them towards something like TrueLayer.


> I think it's <~£3k.

Do you have any more details? If this is indeed the price and it's a one-time cost without costly maintenance overheads (such as ongoing audits) I might just pay that to be able to release simple money management or just better UIs than the existing banks (even modern bank's apps have gotten worse lately as they try to push their "premium" offerings - looking at Monzo specifically here).


Yes, it's only 'open' to FCA registered entities, which is an entirely reasonable requirement given how easy it is for scammers to get people to give away the keys to the kingdom.

So no, it wouldn't have been nicer, it would have been a scammers' delight.

And yes, it does require a consistent API, though it's perhaps open to a bit too much interpretation.


> given how easy it is for scammers to get people to give away the keys to the kingdom

Restricting API access doesn't help. There are plenty of idiots out there who willingly install remote access software on their computers/phones, fall for "authorized push payment" fraud when scammers tell them to move their money to a "safe account" or to pay overdue "taxes" (gullibility taxes?) over the phone and even use the two-factor card readers despite the "do not use over the phone" text being printed right on them.

I'm not sure how read-only API access would benefit scammers (if people can be tricked into granting API access, they will usually just as well install remote access software or just do the payments manually) but it would open up a nice field of self-contained, on-device money management apps that don't need significant corporate (most likely VC) backing with all the (usually) nasty ramifications that entails.


> I'm not sure how read-only API access would benefit scammer

Information leaks are always useful to scammers, extortionists, blackmailers etc. It's one reason we protect financial info.

Like the other poster said, VC money isn't really needed, though the process of getting accredited with the FCA is more than just paying for a license. The Open Banking Implementation Entity (or just Open Banking Ltd, whatever they're calling themselves at the moment) may be able to help you go through the accreditation process if you approach them, they were certainly talking about doing that for people a couple of years back.

And before that you can sign up to their public sandbox service as a "Technical Service Provider" to start developing against the ecosystem, for nothing (I've done this though I've not really used the capability for anything).(You may need a Ltd company for this, can't remember off the top of my head)


I don't buy this. If I give someone a check (which has an account number on it) that doesn't mean they get to withdraw whatever they want from my bank account. What bank in the U.S. won't reverse fraudulent ACH debits?


It says on page 35 of my Bank of America Deposit Agreement and Disclosures:

> If you voluntarily disclose your account number to another person orally, electronically, in writing or by other means, you are deemed to authorize each item, including electronic debits, which result from your disclosure. We may pay these items and charge your account.

It may be that there is some rule that says just giving someone a check doesn't count as "voluntarily disclosing" your account number.


> What bank in the U.S. won't reverse fraudulent ACH debits?

Ah that’s the key though, you have to tell them to reverse it. I think you have 60 days in most cases. But the onus is on you to dispute the debit.


Actually, if you hand someone a check they indeed can just use your account and routing number to pay for things using ACH.

Hence why I avoid ever linking my bank to anything.


Handing out your login credentials is like giving a blank check with your signature already on it.

> What bank in the U.S. won't reverse fraudulent ACH debits?

If you admit to handing out signed blank checks, I would hope that most if not all banks would at least have a discussion with you about how you may be not the customer they are looking for.


It's difficult to draw a clear line between what Plaid is doing and a phishing scam.


The difference is the pinky promise that they will not do bad things with their access.


They are selling the data to marketing companies to build a dossier on you, and this could be used for any number of purposes once it is in the hands of data brokers.

They're tricking people into handing over the information, and then they're using it for purposes that may harm the victim, so like I said, it's hard to draw a line.


I don't think this is true, and Plaid makes pretty explicit claims that they do not do this, i.e.:

- https://news.ycombinator.com/item?id=18655417

- https://plaid.com/how-we-handle-data/


They do not make such an explicit claim in their privacy policy. There is a carve-out for "affiliates", although what constitutes an affiliate is not defined. They also say:

"We may collect, use, and share End User Information in an aggregated, de-identified, or anonymized manner (that does not identify you personally) for any purpose permitted under applicable law. This includes creating or using aggregated, de-identified, or anonymized data based on the collected information to develop new services and to facilitate research."

This is a cop-out used by a lot of services these days. De-identified data can be and is routinely re-identified. For financial transaction data this is fairly easy. For example, if you buy location data, it's trivial to determine where someone's home is, and therefore their likely identity.

Once you have a set of locations a person visited, you can correlate them with financial transactions. Even just a couple of retail transactions are often unique. You were probably the only person who was at your neighborhood Starbucks on Monday at 6:37am and also at Starbucks on Friday at 7:32am. Your credit card transactions provide a time and a location for every retail transaction.


That was 2018 though when they were barely setting up.


And still the case from what I've heard.


Plaid can very well not use the data in this way, but any company using Plaid's APIs and gaining access to the end-user bank account can do whatever they want with the data. There are no restrictions on potential bad actors who will do this, and no consumer protections.


Sure, and that would be true however a partner collected this data. It’s true whenever you apply for a credit card or a mortgage.

I believe that Plaid doesn’t work with just anyone, and they do attempt to put some limited controls in place to block bad actors - just like any other platform in the world.

All that said, the parent was suggesting that Plaid itself bundled and resold data for marketing purposes, which it does not do (though I believe some of its competitors might).

You should hold their feet to the fire for real issues (potential for misuse by companies that use Plaid to gather info, security concerns), not imaginary ones


Don't worry, Visa, Amex and MasterCard already do it directly.


Doing it on purpose vs via black/grey market trickery is often treated as separate matters. Even if the legal mode is still full of moral issues that society has yet to fully confront.

Phishing people's bank credentials has been fully established as a computer crime (not even just bad within civil law).


I adore the idea of the Plaid founders, and everyone else deemed complicit in a court of law (I think this should likely include investors), going to fuck-you-in-the-ass prison instead of becoming billionaires.

Alas, I've lived in Silicon Valley too long to believe that anything moral will ever occur when there's money to be made.

It makes me sad that people actually admire this place for anything other than the geography.


Do you think Plaid founders are going to jail?


No. He specifically implied that they would become billionaires instead of going to jail.


It's sad that we reward unscrupulous behavior.


That's true, and perhaps the real reason this really is a very valid anti-trust action is that Visa would be removing their only real competitor for providing this type of data.


> takes the information, stores it on its servers, and uses it

So does, for example, Yodlee, when you use them to have an API for bank statements. I cannot say if they too monetize the data that opens up to them for grabs.

It took legislation and years of preparation to enforce APIs and interoperability onto European banks (yes, I can now use bank A's app to view my account balance in bank B, while maintaining control over what kind of access I'm giving). Can't see it happening in the US, though, although the demand for such APIs is clearly there, given that companies like Plaid and Yodlee prosper.


I would wager that 90% of the business for Plaid, Yodlee, and Intuit is account verification; the thing that you used to do by having small ACH transfers of random amounts that you verify. The fact is that 90% of running a fintech business is identifying and bounding fraud risk, and these "banking API" companies are able to move the needle down a couple of basis points.

edit: It's shit like this that just screams for the Fed to force FIs to implement a standard API for verifying accounts and making transfers. I bet half of fintech would collapse overnight, but the collective cost savings would be in the billions.


Yodlee literally sells the data directly to hedge funds.

https://www.thetrustedinsight.com/investment-news/yodlee-jum...


No, that's not the problem at all. The problem is that Plaid falsely used TD Bank without having a relationship with the bank. The company literally has a bank partnerships team so that "void warranty" argument doesn't even make sense.


> Also, giving your credentials to any third party, including Plaid, voids the warranty at many financial institutions.

Funny enough, I've seen that be the case at some banks that simultaneously integrate Plaid into their online account application flow for the initial/funding deposit. Pretty ironic that users are implicitly coerced into voiding their liability protection at their existing bank during the course of opening an account at a new one, which wouldn't hesitate to turn around and also invalidate your liability protections itself if you used your new bank's credentials with Plaid elsewhere.


That's interesting, and it is an important "stick". On the other side, I know some banks are giving a "carrot" to these types of companies by providing a "portal access" that allows these companies to connect their customers with their bank accounts so that the customer can select what to share with these sites.

Of course, once those portals are enabled we enter the Facebook game: a lot of customers will blindly give all access to Plaid-like companies, and then consumer advocacy groups will criticize the amount of information that they are (still) mining from ignorant customers.


I think BofA does this, which I like. When I linked my account to Robinhood through Plaid, it asked for 2FA (text or phone call, BofA doesn't support TOTP codes) and verified it, then asked me to select which accounts to grant access to. Since it doesn't need the 2FA subsequently, it must be doing some kind of OAuth-style authentication when it passes that token to the bank and then gets a long-term access token for that specific account.

From an HTTPS perspective this is still pretty concerning though. AFAIK browsers would block the Plaid widget if someone tried to load it insecurely and the page was HTTPS (what users have been trained to look for). But without going into devtools there is no easy way to verify that the widget is actually a real Plaid widget, thus POSTing your password directly to their server and not the merchant's, and no way at all to verify that they have such a partnership with your bank sanctioning them to collect your password.


This is essentially the core thesis of MX [1], which creates an API exchange that FIs need to join in order to use.

I'm not sure how well it is catching on. Seems like they're diversifying more into other whitelabel products for fintech companies.

[1]: https://www.mx.com/


Good god that's disgusting behavior. Surely VISA would have seen this as a huge risk?


Oh man I can't believe they actually pulled this on a Canadian Bank.

I tell my founders to always always fly straight or don't fly at all because if you cut corners or deceive, it will come back to you.

Had they been honest and played by the rules they could be sitting on a massive windfall.

Unfortunately, some VCs and founders think like gangsters and get surprised when things don't pan out. Just because it worked for someone in your circle doesn't mean it's gonna work for you. It is a horrible behavior to emulate.


The deal didn't go through because of antitrust concerns, not because of TD's lawsuit.


Yeah. TD is so tired of them they have a page warning customers about them, without naming names:

> When using a fintech app, you may be providing your confidential TD username and password directly to third parties over whom TD has no control. Please be aware that the sharing of your TD credentials is contrary to the terms of our agreements, and TD will not be responsible for any harm that results from the sharing of your credentials.

https://www.td.com/us/en/personal-banking/security-center/fi...


TD should force a password reset every time a login occurs from Plaid on behalf of a user.


As someone who's worked in fintech for 10 years, I think this is a bad take. Out of all aggregators (what this is called), Plaid is by far the most open and privacy-forward.

First, they're transparent about being a 3rd party that's part of the flow (see https://plaid.com/blog/the-all-new-plaid-link/). It's clear it's Plaid, they use neutral colors and not the bank's, etc. They have a portal where you can manage your data (https://my.plaid.com/).

Second, they are very open about not selling data (unlike most of their competitors). It's in their terms and their website (see https://plaid.com/how-we-handle-data/). I guess that could change, but from working with them I know it's part of their positioning so I'd be surprised if that changed.

Third, they've announced bank integrations and afaik they're moving to OAuth where the banks support it (I've seen this in the wild, but can't replicate right now). The key here is where banks support it. I think you have to look at the historical context: the banks do not want you to own your data as a consumer. They don't want fintech apps to exist. Having talked to banks about integrating directly with them, it's onerous and only the big players can do it. Plaid's fighting the good fight for fintech startups.

But yeah it's a less-than-ideal solution and it sucks that it doesn't work without creds flowing through and it's not clear regulators or banks will work to make it better. That sucks. I just think bashing on Plaid here is one-sided.

(throwaway account because I work in fintech)


> It's clear it's Plaid, they use neutral colors and not the bank's, etc.

Every time I've been confronted with a Plaid-backed bank login prompt, they use the bank's colors and logo, the word "Plaid" or their logo is either nowhere to be found or is in tiny fine print, and I run away screaming from that service.


The Plaid flow is typing your bank credentials into a domain not controlled by your bank; it's a pretty big fail right at the start.


> But yeah it's a less-than-ideal solution and it sucks that it doesn't work without creds flowing through

I can appreciate that Plaid is trying to push stuff forwards, but (presumably) storing your bank credentials in plain text is far worse than a "less-than-ideal solution".


I once went to use Plaid to apply for a mortgage on one of the new fancy broker platforms. It asked me to type my login credentials... sketchy, but alright, banks and mortgage companies seem to trust them? Then they asked me to disable 2FA on my account, and at that point it was indistinguishable from a phishing attack to me. I noped out and changed my bank password immediately.


This is why a standard API is needed, like Open Banking in the UK. When I use a third party app, the access request is redirected to my bank app and authorisation is granted there. At this point it is explicit what data the third party will require. Once authorised, I’m redirected back to the third party’s app. At no point have I given my credentials. This must be renewed every 90 days. Furthermore I can view what apps have access to my account and can revoke this access at any time.

PS Yes I know people like Ben Thompson [1] and even the US Treasury (mentioned in the same link) advocated for a private solution like Plaid (and nearly by extension Visa), but seriously this seems like something that needs to be government regulated to prevent incentives for selling user data.

[1] https://stratechery.com/2020/visa-plaid-networks-and-jobs/
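The consent flow described in this comment (authorization granted at the bank, explicit scopes, 90-day renewal, per-app revocation), and the OAuth-style long-lived token an earlier commenter inferred from the BofA link flow, can be contrasted with save-and-forward credential sharing in a small model. This is an added illustration, not code from Plaid, TD, BofA or any Open Banking implementation; the `Bank` class, the `budget-app` client, the sample account data and the fixed clock `T0` are constructed for the example, and only the 90-day lifetime comes from the comment above.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ACCESS_LIFETIME = timedelta(days=90)               # renewal interval named in the comment
T0 = datetime(2021, 1, 12, tzinfo=timezone.utc)    # constructed "now" so the demo is deterministic


def _h(token: str) -> str:
    # Store only a hash of the token, so a leaked grant table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Grant:
    client: str
    user: str
    scopes: frozenset
    expires_at: datetime
    revoked: bool = False


class Bank:
    """Constructed stand-in for the bank: holds passwords, account data and consent grants."""

    def __init__(self):
        self._passwords = {}
        self._data = {}
        self._grants = {}   # sha256(token) -> Grant

    def register(self, user, password, balance, transactions):
        self._passwords[user] = password
        self._data[user] = {"balance": balance, "transactions": list(transactions)}

    # --- credential-forwarding model: the password proves identity and full access follows.
    def login(self, user, password):
        if self._passwords.get(user) != password:
            raise PermissionError("bad credentials")
        return dict(self._data[user])   # everything, with no scope, expiry or revocation

    # --- consent model: the user authenticates *at the bank* and approves a scope set.
    def authorize(self, user, password, client, scopes, now=T0):
        if self._passwords.get(user) != password:
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self._grants[_h(token)] = Grant(client, user, frozenset(scopes), now + ACCESS_LIFETIME)
        return token   # only the token leaves the bank; the third party never sees the password

    def _grant_for(self, token, scope, now):
        g = self._grants.get(_h(token))
        if g is None or g.revoked:
            raise PermissionError("unknown or revoked token")
        if now >= g.expires_at:
            raise PermissionError("token expired; user must re-consent")
        if scope not in g.scopes:
            raise PermissionError(f"scope {scope!r} not granted")
        return g

    def api_balance(self, token, now=T0):
        return self._data[self._grant_for(token, "balance", now).user]["balance"]

    def api_transactions(self, token, now=T0):
        user = self._grant_for(token, "transactions", now).user
        return list(self._data[user]["transactions"])

    def list_grants(self, user, now=T0):
        """What the user sees in the 'which apps have access' view."""
        return [(g.client, sorted(g.scopes), g.expires_at)
                for g in self._grants.values()
                if g.user == user and not g.revoked and now < g.expires_at]

    def revoke(self, user, client):
        n = 0
        for g in self._grants.values():
            if g.user == user and g.client == client and not g.revoked:
                g.revoked = True
                n += 1
        return n


def demo():
    """Walk through the consent flow once; returns the outcomes so they can be checked."""
    bank = Bank()
    bank.register("alice", "correct horse", 1200, [("coffee", -3), ("salary", 2500)])
    tok = bank.authorize("alice", "correct horse", "budget-app", {"balance"})
    out = {"balance": bank.api_balance(tok)}
    try:                                   # scope the user did not approve
        bank.api_transactions(tok)
    except PermissionError as e:
        out["transactions"] = str(e)
    try:                                   # day 90: the grant must be renewed
        bank.api_balance(tok, now=T0 + ACCESS_LIFETIME)
    except PermissionError as e:
        out["after_90d"] = str(e)
    out["revoked"] = bank.revoke("alice", "budget-app")
    out["grants_left"] = bank.list_grants("alice")
    return out


if __name__ == "__main__":
    print(demo())
```

The point the model makes explicit: under `login`, whoever holds the password (the aggregator, or anyone who later obtains its stored copy) gets the whole account indefinitely, and the bank cannot distinguish that access from the customer's own; under `authorize`, the bank knows which client holds which scopes, can enforce the 90-day expiry, and can honour a revocation without the customer changing their password.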


I tried to use their API for a personal project and found starting one month a bunch of transactions were missing from my bank account. It turned out Chase included a promotion on the pdf statement that month which threw off their scraping algo. Really woke me up to their "tech", I changed passwords and avoid them now.


I can confirm this as I currently use Plaid in a few projects. People have no idea what they are signing up for when they authorize this. It's possible to get near real-time transaction data from someone's bank account as well as monitor their account balances for any linked account, essentially in perpetuity. With this data it's possible to back into a lot of behaviors about someone's life. All of that is handed to any firm you authorize to link your bank account.


Now I know why I can never think of good ideas for a business: I'm thinking about what I can build to help my customers, but in today's SV I need to be thinking about how I can more easily steal user data at a lower cost than my competitors.


FWIW their competitor Teller uses the bank's own native APIs.

The idea is the bank can't shut off Teller clients without shutting off their own customers. This involves a lot of iOS reverse engineering.

So things like Plaid's Capital One integration breaking for months have never happened with Teller - who've been running for something like 5 years now.

https://teller.io/


So Teller reverse engineers a bank's internal APIs and uses those to manage your account?


Yes.


They really do need an OAuth rather than save-and-forward-credentials approach to account access. Hopefully the new FedInstant platform will have improvements in this area.

That said, I personally wasn't surprised to see they have this access. It makes sense that if you give them your bank password, they will have full access to your account unless they clearly convince me otherwise.



Yes, a while back my bank account was decoupled from Venmo for reasons unknown. I unwittingly used Plaid to sign into my bank account instead of the usual wait-a-couple-of-days procedure. No indication whatsoever; I only found out because I saw an article, probably on here, about this company and their basically fraudulent practices.


I was under the impression that Venmo uses Plaid’s APIs on the backend, no?


I don't really know how the integration works. AFAICT you can avoid Plaid if you verify your account manually [1].

https://help.venmo.com/hc/en-us/articles/221073067-Verifying...


This is so terrible. Is there an easy way for me to write to Plaid to delete all my information or do I have to go into each service and unlink?



If you're in CA, use the CCPA. They claim to have removed my information in response to a CCPA request.


Nice to see somebody respecting the law. Atlassian is still claiming that if they give my account to somebody else then they can ignore my CCPA claims.


IIRC, they have basically an instance of a scraper for every different bank web site, which to me doesn't seem very scalable. I'm not sure if this is still the case, but when I interviewed a few years ago, it definitely seemed that way.


That's not true. Plaid says they'll be accessing your information literally when you sign into your account.


Well, better one small company doing that garbage than Visa! It makes it easier to avoid.


I am sorry to say this, but your friends should really give a thought to why they are still working there. I understand that people have families to feed and mortgages to pay, but they should at least consider changing jobs if they are software engineers.


Pretty much how 99% of this data robbery happens by all surveillance companies.

This is why Facebook is so pissed off at Apple that it dares to ASK users first.

"Most users aren't aware what data is gathered about them" is about 10x more accurate than "users don't care about privacy", even though it's the latter that gets repeated all the time (with some help from the surveillance companies themselves spreading this propaganda).


Blame the banks for dragging their feet and not making proper APIs for these companies to use instead of screen scraping.


Why are you sorry for them? They are making the choice to work at Plaid when they know Plaid is a terrible legal phishing company.


I can't wait until we have smart contracts on a privacy coin that let me invest and grow my wealth anonymously.


Anonymously is unlikely - how would the government get their taxes?


Even if the government bans XMR from exchanges, BTC to XMR atomic swaps are coming.

You can then

1. Use XMR as an anonymizing bridge to pseudonymous ETH or ADA wallets

2. Grow wealth with ETH or ADA smart contracts/decentralized finance

3. When you want to spend, transfer funds from your ETH/ADA wallets over the XMR bridge to newly generated spend wallets. (There's potential for a chain-analysis correlation attack at this point if you aren't careful with how you are withdrawing.)

---

Really, it's all a nightmare and very difficult to do it now, but I'll be damned if someone doesn't develop an app or program that does this all seamlessly in a few years.


what if tax is part of the smart contract?


Then it would have to know who it is taxing? The same applies.

No, you cannot anonymously tax every transaction at some rate. Tax rates don't work that way, in a vacuum.


Why not? It's how sales tax works.


It would have gone through had Visa's CEO not been so honest at the time of the merger announcement saying that they intended to use Plaid's data to get a leg up on their competitors.

> The DOJ cited Visa CEO Al Kelly’s description of the deal as an “insurance policy” to neutralize a “threat to our important US debit business.”


I don't even think it's a data issue. He literally says they bought Plaid because they're a threat. That's textbook anti-competitive behavior and a big smoking gun when it comes to anti-trust cases.


I'm not informed when it comes to anti-competitive legislation, but don't companies like Google do this sort of thing all the time?


I'm a layman, so take this with a grain of salt, but here's the basic legal theory...

In antitrust law, intent matters. If your primary motivating intent is to make the market less competitive, that's what gets the book thrown at you. That's why it can be so hard to prosecute antitrust, because it's pretty easy to lie your way out as long as there's no direct proof of intent.

Let's take Facebook's acquisition of Instagram. Did they buy Instagram because they saw Instagram as a threat, or did they buy Instagram because they wanted to acquire their talent and improve their product? For a long time, you could argue it was the latter case, which warded off antitrust suits. Recently, some emails came to light where they explicitly talked about taking out Instagram because they were beginning to pose a threat. Now there's a smoking gun and a strong case to be made, which may well be prosecuted in the near future.


Yes, and they didn't invent the practice. Standard Oil brought competitors into its fold in order to maintain its pricing power and dominate the petroleum market.

As with most questionable business practices, they're not wise to be transparent about their true reasons for doing it, and inevitably they admit to their true reasons anyway.


They do, which is why it is so surprising that the DoJ is being so aggressive with this one.


They said both I believe. Them having access to all their competitors' data through Plaid was a big concern when the acquisition was announced.


Such a poor comment from Kelly that I almost wonder if it was intentional.


This angle makes sense if they wanted regulators to more closely examine the acquisition target.


Could be attempting a balance of convincing shareholders and not come out as just eating the upstart.


It would seem a CEO would have other, less public, tools to torpedo a deal if they wanted to, no?


Maybe not if the board was forcing him?


Maybe he wanted to tank the deal once they figured out Plaid scrapes financial portals instead of integrates with them.


because you sign a 5b deal and then do due diligence


not exactly the same situation but it happened with NKLA and GM, insufficient due diligence on what was vaporware. mistakes like that can happen.


That’s not the same at all. GM wasn’t losing anything in their original NKLA deal. While Visa would have spent billions.


Yes?

There are several iterations to deals that size with increasing levels of scrutiny.


Hubris enables people, especially "smart" people, to do things that look really stupid in hindsight.


But is it securities fraud?



Maybe they weren’t as astutely aware of the antitrust political wave we seem to be in. It feels like 5 or 10 years ago this merger would have happened regardless of comments like this. I think after the 08 recession there was little appetite for anything that could make business less effective, and big business loves mergers.


OK. But will the DoJ disallow the acquisition of Finicity by Mastercard? Visa and Mastercard follow each other. I'm waiting to hear the verdict on the Finicity acquisition by MC.


Whatever you think about Visa or this merger, this would be a major disappointment to Plaid's team members who thought they were in for a huge financial windfall.

If that applies to anyone here, my sympathies and best of luck figuring out what's next for Plaid. Hopefully the morale hit isn't too big on the team.


This comment strikes a nerve with me - perhaps because it's "saying the quiet part loud". I thought the typical goal of hackers and startups was to "change the world" and "make a difference". How does selling to Visa accomplish those things? Isn't expressing sympathy with Plaid's staff for not getting a payout effectively saying "sorry that you might actually have to deliver on the lofty promises this time"?

It's also kind of indicative of how small startup ambitions have become. Acquisition has become a measure of success, not failure.


The rank-and-file employees that work for companies like this have other goals, like buying houses and saving for retirement, it's not a single dimension. Yes, they want to help the world but not at the expense of themselves and their own financial future.


That's often true for startup founders too. However mission-driven some of us are, we still live in a capitalist world with bills to pay.


>I thought the typical goal of hackers and startups

Hackers and startups are two very different groups with very different ideologies and goals and incentives. No idea why you group them together. Some startups have no technical founders even.

>"change the world" and "make a difference"

Startups are businesses and like all businesses in the end they wish to make money. VCs, for example, are very clearly investors and not philanthropists. They are high risk, high reward businesses which means they need to change things to get those returns but in the end they are a business.

>How does selling to Visa accomplish those things?

It gives Plaid financial stability and a long-term platform for its technology. If its technology makes the world a better place, then its continued existence does make a difference.


> Some startups have no technical founders even.

And most technical founders aren't hackers, though some definitely are.


How would you describe a hacker vs your average dev?


Lots of people have tried to capture this distinction, I'm sure I'll do a worse job here briefly than you can find around, but for me the tell is how people spend their time, and an attitude.

Hackers in the sense that I mean it have an innate need to understand things deeply, and a tendency to value achieving this directly (e.g. do something, don't just read up about it). As a result most hackers with any real talent will have achieved an unusually high level of expertise/mastery in at least one, often a few, technical areas. This is a result of having really spent a lot of time with it, in ways that may look "obsessive" to others.

This is by no means restricted to software. Another common characteristic is a tendency to take things apart (physically or virtually) to see how they tick.


You're on Hacker News at ycombinator.com and you have no idea why folks here associate hackers and startups?


I associate hackers as a group that startups wants to hire not as having similar philosophies. To me this site is a very successful marketing/recruitment tool and not some indication that YC follows the hacker ethos.


The point is that this represents a coöption of the term hacker by the venture capitalist community -- it's always easier to convince someone to accept less value as recompense for what they produce by convincing them that they are engaged in a noble or even a personally virtuous (see e.g. "guru", "rockstar") pursuit.


This makes it sound like something dirty.

Tech workers want to buy homes and go on vacations just like everyone else. That's a good thing. They had an opportunity to make a lot of money making banking services easier for everyone; that's awesome and should be encouraged.


It's dirty when you couple it with the usual startup BS about changing the world, where the startup was created from day one with an exit in sight.


A startup exit doesn't simply erase all its impact. Plaid made many banking services a lot easier & popular, and it demonstrated how valuable that can be. All that doesn't just disappear. An acquisition/merger can also strengthen a startup's founding ambitions with more resources at its disposal.


Can, but often enough, it doesn't. We end up with a cancelled product/service, or one maligned beyond recognition by the acquirer, with users having to untangle the service from their lives at last minute, while acquirer holds all the IP.

Also, I question the general usefulness of startups created to pursue an exit in the first place. Besides there being often no point in entangling yourself with a service that's meant to be transient, the goals will be different too - the company will try to force hypergrowth by underhanded, and ultimately user-hostile means, vs. letting a thing grow on the strength of its usefulness. Myself, I strongly avoid dealing with any startup that I can smell was built for an exit.


I've been through 1.5 IPOs and 1 acquisition.

In only one of those cases, did I join the company expecting an imminent-ish liquidity event. One hit me out of nowhere. Regardless of what you're planning on, and even if the dollar amount isn't that great, it's a huge rush, a lot of thinking about the possibilities. It would suck, at the very least, on an emotional level, to have that fall apart.


Out of curiosity, what was the .5 IPO?


I joined a company (my first full-time salaried job) a few days before their IPO. I got stock options (like, 500. I was 18. heh.) but they were awarded/priced/etc post-IPO and were never actually in the money after vesting, as I recall. So I remember some of the IPO excitement but I'm not sure it really qualifies as "going through an IPO" for the purposes of the "full thrill ride package".

Incidentally, that company was also taken private during the dot-com crash, and I did make money from that, because the ESPP I was buying for <$1 got converted to cash at something like 3.5x the valuation. It wasn't much, but, again, I was young, so it seemed like a lot.


She/he is probably on the way to one right now, at their current company.


Plaid has ~500 employees with normal lives and financial goals. There are start-ups out there with a real chance to change the world, but I think it gets over played as a form of recruiting and media strategy.


There is no "typical goal" in tech or anything else. Different people want different things in life.


Honestly I sort of agree with your sentiment, but I have some sympathy because many people who join early startups do it at comp deficits, and believing you're actually going to make a significant return on your investment only to suddenly realize you're not is pretty shitty-feeling no matter what.


Visa was going to pay $5.3b dollars for Plaid. I don't really think you can say that that is "small startup ambitions."

Is YouTube a failure? Is Instagram a failure? How about Github or Linkedin? There are reasons to remain an independent company, but there are also reasons that it might be better to be acquired. Besides the premium that the acquirer will pay, large companies can actually accelerate your growth while also insulating you from a lot of the pesky overhead of being a public company.


To be fair, Visa would’ve had the partnerships with banks to really push for standard API access to various banks. Plaid works by giving them your username and password in most flows (although some banks like Chase finally have an authorization flow without MITM).


I don't mean to be glib, but it's just a job. Pretending you have some sort of higher aspirations when you sign up to work at a generic fintech or, heck, a vast majority of startups? Mrpmhph.

At least rappers have the honesty to say it's about that cash.


It is probably 99% true. You can occasionally find a company that is proud that they made their users happy. Notch with Minecraft might be an example of that.

If you listen to VCs talk it is 100% about exit price.


> I thought the typical goal of hackers and startups was to "change the world" and "make a difference".

That sounds like the goal of a non-profit, not a startup. What a founder says at a TED talk (which I admit can often sound like the former) shouldn't be conflated with the nuts and bolt conversations they have with their closest lieutenants and investors. Assuming we mean venture funded by "startup" the definition has always been growth oriented, highly risky and innovative through disruption.

> It's also kind of indicative of how small startup ambitions have become. Acquisition has become a measure of success, not failure.

Really? I'm surprised you think that acquisition is either a measure of success or failure in a vacuum. Wouldn't the terms and the specific deal be more important than how a company exits? After all, there's a world of difference between an acquihire and a strategic merger.


> I thought the typical goal of hackers and startups was to "change the world" and "make a difference". How does selling to Visa accomplish those things?

If your aim is that everyone should have access to these tools then getting Visa to integrate them is a pretty good way to accomplish that - Visa is big enough that if they adopt something then pretty much every credit card will have to match it.


I'm doing it to get paid. Yeah, I also want to make a great product and all that but..

Also, I'm getting paid.


It reminds me of something my friend would often say: "I'm very passionate about your product and mission. Just that it comes at a price." Also, as the Joker said, if you are good at something, don't do it for free.

It's absolutely fine to be passionate about customers/product/whatever. However, if one is constantly distracted trying to make ends meet, the cognitive bandwidth is going to be spent on that rather than on chasing the passion.


> I thought the typical goal of hackers and startups was to "change the world" and "make a difference"

I care so little about "changing the world" or "making a difference". Those things don't pay the rent.


It's OK to say "I'm sorry you didn't get your payday" and "your company's exploitation of my data sucks big time" to the same person.


Is it really? Getting a big payday seems to validate the exploitation of the data. Those two sentiments seem mutually exclusive to me.


Looks like tech is the new finance


Can attest that some employees and ex-employees took a decent tax hit by exercising NSOs after the acquisition was announced at the $5.3 valuation price.


Uh no.

Plaid is probably worth much more now than it was when it was acquired. The entire market has become much more frothy.

I would not be surprised if it could command a $10B+ valuation as a standalone company.


That doesn't mean much unless the employees have liquidity right? Presumably after the acquisition the employees would've been able to convert their options to cold hard cash.


Acquisitions aren't necessarily great for employees because liquidation preferences apply.

With SPAC-mania they could merge with a SPAC or go public. My point is the path to going public is much easier now than a year ago.


They'll get some $$$ out of it, and I have no doubt that they have a solid future as an independent company. The fintech sector is red hot right now. Heck they might even be able to catch the next IPO wave.


SPAC SPAC SPAC SPAC SPAC


Not sure why that was downvoted, there is a glut of funded SPACs and more on horizon who would love to take Plaid public.


Each one with, like, $200M in raised capital. Maybe SPACs are a trend competing with VC money? Which doesn't make sense... bc VC investors could also be bought out for a premium on acquisition as well...


The vast majority of tech workers that receive equity stakes in pre-IPO/acquisition companies don't ever see any financial windfall from their stakes. These guys will be just fine.


Agreed, except for one point.

Please don't call it a windfall. Anyone in that company that would have seen life changing amounts of money has likely put incredible effort and hard work into making this happen.


Well, maybe it isn't a "windfall" to someone who lives in the tech world and comes to expect such good fortune and thinks their effort should be rewarded in an outsized way. I'm sure we think it's deserved in a relative sense.

But it is most definitely a windfall to the rest of the world (even the rest of the country), who work equally hard, under worse conditions, for their entire lives and cannot even hope to earn say 1/5 the wealth that a tech worker can accumulate after his/her first job.

To have a payday of millions of $ fall out of the sky, for toiling the same as others trying to make a living, yet also being lucky to be in the right place and the right time to have it rewarded.


It's almost like startups have non technical workers that also have an equity stake in the companies they work for. This comment strikes me as almost entirely out of touch. No one expects these results, most people never see a startup they work for successfully exit let alone to the tune of billions.

"Being in the right place at the right time" sure it's partly that but if you think you're getting there without some really hard work you'd be sorely mistaken.

Also startups everywhere need good folks to work for them it's not like this is some secret club to get into, many people just have no risk tolerance for one reason or another.

Your line of thinking really gets at me, because the reality is that a lot more than luck goes into things, even if the current popular line of thinking is to suggest otherwise.

Especially on a community that was established initially to talk about startups.


Everyone works hard, and yes some work harder than others. And no one is saying that tech workers randomly won the lottery and should shut up and just be grateful.

But to imagine that suddenly having the fruits of your labor yield 10-100x the wealth that others in life can ever hope to produce, and think that it's just your hard work and not a function of having been blessed both with good talents and an environment in which your value can be exploited -- is sheer arrogance not to acknowledge that. Or be offended that someone points it out. What does being on HN have to do with keeping a sense of reality? We need to create a protective bubble of thought that doesn't offend millionaires?

As Warren Buffett has said, "I was born with a talent for capital allocation. If I had been born in rural Africa, my talents might never have given me the wealth I have today. I would not be so different from my secretary. Our positions might even be reversed. I thank America for that difference."

Maybe the word windfall triggers you in a way that suggests it should be taken away and you didn't "deserve it". No one said that. Yet also, everyone in such a fortunate position tends to grow to think they deserve it fully as a result of their talents and work. When in fact an objective person should see how much the factors have aligned to give you this gift.

Just because you read HN doesn't mean you are exempted from realizing how lucky you are. We're not that much of a bubble I hope.


I think we may be passing each other on the word tech workers -- do you mean everyone who works in a tech company, including customer support, sales, marketing, operations etc or are you defining tech workers as just the people who work with tech, ie engineers, analysts etc. and possibly on the accessibility and rarity because pretty much anyone can get hired at a startup and most startups fail.

Most people in startups are not lucky (relative to others in the US economy of similar job positions); they actually generally make less than people in established companies and if they don't have a favorable exit are almost always numerically worse off than those who chose the stable path.

The reason I see people typically working in startups is more impact, freedom, the ability to quickly level up etc, but unless your company exits and you get paid from that exit no dice.

I've had friends whose shares were worth less than they paid for them when their company had an exit.

I continue to work in startups because I really find satisfaction in it (right now trying to get my own off the ground), but I would triple my total compensation as an employee in most cases if I went to go work for one of the big players, and that compensation is a real tangible thing, not anywhere close to a gamble. It's actually somewhat of a problem right now in how founders attract good talent for that reason.

I think you simply have an inaccurate picture of the majority of startups and the types of money in them.


I don't know, yes maybe we're just misinterpreting each other.

I take the original comment at its word -- having to do with those workers for whom a "windfall" however you define it, is life-changing.


The windfall typically isn’t anywhere close to millions of dollars for regular employers. We’re talking about payouts on the level of buying a new car or placing a down payment on a home.


I think you meant regular employees? From my limited experience, the windfall is actually much more than a new car or down payment and can reach into the millions of dollars if the stock rises a couple hundred percent. Most of the unicorn startups that have gone IPO were offering stock options close to or above the million dollar range for senior engineers. Don’t forget the refreshes. The big limiter is actually taxes which take close to half.


For options, taxes only become a big limiter if one waited for the value to rise substantially from the strike price, thus creating a large spread that will be taxed as income. If shares are purchased as they vest and held for over a year, the gains will be subject to much more favorable long term tax treatment when sold.

Larger companies will typically switch to RSUs, which get taxed like income, which isn't great for a non-liquid asset. That's what double-trigger RSUs solve: by not having the employee own the shares until a liquidity event, they won't need to pay taxes on them until it happens. The catch is that now the employee needs to hold onto the shares for a year to get a more favorable tax treatment.

Taxes will really only take close to half if employees insist on selling their shares in less than a year.


Interesting, I just thought a windfall meant "a lot of money at once", but it looks like you're right that it implies luck. So agreed, a different word would be more accurate here.


But obviously some element of luck is present here. Unless we're willing to say that the success or failure of the merger is entirely on how hard each employee worked.


I mean, nobody reasonably joins a startup and expects to make buku bucks. It’s “unexpected good fortune” from my perspective, and certainly seems to qualify as a windfall.


"Buku"? Beaucoup?


Yes, it's an intentional misspelling


If we ignore the lucky ones who were first employee at a unicorn with a very generous owner... do you really get any money as an employee when there is an acquisition!? How common is it outside Silicon Valley?


I wonder if employees with equity will see any portions of the breakup fees as some sort of bonus.


Was there a breakup fee on this one? I'd expect it's pretty standard to waive that when it's due to unforeseen regulatory obstacles.


I hope they fail. Some users report they deceptively impersonate the user's bank in order to extract as many data points from them (loans, lines of credit, ...)


I’m sure those wannabe monopolists will be fine and something else will come along. The rich always get richer.


That Visa isn't fighting this should validate that the government's antitrust enforcement has been lax. For a merger valued in billions of dollars, hiring even the best lawyers for a long fight would have been a rounding error. The only way this happens is for Visa's lawyers to think that the government would likely win.


It is strange that they're not fighting it harder. I wonder if Plaid identified a better exit strategy?

Or if Visa is having some buyer's remorse over the $5 billion price tag and saw this as an easy out?


With public market valuations of B2B companies today, I could see Plaid being worth considerably more than the $5 billion that Visa agreed to. I think it's less likely buyer's remorse than just overwhelming evidence of anticompetitive behavior. The original DOJ complaint [1] has a lot of direct quotes from top level Visa execs. See paragraphs 9 and 10.

[1] https://www.justice.gov/opa/press-release/file/1334726/downl...


No, they always knew the 500x valuation was BS. It's pretty much like they said, it was a defensive acquisition to prevent the data from going to any of their closest competitors. Visa had no idea what it was going to do with the data, but just wanted to keep it out of everyone else's reach.


Finally some antitrust enforcement!

This was clearly going to be anti competitive and bad for consumers.

Plaid has a great product and will either spac / ipo or be a great acquisition target for someone else.


Plaid broke the law and now someone can acquire it at a huge discount. They played themselves.


You get an upvote just for the sheer brashness of that comment! :D


Important to note that there is no break-up fee that Visa (or Plaid) will pay.

Source: https://www.bizjournals.com/sanfrancisco/news/2021/01/12/vis...


Nice pt. This is common as merger deals typically have MACs that carve out specific events like failure to get antitrust approval...


I'm surprised by this. I used to work in Foster City.

The joke on the campus was that VISA stood for "Very Inconspicuous Spy Agency".

You'd think that there wouldn't be this kind of miscommunication in the chain of command.

All jokes aside, I'm very curious to check out Plaid now because I didn't pay attention when it was independent and Visa is a *very* smart organization, so Plaid must be something special.


>Plaid must be something special.

It's not so much that Plaid is "something special" but that US banks are stuck in the 1950's technologically.

Plaid shouldn't exist. It only exists because banks refuse to create open APIs for others to integrate with.

With that said, Plaid has done a fantastic job.


This seems to be changing. Nacha (the organization that governs ACH) has been developing open APIs so that more organizations can get access to the ACH network without any dirty hacks. I would expect to see a rise in the number of personal finance applications over the next few years due to this fact.

https://www.nacha.org/content/available-apis https://www.nacha.org/content/phixius


The problem is that Nacha is building these APIs on top of ACH. There needs to be a universal realtime payment and account-validation network, not a file FTP'd to the Fed that's sent out three times a day.


Take a look at FedNow which is aiming to offer a 24/7/365 instant payment service for all US banks by 2023-24. (I would realistically expect 2028-30 for it to go online) This is being worked on, but everything moves at a glacial pace.


FedNow is a while away. RTP (Real-time payments) from The Clearing House is already doing it. They have appx half the DDAs (bank accounts) in the US covered. Another year or two and they will have 80-90%. Also Push to Card and VISA/MC Debit are real-time payment systems, i.e. 7x24x365, where you can pull or push money to the bank account linked to the VISA/MC branded ATM card.

Bottom line: Fednow may be too little too late


Never used Plaid but didn't they require your banking credentials and also didn't have a very secure mechanism for storing them?


Yes. Plaid can be used to verify banking details (many stock brokers use it for this, for example).

Plaid works by asking the user to give their banking username and password to Plaid, and then their two factor authentication token too. Plaid logs into their account behind the scenes to verify ownership.

Plaid claims to not store this info, and I assume that they don't, but it still seems like one of the biggest security anti-patterns ever. If nothing else, it's training users to ignore the "don't share your password" warnings. Do we really want users trained to be more susceptible to phishing?


Yeah, in the last decade I have many times considered building a service that would have a better interface and access to information by fetching it from all my financial institutions, but what's held me back is the lack of APIs, and I never even considered collecting user credentials as a viable option because of the potential security nightmare and possible liabilities. I guess it pays to be ignorant of all that and just plow ahead. Once you get billions in VC funding, you can fend off any consequences.


> Plaid claims to not store this info, and I assume that they don't

Think of it as Plaid storing OAuth2 access tokens, sort of; and the tokens do expire (over pretty long periods), though some bank integrations do allow them to generate their equivalent of refresh tokens.

Plaid didn't go into this blind; they know the tightrope they're walking. As someone who's worked with Plaid to build an integration into our product, I'd say they're definitely in a very gray area, but that's pretty much all of the Fintech space right now.

Although, I'd also say they're not malicious; even if it is just motivated by the fear of the bad press resulting in a customer exodus.
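The comment above, and the earlier description of Plaid's login flow (username, password and 2FA handed to a third party that logs in behind the scenes), draw a contrast between holding someone's raw credentials and holding a delegated token. As an added illustration (not Plaid's, nor any bank's, code), the following Python model puts both styles side by side. The `Bank`, `CredentialAggregator` and `TokenAggregator` classes, the scope names and the sample account data are all hypothetical and constructed for this example; the delegated-token half is a toy of the OAuth2 access-token idea, not a real OAuth2 implementation.

```python
import hashlib
import hmac
import secrets
import time

# Scopes the hypothetical bank can grant individually (constructed for the example).
SCOPES = frozenset({"balance", "transactions", "loans"})


class Bank:
    """Hypothetical bank: a password login grants everything; a delegated
    token grants only the listed scopes until it expires or is revoked."""

    def __init__(self):
        self._users = {}    # username -> {"salt", "digest", "data"}
        self._tokens = {}   # token -> {"user", "scopes", "expires"}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

    def register(self, username, password, data):
        salt = secrets.token_bytes(16)
        self._users[username] = {"salt": salt, "digest": self._hash(password, salt),
                                 "data": dict(data)}

    def set_password(self, username, new_password):
        user = self._users[username]
        user["salt"] = secrets.token_bytes(16)
        user["digest"] = self._hash(new_password, user["salt"])
        # Delegated tokens are deliberately left alone: revocation is a separate act.

    def login(self, username, password):
        """Password login: whoever holds the password sees every field."""
        user = self._users.get(username)
        if user is None or not hmac.compare_digest(
                self._hash(password, user["salt"]), user["digest"]):
            raise PermissionError("bad credentials")
        return dict(user["data"])

    def issue_token(self, username, password, scopes, ttl_seconds, now=None):
        """Consent step on the bank's own site: authenticate, then grant a third
        party only the requested scopes for a limited time."""
        self.login(username, password)
        if not set(scopes) <= SCOPES:
            raise ValueError(f"unknown scopes: {set(scopes) - SCOPES}")
        token = secrets.token_urlsafe(32)
        start = time.time() if now is None else now
        self._tokens[token] = {"user": username, "scopes": frozenset(scopes),
                               "expires": start + ttl_seconds}
        return token

    def revoke(self, token):
        self._tokens.pop(token, None)

    def read(self, token, scope, now=None):
        meta = self._tokens.get(token)
        now = time.time() if now is None else now
        if meta is None or now >= meta["expires"]:
            raise PermissionError("token revoked, unknown or expired")
        if scope not in meta["scopes"]:
            raise PermissionError(f"scope {scope!r} was not granted")
        return self._users[meta["user"]]["data"][scope]


class CredentialAggregator:
    """Screen-scraping style: must keep the raw password to log in again later."""

    def __init__(self, bank):
        self.bank, self.vault = bank, {}

    def link(self, username, password):
        self.vault[username] = password                 # the secret now lives off-bank

    def fetch(self, username):
        return self.bank.login(username, self.vault[username])  # all fields, always


class TokenAggregator:
    """Delegated-access style: holds only a scoped token, never the password."""

    def __init__(self, bank):
        self.bank, self.tokens = bank, {}

    def link(self, username, token):
        self.tokens[username] = token

    def fetch(self, username, scope, now=None):
        return self.bank.read(self.tokens[username], scope, now)


def _ok(call):
    """True if the bank allows the call, False if it refuses it."""
    try:
        call()
        return True
    except PermissionError:
        return False


def demo():
    """Walk both models through linking, an over-broad read, a password change,
    expiry and revocation; returns the outcomes (constructed sample data)."""
    bank = Bank()
    bank.register("alice", "hunter2", {"balance": 1200,
                                       "transactions": ["coffee -4.50"],
                                       "loans": ["auto loan 9800"]})
    out = {}
    scraper = CredentialAggregator(bank)
    scraper.link("alice", "hunter2")
    out["scraper_sees_loans"] = "loans" in scraper.fetch("alice")   # never asked for
    bank.set_password("alice", "correct horse")
    out["scraper_after_pw_change"] = _ok(lambda: scraper.fetch("alice"))

    t0 = 1_700_000_000                                   # fixed clock for the demo
    token = bank.issue_token("alice", "correct horse", {"transactions"}, 3600, now=t0)
    client = TokenAggregator(bank)
    client.link("alice", token)
    out["client_transactions"] = client.fetch("alice", "transactions", now=t0)
    out["client_loans"] = _ok(lambda: client.fetch("alice", "loans", now=t0))
    bank.set_password("alice", "another one")
    out["client_after_pw_change"] = _ok(lambda: client.fetch("alice", "transactions", now=t0))
    out["client_after_expiry"] = _ok(lambda: client.fetch("alice", "transactions", now=t0 + 3600))
    bank.revoke(token)
    out["client_after_revoke"] = _ok(lambda: client.fetch("alice", "transactions", now=t0))
    return out
```

Running `demo()` shows the asymmetry the thread is circling: the credential-holding aggregator is cut off by a password change, but while it works it reads every field, including ones the user never meant to share. The token-holding aggregator is confined to the granted scope and survives a password change; it stops only when the token expires or the bank revokes it, so a user who wants to end that access needs to know revocation at the bank is a separate step from rotating the password.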


Mercury bank seems to be a standout in this regard, promoting themselves as a "full stack" bank.


> It only exists because banks refuse to create open APIs for others to integrate with.

Mostly true, but both Capital One and Citibank have OAuth APIs. It's lovely.


It’s like oauth except you type your password for site A into a box on site B’s domain

Pretty wild it even exists


It is a hack around regulatory failure to mandate this functionality at finance firms (both Congress and the Fed have failed in this regard). The Fed's instant payments product (FedNow [1]) goes live in 2023, which is going to put downward pressure on Visa's debit business. The Fed only began to move on instant payments when pressured by Congress [2] (who didn't want smaller banks held hostage by Early Warning System's "Zelle" product, which is operated by a consortium of the nation's largest banks).

Europe mandated this functionality (PSD2) [3]. With instant payments and if regulations required banks to offer this functionality, Plaid's value would evaporate.

[1] https://www.frbservices.org/financial-services/fednow/index....

[2] https://www.paymentsjournal.com/timeline-the-feds-real-time-...

[3] https://en.wikipedia.org/wiki/Payment_Services_Directive


FedNow is a while away. RTP (Real-time payments) from The Clearing House is already doing it. They have appx half the DDAs (bank accounts) in the US covered. Another year or two and they will have 80-90%. Also Push to Card and VISA/MC Debit are real-time payment systems, i.e. 7x24x365, where you can pull or push money to the bank account linked to the VISA/MC branded ATM card. Bottom line: FedNow may be too little too late, but real-time payments are happening outside of VISA/MC.

VISA/MC are aware of this. They expect "interchange compression", i.e. reduction in revenue from credit card fees as users switch to other systems. However it isn't a show stopper because in parallel they have discovered (and are using) new ways to increase interchange revenue, e.g. Virtual Cards, Prepaid Cards etc.


2-3 years isn't that long in financial services. Sure, The Clearing House provides an RTP platform (and is also a financial rail for Zelle payments). Can they do it as cheap as the Fed offering FedNow as a utility similar to ACH? And to every deposit account provider in the US at a reasonable cost? Probably not. Doesn't matter how many deposit accounts you cover if someone is going to come eat your lunch because they have a Congressional mandate.

Agree on interchange compression (it's fairly obvious credit card networks are overpaid for what they offer, so of course innovation is going to bring revenue destruction), but there's no way virtual and prepaid cards are going to make up the shortfall (especially with Congress starting to lean left and progressive banking policies on the table, such as central bank pass through accounts, negating the need for prepaid cards when deposit accounts become accessible to everyone).

Long story short, finance still consumes too much of a percentage of GDP, and it's a good thing when tech comes along that pushes that drag down.


Does FedNow solve all of the problems Plaid solves? I'm thinking specifically about Plaid functionality that lets consumers expose transaction history, investments, etc.

It would appear that FedNow solves for "How do I get money into my Schwab brokerage account?" but not "How can I let Schwab do risk analysis across all my investment accounts?"


It does not, which is why I mention Europe's PSD2, which would. You don't build a startup to do this, you mandate your financial institutions to provide this functionality to users.

Baby steps!


You'd think even without a mandate, banks would be motivated to implement secure auth instead of this insanity?


My guess is that that Plaid will go public via a SPAC deal now. I think it's highly likely GSAH (Goldman Sachs Acquisition Holdings) is that SPAC that does a deal. They have $750M to play with and given Visa was going to buy Plaid for $5.3B, the numbers kind of make sense.


Yeah I think this is a strong take.


Or may be PSTH.


Glad to see they're starting to flex that antitrust muscle a little bit, it's been atrifying over the past few decades.


* atrophying

But yes, and this is a taste of what's to come. FB, GOOG, AMZN... watch out.


There's a decent bit of M&A activity going on in financial services lately: SoFi recently announced going public, Simple being dissolved after BBVA merging with PNC, Lending Club merging with Radius Bank, and now Plaid's merger termination with Visa. Lots more demand exists for building fintech tools, since significantly more transactions that would normally take place in-person have moved towards being online due to the pandemic. It makes a lot more sense for the whole ecosystem to move towards being data-driven and API-friendly, both for consumers to have less friction between services and for businesses to deliver a better customer experience. Having the merger fall through is probably better on all sides such that one corporation doesn't retain too much power and act as a monopolistic gatekeeper driving up fee prices.

Also, wanted to say thanks to Zach for doing a Fireside Chat with Lambda School students last month! It's great to hear from your perspective about industry knowledge & experience in order to prepare for a career in tech.


Guess this is related:

Plaid blog post 'The Year Ahead' https://plaid.com/blog/the-year-ahead/ (https://news.ycombinator.com/item?id=25754256)


Would be Stripe's largest acquisition to date, but their private market valuation would make it affordable if paid for mostly with stock.


Yet Intuit was able to shut down Credit Karma's potential as a competitor with ease. Something fishy in the district of Washington.


Well, Intuit showed a little restraint and didn't offer to pay an obscene price for Credit Karma. :)


It is still called a "merger" if one company is buying out another company. Don't we normally call that an acquisition?


There is no legal process of an "acquisition". When somebody says acquisition they really mean reverse triangular merger.

See https://witnesseth.typepad.com/blog/reverse-triangular-merge...


Not all acquisitions get structured as reverse triangular mergers. Not all acquisitions involve purchase of capital stock.

Lawyers refer to the field as "mergers and acquisitions" or "M&A" for short. A good bit of what good M&A lawyers do is navigate the various operational, strategic, tax, and other factors to find an optimal structure. Often, buyer and seller won't agree, as because stock and asset purchase carry different tax implications, and have to negotiate structure as part of a broader deal with potentially offsetting concessions.

Usage of "acquisition" and "merger" varies between lawyers, managers, and finance people. But it also varies among lawyers, and between states' laws. I'd recommend you just say "M&A". And try to stay out of the Delaware Court of Chancery.


I gave them access to my bank via coinbase. If I change my bank password would they lose access to my account? If not, what do I need to do to make Plaid lose my banking access?


Wait you actually login to a bank using a password? It’s all single use codes from a booklet or two factor application here in Finland (and has been for decades now)

(And the two factor is the kind where you input a pin code every time)


Looking at this from an opinionated Open Banking side here in the UK, this is a good thing.


I think this was well played by the gov't, the idea of Visa and Plaid merging is really clearly going to reduce competition in the payments space


Plaid acquired a direct competitor Quovo in 2019 for $200m. I am sensing a trend.

https://www.businessinsider.com/plaid-acquires-quovo-2019-1


Their link to delete data for CA residents: https://plaid.com/legal/data-protection-request-form/


Could even break those companies up further, at least Visa since financial censorship is becoming prominent with their monopoly share of the market


Finicity is already a great alternative to Plaid.

I imagine bottles of champagne are popping at Mastercard HQ right now.


Which is crazy because Finicity bought Intuit's aggregation engine (Customer Account Data, that Intuit launched back @ Finovate 2012-ish), so the block wasn't because of account aggregation and more for Plaid's comments towards making an alternative payment platform that would compete with VISA.

Either way all aggregators use screen-scraping when they can't get a direct connection, because banks are slow and protective of "their" data (which is really YOUR data) it's a constant tug of war.


Well as both a Visa card user and Plaid customer I suppose I'm happy about this!


I am surprised Plaid is a business. It is a bunch of scripts of dubious security. How businesses are coming on board with that is worrisome.

On the other hand, if we could have standard API and let people integrate services, totally welcome that. But let's not pretend this is anything like that.

If you know something more, please educate me.


Consider it market proof of how much demand there was for API integration that this suboptimal hack was viable. "Proper" APIs will follow; For example, Fidelity built a proper system (Fidelity Access) in response to all the screen scraping. The Fed is now also standardizing some kind of API I think.


That is what I mean. They have investors; if the business model is such that it can disappear in a few years, what is the point of investing in them?


That breakup fee is good $$$ though


It blows me away our legal system can prevent this but not a tech social media plutocracy?


Can? Sure. Motivated to do so? Not a given.


Baby steps.



