I regret handing over my bank login details to Plaid, since they scraped my bank statements without stating so upfront and offered that information to 3rd parties (indirectly, as a score of some sort, IIRC, but that's scraping very personal information).
When I mentioned it on HN a year or 2 ago, someone who works there denied the practice - might have been a cofounder. A few months ago I was contacted regarding a settlement for a Plaid class action suit regarding the very actions that had been denied on HN. Plaid - never again.
I will never sign up for a service that requires Plaid.
And how do Plaid bypass your bank's per-login 2FA if they're logging in as if they were a user?
Plaid just relays the 2FA question.
I think websites would have a tough time preventing users from sharing username/password. It would certainly be acceptable in a power of attorney situation.
Plaid is pretty clear in their privacy policy that they DO NOT repackage and resell data (they do sell data - as in, when you use Plaid to give your banking info to a mortgage broker, the broker is paying Plaid for your data, but it is at your explicit request).
If banks didn't want Plaid to do screen scraping, they could build APIs. Some are now. But they've been VERY VERY reluctant to do so, because they want to hold customers (us!) hostage to their services and make it painful to go anywhere else to get financial services. I appreciate that Plaid figured out how to break their stranglehold, which has directly enabled the current blossoming of FinTech apps ... even if they had to do so in a way I don't love.
Even if we take this as a given - what if customers don't want Plaid to scrape their data? I only used Plaid to verify that I own the bank account - but they went out of their way to scrape my transaction information, just because they could, and that data is valuable - that is messed up. I'm sure if my bank had an API, Plaid would still have hoovered up my transaction information, so the "API access vs Scraping" debate is a sideshow.
If they hadn't scraped my transaction information, I wouldn't have been part of the class, but they chose to maximize data collection. If it had been Facebook or Google that harvested financial info the way Plaid did, no one would be saying "Their TOS is clear about it". Additionally, any big tech company can purchase Plaid and get that data (I can't remember if the settlement has a provision for deletion of that data).
Small projects as you might imagine are measured in years, not days or months.
An API like you describe could take half a decade to build, at the cost of hundreds of millions of dollars. These are not fake numbers or estimates. This is what it would cost.
When you think big finance, think government.
Do you also believe that Bill O'Reilly and Fox News paid out $30m+ even though he didn't do anything? After all, they admitted no wrongdoing in the settlements.
https://news.ycombinator.com/item?id=27467797#27476452
Me: Always been curious - do you (Plaid) use the transaction data or any other data obtained from customers' logins for anything other than the reason the customer supplies their credentials? I.e. if I use Plaid to link to my Robinhood account, do you in any way sell/share/use my data apart from allowing me to fund my Robinhood account?
Response: Good question! No, we don't. Our official statement on this is at https://plaid.com/how-we-handle-data/ "Plaid only shares your data with your consent. We don’t share your personal information without your permission, and we don’t sell or rent it to outside companies."
They say “personal information”. That is consumer-facing language for something which in banking has a legally (regulation) defined term: “PII” or personally identifiable information:
https://www.investopedia.com/terms/p/personally-identifiable...
It can be argued that lists of money spent at stores cannot be reversed back to a person without other information. So they might not consider your transactions PII.
As for the consent, the TOS click wrap generally gets your consent, in the part where firms mumble about “our partners” for “legitimate uses” or etc. while bucketing various data brokers in that class.