Fintech startup Plaid raises $250M at a $2.65B valuation(techcrunch.com) |
Fintech startup Plaid raises $250M at a $2.65B valuation(techcrunch.com) |
Also a risk, because any bank could simply shut this down pretty quickly and if one does it, the others could follow.
The first 3rd party that messes up, with the whiff of a scandal ... and this is going to dissapear, or rather, the banks may decided that they'll do some API, but not for free.
I'm waiting for 'Cambridge Analytica' but with your money this time.
I mean, Mint's been doing it for twelve years, and they're hitting thousands of banks. They're definitely on the major banks' radar by now.
I guess I don't understand how they differ, I do get that they both rely on giving your bank credentials to a third party and that they both scrape your financial history.
I'm not sure how to feel about this, because I understand that banks' lack of open API access is the central problem. But it seems irresponsible to present Plaid as a secure solution, when its login system is technically a phishing page.
I think a much cooler, probably safer, solution would be a mobile SDK that runs the scrapers directly from the user's phone, instead of on Plaid's servers.
In the UK there is a big push around "open banking"[1] which will bring this into the 21st century and allow for proper programmatic access to data. It's still in it's infancy but the sector here is transforming around it.
[1]: (https://www.openbanking.org.uk/customers/what-is-open-bankin...)
https://www.mccarthy.ca/en/insights/blogs/cyberlex/open-bank...
Basically, my password is hashed to see if I can log on. Then it's passed through a PBKDF to get the decryption key for my actual accounts, then that information gets sent to the scrapers to do the actual job. They don't store the keys after the job is done. The upshot is that a full database breach doesn't result in any bank credentials leaking, at the cost of inability to update accounts without the user explicitly logging in.
In order to do so, they most likely keep your banking password around in memory.
Note: Mint uses OAuth for access to Chase bank accounts, which is great. Last I checked Plaid does not.
At some point I think it's on the banks to offer OAuth APIs, then Plaid can swap out one-by-one (if it hasn't already started).
Nylas is facing the same challenge in the email space. They have oauth for gmail, but user/pass for Exchange/SMTP.
So your username and password are just kept in some internal database somewhere? The scrapers probably decrypt the credentials in-memory.
Also - "scraping" data off of an undocumented API sounds risky. How can I guarantee a "scraper" won't accidentally mess something up for me?
Plaid's implementation was aggressive (screen scraping, etc) but many banks are blocking that now and some, like JPMorgan Chase, have created APIs based on OFX (the industry consortium for secure data exchange) to allow controlled data access.
You, the customer, should always be able to choose which targets get to receive your data. Via OAuth mechanisms you grant them access without sharing your login/pw, and you can revoke at will.
It's worse than that. Sharing passwords with third-parties typically "voids the warranty." If money is stolen from your account, the bank can deny reimbursing you because giving a third-party your password voids their zero-liability guarant guarantee.
Banks in the US are really behind the ball on APIs, it's true. Just recently things have started to change though. I'm the cofounder of Treasury Prime (https://treasuryprime.com/) and we have a network of banks in the US who offer API access.
It doesn't solve Plaid's use case (getting data out of 1,000s of banks), but it's great if you need deep integration into a single bank, like if you're writing a fintech app for example. If anyone would like access, feel free to email me: hello@treasuryprime.com
Also, big congrats to Plaid on the fundraise!
It seems more unethical than most selling-user-data strategies in that the users don't even know Plaid is involved in the transaction whatsoever; they're just a hidden middle layer.
I'd be interested to know if this is still part of their monetization strategy, or if anyone at Plaid can confirm definitively that they do not collect and sell your bank account transaction history?
Edit: So sorry on my part, specifically on selling data, must've mixed this up now that I've read the comment (linked below). It involved scraping user data against the wishes of the banks, and doing huge amounts of customer analytics with such data, and another separate thread on giving transaction history as part of the service. Still a negative but different than above-- will leave this up so as to not destroy thread.
They actively reached out to me because of an open source project I created and they wanted to recruit me. They made quite an impression on me but I wasn't prepared to move to the US back then. Damn. Missed opportunity. Obviously they were very proactive in reaching out to the developers that they wanted rather than just passively waiting for resumes to flow in.
https://www.cnbc.com/2017/12/25/psd2-europes-banks-brace-for...
Personally speaking, i have a problem with companies like Plaid and SOFORT (EU), where they kind-of hide the fact that you provide them with your login credentials (and not the bank). From what I understand from this thread, Plaid may be selling your data and gives developers full access to the customer's transaction history. This is worrying
Instead of just seeing updated transactions, users frequently need to enter a 2FA code before Plaid can successfully complete the update. This is very clunky, especially if you've linked 10+ accounts. Hopefully, Plaid (or even government regulations) will be able to encourage banks to create real APIs and Plaid can move away from scraping entirely.
The user effectively gives away control of their deposit accounts. If it is subsequently misused (unlike an access device like a debit card), the user's disclosure of the password might give the bank an affirmative defense. Push to shove, in a large breach with bulk cashouts via wire a depository institution might not honor the claims.
It seems obvious that revocable access w/ tokens is a solution, but that gives up the game on the transaction data (and likely drives some of banks' reluctance to offer that functionality).
I'd love to have my mind changed about this, if someone can point me in the right direction.
I'm glad Europe has defined an API for it's banks to avoid this from happening there
Except it hasn't. If you're referring to PSD2, that is not what that is at all.
https://www.yodlee.com/yodlee/europe-africa
UK startups:
Capital One was smart enough to block them off (which is the bank I use), and now they actually provide proper OAuth based APIs to access your account.
Is Open Banking Standards going to abolish any international market opportunities for Plaid?
- CMA9 Major Banks in the UK are ready to roll out Open Banking Standards. - In Australia the ACCC is pushing for 1 July 2019 and within 12 months all Australian banks, including the related brands of the big four, will be brought within the scope of open banking. - Canada too with it's 2020 initiatives.
US would be crazy not to adopt a similar standard but maybe this is where Plaid is specializing in due to the large number of US banks?
He was excited for the rotation in one of the (several) "moonshot divisions," with a goal of 10X-ing the bank in theory. I told him that I hope _giant bank_ doesn't have 10X growth in it, but...
... I think that any truly disruptive idea for fintech/banking is likely to be of the "turn a billion dollar company into a million dollar company" variety.
they DO refuse to do corporate orders for certain companies, e.g. oil companies / oil bankers, given that those are antithetical to their mission.
Why Venmo would need to hit Plaid API to get my banking info when they can provide their own API and allow seamless integration with my bank and credit card?
I honestly don't see the benefit over risk of handing over all my financial institutions information so they can provide a seamless API to consumers.
I want Plaid to succeed and I want to use those products, but beware of building something on top of Plaid; you may be driving customers away.
I thought they actually integrated with the banks on the backend, but if this is all they do, I'm not comfortable using any product that snoops my bank info without any accountability.
Questions for those that know the space: 1. Is that a big struggle for fintech companies or do most people just shrug it off? 2. Are companies working on (and making progress) standards for system communication without user/pass?
They have a great team and they're making a big push to bring PSD2 compliant banking integrations to Europe. I haven't heard of many other offerings within Europe.
For privacy reasons, I'd prefer to avoid anything of the sort.
The apps I know who use Plaid are Drop and Venmo. Some banks use it to instantly link external accounts without having to do trial deposits.
I think of it as "Startup" vs "Steady State."
https://www.acorns.com/privacy/
>>> Acorns uses Plaid Inc. (“Plaid”) to gather your data from financial institutions...
>>> Acorns and Empyr will use transaction information from your Acorns debit card in connection with the Found Money Plus program as follows:
... to provide participating merchants or Empyr aggregated and anonymized information relating specifically to registered card activity solely to allow participating merchants and Empyr to assess the results of their campaign(s);
Seems legitimately useful for personal finance tools or loan providers.
However, I know your API is being used by point of sale systems. Seems super unethical for point of sale systems to access any info beyond, is this the right account, does it have enough money. I just hope you're enforcing some kind of restrictions or at the very least warning consumers what they're giving the merchant permission to access.
how does your statement fit with the fact that one of your products is literally selling transactional data? https://plaid.com/products/transactions
While I'll assume this is only of the customers of a particular product, it is still worrying as many customers may not understand that fact as you are not transparent about your role and the access granted.
This may be true - but you do still normalize users to the practice of entering their banking login credentials into a web form which is sent to a third party (i.e. yourselves).
In addition I believe the developer gains access to the users' bank transaction history - not just for the duration of their login session, but long-term, which is likely something that users aren't fully aware of in most cases.
Am I mistaken about those?
That is not 'selling' in the historically-used sense of the word, but we are now in a world where 'personal cost' means something different - especially when it comes to services which harvest personal data.
Pretty cool product, considered using it for my property rental's payment portal.
https://plaid.com/products/transactions
I flirted with the idea of using a trial account to feed that data to a Prometheus server to build graphs in Grafana. A slightly more powerful mint/personal capital would be a super valuable tool.
One hack incident of a developer that exposes bank numbers and transaction data would be a huge reputational hit.
They don't expose bank numbers though, that's kind of the point. Developer access is all tokenized.
That said, plaid does give you access to tons of detailed financial transaction data, and it's easy for companies to tie this to PII in their own systems, and I'm sure many of those companies have less robust security than plaid. As a developer, I thought "Wow, you can get so much data through plaid!" but then as a user I would refuse to ever use a plaid integration because I know how much data it gives them. Furthermore, I don't believe the average user really realizes just how much data they are giving up.
I agree with you, though, it really is similar to the Facebook API issue. All it would take is a third party company packaging data in a way to use it to target political ads and then you've got 60 Minutes exposes all over the place.
Recent incident was on "most unethical thing you've done" thread that reached the top of HN. Someone mentioned selling user data while being a middle layer, and confirmed it was Plaid after it was suggested.
Not claiming this is definitively true which is why I'd like to hear from someone at Plaid; I believe I've interacted with them through Robinhood so it'd be concerning.
I never claimed my list was inclusive, only those are the ones I know use Plaid off the top of my head.
"The ACCC envisages that the first tranche of open banking rules will come into effect from 1 July 2019. Within 12 months, all Australian banks, including the related brands of the big four, will be brought within the scope of open banking."
You also omitted a key quote:
>when you activate your Acorns debit card, you will be asked to enroll in Found Money Plus, a card-linked offer program offered in partnership with Empyr.
The Found Money Plus program is only for transactions on the Acorns debit card, and it is small bonuses for specific spending, for example, 10% cash back at Starbucks. It looks like a company called Empyr organizes these campaigns for the card link offers.
The Acrons debit card is also optional.
If you're getting cash back on a transaction you know the price is sharing your purchases, this concept isn't really new.
Edit update to root
But the comment is not quite as bad as what is suggested
You're still sharing your bank account information with someone else. Even if it's your bank's API or whatever, "something my bank created" could be "something my bank had hired an external company to create," or even "a front end my bank created that uses third party software to do all the data processing on the back end." I'm not sure of a meaningful distinction between each case. If you want to minimize sharing bank account information "for privacy" then you don't give your bank account information to anyone.
That's the whole point. You don't know you're giving your account information to anyone. I use Venmo and had no idea they relied on this technique until reading your comment.
As long as you're transparent about it in a 30 page ToS then it's all good. Because when you go to checkout at a cash register, you're going to stop and hold the line for an hour or more and read that page.
Not an exaggeration btw, my print dialog estimates that page to be 27 pages printed.
Can I ask what makes you believe that? Why would someone be A-OK with sharing the previous six months of account transactions but balk at sharing the next six months of account transactions?
I also think many consumers would simply be creeped out by the idea that these companies can continue to maintain access to their bank statement for 6 months into the future, especially in cases where the consumer has a dispute or negative experience with the company. There are also some underwriting arrangements where companies could leverage future Plaid data to make decisions about how to treat a customer (e.g. monitoring bank balances so that rebilling a delinquent customer can be automatically rescheduled after a deposit)
""" We're the team behind Standard Treasury and the Silicon Valley Bank API Banking Platform which forms the backend for Stripe Atlas - we're the experts in this space. """
The main differences are how we're working with banks. Back then we sold only to large banks, plus banks weren't yet comfortable using cloud services, meaning everything had to be built on-premise (very silly). Now we sell into all sizes of bank because we're able to operate with a SaaS model.
Likewise for developers that means we can move much faster and there's a much better chance we'll be able to find a bank that's a good fit for you. If you're interested in using the API, email me and say hi: hello@treasuryprime.com
It's explicitly stated within their sales page and directly contradictory to the statement he made above.
I understand what you're saying, but I think it would be less confusing to keep the idea I described above and what Plaid is doing (AFAIU) distinct.
More specifically I understand it as: If I engage with some entity/company/developer and give them the permission and secrets necessary to access my account, they can pay Plaid to make use of them on my behalf in the process of doing whatever it is I gave them that access for.
This activity is, and always has been to me, completely distinct from the activity of "selling my data", although it could result in the one I authorized to access my data through Plaid turning around and selling my data.
The developer is purchasing the technological infrastructure to deliver the data a single specific user has opted to provide to them.
Claiming the developer is a third party is like claiming I'm a third party when I order off Amazon, and that the USPS is the actual customer.
As for bank logins...that’s been around since long before Plaid. But I agree there must be a better way. Though I don’t have any great practical ideas.
Even if users are technically opting in, and even if everything is documented in the privacy policy, a potential end-game here is that startup companies have access to all bank transactions for the people who need to use Plaid - likely people on the ground in the sharing economy who rely on it for payments - and the more fortunate/wealthier folks continue to have financial privacy by virtue of not needing to use it.
That would be a really unfair world to live in.
Obviously this is a hugely sensitive service, I’m not denying that. But there’s a way to do it right and it seems that Plaid is attempting to do that. So I’m not ready to declare them evil before they actually do anything evil.
Accountability and transparency is important long-term; as is questioning possible abuse or misuse of power. Don't be afraid to continue to do so!
Also, always use Hanlon's razor, but it's getting harder and harder to tell genuine conversations from stage-managed ones online, unfortunately. It's the logical extreme of pg's article 'The Submarine'[0].
I'm in the ACH space and I personally know a merchant who planned on using them for account verification for point of sale ACH payments. This merchant also planned on grabbing transaction history while they were in there for I don't know what. Analytics maybe? I have no idea if they ever went through with their plan.
Under any framing, that's a third party paying for access to your transaction data.
The user hasn't opted-in if the co-founder of the company is telling people it doesn't happen. It's only opt-in if the user knows it's happening and agrees to it.
Then ask yourself why the founding team goes around and tells people they don't do that.
Unfortunately the current approach of the major aggregation players is the only way to motivate the banks to give customers access to their own data through more reliable means.
Sure, but the developer using Plaid's services doesn't.
Isn't this a clear parallel to the Google "Don't be evil" approach that gets discarded as soon as the opportunity cost becomes too large to ignore?
"Are you aware that connecting app Foo to your bank account gives app Foo access to your transactions?" is likely to be met with a resounding "no shit, that's the point..."
And your claim is that the point of the user signing up to Robinhood or Venmo is to give Robinhood or Venmo their entire bank account history for the last two years?
I find this implausible. You have an empirical claim. You're welcome to test it.
