Plaid CTO here. This is not accurate. On 1. We do not (and have never) sell data to third parties. On 2. We have been a proponent of open authentication standards like OAuth and App2App and today, a majority of our bank connections run via bank APIs - in fact, as Zach pointed out, we’ve helped many financial institutions move towards OAuth. We don’t want to handle credentials in the long-term. However it will take years for a full transition to APIs to happen with more than 11k banks in the United States and we feel that it's important to support the tens of millions of Americans who bank at those institutions.
First, today a majority of all bank connections are on APIs or OAuth. This is mostly for the biggest banks in the U.S., but we also support some of the biggest platforms on top of which smaller banks & credit unions operate. We don’t want to be in the business of handling credentials in the long-term, for many of the reasons the author of the post pointed out. However, it will take years for this transition to happen with more than 11k banks in the United States. This is something we’ve been pushing for and we’ve worked closely with a lot of financial institutions to support OAuth and even App2App (which is a win not just for security, but also for convenience).
Second, the author focuses on what we call payment authentication (verifying account and routing information), but Plaid is used to power a lot of other use cases across fintech: lending, financial management, identity verification, brokerage, neo banking, etc. So although micro-deposits support verifying payment authentication, they do not support any of these other use cases.
Every day there are tens of millions of people who were not served by the traditional financial system who get access to better financial services because of Plaid. And that would not be possible without what we do.
Third, there are a few insinuations in this thread that we sell user data. We do not: the data goes from you to the app you authorize, through Plaid. We do provide some enhancements to the data for that app – e.g., fraud protection, transaction categorization, normalization of data (which is different for each financial institution).
(I can’t speak much to the lawsuit settlement for obvious legal reasons.)
Fourth, I do appreciate keeping companies honest about security practices. We invest a lot in security and privacy, and look forward to the day a post like this cannot be written because every bank is on OAuth. In the meantime, though, we’re actually the ones pushing for this – OAuth would not be happening at any banks if it weren’t for Plaid (there were companies that did what Plaid did for nearly a decade before we started and made zero progress in improving the technological foundation on top of which financial services are built). You may not believe in the current experience, but we view it as a key and necessary part to transitioning to better financial services and infrastructure for everyone.
I replied in a few other threads on this. We don't make the user's data accessible via API outside of the app the user connected. Your personal data is not sold or rented or given away or bartered to parties that are not Plaid, your bank, or the connected app.
We talk about all of this in our privacy policy, including ways that data could be used — for example, with data processors/service providers (like AWS which hosts our services) for the purposes of running Plaid’s services or for a user’s connected app to provide their services.
No, your personal data is not sold or rented or given away or bartered to parties that are not Plaid, your bank, or the connected app. We talk about all of this in our privacy policy, including ways that data could be used — for example, with data processors/service providers (like AWS which hosts our services) for the purposes of running Plaid’s services or for a user’s connected app to provide their services.
No, your personal data is not sold or rented or given away or bartered to parties that are not Plaid, your bank, or the connected app. We talk about all of this in our privacy policy, including ways that data could be used — for example, with data processors/service providers (like AWS which hosts our services) for the purposes of running Plaid’s services or for a user’s connected app to provide their services.
Would love to help with this. YNAB hasn't always been a Plaid customer, so it might have been a historical connection -- either way, please contact our support team to help you figure this out ASAP https://my.plaid.com/help
You’re right that I can’t write much (legal, PR team say hello).
The bottom line point is, we don’t sell data and that’s not the main allegation. The main allegation is that people didn’t understand that we were part of the flow of connecting banks to apps. We disagree.
Before 2017, there was a whitelabel experience of Plaid that didn’t say “Plaid”, didn’t have the Plaid logo, etc. We still stand by our belief that our disclosures at the time were more than adequate. But it’s not something we want to have protracted litigation around.
The reality is that our experience today is vastly different (and has been for a while). As for “what meaningful business practice changes could you be making if there's no issue to begin with.” Like most companies, we’re always making improvements to our experience -- today we have a consent pane that makes our role clear, a portal for people to manage their data, etc.
You can use the Plaid Portal (https://my.plaid.com) to view what types of data are being shared, to revoke access (to both the apps and Plaid) and delete data stored in Plaid’s systems. You can also put a data deletion request through support.
As someone who has overseen our consumer privacy team over the past few years building out products like Plaid Link and Plaid Portal, I can attest this is a foremost priority for the company. FWIIW, I don’t agree with the allegations, and you can read our POV on this blog post.
Hi TruthWillHurt, are you in the UK? Looking at that list, that looks like what's required for a UK developer -- the environment in the UK is very regulated and quite different than the U.S.
You should be able to to put traffic through via the development environment without that, but you're right that to go to full production you would need to answer some compliance questions, but it should not take months. I understand your frustration if it's taking that long.
You have my email, and if you reach out I can see what I can do to help. Best.
Can you send me an email: jgreze plaid.com -- I'll see what I can do to help. For the vast majority of cases onboarding should be self-serve until you hit a certain level of scale, so I'd love to understand what's happening here and what we can do better.